Index: qemu-kvm-0.10/qemu/Makefile =================================================================== --- qemu-kvm-0.10.orig/qemu/Makefile +++ qemu-kvm-0.10/qemu/Makefile @@ -152,6 +152,9 @@ OBJS+=vnc.o d3des.o ifdef CONFIG_VNC_TLS OBJS+=vnc-tls.o vnc-auth-vencrypt.o endif +ifdef CONFIG_VNC_SASL +OBJS+=vnc-auth-sasl.o +endif ifdef CONFIG_COCOA OBJS+=cocoa.o @@ -175,7 +178,7 @@ sdl.o: sdl.c keymaps.h sdl_keysym.h sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS) -vnc.h: vnc-tls.h vnc-auth-vencrypt.h keymaps.h +vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h @@ -185,6 +188,8 @@ vnc-tls.o: vnc-tls.c vnc.h vnc-auth-vencrypt.o: vnc-auth-vencrypt.c vnc.h +vnc-auth-sasl.o: vnc-auth-sasl.c vnc.h + curses.o: curses.c keymaps.h curses_keys.h bt-host.o: CFLAGS += $(CONFIG_BLUEZ_CFLAGS) Index: qemu-kvm-0.10/qemu/Makefile.target =================================================================== --- qemu-kvm-0.10.orig/qemu/Makefile.target +++ qemu-kvm-0.10/qemu/Makefile.target @@ -613,6 +613,11 @@ CPPFLAGS += $(CONFIG_VNC_TLS_CFLAGS) LIBS += $(CONFIG_VNC_TLS_LIBS) endif +ifdef CONFIG_VNC_SASL +CPPFLAGS += $(CONFIG_VNC_SASL_CFLAGS) +LIBS += $(CONFIG_VNC_SASL_LIBS) +endif + ifdef CONFIG_BLUEZ LIBS += $(CONFIG_BLUEZ_LIBS) endif Index: qemu-kvm-0.10/qemu/configure =================================================================== --- qemu-kvm-0.10.orig/qemu/configure +++ qemu-kvm-0.10/qemu/configure @@ -164,6 +164,7 @@ fmod_lib="" fmod_inc="" oss_lib="" vnc_tls="yes" +vnc_sasl="yes" bsd="no" linux="no" solaris="no" @@ -404,6 +405,8 @@ for opt do ;; --disable-vnc-tls) vnc_tls="no" ;; + --disable-vnc-sasl) vnc_sasl="no" + ;; --disable-slirp) slirp="no" ;; --disable-vde) vde="no" @@ -563,6 +566,7 @@ echo " Availab echo " --enable-mixemu enable mixer emulation" echo " --disable-brlapi disable BrlAPI" echo " --disable-vnc-tls disable TLS encryption for VNC server" +echo " --disable-vnc-sasl disable SASL encryption for VNC server" echo " --disable-curses disable curses output" echo " --disable-bluez disable bluez stack connectivity" echo " --disable-kvm disable KVM acceleration support" @@ -890,6 +894,25 @@ EOF fi ########################################## +# VNC SASL detection +if test "$vnc_sasl" = "yes" ; then +cat > $TMPC < +#include +int main(void) { sasl_server_init(NULL, "qemu"); return 0; } +EOF + # Assuming Cyrus-SASL installed in /usr prefix + vnc_sasl_cflags="" + vnc_sasl_libs="-lsasl2" + if $cc $ARCH_CFLAGS -o $TMPE ${OS_CFLAGS} $vnc_sasl_cflags $TMPC \ + $vnc_sasl_libs 2> /dev/null ; then + : + else + vnc_sasl="no" + fi +fi + +########################################## # vde libraries probe if test "$vde" = "yes" ; then cat > $TMPC << EOF @@ -1224,6 +1247,11 @@ if test "$vnc_tls" = "yes" ; then echo " TLS CFLAGS $vnc_tls_cflags" echo " TLS LIBS $vnc_tls_libs" fi +echo "VNC SASL support $vnc_sasl" +if test "$vnc_sasl" = "yes" ; then + echo " SASL CFLAGS $vnc_sasl_cflags" + echo " SASL LIBS $vnc_sasl_libs" +fi if test -n "$sparc_cpu"; then echo "Target Sparc Arch $sparc_cpu" fi @@ -1467,6 +1495,12 @@ if test "$vnc_tls" = "yes" ; then echo "CONFIG_VNC_TLS_LIBS=$vnc_tls_libs" >> $config_mak echo "#define CONFIG_VNC_TLS 1" >> $config_h fi +if test "$vnc_sasl" = "yes" ; then + echo "CONFIG_VNC_SASL=yes" >> $config_mak + echo "CONFIG_VNC_SASL_CFLAGS=$vnc_sasl_cflags" >> $config_mak + echo "CONFIG_VNC_SASL_LIBS=$vnc_sasl_libs" >> $config_mak + echo "#define CONFIG_VNC_SASL 1" >> $config_h +fi qemu_version=`head $source_path/VERSION` echo "VERSION=$qemu_version" >>$config_mak echo "#define QEMU_VERSION \"$qemu_version\"" >> $config_h Index: qemu-kvm-0.10/qemu/qemu-doc.texi =================================================================== --- qemu-kvm-0.10.orig/qemu/qemu-doc.texi +++ qemu-kvm-0.10/qemu/qemu-doc.texi @@ -624,6 +624,21 @@ path following this option specifies whe be loaded from. See the @ref{vnc_security} section for details on generating certificates. +@item sasl + +Require that the client use SASL to authenticate with the VNC server. +The exact choice of authentication method used is controlled from the +system / user's SASL configuration file for the 'qemu' service. This +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an +unprivileged user, an environment variable SASL_CONF_PATH can be used +to make it search alternate locations for the service config. +While some SASL auth methods can also provide data encryption (eg GSSAPI), +it is recommended that SASL always be combined with the 'tls' and +'x509' settings to enable use of SSL and server certificates. This +ensures a data encryption preventing compromise of authentication +credentials. See the @ref{vnc_security} section for details on using +SASL authentication. + @end table @end table @@ -2069,7 +2084,10 @@ considerations depending on the deployme * vnc_sec_certificate:: * vnc_sec_certificate_verify:: * vnc_sec_certificate_pw:: +* vnc_sec_sasl:: +* vnc_sec_certificate_sasl:: * vnc_generate_cert:: +* vnc_setup_sasl:: @end menu @node vnc_sec_none @subsection Without passwords @@ -2152,6 +2170,41 @@ Password: ******** (qemu) @end example + +@node vnc_sec_sasl +@subsection With SASL authentication + +The SASL authentication method is a VNC extension, that provides an +easily extendable, pluggable authentication method. This allows for +integration with a wide range of authentication mechanisms, such as +PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more. +The strength of the authentication depends on the exact mechanism +configured. If the chosen mechanism also provides a SSF layer, then +it will encrypt the datastream as well. + +Refer to the later docs on how to choose the exact SASL mechanism +used for authentication, but assuming use of one supporting SSF, +then QEMU can be launched with: + +@example +qemu [...OPTIONS...] -vnc :1,sasl -monitor stdio +@end example + +@node vnc_sec_certificate_sasl +@subsection With x509 certificates and SASL authentication + +If the desired SASL authentication mechanism does not supported +SSF layers, then it is strongly advised to run it in combination +with TLS and x509 certificates. This provides securely encrypted +data stream, avoiding risk of compromising of the security +credentials. This can be enabled, by combining the 'sasl' option +with the aforementioned TLS + x509 options: + +@example +qemu [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio +@end example + + @node vnc_generate_cert @subsection Generating certificates for VNC @@ -2263,6 +2316,50 @@ EOF The @code{client-key.pem} and @code{client-cert.pem} files should now be securely copied to the client for which they were generated. + +@node vnc_setup_sasl + +@subsection Configuring SASL mechanisms + +The following documentation assumes use of the Cyrus SASL implementation on a +Linux host, but the principals should apply to any other SASL impl. When SASL +is enabled, the mechanism configuration will be loaded from system default +SASL service config /etc/sasl2/qemu.conf. If running QEMU as an +unprivileged user, an environment variable SASL_CONF_PATH can be used +to make it search alternate locations for the service config. + +The default configuration might contain + +@example +mech_list: digest-md5 +sasldb_path: /etc/qemu/passwd.db +@end example + +This says to use the 'Digest MD5' mechanism, which is similar to the HTTP +Digest-MD5 mechanism. The list of valid usernames & passwords is maintained +in the /etc/qemu/passwd.db file, and can be updated using the saslpasswd2 +command. While this mechanism is easy to configure and use, it is not +considered secure by modern standards, so only suitable for developers / +ad-hoc testing. + +A more serious deployment might use Kerberos, which is done with the 'gssapi' +mechanism + +@example +mech_list: gssapi +keytab: /etc/qemu/krb5.tab +@end example + +For this to work the administrator of your KDC must generate a Kerberos +principal for the server, with a name of 'qemu/somehost.example.com@@EXAMPLE.COM' +replacing 'somehost.example.com' with the fully qualified host name of the +machine running QEMU, and 'EXAMPLE.COM' with the Keberos Realm. + +Other configurations will be left as an exercise for the reader. It should +be noted that only Digest-MD5 and GSSAPI provides a SSF layer for data +encryption. For all other mechanisms, VNC should always be configured to +use TLS and x509 certificates to protect security credentials from snooping. + @node gdb_usage @section GDB usage Index: qemu-kvm-0.10/qemu/qemu.sasl =================================================================== --- /dev/null +++ qemu-kvm-0.10/qemu/qemu.sasl @@ -0,0 +1,34 @@ +# If you want to use the non-TLS socket, then you *must* include +# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only +# ones that can offer session encryption as well as authentication. +# +# If you're only using TLS, then you can turn on any mechanisms +# you like for authentication, because TLS provides the encryption +# +# Default to a simple username+password mechanism +# NB digest-md5 is no longer considered secure by current standards +mech_list: digest-md5 + +# Before you can use GSSAPI, you need a service principle on the +# KDC server for libvirt, and that to be exported to the keytab +# file listed below +#mech_list: gssapi +# +# You can also list many mechanisms at once, then the user can choose +# by adding '?auth=sasl.gssapi' to their libvirt URI, eg +# qemu+tcp://hostname/system?auth=sasl.gssapi +#mech_list: digest-md5 gssapi + +# Some older builds of MIT kerberos on Linux ignore this option & +# instead need KRB5_KTNAME env var. +# For modern Linux, and other OS, this should be sufficient +keytab: /etc/qemu/krb5.tab + +# If using digest-md5 for username/passwds, then this is the file +# containing the passwds. Use 'saslpasswd2 -a qemu [username]' +# to add entries, and 'sasldblistusers2 -a qemu' to browse it +sasldb_path: /etc/qemu/passwd.db + + +auxprop_plugin: sasldb + Index: qemu-kvm-0.10/qemu/vnc-auth-sasl.c =================================================================== --- /dev/null +++ qemu-kvm-0.10/qemu/vnc-auth-sasl.c @@ -0,0 +1,626 @@ +/* + * QEMU VNC display driver: SASL auth protocol + * + * Copyright (C) 2009 Red Hat, Inc + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#include "vnc.h" + +/* Max amount of data we send/recv for SASL steps to prevent DOS */ +#define SASL_DATA_MAX_LEN (1024 * 1024) + + +void vnc_sasl_client_cleanup(VncState *vs) +{ + if (vs->sasl.conn) { + vs->sasl.runSSF = vs->sasl.waitWriteSSF = vs->sasl.wantSSF = 0; + vs->sasl.encodedLength = vs->sasl.encodedOffset = 0; + vs->sasl.encoded = NULL; + free(vs->sasl.username); + free(vs->sasl.mechlist); + vs->sasl.username = vs->sasl.mechlist = NULL; + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + } +} + + +long vnc_client_write_sasl(VncState *vs) +{ + long ret; + + VNC_DEBUG("Write SASL: Pending output %p size %d offset %d Encoded: %p size %d offset %d\n", + vs->output.buffer, vs->output.capacity, vs->output.offset, + vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset); + + if (!vs->sasl.encoded) { + int err; + err = sasl_encode(vs->sasl.conn, + (char *)vs->output.buffer, + vs->output.offset, + (const char **)&vs->sasl.encoded, + &vs->sasl.encodedLength); + if (err != SASL_OK) + return vnc_client_io_error(vs, -1, EIO); + + vs->sasl.encodedOffset = 0; + } + + ret = vnc_client_write_buf(vs, + vs->sasl.encoded + vs->sasl.encodedOffset, + vs->sasl.encodedLength - vs->sasl.encodedOffset); + if (!ret) + return 0; + + vs->sasl.encodedOffset += ret; + if (vs->sasl.encodedOffset == vs->sasl.encodedLength) { + vs->output.offset = 0; + vs->sasl.encoded = NULL; + vs->sasl.encodedOffset = vs->sasl.encodedLength = 0; + } + + /* Can't merge this block with one above, because + * someone might have written more unencrypted + * data in vs->output while we were processing + * SASL encoded output + */ + if (vs->output.offset == 0) { + qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs); + } + + return ret; +} + + +long vnc_client_read_sasl(VncState *vs) +{ + long ret; + uint8_t encoded[4096]; + const char *decoded; + unsigned int decodedLen; + int err; + + ret = vnc_client_read_buf(vs, encoded, sizeof(encoded)); + if (!ret) + return 0; + + err = sasl_decode(vs->sasl.conn, + (char *)encoded, ret, + &decoded, &decodedLen); + + if (err != SASL_OK) + return vnc_client_io_error(vs, -1, -EIO); + VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n", + encoded, ret, decoded, decodedLen); + buffer_reserve(&vs->input, decodedLen); + buffer_append(&vs->input, decoded, decodedLen); + return decodedLen; +} + + +static int vnc_auth_sasl_check_access(VncState *vs) +{ + const void *val; + int err; + + err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val); + if (err != SASL_OK) { + VNC_DEBUG("cannot query SASL username on connection %d (%s)\n", + err, sasl_errstring(err, NULL, NULL)); + return -1; + } + if (val == NULL) { + VNC_DEBUG("no client username was found\n"); + return -1; + } + VNC_DEBUG("SASL client username %s\n", (const char *)val); + + vs->sasl.username = qemu_strdup((const char*)val); + + return 0; +} + +static int vnc_auth_sasl_check_ssf(VncState *vs) +{ + const void *val; + int err, ssf; + + if (!vs->sasl.wantSSF) + return 1; + + err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val); + if (err != SASL_OK) + return 0; + + ssf = *(const int *)val; + VNC_DEBUG("negotiated an SSF of %d\n", ssf); + if (ssf < 56) + return 0; /* 56 is good for Kerberos */ + + /* Only setup for read initially, because we're about to send an RPC + * reply which must be in plain text. When the next incoming RPC + * arrives, we'll switch on writes too + * + * cf qemudClientReadSASL in qemud.c + */ + vs->sasl.runSSF = 1; + + /* We have a SSF that's good enough */ + return 1; +} + +/* + * Step Msg + * + * Input from client: + * + * u32 clientin-length + * u8-array clientin-string + * + * Output to client: + * + * u32 serverout-length + * u8-array serverout-strin + * u8 continue + */ + +static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len); + +static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len) +{ + uint32_t datalen = len; + const char *serverout; + unsigned int serveroutlen; + int err; + char *clientdata = NULL; + + /* NB, distinction of NULL vs "" is *critical* in SASL */ + if (datalen) { + clientdata = (char*)data; + clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */ + datalen--; /* Don't count NULL byte when passing to _start() */ + } + + VNC_DEBUG("Step using SASL Data %p (%d bytes)\n", + clientdata, datalen); + err = sasl_server_step(vs->sasl.conn, + clientdata, + datalen, + &serverout, + &serveroutlen); + if (err != SASL_OK && + err != SASL_CONTINUE) { + VNC_DEBUG("sasl step failed %d (%s)\n", + err, sasl_errdetail(vs->sasl.conn)); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + + if (serveroutlen > SASL_DATA_MAX_LEN) { + VNC_DEBUG("sasl step reply data too long %d\n", + serveroutlen); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + + VNC_DEBUG("SASL return data %d bytes, nil; %d\n", + serveroutlen, serverout ? 