ui/vnc-auth-sasl.c

   1 /*
   2  * QEMU VNC display driver: SASL auth protocol
   3  *
   4  * Copyright (C) 2009 Red Hat, Inc
   5  *
   6  * Permission is hereby granted, free of charge, to any person obtaining a copy
   7  * of this software and associated documentation files (the "Software"), to deal
   8  * in the Software without restriction, including without limitation the rights
   9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10  * copies of the Software, and to permit persons to whom the Software is
  11  * furnished to do so, subject to the following conditions:
  12  *
  13  * The above copyright notice and this permission notice shall be included in
  14  * all copies or substantial portions of the Software.
  15  *
  16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22  * THE SOFTWARE.
  23  */
  24
  25 #include "qemu/osdep.h"
  26 #include "qapi/error.h"
  27 #include "vnc.h"
  28 #include "trace.h"
  29
  30 /* Max amount of data we send/recv for SASL steps to prevent DOS */
  31 #define SASL_DATA_MAX_LEN (1024 * 1024)
  32
  33
  34 void vnc_sasl_client_cleanup(VncState *vs)
  35 {
  36     if (vs->sasl.conn) {
  37         vs->sasl.runSSF = false;
  38         vs->sasl.wantSSF = false;
  39         vs->sasl.waitWriteSSF = 0;
  40         vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;
  41         vs->sasl.encoded = NULL;
  42         g_free(vs->sasl.username);
  43         g_free(vs->sasl.mechlist);
  44         vs->sasl.username = vs->sasl.mechlist = NULL;
  45         sasl_dispose(&vs->sasl.conn);
  46         vs->sasl.conn = NULL;
  47     }
  48 }
  49
  50
  51 size_t vnc_client_write_sasl(VncState *vs)
  52 {
  53     size_t ret;
  54
  55     VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
  56               "Encoded: %p size %d offset %d\n",
  57               vs->output.buffer, vs->output.capacity, vs->output.offset,
  58               vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);
  59
  60     if (!vs->sasl.encoded) {
  61         int err;
  62         err = sasl_encode(vs->sasl.conn,
  63                           (char *)vs->output.buffer,
  64                           vs->output.offset,
  65                           (const char **)&vs->sasl.encoded,
  66                           &vs->sasl.encodedLength);
  67         if (err != SASL_OK)
  68             return vnc_client_io_error(vs, -1, NULL);
  69
  70         vs->sasl.encodedRawLength = vs->output.offset;
  71         vs->sasl.encodedOffset = 0;
  72     }
  73
  74     ret = vnc_client_write_buf(vs,
  75                                vs->sasl.encoded + vs->sasl.encodedOffset,
  76                                vs->sasl.encodedLength - vs->sasl.encodedOffset);
  77     if (!ret)
  78         return 0;
  79
  80     vs->sasl.encodedOffset += ret;
  81     if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {
  82         bool throttled = vs->force_update_offset != 0;
  83         size_t offset;
  84         if (vs->sasl.encodedRawLength >= vs->force_update_offset) {
  85             vs->force_update_offset = 0;
  86         } else {
  87             vs->force_update_offset -= vs->sasl.encodedRawLength;
  88         }
  89         if (throttled && vs->force_update_offset == 0) {
  90             trace_vnc_client_unthrottle_forced(vs, vs->ioc);
  91         }
  92         offset = vs->output.offset;
  93         buffer_advance(&vs->output, vs->sasl.encodedRawLength);
  94         if (offset >= vs->throttle_output_offset &&
  95             vs->output.offset < vs->throttle_output_offset) {
  96             trace_vnc_client_unthrottle_incremental(vs, vs->ioc,
  97                                                     vs->output.offset);
  98         }
  99         vs->sasl.encoded = NULL;
 100         vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;
 101     }
 102
 103     /* Can't merge this block with one above, because
 104      * someone might have written more unencrypted
 105      * data in vs->output while we were processing
 106      * SASL encoded output
 107      */
 108     if (vs->output.offset == 0) {
 109         if (vs->ioc_tag) {
 110             g_source_remove(vs->ioc_tag);
 111         }
 112         vs->ioc_tag = qio_channel_add_watch(
 113             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
 114     }
 115
 116     return ret;
 117 }
 118
 119
 120 size_t vnc_client_read_sasl(VncState *vs)
 121 {
 122     size_t ret;
 123     uint8_t encoded[4096];
