ui: split setup of VNC auth scheme into separate method
The vnc_display_open method is quite long and complex, so move the VNC auth scheme decision logic into a separate method for clarity. Also update the comment to better describe what we are trying to achieve. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
		
							parent
							
								
									d169f04b8b
								
							
						
					
					
						commit
						0dd72e1531
					
				
							
								
								
									
										153
									
								
								ui/vnc.c
								
								
								
								
							
							
						
						
									
										153
									
								
								ui/vnc.c
								
								
								
								
							| 
						 | 
				
			
			@ -3314,6 +3314,96 @@ static QemuOptsList qemu_vnc_opts = {
 | 
			
		|||
    },
 | 
			
		||||
};
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
static void
 | 
			
		||||
vnc_display_setup_auth(VncDisplay *vs,
 | 
			
		||||
                       bool password,
 | 
			
		||||
                       bool sasl,
 | 
			
		||||
                       bool tls,
 | 
			
		||||
                       bool x509)
 | 
			
		||||
{
 | 
			
		||||
    /*
 | 
			
		||||
     * We have a choice of 3 authentication options
 | 
			
		||||
     *
 | 
			
		||||
     *   1. none
 | 
			
		||||
     *   2. vnc
 | 
			
		||||
     *   3. sasl
 | 
			
		||||
     *
 | 
			
		||||
     * The channel can be run in 2 modes
 | 
			
		||||
     *
 | 
			
		||||
     *   1. clear
 | 
			
		||||
     *   2. tls
 | 
			
		||||
     *
 | 
			
		||||
     * And TLS can use 2 types of credentials
 | 
			
		||||
     *
 | 
			
		||||
     *   1. anon
 | 
			
		||||
     *   2. x509
 | 
			
		||||
     *
 | 
			
		||||
     * We thus have 9 possible logical combinations
 | 
			
		||||
     *
 | 
			
		||||
     *   1. clear + none
 | 
			
		||||
     *   2. clear + vnc
 | 
			
		||||
     *   3. clear + sasl
 | 
			
		||||
     *   4. tls + anon + none
 | 
			
		||||
     *   5. tls + anon + vnc
 | 
			
		||||
     *   6. tls + anon + sasl
 | 
			
		||||
     *   7. tls + x509 + none
 | 
			
		||||
     *   8. tls + x509 + vnc
 | 
			
		||||
     *   9. tls + x509 + sasl
 | 
			
		||||
     *
 | 
			
		||||
     * These need to be mapped into the VNC auth schemes
 | 
			
		||||
     * in an appropriate manner. In regular VNC, all the
 | 
			
		||||
     * TLS options get mapped into VNC_AUTH_VENCRYPT
 | 
			
		||||
     * sub-auth types.
 | 
			
		||||
     */
 | 
			
		||||
    if (password) {
 | 
			
		||||
        if (tls) {
 | 
			
		||||
            vs->auth = VNC_AUTH_VENCRYPT;
 | 
			
		||||
            if (x509) {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with x509 password auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
 | 
			
		||||
            } else {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with TLS password auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
 | 
			
		||||
            }
 | 
			
		||||
        } else {
 | 
			
		||||
            VNC_DEBUG("Initializing VNC server with password auth\n");
 | 
			
		||||
            vs->auth = VNC_AUTH_VNC;
 | 
			
		||||
            vs->subauth = VNC_AUTH_INVALID;
 | 
			
		||||
        }
 | 
			
		||||
    } else if (sasl) {
 | 
			
		||||
        if (tls) {
 | 
			
		||||
            vs->auth = VNC_AUTH_VENCRYPT;
 | 
			
		||||
            if (x509) {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
 | 
			
		||||
            } else {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
 | 
			
		||||
            }
 | 
			
		||||
        } else {
 | 
			
		||||
            VNC_DEBUG("Initializing VNC server with SASL auth\n");
 | 
			
		||||
            vs->auth = VNC_AUTH_SASL;
 | 
			
		||||
            vs->subauth = VNC_AUTH_INVALID;
 | 
			
		||||
        }
 | 
			
		||||
    } else {
 | 
			
		||||
        if (tls) {
 | 
			
		||||
            vs->auth = VNC_AUTH_VENCRYPT;
 | 
			
		||||
            if (x509) {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with x509 no auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
 | 
			
		||||
            } else {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with TLS no auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
 | 
			
		||||
            }
 | 
			
		||||
        } else {
 | 
			
		||||
            VNC_DEBUG("Initializing VNC server with no auth\n");
 | 
			
		||||
            vs->auth = VNC_AUTH_NONE;
 | 
			
		||||
            vs->subauth = VNC_AUTH_INVALID;
 | 
			
		||||
        }
 | 
			
		||||
    }
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
void vnc_display_open(const char *id, Error **errp)
 | 
			
		||||
{
 | 
			
		||||
    VncDisplay *vs = vnc_display_find(id);
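Review bot: In vnc_display_setup_auth the `if (password) ... else if (sasl)` chain gives `password` silent precedence, so a configuration that requests both ends up on the weaker VNC password scheme and the SASL request is dropped without any diagnostic; unless vnc_display_open rejects that combination before the call (not visible in this hunk), the `else if (sasl)` line deserves at least `/* password takes precedence; sasl is ignored when both are requested */`, or better an error reported to the caller. The new header comment also drops the security qualifiers the old one carried ("clear text, weak auth", "weak anonymous creds", "good auth *IF* using Kerberos via GSSAPI", and the NB about the x509 schemes optionally validating the client cert dname); keeping those next to the nine-combination table would let a reader judge which mapping is acceptable for a given deployment. The function itself has no doc comment; `/* Select vs->auth and vs->subauth from the requested options; x509 is only consulted when tls is set. */` above `static void` would cover it, since `x509` is read only inside the `if (tls)` branches.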
 | 
			
		||||
| 
						 | 
				
			
			@ -3506,68 +3596,7 @@ void vnc_display_open(const char *id, Error **errp)
 | 
			
		|||
    }
 | 
			
		||||
#endif
 | 
			
		||||
 | 
			
		||||
    /*
 | 
			
		||||
     * Combinations we support here:
 | 
			
		||||
     *
 | 
			
		||||
     *  - no-auth                (clear text, no auth)
 | 
			
		||||
     *  - password               (clear text, weak auth)
 | 
			
		||||
     *  - sasl                   (encrypt, good auth *IF* using Kerberos via GSSAPI)
 | 
			
		||||
     *  - tls                    (encrypt, weak anonymous creds, no auth)
 | 
			
		||||
     *  - tls + password         (encrypt, weak anonymous creds, weak auth)
 | 
			
		||||
     *  - tls + sasl             (encrypt, weak anonymous creds, good auth)
 | 
			
		||||
     *  - tls + x509             (encrypt, good x509 creds, no auth)
 | 
			
		||||
     *  - tls + x509 + password  (encrypt, good x509 creds, weak auth)
 | 
			
		||||
     *  - tls + x509 + sasl      (encrypt, good x509 creds, good auth)
 | 
			
		||||
     *
 | 
			
		||||
     * NB1. TLS is a stackable auth scheme.
 | 
			
		||||
     * NB2. the x509 schemes have option to validate a client cert dname
 | 
			
		||||
     */
 | 
			
		||||
    if (password) {
 | 
			
		||||
        if (tls) {
 | 
			
		||||
            vs->auth = VNC_AUTH_VENCRYPT;
 | 
			
		||||
            if (x509) {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with x509 password auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
 | 
			
		||||
            } else {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with TLS password auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
 | 
			
		||||
            }
 | 
			
		||||
        } else {
 | 
			
		||||
            VNC_DEBUG("Initializing VNC server with password auth\n");
 | 
			
		||||
            vs->auth = VNC_AUTH_VNC;
 | 
			
		||||
            vs->subauth = VNC_AUTH_INVALID;
 | 
			
		||||
        }
 | 
			
		||||
    } else if (sasl) {
 | 
			
		||||
        if (tls) {
 | 
			
		||||
            vs->auth = VNC_AUTH_VENCRYPT;
 | 
			
		||||
            if (x509) {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with x509 SASL auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_X509SASL;
 | 
			
		||||
            } else {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with TLS SASL auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_TLSSASL;
 | 
			
		||||
            }
 | 
			
		||||
        } else {
 | 
			
		||||
            VNC_DEBUG("Initializing VNC server with SASL auth\n");
 | 
			
		||||
            vs->auth = VNC_AUTH_SASL;
 | 
			
		||||
            vs->subauth = VNC_AUTH_INVALID;
 | 
			
		||||
        }
 | 
			
		||||
    } else {
 | 
			
		||||
        if (tls) {
 | 
			
		||||
            vs->auth = VNC_AUTH_VENCRYPT;
 | 
			
		||||
            if (x509) {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with x509 no auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_X509NONE;
 | 
			
		||||
            } else {
 | 
			
		||||
                VNC_DEBUG("Initializing VNC server with TLS no auth\n");
 | 
			
		||||
                vs->subauth = VNC_AUTH_VENCRYPT_TLSNONE;
 | 
			
		||||
            }
 | 
			
		||||
        } else {
 | 
			
		||||
            VNC_DEBUG("Initializing VNC server with no auth\n");
 | 
			
		||||
            vs->auth = VNC_AUTH_NONE;
 | 
			
		||||
            vs->subauth = VNC_AUTH_INVALID;
 | 
			
		||||
        }
 | 
			
		||||
    }
 | 
			
		||||
    vnc_display_setup_auth(vs, password, sasl, tls, x509);
 | 
			
		||||
 | 
			
		||||
#ifdef CONFIG_VNC_SASL
 | 
			
		||||
    if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
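Review bot: The new call `vnc_display_setup_auth(vs, password, sasl, tls, x509);` passes four adjacent bool arguments, so a transposed pair (say `sasl` and `tls`) compiles silently and changes the negotiated auth scheme rather than failing. Either a trailing comment naming the order at the call site, or a small flags struct in place of the four bools in the definition added by the first hunk, would make such a slip visible. The enclosing vnc_display_open starts and ends outside this hunk, and the four locals it passes are computed outside it as well.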
 | 
			
		||||
| 
						 | 