/* * Copyright (C) 2015 Glyptodon LLC * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ #include "guac_ssh.h" #include "guac_ssh_key.h" #include #include #ifdef LIBSSH2_USES_GCRYPT #include #endif #include #include #include #include #include #include #include #include #include #include #ifdef LIBSSH2_USES_GCRYPT GCRY_THREAD_OPTION_PTHREAD_IMPL; #endif /** * Array of mutexes, used by OpenSSL. */ static pthread_mutex_t* guac_common_ssh_openssl_locks; /** * Called by OpenSSL when locking or unlocking the Nth mutex. */ static void guac_common_ssh_openssl_locking_callback(int mode, int n, const char* file, int line){ /* Lock given mutex upon request */ if (mode & CRYPTO_LOCK) pthread_mutex_lock(&(guac_common_ssh_openssl_locks[n])); /* Unlock given mutex upon request */ else if (mode & CRYPTO_UNLOCK) pthread_mutex_unlock(&(guac_common_ssh_openssl_locks[n])); } /** * Called by OpenSSL when determining the current thread ID. */ static unsigned long guac_common_ssh_openssl_id_callback() { return (unsigned long) pthread_self(); } /** * Creates the given number of mutexes, such that OpenSSL will have at least * this number of mutexes at its disposal. */ static void guac_common_ssh_openssl_init_locks(int count) { int i; /* Allocate required number of locks */ guac_common_ssh_openssl_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks()); /* Initialize each lock */ for (i=0; i < count; i++) pthread_mutex_init(&(guac_common_ssh_openssl_locks[i]), NULL); } /** * Frees the given number of mutexes. */ static void guac_common_ssh_openssl_free_locks(int count) { int i; /* Free all locks */ for (i=0; i < count; i++) pthread_mutex_destroy(&(guac_common_ssh_openssl_locks[i])); } int guac_common_ssh_init(guac_client* client) { #ifdef LIBSSH2_USES_GCRYPT /* Init threadsafety in libgcrypt */ gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); if (!gcry_check_version(GCRYPT_VERSION)) { guac_client_log(client, GUAC_LOG_ERROR, "libgcrypt version mismatch."); return 1; } #endif /* Init threadsafety in OpenSSL */ guac_common_ssh_openssl_init_locks(CRYPTO_num_locks()); CRYPTO_set_id_callback(guac_common_ssh_openssl_id_callback); CRYPTO_set_locking_callback(guac_common_ssh_openssl_locking_callback); /* Init OpenSSL */ SSL_library_init(); ERR_load_crypto_strings(); /* Init libssh2 */ libssh2_init(0); /* Success */ return 0; } void guac_common_ssh_uninit() { guac_common_ssh_openssl_free_locks(CRYPTO_num_locks()); } /** * Connects to the SSH server running at the given hostname and port, but does * not perform any authentication. Authentication must be immediately performed * after creation of the session for the session to become usable. If an error * occurs while connecting, the Guacamole client will automatically and fatally * abort. * * @param client * The Guacamole client that will be using SSH. * * @param hostname * The hostname of the SSH server to connect to. * * @param port * The port to connect to on the given hostname. * * @param socket_fd * A pointer to an integer in which the newly-allocated file descriptor for * the SSH socket should be stored. * * @return * A new SSH session if the connection succeeds, or NULL if the connection * was not successful. */ static LIBSSH2_SESSION* guac_common_ssh_connect(guac_client* client, const char* hostname, const char* port, int* socket_fd) { int retval; int fd; struct addrinfo* addresses; struct addrinfo* current_address; char connected_address[1024]; char connected_port[64]; struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM, .ai_protocol = IPPROTO_TCP }; /* Get socket */ fd = socket(AF_INET, SOCK_STREAM, 0); /* Get addresses connection */ if ((retval = getaddrinfo(hostname, port, &hints, &addresses))) { guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR, "Error parsing given address or port: %s", gai_strerror(retval)); return NULL; } /* Attempt connection to each address until success */ current_address = addresses; while (current_address != NULL) { /* Resolve hostname */ if ((retval = getnameinfo(current_address->ai_addr, current_address->ai_addrlen, connected_address, sizeof(connected_address), connected_port, sizeof(connected_port), NI_NUMERICHOST | NI_NUMERICSERV))) guac_client_log(client, GUAC_LOG_DEBUG, "Unable to resolve host: %s", gai_strerror(retval)); /* Connect */ if (connect(fd, current_address->ai_addr, current_address->ai_addrlen) == 