4:33 p.m.
On Thu, Nov 29, 2007 at 05:17:07PM +0000, Daniel P. Berrange wrote:
With the TLS socket, all data is encrypted on the wire. The TCP
socket though
is still clear text. Fortunately some SASL authentication mechanism can
also supply encryption capabilities. This is called SSF in SASL terminology.
This patch mandates the use of an SSF capable SASL authentiction mechanism
on the TCP socket. This in effect restricts you to a choise between GSSAPI
and DIGEST-MD5 as your SASL auth methods (the latter is a user/password
based scheme). We also disallow anonymous & plaintext auth methods. If you
really want to run the TCP socket in clear text & with anonymous auth, simply
turn off SASL altogether. Since TLS already provides encryptiuon, if you run
SASL over the TLS socket, we don't place any restrictions on the choice of
SASL auth mechanism.
On the server side I have removed the 'direction' field of the client object.
This was only used on the TLS socket & was intended to track whether the
handshake process was waiting to receive or send. Rather than try to set
this in various places throughout the daemon code, we simply query the
neccessary direction at the one point where we register a FD event handle
with poll(). This makes the code clearer to follow & reduces the chance of
accidentally messing up the state.
The send & receive functions previously would call read vs gnutls_record_recv
and write vs gnutls_record_send depending on the type of socket. If there is
a SASL SSF layer enabled, we have to first pass the outgoing data through
the sasl_encode() API, and pass incoming data through sasl_decode(). So the
send/recive APIs have changed a little, to deal with this codec need and thus
there is also some more state being tracked per connection - we may have to
cache the output for sasl_decode for future calls depending on how much
data we need in short term.
NB, the SSF layer lets you choose a strength factor from 0 -> a large number
and the docs all talk about
* 0 = no protection
* 1 = integrity protection only
* 40 = 40-bit DES or 40-bit RC2/RC4
* 56 = DES
* 112 = triple-DES
* 128 = 128-bit RC2/RC4/BLOWFISH
* 256 = baseline AES
This is incredibly misleading. The GSSAPI mechanism in SASL will never report
a strength of anything other than 56. Even if it is using triple-DES. The
true strength of the GSSAPI/Kerberos impl is impossible to figure out from
the SASL apis. To ensure that Kerberos uses strong encryption, you need to
make sure that the Kerberos principles issued only have the 3-DES cipher/keys
present. If you are truely paranoid though, you always have the option of using
TLS (which gives at least 128 bit ciphers, often 256 bit), and then just using
Kerberos for auth and ignore the SASL SSF layer. A subsequent patch will make
it possible to configure this stuff.
Rebased to latest CVS.
diff -r 5a37498017ac qemud/internal.h
--- a/qemud/internal.h Wed Nov 28 23:00:04 2007 -0500
+++ b/qemud/internal.h Wed Nov 28 23:00:47 2007 -0500
@@ -73,10 +73,17 @@ enum qemud_mode {
QEMUD_MODE_TLS_HANDSHAKE,
};
-/* These have to remain compatible with gnutls_record_get_direction. */
-enum qemud_tls_direction {
- QEMUD_TLS_DIRECTION_READ = 0,
- QEMUD_TLS_DIRECTION_WRITE = 1,
+/* Whether we're passing reads & writes through a sasl SSF */
+enum qemud_sasl_ssf {
+ QEMUD_SASL_SSF_NONE = 0,
+ QEMUD_SASL_SSF_READ = 1,
+ QEMUD_SASL_SSF_WRITE = 2,
+};
+
+enum qemud_sock_type {
+ QEMUD_SOCK_TYPE_UNIX = 0,
+ QEMUD_SOCK_TYPE_TCP = 1,
+ QEMUD_SOCK_TYPE_TLS = 2,
};
/* Stores the per-client connection state */
@@ -90,13 +97,18 @@ struct qemud_client {
struct sockaddr_storage addr;
socklen_t addrlen;
- /* If set, TLS is required on this socket. */
- int tls;
- gnutls_session_t session;
- enum qemud_tls_direction direction;
+ int type; /* qemud_sock_type */
+ gnutls_session_t tlssession;
int auth;
