Enrico Tagliavini
70b5adb396
add support for DHE ciphers via compiled in dhparam
...
make it possible to use regular (non EC) EDH ciphers. To make this
possible a Diffie-Hellman parameter must be passed to the openssl
library. There are a few options possible as described in the manuals at
[1] and [2]. Simplest approach is to generate a DH parameter using
openssl dhparam -C <lenght> and include the code into the application.
The lenght used for this commit is 2236 bits long, which is the longest
possible without risking backward incompatibilities with old systems as
stated in [1]. Newer systems should use ECDH anyway, so it makes sense
to keep this method as compatible with older system as possible.
Paramters longer than 2048 should still be secure enough at the time of
writing.
[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
7 years ago
Enrico Tagliavini
6cdc0f31b0
enable automatic ECDH when possible (openssl 1.0.2)
...
Openssl 1.1.0 and later are enabling ECDH automatically, but for older
version it must be enabled explicitly or all Perfect Forward Secrecy
ciphers will be silently ignored. See also [1]. This commit applies the
same fix as found in CnetOS 7 httpd package to enable automatic ECDH as
found in [2].
[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch
7 years ago
Koichiro IWAO
793a418cfb
common: log what value is set to tls_ciphers
...
Related to #1033 .
7 years ago
Koichiro IWAO
3da4d72323
common: quit using `!` as comment out symbol in config files
...
It is not used anywhere in default config. Some config like
`tls_ciphers` might contain `!` like this:
tls_ciphers=FIPS:!aNULL:!eNULL
Fixes #1033 .
7 years ago
daixj
31ef2552c4
log: revert permission
7 years ago
daixj
ea6bb62410
log: fix fd checking
7 years ago
daixj
551bb185c5
log: remove unused code and fix potential memory leak
7 years ago
Koichiro IWAO
577bd8214f
common: add more capset constants
...
defined at MS-RDPBCGR 2.2.1.13.1.1.1 [1] and sort
[1] https://msdn.microsoft.com/en-us/library/cc240486.aspx
7 years ago
Koichiro IWAO
77a34e0a7b
common: express capability set constants in hex
...
as same as done in MS-RDPBCGR 2.2.1.13.1.1.1 [1].
[1] https://msdn.microsoft.com/en-us/library/cc240486.aspx
7 years ago
Koichiro IWAO
788ae1467a
xrdp_sec: constify color depth value
7 years ago
Koichiro IWAO
d0c27a2904
common: suppress log when closing log files
...
because if xrdp is running 'fork=yes' mode, the log message
'shutting down log subsystem...' is logged everytime when the child
process is exitting. In other words, everytime when clients are
disconnecting. This is a little bit too vebose.
7 years ago
Koichiro IWAO
3de3a4fab5
common: add more references to constants' origin
...
classify constants into these 5 types
* constants for xrdp
* constants come from ITU-T Recommendations
* constants come from Remote Desktop Protocol
* constants come from other MS products
* unclassified yet
7 years ago
Koichiro IWAO
799c230998
common: add references to constants' origin
7 years ago
Jay Sorg
a9eb21e6d7
common: avoid 100% cpu on ssl accept, can be fake client
7 years ago
Justin Terry (VM)
d7d14d7462
Implements the accept/close logic for vsock
7 years ago
Jay Sorg
bc48578a90
remove crc16.h from common/Makefile.am
7 years ago
Jay Sorg
54285d26dd
remove empty crc16.h file
7 years ago
Jay Sorg
285465a1f5
common, return -1 for bad socket
7 years ago
Jay Sorg
c6c513b23c
use g_memcpy, braces
7 years ago
Jay Sorg
26507644e3
vsock, move some defines
7 years ago
Justin Terry (VM)
50bd624cc4
Implements XRDP over vsock
...
1. Implements the ability to use AV_VSOCK for the transport rather than TCP.
2. Updates the ini file to be able to conditionally turn this feature on.
7 years ago
Koichiro IWAO
a6fd518a48
fix typo s/Roration/Rotation/
7 years ago
Koichiro IWAO
2475893402
Constify extended mouse events
7 years ago
Koichiro IWAO
27aef96e81
Constify mouse event flags, use the MS name for constants
7 years ago
Koichiro IWAO
4a2818e183
Add some more Input Capability Set constants
7 years ago
Koichiro IWAO
2411a0be14
log: add log level TRACE
...
TRACE means more verbose than DEBUG. syslog doesn't have more verbose
level than DEBUG, map TRACE to DEBUG for syslog.
7 years ago
Koichiro IWAO
00bf62bd42
common: prevent raw use of snprintf
7 years ago
Koichiro IWAO
ced3a4817f
xrdp: constify input event type
7 years ago
Koichiro IWAO
f9ab4df7f2
common: fix g_write_ip_address() didn't return correct IP address
...
Fixes : #878 .
7 years ago
Jay Sorg
021a78f4c6
chansrv: sound, use WAVE_FORMAT_AAC not WAVE_FORMAT_AAC_MS
7 years ago
Jay Sorg
bf0d56c314
chansrv: sound, add aac
7 years ago
Koichiro IWAO
4d14f344fd
fix indent, no logic change
7 years ago
Koichiro IWAO
04187945a8
move base64 functions to base64.c
7 years ago
Koichiro IWAO
eae5cdf1fd
pass through except for the first '='
...
if "foo=ba=r" is found in ini files, it should be parsed like this.
key : foo
value : ba=r
7 years ago
Koichiro IWAO
d57e02626d
add base64_decode function
7 years ago
Koichiro IWAO
dbaf23e93b
chansrv: constify wFormatTag
7 years ago
Ian Geiser
324a334315
append a / to ensure the full path is created even when the config variable lacks a trailing /
7 years ago
Koichiro IWAO
aa0721a90e
common: fix more glitches in IPv4 initialization
7 years ago
Ian Geiser
4b87548b71
Use g_create_path instead of g_create_dir
...
Rename g_mk_temp_dir to g_mk_socket_path
7 years ago
Koichiro IWAO
8d5010a202
common: use log_message
7 years ago
Koichiro IWAO
8c74fcb80c
common: fix a glitch with IPv4 struct initialization
...
Pointed out by: andrecbarros
Closes : #803
7 years ago
Koichiro IWAO
aa4b90d250
Change log level DEBUG -> WARNING
...
since unavailability of ssl protocols defined in config file
may weaken security and it is important for users.
7 years ago
Koichiro IWAO
455c341efc
Reword log messages in ssl_get_protocols_from_string()
7 years ago
Jay Sorg
8d63c32899
move openssl calls to common/libssl.c, check for defines
8 years ago
Koichiro IWAO
088bd2d811
common: implement g_file_readable for WIN32
8 years ago
Koichiro IWAO
65c1fe87d7
Log user-friendly message when certificate/privkey is inaccessible
...
We shouldn't assume that xrdp daemon is running under root privilege.
In many cases, root privilege is not really needed for xrdp daemon.
xrdp may fail to load certificate/privkey due to lack of permissions
when running under user privilege. Checking existence of files is not
enough and xrdp should output user-friendly log in such case.
Reported by Debian user in bug 856436 [1].
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856436
8 years ago
Koichiro IWAO
0e7844ab02
Constify MCS connectionType
8 years ago
Koichiro IWAO
c7f8e360fd
common: separate sockets macros into basename and fullpath
...
since sometimes socket directory is obtained from environment variable.
8 years ago
Jay Sorg
2c96908ea5
common: if SSL_shutdown fails, only call one more time
8 years ago
Jay Sorg
75fd3fcf89
common: ssl_tls_write / read return 0 on socket close
8 years ago