From 1b4f956f40315ecc756e34cdeb923424c7095684 Mon Sep 17 00:00:00 2001

From: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>

Date: Fri, 6 Mar 2009 20:27:28 +0000

Subject: [PATCH] Add SASL authentication support ("Daniel P. Berrange")

This patch adds the new SASL authentication protocol to the VNC server.

It is enabled by setting the 'sasl' flag when launching VNC. SASL can

optionally provide encryption via its SSF layer, if a suitable mechanism

is configured (eg, GSSAPI/Kerberos, or Digest-MD5).  If an SSF layer is

not available, then it should be combined with the x509 VNC authentication

protocol which provides encryption.

eg, if using GSSAPI

   qemu -vnc localhost:1,sasl

eg if using  TLS/x509 for encryption

   qemu -vnc localhost:1,sasl,tls,x509

By default the Cyrus SASL library will look for its configuration in

the file /etc/sasl2/qemu.conf.  For non-root users, this can be overridden

by setting the SASL_CONF_PATH environment variable, eg to make it look in

$HOME/.sasl2.  NB unprivileged users may not have access to the full range

of SASL mechanisms, since some of them require some administrative privileges

to configure. The patch includes an example SASL configuration file which

illustrates config for GSSAPI and Digest-MD5, though it should be noted that

the latter is not really considered secure any more.

Most of the SASL authentication code is located in a separate source file,

vnc-auth-sasl.c.  The main vnc.c file only contains minimal integration

glue, specifically parsing of command line flags / setup, and calls to

start the SASL auth process, to do encoding/decoding for data.

There are several possible stacks for reading & writing of data, depending

on the combo of VNC authentication methods in use

 - Clear.    read/write straight to socket

 - TLS.      read/write via GNUTLS helpers

 - SASL.     encode/decode via SASL SSF layer, then read/write to socket

 - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS

Hence, the vnc_client_read & vnc_client_write methods have been refactored

a little.

   vnc_client_read:  main entry point for reading, calls either

       - vnc_client_read_plain   reading, with no intermediate decoding

       - vnc_client_read_sasl    reading, with SASL SSF decoding

   These two methods, then call vnc_client_read_buf(). This decides

   whether to write to the socket directly or write via GNUTLS.

The situation is the same for writing data. More extensive comments

have been added in the code / patch. The vnc_client_read_sasl and

vnc_client_write_sasl method implementations live in the separate

vnc-auth-sasl.c file.

The state required for the SASL auth mechanism is kept in a separate

VncStateSASL struct, defined in vnc-auth-sasl.h and included in the

main VncState.

The configure script probes for SASL and automatically enables it

if found, unless --disable-vnc-sasl was given to override it.

(cherry picked from commit 2f9606b3736c3be4dbd606c46525c7b770ced119)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Signed-off-by: Mark McLoughlin <markmc@redhat.com>

Fedora-patch: 06-vnc-sasl.patch

---

 Makefile            |    7 +-

 Makefile.target     |    5 +

 configure           |   34 +++

 qemu-doc.texi       |   97 ++++++++

 qemu.sasl           |   34 +++

 vnc-auth-sasl.c     |  626 +++++++++++++++++++++++++++++++++++++++++++++++++++

 vnc-auth-sasl.h     |   67 ++++++

 vnc-auth-vencrypt.c |   12 +-

 vnc.c               |  249 ++++++++++++++++++---

 vnc.h               |   31 +++-

 10 files changed, 1129 insertions(+), 33 deletions(-)

 create mode 100644 qemu.sasl

 create mode 100644 vnc-auth-sasl.c

 create mode 100644 vnc-auth-sasl.h

diff --git a/Makefile b/Makefile

index 680939f..13ae73d 100644

--- a/Makefile

+++ b/Makefile

@@ -152,6 +152,9 @@ OBJS+=vnc.o d3des.o

 ifdef CONFIG_VNC_TLS

 OBJS+=vnc-tls.o vnc-auth-vencrypt.o

 endif

+ifdef CONFIG_VNC_SASL

+OBJS+=vnc-auth-sasl.o

+endif

 ifdef CONFIG_COCOA

 OBJS+=cocoa.o

@@ -175,7 +178,7 @@ sdl.o: sdl.c keymaps.h sdl_keysym.h

 sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS)

