summaryrefslogtreecommitdiffstats
path: root/libxrdp
diff options
context:
space:
mode:
Diffstat (limited to 'libxrdp')
-rw-r--r--libxrdp/Makefile.am3
-rw-r--r--libxrdp/libxrdp.c6
-rw-r--r--libxrdp/libxrdp.h26
-rw-r--r--libxrdp/xrdp_mcs.c18
-rw-r--r--libxrdp/xrdp_sec.c4
-rw-r--r--libxrdp/xrdp_tls.c239
6 files changed, 294 insertions, 2 deletions
diff --git a/libxrdp/Makefile.am b/libxrdp/Makefile.am
index bd37cad4..57c4b716 100644
--- a/libxrdp/Makefile.am
+++ b/libxrdp/Makefile.am
@@ -61,7 +61,8 @@ libxrdp_la_SOURCES = \
xrdp_orders_rail.c \
xrdp_mppc_enc.c \
xrdp_fastpath.c \
- xrdp_caps.c
+ xrdp_caps.c \
+ xrdp_tls.c
libxrdp_la_LDFLAGS = \
$(EXTRA_FLAGS)
diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c
index e9c3508b..6a79e8fb 100644
--- a/libxrdp/libxrdp.c
+++ b/libxrdp/libxrdp.c
@@ -141,7 +141,11 @@ libxrdp_force_read(struct trans* trans)
s = trans->in_s;
init_stream(s, 32 * 1024);
- if (trans_force_read(trans, 4) != 0)
+ if (trans->do_tls)
+ {
+ /*TLS*/
+ }
+ else if (trans_force_read(trans, 4) != 0) /*TCP*/
{
g_writeln("libxrdp_force_read: error");
return 0;
diff --git a/libxrdp/libxrdp.h b/libxrdp/libxrdp.h
index f702c280..c2800abf 100644
--- a/libxrdp/libxrdp.h
+++ b/libxrdp/libxrdp.h
@@ -36,6 +36,7 @@
#include "libxrdpinc.h"
#include "file_loc.h"
#include "xrdp_client_info.h"
+#include <openssl/ssl.h>
/* iso */
@@ -131,6 +132,7 @@ struct xrdp_sec
void *encrypt_fips_info;
void *decrypt_fips_info;
void *sign_fips_info;
+ struct xrdp_tls *tls;
};
/* channel */
@@ -290,6 +292,30 @@ struct xrdp_mppc_enc
tui16 *hash_table;
};
+
+/* xrdp_tls */
+struct xrdp_tls {
+ SSL *ssl;
+ SSL_CTX *ctx;
+ char *cert;
+ char *key;
+ struct trans *trans;
+};
+
+/* xrdp_tls.c */
+struct xrdp_tls *APP_CC
+xrdp_tls_create(struct trans *trans, const char *key, const char *cert);
+int APP_CC
+xrdp_tls_accept(struct xrdp_tls *self);
+int APP_CC
+xrdp_tls_disconnect(struct xrdp_tls *self);
+void APP_CC
+xrdp_tls_delete(struct xrdp_tls *self);
+int APP_CC
+xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length);
+int APP_CC
+xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length);
+
int APP_CC
compress_rdp(struct xrdp_mppc_enc *enc, tui8 *srcData, int len);
struct xrdp_mppc_enc * APP_CC
diff --git a/libxrdp/xrdp_mcs.c b/libxrdp/xrdp_mcs.c
index c1b0b908..df4f81f5 100644
--- a/libxrdp/xrdp_mcs.c
+++ b/libxrdp/xrdp_mcs.c
@@ -755,6 +755,21 @@ xrdp_mcs_incoming(struct xrdp_mcs *self)
return 1;
}
+ /* tls */
+ if (PROTOCOL_SSL & self->iso_layer->selectedProtocol)
+ {
+ g_writeln("xrdp_mcs_incoming: TLS mode!");
+ self->sec_layer->crypt_level = CRYPT_LEVEL_NONE;
+ self->sec_layer->crypt_method = CRYPT_METHOD_NONE;
+
+ if (xrdp_tls_accept(self->sec_layer->tls) != 0)
+ {
+ g_writeln("xrdp_mcs_incoming: ssl_tls_accept failed");
+ return 1;
+ }
+ g_writeln("xrdp_mcs_incoming: ssl_tls_accept done!!!!");
+ }
+
if (xrdp_mcs_recv_connect_initial(self) != 0)
{
return 1;
@@ -961,6 +976,7 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self)
if (xrdp_iso_init(self->iso_layer, s) != 0)
{
+ xrdp_tls_disconnect(self->sec_layer->tls);
