Blob Blame History Raw
Index: qemu-kvm-0.10/qemu/Makefile
===================================================================
--- qemu-kvm-0.10.orig/qemu/Makefile
+++ qemu-kvm-0.10/qemu/Makefile
@@ -152,6 +152,9 @@ OBJS+=vnc.o d3des.o
 ifdef CONFIG_VNC_TLS
 OBJS+=vnc-tls.o vnc-auth-vencrypt.o
 endif
+ifdef CONFIG_VNC_SASL
+OBJS+=vnc-auth-sasl.o
+endif
 
 ifdef CONFIG_COCOA
 OBJS+=cocoa.o
@@ -175,7 +178,7 @@ sdl.o: sdl.c keymaps.h sdl_keysym.h
 
 sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS)
 
-vnc.h: vnc-tls.h vnc-auth-vencrypt.h keymaps.h
+vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h
 
 vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h
 
@@ -185,6 +188,8 @@ vnc-tls.o: vnc-tls.c vnc.h
 
 vnc-auth-vencrypt.o: vnc-auth-vencrypt.c vnc.h
 
+vnc-auth-sasl.o: vnc-auth-sasl.c vnc.h
+
 curses.o: curses.c keymaps.h curses_keys.h
 
 bt-host.o: CFLAGS += $(CONFIG_BLUEZ_CFLAGS)
Index: qemu-kvm-0.10/qemu/Makefile.target
===================================================================
--- qemu-kvm-0.10.orig/qemu/Makefile.target
+++ qemu-kvm-0.10/qemu/Makefile.target
@@ -613,6 +613,11 @@ CPPFLAGS += $(CONFIG_VNC_TLS_CFLAGS)
 LIBS += $(CONFIG_VNC_TLS_LIBS)
 endif
 
+ifdef CONFIG_VNC_SASL
+CPPFLAGS += $(CONFIG_VNC_SASL_CFLAGS)
+LIBS += $(CONFIG_VNC_SASL_LIBS)
+endif
+
 ifdef CONFIG_BLUEZ
 LIBS += $(CONFIG_BLUEZ_LIBS)
 endif
Index: qemu-kvm-0.10/qemu/configure
===================================================================
--- qemu-kvm-0.10.orig/qemu/configure
+++ qemu-kvm-0.10/qemu/configure
@@ -164,6 +164,7 @@ fmod_lib=""
 fmod_inc=""
 oss_lib=""
 vnc_tls="yes"
+vnc_sasl="yes"
 bsd="no"
 linux="no"
 solaris="no"
@@ -404,6 +405,8 @@ for opt do
   ;;
   --disable-vnc-tls) vnc_tls="no"
   ;;
+  --disable-vnc-sasl) vnc_sasl="no"
+  ;;
   --disable-slirp) slirp="no"
   ;;
   --disable-vde) vde="no"
@@ -563,6 +566,7 @@ echo "                           Availab
 echo "  --enable-mixemu          enable mixer emulation"
 echo "  --disable-brlapi         disable BrlAPI"
 echo "  --disable-vnc-tls        disable TLS encryption for VNC server"
+echo "  --disable-vnc-sasl       disable SASL encryption for VNC server"
 echo "  --disable-curses         disable curses output"
 echo "  --disable-bluez          disable bluez stack connectivity"
 echo "  --disable-kvm            disable KVM acceleration support"
@@ -890,6 +894,25 @@ EOF
 fi
 
 ##########################################
+# VNC SASL detection
+if test "$vnc_sasl" = "yes" ; then
+cat > $TMPC <<EOF
+#include <sasl/sasl.h>
+#include <stdio.h>
+int main(void) { sasl_server_init(NULL, "qemu"); return 0; }
+EOF
+    # Assuming Cyrus-SASL installed in /usr prefix
+    vnc_sasl_cflags=""
+    vnc_sasl_libs="-lsasl2"
+    if $cc $ARCH_CFLAGS -o $TMPE ${OS_CFLAGS} $vnc_sasl_cflags $TMPC \
+           $vnc_sasl_libs 2> /dev/null ; then
+	:
+    else
+	vnc_sasl="no"
+    fi
+fi
+
+##########################################
 # vde libraries probe
 if test "$vde" = "yes" ; then
   cat > $TMPC << EOF
@@ -1224,6 +1247,11 @@ if test "$vnc_tls" = "yes" ; then
     echo "    TLS CFLAGS    $vnc_tls_cflags"
     echo "    TLS LIBS      $vnc_tls_libs"
 fi
+echo "VNC SASL support  $vnc_sasl"
+if test "$vnc_sasl" = "yes" ; then
+    echo "    SASL CFLAGS    $vnc_sasl_cflags"
+    echo "    SASL LIBS      $vnc_sasl_libs"
+fi
 if test -n "$sparc_cpu"; then
     echo "Target Sparc Arch $sparc_cpu"
 fi
@@ -1467,6 +1495,12 @@ if test "$vnc_tls" = "yes" ; then
   echo "CONFIG_VNC_TLS_LIBS=$vnc_tls_libs" >> $config_mak
   echo "#define CONFIG_VNC_TLS 1" >> $config_h
 fi
+if test "$vnc_sasl" = "yes" ; then
+  echo "CONFIG_VNC_SASL=yes" >> $config_mak
+  echo "CONFIG_VNC_SASL_CFLAGS=$vnc_sasl_cflags" >> $config_mak
+  echo "CONFIG_VNC_SASL_LIBS=$vnc_sasl_libs" >> $config_mak
+  echo "#define CONFIG_VNC_SASL 1" >> $config_h
+fi
 qemu_version=`head $source_path/VERSION`
 echo "VERSION=$qemu_version" >>$config_mak
 echo "#define QEMU_VERSION \"$qemu_version\"" >> $config_h
Index: qemu-kvm-0.10/qemu/qemu-doc.texi
===================================================================
--- qemu-kvm-0.10.orig/qemu/qemu-doc.texi
+++ qemu-kvm-0.10/qemu/qemu-doc.texi
@@ -624,6 +624,21 @@ path following this option specifies whe
 be loaded from. See the @ref{vnc_security} section for details on generating
 certificates.
 