-vnc.h: vnc-tls.h vnc-auth-vencrypt.h keymaps.h

+vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h

 vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h

@@ -185,6 +188,8 @@ vnc-tls.o: vnc-tls.c vnc.h

 vnc-auth-vencrypt.o: vnc-auth-vencrypt.c vnc.h

+vnc-auth-sasl.o: vnc-auth-sasl.c vnc.h

+

 curses.o: curses.c keymaps.h curses_keys.h

 bt-host.o: CFLAGS += $(CONFIG_BLUEZ_CFLAGS)

diff --git a/Makefile.target b/Makefile.target

index a8b198c..e2e23bf 100644

--- a/Makefile.target

+++ b/Makefile.target

@@ -613,6 +613,11 @@ CPPFLAGS += $(CONFIG_VNC_TLS_CFLAGS)

 LIBS += $(CONFIG_VNC_TLS_LIBS)

 endif

+ifdef CONFIG_VNC_SASL

+CPPFLAGS += $(CONFIG_VNC_SASL_CFLAGS)

+LIBS += $(CONFIG_VNC_SASL_LIBS)

+endif

+

 ifdef CONFIG_BLUEZ

 LIBS += $(CONFIG_BLUEZ_LIBS)

 endif

diff --git a/configure b/configure

index 23ac0ef..e3522f2 100755

--- a/configure

+++ b/configure

@@ -175,6 +175,7 @@ fmod_lib=""

 fmod_inc=""

 oss_lib=""

 vnc_tls="yes"

+vnc_sasl="yes"

 bsd="no"

 linux="no"

 solaris="no"

@@ -417,6 +418,8 @@ for opt do

   ;;

   --disable-vnc-tls) vnc_tls="no"

   ;;

+  --disable-vnc-sasl) vnc_sasl="no"

+  ;;

   --disable-slirp) slirp="no"

   ;;

   --disable-vde) vde="no"

@@ -578,6 +581,7 @@ echo "                           Available cards: $audio_possible_cards"

 echo "  --enable-mixemu          enable mixer emulation"

 echo "  --disable-brlapi         disable BrlAPI"

 echo "  --disable-vnc-tls        disable TLS encryption for VNC server"

+echo "  --disable-vnc-sasl       disable SASL encryption for VNC server"

 echo "  --disable-curses         disable curses output"

 echo "  --disable-bluez          disable bluez stack connectivity"

 echo "  --disable-kvm            disable KVM acceleration support"

@@ -919,6 +923,25 @@ EOF

 fi

 ##########################################

+# VNC SASL detection

+if test "$vnc_sasl" = "yes" ; then

+cat > $TMPC <

+#include <sasl/sasl.h>

+#include <stdio.h>

+int main(void) { sasl_server_init(NULL, "qemu"); return 0; }

+EOF

+    # Assuming Cyrus-SASL installed in /usr prefix

+    vnc_sasl_cflags=""

+    vnc_sasl_libs="-lsasl2"

+    if $cc $ARCH_CFLAGS -o $TMPE ${OS_CFLAGS} $vnc_sasl_cflags $TMPC \

+           $vnc_sasl_libs 2> /dev/null ; then

+	:

+    else

+	vnc_sasl="no"

+    fi

+fi

+

+##########################################

 # vde libraries probe

 if test "$vde" = "yes" ; then

   cat > $TMPC << EOF

@@ -1240,6 +1263,11 @@ if test "$vnc_tls" = "yes" ; then

     echo "    TLS CFLAGS    $vnc_tls_cflags"

     echo "    TLS LIBS      $vnc_tls_libs"

 fi

+echo "VNC SASL support  $vnc_sasl"

+if test "$vnc_sasl" = "yes" ; then

+    echo "    SASL CFLAGS    $vnc_sasl_cflags"

+    echo "    SASL LIBS      $vnc_sasl_libs"

