summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--common/Makefile.am5
-rw-r--r--common/trans.c67
-rw-r--r--common/trans.h38
-rw-r--r--common/xrdp_client_info.h3
-rw-r--r--common/xrdp_tls.c422
m---------librfxcodec0
-rw-r--r--libxrdp/libxrdp.c2
-rw-r--r--libxrdp/libxrdp.h12
-rw-r--r--libxrdp/xrdp_fastpath.c2
-rw-r--r--libxrdp/xrdp_iso.c15
-rw-r--r--libxrdp/xrdp_mcs.c199
-rw-r--r--libxrdp/xrdp_rdp.c46
-rw-r--r--libxrdp/xrdp_sec.c445
-rw-r--r--xrdp/xrdp.ini10
-rw-r--r--xrdp/xrdp_process.c1
15 files changed, 949 insertions, 318 deletions
diff --git a/common/Makefile.am b/common/Makefile.am
index ab9c2bd5..9feac9fb 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -17,7 +17,7 @@ EXTRA_DIST = \
trans.h \
xrdp_client_info.h \
xrdp_constants.h \
- xrdp_rail.h
+ xrdp_rail.h
AM_CFLAGS = \
-DXRDP_CFG_PATH=\"${sysconfdir}/xrdp\" \
@@ -39,7 +39,8 @@ libcommon_la_SOURCES = \
os_calls.c \
ssl_calls.c \
thread_calls.c \
- trans.c
+ trans.c \
+ xrdp_tls.c
libcommon_la_LIBADD = \
-lcrypto \
diff --git a/common/trans.c b/common/trans.c
index 6fd5a9d8..e13cd420 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -38,6 +38,10 @@ trans_create(int mode, int in_size, int out_size)
make_stream(self->out_s);
init_stream(self->out_s, out_size);
self->mode = mode;
+ self->tls = 0;
+ /* assign tcp functions */
+ self->trans_read_call = trans_tcp_force_read_s;
+ self->trans_write_call = trans_tcp_force_write_s;
}
return self;
@@ -68,6 +72,11 @@ trans_delete(struct trans *self)
g_free(self->listen_filename);
}
+ if (self->tls != 0)
+ {
+ xrdp_tls_delete(self->tls);
+ }
+
g_free(self);
}
@@ -248,7 +257,7 @@ trans_check_wait_objs(struct trans *self)
if (to_read > 0)
{
- read_bytes = g_tcp_recv(self->sck, self->in_s->end, to_read, 0);
+ read_bytes = g_tcp_recv(self->sck, self->in_s->end, to_read, 0);
if (read_bytes == -1)
{
@@ -299,11 +308,16 @@ trans_check_wait_objs(struct trans *self)
return rv;
}
-
/*****************************************************************************/
int APP_CC
trans_force_read_s(struct trans *self, struct stream *in_s, int size)
{
+ return self->trans_read_call(self, in_s, size);
+}
+/*****************************************************************************/
+int APP_CC
+trans_tcp_force_read_s(struct trans *self, struct stream *in_s, int size)
+{
int rcvd;
if (self->status != TRANS_STATUS_UP)
@@ -318,7 +332,9 @@ trans_force_read_s(struct trans *self, struct stream *in_s, int size)
{
return 1;
}
+
rcvd = g_tcp_recv(self->sck, in_s->end, size, 0);
+
if (rcvd == -1)
{
if (g_tcp_last_error_would_block(self->sck))
@@ -371,6 +387,12 @@ trans_force_read(struct trans *self, int size)
int APP_CC
trans_force_write_s(struct trans *self, struct stream *out_s)
{
+ return self->trans_write_call(self, out_s);
+}
+/*****************************************************************************/
+int APP_CC
+trans_tcp_force_write_s(struct trans *self, struct stream *out_s)
+{
int size;
int total;
int sent;
@@ -391,7 +413,7 @@ trans_force_write_s(struct trans *self, struct stream *out_s)
while (total < size)
{
- sent = g_tcp_send(self->sck, out_s->data + total, size - total, 0);
+ sent = g_tcp_send(self->sck, out_s->data + total, size - total, 0);
if (sent == -1)
{
@@ -628,3 +650,42 @@ trans_get_out_s(struct trans *self, int size)
return rv;
}
+/*****************************************************************************/
+/* returns error */
+int APP_CC
+trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
+{
+ self->tls = xrdp_tls_create(self, key, cert);
+ if (self->tls == NULL)
+ {
+ g_writeln("trans_set_tls_mode: xrdp_tls_create malloc error");
+ return 1;
+ }
+
+ if (xrdp_tls_accept(self->tls) != 0)
+ {
+ g_writeln("trans_set_tls_mode: xrdp_tls_accept failed");
+ return 1;
+ }
+
+ /* assign tls functions */
+ self->trans_read_call = xrdp_tls_force_read_s;
+ self->trans_write_call = xrdp_tls_force_write_s;
+
+ return 0;
+}
+/*****************************************************************************/
+/* returns error */
+int APP_CC
+trans_shutdown_tls_mode(struct trans *self)
+{
+ if (self->tls != NULL)
+ {
+ return xrdp_tls_disconnect(self->tls);
+ }
+
+ /* set callback back to tcp */
+ self->trans_read_call = trans_tcp_force_read_s;
+ self->trans_write_call = trans_tcp_force_write_s;
+ return 0;
+}
diff --git a/common/trans.h b/common/trans.h
index 4a8b249c..54566d85 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -23,6 +23,7 @@
#include "arch.h"
#include "parse.h"
+#include <openssl/ssl.h>
#define TRANS_MODE_TCP 1
#define TRANS_MODE_UNIX 2
@@ -35,11 +36,14 @@
#define TRANS_STATUS_UP 1
struct trans; /* forward declaration */
+struct xrdp_tls;
typedef int (DEFAULT_CC *ttrans_data_in)(struct trans* self);
typedef int (DEFAULT_CC *ttrans_conn_in)(struct trans* self,
struct trans* new_self);
typedef int (DEFAULT_CC *tis_term)(void);
+typedef int (APP_CC *trans_read_call) (struct trans *self, struct stream *in_s, int size);
+typedef int (APP_CC *trans_write_call) (struct trans *self, struct stream *out_s);
struct trans
{
@@ -60,8 +64,34 @@ struct trans
char port[256];
int no_stream_init_on_data_in;
int extra_flags; /* user defined */
+ struct xrdp_tls *tls;
+ trans_read_call trans_read_call;
+ trans_write_call trans_write_call;
};
+/* xrdp_tls */
+struct xrdp_tls {
+ SSL *ssl;
+ SSL_CTX *ctx;
+ char *cert;
+ char *key;
+ struct trans *trans;
+};
+
+/* xrdp_tls.c */
+struct xrdp_tls *APP_CC
+xrdp_tls_create(struct trans *trans, const char *key, const char *cert);
+int APP_CC
+xrdp_tls_accept(struct xrdp_tls *self);
+int APP_CC
+xrdp_tls_disconnect(struct xrdp_tls *self);
+void APP_CC
+xrdp_tls_delete(struct xrdp_tls *self);
+int APP_CC
+xrdp_tls_force_read_s(struct trans *self, struct stream *in_s, int size);
+int APP_CC
+xrdp_tls_force_write_s(struct trans *self, struct stream *out_s);
+
struct trans* APP_CC
trans_create(int mode, int in_size, int out_size);
void APP_CC
@@ -95,5 +125,13 @@ struct stream* APP_CC
trans_get_in_s(struct trans* self);
struct stream* APP_CC
trans_get_out_s(struct trans* self, int size);
+int APP_CC
+trans_set_tls_mode(struct trans *self, const char *key, const char *cert);
+int APP_CC
+trans_shutdown_tls_mode(struct trans *self);
+int APP_CC
+trans_tcp_force_read_s(struct trans *self, struct stream *in_s, int size);
+int APP_CC
+trans_tcp_force_write_s(struct trans *self, struct stream *out_s);
#endif
diff --git a/common/xrdp_client_info.h b/common/xrdp_client_info.h
index bccb4436..59915f37 100644
--- a/common/xrdp_client_info.h
+++ b/common/xrdp_client_info.h
@@ -125,6 +125,9 @@ struct xrdp_client_info
int capture_code;
int capture_format;
+ char certificate[1024];
+ char key_file[1024];
+
};
#endif
diff --git a/common/xrdp_tls.c b/common/xrdp_tls.c
new file mode 100644
index 00000000..4429ff5e
--- /dev/null
+++ b/common/xrdp_tls.c
@@ -0,0 +1,422 @@
+/**
+ * xrdp: A Remote Desktop Protocol server.
