1 /* 2 * QEMU VNC display driver: SASL auth protocol 3 * 4 * Copyright (C) 2009 Red Hat, Inc 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to deal 8 * in the Software without restriction, including without limitation the rights 9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 * copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 22 * THE SOFTWARE. 23 */ 24 25 #include "qemu/osdep.h" 26 #include "qapi/error.h" 27 #include "vnc.h" 28 #include "trace.h" 29 30 /* Max amount of data we send/recv for SASL steps to prevent DOS */ 31 #define SASL_DATA_MAX_LEN (1024 * 1024) 32 33 34 void vnc_sasl_client_cleanup(VncState *vs) 35 { 36 if (vs->sasl.conn) { 37 vs->sasl.runSSF = false; 38 vs->sasl.wantSSF = false; 39 vs->sasl.waitWriteSSF = 0; 40 vs->sasl.encodedLength = vs->sasl.encodedOffset = 0; 41 vs->sasl.encoded = NULL; 42 g_free(vs->sasl.username); 43 g_free(vs->sasl.mechlist); 44 vs->sasl.username = vs->sasl.mechlist = NULL; 45 sasl_dispose(&vs->sasl.conn); 46 vs->sasl.conn = NULL; 47 } 48 } 49 50 51 size_t vnc_client_write_sasl(VncState *vs) 52 { 53 size_t ret; 54 55 VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd " 56 "Encoded: %p size %d offset %d\n", 57 vs->output.buffer, vs->output.capacity, vs->output.offset, 58 vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset); 59 60 if (!vs->sasl.encoded) { 61 int err; 62 err = sasl_encode(vs->sasl.conn, 63 (char *)vs->output.buffer, 64 vs->output.offset, 65 (const char **)&vs->sasl.encoded, 66 &vs->sasl.encodedLength); 67 if (err != SASL_OK) 68 return vnc_client_io_error(vs, -1, NULL); 69 70 vs->sasl.encodedRawLength = vs->output.offset; 71 vs->sasl.encodedOffset = 0; 72 } 73 74 ret = vnc_client_write_buf(vs, 75 vs->sasl.encoded + vs->sasl.encodedOffset, 76 vs->sasl.encodedLength - vs->sasl.encodedOffset); 77 if (!ret) 78 return 0; 79 80 vs->sasl.encodedOffset += ret; 81 if (vs->sasl.encodedOffset == vs->sasl.encodedLength) { 82 if (vs->sasl.encodedRawLength >= vs->force_update_offset) { 83 vs->force_update_offset = 0; 84 } else { 85 vs->force_update_offset -= vs->sasl.encodedRawLength; 86 } 87 buffer_advance(&vs->output, vs->sasl.encodedRawLength); 88 vs->sasl.encoded = NULL; 89 vs->sasl.encodedOffset = vs->sasl.encodedLength = 0; 90 } 91 92 /* Can't merge this block with one above, because 93 * someone might have written more unencrypted 94 * data in vs->output while we were processing 95 * SASL encoded output 96 */ 97 if (vs->output.offset == 0) { 98 if (vs->ioc_tag) { 99 g_source_remove(vs->ioc_tag); 100 } 101 vs->ioc_tag = qio_channel_add_watch( 102 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL); 103 } 104 105 return ret; 106 } 107 108 109 size_t vnc_client_read_sasl(VncState *vs) 110 { 111 size_t ret; 112 uint8_t encoded[4096]; 113 const char *decoded; 114 unsigned int decodedLen; 115 int err; 116 117 ret = vnc_client_read_buf(vs, encoded, sizeof(encoded)); 118 if (!ret) 119 return 0; 120 121 err = sasl_decode(vs->sasl.conn, 122 (char *)encoded, ret, 123 &decoded, &decodedLen); 124 125 if (err != SASL_OK) 126 return vnc_client_io_error(vs, -1, NULL); 127 VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n", 128 encoded, ret, decoded, decodedLen); 129 buffer_reserve(&vs->input, decodedLen); 130 buffer_append(&vs->input, decoded, decodedLen); 131 return decodedLen; 132 } 133 134 135 static int vnc_auth_sasl_check_access(VncState *vs) 136 { 137 const void *val; 138 int err; 139 int