]> git.proxmox.com Git - mirror_qemu.git/blame - ui/vnc-auth-sasl.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge remote-tracking branch 'remotes/jnsnow/tags/bitmaps-pull-request' into staging
[mirror_qemu.git] / ui / vnc-auth-sasl.c
CommitLineData
2f9606b3
AL		 1/*
2 * QEMU VNC display driver: SASL auth protocol
3 *
4 * Copyright (C) 2009 Red Hat, Inc
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
23 */
24
e16f4c87 25#include "qemu/osdep.h"
da34e65c 26#include "qapi/error.h"
b76806d4 27#include "authz/base.h"
2f9606b3 28#include "vnc.h"
7364dbda 29#include "trace.h"
2f9606b3
AL		 30
31/* Max amount of data we send/recv for SASL steps to prevent DOS */
32#define SASL_DATA_MAX_LEN (1024 * 1024)
33
34
35void vnc_sasl_client_cleanup(VncState *vs)
36{
37 if (vs->sasl.conn) {
ee032ca1
SW		 38 vs->sasl.runSSF = false;
39 vs->sasl.wantSSF = false;
40 vs->sasl.waitWriteSSF = 0;
28a76be8
AL		 41 vs->sasl.encodedLength = vs->sasl.encodedOffset = 0;
42 vs->sasl.encoded = NULL;
ae878b17 43 g_free(vs->sasl.username);
302d9d6f 44 g_free(vs->sasl.mechlist);
28a76be8
AL		 45 vs->sasl.username = vs->sasl.mechlist = NULL;
46 sasl_dispose(&vs->sasl.conn);
47 vs->sasl.conn = NULL;
2f9606b3
AL		 48 }
49}
50
51
30b80fd5 52size_t vnc_client_write_sasl(VncState *vs)
2f9606b3 53{
30b80fd5 54 size_t ret;
2f9606b3 55
bc47d201
CC		 56 VNC_DEBUG("Write SASL: Pending output %p size %zd offset %zd "
57 "Encoded: %p size %d offset %d\n",
28a76be8
AL		 58 vs->output.buffer, vs->output.capacity, vs->output.offset,
59 vs->sasl.encoded, vs->sasl.encodedLength, vs->sasl.encodedOffset);
2f9606b3
AL		 60
61 if (!vs->sasl.encoded) {
28a76be8
AL		 62 int err;
63 err = sasl_encode(vs->sasl.conn,
64 (char *)vs->output.buffer,
65 vs->output.offset,
66 (const char **)&vs->sasl.encoded,
67 &vs->sasl.encodedLength);
68 if (err != SASL_OK)
04d2529d 69 return vnc_client_io_error(vs, -1, NULL);
28a76be8 70
8f61f1c5 71 vs->sasl.encodedRawLength = vs->output.offset;
28a76be8 72 vs->sasl.encodedOffset = 0;
2f9606b3
AL		 73 }
74
75 ret = vnc_client_write_buf(vs,
28a76be8
AL		 76 vs->sasl.encoded + vs->sasl.encodedOffset,
77 vs->sasl.encodedLength - vs->sasl.encodedOffset);
2f9606b3 78 if (!ret)
28a76be8 79 return 0;
2f9606b3
AL		 80
81 vs->sasl.encodedOffset += ret;
82 if (vs->sasl.encodedOffset == vs->sasl.encodedLength) {
d50f09ff
DB		 83 bool throttled = vs->force_update_offset != 0;
84 size_t offset;
ada8d2e4
DB		 85 if (vs->sasl.encodedRawLength >= vs->force_update_offset) {
86 vs->force_update_offset = 0;
87 } else {
88 vs->force_update_offset -= vs->sasl.encodedRawLength;
89 }
d50f09ff
DB		 90 if (throttled && vs->force_update_offset == 0) {
91 trace_vnc_client_unthrottle_forced(vs, vs->ioc);
92 }
93 offset = vs->output.offset;
627ebec2 94 buffer_advance(&vs->output, vs->sasl.encodedRawLength);
d50f09ff
DB		 95 if (offset >= vs->throttle_output_offset &&
96 vs->output.offset < vs->throttle_output_offset) {
97 trace_vnc_client_unthrottle_incremental(vs, vs->ioc,
98 vs->output.offset);
99 }
28a76be8
AL		 100 vs->sasl.encoded = NULL;
