libxrdp: started adding TLS support

11 years ago · f0b6c6b1d1
parent 5fcf6beffa
commit f0b6c6b1d1
8 changed files with 302 additions and 4 deletions
--- a/common/trans.c
+++ b/common/trans.c
@ -38,6 +38,8 @@ trans_create(int mode, int in_size, int out_size)
        make_stream(self->out_s);
        init_stream(self->out_s, out_size);
        self->mode = mode;
+        self->do_tls = 0; /* default simple tcp layer */
+        self->tls = 0;
    }

    return self;
@ -248,7 +250,7 @@ trans_check_wait_objs(struct trans *self)

            if (to_read > 0)
            {
-                read_bytes = g_tcp_recv(self->sck, self->in_s->end, to_read, 0);
+				read_bytes = g_tcp_recv(self->sck, self->in_s->end, to_read, 0);

                if (read_bytes == -1)
                {
@ -318,7 +320,9 @@ trans_force_read_s(struct trans *self, struct stream *in_s, int size)
        {
            return 1;
        }
+
        rcvd = g_tcp_recv(self->sck, in_s->end, size, 0);
+
        if (rcvd == -1)
        {
            if (g_tcp_last_error_would_block(self->sck))
@ -391,7 +395,7 @@ trans_force_write_s(struct trans *self, struct stream *out_s)

    while (total < size)
    {
-        sent = g_tcp_send(self->sck, out_s->data + total, size - total, 0);
+		sent = g_tcp_send(self->sck, out_s->data + total, size - total, 0);

        if (sent == -1)
        {
--- a/common/trans.h
+++ b/common/trans.h
@ -60,6 +60,8 @@ struct trans
    char port[256];
    int no_stream_init_on_data_in;
    int extra_flags; /* user defined */
+    int do_tls; /* 0 - tcp, 1 - tls */
+    struct xrdp_tls *tls;
 };

 struct trans* APP_CC
--- a/libxrdp/Makefile.am
+++ b/libxrdp/Makefile.am
@ -61,7 +61,8 @@ libxrdp_la_SOURCES = \
  xrdp_orders_rail.c \
  xrdp_mppc_enc.c \
  xrdp_fastpath.c \
-  xrdp_caps.c
+  xrdp_caps.c \
+  xrdp_tls.c

 libxrdp_la_LDFLAGS = \
  $(EXTRA_FLAGS)
--- a/libxrdp/libxrdp.c
+++ b/libxrdp/libxrdp.c
@ -141,7 +141,11 @@ libxrdp_force_read(struct trans* trans)

    s = trans->in_s;
    init_stream(s, 32 * 1024);
-    if (trans_force_read(trans, 4) != 0)
+    if (trans->do_tls)
+    {
+    	/*TLS*/
+    }
+    else if (trans_force_read(trans, 4) != 0) /*TCP*/
    {
        g_writeln("libxrdp_force_read: error");
        return 0;
--- a/libxrdp/libxrdp.h
+++ b/libxrdp/libxrdp.h
@ -36,6 +36,7 @@
 #include "libxrdpinc.h"
 #include "file_loc.h"
 #include "xrdp_client_info.h"
+#include <openssl/ssl.h>


 /* iso */
@ -131,6 +132,7 @@ struct xrdp_sec
    void *encrypt_fips_info;
    void *decrypt_fips_info;
    void *sign_fips_info;
+    struct xrdp_tls *tls;
 };

 /* channel */
@ -290,6 +292,30 @@ struct xrdp_mppc_enc
    tui16 *hash_table;
 };

+
+/* xrdp_tls */
+struct xrdp_tls {
+	SSL *ssl;
+	SSL_CTX *ctx;
+	char *cert;
+	char *key;
+	struct trans *trans;
+};
+
+/* xrdp_tls.c */
+struct xrdp_tls *APP_CC
+xrdp_tls_create(struct trans *trans, const char *key, const char *cert);
+int APP_CC
+xrdp_tls_accept(struct xrdp_tls *self);
+int APP_CC
+xrdp_tls_disconnect(struct xrdp_tls *self);
+void APP_CC
+xrdp_tls_delete(struct xrdp_tls *self);
+int APP_CC
+xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length);
+int APP_CC
+xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length);
+
 int APP_CC
 compress_rdp(struct xrdp_mppc_enc *enc, tui8 *srcData, int len);
 struct xrdp_mppc_enc * APP_CC
--- a/libxrdp/xrdp_mcs.c
+++ b/libxrdp/xrdp_mcs.c
@ -755,6 +755,21 @@ xrdp_mcs_incoming(struct xrdp_mcs *self)
        return 1;
    }

