src/protocols/kubernetes/ssl.c - guacamole-server - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 #include "kubernetes.h"
 #include "settings.h"

 #include <guacamole/client.h>
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>

 /**
  * Tests whether the given hostname is, in fact, an IP address.
  *
  * @param hostname
  *     The hostname to test.
  *
  * @return
  *     Non-zero if the given hostname is an IP address, zero otherwise.
  */
 static int guac_kubernetes_is_address(const char* hostname) {

     /* Attempt to interpret the hostname as an IP address */
     ASN1_OCTET_STRING* ip = a2i_IPADDRESS(hostname);

     /* If unsuccessful, the hostname is not an IP address */
     if (ip == NULL)
         return 0;

     /* Converted hostname must be freed */
     ASN1_OCTET_STRING_free(ip);
     return 1;

 }

 /**
  * Parses the given PEM certificate, returning a new OpenSSL X509 structure
  * representing that certificate.
  *
  * @param pem
  *     The PEM certificate.
  *
  * @return
  *     An X509 structure representing the given certificate, or NULL if the
  *     certificate was unreadable.
  */
 static X509* guac_kubernetes_read_cert(char* pem) {

     /* Prepare a BIO which provides access to the in-memory CA cert */
     BIO* bio = BIO_new_mem_buf(pem, -1);
     if (bio == NULL)
         return NULL;

     /* Read the CA cert as PEM */
     X509* certificate = PEM_read_bio_X509(bio, NULL, NULL, NULL);
     if (certificate == NULL) {
         BIO_free(bio);
         return NULL;
     }

     return certificate;

 }

 /**
  * Parses the given PEM private key, returning a new OpenSSL EVP_PKEY structure
  * representing that key.
  *
  * @param pem
  *     The PEM private key.
  *
  * @return
  *     An EVP_KEY representing the given private key, or NULL if the private
  *     key was unreadable.
  */
 static EVP_PKEY* guac_kubernetes_read_key(char* pem) {

     /* Prepare a BIO which provides access to the in-memory key */
     BIO* bio = BIO_new_mem_buf(pem, -1);
     if (bio == NULL)
         return NULL;

     /* Read the private key as PEM */
     EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
     if (key == NULL) {
         BIO_free(bio);
         return NULL;
     }

     return key;

 }

 /**
  * OpenSSL certificate verification callback which universally accepts all
  * certificates without performing any verification at all.
  *
  * @param x509_ctx
  *     The current context of the certificate verification process. This
  *     parameter is ignored by this particular implementation of the callback.
  *
  * @param arg
  *     The arbitrary value passed to SSL_CTX_set_cert_verify_callback(). This
  *     parameter is ignored by this particular implementation of the callback.
  *
  * @return
  *     Strictly 0 if certificate verification fails, 1 if the certificate is
  *     verified. No other values are legal return values for this callback as
  *     documented by OpenSSL.
  */
 static int guac_kubernetes_assume_cert_ok(X509_STORE_CTX* x509_ctx, void* arg) {
     return 1;
 }

 void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {

     guac_kubernetes_client* kubernetes_client =
         (guac_kubernetes_client*) client->data;

     guac_kubernetes_settings* settings = kubernetes_client->settings;

     /* Bypass certificate checks if requested */
     if (settings->ignore_cert) {
         SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);
         SSL_CTX_set_cert_verify_callback(context,
                 guac_kubernetes_assume_cert_ok, NULL);
     }

     /* Otherwise use the given CA certificate to validate (if any) */
     else if (settings->ca_cert != NULL) {

         /* Read CA certificate from configuration data */
         X509* ca_cert = guac_kubernetes_read_cert(settings->ca_cert);
         if (ca_cert == NULL) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Provided CA certificate is unreadable");
             return;
         }

         /* Add certificate to CA store */
         X509_STORE* ca_store = SSL_CTX_get_cert_store(context);
         if (!X509_STORE_add_cert(ca_store, ca_cert)) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Unable to add CA certificate to certificate store of "
                     "SSL context");
             return;
         }

     }

     /* Certificate for SSL/TLS client auth */
     if (settings->client_cert != NULL) {

         /* Read client certificate from configuration data */
         X509* client_cert = guac_kubernetes_read_cert(settings->client_cert);
         if (client_cert == NULL) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Provided client certificate is unreadable");
             return;
         }

         /* Use parsed certificate for authentication */
         if (!SSL_CTX_use_certificate(context, client_cert)) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Client certificate could not be used for SSL/TLS "
                     "client authentication");
             return;
         }

     }

     /* Private key for SSL/TLS client auth */
     if (settings->client_key != NULL) {

         /* Read client private key from configuration data */
         EVP_PKEY* client_key = guac_kubernetes_read_key(settings->client_key);
         if (client_key == NULL) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Provided client private key is unreadable");
             return;
         }

         /* Use parsed key for authentication */
         if (!SSL_CTX_use_PrivateKey(context, client_key)) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Client private key could not be used for SSL/TLS "
                     "client authentication");
             return;
         }

     }

     /* Enable hostname checking */
     X509_VERIFY_PARAM *param = SSL_CTX_get0_param(context);
     X509_VERIFY_PARAM_set_hostflags(param,
             X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

     /* Validate properly depending on whether hostname is an IP address */
     if (guac_kubernetes_is_address(settings->hostname)) {
         if (!X509_VERIFY_PARAM_set1_ip_asc(param, settings->hostname)) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Server IP address validation could not be enabled");
             return;
         }
     }
     else {
         if (!X509_VERIFY_PARAM_set1_host(param, settings->hostname, 0)) {
             guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                     "Server hostname validation could not be enabled");
             return;
         }
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	#include "kubernetes.h"
	#include "settings.h"

