Re: [PATCH 02/18] usbip: Add support for client authentication

From: Max Vozeler
Date: Sat Sep 20 2014 - 20:53:41 EST

Hi,

On Tue, Sep 16, 2014 at 11:38:39PM +0000, Maximilian Eschenbacher wrote:
> From: Dominik Paulus <dominik.paulus@xxxxxx>
>
> This patch adds support for authenticating both client and server using
> a pre-shared passphrase using SRP (Secure Remote Password) over TLS (see
> RFC 5054) using GnuTLS. Both usbip and usbipd now accept a shared secret
> as a command line argument.

The command line is not a good fit for passing secrets.

There is no way for the caller to provide the passphrase securely
because anything in the command line can be seen by other local users.

I suggest to read the passphrase from a file instead.

> Currently, the established TLS connection is
> only used to perform a secure handshake and dropped before the socket is
> passed to the kernel. The code may be extended to exchange a session key
> over TLS and pass it to the kernel to perform IPsec.
>
> Signed-off-by: Maximilian Eschenbacher <maximilian@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Fjodor Schelichow <fjodor.schelichow@xxxxxxxxxxx>
> Signed-off-by: Johannes Stadlinger <johannes.stadlinger@xxxxxx>
> Signed-off-by: Dominik Paulus <dominik.paulus@xxxxxx>
> Signed-off-by: Tobias Polzer <tobias.polzer@xxxxxx>
> ---
> tools/usb/usbip/configure.ac | 14 +++
> tools/usb/usbip/doc/usbip.8 | 4 +
> tools/usb/usbip/doc/usbipd.8 | 5 +
> tools/usb/usbip/src/usbip.c | 30 +++++-
> tools/usb/usbip/src/usbip_attach.c | 2 +-
> tools/usb/usbip/src/usbip_list.c | 2 +-
> tools/usb/usbip/src/usbip_network.c | 185 ++++++++++++++++++++++++++++++++++++
> tools/usb/usbip/src/usbip_network.h | 11 ++-
> tools/usb/usbip/src/usbipd.c | 115 ++++++++++++++++------
> 9 files changed, 335 insertions(+), 33 deletions(-)
>
> diff --git a/tools/usb/usbip/configure.ac b/tools/usb/usbip/configure.ac
> index 607d05c..6a8156f 100644
> --- a/tools/usb/usbip/configure.ac
> +++ b/tools/usb/usbip/configure.ac
> @@ -83,6 +83,20 @@ AC_ARG_WITH([tcp-wrappers],
> AC_DEFINE([HAVE_LIBWRAP], [1], [use tcp wrapper])],
> [AC_MSG_RESULT([no]); LIBS="$saved_LIBS"])])
>
> +# Checks for the GnuTLS library
> +AC_ARG_WITH([gnutls],
> + [AS_HELP_STRING([--with-gnutls],
> + [use the GnuTLS library for authentication])],
> + dnl [ACTION-IF-GIVEN]
> + [if test "$withval" = "yes"; then
> + PKG_CHECK_MODULES([GNUTLS], [gnutls])

GnuTLS version 2.12 passes this configure test but then fails during the
build. Please check for the minimum version here:

+ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.0])

