diff options
-rw-r--r-- | common/trans.c | 8 | ||||
-rw-r--r-- | common/trans.h | 2 | ||||
-rw-r--r-- | libxrdp/Makefile.am | 3 | ||||
-rw-r--r-- | libxrdp/libxrdp.c | 6 | ||||
-rw-r--r-- | libxrdp/libxrdp.h | 26 | ||||
-rw-r--r-- | libxrdp/xrdp_mcs.c | 18 | ||||
-rw-r--r-- | libxrdp/xrdp_sec.c | 4 | ||||
-rw-r--r-- | libxrdp/xrdp_tls.c | 239 |
8 files changed, 302 insertions, 4 deletions
diff --git a/common/trans.c b/common/trans.c index 6fd5a9d8..421d5679 100644 --- a/common/trans.c +++ b/common/trans.c @@ -38,6 +38,8 @@ trans_create(int mode, int in_size, int out_size) make_stream(self->out_s); init_stream(self->out_s, out_size); self->mode = mode; + self->do_tls = 0; /* default simple tcp layer */ + self->tls = 0; } return self; @@ -248,7 +250,7 @@ trans_check_wait_objs(struct trans *self) if (to_read > 0) { - read_bytes = g_tcp_recv(self->sck, self->in_s->end, to_read, 0); + read_bytes = g_tcp_recv(self->sck, self->in_s->end, to_read, 0); if (read_bytes == -1) { @@ -318,7 +320,9 @@ trans_force_read_s(struct trans *self, struct stream *in_s, int size) { return 1; } + rcvd = g_tcp_recv(self->sck, in_s->end, size, 0); + if (rcvd == -1) { if (g_tcp_last_error_would_block(self->sck)) @@ -391,7 +395,7 @@ trans_force_write_s(struct trans *self, struct stream *out_s) while (total < size) { - sent = g_tcp_send(self->sck, out_s->data + total, size - total, 0); + sent = g_tcp_send(self->sck, out_s->data + total, size - total, 0); if (sent == -1) { diff --git a/common/trans.h b/common/trans.h index 4a8b249c..a391309e 100644 --- a/common/trans.h +++ b/common/trans.h @@ -60,6 +60,8 @@ struct trans char port[256]; int no_stream_init_on_data_in; int extra_flags; /* user defined */ + int do_tls; /* 0 - tcp, 1 - tls */ + struct xrdp_tls *tls; }; struct trans* APP_CC diff --git a/libxrdp/Makefile.am b/libxrdp/Makefile.am index bd37cad4..57c4b716 100644 --- a/libxrdp/Makefile.am +++ b/libxrdp/Makefile.am @@ -61,7 +61,8 @@ libxrdp_la_SOURCES = \ xrdp_orders_rail.c \ xrdp_mppc_enc.c \ xrdp_fastpath.c \ - xrdp_caps.c + xrdp_caps.c \ + xrdp_tls.c libxrdp_la_LDFLAGS = \ $(EXTRA_FLAGS) diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c index e9c3508b..6a79e8fb 100644 --- a/libxrdp/libxrdp.c +++ b/libxrdp/libxrdp.c @@ -141,7 +141,11 @@ libxrdp_force_read(struct trans* trans) s = trans->in_s; init_stream(s, 32 * 1024); - if (trans_force_read(trans, 4) != 0) + if (trans->do_tls) + { + /*TLS*/ + } + else if (trans_force_read(trans, 4) != 0) /*TCP*/ { g_writeln("libxrdp_force_read: error"); return 0; diff --git a/libxrdp/libxrdp.h b/libxrdp/libxrdp.h index f702c280..c2800abf 100644 --- a/libxrdp/libxrdp.h +++ b/libxrdp/libxrdp.h @@ -36,6 +36,7 @@ #include "libxrdpinc.h" #include "file_loc.h" #include "xrdp_client_info.h" +#include <openssl/ssl.h> /* iso */ @@ -131,6 +132,7 @@ struct xrdp_sec void *encrypt_fips_info; void *decrypt_fips_info; void *sign_fips_info; + struct xrdp_tls *tls; }; /* channel */ @@ -290,6 +292,30 @@ struct xrdp_mppc_enc tui16 *hash_table; }; + +/* xrdp_tls */ +struct xrdp_tls { + SSL *ssl; + SSL_CTX *ctx; + char *cert; + char *key; + struct trans *trans; +}; + +/* xrdp_tls.c */ +struct xrdp_tls *APP_CC +xrdp_tls_create(struct trans *trans, const char *key, const char *cert); +int APP_CC +xrdp_tls_accept(struct xrdp_tls *self); +int APP_CC +xrdp_tls_disconnect(struct xrdp_tls *self); +void APP_CC +xrdp_tls_delete(struct xrdp_tls *self); +int APP_CC +xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length); +int APP_CC +xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length); + int APP_CC compress_rdp(struct xrdp_mppc_enc *enc, tui8 *srcData, int len); struct xrdp_mppc_enc * APP_CC diff --git a/libxrdp/xrdp_mcs.c b/libxrdp/xrdp_mcs.c index c1b0b908..df4f81f5 100644 --- a/libxrdp/xrdp_mcs.c +++ b/libxrdp/xrdp_mcs.c @@ -755,6 +755,21 @@ xrdp_mcs_incoming(struct xrdp_mcs *self) return 1; } + /* tls */ + if (PROTOCOL_SSL & self->iso_layer->selectedProtocol) + { + g_writeln("xrdp_mcs_incoming: TLS mode!"); + self->sec_layer->crypt_level = CRYPT_LEVEL_NONE; + self->sec_layer->crypt_method = CRYPT_METHOD_NONE; + + if (xrdp_tls_accept(self->sec_layer->tls) != 0) + { + g_writeln("xrdp_mcs_incoming: ssl_tls_accept failed"); + return 1; + } + g_writeln("xrdp_mcs_incoming: ssl_tls_accept done!!!!"); + } + if (xrdp_mcs_recv_connect_initial(self) != 0) { return 1; @@ -961,6 +976,7 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self) if (xrdp_iso_init(self->iso_layer, s) != 0) { + xrdp_tls_disconnect(self->sec_layer->tls); free_stream(s); close_rdp_socket(self); DEBUG((" out xrdp_mcs_disconnect error - 1")); @@ -973,12 +989,14 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self) if (xrdp_iso_send(self->iso_layer, s) != 0) { + xrdp_tls_disconnect(self->sec_layer->tls); free_stream(s); close_rdp_socket(self); DEBUG((" out xrdp_mcs_disconnect error - 2")); return 1; } + xrdp_tls_disconnect(self->sec_layer->tls); free_stream(s); close_rdp_socket(self); DEBUG(("xrdp_mcs_disconnect - close sent")); diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c index d726f3e8..c908c081 100644 --- a/libxrdp/xrdp_sec.c +++ b/libxrdp/xrdp_sec.c @@ -276,6 +276,8 @@ xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level, &(self->server_mcs_data)); self->fastpath_layer = xrdp_fastpath_create(self, trans); self->chan_layer = xrdp_channel_create(self, self->mcs_layer); + //TODO: add cert to config + self->tls = xrdp_tls_create(trans, "/opt/xrdpdev/etc/xrdp/pkey.pem", "/opt/xrdpdev/etc/xrdp/cert.pem"); DEBUG((" out xrdp_sec_create")); return self; } @@ -298,6 +300,7 @@ xrdp_sec_delete(struct xrdp_sec *self) ssl_des3_info_delete(self->decrypt_fips_info); ssl_des3_info_delete(self->encrypt_fips_info); ssl_hmac_info_delete(self->sign_fips_info); + xrdp_tls_delete(self->tls); g_free(self->client_mcs_data.data); g_free(self->server_mcs_data.data); /* Crypto information must always be cleared */ @@ -2115,6 +2118,7 @@ xrdp_sec_disconnect(struct xrdp_sec *self) int rv; DEBUG((" in xrdp_sec_disconnect")); + rv = xrdp_mcs_disconnect(self->mcs_layer); DEBUG((" out xrdp_sec_disconnect")); return rv; diff --git a/libxrdp/xrdp_tls.c b/libxrdp/xrdp_tls.c new file mode 100644 index 00000000..d893ca3c --- /dev/null +++ b/libxrdp/xrdp_tls.c @@ -0,0 +1,239 @@ +/** + * xrdp: A Remote Desktop Protocol server. + * + * Copyright (C) Idan Freiberg 2013-2014 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * transport layer security + */ + +#include "libxrdp.h" + +/*****************************************************************************/ +struct xrdp_tls *APP_CC +xrdp_tls_create(struct trans *trans, const char *key, const char *cert) +{ + struct xrdp_tls *self; + self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1); + + if (self != NULL) + { + self->trans = trans; + self->cert = g_malloc(g_strlen(key) + 1, 1); + self->key = g_malloc(g_strlen(cert) + 1, 1); + strcpy(self->cert, cert); + strcpy(self->key, key); + } + + return self; +} +/*****************************************************************************/ +int APP_CC +xrdp_tls_accept(struct xrdp_tls *self) +{ + int connection_status; + long options = 0; + + /** + * SSL_OP_NO_SSLv2: + * + * We only want SSLv3 and TLSv1, so disable SSLv2. + * SSLv3 is used by, eg. Microsoft RDC for Mac OS X. + */ + options |= SSL_OP_NO_SSLv2; + + /** + * SSL_OP_NO_COMPRESSION: + * + * The Microsoft RDP server does not advertise support + * for TLS compression, but alternative servers may support it. + * This was observed between early versions of the FreeRDP server + * and the FreeRDP client, and caused major performance issues, + * which is why we're disabling it. + */ + options |= SSL_OP_NO_COMPRESSION; + + /** + * SSL_OP_TLS_BLOCK_PADDING_BUG: + * + * The Microsoft RDP server does *not* support TLS padding. + * It absolutely needs to be