s390x/css: attach css bridge
[qemu.git] / ui / vnc-auth-sasl.c
blob23f28280e7c7b8cded396dbe11c3762c19431a9f
1 /*
2 * QEMU VNC display driver: SASL auth protocol
4 * Copyright (C) 2009 Red Hat, Inc
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
25 #include "qemu/osdep.h"
26 #include "qapi/error.h"
27 #include "vnc.h"
28 #include "trace.h"
30 /* Max amount of data we send/recv for SASL steps to prevent DOS */
31 #define SASL_DATA_MAX_LEN (1024 * 1024)
34 void vnc_sasl_client_cleanup(VncState *vs)
36 if (vs->sasl.conn) {
37 vs->sasl.runSSF = false;
38 vs->sasl.wantSSF = false;
39 vs->sasl.waitWriteSSF = 0;
40 vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;
41 vs->sasl.encoded = NULL;
42 g_free(vs->sasl.username);
43 g_free(vs->sasl.mechlist);
44 vs->sasl.username = vs->sasl.mechlist = NULL;
45 sasl_dispose(&vs->sasl.conn);
46 vs->sasl.conn = NULL;
51 long vnc_client_write_sasl(VncState *vs)
53 long ret;
55 VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
56 "Encoded: %p size %d offset %d\n",
57 vs->output.buffer, vs->output.capacity, vs->output.offset,
58 vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);
60 if (!vs->sasl.encoded) {
61 int err;
62 err = sasl_encode(vs->sasl.conn,
63 (char *)vs->output.buffer,
64 vs->output.offset,
65 (const char **)&vs->sasl.encoded,
66 &vs->sasl.encodedLength);
67 if (err != SASL_OK)
68 return vnc_client_io_error(vs, -1, NULL);
70 vs->sasl.encodedOffset = 0;
73 ret = vnc_client_write_buf(vs,
74 vs->sasl.encoded + vs->sasl.encodedOffset,
75 vs->sasl.encodedLength - vs->sasl.encodedOffset);
76 if (!ret)
77 return 0;
79 vs->sasl.encodedOffset += ret;
80 if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {
81 vs->output.offset = 0;
82 vs->sasl.encoded = NULL;
83 vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;
86 /* Can't merge this block with one above, because
87 * someone might have written more unencrypted
88 * data in vs->output while we were processing
89 * SASL encoded output
91 if (vs->output.offset == 0) {
92 if (vs->ioc_tag) {
93 g_source_remove(vs->ioc_tag);
95 vs->ioc_tag = qio_channel_add_watch(
96 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
99 return ret;
103 long vnc_client_read_sasl(VncState *vs)
105 long ret;
106 uint8_t encoded[4096];
107 const char *decoded;
108 unsigned int decodedLen;
109 int err;
111 ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));
112 if (!ret)
113 return 0;
115 err = sasl_decode(vs->sasl.conn,
116 (char *)encoded, ret,
117 &decoded, &decodedLen);
119 if (err != SASL_OK)
120 return vnc_client_io_error(vs, -1, NULL);
121 VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
122 encoded, ret, decoded, decodedLen);
123 buffer_reserve(&vs->input, decodedLen);
124 buffer_append(&vs->input, decoded, decodedLen);
125 return decodedLen;
129 static int vnc_auth_sasl_check_access(VncState *vs)
131 const void *val;
132 int err;
133 int allow;
135 err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
136 if (err != SASL_OK) {
137 trace_vnc_auth_fail(vs, vs->auth, "Cannot fetch SASL username",
138 sasl_errstring(err, NULL, NULL));
139 return -1;
141 if (val == NULL) {
142 trace_vnc_auth_fail(vs, vs->auth, "No SASL username set", "");
143 return -1;
146 vs->sasl.username = g_strdup((const char*)val);
147 trace_vnc_auth_sasl_username(vs, vs->sasl.username);
149 if (vs->vd->sasl.acl == NULL) {
150 trace_vnc_auth_sasl_acl(vs, 1);
151 return 0;
154 allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
156 trace_vnc_auth_sasl_acl(vs, allow);
157 return allow ? 0 : -1;
160 static int vnc_auth_sasl_check_ssf(VncState *vs)
162 const void *val;
163 int err, ssf;
165 if (!vs->sasl.wantSSF)
166 return 1;
168 err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val);
169 if (err != SASL_OK)
170 return 0;
172 ssf = *(const int *)val;
174 trace_vnc_auth_sasl_ssf(vs, ssf);
176 if (ssf < 56)
177 return 0; /* 56 is good for Kerberos */
