|
|
4a2fec |
From d22fb15220016b86cca81f73f27c748f5a5c1183 Mon Sep 17 00:00:00 2001
|
|
|
4a2fec |
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
|
4a2fec |
Date: Mon, 5 Feb 2018 11:09:57 +0100
|
|
|
4a2fec |
Subject: [PATCH 03/20] ui: add tracing of VNC authentication process
|
|
|
4a2fec |
|
|
|
4a2fec |
RH-Author: Daniel P. Berrange <berrange@redhat.com>
|
|
|
4a2fec |
Message-id: <20180205111012.6210-3-berrange@redhat.com>
|
|
|
4a2fec |
Patchwork-id: 78881
|
|
|
4a2fec |
O-Subject: [RHV-7.5 qemu-kvm-rhev PATCH v2 02/17] ui: add tracing of VNC authentication process
|
|
|
4a2fec |
Bugzilla: 1527404
|
|
|
4a2fec |
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
4a2fec |
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
4a2fec |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
4a2fec |
|
|
|
4a2fec |
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
|
4a2fec |
|
|
|
4a2fec |
Trace anything related to authentication in the VNC protocol
|
|
|
4a2fec |
handshake
|
|
|
4a2fec |
|
|
|
4a2fec |
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
|
|
4a2fec |
Message-id: 20170921121528.23935-3-berrange@redhat.com
|
|
|
4a2fec |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
4a2fec |
(cherry picked from commit 7364dbdabb7824d5bde1e341bb6d928282f01c83)
|
|
|
4a2fec |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
4a2fec |
---
|
|
|
4a2fec |
ui/trace-events | 15 +++++++
|
|
|
4a2fec |
ui/vnc-auth-sasl.c | 113 ++++++++++++++++++++++---------------------------
|
|
|
4a2fec |
ui/vnc-auth-vencrypt.c | 21 ++++-----
|
|
|
4a2fec |
ui/vnc.c | 36 ++++++++--------
|
|
|
4a2fec |
4 files changed, 92 insertions(+), 93 deletions(-)
|
|
|
4a2fec |
|
|
|
4a2fec |
diff --git a/ui/trace-events b/ui/trace-events
|
|
|
4a2fec |
index e4c02e4..1a9f126 100644
|
|
|
4a2fec |
--- a/ui/trace-events
|
|
|
4a2fec |
+++ b/ui/trace-events
|
|
|
4a2fec |
@@ -35,6 +35,21 @@ vnc_client_connect(void *state, void *ioc) "VNC client connect state=%p ioc=%p"
|
|
|
4a2fec |
vnc_client_disconnect_start(void *state, void *ioc) "VNC client disconnect start state=%p ioc=%p"
|
|
|
4a2fec |
vnc_client_disconnect_finish(void *state, void *ioc) "VNC client disconnect finish state=%p ioc=%p"
|
|
|
4a2fec |
vnc_client_io_wrap(void *state, void *ioc, const char *type) "VNC client I/O wrap state=%p ioc=%p type=%s"
|
|
|
4a2fec |
+vnc_auth_init(void *display, int websock, int auth, int subauth) "VNC auth init state=%p websock=%d auth=%d subauth=%d"
|
|
|
4a2fec |
+vnc_auth_start(void *state, int method) "VNC client auth start state=%p method=%d"
|
|
|
4a2fec |
+vnc_auth_pass(void *state, int method) "VNC client auth passed state=%p method=%d"
|
|
|
4a2fec |
+vnc_auth_fail(void *state, int method, const char *message, const char *reason) "VNC client auth failed state=%p method=%d message=%s reason=%s"
|
|
|
4a2fec |
+vnc_auth_reject(void *state, int expect, int got) "VNC client auth rejected state=%p method expected=%d got=%d"
|
|
|
4a2fec |
+vnc_auth_vencrypt_version(void *state, int major, int minor) "VNC client auth vencrypt version state=%p major=%d minor=%d"
|
|
|
4a2fec |
+vnc_auth_vencrypt_subauth(void *state, int auth) "VNC client auth vencrypt subauth state=%p auth=%d"
|
|
|
4a2fec |
+vnc_auth_sasl_mech_list(void *state, const char *mechs) "VNC client auth SASL state=%p mechlist=%s"
|
|
|
4a2fec |
+vnc_auth_sasl_mech_choose(void *state, const char *mech) "VNC client auth SASL state=%p mech=%s"
|
|
|
4a2fec |
+vnc_auth_sasl_start(void *state, const void *clientdata, size_t clientlen, const void *serverdata, size_t severlen, int ret) "VNC client auth SASL start state=%p clientdata=%p clientlen=%zu serverdata=%p serverlen=%zu ret=%d"
|
|
|
4a2fec |
+vnc_auth_sasl_step(void *state, const void *clientdata, size_t clientlen, const void *serverdata, size_t severlen, int ret) "VNC client auth SASL step state=%p clientdata=%p clientlen=%zu serverdata=%p serverlen=%zu ret=%d"
