ui/vnc: fix skipping SASL SSF on UNIX sockets

The 'is_unix' flag is set on the VNC server during startup, however,
a regression in:

  commit 8bd22f477f
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Fri Feb 3 12:06:46 2017 +0000

    ui: extract code to connect/listen from vnc_display_open

meant we stopped setting the 'is_unix' flag when QEMU listens for
VNC sockets, only setting when QEMU does a reverse VNC connection.

Rather than fixing setting of the 'is_unix' flag, remove it, and
directly check the live client socket address. This is more robust
to a possible situation where the VNC server was listening on a
mixture of INET and UNIX sockets.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2024-09-11 13:13:01 +01:00
parent e9eabcc911
commit c0a9c92bd5
3 changed files with 11 additions and 7 deletions

View File

@ -551,6 +551,13 @@ vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
return 0; return 0;
} }
static bool
vnc_socket_is_unix(QIOChannelSocket *ioc)
{
SocketAddress *addr = qio_channel_socket_get_local_address(ioc, NULL);
return addr && addr->type == SOCKET_ADDRESS_TYPE_UNIX;
}
void start_auth_sasl(VncState *vs) void start_auth_sasl(VncState *vs)
{ {
const char *mechlist = NULL; const char *mechlist = NULL;
@ -627,10 +634,11 @@ void start_auth_sasl(VncState *vs)
memset (&secprops, 0, sizeof secprops); memset (&secprops, 0, sizeof secprops);
/* Inform SASL that we've got an external SSF layer from TLS. /* Inform SASL that we've got an external SSF layer from TLS.
* *
* Disable SSF, if using TLS+x509+SASL only. TLS without x509 * Disable SSF, if using TLS+x509+SASL only, or UNIX sockets.
* is not sufficiently strong * TLS without x509 is not sufficiently strong, nor is plain
* TCP
*/ */
if (vs->vd->is_unix || if (vnc_socket_is_unix(vs->sioc) ||
(vs->auth == VNC_AUTH_VENCRYPT && (vs->auth == VNC_AUTH_VENCRYPT &&
vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) { vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
/* If we've got TLS or UNIX domain sock, we don't care about SSF */ /* If we've got TLS or UNIX domain sock, we don't care about SSF */

View File

@ -3430,7 +3430,6 @@ static void vnc_display_close(VncDisplay *vd)
if (!vd) { if (!vd) {
return; return;
} }
vd->is_unix = false;
if (vd->listener) { if (vd->listener) {
qio_net_listener_disconnect(vd->listener); qio_net_listener_disconnect(vd->listener);
@ -3932,8 +3931,6 @@ static int vnc_display_connect(VncDisplay *vd,
error_setg(errp, "Expected a single address in reverse mode"); error_setg(errp, "Expected a single address in reverse mode");
return -1; return -1;
} }
/* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
vd->is_unix = saddr_list->value->type == SOCKET_ADDRESS_TYPE_UNIX;
sioc = qio_channel_socket_new(); sioc = qio_channel_socket_new();
qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse"); qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) { if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {

View File

@ -168,7 +168,6 @@ struct VncDisplay
const char *id; const char *id;
QTAILQ_ENTRY(VncDisplay) next; QTAILQ_ENTRY(VncDisplay) next;
bool is_unix;
char *password; char *password;
time_t expires; time_t expires;
int auth; int auth;