2 * QEMU VNC display driver: SASL auth protocol
4 * Copyright (C) 2009 Red Hat, Inc
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
25 #include "qemu/osdep.h"
26 #include "qapi/error.h"
30 /* Max amount of data we send/recv for SASL steps to prevent DOS */
31 #define SASL_DATA_MAX_LEN (1024 * 1024)
34 void vnc_sasl_client_cleanup(VncState
*vs
)
37 vs
->sasl
.runSSF
= false;
38 vs
->sasl
.wantSSF
= false;
39 vs
->sasl
.waitWriteSSF
= 0;
40 vs
->sasl
.encodedLength
= vs
->sasl
.encodedOffset
= 0;
41 vs
->sasl
.encoded
= NULL
;
42 g_free(vs
->sasl
.username
);
43 g_free(vs
->sasl
.mechlist
);
44 vs
->sasl
.username
= vs
->sasl
.mechlist
= NULL
;
45 sasl_dispose(&vs
->sasl
.conn
);
51 long vnc_client_write_sasl(VncState
*vs
)
55 VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
56 "Encoded: %p size %d offset %d\n",
57 vs
->output
.buffer
, vs
->output
.capacity
, vs
->output
.offset
,
58 vs
->sasl
.encoded
, vs
->sasl
.encodedLength
, vs
->sasl
.encodedOffset
);
60 if (!vs
->sasl
.encoded
) {
62 err
= sasl_encode(vs
->sasl
.conn
,
63 (char *)vs
->output
.buffer
,
65 (const char **)&vs
->sasl
.encoded
,
66 &vs
->sasl
.encodedLength
);
68 return vnc_client_io_error(vs
, -1, NULL
);
70 vs
->sasl
.encodedRawLength
= vs
->output
.offset
;
71 vs
->sasl
.encodedOffset
= 0;
74 ret
= vnc_client_write_buf(vs
,
75 vs
->sasl
.encoded
+ vs
->sasl
.encodedOffset
,
76 vs
->sasl
.encodedLength
- vs
->sasl
.encodedOffset
);
80 vs
->sasl
.encodedOffset
+= ret
;
81 if (vs
->sasl
.encodedOffset
== vs
->sasl
.encodedLength
) {
82 vs
->output
.offset
-= vs
->sasl
.encodedRawLength
;
83 vs
->sasl
.encoded
= NULL
;
84 vs
->sasl
.encodedOffset
= vs
->sasl
.encodedLength
= 0;
87 /* Can't merge this block with one above, because
88 * someone might have written more unencrypted
89 * data in vs->output while we were processing
92 if (vs
->output
.offset
== 0) {
94 g_source_remove(vs
->ioc_tag
);
96 vs
->ioc_tag
= qio_channel_add_watch(
97 vs
->ioc
, G_IO_IN
, vnc_client_io
, vs
, NULL
);
104 long vnc_client_read_sasl(VncState
*vs
)
107 uint8_t encoded
[4096];
109 unsigned int decodedLen
;
112 ret
= vnc_client_read_buf(vs
, encoded
, sizeof(encoded
));
116 err
= sasl_decode(vs
->sasl
.conn
,
117 (char *)encoded
, ret
,
118 &decoded
, &decodedLen
);
121 return vnc_client_io_error(vs
, -1, NULL
);
122 VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
123 encoded
, ret
, decoded
, decodedLen
);
124 buffer_reserve(&vs
->input
, decodedLen
);
125 buffer_append(&vs
->input
, decoded
, decodedLen
);
130 static int vnc_auth_sasl_check_access(VncState
*vs
)
136 err
= sasl_getprop(vs
->sasl
.conn
, SASL_USERNAME
, &val
);
137 if (err
!= SASL_OK
) {
138 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot fetch SASL username",
139 sasl_errstring(err
, NULL
, NULL
));
143 trace_vnc_auth_fail(vs
, vs
->auth
, "No SASL username set", "");
147 vs
->sasl
.username
= g_strdup((const char*)val
);
148 trace_vnc_auth_sasl_username(vs
, vs
->sasl
.username
);
150 if (vs
->vd
->sasl
.acl
== NULL
) {
151 trace_vnc_auth_sasl_acl(vs
, 1);
155 allow
= qemu_acl_party_is_allowed(vs
->vd
->sasl
.acl
, vs
->sasl
.username
);
157 trace_vnc_auth_sasl_acl(vs
, allow
);
158 return allow
? 0 : -1;
161 static int vnc_auth_sasl_check_ssf(VncState
*vs
)
166 if (!vs
->sasl
.wantSSF
)
169 err
= sasl_getprop(vs
->sasl
.conn
, SASL_SSF
, &val
);
173 ssf
= *(const int *)val
;
175 trace_vnc_auth_sasl_ssf(vs
, ssf
);
178 return 0; /* 56 is good for Kerberos */
180 /* Only setup for read initially, because we're about to send an RPC