+ *
+ * Copyright (C) Idan Freiberg 2013-2014
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * transport layer security
+ */
+
+#include "trans.h"
+#include "ssl_calls.h"
+
+/*****************************************************************************/
+struct xrdp_tls *APP_CC
+xrdp_tls_create(struct trans *trans, const char *key, const char *cert)
+{
+ struct xrdp_tls *self;
+ self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1);
+
+ if (self != NULL)
+ {
+ self->trans = trans;
+ self->cert = (char *) cert;
+ self->key = (char *) key;
+ }
+
+ return self;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_accept(struct xrdp_tls *self)
+{
+ int connection_status;
+ long options = 0;
+
+ /**
+ * SSL_OP_NO_SSLv2:
+ *
+ * We only want SSLv3 and TLSv1, so disable SSLv2.
+ * SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+ */
+ options |= SSL_OP_NO_SSLv2;
+
+ /**
+ * SSL_OP_NO_COMPRESSION:
+ *
+ * The Microsoft RDP server does not advertise support
+ * for TLS compression, but alternative servers may support it.
+ * This was observed between early versions of the FreeRDP server
+ * and the FreeRDP client, and caused major performance issues,
+ * which is why we're disabling it.
+ */
+ options |= SSL_OP_NO_COMPRESSION;
+
+ /**
+ * SSL_OP_TLS_BLOCK_PADDING_BUG:
+ *
+ * The Microsoft RDP server does *not* support TLS padding.
+ * It absolutely needs to be disabled otherwise it won't work.
+ */
+ options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
+
+ /**
+ * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
+ *
+ * Just like TLS padding, the Microsoft RDP server does not
+ * support empty fragments. This needs to be disabled.
+ */
+ options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
+ self->ctx = SSL_CTX_new(SSLv23_server_method());
+ /* set context options */
+ SSL_CTX_set_mode(self->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_options(self->ctx, options);
+ SSL_CTX_set_read_ahead(self->ctx, 1);
+
+ if (self->ctx == NULL) {
+ g_writeln("xrdp_tls_accept: SSL_CTX_new failed");
+ return 1;
+ }
+
+ if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM)
+ <= 0) {
+ g_writeln("xrdp_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed");
+ return 1;
+ }
+
+ self->ssl = SSL_new(self->ctx);
+
+ if (self->ssl == NULL) {
+ g_writeln("xrdp_tls_accept: SSL_new failed");
+ return 1;
+ }
+
+ if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) {
+ g_writeln("xrdp_tls_accept: SSL_use_certificate_file failed");
+ return 1;
+ }
+
+ if (SSL_set_fd(self->ssl, self->trans->sck) < 1) {
+ g_writeln("xrdp_tls_accept: SSL_set_fd failed");
+ return 1;
+ }
+
+ connection_status = SSL_accept(self->ssl);
+
+ if (connection_status <= 0) {
+ if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status))
+ {
+ return 1;
+ }
+ }
+
+ g_writeln("xrdp_tls_accept: TLS connection accepted");
+
+ return 0;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_print_error(char *func, SSL *connection, int value)
+{
+ switch (SSL_get_error(connection, value))
+ {
+ case SSL_ERROR_ZERO_RETURN:
+ g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection", func);
+ return 1;
+
+ case SSL_ERROR_WANT_READ:
+ g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ");
+ return 0;
+
+ case SSL_ERROR_WANT_WRITE:
+ g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE");
+ return 0;
+
+ case SSL_ERROR_SYSCALL:
+ g_writeln("xrdp_tls_print_error: %s: I/O error", func);
+ return 1;
+
+ case SSL_ERROR_SSL:
+ g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)", func);
+ return 1;
+
+ default:
+ g_writeln("xrdp_tls_print_error: %s: Unknown error", func);
+ return 1;
+ }
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_disconnect(struct xrdp_tls *self)
+{
+ int status = SSL_shutdown(self->ssl);
+ while (status != 1)
+ {
+ status = SSL_shutdown(self->ssl);
+
+ if (status <= 0) {
+ if (xrdp_tls_print_error("SSL_shutdown", self->ssl, status))
+ {
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+/*****************************************************************************/
+void APP_CC
+xrdp_tls_delete(struct xrdp_tls *self)
+{
+ if (self != NULL)
+ {
+ if (self->ssl)
+ SSL_free(self->ssl);
+
+ if (self->ctx)
+ SSL_CTX_free(self->ctx);
+
+ g_free(self);
+ }
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length)
+{
+ int status;
+
+ status = SSL_read(tls->ssl, data, length);
+
+ switch (SSL_get_error(tls->ssl, status))
+ {
+ case SSL_ERROR_NONE:
+ break;
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ status = 0;
+ break;
+
+ default:
+ xrdp_tls_print_error("SSL_read", tls->ssl, status);
+ status = -1;
+ break;
+ }
+
+ return status;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length)
+{
+ int status;
+
+ status = SSL_write(tls->ssl, data, length);
+
+ switch (SSL_get_error(tls->ssl, status))
+ {
+ case SSL_ERROR_NONE:
+ break;
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ status = 0;
+ break;
+
+ default:
+ xrdp_tls_print_error("SSL_write", tls->ssl, status);
+ status = -1;
+ break;
+ }
+
+ return status;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_force_read_s(struct trans *self, struct stream *in_s, int size)
+{
+ int rcvd;
+
+ if (self->status != TRANS_STATUS_UP)
+ {
+ return 1;
+ }
+
+ while (size > 0)
+ {
+ /* make sure stream has room */
+ if ((in_s->end + size) > (in_s->data + in_s->size))
+ {
+ return 1;
+ }
+
+ rcvd = xrdp_tls_read(self->tls, in_s->end, size);
+
+ if (rcvd == -1)
+ {
+ if (g_tcp_last_error_would_block(self->sck))
+ {
+ if (!g_tcp_can_recv(self->sck, 100))
+ {
+ /* check for term here */
+ if (self->is_term != 0)
+ {
+ if (self->is_term())
+ {
+ /* term */
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+ }
+ }
+ }
+ else
+ {
+ /* error */
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+ }