|
|
|
4a2fec |
+vnc_auth_sasl_ssf(void *state, int ssf) "VNC client auth SASL SSF state=%p size=%d"
|
|
|
4a2fec |
+vnc_auth_sasl_username(void *state, const char *name) "VNC client auth SASL user state=%p name=%s"
|
|
|
4a2fec |
+vnc_auth_sasl_acl(void *state, int allow) "VNC client auth SASL ACL state=%p allow=%d"
|
|
|
4a2fec |
+
|
|
|
4a2fec |
|
|
|
4a2fec |
# ui/input.c
|
|
|
4a2fec |
input_event_key_number(int conidx, int number, const char *qcode, bool down) "con %d, key number 0x%x [%s], down %d"
|
|
|
4a2fec |
diff --git a/ui/vnc-auth-sasl.c b/ui/vnc-auth-sasl.c
|
|
|
4a2fec |
index 3ade4a4..23f2828 100644
|
|
|
4a2fec |
--- a/ui/vnc-auth-sasl.c
|
|
|
4a2fec |
+++ b/ui/vnc-auth-sasl.c
|
|
|
4a2fec |
@@ -25,6 +25,7 @@
|
|
|
4a2fec |
#include "qemu/osdep.h"
|
|
|
4a2fec |
#include "qapi/error.h"
|
|
|
4a2fec |
#include "vnc.h"
|
|
|
4a2fec |
+#include "trace.h"
|
|
|
4a2fec |
|
|
|
4a2fec |
/* Max amount of data we send/recv for SASL steps to prevent DOS */
|
|
|
4a2fec |
#define SASL_DATA_MAX_LEN (1024 * 1024)
|
|
|
4a2fec |
@@ -133,27 +134,26 @@ static int vnc_auth_sasl_check_access(VncState *vs)
|
|
|
4a2fec |
|
|
|
4a2fec |
err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val;;
|
|
|
4a2fec |
if (err != SASL_OK) {
|
|
|
4a2fec |
- VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n",
|
|
|
4a2fec |
- err, sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Cannot fetch SASL username",
|
|
|
4a2fec |
+ sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
if (val == NULL) {
|
|
|
4a2fec |
- VNC_DEBUG("no client username was found, denying access\n");
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "No SASL username set", "");
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
- VNC_DEBUG("SASL client username %s\n", (const char *)val);
|
|
|
4a2fec |
|
|
|
4a2fec |
vs->sasl.username = g_strdup((const char*)val);
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_username(vs, vs->sasl.username);
|
|
|
4a2fec |
|
|
|
4a2fec |
if (vs->vd->sasl.acl == NULL) {
|
|
|
4a2fec |
- VNC_DEBUG("no ACL activated, allowing access\n");
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_acl(vs, 1);
|
|
|
4a2fec |
return 0;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("SASL client %s %s by ACL\n", vs->sasl.username,
|
|
|
4a2fec |
- allow ? "allowed" : "denied");
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_acl(vs, allow);
|
|
|
4a2fec |
return allow ? 0 : -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
@@ -170,7 +170,9 @@ static int vnc_auth_sasl_check_ssf(VncState *vs)
|
|
|
4a2fec |
return 0;
|
|
|
4a2fec |
|
|
|
4a2fec |
ssf = *(const int *)val;
|
|
|
4a2fec |
- VNC_DEBUG("negotiated an SSF of %d\n", ssf);
|
|
|
4a2fec |
+
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_ssf(vs, ssf);
|
|
|
4a2fec |
+
|
|
|
4a2fec |
if (ssf < 56)
|
|
|
4a2fec |
return 0; /* 56 is good for Kerberos */
|
|
|
4a2fec |
|
|
|
4a2fec |
@@ -218,33 +220,28 @@ static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t le
|
|
|
4a2fec |
datalen--; /* Don't count NULL byte when passing to _start() */
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Step using SASL Data %p (%d bytes)\n",
|
|
|
4a2fec |
- clientdata, datalen);
|
|
|
4a2fec |
err = sasl_server_step(vs->sasl.conn,
|
|
|
4a2fec |
clientdata,
|
|
|
4a2fec |
datalen,
|
|
|
4a2fec |
&serverout,
|
|
|
4a2fec |
&serveroutlen);
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_step(vs, data, len, serverout, serveroutlen, err);
|
|
|
4a2fec |
if (err != SASL_OK &&
|
|
|
4a2fec |
err != SASL_CONTINUE) {
|
|
|
4a2fec |
- VNC_DEBUG("sasl step failed %d (%s)\n",
|
|
|
4a2fec |
- err, sasl_errdetail(vs->sasl.conn));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Cannot step SASL auth",
|
|
|
4a2fec |
