diff options
Diffstat (limited to 'libxrdp')
| -rw-r--r-- | libxrdp/Makefile.am | 3 | ||||
| -rw-r--r-- | libxrdp/libxrdp.c | 27 | ||||
| -rw-r--r-- | libxrdp/libxrdp.h | 36 | ||||
| -rw-r--r-- | libxrdp/xrdp_fastpath.c | 2 | ||||
| -rw-r--r-- | libxrdp/xrdp_iso.c | 15 | ||||
| -rw-r--r-- | libxrdp/xrdp_mcs.c | 222 | ||||
| -rw-r--r-- | libxrdp/xrdp_rdp.c | 46 | ||||
| -rw-r--r-- | libxrdp/xrdp_sec.c | 459 | ||||
| -rw-r--r-- | libxrdp/xrdp_tls.c | 418 |
9 files changed, 406 insertions, 822 deletions
diff --git a/libxrdp/Makefile.am b/libxrdp/Makefile.am index 57c4b716..bd37cad4 100644 --- a/libxrdp/Makefile.am +++ b/libxrdp/Makefile.am @@ -61,8 +61,7 @@ libxrdp_la_SOURCES = \ xrdp_orders_rail.c \ xrdp_mppc_enc.c \ xrdp_fastpath.c \ - xrdp_caps.c \ - xrdp_tls.c + xrdp_caps.c libxrdp_la_LDFLAGS = \ $(EXTRA_FLAGS) diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c index 44e9d775..3b781f70 100644 --- a/libxrdp/libxrdp.c +++ b/libxrdp/libxrdp.c @@ -141,16 +141,8 @@ libxrdp_force_read(struct trans* trans) s = trans->in_s; init_stream(s, 32 * 1024); - if (trans->do_tls) - { - g_writeln("libxrdp_force_read: tls data in"); - if (xrdp_tls_force_read_s(trans, s, 4) != 0) - { - return 0; - } - g_hexdump(s->data, 4); - } - else if (trans_force_read(trans, 4) != 0) /*TCP*/ + + if (trans_force_read(trans, 4) != 0) { g_writeln("libxrdp_force_read: error"); return 0; @@ -167,24 +159,11 @@ libxrdp_force_read(struct trans* trans) return 0; } - if (trans->do_tls) - { - g_writeln("libxrdp_force_read: tls data in"); - xrdp_tls_force_read_s(trans, s, bytes - 4); - g_hexdump(s->data, bytes); - } - else if (trans_force_read(trans, bytes - 4) != 0) /*TCP*/ + if (trans_force_read(trans, bytes - 4) != 0) { g_writeln("libxrdp_force_read: error"); return 0; } - - -// if (trans_force_read(trans, bytes - 4) != 0) -// { -// g_writeln("libxrdp_force_read: error"); -// return 0; -// } return s; } diff --git a/libxrdp/libxrdp.h b/libxrdp/libxrdp.h index 4ce39eb3..0bda9f45 100644 --- a/libxrdp/libxrdp.h +++ b/libxrdp/libxrdp.h @@ -36,7 +36,6 @@ #include "libxrdpinc.h" #include "file_loc.h" #include "xrdp_client_info.h" -#include <openssl/ssl.h> /* iso */ @@ -123,16 +122,13 @@ struct xrdp_sec char pub_mod[256]; char pub_sig[64]; char pri_exp[256]; - int rsa_key_bytes; /* 64 or 256 */ - int channel_code; - int multimon; + int rsa_key_bytes; /* 64 or 256 , 0 = no rdp security */ char fips_encrypt_key[24]; char fips_decrypt_key[24]; char fips_sign_key[20]; void *encrypt_fips_info; void *decrypt_fips_info; void *sign_fips_info; - struct xrdp_tls *tls; }; /* channel */ @@ -293,29 +289,6 @@ struct xrdp_mppc_enc }; -/* xrdp_tls */ -struct xrdp_tls { - SSL *ssl; - SSL_CTX *ctx; - char *cert; - char *key; - struct trans *trans; -}; - -/* xrdp_tls.c */ -struct xrdp_tls *APP_CC -xrdp_tls_create(struct trans *trans, const char *key, const char *cert); -int APP_CC -xrdp_tls_accept(struct xrdp_tls *self); -int APP_CC -xrdp_tls_disconnect(struct xrdp_tls *self); -void APP_CC -xrdp_tls_delete(struct xrdp_tls *self); -int APP_CC -xrdp_tls_force_read_s(struct trans *self, struct stream *in_s, int size); -int APP_CC -xrdp_tls_force_write_s(struct trans *self, struct stream *out_s); - int APP_CC compress_rdp(struct xrdp_mppc_enc *enc, tui8 *srcData, int len); struct xrdp_mppc_enc * APP_CC @@ -370,9 +343,8 @@ int APP_CC xrdp_mcs_disconnect(struct xrdp_mcs *self); /* xrdp_sec.c */ -struct xrdp_sec * APP_CC -xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level, - int channel_code, int multimon); +struct xrdp_sec *APP_CC +xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans); void APP_CC xrdp_sec_delete(struct xrdp_sec *self); int APP_CC @@ -392,8 +364,6 @@ xrdp_sec_send(struct xrdp_sec *self, struct stream *s, int chan); int APP_CC xrdp_sec_process_mcs_data(struct xrdp_sec *self); int APP_CC -xrdp_sec_out_mcs_data(struct xrdp_sec *self); -int APP_CC xrdp_sec_incoming(struct xrdp_sec *self); int APP_CC xrdp_sec_disconnect(struct xrdp_sec *self); diff --git a/libxrdp/xrdp_fastpath.c b/libxrdp/xrdp_fastpath.c index 8739c764..f84f5ae1 100644 --- a/libxrdp/xrdp_fastpath.c +++ b/libxrdp/xrdp_fastpath.c @@ -117,7 +117,7 @@ xrdp_fastpath_init(struct xrdp_fastpath *self, struct stream *s) int APP_CC xrdp_fastpath_send(struct xrdp_fastpath *self, struct stream *s) { - if (trans_force_write_s(self->trans, s) != 0) + if (trans_force_write_s(self->trans, s) != 0) { return 1; } diff --git a/libxrdp/xrdp_iso.c b/libxrdp/xrdp_iso.c index 33570e19..90bfebce 100644 --- a/libxrdp/xrdp_iso.c +++ b/libxrdp/xrdp_iso.c @@ -56,8 +56,6 @@ xrdp_iso_process_rdpNegReq(struct xrdp_iso *self, struct stream *s) int flags; int len; - DEBUG((" in xrdp_iso_process_neg_req")); - in_uint8(s, flags); if (flags != 0x0 && flags != 0x8 && flags != 0x1) { @@ -80,7 +78,6 @@ xrdp_iso_process_rdpNegReq(struct xrdp_iso *self, struct stream *s) return 1; } - DEBUG((" out xrdp_iso_process_rdpNegReq")); return 0; } /*****************************************************************************/ @@ -278,8 +275,7 @@ xrdp_iso_incoming(struct xrdp_iso *self) self->rdpNegData = 1; if (xrdp_iso_process_rdpNegReq(self, s) != 0) { - g_writeln( - "xrdp_iso_incoming: xrdp_iso_process_rdpNegReq returned non zero"); + g_writeln("xrdp_iso_incoming: xrdp_iso_process_rdpNegReq