xref: /openbmc/qemu/ui/vnc-auth-sasl.c (revision 4a09d0bb)
1 /*
2  * QEMU VNC display driver: SASL auth protocol
3  *
4  * Copyright (C) 2009 Red Hat, Inc
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 
25 #include "qemu/osdep.h"
26 #include "qapi/error.h"
27 #include "vnc.h"
28 
29 /* Max amount of data we send/recv for SASL steps to prevent DOS */
30 #define SASL_DATA_MAX_LEN (1024 * 1024)
31 
32 
33 void vnc_sasl_client_cleanup(VncState *vs)
34 {
35     if (vs->sasl.conn) {
36         vs->sasl.runSSF = false;
37         vs->sasl.wantSSF = false;
38         vs->sasl.waitWriteSSF = 0;
39         vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;
40         vs->sasl.encoded = NULL;
41         g_free(vs->sasl.username);
42         g_free(vs->sasl.mechlist);
43         vs->sasl.username = vs->sasl.mechlist = NULL;
44         sasl_dispose(&vs->sasl.conn);
45         vs->sasl.conn = NULL;
46     }
47 }
48 
49 
50 long vnc_client_write_sasl(VncState *vs)
51 {
52     long ret;
53 
54     VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
55               "Encoded: %p size %d offset %d\n",
56               vs->output.buffer, vs->output.capacity, vs->output.offset,
57               vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);
58 
59     if (!vs->sasl.encoded) {
60         int err;
61         err = sasl_encode(vs->sasl.conn,
62                           (char *)vs->output.buffer,
63                           vs->output.offset,
64                           (const char **)&vs->sasl.encoded,
65                           &vs->sasl.encodedLength);
66         if (err != SASL_OK)
67             return vnc_client_io_error(vs, -1, NULL);
68 
69         vs->sasl.encodedOffset = 0;
70     }
71 
72     ret = vnc_client_write_buf(vs,
73                                vs->sasl.encoded + vs->sasl.encodedOffset,
74                                vs->sasl.encodedLength - vs->sasl.encodedOffset);
75     if (!ret)
76         return 0;
77 
78     vs->sasl.encodedOffset += ret;
79     if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {
80         vs->output.offset = 0;
81         vs->sasl.encoded = NULL;
82         vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;
83     }
84 
85     /* Can't merge this block with one above, because
86      * someone might have written more unencrypted
87      * data in vs->output while we were processing
88      * SASL encoded output
89      */
90     if (vs->output.offset == 0) {
91         if (vs->ioc_tag) {
92             g_source_remove(vs->ioc_tag);
93         }
94         vs->ioc_tag = qio_channel_add_watch(
95             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
96     }
97 
98     return ret;
99 }
100 
101 
102 long vnc_client_read_sasl(VncState *vs)
103 {
104     long ret;
105     uint8_t encoded[4096];
106     const char *decoded;
107     unsigned int decodedLen;
108     int err;
109 
110     ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));
111     if (!ret)
112         return 0;
113 
114     err = sasl_decode(vs->sasl.conn,
115                       (char *)encoded, ret,
116                       &decoded, &decodedLen);
117 
118     if (err != SASL_OK)
119         return vnc_client_io_error(vs, -1, NULL);
120     VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
121               encoded, ret, decoded, decodedLen);
122     buffer_reserve(&vs->input, decodedLen);
123     buffer_append(&vs->input, decoded, decodedLen);
124     return decodedLen;
125 }
126 
127 
128 static int vnc_auth_sasl_check_access(VncState *vs)
129 {
130     const void *val;
131     int err;
132     int allow;
133 
134     err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
135     if (err != SASL_OK) {
136         VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n",
137                   err, sasl_errstring(err, NULL, NULL));
138         return -1;
139     }
140     if (val == NULL) {
141         VNC_DEBUG("no client username was found, denying access\n");
142         return -1;
143     }
144     VNC_DEBUG("SASL client username %s\n", (const char *)val);
145 
146     vs->sasl.username = g_strdup((const char*)val);
147 
148     if (vs->vd->sasl.acl == NULL) {