+@item sasl
+
+Require that the client use SASL to authenticate with the VNC server.
+The exact choice of authentication method used is controlled from the
+system / user's SASL configuration file for the 'qemu' service. This
+is typically found in /etc/sasl2/qemu.conf. If running QEMU as an
+unprivileged user, an environment variable SASL_CONF_PATH can be used
+to make it search alternate locations for the service config.
+While some SASL auth methods can also provide data encryption (eg GSSAPI),
+it is recommended that SASL always be combined with the 'tls' and
+'x509' settings to enable use of SSL and server certificates. This
+ensures a data encryption preventing compromise of authentication
+credentials. See the @ref{vnc_security} section for details on using
+SASL authentication.
+
 @end table
 
 @end table
@@ -2069,7 +2084,10 @@ considerations depending on the deployme
 * vnc_sec_certificate::
 * vnc_sec_certificate_verify::
 * vnc_sec_certificate_pw::
+* vnc_sec_sasl::
+* vnc_sec_certificate_sasl::
 * vnc_generate_cert::
+* vnc_setup_sasl::
 @end menu
 @node vnc_sec_none
 @subsection Without passwords
@@ -2152,6 +2170,41 @@ Password: ********
 (qemu)
 @end example
 
+
+@node vnc_sec_sasl
+@subsection With SASL authentication
+
+The SASL authentication method is a VNC extension, that provides an
+easily extendable, pluggable authentication method. This allows for
+integration with a wide range of authentication mechanisms, such as
+PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more.
+The strength of the authentication depends on the exact mechanism
+configured. If the chosen mechanism also provides a SSF layer, then
+it will encrypt the datastream as well.
+
+Refer to the later docs on how to choose the exact SASL mechanism
+used for authentication, but assuming use of one supporting SSF,
+then QEMU can be launched with:
+
+@example
+qemu [...OPTIONS...] -vnc :1,sasl -monitor stdio
+@end example
+
+@node vnc_sec_certificate_sasl
+@subsection With x509 certificates and SASL authentication
+
+If the desired SASL authentication mechanism does not supported
+SSF layers, then it is strongly advised to run it in combination
+with TLS and x509 certificates. This provides securely encrypted
+data stream, avoiding risk of compromising of the security
+credentials. This can be enabled, by combining the 'sasl' option
+with the aforementioned TLS + x509 options:
+
+@example
+qemu [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio
+@end example
+
+
 @node vnc_generate_cert
 @subsection Generating certificates for VNC
 
@@ -2263,6 +2316,50 @@ EOF
 The @code{client-key.pem} and @code{client-cert.pem} files should now be securely
 copied to the client for which they were generated.
 
+
+@node vnc_setup_sasl
+
+@subsection Configuring SASL mechanisms
+
+The following documentation assumes use of the Cyrus SASL implementation on a
+Linux host, but the principals should apply to any other SASL impl. When SASL
+is enabled, the mechanism configuration will be loaded from system default
+SASL service config /etc/sasl2/qemu.conf. If running QEMU as an
+unprivileged user, an environment variable SASL_CONF_PATH can be used
+to make it search alternate locations for the service config.
+
+The default configuration might contain
+
+@example
+mech_list: digest-md5
+sasldb_path: /etc/qemu/passwd.db
+@end example
+
+This says to use the 'Digest MD5' mechanism, which is similar to the HTTP
+Digest-MD5 mechanism. The list of valid usernames & passwords is maintained
+in the /etc/qemu/passwd.db file, and can be updated using the saslpasswd2
+command. While this mechanism is easy to configure and use, it is not
+considered secure by modern standards, so only suitable for developers /
+ad-hoc testing.
+
+A more serious deployment might use Kerberos, which is done with the 'gssapi'
+mechanism
+
+@example
+mech_list: gssapi
+keytab: /etc/qemu/krb5.tab
+@end example
+
+For this to work the administrator of your KDC must generate a Kerberos
+principal for the server, with a name of  'qemu/somehost.example.com@@EXAMPLE.COM'
+replacing 'somehost.example.com' with the fully qualified host name of the
+machine running QEMU, and 'EXAMPLE.COM' with the Keberos Realm.
+
+Other configurations will be left as an exercise for the reader. It should
+be noted that only Digest-MD5 and GSSAPI provides a SSF layer for data
+encryption. For all other mechanisms, VNC should always be configured to
+use TLS and x509 certificates to protect security credentials from snooping.
+
 @node gdb_usage
 @section GDB usage
 