+    /* tls */
+    if (PROTOCOL_SSL & self->iso_layer->selectedProtocol)
+    {
+    	g_writeln("xrdp_mcs_incoming: TLS mode!");
+    	self->sec_layer->crypt_level = CRYPT_LEVEL_NONE;
+    	self->sec_layer->crypt_method = CRYPT_METHOD_NONE;
+
+    	if (xrdp_tls_accept(self->sec_layer->tls) != 0)
+    	{
+    		g_writeln("xrdp_mcs_incoming: ssl_tls_accept failed");
+    		return 1;
+    	}
+    	g_writeln("xrdp_mcs_incoming: ssl_tls_accept done!!!!");
+    }
+
    if (xrdp_mcs_recv_connect_initial(self) != 0)
    {
        return 1;
@ -961,6 +976,7 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self)

    if (xrdp_iso_init(self->iso_layer, s) != 0)
    {
+    	xrdp_tls_disconnect(self->sec_layer->tls);
        free_stream(s);
        close_rdp_socket(self);
        DEBUG(("  out xrdp_mcs_disconnect error - 1"));
@ -973,12 +989,14 @@ xrdp_mcs_disconnect(struct xrdp_mcs *self)

    if (xrdp_iso_send(self->iso_layer, s) != 0)
    {
+    	xrdp_tls_disconnect(self->sec_layer->tls);
        free_stream(s);
        close_rdp_socket(self);
        DEBUG(("  out xrdp_mcs_disconnect error - 2"));
        return 1;
    }

+    xrdp_tls_disconnect(self->sec_layer->tls);
    free_stream(s);
    close_rdp_socket(self);
    DEBUG(("xrdp_mcs_disconnect - close sent"));
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@ -276,6 +276,8 @@ xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level,
                                      &(self->server_mcs_data));
    self->fastpath_layer = xrdp_fastpath_create(self, trans);
    self->chan_layer = xrdp_channel_create(self, self->mcs_layer);
+    //TODO: add cert to config
+    self->tls = xrdp_tls_create(trans, "/opt/xrdpdev/etc/xrdp/pkey.pem", "/opt/xrdpdev/etc/xrdp/cert.pem");
    DEBUG((" out xrdp_sec_create"));
    return self;
 }
@ -298,6 +300,7 @@ xrdp_sec_delete(struct xrdp_sec *self)
    ssl_des3_info_delete(self->decrypt_fips_info);
    ssl_des3_info_delete(self->encrypt_fips_info);
    ssl_hmac_info_delete(self->sign_fips_info);
+    xrdp_tls_delete(self->tls);
    g_free(self->client_mcs_data.data);
    g_free(self->server_mcs_data.data);
    /* Crypto information must always be cleared */
@ -2115,6 +2118,7 @@ xrdp_sec_disconnect(struct xrdp_sec *self)
    int rv;

