2 * QEMU VNC display driver: SASL auth protocol
4 * Copyright (C) 2009 Red Hat, Inc
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
25 #include "qemu/osdep.h"
26 #include "qapi/error.h"
27 #include "authz/base.h"
31 /* Max amount of data we send/recv for SASL steps to prevent DOS */
32 #define SASL_DATA_MAX_LEN (1024 * 1024)
35 void vnc_sasl_client_cleanup(VncState
*vs
)
38 vs
->sasl
.runSSF
= false;
39 vs
->sasl
.wantSSF
= false;
40 vs
->sasl
.waitWriteSSF
= 0;
41 vs
->sasl
.encodedLength
= vs
->sasl
.encodedOffset
= 0;
42 vs
->sasl
.encoded
= NULL
;
43 g_free(vs
->sasl
.username
);
44 g_free(vs
->sasl
.mechlist
);
45 vs
->sasl
.username
= vs
->sasl
.mechlist
= NULL
;
46 sasl_dispose(&vs
->sasl
.conn
);
52 size_t vnc_client_write_sasl(VncState
*vs
)
56 VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
57 "Encoded: %p size %d offset %d\n",
58 vs
->output
.buffer
, vs
->output
.capacity
, vs
->output
.offset
,
59 vs
->sasl
.encoded
, vs
->sasl
.encodedLength
, vs
->sasl
.encodedOffset
);
61 if (!vs
->sasl
.encoded
) {
63 err
= sasl_encode(vs
->sasl
.conn
,
64 (char *)vs
->output
.buffer
,
66 (const char **)&vs
->sasl
.encoded
,
67 &vs
->sasl
.encodedLength
);
69 return vnc_client_io_error(vs
, -1, NULL
);
71 vs
->sasl
.encodedRawLength
= vs
->output
.offset
;
72 vs
->sasl
.encodedOffset
= 0;
75 ret
= vnc_client_write_buf(vs
,
76 vs
->sasl
.encoded
+ vs
->sasl
.encodedOffset
,
77 vs
->sasl
.encodedLength
- vs
->sasl
.encodedOffset
);
81 vs
->sasl
.encodedOffset
+= ret
;
82 if (vs
->sasl
.encodedOffset
== vs
->sasl
.encodedLength
) {
83 bool throttled
= vs
->force_update_offset
!= 0;
85 if (vs
->sasl
.encodedRawLength
>= vs
->force_update_offset
) {
86 vs
->force_update_offset
= 0;
88 vs
->force_update_offset
-= vs
->sasl
.encodedRawLength
;
90 if (throttled
&& vs
->force_update_offset
== 0) {
91 trace_vnc_client_unthrottle_forced(vs
, vs
->ioc
);
93 offset
= vs
->output
.offset
;
94 buffer_advance(&vs
->output
, vs
->sasl
.encodedRawLength
);
95 if (offset
>= vs
->throttle_output_offset
&&
96 vs
->output
.offset
< vs
->throttle_output_offset
) {
97 trace_vnc_client_unthrottle_incremental(vs
, vs
->ioc
,
100 vs
->sasl
.encoded
= NULL
;
101 vs
->sasl
.encodedOffset
= vs
->sasl
.encodedLength
= 0;
104 /* Can't merge this block with one above, because
105 * someone might have written more unencrypted
106 * data in vs->output while we were processing
107 * SASL encoded output
109 if (vs
->output
.offset
== 0) {
111 g_source_remove(vs
->ioc_tag
);
113 vs
->ioc_tag
= qio_channel_add_watch(
114 vs
->ioc
, G_IO_IN
, vnc_client_io
, vs
, NULL
);
121 size_t vnc_client_read_sasl(VncState
*vs
)
124 uint8_t encoded
[4096];
126 unsigned int decodedLen
;
129 ret
= vnc_client_read_buf(vs
, encoded
, sizeof(encoded
));
133 err
= sasl_decode(vs
->sasl
.conn
,
134 (char *)encoded
, ret
,
135 &decoded
, &decodedLen
);
138 return vnc_client_io_error(vs
, -1, NULL
);
139 VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
140 encoded
, ret
, decoded
, decodedLen
);
141 buffer_reserve(&vs
->input
, decodedLen
);
142 buffer_append(&vs
->input
, decoded
, decodedLen
);
147 static int vnc_auth_sasl_check_access(VncState
*vs
)
154 rv
= sasl_getprop(vs
->sasl
.conn
, SASL_USERNAME
, &val
);
156 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot fetch SASL username",
157 sasl_errstring(rv
, NULL
, NULL
));
161 trace_vnc_auth_fail(vs
, vs
->auth
, "No SASL username set", "");
165 vs
->sasl
.username
= g_strdup((const char*)val
);
166 trace_vnc_auth_sasl_username(vs
, vs
->sasl
.username
);
168 if (vs
->vd
->sasl
.authzid
== NULL
) {
169 trace_vnc_auth_sasl_acl(vs
, 1);
173 allow
= qauthz_is_allowed_by_id(vs
->vd
->sasl