free_stream(s);
close_rdp_socket(self);
DEBUG((" out xrdp_mcs_disconnect error - 1"));
@@ -973,12 +989,14 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self)
if (xrdp_iso_send(self->iso_layer, s) != 0)
{
+ xrdp_tls_disconnect(self->sec_layer->tls);
free_stream(s);
close_rdp_socket(self);
DEBUG((" out xrdp_mcs_disconnect error - 2"));
return 1;
}
+ xrdp_tls_disconnect(self->sec_layer->tls);
free_stream(s);
close_rdp_socket(self);
DEBUG(("xrdp_mcs_disconnect - close sent"));
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index d726f3e8..c908c081 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -276,6 +276,8 @@ xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level,
&(self->server_mcs_data));
self->fastpath_layer = xrdp_fastpath_create(self, trans);
self->chan_layer = xrdp_channel_create(self, self->mcs_layer);
+ //TODO: add cert to config
+ self->tls = xrdp_tls_create(trans, "/opt/xrdpdev/etc/xrdp/pkey.pem", "/opt/xrdpdev/etc/xrdp/cert.pem");
DEBUG((" out xrdp_sec_create"));
return self;
}
@@ -298,6 +300,7 @@ xrdp_sec_delete(struct xrdp_sec *self)
ssl_des3_info_delete(self->decrypt_fips_info);
ssl_des3_info_delete(self->encrypt_fips_info);
ssl_hmac_info_delete(self->sign_fips_info);
+ xrdp_tls_delete(self->tls);
g_free(self->client_mcs_data.data);
g_free(self->server_mcs_data.data);
/* Crypto information must always be cleared */
@@ -2115,6 +2118,7 @@ xrdp_sec_disconnect(struct xrdp_sec *self)
int rv;
DEBUG((" in xrdp_sec_disconnect"));
+
rv = xrdp_mcs_disconnect(self->mcs_layer);
DEBUG((" out xrdp_sec_disconnect"));
return rv;
diff --git a/libxrdp/xrdp_tls.c b/libxrdp/xrdp_tls.c
new file mode 100644
index 00000000..d893ca3c
--- /dev/null
+++ b/libxrdp/xrdp_tls.c
@@ -0,0 +1,239 @@
+/**
+ * xrdp: A Remote Desktop Protocol server.
+ *
+ * Copyright (C) Idan Freiberg 2013-2014
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * transport layer security
+ */
+
+#include "libxrdp.h"
+
+/*****************************************************************************/
+struct xrdp_tls *APP_CC
+xrdp_tls_create(struct trans *trans, const char *key, const char *cert)
+{
+ struct xrdp_tls *self;
+ self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1);
+
+ if (self != NULL)
+ {
+ self->trans = trans;
+ self->cert = g_malloc(g_strlen(key) + 1, 1);
+ self->key = g_malloc(g_strlen(cert) + 1, 1);
+ strcpy(self->cert, cert);
+ strcpy(self->key, key);
+ }
+
+ return self;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_accept(struct xrdp_tls *self)
+{
+ int connection_status;
+ long options = 0;
+
+ /**
+ * SSL_OP_NO_SSLv2:
+ *
+ * We only want SSLv3 and TLSv1, so disable SSLv2.
+ * SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+ */
+ options |= SSL_OP_NO_SSLv2;
+
+ /**
+ * SSL_OP_NO_COMPRESSION:
+ *
+ * The Microsoft RDP server does not advertise support
+ * for TLS compression, but alternative servers may support it.
+ * This was observed between early versions of the FreeRDP server
+ * and the FreeRDP client, and caused major performance issues,
+ * which is why we're disabling it.