149         VNC_DEBUG("no ACL activated, allowing access\n");
150         return 0;
151     }
152 
153     allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
154 
155     VNC_DEBUG("SASL client %s %s by ACL\n", vs->sasl.username,
156               allow ? "allowed" : "denied");
157     return allow ? 0 : -1;
158 }
159 
160 static int vnc_auth_sasl_check_ssf(VncState *vs)
161 {
162     const void *val;
163     int err, ssf;
164 
165     if (!vs->sasl.wantSSF)
166         return 1;
167 
168     err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val);
169     if (err != SASL_OK)
170         return 0;
171 
172     ssf = *(const int *)val;
173     VNC_DEBUG("negotiated an SSF of %d\n", ssf);
174     if (ssf < 56)
175         return 0; /* 56 is good for Kerberos */
176 
177     /* Only setup for read initially, because we're about to send an RPC
178      * reply which must be in plain text. When the next incoming RPC
179      * arrives, we'll switch on writes too
180      *
181      * cf qemudClientReadSASL  in qemud.c
182      */
183     vs->sasl.runSSF = 1;
184 
185     /* We have a SSF that's good enough */
186     return 1;
187 }
188 
189 /*
190  * Step Msg
191  *
192  * Input from client:
193  *
194  * u32 clientin-length
195  * u8-array clientin-string
196  *
197  * Output to client:
198  *
199  * u32 serverout-length
200  * u8-array serverout-strin
201  * u8 continue
202  */
203 
204 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);
205 
206 static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)
207 {
208     uint32_t datalen = len;
209     const char *serverout;
210     unsigned int serveroutlen;
211     int err;
212     char *clientdata = NULL;
213 
214     /* NB, distinction of NULL vs "" is *critical* in SASL */
215     if (datalen) {
216         clientdata = (char*)data;
217         clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */
218         datalen--; /* Don't count NULL byte when passing to _start() */
219     }
220 
221     VNC_DEBUG("Step using SASL Data %p (%d bytes)\n",
222               clientdata, datalen);
223     err = sasl_server_step(vs->sasl.conn,
224                            clientdata,
225                            datalen,
226                            &serverout,
227                            &serveroutlen);
228     if (err != SASL_OK &&
229         err != SASL_CONTINUE) {
230         VNC_DEBUG("sasl step failed %d (%s)\n",
231                   err, sasl_errdetail(vs->sasl.conn));
232         sasl_dispose(&vs->sasl.conn);
233         vs->sasl.conn = NULL;
234         goto authabort;
235     }
236 
237     if (serveroutlen > SASL_DATA_MAX_LEN) {
238         VNC_DEBUG("sasl step reply data too long %d\n",
239                   serveroutlen);
240         sasl_dispose(&vs->sasl.conn);
241         vs->sasl.conn = NULL;
242         goto authabort;
243     }
244 
245     VNC_DEBUG("SASL return data %d bytes, nil; %d\n",
246               serveroutlen, serverout ? 0 : 1);
247 
248     if (serveroutlen) {
249         vnc_write_u32(vs, serveroutlen + 1);
250         vnc_write(vs, serverout, serveroutlen + 1);
251     } else {
252         vnc_write_u32(vs, 0);
253     }
254 
255     /* Whether auth is complete */
256     vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
257 
258     if (err == SASL_CONTINUE) {
259         VNC_DEBUG("%s", "Authentication must continue\n");
260         /* Wait for step length */
261         vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
262     } else {
263         if (!vnc_auth_sasl_check_ssf(vs)) {
264             VNC_DEBUG("Authentication rejected for weak SSF %p\n", vs->ioc);
265             goto authreject;
266         }
267 
268         /* Check username whitelist ACL */
269         if (vnc_auth_sasl_check_access(vs) < 0) {
270             VNC_DEBUG("Authentication rejected for ACL %p\n", vs->ioc);
271             goto authreject;
272         }
273 
274         VNC_DEBUG("Authentication successful %p\n", vs->ioc);
275         vnc_write_u32(vs, 0); /* Accept auth */
276         /*
277          * Delay writing in SSF encoded mode until pending output
278          * buffer is written
279          */
280         if (vs->sasl.runSSF)
281             vs->sasl.waitWriteSSF = vs->output.offset;