#if HAVE_SASL
sasl_conn_t *saslconn;
+ int saslSSF;
+ const char *saslDecoded;
+ unsigned int saslDecodedLength;
+ unsigned int saslDecodedOffset;
+ const char *saslEncoded;
+ unsigned int saslEncodedLength;
+ unsigned int saslEncodedOffset;
#endif
unsigned int incomingSerial;
@@ -121,8 +133,7 @@ struct qemud_socket {
struct qemud_socket {
int fd;
int readonly;
- /* If set, TLS is required on this socket. */
- int tls;
+ int type; /* qemud_sock_type */
int auth;
int port;
struct qemud_socket *next;
diff -r 5a37498017ac qemud/qemud.c
--- a/qemud/qemud.c Wed Nov 28 23:00:04 2007 -0500
+++ b/qemud/qemud.c Wed Nov 28 23:00:47 2007 -0500
@@ -463,6 +463,7 @@ static int qemudListenUnix(struct qemud_
sock->readonly = readonly;
sock->port = -1;
+ sock->type = QEMUD_SOCK_TYPE_UNIX;
if ((sock->fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) {
qemudLog(QEMUD_ERR, "Failed to create socket: %s",
@@ -577,7 +578,7 @@ static int
static int
remoteListenTCP (struct qemud_server *server,
const char *port,
- int tls,
+ int type,
int auth)
{
int fds[2];
@@ -606,7 +607,7 @@ remoteListenTCP (struct qemud_server *se
server->nsockets++;
sock->fd = fds[i];
- sock->tls = tls;
+ sock->type = type;
sock->auth = auth;
if (getsockname(sock->fd, (struct sockaddr *)(&sa), &salen) < 0)
@@ -745,10 +746,10 @@ static struct qemud_server *qemudInitial
if (ipsock) {
#if HAVE_SASL
- if (listen_tcp && remoteListenTCP (server, tcp_port, 0, REMOTE_AUTH_SASL)
< 0)
+ if (listen_tcp && remoteListenTCP (server, tcp_port, QEMUD_SOCK_TYPE_TCP,
REMOTE_AUTH_SASL) < 0)
goto cleanup;
#else
- if (listen_tcp && remoteListenTCP (server, tcp_port, 0, REMOTE_AUTH_NONE)
< 0)
+ if (listen_tcp && remoteListenTCP (server, tcp_port, QEMUD_SOCK_TYPE_TCP,
REMOTE_AUTH_NONE) < 0)
goto cleanup;
#endif
@@ -756,7 +757,7 @@ static struct qemud_server *qemudInitial
if (remoteInitializeGnuTLS () < 0)
goto cleanup;
- if (remoteListenTCP (server, tls_port, 1, REMOTE_AUTH_NONE) < 0)
+ if (remoteListenTCP (server, tls_port, QEMUD_SOCK_TYPE_TLS, REMOTE_AUTH_NONE)
< 0)
goto cleanup;
}
}
@@ -789,7 +790,7 @@ static struct qemud_server *qemudInitial
*/
sock = server->sockets;
while (sock) {
- if (sock->port != -1 && sock->tls) {
+ if (sock->port != -1 && sock->type == QEMUD_SOCK_TYPE_TLS) {
port = sock->port;
break;
}
@@ -981,7 +982,7 @@ remoteCheckAccess (struct qemud_client *
int found, err;
/* Verify client certificate. */
- if (remoteCheckCertificate (client->session) == -1) {
+ if (remoteCheckCertificate (client->tlssession) == -1) {
qemudLog (QEMUD_ERR, "remoteCheckCertificate: failed to verify client's
certificate");
if (!tls_no_verify_certificate) return -1;
else qemudLog (QEMUD_INFO, "remoteCheckCertificate:
tls_no_verify_certificate is set so the bad certificate is ignored");
@@ -1033,7 +1034,6 @@ remoteCheckAccess (struct qemud_client *
client->bufferOffset = 0;
client->buffer[0] = '\1';
client->mode = QEMUD_MODE_TX_PACKET;
- client->direction = QEMUD_TLS_DIRECTION_WRITE;
return 0;
}
@@ -1065,12 +1065,12 @@ static int qemudDispatchServer(struct qe
client->magic = QEMUD_CLIENT_MAGIC;
client->fd = fd;
client->readonly = sock->readonly;
- client->tls = sock->tls;
+ client->type = sock->type;
client->auth = sock->auth;
memcpy (&client->addr, &addr, sizeof addr);
client->addrlen = addrlen;
- if (!client->tls) {
+ if (client->type != QEMUD_SOCK_TYPE_TLS) {
client->mode = QEMUD_MODE_RX_HEADER;
client->bufferLength = REMOTE_MESSAGE_HEADER_XDR_LEN;
@@ -1079,15 +1079,15 @@ static int qemudDispatchServer(struct qe
} else {
int ret;
- client->session = remoteInitializeTLSSession ();
- if (client->session == NULL)
+ client->tlssession = remoteInitializeTLSSession ();
+ if (client->tlssession == NULL)
goto cleanup;
- gnutls_transport_set_ptr (client->session,
+ gnutls_transport_set_ptr (client->tlssession,
(gnutls_transport_ptr_t) (long) fd);