+ else if (rcvd == 0)
+ {
+ /* error */
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+ else
+ {
+ in_s->end += rcvd;
+ size -= rcvd;
+ }
+ }
+
+ return 0;
+}
+
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_force_write_s(struct trans *self, struct stream *out_s)
+{
+ int size;
+ int total;
+ int sent;
+
+ if (self->status != TRANS_STATUS_UP)
+ {
+ return 1;
+ }
+
+ size = (int)(out_s->end - out_s->data);
+ total = 0;
+
+ if (xrdp_tls_send_waiting(self, 1) != 0)
+ {
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+
+ while (total < size)
+ {
+ sent = xrdp_tls_write(self->tls, out_s->data + total, size - total);
+
+ if (sent == -1)
+ {
+ if (g_tcp_last_error_would_block(self->sck))
+ {
+ if (!g_tcp_can_send(self->sck, 100))
+ {
+ /* check for term here */
+ if (self->is_term != 0)
+ {
+ if (self->is_term())
+ {
+ /* term */
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+ }
+ }
+ }
+ else
+ {
+ /* error */
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+ }
+ else if (sent == 0)
+ {
+ /* error */
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+ else
+ {
+ total = total + sent;
+ }
+ }
+
+ return 0;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_send_waiting(struct trans *self, int block)
+{
+ struct stream *temp_s;
+ int bytes;
+ int sent;
+ int timeout;
+ int cont;
+
+ timeout = block ? 100 : 0;
+ cont = 1;
+ while (cont)
+ {
+ if (self->wait_s != 0)
+ {
+ temp_s = self->wait_s;
+ if (g_tcp_can_send(self->sck, timeout))
+ {
+ bytes = (int) (temp_s->end - temp_s->p);
+ sent = xrdp_tls_write(self->tls, temp_s->p, bytes);
+ if (sent > 0)
+ {
+ temp_s->p += sent;
+ if (temp_s->p >= temp_s->end)
+ {
+ self->wait_s = (struct stream *) (temp_s->next_packet);
+ free_stream(temp_s);
+ }
+ }
+ else if (sent == 0)
+ {
+ return 1;
+ }
+ else
+ {
+ if (!g_tcp_last_error_would_block(self->sck))
+ {
+ return 1;
+ }
+ }
+ }
+ }
+ else
+ {
+ break;
+ }
+ cont = block;
+ }
+ return 0;
+}
diff --git a/librfxcodec b/librfxcodec
deleted file mode 160000
-Subproject 766b06b5f914e9a0b0f5faf02912451d12dba07
diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c
index e5b921c0..876d9473 100644
--- a/libxrdp/libxrdp.c
+++ b/libxrdp/libxrdp.c
@@ -141,6 +141,7 @@ libxrdp_force_read(struct trans* trans)
s = trans->in_s;
init_stream(s, 32 * 1024);
+
if (trans_force_read(trans, 4) != 0)
{
g_writeln("libxrdp_force_read: error");
@@ -157,6 +158,7 @@ libxrdp_force_read(struct trans* trans)
g_writeln("libxrdp_force_read: error");
return 0;
}
+
if (trans_force_read(trans, bytes - 4) != 0)
{
g_writeln("libxrdp_force_read: error");
diff --git a/libxrdp/libxrdp.h b/libxrdp/libxrdp.h
index f702c280..0bda9f45 100644
--- a/libxrdp/libxrdp.h
+++ b/libxrdp/libxrdp.h
@@ -122,9 +122,7 @@ struct xrdp_sec
char pub_mod[256];
char pub_sig[64];
char pri_exp[256];
- int rsa_key_bytes; /* 64 or 256 */
- int channel_code;
- int multimon;
+ int rsa_key_bytes; /* 64 or 256 , 0 = no rdp security */
char fips_encrypt_key[24];
char fips_decrypt_key[24];
char fips_sign_key[20];
@@ -290,6 +288,7 @@ struct xrdp_mppc_enc
tui16 *hash_table;
};
+
int APP_CC
compress_rdp(struct xrdp_mppc_enc *enc, tui8 *srcData, int len);
struct xrdp_mppc_enc * APP_CC
@@ -344,9 +343,8 @@ int APP_CC
xrdp_mcs_disconnect(struct xrdp_mcs *self);
/* xrdp_sec.c */
-struct xrdp_sec * APP_CC
-xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level,
- int channel_code, int multimon);
+struct xrdp_sec *APP_CC
+xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans);
void APP_CC
xrdp_sec_delete(struct xrdp_sec *self);
int APP_CC
@@ -366,8 +364,6 @@ xrdp_sec_send(struct xrdp_sec *self, struct stream *s, int chan);
int APP_CC
xrdp_sec_process_mcs_data(struct xrdp_sec *self);
int APP_CC
-xrdp_sec_out_mcs_data(struct xrdp_sec *self);
-int APP_CC
xrdp_sec_incoming(struct xrdp_sec *self);
int APP_CC
xrdp_sec_disconnect(struct xrdp_sec *self);
diff --git a/libxrdp/xrdp_fastpath.c b/libxrdp/xrdp_fastpath.c
index 8739c764..f84f5ae1 100644
--- a/libxrdp/xrdp_fastpath.c
+++ b/libxrdp/xrdp_fastpath.c
@@ -117,7 +117,7 @@ xrdp_fastpath_init(struct xrdp_fastpath *self, struct stream *s)
int APP_CC
xrdp_fastpath_send(struct xrdp_fastpath *self, struct stream *s)
{
- if (trans_force_write_s(self->trans, s) != 0)
+ if (trans_force_write_s(self->trans, s) != 0)
{
return 1;
}
diff --git a/libxrdp/xrdp_iso.c b/libxrdp/xrdp_iso.c
index 6fb803ad..ee490839 100644
--- a/libxrdp/xrdp_iso.c
+++ b/libxrdp/xrdp_iso.c
@@ -56,8 +56,6 @@ xrdp_iso_process_rdpNegReq(struct xrdp_iso *self, struct stream *s)
int flags;
int len;
- DEBUG((" in xrdp_iso_process_neg_req"));
-
in_uint8(s, flags);
if (flags != 0x0 && flags != 0x8 && flags != 0x1)
{
@@ -80,7 +78,6 @@ xrdp_iso_process_rdpNegReq(struct xrdp_iso *self, struct stream *s)
return 1;
}
- DEBUG((" out xrdp_iso_process_rdpNegReq"));
return 0;
}
/*****************************************************************************/
@@ -279,8 +276,7 @@ xrdp_iso_incoming(struct xrdp_iso *self)
self->rdpNegData = 1;
if (xrdp_iso_process_rdpNegReq(self, s) != 0)
{
- g_writeln(
- "xrdp_iso_incoming: xrdp_iso_process_rdpNegReq returned non zero");
+ g_writeln("xrdp_iso_incoming: xrdp_iso_process_rdpNegReq returned non zero");
return 1;
}
break;
@@ -306,12 +302,10 @@ xrdp_iso_incoming(struct xrdp_iso *self)
}
}
+ int serverSecurityLayer = self->mcs_layer->sec_layer->rdp_layer->client_info.security_layer;
/* security layer negotiation */
if (self->rdpNegData)
{
- int
- serverSecurityLayer =
- self->mcs_layer->sec_layer->rdp_layer->client_info.security_layer;
self->selectedProtocol = PROTOCOL_RDP; /* set default security layer */
switch (serverSecurityLayer)
@@ -372,6 +366,11 @@ xrdp_iso_incoming(struct xrdp_iso *self)
self->failureCode = INCONSISTENT_FLAGS; //TODO: ?