allow; 140 141 err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val); 142 if (err != SASL_OK) { 143 trace_vnc_auth_fail(vs, vs->auth, "Cannot fetch SASL username", 144 sasl_errstring(err, NULL, NULL)); 145 return -1; 146 } 147 if (val == NULL) { 148 trace_vnc_auth_fail(vs, vs->auth, "No SASL username set", ""); 149 return -1; 150 } 151 152 vs->sasl.username = g_strdup((const char*)val); 153 trace_vnc_auth_sasl_username(vs, vs->sasl.username); 154 155 if (vs->vd->sasl.acl == NULL) { 156 trace_vnc_auth_sasl_acl(vs, 1); 157 return 0; 158 } 159 160 allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username); 161 162 trace_vnc_auth_sasl_acl(vs, allow); 163 return allow ? 0 : -1; 164 } 165 166 static int vnc_auth_sasl_check_ssf(VncState *vs) 167 { 168 const void *val; 169 int err, ssf; 170 171 if (!vs->sasl.wantSSF) 172 return 1; 173 174 err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val); 175 if (err != SASL_OK) 176 return 0; 177 178 ssf = *(const int *)val; 179 180 trace_vnc_auth_sasl_ssf(vs, ssf); 181 182 if (ssf < 56) 183 return 0; /* 56 is good for Kerberos */ 184 185 /* Only setup for read initially, because we're about to send an RPC 186 * reply which must be in plain text. When the next incoming RPC 187 * arrives, we'll switch on writes too 188 * 189 * cf qemudClientReadSASL in qemud.c 190 */ 191 vs->sasl.runSSF = 1; 192 193 /* We have a SSF that's good enough */ 194 return 1; 195 } 196 197 /* 198 * Step Msg 199 * 200 * Input from client: 201 * 202 * u32 clientin-length 203 * u8-array clientin-string 204 * 205 * Output to client: 206 * 207 * u32 serverout-length 208 * u8-array serverout-strin 209 * u8 continue 210 */ 211 212 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len); 213 214 static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len) 215 { 216 uint32_t datalen = len; 217 const char *serverout; 218 unsigned int serveroutlen; 219 int err; 220 char *clientdata = NULL; 221 222 /* NB, distinction of NULL vs "" is *critical* in SASL */ 223 if (datalen) { 224 clientdata = (char*)data; 225 clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */ 226 datalen--; /* Don't count NULL byte when passing to _start() */ 227 } 228 229 err = sasl_server_step(vs->sasl.conn, 230 clientdata, 231 datalen, 232 &serverout, 233 &serveroutlen); 234 trace_vnc_auth_sasl_step(vs, data, len, serverout, serveroutlen, err); 235 if (err != SASL_OK && 236 err != SASL_CONTINUE) { 237 trace_vnc_auth_fail(vs, vs->auth, "Cannot step SASL auth", 238 sasl_errdetail(vs->sasl.conn)); 239 sasl_dispose(&vs->sasl.conn); 240 vs->sasl.conn = NULL; 241 goto authabort; 242 } 243 244 if (serveroutlen > SASL_DATA_MAX_LEN) { 245 trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", ""); 246 sasl_dispose(&vs->sasl.conn); 247 vs->sasl.conn = NULL; 248 goto authabort; 249 } 250 251 if (serveroutlen) { 252 vnc_write_u32(vs, serveroutlen + 1); 253 vnc_write(vs, serverout, serveroutlen + 1); 254 } else { 255 vnc_write_u32(vs, 0); 256 } 257 258 /* Whether auth is complete */ 259 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1); 260 261 if (err == SASL_CONTINUE) { 262 /* Wait for step length */ 263 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4); 264 } else { 265 if (!vnc_auth_sasl_check_ssf(vs)) { 266 trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", ""); 267 goto authreject; 268 } 269 270 /* Check username whitelist ACL */ 271 if (vnc_auth_sasl_check_access(vs) < 