Revision 7e7e2ebc
b/ui/vnc-auth-sasl.c | ||
---|---|---|
538 | 538 |
|
539 | 539 |
#ifdef CONFIG_VNC_TLS |
540 | 540 |
/* Inform SASL that we've got an external SSF layer from TLS/x509 */ |
541 |
if (vs->vd->auth == VNC_AUTH_VENCRYPT &&
|
|
542 |
vs->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
|
|
541 |
if (vs->auth == VNC_AUTH_VENCRYPT && |
|
542 |
vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) { |
|
543 | 543 |
gnutls_cipher_algorithm_t cipher; |
544 | 544 |
sasl_ssf_t ssf; |
545 | 545 |
|
... | ... | |
570 | 570 |
#ifdef CONFIG_VNC_TLS |
571 | 571 |
/* Disable SSF, if using TLS+x509+SASL only. TLS without x509 |
572 | 572 |
is not sufficiently strong */ |
573 |
|| (vs->vd->auth == VNC_AUTH_VENCRYPT &&
|
|
574 |
vs->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL)
|
|
573 |
|| (vs->auth == VNC_AUTH_VENCRYPT && |
|
574 |
vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) |
|
575 | 575 |
#endif /* CONFIG_VNC_TLS */ |
576 | 576 |
) { |
577 | 577 |
/* If we've got TLS or UNIX domain sock, we don't care about SSF */ |
b/ui/vnc-auth-vencrypt.c | ||
---|---|---|
29 | 29 |
|
30 | 30 |
static void start_auth_vencrypt_subauth(VncState *vs) |
31 | 31 |
{ |
32 |
switch (vs->vd->subauth) {
|
|
32 |
switch (vs->subauth) { |
|
33 | 33 |
case VNC_AUTH_VENCRYPT_TLSNONE: |
34 | 34 |
case VNC_AUTH_VENCRYPT_X509NONE: |
35 | 35 |
VNC_DEBUG("Accept TLS auth none\n"); |
... | ... | |
51 | 51 |
#endif /* CONFIG_VNC_SASL */ |
52 | 52 |
|
53 | 53 |
default: /* Should not be possible, but just in case */ |
54 |
VNC_DEBUG("Reject subauth %d server bug\n", vs->vd->auth);
|
|
54 |
VNC_DEBUG("Reject subauth %d server bug\n", vs->auth); |
|
55 | 55 |
vnc_write_u8(vs, 1); |
56 | 56 |
if (vs->minor >= 8) { |
57 | 57 |
static const char err[] = "Unsupported authentication type"; |
... | ... | |
110 | 110 |
|
111 | 111 |
|
112 | 112 |
#define NEED_X509_AUTH(vs) \ |
113 |
((vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509NONE || \
|
|
114 |
(vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509VNC || \
|
|
115 |
(vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \
|
|
116 |
(vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL)
|
|
113 |
((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE || \ |
|
114 |
(vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC || \ |
|
115 |
(vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \ |
|
116 |
(vs)->subauth == VNC_AUTH_VENCRYPT_X509SASL) |
|
117 | 117 |
|
118 | 118 |
|
119 | 119 |
static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len) |
120 | 120 |
{ |
121 | 121 |
int auth = read_u32(data, 0); |
122 | 122 |
|
123 |
if (auth != vs->vd->subauth) {
|
|
123 |
if (auth != vs->subauth) { |
|
124 | 124 |
VNC_DEBUG("Rejecting auth %d\n", auth); |
125 | 125 |
vnc_write_u8(vs, 0); /* Reject auth */ |
126 | 126 |
vnc_flush(vs); |
... | ... | |
153 | 153 |
vnc_flush(vs); |
154 | 154 |
vnc_client_error(vs); |
155 | 155 |
} else { |
156 |
VNC_DEBUG("Sending allowed auth %d\n", vs->vd->subauth);
|
|
156 |
VNC_DEBUG("Sending allowed auth %d\n", vs->subauth); |
|
157 | 157 |
vnc_write_u8(vs, 0); /* Accept version */ |
158 | 158 |
vnc_write_u8(vs, 1); /* Number of sub-auths */ |
159 |
vnc_write_u32(vs, vs->vd->subauth); /* The supported auth */
|
|
159 |
vnc_write_u32(vs, vs->subauth); /* The supported auth */ |
|
160 | 160 |
vnc_flush(vs); |
161 | 161 |
vnc_read_when(vs, protocol_client_vencrypt_auth, 4); |
162 | 162 |
} |
b/ui/vnc.c | ||
---|---|---|
2124 | 2124 |
{ |
2125 | 2125 |
/* We only advertise 1 auth scheme at a time, so client |
2126 | 2126 |
* must pick the one we sent. Verify this */ |
2127 |
if (data[0] != vs->vd->auth) { /* Reject auth */
|
|
2127 |
if (data[0] != vs->auth) { /* Reject auth */ |
|
2128 | 2128 |
VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]); |
2129 | 2129 |
vnc_write_u32(vs, 1); |
2130 | 2130 |
if (vs->minor >= 8) { |
... | ... | |
2135 | 2135 |
vnc_client_error(vs); |
2136 | 2136 |