+fi

 if test -n "$sparc_cpu"; then

     echo "Target Sparc Arch $sparc_cpu"

 fi

@@ -1483,6 +1511,12 @@ if test "$vnc_tls" = "yes" ; then

   echo "CONFIG_VNC_TLS_LIBS=$vnc_tls_libs" >> $config_mak

   echo "#define CONFIG_VNC_TLS 1" >> $config_h

 fi

+if test "$vnc_sasl" = "yes" ; then

+  echo "CONFIG_VNC_SASL=yes" >> $config_mak

+  echo "CONFIG_VNC_SASL_CFLAGS=$vnc_sasl_cflags" >> $config_mak

+  echo "CONFIG_VNC_SASL_LIBS=$vnc_sasl_libs" >> $config_mak

+  echo "#define CONFIG_VNC_SASL 1" >> $config_h

+fi

 qemu_version=`head $source_path/VERSION`

 echo "VERSION=$qemu_version" >>$config_mak

 echo "#define QEMU_VERSION \"$qemu_version\"" >> $config_h

diff --git a/qemu-doc.texi b/qemu-doc.texi

index 1cb3318..3ba727e 100644

--- a/qemu-doc.texi

+++ b/qemu-doc.texi

@@ -624,6 +624,21 @@ path following this option specifies where the x509 certificates are to

 be loaded from. See the @ref{vnc_security} section for details on generating

 certificates.

+@item sasl

+

+Require that the client use SASL to authenticate with the VNC server.

+The exact choice of authentication method used is controlled from the

+system / user's SASL configuration file for the 'qemu' service. This

+is typically found in /etc/sasl2/qemu.conf. If running QEMU as an

+unprivileged user, an environment variable SASL_CONF_PATH can be used

+to make it search alternate locations for the service config.

+While some SASL auth methods can also provide data encryption (eg GSSAPI),

+it is recommended that SASL always be combined with the 'tls' and

+'x509' settings to enable use of SSL and server certificates. This

+ensures a data encryption preventing compromise of authentication

+credentials. See the @ref{vnc_security} section for details on using

+SASL authentication.

+

 @end table

 @end table

@@ -2069,7 +2084,10 @@ considerations depending on the deployment scenarios.

 * vnc_sec_certificate::

 * vnc_sec_certificate_verify::

 * vnc_sec_certificate_pw::

+* vnc_sec_sasl::

+* vnc_sec_certificate_sasl::

 * vnc_generate_cert::

+* vnc_setup_sasl::

 @end menu

 @node vnc_sec_none

 @subsection Without passwords

@@ -2152,6 +2170,41 @@ Password: ********

 (qemu)

 @end example

+

+@node vnc_sec_sasl

+@subsection With SASL authentication

+

+The SASL authentication method is a VNC extension, that provides an

+easily extendable, pluggable authentication method. This allows for

+integration with a wide range of authentication mechanisms, such as

+PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more.

+The strength of the authentication depends on the exact mechanism

+configured. If the chosen mechanism also provides a SSF layer, then

+it will encrypt the datastream as well.

+

+Refer to the later docs on how to choose the exact SASL mechanism

+used for authentication, but assuming use of one supporting SSF,

+then QEMU can be launched with:

+

+@example

+qemu [...OPTIONS...] -vnc :1,sasl -monitor stdio

+@end example

+

+@node vnc_sec_certificate_sasl

+@subsection With x509 certificates and SASL authentication

+

+If the desired SASL authentication mechanism does not supported

+SSF layers, then it is strongly advised to run it in combination

+with TLS and x509 certificates. This provides securely encrypted

+data stream, avoiding risk of compromising of the security

+credentials. This can be enabled, by combining the 'sasl' option

+with the aforementioned TLS + x509 options:

+

+@example

+qemu [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio

+@end example

+

+

 @node vnc_generate_cert

 @subsection Generating certificates for VNC

@@ -2263,6 +2316,50 @@ EOF

 The @code{client-key.pem} and @code{client-cert.pem} files should now be securely

 copied to the client for which they were generated.

+

+@node vnc_setup_sasl

+

+@subsection Configuring SASL mechanisms

+

+The following documentation assumes use of the Cyrus SASL implementation on a

+Linux host, but the principals should apply to any other SASL impl. When SASL

+is enabled, the mechanism configuration will be loaded from system default

+SASL service config /etc/sasl2/qemu.conf. If running QEMU as an

+unprivileged user, an environment variable SASL_CONF_PATH can be used

+to make it search alternate locations for the service config.