	#include <guacamole/client.h>
	#include <openssl/asn1.h>
	#include <openssl/bio.h>
	#include <openssl/pem.h>
	#include <openssl/ssl.h>
	#include <openssl/x509v3.h>
	#include <openssl/x509_vfy.h>

	/**
	* Tests whether the given hostname is, in fact, an IP address.
	*
	* @param hostname
	* The hostname to test.
	*
	* @return
	* Non-zero if the given hostname is an IP address, zero otherwise.
	*/
	static int guac_kubernetes_is_address(const char* hostname) {

	/* Attempt to interpret the hostname as an IP address */
	ASN1_OCTET_STRING* ip = a2i_IPADDRESS(hostname);

	/* If unsuccessful, the hostname is not an IP address */
	if (ip == NULL)
	return 0;

	/* Converted hostname must be freed */
	ASN1_OCTET_STRING_free(ip);
	return 1;

	}

	/**
	* Parses the given PEM certificate, returning a new OpenSSL X509 structure
	* representing that certificate.
	*
	* @param pem
	* The PEM certificate.
	*
	* @return
	* An X509 structure representing the given certificate, or NULL if the
	* certificate was unreadable.
	*/
	static X509* guac_kubernetes_read_cert(char* pem) {

	/* Prepare a BIO which provides access to the in-memory CA cert */
	BIO* bio = BIO_new_mem_buf(pem, -1);
	if (bio == NULL)
	return NULL;

	/* Read the CA cert as PEM */
	X509* certificate = PEM_read_bio_X509(bio, NULL, NULL, NULL);
	if (certificate == NULL) {
	BIO_free(bio);
	return NULL;
	}

	return certificate;

	}

	/**
	* Parses the given PEM private key, returning a new OpenSSL EVP_PKEY structure
	* representing that key.
	*
	* @param pem
	* The PEM private key.
	*
	* @return
	* An EVP_KEY representing the given private key, or NULL if the private
	* key was unreadable.
	*/
	static EVP_PKEY* guac_kubernetes_read_key(char* pem) {

	/* Prepare a BIO which provides access to the in-memory key */
	BIO* bio = BIO_new_mem_buf(pem, -1);
	if (bio == NULL)
	return NULL;

	/* Read the private key as PEM */
	EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
	if (key == NULL) {
	BIO_free(bio);
	return NULL;
	}

	return key;

	}

	/**
	* OpenSSL certificate verification callback which universally accepts all
	* certificates without performing any verification at all.
	*
	* @param x509_ctx
	* The current context of the certificate verification process. This
	* parameter is ignored by this particular implementation of the callback.
	*
	* @param arg
	* The arbitrary value passed to SSL_CTX_set_cert_verify_callback(). This
	* parameter is ignored by this particular implementation of the callback.
	*
	* @return
	* Strictly 0 if certificate verification fails, 1 if the certificate is
	* verified. No other values are legal return values for this callback as
	* documented by OpenSSL.
	*/
	static int guac_kubernetes_assume_cert_ok(X509_STORE_CTX* x509_ctx, void* arg) {
	return 1;
	}

	void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {

	guac_kubernetes_client* kubernetes_client =
	(guac_kubernetes_client*) client->data;

	guac_kubernetes_settings* settings = kubernetes_client->settings;

	/* Bypass certificate checks if requested */
	if (settings->ignore_cert) {
	SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);
	SSL_CTX_set_cert_verify_callback(context,
	guac_kubernetes_assume_cert_ok, NULL);
	}

	/* Otherwise use the given CA certificate to validate (if any) */
	else if (settings->ca_cert != NULL) {

	/* Read CA certificate from configuration data */
	X509* ca_cert = guac_kubernetes_read_cert(settings->ca_cert);
	if (ca_cert == NULL) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Provided CA certificate is unreadable");
	return;
	}

	/* Add certificate to CA store */
	X509_STORE* ca_store = SSL_CTX_get_cert_store(context);
	if (!X509_STORE_add_cert(ca_store, ca_cert)) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Unable to add CA certificate to certificate store of "
	"SSL context");
	return;
	}

	}

	/* Certificate for SSL/TLS client auth */
	if (settings->client_cert != NULL) {

	/* Read client certificate from configuration data */
	X509* client_cert = guac_kubernetes_read_cert(settings->client_cert);
	if (client_cert == NULL) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Provided client certificate is unreadable");
	return;
	}

	/* Use parsed certificate for authentication */
	if (!SSL_CTX_use_certificate(context, client_cert)) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Client certificate could not be used for SSL/TLS "
	"client authentication");
	return;
	}

	}

	/* Private key for SSL/TLS client auth */
	if (settings->client_key != NULL) {

	/* Read client private key from configuration data */
	EVP_PKEY* client_key = guac_kubernetes_read_key(settings->client_key);
	if (client_key == NULL) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Provided client private key is unreadable");
	return;
	}

	/* Use parsed key for authentication */
	if (!SSL_CTX_use_PrivateKey(context, client_key)) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Client private key could not be used for SSL/TLS "
	"client authentication");
	return;
	}

	}

	/* Enable hostname checking */
	X509_VERIFY_PARAM *param = SSL_CTX_get0_param(context);
	X509_VERIFY_PARAM_set_hostflags(param,
	X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

	/* Validate properly depending on whether hostname is an IP address */
	if (guac_kubernetes_is_address(settings->hostname)) {
	if (!X509_VERIFY_PARAM_set1_ip_asc(param, settings->hostname)) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Server IP address validation could not be enabled");
	return;
	}
	}
	else {
	if (!X509_VERIFY_PARAM_set1_host(param, settings->hostname, 0)) {
	guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
	"Server hostname validation could not be enabled");
	return;
	}
	}

	}