 124     const char *decoded;
 125     unsigned int decodedLen;
 126     int err;
 127
 128     ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));
 129     if (!ret)
 130         return 0;
 131
 132     err = sasl_decode(vs->sasl.conn,
 133                       (char *)encoded, ret,
 134                       &decoded, &decodedLen);
 135
 136     if (err != SASL_OK)
 137         return vnc_client_io_error(vs, -1, NULL);
 138     VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
 139               encoded, ret, decoded, decodedLen);
 140     buffer_reserve(&vs->input, decodedLen);
 141     buffer_append(&vs->input, decoded, decodedLen);
 142     return decodedLen;
 143 }
 144
 145
 146 static int vnc_auth_sasl_check_access(VncState *vs)
 147 {
 148     const void *val;
 149     int err;
 150     int allow;
 151
 152     err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
 153     if (err != SASL_OK) {
 154         trace_vnc_auth_fail(vs, vs->auth, "Cannot fetch SASL username",
 155                             sasl_errstring(err, NULL, NULL));
 156         return -1;
 157     }
 158     if (val == NULL) {
 159         trace_vnc_auth_fail(vs, vs->auth, "No SASL username set", "");
 160         return -1;
 161     }
 162
 163     vs->sasl.username = g_strdup((const char*)val);
 164     trace_vnc_auth_sasl_username(vs, vs->sasl.username);
 165
 166     if (vs->vd->sasl.acl == NULL) {
 167         trace_vnc_auth_sasl_acl(vs, 1);
 168         return 0;
 169     }
 170
 171     allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
 172
 173     trace_vnc_auth_sasl_acl(vs, allow);
 174     return allow ? 0 : -1;
 175 }
 176
 177 static int vnc_auth_sasl_check_ssf(VncState *vs)
 178 {
 179     const void *val;
 180     int err, ssf;
 181
 182     if (!vs->sasl.wantSSF)
 183         return 1;
 184
 185     err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val);
 186     if (err != SASL_OK)
 187         return 0;
 188
 189     ssf = *(const int *)val;
 190
 191     trace_vnc_auth_sasl_ssf(vs, ssf);
 192
 193     if (ssf < 56)
 194         return 0; /* 56 is good for Kerberos */
 195
 196     /* Only setup for read initially, because we're about to send an RPC
 197      * reply which must be in plain text. When the next incoming RPC
 198      * arrives, we'll switch on writes too
 199      *
 200      * cf qemudClientReadSASL  in qemud.c
 201      */
 202     vs->sasl.runSSF = 1;
 203
 204     /* We have a SSF that's good enough */
 205     return 1;
 206 }
 207
 208 /*
 209  * Step Msg
 210  *
 211  * Input from client:
 212  *
 213  * u32 clientin-length
 214  * u8-array clientin-string
 215  *
 216  * Output to client:
 217  *
 218  * u32 serverout-length
 219  * u8-array serverout-strin
 220  * u8 continue
 221  */
 222
 223 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);
 224
 225 static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)
 226 {
 227     uint32_t datalen = len;
 228     const char *serverout;
 229     unsigned int serveroutlen;
 230     int err;
 231     char *clientdata = NULL;
 232
 233     /* NB, distinction of NULL vs "" is *critical* in SASL */
 234     if (datalen) {
 235         clientdata = (char*)data;
 236         clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */
 237         datalen--; /* Don't count NULL byte when passing to _start() */
 238     }
 239
 240     err = sasl_server_step(vs->sasl.conn,
 241                            clientdata,
 242                            datalen,
 243                            &serverout,
 244                            &serveroutlen);
 245     trace_vnc_auth_sasl_step(vs, data, len, serverout, serveroutlen, err);
 246     if (err != SASL_OK &&
 247         err != SASL_CONTINUE) {
 248         trace_vnc_auth_fail(vs, vs->auth, "Cannot step SASL auth",
 249                             sasl_errdetail(vs->sasl.conn));
 250         sasl_dispose(&vs->sasl.conn);
 251         vs->sasl.conn = NULL;
 252         goto authabort;
 253     }
 254
 255     if (serveroutlen > SASL_DATA_MAX_LEN) {
 256         trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
 257         sasl_dispose(&vs->sasl.conn);
 258         vs->sasl.conn = NULL;
 259         goto authabort;
 260     }
 261
 262     if (serveroutlen) {
 263         vnc_write_u32(vs, serveroutlen + 1);
 264         vnc_write(vs, serverout, serveroutlen + 1);
 265     } else {
 266         vnc_write_u32(vs, 0);
 267     }
 268
 269     /* Whether auth is complete */