/* Begin the TLS handshake. */
- ret = gnutls_handshake (client->session);
+ ret = gnutls_handshake (client->tlssession);
if (ret == 0) {
/* Unlikely, but ... Next step is to check the certificate. */
if (remoteCheckAccess (client) == -1)
@@ -1099,7 +1099,6 @@ static int qemudDispatchServer(struct qe
/* Most likely. */
client->mode = QEMUD_MODE_TLS_HANDSHAKE;
client->bufferLength = -1;
- client->direction = gnutls_record_get_direction (client->session);
if (qemudRegisterClientEvent (server, client, 0) < 0)
goto cleanup;
@@ -1117,7 +1116,7 @@ static int qemudDispatchServer(struct qe
return 0;
cleanup:
- if (client->session) gnutls_deinit (client->session);
+ if (client->tlssession) gnutls_deinit (client->tlssession);
close (fd);
free (client);
return -1;
@@ -1150,24 +1149,21 @@ static void qemudDispatchClientFailure(s
#if HAVE_SASL
if (client->saslconn) sasl_dispose(&client->saslconn);
#endif
- if (client->tls && client->session) gnutls_deinit
(client->session);
+ if (client->tlssession) gnutls_deinit (client->tlssession);
close(client->fd);
free(client);
}
-static int qemudClientRead(struct qemud_server *server,
- struct qemud_client *client) {
- int ret, len;
- char *data;
-
- data = client->buffer + client->bufferOffset;
- len = client->bufferLength - client->bufferOffset;
+static int qemudClientReadBuf(struct qemud_server *server,
+ struct qemud_client *client,
+ char *data, unsigned len) {
+ int ret;
/*qemudDebug ("qemudClientRead: len = %d", len);*/
- if (!client->tls) {
+ if (!client->tlssession) {
if ((ret = read (client->fd, data, len)) <= 0) {
if (ret == 0 || errno != EAGAIN) {
if (ret != 0)
@@ -1177,8 +1173,7 @@ static int qemudClientRead(struct qemud_
return -1;
}
} else {
- ret = gnutls_record_recv (client->session, data, len);
- client->direction = gnutls_record_get_direction (client->session);
+ ret = gnutls_record_recv (client->tlssession, data, len);
if (qemudRegisterClientEvent (server, client, 1) < 0)
qemudDispatchClientFailure (server, client);
else if (ret <= 0) {
@@ -1193,9 +1188,79 @@ static int qemudClientRead(struct qemud_
}
}
+ return ret;
+}
+
+static int qemudClientReadPlain(struct qemud_server *server,
+ struct qemud_client *client) {
+ int ret;
+ ret = qemudClientReadBuf(server, client,
+ client->buffer + client->bufferOffset,
+ client->bufferLength - client->bufferOffset);
+ if (ret < 0)
+ return ret;
client->bufferOffset += ret;
return 0;
}
+
+#if HAVE_SASL
+static int qemudClientReadSASL(struct qemud_server *server,
+ struct qemud_client *client) {
+ int got, want;
+
+ /* We're doing a SSF data read, so now its times to ensure
+ * future writes are under SSF too.
+ *
+ * cf remoteSASLCheckSSF in remote.c
+ */
+ client->saslSSF |= QEMUD_SASL_SSF_WRITE;
+
+ /* Need to read some more data off the wire */
+ if (client->saslDecoded == NULL) {
+ char encoded[8192];
+ int encodedLen = sizeof(encoded);
+ encodedLen = qemudClientReadBuf(server, client, encoded, encodedLen);
+
+ if (encodedLen < 0)
+ return -1;
+
+ sasl_decode(client->saslconn, encoded, encodedLen,
+ &client->saslDecoded, &client->saslDecodedLength);
+
+ client->saslDecodedOffset = 0;
+ }
+
+ /* Some buffered decoded data to return now */
+ got = client->saslDecodedLength - client->saslDecodedOffset;
+ want = client->bufferLength - client->bufferOffset;
+
+ if (want > got)
+ want = got;
+
+ memcpy(client->buffer + client->bufferOffset,
+ client->saslDecoded + client->saslDecodedOffset, want);
+ client->saslDecodedOffset += want;
+ client->bufferOffset += want;
+
+ if (client->saslDecodedOffset == client->saslDecodedLength) {
+ client->saslDecoded = NULL;
+ client->saslDecodedOffset = client->saslDecodedLength = 0;
+ }
+
+ return 0;
+}
+#endif
+
+static int qemudClientRead(struct qemud_server *server,
+ struct qemud_client *client) {
+#if HAVE_SASL
+ if (client->saslSSF & QEMUD_SASL_SSF_READ)