+ sasl_errdetail(vs->sasl.conn));
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
if (serveroutlen > SASL_DATA_MAX_LEN) {
|
|
|
4a2fec |
- VNC_DEBUG("sasl step reply data too long %d\n",
|
|
|
4a2fec |
- serveroutlen);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("SASL return data %d bytes, nil; %d\n",
|
|
|
4a2fec |
- serveroutlen, serverout ? 0 : 1);
|
|
|
4a2fec |
-
|
|
|
4a2fec |
if (serveroutlen) {
|
|
|
4a2fec |
vnc_write_u32(vs, serveroutlen + 1);
|
|
|
4a2fec |
vnc_write(vs, serverout, serveroutlen + 1);
|
|
|
4a2fec |
@@ -256,22 +253,20 @@ static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t le
|
|
|
4a2fec |
vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
|
|
|
4a2fec |
|
|
|
4a2fec |
if (err == SASL_CONTINUE) {
|
|
|
4a2fec |
- VNC_DEBUG("%s", "Authentication must continue\n");
|
|
|
4a2fec |
/* Wait for step length */
|
|
|
4a2fec |
vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
if (!vnc_auth_sasl_check_ssf(vs)) {
|
|
|
4a2fec |
- VNC_DEBUG("Authentication rejected for weak SSF %p\n", vs->ioc);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
|
|
|
4a2fec |
goto authreject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
/* Check username whitelist ACL */
|
|
|
4a2fec |
if (vnc_auth_sasl_check_access(vs) < 0) {
|
|
|
4a2fec |
- VNC_DEBUG("Authentication rejected for ACL %p\n", vs->ioc);
|
|
|
4a2fec |
goto authreject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Authentication successful %p\n", vs->ioc);
|
|
|
4a2fec |
+ trace_vnc_auth_pass(vs, vs->auth);
|
|
|
4a2fec |
vnc_write_u32(vs, 0); /* Accept auth */
|
|
|
4a2fec |
/*
|
|
|
4a2fec |
* Delay writing in SSF encoded mode until pending output
|
|
|
4a2fec |
@@ -300,9 +295,9 @@ static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t le
|
|
|
4a2fec |
static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
{
|
|
|
4a2fec |
uint32_t steplen = read_u32(data, 0);
|
|
|
4a2fec |
- VNC_DEBUG("Got client step len %d\n", steplen);
|
|
|
4a2fec |
+
|
|
|
4a2fec |
if (steplen > SASL_DATA_MAX_LEN) {
|
|
|
4a2fec |
- VNC_DEBUG("Too much SASL data %d\n", steplen);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL step len too large", "");
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -346,33 +341,28 @@ static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t l
|
|
|
4a2fec |
datalen--; /* Don't count NULL byte when passing to _start() */
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Start SASL auth with mechanism %s. Data %p (%d bytes)\n",
|
|
|
4a2fec |
- vs->sasl.mechlist, clientdata, datalen);
|
|
|
4a2fec |
err = sasl_server_start(vs->sasl.conn,
|
|
|
4a2fec |
vs->sasl.mechlist,
|
|
|
4a2fec |
clientdata,
|
|
|
4a2fec |
datalen,
|
|
|
4a2fec |
&serverout,
|
|
|
4a2fec |
&serveroutlen);
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_start(vs, data, len, serverout, serveroutlen, err);
|
|
|
4a2fec |
if (err != SASL_OK &&
|
|
|
4a2fec |
err != SASL_CONTINUE) {
|
|
|
4a2fec |
- VNC_DEBUG("sasl start failed %d (%s)\n",
|
|
|
4a2fec |
- err, sasl_errdetail(vs->sasl.conn));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Cannot start SASL auth",
|
|
|
4a2fec |
+ sasl_errdetail(vs->sasl.conn));
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
if (serveroutlen > SASL_DATA_MAX_LEN) {
|
|
|
4a2fec |
- VNC_DEBUG("sasl start reply data too long %d\n",
|
|
|
4a2fec |
- serveroutlen);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("SASL return data %d bytes, nil; %d\n",
|
|
|
4a2fec |
- serveroutlen, serverout ? 0 : 1);
|
|
|
4a2fec |
-
|
|
|
4a2fec |
if (serveroutlen) {
|
|
|
4a2fec |
vnc_write_u32(vs, serveroutlen + 1);
|
|
|
4a2fec |
vnc_write(vs, serverout, serveroutlen + 1);
|
|
|
4a2fec |
@@ -384,22 +374,20 @@ static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t l
|
|
|
4a2fec |
vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
