authorJay Sorg <jay.sorg@gmail.com>2014-11-26 13:04:31 -0800
committerJay Sorg <jay.sorg@gmail.com>2014-11-26 13:04:31 -0800
commit1d3329b49bc4256d64697380116e86af9a9abf80 (patch)
tree20e12cfcbd4b121974ce0c0d7f8caa6c04401ad2
parent32f172853f9763f4b046c9e5465813a0aa5e3f1c (diff)
parent2d514e666afdccdf370cfc92fa284b3fa4492824 (diff)
Merge branch 'devel'
-rw-r--r--common/Makefile.am3
-rw-r--r--common/ssl_calls.c270
-rw-r--r--common/ssl_calls.h28
-rw-r--r--common/trans.c60
-rw-r--r--common/trans.h32
-rw-r--r--common/xrdp_tls.c269
-rw-r--r--configure.ac13
-rw-r--r--libxrdp/libxrdp.c27
-rw-r--r--libxrdp/xrdp_rdp.c6
-rw-r--r--sesman/Makefile.am5
-rw-r--r--sesman/chansrv/chansrv_common.h1
-rw-r--r--sesman/chansrv/sound.c1
-rw-r--r--sesman/verify_user.c8
-rw-r--r--sesman/verify_user_bsd.c118
-rw-r--r--xrdp/lang.c2
15 files changed, 495 insertions, 348 deletions
diff --git a/common/Makefile.am b/common/Makefile.am
index 9feac9fb..8c7aa62c 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -39,8 +39,7 @@ libcommon_la_SOURCES = \
os_calls.c \
ssl_calls.c \
thread_calls.c \
- trans.c \
- xrdp_tls.c
+ trans.c
libcommon_la_LIBADD = \
-lcrypto \
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 134f5afd..966bbb15 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -2,6 +2,7 @@
* xrdp: A Remote Desktop Protocol server.
*
* Copyright (C) Jay Sorg 2004-2014
+ * Copyright (C) Idan Freiberg 2013-2014
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -31,6 +32,7 @@
#include "os_calls.h"
#include "arch.h"
#include "ssl_calls.h"
+#include "trans.h"
#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090800f)
#undef OLD_RSA_GEN1
@@ -524,3 +526,271 @@ ssl_gen_key_xrdp1(int key_size_in_bits, char *exp, int exp_len,
return error;
}
#endif
+
+/*****************************************************************************/
+struct ssl_tls *
+APP_CC
+ssl_tls_create(struct trans *trans, const char *key, const char *cert)
+{
+ struct ssl_tls *self;
+ int pid;
+ char buf[1024];
+
+ self = (struct ssl_tls *) g_malloc(sizeof(struct ssl_tls), 1);
+ if (self != NULL)
+ {
+ self->trans = trans;
+ self->cert = (char *) cert;
+ self->key = (char *) key;
+ pid = g_getpid();
+ g_snprintf(buf, 1024, "xrdp_%8.8x_tls_rwo", pid);
+ self->rwo = g_create_wait_obj(buf);
+ }
+
+ return self;
+}
+
+/*****************************************************************************/
+int APP_CC
+ssl_tls_print_error(char *func, SSL *connection, int value)
+{
+ switch (SSL_get_error(connection, value))
+ {
+ case SSL_ERROR_ZERO_RETURN:
+ g_writeln("ssl_tls_print_error: %s: Server closed TLS connection",
+ func);
+ return 1;
+
+ case SSL_ERROR_WANT_READ:
+ g_writeln("ssl_tls_print_error: SSL_ERROR_WANT_READ");
+ return 0;
+
+ case SSL_ERROR_WANT_WRITE:
+ g_writeln("ssl_tls_print_error: SSL_ERROR_WANT_WRITE");
+ return 0;
+
+ case SSL_ERROR_SYSCALL:
+ g_writeln("ssl_tls_print_error: %s: I/O error", func);
+ return 1;
+
+ case SSL_ERROR_SSL:
+ g_writeln("ssl_tls_print_error: %s: Failure in SSL library (protocol error?)",
+ func);
+ return 1;
+
+ default:
+ g_writeln("ssl_tls_print_error: %s: Unknown error", func);
+ return 1;
+ }
+}
+
+/*****************************************************************************/
+int APP_CC
+ssl_tls_accept(struct ssl_tls *self)
+{
+ int connection_status;
+ long options = 0;
+
+ /**
+ * SSL_OP_NO_SSLv2:
+ *
+ * We only want SSLv3 and TLSv1, so disable SSLv2.
+ * SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+ */
+ options |= SSL_OP_NO_SSLv2;
+
+#if defined(SSL_OP_NO_COMPRESSION)
+ /**
+ * SSL_OP_NO_COMPRESSION:
+ *
+ * The Microsoft RDP server does not advertise support
+ * for TLS compression, but alternative servers may support it.
+ * This was observed between early versions of the FreeRDP server
+ * and the FreeRDP client, and caused major performance issues,
+ * which is why we're disabling it.
+ */
+ options |= SSL_OP_NO_COMPRESSION;
+#endif
+
+ /**
+ * SSL_OP_TLS_BLOCK_PADDING_BUG:
+ *
+ * The Microsoft RDP server does *not* support TLS padding.
+ * It absolutely needs to be disabled otherwise it won't work.
+ */
+ options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
+
+ /**
+ * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
+ *
+ * Just like TLS padding, the Microsoft RDP server does not
+ * support empty fragments. This needs to be disabled.
+ */
+ options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
+ self->ctx = SSL_CTX_new(SSLv23_server_method());
+ /* set context options */
+ SSL_CTX_set_mode(self->ctx,
+ SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+ SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_options(self->ctx, options);
+ SSL_CTX_set_read_ahead(self->ctx, 1);
+
+ if (self->ctx == NULL)
+ {
+ g_writeln("ssl_tls_accept: SSL_CTX_new failed");
+ return 1;
+ }
+
+ if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM)
+ <= 0)
+ {
+ g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed");
+ return 1;
+ }
+
+ self->ssl = SSL_new(self->ctx);
+
+ if (self->ssl == NULL)
+ {
+ g_writeln("ssl_tls_accept: SSL_new failed");
+ return 1;
+ }
+
+ if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0)
+ {
+ g_writeln("ssl_tls_accept: SSL_use_certificate_file failed");
+ return 1;
+ }
+
+ if (SSL_set_fd(self->ssl, self->trans->sck) < 1)
+ {
+ g_writeln("ssl_tls_accept: SSL_set_fd failed");
+ return 1;
+ }
+
+ connection_status = SSL_accept(self->ssl);
+
+ if (connection_status <= 0)
+ {
+ if (ssl_tls_print_error("SSL_accept", self->ssl, connection_status))
+ {
+ return 1;
+ }
+ }
+
+ g_writeln("ssl_tls_accept: TLS connection accepted");
+
+ return 0;
+}
+
+/*****************************************************************************/
+int APP_CC
+ssl_tls_disconnect(struct ssl_tls *self)
+{
+ int status = SSL_shutdown(self->ssl);
+ while (status != 1)
+ {
+ status = SSL_shutdown(self->ssl);
+
+ if (status <= 0)
+ {
+ if (ssl_tls_print_error("SSL_shutdown", self->ssl, status))
+ {
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
+/*****************************************************************************/
+void APP_CC
+ssl_tls_delete(struct ssl_tls *self)
+{
+ if (self != NULL)
+ {
+ if (self->ssl)
+ SSL_free(self->ssl);
+
+ if (self->ctx)
+ SSL_CTX_free(self->ctx);
+
+ g_delete_wait_obj(self->rwo);
+
+ g_free(self);
+ }
+}
+
+/*****************************************************************************/
+int APP_CC
+ssl_tls_read(struct ssl_tls *tls, char *data, int length)
+{
+ int status;
+
+ status = SSL_read(tls->ssl, data, length);
+
+ switch (SSL_get_error(tls->ssl, status))
+ {
+ case SSL_ERROR_NONE:
+ break;
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ status = 0;
+ break;
+
+ default:
+ ssl_tls_print_error("SSL_read", tls->ssl, status);
+ status = -1;
+ break;
+ }
+
+ if (SSL_pending(tls->ssl) > 0)
+ {
+ g_set_wait_obj(tls->rwo);
+ }
+
+ return status;
+}
+
+/*****************************************************************************/
+int APP_CC
+ssl_tls_write(struct ssl_tls *tls, const char *data, int length)
+{
+ int status;
+
+ status = SSL_write(tls->ssl, data, length);
+
+ switch (SSL_get_error(tls->ssl, status))
+ {
+ case SSL_ERROR_NONE:
+ break;
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ status = 0;
+ break;
+
+ default:
+ ssl_tls_print_error("SSL_write", tls->ssl, status);
+ status = -1;
+ break;
+ }
+
+ return status;
+}
+
+/*****************************************************************************/
+/* returns boolean */
+int APP_CC
+ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
+{
+ if (SSL_pending(tls->ssl) > 0)
+ {
+ return 1;
+ }
+ g_reset_wait_obj(tls->rwo);
+ return g_tcp_can_recv(sck, millis);
+}
+
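Review bot: In ssl_tls_accept, `SSL_CTX_set_mode`, `SSL_CTX_set_options` and `SSL_CTX_set_read_ahead` are applied to `self->ctx` before the `self->ctx == NULL` check, so a failed `SSL_CTX_new` dereferences NULL instead of reaching the error return; the check belongs directly after `SSL_CTX_new`, as below. The loop in ssl_tls_disconnect re-calls `SSL_shutdown` with no wait whenever ssl_tls_print_error returns 0 (WANT_READ/WANT_WRITE), so on a non-blocking socket it spins until the peer answers; a bounded retry count or a wait on the socket is worth considering. The option comment states that only SSLv2 is excluded; unless the SSLv3-only clients it names are still required, `SSL_OP_NO_SSLv3` should be added to the same mask. ssl_tls_create also leaves the result of `g_create_wait_obj` unchecked, although trans_get_wait_objs later guards on `rwo != 0`.
```c
    self->ctx = SSL_CTX_new(SSLv23_server_method());
    if (self->ctx == NULL)
    {
        g_writeln("ssl_tls_accept: SSL_CTX_new failed");
        return 1;
    }
    /* set context options */
    SSL_CTX_set_mode(self->ctx,
                     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                     SSL_MODE_ENABLE_PARTIAL_WRITE);
    SSL_CTX_set_options(self->ctx, options);
    SSL_CTX_set_read_ahead(self->ctx, 1);
    /* … unchanged: private key, certificate, SSL_set_fd and SSL_accept … */
```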
diff --git a/common/ssl_calls.h b/common/ssl_calls.h
index 40acfb5b..6cfe73a3 100644
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@@ -2,6 +2,7 @@
* xrdp: A Remote Desktop Protocol server.
*
* Copyright (C) Jay Sorg 2004-2014
+ * Copyright (C) Idan Freiberg 2013-2014
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -80,4 +81,31 @@ int APP_CC
ssl_gen_key_xrdp1(int key_size_in_bits, char* exp, int exp_len,
char* mod, int mod_len, char* pri, int pri_len);
+/* ssl_tls */
+struct ssl_tls
+{
+ void *ssl; /* SSL * */
+ void *ctx; /* SSL_CTX * */
+ char *cert;
+ char *key;
+ struct trans *trans;
+ tintptr rwo; /* wait obj */
+};
+
+/* xrdp_tls.c */
+struct ssl_tls *APP_CC
+ssl_tls_create(struct trans *trans, const char *key, const char *cert);
+int APP_CC
+ssl_tls_accept(struct ssl_tls *self);
+int APP_CC
+ssl_tls_disconnect(struct ssl_tls *self);
+void APP_CC
+ssl_tls_delete(struct ssl_tls *self);
+int APP_CC
+ssl_tls_read(struct ssl_tls *tls, char *data, int length);
+int APP_CC
+ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
+int APP_CC
+ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
+
#endif
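Review bot: The `/* xrdp_tls.c */` comment above the prototype group is stale, since this commit deletes xrdp_tls.c and the functions now live in ssl_calls.c; `/* ssl_tls, in ssl_calls.c */` would match. The `cert` and `key` members hold pointers that ssl_tls_create stores from its `const char *` arguments and that ssl_tls_delete does not free, so ownership should be stated on the fields, e.g. `char *cert; /* caller-owned, not freed by ssl_tls_delete */`. The `ssl` and `ctx` comments already name the real types; `rwo` would benefit from the same treatment, `tintptr rwo; /* wait obj from g_create_wait_obj, set when SSL_pending > 0 */`.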
diff --git a/common/trans.c b/common/trans.c
index 5503ea61..3828a174 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -22,6 +22,7 @@
#include "trans.h"
#include "arch.h"
#include "parse.h"
+#include "ssl_calls.h"
/*****************************************************************************/
int APP_CC
@@ -31,7 +32,7 @@ trans_tls_recv(struct trans *self, void *ptr, int len)
{
return 1;
}
- return xrdp_tls_read(self->tls, ptr, len);
+ return ssl_tls_read(self->tls, ptr, len);
}
/*****************************************************************************/
@@ -42,7 +43,18 @@ trans_tls_send(struct trans *self, const void *data, int len)
{
return 1;
}
- return xrdp_tls_write(self->tls, data, len);
+ return ssl_tls_write(self->tls, data, len);
+}
+
+/*****************************************************************************/
+int APP_CC
+trans_tls_can_recv(struct trans *self, int sck, int millis)
+{
+ if (self->tls == NULL)
+ {
+ return 1;
+ }
+ return ssl_tls_can_recv(self->tls, sck, millis);
}
/*****************************************************************************/
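Review bot: trans_tls_can_recv returns 1 when `self->tls` is NULL, mirroring the `return 1` error path of trans_tls_recv and trans_tls_send above it, but for this callback 1 means "readable", so the `trans_can_recv` check in trans_check_wait_objs presumably proceeds to a receive that then fails. If that is the intended way of surfacing a missing TLS object, say so: `/* returns boolean; with no TLS object report readable so the recv path reports the error */`. ssl_tls_can_recv in ssl_calls.c carries a `/* returns boolean */` header comment, and both new can_recv functions in this file should carry the same.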
@@ -60,6 +72,13 @@ trans_tcp_send(struct trans *self, const void *data, int len)
}
/*****************************************************************************/
+int APP_CC
+trans_tcp_can_recv(struct trans *self, int sck, int millis)
+{
+ return g_tcp_can_recv(sck, millis);
+}
+
+/*****************************************************************************/
struct trans *
APP_CC
trans_create(int mode, int in_size, int out_size)
@@ -79,6 +98,7 @@ trans_create(int mode, int in_size, int out_size)
/* assign tcp calls by default */
self->trans_recv = trans_tcp_recv;
self->trans_send = trans_tcp_send;
+ self->trans_can_recv = trans_tcp_can_recv;
}
return self;
@@ -111,7 +131,7 @@ trans_delete(struct trans *self)
if (self->tls != 0)
{
- xrdp_tls_delete(self->tls);
+ ssl_tls_delete(self->tls);
}
g_free(self);
@@ -133,6 +153,16 @@ trans_get_wait_objs(struct trans *self, tbus *objs, int *count)
objs[*count] = self->sck;
(*count)++;
+
+ if (self->tls != 0)
+ {
+ if (self->tls->rwo != 0)
+ {
+ objs[*count] = self->tls->rwo;
+ (*count)++;
+ }
+ }
+
return 0;
}
@@ -141,19 +171,11 @@ int APP_CC
trans_get_wait_objs_rw(struct trans *self, tbus *robjs, int *rcount,
tbus *wobjs, int *wcount)
{
- if (self == 0)
+ if (trans_get_wait_objs(self, robjs, rcount) != 0)
{
return 1;
}
- if (self->status != TRANS_STATUS_UP)
- {
- return 1;
- }
-
- robjs[*rcount] = self->sck;
- (*rcount)++;
-
if (self->wait_s != 0)
{
wobjs[*wcount] = self->sck;
@@ -288,7 +310,7 @@ trans_check_wait_objs(struct trans *self)
}
else /* connected server or client (2 or 3) */
{
- if (g_tcp_can_recv(self->sck, 0))
+ if (self->trans_can_recv(self, self->sck, 0))
{
read_so_far = (int) (self->in_s->end - self->in_s->data);
to_read = self->header_size - read_so_far;
@@ -700,22 +722,23 @@ trans_get_out_s(struct trans *self, int size)
int APP_CC
trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
{
- self->tls = xrdp_tls_create(self, key, cert);
+ self->tls = ssl_tls_create(self, key, cert);
if (self->tls == NULL)
{
- g_writeln("trans_set_tls_mode: xrdp_tls_create malloc error");
+ g_writeln("trans_set_tls_mode: ssl_tls_create malloc error");
return 1;
}
- if (xrdp_tls_accept(self->tls) != 0)
+ if (ssl_tls_accept(self->tls) != 0)
{
- g_writeln("trans_set_tls_mode: xrdp_tls_accept failed");
+ g_writeln("trans_set_tls_mode: ssl_tls_accept failed");
return 1;
}
/* assign tls functions */
self->trans_recv = trans_tls_recv;
self->trans_send = trans_tls_send;
+ self->trans_can_recv = trans_tls_can_recv;
return 0;
}
@@ -726,12 +749,13 @@ trans_shutdown_tls_mode(struct trans *self)
{
if (self->tls != NULL)
{
- return xrdp_tls_disconnect(self->tls);
+ return ssl_tls_disconnect(self->tls);
}
/* assign callback back to tcp cal */
self->trans_recv = trans_tcp_recv;
self->trans_send = trans_tcp_send;
+ self->trans_can_recv = trans_tcp_can_recv;
return 0;
}
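Review bot: The new `self->trans_can_recv = trans_tcp_can_recv;` is placed after the `return ssl_tls_disconnect(self->tls);` early exit, so like the two existing reassignments it only runs when `self->tls` is already NULL; with a live TLS object the callbacks remain on the TLS functions after the shutdown. If the intent is to fall back to TCP once TLS is shut down, the disconnect result should be stored, the three assignments made, and the result returned afterwards; if the early return is deliberate, a comment such as `/* callbacks stay in TLS mode after shutdown; reset only when no TLS object exists */` would stop the next reader from "fixing" it. The enclosing function starts before this hunk.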
diff --git a/common/trans.h b/common/trans.h
index a169e9cb..c2a10762 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -41,8 +41,9 @@ typedef int (DEFAULT_CC *ttrans_data_in)(struct trans* self);
typedef int (DEFAULT_CC *ttrans_conn_in)(struct trans* self,
struct trans* new_self);
typedef int (DEFAULT_CC *tis_term)(void);
-typedef int (APP_CC *trans_recv) (struct trans *self, void *ptr, int len);
-typedef int (APP_CC *trans_send) (struct trans *self, const void *data, int len);
+typedef int (APP_CC *trans_recv_proc) (struct trans *self, void *ptr, int len);
+typedef int (APP_CC *trans_send_proc) (struct trans *self, const void *data, int len);
+typedef int (APP_CC *trans_can_recv_proc) (struct trans *self, int sck, int millis);
struct trans
{
@@ -63,31 +64,12 @@ struct trans
char port[256];
int no_stream_init_on_data_in;
int extra_flags; /* user defined */
- struct xrdp_tls *tls;
- trans_recv trans_recv;
- trans_send trans_send;
+ struct ssl_tls *tls;
+ trans_recv_proc trans_recv;
+ trans_send_proc trans_send;
+ trans_can_recv_proc trans_can_recv;
};
-/* xrdp_tls */
-struct xrdp_tls
-{
- void *ssl; /* SSL * */
- void *ctx; /* SSL_CTX * */
- char *cert;
- char *key;
- struct trans *trans;
-};
-
-/* xrdp_tls.c */
-struct xrdp_tls *APP_CC
-xrdp_tls_create(struct trans *trans, const char *key, const char *cert);
-int APP_CC
-xrdp_tls_accept(struct xrdp_tls *self);
-int APP_CC
-xrdp_tls_disconnect(struct xrdp_tls *self);
-void APP_CC
-xrdp_tls_delete(struct xrdp_tls *self);
-
struct trans* APP_CC
trans_create(int mode, int in_size, int out_size);
void APP_CC
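Review bot: `struct ssl_tls *tls;` is the first mention of the `ssl_tls` tag in this header, so the tag is declared implicitly by its use as a member; trans.h does not include ssl_calls.h, where the struct is now defined. An explicit `struct ssl_tls;` forward declaration above `struct trans` makes that dependency visible, and trans.c, which dereferences `self->tls->rwo`, already includes ssl_calls.h for the full definition.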
diff --git a/common/xrdp_tls.c b/common/xrdp_tls.c
deleted file mode 100644
index 28f1af55..00000000
--- a/common/xrdp_tls.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/**
- * xrdp: A Remote Desktop Protocol server.
- *
- * Copyright (C) Idan Freiberg 2013-2014
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * transport layer security
- */
-
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/ssl.h>
-
-#include "os_calls.h"
-#include "trans.h"
-#include "ssl_calls.h"
-
-
-/*****************************************************************************/
-struct xrdp_tls *
-APP_CC
-xrdp_tls_create(struct trans *trans, const char *key, const char *cert)
-{
- struct xrdp_tls *self;
- self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1);
-
- if (self != NULL)
- {
- self->trans = trans;
- self->cert = (char *) cert;
- self->key = (char *) key;
- }
-
- return self;
-}
-
-/*****************************************************************************/
-int APP_CC
-xrdp_tls_print_error(char *func, SSL *connection, int value)
-{
- switch (SSL_get_error(connection, value))
- {
- case SSL_ERROR_ZERO_RETURN:
- g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection",
- func);
- return 1;
-
- case SSL_ERROR_WANT_READ:
- g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ");
- return 0;
-
- case SSL_ERROR_WANT_WRITE:
- g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE");
- return 0;
-
- case SSL_ERROR_SYSCALL:
- g_writeln("xrdp_tls_print_error: %s: I/O error", func);
- return 1;
-
- case SSL_ERROR_SSL:
- g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)",
- func);
- return 1;
-
- default:
- g_writeln("xrdp_tls_print_error: %s: Unknown error", func);
- return 1;
- }
-}
-
-/*****************************************************************************/
-int APP_CC
-xrdp_tls_accept(struct xrdp_tls *self)
-{
- int connection_status;
- long options = 0;
-
- /**
- * SSL_OP_NO_SSLv2:
- *
- * We only want SSLv3 and TLSv1, so disable SSLv2.
- * SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
- */
- options |= SSL_OP_NO_SSLv2;
-
-#if defined(SSL_OP_NO_COMPRESSION)
- /**
- * SSL_OP_NO_COMPRESSION:
- *
- * The Microsoft RDP server does not advertise support
- * for TLS compression, but alternative servers may support it.
- * This was observed between early versions of the FreeRDP server
- * and the FreeRDP client, and caused major performance issues,
- * which is why we're disabling it.
- */
- options |= SSL_OP_NO_COMPRESSION;
-#endif
-
- /**
- * SSL_OP_TLS_BLOCK_PADDING_BUG:
- *
- * The Microsoft RDP server does *not* support TLS padding.
- * It absolutely needs to be disabled otherwise it won't work.
- */
- options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
-
- /**
- * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
- *
- * Just like TLS padding, the Microsoft RDP server does not
- * support empty fragments. This needs to be disabled.
- */
- options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
-
- self->ctx = SSL_CTX_new(SSLv23_server_method());
- /* set context options */
- SSL_CTX_set_mode(self->ctx,
- SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
- SSL_MODE_ENABLE_PARTIAL_WRITE);
- SSL_CTX_set_options(self->ctx, options);
- SSL_CTX_set_read_ahead(self->ctx, 1);
-
- if (self->ctx == NULL)
- {
- g_writeln("xrdp_tls_accept: SSL_CTX_new failed");
- return 1;
- }
-
- if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM)
- <= 0)
- {
- g_writeln("xrdp_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed");
- return 1;
- }
-
- self->ssl = SSL_new(self->ctx);
-
- if (self->ssl == NULL)
- {
- g_writeln("xrdp_tls_accept: SSL_new failed");
- return 1;
- }
-
- if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0)
- {
- g_writeln("xrdp_tls_accept: SSL_use_certificate_file failed");
- return 1;
- }
-
- if (SSL_set_fd(self->ssl, self->trans->sck) < 1)
- {
- g_writeln("xrdp_tls_accept: SSL_set_fd failed");
- return 1;
- }
-
- connection_status = SSL_accept(self->ssl);
-
- if (connection_status <= 0)
- {
- if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status))
- {
- return 1;
- }
- }
-
- g_writeln("xrdp_tls_accept: TLS connection accepted");
-
- return 0;
-}
-/*****************************************************************************/
-int APP_CC
-xrdp_tls_disconnect(struct xrdp_tls *self)
-{
- int status = SSL_shutdown(self->ssl);
- while (status != 1)
- {
- status = SSL_shutdown(self->ssl);
-
- if (status <= 0)
- {
- if (xrdp_tls_print_error("SSL_shutdown", self->ssl, status))
- {
- return 1;
- }
- }
- }
- return 0;
-}
-/*****************************************************************************/
-void APP_CC
-xrdp_tls_delete(struct xrdp_tls *self)
-{
- if (self != NULL)
- {
- if (self->ssl)
- SSL_free(self->ssl);
-
- if (self->ctx)
- SSL_CTX_free(self->ctx);
-
- g_free(self);
- }
-}
-/*****************************************************************************/
-int APP_CC
-xrdp_tls_read(struct xrdp_tls *tls, char *data, int length)
-{
- int status;
-
- status = SSL_read(tls->ssl, data, length);
-
- switch (SSL_get_error(tls->ssl, status))
- {
- case SSL_ERROR_NONE:
- break;
-
- case SSL_ERROR_WANT_READ:
- case SSL_ERROR_WANT_WRITE:
- status = 0;
- break;
-
- default:
- xrdp_tls_print_error("SSL_read", tls->ssl, status);
- status = -1;
- break;
- }
-
- return status;
-}
-/*****************************************************************************/
-int APP_CC
-xrdp_tls_write(struct xrdp_tls *tls, char *data, int length)
-{
- int status;
-
- status = SSL_write(tls->ssl, data, length);
-
- switch (SSL_get_error(tls->ssl, status))
- {
- case SSL_ERROR_NONE:
- break;
-
- case SSL_ERROR_WANT_READ:
- case SSL_ERROR_WANT_WRITE:
- status = 0;
- break;
-
- default:
- xrdp_tls_print_error("SSL_write", tls->ssl, status);
- status = -1;
- break;
- }
-
- return status;
-}
-
diff --git a/configure.ac b/configure.ac
index c5d22ec0..e1a150e8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,6 +32,10 @@ AM_CONDITIONAL(SESMAN_NOPAM, [test x$enable_pam != xyes])
AC_ARG_ENABLE(kerberos, AS_HELP_STRING([--enable-kerberos],
[Build kerberos support (default: no)]),
[], [enable_kerberos=no])
+AC_ARG_ENABLE(bsd, AS_HELP_STRING([--enable-bsd],
+ [Build BSD auth support (default: no)]),
+ [bsd=true], [bsd=false])
+AM_CONDITIONAL(SESMAN_BSD, [test x$bsd = xtrue])
AM_CONDITIONAL(SESMAN_KERBEROS, [test x$enable_kerberos = xyes])
AC_ARG_ENABLE(pamuserpass, AS_HELP_STRING([--enable-pamuserpass],
[Build pam userpass support (default: no)]),
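Review bot: `AC_ARG_ENABLE`'s action-if-given also runs for `--disable-bsd`, so `[bsd=true]` turns BSD auth on for both spellings of the option; the kerberos option directly above uses the conventional `[], [enable_kerberos=no]` form with `AM_CONDITIONAL` testing `x$enable_kerberos = xyes`, and this option should do the same: `[], [enable_bsd=no])` and `AM_CONDITIONAL(SESMAN_BSD, [test x$enable_bsd = xyes])`. The two later hunks of this file test the option inconsistently: `test -z "$enable_bsd"` skips the pam_appl.h check whenever the option is mentioned at all, including `--disable-bsd`, while the USE_NOPAM hunk tests `x$bsd = xtrue`; both should test `"x$enable_bsd" = "xyes"`.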
@@ -78,8 +82,11 @@ if test "x$enable_pam" = "xyes"
then
if test "x$enable_kerberos" != "xyes"
then
- AC_CHECK_HEADER([security/pam_appl.h], [],
- [AC_MSG_ERROR([please install libpam0g-dev or pam-devel])])
+ if test -z "$enable_bsd"
+ then
+ AC_CHECK_HEADER([security/pam_appl.h], [],
+ [AC_MSG_ERROR([please install libpam0g-dev or pam-devel])])
+ fi
fi
fi
@@ -88,7 +95,7 @@ AC_CHECK_MEMBER([struct in6_addr.s6_addr],
[AC_DEFINE(NO_ARPA_INET_H_IP6, 1, [for IPv6])],
[#include <arpa/inet.h>])
-if test "x$enable_pam" != "xyes"
+if test "x$enable_pam" != "xyes" || test "x$bsd" = "xtrue"
then
AC_DEFINE([USE_NOPAM],1,[Disable PAM])
fi
diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c
index df755f2b..594fcc73 100644
--- a/libxrdp/libxrdp.c
+++ b/libxrdp/libxrdp.c
@@ -89,33 +89,6 @@ libxrdp_get_pdu_bytes(const char *aheader)
/* TPKT */
rv = (header[2] << 8) | header[3];
}
- else if (header[0] == 0x30)
- {
- /* TSRequest (NLA) */
- if (header[1] & 0x80)
- {
- if ((header[1] & ~(0x80)) == 1)
- {
- rv = header[2];
- rv += 3;
- }
- else if ((header[1] & ~(0x80)) == 2)
- {
- rv = (header[2] << 8) | header[3];
- rv += 4;
- }
- else
- {
- g_writeln("libxrdp_get_pdu_bytes: error TSRequest!");
- return -1;
- }
- }
- else
- {
- rv = header[1];
- rv += 2;
- }
- }
else
{
/* Fast-Path */
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 4fc83ae8..6523a5b0 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -155,7 +155,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
}
else
{
- log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured fastpath level is"
+ log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured fastpath level is "
"undefined, fastpath will not be used");
client_info->use_fast_path = 0;
}
@@ -176,7 +176,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
}
else
{
- log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured security layer is"
+ log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured security layer is "
"undefined, xrdp will negotiate client compatible");
client_info->security_layer = PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX;
}
@@ -369,7 +369,7 @@ xrdp_rdp_recv(struct xrdp_rdp *self, struct stream *s, int *code)
{
/* check for fastpath first */
header = (const tui8 *) (s->p);
- if ((header[0] != 0x3) && (header[0] != 0x3c))
+ if (header[0] != 0x3)
{
if (xrdp_sec_recv_fastpath(self->sec_layer, s) != 0)
{
diff --git a/sesman/Makefile.am b/sesman/Makefile.am
index e4b63eb4..516639f4 100644
--- a/sesman/Makefile.am
+++ b/sesman/Makefile.am
@@ -14,6 +14,10 @@ if SESMAN_NOPAM
AUTH_C = verify_user.c
AUTH_LIB = -lcrypt
else
+if SESMAN_BSD
+AUTH_C = verify_user_bsd.c
+AUTH_LIB =
+else
if SESMAN_PAMUSERPASS
AUTH_C = verify_user_pam_userpass.c
AUTH_LIB = -lpam -lpam_userpass
@@ -27,6 +31,7 @@ AUTH_LIB = -lpam
endif
endif
endif
+endif
sbin_PROGRAMS = \
xrdp-sesman
diff --git a/sesman/chansrv/chansrv_common.h b/sesman/chansrv/chansrv_common.h
index 833e3359..d15c8da7 100644
--- a/sesman/chansrv/chansrv_common.h
+++ b/sesman/chansrv/chansrv_common.h
@@ -20,6 +20,7 @@
#define _CHANSRV_COMMON_H
#include "parse.h"
+#include "os_calls.h"
int read_entire_packet(struct stream *src, struct stream **dest, int chan_flags, int length, int total_length);
diff --git a/sesman/chansrv/sound.c b/sesman/chansrv/sound.c
index 9943a15b..6281969b 100644
--- a/sesman/chansrv/sound.c
+++ b/sesman/chansrv/sound.c
@@ -28,6 +28,7 @@
#include "defines.h"
#include "fifo.h"
#include "file_loc.h"
+#include "chansrv_common.h"
extern int g_rdpsnd_chan_id; /* in chansrv.c */
extern int g_display_num; /* in chansrv.c */
diff --git a/sesman/verify_user.c b/sesman/verify_user.c
index 49c475c6..9dc77efc 100644
--- a/sesman/verify_user.c
+++ b/sesman/verify_user.c
@@ -102,6 +102,14 @@ auth_start_session(long in_val, int in_display)
}
/******************************************************************************/
+/* returns error */
+int DEFAULT_CC
+auth_stop_session(long in_val)
+{
+ return 0;
+}
+
+/******************************************************************************/
int DEFAULT_CC
auth_end(long in_val)
{
diff --git a/sesman/verify_user_bsd.c b/sesman/verify_user_bsd.c
new file mode 100644
index 00000000..5d9d0e23
--- /dev/null
+++ b/sesman/verify_user_bsd.c
@@ -0,0 +1,118 @@
+/**
+ * xrdp: A Remote Desktop Protocol server.
+ *
+ * Copyright (C) Jay Sorg 2005-2014
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ *
+ * @file verify_user_bsd.c
+ * @brief Authenticate user using BSD password system
+ * @author Renaud Allard
+ *
+ */
+
+#include "sesman.h"
+
+#define _XOPEN_SOURCE
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
+#include <login_cap.h>
+#include <bsd_auth.h>
+
+#ifndef SECS_PER_DAY
+#define SECS_PER_DAY (24L*3600L)
+#endif
+
+extern struct config_sesman* g_cfg; /* in sesman.c */
+
+/******************************************************************************/
+/* returns boolean */
+long DEFAULT_CC
+auth_userpass(char *user, char *pass, int *errorcode)
+{
+ int ret = auth_userokay(user, NULL, "auth-xrdp", pass);
+ return ret;
+}
+
+/******************************************************************************/
+/* returns error */
+int DEFAULT_CC
+auth_start_session(long in_val, int in_display)
+{
+ return 0;
+}
+
+/******************************************************************************/
+int DEFAULT_CC
+auth_end(long in_val)
+{
+ return 0;
+}
+
+/******************************************************************************/
+int DEFAULT_CC
+auth_set_env(long in_val)
+{
+ return 0;
+}
+
+/******************************************************************************/
+int DEFAULT_CC
+auth_check_pwd_chg(char* user)
+{
+ return 0;
+}
+
+int DEFAULT_CC
+auth_change_pwd(char* user, char* newpwd)
+{
+ return 0;
+}
+
+int DEFAULT_CC
+auth_stop_session(long in_val)
+{
+ return 0;
+}
+
+/**
+ *
+ * @brief Password encryption
+ * @param pwd Old password
+ * @param pln Plaintext new password
+ * @param crp Crypted new password
+ *
+ */
+
+static int DEFAULT_CC
+auth_crypt_pwd(char* pwd, char* pln, char* crp)
+{
+ return 0;
+}
+
+/**
+ *
+ * @return 1 if the account is disabled, 0 otherwise
+ *
+ */
+static int DEFAULT_CC
+auth_account_disabled(struct spwd* stp)
+{
+ return 0;
+}
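Review bot: auth_userpass never writes `*errorcode`, so a caller that reads it after a failed login gets whatever value was there before; either set it on the failure path or document the gap with `/* errorcode is not set by the BSD auth backend */`. `#define _XOPEN_SOURCE` comes after `#include "sesman.h"`, so any system header sesman.h pulls in has already been processed without it; feature-test macros must precede the first include. The static stubs `auth_crypt_pwd` and `auth_account_disabled` are never called in this file, and `struct spwd` has no declaration here, so they yield unused-function warnings and a prototype-scoped struct tag; dropping them, or declaring them in a shared header, cleans this up. `SECS_PER_DAY` is likewise unused in the visible file.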
diff --git a/xrdp/lang.c b/xrdp/lang.c
index a2942599..de81c681 100644
--- a/xrdp/lang.c
+++ b/xrdp/lang.c
@@ -246,7 +246,7 @@ get_keymaps(int keylayout, struct xrdp_keymap *keymap)
if (fd != -1)
{
lkeymap = (struct xrdp_keymap *)g_malloc(sizeof(struct xrdp_keymap), 0);
- /* make a copy of the build in kaymap */
+ /* make a copy of the built-in keymap */
g_memcpy(lkeymap, keymap, sizeof(struct xrdp_keymap));
/* clear the keymaps */
g_memset(keymap, 0, sizeof(struct xrdp_keymap));