}
}
+ else if (self->requestedProtocol != serverSecurityLayer)
+ {
+ /* enforce server security */
+ return 1;
+ }
/* set things for tls connection */
diff --git a/libxrdp/xrdp_mcs.c b/libxrdp/xrdp_mcs.c
index c1b0b908..a15c2fce 100644
--- a/libxrdp/xrdp_mcs.c
+++ b/libxrdp/xrdp_mcs.c
@@ -706,7 +706,163 @@ xrdp_mcs_out_domain_params(struct xrdp_mcs *self, struct stream *s,
xrdp_mcs_ber_out_int8(self, s, 2);
return 0;
}
+/*****************************************************************************/
+/* prepare server gcc data to send in mcs response msg */
+int APP_CC
+xrdp_mcs_out_gcc_data(struct xrdp_sec *self)
+{
+ struct stream *s;
+ int num_channels_even;
+ int num_channels;
+ int index;
+ int channel;
+ int gcc_size;
+ char* gcc_size_ptr;
+ char* ud_ptr;
+
+ num_channels = self->mcs_layer->channel_list->count;
+ num_channels_even = num_channels + (num_channels & 1);
+ s = &(self->server_mcs_data);
+ init_stream(s, 8192);
+ out_uint16_be(s, 5); /* AsnBerObjectIdentifier */
+ out_uint16_be(s, 0x14);
+ out_uint8(s, 0x7c);
+ out_uint16_be(s, 1); /* -- */
+ out_uint8(s, 0x2a); /* ConnectPDULen */
+ out_uint8(s, 0x14);
+ out_uint8(s, 0x76);
+ out_uint8(s, 0x0a);
+ out_uint8(s, 1);
+ out_uint8(s, 1);
+ out_uint8(s, 0);
+ out_uint16_le(s, 0xc001);
+ out_uint8(s, 0);
+ out_uint8(s, 0x4d); /* M */
+ out_uint8(s, 0x63); /* c */
+ out_uint8(s, 0x44); /* D */
+ out_uint8(s, 0x6e); /* n */
+ /* GCC Response Total Length - 2 bytes , set later */
+ gcc_size_ptr = s->p; /* RDPGCCUserDataResponseLength */
+ out_uint8s(s, 2);
+ ud_ptr = s->p; /* User Data */
+ out_uint16_le(s, SEC_TAG_SRV_INFO);
+ if (self->mcs_layer->iso_layer->rdpNegData)
+ {
+ out_uint16_le(s, 12); /* len */
+ }
+ else
+ {
+ out_uint16_le(s, 8); /* len */
+ }
+ out_uint8(s, 4); /* 4 = rdp5 1 = rdp4 */
+ out_uint8(s, 0);
+ out_uint8(s, 8);
+ out_uint8(s, 0);
+ if (self->mcs_layer->iso_layer->rdpNegData)
+ {
+ /* ReqeustedProtocol */
+ out_uint32_le(s, self->mcs_layer->iso_layer->requestedProtocol);
+ }
+ out_uint16_le(s, SEC_TAG_SRV_CHANNELS);
+ out_uint16_le(s, 8 + (num_channels_even * 2)); /* len */
+ out_uint16_le(s, MCS_GLOBAL_CHANNEL); /* 1003, 0x03eb main channel */
+ out_uint16_le(s, num_channels); /* number of other channels */
+
+ for (index = 0; index < num_channels_even; index++)
+ {
+ if (index < num_channels)
+ {
+ channel = MCS_GLOBAL_CHANNEL + (index + 1);
+ out_uint16_le(s, channel);
+ }
+ else
+ {
+ out_uint16_le(s, 0);
+ }
+ }
+
+ if (self->rsa_key_bytes == 64)
+ {
+ g_writeln("xrdp_sec_out_mcs_data: using 512 bit RSA key");
+ out_uint16_le(s, SEC_TAG_SRV_CRYPT);
+ out_uint16_le(s, 0x00ec); /* len is 236 */
+ out_uint32_le(s, self->crypt_method);
+ out_uint32_le(s, self->crypt_level);
+ out_uint32_le(s, 32); /* 32 bytes random len */
+ out_uint32_le(s, 0xb8); /* 184 bytes rsa info(certificate) len */
+ out_uint8a(s, self->server_random, 32);
+ /* here to end is certificate */
+ /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */
+ /* TermService\Parameters\Certificate */
+ out_uint32_le(s, 1);
+ out_uint32_le(s, 1);
+ out_uint32_le(s, 1);
+ out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */
+ out_uint16_le(s, 0x005c); /* 92 bytes length of SEC_TAG_PUBKEY */
+ out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */
+ out_uint32_le(s, 0x0048); /* 72 bytes modulus len */
+ out_uint32_be(s, 0x00020000); /* bit len */
+ out_uint32_be(s, 0x3f000000); /* data len */
+ out_uint8a(s, self->pub_exp, 4); /* pub exp */
+ out_uint8a(s, self->pub_mod, 64); /* pub mod */
+ out_uint8s(s, 8); /* pad */
+ out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */
+ out_uint16_le(s, 72); /* len */
+ out_uint8a(s, self->pub_sig, 64); /* pub sig */
+ out_uint8s(s, 8); /* pad */
+ }
+ else if (self->rsa_key_bytes == 256)
+ {
+ g_writeln("xrdp_sec_out_mcs_data: using 2048 bit RSA key");
+ out_uint16_le(s, SEC_TAG_SRV_CRYPT);
+ out_uint16_le(s, 0x01ac); /* len is 428 */
+ out_uint32_le(s, self->crypt_method);
+ out_uint32_le(s, self->crypt_level);
+ out_uint32_le(s, 32); /* 32 bytes random len */
+ out_uint32_le(s, 0x178); /* 376 bytes rsa info(certificate) len */
+ out_uint8a(s, self->server_random, 32);
+ /* here to end is certificate */
+ /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */
+ /* TermService\Parameters\Certificate */
+ out_uint32_le(s, 1);
+ out_uint32_le(s, 1);
+ out_uint32_le(s, 1);
+ out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */
+ out_uint16_le(s, 0x011c); /* 284 bytes length of SEC_TAG_PUBKEY */
+ out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */
+ out_uint32_le(s, 0x0108); /* 264 bytes modulus len */
+ out_uint32_be(s, 0x00080000); /* bit len */
+ out_uint32_be(s, 0xff000000); /* data len */
+ out_uint8a(s, self->pub_exp, 4); /* pub exp */
+ out_uint8a(s, self->pub_mod, 256); /* pub mod */
+ out_uint8s(s, 8); /* pad */
+ out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */
+ out_uint16_le(s, 72); /* len */
+ out_uint8a(s, self->pub_sig, 64); /* pub sig */
+ out_uint8s(s, 8); /* pad */
+ }
+ else if (self->rsa_key_bytes == 0) /* no security */
+ {
+ g_writeln("xrdp_sec_out_mcs_data: using no security");
+ out_uint16_le(s, SEC_TAG_SRV_CRYPT);
+ out_uint16_le(s, 12); /* len is 12 */
+ out_uint32_le(s, self->crypt_method);
+ out_uint32_le(s, self->crypt_level);
+ }
+ else
+ {
+ g_writeln("xrdp_sec_out_mcs_data: error");
+ }
+ /* end certificate */
+ s_mark_end(s);
+
+ gcc_size = (int)(s->end - ud_ptr) | 0x8000;
+ gcc_size_ptr[0] = gcc_size >> 8;
+ gcc_size_ptr[1] = gcc_size;
+
+ return 0;
+}
/*****************************************************************************/