|
|
|
4a2fec |
|
|
|
4a2fec |
if (err == SASL_CONTINUE) {
|
|
|
4a2fec |
- VNC_DEBUG("%s", "Authentication must continue\n");
|
|
|
4a2fec |
/* Wait for step length */
|
|
|
4a2fec |
vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
if (!vnc_auth_sasl_check_ssf(vs)) {
|
|
|
4a2fec |
- VNC_DEBUG("Authentication rejected for weak SSF %p\n", vs->ioc);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
|
|
|
4a2fec |
goto authreject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
/* Check username whitelist ACL */
|
|
|
4a2fec |
if (vnc_auth_sasl_check_access(vs) < 0) {
|
|
|
4a2fec |
- VNC_DEBUG("Authentication rejected for ACL %p\n", vs->ioc);
|
|
|
4a2fec |
goto authreject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Authentication successful %p\n", vs->ioc);
|
|
|
4a2fec |
+ trace_vnc_auth_pass(vs, vs->auth);
|
|
|
4a2fec |
vnc_write_u32(vs, 0); /* Accept auth */
|
|
|
4a2fec |
start_client_init(vs);
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -422,9 +410,9 @@ static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t l
|
|
|
4a2fec |
static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
{
|
|
|
4a2fec |
uint32_t startlen = read_u32(data, 0);
|
|
|
4a2fec |
- VNC_DEBUG("Got client start len %d\n", startlen);
|
|
|
4a2fec |
+
|
|
|
4a2fec |
if (startlen > SASL_DATA_MAX_LEN) {
|
|
|
4a2fec |
- VNC_DEBUG("Too much SASL data %d\n", startlen);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL start len too large", "");
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -439,22 +427,18 @@ static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size
|
|
|
4a2fec |
static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
{
|
|
|
4a2fec |
char *mechname = g_strndup((const char *) data, len);
|
|
|
4a2fec |
- VNC_DEBUG("Got client mechname '%s' check against '%s'\n",
|
|
|
4a2fec |
- mechname, vs->sasl.mechlist);
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_mech_choose(vs, mechname);
|
|
|
4a2fec |
|
|
|
4a2fec |
if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
|
|
|
4a2fec |
if (vs->sasl.mechlist[len] != '\0' &&
|
|
|
4a2fec |
vs->sasl.mechlist[len] != ',') {
|
|
|
4a2fec |
- VNC_DEBUG("One %d", vs->sasl.mechlist[len]);
|
|
|
4a2fec |
goto fail;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
char *offset = strstr(vs->sasl.mechlist, mechname);
|
|
|
4a2fec |
- VNC_DEBUG("Two %p\n", offset);
|
|
|
4a2fec |
if (!offset) {
|
|
|
4a2fec |
goto fail;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
- VNC_DEBUG("Two '%s'\n", offset);
|
|
|
4a2fec |
if (offset[-1] != ',' ||
|
|
|
4a2fec |
(offset[len] != '\0'&&
|
|
|
4a2fec |
offset[len] != ',')) {
|
|
|
4a2fec |
@@ -465,11 +449,11 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_
|
|
|
4a2fec |
g_free(vs->sasl.mechlist);
|
|
|
4a2fec |
vs->sasl.mechlist = mechname;
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Validated mechname '%s'\n", mechname);
|
|
|
4a2fec |
vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
|
|
|
4a2fec |
return 0;
|
|
|
4a2fec |
|
|
|
4a2fec |
fail:
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Unsupported mechname", mechname);
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
g_free(mechname);
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
@@ -478,14 +462,14 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_
|
|
|
4a2fec |
static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
{
|
|
|
4a2fec |
uint32_t mechlen = read_u32(data, 0);
|
|
|
4a2fec |
- VNC_DEBUG("Got client mechname len %d\n", mechlen);
|
|
|
4a2fec |
+
|
|
|
4a2fec |
if (mechlen > 100) {
|
|
|
4a2fec |
- VNC_DEBUG("Too long SASL mechname data %d\n", mechlen);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too long", "");
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
if (mechlen < 1) {
|
|
|
4a2fec |