Index: qemu-kvm-0.10/qemu/qemu.sasl
===================================================================
--- /dev/null
+++ qemu-kvm-0.10/qemu/qemu.sasl
@@ -0,0 +1,34 @@
+# If you want to use the non-TLS socket, then you *must* include
+# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
+# ones that can offer session encryption as well as authentication.
+#
+# If you're only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# Default to a simple username+password mechanism
+# NB digest-md5 is no longer considered secure by current standards
+mech_list: digest-md5
+
+# Before you can use GSSAPI, you need a service principle on the
+# KDC server for libvirt, and that to be exported to the keytab
+# file listed below
+#mech_list: gssapi
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding  '?auth=sasl.gssapi' to their libvirt URI, eg
+#   qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: digest-md5 gssapi
+
+# Some older builds of MIT kerberos on Linux ignore this option &
+# instead need KRB5_KTNAME env var.
+# For modern Linux, and other OS, this should be sufficient
+keytab: /etc/qemu/krb5.tab
+
+# If using digest-md5 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
+# to add entries, and 'sasldblistusers2 -a qemu' to browse it
+sasldb_path: /etc/qemu/passwd.db
+
+
+auxprop_plugin: sasldb
+
Index: qemu-kvm-0.10/qemu/vnc-auth-sasl.c
===================================================================
--- /dev/null
+++ qemu-kvm-0.10/qemu/vnc-auth-sasl.c
@@ -0,0 +1,626 @@
+/*
+ * QEMU VNC display driver: SASL auth protocol
+ *
+ * Copyright (C) 2009 Red Hat, Inc
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "vnc.h"
+
+/* Max amount of data we send/recv for SASL steps to prevent DOS */
+#define SASL_DATA_MAX_LEN (1024 * 1024)
+
+
+void vnc_sasl_client_cleanup(VncState *vs)
+{
+    if (vs->sasl.conn) {
+	vs->sasl.runSSF = vs->sasl.waitWriteSSF = vs->sasl.wantSSF = 0;
+	vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;
+	vs->sasl.encoded = NULL;
+	free(vs->sasl.username);
+	free(vs->sasl.mechlist);
+	vs->sasl.username = vs->sasl.mechlist = NULL;
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+    }
+}
+
+
+long vnc_client_write_sasl(VncState *vs)
+{
+    long ret;
+
+    VNC_DEBUG("Write SASL: Pending output %p size %d offset %d Encoded: %p size %d offset %d\n",
+	      vs->output.buffer, vs->output.capacity, vs->output.offset,
+	      vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);
+
+    if (!vs->sasl.encoded) {
+	int err;
+	err = sasl_encode(vs->sasl.conn,
+			  (char *)vs->output.buffer,
+			  vs->output.offset,
+			  (const char **)&vs->sasl.encoded,
+			  &vs->sasl.encodedLength);
+	if (err != SASL_OK)
+	    return vnc_client_io_error(vs, -1, EIO);
+
+	vs->sasl.encodedOffset = 0;
+    }
+
+    ret = vnc_client_write_buf(vs,
+			       vs->sasl.encoded + vs->sasl.encodedOffset,
+			       vs->sasl.encodedLength - vs->sasl.encodedOffset);
+    if (!ret)
+	return 0;
+
+    vs->sasl.encodedOffset += ret;
+    if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {
+	vs->output.offset = 0;
+	vs->sasl.encoded = NULL;
+	vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;
+    }
+
+    /* Can't merge this block with one above, because
+     * someone might have written more unencrypted
+     * data in vs->output while we were processing
+     * SASL encoded output
+     */
+    if (vs->output.offset == 0) {
+	qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
+    }
+
+    return ret;
+}
+
+
+long vnc_client_read_sasl(VncState *vs)
+{
+    long ret;
+    uint8_t encoded[4096];
+    const char *decoded;
+    unsigned int decodedLen;
+    int err;
+
+    ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));
+    if (!ret)
+	return 0;
+
+    err = sasl_decode(vs->sasl.conn,
+		      (char *)encoded, ret,
+		      &decoded, &decodedLen);
+
+    if (err != SASL_OK)
+	return vnc_client_io_error(vs, -1, -EIO);
+    VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
+	      encoded, ret, decoded, decodedLen);
+    buffer_reserve(&vs->input, decodedLen);
+    buffer_append(&vs->input, decoded, decodedLen);
+    return decodedLen;
+}
+
+
+static int vnc_auth_sasl_check_access(VncState *vs)
+{
+    const void *val;
+    int err;
+
+    err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
+    if (err != SASL_OK) {
+	VNC_DEBUG("cannot query SASL username on connection %d (%s)\n",
+		  err, sasl_errstring(err, NULL, NULL));
+	return -1;
+    }
+    if (val == NULL) {
+	VNC_DEBUG("no client username was found\n");
+	return -1;
+    }
+    VNC_DEBUG("SASL client username %s\n", (const char *)val);
+
+    vs->sasl.username = qemu_strdup((const char*)val);
+
+    return 0;
+}
+
+static int vnc_auth_sasl_check_ssf(VncState *vs)
+{
+    const void *val;
+    int err, ssf;
+
+    if (!vs->sasl.wantSSF)
+	return 1;
+
+    err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val);
+    if (err != SASL_OK)
+	return 0;
+
+    ssf = *(const int *)val;
+    VNC_DEBUG("negotiated an SSF of %d\n", ssf);
+    if (ssf < 56)
+	return 0; /* 56 is good for Kerberos */
+
+    /* Only setup for read initially, because we're about to send an RPC
+     * reply which must be in plain text. When the next incoming RPC
+     * arrives, we'll switch on writes too
+     *
+     * cf qemudClientReadSASL  in qemud.c
+     */
+    vs->sasl.runSSF = 1;
+
+    /* We have a SSF that's good enough */
+    return 1;
+}
+
+/*
+ * Step Msg
+ *
+ * Input from client:
+ *
+ * u32 clientin-length
+ * u8-array clientin-string
+ *
+ * Output to client:
+ *
+ * u32 serverout-length
+ * u8-array serverout-strin
+ * u8 continue
+ */
+
+static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);
+
+static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)
+{
+    uint32_t datalen = len;
+    const char *serverout;
+    unsigned int serveroutlen;
+    int err;
+    char *clientdata = NULL;
+
+    /* NB, distinction of NULL vs "" is *critical* in SASL */
+    if (datalen) {
+	clientdata = (char*)data;
+	clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */
+	datalen--; /* Don't count NULL byte when passing to _start() */
+    }
+
+    VNC_DEBUG("Step using SASL Data %p (%d bytes)\n",
+	      clientdata, datalen);
+    err = sasl_server_step(vs->sasl.conn,
+			   clientdata,
+			   datalen,
+			   &serverout,
+			   &serveroutlen);
+    if (err != SASL_OK &&
+	err != SASL_CONTINUE) {
+	VNC_DEBUG("sasl step failed %d (%s)\n",
+		  err, sasl_errdetail(vs->sasl.conn));
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+
+    if (serveroutlen > SASL_DATA_MAX_LEN) {
+	VNC_DEBUG("sasl step reply data too long %d\n",
+		  serveroutlen);
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+
+    VNC_DEBUG("SASL return data %d bytes, nil; %d\n",
+	      serveroutlen, serverout ? 0 : 1);
+
+    if (serveroutlen) {
+	vnc_write_u32(vs, serveroutlen + 1);
+	vnc_write(vs, serverout, serveroutlen + 1);
+    } else {
+	vnc_write_u32(vs, 0);
+    }
+
+    /* Whether auth is complete */
+    vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
+
+    if (err == SASL_CONTINUE) {
+	VNC_DEBUG("%s", "Authentication must continue\n");
+	/* Wait for step length */
+	vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
+    } else {
+	if (!vnc_auth_sasl_check_ssf(vs)) {
+	    VNC_DEBUG("Authentication rejected for weak SSF %d\n", vs->csock);
+	    goto authreject;
+	}
+
+	/* Check username whitelist ACL */
+	if (vnc_auth_sasl_check_access(vs) < 0) {
+	    VNC_DEBUG("Authentication rejected for ACL %d\n", vs->csock);
+	    goto authreject;
+	}
+
+	VNC_DEBUG("Authentication successful %d\n", vs->csock);
+	vnc_write_u32(vs, 0); /* Accept auth */
+	/*
+	 * Delay writing in SSF encoded mode until pending output
+	 * buffer is written
+	 */
+	if (vs->sasl.runSSF)
+	    vs->sasl.waitWriteSSF = vs->output.offset;
+	start_client_init(vs);
+    }
+
+    return 0;
+
+ authreject:
+    vnc_write_u32(vs, 1); /* Reject auth */
+    vnc_write_u32(vs, sizeof("Authentication failed"));
+    vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
+    vnc_flush(vs);
+    vnc_client_error(vs);
+    return -1;
+
+ authabort:
+    vnc_client_error(vs);
+    return -1;
+}
+
+static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
+{
+    uint32_t steplen = read_u32(data, 0);
+    VNC_DEBUG("Got client step len %d\n", steplen);
+    if (steplen > SASL_DATA_MAX_LEN) {
+	VNC_DEBUG("Too much SASL data %d\n", steplen);
+	vnc_client_error(vs);
+	return -1;
+    }
+
+    if (steplen == 0)
+	return protocol_client_auth_sasl_step(vs, NULL, 0);
+    else
+	vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);
+    return 0;
+}
+
+/*
+ * Start Msg
+ *
+ * Input from client:
+ *
+ * u32 clientin-length
+ * u8-array clientin-string
+ *
+ * Output to client:
+ *
+ * u32 serverout-length
+ * u8-array serverout-strin
+ * u8 continue
+ */
+
+#define SASL_DATA_MAX_LEN (1024 * 1024)
+
+static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)
+{
+    uint32_t datalen = len;
+    const char *serverout;
+    unsigned int serveroutlen;
+    int err;
+    char *clientdata = NULL;
+
+    /* NB, distinction of NULL vs "" is *critical* in SASL */
+    if (datalen) {
+	clientdata = (char*)data;
+	clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */
+	datalen--; /* Don't count NULL byte when passing to _start() */
+    }
+
+    VNC_DEBUG("Start SASL auth with mechanism %s. Data %p (%d bytes)\n",
+	      vs->sasl.mechlist, clientdata, datalen);
+    err = sasl_server_start(vs->sasl.conn,
+			    vs->sasl.mechlist,
+			    clientdata,
+			    datalen,
+			    &serverout,
+			    &serveroutlen);
+    if (err != SASL_OK &&
+	err != SASL_CONTINUE) {
+	VNC_DEBUG("sasl start failed %d (%s)\n",
+		  err, sasl_errdetail(vs->sasl.conn));