> + AC_DEFINE([HAVE_GNUTLS], [1], [use gnutls])
> + CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
> + LDFLAGS="$LDFLAGS $GNUTLS_LIBS"
> + fi
> + ],
> + )
> +
> # Sets directory containing usb.ids.
> AC_ARG_WITH([usbids-dir],
> [AS_HELP_STRING([--with-usbids-dir=DIR],
> diff --git a/tools/usb/usbip/doc/usbip.8 b/tools/usb/usbip/doc/usbip.8
> index a6097be..847aa40 100644
> --- a/tools/usb/usbip/doc/usbip.8
> +++ b/tools/usb/usbip/doc/usbip.8
> @@ -27,6 +27,10 @@ Log to syslog.
> \fB\-\-tcp-port PORT\fR
> .IP
> Connect to PORT on remote host (used for attach and list --remote).
> +
> +\fB\-\-auth\fR
> +.IP
> +Set the password to be used for client authentication. See usbipd(8) for more information.
> .PP
>
> .SH COMMANDS
> diff --git a/tools/usb/usbip/doc/usbipd.8 b/tools/usb/usbip/doc/usbipd.8
> index ac4635d..8beb95a 100644
> --- a/tools/usb/usbip/doc/usbipd.8
> +++ b/tools/usb/usbip/doc/usbipd.8
> @@ -52,6 +52,11 @@ If no FILE specified, use /var/run/usbipd.pid
> \fB\-tPORT\fR, \fB\-\-tcp\-port PORT\fR
> .IP
> Listen on TCP/IP port PORT.
> +
> +.HP
> +\fB\-s\fR, \fB\-\-auth\fR
> +.IP
> +Sets the password to be used for client authentication. If -a is used, the server will only accept connections from authenticated clients. Note: USB traffic will still be unencrypted, this currently only serves for authentication.
> .PP
>
> \fB\-h\fR, \fB\-\-help\fR
> diff --git a/tools/usb/usbip/src/usbip.c b/tools/usb/usbip/src/usbip.c
> index d7599d9..cd7e420 100644
> --- a/tools/usb/usbip/src/usbip.c
> +++ b/tools/usb/usbip/src/usbip.c
> @@ -25,6 +25,12 @@
> #include <getopt.h>
> #include <syslog.h>
>
> +#include "../config.h"
> +
> +#ifdef HAVE_GNUTLS
> +#include <gnutls/gnutls.h>
> +#endif
> +
> #include "usbip_common.h"
> #include "usbip_network.h"
> #include "usbip.h"
> @@ -35,8 +41,12 @@ static int usbip_version(int argc, char *argv[]);
> static const char usbip_version_string[] = PACKAGE_STRING;
>
> static const char usbip_usage_string[] =
> - "usbip [--debug] [--log] [--tcp-port PORT] [version]\n"
> - " [help] <command> <args>\n";
> + "usbip "
> +#ifdef HAVE_GNUTLS
> + "[--auth PASSWORD] "
> +#endif
> + "[--debug] [--log] [--tcp-port PORT]\n"
> + " [version] [help] <command> <args>\n";
>
> static void usbip_usage(void)
> {
> @@ -148,6 +158,7 @@ int main(int argc, char *argv[])
> { "debug", no_argument, NULL, 'd' },
> { "log", no_argument, NULL, 'l' },
> { "tcp-port", required_argument, NULL, 't' },
> + { "auth", required_argument, NULL, 's' },
> { NULL, 0, NULL, 0 }
> };
>
> @@ -158,12 +169,25 @@ int main(int argc, char *argv[])
> usbip_use_stderr = 1;
> opterr = 0;
> for (;;) {
> - opt = getopt_long(argc, argv, "+dlt:", opts, NULL);
> + opt = getopt_long(argc, argv, "+dls:t:", opts, NULL);
>
> if (opt == -1)
> break;
>
> switch (opt) {
> + case 's':
> +#ifdef HAVE_GNUTLS
> + usbip_srp_password = optarg;
> + rc = gnutls_global_init();
> + if (rc < 0) {
> + err("Unable to initialize GnuTLS library: %s",
> + gnutls_strerror(rc));
> + return EXIT_FAILURE;
> + }

The initialization may be better placed outside the getopt loop or it
could be called multiple times.

