1 /* 2 * QEMU VNC display driver: VeNCrypt authentication setup 3 * 4 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws> 5 * Copyright (C) 2006 Fabrice Bellard 6 * Copyright (C) 2009 Red Hat, Inc 7 * 8 * Permission is hereby granted, free of charge, to any person obtaining a copy 9 * of this software and associated documentation files (the "Software"), to deal 10 * in the Software without restriction, including without limitation the rights 11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 * copies of the Software, and to permit persons to whom the Software is 13 * furnished to do so, subject to the following conditions: 14 * 15 * The above copyright notice and this permission notice shall be included in 16 * all copies or substantial portions of the Software. 17 * 18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 24 * THE SOFTWARE. 25 */ 26 27 #include "qemu/osdep.h" 28 #include "vnc.h" 29 #include "qapi/error.h" 30 #include "qemu/main-loop.h" 31 32 static void start_auth_vencrypt_subauth(VncState *vs) 33 { 34 switch (vs->subauth) { 35 case VNC_AUTH_VENCRYPT_TLSNONE: 36 case VNC_AUTH_VENCRYPT_X509NONE: 37 VNC_DEBUG("Accept TLS auth none\n"); 38 vnc_write_u32(vs, 0); /* Accept auth completion */ 39 start_client_init(vs); 40 break; 41 42 case VNC_AUTH_VENCRYPT_TLSVNC: 43 case VNC_AUTH_VENCRYPT_X509VNC: 44 VNC_DEBUG("Start TLS auth VNC\n"); 45 start_auth_vnc(vs); 46 break; 47 48 #ifdef CONFIG_VNC_SASL 49 case VNC_AUTH_VENCRYPT_TLSSASL: 50 case VNC_AUTH_VENCRYPT_X509SASL: 51 VNC_DEBUG("Start TLS auth SASL\n"); 52 start_auth_sasl(vs); 53 break; 54 #endif /* CONFIG_VNC_SASL */ 55 56 default: /* Should not be possible, but just in case */ 57 VNC_DEBUG("Reject subauth %d server bug\n", vs->auth); 58 vnc_write_u8(vs, 1); 59 if (vs->minor >= 8) { 60 static const char err[] = "Unsupported authentication type"; 61 vnc_write_u32(vs, sizeof(err)); 62 vnc_write(vs, err, sizeof(err)); 63 } 64 vnc_client_error(vs); 65 } 66 } 67 68 static void vnc_tls_handshake_done(QIOTask *task, 69 gpointer user_data) 70 { 71 VncState *vs = user_data; 72 Error *err = NULL; 73 74 if (qio_task_propagate_error(task, &err)) { 75 VNC_DEBUG("Handshake failed %s\n", 76 error_get_pretty(err)); 77 vnc_client_error(vs); 78 error_free(err); 79 } else { 80 vs->ioc_tag = qio_channel_add_watch( 81 vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL); 82 start_auth_vencrypt_subauth(vs); 83 } 84 } 85 86 87 static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len) 88 { 89 int auth = read_u32(data, 0); 90 91 if (auth != vs->subauth) { 92 VNC_DEBUG("Rejecting auth %d\n", auth); 93 vnc_write_u8(vs, 0); /* Reject auth */ 94 vnc_flush(vs); 95 vnc_client_error(vs); 96 } else { 97 Error *err = NULL; 98 QIOChannelTLS *tls; 99 VNC_DEBUG("Accepting auth %d, setting up TLS for handshake\n", auth); 100 vnc_write_u8(vs, 1); /* Accept auth */ 101 vnc_flush(vs); 102 103 if (vs->ioc_tag) { 104 g_source_remove(vs->ioc_tag); 105 vs->ioc_tag = 0; 106 } 107 108 tls = qio_channel_tls_new_server( 109 vs->ioc, 110 vs->vd->tlscreds, 111 vs->vd->tlsaclname, 112 &err); 113 if (!tls) { 114 VNC_DEBUG("Failed to setup TLS %s\n", error_get_pretty(err)); 115 error_free(err); 116 vnc_client_error(vs); 117 return 0; 118 } 119 120 qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls"); 121 VNC_DEBUG("Start TLS VeNCrypt handshake process\n"); 122 object_unref(OBJECT(vs->ioc)); 123 vs->ioc = QIO_CHANNEL(tls); 124 vs->tls = qio_channel_tls_get_session(tls); 125 126 qio_channel_tls_handshake(tls, 127 vnc_tls_handshake_done, 128 vs, 129 NULL); 130 } 131 return 0; 132 } 133 134 static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len) 135 { 136 if (data[0] != 0 || 137 data[1] != 2) { 138 VNC_DEBUG("Unsupported VeNCrypt protocol %d.%d\n", (int)data[0], (int)data[1]); 139 vnc_write_u8(vs, 1); /* Reject version */ 140 vnc_flush(vs); 141 vnc_client_error(vs); 142 } else { 143 VNC_DEBUG("Sending allowed auth %d\n", vs->subauth); 144 vnc_write_u8(vs, 0); /* Accept version */ 145 vnc_write_u8(vs, 1); /* Number of sub-auths */ 146 vnc_write_u32(vs, vs->subauth); /* The supported auth */ 147 vnc_flush(vs); 148 vnc_read_when(vs, protocol_client_vencrypt_auth, 4); 149 } 150 return 0; 151 } 152 153 154 void start_auth_vencrypt(VncState *vs) 155 { 156 /* Send VeNCrypt version 0.2 */ 157 vnc_write_u8(vs, 0); 158 vnc_write_u8(vs, 2); 159 160 vnc_read_when(vs, protocol_client_vencrypt_init, 2); 161 } 162 163