.authzid
,
174 vs
->sasl
.username
, &err
);
176 trace_vnc_auth_fail(vs
, vs
->auth
, "Error from authz",
177 error_get_pretty(err
));
182 trace_vnc_auth_sasl_acl(vs
, allow
);
183 return allow
? 0 : -1;
186 static int vnc_auth_sasl_check_ssf(VncState
*vs
)
191 if (!vs
->sasl
.wantSSF
)
194 err
= sasl_getprop(vs
->sasl
.conn
, SASL_SSF
, &val
);
198 ssf
= *(const int *)val
;
200 trace_vnc_auth_sasl_ssf(vs
, ssf
);
203 return 0; /* 56 is good for Kerberos */
205 /* Only setup for read initially, because we're about to send an RPC
206 * reply which must be in plain text. When the next incoming RPC
207 * arrives, we'll switch on writes too
209 * cf qemudClientReadSASL in qemud.c
213 /* We have a SSF that's good enough */
222 * u32 clientin-length
223 * u8-array clientin-string
227 * u32 serverout-length
228 * u8-array serverout-strin
232 static int protocol_client_auth_sasl_step_len(VncState
*vs
, uint8_t *data
, size_t len
);
234 static int protocol_client_auth_sasl_step(VncState
*vs
, uint8_t *data
, size_t len
)
236 uint32_t datalen
= len
;
237 const char *serverout
;
238 unsigned int serveroutlen
;
240 char *clientdata
= NULL
;
242 /* NB, distinction of NULL vs "" is *critical* in SASL */
244 clientdata
= (char*)data
;
245 clientdata
[datalen
-1] = '\0'; /* Wire includes '\0', but make sure */
246 datalen
--; /* Don't count NULL byte when passing to _start() */
249 err
= sasl_server_step(vs
->sasl
.conn
,
254 trace_vnc_auth_sasl_step(vs
, data
, len
, serverout
, serveroutlen
, err
);
255 if (err
!= SASL_OK
&&
256 err
!= SASL_CONTINUE
) {
257 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot step SASL auth",
258 sasl_errdetail(vs
->sasl
.conn
));
259 sasl_dispose(&vs
->sasl
.conn
);
260 vs
->sasl
.conn
= NULL
;
264 if (serveroutlen
> SASL_DATA_MAX_LEN
) {
265 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL data too long", "");
266 sasl_dispose(&vs
->sasl
.conn
);
267 vs
->sasl
.conn
= NULL
;
272 vnc_write_u32(vs
, serveroutlen
+ 1);
273 vnc_write(vs
, serverout
, serveroutlen
+ 1);
275 vnc_write_u32(vs
, 0);
278 /* Whether auth is complete */
279 vnc_write_u8(vs
, err
== SASL_CONTINUE
? 0 : 1);
281 if (err
== SASL_CONTINUE
) {
282 /* Wait for step length */
283 vnc_read_when(vs
, protocol_client_auth_sasl_step_len
, 4);
285 if (!vnc_auth_sasl_check_ssf(vs
)) {
286 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL SSF too weak", "");
290 /* Check username whitelist ACL */
291 if (vnc_auth_sasl_check_access(vs
) < 0) {
295 trace_vnc_auth_pass(vs
, vs
->auth
);
296 vnc_write_u32(vs
, 0); /* Accept auth */
298 * Delay writing in SSF encoded mode until pending output
302 vs
->sasl
.waitWriteSSF
= vs
->output
.offset
;
303 start_client_init(vs
);
309 vnc_write_u32(vs
, 1); /* Reject auth */
310 vnc_write_u32(vs
, sizeof("Authentication failed"));
311 vnc_write(vs
, "Authentication failed", sizeof("Authentication failed"));
313 vnc_client_error(vs
);
317 vnc_client_error(vs
);
321 static int protocol_client_auth_sasl_step_len(VncState
*vs
, uint8_t *data
, size_t len
)
323 uint32_t steplen
= read_u32(data
, 0);
325 if (steplen
> SASL_DATA_MAX_LEN
) {
326 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL step len too large", "");
327 vnc_client_error(vs
);
332 return protocol_client_auth_sasl_step(vs
, NULL
, 0);
334 vnc_read_when(vs
, protocol_client_auth_sasl_step
, steplen
);
343 * u32 clientin-length
344 * u8-array clientin-string
348 * u32 serverout-length
349 * u8-array serverout-strin
353 #define SASL_DATA_MAX_LEN (1024 * 1024)
355 static int protocol_client_auth_sasl_start(VncState
*vs
, uint8_t *data
, size_t len
)
357 uint32_t datalen
= len
;
358 const char *serverout
;
359 unsigned int serveroutlen