181 * reply which must be in plain text. When the next incoming RPC
182 * arrives, we'll switch on writes too
184 * cf qemudClientReadSASL in qemud.c
188 /* We have a SSF that's good enough */
197 * u32 clientin-length
198 * u8-array clientin-string
202 * u32 serverout-length
203 * u8-array serverout-strin
207 static int protocol_client_auth_sasl_step_len(VncState
*vs
, uint8_t *data
, size_t len
);
209 static int protocol_client_auth_sasl_step(VncState
*vs
, uint8_t *data
, size_t len
)
211 uint32_t datalen
= len
;
212 const char *serverout
;
213 unsigned int serveroutlen
;
215 char *clientdata
= NULL
;
217 /* NB, distinction of NULL vs "" is *critical* in SASL */
219 clientdata
= (char*)data
;
220 clientdata
[datalen
-1] = '\0'; /* Wire includes '\0', but make sure */
221 datalen
--; /* Don't count NULL byte when passing to _start() */
224 err
= sasl_server_step(vs
->sasl
.conn
,
229 trace_vnc_auth_sasl_step(vs
, data
, len
, serverout
, serveroutlen
, err
);
230 if (err
!= SASL_OK
&&
231 err
!= SASL_CONTINUE
) {
232 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot step SASL auth",
233 sasl_errdetail(vs
->sasl
.conn
));
234 sasl_dispose(&vs
->sasl
.conn
);
235 vs
->sasl
.conn
= NULL
;
239 if (serveroutlen
> SASL_DATA_MAX_LEN
) {
240 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL data too long", "");
241 sasl_dispose(&vs
->sasl
.conn
);
242 vs
->sasl
.conn
= NULL
;
247 vnc_write_u32(vs
, serveroutlen
+ 1);
248 vnc_write(vs
, serverout
, serveroutlen
+ 1);
250 vnc_write_u32(vs
, 0);
253 /* Whether auth is complete */
254 vnc_write_u8(vs
, err
== SASL_CONTINUE
? 0 : 1);
256 if (err
== SASL_CONTINUE
) {
257 /* Wait for step length */
258 vnc_read_when(vs
, protocol_client_auth_sasl_step_len
, 4);
260 if (!vnc_auth_sasl_check_ssf(vs
)) {
261 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL SSF too weak", "");
265 /* Check username whitelist ACL */
266 if (vnc_auth_sasl_check_access(vs
) < 0) {
270 trace_vnc_auth_pass(vs
, vs
->auth
);
271 vnc_write_u32(vs
, 0); /* Accept auth */
273 * Delay writing in SSF encoded mode until pending output
277 vs
->sasl
.waitWriteSSF
= vs
->output
.offset
;
278 start_client_init(vs
);
284 vnc_write_u32(vs
, 1); /* Reject auth */
285 vnc_write_u32(vs
, sizeof("Authentication failed"));
286 vnc_write(vs
, "Authentication failed", sizeof("Authentication failed"));
288 vnc_client_error(vs
);
292 vnc_client_error(vs
);
296 static int protocol_client_auth_sasl_step_len(VncState
*vs
, uint8_t *data
, size_t len
)
298 uint32_t steplen
= read_u32(data
, 0);
300 if (steplen
> SASL_DATA_MAX_LEN
) {
301 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL step len too large", "");
302 vnc_client_error(vs
);
307 return protocol_client_auth_sasl_step(vs
, NULL
, 0);
309 vnc_read_when(vs
, protocol_client_auth_sasl_step
, steplen
);
318 * u32 clientin-length
319 * u8-array clientin-string
323 * u32 serverout-length
324 * u8-array serverout-strin
328 #define SASL_DATA_MAX_LEN (1024 * 1024)
330 static int protocol_client_auth_sasl_start(VncState
*vs
, uint8_t *data
, size_t len
)
332 uint32_t datalen
= len
;
333 const char *serverout
;
334 unsigned int serveroutlen
;
336 char *clientdata
= NULL
;
338 /* NB, distinction of NULL vs "" is *critical* in SASL */
340 clientdata
= (char*)data
;
341 clientdata
[datalen
-1] = '\0'; /* Should be on wire, but make sure */
342 datalen
--; /* Don't count NULL byte when passing to _start() */
345 err
= sasl_server_start(vs
->sasl
.conn
,