0 : 1); + + if (serveroutlen) { + vnc_write_u32(vs, serveroutlen + 1); + vnc_write(vs, serverout, serveroutlen + 1); + } else { + vnc_write_u32(vs, 0); + } + + /* Whether auth is complete */ + vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1); + + if (err == SASL_CONTINUE) { + VNC_DEBUG("%s", "Authentication must continue\n"); + /* Wait for step length */ + vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4); + } else { + if (!vnc_auth_sasl_check_ssf(vs)) { + VNC_DEBUG("Authentication rejected for weak SSF %d\n", vs->csock); + goto authreject; + } + + /* Check username whitelist ACL */ + if (vnc_auth_sasl_check_access(vs) < 0) { + VNC_DEBUG("Authentication rejected for ACL %d\n", vs->csock); + goto authreject; + } + + VNC_DEBUG("Authentication successful %d\n", vs->csock); + vnc_write_u32(vs, 0); /* Accept auth */ + /* + * Delay writing in SSF encoded mode until pending output + * buffer is written + */ + if (vs->sasl.runSSF) + vs->sasl.waitWriteSSF = vs->output.offset; + start_client_init(vs); + } + + return 0; + + authreject: + vnc_write_u32(vs, 1); /* Reject auth */ + vnc_write_u32(vs, sizeof("Authentication failed")); + vnc_write(vs, "Authentication failed", sizeof("Authentication failed")); + vnc_flush(vs); + vnc_client_error(vs); + return -1; + + authabort: + vnc_client_error(vs); + return -1; +} + +static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len) +{ + uint32_t steplen = read_u32(data, 0); + VNC_DEBUG("Got client step len %d\n", steplen); + if (steplen > SASL_DATA_MAX_LEN) { + VNC_DEBUG("Too much SASL data %d\n", steplen); + vnc_client_error(vs); + return -1; + } + + if (steplen == 0) + return protocol_client_auth_sasl_step(vs, NULL, 0); + else + vnc_read_when(vs, protocol_client_auth_sasl_step, steplen); + return 0; +} + +/* + * Start Msg + * + * Input from client: + * + * u32 clientin-length + * u8-array clientin-string + * + * Output to client: + * + * u32 serverout-length + * u8-array serverout-strin + * u8 continue + */ + +#define SASL_DATA_MAX_LEN (1024 * 1024) + +static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len) +{ + uint32_t datalen = len; + const char *serverout; + unsigned int serveroutlen; + int err; + char *clientdata = NULL; + + /* NB, distinction of NULL vs "" is *critical* in SASL */ + if (datalen) { + clientdata = (char*)data; + clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */ + datalen--; /* Don't count NULL byte when passing to _start() */ + } + + VNC_DEBUG("Start SASL auth with mechanism %s. Data %p (%d bytes)\n", + vs->sasl.mechlist, clientdata, datalen); + err = sasl_server_start(vs->sasl.conn, + vs->sasl.mechlist, + clientdata, + datalen, + &serverout, + &serveroutlen); + if (err != SASL_OK && + err != SASL_CONTINUE) { + VNC_DEBUG("sasl start failed %d (%s)\n", + err, sasl_errdetail(vs->sasl.conn)); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + if (serveroutlen > SASL_DATA_MAX_LEN) { + VNC_DEBUG("sasl start reply data too long %d\n", + serveroutlen); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + + VNC_DEBUG("SASL return data %d bytes, nil; %d\n", + serveroutlen, serverout ? 0 : 1); + + if (serveroutlen) { + vnc_write_u32(vs, serveroutlen + 1); + vnc_write(vs, serverout, serveroutlen + 1); + } else { + vnc_write_u32(vs, 0); + } + + /* Whether auth is complete */ + vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1); + + if (err == SASL_CONTINUE) { + VNC_DEBUG("%s", "Authentication must continue\n"); + /* Wait for step length */ + vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4); + } else { + if (!vnc_auth_sasl_check_ssf(vs)) { + VNC_DEBUG("Authentication rejected for weak SSF %d\n", vs->csock); + goto authreject; + } + + /* Check username whitelist ACL */ + if (vnc_auth_sasl_check_access(vs) < 0) { + VNC_DEBUG("Authentication rejected for ACL %d\n", vs->csock); + goto authreject; + } + + VNC_DEBUG("Authentication successful %d\n", vs->csock); + vnc_write_u32(vs, 0); /* Accept auth */ + start_client_init(vs); + } + + return 0; + + authreject: + vnc_write_u32(vs, 1); /* Reject auth */ + vnc_write_u32(vs, sizeof("Authentication failed")); + vnc_write(vs, "Authentication failed", sizeof("Authentication failed")); + vnc_flush(vs); + vnc_client_error(vs); + return -1; + + authabort: + vnc_client_error(vs); + return -1; +} + +static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len) +{ + uint32_t startlen = read_u32(data, 0); + VNC_DEBUG("Got client start len %d\n", startlen); + if (startlen > SASL_DATA_MAX_LEN) { + VNC_DEBUG("Too much SASL data %d\n", startlen); + vnc_client_error(vs); + return -1; + } + + if (startlen == 0) + return protocol_client_auth_sasl_start(vs, NULL, 0); + + vnc_read_when(vs, protocol_client_auth_sasl_start, startlen); + return 0; +} + +static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len) +{ + char *mechname = malloc(len + 1); + if (!mechname) { + VNC_DEBUG("Out of memory reading mechname\n"); + vnc_client_error(vs); + } + strncpy(mechname, (char*)data, len); + mechname[len] = '\0'; + VNC_DEBUG("Got client mechname '%s' check against '%s'\n", + mechname, vs->sasl.mechlist); + + if (strncmp(vs->sasl.mechlist, mechname, len) == 0) { + if (vs->sasl.mechlist[len] != '\0' && + vs->sasl.mechlist[len] != ',') { + VNC_DEBUG("One %d", vs->sasl.mechlist[len]); + vnc_client_error(vs); + return -1; + } + } else { + char *offset = strstr(vs->sasl.mechlist, mechname); + VNC_DEBUG("Two %p\n", offset); + if (!offset) { + vnc_client_error(vs); + return -1; + } + VNC_DEBUG("Two '%s'\n", offset); + if (offset[-1] != ',' || + (offset[len] != '\0'&& + offset[len] != ',')) { + vnc_client_error(vs); + return -1; + } + } + + free(vs->sasl.mechlist); + vs->sasl.mechlist = mechname; + + VNC_DEBUG("Validated mechname '%s'\n", mechname); + vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4); + return 