+

+The default configuration might contain

+

+@example

+mech_list: digest-md5

+sasldb_path: /etc/qemu/passwd.db

+@end example

+

+This says to use the 'Digest MD5' mechanism, which is similar to the HTTP

+Digest-MD5 mechanism. The list of valid usernames & passwords is maintained

+in the /etc/qemu/passwd.db file, and can be updated using the saslpasswd2

+command. While this mechanism is easy to configure and use, it is not

+considered secure by modern standards, so only suitable for developers /

+ad-hoc testing.

+

+A more serious deployment might use Kerberos, which is done with the 'gssapi'

+mechanism

+

+@example

+mech_list: gssapi

+keytab: /etc/qemu/krb5.tab

+@end example

+

+For this to work the administrator of your KDC must generate a Kerberos

+principal for the server, with a name of  'qemu/somehost.example.com@@EXAMPLE.COM'

+replacing 'somehost.example.com' with the fully qualified host name of the

+machine running QEMU, and 'EXAMPLE.COM' with the Keberos Realm.

+

+Other configurations will be left as an exercise for the reader. It should

+be noted that only Digest-MD5 and GSSAPI provides a SSF layer for data

+encryption. For all other mechanisms, VNC should always be configured to

+use TLS and x509 certificates to protect security credentials from snooping.

+

 @node gdb_usage

 @section GDB usage

diff --git a/qemu.sasl b/qemu.sasl

new file mode 100644

index 0000000..cf19cf8

--- /dev/null

+++ b/qemu.sasl

@@ -0,0 +1,34 @@

+# If you want to use the non-TLS socket, then you *must* include

+# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only

+# ones that can offer session encryption as well as authentication.

+#

+# If you're only using TLS, then you can turn on any mechanisms

+# you like for authentication, because TLS provides the encryption

+#

+# Default to a simple username+password mechanism

+# NB digest-md5 is no longer considered secure by current standards

+mech_list: digest-md5

+

+# Before you can use GSSAPI, you need a service principle on the

+# KDC server for libvirt, and that to be exported to the keytab

+# file listed below

+#mech_list: gssapi

+#

+# You can also list many mechanisms at once, then the user can choose

+# by adding  '?auth=sasl.gssapi' to their libvirt URI, eg

+#   qemu+tcp://hostname/system?auth=sasl.gssapi

+#mech_list: digest-md5 gssapi

+

+# Some older builds of MIT kerberos on Linux ignore this option &

+# instead need KRB5_KTNAME env var.

+# For modern Linux, and other OS, this should be sufficient

+keytab: /etc/qemu/krb5.tab

+

+# If using digest-md5 for username/passwds, then this is the file

+# containing the passwds. Use 'saslpasswd2 -a qemu [username]'

+# to add entries, and 'sasldblistusers2 -a qemu' to browse it

+sasldb_path: /etc/qemu/passwd.db

+

+

+auxprop_plugin: sasldb

+

diff --git a/vnc-auth-sasl.c b/vnc-auth-sasl.c

new file mode 100644

index 0000000..2882a35

--- /dev/null

+++ b/vnc-auth-sasl.c

@@ -0,0 +1,626 @@

+/*

+ * QEMU VNC display driver: SASL auth protocol

+ *

+ * Copyright (C) 2009 Red Hat, Inc

+ *

+ * Permission is hereby granted, free of charge, to any person obtaining a copy

+ * of this software and associated documentation files (the "Software"), to deal

+ * in the Software without restriction, including without limitation the rights

+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+ * copies of the Software, and to permit persons to whom the Software is

+ * furnished to do so, subject to the following conditions:

+ *

+ * The above copyright notice and this permission notice shall be included in

+ * all copies or substantial portions of the Software.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+ * THE SOFTWARE.

+ */

+

+#include "vnc.h"

+

+/* Max amount of data we send/recv for SASL steps to prevent DOS */

+#define SASL_DATA_MAX_LEN (1024 * 1024)

+

+

+void vnc_sasl_client_cleanup(VncState *vs)

+{

+    if (vs->sasl.conn) {

+	vs->sasl.runSSF = vs->sasl.waitWriteSSF = vs->sasl.wantSSF = 0;

+	vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;

+	vs->sasl.encoded = NULL;

+	free(vs->sasl.username);

+	free(vs->sasl.mechlist);

+	vs->sasl.username = vs->sasl.mechlist = NULL;

+	sasl_dispose(&vs->sasl.conn);

+	vs->sasl.conn = NULL;

+    }

+}

+

+

+long vnc_client_write_sasl(VncState *vs)