101 vs->sasl.encodedOffset = vs->sasl.encodedLength = 0;
2f9606b3
AL		 102 }
103
104 /* Can't merge this block with one above, because
105 * someone might have written more unencrypted
106 * data in vs->output while we were processing
107 * SASL encoded output
108 */
109 if (vs->output.offset == 0) {
04d2529d
DB		 110 if (vs->ioc_tag) {
111 g_source_remove(vs->ioc_tag);
112 }
113 vs->ioc_tag = qio_channel_add_watch(
114 vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
2f9606b3
AL		 115 }
116
117 return ret;
118}
119
120
30b80fd5 121size_t vnc_client_read_sasl(VncState *vs)
2f9606b3 122{
30b80fd5 123 size_t ret;
2f9606b3
AL		 124 uint8_t encoded[4096];
125 const char *decoded;
126 unsigned int decodedLen;
127 int err;
128
129 ret = vnc_client_read_buf(vs, encoded, sizeof(encoded));
130 if (!ret)
28a76be8 131 return 0;
2f9606b3
AL		 132
133 err = sasl_decode(vs->sasl.conn,
28a76be8
AL		 134 (char *)encoded, ret,
135 &decoded, &decodedLen);
2f9606b3
AL		 136
137 if (err != SASL_OK)
04d2529d 138 return vnc_client_io_error(vs, -1, NULL);
2f9606b3 139 VNC_DEBUG("Read SASL Encoded %p size %ld Decoded %p size %d\n",
28a76be8 140 encoded, ret, decoded, decodedLen);
2f9606b3
AL		 141 buffer_reserve(&vs->input, decodedLen);
142 buffer_append(&vs->input, decoded, decodedLen);
143 return decodedLen;
144}
145
146
147static int vnc_auth_sasl_check_access(VncState *vs)
148{
149 const void *val;
b76806d4
DB		 150 int rv;
151 Error *err = NULL;
152 bool allow;
2f9606b3 153
b76806d4
DB		 154 rv = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
155 if (rv != SASL_OK) {
7364dbda 156 trace_vnc_auth_fail(vs, vs->auth, "Cannot fetch SASL username",
b76806d4 157 sasl_errstring(rv, NULL, NULL));
28a76be8 158 return -1;
2f9606b3
AL		 159 }
160 if (val == NULL) {
7364dbda 161 trace_vnc_auth_fail(vs, vs->auth, "No SASL username set", "");
28a76be8 162 return -1;
2f9606b3 163 }
2f9606b3 164
7267c094 165 vs->sasl.username = g_strdup((const char*)val);
7364dbda 166 trace_vnc_auth_sasl_username(vs, vs->sasl.username);
2f9606b3 167
b76806d4 168 if (vs->vd->sasl.authzid == NULL) {
7364dbda 169 trace_vnc_auth_sasl_acl(vs, 1);
28a76be8 170 return 0;
76655d6d
AL		 171 }
172
b76806d4
DB		 173 allow = qauthz_is_allowed_by_id(vs->vd->sasl.authzid,
174 vs->sasl.username, &err);
175 if (err) {
176 trace_vnc_auth_fail(vs, vs->auth, "Error from authz",
177 error_get_pretty(err));
178 error_free(err);
179 return -1;
180 }
76655d6d 181
7364dbda 182 trace_vnc_auth_sasl_acl(vs, allow);
76655d6d 183 return allow ? 0 : -1;
2f9606b3
AL		 184}
185
186static int vnc_auth_sasl_check_ssf(VncState *vs)
187{
188 const void *val;
189 int err, ssf;
190
191 if (!vs->sasl.wantSSF)
28a76be8 192 return 1;
2f9606b3
AL		 193
194 err = sasl_getprop(vs->sasl.conn, SASL_SSF, &val);
195 if (err != SASL_OK)
28a76be8 196 return 0;
2f9606b3
AL		 197
198 ssf = *(const int *)val;
7364dbda
DB		 199
200 trace_vnc_auth_sasl_ssf(vs, ssf);
201
2f9606b3 202 if (ssf < 56)
28a76be8 203 return 0; /* 56 is good for Kerberos */
2f9606b3
AL		 204
205 /* Only setup for read initially, because we're about to send an RPC