> +#else
> + err("usbip has been compiled without GnuTLS support");
> +#endif
> + break;
> case 'd':
> usbip_use_debug = 1;
> break;
> diff --git a/tools/usb/usbip/src/usbip_attach.c b/tools/usb/usbip/src/usbip_attach.c
> index d58a14d..4421ebc 100644
> --- a/tools/usb/usbip/src/usbip_attach.c
> +++ b/tools/usb/usbip/src/usbip_attach.c
> @@ -175,7 +175,7 @@ static int attach_device(char *host, char *busid)
> int rc;
> int rhport;
>
> - sockfd = usbip_net_tcp_connect(host, usbip_port_string);
> + sockfd = usbip_net_connect(host);
> if (sockfd < 0) {
> err("tcp connect");
> return -1;
> diff --git a/tools/usb/usbip/src/usbip_list.c b/tools/usb/usbip/src/usbip_list.c
> index d5ce34a..6042b7e 100644
> --- a/tools/usb/usbip/src/usbip_list.c
> +++ b/tools/usb/usbip/src/usbip_list.c
> @@ -132,7 +132,7 @@ static int list_exported_devices(char *host)
> int rc;
> int sockfd;
>
> - sockfd = usbip_net_tcp_connect(host, usbip_port_string);
> + sockfd = usbip_net_connect(host);
> if (sockfd < 0) {
> err("could not connect to %s:%s: %s", host,
> usbip_port_string, gai_strerror(sockfd));
> diff --git a/tools/usb/usbip/src/usbip_network.c b/tools/usb/usbip/src/usbip_network.c
> index b4c37e7..6b8f949 100644
> --- a/tools/usb/usbip/src/usbip_network.c
> +++ b/tools/usb/usbip/src/usbip_network.c
> @@ -29,11 +29,20 @@
> #include <tcpd.h>
> #endif
>
> +#include "../config.h"
> +#ifdef HAVE_GNUTLS
> +#include <gnutls/gnutls.h>
> +#include <gnutls/crypto.h>
> +#endif
> +
> #include "usbip_common.h"
> #include "usbip_network.h"
>
> int usbip_port = 3240;
> char *usbip_port_string = "3240";
> +#ifdef HAVE_GNUTLS
> +char *usbip_srp_password;
> +#endif
>
> void usbip_setup_port_number(char *arg)
> {
> @@ -301,3 +310,179 @@ int usbip_net_tcp_connect(char *hostname, char *service)
>
> return sockfd;
> }
> +
> +#ifdef HAVE_GNUTLS
> +static gnutls_datum_t usbip_net_srp_salt, usbip_net_srp_verifier;
> +static gnutls_srp_server_credentials_t usbip_net_srp_cred;
> +
> +#define SRP_GROUP gnutls_srp_2048_group_generator
> +#define SRP_PRIME gnutls_srp_2048_group_prime
> +
> +int usbip_net_srp_client_handshake(int sockfd)
> +{
> + int ret;
> + gnutls_session_t session;
> + gnutls_srp_client_credentials_t usbip_net_srp_cred;
> +
> + ret = gnutls_srp_allocate_client_credentials(&usbip_net_srp_cred);
> + if (ret < 0)
> + return ret;
> +
> + gnutls_srp_set_client_credentials(usbip_net_srp_cred, "dummyuser",
> + usbip_srp_password);
>
> + ret = gnutls_init(&session, GNUTLS_CLIENT);
> + if (ret < 0) {
> + gnutls_srp_free_client_credentials(usbip_net_srp_cred);
> + return ret;
> + }
> +
> + gnutls_priority_set_direct(session, "NORMAL:+SRP", NULL);
> +
> + gnutls_credentials_set(session, GNUTLS_CRD_SRP, usbip_net_srp_cred);
> + gnutls_transport_set_int (session, sockfd);
> +
> + do {
> + ret = gnutls_handshake(session);
> + } while (ret < 0 && !gnutls_error_is_fatal(ret));
> +
> + gnutls_bye(session, GNUTLS_SHUT_RDWR);
> +
> + gnutls_deinit(session);
> + gnutls_srp_free_client_credentials(usbip_net_srp_cred);
> +
> + return ret;
> +}
> +
> +int net_srp_server_handshake(int connfd)
> +{
> + int ret;
> + gnutls_session_t session;
> +
> + if (gnutls_init(&session, GNUTLS_SERVER) != 0)
> + return -1;
> + gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+SRP", NULL);
> + ret = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
> + usbip_net_srp_cred);
> + if (!ret)
> + return -1;
> +
> + gnutls_transport_set_int(session, connfd);
> +
> + do {
> + ret = gnutls_handshake(session);
> + } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
> +
> + if (ret < 0)
> + err("GnuTLS handshake failed (%s)", gnutls_strerror(ret));
> + else
> + info("GnuTLS handshake completed");
> +
> + if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != 0)
> + err("Unable to shutdown TLS connection.");
> + gnutls_deinit(session);
> +
> + return ret;
> +}
> +
> +static int net_srp_callback(gnutls_session_t sess, const char *username,
> + gnutls_datum_t *nsalt, gnutls_datum_t *nverifier, gnutls_datum_t *g,
> + gnutls_datum_t *n)
> +{
> + /*
> + * GnuTLS expects us to allocate all data returned from callbacks
> + * using gnutls_malloc(), thus, we have to create a fresh copy of
> + * our static credentials for every connection.
> + */
> + nsalt->data = gnutls_malloc(usbip_net_srp_salt.size);
> + nverifier->data = gnutls_malloc(usbip_net_srp_verifier.size);
> + if (nsalt->data == NULL || nverifier->data == NULL) {

