1 /* 2 * QEMU VNC display driver: VeNCrypt authentication setup 3 * 4 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws> 5 * Copyright (C) 2006 Fabrice Bellard 6 * Copyright (C) 2009 Red Hat, Inc 7 * 8 * Permission is hereby granted, free of charge, to any person obtaining a copy 9 * of this software and associated documentation files (the "Software"), to deal 10 * in the Software without restriction, including without limitation the rights 11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 * copies of the Software, and to permit persons to whom the Software is 13 * furnished to do so, subject to the following conditions: 14 * 15 * The above copyright notice and this permission notice shall be included in 16 * all copies or substantial portions of the Software. 17 * 18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 24 * THE SOFTWARE. 25 */ 26 27 #include "qemu/osdep.h" 28 #include "vnc.h" 29 #include "qapi/error.h" 30 #include "qemu/main-loop.h" 31 #include "trace.h" 32 33 static void start_auth_vencrypt_subauth(VncState *vs) 34 { 35 switch (vs->subauth) { 36 case VNC_AUTH_VENCRYPT_TLSNONE: 37 case VNC_AUTH_VENCRYPT_X509NONE: 38 vnc_write_u32(vs, 0); /* Accept auth completion */ 39 start_client_init(vs); 40 break; 41 42 case VNC_AUTH_VENCRYPT_TLSVNC: 43 case VNC_AUTH_VENCRYPT_X509VNC: 44 start_auth_vnc(vs); 45 break; 46 47 #ifdef CONFIG_VNC_SASL 48 case VNC_AUTH_VENCRYPT_TLSSASL: 49 case VNC_AUTH_VENCRYPT_X509SASL: 50 start_auth_sasl(vs); 51 break; 52 #endif /* CONFIG_VNC_SASL */ 53 54 default: /* Should not be possible, but just in case */ 55 trace_vnc_auth_fail(vs, vs->auth, "Unhandled VeNCrypt subauth", ""); 56 vnc_write_u8(vs, 1); 57 if (vs->minor >= 8) { 58 static const char err[] = "Unsupported authentication type"; 59 vnc_write_u32(vs, sizeof(err)); 60 vnc_write(vs, err, sizeof(err)); 61 } 62 vnc_client_error(vs); 63 } 64 } 65 66 static void vnc_tls_handshake_done(QIOTask *task, 67 gpointer user_data) 68 { 69 VncState *vs = user_data; 70 Error *err = NULL; 71 72 if (qio_task_propagate_error(task, &err)) { 73 trace_vnc_auth_fail(vs, vs->auth, "TLS handshake failed", 74 error_get_pretty(err)); 75 vnc_client_error(vs); 76 error_free(err); 77 } else { 78 if (vs->ioc_tag) { 79 g_source_remove(vs->ioc_tag); 80 } 81 vs->ioc_tag = qio_channel_add_watch( 82 vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL); 83 start_auth_vencrypt_subauth(vs); 84 } 85 } 86 87 88 static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len) 89 { 90 int auth = read_u32(data, 0); 91 92 trace_vnc_auth_vencrypt_subauth(vs, auth); 93 if (auth != vs->subauth) { 94 trace_vnc_auth_fail(vs, vs->auth, "Unsupported sub-auth version", ""); 95 vnc_write_u8(vs, 0); /* Reject auth */ 96 vnc_flush(vs); 97 vnc_client_error(vs); 98 } else { 99 Error *err = NULL; 100 QIOChannelTLS *tls; 101 vnc_write_u8(vs, 1); /* Accept auth */ 102 vnc_flush(vs); 103 104 if (vs->ioc_tag) { 105 g_source_remove(vs->ioc_tag); 106 vs->ioc_tag = 0; 107 } 108 109 tls = qio_channel_tls_new_server( 110 vs->ioc, 111 vs->vd->tlscreds, 112 vs->vd->tlsaclname, 113 &err); 114 if (!tls) { 115 trace_vnc_auth_fail(vs, vs->auth, "TLS setup failed", 116 error_get_pretty(err)); 117 error_free(err); 118 vnc_client_error(vs); 119 return 0; 120 } 121 122 qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls"); 123 object_unref(OBJECT(vs->ioc)); 124 vs->ioc = QIO_CHANNEL(tls); 125 trace_vnc_client_io_wrap(vs, vs->ioc, "tls"); 126 vs->tls = qio_channel_tls_get_session(tls); 127 128 qio_channel_tls_handshake(tls, 129 vnc_tls_handshake_done, 130 vs, 131 NULL); 132 } 133 return 0; 134 } 135 136 static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len) 137 { 138 trace_vnc_auth_vencrypt_version(vs, (int)data[0], (int)data[1]); 139 if (data[0] != 0 || 140 data[1] != 2) { 141 trace_vnc_auth_fail(vs, vs->auth, "Unsupported version", ""); 142 vnc_write_u8(vs, 1); /* Reject version */ 143 vnc_flush(vs); 144 vnc_client_error(vs); 145 } else { 146 vnc_write_u8(vs, 0); /* Accept version */ 147 vnc_write_u8(vs, 1); /* Number of sub-auths */ 148 vnc_write_u32(vs, vs->subauth); /* The supported auth */ 149 vnc_flush(vs); 150 vnc_read_when(vs, protocol_client_vencrypt_auth, 4); 151 } 152 return 0; 153 } 154 155 156 void start_auth_vencrypt(VncState *vs) 157 { 158 /* Send VeNCrypt version 0.2 */ 159 vnc_write_u8(vs, 0); 160 vnc_write_u8(vs, 2); 161 162 vnc_read_when(vs, protocol_client_vencrypt_init, 2); 163 } 164 165