/* returns error */
static int APP_CC
@@ -720,7 +876,9 @@ xrdp_mcs_send_connect_response(struct xrdp_mcs *self)
init_stream(s, 8192);
data_len = (int) (self->server_mcs_data->end - self->server_mcs_data->data);
xrdp_iso_init(self->iso_layer, s);
- xrdp_mcs_ber_out_header(self, s, MCS_CONNECT_RESPONSE, data_len + 38);
+ //TODO: we should calculate the whole length include MCS_CONNECT_RESPONSE
+ xrdp_mcs_ber_out_header(self, s, MCS_CONNECT_RESPONSE,
+ data_len > 0x80 ? data_len + 38 : data_len + 36);
xrdp_mcs_ber_out_header(self, s, BER_TAG_RESULT, 1);
out_uint8(s, 0);
xrdp_mcs_ber_out_header(self, s, BER_TAG_INTEGER, 1);
@@ -748,13 +906,9 @@ xrdp_mcs_send_connect_response(struct xrdp_mcs *self)
int APP_CC
xrdp_mcs_incoming(struct xrdp_mcs *self)
{
+ int i;
DEBUG((" in xrdp_mcs_incoming"));
- if (xrdp_iso_incoming(self->iso_layer) != 0)
- {
- return 1;
- }
-
if (xrdp_mcs_recv_connect_initial(self) != 0)
{
return 1;
@@ -766,8 +920,7 @@ xrdp_mcs_incoming(struct xrdp_mcs *self)
return 1;
}
- /* in xrdp_sec.c */
- if (xrdp_sec_out_mcs_data(self->sec_layer) != 0)
+ if (xrdp_mcs_out_gcc_data(self->sec_layer) != 0)
{
return 1;
}
@@ -792,25 +945,18 @@ xrdp_mcs_incoming(struct xrdp_mcs *self)
return 1;
}
- if (xrdp_mcs_recv_cjrq(self) != 0)
+ for (i = 0 ; i < self->channel_list->count + 2 ; i++)
{
- return 1;
- }
+ if (xrdp_mcs_recv_cjrq(self) != 0)
+ {
+ return 1;
+ }
- if (xrdp_mcs_send_cjcf(self, self->userid,
- self->userid + MCS_USERCHANNEL_BASE) != 0)
- {
- return 1;
- }
-
- if (xrdp_mcs_recv_cjrq(self) != 0)
- {
- return 1;
- }
-
- if (xrdp_mcs_send_cjcf(self, self->userid, MCS_GLOBAL_CHANNEL) != 0)
- {
- return 1;
+ if (xrdp_mcs_send_cjcf(self, self->userid,
+ self->userid + MCS_USERCHANNEL_BASE + i) != 0)
+ {
+ return 1;
+ }
}
DEBUG((" out xrdp_mcs_incoming"));
@@ -939,6 +1085,7 @@ close_rdp_socket(struct xrdp_mcs *self)
{
if (self->iso_layer->trans != 0)
{
+ trans_shutdown_tls_mode(self->iso_layer->trans);
g_tcp_close(self->iso_layer->trans->sck);
self->iso_layer->trans->sck = 0 ;
g_writeln("xrdp_mcs_disconnect - socket closed");
@@ -961,7 +1108,7 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self)
if (xrdp_iso_init(self->iso_layer, s) != 0)
{
- free_stream(s);
+ free_stream(s);
close_rdp_socket(self);
DEBUG((" out xrdp_mcs_disconnect error - 1"));
return 1;
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index c99074fd..b4ef19a8 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -177,6 +177,38 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
client_info->security_layer = PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX;
}
}
+ else if (g_strcasecmp(item, "certificate") == 0)
+ {
+ g_memset(client_info->certificate, 0, sizeof(char) * 1024);
+ if (value[0] != '/')
+ {
+ /* default certificate path */
+ g_snprintf(client_info->certificate, 1023, "%s/cert.pem", XRDP_CFG_PATH);
+ log_message(LOG_LEVEL_ALWAYS,"WARNING: Invalid x.509 certificate path defined, "
+ "default path will be used: %s", client_info->certificate);
+ }
+ else
+ {
+ /* use user defined certificate */
+ g_strncpy(client_info->certificate, value, 1023);
+ }
+ }
+ else if (g_strcasecmp(item, "key_file") == 0)
+ {
+ g_memset(client_info->key_file, 0, sizeof(char) * 1024);
+ if (value[0] != '/')
+ {
+ /* default key_file path */
+ g_snprintf(client_info->key_file, 1023, "%s/key.pem", XRDP_CFG_PATH);
+ log_message(LOG_LEVEL_ALWAYS,"WARNING: Invalid x.509 certificate path defined, "
+ "default path will be used: %s", client_info->key_file);
+ }
+ else
+ {
+ /* use user defined key_file */
+ g_strncpy(client_info->key_file, value, 1023);
+ }
+ }
}
@@ -253,10 +285,7 @@ xrdp_rdp_create(struct xrdp_session *session, struct trans *trans)
/* read ini settings */
xrdp_rdp_read_config(&self->client_info);
/* create sec layer */
- self->sec_layer = xrdp_sec_create(self, trans,
- self->client_info.crypt_level,
- self->client_info.channel_code,
- self->client_info.multimon);
+ self->sec_layer = xrdp_sec_create(self, trans);
/* default 8 bit v1 color bitmap cache entries and size */
self->client_info.cache1_entries = 600;
self->client_info.cache1_size = 256;
@@ -352,6 +381,15 @@ xrdp_rdp_recv(struct xrdp_rdp *self, struct stream *s, int *code)
chan = 0;
error = xrdp_sec_recv(self->sec_layer, s, &chan);
+ if (error == 3)
+ {
+ /* unencrypted confirm active msg arrived */
+ s->next_packet = 0;
+ *code = 3;
+ DEBUG(("out (0) xrdp_rdp_recv"));
+ return 0;
+ }
+
if (error == -1) /* special code for send demand active */
{
s->next_packet = 0;
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 6ebdf715..7ac68b14 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -222,87 +222,46 @@ hex_str_to_bin(char *in, char *out, int out_len)
/*****************************************************************************/
struct xrdp_sec *APP_CC
-xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level,
- int channel_code, int multimon)
+xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans)
{
struct xrdp_sec *self;
- DEBUG((" in xrdp_sec_create"));
- self = (struct xrdp_sec *)g_malloc(sizeof(struct xrdp_sec), 1);
- self->rdp_layer = owner;
- self->crypt_method = CRYPT_METHOD_NONE;
- self->crypt_level = CRYPT_LEVEL_NONE;
- switch (crypt_level)
- {
- case 1: /* low */
- self->crypt_method = CRYPT_METHOD_40BIT;
- self->crypt_level = CRYPT_LEVEL_LOW;
- break;
- case 2: /* medium */
- self->crypt_method = CRYPT_METHOD_40BIT;
- self->crypt_level = CRYPT_LEVEL_CLIENT_COMPATIBLE;
- break;
- case 3: /* high */
- self->crypt_method = CRYPT_METHOD_128BIT;
- self->crypt_level = CRYPT_LEVEL_HIGH;