if (!nsalt->data || !nverifier->data) {

> + gnutls_free(nsalt->data);
> + gnutls_free(nverifier->data);
> + return -1;
> + }
> + nsalt->size = usbip_net_srp_salt.size;
> + nverifier->size = usbip_net_srp_verifier.size;
> + memcpy(nverifier->data, usbip_net_srp_verifier.data,
> + usbip_net_srp_verifier.size);
> + memcpy(nsalt->data, usbip_net_srp_salt.data, usbip_net_srp_salt.size);
> +
> + *g = SRP_GROUP;
> + *n = SRP_PRIME;
> +
> + /* We only have a single session, thus, ignore it */
> + (void) sess;
> +
> + if (strcmp(username, "dummyuser"))
> + /* User invalid, stored dummy data in g and n. */
> + return 1;

Could you describe the role of "dummyuser" in a comment? It seems to be
a placeholder for GnuTLS SRP requiring a username.

> + return 0;
> +}
> +
> +int usbip_net_init_gnutls(void)
> +{
> + int ret;
> +
> + gnutls_global_init();
> +
> + usbip_net_srp_salt.data = gnutls_malloc(16);

This should be freed somewhere.

> + if (!usbip_net_srp_salt.data)
> + return GNUTLS_E_MEMORY_ERROR;
> +
> + ret = gnutls_rnd(GNUTLS_RND_NONCE, usbip_net_srp_salt.data, 16);
> + if (ret < 0)
> + return ret;
> +
> + usbip_net_srp_salt.size = 16;
> +
> + ret = gnutls_srp_allocate_server_credentials(&usbip_net_srp_cred);
> + if (ret < 0)
> + return ret;
> +
> + ret = gnutls_srp_verifier("dummyuser", optarg, &usbip_net_srp_salt,
> + &SRP_GROUP, &SRP_PRIME,
> + &usbip_net_srp_verifier);
> + if (ret < 0)
> + return ret;
> +
> + gnutls_srp_set_server_credentials_function(usbip_net_srp_cred,
> + net_srp_callback);
> +
> + return GNUTLS_E_SUCCESS;
> +}
> +#endif
> +
> +/*
> + * Connect to the server. Performs the TCP connection attempt
> + * and - if necessary - the TLS handshake used for authentication.
> + */
> +int usbip_net_connect(char *hostname)
> +{
> + int sockfd;
> +
> + sockfd = usbip_net_tcp_connect(hostname, usbip_port_string);
> + if (sockfd < 0)
> + return sockfd;
> +
> +#ifdef HAVE_GNUTLS
> + if (usbip_srp_password) {
> + int rc;
> +
> + rc = usbip_net_send_op_common(sockfd, OP_REQ_STARTTLS, 0);
> + if (rc < 0) {
> + err("usbip_net_send_op_common failed");
> + return EAI_SYSTEM;
> + }
> +
> + rc = usbip_net_srp_client_handshake(sockfd);
> + if (rc < 0) {
> + err("Unable to perform TLS handshake (wrong password?): %s",
> + gnutls_strerror(rc));
> + close(sockfd);
> + return EAI_SYSTEM;
> + }
> + }
> +#endif
> +
> + return sockfd;
> +}
> diff --git a/tools/usb/usbip/src/usbip_network.h b/tools/usb/usbip/src/usbip_network.h
> index c1e875c..292d584 100644
> --- a/tools/usb/usbip/src/usbip_network.h
> +++ b/tools/usb/usbip/src/usbip_network.h
> @@ -15,6 +15,7 @@
>
> extern int usbip_port;
> extern char *usbip_port_string;
> +extern char *usbip_srp_password;
> void usbip_setup_port_number(char *arg);
>
> /* ---------------------------------------------------------------------- */
> @@ -167,6 +168,12 @@ struct op_devlist_reply_extra {
> usbip_net_pack_uint32_t(pack, &(reply)->ndev);\
> } while (0)
>
> +/* ---------------------------------------------------------------------- */
> +/* Initiate encrypted connection. */
> +#define OP_STARTTLS 0x06
> +#define OP_REQ_STARTTLS (OP_REQUEST | OP_STARTTLS)
> +#define OP_REP_STARTTLS (OP_REPLY | OP_STARTTLS)
> +
> void usbip_net_pack_uint32_t(int pack, uint32_t *num);