351 trace_vnc_auth_sasl_start(vs
, data
, len
, serverout
, serveroutlen
, err
);
352 if (err
!= SASL_OK
&&
353 err
!= SASL_CONTINUE
) {
354 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot start SASL auth",
355 sasl_errdetail(vs
->sasl
.conn
));
356 sasl_dispose(&vs
->sasl
.conn
);
357 vs
->sasl
.conn
= NULL
;
360 if (serveroutlen
> SASL_DATA_MAX_LEN
) {
361 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL data too long", "");
362 sasl_dispose(&vs
->sasl
.conn
);
363 vs
->sasl
.conn
= NULL
;
368 vnc_write_u32(vs
, serveroutlen
+ 1);
369 vnc_write(vs
, serverout
, serveroutlen
+ 1);
371 vnc_write_u32(vs
, 0);
374 /* Whether auth is complete */
375 vnc_write_u8(vs
, err
== SASL_CONTINUE
? 0 : 1);
377 if (err
== SASL_CONTINUE
) {
378 /* Wait for step length */
379 vnc_read_when(vs
, protocol_client_auth_sasl_step_len
, 4);
381 if (!vnc_auth_sasl_check_ssf(vs
)) {
382 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL SSF too weak", "");
386 /* Check username whitelist ACL */
387 if (vnc_auth_sasl_check_access(vs
) < 0) {
391 trace_vnc_auth_pass(vs
, vs
->auth
);
392 vnc_write_u32(vs
, 0); /* Accept auth */
393 start_client_init(vs
);
399 vnc_write_u32(vs
, 1); /* Reject auth */
400 vnc_write_u32(vs
, sizeof("Authentication failed"));
401 vnc_write(vs
, "Authentication failed", sizeof("Authentication failed"));
403 vnc_client_error(vs
);
407 vnc_client_error(vs
);
411 static int protocol_client_auth_sasl_start_len(VncState
*vs
, uint8_t *data
, size_t len
)
413 uint32_t startlen
= read_u32(data
, 0);
415 if (startlen
> SASL_DATA_MAX_LEN
) {
416 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL start len too large", "");
417 vnc_client_error(vs
);
422 return protocol_client_auth_sasl_start(vs
, NULL
, 0);
424 vnc_read_when(vs
, protocol_client_auth_sasl_start
, startlen
);
428 static int protocol_client_auth_sasl_mechname(VncState
*vs
, uint8_t *data
, size_t len
)
430 char *mechname
= g_strndup((const char *) data
, len
);
431 trace_vnc_auth_sasl_mech_choose(vs
, mechname
);
433 if (strncmp(vs
->sasl
.mechlist
, mechname
, len
) == 0) {
434 if (vs
->sasl
.mechlist
[len
] != '\0' &&
435 vs
->sasl
.mechlist
[len
] != ',') {
439 char *offset
= strstr(vs
->sasl
.mechlist
, mechname
);
443 if (offset
[-1] != ',' ||
444 (offset
[len
] != '\0'&&
445 offset
[len
] != ',')) {
450 g_free(vs
->sasl
.mechlist
);
451 vs
->sasl
.mechlist
= mechname
;
453 vnc_read_when(vs
, protocol_client_auth_sasl_start_len
, 4);
457 trace_vnc_auth_fail(vs
, vs
->auth
, "Unsupported mechname", mechname
);
458 vnc_client_error(vs
);
463 static int protocol_client_auth_sasl_mechname_len(VncState
*vs
, uint8_t *data
, size_t len
)
465 uint32_t mechlen
= read_u32(data
, 0);
468 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL mechname too long", "");
469 vnc_client_error(vs
);
473 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL mechname too short", "");
474 vnc_client_error(vs
);
477 vnc_read_when(vs
, protocol_client_auth_sasl_mechname
,mechlen
);
482 vnc_socket_ip_addr_string(QIOChannelSocket
*ioc
,
490 addr
= qio_channel_socket_get_local_address(ioc
, errp
);
492 addr
= qio_channel_socket_get_remote_address(ioc
, errp
);
498 if (addr
->type
!= SOCKET_ADDRESS_TYPE_INET
) {
499 error_setg(errp
, "Not an inet socket type");
502 ret
= g_strdup_printf("%s;%s", addr
->u
.inet
.host
, addr
->u
.inet
.port
);
503 qapi_free_SocketAddress(addr
);
507 void start_auth_sasl(VncState
*vs
)
509 const char *mechlist
= NULL
;
510 sasl_security_properties_t secprops