- break;
- case 4: /* fips */
- self->crypt_method = CRYPT_METHOD_FIPS;
- self->crypt_level = CRYPT_LEVEL_FIPS;
- break;
- default:
- g_writeln("Fatal : Illegal crypt_level");
- break ;
- }
-
- self->channel_code = channel_code;
- self->multimon = multimon;
-
- if (self->decrypt_rc4_info != NULL)
- {
- g_writeln("xrdp_sec_create - decrypt_rc4_info already created !!!");
- }
-
- self->decrypt_rc4_info = ssl_rc4_info_create();
-
- if (self->encrypt_rc4_info != NULL)
- {
- g_writeln("xrdp_sec_create - encrypt_rc4_info already created !!!");
- }
-
- self->encrypt_rc4_info = ssl_rc4_info_create();
- self->mcs_layer = xrdp_mcs_create(self, trans,
- &(self->client_mcs_data),
- &(self->server_mcs_data));
- self->fastpath_layer = xrdp_fastpath_create(self, trans);
- self->chan_layer = xrdp_channel_create(self, self->mcs_layer);
- DEBUG((" out xrdp_sec_create"));
- return self;
+ DEBUG((" in xrdp_sec_create"));
+ self = (struct xrdp_sec *) g_malloc(sizeof(struct xrdp_sec), 1);
+ self->rdp_layer = owner;
+ self->crypt_method = CRYPT_METHOD_NONE; /* set later */
+ self->crypt_level = CRYPT_LEVEL_NONE;
+ self->mcs_layer = xrdp_mcs_create(self, trans, &(self->client_mcs_data),
+ &(self->server_mcs_data));
+ self->fastpath_layer = xrdp_fastpath_create(self, trans);
+ self->chan_layer = xrdp_channel_create(self, self->mcs_layer);
+ DEBUG((" out xrdp_sec_create"));
+
+ return self;
}
/*****************************************************************************/
void APP_CC
-xrdp_sec_delete(struct xrdp_sec *self)
-{
- if (self == 0)
- {
- g_writeln("xrdp_sec_delete: indata is null");
- return;
- }
-
- xrdp_channel_delete(self->chan_layer);
- xrdp_mcs_delete(self->mcs_layer);
- xrdp_fastpath_delete(self->fastpath_layer);
- ssl_rc4_info_delete(self->decrypt_rc4_info); /* TODO clear all data */
- ssl_rc4_info_delete(self->encrypt_rc4_info); /* TODO clear all data */
- ssl_des3_info_delete(self->decrypt_fips_info);
- ssl_des3_info_delete(self->encrypt_fips_info);
- ssl_hmac_info_delete(self->sign_fips_info);
- g_free(self->client_mcs_data.data);
- g_free(self->server_mcs_data.data);
- /* Crypto information must always be cleared */
- g_memset(self, 0, sizeof(struct xrdp_sec));
- g_free(self);
+xrdp_sec_delete(struct xrdp_sec *self) {
+
+ if (self == 0) {
+ g_writeln("xrdp_sec_delete: indata is null");
+ return;
+ }
+
+ xrdp_channel_delete(self->chan_layer);
+ xrdp_mcs_delete(self->mcs_layer);
+ xrdp_fastpath_delete(self->fastpath_layer);
+ ssl_rc4_info_delete(self->decrypt_rc4_info); /* TODO clear all data */
+ ssl_rc4_info_delete(self->encrypt_rc4_info); /* TODO clear all data */
+ ssl_des3_info_delete(self->decrypt_fips_info);
+ ssl_des3_info_delete(self->encrypt_fips_info);
+ ssl_hmac_info_delete(self->sign_fips_info);
+ g_free(self->client_mcs_data.data);
+ g_free(self->server_mcs_data.data);
+ /* Crypto information must always be cleared */
+ g_memset(self, 0, sizeof(struct xrdp_sec));
+ g_free(self);
}
/*****************************************************************************/
@@ -325,7 +284,7 @@ xrdp_sec_init(struct xrdp_sec *self, struct stream *s)
}
else
{
- s_push_layer(s, sec_hdr, 4);
+// s_push_layer(s, sec_hdr, 4);
}
return 0;
@@ -1042,6 +1001,21 @@ xrdp_sec_recv(struct xrdp_sec *self, struct stream *s, int *chan)
{
return 1;
}
+
+ /* TODO: HACK, we should recognize packets without security header
+ However, client info packet and license packet always have security header. */
+ if (s->data[17] == 0x13) /* confirm active pdu */
+ {
+ g_writeln("CONFIRM ACTIVE ARRIVED");
+ return 0;
+ }
+
+ if (s->data[17] == 0x17 || s->data[16] == 0x17) /* rdp data pdu */
+ {
+ g_writeln("RDP DATA ARRIVED");
+ return 0;
+ }
+
in_uint32_le(s, flags);
DEBUG((" in xrdp_sec_recv flags $%x", flags));
@@ -1066,7 +1040,7 @@ xrdp_sec_recv(struct xrdp_sec *self, struct stream *s, int *chan)
xrdp_sec_fips_decrypt(self, s->p, (int)(s->end - s->p));
s->end -= pad;
}
- else
+ else if (self->crypt_level > CRYPT_LEVEL_NONE)
{
if (!s_check_rem(s, 8))
{
@@ -1253,7 +1227,7 @@ xrdp_sec_send(struct xrdp_sec *self, struct stream *s, int chan)
}
else
{
- out_uint32_le(s, 0);
+// out_uint32_le(s, 0);
}
if (xrdp_mcs_send(self->mcs_layer, s, chan) != 0)
@@ -1616,11 +1590,16 @@ xrdp_sec_process_mcs_data_channels(struct xrdp_sec *self, struct stream *s)
{
int num_channels;
int index;
+ struct mcs_channel_item *channel_item;
+ struct xrdp_client_info *client_info = (struct xrdp_client_info *)NULL;
+
+ client_info = &(self->rdp_layer->client_info);
+
- DEBUG(("processing channels, channel_code is %d", self->channel_code));
+ DEBUG(("processing channels, channel_code is %d", client_info->channel_code));
/* this is an option set in xrdp.ini */
- if (self->channel_code != 1) /* are channels on? */
+ if (client_info->channel_code != 1) /* are channels on? */
{
g_writeln("Processing channel data from client - The channel is off");
return 0;
@@ -1672,9 +1651,9 @@ xrdp_sec_process_mcs_data_monitors(struct xrdp_sec *self, struct stream *s)
client_info = &(self->rdp_layer->client_info);
- DEBUG(("processing monitors data, allow_multimon is %d", self->multimon));
+ DEBUG(("processing monitors data, allow_multimon is %d", client_info->multimon));
/* this is an option set in xrdp.ini */
- if (self->multimon != 1) /* are multi-monitors allowed ? */
+ if (client_info->multimon != 1) /* are multi-monitors allowed ? */
{
DEBUG(("[INFO] xrdp_sec_process_mcs_data_monitors: multimon is not "
"allowed, skipping"));
@@ -1816,156 +1795,6 @@ xrdp_sec_process_mcs_data(struct xrdp_sec *self)
}
/*****************************************************************************/
