ui: add tracing of VNC authentication process
Trace anything related to authentication in the VNC protocol handshake Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170921121528.23935-3-berrange@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent
ad6374c43e
commit
7364dbdabb
4 changed files with 92 additions and 93 deletions
36
ui/vnc.c
36
ui/vnc.c
|
@ -2406,11 +2406,11 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
|
|||
Error *err = NULL;
|
||||
|
||||
if (!vs->vd->password) {
|
||||
VNC_DEBUG("No password configured on server");
|
||||
trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
|
||||
goto reject;
|
||||
}
|
||||
if (vs->vd->expires < now) {
|
||||
VNC_DEBUG("Password is expired");
|
||||
trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
|
||||
goto reject;
|
||||
}
|
||||
|
||||
|
@ -2427,8 +2427,8 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
|
|||
key, G_N_ELEMENTS(key),
|
||||
&err);
|
||||
if (!cipher) {
|
||||
VNC_DEBUG("Cannot initialize cipher %s",
|
||||
error_get_pretty(err));
|
||||
trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
|
||||
error_get_pretty(err));
|
||||
error_free(err);
|
||||
goto reject;
|
||||
}
|
||||
|
@ -2438,18 +2438,18 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
|
|||
response,
|
||||
VNC_AUTH_CHALLENGE_SIZE,
|
||||
&err) < 0) {
|
||||
VNC_DEBUG("Cannot encrypt challenge %s",
|
||||
error_get_pretty(err));
|
||||
trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
|
||||
error_get_pretty(err));
|
||||
error_free(err);
|
||||
goto reject;
|
||||
}
|
||||
|
||||
/* Compare expected vs actual challenge response */
|
||||
if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
|
||||
VNC_DEBUG("Client challenge response did not match\n");
|
||||
trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
|
||||
goto reject;
|
||||
} else {
|
||||
VNC_DEBUG("Accepting VNC challenge response\n");
|
||||
trace_vnc_auth_pass(vs, vs->auth);
|
||||
vnc_write_u32(vs, 0); /* Accept auth */
|
||||
vnc_flush(vs);
|
||||
|
||||
|
@ -2488,7 +2488,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
|
|||
/* We only advertise 1 auth scheme at a time, so client
|
||||
* must pick the one we sent. Verify this */
|
||||
if (data[0] != vs->auth) { /* Reject auth */
|
||||
VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
|
||||
trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
|
||||
vnc_write_u32(vs, 1);
|
||||
if (vs->minor >= 8) {
|
||||
static const char err[] = "Authentication failed";
|
||||
|
@ -2497,36 +2497,33 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
|
|||
}
|
||||
vnc_client_error(vs);
|
||||
} else { /* Accept requested auth */
|
||||
VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
|
||||
trace_vnc_auth_start(vs, vs->auth);
|
||||
switch (vs->auth) {
|
||||
case VNC_AUTH_NONE:
|
||||
VNC_DEBUG("Accept auth none\n");
|
||||
if (vs->minor >= 8) {
|
||||
vnc_write_u32(vs, 0); /* Accept auth completion */
|
||||
vnc_flush(vs);
|
||||
}
|
||||
trace_vnc_auth_pass(vs, vs->auth);
|
||||
start_client_init(vs);
|
||||
break;
|
||||
|
||||
case VNC_AUTH_VNC:
|
||||
VNC_DEBUG("Start VNC auth\n");
|
||||
start_auth_vnc(vs);
|
||||
break;
|
||||
|
||||
case VNC_AUTH_VENCRYPT:
|
||||
VNC_DEBUG("Accept VeNCrypt auth\n");
|
||||
start_auth_vencrypt(vs);
|
||||
break;
|
||||
|
||||
#ifdef CONFIG_VNC_SASL
|
||||
case VNC_AUTH_SASL:
|
||||
VNC_DEBUG("Accept SASL auth\n");
|
||||
start_auth_sasl(vs);
|
||||
break;
|
||||
#endif /* CONFIG_VNC_SASL */
|
||||
|
||||
default: /* Should not be possible, but just in case */
|
||||
VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
|
||||
trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
|
||||
vnc_write_u8(vs, 1);
|
||||
if (vs->minor >= 8) {
|
||||
static const char err[] = "Authentication failed";
|
||||
|
@ -2571,10 +2568,11 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
|
|||
vs->minor = 3;
|
||||
|
||||
if (vs->minor == 3) {
|
||||
trace_vnc_auth_start(vs, vs->auth);
|
||||
if (vs->auth == VNC_AUTH_NONE) {
|
||||
VNC_DEBUG("Tell client auth none\n");
|
||||
vnc_write_u32(vs, vs->auth);
|
||||
vnc_flush(vs);
|
||||
trace_vnc_auth_pass(vs, vs->auth);
|
||||
start_client_init(vs);
|
||||
} else if (vs->auth == VNC_AUTH_VNC) {
|
||||
VNC_DEBUG("Tell client VNC auth\n");
|
||||
|
@ -2582,13 +2580,13 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
|
|||
vnc_flush(vs);
|
||||
start_auth_vnc(vs);
|
||||
} else {
|
||||
VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
|
||||
trace_vnc_auth_fail(vs, vs->auth,
|
||||
"Unsupported auth method for v3.3", "");
|
||||
vnc_write_u32(vs, VNC_AUTH_INVALID);
|
||||
vnc_flush(vs);
|
||||
vnc_client_error(vs);
|
||||
}
|
||||
} else {
|
||||
VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
|
||||
vnc_write_u8(vs, 1); /* num auth */
|
||||
vnc_write_u8(vs, vs->auth);
|
||||
vnc_read_when(vs, protocol_client_auth, 1);
|
||||
|
@ -3942,12 +3940,14 @@ void vnc_display_open(const char *id, Error **errp)
|
|||
sasl, false, errp) < 0) {
|
||||
goto fail;
|
||||
}
|
||||
trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
|
||||
|
||||
if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
|
||||
vd->tlscreds, password,
|
||||
sasl, true, errp) < 0) {
|
||||
goto fail;
|
||||
}
|
||||
trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
|
||||
|
||||
#ifdef CONFIG_VNC_SASL
|
||||
if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
|
||||
|
|
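Review bot: In the `default:` arm of the switch in protocol_client_auth, directly below the added `trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "")`, the failure status is still sent with `vnc_write_u8(vs, 1)`, whereas the mismatch-reject path earlier in the same function sends it with `vnc_write_u32(vs, 1)`. The two rejections therefore put a different number of bytes on the wire for what looks like the same result field, so a client reaching this arm would presumably misparse the reason string that follows when minor >= 8. Since the commit already touches this arm, it would be a natural place to change the line to `vnc_write_u32(vs, 1); /* Reject auth */`. The arm's body continues past the end of the hunk, so the rest of that error path is not visible here.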