+ return qemudClientReadSASL(server, client);
+ else
+#endif
+ return qemudClientReadPlain(server, client);
+}
+
static void qemudDispatchClientRead(struct qemud_server *server, struct qemud_client
*client) {
@@ -1239,7 +1304,6 @@ static void qemudDispatchClientRead(stru
client->mode = QEMUD_MODE_RX_PAYLOAD;
client->bufferLength = len - REMOTE_MESSAGE_HEADER_XDR_LEN;
client->bufferOffset = 0;
- if (client->tls) client->direction = QEMUD_TLS_DIRECTION_READ;
if (qemudRegisterClientEvent(server, client, 1) < 0) {
qemudDispatchClientFailure(server, client);
@@ -1267,7 +1331,7 @@ static void qemudDispatchClientRead(stru
int ret;
/* Continue the handshake. */
- ret = gnutls_handshake (client->session);
+ ret = gnutls_handshake (client->tlssession);
if (ret == 0) {
/* Finished. Next step is to check the certificate. */
if (remoteCheckAccess (client) == -1)
@@ -1279,7 +1343,6 @@ static void qemudDispatchClientRead(stru
gnutls_strerror (ret));
qemudDispatchClientFailure (server, client);
} else {
- client->direction = gnutls_record_get_direction (client->session);
if (qemudRegisterClientEvent (server ,client, 1) < 0)
qemudDispatchClientFailure (server, client);
}
@@ -1294,15 +1357,11 @@ static void qemudDispatchClientRead(stru
}
-static int qemudClientWrite(struct qemud_server *server,
- struct qemud_client *client) {
- int ret, len;
- char *data;
-
- data = client->buffer + client->bufferOffset;
- len = client->bufferLength - client->bufferOffset;
-
- if (!client->tls) {
+static int qemudClientWriteBuf(struct qemud_server *server,
+ struct qemud_client *client,
+ const char *data, int len) {
+ int ret;
+ if (!client->tlssession) {
if ((ret = write(client->fd, data, len)) == -1) {
if (errno != EAGAIN) {
qemudLog (QEMUD_ERR, "write: %s", strerror (errno));
@@ -1311,8 +1370,7 @@ static int qemudClientWrite(struct qemud
return -1;
}
} else {
- ret = gnutls_record_send (client->session, data, len);
- client->direction = gnutls_record_get_direction (client->session);
+ ret = gnutls_record_send (client->tlssession, data, len);
if (qemudRegisterClientEvent (server, client, 1) < 0)
qemudDispatchClientFailure (server, client);
else if (ret < 0) {
@@ -1324,9 +1382,69 @@ static int qemudClientWrite(struct qemud
return -1;
}
}
-
+ return ret;
+}
+
+
+static int qemudClientWritePlain(struct qemud_server *server,
+ struct qemud_client *client) {
+ int ret = qemudClientWriteBuf(server, client,
+ client->buffer + client->bufferOffset,
+ client->bufferLength - client->bufferOffset);
+ if (ret < 0)
+ return -1;
client->bufferOffset += ret;
return 0;
+}
+
+
+#if HAVE_SASL
+static int qemudClientWriteSASL(struct qemud_server *server,
+ struct qemud_client *client) {
+ int ret;
+
+ /* Not got any pending encoded data, so we need to encode raw stuff */
+ if (client->saslEncoded == NULL) {
+ int err;
+ err = sasl_encode(client->saslconn,
+ client->buffer + client->bufferOffset,
+ client->bufferLength - client->bufferOffset,
+ &client->saslEncoded,
+ &client->saslEncodedLength);
+
+ client->saslEncodedOffset = 0;
+ }
+
+ /* Send some of the encoded stuff out on the wire */
+ ret = qemudClientWriteBuf(server, client,
+ client->saslEncoded + client->saslEncodedOffset,
+ client->saslEncodedLength -
client->saslEncodedOffset);
+
+ if (ret < 0)
+ return -1;
+
+ /* Note how much we sent */
+ client->saslEncodedOffset += ret;
+
+ /* Sent all encoded, so update raw buffer to indicate completion */
+ if (client->saslEncodedOffset == client->saslEncodedLength) {
+ client->saslEncoded = NULL;
+ client->saslEncodedOffset = client->saslEncodedLength = 0;
+ client->bufferOffset = client->bufferLength;
+ }
+
+ return 0;
+}
+#endif
+
+static int qemudClientWrite(struct qemud_server *server,
+ struct qemud_client *client) {
+#if HAVE_SASL
+ if (client->saslSSF & QEMUD_SASL_SSF_WRITE)
+ return qemudClientWriteSASL(server, client);