0; +} + +static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len) +{ + uint32_t mechlen = read_u32(data, 0); + VNC_DEBUG("Got client mechname len %d\n", mechlen); + if (mechlen > 100) { + VNC_DEBUG("Too long SASL mechname data %d\n", mechlen); + vnc_client_error(vs); + return -1; + } + if (mechlen < 1) { + VNC_DEBUG("Too short SASL mechname %d\n", mechlen); + vnc_client_error(vs); + return -1; + } + vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen); + return 0; +} + +#define USES_X509_AUTH(vs) \ + ((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE || \ + (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC || \ + (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \ + (vs)->subauth == VNC_AUTH_VENCRYPT_X509SASL) + + +void start_auth_sasl(VncState *vs) +{ + const char *mechlist = NULL; + sasl_security_properties_t secprops; + int err; + char *localAddr, *remoteAddr; + int mechlistlen; + + VNC_DEBUG("Initialize SASL auth %d\n", vs->csock); + + /* Get local & remote client addresses in form IPADDR;PORT */ + if (!(localAddr = vnc_socket_local_addr("%s;%s", vs->csock))) + goto authabort; + + if (!(remoteAddr = vnc_socket_remote_addr("%s;%s", vs->csock))) { + free(localAddr); + goto authabort; + } + + err = sasl_server_new("vnc", + NULL, /* FQDN - just delegates to gethostname */ + NULL, /* User realm */ + localAddr, + remoteAddr, + NULL, /* Callbacks, not needed */ + SASL_SUCCESS_DATA, + &vs->sasl.conn); + free(localAddr); + free(remoteAddr); + localAddr = remoteAddr = NULL; + + if (err != SASL_OK) { + VNC_DEBUG("sasl context setup failed %d (%s)", + err, sasl_errstring(err, NULL, NULL)); + vs->sasl.conn = NULL; + goto authabort; + } + +#ifdef CONFIG_VNC_TLS + /* Inform SASL that we've got an external SSF layer from TLS/x509 */ + if (vs->vd->auth == VNC_AUTH_VENCRYPT && + vs->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL) { + gnutls_cipher_algorithm_t cipher; + sasl_ssf_t ssf; + + cipher = gnutls_cipher_get(vs->tls.session); + if (!(ssf = (sasl_ssf_t)gnutls_cipher_get_key_size(cipher))) { + VNC_DEBUG("%s", "cannot TLS get cipher size\n"); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + ssf *= 8; /* tls key size is bytes, sasl wants bits */ + + err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf); + if (err != SASL_OK) { + VNC_DEBUG("cannot set SASL external SSF %d (%s)\n", + err, sasl_errstring(err, NULL, NULL)); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + } else +#endif /* CONFIG_VNC_TLS */ + vs->sasl.wantSSF = 1; + + memset (&secprops, 0, sizeof secprops); + /* Inform SASL that we've got an external SSF layer from TLS */ + if (strncmp(vs->vd->display, "unix:", 5) == 0 +#ifdef CONFIG_VNC_TLS + /* Disable SSF, if using TLS+x509+SASL only. TLS without x509 + is not sufficiently strong */ + || (vs->vd->auth == VNC_AUTH_VENCRYPT && + vs->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL) +#endif /* CONFIG_VNC_TLS */ + ) { + /* If we've got TLS or UNIX domain sock, we don't care about SSF */ + secprops.min_ssf = 0; + secprops.max_ssf = 0; + secprops.maxbufsize = 8192; + secprops.security_flags = 0; + } else { + /* Plain TCP, better get an SSF layer */ + secprops.min_ssf = 56; /* Good enough to require kerberos */ + secprops.max_ssf = 100000; /* Arbitrary big number */ + secprops.maxbufsize = 8192; + /* Forbid any anonymous or trivially crackable auth */ + secprops.security_flags = + SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT; + } + + err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops); + if (err != SASL_OK) { + VNC_DEBUG("cannot set SASL security props %d (%s)\n", + err, sasl_errstring(err, NULL, NULL)); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + + err = sasl_listmech(vs->sasl.conn, + NULL, /* Don't need to set user */ + "", /* Prefix */ + ",", /* Separator */ + "", /* Suffix */ + &mechlist, + NULL, + NULL); + if (err != SASL_OK) { + VNC_DEBUG("cannot list SASL mechanisms %d (%s)\n", + err, sasl_errdetail(vs->sasl.conn)); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + VNC_DEBUG("Available mechanisms for client: '%s'\n", mechlist); + + if (!(vs->sasl.mechlist = strdup(mechlist))) { + VNC_DEBUG("Out of memory"); + sasl_dispose(&vs->sasl.conn); + vs->sasl.conn = NULL; + goto authabort; + } + mechlistlen = strlen(mechlist); + vnc_write_u32(vs, mechlistlen); + vnc_write(vs, mechlist, mechlistlen); + vnc_flush(vs); + + VNC_DEBUG("Wait for client mechname length\n"); + vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4); + + return; + + authabort: + vnc_client_error(vs); + return; +} + + Index: qemu-kvm-0.10/qemu/vnc-auth-sasl.h =================================================================== --- /dev/null +++ qemu-kvm-0.10/qemu/vnc-auth-sasl.h @@ -0,0 +1,67 @@ +/* + * QEMU VNC display driver: SASL auth protocol + * + * Copyright (C) 2009 Red Hat, Inc + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + + +#ifndef __QEMU_VNC_AUTH_SASL_H__ +#define __QEMU_VNC_AUTH_SASL_H__ + + +#include + +typedef struct VncStateSASL VncStateSASL; + +struct VncStateSASL { + sasl_conn_t *conn; + /* If we want to negotiate an SSF layer with client */ + int wantSSF :1; + /* If we are now running the SSF layer */ + int runSSF :1; + /* + * If this is non-zero, then wait for that many bytes + * to be written plain, before switching to SSF encoding + * This allows the VNC auth result to finish being + * written in plain. + */ + unsigned int waitWriteSSF; + + /* + * Buffering encoded data to allow more clear data + * to be stuffed onto the output buffer + */ + const uint8_t *encoded; + unsigned int encodedLength; + unsigned int encodedOffset; + char *username; + char *mechlist; +}; + +void vnc_sasl_client_cleanup(VncState *vs); + +long vnc_client_read_sasl(VncState *vs); +long vnc_client_write_sasl(VncState *vs); + +void start_auth_sasl(VncState *vs); + +#endif /* __QEMU_VNC_AUTH_SASL_H__ */ + Index: qemu-kvm-0.10/qemu/vnc-auth-vencrypt.c =================================================================== --- qemu-kvm-0.10.orig/qemu/vnc-auth-vencrypt.c +++ qemu-kvm-0.10/qemu/vnc-auth-vencrypt.c @@ -43,8 +43,15 @@ static void start_auth_vencrypt_subauth( start_auth_vnc(vs); break; +#ifdef CONFIG_VNC_SASL + case VNC_AUTH_VENCRYPT_TLSSASL: + case VNC_AUTH_VENCRYPT_X509SASL: + VNC_DEBUG("Start TLS auth SASL\n"); + return start_auth_sasl(vs); +#endif /* CONFIG_VNC_SASL */ + default: /* Should not be possible, but just in case */ - VNC_DEBUG("Reject auth %d\n", vs->vd->auth); + VNC_DEBUG("Reject subauth %d server bug\n", vs->vd->auth); vnc_write_u8(vs, 1); if (vs->minor >= 8) { static const char err[] = "Unsupported authentication type"; @@ -105,7 +112,8 @@ static void vnc_tls_handshake_io(void *o #define NEED_X509_AUTH(vs) \ ((vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509NONE || \ (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509VNC || \ - (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509PLAIN) + (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509PLAIN || \ + (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL) static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len) Index: qemu-kvm-0.10/qemu/vnc.c =================================================================== --- qemu-kvm-0.10.orig/qemu/vnc.c +++ qemu-kvm-0.10/qemu/vnc.c @@ -68,7 +68,8 @@ static char *addr_to_string(const char * return addr; } -static char *vnc_socket_local_addr(const char *format, int fd) { + +char *vnc_socket_local_addr(const char *format, int fd) { struct sockaddr_storage sa; socklen_t salen; @@ -79,7 +80,8 @@ static char *vnc_socket_local_addr(const return addr_to_string(format, &sa, salen); } -static char *vnc_socket_remote_addr(const char *format, int fd) { + +char *vnc_socket_remote_addr(const char *format, int fd) { struct sockaddr_storage sa; socklen_t salen; @@ -125,12 +127,18 @@ static const char *vnc_auth_name(VncDisp return "vencrypt+x509+vnc"; case VNC_AUTH_VENCRYPT_X509PLAIN: return "vencrypt+x509+plain"; + case VNC_AUTH_VENCRYPT_TLSSASL: + return "vencrypt+tls+sasl"; + case VNC_AUTH_VENCRYPT_X509SASL: + return "vencrypt+x509+sasl"; default: return "vencrypt"; } #else return "vencrypt"; #endif + case VNC_AUTH_SASL: + return "sasl"; } return "unknown"; } @@ -278,7 +286,7 @@ static void vnc_framebuffer_update(VncSt vnc_write_s32(vs, encoding); } -static void buffer_reserve(Buffer *buffer, size_t len) +void buffer_reserve(Buffer *buffer, size_t len) { if ((buffer->capacity - buffer->offset) < len) { buffer->capacity += (len + 1024); @@ -290,22 +298,22 @@ static void buffer_reserve(Buffer *buffe } } -static int buffer_empty(Buffer *buffer) +int buffer_empty(Buffer *buffer) { return buffer->offset == 0; } -static uint8_t *buffer_end(Buffer *buffer) +uint8_t *buffer_end(Buffer *buffer) { return buffer->buffer + buffer->offset; } -static void buffer_reset(Buffer *buffer) +void buffer_reset(Buffer *buffer) { buffer->offset = 0; } -static void buffer_append(Buffer *buffer, const void *data, size_t len) +void buffer_append(Buffer *buffer, const void *data, size_t len) { memcpy(buffer->buffer + buffer->offset, data, len); buffer->offset += len; @@ -821,7 +829,8 @@ static void audio_del(VncState *vs) } } -static int vnc_client_io_error(VncState *vs, int ret, int last_errno) + +int vnc_client_io_error(VncState *vs, int ret, int last_errno) { if (ret == 0 || ret == -1) { if (ret == -1) { @@ -847,6 +856,9 @@ static int vnc_client_io_error(VncState #ifdef CONFIG_VNC_TLS vnc_tls_client_cleanup(vs); #endif /* CONFIG_VNC_TLS */ +#ifdef CONFIG_VNC_SASL + vnc_sasl_client_cleanup(vs); +#endif /* CONFIG_VNC_SASL */ audio_del(vs); VncState *p, *parent = NULL; @@ -877,14 +889,28 @@ void vnc_client_error(VncState *vs) vnc_client_io_error(vs, -1, EINVAL); } -void vnc_client_write(void *opaque) + +/* + * Called to write a chunk of data to the client socket. The data may + * be the raw data, or may have already been encoded by SASL. + * The data will be written either straight onto the socket, or + * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled + * + * NB, it is theoretically possible to have 2 layers of encryption, + * both SASL, and this TLS layer. It is highly unlikely in practice + * though, since SASL encryption will typically be a no-op if TLS + * is active + * + * Returns the number of bytes written, which may be less than + * the requested 'datalen' if the socket would block. Returns + * -1 on error, and disconnects the client socket. + */ +long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen) { long