 270     vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
 271
 272     if (err == SASL_CONTINUE) {
 273         /* Wait for step length */
 274         vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
 275     } else {
 276         if (!vnc_auth_sasl_check_ssf(vs)) {
 277             trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
 278             goto authreject;
 279         }
 280
 281         /* Check username whitelist ACL */
 282         if (vnc_auth_sasl_check_access(vs) < 0) {
 283             goto authreject;
 284         }
 285
 286         trace_vnc_auth_pass(vs, vs->auth);
 287         vnc_write_u32(vs, 0); /* Accept auth */
 288         /*
 289          * Delay writing in SSF encoded mode until pending output
 290          * buffer is written
 291          */
 292         if (vs->sasl.runSSF)
 293             vs->sasl.waitWriteSSF = vs->output.offset;
 294         start_client_init(vs);
 295     }
 296
 297     return 0;
 298
 299  authreject:
 300     vnc_write_u32(vs, 1); /* Reject auth */
 301     vnc_write_u32(vs, sizeof("Authentication failed"));
 302     vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
 303     vnc_flush(vs);
 304     vnc_client_error(vs);
 305     return -1;
 306
 307  authabort:
 308     vnc_client_error(vs);
 309     return -1;
 310 }
 311
 312 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
 313 {
 314     uint32_t steplen = read_u32(data, 0);
 315
 316     if (steplen > SASL_DATA_MAX_LEN) {
 317         trace_vnc_auth_fail(vs, vs->auth, "SASL step len too large", "");
 318         vnc_client_error(vs);
 319         return -1;
 320     }
 321
 322     if (steplen == 0)
 323         return protocol_client_auth_sasl_step(vs, NULL, 0);
 324     else
 325         vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);
 326     return 0;
 327 }
 328
 329 /*
 330  * Start Msg
 331  *
 332  * Input from client:
 333  *
 334  * u32 clientin-length
 335  * u8-array clientin-string
 336  *
 337  * Output to client:
 338  *
 339  * u32 serverout-length
 340  * u8-array serverout-strin
 341  * u8 continue
 342  */
 343
 344 #define SASL_DATA_MAX_LEN (1024 * 1024)
 345
 346 static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)
 347 {
 348     uint32_t datalen = len;
 349     const char *serverout;
 350     unsigned int serveroutlen;
 351     int err;
 352     char *clientdata = NULL;
 353
 354     /* NB, distinction of NULL vs "" is *critical* in SASL */
 355     if (datalen) {
 356         clientdata = (char*)data;
 357         clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */
 358         datalen--; /* Don't count NULL byte when passing to _start() */
 359     }
 360
 361     err = sasl_server_start(vs->sasl.conn,
 362                             vs->sasl.mechlist,
 363                             clientdata,
 364                             datalen,
 365                             &serverout,
 366                             &serveroutlen);
 367     trace_vnc_auth_sasl_start(vs, data, len, serverout, serveroutlen, err);
 368     if (err != SASL_OK &&
 369         err != SASL_CONTINUE) {
 370         trace_vnc_auth_fail(vs, vs->auth, "Cannot start SASL auth",
 371                             sasl_errdetail(vs->sasl.conn));
 372         sasl_dispose(&vs->sasl.conn);
 373         vs->sasl.conn = NULL;
 374         goto authabort;
 375     }
 376     if (serveroutlen > SASL_DATA_MAX_LEN) {
 377         trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
 378         sasl_dispose(&vs->sasl.conn);
 379         vs->sasl.conn = NULL;
 380         goto authabort;
 381     }
 382
 383     if (serveroutlen) {
 384         vnc_write_u32(vs, serveroutlen + 1);
 385         vnc_write(vs, serverout, serveroutlen + 1);
 386     } else {
 387         vnc_write_u32(vs, 0);
 388     }
 389
 390     /* Whether auth is complete */
 391     vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
 392
 393     if (err == SASL_CONTINUE) {
 394         /* Wait for step length */
 395         vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
 396     } else {
 397         if (!vnc_auth_sasl_check_ssf(vs)) {
 398             trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
 399             goto authreject;
 400         }
 401
 402         /* Check username whitelist ACL */
 403         if (vnc_auth_sasl_check_access(vs) < 0) {
 404             goto authreject;
 405         }
 406
 407         trace_vnc_auth_pass(vs, vs->auth);