206 * reply which must be in plain text. When the next incoming RPC
207 * arrives, we'll switch on writes too
208 *
209 * cf qemudClientReadSASL in qemud.c
210 */
211 vs->sasl.runSSF = 1;
212
213 /* We have a SSF that's good enough */
214 return 1;
215}
216
217/*
218 * Step Msg
219 *
220 * Input from client:
221 *
222 * u32 clientin-length
223 * u8-array clientin-string
224 *
225 * Output to client:
226 *
227 * u32 serverout-length
228 * u8-array serverout-strin
229 * u8 continue
230 */
231
232static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len);
233
234static int protocol_client_auth_sasl_step(VncState *vs, uint8_t *data, size_t len)
235{
236 uint32_t datalen = len;
237 const char *serverout;
238 unsigned int serveroutlen;
239 int err;
240 char *clientdata = NULL;
241
242 /* NB, distinction of NULL vs "" is *critical* in SASL */
243 if (datalen) {
28a76be8
AL		 244 clientdata = (char*)data;
245 clientdata[datalen-1] = '\0'; /* Wire includes '\0', but make sure */
246 datalen--; /* Don't count NULL byte when passing to _start() */
2f9606b3
AL		 247 }
248
2f9606b3 249 err = sasl_server_step(vs->sasl.conn,
28a76be8
AL		 250 clientdata,
251 datalen,
252 &serverout,
253 &serveroutlen);
7364dbda 254 trace_vnc_auth_sasl_step(vs, data, len, serverout, serveroutlen, err);
2f9606b3 255 if (err != SASL_OK &&
28a76be8 256 err != SASL_CONTINUE) {
7364dbda
DB		 257 trace_vnc_auth_fail(vs, vs->auth, "Cannot step SASL auth",
258 sasl_errdetail(vs->sasl.conn));
28a76be8
AL		 259 sasl_dispose(&vs->sasl.conn);
260 vs->sasl.conn = NULL;
261 goto authabort;
2f9606b3
AL		 262 }
263
264 if (serveroutlen > SASL_DATA_MAX_LEN) {
7364dbda 265 trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
28a76be8
AL		 266 sasl_dispose(&vs->sasl.conn);
267 vs->sasl.conn = NULL;
268 goto authabort;
2f9606b3
AL		 269 }
270
2f9606b3 271 if (serveroutlen) {
28a76be8
AL		 272 vnc_write_u32(vs, serveroutlen + 1);
273 vnc_write(vs, serverout, serveroutlen + 1);
2f9606b3 274 } else {
28a76be8 275 vnc_write_u32(vs, 0);
2f9606b3
AL		 276 }
277
278 /* Whether auth is complete */
279 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
280
281 if (err == SASL_CONTINUE) {
28a76be8
AL		 282 /* Wait for step length */
283 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
2f9606b3 284 } else {
28a76be8 285 if (!vnc_auth_sasl_check_ssf(vs)) {
7364dbda 286 trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
28a76be8
AL		 287 goto authreject;
288 }
289
290 /* Check username whitelist ACL */
291 if (vnc_auth_sasl_check_access(vs) < 0) {
28a76be8
AL		 292 goto authreject;
293 }
294
7364dbda 295 trace_vnc_auth_pass(vs, vs->auth);
28a76be8
AL		 296 vnc_write_u32(vs, 0); /* Accept auth */
297 /*
298 * Delay writing in SSF encoded mode until pending output
299 * buffer is written
300 */
301 if (vs->sasl.runSSF)
302 vs->sasl.waitWriteSSF = vs->output.offset;
303 start_client_init(vs);
2f9606b3
AL		 304 }
305
306 return 0;
307
308 authreject:
309 vnc_write_u32(vs, 1); /* Reject auth */
310 vnc_write_u32(vs, sizeof("Authentication failed"));
311 vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
