From b3cc8f75d9803bacd8c1717c75bce5fb7770ac76 Mon Sep 17 00:00:00 2001 From: Mike Rostermund Date: Thu, 20 Nov 2014 23:49:35 +0100 Subject: [PATCH 1/9] Fix spelling error and typo --- xrdp/lang.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xrdp/lang.c b/xrdp/lang.c index a2942599..de81c681 100644 --- a/xrdp/lang.c +++ b/xrdp/lang.c @@ -246,7 +246,7 @@ get_keymaps(int keylayout, struct xrdp_keymap *keymap) if (fd != -1) { lkeymap = (struct xrdp_keymap *)g_malloc(sizeof(struct xrdp_keymap), 0); - /* make a copy of the build in kaymap */ + /* make a copy of the built-in keymap */ g_memcpy(lkeymap, keymap, sizeof(struct xrdp_keymap)); /* clear the keymaps */ g_memset(keymap, 0, sizeof(struct xrdp_keymap)); From c1595059801e20cd3fa4b7a812f288e4083ab56a Mon Sep 17 00:00:00 2001 From: speidy Date: Fri, 21 Nov 2014 03:13:14 +0200 Subject: [PATCH 2/9] chansrv: fix for segfault issue in chansrv_common --- sesman/chansrv/chansrv_common.h | 1 + sesman/chansrv/sound.c | 1 + 2 files changed, 2 insertions(+) diff --git a/sesman/chansrv/chansrv_common.h b/sesman/chansrv/chansrv_common.h index 833e3359..d15c8da7 100644 --- a/sesman/chansrv/chansrv_common.h +++ b/sesman/chansrv/chansrv_common.h @@ -20,6 +20,7 @@ #define _CHANSRV_COMMON_H #include "parse.h" +#include "os_calls.h" int read_entire_packet(struct stream *src, struct stream **dest, int chan_flags, int length, int total_length); diff --git a/sesman/chansrv/sound.c b/sesman/chansrv/sound.c index 9943a15b..6281969b 100644 --- a/sesman/chansrv/sound.c +++ b/sesman/chansrv/sound.c @@ -28,6 +28,7 @@ #include "defines.h" #include "fifo.h" #include "file_loc.h" +#include "chansrv_common.h" extern int g_rdpsnd_chan_id; /* in chansrv.c */ extern int g_display_num; /* in chansrv.c */ From 52cac060923ab40fba27e37b108745acd4e9f837 Mon Sep 17 00:00:00 2001 From: speidy Date: Fri, 21 Nov 2014 03:17:45 +0200 Subject: [PATCH 3/9] libxrdp: delete NLA header detection for now, TLS is working now with mstsc --- libxrdp/libxrdp.c | 27 --------------------------- libxrdp/xrdp_rdp.c | 6 +++--- 2 files changed, 3 insertions(+), 30 deletions(-) diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c index df755f2b..594fcc73 100644 --- a/libxrdp/libxrdp.c +++ b/libxrdp/libxrdp.c @@ -89,33 +89,6 @@ libxrdp_get_pdu_bytes(const char *aheader) /* TPKT */ rv = (header[2] << 8) | header[3]; } - else if (header[0] == 0x30) - { - /* TSRequest (NLA) */ - if (header[1] & 0x80) - { - if ((header[1] & ~(0x80)) == 1) - { - rv = header[2]; - rv += 3; - } - else if ((header[1] & ~(0x80)) == 2) - { - rv = (header[2] << 8) | header[3]; - rv += 4; - } - else - { - g_writeln("libxrdp_get_pdu_bytes: error TSRequest!"); - return -1; - } - } - else - { - rv = header[1]; - rv += 2; - } - } else { /* Fast-Path */ diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index 4fc83ae8..6523a5b0 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -155,7 +155,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info) } else { - log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured fastpath level is" + log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured fastpath level is " "undefined, fastpath will not be used"); client_info->use_fast_path = 0; } @@ -176,7 +176,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info) } else { - log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured security layer is" + log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured security layer is " "undefined, xrdp will negotiate client compatible"); client_info->security_layer = PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX; } @@ -369,7 +369,7 @@ xrdp_rdp_recv(struct xrdp_rdp *self, struct stream *s, int *code) { /* check for fastpath first */ header = (const tui8 *) (s->p); - if ((header[0] != 0x3) && (header[0] != 0x3c)) + if (header[0] != 0x3) { if (xrdp_sec_recv_fastpath(self->sec_layer, s) != 0) { From 618ca587a52791bfccd3d81ee0dab16c8a005118 Mon Sep 17 00:00:00 2001 From: Renaud Allard Date: Fri, 21 Nov 2014 14:22:15 +0100 Subject: [PATCH 4/9] Enable authenticate user using BSD password system --- configure.ac | 11 +++- sesman/Makefile.am | 5 ++ sesman/verify_user_bsd.c | 113 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+), 2 deletions(-) create mode 100644 sesman/verify_user_bsd.c diff --git a/configure.ac b/configure.ac index c5d22ec0..50db1fe9 100644 --- a/configure.ac +++ b/configure.ac @@ -32,6 +32,10 @@ AM_CONDITIONAL(SESMAN_NOPAM, [test x$enable_pam != xyes]) AC_ARG_ENABLE(kerberos, AS_HELP_STRING([--enable-kerberos], [Build kerberos