ui/vnc-auth-sasl.c

   1 /*
   2  * QEMU VNC display driver: SASL auth protocol
   3  *
   4  * Copyright (C) 2009 Red Hat, Inc
   5  *
   6  * Permission is hereby granted, free of charge, to any person obtaining a copy
   7  * of this software and associated documentation files (the "Software"), to deal
   8  * in the Software without restriction, including without limitation the rights
   9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10  * copies of the Software, and to permit persons to whom the Software is
  11  * furnished to do so, subject to the following conditions:
  12  *
  13  * The above copyright notice and this permission notice shall be included in
  14  * all copies or substantial portions of the Software.
  15  *
  16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22  * THE SOFTWARE.
  23  */
  24
  25 #include "qemu/osdep.h"
  26 #include "qapi/error.h"
  27 #include "vnc.h"
  28 #include "trace.h"
  29
  30 /* Max amount of data we send/recv for SASL steps to prevent DOS */
  31 #define SASL_DATA_MAX_LEN (1024 * 1024)
  32
  33
  34 void vnc_sasl_client_cleanup(VncState *vs)
  35 {
  36     if (vs->sasl.conn) {
  37         vs->sasl.runSSF = false;
  38         vs->sasl.wantSSF = false;
  39         vs->sasl.waitWriteSSF = 0;
  40         vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;
  41         vs->sasl.encoded = NULL;
  42         g_free(vs->sasl.username);
  43         g_free(vs->sasl.mechlist);
  44         vs->sasl.username = vs->sasl.mechlist = NULL;
  45         sasl_dispose(&vs->sasl.conn);
  46         vs->sasl.conn = NULL;
  47     }
  48 }
  49
  50
  51 long vnc_client_write_sasl(VncState *vs)
  52 {
  53     long ret;
  54
  55     VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
  56               "Encoded: %p size %d offset %d\n",
  57               vs->output.buffer, vs->output.capacity, vs->output.offset,
  58               vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);
  59
  60     if (!vs->sasl.encoded) {
  61         int err;
  62         err = sasl_encode(vs->sasl.conn,
  63                           (char *)vs->output.buffer,
  64                           vs->output.offset,
  65                           (const char **)&vs->sasl.encoded,
  66                           &vs->sasl.encodedLength);
  67         if (err != SASL_OK)
  68             return vnc_client_io_error(vs, -1, NULL);
  69
  70         vs->sasl.encodedOffset = 0;
  71     }
  72
  73     ret = vnc_client_write_buf(vs,
  74                                vs->sasl.encoded + vs->sasl.encodedOffset,
  75                                vs->sasl.encodedLength - vs->sasl.encodedOffset);
  76     if (!ret)
  77         return 0;
  78
  79     vs->sasl.encodedOffset += ret;
  80     if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {
  81         vs->output.offset = 0;
  82         vs->sasl.encoded = NULL;
  83         vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;
  84     }
  85
  86     /* Can't merge this block with one above, because
  87      * someone might have written more unencrypted
  88      * data in vs->output while we were processing
  89      * SASL encoded output
  90      */
  91     if (vs->output.offset == 0) {
  92         if (vs->ioc_tag) {
  93             g_source_remove(vs->ioc_tag);
  94         }
  95         vs->ioc_tag = qio_channel_add_watch(
  96             vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
  97     }
  98
  99     return ret;
 100 }
 101
 102
 103 long vnc_client_read_sasl(VncState *vs)
 104 {
 105     long ret;
 106     uint8_t encoded[4096];
 107     const char *decoded;
 108     unsigned int decodedLen;
 109     int err;
 110
 111     ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));
 112     if (!ret)
 113         return 0;
 114
 115     err = sasl_decode(vs->sasl.conn,
 116                       (char *)encoded, ret,
 117                       &decoded, &decodedLen);
 118
 119     if (err != SASL_OK)
 120         return vnc_client_io_error(vs, -1, NULL);
 121     VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
 122               encoded, ret, decoded, decodedLen);
 123     buffer_reserve(&vs->input, decodedLen);
 124     buffer_append(&vs->input, decoded, decodedLen);
 125     return decodedLen;
 126 }
 127
 128