> void usbip_net_pack_uint16_t(int pack, uint16_t *num);
> void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev);
> @@ -180,6 +187,8 @@ int usbip_net_set_reuseaddr(int sockfd);
> int usbip_net_set_nodelay(int sockfd);
> int usbip_net_set_keepalive(int sockfd);
> int usbip_net_set_v6only(int sockfd);
> -int usbip_net_tcp_connect(char *hostname, char *port);
> +int usbip_net_connect(char *hostname);
> +int net_srp_server_handshake(int connfd);
> +int usbip_net_init_gnutls(void);
>
> #endif /* __USBIP_NETWORK_H */
> diff --git a/tools/usb/usbip/src/usbipd.c b/tools/usb/usbip/src/usbipd.c
> index 2f87f2d..23c15d7 100644
> --- a/tools/usb/usbip/src/usbipd.c
> +++ b/tools/usb/usbip/src/usbipd.c
> @@ -36,6 +36,11 @@
> #include <tcpd.h>
> #endif
>
> +#ifdef HAVE_GNUTLS
> +#include <gnutls/gnutls.h>
> +#include <gnutls/crypto.h>
> +#endif
> +
> #include <getopt.h>
> #include <signal.h>
> #include <poll.h>
> @@ -64,6 +69,11 @@ static const char usbipd_help_string[] =
> " -6, --ipv6\n"
> " Bind to IPv6. Default is both.\n"
> "\n"
> +#ifdef HAVE_GNUTLS
> + " -sPASSWORD, --auth PASSWORD\n"
> + " Set PASSWORD as key used for authentication.\n"
> + "\n"
> +#endif
> " -D, --daemon\n"
> " Run as a daemon process.\n"
> "\n"
> @@ -83,6 +93,8 @@ static const char usbipd_help_string[] =
> " -v, --version\n"
> " Show version.\n";
>
> +static int need_auth;
> +
> static void usbipd_help(void)
> {
> printf("%s\n", usbipd_help_string);
> @@ -239,14 +251,7 @@ static int recv_request_devlist(int connfd)
>
> static int recv_pdu(int connfd)
> {
> - uint16_t code = OP_UNSPEC;
> - int ret;
> -
> - ret = usbip_net_recv_op_common(connfd, &code);
> - if (ret < 0) {
> - dbg("could not receive opcode: %#0x", code);
> - return -1;
> - }
> + int auth = !need_auth, cont = 1, ret;
> ret = usbip_host_refresh_device_list();
> if (ret < 0) {
> @@ -254,25 +259,63 @@ static int recv_pdu(int connfd)
> return -1;
> }
>
> - info("received request: %#0x(%d)", code, connfd);
> - switch (code) {
> - case OP_REQ_DEVLIST:
> - ret = recv_request_devlist(connfd);
> - break;
> - case OP_REQ_IMPORT:
> - ret = recv_request_import(connfd);
> - break;
> - case OP_REQ_DEVINFO:
> - case OP_REQ_CRYPKEY:
> - default:
> - err("received an unknown opcode: %#0x", code);
> - ret = -1;
> - }
> + /*
> + * Process opcodes. We might receive more than one, as the
> + * client might send STARTTLS first
> + */
> + while (cont) {
> + uint16_t code = OP_UNSPEC;
>
> - if (ret == 0)
> - info("request %#0x(%d): complete", code, connfd);
> - else
> - info("request %#0x(%d): failed", code, connfd);
> + ret = usbip_net_recv_op_common(connfd, &code);
> + if (ret < 0) {
> + dbg("could not receive opcode: %#0x", code);
> + return -1;
> + }
> +
> + info("received request: %#0x(%d)", code, connfd);
> +
> + /* We require an authenticated encryption */
> + if (!auth && code != OP_REQ_STARTTLS) {
> + usbip_net_send_op_common(connfd, OP_REPLY, ST_NA);
> + return -1;
> + }
> +
> + switch (code) {
> +#ifdef HAVE_GNUTLS
> + case OP_REQ_STARTTLS:
> + if (!need_auth) {
> + ret = -1;
> + err("Unexpected TLS handshake attempt (client uses password, server doesn't)");
> + } else {
> + ret = net_srp_server_handshake(connfd);
> + if (ret != 0)
> + err("TLS handshake failed");
> + auth = 1;