-/* prepare server mcs data to send in mcs layer */
-int APP_CC
-xrdp_sec_out_mcs_data(struct xrdp_sec *self)
-{
- struct stream *s;
- int num_channels_even;
- int num_channels;
- int index;
- int channel;
- int gcc_size;
- char* gcc_size_ptr;
- char* ud_ptr;
-
- num_channels = self->mcs_layer->channel_list->count;
- num_channels_even = num_channels + (num_channels & 1);
- s = &(self->server_mcs_data);
- init_stream(s, 8192);
- out_uint16_be(s, 5);
- out_uint16_be(s, 0x14);
- out_uint8(s, 0x7c);
- out_uint16_be(s, 1);
- out_uint8(s, 0x2a);
- out_uint8(s, 0x14);
- out_uint8(s, 0x76);
- out_uint8(s, 0x0a);
- out_uint8(s, 1);
- out_uint8(s, 1);
- out_uint8(s, 0);
- out_uint16_le(s, 0xc001);
- out_uint8(s, 0);
- out_uint8(s, 0x4d); /* M */
- out_uint8(s, 0x63); /* c */
- out_uint8(s, 0x44); /* D */
- out_uint8(s, 0x6e); /* n */
- /* GCC Response Total Length - 2 bytes , set later */
- gcc_size_ptr = s->p; /* RDPGCCUserDataResponseLength */
- out_uint8s(s, 2);
- ud_ptr = s->p; /* User Data */
-
- out_uint16_le(s, SEC_TAG_SRV_INFO);
- if (self->mcs_layer->iso_layer->selectedProtocol != -1)
- {
- out_uint16_le(s, 12); /* len */
- }
- else
- {
- out_uint16_le(s, 8); /* len */
- }
- out_uint8(s, 4); /* 4 = rdp5 1 = rdp4 */
- out_uint8(s, 0);
- out_uint8(s, 8);
- out_uint8(s, 0);
- if (self->mcs_layer->iso_layer->selectedProtocol != -1)
- {
- /* ReqeustedProtocol */
- out_uint32_le(s, self->mcs_layer->iso_layer->selectedProtocol);
- }
- out_uint16_le(s, SEC_TAG_SRV_CHANNELS);
- out_uint16_le(s, 8 + (num_channels_even * 2)); /* len */
- out_uint16_le(s, MCS_GLOBAL_CHANNEL); /* 1003, 0x03eb main channel */
- out_uint16_le(s, num_channels); /* number of other channels */
-
- for (index = 0; index < num_channels_even; index++)
- {
- if (index < num_channels)
- {
- channel = MCS_GLOBAL_CHANNEL + (index + 1);
- out_uint16_le(s, channel);
- }
- else
- {
- out_uint16_le(s, 0);
- }
- }
-
- if (self->rsa_key_bytes == 64)
- {
- g_writeln("xrdp_sec_out_mcs_data: using 512 bit RSA key");
- out_uint16_le(s, SEC_TAG_SRV_CRYPT);
- out_uint16_le(s, 0x00ec); /* len is 236 */
- out_uint32_le(s, self->crypt_method);
- out_uint32_le(s, self->crypt_level);
- out_uint32_le(s, 32); /* 32 bytes random len */
- out_uint32_le(s, 0xb8); /* 184 bytes rsa info(certificate) len */
- out_uint8a(s, self->server_random, 32);
- /* here to end is certificate */
- /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */
- /* TermService\Parameters\Certificate */
- out_uint32_le(s, 1);
- out_uint32_le(s, 1);
- out_uint32_le(s, 1);
- out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */
- out_uint16_le(s, 0x005c); /* 92 bytes length of SEC_TAG_PUBKEY */
- out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */
- out_uint32_le(s, 0x0048); /* 72 bytes modulus len */
- out_uint32_be(s, 0x00020000); /* bit len */
- out_uint32_be(s, 0x3f000000); /* data len */
- out_uint8a(s, self->pub_exp, 4); /* pub exp */
- out_uint8a(s, self->pub_mod, 64); /* pub mod */
- out_uint8s(s, 8); /* pad */
- out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */
- out_uint16_le(s, 72); /* len */
- out_uint8a(s, self->pub_sig, 64); /* pub sig */
- out_uint8s(s, 8); /* pad */
- }
- else if (self->rsa_key_bytes == 256)
- {
- g_writeln("xrdp_sec_out_mcs_data: using 2048 bit RSA key");
- out_uint16_le(s, SEC_TAG_SRV_CRYPT);
- out_uint16_le(s, 0x01ac); /* len is 428 */
- out_uint32_le(s, self->crypt_method);
- out_uint32_le(s, self->crypt_level);
- out_uint32_le(s, 32); /* 32 bytes random len */
- out_uint32_le(s, 0x178); /* 376 bytes rsa info(certificate) len */
- out_uint8a(s, self->server_random, 32);
- /* here to end is certificate */
- /* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ */
- /* TermService\Parameters\Certificate */
- out_uint32_le(s, 1);
- out_uint32_le(s, 1);
- out_uint32_le(s, 1);
- out_uint16_le(s, SEC_TAG_PUBKEY); /* 0x0006 */
- out_uint16_le(s, 0x011c); /* 284 bytes length of SEC_TAG_PUBKEY */
- out_uint32_le(s, SEC_RSA_MAGIC); /* 0x31415352 'RSA1' */
- out_uint32_le(s, 0x0108); /* 264 bytes modulus len */
- out_uint32_be(s, 0x00080000); /* bit len */
- out_uint32_be(s, 0xff000000); /* data len */
- out_uint8a(s, self->pub_exp, 4); /* pub exp */
- out_uint8a(s, self->pub_mod, 256); /* pub mod */
- out_uint8s(s, 8); /* pad */
- out_uint16_le(s, SEC_TAG_KEYSIG); /* 0x0008 */
- out_uint16_le(s, 72); /* len */
- out_uint8a(s, self->pub_sig, 64); /* pub sig */
- out_uint8s(s, 8); /* pad */
- }
- else
- {
- LLOGLN(0, ("xrdp_sec_out_mcs_data: error"));
- }
- /* end certificate */
- s_mark_end(s);
-
- gcc_size = (int)(s->end - ud_ptr) | 0x8000;
- gcc_size_ptr[0] = gcc_size >> 8;
- gcc_size_ptr[1] = gcc_size;
-
- return 0;
-}
-
-/*****************************************************************************/
/* process the mcs client data we received from the mcs layer */
static int APP_CC
xrdp_sec_in_mcs_data(struct xrdp_sec *self)
@@ -2029,65 +1858,154 @@ xrdp_sec_in_mcs_data(struct xrdp_sec *self)
}
/*****************************************************************************/
+/* returns error */
+int APP_CC
+xrdp_sec_init_rdp_security(struct xrdp_sec *self)
+{
+ switch (self->rdp_layer->client_info.crypt_level)
+ {
+ case 1: /* low */
+ self->crypt_method = CRYPT_METHOD_40BIT;
+ self->crypt_level = CRYPT_LEVEL_LOW;
+ break;
+ case 2: /* medium */
+ self->crypt_method = CRYPT_METHOD_40BIT;
+ self->crypt_level = CRYPT_LEVEL_CLIENT_COMPATIBLE;
+ break;
+ case 3: /* high */
+ self->crypt_method = CRYPT_METHOD_128BIT;
+ self->crypt_level = CRYPT_LEVEL_HIGH;
+ break;
+ case 4: /* fips */
