move openssl calls to common/libssl.c, check for defines

7 years ago · 8d63c32899
parent 5def0596e0
commit 8d63c32899
3 changed files with 92 additions and 41 deletions
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@ -37,6 +37,7 @@
 #include "arch.h"
 #include "ssl_calls.h"
 #include "trans.h"
+#include "log.h"

 #define SSL_WANT_READ_WRITE_TIMEOUT 100

@ -829,7 +830,6 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
    return g_sck_can_recv(sck, millis);
 }

-
 /*****************************************************************************/
 const char *
 ssl_get_version(const struct ssl_st *ssl)
@ -843,3 +843,82 @@ ssl_get_cipher_name(const struct ssl_st *ssl)
 {
    return SSL_get_cipher_name(ssl);
 }
+
+/*****************************************************************************/
+int
+ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
+{
+    long protocols;
+    long bad_protocols;
+    int rv;
+
+    if ((str == NULL) || (ssl_protocols == NULL))
+    {
+        return 1;
+    }
+    rv = 0;
+    protocols = 0;
+#if defined(SSL_OP_NO_SSLv3)
+    protocols |= SSL_OP_NO_SSLv3;
+#endif
+#if defined(SSL_OP_NO_TLSv1)
+    protocols |= SSL_OP_NO_TLSv1;
+#endif
+#if defined(SSL_OP_NO_TLSv1_1)
+    protocols |= SSL_OP_NO_TLSv1_1;
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+    protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+    bad_protocols = protocols;
+    if (g_pos(str, ",TLSv1.2,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_2)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_2;
+#else
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.2 not enabled, not available");
+        rv |= (1 << 1);
+#endif
+    }
+    if (g_pos(str, ",TLSv1.1,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_1)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_1;
+#else
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.1 not enabled, not available");
+        rv |= (1 << 2);
+#endif
+    }
+    if (g_pos(str, ",TLSv1,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1;
+#else
+        log_message(LOG_LEVEL_DEBUG, "TLSv1 not enabled, not available");
+        rv |= (1 << 3);
+#endif
+    }
+    if (g_pos(str, ",SSLv3,") >= 0)
+    {
+#if defined(SSL_OP_NO_SSLv3)
+        log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
+        protocols &= ~SSL_OP_NO_SSLv3;
+#else
+        log_message(LOG_LEVEL_DEBUG, "SSLv3 not enabled, not available");
+        rv |= (1 << 4);
+#endif
+    }
+    if (protocols == bad_protocols)
+    {
+        log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
+                    "At least one protocol should be enabled to accept "
+                    "TLS connections.");
+        rv |= (1 << 5);
+    }
+    *ssl_protocols = protocols;
+    return rv;
+}
+
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@ -108,8 +108,11 @@ int
 ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
 int
 ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
-
-const char *ssl_get_version(const struct ssl_st *ssl);
-const char *ssl_get_cipher_name(const struct ssl_st *ssl);
+const char *
+ssl_get_version(const struct ssl_st *ssl);
+const char *
+ssl_get_cipher_name(const struct ssl_st *ssl);
+int
+ssl_get_protocols_from_string(const char *str, long *ssl_protocols);

 #endif
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@ -22,9 +22,9 @@
 #include <config_ac.h>
 #endif

-#include <openssl/ssl.h>
 #include "libxrdp.h"
 #include "log.h"
+#include "ssl_calls.h"

 #if defined(XRDP_NEUTRINORDP)
 #include <freerdp/codec/rfx.h>
@ -49,7 +49,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
    char *item = NULL;
    char *value = NULL;
    char cfg_file[256];
-    char *p = NULL;
+    int pos;
    char *tmp = NULL;
    int tmp_length = 0;

@ -174,44 +174,13 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
            tmp_length = g_strlen(value) + 3;
            tmp = g_new(char, tmp_length);
            g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
+            /* replace all spaces with comma */
            /* to accept space after comma */
-            while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
+            while ((pos = g_pos(tmp, " ")) != -1)
            {
-                *p = ',';
-            }
-
-            /* disable all protocols first, enable later */
-            client_info->ssl_protocols =
-                SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
-
-            if (g_pos(tmp, ",TLSv1.2,") >= 0)
-            {
-                log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
-                client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
-            }
-            if (g_pos(tmp, ",TLSv1.1,") >= 0)
-            {
-                log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
-                client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
-            }
-            if (g_pos(tmp, ",TLSv1,") >= 0)
-            {
-                log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
-                client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
-            }
-            if (g_pos(tmp, ",SSLv3,") >= 0)
-            {
-                log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
-                client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
-            }
-
-            if (client_info->ssl_protocols ==
-                (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2))
-            {
-                log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
-                            "At least one protocol should be enabled to accept "
-                            "TLS connections.");
+                tmp[pos] = ',';
            }
+            ssl_get_protocols_from_string(tmp, &(client_info->ssl_protocols));
            g_free(tmp);
        }
        else if (g_strcasecmp(item, "tls_ciphers") == 0)