179 /* Only setup for read initially, because we're about to send an RPC
180 * reply which must be in plain text. When the next incoming RPC
181 * arrives, we'll switch on writes too
183 * cf qemudClientReadSASL in qemud.c
185 vs->sasl.runSSF = 1;
187 /* We have a SSF that's good enough */
188 return 1;
192 * Step Msg
194 * Input from client:
196 * u32 clientin-length
197 * u8-array clientin-string
199 * Output to client:
201 * u32 serverout-length
202 * u8-array serverout-strin
203 * u8 continue
206 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);
208 static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)
210 uint32_t datalen = len;
211 const char *serverout;
212 unsigned int serveroutlen;
213 int err;
214 char *clientdata = NULL;
216 /* NB, distinction of NULL vs "" is *critical* in SASL */
217 if (datalen) {
218 clientdata = (char*)data;
219 clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */
220 datalen--; /* Don't count NULL byte when passing to _start() */
223 err = sasl_server_step(vs->sasl.conn,
224 clientdata,
225 datalen,
226 &serverout,
227 &serveroutlen);
228 trace_vnc_auth_sasl_step(vs, data, len, serverout, serveroutlen, err);
229 if (err != SASL_OK &&
230 err != SASL_CONTINUE) {
231 trace_vnc_auth_fail(vs, vs->auth, "Cannot step SASL auth",
232 sasl_errdetail(vs->sasl.conn));
233 sasl_dispose(&vs->sasl.conn);
234 vs->sasl.conn = NULL;
235 goto authabort;
238 if (serveroutlen > SASL_DATA_MAX_LEN) {
239 trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
240 sasl_dispose(&vs->sasl.conn);
241 vs->sasl.conn = NULL;
242 goto authabort;
245 if (serveroutlen) {
246 vnc_write_u32(vs, serveroutlen + 1);
247 vnc_write(vs, serverout, serveroutlen + 1);
248 } else {
249 vnc_write_u32(vs, 0);
252 /* Whether auth is complete */
253 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
255 if (err == SASL_CONTINUE) {
256 /* Wait for step length */
257 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
258 } else {
259 if (!vnc_auth_sasl_check_ssf(vs)) {
260 trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
261 goto authreject;
264 /* Check username whitelist ACL */
265 if (vnc_auth_sasl_check_access(vs) < 0) {
266 goto authreject;
269 trace_vnc_auth_pass(vs, vs->auth);
270 vnc_write_u32(vs, 0); /* Accept auth */
272 * Delay writing in SSF encoded mode until pending output
273 * buffer is written
275 if (vs->sasl.runSSF)
276 vs->sasl.waitWriteSSF = vs->output.offset;
277 start_client_init(vs);
280 return 0;
282 authreject:
283 vnc_write_u32(vs, 1); /* Reject auth */
284 vnc_write_u32(vs, sizeof("Authentication failed"));
285 vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
286 vnc_flush(vs);
287 vnc_client_error(vs);
288 return -1;
290 authabort:
291 vnc_client_error(vs);
292 return -1;
295 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
297 uint32_t steplen = read_u32(data, 0);
299 if (steplen > SASL_DATA_MAX_LEN) {
300 trace_vnc_auth_fail(vs, vs->auth, "SASL step len too large", "");
301 vnc_client_error(vs);
302 return -1;
305 if (steplen == 0)
306 return protocol_client_auth_sasl_step(vs, NULL, 0);
307 else
308 vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);
309 return 0;
313 * Start Msg
315 * Input from client:
317 * u32 clientin-length
318 * u8-array clientin-string
320 * Output to client:
322 * u32 serverout-length
323 * u8-array serverout-strin
324 * u8 continue
327 #define SASL_DATA_MAX_LEN (1024 * 1024)
329 static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)
331 uint32_t datalen = len;
332 const char *serverout;
333 unsigned int serveroutlen;
334 int err;
335 char *clientdata = NULL;
337 /* NB, distinction of NULL vs "" is *critical* in SASL */
338 if (datalen) {
339 clientdata = (char*)data;
340 clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */
341 datalen--; /* Don't count NULL byte when passing to _start() */
344 err = sasl_server_start(vs->sasl.conn,
345 vs->sasl.mechlist,
346 clientdata,
347 datalen,
