[Spice-devel] [PATCH] protocol: add common channel caps for AUTH mechanism selection

Hans de Goede hdegoede at redhat.com
Tue Feb 22 08:12:53 PST 2011


Ack.

On 02/22/2011 04:37 PM, Marc-André Lureau wrote:
> From: Marc-André Lureau<marcandre.lureau at redhat.com>
>
> Current version 2.0 of the SPICE protocol describes how the client
> replies to the server SpiceLinkReply message with an RSA_public_encrypt()
> of the password.
>
> Instead of using the current Spice AUTH mechanism, we would like to
> offer different AUTH mechanisms, in particular SASL, which is a
> framework allowing different underlying mechanisms such as
> GSSAPI/Kerberos v5 (and optionally adding a data security layer).
>
> We could bump the protocol version, but that would make this feature
> mandatory for the implementer of the protocol. By using the channel
> caps, the client and server are left to negotiate and alter the AUTH
> part of the protocol as follows:
>
> - SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION, if set, the authentication
>    mechanism can be chosen during link phase. If both client and server
>    have this cap, the client MUST reply to SpiceLinkReply with a
>    SpiceLinkAuthMechanism message, with the value of the CAP_AUTH
>    mechanism chosen (a uint32 auth_mechanism). The following
>    authentication steps are described by the selected authentication
>    mechanism.
>
> The different mechanisms selectable via
> SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION are also specified as part of
> the common channel caps. They can be used only if both client and
> server offer them.
>
> Ex: no AUTH selection
> C: SpiceLinkMess
> S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION not in common caps
> - The client can't choose AUTH, and falls back on the Spice RSA mechanism
>
> Ex: AUTH selection
> C: SpiceLinkMess, CAP_PROTOCOL_AUTH_SELECTION in common caps
> S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION in common caps
> - The client MUST reply with SpiceLinkAuthMechanism
> C: SpiceLinkAuthMechanism (with a matching CAP_AUTH)
>
> - SPICE_COMMON_CAP_AUTH_SPICE, the following steps and authentication
>    mechanism are the same as with version 2.0: an RSA_public_encrypt()
>    of the password is sent.
>
>    This mechanism MUST be implemented in both client and server to
>    comply with the SPICE protocol.
>
> - SPICE_COMMON_CAP_AUTH_SASL, the authentication exchange follows
>    the SASL protocol as defined in RFC 2222.
>
>    This mechanism is OPTIONAL in both clients and servers.
>
> Ex: AUTH selection, followed by SASL authentication
>
> AUTH Selection:
> C: SpiceLinkMess, CAP_PROTOCOL_AUTH_SELECTION + CAP_AUTH_SASL in common caps
> S: SpiceLinkReply, CAP_PROTOCOL_AUTH_SELECTION + CAP_AUTH_SASL in common caps
> - The client MUST reply with SpiceLinkAuthMechanism
> C: SpiceLinkAuthMechanism CAP_AUTH_SASL
>
> Init:
> S:  u32 mechlist-length
>      u8-array mechlist-string
>
> Start:
> C:  u32 mechname-length
>      u8-array mechname-string
>      u32 clientout-length
>      u8-array clientout-string
> S:  u32 serverin-length
>      u8-array serverin-string
>      u8 continue
>
> Step: (while continue)
> C:  u32 clientout-length
>      u8-array clientout-string
> S:  u32 serverin-length
>      u8-array serverin-string
>      u8 continue
>
> See also VNC SASL protocol description, which uses the same protocol:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=20100719125155.GA14166%40evileye.atkac.brq.redhat.com&forum_name=tigervnc-rfbproto
>
> Updated since v1 of this commit:
>   - renamed s/SPICE_CHANNEL_CAP/SPICE_COMMON_CAP
>   - added some note about mandatory vs optional mechanisms.
> ---
>   spice/protocol.h |   10 ++++++++++
>   1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/spice/protocol.h b/spice/protocol.h
> index d6a2041..26d964b 100644
> --- a/spice/protocol.h
> +++ b/spice/protocol.h
> @@ -51,6 +51,12 @@ typedef struct SPICE_ATTR_PACKED SpiceLinkHeader {
>       uint32_t size;
>   } SpiceLinkHeader;
>
> +enum {
> +    SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION,
> +    SPICE_COMMON_CAP_AUTH_SPICE,
> +    SPICE_COMMON_CAP_AUTH_SASL,
> +};
> +
>   typedef struct SPICE_ATTR_PACKED SpiceLinkMess {
>       uint32_t connection_id;
>       uint8_t channel_type;
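Review bot: the new enum in the SpiceLinkHeader hunk leaves the three SPICE_COMMON_CAP_* values implicit (0, 1, 2) and undocumented, yet they are wire-visible cap indices both peers must agree on; give each an explicit value and a one-line comment saying they index the common channel caps, e.g. `SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION = 0,`, so a cap inserted later cannot silently renumber them. The trailing comma after the last enumerator is also worth dropping in a public header that may be compiled as C89.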
> @@ -72,6 +78,10 @@ typedef struct SPICE_ATTR_PACKED SpiceLinkEncryptedTicket {
>       uint8_t encrypted_data[SPICE_TICKET_KEY_PAIR_LENGTH / 8];
>   } SpiceLinkEncryptedTicket;
>
> +typedef struct SPICE_ATTR_PACKED SpiceLinkAuthMechanism {
> +    uint32_t auth_mechanism;
> +} SpiceLinkAuthMechanism;
> +
>   typedef struct SPICE_ATTR_PACKED SpiceDataHeader {
>       uint64_t serial;
>       uint16_t type;
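Review bot: SpiceLinkAuthMechanism carries a bare `uint32_t auth_mechanism` with no comment tying it to the SPICE_COMMON_CAP_AUTH_* values or to the rule in the commit message that a mechanism may be used only when both client and server offer it; add a comment on the field stating that it holds one of those cap indices and that the receiver must reject a value that is not in the common caps rather than falling back silently.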


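As an added illustration, not code from the patch or from the SPICE project, here is a Python sketch of the negotiation the commit message describes: the common caps, the client's SpiceLinkAuthMechanism choice, the server-side check that the chosen mechanism was actually offered, and the u32-length framing of the SASL Init/Start/Step exchange. The bit layout of the caps word and the little-endian wire encoding are assumptions.

```python
import struct

# Cap indices follow the enum order in the patch: bit i of a caps word means
# cap i is offered. Little-endian wire encoding is an assumption here.
SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION = 0
SPICE_COMMON_CAP_AUTH_SPICE = 1
SPICE_COMMON_CAP_AUTH_SASL = 2
KNOWN_AUTH_CAPS = (SPICE_COMMON_CAP_AUTH_SPICE, SPICE_COMMON_CAP_AUTH_SASL)

def has_cap(caps, cap):
    return bool(caps & (1 << cap))

def common_caps(client_caps, server_caps):
    """Caps usable on this link: only those offered by both sides."""
    return client_caps & server_caps

def client_choose_auth(common):
    """Cap for SpiceLinkAuthMechanism, or None: no AUTH selection, RSA fallback."""
    if not has_cap(common, SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION):
        return None
    if has_cap(common, SPICE_COMMON_CAP_AUTH_SASL):  # optional, prefer it
        return SPICE_COMMON_CAP_AUTH_SASL
    return SPICE_COMMON_CAP_AUTH_SPICE               # mandatory on both sides

def encode_auth_mechanism(cap):
    """SpiceLinkAuthMechanism { uint32_t auth_mechanism }."""
    return struct.pack("<I", cap)

def server_accept_auth_mechanism(msg, common):
    """Reject any choice the server did not itself offer in the common caps."""
    if len(msg) != 4:
        raise ValueError("bad SpiceLinkAuthMechanism size")
    (cap,) = struct.unpack("<I", msg)
    if cap not in KNOWN_AUTH_CAPS or not has_cap(common, cap):
        raise ValueError("auth mechanism %d not in common caps" % cap)
    return cap

def sasl_pack(*fields):
    """u32 length + u8-array for each field (client side of Start/Step)."""
    return b"".join(struct.pack("<I", len(f)) + f for f in fields)

def sasl_unpack_server_step(buf):
    """Parse 'u32 serverin-length, u8-array serverin-string, u8 continue'."""
    if len(buf) < 5:
        raise ValueError("truncated server step")
    (n,) = struct.unpack_from("<I", buf, 0)
    if len(buf) != 4 + n + 1:  # length field must match what we actually hold
        raise ValueError("serverin-length does not match message size")
    return buf[4:4 + n], buf[4 + n]
```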