 129 static int vnc_auth_sasl_check_access(VncState *vs)
 130 {
 131     const void *val;
 132     int err;
 133     int allow;
 134
 135     err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
 136     if (err != SASL_OK) {
 137         trace_vnc_auth_fail(vs, vs->auth, "Cannot fetch SASL username",
 138                             sasl_errstring(err, NULL, NULL));
 139         return -1;
 140     }
 141     if (val == NULL) {
 142         trace_vnc_auth_fail(vs, vs->auth, "No SASL username set", "");
 143         return -1;
 144     }
 145
 146     vs->sasl.username = g_strdup((const char*)val);
 147     trace_vnc_auth_sasl_username(vs, vs->sasl.username);
 148
 149     if (vs->vd->sasl.acl == NULL) {
 150         trace_vnc_auth_sasl_acl(vs, 1);
 151         return 0;
 152     }
 153
 154     allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
 155
 156     trace_vnc_auth_sasl_acl(vs, allow);
 157     return allow ? 0 : -1;
 158 }
 159
 160 static int vnc_auth_sasl_check_ssf(VncState *vs)
 161 {
 162     const void *val;
 163     int err, ssf;
 164
 165     if (!vs->sasl.wantSSF)
 166         return 1;
 167
 168     err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val);
 169     if (err != SASL_OK)
 170         return 0;
 171
 172     ssf = *(const int *)val;
 173
 174     trace_vnc_auth_sasl_ssf(vs, ssf);
 175
 176     if (ssf < 56)
 177         return 0; /* 56 is good for Kerberos */
 178
 179     /* Only setup for read initially, because we're about to send an RPC
 180      * reply which must be in plain text. When the next incoming RPC
 181      * arrives, we'll switch on writes too
 182      *
 183      * cf qemudClientReadSASL  in qemud.c
 184      */
 185     vs->sasl.runSSF = 1;
 186
 187     /* We have a SSF that's good enough */
 188     return 1;
 189 }
 190
 191 /*
 192  * Step Msg
 193  *
 194  * Input from client:
 195  *
 196  * u32 clientin-length
 197  * u8-array clientin-string
 198  *
 199  * Output to client:
 200  *
 201  * u32 serverout-length
 202  * u8-array serverout-strin
 203  * u8 continue
 204  */
 205
 206 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);
 207
 208 static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)
 209 {
 210     uint32_t datalen = len;
 211     const char *serverout;
 212     unsigned int serveroutlen;
 213     int err;
 214     char *clientdata = NULL;
 215
 216     /* NB, distinction of NULL vs "" is *critical* in SASL */
 217     if (datalen) {
 218         clientdata = (char*)data;
 219         clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */
 220         datalen--; /* Don't count NULL byte when passing to _start() */
 221     }
 222
 223     err = sasl_server_step(vs->sasl.conn,
 224                            clientdata,
 225                            datalen,
 226                            &serverout,
 227                            &serveroutlen);
 228     trace_vnc_auth_sasl_step(vs, data, len, serverout, serveroutlen, err);
 229     if (err != SASL_OK &&
 230         err != SASL_CONTINUE) {
 231         trace_vnc_auth_fail(vs, vs->auth, "Cannot step SASL auth",
 232                             sasl_errdetail(vs->sasl.conn));
 233         sasl_dispose(&vs->sasl.conn);
 234         vs->sasl.conn = NULL;
 235         goto authabort;
 236     }
 237
 238     if (serveroutlen > SASL_DATA_MAX_LEN) {
 239         trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
 240         sasl_dispose(&vs->sasl.conn);
 241         vs->sasl.conn = NULL;
 242         goto authabort;
 243     }
 244
 245     if (serveroutlen) {
 246         vnc_write_u32(vs, serveroutlen + 1);
 247         vnc_write(vs, serverout, serveroutlen + 1);
 248     } else {
 249         vnc_write_u32(vs, 0);
 250     }
 251
 252     /* Whether auth is complete */
 253     vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
 254
 255     if (err == SASL_CONTINUE) {
 256         /* Wait for step length */
 257         vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
 258     } else {
 259         if (!vnc_auth_sasl_check_ssf(vs)) {
 260             trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
 261             goto authreject;
 262         }
 263
 264         /* Check username whitelist ACL */
 265         if (vnc_auth_sasl_check_access(vs) < 0) {
 266             goto authreject;