- VNC_DEBUG("Too short SASL mechname %d\n", mechlen);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too short", "");
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
return -1;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -524,19 +508,22 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
const char *mechlist = NULL;
|
|
|
4a2fec |
sasl_security_properties_t secprops;
|
|
|
4a2fec |
int err;
|
|
|
4a2fec |
+ Error *local_err = NULL;
|
|
|
4a2fec |
char *localAddr, *remoteAddr;
|
|
|
4a2fec |
int mechlistlen;
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Initialize SASL auth %p\n", vs->ioc);
|
|
|
4a2fec |
-
|
|
|
4a2fec |
/* Get local & remote client addresses in form IPADDR;PORT */
|
|
|
4a2fec |
- localAddr = vnc_socket_ip_addr_string(vs->sioc, true, NULL);
|
|
|
4a2fec |
+ localAddr = vnc_socket_ip_addr_string(vs->sioc, true, &local_err);
|
|
|
4a2fec |
if (!localAddr) {
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Cannot format local IP",
|
|
|
4a2fec |
+ error_get_pretty(local_err));
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
- remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, NULL);
|
|
|
4a2fec |
+ remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, &local_err);
|
|
|
4a2fec |
if (!remoteAddr) {
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Cannot format remote IP",
|
|
|
4a2fec |
+ error_get_pretty(local_err));
|
|
|
4a2fec |
g_free(localAddr);
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -554,8 +541,8 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
localAddr = remoteAddr = NULL;
|
|
|
4a2fec |
|
|
|
4a2fec |
if (err != SASL_OK) {
|
|
|
4a2fec |
- VNC_DEBUG("sasl context setup failed %d (%s)",
|
|
|
4a2fec |
- err, sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "SASL context setup failed",
|
|
|
4a2fec |
+ sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -570,8 +557,8 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
keysize = qcrypto_tls_session_get_key_size(vs->tls,
|
|
|
4a2fec |
&local_err);
|
|
|
4a2fec |
if (keysize < 0) {
|
|
|
4a2fec |
- VNC_DEBUG("cannot TLS get cipher size: %s\n",
|
|
|
4a2fec |
- error_get_pretty(local_err));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "cannot TLS get cipher size",
|
|
|
4a2fec |
+ error_get_pretty(local_err));
|
|
|
4a2fec |
error_free(local_err);
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
@@ -581,8 +568,8 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
|
|
|
4a2fec |
err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf;;
|
|
|
4a2fec |
if (err != SASL_OK) {
|
|
|
4a2fec |
- VNC_DEBUG("cannot set SASL external SSF %d (%s)\n",
|
|
|
4a2fec |
- err, sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL external SSF",
|
|
|
4a2fec |
+ sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
@@ -617,8 +604,8 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
|
|
|
4a2fec |
err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
|
|
|
4a2fec |
if (err != SASL_OK) {
|
|
|
4a2fec |
- VNC_DEBUG("cannot set SASL security props %d (%s)\n",
|
|
|
4a2fec |
- err, sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL security props",
|
|
|
4a2fec |
+ sasl_errstring(err, NULL, NULL));
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
@@ -633,13 +620,13 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
NULL,
|
|
|
4a2fec |
NULL);
|
|
|
4a2fec |
if (err != SASL_OK) {
|
|
|
4a2fec |
- VNC_DEBUG("cannot list SASL mechanisms %d (%s)\n",
|
|
|
4a2fec |
- err, sasl_errdetail(vs->sasl.conn));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "cannot list SASL mechanisms",
|
|
|
4a2fec |
+ sasl_errdetail(vs->sasl.conn));
|
|
|
4a2fec |
sasl_dispose(&vs->sasl.conn);
|
|
|
4a2fec |
vs->sasl.conn = NULL;
|
|
|
4a2fec |
goto authabort;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
- VNC_DEBUG("Available mechanisms for client: '%s'\n", mechlist);