+ */
+ options |= SSL_OP_NO_COMPRESSION;
+
+ /**
+ * SSL_OP_TLS_BLOCK_PADDING_BUG:
+ *
+ * The Microsoft RDP server does *not* support TLS padding.
+ * It absolutely needs to be disabled otherwise it won't work.
+ */
+ options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
+
+ /**
+ * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
+ *
+ * Just like TLS padding, the Microsoft RDP server does not
+ * support empty fragments. This needs to be disabled.
+ */
+ options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
+ self->ctx = SSL_CTX_new(SSLv23_server_method());
+ /* set context options */
+ SSL_CTX_set_mode(self->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_options(self->ctx, options);
+ SSL_CTX_set_read_ahead(self->ctx, 1);
+
+ if (self->ctx == NULL) {
+ g_writeln("ssl_tls_accept: SSL_CTX_new failed");
+ return 1;
+ }
+
+ if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM)
+ <= 0) {
+ g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed");
+ return 1;
+ }
+
+ self->ssl = SSL_new(self->ctx);
+
+ if (self->ssl == NULL) {
+ g_writeln("ssl_tls_accept: SSL_new failed");
+ return 1;
+ }
+
+ if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) {
+ g_writeln("ssl_tls_accept: SSL_use_certificate_file failed");
+ return 1;
+ }
+
+ if (SSL_set_fd(self->ssl, self->trans->sck) < 1) {
+ g_writeln("ssl_tls_accept: SSL_set_fd failed");
+ return 1;
+ }
+
+ connection_status = SSL_accept(self->ssl);
+
+ if (connection_status <= 0) {
+ if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status))
+ {
+ return 1;
+ }
+ }
+
+ g_writeln("ssl_tls_accept: TLS connection accepted");
+
+ /* set trans for TLS */
+ self->trans->do_tls = 1; /* TLS layer */
+ self->trans->tls = self; /* owner */
+
+ return 0;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_print_error(char *func, SSL *connection, int value)
+{
+ switch (SSL_get_error(connection, value))
+ {
+ case SSL_ERROR_ZERO_RETURN:
+ g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection", func);
+ return 1;
+
+ case SSL_ERROR_WANT_READ:
+ g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ");
+ return 0;
+
+ case SSL_ERROR_WANT_WRITE:
+ g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE");
+ return 0;
+
+ case SSL_ERROR_SYSCALL:
+ g_writeln("xrdp_tls_print_error: %s: I/O error", func);
+ return 1;
+
+ case SSL_ERROR_SSL:
+ g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)", func);
+ return 1;
+
+ default:
+ g_writeln("xrdp_tls_print_error: %s: Unknown error", func);
+ return 1;
+ }
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_disconnect(struct xrdp_tls *self)
+{
+ SSL_shutdown(self->ssl);
+ return 0;
+}
+/*****************************************************************************/
+void APP_CC
+xrdp_tls_delete(struct xrdp_tls *self)
+{
+ if (self != NULL)
+ {
+ if (self->ssl)
+ SSL_free(self->ssl);
+
+ if (self->ctx)
+ SSL_CTX_free(self->ctx);
+
+ g_free(self);
+ }
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length)
+{
+ int status;
+
+ status = SSL_read(tls->ssl, data, length);
+
+ switch (SSL_get_error(tls->ssl, status))
+ {
+ case SSL_ERROR_NONE:
+ break;
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ status = 0;
+ break;
+
+ default:
+ xrdp_tls_print_error("SSL_read", tls->ssl, status);
+ status = -1;
+ break;
+ }
+
+ return status;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length)
+{
+ int status;
+
+ status = SSL_write(tls->ssl, data, length);
+
+ switch (SSL_get_error(tls->ssl, status))
+ {
+ case SSL_ERROR_NONE:
+ break;
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ status = 0;
+ break;
+
+ default:
+ xrdp_tls_print_error("SSL_write", tls->ssl, status);
+ status = -1;
+ break;
+ }
+
+ return status;
+}
+/*****************************************************************************/
generated by cgit v1.2.1 (git 2.18.0) at 2024-12-26 02:14:11 +0000