348 &serverout,
349 &serveroutlen);
350 trace_vnc_auth_sasl_start(vs, data, len, serverout, serveroutlen, err);
351 if (err != SASL_OK &&
352 err != SASL_CONTINUE) {
353 trace_vnc_auth_fail(vs, vs->auth, "Cannot start SASL auth",
354 sasl_errdetail(vs->sasl.conn));
355 sasl_dispose(&vs->sasl.conn);
356 vs->sasl.conn = NULL;
357 goto authabort;
359 if (serveroutlen > SASL_DATA_MAX_LEN) {
360 trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
361 sasl_dispose(&vs->sasl.conn);
362 vs->sasl.conn = NULL;
363 goto authabort;
366 if (serveroutlen) {
367 vnc_write_u32(vs, serveroutlen + 1);
368 vnc_write(vs, serverout, serveroutlen + 1);
369 } else {
370 vnc_write_u32(vs, 0);
373 /* Whether auth is complete */
374 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
376 if (err == SASL_CONTINUE) {
377 /* Wait for step length */
378 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
379 } else {
380 if (!vnc_auth_sasl_check_ssf(vs)) {
381 trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
382 goto authreject;
385 /* Check username whitelist ACL */
386 if (vnc_auth_sasl_check_access(vs) < 0) {
387 goto authreject;
390 trace_vnc_auth_pass(vs, vs->auth);
391 vnc_write_u32(vs, 0); /* Accept auth */
392 start_client_init(vs);
395 return 0;
397 authreject:
398 vnc_write_u32(vs, 1); /* Reject auth */
399 vnc_write_u32(vs, sizeof("Authentication failed"));
400 vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
401 vnc_flush(vs);
402 vnc_client_error(vs);
403 return -1;
405 authabort:
406 vnc_client_error(vs);
407 return -1;
410 static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
412 uint32_t startlen = read_u32(data, 0);
414 if (startlen > SASL_DATA_MAX_LEN) {
415 trace_vnc_auth_fail(vs, vs->auth, "SASL start len too large", "");
416 vnc_client_error(vs);
417 return -1;
420 if (startlen == 0)
421 return protocol_client_auth_sasl_start(vs, NULL, 0);
423 vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);
424 return 0;
427 static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
429 char *mechname = g_strndup((const char *) data, len);
430 trace_vnc_auth_sasl_mech_choose(vs, mechname);
432 if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
433 if (vs->sasl.mechlist[len] != '\0' &&
434 vs->sasl.mechlist[len] != ',') {
435 goto fail;
437 } else {
438 char *offset = strstr(vs->sasl.mechlist, mechname);
439 if (!offset) {
440 goto fail;
442 if (offset[-1] != ',' ||
443 (offset[len] != '\0'&&
444 offset[len] != ',')) {
445 goto fail;
449 g_free(vs->sasl.mechlist);
450 vs->sasl.mechlist = mechname;
452 vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
453 return 0;
455 fail:
456 trace_vnc_auth_fail(vs, vs->auth, "Unsupported mechname", mechname);
457 vnc_client_error(vs);
458 g_free(mechname);
459 return -1;
462 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
464 uint32_t mechlen = read_u32(data, 0);
466 if (mechlen > 100) {
467 trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too long", "");
468 vnc_client_error(vs);
469 return -1;
471 if (mechlen < 1) {
472 trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too short", "");
473 vnc_client_error(vs);
474 return -1;
476 vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen);
477 return 0;
480 static char *
481 vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
482 bool local,
483 Error **errp)
485 SocketAddress *addr;
486 char *ret;
488 if (local) {
489 addr = qio_channel_socket_get_local_address(ioc, errp);
490 } else {
491 addr = qio_channel_socket_get_remote_address(ioc, errp);
493 if (!addr) {
494 return NULL;
497 if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
498 error_setg(errp, "Not an inet socket type");
499 return NULL;
501 ret = g_strdup_printf("%s;%s", addr->u.inet.host, addr->u.inet.port);
502 qapi_free_SocketAddress(addr);
503 return ret;
506 void start_auth_sasl(VncState *vs)
508 const char *mechlist = NULL;
509 sasl_security_properties_t secprops;
510 int err;