 267         }
 268
 269         trace_vnc_auth_pass(vs, vs->auth);
 270         vnc_write_u32(vs, 0); /* Accept auth */
 271         /*
 272          * Delay writing in SSF encoded mode until pending output
 273          * buffer is written
 274          */
 275         if (vs->sasl.runSSF)
 276             vs->sasl.waitWriteSSF = vs->output.offset;
 277         start_client_init(vs);
 278     }
 279
 280     return 0;
 281
 282  authreject:
 283     vnc_write_u32(vs, 1); /* Reject auth */
 284     vnc_write_u32(vs, sizeof("Authentication failed"));
 285     vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
 286     vnc_flush(vs);
 287     vnc_client_error(vs);
 288     return -1;
 289
 290  authabort:
 291     vnc_client_error(vs);
 292     return -1;
 293 }
 294
 295 static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
 296 {
 297     uint32_t steplen = read_u32(data, 0);
 298
 299     if (steplen > SASL_DATA_MAX_LEN) {
 300         trace_vnc_auth_fail(vs, vs->auth, "SASL step len too large", "");
 301         vnc_client_error(vs);
 302         return -1;
 303     }
 304
 305     if (steplen == 0)
 306         return protocol_client_auth_sasl_step(vs, NULL, 0);
 307     else
 308         vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);
 309     return 0;
 310 }
 311
 312 /*
 313  * Start Msg
 314  *
 315  * Input from client:
 316  *
 317  * u32 clientin-length
 318  * u8-array clientin-string
 319  *
 320  * Output to client:
 321  *
 322  * u32 serverout-length
 323  * u8-array serverout-strin
 324  * u8 continue
 325  */
 326
 327 #define SASL_DATA_MAX_LEN (1024 * 1024)
 328
 329 static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)
 330 {
 331     uint32_t datalen = len;
 332     const char *serverout;
 333     unsigned int serveroutlen;
 334     int err;
 335     char *clientdata = NULL;
 336
 337     /* NB, distinction of NULL vs "" is *critical* in SASL */
 338     if (datalen) {
 339         clientdata = (char*)data;
 340         clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */
 341         datalen--; /* Don't count NULL byte when passing to _start() */
 342     }
 343
 344     err = sasl_server_start(vs->sasl.conn,
 345                             vs->sasl.mechlist,
 346                             clientdata,
 347                             datalen,
 348                             &serverout,
 349                             &serveroutlen);
 350     trace_vnc_auth_sasl_start(vs, data, len, serverout, serveroutlen, err);
 351     if (err != SASL_OK &&
 352         err != SASL_CONTINUE) {
 353         trace_vnc_auth_fail(vs, vs->auth, "Cannot start SASL auth",
 354                             sasl_errdetail(vs->sasl.conn));
 355         sasl_dispose(&vs->sasl.conn);
 356         vs->sasl.conn = NULL;
 357         goto authabort;
 358     }
 359     if (serveroutlen > SASL_DATA_MAX_LEN) {
 360         trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
 361         sasl_dispose(&vs->sasl.conn);
 362         vs->sasl.conn = NULL;
 363         goto authabort;
 364     }
 365
 366     if (serveroutlen) {
 367         vnc_write_u32(vs, serveroutlen + 1);
 368         vnc_write(vs, serverout, serveroutlen + 1);
 369     } else {
 370         vnc_write_u32(vs, 0);
 371     }
 372
 373     /* Whether auth is complete */
 374     vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
 375
 376     if (err == SASL_CONTINUE) {
 377         /* Wait for step length */
 378         vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
 379     } else {
 380         if (!vnc_auth_sasl_check_ssf(vs)) {
 381             trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
 382             goto authreject;
 383         }
 384
 385         /* Check username whitelist ACL */
 386         if (vnc_auth_sasl_check_access(vs) < 0) {
 387             goto authreject;
 388         }
 389
 390         trace_vnc_auth_pass(vs, vs->auth);
 391         vnc_write_u32(vs, 0); /* Accept auth */
 392         start_client_init(vs);
 393     }
 394
 395     return 0;
 396
 397  authreject:
 398     vnc_write_u32(vs, 1); /* Reject auth */
 399     vnc_write_u32(vs, sizeof("Authentication failed"));
 400     vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
 401     vnc_flush(vs);
 402     vnc_client_error(vs);
 403     return -1;
 404
