From 7364dbdabb7824d5bde1e341bb6d928282f01c83 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Thu, 21 Sep 2017 13:15:28 +0100 Subject: ui: add tracing of VNC authentication process Trace anything related to authentication in the VNC protocol handshake Signed-off-by: Daniel P. Berrange Message-id: 20170921121528.23935-3-berrange@redhat.com Signed-off-by: Gerd Hoffmann --- ui/vnc.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'ui/vnc.c') diff --git a/ui/vnc.c b/ui/vnc.c index ed6d659722..af810f0547 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2406,11 +2406,11 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len) Error *err = NULL; if (!vs->vd->password) { - VNC_DEBUG("No password configured on server"); + trace_vnc_auth_fail(vs, vs->auth, "password is not set", ""); goto reject; } if (vs->vd->expires < now) { - VNC_DEBUG("Password is expired"); + trace_vnc_auth_fail(vs, vs->auth, "password is expired", ""); goto reject; } @@ -2427,8 +2427,8 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len) key, G_N_ELEMENTS(key), &err); if (!cipher) { - VNC_DEBUG("Cannot initialize cipher %s", - error_get_pretty(err)); + trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher", + error_get_pretty(err)); error_free(err); goto reject; } 
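Review bot: Nothing at the new `trace_vnc_auth_fail()` call sites in `protocol_client_auth_vnc()` says what may be passed as the reason and detail arguments, and this is the function that handles `key`, `response` and the client's `data`. The calls visible here and in the hunks at 2427 and 2438 pass only a fixed reason string plus either `""` or `error_get_pretty(err)`, so no secret material reaches the trace log as written. I would pin that with a comment above the first check, `/* auth traces carry a fixed reason and optional Error text only; never the password, key, challenge or response */`. The function starts and ends outside these hunks, so there may be further call sites I cannot see.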
@@ -2438,18 +2438,18 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len) response, VNC_AUTH_CHALLENGE_SIZE, &err) < 0) { - VNC_DEBUG("Cannot encrypt challenge %s", - error_get_pretty(err)); + trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response", + error_get_pretty(err)); error_free(err); goto reject; } /* Compare expected vs actual challenge response */ if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) { - VNC_DEBUG("Client challenge response did not match\n"); + trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", ""); goto reject; } else { - VNC_DEBUG("Accepting VNC challenge response\n"); + trace_vnc_auth_pass(vs, vs->auth); vnc_write_u32(vs, 0); /* Accept auth */ vnc_flush(vs); @@ -2488,7 +2488,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) /* We only advertise 1 auth scheme at a time, so client * must pick the one we sent. Verify this */ if (data[0] != vs->auth) { /* Reject auth */ - VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]); + trace_vnc_auth_reject(vs, vs->auth, (int)data[0]); vnc_write_u32(vs, 1); if (vs->minor >= 8) { static const char err[] = "Authentication failed"; 
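Review bot: `trace_vnc_auth_pass(vs, vs->auth);` in the accept branch of the hunk at 2438 fires before `vnc_write_u32(vs, 0)` and `vnc_flush(vs)`, while the hunks at 2497 and 2571 emit the same event after the write and flush. Anyone lining trace events up against the wire traffic therefore sees a different order depending on the auth method. Pick one placement; to match the other two sites, move the call so it reads `vnc_flush(vs);` followed by `trace_vnc_auth_pass(vs, vs->auth);`. The rest of the accept branch lies outside the hunk.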
@@ -2497,36 +2497,33 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len) } vnc_client_error(vs); } else { /* Accept requested auth */ - VNC_DEBUG("Client requested auth %d\n", (int)data[0]); + trace_vnc_auth_start(vs, vs->auth); switch (vs->auth) { case VNC_AUTH_NONE: - VNC_DEBUG("Accept auth none\n"); if (vs->minor >= 8) { vnc_write_u32(vs, 0); /* Accept auth completion */ vnc_flush(vs); } + trace_vnc_auth_pass(vs, vs->auth); start_client_init(vs); break; case VNC_AUTH_VNC: - VNC_DEBUG("Start VNC auth\n"); start_auth_vnc(vs); break; case VNC_AUTH_VENCRYPT: - VNC_DEBUG("Accept VeNCrypt auth\n"); start_auth_vencrypt(vs); break; #ifdef CONFIG_VNC_SASL case VNC_AUTH_SASL: - VNC_DEBUG("Accept SASL auth\n"); start_auth_sasl(vs); break; #endif /* CONFIG_VNC_SASL */ default: /* Should not be possible, but just in case */ - VNC_DEBUG("Reject auth %d server code bug\n", vs->auth); + trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", ""); vnc_write_u8(vs, 1); if (vs->minor >= 8) { static const char err[] = "Authentication failed"; @@ -2571,10 +2568,11 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len) vs->minor = 3; if (vs->minor == 3) { + trace_vnc_auth_start(vs, vs->auth); if (vs->auth == VNC_AUTH_NONE) { - VNC_DEBUG("Tell client auth none\n"); vnc_write_u32(vs, vs->auth); vnc_flush(vs); + trace_vnc_auth_pass(vs, vs->auth); start_client_init(vs); } else if (vs->auth == VNC_AUTH_VNC) { VNC_DEBUG("Tell client VNC auth\n"); 
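Review bot: The reason string in the `default:` case, `"Unhandled auth method"`, is capitalised, as is `"Unsupported auth method for v3.3"` in the hunk at 2582, whereas every reason added in `protocol_client_auth_vnc()` is lower case (`"password is not set"`, `"mis-matched challenge response"`). These strings are what a log filter or detection rule will end up matching on, so a single convention is worth having. I would change the two to `"unhandled auth method"` and `"unsupported auth method for v3.3"`.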
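Review bot: The `VNC_AUTH_VNC` branch of the v3.3 path in the hunk at 2571 still carries `VNC_DEBUG("Tell client VNC auth\n");` as a context line, although the sibling `VNC_DEBUG` in the auth-none branch was removed. The new `trace_vnc_auth_start(vs, vs->auth);` above it already reports the method, so the leftover line can be deleted to finish the conversion in `protocol_version()`. The branch continues into the next hunk.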
@@ -2582,13 +2580,13 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len) vnc_flush(vs); start_auth_vnc(vs); } else { - VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth); + trace_vnc_auth_fail(vs, vs->auth, + "Unsupported auth method for v3.3", ""); vnc_write_u32(vs, VNC_AUTH_INVALID); vnc_flush(vs); vnc_client_error(vs); } } else { - VNC_DEBUG("Telling client we support auth %d\n", vs->auth); vnc_write_u8(vs, 1); /* num auth */ vnc_write_u8(vs, vs->auth); vnc_read_when(vs, protocol_client_auth, 1); @@ -3942,12 +3940,14 @@ void vnc_display_open(const char *id, Error **errp) sasl, false, errp) < 0) { goto fail; } + trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth); if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth, vd->tlscreds, password, sasl, true, errp) < 0) { goto fail; } + trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth); #ifdef CONFIG_VNC_SASL if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) { -- cgit v1.2.1
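Review bot: The second argument of the two `trace_vnc_auth_init()` calls in the hunk at 3942 is a bare `0` and `1`, with nothing saying what it selects. Judging from the `false`/`true` passed to the neighbouring `vnc_display_setup_auth()` calls it is presumably the websocket flag, and a short comment such as `/* 0 = plain VNC listener, 1 = websocket listener */` would make that explicit. These two events are the startup record of which auth and subauth each listener was configured with, so they should be unambiguous to whoever audits the log. `vnc_display_open()` starts and ends outside the hunk.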