312 vnc_flush(vs);
313 vnc_client_error(vs);
314 return -1;
315
316 authabort:
317 vnc_client_error(vs);
318 return -1;
319}
320
321static int protocol_client_auth_sasl_step_len(VncState *vs, uint8_t *data, size_t len)
322{
323 uint32_t steplen = read_u32(data, 0);
7364dbda 324
2f9606b3 325 if (steplen > SASL_DATA_MAX_LEN) {
7364dbda 326 trace_vnc_auth_fail(vs, vs->auth, "SASL step len too large", "");
28a76be8
AL		 327 vnc_client_error(vs);
328 return -1;
2f9606b3
AL		 329 }
330
331 if (steplen == 0)
28a76be8 332 return protocol_client_auth_sasl_step(vs, NULL, 0);
2f9606b3 333 else
28a76be8 334 vnc_read_when(vs, protocol_client_auth_sasl_step, steplen);
2f9606b3
AL		 335 return 0;
336}
337
338/*
339 * Start Msg
340 *
341 * Input from client:
342 *
343 * u32 clientin-length
344 * u8-array clientin-string
345 *
346 * Output to client:
347 *
348 * u32 serverout-length
349 * u8-array serverout-strin
350 * u8 continue
351 */
352
353#define SASL_DATA_MAX_LEN (1024 * 1024)
354
355static int protocol_client_auth_sasl_start(VncState *vs, uint8_t *data, size_t len)
356{
357 uint32_t datalen = len;
358 const char *serverout;
359 unsigned int serveroutlen;
360 int err;
361 char *clientdata = NULL;
362
363 /* NB, distinction of NULL vs "" is *critical* in SASL */
364 if (datalen) {
28a76be8
AL		 365 clientdata = (char*)data;
366 clientdata[datalen-1] = '\0'; /* Should be on wire, but make sure */
367 datalen--; /* Don't count NULL byte when passing to _start() */
2f9606b3
AL		 368 }
369
2f9606b3 370 err = sasl_server_start(vs->sasl.conn,
28a76be8
AL		 371 vs->sasl.mechlist,
372 clientdata,
373 datalen,
374 &serverout,
375 &serveroutlen);
7364dbda 376 trace_vnc_auth_sasl_start(vs, data, len, serverout, serveroutlen, err);
2f9606b3 377 if (err != SASL_OK &&
28a76be8 378 err != SASL_CONTINUE) {
7364dbda
DB		 379 trace_vnc_auth_fail(vs, vs->auth, "Cannot start SASL auth",
380 sasl_errdetail(vs->sasl.conn));
28a76be8
AL		 381 sasl_dispose(&vs->sasl.conn);
382 vs->sasl.conn = NULL;
383 goto authabort;
2f9606b3
AL		 384 }
385 if (serveroutlen > SASL_DATA_MAX_LEN) {
7364dbda 386 trace_vnc_auth_fail(vs, vs->auth, "SASL data too long", "");
28a76be8
AL		 387 sasl_dispose(&vs->sasl.conn);
388 vs->sasl.conn = NULL;
389 goto authabort;
2f9606b3
AL		 390 }
391
2f9606b3 392 if (serveroutlen) {
28a76be8
AL		 393 vnc_write_u32(vs, serveroutlen + 1);
394 vnc_write(vs, serverout, serveroutlen + 1);
2f9606b3 395 } else {
28a76be8 396 vnc_write_u32(vs, 0);
2f9606b3
AL		 397 }
398
399 /* Whether auth is complete */
400 vnc_write_u8(vs, err == SASL_CONTINUE ? 0 : 1);
401
402 if (err == SASL_CONTINUE) {
28a76be8
AL		 403 /* Wait for step length */
404 vnc_read_when(vs, protocol_client_auth_sasl_step_len, 4);
2f9606b3 405 } else {
28a76be8 406 if (!vnc_auth_sasl_check_ssf(vs)) {
7364dbda 407 trace_vnc_auth_fail(vs, vs->auth, "SASL SSF too weak", "");
28a76be8
AL		 408 goto authreject;
409 }
410
411 /* Check username whitelist ACL */
412 if (vnc_auth_sasl_check_access(vs) < 0) {
28a76be8
AL		 413 goto authreject;
414 }
415