;
512 Error
*local_err
= NULL
;
513 char *localAddr
, *remoteAddr
;
516 /* Get local & remote client addresses in form IPADDR;PORT */
517 localAddr
= vnc_socket_ip_addr_string(vs
->sioc
, true, &local_err
);
519 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot format local IP",
520 error_get_pretty(local_err
));
524 remoteAddr
= vnc_socket_ip_addr_string(vs
->sioc
, false, &local_err
);
526 trace_vnc_auth_fail(vs
, vs
->auth
, "Cannot format remote IP",
527 error_get_pretty(local_err
));
532 err
= sasl_server_new("vnc",
533 NULL
, /* FQDN - just delegates to gethostname */
534 NULL
, /* User realm */
537 NULL
, /* Callbacks, not needed */
542 localAddr
= remoteAddr
= NULL
;
544 if (err
!= SASL_OK
) {
545 trace_vnc_auth_fail(vs
, vs
->auth
, "SASL context setup failed",
546 sasl_errstring(err
, NULL
, NULL
));
547 vs
->sasl
.conn
= NULL
;
551 /* Inform SASL that we've got an external SSF layer from TLS/x509 */
552 if (vs
->auth
== VNC_AUTH_VENCRYPT
&&
553 vs
->subauth
== VNC_AUTH_VENCRYPT_X509SASL
) {
554 Error
*local_err
= NULL
;
558 keysize
= qcrypto_tls_session_get_key_size(vs
->tls
,
561 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot TLS get cipher size",
562 error_get_pretty(local_err
));
563 error_free(local_err
);
564 sasl_dispose(&vs
->sasl
.conn
);
565 vs
->sasl
.conn
= NULL
;
568 ssf
= keysize
* CHAR_BIT
; /* tls key size is bytes, sasl wants bits */
570 err
= sasl_setprop(vs
->sasl
.conn
, SASL_SSF_EXTERNAL
, &ssf
);
571 if (err
!= SASL_OK
) {
572 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot set SASL external SSF",
573 sasl_errstring(err
, NULL
, NULL
));
574 sasl_dispose(&vs
->sasl
.conn
);
575 vs
->sasl
.conn
= NULL
;
579 vs
->sasl
.wantSSF
= 1;
582 memset (&secprops
, 0, sizeof secprops
);
583 /* Inform SASL that we've got an external SSF layer from TLS.
585 * Disable SSF, if using TLS+x509+SASL only. TLS without x509
586 * is not sufficiently strong
588 if (vs
->vd
->is_unix
||
589 (vs
->auth
== VNC_AUTH_VENCRYPT
&&
590 vs
->subauth
== VNC_AUTH_VENCRYPT_X509SASL
)) {
591 /* If we've got TLS or UNIX domain sock, we don't care about SSF */
592 secprops
.min_ssf
= 0;
593 secprops
.max_ssf
= 0;
594 secprops
.maxbufsize
= 8192;
595 secprops
.security_flags
= 0;
597 /* Plain TCP, better get an SSF layer */
598 secprops
.min_ssf
= 56; /* Good enough to require kerberos */
599 secprops
.max_ssf
= 100000; /* Arbitrary big number */
600 secprops
.maxbufsize
= 8192;
601 /* Forbid any anonymous or trivially crackable auth */
602 secprops
.security_flags
=
603 SASL_SEC_NOANONYMOUS
| SASL_SEC_NOPLAINTEXT
;
606 err
= sasl_setprop(vs
->sasl
.conn
, SASL_SEC_PROPS
, &secprops
);
607 if (err
!= SASL_OK
) {
608 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot set SASL security props",
609 sasl_errstring(err
, NULL
, NULL
));
610 sasl_dispose(&vs
->sasl
.conn
);
611 vs
->sasl
.conn
= NULL
;
615 err
= sasl_listmech(vs
->sasl
.conn
,
616 NULL
, /* Don't need to set user */
623 if (err
!= SASL_OK
) {
624 trace_vnc_auth_fail(vs
, vs
->auth
, "cannot list SASL mechanisms",
625 sasl_errdetail(vs
->sasl
.conn
));
626 sasl_dispose(&vs
->sasl
.conn
);
627 vs
->sasl
.conn
= NULL
;
630 trace_vnc_auth_sasl_mech_list(vs
, mechlist
);
632 vs
->sasl
.mechlist
= g_strdup(mechlist
);
633 mechlistlen
= strlen(mechlist
);
634 vnc_write_u32(vs
, mechlistlen
);
635 vnc_write(vs
, mechlist
, mechlistlen
);
638 vnc_read_when(vs
, protocol_client_auth_sasl_mechname_len
, 4);
643 error_free(local_err
);
644 vnc_client_error(vs
);