support (default: no)]), [], [enable_kerberos=no]) +AC_ARG_ENABLE(bsd, AS_HELP_STRING([--enable-bsd], + [Build BSD auth support (default: no)]), + [bsd=true], [bsd=false]) +AM_CONDITIONAL(SESMAN_BSD, [test x$bsd = xtrue]) AM_CONDITIONAL(SESMAN_KERBEROS, [test x$enable_kerberos = xyes]) AC_ARG_ENABLE(pamuserpass, AS_HELP_STRING([--enable-pamuserpass], [Build pam userpass support (default: no)]), @@ -78,8 +82,11 @@ if test "x$enable_pam" = "xyes" then if test "x$enable_kerberos" != "xyes" then - AC_CHECK_HEADER([security/pam_appl.h], [], - [AC_MSG_ERROR([please install libpam0g-dev or pam-devel])]) + if test -z "$enable_bsd" + then + AC_CHECK_HEADER([security/pam_appl.h], [], + [AC_MSG_ERROR([please install libpam0g-dev or pam-devel])]) + fi fi fi diff --git a/sesman/Makefile.am b/sesman/Makefile.am index e4b63eb4..516639f4 100644 --- a/sesman/Makefile.am +++ b/sesman/Makefile.am @@ -14,6 +14,10 @@ if SESMAN_NOPAM AUTH_C = verify_user.c AUTH_LIB = -lcrypt else +if SESMAN_BSD +AUTH_C = verify_user_bsd.c +AUTH_LIB = +else if SESMAN_PAMUSERPASS AUTH_C = verify_user_pam_userpass.c AUTH_LIB = -lpam -lpam_userpass @@ -27,6 +31,7 @@ AUTH_LIB = -lpam endif endif endif +endif sbin_PROGRAMS = \ xrdp-sesman diff --git a/sesman/verify_user_bsd.c b/sesman/verify_user_bsd.c new file mode 100644 index 00000000..3edd2d9e --- /dev/null +++ b/sesman/verify_user_bsd.c @@ -0,0 +1,113 @@ +/* + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + + xrdp: A Remote Desktop Protocol server. + Copyright (C) Jay Sorg 2005-2008 +*/ + +/** + * + * @file verify_user_user.c + * @brief Authenticate user using BSD password system + * @author Renaud Allard + * + */ + +#include "sesman.h" + +#define _XOPEN_SOURCE +#include +#include +#include +#include +#include +#include +#include + +#ifndef SECS_PER_DAY +#define SECS_PER_DAY (24L*3600L) +#endif + +extern struct config_sesman* g_cfg; /* in sesman.c */ + +/******************************************************************************/ +/* returns boolean */ +long DEFAULT_CC +auth_userpass(char* user, char* pass) +{ + int ret = auth_userokay(user, NULL, "auth-xrdp", pass); + return ret; +} + +/******************************************************************************/ +/* returns error */ +int DEFAULT_CC +auth_start_session(long in_val, int in_display) +{ + return 0; +} + +/******************************************************************************/ +int DEFAULT_CC +auth_end(long in_val) +{ + return 0; +} + +/******************************************************************************/ +int DEFAULT_CC +auth_set_env(long in_val) +{ + return 0; +} + +/******************************************************************************/ +int DEFAULT_CC +auth_check_pwd_chg(char* user) +{ + return 0; +} + +int DEFAULT_CC +auth_change_pwd(char* user, char* newpwd) +{ + return 0; +} + +/** + * + * @brief Password encryption + * @param pwd Old password + * @param pln Plaintext new password + * @param crp Crypted new password + * + */ + +static int DEFAULT_CC +auth_crypt_pwd(char* pwd, char* pln, char* crp) +{ + return 0; +} + +/** + * + * @return 1 if the account is disabled, 0 otherwise + * + */ +static int DEFAULT_CC +auth_account_disabled(struct spwd* stp) +{ + return 0; +} From 803af49a0452f029895657280d473b5cae8bec2d Mon Sep 17 00:00:00 2001 From: Renaud Allard Date: Fri, 21 Nov 2014 15:00:01 +0100 Subject: [PATCH 5/9] Some fixes to compile properly since this version has change a lot from 0.6.1 --- configure.ac | 2 +- sesman/verify_user_bsd.c | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 50db1fe9..e1a150e8 100644 --- a/configure.ac +++ b/configure.ac @@ -95,7 +95,7 @@ AC_CHECK_MEMBER([struct in6_addr.s6_addr], [AC_DEFINE(NO_ARPA_INET_H_IP6, 1, [for IPv6])], [#include ]) -if test "x$enable_pam" != "xyes" +if test "x$enable_pam" != "xyes" || test "x$bsd" = "xtrue" then AC_DEFINE([USE_NOPAM],1,[Disable PAM]) fi diff --git a/sesman/verify_user_bsd.c b/sesman/verify_user_bsd.c index 3edd2d9e..ef35037f 100644 --- a/sesman/verify_user_bsd.c +++ b/sesman/verify_user_bsd.c @@ -19,7 +19,7 @@ /** * - * @file verify_user_user.c + * @file verify_user_bsd.c * @brief Authenticate user using BSD password system * @author Renaud Allard * @@ -45,7 +45,7 @@ extern struct config_sesman* g_cfg; /* in sesman.c */ /******************************************************************************/ /* returns boolean */ long DEFAULT_CC -auth_userpass(char* user, char* pass) +auth_userpass(char *user, char *pass, int *errorcode) { int ret = auth_userokay(user, NULL, "auth-xrdp", pass); return