Posted to commits@guacamole.apache.org by vn...@apache.org on 2018/09/27 08:36:47 UTC

[1/6] guacamole-server git commit: GUACAMOLE-623: Support older libwebsockets SSL initialization.

Repository: guacamole-server
Updated Branches:
  refs/heads/master af93cfb32 -> b0be80803


GUACAMOLE-623: Support older libwebsockets SSL initialization.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/d8618b06
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/d8618b06
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/d8618b06

Branch: refs/heads/master
Commit: d8618b0682e69ca5c99f0608368f21188d16fce3
Parents: af93cfb
Author: Michael Jumper <mj...@apache.org>
Authored: Wed Sep 26 21:50:19 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 26 21:50:19 2018 -0700

----------------------------------------------------------------------
 configure.ac                          | 22 ++++++++++++++++++++--
 src/protocols/kubernetes/kubernetes.c |  6 ++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/d8618b06/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index d26db39..bb23f62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1198,14 +1198,32 @@ then
                  have_libwebsockets=no])
 fi
 
-# Check for client-specific closed event, which must be used in favor of the
-# generic closed event if libwebsockets is recent enough to provide this
 if test "x$with_websockets" != "xno"
 then
+
+    # Check for client-specific closed event, which must be used in favor of
+    # the generic closed event if libwebsockets is recent enough to provide
+    # this
     AC_CHECK_DECL([LWS_CALLBACK_CLIENT_CLOSED],
         [AC_DEFINE([HAVE_LWS_CALLBACK_CLIENT_CLOSED],,
                    [Whether LWS_CALLBACK_CLIENT_CLOSED is defined])],,
         [#include <libwebsockets.h>])
+
+    # Older versions of libwebsockets may not define a flag for requesting
+    # global initialization of OpenSSL, instead performing that initialization
+    # by default
+    AC_CHECK_DECL([LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT],
+        [AC_DEFINE([HAVE_LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT],,
+                   [Whether LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT is defined])],,
+        [#include <libwebsockets.h>])
+
+    # Older versions of libwebsockets do not define special macros for SSL
+    # connection flags, instead relying on documented integer values
+    AC_CHECK_DECL([LCCSCF_USE_SSL],
+        [AC_DEFINE([HAVE_LCCSCF_USE_SSL],,
+                   [Whether LCCSCF_USE_SSL is defined])],,
+        [#include <libwebsockets.h>])
+
 fi
 
 AM_CONDITIONAL([ENABLE_WEBSOCKETS],

http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/d8618b06/src/protocols/kubernetes/kubernetes.c
----------------------------------------------------------------------
diff --git a/src/protocols/kubernetes/kubernetes.c b/src/protocols/kubernetes/kubernetes.c
index f314c59..9cb0b13 100644
--- a/src/protocols/kubernetes/kubernetes.c
+++ b/src/protocols/kubernetes/kubernetes.c
@@ -268,9 +268,15 @@ void* guac_kubernetes_client_thread(void* data) {
      * do our own validation - libwebsockets does not validate properly if
      * IP addresses are used. */
     if (settings->use_ssl) {
+#ifdef HAVE_LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT
         context_info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
+#endif
+#ifdef HAVE_LCCSCF_USE_SSL
         connection_info.ssl_connection = LCCSCF_USE_SSL
             | LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;
+#else
+        connection_info.ssl_connection = 2; /* SSL + no hostname check */
+#endif
     }
 
     /* Create libwebsockets context */
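Review bot: The fallback `connection_info.ssl_connection = 2;` in the `#else` branch is not the numeric equivalent of the macro branch, and its comment may understate what it relaxes. As far as I know, releases that define the flags place `LCCSCF_USE_SSL` and `LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK` at bits 0 and 2, while older releases document the value 2 as "SSL, allow self-signed certificates". If that holds for the versions targeted here, server authentication on old libraries rests entirely on the verification set up on the SSL context, so the comment should say so, e.g. `/* legacy value 2: SSL, self-signed tolerated by lws; validation is done on the SSL_CTX */`, and a build against an old libwebsockets should confirm that a certificate not signed by the configured CA is still rejected. `HAVE_LCCSCF_USE_SSL` also stands in for `LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK`, which configure.ac does not probe. The body of guac_kubernetes_client_thread continues outside this hunk.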


[5/6] guacamole-server git commit: GUACAMOLE-623: Kill connection if libwebsockets is destroying the underlying WebSocket.

Posted by vn...@apache.org.
GUACAMOLE-623: Kill connection if libwebsockets is destroying the underlying WebSocket.

Older versions of libwebsockets will not necessarily invoke close events
under all circumstances, and will instead sometimes summarily destroy
the WebSocket. Thankfully there is another event for that, and newer
versions of libwebsockets continue to define that event. We can hook
into both to handle disconnect.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/9c593bde
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/9c593bde
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/9c593bde

Branch: refs/heads/master
Commit: 9c593bde89891522324fe84034e4a9bd415aae2c
Parents: 44d3433
Author: Michael Jumper <mj...@apache.org>
Authored: Wed Sep 26 22:30:08 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 26 22:31:25 2018 -0700

----------------------------------------------------------------------
 src/protocols/kubernetes/kubernetes.c | 1 +
 1 file changed, 1 insertion(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/9c593bde/src/protocols/kubernetes/kubernetes.c
----------------------------------------------------------------------
diff --git a/src/protocols/kubernetes/kubernetes.c b/src/protocols/kubernetes/kubernetes.c
index 66fc27d..e115fc5 100644
--- a/src/protocols/kubernetes/kubernetes.c
+++ b/src/protocols/kubernetes/kubernetes.c
@@ -120,6 +120,7 @@ static int guac_kubernetes_lws_callback(struct lws* wsi,
 #endif
 
         /* Connection closed */
+        case LWS_CALLBACK_WSI_DESTROY:
         case LWS_CALLBACK_CLOSED:
             guac_client_stop(client);
             guac_client_log(client, GUAC_LOG_DEBUG, "WebSocket connection to "
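Review bot: The comment `/* Connection closed */` above the two case labels does not say why `LWS_CALLBACK_WSI_DESTROY` is handled here; that reason exists only in the commit message. I would extend it to something like `/* Connection closed, or WebSocket destroyed without a close event (older libwebsockets) */`. Where both events fire for one connection, the second presumably hits the `client->state` guard at the top of the callback, but that guard and the effect of guac_client_stop on the state are outside this hunk, so it is worth confirming the handler body runs only once. The case body continues past the end of the hunk.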


[2/6] guacamole-server git commit: GUACAMOLE-623: Use libwebsockets' dummy callback only if defined.

Posted by vn...@apache.org.
GUACAMOLE-623: Use libwebsockets' dummy callback only if defined.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/b48a1b3a
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/b48a1b3a
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/b48a1b3a

Branch: refs/heads/master
Commit: b48a1b3a5d15e6c95fa64222342033eb584dc0a3
Parents: d8618b0
Author: Michael Jumper <mj...@apache.org>
Authored: Wed Sep 26 21:51:07 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 26 21:51:07 2018 -0700

----------------------------------------------------------------------
 configure.ac                          |  8 ++++++++
 src/protocols/kubernetes/kubernetes.c | 11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/b48a1b3a/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index bb23f62..672d19e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1224,6 +1224,14 @@ then
                    [Whether LCCSCF_USE_SSL is defined])],,
         [#include <libwebsockets.h>])
 
+    # Older versions of libwebsockets do not define a dummy callback which
+    # must be invoked after the main event callback is invoked; the main event
+    # callback must instead manually return zero
+    AC_CHECK_DECL([lws_callback_http_dummy],
+        [AC_DEFINE([HAVE_LWS_CALLBACK_HTTP_DUMMY],,
+                   [Whether lws_callback_http_dummy() is defined])],,
+        [#include <libwebsockets.h>])
+
 fi
 
 AM_CONDITIONAL([ENABLE_WEBSOCKETS],

http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/b48a1b3a/src/protocols/kubernetes/kubernetes.c
----------------------------------------------------------------------
diff --git a/src/protocols/kubernetes/kubernetes.c b/src/protocols/kubernetes/kubernetes.c
index 9cb0b13..fb38d68 100644
--- a/src/protocols/kubernetes/kubernetes.c
+++ b/src/protocols/kubernetes/kubernetes.c
@@ -66,8 +66,13 @@ static int guac_kubernetes_lws_callback(struct lws* wsi,
     guac_client* client = guac_kubernetes_lws_current_client;
 
     /* Do not handle any further events if connection is closing */
-    if (client->state != GUAC_CLIENT_RUNNING)
+    if (client->state != GUAC_CLIENT_RUNNING) {
+#ifdef HAVE_LWS_CALLBACK_HTTP_DUMMY
         return lws_callback_http_dummy(wsi, reason, user, in, length);
+#else
+        return 0;
+#endif
+    }
 
     switch (reason) {
 
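Review bot: The `#ifdef HAVE_LWS_CALLBACK_HTTP_DUMMY` / `#else return 0;` pair is written out twice, in the early return here and again at the end of the function in the following hunk (`@@ -127,7 +132,11 @@`). A single static helper keeps the two exits identical if the fallback ever changes and leaves the callback body free of preprocessor branches. The helper name below is a suggestion, and its parameter types are taken from the libwebsockets callback prototype, since only the first parameter of guac_kubernetes_lws_callback is visible in the hunk. The function body continues outside it.

```c
/* Default handling for events this callback does not consume itself */
static int guac_kubernetes_lws_default(struct lws* wsi,
        enum lws_callback_reasons reason, void* user, void* in,
        size_t length) {
#ifdef HAVE_LWS_CALLBACK_HTTP_DUMMY
    return lws_callback_http_dummy(wsi, reason, user, in, length);
#else
    return 0;
#endif
}

    /* Do not handle any further events if connection is closing */
    if (client->state != GUAC_CLIENT_RUNNING)
        return guac_kubernetes_lws_default(wsi, reason, user, in, length);

    /* … unchanged: switch (reason) and its cases … */

    return guac_kubernetes_lws_default(wsi, reason, user, in, length);
```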
@@ -127,7 +132,11 @@ static int guac_kubernetes_lws_callback(struct lws* wsi,
 
     }
 
+#ifdef HAVE_LWS_CALLBACK_HTTP_DUMMY
     return lws_callback_http_dummy(wsi, reason, user, in, length);
+#else
+    return 0;
+#endif
 
 }
 


[4/6] guacamole-server git commit: GUACAMOLE-623: Explicitly bypass certificate checks if requested.

Posted by vn...@apache.org.
GUACAMOLE-623: Explicitly bypass certificate checks if requested.

For older versions of libwebsockets, simply requesting that OpenSSL
ignore the verification result is insufficient, as libwebsockets
manually checks and confirms the verification result, producing an error
in all but specific cases.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/44d3433e
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/44d3433e
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/44d3433e

Branch: refs/heads/master
Commit: 44d3433ea92de6de7d127f93335c0a5be47c735c
Parents: 7ee6248
Author: Michael Jumper <mj...@apache.org>
Authored: Wed Sep 26 22:01:43 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 26 22:01:46 2018 -0700

----------------------------------------------------------------------
 src/protocols/kubernetes/ssl.c | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/44d3433e/src/protocols/kubernetes/ssl.c
----------------------------------------------------------------------
diff --git a/src/protocols/kubernetes/ssl.c b/src/protocols/kubernetes/ssl.c
index 6ebafc6..520ce8c 100644
--- a/src/protocols/kubernetes/ssl.c
+++ b/src/protocols/kubernetes/ssl.c
@@ -110,6 +110,27 @@ static EVP_PKEY* guac_kubernetes_read_key(char* pem) {
 
 }
 
+/**
+ * OpenSSL certificate verification callback which universally accepts all
+ * certificates without performing any verification at all.
+ *
+ * @param x509_ctx
+ *     The current context of the certificate verification process. This
+ *     parameter is ignored by this particular implementation of the callback.
+ *
+ * @param arg
+ *     The arbitrary value passed to SSL_CTX_set_cert_verify_callback(). This
+ *     parameter is ignored by this particular implementation of the callback.
+ *
+ * @return
+ *     Strictly 0 if certificate verification fails, 1 if the certificate is
+ *     verified. No other values are legal return values for this callback as
+ *     documented by OpenSSL.
+ */
+static int guac_kubernetes_assume_cert_ok(X509_STORE_CTX* x509_ctx, void* arg) {
+    return 1;
+}
+
 void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {
 
     guac_kubernetes_client* kubernetes_client =
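Review bot: The `@return` text on guac_kubernetes_assume_cert_ok describes the general OpenSSL callback contract (0 on failure, 1 on success) rather than this function, which returns 1 unconditionally. I would write it as `Always 1, reporting every certificate chain as verified regardless of its contents.` so a reader does not assume a failure path exists. The summary line could also state that installing this callback removes server authentication for the connection, since that is its whole effect. The hunk ends inside guac_kubernetes_init_ssl, whose body continues in the next hunk.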
@@ -118,8 +139,11 @@ void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {
     guac_kubernetes_settings* settings = kubernetes_client->settings;
 
     /* Bypass certificate checks if requested */
-    if (settings->ignore_cert)
-        SSL_CTX_set_verify(context, SSL_VERIFY_NONE, NULL);
+    if (settings->ignore_cert) {
+        SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);
+        SSL_CTX_set_cert_verify_callback(context,
+                guac_kubernetes_assume_cert_ok, NULL);
+    }
 
     /* Otherwise use the given CA certificate to validate (if any) */
     else if (settings->ca_cert != NULL) {
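Review bot: With `ignore_cert` set, `SSL_VERIFY_PEER` plus the accept-all callback means any certificate is accepted, and nothing in this branch records that at run time. Since kubernetes.c also turns off the libwebsockets hostname check, the endpoint is then unauthenticated and whatever credentials the connection carries go to whichever host answers. A warning inside the block, such as `guac_client_log(client, GUAC_LOG_WARNING, "Certificate validation for the Kubernetes server is disabled.");`, would make that visible to operators. The `/* Bypass certificate checks if requested */` comment should also explain the unusual pairing, e.g. `/* SSL_VERIFY_NONE is not enough: older libwebsockets re-checks the verify result itself */`, because that reasoning currently lives only in the commit message. The else-if chain continues outside the hunk.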


[3/6] guacamole-server git commit: GUACAMOLE-623: Remove unnecessary initialization of pwsi.

Posted by vn...@apache.org.
GUACAMOLE-623: Remove unnecessary initialization of pwsi.

The pwsi member was previously used to ensure the lws structure was made
available to invocations of the event callback early in the connection
lifecycle such that the underlying guac_client could always be retrieved.
Since the migration to guac_kubernetes_lws_current_client, this is not
necessary, and isn't supported in older versions of libwebsockets
anyway.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/7ee62484
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/7ee62484
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/7ee62484

Branch: refs/heads/master
Commit: 7ee624844a2ef577bfd5af6c9559919e1ba77846
Parents: b48a1b3
Author: Michael Jumper <mj...@apache.org>
Authored: Wed Sep 26 21:51:46 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 26 21:52:53 2018 -0700

----------------------------------------------------------------------
 src/protocols/kubernetes/kubernetes.c | 1 -
 1 file changed, 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/7ee62484/src/protocols/kubernetes/kubernetes.c
----------------------------------------------------------------------
diff --git a/src/protocols/kubernetes/kubernetes.c b/src/protocols/kubernetes/kubernetes.c
index fb38d68..66fc27d 100644
--- a/src/protocols/kubernetes/kubernetes.c
+++ b/src/protocols/kubernetes/kubernetes.c
@@ -268,7 +268,6 @@ void* guac_kubernetes_client_thread(void* data) {
         .origin = settings->hostname,
         .port = settings->port,
         .protocol = GUAC_KUBERNETES_LWS_PROTOCOL,
-        .pwsi = &kubernetes_client->wsi,
         .userdata = client
     };
 


[6/6] guacamole-server git commit: GUACAMOLE-623: Merge fix build against older libwebsockets.

Posted by vn...@apache.org.
GUACAMOLE-623: Merge fix build against older libwebsockets.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/b0be8080
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/b0be8080
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/b0be8080

Branch: refs/heads/master
Commit: b0be8080360f7e54e3a395ce18471b99ddd34b4e
Parents: af93cfb 9c593bd
Author: Nick Couchman <vn...@apache.org>
Authored: Thu Sep 27 04:36:15 2018 -0400
Committer: Nick Couchman <vn...@apache.org>
Committed: Thu Sep 27 04:36:15 2018 -0400

----------------------------------------------------------------------
 configure.ac                          | 30 ++++++++++++++++++++++++++++--
 src/protocols/kubernetes/kubernetes.c | 19 +++++++++++++++++--
 src/protocols/kubernetes/ssl.c        | 28 ++++++++++++++++++++++++++--
 3 files changed, 71 insertions(+), 6 deletions(-)
----------------------------------------------------------------------