7364dbda 416 trace_vnc_auth_pass(vs, vs->auth);
28a76be8
AL		 417 vnc_write_u32(vs, 0); /* Accept auth */
418 start_client_init(vs);
2f9606b3
AL		 419 }
420
421 return 0;
422
423 authreject:
424 vnc_write_u32(vs, 1); /* Reject auth */
425 vnc_write_u32(vs, sizeof("Authentication failed"));
426 vnc_write(vs, "Authentication failed", sizeof("Authentication failed"));
427 vnc_flush(vs);
428 vnc_client_error(vs);
429 return -1;
430
431 authabort:
432 vnc_client_error(vs);
433 return -1;
434}
435
436static int protocol_client_auth_sasl_start_len(VncState *vs, uint8_t *data, size_t len)
437{
438 uint32_t startlen = read_u32(data, 0);
7364dbda 439
2f9606b3 440 if (startlen > SASL_DATA_MAX_LEN) {
7364dbda 441 trace_vnc_auth_fail(vs, vs->auth, "SASL start len too large", "");
28a76be8
AL		 442 vnc_client_error(vs);
443 return -1;
2f9606b3
AL		 444 }
445
446 if (startlen == 0)
28a76be8 447 return protocol_client_auth_sasl_start(vs, NULL, 0);
2f9606b3
AL		 448
449 vnc_read_when(vs, protocol_client_auth_sasl_start, startlen);
450 return 0;
451}
452
453static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_t len)
454{
5847d9e1 455 char *mechname = g_strndup((const char *) data, len);
7364dbda 456 trace_vnc_auth_sasl_mech_choose(vs, mechname);
2f9606b3
AL		 457
458 if (strncmp(vs->sasl.mechlist, mechname, len) == 0) {
28a76be8
AL		 459 if (vs->sasl.mechlist[len] != '\0' &&
460 vs->sasl.mechlist[len] != ',') {
8ce7d352 461 goto fail;
28a76be8 462 }
2f9606b3 463 } else {
28a76be8 464 char *offset = strstr(vs->sasl.mechlist, mechname);
28a76be8 465 if (!offset) {
8ce7d352 466 goto fail;
28a76be8 467 }
28a76be8
AL		 468 if (offset[-1] != ',' ||
469 (offset[len] != '\0'&&
470 offset[len] != ',')) {
8ce7d352 471 goto fail;
28a76be8 472 }
2f9606b3
AL		 473 }
474
302d9d6f 475 g_free(vs->sasl.mechlist);
2f9606b3
AL		 476 vs->sasl.mechlist = mechname;
477
2f9606b3
AL		 478 vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
479 return 0;
8ce7d352
BS		 480
481 fail:
7364dbda 482 trace_vnc_auth_fail(vs, vs->auth, "Unsupported mechname", mechname);
8ce7d352 483 vnc_client_error(vs);
302d9d6f 484 g_free(mechname);
8ce7d352 485 return -1;
2f9606b3
AL		 486}
487
488static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
489{
490 uint32_t mechlen = read_u32(data, 0);
7364dbda 491
2f9606b3 492 if (mechlen > 100) {
7364dbda 493 trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too long", "");
28a76be8
AL		 494 vnc_client_error(vs);
495 return -1;
2f9606b3
AL		 496 }
497 if (mechlen < 1) {
7364dbda 498 trace_vnc_auth_fail(vs, vs->auth, "SASL mechname too short", "");
28a76be8
AL		 499 vnc_client_error(vs);
500 return -1;
2f9606b3
AL		 501 }
502 vnc_read_when(vs, protocol_client_auth_sasl_mechname,mechlen);
503 return 0;
504}
505
04d2529d
DB		 506static char *
507vnc_socket_ip_addr_string(QIOChannelSocket *ioc,
508 bool local,
509 Error **errp)
510{
bd269ebc 511 SocketAddress *addr;
04d2529d
DB		 512 char *ret;
513
514 if (local) {
515 addr = qio_channel_socket_get_local_address(ioc, errp);
516 } else {
517 addr = qio_channel_socket_get_remote_address(ioc, errp);