+ else
+#endif
+ return qemudClientWritePlain(server, client);
}
@@ -1341,7 +1459,6 @@ static void qemudDispatchClientWrite(str
client->mode = QEMUD_MODE_RX_HEADER;
client->bufferLength = REMOTE_MESSAGE_HEADER_XDR_LEN;
client->bufferOffset = 0;
- if (client->tls) client->direction = QEMUD_TLS_DIRECTION_READ;
if (qemudRegisterClientEvent (server, client, 1) < 0)
qemudDispatchClientFailure (server, client);
@@ -1354,7 +1471,7 @@ static void qemudDispatchClientWrite(str
int ret;
/* Continue the handshake. */
- ret = gnutls_handshake (client->session);
+ ret = gnutls_handshake (client->tlssession);
if (ret == 0) {
/* Finished. Next step is to check the certificate. */
if (remoteCheckAccess (client) == -1)
@@ -1366,7 +1483,6 @@ static void qemudDispatchClientWrite(str
gnutls_strerror (ret));
qemudDispatchClientFailure (server, client);
} else {
- client->direction = gnutls_record_get_direction (client->session);
if (qemudRegisterClientEvent (server, client, 1))
qemudDispatchClientFailure (server, client);
}
@@ -1406,25 +1522,37 @@ static int qemudRegisterClientEvent(stru
static int qemudRegisterClientEvent(struct qemud_server *server,
struct qemud_client *client,
int removeFirst) {
+ int mode;
+ switch (client->mode) {
+ case QEMUD_MODE_TLS_HANDSHAKE:
+ if (gnutls_record_get_direction (client->tlssession) == 0)
+ mode = POLLIN;
+ else
+ mode = POLLOUT;
+ break;
+
+ case QEMUD_MODE_RX_HEADER:
+ case QEMUD_MODE_RX_PAYLOAD:
+ mode = POLLIN;
+ break;
+
+ case QEMUD_MODE_TX_PACKET:
+ mode = POLLOUT;
+ break;
+
+ default:
+ return -1;
+ }
+
if (removeFirst)
if (virEventRemoveHandleImpl(client->fd) < 0)
return -1;
- if (client->tls) {
- if (virEventAddHandleImpl(client->fd,
- (client->direction ?
- POLLOUT : POLLIN) | POLLERR | POLLHUP,
- qemudDispatchClientEvent,
- server) < 0)
- return -1;
- } else {
- if (virEventAddHandleImpl(client->fd,
- (client->mode == QEMUD_MODE_TX_PACKET ?
- POLLOUT : POLLIN) | POLLERR | POLLHUP,
- qemudDispatchClientEvent,
- server) < 0)
- return -1;
- }
+ if (virEventAddHandleImpl(client->fd,
+ mode | POLLERR | POLLHUP,
+ qemudDispatchClientEvent,
+ server) < 0)
+ return -1;
return 0;
}
diff -r 5a37498017ac qemud/remote.c
--- a/qemud/remote.c Wed Nov 28 23:00:04 2007 -0500
+++ b/qemud/remote.c Wed Nov 28 23:00:47 2007 -0500
@@ -284,7 +284,6 @@ remoteDispatchClientRequest (struct qemu
client->mode = QEMUD_MODE_TX_PACKET;
client->bufferLength = len;
client->bufferOffset = 0;
- if (client->tls) client->direction = QEMUD_TLS_DIRECTION_WRITE;
}
/* An error occurred during the dispatching process itself (ie. not
@@ -369,7 +368,6 @@ remoteDispatchSendError (struct qemud_cl
client->mode = QEMUD_MODE_TX_PACKET;
client->bufferLength = len;
client->bufferOffset = 0;
- if (client->tls) client->direction = QEMUD_TLS_DIRECTION_WRITE;
}
static void
@@ -2042,6 +2040,7 @@ remoteDispatchAuthSaslInit (struct qemud
remote_auth_sasl_init_ret *ret)
{
const char *mechlist = NULL;
+ sasl_security_properties_t secprops;
int err;
struct sockaddr_storage sa;
socklen_t salen;
@@ -2097,6 +2096,60 @@ remoteDispatchAuthSaslInit (struct qemud
return -2;
}
+ /* Inform SASL that we've got an external SSF layer from TLS */
+ if (client->type == QEMUD_SOCK_TYPE_TLS) {
+ gnutls_cipher_algorithm_t cipher;
+ sasl_ssf_t ssf;
+
+ cipher = gnutls_cipher_get(client->tlssession);
+ if (!(ssf = (sasl_ssf_t)gnutls_cipher_get_key_size(cipher))) {
+ qemudLog(QEMUD_ERR, "cannot TLS get cipher size");
+ remoteDispatchFailAuth(client, req);
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ return -2;
+ }
+ ssf *= 8; /* tls key size is bytes, sasl wants bits */
+
+ err = sasl_setprop(client->saslconn, SASL_SSF_EXTERNAL, &ssf);
+ if (err != SASL_OK) {
+ qemudLog(QEMUD_ERR, "cannot set SASL external SSF %d (%s)",
+ err, sasl_errstring(err, NULL, NULL));
+ remoteDispatchFailAuth(client, req);
