[Spice-devel] [PATCH] protocol: RFC: add common channel caps for AUTH mechanism selection

Yaniv Kaul ykaul at redhat.com
Sun Feb 13 06:34:01 PST 2011


On 2/13/2011 4:23 PM, Marc-André Lureau wrote:
> Current version 2.0 of the SPICE protocol describes how the client
> replies to the server SpiceLinkReply message with an RSA_public_encrypt()
> of the password.
>
> Instead of using the current Spice AUTH mechanism, we would like to
> offer different AUTH mechanisms, in particular SASL, which is a
> framework allowing different underlying mechanisms such as
> GSSAPI/Kerberos v5 (and optionally adding a data security layer).

How can we re-use the authentication result of the first channel with 
the other channels?
It never made sense to me to perform the authentication per-channel.
Y.

> We could bump the protocol version, but that would make this feature
> mandatory for the implementer of the protocol. By using the channel
> caps, the client and server are left to negotiate and alter the AUTH
> part of the protocol as follows:
>
> - SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION, if set, the
>    authentication mechanism can be chosen. If both client and server
>    have this cap, the client MUST reply to SpiceLinkReply with a
>    SpiceLinkAuthMechanism message, with the value of the CAP_AUTH
>    mechanism chosen (uint32 auth_mechanism). The following authentication
>    steps are described by the selected authentication mechanism.
>
> The different mechanisms selectable via
> SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION are also specified as part
> of the common channel caps. They can be used only if both client and
> server offer them.
>
> Ex: no AUTH selection
> C: SpiceLinkMess
> S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION not in common caps
> - The client can't choose AUTH, and falls back on the Spice RSA mechanism
>
> Ex: AUTH selection
> C: SpiceLinkMess, CAP_PROTOCOL_AUTH_SELECTION in common caps
> S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION in common caps
> - The client MUST reply with SpiceLinkAuthMechanism
> C: SpiceLinkAuthMechanism (with a matching CAP_AUTH)
>
> - SPICE_CHANNEL_CAP_AUTH_SPICE, the following steps and authentication
>    mechanism are the same as with version 2.0: an RSA_public_encrypt()
>    of the password is sent.
>
> - SPICE_CHANNEL_CAP_AUTH_SASL, the authentication exchange follows
>    the SASL protocol as defined in RFC 2222.
>
> Ex: AUTH selection, followed by SASL authentication
>
> AUTH Selection:
> C: SpiceLinkMess, CAP_PROTOCOL_AUTH_SELECTION + CAP_AUTH_SASL in common caps
> S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION + CAP_AUTH_SASL in common caps
> - The client MUST reply with SpiceLinkAuthMechanism
> C: SpiceLinkAuthMechanism CAP_AUTH_SASL
>
> Init:
> S:  u32 mechlist-length
>      u8-array mechlist-string
>
> Start:
> C:  u32 mechname-length
>      u8-array mechname-string
>      u32 clientout-length
>      u8-array clientout-string
> S:  u32 serverin-length
>      u8-array serverin-string
>      u8 continue
>
> Step: (while continue)
> C:  u32 clientout-length
>      u8-array clientout-string
> S:  u32 serverin-length
>      u8-array serverin-string
>      u8 continue
>
> See also VNC SASL protocol description, which uses the same protocol:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=20100719125155.GA14166%40evileye.atkac.brq.redhat.com&forum_name=tigervnc-rfbproto
> ---
>   spice/protocol.h |   10 ++++++++++
>   1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/spice/protocol.h b/spice/protocol.h
> index d6a2041..77458db 100644
> --- a/spice/protocol.h
> +++ b/spice/protocol.h
> @@ -51,6 +51,12 @@ typedef struct SPICE_ATTR_PACKED SpiceLinkHeader {
>       uint32_t size;
>   } SpiceLinkHeader;
>
> +enum {
> +    SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION,
> +    SPICE_CHANNEL_CAP_AUTH_SPICE,
> +    SPICE_CHANNEL_CAP_AUTH_SASL,
> +};
> +
>   typedef struct SPICE_ATTR_PACKED SpiceLinkMess {
>       uint32_t connection_id;
>       uint8_t channel_type;
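Review bot: the new anonymous enum carries no comment on how its values are used. The cover letter describes them as common channel caps, and `SpiceLinkAuthMechanism.auth_mechanism` is said to carry one of the `CAP_AUTH` values, but nothing in `protocol.h` tells a reader whether `SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION` is a bit position in the common caps word or a plain enumerator, nor that the `SPICE_CHANNEL_CAP_*` prefix here refers to the common caps rather than per-channel caps. Suggest a short comment above the enum stating that these are bit indices into the common caps and that `SPICE_CHANNEL_CAP_AUTH_SPICE` and `SPICE_CHANNEL_CAP_AUTH_SASL` are the values a client may send as `auth_mechanism`.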
> @@ -72,6 +78,10 @@ typedef struct SPICE_ATTR_PACKED SpiceLinkEncryptedTicket {
>       uint8_t encrypted_data[SPICE_TICKET_KEY_PAIR_LENGTH / 8];
>   } SpiceLinkEncryptedTicket;
>
> +typedef struct SPICE_ATTR_PACKED SpiceLinkAuthMechanism {
> +    uint32_t auth_mechanism;
> +} SpiceLinkAuthMechanism;
> +
>   typedef struct SPICE_ATTR_PACKED SpiceDataHeader {
>       uint64_t serial;
>       uint16_t type;
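Review bot: `SpiceLinkAuthMechanism` does not document which values `auth_mechanism` may take or what the server must do when the client names a mechanism that is not in the common caps; the cover letter says mechanisms "can be used only if both client and server offer them", but the header records none of that. Suggest a comment on the struct saying that `auth_mechanism` must be one of the `SPICE_CHANNEL_CAP_AUTH_*` values present in the common caps and that the server must close the link on any other value, so that each implementer performs the same check and a mechanism the server never advertised cannot be accepted.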

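As an added illustration, not part of Marc-André's patch or of the SPICE code base: a server-side check that the mechanism named in SpiceLinkAuthMechanism is one both sides advertised, plus a bounds-checked parser for the server Start/Step reply framing (u32 length, u8 array, u8 continue) described above. It assumes little-endian lengths and models the caps as a single uint32_t bitmask.

```c
#include <stdint.h>
#include <string.h>

/* Cap bit positions from the patch; caps modelled as one uint32_t bitmask (assumption). */
enum {
    SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION,
    SPICE_CHANNEL_CAP_AUTH_SPICE,
    SPICE_CHANNEL_CAP_AUTH_SASL,
};

/* Server-side check of SpiceLinkAuthMechanism.auth_mechanism: selection must have
 * been negotiated and the chosen CAP_AUTH must be in the common caps, so a client
 * cannot pick a mechanism the server never offered. Returns 1 if acceptable. */
int auth_mechanism_acceptable(uint32_t client_caps, uint32_t server_caps, uint32_t mech)
{
    uint32_t common = client_caps & server_caps;
    if (!(common & (1u << SPICE_CHANNEL_CAP_PROTOCOL_AUTH_SELECTION)))
        return 0;
    if (mech != SPICE_CHANNEL_CAP_AUTH_SPICE && mech != SPICE_CHANNEL_CAP_AUTH_SASL)
        return 0;
    return (common & (1u << mech)) != 0;
}

/* One server Start/Step reply: u32 serverin-length, u8-array serverin-string,
 * u8 continue. Lengths are taken as little-endian (assumption). */
typedef struct {
    uint32_t len;
    const uint8_t *data;  /* points into the caller's buffer, not copied */
    uint8_t cont;
} SaslServerStep;

/* Returns bytes consumed, or 0 for a truncated or oversized frame; never reads
 * past buflen, so a bogus length from the peer cannot cause an over-read. */
size_t sasl_parse_server_step(const uint8_t *buf, size_t buflen, SaslServerStep *out)
{
    if (buflen < 4)
        return 0;
    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (len > buflen - 4 || buflen - 4 - len < 1)  /* need len bytes + continue byte */
        return 0;
    out->len = len;
    out->data = buf + 4;
    out->cont = buf[4 + len];
    return 4 + (size_t)len + 1;
}
```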