282         start_client_init(vs);
283     }
284 
285     return 0;
286 
287  authreject:
288     vnc_write_u32(vs, 1); /* Reject auth */
289     vnc_write_u32(vs, sizeof("Authentication failed"));
290     vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
291     vnc_flush(vs);
292     vnc_client_error(vs);
293     return -1;
294 
295  authabort:
296     vnc_client_error(vs);
297     return -1;
298 }
299 
300 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
301 {
302     uint32_t steplen = read_u32(data, 0);
303     VNC_DEBUG("Got client step len %d\n", steplen);
304     if (steplen > SASL_DATA_MAX_LEN) {
305         VNC_DEBUG("Too much SASL data %d\n", steplen);
306         vnc_client_error(vs);
307         return -1;
308     }
309 
310     if (steplen == 0)
311         return protocol_client_auth_sasl_step(vs, NULL, 0);
312     else
313         vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);
314     return 0;
315 }
316 
317 /*
318  * Start Msg
319  *
320  * Input from client:
321  *
322  * u32 clientin-length
323  * u8-array clientin-string
324  *
325  * Output to client:
326  *
327  * u32 serverout-length
328  * u8-array serverout-strin
329  * u8 continue
330  */
331 
332 #define SASL_DATA_MAX_LEN (1024 * 1024)
333 
334 static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)
335 {
336     uint32_t datalen = len;
337     const char *serverout;
338     unsigned int serveroutlen;
339     int err;
340     char *clientdata = NULL;
341 
342     /* NB, distinction of NULL vs "" is *critical* in SASL */
343     if (datalen) {
344         clientdata = (char*)data;
345         clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */
346         datalen--; /* Don't count NULL byte when passing to _start() */
347     }
348 
349     VNC_DEBUG("Start SASL auth with mechanism %s. Data %p (%d bytes)\n",
350               vs->sasl.mechlist, clientdata, datalen);
351     err = sasl_server_start(vs->sasl.conn,
352                             vs->sasl.mechlist,
353                             clientdata,
354                             datalen,
355                             &serverout,
356                             &serveroutlen);
357     if (err != SASL_OK &&
358         err != SASL_CONTINUE) {
359         VNC_DEBUG("sasl start failed %d (%s)\n",
360                   err, sasl_errdetail(vs->sasl.conn));
361         sasl_dispose(&vs->sasl.conn);
362         vs->sasl.conn = NULL;
363         goto authabort;
364     }
365     if (serveroutlen > SASL_DATA_MAX_LEN) {
366         VNC_DEBUG("sasl start reply data too long %d\n",
367                   serveroutlen);
368         sasl_dispose(&vs->sasl.conn);
369         vs->sasl.conn = NULL;
370         goto authabort;
371     }
372 
373     VNC_DEBUG("SASL return data %d bytes, nil; %d\n",
374               serveroutlen, serverout ? 0 : 1);
375 
376     if (serveroutlen) {
377         vnc_write_u32(vs, serveroutlen + 1);
378         vnc_write(vs, serverout, serveroutlen + 1);
379     } else {
380         vnc_write_u32(vs, 0);
381     }
382 
383     /* Whether auth is complete */
384     vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
385 
386     if (err == SASL_CONTINUE) {
387         VNC_DEBUG("%s", "Authentication must continue\n");
388         /* Wait for step length */
389         vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
390     } else {
391         if (!vnc_auth_sasl_check_ssf(vs)) {
392             VNC_DEBUG("Authentication rejected for weak SSF %p\n", vs->ioc);
393             goto authreject;
394         }
395 
396         /* Check username whitelist ACL */
397         if (vnc_auth_sasl_check_access(vs) < 0) {
398             VNC_DEBUG("Authentication rejected for ACL %p\n", vs->ioc);
399             goto authreject;
400         }
401 
402         VNC_DEBUG("Authentication successful %p\n", vs->ioc);
403         vnc_write_u32(vs, 0); /* Accept auth */
404         start_client_init(vs);
405     }
406 
407     return 0;
408 
409  authreject:
410     vnc_write_u32(vs, 1); /* Reject auth */
411     vnc_write_u32(vs, sizeof("Authentication failed"));
412     vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
413     vnc_flush(vs);