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ return -2;
+ }
+ }
+
+ memset (&secprops, 0, sizeof secprops);
+ if (client->type == QEMUD_SOCK_TYPE_TLS ||
+ client->type == QEMUD_SOCK_TYPE_UNIX) {
+ /* If we've got TLS or UNIX domain sock, we don't care about SSF */
+ secprops.min_ssf = 0;
+ secprops.max_ssf = 0;
+ secprops.maxbufsize = 8192;
+ secprops.security_flags = 0;
+ } else {
+ /* Plain TCP, better get an SSF layer */
+ secprops.min_ssf = 56; /* Good enough to require kerberos */
+ secprops.max_ssf = 100000; /* Arbitrary big number */
+ secprops.maxbufsize = 8192;
+ /* Forbid any anonymous or trivially crackable auth */
+ secprops.security_flags =
+ SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
+ }
+
+ err = sasl_setprop(client->saslconn, SASL_SEC_PROPS, &secprops);
+ if (err != SASL_OK) {
+ qemudLog(QEMUD_ERR, "cannot set SASL security props %d (%s)",
+ err, sasl_errstring(err, NULL, NULL));
+ remoteDispatchFailAuth(client, req);
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ return -2;
+ }
+
err = sasl_listmech(client->saslconn,
NULL, /* Don't need to set user */
"", /* Prefix */
@@ -2126,6 +2179,49 @@ remoteDispatchAuthSaslInit (struct qemud
return 0;
}
+
+/* We asked for an SSF layer, so sanity check that we actaully
+ * got what we asked for */
+static int
+remoteSASLCheckSSF (struct qemud_client *client,
+ remote_message_header *req) {
+ const void *val;
+ int err, ssf;
+
+ if (client->type == QEMUD_SOCK_TYPE_TLS ||
+ client->type == QEMUD_SOCK_TYPE_UNIX)
+ return 0; /* TLS or UNIX domain sockets trivially OK */
+
+ err = sasl_getprop(client->saslconn, SASL_SSF, &val);
+ if (err != SASL_OK) {
+ qemudLog(QEMUD_ERR, "cannot query SASL ssf on connection %d (%s)",
+ err, sasl_errstring(err, NULL, NULL));
+ remoteDispatchFailAuth(client, req);
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ return -1;
+ }
+ ssf = *(const int *)val;
+ REMOTE_DEBUG("negotiated an SSF of %d", ssf);
+ if (ssf < 56) { /* 56 is good for Kerberos */
+ qemudLog(QEMUD_ERR, "negotiated SSF %d was not strong enough", ssf);
+ remoteDispatchFailAuth(client, req);
+ sasl_dispose(&client->saslconn);
+ client->saslconn = NULL;
+ return -1;
+ }
+
+ /* Only setup for read initially, because we're about to send an RPC
+ * reply which must be in plain text. When the next incoming RPC
+ * arrives, we'll switch on writes too
+ *
+ * cf qemudClientReadSASL in qemud.c
+ */
+ client->saslSSF = QEMUD_SASL_SSF_READ;
+
+ /* We have a SSF !*/
+ return 0;
+}
/*
* This starts the SASL authentication negotiation.
@@ -2192,6 +2288,9 @@ remoteDispatchAuthSaslStart (struct qemu
if (err == SASL_CONTINUE) {
ret->complete = 0;
} else {
+ if (remoteSASLCheckSSF(client, req) < 0)
+ return -2;
+
REMOTE_DEBUG("Authentication successful %d", client->fd);
ret->complete = 1;
client->auth = REMOTE_AUTH_NONE;
@@ -2263,6 +2362,9 @@ remoteDispatchAuthSaslStep (struct qemud
if (err == SASL_CONTINUE) {
ret->complete = 0;
} else {
+ if (remoteSASLCheckSSF(client, req) < 0)
+ return -2;
+
REMOTE_DEBUG("Authentication successful %d", client->fd);
ret->complete = 1;
client->auth = REMOTE_AUTH_NONE;
diff -r 5a37498017ac src/remote_internal.c
--- a/src/remote_internal.c Wed Nov 28 23:00:04 2007 -0500
+++ b/src/remote_internal.c Wed Nov 28 23:00:47 2007 -0500
@@ -79,6 +79,9 @@ struct private_data {
FILE *debugLog; /* Debug remote protocol */
#if HAVE_SASL
sasl_conn_t *saslconn; /* SASL context */
+ const char *saslDecoded;
+ unsigned int saslDecodedLength;
+ unsigned int saslDecodedOffset;
#endif
};
@@ -2907,15 +2910,14 @@ static char *addrToString(struct sockadd
/* Perform the SASL authentication process
*
- * XXX negotiate a session encryption layer for non-TLS sockets
* XXX fetch credentials from a libvirt client app callback
- * XXX max packet size spec
* XXX better mechanism negotiation ? Ask client app ?
