ui/vnc: fix skipping SASL SSF on UNIX sockets
The 'is_unix' flag is set on the VNC server during startup, however,
a regression in:
commit 8bd22f477f
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Fri Feb 3 12:06:46 2017 +0000
ui: extract code to connect/listen from vnc_display_open
meant we stopped setting the 'is_unix' flag when QEMU listens for
VNC sockets, only setting it when QEMU makes a reverse VNC connection.
Rather than fixing setting of the 'is_unix' flag, remove it, and
directly check the live client socket address. This is more robust
to a possible situation where the VNC server was listening on a
mixture of INET and UNIX sockets.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
parent
e9eabcc911
commit
c0a9c92bd5
@ -551,6 +551,13 @@ vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool
|
||||||
|
vnc_socket_is_unix(QIOChannelSocket *ioc)
|
||||||
|
{
|
||||||
|
SocketAddress *addr = qio_channel_socket_get_local_address(ioc, NULL);
|
||||||
|
return addr && addr->type == SOCKET_ADDRESS_TYPE_UNIX;
|
||||||
|
}
|
||||||
|
|
||||||
void start_auth_sasl(VncState *vs)
|
void start_auth_sasl(VncState *vs)
|
||||||
{
|
{
|
||||||
const char *mechlist = NULL;
|
const char *mechlist = NULL;
|
||||||
@ -627,10 +634,11 @@ void start_auth_sasl(VncState *vs)
|
|||||||
memset (&secprops, 0, sizeof secprops);
|
memset (&secprops, 0, sizeof secprops);
|
||||||
/* Inform SASL that we've got an external SSF layer from TLS.
|
/* Inform SASL that we've got an external SSF layer from TLS.
|
||||||
*
|
*
|
||||||
* Disable SSF, if using TLS+x509+SASL only. TLS without x509
|
* Disable SSF, if using TLS+x509+SASL only, or UNIX sockets.
|
||||||
* is not sufficiently strong
|
* TLS without x509 is not sufficiently strong, nor is plain
|
||||||
|
* TCP
|
||||||
*/
|
*/
|
||||||
if (vs->vd->is_unix ||
|
if (vnc_socket_is_unix(vs->sioc) ||
|
||||||
(vs->auth == VNC_AUTH_VENCRYPT &&
|
(vs->auth == VNC_AUTH_VENCRYPT &&
|
||||||
vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
|
vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
|
||||||
/* If we've got TLS or UNIX domain sock, we don't care about SSF */
|
/* If we've got TLS or UNIX domain sock, we don't care about SSF */
|
||||||
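Review bot: vnc_socket_is_unix leaks the address it looks up: qio_channel_socket_get_local_address returns a heap-allocated SocketAddress that the caller owns (as I recall the QIOChannelSocket API; please confirm), and the new helper returns `addr && addr->type == SOCKET_ADDRESS_TYPE_UNIX` without releasing it, so every SASL handshake leaks one address. Store the result and free it before returning: `bool is_unix = addr && addr->type == SOCKET_ADDRESS_TYPE_UNIX;` then `qapi_free_SocketAddress(addr);` and `return is_unix;`. Passing NULL as errp is acceptable here because a failed lookup yields a NULL addr, which falls through to the non-UNIX branch and keeps the SSF requirement in force, the fail-safe direction. Since the check is now made against the live socket, an AF_UNIX socket handed over as an fd is also classified as UNIX, which the TODO removed from vnc.c had left open; that looks intended but deserves a sentence in the commit message. start_auth_sasl continues outside the hunk.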
|
3
ui/vnc.c
3
ui/vnc.c
@ -3430,7 +3430,6 @@ static void vnc_display_close(VncDisplay *vd)
|
|||||||
if (!vd) {
|
if (!vd) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
vd->is_unix = false;
|
|
||||||
|
|
||||||
if (vd->listener) {
|
if (vd->listener) {
|
||||||
qio_net_listener_disconnect(vd->listener);
|
qio_net_listener_disconnect(vd->listener);
|
||||||
@ -3932,8 +3931,6 @@ static int vnc_display_connect(VncDisplay *vd,
|
|||||||
error_setg(errp, "Expected a single address in reverse mode");
|
error_setg(errp, "Expected a single address in reverse mode");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
/* TODO SOCKET_ADDRESS_TYPE_FD when fd has AF_UNIX */
|
|
||||||
vd->is_unix = saddr_list->value->type == SOCKET_ADDRESS_TYPE_UNIX;
|
|
||||||
sioc = qio_channel_socket_new();
|
sioc = qio_channel_socket_new();
|
||||||
qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
|
qio_channel_set_name(QIO_CHANNEL(sioc), "vnc-reverse");
|
||||||
if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
|
if (qio_channel_socket_connect_sync(sioc, saddr_list->value, errp) < 0) {
|
||||||
|