disabled otherwise it won't work. + */ + options |= SSL_OP_TLS_BLOCK_PADDING_BUG; + + /** + * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: + * + * Just like TLS padding, the Microsoft RDP server does not + * support empty fragments. This needs to be disabled. + */ + options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + + self->ctx = SSL_CTX_new(SSLv23_server_method()); + /* set context options */ + SSL_CTX_set_mode(self->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_options(self->ctx, options); + SSL_CTX_set_read_ahead(self->ctx, 1); + + if (self->ctx == NULL) { + g_writeln("ssl_tls_accept: SSL_CTX_new failed"); + return 1; + } + + if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM) + <= 0) { + g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed"); + return 1; + } + + self->ssl = SSL_new(self->ctx); + + if (self->ssl == NULL) { + g_writeln("ssl_tls_accept: SSL_new failed"); + return 1; + } + + if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) { + g_writeln("ssl_tls_accept: SSL_use_certificate_file failed"); + return 1; + } + + if (SSL_set_fd(self->ssl, self->trans->sck) < 1) { + g_writeln("ssl_tls_accept: SSL_set_fd failed"); + return 1; + } + + connection_status = SSL_accept(self->ssl); + + if (connection_status <= 0) { + if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status)) + { + return 1; + } + } + + g_writeln("ssl_tls_accept: TLS connection accepted"); + + /* set trans for TLS */ + self->trans->do_tls = 1; /* TLS layer */ + self->trans->tls = self; /* owner */ + + return 0; +} +/*****************************************************************************/ +int APP_CC +xrdp_tls_print_error(char *func, SSL *connection, int value) +{ + switch (SSL_get_error(connection, value)) + { + case SSL_ERROR_ZERO_RETURN: + g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection", func); + return 1; + + case SSL_ERROR_WANT_READ: + g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ"); + return 0; + + case SSL_ERROR_WANT_WRITE: + g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE"); + return 0; + + case SSL_ERROR_SYSCALL: + g_writeln("xrdp_tls_print_error: %s: I/O error", func); + return 1; + + case SSL_ERROR_SSL: + g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)", func); + return 1; + + default: + g_writeln("xrdp_tls_print_error: %s: Unknown error", func); + return 1; + } +} +/*****************************************************************************/ +int APP_CC +xrdp_tls_disconnect(struct xrdp_tls *self) +{ + SSL_shutdown(self->ssl); + return 0; +} +/*****************************************************************************/ +void APP_CC +xrdp_tls_delete(struct xrdp_tls *self) +{ + if (self != NULL) + { + if (self->ssl) + SSL_free(self->ssl); + + if (self->ctx) + SSL_CTX_free(self->ctx); + + g_free(self); + } +} +/*****************************************************************************/ +int APP_CC +xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length) +{ + int status; + + status = SSL_read(tls->ssl, data, length); + + switch (SSL_get_error(tls->ssl, status)) + { + case SSL_ERROR_NONE: + break; + + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + status = 0; + break; + + default: + xrdp_tls_print_error("SSL_read", tls->ssl, status); + status = -1; + break; + } + + return status; +} +/*****************************************************************************/ +int APP_CC +xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length) +{ + int status; + + status = SSL_write(tls->ssl, data, length); + + switch (SSL_get_error(tls->ssl, status)) + { + case SSL_ERROR_NONE: + break; + + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + status = 0; + break; + + default: + xrdp_tls_print_error("SSL_write", tls->ssl, status); + status = -1; + break; + } + + return status; +} +/*****************************************************************************/ |