0) { 272 goto authreject; 273 } 274 275 trace_vnc_auth_pass(vs, vs->auth); 276 vnc_write_u32(vs, 0); /* Accept auth */ 277 /* 278 * Delay writing in SSF encoded mode until pending output 279 * buffer is written 280 */ 281 if (vs->sasl.runSSF) 282 vs->sasl.waitWriteSSF = vs->output.offset; 283 start_client_init(vs); 284 } 285 286 return 0; 287 288 authreject: 289 vnc_write_u32(vs, 1); /* Reject auth */ 290 vnc_write_u32(vs, sizeof("Authentication failed")); 291 vnc_write(vs, "Authentication failed", sizeof("Authentication failed")); 292 vnc_flush(vs); 293 vnc_client_error(vs); 294 return -1; 295 296 authabort: 297 vnc_client_error(vs); 298 return -1; 299 } 300 301 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len) 302 { 303 uint32_t steplen = read_u32(data, 0); 304 305 if (steplen > SASL_DATA_MAX_LEN) { 306 trace_vnc_auth_fail(vs, vs->auth, "SASL step len too large", ""); 307 vnc_client_error(vs); 308 return -1; 309 } 310 311 if (steplen == 0) 312 return protocol_client_auth_sasl_step(vs, NULL, 0); 313 else 314 vnc_read_when(vs, protocol_client_auth_sasl_step, steplen); 315 return 0; 316 } 317 318 /* 319 * Start Msg 320 * 321 * Input from client: 322 * 323 * u32 clientin-length 324 * u8-array clientin-string 325 * 326 * Output to client: 327 * 328 * u32 serverout-length 329 * u8-array serverout-strin 330 * u8 continue 331 */ 332 333 #define SASL_DATA_MAX_LEN (1024 * 1024) 334 335 static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len) 336 { 337 uint32_t datalen = len; 338 const char *serverout; 339 unsigned int serveroutlen; 340 int err; 341 char *clientdata = NULL; 342 343 /* NB, distinction of NULL vs "" is *critical* in SASL */ 344 if (datalen) { 345 clientdata = (char*)data; 346 clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */ 347 datalen--; /* Don't count NULL byte when passing to _start() */ 348 } 349 350 err = sasl_server_start(vs->sasl.conn, 351 vs->sasl.mechlist, 352 clientdata, 353 datalen, 354 &serverout, 355 &serveroutlen); 356 trace_vnc_auth_sasl_start(vs, data, len, serverout, serveroutlen, err); 357 if (err != SASL_OK && 358 err != SASL_CONTINUE) { 359 trace_vnc_auth_fail(vs, vs->auth, "Cannot start SASL auth", 360 sasl_errdetail(vs->sasl.conn)); 361 sasl_dispose(&vs->sasl.conn); 362 vs->sasl.conn = NULL; 363 goto authabort; 364 } 365 if (serveroutlen > SASL_DATA_MAX_LEN) { 366 trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", ""); 367 sasl_dispose(&vs->sasl.conn); 368 vs->sasl.conn = NULL; 369 goto authabort; 370 } 371 372 if (serveroutlen) { 373 vnc_write_u32(vs, serveroutlen + 1); 374 vnc_write(vs, serverout, serveroutlen + 1); 375 } else { 376 vnc_write_u32(vs, 0); 377 } 378 379 /* Whether auth is complete */ 380 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1); 381 382 if (err == SASL_CONTINUE) { 383 /* Wait for step length */ 384 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4); 385 } else { 386 if (!vnc_auth_sasl_check_ssf(vs)) { 387 trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", ""); 388 goto authreject; 389 } 390 391 /* Check username whitelist ACL */ 392 if (vnc_auth_sasl_check_access(vs) < 0) { 393 goto authreject; 394 } 395 396 trace_vnc_auth_pass(vs, vs->auth); 397 vnc_write_u32(vs, 0); /* Accept auth */ 398 start_client_init(vs); 399 } 400 401 return 0; 402 403 authreject: 404 vnc_write_u32(vs, 1); /* Reject auth */ 405 vnc_write_u32(vs, sizeof("Authentication failed")); 406 