ret; @@ -86,6 +86,12 @@ auth_change_pwd(char* user, char* newpwd) return 0; } +int DEFAULT_CC +auth_stop_session(long in_val) +{ + return 0; +} + /** * * @brief Password encryption From 5a8bf87c7fe4911335a81b3ace83f35ada4fdc7d Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Fri, 21 Nov 2014 20:49:01 -0800 Subject: [PATCH 6/9] common: tls, fix for pending reads --- common/trans.c | 43 +++++++++++++++++++++++++++++++++---------- common/trans.h | 17 +++++++++++++---- common/xrdp_tls.c | 28 ++++++++++++++++++++++++++-- 3 files changed, 72 insertions(+), 16 deletions(-) diff --git a/common/trans.c b/common/trans.c index 5503ea61..5f435bcd 100644 --- a/common/trans.c +++ b/common/trans.c @@ -45,6 +45,17 @@ trans_tls_send(struct trans *self, const void *data, int len) return xrdp_tls_write(self->tls, data, len); } +/*****************************************************************************/ +int APP_CC +trans_tls_can_recv(struct trans *self, int sck, int millis) +{ + if (self->tls == NULL) + { + return 1; + } + return xrdp_tls_can_recv(self->tls, sck, millis); +} + /*****************************************************************************/ int APP_CC trans_tcp_recv(struct trans *self, void *ptr, int len) @@ -59,6 +70,13 @@ trans_tcp_send(struct trans *self, const void *data, int len) return g_tcp_send(self->sck, data, len, 0); } +/*****************************************************************************/ +int APP_CC +trans_tcp_can_recv(struct trans *self, int sck, int millis) +{ + return g_tcp_can_recv(sck, millis); +} + /*****************************************************************************/ struct trans * APP_CC @@ -79,6 +97,7 @@ trans_create(int mode, int in_size, int out_size) /* assign tcp calls by default */ self->trans_recv = trans_tcp_recv; self->trans_send = trans_tcp_send; + self->trans_can_recv = trans_tcp_can_recv; } return self; @@ -133,6 +152,16 @@ trans_get_wait_objs(struct trans *self, tbus *objs, int *count) objs[*count] = self->sck; (*count)++; + + if (self->tls != 0) + { + if (self->tls->rwo != 0) + { + objs[*count] = self->tls->rwo; + (*count)++; + } + } + return 0; } @@ -141,19 +170,11 @@ int APP_CC trans_get_wait_objs_rw(struct trans *self, tbus *robjs, int *rcount, tbus *wobjs, int *wcount) { - if (self == 0) + if (trans_get_wait_objs(self, robjs, rcount) != 0) { return 1; } - if (self->status != TRANS_STATUS_UP) - { - return 1; - } - - robjs[*rcount] = self->sck; - (*rcount)++; - if (self->wait_s != 0) { wobjs[*wcount] = self->sck; @@ -288,7 +309,7 @@ trans_check_wait_objs(struct trans *self) } else /* connected server or client (2 or 3) */ { - if (g_tcp_can_recv(self->sck, 0)) + if (self->trans_can_recv(self, self->sck, 0)) { read_so_far = (int) (self->in_s->end - self->in_s->data); to_read = self->header_size - read_so_far; @@ -716,6 +737,7 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert) /* assign tls functions */ self->trans_recv = trans_tls_recv; self->trans_send = trans_tls_send; + self->trans_can_recv = trans_tls_can_recv; return 0; } @@ -732,6 +754,7 @@ trans_shutdown_tls_mode(struct trans *self) /* assign callback back to tcp cal */ self->trans_recv = trans_tcp_recv; self->trans_send = trans_tcp_send; + self->trans_can_recv = trans_tcp_can_recv; return 0; } diff --git a/common/trans.h b/common/trans.h index a169e9cb..fbf08f01 100644 --- a/common/trans.h +++ b/common/trans.h @@ -41,8 +41,9 @@ typedef int (DEFAULT_CC *ttrans_data_in)(struct trans* self); typedef int (DEFAULT_CC *ttrans_conn_in)(struct trans* self, struct trans* new_self); typedef int (DEFAULT_CC *tis_term)(void); -typedef int (APP_CC *trans_recv) (struct trans *self, void *ptr, int len); -typedef int (APP_CC *trans_send) (struct trans *self, const void *data, int len); +typedef int (APP_CC *trans_recv_proc) (struct trans *self, void *ptr, int len); +typedef int (APP_CC *trans_send_proc) (struct trans *self, const void *data, int len); +typedef int (APP_CC *trans_can_recv_proc) (struct trans *self, int sck, int millis); struct trans { @@ -64,8 +65,9 @@ struct trans int no_stream_init_on_data_in; int extra_flags; /* user defined */ struct xrdp_tls *tls; - trans_recv trans_recv; - trans_send trans_send; + trans_recv_proc trans_recv; + trans_send_proc trans_send; + trans_can_recv_proc trans_can_recv; }; /* xrdp_tls */ @@ -76,6 +78,7 @@ struct xrdp_tls char *cert; char *key; struct trans *trans; + tintptr rwo; /* wait obj */ }; /* xrdp_tls.c */ @@ -87,6 +90,12 @@ int APP_CC xrdp_tls_disconnect(struct xrdp_tls *self); void APP_CC