*/
static int
remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open)
{
sasl_conn_t *saslconn = NULL;
+ sasl_security_properties_t secprops;
remote_auth_sasl_init_ret iret;
remote_auth_sasl_start_args sargs;
remote_auth_sasl_start_ret sret;
@@ -2929,6 +2931,8 @@ remoteAuthSASL (virConnectPtr conn, stru
struct sockaddr_storage sa;
socklen_t salen;
char *localAddr, *remoteAddr;
+ const void *val;
+ sasl_ssf_t ssf;
remoteDebug(priv, "Client initialize SASL authentication");
/* Sets up the SASL library as a whole */
@@ -2984,6 +2988,51 @@ remoteAuthSASL (virConnectPtr conn, stru
VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
"Failed to create SASL client context: %d (%s)",
err, sasl_errstring(err, NULL, NULL));
+ return -1;
+ }
+
+ /* Initialize some connection props we care about */
+ if (priv->uses_tls) {
+ gnutls_cipher_algorithm_t cipher;
+
+ cipher = gnutls_cipher_get(priv->session);
+ if (!(ssf = (sasl_ssf_t)gnutls_cipher_get_key_size(cipher))) {
+ __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+ VIR_ERR_INTERNAL_ERROR, VIR_ERR_ERROR, NULL, NULL, NULL, 0,
0,
+ "invalid cipher size for TLS session");
+ sasl_dispose(&saslconn);
+ return -1;
+ }
+ ssf *= 8; /* key size is bytes, sasl wants bits */
+
+ remoteDebug(priv, "Setting external SSF %d", ssf);
+ err = sasl_setprop(saslconn, SASL_SSF_EXTERNAL, &ssf);
+ if (err != SASL_OK) {
+ __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+ VIR_ERR_INTERNAL_ERROR, VIR_ERR_ERROR, NULL, NULL, NULL, 0,
0,
+ "cannot set external SSF %d (%s)",
+ err, sasl_errstring(err, NULL, NULL));
+ sasl_dispose(&saslconn);
+ return -1;
+ }
+ }
+
+ memset (&secprops, 0, sizeof secprops);
+ /* If we've got TLS, we don't care about SSF */
+ secprops.min_ssf = priv->uses_tls ? 0 : 56; /* Equiv to DES supported by all
Kerberos */
+ secprops.max_ssf = priv->uses_tls ? 0 : 100000; /* Very strong ! AES == 256 */
+ secprops.maxbufsize = 100000;
+ /* If we're not TLS, then forbid any anonymous or trivially crackable auth */
+ secprops.security_flags = priv->uses_tls ? 0 :
+ SASL_SEC_NOANONYMOUS | SASL_SEC_NOPLAINTEXT;
+
+ err = sasl_setprop(saslconn, SASL_SEC_PROPS, &secprops);
+ if (err != SASL_OK) {
+ __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+ VIR_ERR_INTERNAL_ERROR, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
+ "cannot set security props %d (%s)",
+ err, sasl_errstring(err, NULL, NULL));
+ sasl_dispose(&saslconn);
return -1;
}
@@ -3103,9 +3152,30 @@ remoteAuthSASL (virConnectPtr conn, stru
}
}
+ /* Check for suitable SSF if non-TLS */
+ if (!priv->uses_tls) {
+ err = sasl_getprop(saslconn, SASL_SSF, &val);
+ if (err != SASL_OK) {
+ __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+ VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
+ "cannot query SASL ssf on connection %d (%s)",
+ err, sasl_errstring(err, NULL, NULL));
+ sasl_dispose(&saslconn);
+ return -1;
+ }
+ ssf = *(const int *)val;
+ remoteDebug(priv, "SASL SSF value %d", ssf);
+ if (ssf < 56) { /* 56 == DES level, good for Kerberos */
+ __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+ VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
+ "negotiation SSF %d was not strong enough", ssf);
+ sasl_dispose(&saslconn);
+ return -1;
+ }
+ }
+
remoteDebug(priv, "SASL authentication complete");
- /* XXX keep this around for wire encoding */
- sasl_dispose(&saslconn);
+ priv->saslconn = saslconn;
return 0;
}
#endif /* HAVE_SASL */
@@ -3306,11 +3376,11 @@ call (virConnectPtr conn, struct private
}
static int
-really_write (virConnectPtr conn, struct private_data *priv,
- int in_open /* if we are in virConnectOpen */,
- char *bytes, int len)
-{
- char *p;
+really_write_buf (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ const char *bytes, int len)
+{
+ const char *p;
int err;
p = bytes;
@@ -3348,55 +3418,156 @@ really_write (virConnectPtr conn, struct
}
static int
+really_write_plain (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ char *bytes, int len)
+{
+ return really_write_buf(conn, priv, in_open, bytes, len);
+}
+