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+    if (serveroutlen > SASL_DATA_MAX_LEN) {
+	VNC_DEBUG("sasl start reply data too long %d\n",
+		  serveroutlen);
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+
+    VNC_DEBUG("SASL return data %d bytes, nil; %d\n",
+	      serveroutlen, serverout ? 0 : 1);
+
+    if (serveroutlen) {
+	vnc_write_u32(vs, serveroutlen + 1);
+	vnc_write(vs, serverout, serveroutlen + 1);
+    } else {
+	vnc_write_u32(vs, 0);
+    }
+
+    /* Whether auth is complete */
+    vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
+
+    if (err == SASL_CONTINUE) {
+	VNC_DEBUG("%s", "Authentication must continue\n");
+	/* Wait for step length */
+	vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
+    } else {
+	if (!vnc_auth_sasl_check_ssf(vs)) {
+	    VNC_DEBUG("Authentication rejected for weak SSF %d\n", vs->csock);
+	    goto authreject;
+	}
+
+	/* Check username whitelist ACL */
+	if (vnc_auth_sasl_check_access(vs) < 0) {
+	    VNC_DEBUG("Authentication rejected for ACL %d\n", vs->csock);
+	    goto authreject;
+	}
+
+	VNC_DEBUG("Authentication successful %d\n", vs->csock);
+	vnc_write_u32(vs, 0); /* Accept auth */
+	start_client_init(vs);
+    }
+
+    return 0;
+
+ authreject:
+    vnc_write_u32(vs, 1); /* Reject auth */
+    vnc_write_u32(vs, sizeof("Authentication failed"));
+    vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
+    vnc_flush(vs);
+    vnc_client_error(vs);
+    return -1;
+
+ authabort:
+    vnc_client_error(vs);
+    return -1;
+}
+
+static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
+{
+    uint32_t startlen = read_u32(data, 0);
+    VNC_DEBUG("Got client start len %d\n", startlen);
+    if (startlen > SASL_DATA_MAX_LEN) {
+	VNC_DEBUG("Too much SASL data %d\n", startlen);
+	vnc_client_error(vs);
+	return -1;
+    }
+
+    if (startlen == 0)
+	return protocol_client_auth_sasl_start(vs, NULL, 0);
+
+    vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);
+    return 0;
+}
+
+static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
+{
+    char *mechname = malloc(len + 1);
+    if (!mechname) {
+	VNC_DEBUG("Out of memory reading mechname\n");
+	vnc_client_error(vs);
+    }
+    strncpy(mechname, (char*)data, len);
+    mechname[len] = '\0';
+    VNC_DEBUG("Got client mechname '%s' check against '%s'\n",
+	      mechname, vs->sasl.mechlist);
+
+    if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
+	if (vs->sasl.mechlist[len] != '\0' &&
+	    vs->sasl.mechlist[len] != ',') {
+	    VNC_DEBUG("One %d", vs->sasl.mechlist[len]);
+	    vnc_client_error(vs);
+	    return -1;
+	}
+    } else {
+	char *offset = strstr(vs->sasl.mechlist, mechname);
+	VNC_DEBUG("Two %p\n", offset);
+	if (!offset) {
+	    vnc_client_error(vs);
+	    return -1;
+	}
+	VNC_DEBUG("Two '%s'\n", offset);
+	if (offset[-1] != ',' ||
+	    (offset[len] != '\0'&&
+	     offset[len] != ',')) {
+	    vnc_client_error(vs);
+	    return -1;
+	}
+    }
+
+    free(vs->sasl.mechlist);
+    vs->sasl.mechlist = mechname;
+
+    VNC_DEBUG("Validated mechname '%s'\n", mechname);
+    vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
+    return 0;
+}
+
+static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
+{
+    uint32_t mechlen = read_u32(data, 0);
+    VNC_DEBUG("Got client mechname len %d\n", mechlen);
+    if (mechlen > 100) {
+	VNC_DEBUG("Too long SASL mechname data %d\n", mechlen);
+	vnc_client_error(vs);
+	return -1;
+    }
+    if (mechlen < 1) {
+	VNC_DEBUG("Too short SASL mechname %d\n", mechlen);
+	vnc_client_error(vs);
+	return -1;
+    }
+    vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen);
+    return 0;
+}
+
+#define USES_X509_AUTH(vs)			      \
+    ((vs)->subauth == VNC_AUTH_VENCRYPT_X509NONE ||   \
+     (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC ||    \
+     (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN ||  \
+     (vs)->subauth == VNC_AUTH_VENCRYPT_X509SASL)
+
+
+void start_auth_sasl(VncState *vs)
+{
+    const char *mechlist = NULL;
+    sasl_security_properties_t secprops;
+    int err;
+    char *localAddr, *remoteAddr;
+    int mechlistlen;
+
+    VNC_DEBUG("Initialize SASL auth %d\n", vs->csock);
+
+    /* Get local & remote client addresses in form  IPADDR;PORT */
+    if (!(localAddr = vnc_socket_local_addr("%s;%s", vs->csock)))
+	goto authabort;
+
+    if (!(remoteAddr = vnc_socket_remote_addr("%s;%s", vs->csock))) {
+	free(localAddr);
+	goto authabort;
+    }
+
+    err = sasl_server_new("vnc",
+			  NULL, /* FQDN - just delegates to gethostname */
+			  NULL, /* User realm */
+			  localAddr,
+			  remoteAddr,
+			  NULL, /* Callbacks, not needed */
+			  SASL_SUCCESS_DATA,
+			  &vs->sasl.conn);
+    free(localAddr);
+    free(remoteAddr);
+    localAddr = remoteAddr = NULL;
+
+    if (err != SASL_OK) {
+	VNC_DEBUG("sasl context setup failed %d (%s)",
+		  err, sasl_errstring(err, NULL, NULL));
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+
+#ifdef CONFIG_VNC_TLS
+    /* Inform SASL that we've got an external SSF layer from TLS/x509 */
+    if (vs->vd->auth == VNC_AUTH_VENCRYPT &&
+	vs->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
+	gnutls_cipher_algorithm_t cipher;
+	sasl_ssf_t ssf;
+
+	cipher = gnutls_cipher_get(vs->tls.session);
+	if (!(ssf = (sasl_ssf_t)gnutls_cipher_get_key_size(cipher))) {
+	    VNC_DEBUG("%s", "cannot TLS get cipher size\n");
+	    sasl_dispose(&vs->sasl.conn);
+	    vs->sasl.conn = NULL;
+	    goto authabort;
+	}
+	ssf *= 8; /* tls key size is bytes, sasl wants bits */
+
+	err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf);
+	if (err != SASL_OK) {
+	    VNC_DEBUG("cannot set SASL external SSF %d (%s)\n",
+		      err, sasl_errstring(err, NULL, NULL));
+	    sasl_dispose(&vs->sasl.conn);
+	    vs->sasl.conn = NULL;
+	    goto authabort;
+	}
+    } else
+#endif /* CONFIG_VNC_TLS */
+	vs->sasl.wantSSF = 1;
+
+    memset (&secprops, 0, sizeof secprops);
+    /* Inform SASL that we've got an external SSF layer from TLS */
+    if (strncmp(vs->vd->display, "unix:", 5) == 0
+#ifdef CONFIG_VNC_TLS
+	/* Disable SSF, if using TLS+x509+SASL only. TLS without x509
+	   is not sufficiently strong */
+	|| (vs->vd->auth == VNC_AUTH_VENCRYPT &&
+	    vs->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL)
+#endif /* CONFIG_VNC_TLS */
+	) {
+	/* If we've got TLS or UNIX domain sock, we don't care about SSF */
+	secprops.min_ssf = 0;
+	secprops.max_ssf = 0;
+	secprops.maxbufsize = 8192;
+	secprops.security_flags = 0;
+    } else {
+	/* Plain TCP, better get an SSF layer */
+	secprops.min_ssf = 56; /* Good enough to require kerberos */
+	secprops.max_ssf = 100000; /* Arbitrary big number */
+	secprops.maxbufsize = 8192;
+	/* Forbid any anonymous or trivially crackable auth */
+	secprops.security_flags =
+	    SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
+    }
+
+    err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
+    if (err != SASL_OK) {
+	VNC_DEBUG("cannot set SASL security props %d (%s)\n",
+		  err, sasl_errstring(err, NULL, NULL));
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+
+    err = sasl_listmech(vs->sasl.conn,
+			NULL, /* Don't need to set user */
+			"", /* Prefix */
+			",", /* Separator */
+			"", /* Suffix */
+			&mechlist,
+			NULL,
+			NULL);
+    if (err != SASL_OK) {
+	VNC_DEBUG("cannot list SASL mechanisms %d (%s)\n",
+		  err, sasl_errdetail(vs->sasl.conn));
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+    VNC_DEBUG("Available mechanisms for client: '%s'\n", mechlist);
+
+    if (!(vs->sasl.mechlist = strdup(mechlist))) {
+	VNC_DEBUG("Out of memory");
+	sasl_dispose(&vs->sasl.conn);
+	vs->sasl.conn = NULL;
+	goto authabort;
+    }
+    mechlistlen = strlen(mechlist);
+    vnc_write_u32(vs, mechlistlen);
+    vnc_write(vs, mechlist, mechlistlen);
+    vnc_flush(vs);
+
+    VNC_DEBUG("Wait for client mechname length\n");
+    vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
+
+    return;
+
+ authabort:
+    vnc_client_error(vs);
+    return;
+}
+
+
Index: qemu-kvm-0.10/qemu/vnc-auth-sasl.h
===================================================================
--- /dev/null
+++ qemu-kvm-0.10/qemu/vnc-auth-sasl.h
@@ -0,0 +1,67 @@
+/*
+ * QEMU VNC display driver: SASL auth protocol
+ *
+ * Copyright (C) 2009 Red Hat, Inc
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+
+#ifndef __QEMU_VNC_AUTH_SASL_H__
+#define __QEMU_VNC_AUTH_SASL_H__
+
+
+#include <sasl/sasl.h>
+
+typedef struct VncStateSASL VncStateSASL;
+
+struct VncStateSASL {
+    sasl_conn_t *conn;
+    /* If we want to negotiate an SSF layer with client */
+    int wantSSF :1;
+    /* If we are now running the SSF layer */
+    int runSSF :1;
+    /*
+     * If this is non-zero, then wait for that many bytes
+     * to be written plain, before switching to SSF encoding
+     * This allows the VNC auth result to finish being
+     * written in plain.
+     */
+    unsigned int waitWriteSSF;
+
+    /*
+     * Buffering encoded data to allow more clear data
+     * to be stuffed onto the output buffer
+     */
+    const uint8_t *encoded;
+    unsigned int encodedLength;
+    unsigned int encodedOffset;
+    char *username;
+    char *mechlist;
+};
+
+void vnc_sasl_client_cleanup(VncState *vs);
+
+long vnc_client_read_sasl(VncState *vs);
+long vnc_client_write_sasl(VncState *vs);
+
+void start_auth_sasl(VncState *vs);
+
+#endif /* __QEMU_VNC_AUTH_SASL_H__ */
+
Index: qemu-kvm-0.10/qemu/vnc-auth-vencrypt.c
===================================================================
--- qemu-kvm-0.10.orig/qemu/vnc-auth-vencrypt.c
+++ qemu-kvm-0.10/qemu/vnc-auth-vencrypt.c
@@ -43,8 +43,15 @@ static void start_auth_vencrypt_subauth(
        start_auth_vnc(vs);
        break;
 