|
|
|
4a2fec |
+ trace_vnc_auth_sasl_mech_list(vs, mechlist);
|
|
|
4a2fec |
|
|
|
4a2fec |
vs->sasl.mechlist = g_strdup(mechlist);
|
|
|
4a2fec |
mechlistlen = strlen(mechlist);
|
|
|
4a2fec |
@@ -647,12 +634,12 @@ void start_auth_sasl(VncState *vs)
|
|
|
4a2fec |
vnc_write(vs, mechlist, mechlistlen);
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
|
|
|
4a2fec |
- VNC_DEBUG("Wait for client mechname length\n");
|
|
|
4a2fec |
vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
|
|
|
4a2fec |
|
|
|
4a2fec |
return;
|
|
|
4a2fec |
|
|
|
4a2fec |
authabort:
|
|
|
4a2fec |
+ error_free(local_err);
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c
|
|
|
4a2fec |
index 2a3766a..7833631 100644
|
|
|
4a2fec |
--- a/ui/vnc-auth-vencrypt.c
|
|
|
4a2fec |
+++ b/ui/vnc-auth-vencrypt.c
|
|
|
4a2fec |
@@ -35,27 +35,24 @@ static void start_auth_vencrypt_subauth(VncState *vs)
|
|
|
4a2fec |
switch (vs->subauth) {
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT_TLSNONE:
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT_X509NONE:
|
|
|
4a2fec |
- VNC_DEBUG("Accept TLS auth none\n");
|
|
|
4a2fec |
vnc_write_u32(vs, 0); /* Accept auth completion */
|
|
|
4a2fec |
start_client_init(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT_TLSVNC:
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT_X509VNC:
|
|
|
4a2fec |
- VNC_DEBUG("Start TLS auth VNC\n");
|
|
|
4a2fec |
start_auth_vnc(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
|
|
|
4a2fec |
#ifdef CONFIG_VNC_SASL
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT_TLSSASL:
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT_X509SASL:
|
|
|
4a2fec |
- VNC_DEBUG("Start TLS auth SASL\n");
|
|
|
4a2fec |
start_auth_sasl(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
#endif /* CONFIG_VNC_SASL */
|
|
|
4a2fec |
|
|
|
4a2fec |
default: /* Should not be possible, but just in case */
|
|
|
4a2fec |
- VNC_DEBUG("Reject subauth %d server bug\n", vs->auth);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Unhandled VeNCrypt subauth", "");
|
|
|
4a2fec |
vnc_write_u8(vs, 1);
|
|
|
4a2fec |
if (vs->minor >= 8) {
|
|
|
4a2fec |
static const char err[] = "Unsupported authentication type";
|
|
|
4a2fec |
@@ -73,8 +70,8 @@ static void vnc_tls_handshake_done(QIOTask *task,
|
|
|
4a2fec |
Error *err = NULL;
|
|
|
4a2fec |
|
|
|
4a2fec |
if (qio_task_propagate_error(task, &err)) {
|
|
|
4a2fec |
- VNC_DEBUG("Handshake failed %s\n",
|
|
|
4a2fec |
- error_get_pretty(err));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "TLS handshake failed",
|
|
|
4a2fec |
+ error_get_pretty(err));
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
error_free(err);
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
@@ -92,15 +89,15 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len
|
|
|
4a2fec |
{
|
|
|
4a2fec |
int auth = read_u32(data, 0);
|
|
|
4a2fec |
|
|
|
4a2fec |
+ trace_vnc_auth_vencrypt_subauth(vs, auth);
|
|
|
4a2fec |
if (auth != vs->subauth) {
|
|
|
4a2fec |
- VNC_DEBUG("Rejecting auth %d\n", auth);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Unsupported sub-auth version", "");
|
|
|
4a2fec |
vnc_write_u8(vs, 0); /* Reject auth */
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
Error *err = NULL;
|
|
|
4a2fec |
QIOChannelTLS *tls;
|
|
|
4a2fec |
- VNC_DEBUG("Accepting auth %d, setting up TLS for handshake\n", auth);
|
|
|
4a2fec |
vnc_write_u8(vs, 1); /* Accept auth */
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
|
|
|
4a2fec |
@@ -115,14 +112,14 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len
|
|
|
4a2fec |
vs->vd->tlsaclname,
|
|
|
4a2fec |
&err;;
|
|
|
4a2fec |
if (!tls) {
|
|
|
4a2fec |
- VNC_DEBUG("Failed to setup TLS %s\n", error_get_pretty(err));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "TLS setup failed",
|
|
|