+#if HAVE_SASL
+static int
+really_write_sasl (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ char *bytes, int len)
+{
+ const char *output;
+ unsigned int outputlen;
+ int err;
+
+ err = sasl_encode(priv->saslconn, bytes, len, &output, &outputlen);
+ if (err != SASL_OK) {
+ return -1;
+ }
+
+ return really_write_buf(conn, priv, in_open, output, outputlen);
+}
+#endif
+
+static int
+really_write (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ char *bytes, int len)
+{
+#if HAVE_SASL
+ if (priv->saslconn)
+ return really_write_sasl(conn, priv, in_open, bytes, len);
+ else
+#endif
+ return really_write_plain(conn, priv, in_open, bytes, len);
+}
+
+static int
+really_read_buf (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ char *bytes, int len)
+{
+ int err;
+
+ if (priv->uses_tls) {
+ tlsreread:
+ err = gnutls_record_recv (priv->session, bytes, len);
+ if (err < 0) {
+ if (err == GNUTLS_E_INTERRUPTED)
+ goto tlsreread;
+ error (in_open ? NULL : conn,
+ VIR_ERR_GNUTLS_ERROR, gnutls_strerror (err));
+ return -1;
+ }
+ if (err == 0) {
+ error (in_open ? NULL : conn,
+ VIR_ERR_RPC, "socket closed unexpectedly");
+ return -1;
+ }
+ return err;
+ } else {
+ reread:
+ err = read (priv->sock, bytes, len);
+ if (err == -1) {
+ if (errno == EINTR)
+ goto reread;
+ error (in_open ? NULL : conn,
+ VIR_ERR_SYSTEM_ERROR, strerror (errno));
+ return -1;
+ }
+ if (err == 0) {
+ error (in_open ? NULL : conn,
+ VIR_ERR_RPC, "socket closed unexpectedly");
+ return -1;
+ }
+ return err;
+ }
+
+ return 0;
+}
+
+static int
+really_read_plain (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ char *bytes, int len)
+{
+ do {
+ int ret = really_read_buf (conn, priv, in_open, bytes, len);
+ if (ret < 0)
+ return -1;
+
+ len -= ret;
+ bytes += ret;
+ } while (len > 0);
+
+ return 0;
+}
+
+#if HAVE_SASL
+static int
+really_read_sasl (virConnectPtr conn, struct private_data *priv,
+ int in_open /* if we are in virConnectOpen */,
+ char *bytes, int len)
+{
+ do {
+ int want, got;
+ if (priv->saslDecoded == NULL) {
+ char encoded[8192];
+ int encodedLen = sizeof(encoded);
+ int err, ret;
+ ret = really_read_buf (conn, priv, in_open, encoded, encodedLen);
+ if (ret < 0)
+ return -1;
+
+ err = sasl_decode(priv->saslconn, encoded, ret,
+ &priv->saslDecoded,
&priv->saslDecodedLength);
+ }
+
+ got = priv->saslDecodedLength - priv->saslDecodedOffset;
+ want = len;
+ if (want > got)
+ want = got;
+
+ memcpy(bytes, priv->saslDecoded + priv->saslDecodedOffset, want);
+ priv->saslDecodedOffset += want;
+ if (priv->saslDecodedOffset == priv->saslDecodedLength) {
+ priv->saslDecoded = NULL;
+ priv->saslDecodedOffset = priv->saslDecodedLength = 0;
+ }
+ bytes += want;
+ len -= want;
+ } while (len > 0);
+
+ return 0;
+}
+#endif
+
+static int
really_read (virConnectPtr conn, struct private_data *priv,
int in_open /* if we are in virConnectOpen */,
char *bytes, int len)
{
- char *p;
- int err;
-
- p = bytes;
- if (priv->uses_tls) {
- do {
- err = gnutls_record_recv (priv->session, p, len);
- if (err < 0) {
- if (err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN)
- continue;
- error (in_open ? NULL : conn,
- VIR_ERR_GNUTLS_ERROR, gnutls_strerror (err));
- return -1;
- }
- if (err == 0) {
- error (in_open ? NULL : conn,
- VIR_ERR_RPC, "socket closed unexpectedly");
- return -1;
- }
- len -= err;
- p += err;
- }
- while (len > 0);
- } else {
- do {
- err = read (priv->sock, p, len);
- if (err == -1) {
- if (errno == EINTR || errno == EAGAIN)
- continue;
- error (in_open ? NULL : conn,
- VIR_ERR_SYSTEM_ERROR, strerror (errno));
- return -1;
- }
- if (err == 0) {
- error (in_open ? NULL : conn,
- VIR_ERR_RPC, "socket closed unexpectedly");
- return -1;
- }
- len -= err;
- p += err;
- }
- while (len > 0);
- }
-
- return 0;
+#if HAVE_SASL
+ if (priv->saslconn)
+ return really_read_sasl (conn, priv, in_open, bytes, len);
+ else
+#endif
+ return really_read_plain (conn, priv, in_open, bytes, len);
}
/* For errors internal to this library. */
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|