+{

+    long ret;

+

+    VNC_DEBUG("Write SASL: Pending output %p size %d offset %d Encoded: %p size %d offset %d\n",

+	      vs->output.buffer, vs->output.capacity, vs->output.offset,

+	      vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);

+

+    if (!vs->sasl.encoded) {

+	int err;

+	err = sasl_encode(vs->sasl.conn,

+			  (char *)vs->output.buffer,

+			  vs->output.offset,

+			  (const char **)&vs->sasl.encoded,

+			  &vs->sasl.encodedLength);

+	if (err != SASL_OK)

+	    return vnc_client_io_error(vs, -1, EIO);

+

+	vs->sasl.encodedOffset = 0;

+    }

+

+    ret = vnc_client_write_buf(vs,

+			       vs->sasl.encoded + vs->sasl.encodedOffset,

+			       vs->sasl.encodedLength - vs->sasl.encodedOffset);

+    if (!ret)

+	return 0;

+

+    vs->sasl.encodedOffset += ret;

+    if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {

+	vs->output.offset = 0;

+	vs->sasl.encoded = NULL;

+	vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;

+    }

+

+    /* Can't merge this block with one above, because

+     * someone might have written more unencrypted

+     * data in vs->output while we were processing

+     * SASL encoded output

+     */

+    if (vs->output.offset == 0) {

+	qemu_set_fd_handler2(vs->csock, NULL, vnc_client_read, NULL, vs);

+    }

+

+    return ret;

+}

+

+

+long vnc_client_read_sasl(VncState *vs)

+{

+    long ret;

+    uint8_t encoded[4096];

+    const char *decoded;

+    unsigned int decodedLen;

+    int err;

+

+    ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));

+    if (!ret)

+	return 0;

+

+    err = sasl_decode(vs->sasl.conn,

+		      (char *)encoded, ret,

+		      &decoded, &decodedLen);

+

+    if (err != SASL_OK)

+	return vnc_client_io_error(vs, -1, -EIO);

+    VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",

+	      encoded, ret, decoded, decodedLen);

+    buffer_reserve(&vs->input, decodedLen);

+    buffer_append(&vs->input, decoded, decodedLen);

+    return decodedLen;

+}

+

+

+static int vnc_auth_sasl_check_access(VncState *vs)

+{

+    const void *val;

+    int err;

+

+    err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val;;

+    if (err != SASL_OK) {

+	VNC_DEBUG("cannot query SASL username on connection %d (%s)\n",

+		  err, sasl_errstring(err, NULL, NULL));

+	return -1;

+    }

+    if (val == NULL) {

+	VNC_DEBUG("no client username was found\n");

+	return -1;

+    }

+    VNC_DEBUG("SASL client username %s\n", (const char *)val);

+

+    vs->sasl.username = qemu_strdup((const char*)val);

+

+    return 0;

+}

+

+static int vnc_auth_sasl_check_ssf(VncState *vs)

+{

+    const void *val;

+    int err, ssf;

+

+    if (!vs->sasl.wantSSF)

+	return 1;

+

+    err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val;;

+    if (err != SASL_OK)

+	return 0;

+

+    ssf = *(const int *)val;

+    VNC_DEBUG("negotiated an SSF of %d\n", ssf);

+    if (ssf < 56)

+	return 0; /* 56 is good for Kerberos */

+

+    /* Only setup for read initially, because we're about to send an RPC

+     * reply which must be in plain text. When the next incoming RPC

+     * arrives, we'll switch on writes too

+     *

+     * cf qemudClientReadSASL  in qemud.c

+     */

+    vs->sasl.runSSF = 1;

+

+    /* We have a SSF that's good enough */

+    return 1;

+}

+

+/*

+ * Step Msg

+ *

+ * Input from client:

+ *

+ * u32 clientin-length

+ * u8-array clientin-string

+ *

+ * Output to client:

+ *

+ * u32 serverout-length

+ * u8-array serverout-strin

+ * u8 continue

+ */

+

+static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);

+

+static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)

+{

+    uint32_t datalen = len;

+    const char *serverout;

+    unsigned int serveroutlen;

+    int err;

+    char *clientdata = NULL;

+

+    /* NB, distinction of NULL vs "" is *critical* in SASL */

+    if (datalen) {

+	clientdata = (char*)data;

