diff --git a/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md b/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md
index e299551ed4..c8008fa161 100644
--- a/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md
+++ b/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md
@@ -132,6 +132,7 @@
 * _Logging_. Fixed a bug that prevented GhidraScript output from being directed to either the default or user-specified `script.log` file. (GP-6532)
 * _Memory_. Corrected various issues related to improper use of Addresses from one program in another program's AddressMap. (GP-6150)
 * _Multi-User_. Corrected potential security concern with Ghidra Server PKI Authentication. If using PKI Authentication mode (`-a2`) for the server install, the user should upgrade the server. See reported Ghidra GitHub Pull Request #9109 for more details. (GP-6678, Issue #9109)
+* _Multi-User_. Added Ghidra Server `-ipAlt` option to address self-signed certificate issues affecting docker container deployments where an formal certificate was not used (see `server.conf` and `svrREADME.md`. (GP-6811)
 * _Processors_. Fixed ARM `ldrsh.w` and `ldrsb.w` instruction semantics. (GP-4651, Issue #6564)
 * _Processors_. Reworded Tricore processor description. (GP-5243, Issue #7170)
 * _Processors_. Corrected AVR32 `ICALL` instruction behavior when `rd0` is the `LR` register. (GP-5306, Issue #5718)
diff --git a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
index 0b47bb36b7..fee9938982 100644
--- a/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
+++ b/Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java
@@ -78,7 +78,8 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 	private static String HELP_FILE = "ServerHelp.txt";
 	private static String USAGE_ARGS =
-		"[-ip ] [-i #.#.#.#] [-p#] [-n] [-a#] [-d] [-e] [-jaas ] [-u] [-autoProvision] [-anonymous] [-ssh] ";
+		"[-ip ] [-ipAlt [,...]] [-i #.#.#.#] [-p#] [-n] [-a#] [-d]" +
+		" [-e] [-jaas ] [-u] [-autoProvision] [-anonymous] [-ssh] ";
 	private static final String RMI_SERVER_PROPERTY = "java.rmi.server.hostname";
@@ -539,6 +540,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 		int defaultPasswordExpiration = -1;
 		boolean autoProvision = false;
 		File jaasConfigFile = null;
+		Set altNames = new TreeSet<>();
 		// Network name resolution disabled by default
 		InetNameLookup.setLookupEnabled(false);
@@ -588,6 +590,23 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 					System.exit(-1);
 				}
 			}
+			else if (s.startsWith("-ipAlt")) { // self-signed cert alt subject names
+				int nextArgIndex = i + 1;
+				String hostname;
+				if (s.length() == 6 && nextArgIndex < args.length) {
+					hostname = args[++i];
+				}
+				else {
+					hostname = s.substring(6);
+				}
+				for (String h : hostname.trim().split(";")) {
+					if (hostname.length() == 0 || hostname.startsWith("-")) {
+						displayUsage("Missing -ipAlt altName");
+						System.exit(-1);
+					}
+					altNames.add(h);
+				}
+			}
 			else if (s.startsWith("-ip")) { // setting server remote access hostname
 				int nextArgIndex = i + 1;
 				String hostname;
@@ -793,7 +812,6 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 			DefaultKeyManagerFactory.addSubjectAlternativeName(hostname);
 			// Collect alternate hostnames for inclusion in certificate
-			Set altNames = new TreeSet<>();
 			Enumeration nets = NetworkInterface.getNetworkInterfaces();
 			while (nets.hasMoreElements()) {
 				NetworkInterface netint = nets.nextElement();
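Review bot: The new USAGE_ARGS text advertises a comma as the `-ipAlt` list separator (`[-ipAlt [,...]]`), but the parser added later in this commit splits the value on `;` only, and the accompanying `server.conf` and `svrREADME.md` changes both state that `;` must be used. An operator following the usage text and passing `host1,host2` would get a single SAN entry containing the literal comma, and the certificate would match neither name. Change the fragment to `[-ipAlt [;...]]` so all three sources agree (this rendering appears to have dropped the angle-bracket placeholder; keep whatever placeholder the file actually has).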
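Review bot: The validity check inside the `for (String h : hostname.trim().split(";"))` loop tests the whole `hostname` argument instead of the element `h`, so it only rejects an argument that is entirely empty or starts with `-`; `-ipAlt host1;;host2` adds an empty string to `altNames`, `-ipAlt host1;-x` adds `-x`, and `-ipAlt "host1; host2"` adds ` host2` with a leading space, because elements are not individually trimmed. These values are collected for inclusion as subject alternative names in the generated self-signed certificate (per the comment in the last hunk), so a malformed entry presumably either fails certificate generation at startup or yields a SAN no client will ever match — worth pinning rather than guessing. Replace the loop body's first two statements with `String name = h.trim();` and `if (name.isEmpty() || name.startsWith("-")) {`, and add `name` rather than `h` to the set; the whole-argument-empty case is still caught because `"".split(";")` yields one empty element. The enclosing argument-parsing method begins and ends outside this hunk.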
diff --git a/Ghidra/RuntimeScripts/Common/server/server.conf b/Ghidra/RuntimeScripts/Common/server/server.conf
index 89f8cee6b8..392cee1e3c 100644
--- a/Ghidra/RuntimeScripts/Common/server/server.conf
+++ b/Ghidra/RuntimeScripts/Common/server/server.conf
@@ -134,12 +134,23 @@ ghidra.repositories.dir=./repositories
 # Ghidra server startup parameters.
 #
 # Command line parameters: (Add command line parameters as needed and renumber each starting from .1)
-# [-ip ] [-i #.#.#.#] [-p#] [-n]
-# [-a#] [-d] [-e] [-jaas ] [-u] [-autoProvision] [-anonymous] [-ssh]
+# [-ip ] [-ipAlt [;...]] [-i #.#.#.#] [-p#] [-n]
+# [-a#] [-d] [-e] [-jaas ] [-u] [-autoProvision]
+# [-anonymous] [-ssh]
 #
 #
 # -ip : identifies the remote access IPv4 address or hostname (FQDN) which should be
-# used by remote clients to access the server.
+# used by remote clients to access the server. This option is frequently required
+# when deploying a Ghidra Server within a docker container. When this option
+# specifies a hostname, and the -Dghidra.keystore JVM property has not been specified,
+# it is generally required that the -ipAlt option be included to specify the IP
+# Address which corresponds to the hostname.
+#
+# -ipAlt [;,...] : identifies additional addresses and hostnames (FQDN) that
+# should be included as subject alternative names when generating a self-signed
+# server certificate. Currently, a temporary self-signed server certificate is
+# generated whenever the -Dghidra.keystore option JVM property has not been specified.
+# NOTE: ';' must be used as separator for more than one altName.
 #
 # -i #.#.#.# : server interface IPv4 address to listen on (default will listen on all interfaces).
 #
diff --git a/Ghidra/RuntimeScripts/Common/server/svrREADME.md b/Ghidra/RuntimeScripts/Common/server/svrREADME.md
index f395c06c58..1eac65f397 100644
--- a/Ghidra/RuntimeScripts/Common/server/svrREADME.md
+++ b/Ghidra/RuntimeScripts/Common/server/svrREADME.md
@@ -265,8 +265,17 @@ Identifies the remote access hostname (FQDN) or IPv4 address which should be us
 to access the server. By default the host name reported by the operating system is resolved to an IPv4 address, if this fails the local loopback address is used. The server log will indicate the remote access hostname at startup. This option may be required when a server has multiple IP
-interfaces, relies on a dynamic DNS or other network address translation for incoming connections.
-This option establishes the property value for _java.rmi.server.hostname_.
+interfaces, running within a docker container, or relies on a dynamic DNS or other network address
+translation for incoming connections. This option establishes the property value for
+_java.rmi.server.hostname_. When this option specifies a hostname, and the _-Dghidra.keystore_ JVM
+property has not been specified, it is generally required that the _-ipAlt_ option be included to
+specify the IP Address which corresponds to the hostname.
+
+#### `-ipAlt [;,...]`
+Identifies additional addresses and hostnames (FQDN) that should be included as subject alternative
+names when generating a self-signed server certificate. Currently, a temporary self-signed server
+certificate is generated whenever the _-Dghidra.keystore_ JVM property has not been specified.
+NOTE: ';' must be used as separator for more than one altName.
 #### `-i <#.#.#.#>`
 Forces the server to be bound to a specific IPv4 interface on the server. If specified and the `-ip`
diff --git a/docker/README.md b/docker/README.md
index c621f9acc9..3552cd13f3 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -125,6 +125,8 @@ After exec'ing into the container, administration and management of the Ghidra s
 To stop the container, execute the command `docker stop `.
+NOTE: ports you map from the host to the docker container must match. You can change the default base server port (i.e. `13100`) in the `server.conf` file using the `-p` option.
+
 ## Example of BSIM Server Mode
 ```