summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--common/ssl_calls.c81
-rw-r--r--common/ssl_calls.h9
-rw-r--r--libxrdp/xrdp_rdp.c43
3 files changed, 92 insertions, 41 deletions
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 0362f668..a741ef92 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -37,6 +37,7 @@
#include "arch.h"
#include "ssl_calls.h"
#include "trans.h"
+#include "log.h"
#define SSL_WANT_READ_WRITE_TIMEOUT 100
@@ -829,7 +830,6 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
return g_sck_can_recv(sck, millis);
}
-
/*****************************************************************************/
const char *
ssl_get_version(const struct ssl_st *ssl)
@@ -843,3 +843,82 @@ ssl_get_cipher_name(const struct ssl_st *ssl)
{
return SSL_get_cipher_name(ssl);
}
+
+/*****************************************************************************/
+int
+ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
+{
+ long protocols;
+ long bad_protocols;
+ int rv;
+
+ if ((str == NULL) || (ssl_protocols == NULL))
+ {
+ return 1;
+ }
+ rv = 0;
+ protocols = 0;
+#if defined(SSL_OP_NO_SSLv3)
+ protocols |= SSL_OP_NO_SSLv3;
+#endif
+#if defined(SSL_OP_NO_TLSv1)
+ protocols |= SSL_OP_NO_TLSv1;
+#endif
+#if defined(SSL_OP_NO_TLSv1_1)
+ protocols |= SSL_OP_NO_TLSv1_1;
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+ protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+ bad_protocols = protocols;
+ if (g_pos(str, ",TLSv1.2,") >= 0)
+ {
+#if defined(SSL_OP_NO_TLSv1_2)
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
+ protocols &= ~SSL_OP_NO_TLSv1_2;
+#else
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.2 not enabled, not available");
+ rv |= (1 << 1);
+#endif
+ }
+ if (g_pos(str, ",TLSv1.1,") >= 0)
+ {
+#if defined(SSL_OP_NO_TLSv1_1)
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
+ protocols &= ~SSL_OP_NO_TLSv1_1;
+#else
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.1 not enabled, not available");
+ rv |= (1 << 2);
+#endif
+ }
+ if (g_pos(str, ",TLSv1,") >= 0)
+ {
+#if defined(SSL_OP_NO_TLSv1)
+ log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
+ protocols &= ~SSL_OP_NO_TLSv1;
+#else
+ log_message(LOG_LEVEL_DEBUG, "TLSv1 not enabled, not available");
+ rv |= (1 << 3);
+#endif
+ }
+ if (g_pos(str, ",SSLv3,") >= 0)
+ {
+#if defined(SSL_OP_NO_SSLv3)
+ log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
+ protocols &= ~SSL_OP_NO_SSLv3;
+#else
+ log_message(LOG_LEVEL_DEBUG, "SSLv3 not enabled, not available");
+ rv |= (1 << 4);
+#endif
+ }
+ if (protocols == bad_protocols)
+ {
+ log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
+ "At least one protocol should be enabled to accept "
+ "TLS connections.");
+ rv |= (1 << 5);
+ }
+ *ssl_protocols = protocols;
+ return rv;
+}
+
diff --git a/common/ssl_calls.h b/common/ssl_calls.h
index 4c069cb0..dc60a23e 100644
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@@ -108,8 +108,11 @@ int
ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
int
ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
-
-const char *ssl_get_version(const struct ssl_st *ssl);
-const char *ssl_get_cipher_name(const struct ssl_st *ssl);
+const char *
+ssl_get_version(const struct ssl_st *ssl);
+const char *
+ssl_get_cipher_name(const struct ssl_st *ssl);
+int
+ssl_get_protocols_from_string(const char *str, long *ssl_protocols);
#endif
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index ea3f446e..099cec47 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -22,9 +22,9 @@
#include <config_ac.h>
#endif
-#include <openssl/ssl.h>
#include "libxrdp.h"
#include "log.h"
+#include "ssl_calls.h"
#if defined(XRDP_NEUTRINORDP)
#include <freerdp/codec/rfx.h>
@@ -49,7 +49,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
char *item = NULL;
char *value = NULL;
char cfg_file[256];
- char *p = NULL;
+ int pos;
char *tmp = NULL;
int tmp_length = 0;
@@ -174,44 +174,13 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
tmp_length = g_strlen(value) + 3;
tmp = g_new(char, tmp_length);
g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
+ /* replace all spaces with comma */
/* to accept space after comma */
- while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
+ while ((pos = g_pos(tmp, " ")) != -1)
{
- *p = ',';
- }
-
- /* disable all protocols first, enable later */
- client_info->ssl_protocols =
- SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
-
- if (g_pos(tmp, ",TLSv1.2,") >= 0)
- {
- log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
- client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
- }
- if (g_pos(tmp, ",TLSv1.1,") >= 0)
- {
- log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
- client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
- }
- if (g_pos(tmp, ",TLSv1,") >= 0)
- {
- log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
- client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
- }
- if (g_pos(tmp, ",SSLv3,") >= 0)
- {
- log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
- client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
- }
-
- if (client_info->ssl_protocols ==
- (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2))
- {
- log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
- "At least one protocol should be enabled to accept "
- "TLS connections.");
+ tmp[pos] = ',';
}
+ ssl_get_protocols_from_string(tmp, &(client_info->ssl_protocols));
g_free(tmp);
}
else if (g_strcasecmp(item, "tls_ciphers") == 0)