4a2fec |
+ error_get_pretty(err));
|
|
|
4a2fec |
error_free(err);
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
return 0;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls");
|
|
|
4a2fec |
- VNC_DEBUG("Start TLS VeNCrypt handshake process\n");
|
|
|
4a2fec |
object_unref(OBJECT(vs->ioc));
|
|
|
4a2fec |
vs->ioc = QIO_CHANNEL(tls);
|
|
|
4a2fec |
trace_vnc_client_io_wrap(vs, vs->ioc, "tls");
|
|
|
4a2fec |
@@ -138,14 +135,14 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len
|
|
|
4a2fec |
|
|
|
4a2fec |
static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
{
|
|
|
4a2fec |
+ trace_vnc_auth_vencrypt_version(vs, (int)data[0], (int)data[1]);
|
|
|
4a2fec |
if (data[0] != 0 ||
|
|
|
4a2fec |
data[1] != 2) {
|
|
|
4a2fec |
- VNC_DEBUG("Unsupported VeNCrypt protocol %d.%d\n", (int)data[0], (int)data[1]);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Unsupported version", "");
|
|
|
4a2fec |
vnc_write_u8(vs, 1); /* Reject version */
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
- VNC_DEBUG("Sending allowed auth %d\n", vs->subauth);
|
|
|
4a2fec |
vnc_write_u8(vs, 0); /* Accept version */
|
|
|
4a2fec |
vnc_write_u8(vs, 1); /* Number of sub-auths */
|
|
|
4a2fec |
vnc_write_u32(vs, vs->subauth); /* The supported auth */
|
|
|
4a2fec |
diff --git a/ui/vnc.c b/ui/vnc.c
|
|
|
4a2fec |
index 66783ec..1275bba 100644
|
|
|
4a2fec |
--- a/ui/vnc.c
|
|
|
4a2fec |
+++ b/ui/vnc.c
|
|
|
4a2fec |
@@ -2407,11 +2407,11 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
Error *err = NULL;
|
|
|
4a2fec |
|
|
|
4a2fec |
if (!vs->vd->password) {
|
|
|
4a2fec |
- VNC_DEBUG("No password configured on server");
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
|
|
|
4a2fec |
goto reject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
if (vs->vd->expires < now) {
|
|
|
4a2fec |
- VNC_DEBUG("Password is expired");
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
|
|
|
4a2fec |
goto reject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
@@ -2428,8 +2428,8 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
key, G_N_ELEMENTS(key),
|
|
|
4a2fec |
&err;;
|
|
|
4a2fec |
if (!cipher) {
|
|
|
4a2fec |
- VNC_DEBUG("Cannot initialize cipher %s",
|
|
|
4a2fec |
- error_get_pretty(err));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
|
|
|
4a2fec |
+ error_get_pretty(err));
|
|
|
4a2fec |
error_free(err);
|
|
|
4a2fec |
goto reject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
@@ -2439,18 +2439,18 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
response,
|
|
|
4a2fec |
VNC_AUTH_CHALLENGE_SIZE,
|
|
|
4a2fec |
&err) < 0) {
|
|
|
4a2fec |
- VNC_DEBUG("Cannot encrypt challenge %s",
|
|
|
4a2fec |
- error_get_pretty(err));
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
|
|
|
4a2fec |
+ error_get_pretty(err));
|
|
|
4a2fec |
error_free(err);
|
|
|
4a2fec |
goto reject;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
|
|
|
4a2fec |
/* Compare expected vs actual challenge response */
|
|
|
4a2fec |
if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
|
|
|
4a2fec |
- VNC_DEBUG("Client challenge response did not match\n");
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
|
|
|
4a2fec |
goto reject;
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
- VNC_DEBUG("Accepting VNC challenge response\n");
|
|
|
4a2fec |
+ trace_vnc_auth_pass(vs, vs->auth);
|
|
|
4a2fec |
vnc_write_u32(vs, 0); /* Accept auth */
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
|
|
|
4a2fec |
@@ -2489,7 +2489,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
/* We only advertise 1 auth scheme at a time, so client
|
|
|
4a2fec |
* must pick the one we sent. Verify this */
|
|
|
4a2fec |
if (data[0] != vs->auth) { /* Reject auth */
|
|
|
4a2fec |
- VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
|
|
|
4a2fec |
+ trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
|
|
|
4a2fec |
vnc_write_u32(vs, 1);
|
|
|
4a2fec |
if (vs->minor >= 8) {
|
|
|
4a2fec |
static const char err[] = "Authentication failed";
|
|
|
4a2fec |
@@ -2498,36 +2498,33 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
|
|
|
4a2fec |
}
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
} else { /* Accept requested auth */
|
|
|
4a2fec |
- VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
|
|
|
4a2fec |
+ trace_vnc_auth_start(vs, vs->auth);
|
|
|
4a2fec |
switch (vs->auth) {
|
|
|
4a2fec |
case VNC_AUTH_NONE:
|
|
|
4a2fec |
- VNC_DEBUG("Accept auth none\n");
|
|
|
4a2fec |
if (vs->minor >= 8) {
|
|
|
4a2fec |
vnc_write_u32(vs, 0); /* Accept auth completion */
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
}
|
|
|
4a2fec |
+ trace_vnc_auth_pass(vs, vs->auth);
|
|
|
4a2fec |
start_client_init(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
|
|
|
4a2fec |
case VNC_AUTH_VNC:
|
|
|
4a2fec |
- VNC_DEBUG("Start VNC auth\n");
|
|
|
4a2fec |
start_auth_vnc(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
|
|
|
4a2fec |
case VNC_AUTH_VENCRYPT:
|
|
|
4a2fec |
- VNC_DEBUG("Accept VeNCrypt auth\n");
|
|
|
4a2fec |
start_auth_vencrypt(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
|
|
|
4a2fec |
#ifdef CONFIG_VNC_SASL
|
|
|
4a2fec |
case VNC_AUTH_SASL:
|
|
|
4a2fec |
- VNC_DEBUG("Accept SASL auth\n");
|
|
|
4a2fec |
start_auth_sasl(vs);
|
|
|
4a2fec |
break;
|
|
|
4a2fec |
#endif /* CONFIG_VNC_SASL */
|
|
|
4a2fec |
|
|
|
4a2fec |
default: /* Should not be possible, but just in case */
|
|
|
4a2fec |
- VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
|
|
|
4a2fec |
vnc_write_u8(vs, 1);
|
|
|
4a2fec |
if (vs->minor >= 8) {
|
|
|
4a2fec |
static const char err[] = "Authentication failed";
|
|
|
4a2fec |
@@ -2572,10 +2569,11 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
|
|
|
4a2fec |
vs->minor = 3;
|
|
|
4a2fec |
|
|
|
4a2fec |
if (vs->minor == 3) {
|
|
|
4a2fec |
+ trace_vnc_auth_start(vs, vs->auth);
|
|
|
4a2fec |
if (vs->auth == VNC_AUTH_NONE) {
|
|
|
4a2fec |
- VNC_DEBUG("Tell client auth none\n");
|
|
|
4a2fec |
vnc_write_u32(vs, vs->auth);
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
+ trace_vnc_auth_pass(vs, vs->auth);
|
|
|
4a2fec |
start_client_init(vs);
|
|
|
4a2fec |
} else if (vs->auth == VNC_AUTH_VNC) {
|
|
|
4a2fec |
VNC_DEBUG("Tell client VNC auth\n");
|
|
|
4a2fec |
@@ -2583,13 +2581,13 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
start_auth_vnc(vs);
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
- VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
|
|
|
4a2fec |
+ trace_vnc_auth_fail(vs, vs->auth,
|
|
|
4a2fec |
+ "Unsupported auth method for v3.3", "");
|
|
|
4a2fec |
vnc_write_u32(vs, VNC_AUTH_INVALID);
|
|
|
4a2fec |
vnc_flush(vs);
|
|
|
4a2fec |
vnc_client_error(vs);
|
|
|
4a2fec |
}
|
|
|
4a2fec |
} else {
|
|
|
4a2fec |
- VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
|
|
|
4a2fec |
vnc_write_u8(vs, 1); /* num auth */
|
|
|
4a2fec |
vnc_write_u8(vs, vs->auth);
|
|
|
4a2fec |
vnc_read_when(vs, protocol_client_auth, 1);
|
|
|
4a2fec |
@@ -3946,12 +3944,14 @@ void vnc_display_open(const char *id, Error **errp)
|
|
|
4a2fec |
sasl, false, errp) < 0) {
|
|
|
4a2fec |
goto fail;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
+ trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
|
|
|
4a2fec |
|
|
|
4a2fec |
if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
|
|
|
4a2fec |
vd->tlscreds, password,
|
|
|
4a2fec |
sasl, true, errp) < 0) {
|
|
|
4a2fec |
goto fail;
|
|
|
4a2fec |
}
|
|
|
4a2fec |
+ trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
|
|
|
4a2fec |
|
|
|
4a2fec |
#ifdef CONFIG_VNC_SASL
|
|
|
4a2fec |
if ((saslErr = sasl_server_init(NULL, "qemu-kvm")) != SASL_OK) {
|
|
|
4a2fec |
--
|
|
|
4a2fec |
1.8.3.1
|
|
|
4a2fec |
|