511 Error *local_err = NULL;
512 char *localAddr, *remoteAddr;
513 int mechlistlen;
515 /* Get local & remote client addresses in form IPADDR;PORT */
516 localAddr = vnc_socket_ip_addr_string(vs->sioc, true, &local_err);
517 if (!localAddr) {
518 trace_vnc_auth_fail(vs, vs->auth, "Cannot format local IP",
519 error_get_pretty(local_err));
520 goto authabort;
523 remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, &local_err);
524 if (!remoteAddr) {
525 trace_vnc_auth_fail(vs, vs->auth, "Cannot format remote IP",
526 error_get_pretty(local_err));
527 g_free(localAddr);
528 goto authabort;
531 err = sasl_server_new("vnc",
532 NULL, /* FQDN - just delegates to gethostname */
533 NULL, /* User realm */
534 localAddr,
535 remoteAddr,
536 NULL, /* Callbacks, not needed */
537 SASL_SUCCESS_DATA,
538 &vs->sasl.conn);
539 g_free(localAddr);
540 g_free(remoteAddr);
541 localAddr = remoteAddr = NULL;
543 if (err != SASL_OK) {
544 trace_vnc_auth_fail(vs, vs->auth, "SASL context setup failed",
545 sasl_errstring(err, NULL, NULL));
546 vs->sasl.conn = NULL;
547 goto authabort;
550 /* Inform SASL that we've got an external SSF layer from TLS/x509 */
551 if (vs->auth == VNC_AUTH_VENCRYPT &&
552 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
553 Error *local_err = NULL;
554 int keysize;
555 sasl_ssf_t ssf;
557 keysize = qcrypto_tls_session_get_key_size(vs->tls,
558 &local_err);
559 if (keysize < 0) {
560 trace_vnc_auth_fail(vs, vs->auth, "cannot TLS get cipher size",
561 error_get_pretty(local_err));
562 error_free(local_err);
563 sasl_dispose(&vs->sasl.conn);
564 vs->sasl.conn = NULL;
565 goto authabort;
567 ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */
569 err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf);
570 if (err != SASL_OK) {
571 trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL external SSF",
572 sasl_errstring(err, NULL, NULL));
573 sasl_dispose(&vs->sasl.conn);
574 vs->sasl.conn = NULL;
575 goto authabort;
577 } else {
578 vs->sasl.wantSSF = 1;
581 memset (&secprops, 0, sizeof secprops);
582 /* Inform SASL that we've got an external SSF layer from TLS.
584 * Disable SSF, if using TLS+x509+SASL only. TLS without x509
585 * is not sufficiently strong
587 if (vs->vd->is_unix ||
588 (vs->auth == VNC_AUTH_VENCRYPT &&
589 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
590 /* If we've got TLS or UNIX domain sock, we don't care about SSF */
591 secprops.min_ssf = 0;
592 secprops.max_ssf = 0;
593 secprops.maxbufsize = 8192;
594 secprops.security_flags = 0;
595 } else {
596 /* Plain TCP, better get an SSF layer */
597 secprops.min_ssf = 56; /* Good enough to require kerberos */
598 secprops.max_ssf = 100000; /* Arbitrary big number */
599 secprops.maxbufsize = 8192;
600 /* Forbid any anonymous or trivially crackable auth */
601 secprops.security_flags =
602 SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
605 err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
606 if (err != SASL_OK) {
607 trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL security props",
608 sasl_errstring(err, NULL, NULL));
609 sasl_dispose(&vs->sasl.conn);
610 vs->sasl.conn = NULL;
611 goto authabort;
614 err = sasl_listmech(vs->sasl.conn,
615 NULL, /* Don't need to set user */
616 "", /* Prefix */
617 ",", /* Separator */
618 "", /* Suffix */
619 &mechlist,
620 NULL,
621 NULL);
622 if (err != SASL_OK) {
623 trace_vnc_auth_fail(vs, vs->auth, "cannot list SASL mechanisms",
624 sasl_errdetail(vs->sasl.conn));
625 sasl_dispose(&vs->sasl.conn);
626 vs->sasl.conn = NULL;
627 goto authabort;
629 trace_vnc_auth_sasl_mech_list(vs, mechlist);
631 vs->sasl.mechlist = g_strdup(mechlist);
632 mechlistlen = strlen(mechlist);
633 vnc_write_u32(vs, mechlistlen);
634 vnc_write(vs, mechlist, mechlistlen);
635 vnc_flush(vs);
637 vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
639 return;
641 authabort:
642 error_free(local_err);
643 vnc_client_error(vs);