;
361 char *clientdata
= NULL
;
363 /* NB, distinction of NULL vs "" is *critical* in SASL */
365 clientdata
= (char*)data
;
366 clientdata
[datalen
-1] = '\0'; /* Should be on wire, but make sure */
367 datalen
--; /* Don't count NULL byte when passing to _start() */
370 err
= sasl_server_start(vs
->sasl
.conn
,
376 trace_vnc_auth_sasl_start(vs
, data
, len
, serverout
, serveroutlen
, err
);
377 if (err
!= SASL_OK
&&
378 err
!= SASL_CONTINUE
) {
379 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot start SASL auth",
380 sasl_errdetail(vs
->sasl
.conn
));
381 sasl_dispose(&vs
->sasl
.conn
);
382 vs
->sasl
.conn
= NULL
;
385 if (serveroutlen
> SASL_DATA_MAX_LEN
) {
386 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL data too long", "");
387 sasl_dispose(&vs
->sasl
.conn
);
388 vs
->sasl
.conn
= NULL
;
393 vnc_write_u32(vs
, serveroutlen
+ 1);
394 vnc_write(vs
, serverout
, serveroutlen
+ 1);
396 vnc_write_u32(vs
, 0);
399 /* Whether auth is complete */
400 vnc_write_u8(vs
, err
== SASL_CONTINUE
? 0 : 1);
402 if (err
== SASL_CONTINUE
) {
403 /* Wait for step length */
404 vnc_read_when(vs
, protocol_client_auth_sasl_step_len
, 4);
406 if (!vnc_auth_sasl_check_ssf(vs
)) {
407 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL SSF too weak", "");
411 /* Check username whitelist ACL */
412 if (vnc_auth_sasl_check_access(vs
) < 0) {
416 trace_vnc_auth_pass(vs
, vs
->auth
);
417 vnc_write_u32(vs
, 0); /* Accept auth */
418 start_client_init(vs
);
424 vnc_write_u32(vs
, 1); /* Reject auth */
425 vnc_write_u32(vs
, sizeof("Authentication failed"));
426 vnc_write(vs
, "Authentication failed", sizeof("Authentication failed"));
428 vnc_client_error(vs
);
432 vnc_client_error(vs
);
436 static int protocol_client_auth_sasl_start_len(VncState
*vs
, uint8_t *data
, size_t len
)
438 uint32_t startlen
= read_u32(data
, 0);
440 if (startlen
> SASL_DATA_MAX_LEN
) {
441 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL start len too large", "");
442 vnc_client_error(vs
);
447 return protocol_client_auth_sasl_start(vs
, NULL
, 0);
449 vnc_read_when(vs
, protocol_client_auth_sasl_start
, startlen
);
453 static int protocol_client_auth_sasl_mechname(VncState
*vs
, uint8_t *data
, size_t len
)
455 char *mechname
= g_strndup((const char *) data
, len
);
456 trace_vnc_auth_sasl_mech_choose(vs
, mechname
);
458 if (strncmp(vs
->sasl
.mechlist
, mechname
, len
) == 0) {
459 if (vs
->sasl
.mechlist
[len
] != '\0' &&
460 vs
->sasl
.mechlist
[len
] != ',') {
464 char *offset
= strstr(vs
->sasl
.mechlist
, mechname
);
468 if (offset
[-1] != ',' ||
469 (offset
[len
] != '\0'&&
470 offset
[len
] != ',')) {
475 g_free(vs
->sasl
.mechlist
);
476 vs
->sasl
.mechlist
= mechname
;
478 vnc_read_when(vs
, protocol_client_auth_sasl_start_len
, 4);
482 trace_vnc_auth_fail(vs
, vs
->auth
, "Unsupported mechname", mechname
);
483 vnc_client_error(vs
);
488 static int protocol_client_auth_sasl_mechname_len(VncState
*vs
, uint8_t *data
, size_t len
)
490 uint32_t mechlen
= read_u32(data
, 0);
493 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL mechname too long", "");
494 vnc_client_error(vs
);
498 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL mechname too short", "");
499 vnc_client_error(vs
);
502 vnc_read_when(vs
, protocol_client_auth_sasl_mechname
,mechlen
);
507 vnc_socket_ip_addr_string(QIOChannelSocket
*ioc
,
515 addr
= qio_channel_socket_get_local_address(ioc
, errp
);
517 addr
= qio_channel_socket_get_remote_address(ioc
, errp
);
523 if (addr
->type
!= SOCKET_ADDRESS_TYPE_INET
) {
524 error_setg(errp
, "Not an inet socket type");
525 qapi_free_SocketAddress(addr
);
528 ret
= g_strdup_printf("%s;%s", addr
