[gtk-vnc] Add support for VeNCrypt "plain" auth mode



commit dda56d4a14dff3816e6a3f89f7abbce313b2a584
Author: Daniel P. Berrangé <dan berrange com>
Date:   Fri Sep 4 15:18:12 2020 +0100

    Add support for VeNCrypt "plain" auth mode
    
    The "plain" auth mode sends the username and password "as is" to the
    server, with no encoding or obfuscation. It is only sensible to use
    when combined with TLS session encryption, or when the channel is
    otherwise immune to eavesdropping and MITM attacks, such as a UNIX
    domain socket.
    
    Signed-off-by: Daniel P. Berrangé <berrange redhat com>

 src/vncconnection.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 62 insertions(+), 24 deletions(-)
---
diff --git a/src/vncconnection.c b/src/vncconnection.c
index 6d34c5a..13900b0 100644
--- a/src/vncconnection.c
+++ b/src/vncconnection.c
@@ -3810,6 +3810,29 @@ error:
     return FALSE;
 }
 
+static gboolean vnc_connection_perform_auth_plain(VncConnection *conn)
+{
+    VncConnectionPrivate *priv = conn->priv;
+
+    VNC_DEBUG("Auth plain, gather username/password");
+    priv->want_cred_password = TRUE;
+    priv->want_cred_username = TRUE;
+    priv->want_cred_x509 = FALSE;
+    if (!vnc_connection_gather_credentials(conn))
+        return FALSE;
+
+    if (!priv->cred_password || !priv->cred_username)
+        return FALSE;
+
+    vnc_connection_write_u32(conn, strlen(priv->cred_username));
+    vnc_connection_write_u32(conn, strlen(priv->cred_password));
+    vnc_connection_write(conn, priv->cred_username, strlen(priv->cred_username));
+    vnc_connection_write(conn, priv->cred_password, strlen(priv->cred_password));
+
+    vnc_connection_flush(conn);
+    return vnc_connection_check_auth_result(conn);
+}
+
 /*
  *   marscha@2006 - Martin Scharpf
  *   Encrypt bytes[length] in memory using key.
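Review bot: vnc_connection_perform_auth_plain has no header comment, and it is the one routine in this file that deliberately puts a password on the wire unprotected, so its precondition belongs next to the code rather than only in the commit message. The body writes `[u32 ulen][u32 plen][username][password]` verbatim and never checks whether TLS was negotiated, so secrecy depends entirely on the caller dispatching to it only after a TLS/X509 sub-auth or over a local transport. A comment in the file's `/* */` style such as `/* VeNCrypt "Plain" sub-auth: sends username and password verbatim as [u32 ulen][u32 plen][user][pass]; provides no secrecy itself, so only use after TLS or on a channel that cannot be eavesdropped (e.g. a UNIX socket). */` would make that contract visible. The `priv->want_cred_x509 = FALSE` reset presumably exists because the X509PLAIN path reaches here after the certificate credential has already been collected; a one-line why-comment would save the next reader guessing.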
@@ -4770,7 +4793,7 @@ static gboolean vnc_connection_perform_auth_tls(VncConnection *conn)
 static gboolean vnc_connection_perform_auth_vencrypt(VncConnection *conn)
 {
     VncConnectionPrivate *priv = conn->priv;
-    int major, minor, status, anonTLS;
+    int major, minor, status, anonTLS, needTLS;
     unsigned int nauth, i;
     unsigned int auth[20];
 
@@ -4817,18 +4840,35 @@ static gboolean vnc_connection_perform_auth_vencrypt(VncConnection *conn)
     if (vnc_connection_has_error(conn))
         return FALSE;
 
-    VNC_DEBUG("Choose auth %u", priv->auth_subtype);
+    VNC_DEBUG("Choose auth subtype %u", priv->auth_subtype);
 
-    if (!vnc_connection_gather_credentials(conn))
+    switch (priv->auth_subtype) {
+    case VNC_CONNECTION_AUTH_VENCRYPT_PLAIN:
+        needTLS = 0;
+        anonTLS = 0;
+        break;
+    case VNC_CONNECTION_AUTH_VENCRYPT_TLSNONE:
+    case VNC_CONNECTION_AUTH_VENCRYPT_TLSPLAIN:
+    case VNC_CONNECTION_AUTH_VENCRYPT_TLSVNC:
+    case VNC_CONNECTION_AUTH_VENCRYPT_TLSSASL:
+        needTLS = 1;
+        anonTLS = 1;
+        break;
+    case VNC_CONNECTION_AUTH_VENCRYPT_X509NONE:
+    case VNC_CONNECTION_AUTH_VENCRYPT_X509PLAIN:
+    case VNC_CONNECTION_AUTH_VENCRYPT_X509VNC:
+    case VNC_CONNECTION_AUTH_VENCRYPT_X509SASL:
+        needTLS = 1;
+        anonTLS = 0;
+        break;
+    default:
+        vnc_connection_set_error(conn,
+                                 "Unknown VeNCrypt auth subtype %d", priv->auth_subtype);
         return FALSE;
+    }
 
-#ifndef DEBUG
-    if (priv->auth_subtype == VNC_CONNECTION_AUTH_VENCRYPT_PLAIN) {
-        vnc_connection_set_error(conn, "%s",
-                                 "Cowardly refusing to transmit plain text password");
+    if (!vnc_connection_gather_credentials(conn))
         return FALSE;
-    }
-#endif
 
     vnc_connection_write_u32(conn, priv->auth_subtype);
     vnc_connection_flush(conn);
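Review bot: Dropping the `#ifndef DEBUG` refusal means a release build will now take the bare `VNC_CONNECTION_AUTH_VENCRYPT_PLAIN` arm (`needTLS = 0`) and send the password in cleartext over whatever socket the connection uses; nothing in this hunk distinguishes a UNIX socket from TCP, so the only remaining safeguard is whichever subtype-selection logic fills `priv->auth_subtype` above the hunk. If that selection follows the server's offered list rather than an explicit client opt-in, a network attacker who strips the TLS subtypes from the offer obtains the credentials; that is worth confirming, and at minimum the arm should carry `/* No transport protection: only permit this subtype on channels that are trusted without TLS (e.g. UNIX sockets) */`. Minor: the new default-arm error uses `%d` for `priv->auth_subtype` while the neighbouring messages (`"Choose auth subtype %u"`) use `%u`; match the variable's type. Credentials are also gathered here and again inside vnc_connection_perform_auth_plain for the PLAIN subtypes, harmless if the gather is idempotent but worth a look. The enclosing vnc_connection_perform_auth_vencrypt continues past this hunk.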
@@ -4839,21 +4879,14 @@ static gboolean vnc_connection_perform_auth_vencrypt(VncConnection *conn)
         return FALSE;
     }
 
-    switch (priv->auth_subtype) {
-    case VNC_CONNECTION_AUTH_VENCRYPT_TLSNONE:
-    case VNC_CONNECTION_AUTH_VENCRYPT_TLSPLAIN:
-    case VNC_CONNECTION_AUTH_VENCRYPT_TLSVNC:
-    case VNC_CONNECTION_AUTH_VENCRYPT_TLSSASL:
-        anonTLS = 1;
-        break;
-    default:
-        anonTLS = 0;
-    }
-
-    if (!vnc_connection_start_tls(conn, anonTLS)) {
-        return FALSE;
+    if (needTLS) {
+        if (!vnc_connection_start_tls(conn, anonTLS)) {
+            return FALSE;
+        }
+        VNC_DEBUG("Completed TLS setup, do subauth %u", priv->auth_subtype);
+    } else {
+        VNC_DEBUG("TLS not required for subauth %u", priv->auth_subtype);
     }
-    VNC_DEBUG("Completed TLS setup, do subauth %u", priv->auth_subtype);
 
     switch (priv->auth_subtype) {
         /* Plain certificate based auth */
@@ -4876,8 +4909,13 @@ static gboolean vnc_connection_perform_auth_vencrypt(VncConnection *conn)
         return vnc_connection_perform_auth_sasl(conn);
 #endif
 
+    case VNC_CONNECTION_AUTH_VENCRYPT_PLAIN:
+    case VNC_CONNECTION_AUTH_VENCRYPT_TLSPLAIN:
+    case VNC_CONNECTION_AUTH_VENCRYPT_X509PLAIN:
+        return vnc_connection_perform_auth_plain(conn);
+
     default:
-        vnc_connection_set_error(conn, "Unknown auth subtype %u", priv->auth_subtype);
+        vnc_connection_set_error(conn, "Unsupported VeNCrypt auth subtype %u", priv->auth_subtype);
         return FALSE;
     }
 }
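Review bot: The `else` branch that skips `vnc_connection_start_tls` only records the fact at `VNC_DEBUG` level, yet the dispatch that follows hands `VNC_CONNECTION_AUTH_VENCRYPT_PLAIN` to vnc_connection_perform_auth_plain on that unencrypted path, so a cleartext credential transmission is logged no louder than a routine trace. A more explicit message such as `VNC_DEBUG("TLS not required for subauth %u; credentials will be sent without transport protection", priv->auth_subtype);` (or the file's warning-level equivalent, if one exists) would at least make the condition visible in logs. The three new PLAIN arms also lack the short `/* ... */` label the sibling arms carry (e.g. `/* Plain certificate based auth */`); `/* Username/password sent as-is; relies on the TLS session above or a trusted local transport */` fits the existing style.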