518 }
519 if (!addr) {
520 return NULL;
521 }
522
bd269ebc 523 if (addr->type != SOCKET_ADDRESS_TYPE_INET) {
04d2529d
DB		 524 error_setg(errp, "Not an inet socket type");
525 return NULL;
526 }
bd269ebc
MA		 527 ret = g_strdup_printf("%s;%s", addr->u.inet.host, addr->u.inet.port);
528 qapi_free_SocketAddress(addr);
04d2529d
DB		 529 return ret;
530}
531
2f9606b3
AL		 532void start_auth_sasl(VncState *vs)
533{
534 const char *mechlist = NULL;
535 sasl_security_properties_t secprops;
536 int err;
7364dbda 537 Error *local_err = NULL;
2f9606b3
AL		 538 char *localAddr, *remoteAddr;
539 int mechlistlen;
540
2f9606b3 541 /* Get local & remote client addresses in form IPADDR;PORT */
7364dbda 542 localAddr = vnc_socket_ip_addr_string(vs->sioc, true, &local_err);
04d2529d 543 if (!localAddr) {
7364dbda
DB		 544 trace_vnc_auth_fail(vs, vs->auth, "Cannot format local IP",
545 error_get_pretty(local_err));
28a76be8 546 goto authabort;
04d2529d 547 }
2f9606b3 548
7364dbda 549 remoteAddr = vnc_socket_ip_addr_string(vs->sioc, false, &local_err);
04d2529d 550 if (!remoteAddr) {
7364dbda
DB		 551 trace_vnc_auth_fail(vs, vs->auth, "Cannot format remote IP",
552 error_get_pretty(local_err));
ae878b17 553 g_free(localAddr);
28a76be8 554 goto authabort;
2f9606b3
AL		 555 }
556
557 err = sasl_server_new("vnc",
28a76be8
AL		 558 NULL, /* FQDN - just delegates to gethostname */
559 NULL, /* User realm */
560 localAddr,
561 remoteAddr,
562 NULL, /* Callbacks, not needed */
563 SASL_SUCCESS_DATA,
564 &vs->sasl.conn);
ae878b17
SW		 565 g_free(localAddr);
566 g_free(remoteAddr);
2f9606b3
AL		 567 localAddr = remoteAddr = NULL;
568
569 if (err != SASL_OK) {
7364dbda
DB		 570 trace_vnc_auth_fail(vs, vs->auth, "SASL context setup failed",
571 sasl_errstring(err, NULL, NULL));
28a76be8
AL		 572 vs->sasl.conn = NULL;
573 goto authabort;
2f9606b3
AL		 574 }
575
2f9606b3 576 /* Inform SASL that we've got an external SSF layer from TLS/x509 */
7e7e2ebc
DB		 577 if (vs->auth == VNC_AUTH_VENCRYPT &&
578 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL) {
3e305e4a 579 int keysize;
28a76be8
AL		 580 sasl_ssf_t ssf;
581
3e305e4a
DB		 582 keysize = qcrypto_tls_session_get_key_size(vs->tls,
583 &local_err);
584 if (keysize < 0) {
7364dbda
DB		 585 trace_vnc_auth_fail(vs, vs->auth, "cannot TLS get cipher size",
586 error_get_pretty(local_err));
28a76be8
AL		 587 sasl_dispose(&vs->sasl.conn);
588 vs->sasl.conn = NULL;
589 goto authabort;
590 }
3e305e4a 591 ssf = keysize * CHAR_BIT; /* tls key size is bytes, sasl wants bits */
28a76be8
AL		 592
593 err = sasl_setprop(vs->sasl.conn, SASL_SSF_EXTERNAL, &ssf);
594 if (err != SASL_OK) {
7364dbda
DB		 595 trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL external SSF",
596 sasl_errstring(err, NULL, NULL));
28a76be8
AL		 597 sasl_dispose(&vs->sasl.conn);
598 vs->sasl.conn = NULL;
599 goto authabort;
600 }
3e305e4a 601 } else {
28a76be8 602 vs->sasl.wantSSF = 1;
3e305e4a 603 }
2f9606b3
AL		 604
605 memset (&secprops, 0, sizeof secprops);
3e305e4a
DB		 606 /* Inform SASL that we've got an external SSF layer from TLS.