+	clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */

+	datalen--; /* Don't count NULL byte when passing to _start() */

+    }

+

+    VNC_DEBUG("Step using SASL Data %p (%d bytes)\n",

+	      clientdata, datalen);

+    err = sasl_server_step(vs->sasl.conn,

+			   clientdata,

+			   datalen,

+			   &serverout,

+			   &serveroutlen);

+    if (err != SASL_OK &&

+	err != SASL_CONTINUE) {

+	VNC_DEBUG("sasl step failed %d (%s)\n",

+		  err, sasl_errdetail(vs->sasl.conn));

+	sasl_dispose(&vs->sasl.conn);

+	vs->sasl.conn = NULL;

+	goto authabort;

+    }

+

+    if (serveroutlen > SASL_DATA_MAX_LEN) {

+	VNC_DEBUG("sasl step reply data too long %d\n",

+		  serveroutlen);

+	sasl_dispose(&vs->sasl.conn);

+	vs->sasl.conn = NULL;

+	goto authabort;

+    }

+

+    VNC_DEBUG("SASL return data %d bytes, nil; %d\n",

+	      serveroutlen, serverout ? 0 : 1);

+

+    if (serveroutlen) {

+	vnc_write_u32(vs, serveroutlen + 1);

+	vnc_write(vs, serverout, serveroutlen + 1);

+    } else {

+	vnc_write_u32(vs, 0);

+    }

+

+    /* Whether auth is complete */

+    vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);

+

+    if (err == SASL_CONTINUE) {

+	VNC_DEBUG("%s", "Authentication must continue\n");

+	/* Wait for step length */

+	vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);

+    } else {

+	if (!vnc_auth_sasl_check_ssf(vs)) {

+	    VNC_DEBUG("Authentication rejected for weak SSF %d\n", vs->csock);

+	    goto authreject;

+	}

+

+	/* Check username whitelist ACL */

+	if (vnc_auth_sasl_check_access(vs) < 0) {

+	    VNC_DEBUG("Authentication rejected for ACL %d\n", vs->csock);

+	    goto authreject;

+	}

+

+	VNC_DEBUG("Authentication successful %d\n", vs->csock);

+	vnc_write_u32(vs, 0); /* Accept auth */

+	/*

+	 * Delay writing in SSF encoded mode until pending output

+	 * buffer is written

+	 */

+	if (vs->sasl.runSSF)

+	    vs->sasl.waitWriteSSF = vs->output.offset;

+	start_client_init(vs);

+    }

+

+    return 0;

+

+ authreject:

+    vnc_write_u32(vs, 1); /* Reject auth */

+    vnc_write_u32(vs, sizeof("Authentication failed"));

+    vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));

+    vnc_flush(vs);

+    vnc_client_error(vs);

+    return -1;

+

+ authabort:

+    vnc_client_error(vs);

+    return -1;

+}

+

+static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)

+{

+    uint32_t steplen = read_u32(data, 0);

+    VNC_DEBUG("Got client step len %d\n", steplen);

+    if (steplen > SASL_DATA_MAX_LEN) {

+	VNC_DEBUG("Too much SASL data %d\n", steplen);

+	vnc_client_error(vs);

+	return -1;

+    }

+

+    if (steplen == 0)

+	return protocol_client_auth_sasl_step(vs, NULL, 0);

+    else

+	vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);

+    return 0;

+}

+

+/*

+ * Start Msg

+ *

+ * Input from client:

+ *

+ * u32 clientin-length

+ * u8-array clientin-string

+ *

+ * Output to client:

+ *

+ * u32 serverout-length

+ * u8-array serverout-strin

+ * u8 continue

+ */

+

+#define SASL_DATA_MAX_LEN (1024 * 1024)

+

+static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)

+{

+    uint32_t datalen = len;

+    const char *serverout;

+    unsigned int serveroutlen;

+    int err;

+    char *clientdata = NULL;

+

+    /* NB, distinction of NULL vs "" is *critical* in SASL */

+    if (datalen) {

+	clientdata = (char*)data;

+	clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */

+	datalen--; /* Don't count NULL byte when passing to _start() */

+    }

+

+    VNC_DEBUG("Start SASL auth with mechanism %s. Data %p (%d bytes)\n",

+	      vs->sasl.mechlist, clientdata, datalen);

