Merge remote-tracking branch 'origin/patch'

Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java

@@ -69,6 +69,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 	private static final String SERIAL_FILTER_FILE = "serial.filter";
 
 	private static final String TLS_SERVER_PROTOCOLS_PROPERTY = "ghidra.tls.server.protocols";
+	private static final String TLS_ENABLED_CIPHERS_PROPERTY = "jdk.tls.server.cipherSuites";
 
 	private static SslRMIServerSocketFactory serverSocketFactory;
 	private static SslRMIClientSocketFactory clientSocketFactory;
@@ -796,7 +797,16 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 			}
 			log.info(
 				"   Anonymous server access: " + (allowAnonymousAccess ? "enabled" : "disabled"));
-
+			
+			String enabledCiphers = System.getProperty(TLS_ENABLED_CIPHERS_PROPERTY);
+			if (enabledCiphers != null) {
+				String[] cipherList = enabledCiphers.split(",");
+				log.info("   Enabled cipher suites:");
+				for (String s : cipherList) {
+					log.info("       " + s);
+				}
+			}
+			
 			serverSocketFactory = new SslRMIServerSocketFactory(null, getEnabledTlsProtocols(),
 				authMode == PKI_LOGIN) {
 				@Override

Ghidra/Features/VersionTracking/src/main/java/ghidra/feature/vt/gui/filters/TagFilter.java

@@ -60,6 +60,11 @@ public class TagFilter extends AncillaryFilter<VTMatch> {
 		initializeTags();
 	}
 
+	@Override
+	protected Filter<VTMatch> createEmptyCopy() {
+		return new TagFilter(controller);
+	}
+
 	private JComponent createComponent() {
 		JPanel panel = new JPanel(new BorderLayout());
 		panel.setBorder(BorderFactory.createTitledBorder("Tags"));
@@ -93,7 +98,7 @@ public class TagFilter extends AncillaryFilter<VTMatch> {
 	}
 
 	/**
-	 * This differs from {@link #initializeTags()} in that this method will keep any excluded 
+	 * This differs from {@link #initializeTags()} in that this method will keep any excluded
 	 * tags when updating.
 	 */
 	private void reInitializeTags() {
@@ -288,11 +293,11 @@ public class TagFilter extends AncillaryFilter<VTMatch> {
 		Set<String> names = excludedTags.keySet();
 		Set<String> otherNames = otherTagFilter.excludedTags.keySet();
 
-		// 
-		// This filter is a collection of 'things', that are NOT allowed to pass the filter.   
+		//
+		// This filter is a collection of 'things', that are NOT allowed to pass the filter.
 		// We are only a sub-filter if the other filter is a subset of our filter, since we will
-		// be taking the already excluded items and adding more restrictions.  Suppose our filter 
-		// consists of: 'cat', 'dog', 'mouse'.  We would then be a sub-filter if the other 
+		// be taking the already excluded items and adding more restrictions.  Suppose our filter
+		// consists of: 'cat', 'dog', 'mouse'.  We would then be a sub-filter if the other
 		// filter's set consists of: 'cat', 'dog'.
 		//
 		if (names.containsAll(otherNames)) {
@@ -343,10 +348,10 @@ public class TagFilter extends AncillaryFilter<VTMatch> {
 		public void sessionUpdated(DomainObjectChangedEvent ev) {
 			//
 			// Note: we don't trigger a refilter after changes are made.  We assume that if a tag
-			//       is added, then it will not be excluded by default.  If a tag is removed, 
+			//       is added, then it will not be excluded by default.  If a tag is removed,
 			//       then the work to remove it will have cleared any matches using that tag, which
 			//       will trigger an update to the table, which will trigger a refilter.
-			// 
+			//
 
 			for (int i = 0; i < ev.numRecords(); i++) {
 				DomainObjectChangeRecord doRecord = ev.getChangeRecord(i);

Ghidra/Framework/FileSystem/src/main/java/ghidra/framework/client/ClientUtil.java

