[Spice-devel] [PATCH] protocol: RFC: add common channel caps for AUTH mechanism selection

Marc-André Lureau marcandre.lureau at gmail.com
Sun Feb 13 06:23:53 PST 2011 

Current version 2.0 of the SPICE protocol describes how the client
reply to the server SpiceLinkReply message with a RSA_public_encrypt()
of the password.

Instead of using the current Spice AUTH mechanism, we would like to
offer different AUTH mechanisms, in particular SASL, which is a
framework allowing different underlying mechanisms such as
GSSAPI/Kerberos v5 (and optionally adding a data security layer).

We could bump the protocol version, but that would make this feature
mandatory for the implementer of the protocol. By using the channel
caps, the client and server are left to negotiate and alter the AUTH
part of the protocol as follows:

- SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION, if set, the
  authentication mechanism can be chosen. If both client and server
  have this caps, the client MUST reply to SpiceLinkReply with a
  SpiceLinkAuthMechanism message, with the value of the CAP_AUTH
  mechanism choosen (uint32 auth_mechanism). The following authentication
  steps are described by the selected authentication mechanism.

The differents mechanisms selectable via
SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION are also specified as part
of the common channel caps. They can be used only if both client and
server offer them.

Ex: no AUTH selection
C: SpiceLinkMess
S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION not in common caps
- The client can't choose AUTH, and fallback on Spice RSA mechanism

Ex: AUTH selection
C: SpiceLinkMess, CAP_PROTOCOL_AUTH_SELECTION in common caps
S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION in common caps
- The client MUST reply with SpiceLinkAuthMechanism
C: SpiceLinkAuthMechanism (with a matching CAP_AUTH)

- SPICE_CHANNEL_CAP_AUTH_SPICE, the following steps and authentication
  mechanism are the same as with version 2.0: a RSA_public_encrypt()
  of the password is sent.

- SPICE_CHANNEL_CAP_AUTH_SASL, the authentication exchange follows
  SASL protocol has defined in RFC 2222.

Ex: AUTH selection, followed by SASL authentication

AUTH Selection:
C: SpiceLinkMess, CAP_PROTOCOL_AUTH_SELECTION + CAP_AUTH_SASL in common caps
S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION + CAP_AUTH_SASL in common caps
- The client MUST reply with SpiceLinkAuthMechanism
C: SpiceLinkAuthMechanism CAP_AUTH_SASL

Init:
S:  u32 mechlist-length
    u8-array mechlist-string

Start:
C:  u32 mechname-length
    u8-array mechname-string
    u32 clientout-length
    u8-array clientout-string
S:  u32 serverin-length
    u8-array serverin-string
    u8 continue

Step: (while continue)
C:  u32 clientout-length
    u8-array clientout-string
S:  u32 serverin-length
    u8-array serverin-string
    u8 continue

See also VNC SASL protocol description, which uses the same protocol:

http://sourceforge.net/mailarchive/forum.php?thread_name=20100719125155.GA14166%40evileye.atkac.brq.redhat.com&forum_name=tigervnc-rfbproto
---
 spice/protocol.h |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/spice/protocol.h b/spice/protocol.h
index d6a2041..77458db 100644
--- a/spice/protocol.h
+++ b/spice/protocol.h
@@ -51,6 +51,12 @@ typedef struct SPICE_ATTR_PACKED SpiceLinkHeader {
     uint32_t size;
 } SpiceLinkHeader;
 
+enum {
+    SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION,
+    SPICE_CHANNEL_CAP_AUTH_SPICE,
+    SPICE_CHANNEL_CAP_AUTH_SASL,
+};
+
 typedef struct SPICE_ATTR_PACKED SpiceLinkMess {
     uint32_t connection_id;
     uint8_t channel_type;
@@ -72,6 +78,10 @@ typedef struct SPICE_ATTR_PACKED SpiceLinkEncryptedTicket {
     uint8_t encrypted_data[SPICE_TICKET_KEY_PAIR_LENGTH / 8];
 } SpiceLinkEncryptedTicket;
 
+typedef struct SPICE_ATTR_PACKED SpiceLinkAuthMechanism {
+    uint32_t auth_mechanism;
+} SpiceLinkAuthMechanism;
+
 typedef struct SPICE_ATTR_PACKED SpiceDataHeader {
     uint64_t serial;
     uint16_t type;
-- 
1.7.4

More information about the Spice-devel mailing list