Add option to pass the password in an encrypted file, kasmvncpasswd utility

common/network/TcpSocket.cxx

@@ -38,11 +38,13 @@
 #include <sys/un.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <wordexp.h>
 #include "websocket.h"
 
 #include <network/TcpSocket.h>
 #include <rfb/LogWriter.h>
 #include <rfb/Configuration.h>
+#include <rfb/ServerCore.h>
 
 #ifdef WIN32
 #include <os/winerrno.h>
@@ -485,6 +487,13 @@ WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr,
 
   listen(internalSocket);
 
+  settings.passwdfile = NULL;
+
+  wordexp_t wexp;
+  if (!wordexp(rfb::Server::kasmPasswordFile, &wexp, WRDE_NOCMD))
+    settings.passwdfile = strdup(wexp.we_wordv[0]);
+  wordfree(&wexp);
+
   settings.basicauth = basicauth;
   settings.cert = cert;
   settings.key = "";

common/network/websocket.c

@@ -878,7 +878,8 @@ ws_ctx_t *do_handshake(int sock) {
         usleep(10);
     }
 
-    if (strchr(settings.basicauth, ':')) {
+    const char *colon;
+    if ((colon = strchr(settings.basicauth, ':'))) {
         const char *hdr = strstr(handshake, "Authorization: Basic ");
         if (!hdr) {
             sprintf(response, "HTTP/1.1 401 Unauthorized\r\n"
@@ -901,7 +902,42 @@ ws_ctx_t *do_handshake(int sock) {
         tmp[len] = '\0';
         len = ws_b64_pton(tmp, response, 256);
 
-        if (len <= 0 || strcmp(settings.basicauth, response)) {
+        char authbuf[4096];
+        strncpy(authbuf, settings.basicauth, 4096);
+        authbuf[4095] = '\0';
+
+        // Do we need to read it from the file?
+        char *resppw = strchr(response, ':');
+        if (resppw && *resppw)
+            resppw++;
+        if (!colon[1] && settings.passwdfile) {
+            if (resppw && *resppw) {
+                char pwbuf[4096];
+                FILE *f = fopen(settings.passwdfile, "r");
+                if (f) {
+                    const unsigned len = fread(pwbuf, 1, 4096, f);
+                    fclose(f);
+                    pwbuf[4095] = '\0';
+                    if (len < 4096)
+                        pwbuf[len] = '\0';
+
+                    snprintf(authbuf, 4096, "%s%s", settings.basicauth, pwbuf);
+                    authbuf[4095] = '\0';
+
+                    const char *encrypted = crypt(resppw, "$5$kasm$");
+                    *resppw = '\0';
+
+                    snprintf(pwbuf, 4096, "%s%s", response, encrypted);
+                    pwbuf[4095] = '\0';
+                    strcpy(response, pwbuf);
+                }
+            } else {
+                // Client tried an empty password, just fail them
+                response[0] = '\0';
+            }
+        }
+
+        if (len <= 0 || strcmp(authbuf, response)) {
             sprintf(response, "HTTP/1.1 401 Forbidden\r\n"
                               "\r\n");
             ws_send(ws_ctx, response, strlen(response));

common/network/websocket.h

@@ -67,6 +67,7 @@ typedef struct {
     const char *cert;
     const char *key;
     const char *basicauth;
+    const char *passwdfile;
     int ssl_only;
     const char *httpdir;
 } settings_t;