+#ifdef CONFIG_VNC_SASL
+    case VNC_AUTH_VENCRYPT_TLSSASL:
+    case VNC_AUTH_VENCRYPT_X509SASL:
+      VNC_DEBUG("Start TLS auth SASL\n");
+      return start_auth_sasl(vs);
+#endif /* CONFIG_VNC_SASL */
+
     default: /* Should not be possible, but just in case */
-       VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
+       VNC_DEBUG("Reject subauth %d server bug\n", vs->vd->auth);
        vnc_write_u8(vs, 1);
        if (vs->minor >= 8) {
            static const char err[] = "Unsupported authentication type";
@@ -105,7 +112,8 @@ static void vnc_tls_handshake_io(void *o
 #define NEED_X509_AUTH(vs)			      \
     ((vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509NONE ||   \
      (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509VNC ||    \
-     (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509PLAIN)
+     (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509PLAIN ||  \
+     (vs)->vd->subauth == VNC_AUTH_VENCRYPT_X509SASL)
 
 
 static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len)
Index: qemu-kvm-0.10/qemu/vnc.c
===================================================================
--- qemu-kvm-0.10.orig/qemu/vnc.c
+++ qemu-kvm-0.10/qemu/vnc.c
@@ -68,7 +68,8 @@ static char *addr_to_string(const char *
     return addr;
 }
 