 408         vnc_write_u32(vs, 0); /* Accept auth */
 409         start_client_init(vs);
 410     }
 411
 412     return 0;
 413
 414  authreject:
 415     vnc_write_u32(vs, 1); /* Reject auth */
 416     vnc_write_u32(vs, sizeof("Authentication failed"));
 417     vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
 418     vnc_flush(vs);
 419     vnc_client_error(vs);
 420     return -1;
 421
 422  authabort:
 423     vnc_client_error(vs);
 424     return -1;
 425 }
 426
 427 static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
 428 {
 429     uint32_t startlen = read_u32(data, 0);
 430
 431     if (startlen > SASL_DATA_MAX_LEN) {
 432         trace_vnc_auth_fail(vs, vs->auth, "SASL start len too large", "");
 433         vnc_client_error(vs);
 434         return -1;
 435     }
 436
 437     if (startlen == 0)
 438         return protocol_client_auth_sasl_start(vs, NULL, 0);
 439
 440     vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);
 441     return 0;
 442 }
 443
 444 static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
 445 {
 446     char *mechname = g_strndup((const char *) data, len);
 447     trace_vnc_auth_sasl_mech_choose(vs, mechname);
 448
 449     if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
 450         if (vs->sasl.mechlist[len] != '\0' &&
 451             vs->sasl.mechlist[len] != ',') {
 452             goto fail;
 453         }
 454     } else {
 455         char *offset = strstr(vs->sasl.mechlist, mechname);
 456         if (!offset) {
 457             goto fail;
 458         }
 459         if (offset[-1] != ',' ||
 460             (offset[len] != '\0'&&
 461              offset[len] != ',')) {
 462             goto fail;
 463         }
 464     }
 465
 466     g_free(vs->sasl.mechlist);
 467     vs->sasl.mechlist = mechname;
 468
 469     vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
 470     return 0;
 471
 472  fail:
 473     trace_vnc_auth_fail(vs, vs->auth, "Unsupported mechname", mechname);
 474     vnc_client_error(vs);
 475     g_free(mechname);
 476     return -1;
 477 }
 478
 479 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
 480 {
 481     uint32_t mechlen = read_u32(data, 0);
 482
 483     if (mechlen > 100) {
 484         trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too long", "");
 485         vnc_client_error(vs);
 486         return -1;
 487     }
 488     if (mechlen < 1) {
 489         trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too short", "");
 490         vnc_client_error(vs);
 491         return -1;
 492     }
 493     vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen);
 494     return 0;
 495 }
 496
 497 static char *
 498 vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
 499                           bool local,
 500                           Error **errp)
 501 {
 502     SocketAddress *addr;
 503     char *ret;
 504
 505     if (local) {
 506         addr = qio_channel_socket_get_local_address(ioc, errp);
 507     } else {
 508         addr = qio_channel_socket_get_remote_address(ioc, errp);
 509     }
 510     if (!addr) {
 511         return NULL;
 512     }
 513
 514     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
 515         error_setg(errp, "Not an inet socket type");
 516         return NULL;
 517     }
 518     ret = g_strdup_printf("%s;%s", addr->u.inet.host, addr->u.inet.port);
 519     qapi_free_SocketAddress(addr);
 520     return ret;
 521 }
 522
 523 void start_auth_sasl(VncState *vs)
 524 {
 525     const char *mechlist = NULL;
 526     sasl_security_properties_t secprops;
 527     int err;
 528     Error *local_err = NULL;
 529     char *localAddr, *remoteAddr;
 530     int mechlistlen;
 531
 532     /* Get local & remote client addresses in form  IPADDR;PORT */
 533     localAddr = vnc_socket_ip_addr_string(vs->sioc, true, &local_err);
 534     if (!localAddr) {
 535         trace_vnc_auth_fail(vs, vs->auth, "Cannot format local IP",
 536                             error_get_pretty(local_err));
 537         goto authabort;
 538     }
 539
 540     remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, &local_err);
 541     if (!remoteAddr) {
 542         trace_vnc_auth_fail(vs, vs->auth, "Cannot format remote IP",
 543                             error_get_pretty(local_err));
 544         g_free(localAddr);
 545         goto authabort;
 546     }
 547
 548     err = sasl_server_new("vnc",
 549                           NULL, /* FQDN - just delegates to gethostname */