xrdp_tls_delete(struct xrdp_tls *self); +int APP_CC +xrdp_tls_read(struct xrdp_tls *tls, char *data, int length); +int APP_CC +xrdp_tls_write(struct xrdp_tls *tls, const char *data, int length); +int APP_CC +xrdp_tls_can_recv(struct xrdp_tls *tls, int sck, int millis); struct trans* APP_CC trans_create(int mode, int in_size, int out_size); diff --git a/common/xrdp_tls.c b/common/xrdp_tls.c index 28f1af55..3c74c47a 100644 --- a/common/xrdp_tls.c +++ b/common/xrdp_tls.c @@ -35,13 +35,18 @@ APP_CC xrdp_tls_create(struct trans *trans, const char *key, const char *cert) { struct xrdp_tls *self; - self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1); + int pid; + char buf[1024]; + self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1); if (self != NULL) { self->trans = trans; self->cert = (char *) cert; self->key = (char *) key; + pid = g_getpid(); + g_snprintf(buf, 1024, "xrdp_%8.8x_tls_rwo", pid); + self->rwo = g_create_wait_obj(buf); } return self; @@ -211,6 +216,8 @@ xrdp_tls_delete(struct xrdp_tls *self) if (self->ctx) SSL_CTX_free(self->ctx); + g_delete_wait_obj(self->rwo); + g_free(self); } } @@ -238,11 +245,16 @@ xrdp_tls_read(struct xrdp_tls *tls, char *data, int length) break; } + if (SSL_pending(tls->ssl) > 0) + { + g_set_wait_obj(tls->rwo); + } + return status; } /*****************************************************************************/ int APP_CC -xrdp_tls_write(struct xrdp_tls *tls, char *data, int length) +xrdp_tls_write(struct xrdp_tls *tls, const char *data, int length) { int status; @@ -266,4 +278,16 @@ xrdp_tls_write(struct xrdp_tls *tls, char *data, int length) return status; } +/*****************************************************************************/ +/* returns boolean */ +int APP_CC +xrdp_tls_can_recv(struct xrdp_tls *tls, int sck, int millis) +{ + if (SSL_pending(tls->ssl) > 0) + { + return 1; + } + g_reset_wait_obj(tls->rwo); + return g_tcp_can_recv(sck, millis); +} From cb4f2998992d1d39fa4629c2187832249c0a5932 Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Sat, 22 Nov 2014 23:17:00 -0800 Subject: [PATCH 7/9] sesman: fix for --enable-nopam --- sesman/verify_user.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sesman/verify_user.c b/sesman/verify_user.c index 49c475c6..9dc77efc 100644 --- a/sesman/verify_user.c +++ b/sesman/verify_user.c @@ -101,6 +101,14 @@ auth_start_session(long in_val, int in_display) return 0; } +/******************************************************************************/ +/* returns error */ +int DEFAULT_CC +auth_stop_session(long in_val) +{ + return 0; +} + /******************************************************************************/ int DEFAULT_CC auth_end(long in_val) From 47de7a67f6c82794bb3d1c624c34df35c4e0bb90 Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Mon, 24 Nov 2014 09:23:48 -0800 Subject: [PATCH 8/9] sesman: verify_user_bsd.c license change and indent --- sesman/verify_user_bsd.c | 57 ++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/sesman/verify_user_bsd.c b/sesman/verify_user_bsd.c index ef35037f..5d9d0e23 100644 --- a/sesman/verify_user_bsd.c +++ b/sesman/verify_user_bsd.c @@ -1,21 +1,20 @@ -/* - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - - xrdp: A Remote Desktop Protocol server. - Copyright (C) Jay Sorg 2005-2008 -*/ +/** + * xrdp: A Remote Desktop Protocol server. + * + * Copyright (C) Jay Sorg 2005-2014 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ /** * @@ -47,8 +46,8 @@ extern struct config_sesman* g_cfg; /* in sesman.c */ long DEFAULT_CC auth_userpass(char *user, char *pass, int *errorcode) { - int ret = auth_userokay(user, NULL, "auth-xrdp", pass); - return ret; + int ret = auth_userokay(user, NULL, "auth-xrdp", pass); + return ret; } /******************************************************************************/ @@ -56,40 +55,40 @@ auth_userpass(char *user, char *pass, int *errorcode) int DEFAULT_CC auth_start_session(long in_val, int in_display) { - return 0; + return 0; } /******************************************************************************/ int DEFAULT_CC auth_end(long in_val) { - return 0; + return 0; } /******************************************************************************/ int DEFAULT_CC auth_set_env(long in_val) { - return 0; + return 0; } /******************************************************************************/ int DEFAULT_CC auth_check_pwd_chg(char* user) { - return 0; + return 0; } int DEFAULT_CC auth_change_pwd(char* user, char* newpwd) { - return 0; + return 0; } -int DEFAULT_CC +int DEFAULT_CC