david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ui: split setup of VNC auth scheme into separate method

Browse Source 
The vnc_display_open method is quite long and complex, so
move the VNC auth scheme decision logic into a separate
method for clarity.

Also update the comment to better describe what we are
trying to achieve.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
Daniel P. Berrange 2015-03-17 13:42:56 +00:00 committed by Gerd Hoffmann
parent d169f04b8b
commit 0dd72e1531
1 changed files with 91 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
ui/vnc.c
View File

@ -3314,6 +3314,96 @@ static QemuOptsList qemu_vnc_opts = {
}, },
}; };
static void
vnc_display_setup_auth(VncDisplay *vs,
bool password,
bool sasl,
bool tls,
bool x509)
{
/*
* We have a choice of 3 authentication options
*
* 1. none
* 2. vnc
* 3. sasl
*
* The channel can be run in 2 modes
*
* 1. clear
* 2. tls
*
* And TLS can use 2 types of credentials
*
* 1. anon
* 2. x509
*
* We thus have 9 possible logical combinations
*
* 1. clear + none
* 2. clear + vnc
* 3. clear + sasl
* 4. tls + anon + none
* 5. tls + anon + vnc
* 6. tls + anon + sasl
* 7. tls + x509 + none
* 8. tls + x509 + vnc
* 9. tls + x509 + sasl
*
* These need to be mapped into the VNC auth schemes
* in an appropriate manner. In regular VNC, all the
* TLS options get mapped into VNC_AUTH_VENCRYPT
* sub-auth types.
*/
if (password) {
if (tls) {
vs->auth = VNC_AUTH_VENCRYPT;
if (x509) {
VNC_DEBUG("Initializing VNC server with x509 password auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
} else {
VNC_DEBUG("Initializing VNC server with TLS password auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
}
} else {
VNC_DEBUG("Initializing VNC server with password auth\n");
vs->auth = VNC_AUTH_VNC;
vs->subauth = VNC_AUTH_INVALID;
}
} else if (sasl) {
if (tls) {
vs->auth = VNC_AUTH_VENCRYPT;
if (x509) {
VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
} else {
VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
}
} else {
VNC_DEBUG("Initializing VNC server with SASL auth\n");
vs->auth = VNC_AUTH_SASL;
vs->subauth = VNC_AUTH_INVALID;
}
} else {
if (tls) {
vs->auth = VNC_AUTH_VENCRYPT;
if (x509) {
VNC_DEBUG("Initializing VNC server with x509 no auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
} else {
VNC_DEBUG("Initializing VNC server with TLS no auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
}
} else {
VNC_DEBUG("Initializing VNC server with no auth\n");
vs->auth = VNC_AUTH_NONE;
vs->subauth = VNC_AUTH_INVALID;
}
}
}
void vnc_display_open(const char *id, Error **errp) void vnc_display_open(const char *id, Error **errp)
{ {
VncDisplay *vs = vnc_display_find(id); VncDisplay *vs = vnc_display_find(id);
@ -3506,68 +3596,7 @@ void vnc_display_open(const char *id, Error **errp)
} }
#endif #endif
/* vnc_display_setup_auth(vs, password, sasl, tls, x509);
* Combinations we support here:
*
* - no-auth (clear text, no auth)
* - password (clear text, weak auth)
* - sasl (encrypt, good auth *IF* using Kerberos via GSSAPI)
* - tls (encrypt, weak anonymous creds, no auth)
* - tls + password (encrypt, weak anonymous creds, weak auth)
* - tls + sasl (encrypt, weak anonymous creds, good auth)
* - tls + x509 (encrypt, good x509 creds, no auth)
* - tls + x509 + password (encrypt, good x509 creds, weak auth)
* - tls + x509 + sasl (encrypt, good x509 creds, good auth)
*
* NB1. TLS is a stackable auth scheme.
* NB2. the x509 schemes have option to validate a client cert dname
*/
if (password) {
if (tls) {
vs->auth = VNC_AUTH_VENCRYPT;
if (x509) {
VNC_DEBUG("Initializing VNC server with x509 password auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
} else {
VNC_DEBUG("Initializing VNC server with TLS password auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
}
} else {
VNC_DEBUG("Initializing VNC server with password auth\n");
vs->auth = VNC_AUTH_VNC;
vs->subauth = VNC_AUTH_INVALID;
}
} else if (sasl) {
if (tls) {
vs->auth = VNC_AUTH_VENCRYPT;
if (x509) {
VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
} else {
VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
}
} else {
VNC_DEBUG("Initializing VNC server with SASL auth\n");
vs->auth = VNC_AUTH_SASL;
vs->subauth = VNC_AUTH_INVALID;
}
} else {
if (tls) {
vs->auth = VNC_AUTH_VENCRYPT;
if (x509) {
VNC_DEBUG("Initializing VNC server with x509 no auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
} else {
VNC_DEBUG("Initializing VNC server with TLS no auth\n");
vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
}
} else {
VNC_DEBUG("Initializing VNC server with no auth\n");
vs->auth = VNC_AUTH_NONE;
vs->subauth = VNC_AUTH_INVALID;
}
}
#ifdef CONFIG_VNC_SASL #ifdef CONFIG_VNC_SASL
if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) { if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {