1 /* 2 * QEMU VNC display driver: SASL auth protocol 3 * 4 * Copyright (C) 2009 Red Hat, Inc 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to deal 8 * in the Software without restriction, including without limitation the rights 9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 * copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 22 * THE SOFTWARE. 23 */ 24 25 #include "qemu/osdep.h" 26 #include "qapi/error.h" 27 #include "vnc.h" 28 29 /* Max amount of data we send/recv for SASL steps to prevent DOS */ 30 #define SASL_DATA_MAX_LEN (1024 * 1024) 31 32 33 void vnc_sasl_client_cleanup(VncState *vs) 34 { 35 if (vs->sasl.conn) { 36 vs->sasl.runSSF = false; 37 vs->sasl.wantSSF = false; 38 vs->sasl.waitWriteSSF = 0; 39 vs->sasl.encodedLength = vs->sasl.encodedOffset = 0; 40 vs->sasl.encoded = NULL; 41 g_free(vs->sasl.username); 42 g_free(vs->sasl.mechlist); 43 vs->sasl.username = vs->sasl.mechlist = NULL; 44 sasl_dispose(&vs->sasl.conn); 45 vs->sasl.conn = NULL; 46 } 47 } 48 49 50 long vnc_client_write_sasl(VncState *vs) 51 { 52 long ret; 53 54 VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd " 55 "Encoded: %p size %d offset %d\n", 56 vs->output.buffer, vs->output.capacity, vs->output.offset, 57 vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset); 58 59 if (!vs->sasl.encoded) { 60 int err; 61 err = sasl_encode(vs->sasl.conn, 62 (char *)vs->output.buffer, 63 vs->output.offset, 64 (const char **)&vs->sasl.encoded, 65 &vs->sasl.encodedLength); 66 if (err != SASL_OK) 67 return vnc_client_io_error(vs, -1, NULL); 68 69 vs->sasl.encodedOffset = 0; 70 } 71 72 ret = vnc_client_write_buf(vs, 73 vs->sasl.encoded + vs->sasl.encodedOffset, 74 vs->sasl.encodedLength - vs->sasl.encodedOffset); 75 if (!ret) 76 return 0; 77 78 vs->sasl.encodedOffset += ret; 79 if (vs->sasl.encodedOffset == vs->sasl.encodedLength) { 80 vs->output.offset = 0; 81 vs->sasl.encoded = NULL; 82 vs->sasl.encodedOffset = vs->sasl.encodedLength = 0; 83 } 84 85 /* Can't merge this block with one above, because 86 * someone might have written more unencrypted 87 * data in vs->output while we were processing 88 * SASL encoded output 89 */ 90 if (vs->output.offset == 0) { 91 if (vs->ioc_tag) { 92 g_source_remove(vs->ioc_tag); 93 } 94 vs->ioc_tag = qio_channel_add_watch( 95 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL); 96 } 97 98 return ret; 99 } 100 101 102 long vnc_client_read_sasl(VncState *vs) 103 { 104 long ret; 105 uint8_t encoded[4096]; 106 const char *decoded; 107 unsigned int decodedLen; 108 int err; 109 110 ret = vnc_client_read_buf(vs, encoded, sizeof(encoded)); 111 if (!ret) 112 return 0; 113 114 err = sasl_decode(vs->sasl.conn, 115 (char *)encoded, ret, 116 &decoded, &decodedLen); 117 118 if (err != SASL_OK) 119 return vnc_client_io_error(vs, -1, NULL); 120 VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n", 121 encoded, ret, decoded, decodedLen); 122 buffer_reserve(&vs->input, decodedLen); 123 buffer_append(&vs->input, decoded, decodedLen); 124 return decodedLen; 125 } 126 127 128 static int vnc_auth_sasl_check_access(VncState *vs) 129 { 130 const void *val; 131 int err; 132 int allow; 133 134 err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val); 135 if (err != SASL_OK) { 136 VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n", 137 err, sasl_errstring(err, NULL, NULL)); 138 return -1; 139 } 140 if (val == NULL) { 141 VNC_DEBUG("no client username was found, denying access\n"); 142 return -1; 143 } 144 VNC_DEBUG("SASL client username %s\n", (const char *)val); 145 146 vs->sasl.username = g_strdup((const char*)val); 147 148 if (vs->vd->sasl.acl == NULL) { 149 VNC_DEBUG("no ACL activated, allowing access\n"); 150 return 0; 151 } 152 153 allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username); 154 155 VNC_DEBUG("SASL client %s %s by ACL\n", vs->sasl.username, 156 allow ? "allowed" : "denied"); 157 return allow ? 0 : -1; 158 } 159 160 static int vnc_auth_sasl_check_ssf(VncState *vs) 161 { 162 const void *val; 163 int err, ssf; 164 165 if (!vs->sasl.wantSSF) 166 return 1; 167 168 err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val); 169 if (err != SASL_OK) 170 return 0; 171 172 ssf = *(const int *)val; 173 VNC_DEBUG("negotiated an SSF of %d\n", ssf); 174 if (ssf < 56) 175 return 0; /* 56 is good for Kerberos */ 176 177 /* Only setup for read initially, because we're about to send an RPC 178 * reply which must be in plain text. When the next incoming RPC 179 * arrives, we'll switch on writes too 180 * 181 * cf qemudClientReadSASL in qemud.c 182 */ 183 vs->sasl.runSSF = 1; 184 185 /* We have a SSF that's good enough */ 186 return 1; 187 } 188 189 /* 190 * Step Msg 191 * 192 * Input from client: 193 * 194 * u32 clientin-length 195 * u8-array clientin-string 196 * 197 * Output to client: 198 * 199 * u32 serverout-length 200 * u8-array serverout-strin 201 * u8 continue 202 */ 203 204 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len); 205 206 static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len) 207 { 208 uint32_t datalen = len; 209 const char *serverout; 210 unsigned int serveroutlen; 211 int err; 212 char *clientdata = NULL; 213 214 /* NB, distinction of NULL vs "" is *critical* in SASL */ 215 if (datalen) { 216 clientdata = (char*)data; 217 clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */ 218 datalen--; /* Don't count NULL byte when passing to _start() */ 219 } 220 221 VNC_DEBUG("Step using SASL Data %p (%d bytes)\n", 222 clientdata, datalen); 223 err = sasl_server_step(vs->sasl.conn, 224 clientdata, 225 datalen, 226 &serverout, 227 &serveroutlen); 228 if (err != SASL_OK && 229 err != SASL_CONTINUE) { 230 VNC_DEBUG("sasl step failed %d (%s)\n", 231 err, sasl_errdetail(vs->sasl.conn)); 232 sasl_dispose(&vs->sasl.conn); 233 vs->sasl.conn = NULL; 234 goto authabort; 235 } 236 237 if (serveroutlen > SASL_DATA_MAX_LEN) { 238 VNC_DEBUG("sasl step reply data too long %d\n", 239 serveroutlen); 240 sasl_dispose(&vs->sasl.conn); 241 vs->sasl.conn = NULL; 242 goto authabort; 243 } 244 245 VNC_DEBUG("SASL return data %d bytes, nil; %d\n", 246 serveroutlen, serverout ? 0 : 1); 247 248 if (serveroutlen) { 249 vnc_write_u32(vs, serveroutlen + 1); 250 vnc_write(vs, serverout, serveroutlen + 1); 251 } else { 252 vnc_write_u32(vs, 0); 253 } 254 255 /* Whether auth is complete */ 256 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1); 257 258 if (err == SASL_CONTINUE) { 259 VNC_DEBUG("%s", "Authentication must continue\n"); 260 /* Wait for step length */ 261 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4); 262 } else { 263 if (!vnc_auth_sasl_check_ssf(vs)) { 264 VNC_DEBUG("Authentication rejected for weak SSF %p\n", vs->ioc); 265 goto authreject; 266 } 267 268 /* Check username whitelist ACL */ 269 if (vnc_auth_sasl_check_access(vs) < 0) { 270 VNC_DEBUG("Authentication rejected for ACL %p\n", vs->ioc); 271 goto authreject; 272 } 273 274 VNC_DEBUG("Authentication successful %p\n", vs->ioc); 275 vnc_write_u32(vs, 0); /* Accept auth */ 276 /* 277 * Delay writing in SSF encoded mode until pending output 278 * buffer is written 279 */ 280 if (vs->sasl.runSSF) 281 vs->sasl.waitWriteSSF = vs->output.offset; 282 start_client_init(vs); 283 } 284 285 return 0; 286 287 authreject: 288 vnc_write_u32(vs, 1); /* Reject auth */ 289 vnc_write_u32(vs, sizeof("Authentication failed")); 290 vnc_write(vs, "Authentication failed", sizeof("Authentication failed")); 291 vnc_flush(vs); 292 vnc_client_error(vs); 293 return -1; 294 295 authabort: 296 vnc_client_error(vs); 297 return -1; 298 } 299 300 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len) 301 { 302 uint32_t steplen = read_u32(data, 0); 303 VNC_DEBUG("Got client step len %d\n", steplen); 304 if (steplen > SASL_DATA_MAX_LEN) { 305 VNC_DEBUG("Too much SASL data %d\n", steplen); 306 vnc_client_error(vs); 307 return -1; 308 } 309 310 if (steplen == 0) 311 return protocol_client_auth_sasl_step(vs, NULL, 0); 312 else 313 vnc_read_when(vs, protocol_client_auth_sasl_step, steplen); 314 return 0; 315 } 316 317 /* 318 * Start Msg 319 * 320 * Input from client: 321 * 322 * u32 clientin-length 323 * u8-array clientin-string 324 * 325 * Output to client: 326 * 327 * u32 serverout-length 328 * u8-array serverout-strin 329 * u8 continue 330 */ 331 332 #define SASL_DATA_MAX_LEN (1024 * 1024) 333 334 static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len) 335 { 336 uint32_t datalen = len; 337 const char *serverout; 338 unsigned int serveroutlen; 339 int err; 340 char *clientdata = NULL; 341 342 /* NB, distinction of NULL vs "" is *critical* in SASL */ 343 if (datalen) { 344 clientdata = (char*)data; 345 clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */ 346 datalen--; /* Don't count NULL byte when passing to _start() */ 347 } 348 349 VNC_DEBUG("Start SASL auth with mechanism %s. Data %p (%d bytes)\n", 350 vs->sasl.mechlist, clientdata, datalen); 351 err = sasl_server_start(vs->sasl.conn, 352 vs->sasl.mechlist, 353 clientdata, 354 datalen, 355 &serverout, 356 &serveroutlen); 357 if (err != SASL_OK && 358 err != SASL_CONTINUE) { 359 VNC_DEBUG("sasl start failed %d (%s)\n", 360 err, sasl_errdetail(vs->sasl.conn)); 361 sasl_dispose(&vs->sasl.conn); 362 vs->sasl.conn = NULL; 363 goto authabort; 364 } 365 if (serveroutlen > SASL_DATA_MAX_LEN) { 366 VNC_DEBUG("sasl start reply data too long %d\n", 367 serveroutlen); 368 sasl_dispose(&vs->sasl.conn); 369 vs->sasl.conn = NULL; 370 goto authabort; 371 } 372 373 VNC_DEBUG("SASL return data %d bytes, nil; %d\n", 374 serveroutlen, serverout ? 0 : 1); 375 376 if (serveroutlen) { 377 vnc_write_u32(vs, serveroutlen + 1); 378 vnc_write(vs, serverout, serveroutlen + 1); 379 } else { 380 vnc_write_u32(vs, 0); 381 } 382 383 /* Whether auth is complete */ 384 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1); 385 386 if (err == SASL_CONTINUE) { 387 VNC_DEBUG("%s", "Authentication must continue\n"); 388 /* Wait for step length */ 389 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4); 390 } else { 391 if (!vnc_auth_sasl_check_ssf(vs)) { 392 VNC_DEBUG("Authentication rejected for weak SSF %p\n", vs->ioc); 393 goto authreject; 394 } 395 396 /* Check username whitelist ACL */ 397 if (vnc_auth_sasl_check_access(vs) < 0) { 398 VNC_DEBUG("Authentication rejected for ACL %p\n", vs->ioc); 399 goto authreject; 400 } 401 402 VNC_DEBUG("Authentication successful %p\n", vs->ioc); 403 vnc_write_u32(vs, 0); /* Accept auth */ 404 start_client_init(vs); 405 } 406 407 return 0; 408 409 authreject: 410 vnc_write_u32(vs, 1); /* Reject auth */ 411 vnc_write_u32(vs, sizeof("Authentication failed")); 412 vnc_write(vs, "Authentication failed", sizeof("Authentication failed")); 413 vnc_flush(vs); 414 vnc_client_error(vs); 415 return -1; 416 417 authabort: 418 vnc_client_error(vs); 419 return -1; 420 } 421 422 static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len) 423 { 424 uint32_t startlen = read_u32(data, 0); 425 VNC_DEBUG("Got client start len %d\n", startlen); 426 if (startlen > SASL_DATA_MAX_LEN) { 427 VNC_DEBUG("Too much SASL data %d\n", startlen); 428 vnc_client_error(vs); 429 return -1; 430 } 431 432 if (startlen == 0) 433 return protocol_client_auth_sasl_start(vs, NULL, 0); 434 435 vnc_read_when(vs, protocol_client_auth_sasl_start, startlen); 436 return 0; 437 } 438 439 static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len) 440 { 441 char *mechname = g_strndup((const char *) data, len); 442 VNC_DEBUG("Got client mechname '%s' check against '%s'\n", 443 mechname, vs->sasl.mechlist); 444 445 if (strncmp(vs->sasl.mechlist, mechname, len) == 0) { 446 if (vs->sasl.mechlist[len] != '\0' && 447 vs->sasl.mechlist[len] != ',') { 448 VNC_DEBUG("One %d", vs->sasl.mechlist[len]); 449 goto fail; 450 } 451 } else { 452 char *offset = strstr(vs->sasl.mechlist, mechname); 453 VNC_DEBUG("Two %p\n", offset); 454 if (!offset) { 455 goto fail; 456 } 457 VNC_DEBUG("Two '%s'\n", offset); 458 if (offset[-1] != ',' || 459 (offset[len] != '\0'&& 460 offset[len] != ',')) { 461 goto fail; 462 } 463 } 464 465 g_free(vs->sasl.mechlist); 466 vs->sasl.mechlist = mechname; 467 468 VNC_DEBUG("Validated mechname '%s'\n", mechname); 469 vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4); 470 return 0; 471 472 fail: 473 vnc_client_error(vs); 474 g_free(mechname); 475 return -1; 476 } 477 478 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len) 479 { 480 uint32_t mechlen = read_u32(data, 0); 481 VNC_DEBUG("Got client mechname len %d\n", mechlen); 482 if (mechlen > 100) { 483 VNC_DEBUG("Too long SASL mechname data %d\n", mechlen); 484 vnc_client_error(vs); 485 return -1; 486 } 487 if (mechlen < 1) { 488 VNC_DEBUG("Too short SASL mechname %d\n", mechlen); 489 vnc_client_error(vs); 490 return -1; 491 } 492 vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen); 493 return 0; 494 } 495 496 static char * 497 vnc_socket_ip_addr_string(QIOChannelSocket *ioc, 498 bool local, 499 Error **errp) 500 { 501 SocketAddress *addr; 502 char *ret; 503 504 if (local) { 505 addr = qio_channel_socket_get_local_address(ioc, errp); 506 } else { 507 addr = qio_channel_socket_get_remote_address(ioc, errp); 508 } 509 if (!addr) { 510 return NULL; 511 } 512 513 if (addr->type != SOCKET_ADDRESS_KIND_INET) { 514 error_setg(errp, "Not an inet socket type"); 515 return NULL; 516 } 517 ret = g_strdup_printf("%s;%s", addr->u.inet.data->host, 518 addr->u.inet.data->port); 519 qapi_free_SocketAddress(addr); 520 return ret; 521 } 522 523 void start_auth_sasl(VncState *vs) 524 { 525 const char *mechlist = NULL; 526 sasl_security_properties_t secprops; 527 int err; 528 char *localAddr, *remoteAddr; 529 int mechlistlen; 530 531 VNC_DEBUG("Initialize SASL auth %p\n", vs->ioc); 532 533 /* Get local & remote client addresses in form IPADDR;PORT */ 534 localAddr = vnc_socket_ip_addr_string(vs->sioc, true, NULL); 535 if (!localAddr) { 536 goto authabort; 537 } 538 539 remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, NULL); 540 if (!remoteAddr) { 541 g_free(localAddr); 542 goto authabort; 543 } 544 545 err = sasl_server_new("vnc", 546 NULL, /* FQDN - just delegates to gethostname */ 547 NULL, /* User realm */ 548 localAddr, 549 remoteAddr, 550 NULL, /* Callbacks, not needed */ 551 SASL_SUCCESS_DATA, 552 &vs->sasl.conn); 553 g_free(localAddr); 554 g_free(remoteAddr); 555 localAddr = remoteAddr = NULL; 556 557 if (err != SASL_OK) { 558 VNC_DEBUG("sasl context setup failed %d (%s)", 559 err, sasl_errstring(err, NULL, NULL)); 560 vs->sasl.conn = NULL; 561 goto authabort; 562 } 563 564 /* Inform SASL that we've got an external SSF layer from TLS/x509 */ 565 if (vs->auth == VNC_AUTH_VENCRYPT && 566 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) { 567 Error *local_err = NULL; 568 int keysize; 569 sasl_ssf_t ssf; 570 571 keysize = qcrypto_tls_session_get_key_size(vs->tls, 572 &local_err); 573 if (keysize < 0) { 574 VNC_DEBUG("cannot TLS get cipher size: %s\n", 575 error_get_pretty(local_err)); 576 error_free(local_err); 577 sasl_dispose(&vs->sasl.conn); 578 vs->sasl.conn = NULL; 579 goto authabort; 580 } 581 ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */ 582 583 err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf); 584 if (err != SASL_OK) { 585 VNC_DEBUG("cannot set SASL external SSF %d (%s)\n", 586 err, sasl_errstring(err, NULL, NULL)); 587 sasl_dispose(&vs->sasl.conn); 588 vs->sasl.conn = NULL; 589 goto authabort; 590 } 591 } else { 592 vs->sasl.wantSSF = 1; 593 } 594 595 memset (&secprops, 0, sizeof secprops); 596 /* Inform SASL that we've got an external SSF layer from TLS. 597 * 598 * Disable SSF, if using TLS+x509+SASL only. TLS without x509 599 * is not sufficiently strong 600 */ 601 if (vs->vd->is_unix || 602 (vs->auth == VNC_AUTH_VENCRYPT && 603 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) { 604 /* If we've got TLS or UNIX domain sock, we don't care about SSF */ 605 secprops.min_ssf = 0; 606 secprops.max_ssf = 0; 607 secprops.maxbufsize = 8192; 608 secprops.security_flags = 0; 609 } else { 610 /* Plain TCP, better get an SSF layer */ 611 secprops.min_ssf = 56; /* Good enough to require kerberos */ 612 secprops.max_ssf = 100000; /* Arbitrary big number */ 613 secprops.maxbufsize = 8192; 614 /* Forbid any anonymous or trivially crackable auth */ 615 secprops.security_flags = 616 SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT; 617 } 618 619 err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops); 620 if (err != SASL_OK) { 621 VNC_DEBUG("cannot set SASL security props %d (%s)\n", 622 err, sasl_errstring(err, NULL, NULL)); 623 sasl_dispose(&vs->sasl.conn); 624 vs->sasl.conn = NULL; 625 goto authabort; 626 } 627 628 err = sasl_listmech(vs->sasl.conn, 629 NULL, /* Don't need to set user */ 630 "", /* Prefix */ 631 ",", /* Separator */ 632 "", /* Suffix */ 633 &mechlist, 634 NULL, 635 NULL); 636 if (err != SASL_OK) { 637 VNC_DEBUG("cannot list SASL mechanisms %d (%s)\n", 638 err, sasl_errdetail(vs->sasl.conn)); 639 sasl_dispose(&vs->sasl.conn); 640 vs->sasl.conn = NULL; 641 goto authabort; 642 } 643 VNC_DEBUG("Available mechanisms for client: '%s'\n", mechlist); 644 645 vs->sasl.mechlist = g_strdup(mechlist); 646 mechlistlen = strlen(mechlist); 647 vnc_write_u32(vs, mechlistlen); 648 vnc_write(vs, mechlist, mechlistlen); 649 vnc_flush(vs); 650 651 VNC_DEBUG("Wait for client mechname length\n"); 652 vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4); 653 654 return; 655 656 authabort: 657 vnc_client_error(vs); 658 } 659 660 661