ui: introduce "password-secret" option for SPICE server

Currently when using SPICE the "password" option provides the password in plain text on the command line. This is insecure as it is visible to all processes on the host. As an alternative, the password can be provided separately via the monitor. This introduces a "password-secret" option which lets the password be provided up front. $QEMU --object secret,id=vncsec0,file=passwd.txt \ --spice port=5901,password-secret=vncsec0 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20210311114343.439820-3-berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Daniel P. Berrangé <berrange@redhat.com> 2021-03-11 11:43:42 +0000
committer: Gerd Hoffmann <kraxel@redhat.com> 2021-03-15 17:36:20 +0100
commit: 99522f69d62216f5d9581f66f2c0edca6bd48f78 (patch)
tree: 5f0ad49410504389ac7f87f3d1f2e8019f729c94
parent: 6c6840e9281cf2fd3b29d77f45b18949d4a83944 (diff)
download: qemu-99522f69d62216f5d9581f66f2c0edca6bd48f78.zip
qemu-99522f69d62216f5d9581f66f2c0edca6bd48f78.tar.gz
qemu-99522f69d62216f5d9581f66f2c0edca6bd48f78.tar.bz2
2 files changed, 35 insertions, 4 deletions
diff --git a/qemu-options.hx b/qemu-options.hx
index 357fc45..a98f8e8 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1899,7 +1899,8 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
     "       [,tls-ciphers=<list>]\n"
     "       [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
     "       [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
-    "       [,sasl=on|off][,password=<secret>][,disable-ticketing=on|off]\n"
+    "       [,sasl=on|off][,disable-ticketing=on|off]\n"
+    "       [,password=<string>][,password-secret=<secret-id>]\n"
     "       [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
     "       [,jpeg-wan-compression=[auto|never|always]]\n"
     "       [,zlib-glz-wan-compression=[auto|never|always]]\n"
@@ -1924,9 +1925,13 @@ SRST
     ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off``
         Force using the specified IP version.
 
-    ``password=<secret>``
+    ``password=<string>``
         Set the password you need to authenticate.
 
+    ``password-secret=<secret-id>``
+        Set the ID of the ``secret`` object containing the password
+        you need to authenticate.
+
     ``sasl=on|off``
         Require that the client use SASL to authenticate with the spice.
         The exact choice of authentication method used is controlled
diff --git a/ui/spice-core.c b/ui/spice-core.c
index cadec76..b9d8ace 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -34,6 +34,7 @@
 #include "qapi/qapi-events-ui.h"
 #include "qemu/notify.h"
 #include "qemu/option.h"
+#include "crypto/secret_common.h"
 #include "migration/misc.h"
 #include "hw/pci/pci_bus.h"
 #include "ui/spice-display.h"
@@ -416,6 +417,9 @@ static QemuOptsList qemu_spice_opts = {
             .name = "password",
             .type = QEMU_OPT_STRING,
         },{
+            .name = "password-secret",
+            .type = QEMU_OPT_STRING,
+        },{
             .name = "disable-ticketing",
             .type = QEMU_OPT_BOOL,
         },{
@@ -636,7 +640,9 @@ void qemu_spice_display_init_done(void)
 static void qemu_spice_init(void)
 {
     QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
-    const char *password, *str, *x509_dir, *addr,
+    char *password = NULL;
+    const char *passwordSecret;
+    const char *str, *x509_dir, *addr,
         *x509_key_password = NULL,
         *x509_dh_file = NULL,
         *tls_ciphers = NULL;
@@ -663,7 +669,26 @@ static void qemu_spice_init(void)
         error_report("spice tls-port is out of range");
         exit(1);
     }
-    password = qemu_opt_get(opts, "password");
+    passwordSecret = qemu_opt_get(opts, "password-secret");
+    if (passwordSecret) {
+        Error *local_err = NULL;
+        if (qemu_opt_get(opts, "password")) {
+            error_report("'password' option is mutually exclusive with "
+                         "'password-secret'");
+            exit(1);
+        }
+        password = qcrypto_secret_lookup_as_utf8(passwordSecret,
+                                                 &local_err);
+        if (!password) {
+            error_report_err(local_err);
+            exit(1);
+        }
+    } else {
+        str = qemu_opt_get(opts, "password");
+        if (str) {
+            password = g_strdup(str);
+        }
+    }
 
     if (tls_port) {
         x509_dir = qemu_opt_get(opts, "x509-dir");
@@ -809,6 +834,7 @@ static void qemu_spice_init(void)
     g_free(x509_key_file);
     g_free(x509_cert_file);
     g_free(x509_cacert_file);
+    g_free(password);
 
 #ifdef HAVE_SPICE_GL
     if (qemu_opt_get_bool(opts, "gl", 0)) {
author	Daniel P. Berrangé <berrange@redhat.com>	2021-03-11 11:43:42 +0000
committer	Gerd Hoffmann <kraxel@redhat.com>	2021-03-15 17:36:20 +0100
commit	99522f69d62216f5d9581f66f2c0edca6bd48f78 (patch)
tree	5f0ad49410504389ac7f87f3d1f2e8019f729c94
parent	6c6840e9281cf2fd3b29d77f45b18949d4a83944 (diff)
download	qemu-99522f69d62216f5d9581f66f2c0edca6bd48f78.zip qemu-99522f69d62216f5d9581f66f2c0edca6bd48f78.tar.gz qemu-99522f69d62216f5d9581f66f2c0edca6bd48f78.tar.bz2