@@ -199,6 +199,9 @@ public class ClientUtil {
 			Msg.debug(ClientUtil.class, "Server not connected (" + operation + ")");
 			promptForReconnect(repository, operation, mustRetry, parent);
 		}
+		else if (exc instanceof RepositoryNotFoundException) {
+			Msg.showError(ClientUtil.class, parent, title, exc.getMessage());
+		}
 		else if (exc instanceof UserAccessException) {
 			Msg.showError(ClientUtil.class, parent, title,
 				"Access denied: " + repository + "\n" + exc.getMessage());

Ghidra/RuntimeScripts/Common/server/server.conf

@@ -40,29 +40,36 @@ wrapper.java.additional.5=-Djna.tmpdir=${wrapper_tmpdir}
 # NOTE: multiple protocols must be separated with a semi-colon (e.g., TLSv1.2;TLSv1.3).
 wrapper.java.additional.6=-Dghidra.tls.server.protocols=TLSv1.2;TLSv1.3
 
+# Restrict server to specific TLS cipher suites for all secure communications
+# NOTE: multiple ciphers must be separated using "\,".  The specified list includes both TLSv1.2 and TLSv1.3 supported ciphers.
+# TLSv1.3 info: https://www.packetmania.net/en/2023/08/21/TLS1-3-intro/
+# See Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3
+#   RFC 9151 https://datatracker.ietf.org/doc/rfc9151/
+wrapper.java.additional.7=-Djdk.tls.server.cipherSuites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\,TLS_AES_256_GCM_SHA384"
+
 # A suitable cacerts file must be installed when using PKI authentication
-#wrapper.java.additional.7=-Dghidra.cacerts=./Ghidra/cacerts
+#wrapper.java.additional.8=-Dghidra.cacerts=./Ghidra/cacerts
 
 # If Ghidra clients must authenticate the server, the server will need to install
 # a server key/certificate in a secure location (e.g., /etc/pki/...) 
 # and specify the location and password via the properties below.
 # Be sure to properly set permissions on the Ghidra installation and this file
 # if using these settings.
-#wrapper.java.additional.8=-Dghidra.keystore=
-#wrapper.java.additional.9=-Dghidra.password=
+#wrapper.java.additional.9=-Dghidra.keystore=
+#wrapper.java.additional.10=-Dghidra.password=
 
 # Enable/Disable use of compression for DataBuffer serialization and Block Streams
-wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
+wrapper.java.additional.11=-Ddb.buffers.DataBuffer.compressedOutput=true
 
 # Uncomment to enable remote debug support
 # The debug address will listen on all network interfaces, if desired the '*' may be
 # set to a specific interface IP address (e.g., 127.0.0.1) if you wish to restrict.
 # During debug it may be necessary to increase timeout values to prevent the wrapper
 # from restarting the server due to unresponsiveness.
-#wrapper.java.additional.11=-Xdebug
-#wrapper.java.additional.12=-Xnoagent
-#wrapper.java.additional.13=-Djava.compiler=NONE
-#wrapper.java.additional.14=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
+#wrapper.java.additional.12=-Xdebug
+#wrapper.java.additional.13=-Xnoagent
+#wrapper.java.additional.14=-Djava.compiler=NONE
+#wrapper.java.additional.15=-Xrunjdwp:transport=dt_socket\,server=y\,suspend=n\,address=*:18200
 #wrapper.startup.timeout=0
 #wrapper.ping.timeout=0
 
@@ -73,10 +80,10 @@ wrapper.java.additional.10=-Ddb.buffers.DataBuffer.compressedOutput=true
 
 # Uncomment to enable remote use of jvisualvm for profiling
 # See JMX documentation for more information: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
-#wrapper.java.additional.15=-Dcom.sun.management.jmxremote.port=9010
-#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.local.only=false
-#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.authenticate=false
-#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.ssl=false
+#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.port=9010
+#wrapper.java.additional.17=-Dcom.sun.management.jmxremote.local.only=false
+#wrapper.java.additional.18=-Dcom.sun.management.jmxremote.authenticate=false
+#wrapper.java.additional.19=-Dcom.sun.management.jmxremote.ssl=false
 
 # YAJSW will by default assume a POSIX spawn for Linux and Mac OS X systems, unfortunately it has 
 # not yet been implemented for Mac OS X.  The default process support within YAJSW for Mac OS X is