 405  authabort:
 406     vnc_client_error(vs);
 407     return -1;
 408 }
 409
 410 static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
 411 {
 412     uint32_t startlen = read_u32(data, 0);
 413
 414     if (startlen > SASL_DATA_MAX_LEN) {
 415         trace_vnc_auth_fail(vs, vs->auth, "SASL start len too large", "");
 416         vnc_client_error(vs);
 417         return -1;
 418     }
 419
 420     if (startlen == 0)
 421         return protocol_client_auth_sasl_start(vs, NULL, 0);
 422
 423     vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);
 424     return 0;
 425 }
 426
 427 static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
 428 {
 429     char *mechname = g_strndup((const char *) data, len);
 430     trace_vnc_auth_sasl_mech_choose(vs, mechname);
 431
 432     if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
 433         if (vs->sasl.mechlist[len] != '\0' &&
 434             vs->sasl.mechlist[len] != ',') {
 435             goto fail;
 436         }
 437     } else {
 438         char *offset = strstr(vs->sasl.mechlist, mechname);
 439         if (!offset) {
 440             goto fail;
 441         }
 442         if (offset[-1] != ',' ||
 443             (offset[len] != '\0'&&
 444              offset[len] != ',')) {
 445             goto fail;
 446         }
 447     }
 448
 449     g_free(vs->sasl.mechlist);
 450     vs->sasl.mechlist = mechname;
 451
 452     vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
 453     return 0;
 454
 455  fail:
 456     trace_vnc_auth_fail(vs, vs->auth, "Unsupported mechname", mechname);
 457     vnc_client_error(vs);
 458     g_free(mechname);
 459     return -1;
 460 }
 461
 462 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
 463 {
 464     uint32_t mechlen = read_u32(data, 0);
 465
 466     if (mechlen > 100) {
 467         trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too long", "");
 468         vnc_client_error(vs);
 469         return -1;
 470     }
 471     if (mechlen < 1) {
 472         trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too short", "");
 473         vnc_client_error(vs);
 474         return -1;
 475     }
 476     vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen);
 477     return 0;
 478 }
 479
 480 static char *
 481 vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
 482                           bool local,
 483                           Error **errp)
 484 {
 485     SocketAddress *addr;
 486     char *ret;
 487
 488     if (local) {
 489         addr = qio_channel_socket_get_local_address(ioc, errp);
 490     } else {
 491         addr = qio_channel_socket_get_remote_address(ioc, errp);
 492     }
 493     if (!addr) {
 494         return NULL;
 495     }
 496
 497     if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
 498         error_setg(errp, "Not an inet socket type");
 499         return NULL;
 500     }
 501     ret = g_strdup_printf("%s;%s", addr->u.inet.host, addr->u.inet.port);
 502     qapi_free_SocketAddress(addr);
 503     return ret;
 504 }
 505
 506 void start_auth_sasl(VncState *vs)
 507 {
 508     const char *mechlist = NULL;
 509     sasl_security_properties_t secprops;
 510     int err;
 511     Error *local_err = NULL;
 512     char *localAddr, *remoteAddr;
 513     int mechlistlen;
 514
 515     /* Get local & remote client addresses in form  IPADDR;PORT */
 516     localAddr = vnc_socket_ip_addr_string(vs->sioc, true, &local_err);
 517     if (!localAddr) {
 518         trace_vnc_auth_fail(vs, vs->auth, "Cannot format local IP",
 519                             error_get_pretty(local_err));
 520         goto authabort;
 521     }
 522
 523     remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, &local_err);
 524     if (!remoteAddr) {
 525         trace_vnc_auth_fail(vs, vs->auth, "Cannot format remote IP",
 526                             error_get_pretty(local_err));
 527         g_free(localAddr);
 528         goto authabort;
 529     }
 530
 531     err = sasl_server_new("vnc",
 532                           NULL, /* FQDN - just delegates to gethostname */
 533                           NULL, /* User realm */
 534                           localAddr,
 535                           remoteAddr,
 536                           NULL, /* Callbacks, not needed */