vnc_write(vs, "Authentication failed", sizeof("Authentication failed")); 407 vnc_flush(vs); 408 vnc_client_error(vs); 409 return -1; 410 411 authabort: 412 vnc_client_error(vs); 413 return -1; 414 } 415 416 static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len) 417 { 418 uint32_t startlen = read_u32(data, 0); 419 420 if (startlen > SASL_DATA_MAX_LEN) { 421 trace_vnc_auth_fail(vs, vs->auth, "SASL start len too large", ""); 422 vnc_client_error(vs); 423 return -1; 424 } 425 426 if (startlen == 0) 427 return protocol_client_auth_sasl_start(vs, NULL, 0); 428 429 vnc_read_when(vs, protocol_client_auth_sasl_start, startlen); 430 return 0; 431 } 432 433 static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len) 434 { 435 char *mechname = g_strndup((const char *) data, len); 436 trace_vnc_auth_sasl_mech_choose(vs, mechname); 437 438 if (strncmp(vs->sasl.mechlist, mechname, len) == 0) { 439 if (vs->sasl.mechlist[len] != '\0' && 440 vs->sasl.mechlist[len] != ',') { 441 goto fail; 442 } 443 } else { 444 char *offset = strstr(vs->sasl.mechlist, mechname); 445 if (!offset) { 446 goto fail; 447 } 448 if (offset[-1] != ',' || 449 (offset[len] != '\0'&& 450 offset[len] != ',')) { 451 goto fail; 452 } 453 } 454 455 g_free(vs->sasl.mechlist); 456 vs->sasl.mechlist = mechname; 457 458 vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4); 459 return 0; 460 461 fail: 462 trace_vnc_auth_fail(vs, vs->auth, "Unsupported mechname", mechname); 463 vnc_client_error(vs); 464 g_free(mechname); 465 return -1; 466 } 467 468 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len) 469 { 470 uint32_t mechlen = read_u32(data, 0); 471 472 if (mechlen > 100) { 473 trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too long", ""); 474 vnc_client_error(vs); 475 return -1; 476 } 477 if (mechlen < 1) { 478 trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too short", ""); 479 vnc_client_error(vs); 480 return -1; 481 } 482 vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen); 483 return 0; 484 } 485 486 static char * 487 vnc_socket_ip_addr_string(QIOChannelSocket *ioc, 488 bool local, 489 Error **errp) 490 { 491 SocketAddress *addr; 492 char *ret; 493 494 if (local) { 495 addr = qio_channel_socket_get_local_address(ioc, errp); 496 } else { 497 addr = qio_channel_socket_get_remote_address(ioc, errp); 498 } 499 if (!addr) { 500 return NULL; 501 } 502 503 if (addr->type != SOCKET_ADDRESS_TYPE_INET) { 504 error_setg(errp, "Not an inet socket type"); 505 return NULL; 506 } 507 ret = g_strdup_printf("%s;%s", addr->u.inet.host, addr->u.inet.port); 508 qapi_free_SocketAddress(addr); 509 return ret; 510 } 511 512 void start_auth_sasl(VncState *vs) 513 { 514 const char *mechlist = NULL; 515 sasl_security_properties_t secprops; 516 int err; 517 Error *local_err = NULL; 518 char *localAddr, *remoteAddr; 519 int mechlistlen; 520 521 /* Get local & remote client addresses in form IPADDR;PORT */ 522 localAddr = vnc_socket_ip_addr_string(vs->sioc, true, &local_err); 523 if (!localAddr) { 524 trace_vnc_auth_fail(vs, vs->auth, "Cannot format local IP", 525 error_get_pretty(local_err)); 526 goto authabort; 527 } 528 529 remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, &local_err); 530 if (!remoteAddr) { 531 trace_vnc_auth_fail(vs, vs->auth, "Cannot format remote IP", 532 error_get_pretty(local_err)); 533 g_free(localAddr); 534 goto authabort; 535 } 536 537 err = sasl_server_new("vnc", 