-static char *vnc_socket_local_addr(const char *format, int fd) {
+
+char *vnc_socket_local_addr(const char *format, int fd) {
     struct sockaddr_storage sa;
     socklen_t salen;
 
@@ -79,7 +80,8 @@ static char *vnc_socket_local_addr(const
     return addr_to_string(format, &sa, salen);
 }
 
-static char *vnc_socket_remote_addr(const char *format, int fd) {
+
+char *vnc_socket_remote_addr(const char *format, int fd) {
     struct sockaddr_storage sa;
     socklen_t salen;
 
@@ -125,12 +127,18 @@ static const char *vnc_auth_name(VncDisp
 	    return "vencrypt+x509+vnc";
 	case VNC_AUTH_VENCRYPT_X509PLAIN:
 	    return "vencrypt+x509+plain";
+	case VNC_AUTH_VENCRYPT_TLSSASL:
+	    return "vencrypt+tls+sasl";
+	case VNC_AUTH_VENCRYPT_X509SASL:
+	    return "vencrypt+x509+sasl";
 	default:
 	    return "vencrypt";
 	}
 #else
 	return "vencrypt";
 #endif
+    case VNC_AUTH_SASL:
+	return "sasl";
     }
     return "unknown";
 }
@@ -278,7 +286,7 @@ static void vnc_framebuffer_update(VncSt
     vnc_write_s32(vs, encoding);
 }
 
-static void buffer_reserve(Buffer *buffer, size_t len)
+void buffer_reserve(Buffer *buffer, size_t len)
 {
     if ((buffer->capacity - buffer->offset) < len) {
 	buffer->capacity += (len + 1024);
@@ -290,22 +298,22 @@ static void buffer_reserve(Buffer *buffe
     }
 }
 
-static int buffer_empty(Buffer *buffer)
+int buffer_empty(Buffer *buffer)
 {
     return buffer->offset == 0;
 }
 
-static uint8_t *buffer_end(Buffer *buffer)
+uint8_t *buffer_end(Buffer *buffer)
 {
     return buffer->buffer + buffer->offset;
 }
 
-static void buffer_reset(Buffer *buffer)
+void buffer_reset(Buffer *buffer)
 {
 	buffer->offset = 0;
 }
 
-static void buffer_append(Buffer *buffer, const void *data, size_t len)
+void buffer_append(Buffer *buffer, const void *data, size_t len)
 {
     memcpy(buffer->buffer + buffer->offset, data, len);
     buffer->offset += len;
@@ -821,7 +829,8 @@ static void audio_del(VncState *vs)
     }
 }
 
-static int vnc_client_io_error(VncState *vs, int ret, int last_errno)
+
+int vnc_client_io_error(VncState *vs, int ret, int last_errno)
 {
     if (ret == 0 || ret == -1) {
         if (ret == -1) {
@@ -847,6 +856,9 @@ static int vnc_client_io_error(VncState 
 #ifdef CONFIG_VNC_TLS
 	vnc_tls_client_cleanup(vs);
 #endif /* CONFIG_VNC_TLS */
+#ifdef CONFIG_VNC_SASL
+        vnc_sasl_client_cleanup(vs);
+#endif /* CONFIG_VNC_SASL */
         audio_del(vs);
 
         VncState *p, *parent = NULL;
@@ -877,14 +889,28 @@ void vnc_client_error(VncState *vs)
     vnc_client_io_error(vs, -1, EINVAL);
 }
 
-void vnc_client_write(void *opaque)
+
+/*
+ * Called to write a chunk of data to the client socket. The data may
+ * be the raw data, or may have already been encoded by SASL.
+ * The data will be written either straight onto the socket, or
+ * written via the GNUTLS wrappers, if TLS/SSL encryption is enabled
+ *
+ * NB, it is theoretically possible to have 2 layers of encryption,
+ * both SASL, and this TLS layer. It is highly unlikely in practice
+ * though, since SASL encryption will typically be a no-op if TLS
+ * is active
+ *
+ * Returns the number of bytes written, which may be less than
+ * the requested 'datalen' if the socket would block. Returns
+ * -1 on error, and disconnects the client socket.
+ */
+long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
 {
     long ret;
-    VncState *vs = opaque;
-
 #ifdef CONFIG_VNC_TLS
     if (vs->tls.session) {
-	ret = gnutls_write(vs->tls.session, vs->output.buffer, vs->output.offset);
+	ret = gnutls_write(vs->tls.session, data, datalen);
 	if (ret < 0) {
 	    if (ret == GNUTLS_E_AGAIN)
 		errno = EAGAIN;
@@ -894,10 +920,42 @@ void vnc_client_write(void *opaque)
 	}
     } else
 #endif /* CONFIG_VNC_TLS */
-	ret = send(vs->csock, vs->output.buffer, vs->output.offset, 0);
-    ret = vnc_client_io_error(vs, ret, socket_error());
+	ret = send(vs->csock, data, datalen, 0);
+    VNC_DEBUG("Wrote wire %p %d -> %ld\n", data, datalen, ret);
+    return vnc_client_io_error(vs, ret, socket_error());
+}
+
+
+/*
+ * Called to write buffered data to the client socket, when not
+ * using any SASL SSF encryption layers. Will write as much data
+ * as possible without blocking. If all buffered data is written,
+ * will switch the FD poll() handler back to read monitoring.
+ *
+ * Returns the number of bytes written, which may be less than
+ * the buffered output data if the socket would block. Returns
+ * -1 on error, and disconnects the client socket.
+ */
+static long vnc_client_write_plain(VncState *vs)
+{
+    long ret;
+
+#ifdef CONFIG_VNC_SASL
+    VNC_DEBUG("Write Plain: Pending output %p size %d offset %d. Wait SSF %d\n",
+              vs->output.buffer, vs->output.capacity, vs->output.offset,
+              vs->sasl.waitWriteSSF);
+
+    if (vs->sasl.conn &&
+        vs->sasl.runSSF &&
+        vs->sasl.waitWriteSSF) {
+        ret = vnc_client_write_buf(vs, vs->output.buffer, vs->sasl.waitWriteSSF);
+        if (ret)
+            vs->sasl.waitWriteSSF -= ret;
+    } else
+#endif /* CONFIG_VNC_SASL */
+        ret = vnc_client_write_buf(vs, vs->output.buffer, vs->output.offset);
     if (!ret)
-	return;
+        return 0;
 