414     vnc_client_error(vs);
415     return -1;
416 
417  authabort:
418     vnc_client_error(vs);
419     return -1;
420 }
421 
422 static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
423 {
424     uint32_t startlen = read_u32(data, 0);
425     VNC_DEBUG("Got client start len %d\n", startlen);
426     if (startlen > SASL_DATA_MAX_LEN) {
427         VNC_DEBUG("Too much SASL data %d\n", startlen);
428         vnc_client_error(vs);
429         return -1;
430     }
431 
432     if (startlen == 0)
433         return protocol_client_auth_sasl_start(vs, NULL, 0);
434 
435     vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);
436     return 0;
437 }
438 
439 static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
440 {
441     char *mechname = g_strndup((const char *) data, len);
442     VNC_DEBUG("Got client mechname '%s' check against '%s'\n",
443               mechname, vs->sasl.mechlist);
444 
445     if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
446         if (vs->sasl.mechlist[len] != '\0' &&
447             vs->sasl.mechlist[len] != ',') {
448             VNC_DEBUG("One %d", vs->sasl.mechlist[len]);
449             goto fail;
450         }
451     } else {
452         char *offset = strstr(vs->sasl.mechlist, mechname);
453         VNC_DEBUG("Two %p\n", offset);
454         if (!offset) {
455             goto fail;
456         }
457         VNC_DEBUG("Two '%s'\n", offset);
458         if (offset[-1] != ',' ||
459             (offset[len] != '\0'&&
460              offset[len] != ',')) {
461             goto fail;
462         }
463     }
464 
465     g_free(vs->sasl.mechlist);
466     vs->sasl.mechlist = mechname;
467 
468     VNC_DEBUG("Validated mechname '%s'\n", mechname);
469     vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
470     return 0;
471 
472  fail:
473     vnc_client_error(vs);
474     g_free(mechname);
475     return -1;
476 }
477 
478 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
479 {
480     uint32_t mechlen = read_u32(data, 0);
481     VNC_DEBUG("Got client mechname len %d\n", mechlen);
482     if (mechlen > 100) {
483         VNC_DEBUG("Too long SASL mechname data %d\n", mechlen);
484         vnc_client_error(vs);
485         return -1;
486     }
487     if (mechlen < 1) {
488         VNC_DEBUG("Too short SASL mechname %d\n", mechlen);
489         vnc_client_error(vs);
490         return -1;
491     }
492     vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen);
493     return 0;
494 }
495 
496 static char *
497 vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
498                           bool local,
499                           Error **errp)
500 {
501     SocketAddress *addr;
502     char *ret;
503 
504     if (local) {
505         addr = qio_channel_socket_get_local_address(ioc, errp);
506     } else {
507         addr = qio_channel_socket_get_remote_address(ioc, errp);
508     }
509     if (!addr) {
510         return NULL;
511     }
512 
513     if (addr->type != SOCKET_ADDRESS_KIND_INET) {
514         error_setg(errp, "Not an inet socket type");
515         return NULL;
516     }
517     ret = g_strdup_printf("%s;%s", addr->u.inet.data->host,
518                           addr->u.inet.data->port);
519     qapi_free_SocketAddress(addr);
520     return ret;
521 }
522 
523 void start_auth_sasl(VncState *vs)
524 {
525     const char *mechlist = NULL;
526     sasl_security_properties_t secprops;
527     int err;
528     char *localAddr, *remoteAddr;
529     int mechlistlen;
530 
531     VNC_DEBUG("Initialize SASL auth %p\n", vs->ioc);
532 
533     /* Get local & remote client addresses in form  IPADDR;PORT */
534     localAddr = vnc_socket_ip_addr_string(vs->sioc, true, NULL);
535     if (!localAddr) {
536         goto authabort;
537     }
538 
539     remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, NULL);
540     if (!remoteAddr) {
541         g_free(localAddr);
542         goto authabort;
543     }
544 
545     err = sasl_server_new("vnc",
546                           NULL, /* FQDN - just delegates to gethostname */
547                           NULL, /* User realm */
548                           localAddr,
549                           remoteAddr,