returned non zero"); return 1; } break; @@ -416,14 +412,7 @@ xrdp_iso_send(struct xrdp_iso *self, struct stream *s) out_uint8(s, ISO_PDU_DT); out_uint8(s, 0x80); - if (self->trans->do_tls) - { - if (xrdp_tls_force_write_s(self->trans, s) != 0) - { - return 1; - } - } - else if (trans_force_write_s(self->trans, s) != 0) + if (trans_force_write_s(self->trans, s) != 0) { return 1; } diff --git a/libxrdp/xrdp_mcs.c b/libxrdp/xrdp_mcs.c index fd8fe3fb..404db998 100644 --- a/libxrdp/xrdp_mcs.c +++ b/libxrdp/xrdp_mcs.c @@ -706,7 +706,163 @@ xrdp_mcs_out_domain_params(struct xrdp_mcs *self, struct stream *s, xrdp_mcs_ber_out_int8(self, s, 2); return 0; } +/*****************************************************************************/ +/* prepare server gcc data to send in mcs response msg */ +int APP_CC +xrdp_mcs_out_gcc_data(struct xrdp_sec *self) +{ + struct stream *s; + int num_channels_even; + int num_channels; + int index; + int channel; + int gcc_size; + char* gcc_size_ptr; + char* ud_ptr; + + num_channels = self->mcs_layer->channel_list->count; + num_channels_even = num_channels + (num_channels & 1); + s = &(self->server_mcs_data); + init_stream(s, 8192); + out_uint16_be(s, 5); /* AsnBerObjectIdentifier */ + out_uint16_be(s, 0x14); + out_uint8(s, 0x7c); + out_uint16_be(s, 1); /* -- */ + out_uint8(s, 0x2a); /* ConnectPDULen */ + out_uint8(s, 0x14); + out_uint8(s, 0x76); + out_uint8(s, 0x0a); + out_uint8(s, 1); + out_uint8(s, 1); + out_uint8(s, 0); + out_uint16_le(s, 0xc001); + out_uint8(s, 0); + out_uint8(s, 0x4d); /* M */ + out_uint8(s, 0x63); /* c */ + out_uint8(s, 0x44); /* D */ + out_uint8(s, 0x6e); /* n */ + /* GCC Response Total Length - 2 bytes , set later */ + gcc_size_ptr = s->p; /* RDPGCCUserDataResponseLength */ + out_uint8s(s, 2); + ud_ptr = s->p; /* User Data */ + out_uint16_le(s, SEC_TAG_SRV_INFO); + if (self->mcs_layer->iso_layer->rdpNegData) + { + out_uint16_le(s, 12); /* len */ + } + else + { + out_uint16_le(s, 8); /* len */ + } + out_uint8(s, 4); /* 4 = rdp5 1 = rdp4 */ + out_uint8(s, 0); + out_uint8(s, 8); + out_uint8(s, 0); + if (self->mcs_layer->iso_layer->rdpNegData) + { + /* ReqeustedProtocol */ + out_uint32_le(s, self->mcs_layer->iso_layer->requestedProtocol); + } + out_uint16_le(s, SEC_TAG_SRV_CHANNELS); + out_uint16_le(s, 8 + (num_channels_even * 2)); /* len */ + out_uint16_le(s, MCS_GLOBAL_CHANNEL); /* 1003, 0x03eb main channel */ + out_uint16_le(s, num_channels); /* number of other channels */ + + for (index = 0; index < num_channels_even; index++) + { + if (index < num_channels) + { + channel = MCS_GLOBAL_CHANNEL + (index + 1); + out_uint16_le(s, channel); + } + else + { + out_uint16_le(s, 0); + } + } + + if (self->rsa_key_bytes == 64) + { + g_writeln("xrdp_sec_out_mcs_data: using 512 bit RSA key"); + out_uint16_le(s, SEC_TAG_SRV_CRYPT); + out_uint16_le(s, 0x00ec); /* len is 236 */ + out_uint32_le(s, self->crypt_method); + out_uint32_le(s, self->crypt_level); + out_uint32_le(s, 32); /* 32 bytes random len */ + out_uint32_le(s, 0xb8); /* 184 bytes rsa info(certificate) len */ + out_uint8a(s, self->server_random, 32); + /* here to end is certificate */ + /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */ + /* TermService\Parameters\Certificate */ + out_uint32_le(s, 1); + out_uint32_le(s, 1); + out_uint32_le(s, 1); + out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */ + out_uint16_le(s, 0x005c); /* 92 bytes length of SEC_TAG_PUBKEY */ + out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */ + out_uint32_le(s, 0x0048); /* 72 bytes modulus len */ + out_uint32_be(s, 0x00020000); /* bit len */ + out_uint32_be(s, 0x3f000000); /* data len */ + out_uint8a(s, self->pub_exp, 4); /* pub exp */ + out_uint8a(s, self->pub_mod, 64); /* pub mod */ + out_uint8s(s, 8); /* pad */ + out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */ + out_uint16_le(s, 72); /* len */ + out_uint8a(s, self->pub_sig, 64); /* pub sig */ + out_uint8s(s, 8); /* pad */ + } + else if (self->rsa_key_bytes == 256) + { + g_writeln("xrdp_sec_out_mcs_data: using 2048 bit RSA key"); + out_uint16_le(s, SEC_TAG_SRV_CRYPT); + out_uint16_le(s, 0x01ac); /* len is 428 */ + out_uint32_le(s, self->crypt_method); + out_uint32_le(s, self->crypt_level); + out_uint32_le(s, 32); /* 32 bytes random len */ + out_uint32_le(s, 0x178); /* 376 bytes rsa info(certificate) len */ + out_uint8a(s, self->server_random, 32); + /* here to end is certificate */ + /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */ + /* TermService\Parameters\Certificate */ + out_uint32_le(s, 1); + out_uint32_le(s, 1); + out_uint32_le(s, 1); + out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */ + out_uint16_le(s, 0x011c); /* 284 bytes length of SEC_TAG_PUBKEY */ + out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */ + out_uint32_le(s, 0x0108); /* 264 bytes modulus len */ + out_uint32_be(s, 0x00080000); /* bit len */ + out_uint32_be(s, 0xff000000); /* data len */ + out_uint8a(s, self->pub_exp, 4); /* pub exp */ + out_uint8a(s, self->pub_mod, 256); /* pub mod */ + out_uint8s(s, 8); /* pad */ + out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */ + out_uint16_le(s, 72); /* len */ + out_uint8a(s, self->pub_sig, 64); /* pub sig */ + out_uint8s(s, 8); /* pad */ + } + else if (self->rsa_key_bytes == 0) /* no security */ + { + g_writeln("xrdp_sec_out_mcs_data: using no security"); + out_uint16_le(s, SEC_TAG_SRV_CRYPT); + out_uint16_le(s, 12); /* len is 12 */ + out_uint32_le(s, self->crypt_method); + out_uint32_le(s, self->crypt_level); + } + else + { + g_writeln("xrdp_sec_out_mcs_data: error"); + } + /* end certificate */ + s_mark_end(s); + + gcc_size = (int)(s->end - ud_ptr) | 0x8000; + gcc_size_ptr[0] = gcc_size >> 8; + gcc_size_ptr[1] = gcc_size; + + return 0; +} /*****************************************************************************/ /* returns error */ static int APP_CC @@ -719,10 +875,10 @@ xrdp_mcs_send_connect_response(struct xrdp_mcs *self) make_stream(s); init_stream(s, 8192); data_len = (int) (self->server_mcs_data->end - self->server_mcs_data->data); - g_writeln("data len = %d , +36= %d", data_len, data_len+36); xrdp_iso_init(self->iso_layer, s); - //TODO: 36 - tls , 38 - rdp - we should calculate that - xrdp_mcs_ber_out_header(self, s, MCS_CONNECT_RESPONSE, data_len + 36); + //TODO: we should calculate the whole length include MCS_CONNECT_RESPONSE + xrdp_mcs_ber_out_header(self, s, MCS_CONNECT_RESPONSE, + data_len > 0x80 ? data_len + 38 : data_len + 36); xrdp_mcs_ber_out_header(self, s, BER_TAG_RESULT, 1); out_uint8(s, 0); xrdp_mcs_ber_out_header(self, s, BER_TAG_INTEGER, 1); @@ -751,31 +907,9 @@ xrdp_mcs_send_connect_response(struct xrdp_mcs *self) int APP_CC xrdp_mcs_incoming(struct xrdp_mcs *self) { + int i; DEBUG((" in xrdp_mcs_incoming")); - /* ISO */ - if (xrdp_iso_incoming(self->iso_layer) != 0) - { - return 1; - } - - /* TLS */ - if (PROTOCOL_SSL & self->iso_layer->selectedProtocol) - { - g_writeln("xrdp_mcs_incoming: TLS mode!"); - self->sec_layer->crypt_level = CRYPT_LEVEL_NONE; - self->sec_layer->crypt_method = CRYPT_METHOD_NONE; - self->sec_layer->rsa_key_bytes = 0; - - if (xrdp_tls_accept(self->sec_layer->tls) != 0) - { - g_writeln("xrdp_mcs_incoming: ssl_tls_accept failed"); - return 1; - } - g_writeln("xrdp_mcs_incoming: ssl_tls_accept done!!!!"); - } - - /* MCS */ if (xrdp_mcs_recv_connect_initial(self) != 0) { return 1; @@ -787,8 +921,7 @@ xrdp_mcs_incoming(struct xrdp_mcs *self) return 1; } - /* in xrdp_sec.c */ - if (xrdp_sec_out_mcs_data(self->sec_layer) != 0) + if (xrdp_mcs_out_gcc_data(self->sec_layer) != 0) { return 1; } @@ -813,25 +946,18 @@ xrdp_mcs_incoming(struct xrdp_mcs *self) return 1; } - if (xrdp_mcs_recv_cjrq(self) != 0) - { - return 1; - } - - if (xrdp_mcs_send_cjcf(self, self->userid, - self->userid + MCS_USERCHANNEL_BASE) != 0) - { - return 1; - } - - if (xrdp_mcs_recv_cjrq(self) != 0) + for (i = 0 ; i < self->channel_list->count + 2 ; i++) { - return 1; - } + if (xrdp_mcs_recv_cjrq(self) != 0) + { + return 1; + } - if (xrdp_mcs_send_cjcf(self, self->userid, MCS_GLOBAL_CHANNEL) != 0) - { - return 1; + if (xrdp_mcs_send_cjcf(self, self->userid, + self->userid + MCS_USERCHANNEL_BASE + i) != 0) + { + return 1; + } } DEBUG((" out xrdp_mcs_incoming")); @@ -960,6 +1086,7 @@ close_rdp_socket(struct xrdp_mcs *self) { if (self->iso_layer->trans != 0) { + trans_shutdown_tls_mode(self->iso_layer->trans); g_tcp_close(self->iso_layer->trans->sck); self->iso_layer->trans->sck = 0 ; g_writeln("xrdp_mcs_disconnect - socket closed"); @@ -982,8 +1109,7 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self) if (xrdp_iso_init(self->iso_layer, s) != 0) { - xrdp_tls_disconnect(self->sec_layer->tls); - free_stream(s); + free_stream(s); close_rdp_socket(self); DEBUG((" out xrdp_mcs_disconnect error - 1")); return 1; @@ -995,14 +1121,12 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self) if (xrdp_iso_send(self->iso_layer, s) != 0) { - xrdp_tls_disconnect(self->sec_layer->tls); free_stream(s); close_rdp_socket(self); DEBUG((" out xrdp_mcs_disconnect error - 2")); return 1; } - xrdp_tls_disconnect(self->sec_layer->tls); free_stream(s); close_rdp_socket(self); DEBUG(("xrdp_mcs_disconnect - close sent")); diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index 3719b015..6891bb97 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -177,6 +177,38 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info) client_info->security_layer = PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX; } } + else if (g_strcasecmp(item, "certificate") == 0) + { + g_memset(client_info->certificate, 0, sizeof(char) * 1024); + if (value[0] != '/') + { + /* default certificate path */ + g_snprintf(client_info->certificate, 1023, "%s/cert.pem", XRDP_CFG_PATH); + log_message(LOG_LEVEL_ALWAYS,"WARNING: Invalid x.509 certificate path defined, " + "default path will be used: %s", client_info->certificate); + } + else + { + /* use user defined certificate */ + g_strncpy(client_info->certificate, value, 1023); + } + } + else if (g_strcasecmp(item, "key_file") == 0) + { + g_memset(client_info->key_file, 0, sizeof(char) * 1024); + if (value[0] != '/') + { + /* default key_file path */ + g_snprintf(client_info->key_file, 1023, "%s/key.pem", XRDP_CFG_PATH); + log_message(LOG_LEVEL_ALWAYS,"WARNING: Invalid x.509 certificate path defined, " + "default path will be used: %s", client_info->key_file); + } + else + { + /* use user defined key_file */ + g_strncpy(client_info->key_file, value, 1023); + } + } } @@ -253,10 +285,7 @@ xrdp_rdp_create(struct xrdp_session *session, struct trans *trans) /* read ini settings */ xrdp_rdp_read_config(&self->client_info); /* create sec layer */ - self->sec_layer = xrdp_sec_create(self, trans, - self->client_info.crypt_level, - self->client_info.channel_code, - self->client_info.multimon); + self->sec_layer = xrdp_sec_create(self, trans); /* default 8 bit v1 color bitmap cache entries and size */ self->client_info.cache1_entries = 600; self->client_info.cache1_size = 256; @@ -352,6 +381,15 @@ xrdp_rdp_recv(struct xrdp_rdp *self, struct stream *s, int *code) chan = 0; error = xrdp_sec_recv(self->sec_layer, s, &chan); + if (error == 3) + { + /* unencrypted confirm active msg arrived */ + s->next_packet = 0; + *code = 3; + DEBUG(("out (0) xrdp_rdp_recv")); + return 0; + } + if (error == -1) /* special code for send demand active */ { s->next_packet = 0; diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c index 76fc3ae2..d5e19f76 100644 --- a/libxrdp/xrdp_sec.c +++ b/libxrdp/xrdp_sec.c @@ -222,91 +222,46 @@ hex_str_to_bin(char *in, char *out, int out_len) /*****************************************************************************/ struct xrdp_sec *APP_CC -xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level, - int channel_code, int multimon) +xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans) { struct xrdp_sec *self; - DEBUG((" in xrdp_sec_create")); - self = (struct xrdp_sec *)g_malloc(sizeof(struct xrdp_sec), 1); - self->rdp_layer = owner; - self->crypt_method = CRYPT_METHOD_NONE; - self->crypt_level = CRYPT_LEVEL_NONE; - switch (crypt_level) - { - case 1: /* low */ - self->crypt_method = CRYPT_METHOD_40BIT; - self->crypt_level = CRYPT_LEVEL_LOW; - break; - case 2: /* medium */ - self->crypt_method = CRYPT_METHOD_40BIT; - self->crypt_level = CRYPT_LEVEL_CLIENT_COMPATIBLE; - break; - case 3: /* high */ - self->crypt_method = CRYPT_METHOD_128BIT; - self->crypt_level = CRYPT_LEVEL_HIGH; - break; - case 4: /* fips */ - self->crypt_method = CRYPT_METHOD_FIPS; - self->crypt_level = CRYPT_LEVEL_FIPS; - break; - default: - g_writeln("Fatal : Illegal crypt_level"); - break ; - } - - self->channel_code = channel_code; - self->multimon = multimon; - - if (self->decrypt_rc4_info != NULL) - { - g_writeln("xrdp_sec_create - decrypt_rc4_info already created !!!"); - } - - self->decrypt_rc4_info = ssl_rc4_info_create(); - - if (self->encrypt_rc4_info != NULL) - { - g_writeln("xrdp_sec_create - encrypt_rc4_info already created !!!"); - } - - self->encrypt_rc4_info = ssl_rc4_info_create(); - self->mcs_layer = xrdp_mcs_create(self, trans, - &(self->client_mcs_data), - &(self->server_mcs_data)); - self->fastpath_layer = xrdp_fastpath_create(self, trans); - self->chan_layer = xrdp_channel_create(self, self->mcs_layer); - //TODO: add cert to config - self->tls = xrdp_tls_create(trans, "/opt/xrdpinstall/etc/xrdp/pkey.pem", - "/opt/xrdpinstall/etc/xrdp/cert.pem"); - DEBUG((" out xrdp_sec_create")); - return self; + DEBUG((" in xrdp_sec_create")); + self = (struct xrdp_sec *) g_malloc(sizeof(struct xrdp_sec), 1); + self->rdp_layer = owner; + self->crypt_method = CRYPT_METHOD_NONE; /* set later */ + self->crypt_level = CRYPT_LEVEL_NONE; + self->mcs_layer = xrdp_mcs_create(self, trans, &(self->client_mcs_data), + &(self->server_mcs_data)); + self->fastpath_layer = xrdp_fastpath_create(self, trans); + self->chan_layer = xrdp_channel_create(self, self->mcs_layer); + DEBUG((" out xrdp_sec_create")); + + return self; } /*****************************************************************************/ void APP_CC -xrdp_sec_delete(struct xrdp_sec *self) -{ - if (self == 0) - { - g_writeln("xrdp_sec_delete: indata is null"); - return; - } - - xrdp_channel_delete(self->chan_layer); - xrdp_mcs_delete(self->mcs_layer); - xrdp_fastpath_delete(self->fastpath_layer); - ssl_rc4_info_delete(self->decrypt_rc4_info); /* TODO clear all data */ - ssl_rc4_info_delete(self->encrypt_rc4_info); /* TODO clear all data */ - ssl_des3_info_delete(self->decrypt_fips_info); - ssl_des3_info_delete(self->encrypt_fips_info); - ssl_hmac_info_delete(self->sign_fips_info); - xrdp_tls_delete(self->tls); - g_free(self->client_mcs_data.data); - g_free(self->server_mcs_data.data); - /* Crypto information must always be cleared */ - g_memset(self, 0, sizeof(struct xrdp_sec)); - g_free(self); +xrdp_sec_delete(struct xrdp_sec *self) { + + if (self == 0) { + g_writeln("xrdp_sec_delete: indata is null"); + return; + } + + xrdp_channel_delete(self->chan_layer); + xrdp_mcs_delete(self->mcs_layer); + xrdp_fastpath_delete(self->fastpath_layer); + ssl_rc4_info_delete(self->decrypt_rc4_info); /* TODO clear all data */ + ssl_rc4_info_delete(self->encrypt_rc4_info); /* TODO clear all data */ + ssl_des3_info_delete(self->decrypt_fips_info); + ssl_des3_info_delete(self->encrypt_fips_info); + ssl_hmac_info_delete(self->sign_fips_info); + g_free(self->client_mcs_data.data); + g_free(self->server_mcs_data.data); + /* Crypto information must always be cleared */ + g_memset(self, 0, sizeof(struct xrdp_sec)); + g_free(self); } /*****************************************************************************/ @@ -1046,9 +1001,23 @@ xrdp_sec_recv(struct xrdp_sec *self, struct stream *s, int *chan) { return 1; } + + //TODO: HACK, we should recognize packets with sec header: client info, and license. + if (s->data[17] == 0x13) /* confirm active pdu */ + { + g_writeln("CONFIRM ACTIVE ARRIVED"); + in_uint8s(s, 6); + return 3; + } + + if (s->data[17] == 0x17 || s->data[16] == 0x17) /* rdp data pdu */ + { + g_writeln("RDP DATA ARRIVED"); + return 0; + } + in_uint32_le(s, flags); DEBUG((" in xrdp_sec_recv flags $%x", flags)); - g_writeln("userdata shareheaedr flags = %d", flags); if (flags & SEC_ENCRYPT) /* 0x08 */ { @@ -1071,7 +1040,7 @@ xrdp_sec_recv(struct xrdp_sec *self, struct stream *s, int *chan) xrdp_sec_fips_decrypt(self, s->p, (int)(s->end - s->p)); s->end -= pad; } - else + else if (self->crypt_level > CRYPT_LEVEL_NONE) { if (!s_check_rem(s, 8)) { @@ -1622,11 +1591,14 @@ xrdp_sec_process_mcs_data_channels(struct xrdp_sec *self, struct stream *s) int num_channels; int index; struct mcs_channel_item *channel_item; + struct xrdp_client_info *client_info = (struct xrdp_client_info *)NULL; - DEBUG(("processing channels, channel_code is %d", self->channel_code)); + client_info = &(self->rdp_layer->client_info); + + DEBUG(("processing channels, channel_code is %d", client_info->channel_code)); /* this is an option set in xrdp.ini */ - if (self->channel_code != 1) /* are channels on? */ + if (client_info->channel_code != 1) /* are channels on? */ { g_writeln("Processing channel data from client - The channel is off"); return 0; @@ -1675,9 +1647,9 @@ xrdp_sec_process_mcs_data_monitors(struct xrdp_sec *self, struct stream *s) client_info = &(self->rdp_layer->client_info); - DEBUG(("processing monitors data, allow_multimon is %d", self->multimon)); + DEBUG(("processing monitors data, allow_multimon is %d", client_info->multimon)); /* this is an option set in xrdp.ini */ - if (self->multimon != 1) /* are multi-monitors allowed ? */ + if (client_info->multimon != 1) /* are multi-monitors allowed ? */ { DEBUG(("[INFO] xrdp_sec_process_mcs_data_monitors: multimon is not " "allowed, skipping")); @@ -1819,164 +1791,6 @@ xrdp_sec_process_mcs_data(struct xrdp_sec *self) } /*****************************************************************************/ -/* prepare server mcs data to send in mcs layer */ -int APP_CC -xrdp_sec_out_mcs_data(struct xrdp_sec *self) -{ - struct stream *s; - int num_channels_even; - int num_channels; - int index; - int channel; - int gcc_size; - char* gcc_size_ptr; - char* ud_ptr; - - num_channels = self->mcs_layer->channel_list->count; - num_channels_even = num_channels + (num_channels & 1); - s = &(self->server_mcs_data); - init_stream(s, 8192); - out_uint16_be(s, 5); /* AsnBerObjectIdentifier */ - out_uint16_be(s, 0x14); - out_uint8(s, 0x7c); - out_uint16_be(s, 1); /* -- */ - out_uint8(s, 0x2a); /* ConnectPDULen */ - out_uint8(s, 0x14); - out_uint8(s, 0x76); - out_uint8(s, 0x0a); - out_uint8(s, 1); - out_uint8(s, 1); - out_uint8(s, 0); - out_uint16_le(s, 0xc001); - out_uint8(s, 0); - out_uint8(s, 0x4d); /* M */ - out_uint8(s, 0x63); /* c */ - out_uint8(s, 0x44); /* D */ - out_uint8(s, 0x6e); /* n */ - /* GCC Response Total Length - 2 bytes , set later */ - gcc_size_ptr = s->p; /* RDPGCCUserDataResponseLength */ - out_uint8(s, 0); - ud_ptr = s->p; /* User Data */ - - out_uint16_le(s, SEC_TAG_SRV_INFO); - if (self->mcs_layer->iso_layer->rdpNegData) - { - out_uint16_le(s, 12); /* len */ - } - else - { - out_uint16_le(s, 8); /* len */ - } - out_uint8(s, 4); /* 4 = rdp5 1 = rdp4 */ - out_uint8(s, 0); - out_uint8(s, 8); - out_uint8(s, 0); - if (self->mcs_layer->iso_layer->rdpNegData) - { - /* ReqeustedProtocol */ - out_uint32_le(s, self->mcs_layer->iso_layer->requestedProtocol); - } - out_uint16_le(s, SEC_TAG_SRV_CHANNELS); - out_uint16_le(s, 8 + (num_channels_even * 2)); /* len */ - out_uint16_le(s, MCS_GLOBAL_CHANNEL); /* 1003, 0x03eb main channel */ - out_uint16_le(s, num_channels); /* number of other channels */ - - for (index = 0; index < num_channels_even; index++) - { - if (index < num_channels) - { - channel = MCS_GLOBAL_CHANNEL + (index + 1); - out_uint16_le(s, channel); - } - else - { - out_uint16_le(s, 0); - } - } - - if (self->rsa_key_bytes == 64) - { - g_writeln("xrdp_sec_out_mcs_data: using 512 bit RSA key"); - out_uint16_le(s, SEC_TAG_SRV_CRYPT); - out_uint16_le(s, 0x00ec); /* len is 236 */ - out_uint32_le(s, self->crypt_method); - out_uint32_le(s, self->crypt_level); - out_uint32_le(s, 32); /* 32 bytes random len */ - out_uint32_le(s, 0xb8); /* 184 bytes rsa info(certificate) len */ - out_uint8a(s, self->server_random, 32); - /* here to end is certificate */ - /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */ - /* TermService\Parameters\Certificate */ - out_uint32_le(s, 1); - out_uint32_le(s, 1); - out_uint32_le(s, 1); - out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */ - out_uint16_le(s, 0x005c); /* 92 bytes length of SEC_TAG_PUBKEY */ - out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */ - out_uint32_le(s, 0x0048); /* 72 bytes modulus len */ - out_uint32_be(s, 0x00020000); /* bit len */ - out_uint32_be(s, 0x3f000000); /* data len */ - out_uint8a(s, self->pub_exp, 4); /* pub exp */ - out_uint8a(s, self->pub_mod, 64); /* pub mod */ - out_uint8s(s, 8); /* pad */ - out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */ - out_uint16_le(s, 