     memmove(vs->output.buffer, vs->output.buffer + ret, (vs->output.offset - ret));
     vs->output.offset -= ret;
@@ -905,6 +963,29 @@ void vnc_client_write(void *opaque)
     if (vs->output.offset == 0) {
 	qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);
     }
+
+    return ret;
+}
+
+
+/*
+ * First function called whenever there is data to be written to
+ * the client socket. Will delegate actual work according to whether
+ * SASL SSF layers are enabled (thus requiring encryption calls)
+ */
+void vnc_client_write(void *opaque)
+{
+    long ret;
+    VncState *vs = opaque;
+
+#ifdef CONFIG_VNC_SASL
+    if (vs->sasl.conn &&
+        vs->sasl.runSSF &&
+        !vs->sasl.waitWriteSSF)
+        ret = vnc_client_write_sasl(vs);
+    else
+#endif /* CONFIG_VNC_SASL */
+        ret = vnc_client_write_plain(vs);
 }
 
 void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
@@ -913,16 +994,28 @@ void vnc_read_when(VncState *vs, VncRead
     vs->read_handler_expect = expecting;
 }
 
-void vnc_client_read(void *opaque)
+
+/*
+ * Called to read a chunk of data from the client socket. The data may
+ * be the raw data, or may need to be further decoded by SASL.
+ * The data will be read either straight from to the socket, or
+ * read via the GNUTLS wrappers, if TLS/SSL encryption is enabled
+ *
+ * NB, it is theoretically possible to have 2 layers of encryption,
+ * both SASL, and this TLS layer. It is highly unlikely in practice
+ * though, since SASL encryption will typically be a no-op if TLS
+ * is active
+ *
+ * Returns the number of bytes read, which may be less than
+ * the requested 'datalen' if the socket would block. Returns
+ * -1 on error, and disconnects the client socket.
+ */
+long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
 {
-    VncState *vs = opaque;
     long ret;
-
-    buffer_reserve(&vs->input, 4096);
-
 #ifdef CONFIG_VNC_TLS
     if (vs->tls.session) {
-	ret = gnutls_read(vs->tls.session, buffer_end(&vs->input), 4096);
+	ret = gnutls_read(vs->tls.session, data, datalen);
 	if (ret < 0) {
 	    if (ret == GNUTLS_E_AGAIN)
 		errno = EAGAIN;
@@ -932,12 +1025,52 @@ void vnc_client_read(void *opaque)
 	}
     } else
 #endif /* CONFIG_VNC_TLS */
-	ret = recv(vs->csock, buffer_end(&vs->input), 4096, 0);
-    ret = vnc_client_io_error(vs, ret, socket_error());
-    if (!ret)
-	return;
+	ret = recv(vs->csock, data, datalen, 0);
+    VNC_DEBUG("Read wire %p %d -> %ld\n", data, datalen, ret);
+    return vnc_client_io_error(vs, ret, socket_error());
+}
 
+
+/*
+ * Called to read data from the client socket to the input buffer,
+ * when not using any SASL SSF encryption layers. Will read as much
+ * data as possible without blocking.
+ *
+ * Returns the number of bytes read. Returns -1 on error, and
+ * disconnects the client socket.
+ */
+static long vnc_client_read_plain(VncState *vs)
+{
+    int ret;
+    VNC_DEBUG("Read plain %p size %d offset %d\n",
+              vs->input.buffer, vs->input.capacity, vs->input.offset);
+    buffer_reserve(&vs->input, 4096);
+    ret = vnc_client_read_buf(vs, buffer_end(&vs->input), 4096);
+    if (!ret)
+        return 0;
     vs->input.offset += ret;
+    return ret;
+}
+
+
+/*
+ * First function called whenever there is more data to be read from
+ * the client socket. Will delegate actual work according to whether
+ * SASL SSF layers are enabled (thus requiring decryption calls)
+ */
+void vnc_client_read(void *opaque)
+{
+    VncState *vs = opaque;
+    long ret;
+
+#ifdef CONFIG_VNC_SASL
+    if (vs->sasl.conn && vs->sasl.runSSF)
+        ret = vnc_client_read_sasl(vs);
+    else
+#endif /* CONFIG_VNC_SASL */
+        ret = vnc_client_read_plain(vs);
+    if (!ret)
+	return;
 
     while (vs->read_handler && vs->input.offset >= vs->read_handler_expect) {
 	size_t len = vs->read_handler_expect;
@@ -1722,6 +1855,13 @@ static int protocol_client_auth(VncState
            break;
 #endif /* CONFIG_VNC_TLS */
 