    DEBUG((" in xrdp_sec_disconnect"));
+
    rv = xrdp_mcs_disconnect(self->mcs_layer);
    DEBUG((" out xrdp_sec_disconnect"));
    return rv;
--- a/libxrdp/xrdp_tls.c
+++ b/libxrdp/xrdp_tls.c
@ -0,0 +1,239 @@
+/**
+ * xrdp: A Remote Desktop Protocol server.
+ *
+ * Copyright (C) Idan Freiberg 2013-2014
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * transport layer security
+ */
+
+#include "libxrdp.h"
+
+/*****************************************************************************/
+struct xrdp_tls *APP_CC
+xrdp_tls_create(struct trans *trans, const char *key, const char *cert)
+{
+    struct xrdp_tls *self;
+    self = (struct xrdp_tls *) g_malloc(sizeof(struct xrdp_tls), 1);
+
+    if (self != NULL)
+    {
+		self->trans = trans;
+		self->cert = g_malloc(g_strlen(key) + 1, 1);
+		self->key = g_malloc(g_strlen(cert) + 1, 1);
+		strcpy(self->cert, cert);
+		strcpy(self->key, key);
+    }
+
+    return self;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_accept(struct xrdp_tls *self)
+{
+	int connection_status;
+	long options = 0;
+
+	/**
+	 * SSL_OP_NO_SSLv2:
+	 *
+	 * We only want SSLv3 and TLSv1, so disable SSLv2.
+	 * SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+	 */
+	options |= SSL_OP_NO_SSLv2;
+
+	/**
+	 * SSL_OP_NO_COMPRESSION:
+	 *
+	 * The Microsoft RDP server does not advertise support
+	 * for TLS compression, but alternative servers may support it.
+	 * This was observed between early versions of the FreeRDP server
+	 * and the FreeRDP client, and caused major performance issues,
+	 * which is why we're disabling it.
+	 */
+	options |= SSL_OP_NO_COMPRESSION;
+
+	/**
+	 * SSL_OP_TLS_BLOCK_PADDING_BUG:
+	 *
+	 * The Microsoft RDP server does *not* support TLS padding.
+	 * It absolutely needs to be disabled otherwise it won't work.
+	 */
+	options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
+
+	/**
+	 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
+	 *
+	 * Just like TLS padding, the Microsoft RDP server does not
+	 * support empty fragments. This needs to be disabled.
+	 */
+	options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
+	self->ctx = SSL_CTX_new(SSLv23_server_method());
+	/* set context options */
+	SSL_CTX_set_mode(self->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+	SSL_CTX_set_options(self->ctx, options);
+	SSL_CTX_set_read_ahead(self->ctx, 1);
+
+	if (self->ctx == NULL) {
+		g_writeln("ssl_tls_accept: SSL_CTX_new failed");
+		return 1;
+	}
+
+	if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM)
+			<= 0) {
+		g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed");
+		return 1;
+	}
+
+	self->ssl = SSL_new(self->ctx);
+
+	if (self->ssl == NULL) {
+		g_writeln("ssl_tls_accept: SSL_new failed");
+		return 1;
+	}
+
+	if (SSL_use_certificate_file(self->ssl, self->cert, SSL_FILETYPE_PEM) <= 0) {
+		g_writeln("ssl_tls_accept: SSL_use_certificate_file failed");
+		return 1;
+	}
+
+	if (SSL_set_fd(self->ssl, self->trans->sck) < 1) {
+		g_writeln("ssl_tls_accept: SSL_set_fd failed");
+		return 1;
+	}
+
+	connection_status = SSL_accept(self->ssl);
+
+	if (connection_status <= 0) {
+		if (xrdp_tls_print_error("SSL_accept", self->ssl, connection_status))
+		{
+			return 1;
+		}
+	}
+
+	g_writeln("ssl_tls_accept: TLS connection accepted");
+
+	/* set trans for TLS */
+	self->trans->do_tls = 1; /* TLS layer */
+	self->trans->tls = self; /* owner */
+
+	return 0;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_print_error(char *func, SSL *connection, int value)
+{
+	switch (SSL_get_error(connection, value))
+	{
+		case SSL_ERROR_ZERO_RETURN:
+			g_writeln("xrdp_tls_print_error: %s: Server closed TLS connection", func);
+			return 1;
+
+		case SSL_ERROR_WANT_READ:
+			g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_READ");
+			return 0;
+
+		case SSL_ERROR_WANT_WRITE:
+			g_writeln("xrdp_tls_print_error: SSL_ERROR_WANT_WRITE");
+			return 0;
+
+		case SSL_ERROR_SYSCALL:
+			g_writeln("xrdp_tls_print_error: %s: I/O error", func);
+			return 1;
+
+		case SSL_ERROR_SSL:
+			g_writeln("xrdp_tls_print_error: %s: Failure in SSL library (protocol error?)", func);
+			return 1;
+
+		default:
+			g_writeln("xrdp_tls_print_error: %s: Unknown error", func);
+			return 1;
+	}
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_disconnect(struct xrdp_tls *self)
+{
+	SSL_shutdown(self->ssl);
+	return 0;
+}
+/*****************************************************************************/
+void APP_CC
+xrdp_tls_delete(struct xrdp_tls *self)
+{
+	if (self != NULL)
+	{
+		if (self->ssl)
+			SSL_free(self->ssl);
+
+		if (self->ctx)
+			SSL_CTX_free(self->ctx);
+
+		g_free(self);
+	}
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_read(struct xrdp_tls *tls, unsigned char *data, int length)
+{
+	int status;
+
+	status = SSL_read(tls->ssl, data, length);
+
+	switch (SSL_get_error(tls->ssl, status))
+	{
+		case SSL_ERROR_NONE:
+			break;
+
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			status = 0;
+			break;
+
+		default:
+			xrdp_tls_print_error("SSL_read", tls->ssl, status);
+			status = -1;
+			break;
+	}
+
+	return status;
+}
+/*****************************************************************************/
+int APP_CC
+xrdp_tls_write(struct xrdp_tls *tls, unsigned char *data, int length)
+{
+	int status;
+
+	status = SSL_write(tls->ssl, data, length);
+
+	switch (SSL_get_error(tls->ssl, status))
+	{
+		case SSL_ERROR_NONE:
+			break;
+
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			status = 0;
+			break;
+
+		default:
+			xrdp_tls_print_error("SSL_write", tls->ssl, status);
+			status = -1;
+			break;
+	}
+
+	return status;
+}
+/*****************************************************************************/