550                           NULL, /* Callbacks, not needed */
551                           SASL_SUCCESS_DATA,
552                           &vs->sasl.conn);
553     g_free(localAddr);
554     g_free(remoteAddr);
555     localAddr = remoteAddr = NULL;
556 
557     if (err != SASL_OK) {
558         VNC_DEBUG("sasl context setup failed %d (%s)",
559                   err, sasl_errstring(err, NULL, NULL));
560         vs->sasl.conn = NULL;
561         goto authabort;
562     }
563 
564     /* Inform SASL that we've got an external SSF layer from TLS/x509 */
565     if (vs->auth == VNC_AUTH_VENCRYPT &&
566         vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
567         Error *local_err = NULL;
568         int keysize;
569         sasl_ssf_t ssf;
570 
571         keysize = qcrypto_tls_session_get_key_size(vs->tls,
572                                                    &local_err);
573         if (keysize < 0) {
574             VNC_DEBUG("cannot TLS get cipher size: %s\n",
575                       error_get_pretty(local_err));
576             error_free(local_err);
577             sasl_dispose(&vs->sasl.conn);
578             vs->sasl.conn = NULL;
579             goto authabort;
580         }
581         ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */
582 
583         err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf);
584         if (err != SASL_OK) {
585             VNC_DEBUG("cannot set SASL external SSF %d (%s)\n",
586                       err, sasl_errstring(err, NULL, NULL));
587             sasl_dispose(&vs->sasl.conn);
588             vs->sasl.conn = NULL;
589             goto authabort;
590         }
591     } else {
592         vs->sasl.wantSSF = 1;
593     }
594 
595     memset (&secprops, 0, sizeof secprops);
596     /* Inform SASL that we've got an external SSF layer from TLS.
597      *
598      * Disable SSF, if using TLS+x509+SASL only. TLS without x509
599      * is not sufficiently strong
600      */
601     if (vs->vd->is_unix ||
602         (vs->auth == VNC_AUTH_VENCRYPT &&
603          vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
604         /* If we've got TLS or UNIX domain sock, we don't care about SSF */
605         secprops.min_ssf = 0;
606         secprops.max_ssf = 0;
607         secprops.maxbufsize = 8192;
608         secprops.security_flags = 0;
609     } else {
610         /* Plain TCP, better get an SSF layer */
611         secprops.min_ssf = 56; /* Good enough to require kerberos */
612         secprops.max_ssf = 100000; /* Arbitrary big number */
613         secprops.maxbufsize = 8192;
614         /* Forbid any anonymous or trivially crackable auth */
615         secprops.security_flags =
616             SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
617     }
618 
619     err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
620     if (err != SASL_OK) {
621         VNC_DEBUG("cannot set SASL security props %d (%s)\n",
622                   err, sasl_errstring(err, NULL, NULL));
623         sasl_dispose(&vs->sasl.conn);
624         vs->sasl.conn = NULL;
625         goto authabort;
626     }
627 
628     err = sasl_listmech(vs->sasl.conn,
629                         NULL, /* Don't need to set user */
630                         "", /* Prefix */
631                         ",", /* Separator */
632                         "", /* Suffix */
633                         &mechlist,
634                         NULL,
635                         NULL);
636     if (err != SASL_OK) {
637         VNC_DEBUG("cannot list SASL mechanisms %d (%s)\n",
638                   err, sasl_errdetail(vs->sasl.conn));
639         sasl_dispose(&vs->sasl.conn);
640         vs->sasl.conn = NULL;
641         goto authabort;
642     }
643     VNC_DEBUG("Available mechanisms for client: '%s'\n", mechlist);
644 
645     vs->sasl.mechlist = g_strdup(mechlist);
646     mechlistlen = strlen(mechlist);
647     vnc_write_u32(vs, mechlistlen);
648     vnc_write(vs, mechlist, mechlistlen);
649     vnc_flush(vs);
650 
651     VNC_DEBUG("Wait for client mechname length\n");
652     vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
653 
654     return;
655 
656  authabort:
657     vnc_client_error(vs);
658 }
659 
660 
661