This marks the connection as authenticated even if the handshake has
failed, which doesn't seem right.

The err() used here is a macro that merely logs the error and moves
on. It does not exit() like the err.h err() functions.

So this should probably be

> + if (ret != 0)
> + err("TLS handshake failed");
else
> + auth = 1;

instead?

> + }
> + break;
> +#endif
> + case OP_REQ_DEVLIST:
> + ret = recv_request_devlist(connfd);
> + cont = 0;
> + break;
> + case OP_REQ_IMPORT:
> + ret = recv_request_import(connfd);
> + cont = 0;
> + break;
> + case OP_REQ_DEVINFO:
> + case OP_REQ_CRYPKEY:
> + default:
> + err("received an unknown opcode: %#0x", code);
> + ret = -1;
> + }
> +
> + if (ret == 0)
> + info("request %#0x(%d): complete", code, connfd);
> + else {
> + info("request %#0x(%d): failed", code, connfd);
> + break;
> + }
> + }
>
> return ret;
> }
> @@ -593,6 +636,7 @@ int main(int argc, char *argv[])
> { "tcp-port", required_argument, NULL, 't' },
> { "help", no_argument, NULL, 'h' },
> { "version", no_argument, NULL, 'v' },
> + { "auth", required_argument, NULL, 's' },
> { NULL, 0, NULL, 0 }
> };
>
> @@ -605,6 +649,9 @@ int main(int argc, char *argv[])
> int daemonize = 0;
> int ipv4 = 0, ipv6 = 0;
> int opt, rc = -1;
> +#ifdef HAVE_GNUTLS
> + int ret;
> +#endif
>
> pid_file = NULL;
>
> @@ -616,7 +663,7 @@ int main(int argc, char *argv[])
>
> cmd = cmd_standalone_mode;
> for (;;) {
> - opt = getopt_long(argc, argv, "46DdP::t:hv", longopts, NULL);
> + opt = getopt_long(argc, argv, "46s:DdP::t:hv", longopts, NULL);
>
> if (opt == -1)
> break;
> @@ -628,6 +675,20 @@ int main(int argc, char *argv[])
> case '6':
> ipv6 = 1;
> break;
> + case 's':
> +#ifdef HAVE_GNUTLS
> + need_auth = 1;
> + ret = usbip_net_init_gnutls();
> + if (ret < 0) {
> + err("Unable to initialize GnuTLS: %s",
> + gnutls_strerror(ret));
> + return EXIT_FAILURE;
> + }
> + break;

Same comment as above (move outside getopt loop).

Max
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/