->u
.inet
.host
, addr
->u
.inet
.port
);
529 qapi_free_SocketAddress(addr
);
533 void start_auth_sasl(VncState
*vs
)
535 const char *mechlist
= NULL
;
536 sasl_security_properties_t secprops
;
538 Error
*local_err
= NULL
;
539 char *localAddr
, *remoteAddr
;
542 /* Get local & remote client addresses in form IPADDR;PORT */
543 localAddr
= vnc_socket_ip_addr_string(vs
->sioc
, true, &local_err
);
545 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot format local IP",
546 error_get_pretty(local_err
));
550 remoteAddr
= vnc_socket_ip_addr_string(vs
->sioc
, false, &local_err
);
552 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot format remote IP",
553 error_get_pretty(local_err
));
558 err
= sasl_server_new("vnc",
559 NULL
, /* FQDN - just delegates to gethostname */
560 NULL
, /* User realm */
563 NULL
, /* Callbacks, not needed */
568 localAddr
= remoteAddr
= NULL
;
570 if (err
!= SASL_OK
) {
571 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL context setup failed",
572 sasl_errstring(err
, NULL
, NULL
));
573 vs
->sasl
.conn
= NULL
;
577 /* Inform SASL that we've got an external SSF layer from TLS/x509 */
578 if (vs
->auth
== VNC_AUTH_VENCRYPT
&&
579 vs
->subauth
== VNC_AUTH_VENCRYPT_X509SASL
) {
583 keysize
= qcrypto_tls_session_get_key_size(vs
->tls
,
586 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot TLS get cipher size",
587 error_get_pretty(local_err
));
588 sasl_dispose(&vs
->sasl
.conn
);
589 vs
->sasl
.conn
= NULL
;
592 ssf
= keysize
* CHAR_BIT
; /* tls key size is bytes, sasl wants bits */
594 err
= sasl_setprop(vs
->sasl
.conn
, SASL_SSF_EXTERNAL
, &ssf
);
595 if (err
!= SASL_OK
) {
596 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot set SASL external SSF",
597 sasl_errstring(err
, NULL
, NULL
));
598 sasl_dispose(&vs
->sasl
.conn
);
599 vs
->sasl
.conn
= NULL
;
603 vs
->sasl
.wantSSF
= 1;
606 memset (&secprops
, 0, sizeof secprops
);
607 /* Inform SASL that we've got an external SSF layer from TLS.
609 * Disable SSF, if using TLS+x509+SASL only. TLS without x509
610 * is not sufficiently strong
612 if (vs
->vd
->is_unix
||
613 (vs
->auth
== VNC_AUTH_VENCRYPT
&&
614 vs
->subauth
== VNC_AUTH_VENCRYPT_X509SASL
)) {
615 /* If we've got TLS or UNIX domain sock, we don't care about SSF */
616 secprops
.min_ssf
= 0;
617 secprops
.max_ssf
= 0;
618 secprops
.maxbufsize
= 8192;
619 secprops
.security_flags
= 0;
621 /* Plain TCP, better get an SSF layer */
622 secprops
.min_ssf
= 56; /* Good enough to require kerberos */
623 secprops
.max_ssf
= 100000; /* Arbitrary big number */
624 secprops
.maxbufsize
= 8192;
625 /* Forbid any anonymous or trivially crackable auth */
626 secprops
.security_flags
=
627 SASL_SEC_NOANONYMOUS
| SASL_SEC_NOPLAINTEXT
;
630 err
= sasl_setprop(vs
->sasl
.conn
, SASL_SEC_PROPS
, &secprops
);
631 if (err
!= SASL_OK
) {
632 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot set SASL security props",
633 sasl_errstring(err
, NULL
, NULL
));
634 sasl_dispose(&vs
->sasl
.conn
);
635 vs
->sasl
.conn
= NULL
;
639 err
= sasl_listmech(vs
->sasl
.conn
,
640 NULL
, /* Don't need to set user */
647 if (err
!= SASL_OK
) {
648 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot list SASL mechanisms",
649 sasl_errdetail(vs
->sasl
.conn
));
650 sasl_dispose(&vs
->sasl
.conn
);
651 vs
->sasl
.conn
= NULL
;
654 trace_vnc_auth_sasl_mech_list(vs
, mechlist
);
656 vs
->sasl
.mechlist
= g_strdup(mechlist
);
657 mechlistlen
= strlen(mechlist
);
658 vnc_write_u32(vs
, mechlistlen
);
659 vnc_write(vs
, mechlist
, mechlistlen
);
662 vnc_read_when(vs
, protocol_client_auth_sasl_mechname_len
, 4);
667 error_free(local_err
);
668 vnc_client_error(vs
);