+ self->crypt_method = CRYPT_METHOD_FIPS;
+ self->crypt_level = CRYPT_LEVEL_FIPS;
+ break;
+ default:
+ g_writeln("Fatal : Illegal crypt_level");
+ break ;
+ }
+
+ if (self->decrypt_rc4_info != NULL)
+ {
+ g_writeln("xrdp_sec_init_rdp_security: decrypt_rc4_info already created !!!");
+ }
+ else
+ {
+ self->decrypt_rc4_info = ssl_rc4_info_create();
+ }
+
+ if (self->encrypt_rc4_info != NULL)
+ {
+ g_writeln("xrdp_sec_init_rdp_security: encrypt_rc4_info already created !!!");
+ }
+ else
+ {
+ self->encrypt_rc4_info = ssl_rc4_info_create();
+ }
+
+ return 0;
+}
+/*****************************************************************************/
int APP_CC
xrdp_sec_incoming(struct xrdp_sec *self)
{
struct list *items = NULL;
struct list *values = NULL;
+ struct xrdp_iso *iso;
int index = 0;
char *item = NULL;
char *value = NULL;
char key_file[256];
- g_memset(key_file, 0, sizeof(char) * 256);
- DEBUG((" in xrdp_sec_incoming"));
- g_random(self->server_random, 32);
- items = list_create();
- items->auto_free = 1;
- values = list_create();
- values->auto_free = 1;
- g_snprintf(key_file, 255, "%s/rsakeys.ini", XRDP_CFG_PATH);
+ DEBUG((" in xrdp_sec_incoming:"));
+ iso = self->mcs_layer->iso_layer;
- if (file_by_name_read_section(key_file, "keys", items, values) != 0)
+ /* negotiate security layer */
+ if (xrdp_iso_incoming(iso) != 0)
{
- /* this is a show stopper */
- log_message(LOG_LEVEL_ALWAYS, "XRDP cannot read file: %s "
- "(check permissions)", key_file);
- list_delete(items);
- list_delete(values);
+ DEBUG(("xrdp_sec_incoming: xrdp_iso_incoming failed"));
return 1;
}
- for (index = 0; index < items->count; index++)
+ /* initialize selected security layer */
+ if (iso->requestedProtocol > PROTOCOL_RDP)
{
- item = (char *)list_get_item(items, index);
- value = (char *)list_get_item(values, index);
+ /* init tls security */
+ DEBUG((" in xrdp_sec_incoming: init tls security"));
- if (g_strcasecmp(item, "pub_exp") == 0)
+ if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans,
+ self->rdp_layer->client_info.key_file,
+ self->rdp_layer->client_info.certificate) != 0)
{
- hex_str_to_bin(value, self->pub_exp, 4);
+ g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed");
+ return 1;
}
- else if (g_strcasecmp(item, "pub_mod") == 0)
+
+ self->crypt_level = CRYPT_LEVEL_NONE;
+ self->crypt_method = CRYPT_METHOD_NONE;
+ self->rsa_key_bytes = 0;
+
+ }
+ else
+ {
+ /* init rdp security */
+ DEBUG((" in xrdp_sec_incoming: init rdp security"));
+ if (xrdp_sec_init_rdp_security(self) != 0)
{
- self->rsa_key_bytes = (g_strlen(value) + 1) / 5;
- g_writeln("pub_mod bytes %d", self->rsa_key_bytes);
- hex_str_to_bin(value, self->pub_mod, self->rsa_key_bytes);
+ DEBUG(("xrdp_sec_incoming: xrdp_sec_init_rdp_security failed"));
+ return 1;
}
- else if (g_strcasecmp(item, "pub_sig") == 0)
+
+ g_memset(key_file, 0, sizeof(char) * 256);
+ g_random(self->server_random, 32);
+ items = list_create();
+ items->auto_free = 1;
+ values = list_create();
+ values->auto_free = 1;
+ g_snprintf(key_file, 255, "%s/rsakeys.ini", XRDP_CFG_PATH);
+
+ if (file_by_name_read_section(key_file, "keys", items, values) != 0)
{
- hex_str_to_bin(value, self->pub_sig, 64);
+ /* this is a show stopper */
+ log_message(LOG_LEVEL_ALWAYS, "XRDP cannot read file: %s "
+ "(check permissions)", key_file);
+ list_delete(items);
+ list_delete(values);
+ return 1;
}
- else if (g_strcasecmp(item, "pri_exp") == 0)
+
+ for (index = 0; index < items->count; index++)
{
- self->rsa_key_bytes = (g_strlen(value) + 1) / 5;
- g_writeln("pri_exp %d", self->rsa_key_bytes);
- hex_str_to_bin(value, self->pri_exp, self->rsa_key_bytes);
+ item = (char *)list_get_item(items, index);
+ value = (char *)list_get_item(values, index);
+
+ if (g_strcasecmp(item, "pub_exp") == 0)
+ {
+ hex_str_to_bin(value, self->pub_exp, 4);
+ }
+ else if (g_strcasecmp(item, "pub_mod") == 0)
+ {
+ self->rsa_key_bytes = (g_strlen(value) + 1) / 5;
+ g_writeln("pub_mod bytes %d", self->rsa_key_bytes);
+ hex_str_to_bin(value, self->pub_mod, self->rsa_key_bytes);
+ }
+ else if (g_strcasecmp(item, "pub_sig") == 0)
+ {
+ hex_str_to_bin(value, self->pub_sig, 64);
+ }
+ else if (g_strcasecmp(item, "pri_exp") == 0)
+ {
+ self->rsa_key_bytes = (g_strlen(value) + 1) / 5;
+ g_writeln("pri_exp %d", self->rsa_key_bytes);
+ hex_str_to_bin(value, self->pri_exp, self->rsa_key_bytes);
+ }
}
- }
- list_delete(items);
- list_delete(values);
+ list_delete(items);
+ list_delete(values);
+ }
+ /* negotiate mcs layer */
if (xrdp_mcs_incoming(self->mcs_layer) != 0)
{
return 1;
@@ -2106,6 +2024,7 @@ xrdp_sec_incoming(struct xrdp_sec *self)
{
return 1;
}
+
LLOGLN(10, ("xrdp_sec_incoming: out"));
return 0;
}
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index 5b86d4c2..52a6c7d9 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -5,11 +5,17 @@ ini_version=1
bitmap_cache=yes
bitmap_compression=yes
port=3389
-crypt_level=high
-security_layer=rdp
allow_channels=true
max_bpp=32
fork=yes
+crypt_level=high
+# security layer can be 'tls', 'rdp' or 'negotiate'
+# for client compatible layer
+security_layer=rdp
+# X.509 certificate and private key
+# openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
+certificate=
+key_file=
# regulate if the listening socket use socket option tcp_nodelay
# no buffering will be performed in the TCP stack
diff --git a/xrdp/xrdp_process.c b/xrdp/xrdp_process.c
index b9cac32b..5a7cd1d8 100644
--- a/xrdp/xrdp_process.c
+++ b/xrdp/xrdp_process.c
@@ -171,7 +171,6 @@ xrdp_process_data_in(struct trans *self)
pro->server_trans->extra_flags = 1;
break;
}
-
return 0;
}