0) { guac_client_log(client, GUAC_LOG_DEBUG, "Successfully connected to host %s, port %s", connected_address, connected_port); /* Done if successful connect */ break; } /* Otherwise log information regarding bind failure */ else guac_client_log(client, GUAC_LOG_DEBUG, "Unable to connect to " "host %s, port %s: %s", connected_address, connected_port, strerror(errno)); current_address = current_address->ai_next; } /* If unable to connect to anything, fail */ if (current_address == NULL) { guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "Unable to connect to any addresses."); return NULL; } /* Free addrinfo */ freeaddrinfo(addresses); /* Open SSH session */ LIBSSH2_SESSION* session = libssh2_session_init_ex(NULL, NULL, NULL, client); if (session == NULL) { guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR, "Session allocation failed."); return NULL; } /* Perform handshake */ if (libssh2_session_handshake(session, fd)) { guac_client_abort(client, GUAC_PROTOCOL_STATUS_UPSTREAM_ERROR, "SSH handshake failed."); return NULL; } /* Save file descriptor */ if (socket_fd != NULL) *socket_fd = fd; /* Return created session */ return session; } LIBSSH2_SESSION* guac_common_ssh_connect_password(guac_client* client, const char* hostname, const char* port, const char* username, const char* password, int* socket_fd) { LIBSSH2_SESSION* session = guac_common_ssh_connect(client, hostname, port, socket_fd); /* STUB */ return session; } static int __sign_callback(LIBSSH2_SESSION* session, unsigned char** sig, size_t* sig_len, const unsigned char* data, size_t data_len, void **abstract) { guac_common_ssh_key* key = (guac_common_ssh_key*) abstract; int length; /* Allocate space for signature */ *sig = malloc(4096); /* Sign with key */ length = guac_common_ssh_key_sign(key, (const char*) data, data_len, *sig); if (length < 0) return 1; *sig_len = length; return 0; } LIBSSH2_SESSION* guac_common_ssh_connect_private_key(guac_client* client, const char* hostname, const char* port, const char* username, char* private_key, char* passphrase, int* socket_fd) { LIBSSH2_SESSION* session = guac_common_ssh_connect(client, hostname, port, socket_fd); guac_client_log(client, GUAC_LOG_DEBUG, "Attempting private key import (WITHOUT passphrase)"); /* Attempt to read key without passphrase */ guac_common_ssh_key* key = guac_common_ssh_key_alloc(private_key, strlen(private_key), ""); #if 0 /* On failure, attempt with passphrase */ if (key == NULL) { /* Log failure of initial attempt */ guac_client_log(client, GUAC_LOG_DEBUG, "Initial import failed: %s", guac_common_ssh_key_error()); guac_client_log(client, GUAC_LOG_DEBUG, "Re-attempting private key import (WITH passphrase)"); /* Prompt for passphrase if missing */ if (client_data->key_passphrase[0] == 0) guac_terminal_prompt(client_data->term, "Key passphrase: ", client_data->key_passphrase, sizeof(client_data->key_passphrase), false); /* Import key with passphrase */ client_data->key = guac_common_ssh_key_alloc(client_data->key_base64, strlen(client_data->key_base64), client_data->key_passphrase); /* If still failing, give up */ if (client_data->key == NULL) { guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED, "Auth key import failed: %s", guac_common_ssh_key_error()); return NULL; } } /* end decrypt key with passphrase */ #endif /* Success */ guac_client_log(client, GUAC_LOG_INFO, "Auth key successfully imported."); /* Get list of suported authentication methods */ char* user_authlist = libssh2_userauth_list(session, username, strlen(username)); guac_client_log(client, GUAC_LOG_DEBUG, "Supported authentication methods: %s", user_authlist); /* Check if public key auth is suported on the server */ if (strstr(user_authlist, "publickey") == NULL) { guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED, "Public key authentication not suported"); return NULL; } /* Attempt public key auth */ if (libssh2_userauth_publickey(session, username, (unsigned char*) key->public_key, key->public_key_length, __sign_callback, (void**) key)) { /* Abort on failure */ char* error_message; libssh2_session_last_error(session, &error_message, NULL, 0); guac_client_abort(client, GUAC_PROTOCOL_STATUS_CLIENT_UNAUTHORIZED, "Public key authentication failed: %s", error_message); return NULL; } /* Return new session on success */ return session; }