538 NULL, /* FQDN - just delegates to gethostname */ 539 NULL, /* User realm */ 540 localAddr, 541 remoteAddr, 542 NULL, /* Callbacks, not needed */ 543 SASL_SUCCESS_DATA, 544 &vs->sasl.conn); 545 g_free(localAddr); 546 g_free(remoteAddr); 547 localAddr = remoteAddr = NULL; 548 549 if (err != SASL_OK) { 550 trace_vnc_auth_fail(vs, vs->auth, "SASL context setup failed", 551 sasl_errstring(err, NULL, NULL)); 552 vs->sasl.conn = NULL; 553 goto authabort; 554 } 555 556 /* Inform SASL that we've got an external SSF layer from TLS/x509 */ 557 if (vs->auth == VNC_AUTH_VENCRYPT && 558 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) { 559 Error *local_err = NULL; 560 int keysize; 561 sasl_ssf_t ssf; 562 563 keysize = qcrypto_tls_session_get_key_size(vs->tls, 564 &local_err); 565 if (keysize < 0) { 566 trace_vnc_auth_fail(vs, vs->auth, "cannot TLS get cipher size", 567 error_get_pretty(local_err)); 568 error_free(local_err); 569 sasl_dispose(&vs->sasl.conn); 570 vs->sasl.conn = NULL; 571 goto authabort; 572 } 573 ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */ 574 575 err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf); 576 if (err != SASL_OK) { 577 trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL external SSF", 578 sasl_errstring(err, NULL, NULL)); 579 sasl_dispose(&vs->sasl.conn); 580 vs->sasl.conn = NULL; 581 goto authabort; 582 } 583 } else { 584 vs->sasl.wantSSF = 1; 585 } 586 587 memset (&secprops, 0, sizeof secprops); 588 /* Inform SASL that we've got an external SSF layer from TLS. 589 * 590 * Disable SSF, if using TLS+x509+SASL only. TLS without x509 591 * is not sufficiently strong 592 */ 593 if (vs->vd->is_unix || 594 (vs->auth == VNC_AUTH_VENCRYPT && 595 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) { 596 /* If we've got TLS or UNIX domain sock, we don't care about SSF */ 597 secprops.min_ssf = 0; 598 secprops.max_ssf = 0; 599 secprops.maxbufsize = 8192; 600 secprops.security_flags = 0; 601 } else { 602 /* Plain TCP, better get an SSF layer */ 603 secprops.min_ssf = 56; /* Good enough to require kerberos */ 604 secprops.max_ssf = 100000; /* Arbitrary big number */ 605 secprops.maxbufsize = 8192; 606 /* Forbid any anonymous or trivially crackable auth */ 607 secprops.security_flags = 608 SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT; 609 } 610 611 err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops); 612 if (err != SASL_OK) { 613 trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL security props", 614 sasl_errstring(err, NULL, NULL)); 615 sasl_dispose(&vs->sasl.conn); 616 vs->sasl.conn = NULL; 617 goto authabort; 618 } 619 620 err = sasl_listmech(vs->sasl.conn, 621 NULL, /* Don't need to set user */ 622 "", /* Prefix */ 623 ",", /* Separator */ 624 "", /* Suffix */ 625 &mechlist, 626 NULL, 627 NULL); 628 if (err != SASL_OK) { 629 trace_vnc_auth_fail(vs, vs->auth, "cannot list SASL mechanisms", 630 sasl_errdetail(vs->sasl.conn)); 631 sasl_dispose(&vs->sasl.conn); 632 vs->sasl.conn = NULL; 633 goto authabort; 634 } 635 trace_vnc_auth_sasl_mech_list(vs, mechlist); 636 637 vs->sasl.mechlist = g_strdup(mechlist); 638 mechlistlen = strlen(mechlist); 639 vnc_write_u32(vs, mechlistlen); 640 vnc_write(vs, mechlist, mechlistlen); 641 vnc_flush(vs); 642 643 vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4); 644 645 return; 646 647 authabort: 648 error_free(local_err); 649 vnc_client_error(vs); 650 } 651 652 653