72); /* len */ - out_uint8a(s, self->pub_sig, 64); /* pub sig */ - out_uint8s(s, 8); /* pad */ - } - else if (self->rsa_key_bytes == 256) - { - g_writeln("xrdp_sec_out_mcs_data: using 2048 bit RSA key"); - out_uint16_le(s, SEC_TAG_SRV_CRYPT); - out_uint16_le(s, 0x01ac); /* len is 428 */ - out_uint32_le(s, self->crypt_method); - out_uint32_le(s, self->crypt_level); - out_uint32_le(s, 32); /* 32 bytes random len */ - out_uint32_le(s, 0x178); /* 376 bytes rsa info(certificate) len */ - out_uint8a(s, self->server_random, 32); - /* here to end is certificate */ - /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */ - /* TermService\Parameters\Certificate */ - out_uint32_le(s, 1); - out_uint32_le(s, 1); - out_uint32_le(s, 1); - out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */ - out_uint16_le(s, 0x011c); /* 284 bytes length of SEC_TAG_PUBKEY */ - out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */ - out_uint32_le(s, 0x0108); /* 264 bytes modulus len */ - out_uint32_be(s, 0x00080000); /* bit len */ - out_uint32_be(s, 0xff000000); /* data len */ - out_uint8a(s, self->pub_exp, 4); /* pub exp */ - out_uint8a(s, self->pub_mod, 256); /* pub mod */ - out_uint8s(s, 8); /* pad */ - out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */ - out_uint16_le(s, 72); /* len */ - out_uint8a(s, self->pub_sig, 64); /* pub sig */ - out_uint8s(s, 8); /* pad */ - } - else if (self->rsa_key_bytes == 0) /* no security */ - { - g_writeln("xrdp_sec_out_mcs_data: using no security"); - out_uint16_le(s, SEC_TAG_SRV_CRYPT); - out_uint16_le(s, 12); /* len is 12 */ - out_uint32_le(s, self->crypt_method); - out_uint32_le(s, self->crypt_level); - } - else - { - LLOGLN(0, ("xrdp_sec_out_mcs_data: error")); - } - /* end certificate */ - s_mark_end(s); - - gcc_size = (int)(s->end - ud_ptr);// | 0x8000; - gcc_size_ptr[0] = gcc_size;// >> 8; - //gcc_size_ptr[1] = gcc_size; - - return 0; -} - -/*****************************************************************************/ /* process the mcs client data we received from the mcs layer */ static int APP_CC xrdp_sec_in_mcs_data(struct xrdp_sec *self) @@ -2040,65 +1854,154 @@ xrdp_sec_in_mcs_data(struct xrdp_sec *self) } /*****************************************************************************/ +/* returns error */ +int APP_CC +xrdp_sec_init_rdp_security(struct xrdp_sec *self) +{ + switch (self->rdp_layer->client_info.crypt_level) + { + case 1: /* low */ + self->crypt_method = CRYPT_METHOD_40BIT; + self->crypt_level = CRYPT_LEVEL_LOW; + break; + case 2: /* medium */ + self->crypt_method = CRYPT_METHOD_40BIT; + self->crypt_level = CRYPT_LEVEL_CLIENT_COMPATIBLE; + break; + case 3: /* high */ + self->crypt_method = CRYPT_METHOD_128BIT; + self->crypt_level = CRYPT_LEVEL_HIGH; + break; + case 4: /* fips */ + self->crypt_method = CRYPT_METHOD_FIPS; + self->crypt_level = CRYPT_LEVEL_FIPS; + break; + default: + g_writeln("Fatal : Illegal crypt_level"); + break ; + } + + if (self->decrypt_rc4_info != NULL) + { + g_writeln("xrdp_sec_init_rdp_security: decrypt_rc4_info already created !!!"); + } + else + { + self->decrypt_rc4_info = ssl_rc4_info_create(); + } + + if (self->encrypt_rc4_info != NULL) + { + g_writeln("xrdp_sec_init_rdp_security: encrypt_rc4_info already created !!!"); + } + else + { + self->encrypt_rc4_info = ssl_rc4_info_create(); + } + + return 0; +} +/*****************************************************************************/ int APP_CC xrdp_sec_incoming(struct xrdp_sec *self) { struct list *items = NULL; struct list *values = NULL; + struct xrdp_iso *iso; int index = 0; char *item = NULL; char *value = NULL; char key_file[256]; - g_memset(key_file, 0, sizeof(char) * 256); - DEBUG((" in xrdp_sec_incoming")); - g_random(self->server_random, 32); - items = list_create(); - items->auto_free = 1; - values = list_create(); - values->auto_free = 1; - g_snprintf(key_file, 255, "%s/rsakeys.ini", XRDP_CFG_PATH); + DEBUG((" in xrdp_sec_incoming:")); + iso = self->mcs_layer->iso_layer; - if (file_by_name_read_section(key_file, "keys", items, values) != 0) + /* negotiate security layer */ + if (xrdp_iso_incoming(iso) != 0) { - /* this is a show stopper */ - log_message(LOG_LEVEL_ALWAYS, "XRDP cannot read file: %s " - "(check permissions)", key_file); - list_delete(items); - list_delete(values); + DEBUG(("xrdp_sec_incoming: xrdp_iso_incoming failed")); return 1; } - for (index = 0; index < items->count; index++) + /* initialize selected security layer */ + if (iso->requestedProtocol > PROTOCOL_RDP) { - item = (char *)list_get_item(items, index); - value = (char *)list_get_item(values, index); - - if (g_strcasecmp(item, "pub_exp") == 0) - { - hex_str_to_bin(value, self->pub_exp, 4); - } - else if (g_strcasecmp(item, "pub_mod") == 0) + /* init tls security */ + DEBUG((" in xrdp_sec_incoming: init tls security")); + + if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans, + self->rdp_layer->client_info.key_file, + self->rdp_layer->client_info.certificate) != 0) + { + g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed"); + return 1; + } + + self->crypt_level = CRYPT_LEVEL_NONE; + self->crypt_method = CRYPT_METHOD_NONE; + self->rsa_key_bytes = 0; + + } + else + { + /* init rdp security */ + DEBUG((" in xrdp_sec_incoming: init rdp security")); + if (xrdp_sec_init_rdp_security(self) != 0) { - self->rsa_key_bytes = (g_strlen(value) + 1) / 5; - g_writeln("pub_mod bytes %d", self->rsa_key_bytes); - hex_str_to_bin(value, self->pub_mod, self->rsa_key_bytes); + DEBUG(("xrdp_sec_incoming: xrdp_sec_init_rdp_security failed")); + return 1; } - else if (g_strcasecmp(item, "pub_sig") == 0) + + g_memset(key_file, 0, sizeof(char) * 256); + g_random(self->server_random, 32); + items = list_create(); + items->auto_free = 1; + values = list_create(); + values->auto_free = 1; + g_snprintf(key_file, 255, "%s/rsakeys.ini", XRDP_CFG_PATH); + + if (file_by_name_read_section(key_file, "keys", items, values) != 0) { - hex_str_to_bin(value, self->pub_sig, 64); + /* this is a show stopper */ + log_message(LOG_LEVEL_ALWAYS, "XRDP cannot read file: %s " + "(check permissions)", key_file); + list_delete(items); + list_delete(values); + return 1; } - else if (g_strcasecmp(item, "pri_exp") == 0) + + for (index = 0; index < items->count; index++) { - self->rsa_key_bytes = (g_strlen(value) + 1) / 5; - g_writeln("pri_exp %d", self->rsa_key_bytes); - hex_str_to_bin(value, self->pri_exp, self->rsa_key_bytes); + item = (char *)list_get_item(items, index); + value = (char *)list_get_item(values, index); + + if (g_strcasecmp(item, "pub_exp") == 0) + { + hex_str_to_bin(value, self->pub_exp, 4); + } + else if (g_strcasecmp(item, "pub_mod") == 0) + { + self->rsa_key_bytes = (g_strlen(value) + 1) / 5; + g_writeln("pub_mod bytes %d", self->rsa_key_bytes); + hex_str_to_bin(value, self->pub_mod, self->rsa_key_bytes); + } + else if (g_strcasecmp(item, "pub_sig") == 0) + { + hex_str_to_bin(value, self->pub_sig, 64); + } + else if (g_strcasecmp(item, "pri_exp") == 0) + { + self->rsa_key_bytes = (g_strlen(value) + 1) / 5; + g_writeln("pri_exp %d", self->rsa_key_bytes); + hex_str_to_bin(value, self->pri_exp, self->rsa_key_bytes); + } } - } - list_delete(items); - list_delete(values); + list_delete(items); + list_delete(values); + } + /* negotiate mcs layer */ if (xrdp_mcs_incoming(self->mcs_layer) != 0) { return 1; @@ -2117,6 +2020,7 @@ xrdp_sec_incoming(struct xrdp_sec *self) { return 1; } + LLOGLN(10, ("xrdp_sec_incoming: out")); return 0; } @@ -2128,7 +2032,6 @@ xrdp_sec_disconnect(struct xrdp_sec *self) int rv; DEBUG((" in xrdp_sec_disconnect")); - rv = xrdp_mcs_disconnect(self->mcs_layer); DEBUG((" out xrdp_sec_disconnect")); return rv; diff --git a/libxrdp/xrdp_tls.c b/libxrdp/xrdp_tls.c deleted file mode 100644 index 1f6e847e..00000000 --- a/libxrdp/xrdp_tls.c +++ /dev/null @@ -1,418 +0,0 @@ -/** - * xrdp: A Remote Desktop Protocol server. - * - * Copyright (C) Idan Freiberg 2013-2014 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * transport layer security - */ - -#include "libxrdp.h" - -/*****************************************************************************/ -struct xrdp_tls *APP_CC -xrdp_tls_create(struct trans *trans, const char *key, const char *cert) -{ - struct xrdp_tls *self; - self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1); - - if (self != NULL) - { - self->trans = trans; - self->cert = g_malloc(g_strlen(key) + 1, 1); - self->key = g_malloc(g_strlen(cert) + 1, 1); - strcpy(self->cert, cert); - strcpy(self->key, key); - } - - return self; -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_accept(struct xrdp_tls *self) -{ - int connection_status; - long options = 0; - - /** - * SSL_OP_NO_SSLv2: - * - * We only want SSLv3 and TLSv1, so disable SSLv2. - * SSLv3 is used by, eg. Microsoft RDC for Mac OS X. - */ - options |= SSL_OP_NO_SSLv2; - - /** - * SSL_OP_NO_COMPRESSION: - * - * The Microsoft RDP server does not advertise support - * for TLS compression, but alternative servers may support it. - * This was observed between early versions of the FreeRDP server - * and the FreeRDP client, and caused major performance issues, - * which is why we're disabling it. - */ - options |= SSL_OP_NO_COMPRESSION; - - /** - * SSL_OP_TLS_BLOCK_PADDING_BUG: - * - * The Microsoft RDP server does *not* support TLS padding. - * It absolutely needs to be disabled otherwise it won't work. - */ - options |= SSL_OP_TLS_BLOCK_PADDING_BUG; - - /** - * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: - * - * Just like TLS padding, the Microsoft RDP server does not - * support empty fragments. This needs to be disabled. - */ - options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - - self->ctx = SSL_CTX_new(SSLv23_server_method()); - /* set context options */ - SSL_CTX_set_mode(self->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); - SSL_CTX_set_options(self->ctx, options); - SSL_CTX_set_read_ahead(self->ctx, 1); - - if (self->ctx == NULL) { - g_writeln("ssl_tls_accept: SSL_CTX_new failed"); - return 1; - } - - if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM) - <= 0) { - g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed"); - return 1; - } - - self->ssl = SSL_new(self->ctx); - - if (self->ssl == NULL) { - g_writeln("ssl_tls_accept: SSL_new failed"); - return 1; - } - - if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) { - g_writeln("ssl_tls_accept: SSL_use_certificate_file failed"); - return 1; - } - - if (SSL_set_fd(self->ssl, self->trans->sck) < 1) { - g_writeln("ssl_tls_accept: SSL_set_fd failed"); - return 1; - } - - connection_status = SSL_accept(self->ssl); - - if (connection_status <= 0) { - if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status)) - { - return 1; - } - } - - g_writeln("ssl_tls_accept: TLS connection accepted"); - - /* set trans for TLS */ - self->trans->do_tls = 1; /* TLS layer */ - self->trans->tls = self; /* owner */ - - return 0; -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_print_error(char *func, SSL *connection, int value) -{ - switch (SSL_get_error(connection, value)) - { - case SSL_ERROR_ZERO_RETURN: - g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection", func); - return 1; - - case SSL_ERROR_WANT_READ: - g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ"); - return 0; - - case SSL_ERROR_WANT_WRITE: - g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE"); - return 0; - - case SSL_ERROR_SYSCALL: - g_writeln("xrdp_tls_print_error: %s: I/O error", func); - return 1; - - case SSL_ERROR_SSL: - g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)", func); - return 1; - - default: - g_writeln("xrdp_tls_print_error: %s: Unknown error", func); - return 1; - } -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_disconnect(struct xrdp_tls *self) -{ - SSL_shutdown(self->ssl); - return 0; -} -/*****************************************************************************/ -void APP_CC -xrdp_tls_delete(struct xrdp_tls *self) -{ - if (self != NULL) - { - if (self->ssl) - SSL_free(self->ssl); - - if (self->ctx) - SSL_CTX_free(self->ctx); - - g_free(self); - } -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length) -{ - int status; - - status = SSL_read(tls->ssl, data, length); - - switch (SSL_get_error(tls->ssl, status)) - { - case SSL_ERROR_NONE: - break; - - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - status = 0; - break; - - default: - xrdp_tls_print_error("SSL_read", tls->ssl, status); - status = -1; - break; - } - - return status; -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length) -{ - int status; - - status = SSL_write(tls->ssl, data, length); - - switch (SSL_get_error(tls->ssl, status)) - { - case SSL_ERROR_NONE: - break; - - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - status = 0; - break; - - default: - xrdp_tls_print_error("SSL_write", tls->ssl, status); - status = -1; - break; - } - - return status; -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_force_read_s(struct trans *self, struct stream *in_s, int size) -{ - int rcvd; - - if (self->status != TRANS_STATUS_UP) - { - return 1; - } - - while (size > 0) - { - /* make sure stream has room */ - if ((in_s->end + size) > (in_s->data + in_s->size)) - { - return 1; - } - - g_writeln("xrdp_tls_force_read_s: Pending= %d", SSL_pending(self->tls->ssl)); - rcvd = xrdp_tls_read(self->tls, in_s->end, size); - - if (rcvd == -1) - { - if (g_tcp_last_error_would_block(self->sck)) - { - if (!g_tcp_can_recv(self->sck, 100)) - { - /* check for term here */ - if (self->is_term != 0) - { - if (self->is_term()) - { - /* term */ - self->status = TRANS_STATUS_DOWN; - return 1; - } - } - } - } - else - { - /* error */ - self->status = TRANS_STATUS_DOWN; - return 1; - } - } - else if (rcvd == 0) - { - /* error */ - self->status = TRANS_STATUS_DOWN; - return 1; - } - else - { - in_s->end += rcvd; - size -= rcvd; - } - } - - return 0; -} - -/*****************************************************************************/ -int APP_CC -xrdp_tls_force_write_s(struct trans *self, struct stream *out_s) -{ - int size; - int total; - int sent; - - if (self->status != TRANS_STATUS_UP) - { - return 1; - } - - size = (int)(out_s->end - out_s->data); - g_writeln("packet size= %d", size); - total = 0; - - if (send_waiting(self, 1) != 0) - { - self->status = TRANS_STATUS_DOWN; - return 1; - } - - while (total < size) - { - sent = xrdp_tls_write(self->tls, out_s->data + total, size - total); - - if (sent == -1) - { - if (g_tcp_last_error_would_block(self->sck)) - { - if (!g_tcp_can_send(self->sck, 100)) - { - /* check for term here */ - if (self->is_term != 0) - { - if (self->is_term()) - { - /* term */ - self->status = TRANS_STATUS_DOWN; - return 1; - } - } - } - } - else - { - /* error */ - self->status = TRANS_STATUS_DOWN; - return 1; - } - } - else if (sent == 0) - { - /* error */ - self->status = TRANS_STATUS_DOWN; - return 1; - } - else - { - total = total + sent; - } - } - - return 0; -} -/*****************************************************************************/ -int APP_CC -send_waiting(struct trans *self, int block) -{ - struct stream *temp_s; - int bytes; - int sent; - int timeout; - int cont; - - timeout = block ? 100 : 0; - cont = 1; - while (cont) - { - if (self->wait_s != 0) - { - temp_s = self->wait_s; - if (g_tcp_can_send(self->sck, timeout)) - { - bytes = (int) (temp_s->end - temp_s->p); - sent = xrdp_tls_write(self->tls, temp_s->p, bytes); - if (sent > 0) - { - temp_s->p += sent; - if (temp_s->p >= temp_s->end) - { - self->wait_s = (struct stream *) (temp_s->next_packet); - free_stream(temp_s); - } - } - else if (sent == 0) - { - return 1; - } - else - { - if (!g_tcp_last_error_would_block(self->sck)) - { - return 1; - } - } - } - } - else - { - break; - } - cont = block; - } - return 0; -} |