+#ifdef CONFIG_VNC_SASL
+       case VNC_AUTH_SASL:
+           VNC_DEBUG("Accept SASL auth\n");
+           start_auth_sasl(vs);
+           break;
+#endif /* CONFIG_VNC_SASL */
+
        default: /* Should not be possible, but just in case */
            VNC_DEBUG("Reject auth %d\n", vs->vd->auth);
            vnc_write_u8(vs, 1);
@@ -1923,6 +2063,10 @@ int vnc_display_open(DisplayState *ds, c
 #ifdef CONFIG_VNC_TLS
     int tls = 0, x509 = 0;
 #endif
+#ifdef CONFIG_VNC_SASL
+    int sasl = 0;
+    int saslErr;
+#endif
 
     if (!vnc_display)
         return -1;
@@ -1942,6 +2086,10 @@ int vnc_display_open(DisplayState *ds, c
 	    reverse = 1;
 	} else if (strncmp(options, "to=", 3) == 0) {
             to_port = atoi(options+3) + 5900;
+#ifdef CONFIG_VNC_SASL
+	} else if (strncmp(options, "sasl", 4) == 0) {
+	    sasl = 1; /* Require SASL auth */
+#endif
 #ifdef CONFIG_VNC_TLS
 	} else if (strncmp(options, "tls", 3) == 0) {
 	    tls = 1; /* Require TLS */
@@ -1978,6 +2126,22 @@ int vnc_display_open(DisplayState *ds, c
 	}
     }
 
+    /*
+     * Combinations we support here:
+     *
+     *  - no-auth                (clear text, no auth)
+     *  - password               (clear text, weak auth)
+     *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
+     *  - tls                    (encrypt, weak anonymous creds, no auth)
+     *  - tls + password         (encrypt, weak anonymous creds, weak auth)
+     *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
+     *  - tls + x509             (encrypt, good x509 creds, no auth)
+     *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
+     *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
+     *
+     * NB1. TLS is a stackable auth scheme.
+     * NB2. the x509 schemes have option to validate a client cert dname
+     */
     if (password) {
 #ifdef CONFIG_VNC_TLS
 	if (tls) {
@@ -1990,13 +2154,34 @@ int vnc_display_open(DisplayState *ds, c
 		vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
 	    }
 	} else {
-#endif
+#endif /* CONFIG_VNC_TLS */
 	    VNC_DEBUG("Initializing VNC server with password auth\n");
 	    vs->auth = VNC_AUTH_VNC;
 #ifdef CONFIG_VNC_TLS
 	    vs->subauth = VNC_AUTH_INVALID;
 	}
-#endif
+#endif /* CONFIG_VNC_TLS */
+#ifdef CONFIG_VNC_SASL
+    } else if (sasl) {
+#ifdef CONFIG_VNC_TLS
+        if (tls) {
+            vs->auth = VNC_AUTH_VENCRYPT;
+            if (x509) {
+		VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
+            } else {
+		VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
+                vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
+            }
+        } else {
+#endif /* CONFIG_VNC_TLS */
+	    VNC_DEBUG("Initializing VNC server with SASL auth\n");
+            vs->auth = VNC_AUTH_SASL;
+#ifdef CONFIG_VNC_TLS
+            vs->subauth = VNC_AUTH_INVALID;
+        }
+#endif /* CONFIG_VNC_TLS */
+#endif /* CONFIG_VNC_SASL */
     } else {
 #ifdef CONFIG_VNC_TLS
 	if (tls) {
@@ -2018,6 +2203,16 @@ int vnc_display_open(DisplayState *ds, c
 #endif
     }
 
+#ifdef CONFIG_VNC_SASL
+    if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
+        fprintf(stderr, "Failed to initialize SASL auth %s",
+                sasl_errstring(saslErr, NULL, NULL));
+        free(vs->display);
+        vs->display = NULL;
+        return -1;
+    }
+#endif
+
     if (reverse) {
         /* connect to viewer */
         if (strncmp(display, "unix:", 5) == 0)
Index: qemu-kvm-0.10/qemu/vnc.h
===================================================================
--- qemu-kvm-0.10.orig/qemu/vnc.h
+++ qemu-kvm-0.10/qemu/vnc.h
@@ -79,6 +79,10 @@ typedef struct VncDisplay VncDisplay;
 #include "vnc-tls.h"
 #include "vnc-auth-vencrypt.h"
 #endif
+#ifdef CONFIG_VNC_SASL
+#include "vnc-auth-sasl.h"
+#endif
+
 
 struct VncDisplay
 {
@@ -118,10 +122,12 @@ struct VncState
     int minor;
 
     char challenge[VNC_AUTH_CHALLENGE_SIZE];
-
 #ifdef CONFIG_VNC_TLS
     VncStateTLS tls;
 #endif
+#ifdef CONFIG_VNC_SASL
+    VncStateSASL sasl;
+#endif
 
     Buffer output;
     Buffer input;
@@ -160,8 +166,9 @@ enum {
     VNC_AUTH_RA2NE = 6,
     VNC_AUTH_TIGHT = 16,
     VNC_AUTH_ULTRA = 17,
-    VNC_AUTH_TLS = 18,
-    VNC_AUTH_VENCRYPT = 19
+    VNC_AUTH_TLS = 18,      /* Supported in GTK-VNC & VINO */
+    VNC_AUTH_VENCRYPT = 19, /* Supported in GTK-VNC & VeNCrypt */
+    VNC_AUTH_SASL = 20,     /* Supported in GTK-VNC & VINO */
 };
 
 enum {
@@ -172,6 +179,8 @@ enum {
     VNC_AUTH_VENCRYPT_X509NONE = 260,
     VNC_AUTH_VENCRYPT_X509VNC = 261,
     VNC_AUTH_VENCRYPT_X509PLAIN = 262,
+    VNC_AUTH_VENCRYPT_X509SASL = 263,
+    VNC_AUTH_VENCRYPT_TLSSASL = 264,
 };
 
 
@@ -255,6 +264,8 @@ enum {
 void vnc_client_read(void *opaque);
 void vnc_client_write(void *opaque);
 
+long vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen);
+long vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen);
 
 /* Protocol I/O functions */
 void vnc_write(VncState *vs, const void *data, size_t len);
@@ -274,8 +285,22 @@ uint32_t read_u32(uint8_t *data, size_t 
 
 /* Protocol stage functions */
 void vnc_client_error(VncState *vs);
+int vnc_client_io_error(VncState *vs, int ret, int last_errno);
 
 void start_client_init(VncState *vs);
 void start_auth_vnc(VncState *vs);
 
+/* Buffer management */
+void buffer_reserve(Buffer *buffer, size_t len);
+int buffer_empty(Buffer *buffer);
+uint8_t *buffer_end(Buffer *buffer);
+void buffer_reset(Buffer *buffer);
+void buffer_append(Buffer *buffer, const void *data, size_t len);
+
+
+/* Misc helpers */
+
+char *vnc_socket_local_addr(const char *format, int fd);
+char *vnc_socket_remote_addr(const char *format, int fd);
+
 #endif /* __QEMU_VNC_H */