ret; - VncState *vs = opaque; - #ifdef CONFIG_VNC_TLS if (vs->tls.session) { - ret = gnutls_write(vs->tls.session, vs->output.buffer, vs->output.offset); + ret = gnutls_write(vs->tls.session, data, datalen); if (ret < 0) { if (ret == GNUTLS_E_AGAIN) errno = EAGAIN; @@ -894,10 +920,42 @@ void vnc_client_write(void *opaque) } } else #endif /* CONFIG_VNC_TLS */ - ret = send(vs->csock, vs->output.buffer, vs->output.offset, 0); - ret = vnc_client_io_error(vs, ret, socket_error()); + ret = send(vs->csock, data, datalen, 0); + VNC_DEBUG("Wrote wire %p %d -> %ld\n", data, datalen, ret); + return vnc_client_io_error(vs, ret, socket_error()); +} + + +/* + * Called to write buffered data to the client socket, when not + * using any SASL SSF encryption layers. Will write as much data + * as possible without blocking. If all buffered data is written, + * will switch the FD poll() handler back to read monitoring. + * + * Returns the number of bytes written, which may be less than + * the buffered output data if the socket would block. Returns + * -1 on error, and disconnects the client socket. + */ +static long vnc_client_write_plain(VncState *vs) +{ + long ret; + +#ifdef CONFIG_VNC_SASL + VNC_DEBUG("Write Plain: Pending output %p size %d offset %d. Wait SSF %d\n", + vs->output.buffer, vs->output.capacity, vs->output.offset, + vs->sasl.waitWriteSSF); + + if (vs->sasl.conn && + vs->sasl.runSSF && + vs->sasl.waitWriteSSF) { + ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF); + if (ret) + vs->sasl.waitWriteSSF -= ret; + } else +#endif /* CONFIG_VNC_SASL */ + ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset); if (!ret) - return; + return 0; memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret)); vs->output.offset -= ret; @@ -905,6 +963,29 @@ void vnc_client_write(void *opaque) if (vs->output.offset == 0) { qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs); } + + return ret; +} + + +/* + * First function called whenever there is data to be written to + * the client socket. Will delegate actual work according to whether + * SASL SSF layers are enabled (thus requiring encryption calls) + */ +void vnc_client_write(void *opaque) +{ + long ret; + VncState *vs = opaque; + +#ifdef CONFIG_VNC_SASL + if (vs->sasl.conn && + vs->sasl.runSSF && + !vs->sasl.waitWriteSSF) + ret = vnc_client_write_sasl(vs); + else +#endif /* CONFIG_VNC_SASL */ + ret = vnc_client_write_plain(vs); } void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting) @@ -913,16 +994,28 @@ void vnc_read_when(VncState *vs, VncRead vs->read_handler_expect = expecting; } -void vnc_client_read(void *opaque) + +/* + * Called to read a chunk of data from the client socket. The data may + * be the raw data, or may need to be further decoded by SASL. + * The data will be read either straight from to the socket, or + * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled + * + * NB, it is theoretically possible to have 2 layers of encryption, + * both SASL, and this TLS layer. It is highly unlikely in practice + * though, since SASL encryption will typically be a no-op if TLS + * is active + * + * Returns the number of bytes read, which may be less than + * the requested 'datalen' if the socket would block. Returns + * -1 on error, and disconnects the client socket. + */ +long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen) { - VncState *vs = opaque; long ret; - - buffer_reserve(&vs->input, 4096); - #ifdef CONFIG_VNC_TLS if (vs->tls.session) { - ret = gnutls_read(vs->tls.session, buffer_end(&vs->input), 4096); + ret = gnutls_read(vs->tls.session, data, datalen); if (ret < 0) { if (ret == GNUTLS_E_AGAIN) errno = EAGAIN; @@ -932,12 +1025,52 @@ void vnc_client_read(void *opaque) } } else #endif /* CONFIG_VNC_TLS */ - ret = recv(vs->csock, buffer_end(&vs->input), 4096, 0); - ret = vnc_client_io_error(vs, ret, socket_error()); - if (!ret) - return; + ret = recv(vs->csock, data, datalen, 0); + VNC_DEBUG("Read wire %p %d -> %ld\n", data, datalen, ret); + return vnc_client_io_error(vs, ret, socket_error()); +} + +/* + * Called to read data from the client socket to the input buffer, + * when not using any SASL SSF encryption layers. Will read as much + * data as possible without blocking. + * + * Returns the number of bytes read. Returns -1 on error, and + * disconnects the client socket. + */ +static long vnc_client_read_plain(VncState *vs) +{ + int ret; + VNC_DEBUG("Read plain %p size %d offset %d\n", + vs->input.buffer, vs->input.capacity, vs->input.offset); + buffer_reserve(&vs->input, 4096); + ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096); + if (!ret) + return 0; vs->input.offset += ret; + return ret; +} + + +/* + * First function called whenever there is more data to be read from + * the client socket. Will delegate actual work according to whether + * SASL SSF layers are enabled (thus requiring decryption calls) + */ +void vnc_client_read(void *opaque) +{ + VncState *vs = opaque; + long ret; + +#ifdef CONFIG_VNC_SASL + if (vs->sasl.conn && vs->sasl.runSSF) + ret = vnc_client_read_sasl(vs); + else +#endif /* CONFIG_VNC_SASL */ + ret = vnc_client_read_plain(vs); + if (!ret) + return; while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) { size_t len = vs->read_handler_expect; @@ -1722,6 +1855,13 @@ static int protocol_client_auth(VncState break; #endif /* CONFIG_VNC_TLS */ +#ifdef CONFIG_VNC_SASL + case VNC_AUTH_SASL: + VNC_DEBUG("Accept SASL auth\n"); + start_auth_sasl(vs); + break; +#endif /* CONFIG_VNC_SASL */ + default: /* Should not be possible, but just in case */ VNC_DEBUG("Reject auth %d\n", vs->vd->auth); vnc_write_u8(vs, 1); @@ -1923,6 +2063,10 @@ int vnc_display_open(DisplayState *ds, c #ifdef CONFIG_VNC_TLS int tls = 0, x509 = 0; #endif +#ifdef CONFIG_VNC_SASL + int sasl = 0; + int saslErr; +#endif if (!vnc_display) return -1; @@ -1942,6 +2086,10 @@ int vnc_display_open(DisplayState *ds, c reverse = 1; } else if (strncmp(options, "to=", 3) == 0) { to_port = atoi(options+3) + 5900; +#ifdef CONFIG_VNC_SASL + } else if (strncmp(options, "sasl", 4) == 0) { + sasl = 1; /* Require SASL auth */ +#endif #ifdef CONFIG_VNC_TLS } else if (strncmp(options, "tls", 3) == 0) { tls = 1; /* Require TLS */ @@ -1978,6 +2126,22 @@ int vnc_display_open(DisplayState *ds, c } } + /* + * Combinations we support here: + * + * - no-auth (clear text, no auth) + * - password (clear text, weak auth) + * - sasl (encrypt, good auth *IF* using Kerberos via GSSAPI) + * - tls (encrypt, weak anonymous creds, no auth) + * - tls + password (encrypt, weak anonymous creds, weak auth) + * - tls + sasl (encrypt, weak anonymous creds, good auth) + * - tls + x509 (encrypt, good x509 creds, no auth) + * - tls + x509 + password (encrypt, good x509 creds, weak auth) + * - tls + x509 + sasl (encrypt, good x509 creds, good auth) + * + * NB1. TLS is a stackable auth scheme. + * NB2. the x509 schemes have option to validate a client cert dname + */ if (password) { #ifdef CONFIG_VNC_TLS if (tls) { @@ -1990,13 +2154,34 @@ int vnc_display_open(DisplayState *ds, c vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC; } } else { -#endif +#endif /* CONFIG_VNC_TLS */ VNC_DEBUG("Initializing VNC server with password auth\n"); vs->auth = VNC_AUTH_VNC; #ifdef CONFIG_VNC_TLS vs->subauth = VNC_AUTH_INVALID; } -#endif +#endif /* CONFIG_VNC_TLS */ +#ifdef CONFIG_VNC_SASL + } else if (sasl) { +#ifdef CONFIG_VNC_TLS + if (tls) { + vs->auth = VNC_AUTH_VENCRYPT; + if (x509) { + VNC_DEBUG("Initializing VNC server with x509 SASL auth\n"); + vs->subauth = VNC_AUTH_VENCRYPT_X509SASL; + } else { + VNC_DEBUG("Initializing VNC server with TLS SASL auth\n"); + vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL; + } + } else { +#endif /* CONFIG_VNC_TLS */ + VNC_DEBUG("Initializing VNC server with SASL auth\n"); + vs->auth = VNC_AUTH_SASL; +#ifdef CONFIG_VNC_TLS + vs->subauth = VNC_AUTH_INVALID; + } +#endif /* CONFIG_VNC_TLS */ +#endif /* CONFIG_VNC_SASL */ } else { #ifdef CONFIG_VNC_TLS if (tls) { @@ -2018,6 +2203,16 @@ int vnc_display_open(DisplayState *ds, c #endif } +#ifdef CONFIG_VNC_SASL + if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) { + fprintf(stderr, "Failed to initialize SASL auth %s", + sasl_errstring(saslErr, NULL, NULL)); + free(vs->display); + vs->display = NULL; + return -1; + } +#endif + if (reverse) { /* connect to viewer */ if (strncmp(display, "unix:", 5) == 0) Index: qemu-kvm-0.10/qemu/vnc.h =================================================================== --- qemu-kvm-0.10.orig/qemu/vnc.h +++ qemu-kvm-0.10/qemu/vnc.h @@ -79,6 +79,10 @@ typedef struct VncDisplay VncDisplay; #include "vnc-tls.h" #include "vnc-auth-vencrypt.h" #endif +#ifdef CONFIG_VNC_SASL +#include "vnc-auth-sasl.h" +#endif + struct VncDisplay { @@ -118,10 +122,12 @@ struct VncState int minor; char challenge[VNC_AUTH_CHALLENGE_SIZE]; - #ifdef CONFIG_VNC_TLS VncStateTLS tls; #endif +#ifdef CONFIG_VNC_SASL + VncStateSASL sasl; +#endif Buffer output; Buffer input; @@ -160,8 +166,9 @@ enum { VNC_AUTH_RA2NE = 6, VNC_AUTH_TIGHT = 16, VNC_AUTH_ULTRA = 17, - VNC_AUTH_TLS = 18, - VNC_AUTH_VENCRYPT = 19 + VNC_AUTH_TLS = 18, /* Supported in GTK-VNC & VINO */ + VNC_AUTH_VENCRYPT = 19, /* Supported in GTK-VNC & VeNCrypt */ + VNC_AUTH_SASL = 20, /* Supported in GTK-VNC & VINO */ }; enum { @@ -172,6 +179,8 @@ enum { VNC_AUTH_VENCRYPT_X509NONE = 260, VNC_AUTH_VENCRYPT_X509VNC = 261, VNC_AUTH_VENCRYPT_X509PLAIN = 262, + VNC_AUTH_VENCRYPT_X509SASL = 263, + VNC_AUTH_VENCRYPT_TLSSASL = 264, }; @@ -255,6 +264,8 @@ enum { void vnc_client_read(void *opaque); void vnc_client_write(void *opaque); +long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen); +long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen); /* Protocol I/O functions */ void vnc_write(VncState *vs, const void *data, size_t len); @@ -274,8 +285,22 @@ uint32_t read_u32(uint8_t *data, size_t /* Protocol stage functions */ void vnc_client_error(VncState *vs); +int vnc_client_io_error(VncState *vs, int ret, int last_errno); void start_client_init(VncState *vs); void start_auth_vnc(VncState *vs); +/* Buffer management */ +void buffer_reserve(Buffer *buffer, size_t len); +int buffer_empty(Buffer *buffer); +uint8_t *buffer_end(Buffer *buffer); +void buffer_reset(Buffer *buffer); +void buffer_append(Buffer *buffer, const void *data, size_t len); + + +/* Misc helpers */ + +char *vnc_socket_local_addr(const char *format, int fd); +char *vnc_socket_remote_addr(const char *format, int fd); + #endif /* __QEMU_VNC_H */