 550                           NULL, /* User realm */
 551                           localAddr,
 552                           remoteAddr,
 553                           NULL, /* Callbacks, not needed */
 554                           SASL_SUCCESS_DATA,
 555                           &vs->sasl.conn);
 556     g_free(localAddr);
 557     g_free(remoteAddr);
 558     localAddr = remoteAddr = NULL;
 559
 560     if (err != SASL_OK) {
 561         trace_vnc_auth_fail(vs, vs->auth,  "SASL context setup failed",
 562                             sasl_errstring(err, NULL, NULL));
 563         vs->sasl.conn = NULL;
 564         goto authabort;
 565     }
 566
 567     /* Inform SASL that we've got an external SSF layer from TLS/x509 */
 568     if (vs->auth == VNC_AUTH_VENCRYPT &&
 569         vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
 570         int keysize;
 571         sasl_ssf_t ssf;
 572
 573         keysize = qcrypto_tls_session_get_key_size(vs->tls,
 574                                                    &local_err);
 575         if (keysize < 0) {
 576             trace_vnc_auth_fail(vs, vs->auth, "cannot TLS get cipher size",
 577                                 error_get_pretty(local_err));
 578             sasl_dispose(&vs->sasl.conn);
 579             vs->sasl.conn = NULL;
 580             goto authabort;
 581         }
 582         ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */
 583
 584         err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf);
 585         if (err != SASL_OK) {
 586             trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL external SSF",
 587                                 sasl_errstring(err, NULL, NULL));
 588             sasl_dispose(&vs->sasl.conn);
 589             vs->sasl.conn = NULL;
 590             goto authabort;
 591         }
 592     } else {
 593         vs->sasl.wantSSF = 1;
 594     }
 595
 596     memset (&secprops, 0, sizeof secprops);
 597     /* Inform SASL that we've got an external SSF layer from TLS.
 598      *
 599      * Disable SSF, if using TLS+x509+SASL only. TLS without x509
 600      * is not sufficiently strong
 601      */
 602     if (vs->vd->is_unix ||
 603         (vs->auth == VNC_AUTH_VENCRYPT &&
 604          vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
 605         /* If we've got TLS or UNIX domain sock, we don't care about SSF */
 606         secprops.min_ssf = 0;
 607         secprops.max_ssf = 0;
 608         secprops.maxbufsize = 8192;
 609         secprops.security_flags = 0;
 610     } else {
 611         /* Plain TCP, better get an SSF layer */
 612         secprops.min_ssf = 56; /* Good enough to require kerberos */
 613         secprops.max_ssf = 100000; /* Arbitrary big number */
 614         secprops.maxbufsize = 8192;
 615         /* Forbid any anonymous or trivially crackable auth */
 616         secprops.security_flags =
 617             SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
 618     }
 619
 620     err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
 621     if (err != SASL_OK) {
 622         trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL security props",
 623                             sasl_errstring(err, NULL, NULL));
 624         sasl_dispose(&vs->sasl.conn);
 625         vs->sasl.conn = NULL;
 626         goto authabort;
 627     }
 628
 629     err = sasl_listmech(vs->sasl.conn,
 630                         NULL, /* Don't need to set user */
 631                         "", /* Prefix */
 632                         ",", /* Separator */
 633                         "", /* Suffix */
 634                         &mechlist,
 635                         NULL,
 636                         NULL);
 637     if (err != SASL_OK) {
 638         trace_vnc_auth_fail(vs, vs->auth, "cannot list SASL mechanisms",
 639                             sasl_errdetail(vs->sasl.conn));
 640         sasl_dispose(&vs->sasl.conn);
 641         vs->sasl.conn = NULL;
 642         goto authabort;
 643     }
 644     trace_vnc_auth_sasl_mech_list(vs, mechlist);
 645
 646     vs->sasl.mechlist = g_strdup(mechlist);
 647     mechlistlen = strlen(mechlist);
 648     vnc_write_u32(vs, mechlistlen);
 649     vnc_write(vs, mechlist, mechlistlen);
 650     vnc_flush(vs);
 651
 652     vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
 653
 654     return;
 655
 656  authabort:
 657     error_free(local_err);
 658     vnc_client_error(vs);
 659 }
 660
 661