} else { /* Accept requested auth */ |
2137 | 2137 |
VNC_DEBUG("Client requested auth %d\n", (int)data[0]); |
2138 |
switch (vs->vd->auth) {
|
|
2138 |
switch (vs->auth) { |
|
2139 | 2139 |
case VNC_AUTH_NONE: |
2140 | 2140 |
VNC_DEBUG("Accept auth none\n"); |
2141 | 2141 |
if (vs->minor >= 8) { |
... | ... | |
2165 | 2165 |
#endif /* CONFIG_VNC_SASL */ |
2166 | 2166 |
|
2167 | 2167 |
default: /* Should not be possible, but just in case */ |
2168 |
VNC_DEBUG("Reject auth %d server code bug\n", vs->vd->auth);
|
|
2168 |
VNC_DEBUG("Reject auth %d server code bug\n", vs->auth); |
|
2169 | 2169 |
vnc_write_u8(vs, 1); |
2170 | 2170 |
if (vs->minor >= 8) { |
2171 | 2171 |
static const char err[] = "Authentication failed"; |
... | ... | |
2210 | 2210 |
vs->minor = 3; |
2211 | 2211 |
|
2212 | 2212 |
if (vs->minor == 3) { |
2213 |
if (vs->vd->auth == VNC_AUTH_NONE) {
|
|
2213 |
if (vs->auth == VNC_AUTH_NONE) { |
|
2214 | 2214 |
VNC_DEBUG("Tell client auth none\n"); |
2215 |
vnc_write_u32(vs, vs->vd->auth);
|
|
2215 |
vnc_write_u32(vs, vs->auth); |
|
2216 | 2216 |
vnc_flush(vs); |
2217 | 2217 |
start_client_init(vs); |
2218 |
} else if (vs->vd->auth == VNC_AUTH_VNC) {
|
|
2218 |
} else if (vs->auth == VNC_AUTH_VNC) { |
|
2219 | 2219 |
VNC_DEBUG("Tell client VNC auth\n"); |
2220 |
vnc_write_u32(vs, vs->vd->auth);
|
|
2220 |
vnc_write_u32(vs, vs->auth); |
|
2221 | 2221 |
vnc_flush(vs); |
2222 | 2222 |
start_auth_vnc(vs); |
2223 | 2223 |
} else { |
2224 |
VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->vd->auth);
|
|
2224 |
VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth); |
|
2225 | 2225 |
vnc_write_u32(vs, VNC_AUTH_INVALID); |
2226 | 2226 |
vnc_flush(vs); |
2227 | 2227 |
vnc_client_error(vs); |
2228 | 2228 |
} |
2229 | 2229 |
} else { |
2230 |
VNC_DEBUG("Telling client we support auth %d\n", vs->vd->auth);
|
|
2230 |
VNC_DEBUG("Telling client we support auth %d\n", vs->auth); |
|
2231 | 2231 |
vnc_write_u8(vs, 1); /* num auth */ |
2232 |
vnc_write_u8(vs, vs->vd->auth);
|
|
2232 |
vnc_write_u8(vs, vs->auth); |
|
2233 | 2233 |
vnc_read_when(vs, protocol_client_auth, 1); |
2234 | 2234 |
vnc_flush(vs); |
2235 | 2235 |
} |
... | ... | |
2494 | 2494 |
} |
2495 | 2495 |
} |
2496 | 2496 |
|
2497 |
static void vnc_connect(VncDisplay *vd, int csock) |
|
2497 |
static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
|
|
2498 | 2498 |
{ |
2499 | 2499 |
VncState *vs = qemu_mallocz(sizeof(VncState)); |
2500 | 2500 |
int i; |
2501 | 2501 |
|
2502 | 2502 |
vs->csock = csock; |
2503 |
|
|
2504 |
if (skipauth) { |
|
2505 |
vs->auth = VNC_AUTH_NONE; |
|
2506 |
#ifdef CONFIG_VNC_TLS |
|
2507 |
vs->subauth = VNC_AUTH_INVALID; |
|
2508 |
#endif |
|
2509 |
} else { |
|
2510 |
vs->auth = vd->auth; |
|
2511 |
#ifdef CONFIG_VNC_TLS |
|
2512 |
vs->subauth = vd->subauth; |
|
2513 |
#endif |
|
2514 |
} |
|
2515 |
|
|
2503 | 2516 |
vs->lossy_rect = qemu_mallocz(VNC_STAT_ROWS * sizeof (*vs->lossy_rect)); |
2504 | 2517 |
for (i = 0; i < VNC_STAT_ROWS; ++i) { |
2505 | 2518 |
vs->lossy_rect[i] = qemu_mallocz(VNC_STAT_COLS * sizeof (uint8_t)); |
... | ... | |
2557 | 2570 |
|
2558 | 2571 |
int csock = qemu_accept(vs->lsock, (struct sockaddr *)&addr, &addrlen); |
2559 | 2572 |
if (csock != -1) { |
2560 |
vnc_connect(vs, csock); |
|
2573 |
vnc_connect(vs, csock, 0);
|
|
2561 | 2574 |
} |
2562 | 2575 |
} |
2563 | 2576 |
|
... | ... | |
2887 | 2900 |
} else { |
2888 | 2901 |
int csock = vs->lsock; |
2889 | 2902 |
vs->lsock = -1; |
2890 |
vnc_connect(vs, csock); |
|
2903 |
vnc_connect(vs, csock, 0);
|
|
2891 | 2904 |
} |
2892 | 2905 |
return 0; |
2893 | 2906 |
|
b/ui/vnc.h | ||
---|---|---|
256 | 256 |
int major; |
257 | 257 |
int minor; |
258 | 258 |
|
259 |
int auth; |
|
259 | 260 |
char challenge[VNC_AUTH_CHALLENGE_SIZE]; |
260 | 261 |
#ifdef CONFIG_VNC_TLS |
262 |
int subauth; /* Used by VeNCrypt */ |
|
261 | 263 |
VncStateTLS tls; |
262 | 264 |
#endif |
263 | 265 |
#ifdef CONFIG_VNC_SASL |
Also available in: Unified diff