 537                           SASL_SUCCESS_DATA,
 538                           &vs->sasl.conn);
 539     g_free(localAddr);
 540     g_free(remoteAddr);
 541     localAddr = remoteAddr = NULL;
 542
 543     if (err != SASL_OK) {
 544         trace_vnc_auth_fail(vs, vs->auth,  "SASL context setup failed",
 545                             sasl_errstring(err, NULL, NULL));
 546         vs->sasl.conn = NULL;
 547         goto authabort;
 548     }
 549
 550     /* Inform SASL that we've got an external SSF layer from TLS/x509 */
 551     if (vs->auth == VNC_AUTH_VENCRYPT &&
 552         vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
 553         Error *local_err = NULL;
 554         int keysize;
 555         sasl_ssf_t ssf;
 556
 557         keysize = qcrypto_tls_session_get_key_size(vs->tls,
 558                                                    &local_err);
 559         if (keysize < 0) {
 560             trace_vnc_auth_fail(vs, vs->auth, "cannot TLS get cipher size",
 561                                 error_get_pretty(local_err));
 562             error_free(local_err);
 563             sasl_dispose(&vs->sasl.conn);
 564             vs->sasl.conn = NULL;
 565             goto authabort;
 566         }
 567         ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */
 568
 569         err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf);
 570         if (err != SASL_OK) {
 571             trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL external SSF",
 572                                 sasl_errstring(err, NULL, NULL));
 573             sasl_dispose(&vs->sasl.conn);
 574             vs->sasl.conn = NULL;
 575             goto authabort;
 576         }
 577     } else {
 578         vs->sasl.wantSSF = 1;
 579     }
 580
 581     memset (&secprops, 0, sizeof secprops);
 582     /* Inform SASL that we've got an external SSF layer from TLS.
 583      *
 584      * Disable SSF, if using TLS+x509+SASL only. TLS without x509
 585      * is not sufficiently strong
 586      */
 587     if (vs->vd->is_unix ||
 588         (vs->auth == VNC_AUTH_VENCRYPT &&
 589          vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
 590         /* If we've got TLS or UNIX domain sock, we don't care about SSF */
 591         secprops.min_ssf = 0;
 592         secprops.max_ssf = 0;
 593         secprops.maxbufsize = 8192;
 594         secprops.security_flags = 0;
 595     } else {
 596         /* Plain TCP, better get an SSF layer */
 597         secprops.min_ssf = 56; /* Good enough to require kerberos */
 598         secprops.max_ssf = 100000; /* Arbitrary big number */
 599         secprops.maxbufsize = 8192;
 600         /* Forbid any anonymous or trivially crackable auth */
 601         secprops.security_flags =
 602             SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
 603     }
 604
 605     err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
 606     if (err != SASL_OK) {
 607         trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL security props",
 608                             sasl_errstring(err, NULL, NULL));
 609         sasl_dispose(&vs->sasl.conn);
 610         vs->sasl.conn = NULL;
 611         goto authabort;
 612     }
 613
 614     err = sasl_listmech(vs->sasl.conn,
 615                         NULL, /* Don't need to set user */
 616                         "", /* Prefix */
 617                         ",", /* Separator */
 618                         "", /* Suffix */
 619                         &mechlist,
 620                         NULL,
 621                         NULL);
 622     if (err != SASL_OK) {
 623         trace_vnc_auth_fail(vs, vs->auth, "cannot list SASL mechanisms",
 624                             sasl_errdetail(vs->sasl.conn));
 625         sasl_dispose(&vs->sasl.conn);
 626         vs->sasl.conn = NULL;
 627         goto authabort;
 628     }
 629     trace_vnc_auth_sasl_mech_list(vs, mechlist);
 630
 631     vs->sasl.mechlist = g_strdup(mechlist);
 632     mechlistlen = strlen(mechlist);
 633     vnc_write_u32(vs, mechlistlen);
 634     vnc_write(vs, mechlist, mechlistlen);
 635     vnc_flush(vs);
 636
 637     vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
 638
 639     return;
 640
 641  authabort:
 642     error_free(local_err);
 643     vnc_client_error(vs);
 644 }
 645
 646