+    err = sasl_server_start(vs->sasl.conn,

+			    vs->sasl.mechlist,

+			    clientdata,

+			    datalen,

+			    &serverout,

+			    &serveroutlen);

+    if (err != SASL_OK &&

+	err != SASL_CONTINUE) {

+	VNC_DEBUG("sasl start failed %d (%s)\n",

+		  err, sasl_errdetail(vs->sasl.conn));

+	sasl_dispose(&vs->sasl.conn);

+	vs->sasl.conn = NULL;

+	goto authabort;

+    }

+    if (serveroutlen > SASL_DATA_MAX_LEN) {

+	VNC_DEBUG("sasl start reply data too long %d\n",

+		  serveroutlen);

+	sasl_dispose(&vs->sasl.conn);

+	vs->sasl.conn = NULL;

+	goto authabort;

+    }

+

+    VNC_DEBUG("SASL return data %d bytes, nil; %d\n",

+	      serveroutlen, serverout ? 0 : 1);

+

+    if (serveroutlen) {

+	vnc_write_u32(vs, serveroutlen + 1);

+	vnc_write(vs, serverout, serveroutlen + 1);

+    } else {

+	vnc_write_u32(vs, 0);

+    }

+

+    /* Whether auth is complete */

+    vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);

+

+    if (err == SASL_CONTINUE) {

+	VNC_DEBUG("%s", "Authentication must continue\n");

+	/* Wait for step length */

+	vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);

+    } else {

+	if (!vnc_auth_sasl_check_ssf(vs)) {

+	    VNC_DEBUG("Authentication rejected for weak SSF %d\n", vs->csock);

+	    goto authreject;

+	}

+

+	/* Check username whitelist ACL */

+	if (vnc_auth_sasl_check_access(vs) < 0) {

+	    VNC_DEBUG("Authentication rejected for ACL %d\n", vs->csock);

+	    goto authreject;

+	}

+

+	VNC_DEBUG("Authentication successful %d\n", vs->csock);

+	vnc_write_u32(vs, 0); /* Accept auth */

+	start_client_init(vs);

+    }

+

+    return 0;

+

+ authreject:

+    vnc_write_u32(vs, 1); /* Reject auth */

+    vnc_write_u32(vs, sizeof("Authentication failed"));

+    vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));

+    vnc_flush(vs);

+    vnc_client_error(vs);

+    return -1;

+

+ authabort:

+    vnc_client_error(vs);

+    return -1;

+}

+

+static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)

+{

+    uint32_t startlen = read_u32(data, 0);

+    VNC_DEBUG("Got client start len %d\n", startlen);

+    if (startlen > SASL_DATA_MAX_LEN) {

+	VNC_DEBUG("Too much SASL data %d\n", startlen);

+	vnc_client_error(vs);

+	return -1;

+    }

+

+    if (startlen == 0)

+	return protocol_client_auth_sasl_start(vs, NULL, 0);

+

+    vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);

+    return 0;

+}

+

+static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)

+{

+    char *mechname = malloc(len + 1);

+    if (!mechname) {

+	VNC_DEBUG("Out of memory reading mechname\n");

+	vnc_client_error(vs);

+    }

+    strncpy(mechname, (char*)data, len);

+    mechname[len] = '\0';

+    VNC_DEBUG("Got client mechname '%s' check against '%s'\n",

+	      mechname, vs->sasl.mechlist);

+

+    if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {

+	if (vs->sasl.mechlist[len] != '\0' &&

+	    vs->sasl.mechlist[len] != ',') {

+	    VNC_DEBUG("One %d", vs->sasl.mechlist[len]);

+	    vnc_client_error(vs);

+	    return -1;

+	}

+    } else {

+	char *offset = strstr(vs->sasl.mechlist, mechname);

+	VNC_DEBUG("Two %p\n", offset);

+	if (!offset) {

+	    vnc_client_error(vs);

+	    return -1;

+	}

+	VNC_DEBUG("Two '%s'\n", offset);

+	if (offset[-1] != ',' ||

+	    (offset[len] != '\0'&&

+	     offset[len] != ',')) {

+	    vnc_client_error(vs);

+	    return -1;

+	}

+    }

+

+    free(vs->sasl.mechlist);

+    vs->sasl.mechlist = mechname;