auth_stop_session(long in_val) { - return 0; + return 0; } /** @@ -104,7 +103,7 @@ auth_stop_session(long in_val) static int DEFAULT_CC auth_crypt_pwd(char* pwd, char* pln, char* crp) { - return 0; + return 0; } /** @@ -115,5 +114,5 @@ auth_crypt_pwd(char* pwd, char* pln, char* crp) static int DEFAULT_CC auth_account_disabled(struct spwd* stp) { - return 0; + return 0; } From cc0406dddffaebf7e37e939ac26e3bdfe08cc0ed Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Tue, 25 Nov 2014 18:55:37 -0800 Subject: [PATCH 9/9] common: move tls calls to ssl_calls --- common/Makefile.am | 3 +- common/ssl_calls.c | 270 +++++++++++++++++++++++++++++++++++++++++ common/ssl_calls.h | 28 +++++ common/trans.c | 19 +-- common/trans.h | 29 +---- common/xrdp_tls.c | 293 --------------------------------------------- 6 files changed, 310 insertions(+), 332 deletions(-) delete mode 100644 common/xrdp_tls.c diff --git a/common/Makefile.am b/common/Makefile.am index 9feac9fb..8c7aa62c 100644 --- a/common/Makefile.am +++ b/common/Makefile.am @@ -39,8 +39,7 @@ libcommon_la_SOURCES = \ os_calls.c \ ssl_calls.c \ thread_calls.c \ - trans.c \ - xrdp_tls.c + trans.c libcommon_la_LIBADD = \ -lcrypto \ diff --git a/common/ssl_calls.c b/common/ssl_calls.c index 134f5afd..966bbb15 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -2,6 +2,7 @@ * xrdp: A Remote Desktop Protocol server. * * Copyright (C) Jay Sorg 2004-2014 + * Copyright (C) Idan Freiberg 2013-2014 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,6 +32,7 @@ #include "os_calls.h" #include "arch.h" #include "ssl_calls.h" +#include "trans.h" #if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090800f) #undef OLD_RSA_GEN1 @@ -524,3 +526,271 @@ ssl_gen_key_xrdp1(int key_size_in_bits, char *exp, int exp_len, return error; } #endif + +/*****************************************************************************/ +struct ssl_tls * +APP_CC +ssl_tls_create(struct trans *trans, const char *key, const char *cert) +{ + struct ssl_tls *self; + int pid; + char buf[1024]; + + self = (struct ssl_tls *) g_malloc(sizeof(struct ssl_tls), 1); + if (self != NULL) + { + self->trans = trans; + self->cert = (char *) cert; + self->key = (char *) key; + pid = g_getpid(); + g_snprintf(buf, 1024, "xrdp_%8.8x_tls_rwo", pid); + self->rwo = g_create_wait_obj(buf); + } + + return self; +} + +/*****************************************************************************/ +int APP_CC +ssl_tls_print_error(char *func, SSL *connection, int value) +{ + switch (SSL_get_error(connection, value)) + { + case SSL_ERROR_ZERO_RETURN: + g_writeln("ssl_tls_print_error: %s: Server closed TLS connection", + func); + return 1; + + case SSL_ERROR_WANT_READ: + g_writeln("ssl_tls_print_error: SSL_ERROR_WANT_READ"); + return 0; + + case SSL_ERROR_WANT_WRITE: + g_writeln("ssl_tls_print_error: SSL_ERROR_WANT_WRITE"); + return 0; + + case SSL_ERROR_SYSCALL: + g_writeln("ssl_tls_print_error: %s: I/O error", func); + return 1; + + case SSL_ERROR_SSL: + g_writeln("ssl_tls_print_error: %s: Failure in SSL library (protocol error?)", + func); + return 1; + + default: + g_writeln("ssl_tls_print_error: %s: Unknown error", func); + return 1; + } +} + +/*****************************************************************************/ +int APP_CC +ssl_tls_accept(struct ssl_tls *self) +{ + int connection_status; + long options = 0; + + /** + * SSL_OP_NO_SSLv2: + * + * We only want SSLv3 and TLSv1, so disable SSLv2. + * SSLv3 is used by, eg. Microsoft RDC for Mac OS X. + */ + options |= SSL_OP_NO_SSLv2; + +#if defined(SSL_OP_NO_COMPRESSION) + /** + * SSL_OP_NO_COMPRESSION: + * + * The Microsoft RDP server does not advertise support + * for TLS compression, but alternative servers may support it. + * This was observed between early versions of the FreeRDP server + * and the FreeRDP client, and caused major performance issues, + * which is why we're disabling it. + */ + options |= SSL_OP_NO_COMPRESSION; +#endif + + /** + * SSL_OP_TLS_BLOCK_PADDING_BUG: + * + * The Microsoft RDP server does *not* support TLS padding. + * It absolutely needs to be disabled otherwise it won't work. + */ + options |= SSL_OP_TLS_BLOCK_PADDING_BUG; + + /** + * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: + * + * Just like TLS padding, the Microsoft RDP server does not + * support empty fragments. This needs to be disabled. + */ + options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + + self->ctx = SSL_CTX_new(SSLv23_server_method()); + /* set context options */ + SSL_CTX_set_mode(self->ctx, + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_options(self->ctx, options); + SSL_CTX_set_read_ahead(self->ctx, 1); + + if (self->ctx == NULL) + { + g_writeln("ssl_tls_accept: SSL_CTX_new failed"); + return 1; + } + + if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM) + <= 0) + { + g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed"); + return 1; + } + + self->ssl = SSL_new(self->ctx); + + if (self->ssl == NULL) + { + g_writeln("ssl_tls_accept: SSL_new failed"); + return 1; + } + + if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) + { + g_writeln("ssl_tls_accept: SSL_use_certificate_file failed"); + return 1; + } + + if (SSL_set_fd(self->ssl, self->trans->sck) < 1) + { + g_writeln("ssl_tls_accept: SSL_set_fd failed"); + return 1; + } + + connection_status = SSL_accept(self->ssl); + + if (connection_status <= 0) + { + if (ssl_tls_print_error("SSL_accept", self->ssl, connection_status)) + { + return 1; + } + } + + g_writeln("ssl_tls_accept: TLS connection accepted"); + + return 0; +} + +/*****************************************************************************/ +int APP_CC +ssl_tls_disconnect(struct ssl_tls *self) +{ + int status = SSL_shutdown(self->ssl); + while (status != 1) + { + status = SSL_shutdown(self->ssl); + + if (status <= 0) + { + if (ssl_tls_print_error("SSL_shutdown", self->ssl, status)) + { + return 1; + } + } + } + return 0; +} + +/*****************************************************************************/ +void APP_CC +ssl_tls_delete(struct ssl_tls *self) +{ + if (self != NULL) + { + if (self->ssl) + SSL_free(self->ssl); + + if (self->ctx) + SSL_CTX_free(self->ctx); + + g_delete_wait_obj(self->rwo); + + g_free(self); + } +} + +/*****************************************************************************/ +int APP_CC +ssl_tls_read(struct ssl_tls *tls, char *data, int length) +{ + int status; + + status = SSL_read(tls->ssl, data, length); + + switch (SSL_get_error(tls->ssl, status)) + { + case SSL_ERROR_NONE: + break; + + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + status = 0; + break; + + default: + ssl_tls_print_error("SSL_read", tls->ssl, status); + status = -1; + break; + } + + if (SSL_pending(tls->ssl) > 0) + { + g_set_wait_obj(tls->rwo); + } + + return status; +} + +/*****************************************************************************/ +int APP_CC +ssl_tls_write(struct ssl_tls *tls, const char *data, int length) +{ + int status; + + status = SSL_write(tls->ssl, data, length); + + switch (SSL_get_error(tls->ssl, status)) + { + case SSL_ERROR_NONE: + break; + + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + status = 0; + break; + + default: + ssl_tls_print_error("SSL_write", tls->ssl, status); + status = -1; + break; + } + + return status; +} + +/*****************************************************************************/ +/* returns boolean */ +int APP_CC +ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis) +{ + if (SSL_pending(tls->ssl) > 0) + { + return 1; + } + g_reset_wait_obj(tls->rwo); + return g_tcp_can_recv(sck, millis); +} + diff --git a/common/ssl_calls.h b/common/ssl_calls.h index 40acfb5b..6cfe73a3 100644 --- a/common/ssl_calls.h +++ b/common/ssl_calls.h @@ -2,6 +2,7 @@ * xrdp: A Remote Desktop Protocol server. * * Copyright (C) Jay Sorg 2004-2014 + * Copyright (C) Idan Freiberg 2013-2014 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -80,4 +81,31 @@ int APP_CC ssl_gen_key_xrdp1(int key_size_in_bits, char* exp, int exp_len, char* mod, int mod_len, char* pri, int pri_len); +/* ssl_tls */ +struct ssl_tls +{ + void *ssl; /* SSL * */ + void *ctx; /* SSL_CTX * */ + char *cert; + char *key; + struct trans *trans; + tintptr rwo; /* wait obj */ +}; + +/* xrdp_tls.c */ +struct ssl_tls *APP_CC +ssl_tls_create(struct trans *trans, const char *key, const char *cert); +int APP_CC +ssl_tls_accept(struct ssl_tls *self); +int APP_CC +ssl_tls_disconnect(struct ssl_tls *self); +void APP_CC +ssl_tls_delete(struct ssl_tls *self); +int APP_CC +ssl_tls_read(struct ssl_tls *tls, char *data, int length); +int APP_CC +ssl_tls_write(struct ssl_tls *tls, const char *data, int length); +int APP_CC +ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis); + #endif diff --git a/common/trans.c b/common/trans.c index 5f435bcd..3828a174 100644 --- a/common/trans.c +++ b/common/trans.c @@ -22,6 +22,7 @@ #include "trans.h" #include "arch.h" #include "parse.h" +#include "ssl_calls.h" /*****************************************************************************/ int APP_CC @@ -31,7 +32,7 @@ trans_tls_recv(struct trans *self, void *ptr, int len) { return 1; } - return xrdp_tls_read(self->tls, ptr, len); + return ssl_tls_read(self->tls, ptr, len); } /*****************************************************************************/ @@ -42,7 +43,7 @@ trans_tls_send(struct trans *self, const void *data, int len) { return 1; } - return xrdp_tls_write(self->tls, data, len); + return ssl_tls_write(self->tls, data, len); } /*****************************************************************************/ @@ -53,7 +54,7 @@ trans_tls_can_recv(struct trans *self, int sck, int millis) { return 1; } - return xrdp_tls_can_recv(self->tls, sck, millis); + return ssl_tls_can_recv(self->tls, sck, millis); } /*****************************************************************************/ @@ -130,7 +131,7 @@ trans_delete(struct trans *self) if (self->tls != 0) { - xrdp_tls_delete(self->tls); + ssl_tls_delete(self->tls); } g_free(self); @@ -721,16 +722,16 @@ trans_get_out_s(struct trans *self, int size) int APP_CC trans_set_tls_mode(struct trans *self, const char *key, const char *cert) { - self->tls = xrdp_tls_create(self, key, cert); + self->tls = ssl_tls_create(self, key, cert); if (self->tls == NULL) { - g_writeln("trans_set_tls_mode: xrdp_tls_create malloc error"); + g_writeln("trans_set_tls_mode: ssl_tls_create malloc error"); return 1; } - if (xrdp_tls_accept(self->tls) != 0) + if (ssl_tls_accept(self->tls) != 0) { - g_writeln("trans_set_tls_mode: xrdp_tls_accept failed"); + g_writeln("trans_set_tls_mode: ssl_tls_accept failed"); return 1; } @@ -748,7 +749,7 @@ trans_shutdown_tls_mode(struct trans *self) { if (self->tls != NULL) { - return xrdp_tls_disconnect(self->tls); + return ssl_tls_disconnect(self->tls); } /* assign callback back to tcp cal */ diff --git a/common/trans.h b/common/trans.h index fbf08f01..c2a10762 100644 --- a/common/trans.h +++ b/common/trans.h @@ -64,39 +64,12 @@ struct trans char port[256]; int no_stream_init_on_data_in; int extra_flags; /* user defined */ - struct xrdp_tls *tls; + struct ssl_tls *tls; trans_recv_proc trans_recv; trans_send_proc trans_send; trans_can_recv_proc trans_can_recv; }; -/* xrdp_tls */ -struct xrdp_tls -{ - void *ssl; /* SSL * */ - void *ctx; /* SSL_CTX * */ - char *cert; - char *key; - struct trans *trans; - tintptr rwo; /* wait obj */ -}; - -/* xrdp_tls.c */ -struct xrdp_tls *APP_CC -xrdp_tls_create(struct trans *trans, const char *key, const char *cert); -int APP_CC -xrdp_tls_accept(struct xrdp_tls *self); -int APP_CC -xrdp_tls_disconnect(struct xrdp_tls *self); -void APP_CC -xrdp_tls_delete(struct xrdp_tls *self); -int APP_CC -xrdp_tls_read(struct xrdp_tls *tls, char *data, int length); -int APP_CC -xrdp_tls_write(struct xrdp_tls *tls, const char *data, int length); -int APP_CC -xrdp_tls_can_recv(struct xrdp_tls *tls, int sck, int millis); - struct trans* APP_CC trans_create(int mode, int in_size, int out_size); void APP_CC diff --git a/common/xrdp_tls.c b/common/xrdp_tls.c deleted file mode 100644 index 3c74c47a..00000000 --- a/common/xrdp_tls.c +++ /dev/null @@ -1,293 +0,0 @@ -/** - * xrdp: A Remote Desktop Protocol server. - * - * Copyright (C) Idan Freiberg 2013-2014 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * transport layer security - */ - - -#include -#include -#include -#include - -#include "os_calls.h" -#include "trans.h" -#include "ssl_calls.h" - - -/*****************************************************************************/ -struct xrdp_tls * -APP_CC -xrdp_tls_create(struct trans *trans, const char *key, const char *cert) -{ - struct xrdp_tls *self; - int pid; - char buf[1024]; - - self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1); - if (self != NULL) - { - self->trans = trans; - self->cert = (char *) cert; - self->key = (char *) key; - pid = g_getpid(); - g_snprintf(buf, 1024, "xrdp_%8.8x_tls_rwo", pid); - self->rwo = g_create_wait_obj(buf); - } - - return self; -} - -/*****************************************************************************/ -int APP_CC -xrdp_tls_print_error(char *func, SSL *connection, int value) -{ - switch (SSL_get_error(connection, value)) - { - case SSL_ERROR_ZERO_RETURN: - g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection", - func); - return 1; - - case SSL_ERROR_WANT_READ: - g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ"); - return 0; - - case SSL_ERROR_WANT_WRITE: - g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE"); - return 0; - - case SSL_ERROR_SYSCALL: - g_writeln("xrdp_tls_print_error: %s: I/O error", func); - return 1; - - case SSL_ERROR_SSL: - g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)", - func); - return 1; - - default: - g_writeln("xrdp_tls_print_error: %s: Unknown error", func); - return 1; - } -} - -/*****************************************************************************/ -int APP_CC -xrdp_tls_accept(struct xrdp_tls *self) -{ - int connection_status; - long options = 0; - - /** - * SSL_OP_NO_SSLv2: - * - * We only want SSLv3 and TLSv1, so disable SSLv2. - * SSLv3 is used by, eg. Microsoft RDC for Mac OS X. - */ - options |= SSL_OP_NO_SSLv2; - -#if defined(SSL_OP_NO_COMPRESSION) - /** - * SSL_OP_NO_COMPRESSION: - * - * The Microsoft RDP server does not advertise support - * for TLS compression, but alternative servers may support it. - * This was observed between early versions of the FreeRDP server - * and the FreeRDP client, and caused major performance issues, - * which is why we're disabling it. - */ - options |= SSL_OP_NO_COMPRESSION; -#endif - - /** - * SSL_OP_TLS_BLOCK_PADDING_BUG: - * - * The Microsoft RDP server does *not* support TLS padding. - * It absolutely needs to be disabled otherwise it won't work. - */ - options |= SSL_OP_TLS_BLOCK_PADDING_BUG; - - /** - * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: - * - * Just like TLS padding, the Microsoft RDP server does not - * support empty fragments. This needs to be disabled. - */ - options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - - self->ctx = SSL_CTX_new(SSLv23_server_method()); - /* set context options */ - SSL_CTX_set_mode(self->ctx, - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | - SSL_MODE_ENABLE_PARTIAL_WRITE); - SSL_CTX_set_options(self->ctx, options); - SSL_CTX_set_read_ahead(self->ctx, 1); - - if (self->ctx == NULL) - { - g_writeln("xrdp_tls_accept: SSL_CTX_new failed"); - return 1; - } - - if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM) - <= 0) - { - g_writeln("xrdp_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed"); - return 1; - } - - self->ssl = SSL_new(self->ctx); - - if (self->ssl == NULL) - { - g_writeln("xrdp_tls_accept: SSL_new failed"); - return 1; - } - - if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) - { - g_writeln("xrdp_tls_accept: SSL_use_certificate_file failed"); - return 1; - } - - if (SSL_set_fd(self->ssl, self->trans->sck) < 1) - { - g_writeln("xrdp_tls_accept: SSL_set_fd failed"); - return 1; - } - - connection_status = SSL_accept(self->ssl); - - if (connection_status <= 0) - { - if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status)) - { - return 1; - } - } - - g_writeln("xrdp_tls_accept: TLS connection accepted"); - - return 0; -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_disconnect(struct xrdp_tls *self) -{ - int status = SSL_shutdown(self->ssl); - while (status != 1) - { - status = SSL_shutdown(self->ssl); - - if (status <= 0) - { - if (xrdp_tls_print_error("SSL_shutdown", self->ssl, status)) - { - return 1; - } - } - } - return 0; -} -/*****************************************************************************/ -void APP_CC -xrdp_tls_delete(struct xrdp_tls *self) -{ - if (self != NULL) - { - if (self->ssl) - SSL_free(self->ssl); - - if (self->ctx) - SSL_CTX_free(self->ctx); - - g_delete_wait_obj(self->rwo); - - g_free(self); - } -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_read(struct xrdp_tls *tls, char *data, int length) -{ - int status; - - status = SSL_read(tls->ssl, data, length); - - switch (SSL_get_error(tls->ssl, status)) - { - case SSL_ERROR_NONE: - break; - - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - status = 0; - break; - - default: - xrdp_tls_print_error("SSL_read", tls->ssl, status); - status = -1; - break; - } - - if (SSL_pending(tls->ssl) > 0) - { - g_set_wait_obj(tls->rwo); - } - - return status; -} -/*****************************************************************************/ -int APP_CC -xrdp_tls_write(struct xrdp_tls *tls, const char *data, int length) -{ - int status; - - status = SSL_write(tls->ssl, data, length); - - switch (SSL_get_error(tls->ssl, status)) - { - case SSL_ERROR_NONE: - break; - - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - status = 0; - break; - - default: - xrdp_tls_print_error("SSL_write", tls->ssl, status); - status = -1; - break; - } - - return status; -} -/*****************************************************************************/ -/* returns boolean */ -int APP_CC -xrdp_tls_can_recv(struct xrdp_tls *tls, int sck, int millis) -{ - if (SSL_pending(tls->ssl) > 0) - { - return 1; - } - g_reset_wait_obj(tls->rwo); - return g_tcp_can_recv(sck, millis); -} -