607 *
608 * Disable SSF, if using TLS+x509+SASL only. TLS without x509
609 * is not sufficiently strong
610 */
611 if (vs->vd->is_unix ||
612 (vs->auth == VNC_AUTH_VENCRYPT &&
613 vs->subauth == VNC_AUTH_VENCRYPT_X509SASL)) {
28a76be8
AL		 614 /* If we've got TLS or UNIX domain sock, we don't care about SSF */
615 secprops.min_ssf = 0;
616 secprops.max_ssf = 0;
617 secprops.maxbufsize = 8192;
618 secprops.security_flags = 0;
2f9606b3 619 } else {
28a76be8
AL		 620 /* Plain TCP, better get an SSF layer */
621 secprops.min_ssf = 56; /* Good enough to require kerberos */
622 secprops.max_ssf = 100000; /* Arbitrary big number */
623 secprops.maxbufsize = 8192;
624 /* Forbid any anonymous or trivially crackable auth */
625 secprops.security_flags =
626 SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
2f9606b3
AL		 627 }
628
629 err = sasl_setprop(vs->sasl.conn, SASL_SEC_PROPS, &secprops);
630 if (err != SASL_OK) {
7364dbda
DB		 631 trace_vnc_auth_fail(vs, vs->auth, "cannot set SASL security props",
632 sasl_errstring(err, NULL, NULL));
28a76be8
AL		 633 sasl_dispose(&vs->sasl.conn);
634 vs->sasl.conn = NULL;
635 goto authabort;
2f9606b3
AL		 636 }
637
638 err = sasl_listmech(vs->sasl.conn,
28a76be8
AL		 639 NULL, /* Don't need to set user */
640 "", /* Prefix */
641 ",", /* Separator */
642 "", /* Suffix */
643 &mechlist,
644 NULL,
645 NULL);
2f9606b3 646 if (err != SASL_OK) {
7364dbda
DB		 647 trace_vnc_auth_fail(vs, vs->auth, "cannot list SASL mechanisms",
648 sasl_errdetail(vs->sasl.conn));
28a76be8
AL		 649 sasl_dispose(&vs->sasl.conn);
650 vs->sasl.conn = NULL;
651 goto authabort;
2f9606b3 652 }
7364dbda 653 trace_vnc_auth_sasl_mech_list(vs, mechlist);
2f9606b3 654
302d9d6f 655 vs->sasl.mechlist = g_strdup(mechlist);
2f9606b3
AL		 656 mechlistlen = strlen(mechlist);
657 vnc_write_u32(vs, mechlistlen);
658 vnc_write(vs, mechlist, mechlistlen);
659 vnc_flush(vs);
660
2f9606b3
AL		 661 vnc_read_when(vs, protocol_client_auth_sasl_mechname_len, 4);
662
663 return;
664
665 authabort:
7364dbda 666 error_free(local_err);
2f9606b3 667 vnc_client_error(vs);
2f9606b3
AL		 668}
669
670
QEMU mirror