From 8d63c32899ff9972e45cbb19f7aa020da31bbd8e Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Thu, 8 Jun 2017 09:39:07 -0700 Subject: [PATCH] move openssl calls to common/libssl.c, check for defines --- common/ssl_calls.c | 81 +++++++++++++++++++++++++++++++++++++++++++++- common/ssl_calls.h | 9 ++++-- libxrdp/xrdp_rdp.c | 43 ++++-------------------- 3 files changed, 92 insertions(+), 41 deletions(-) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index 0362f668..a741ef92 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -37,6 +37,7 @@ #include "arch.h" #include "ssl_calls.h" #include "trans.h" +#include "log.h" #define SSL_WANT_READ_WRITE_TIMEOUT 100 @@ -829,7 +830,6 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis) return g_sck_can_recv(sck, millis); } - /*****************************************************************************/ const char * ssl_get_version(const struct ssl_st *ssl) @@ -843,3 +843,82 @@ ssl_get_cipher_name(const struct ssl_st *ssl) { return SSL_get_cipher_name(ssl); } + +/*****************************************************************************/ +int +ssl_get_protocols_from_string(const char *str, long *ssl_protocols) +{ + long protocols; + long bad_protocols; + int rv; + + if ((str == NULL) || (ssl_protocols == NULL)) + { + return 1; + } + rv = 0; + protocols = 0; +#if defined(SSL_OP_NO_SSLv3) + protocols |= SSL_OP_NO_SSLv3; +#endif +#if defined(SSL_OP_NO_TLSv1) + protocols |= SSL_OP_NO_TLSv1; +#endif +#if defined(SSL_OP_NO_TLSv1_1) + protocols |= SSL_OP_NO_TLSv1_1; +#endif +#if defined(SSL_OP_NO_TLSv1_2) + protocols |= SSL_OP_NO_TLSv1_2; +#endif + bad_protocols = protocols; + if (g_pos(str, ",TLSv1.2,") >= 0) + { +#if defined(SSL_OP_NO_TLSv1_2) + log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled"); + protocols &= ~SSL_OP_NO_TLSv1_2; +#else + log_message(LOG_LEVEL_DEBUG, "TLSv1.2 not enabled, not available"); + rv |= (1 << 1); +#endif + } + if (g_pos(str, ",TLSv1.1,") >= 0) + { +#if defined(SSL_OP_NO_TLSv1_1) + log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled"); + protocols &= ~SSL_OP_NO_TLSv1_1; +#else + log_message(LOG_LEVEL_DEBUG, "TLSv1.1 not enabled, not available"); + rv |= (1 << 2); +#endif + } + if (g_pos(str, ",TLSv1,") >= 0) + { +#if defined(SSL_OP_NO_TLSv1) + log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled"); + protocols &= ~SSL_OP_NO_TLSv1; +#else + log_message(LOG_LEVEL_DEBUG, "TLSv1 not enabled, not available"); + rv |= (1 << 3); +#endif + } + if (g_pos(str, ",SSLv3,") >= 0) + { +#if defined(SSL_OP_NO_SSLv3) + log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled"); + protocols &= ~SSL_OP_NO_SSLv3; +#else + log_message(LOG_LEVEL_DEBUG, "SSLv3 not enabled, not available"); + rv |= (1 << 4); +#endif + } + if (protocols == bad_protocols) + { + log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. " + "At least one protocol should be enabled to accept " + "TLS connections."); + rv |= (1 << 5); + } + *ssl_protocols = protocols; + return rv; +} + diff --git a/common/ssl_calls.h b/common/ssl_calls.h index 4c069cb0..dc60a23e 100644 --- a/common/ssl_calls.h +++ b/common/ssl_calls.h @@ -108,8 +108,11 @@ int ssl_tls_write(struct ssl_tls *tls, const char *data, int length); int ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis); - -const char *ssl_get_version(const struct ssl_st *ssl); -const char *ssl_get_cipher_name(const struct ssl_st *ssl); +const char * +ssl_get_version(const struct ssl_st *ssl); +const char * +ssl_get_cipher_name(const struct ssl_st *ssl); +int +ssl_get_protocols_from_string(const char *str, long *ssl_protocols); #endif diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c index ea3f446e..099cec47 100644 --- a/libxrdp/xrdp_rdp.c +++ b/libxrdp/xrdp_rdp.c @@ -22,9 +22,9 @@ #include #endif -#include #include "libxrdp.h" #include "log.h" +#include "ssl_calls.h" #if defined(XRDP_NEUTRINORDP) #include @@ -49,7 +49,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info) char *item = NULL; char *value = NULL; char cfg_file[256]; - char *p = NULL; + int pos; char *tmp = NULL; int tmp_length = 0; @@ -174,44 +174,13 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info) tmp_length = g_strlen(value) + 3; tmp = g_new(char, tmp_length); g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ","); + /* replace all spaces with comma */ /* to accept space after comma */ - while ((p = (char *) g_strchr(tmp, ' ')) != NULL) + while ((pos = g_pos(tmp, " ")) != -1) { - *p = ','; - } - - /* disable all protocols first, enable later */ - client_info->ssl_protocols = - SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; - - if (g_pos(tmp, ",TLSv1.2,") >= 0) - { - log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled"); - client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2; - } - if (g_pos(tmp, ",TLSv1.1,") >= 0) - { - log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled"); - client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1; - } - if (g_pos(tmp, ",TLSv1,") >= 0) - { - log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled"); - client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1; - } - if (g_pos(tmp, ",SSLv3,") >= 0) - { - log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled"); - client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3; - } - - if (client_info->ssl_protocols == - (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)) - { - log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. " - "At least one protocol should be enabled to accept " - "TLS connections."); + tmp[pos] = ','; } + ssl_get_protocols_from_string(tmp, &(client_info->ssl_protocols)); g_free(tmp); } else if (g_strcasecmp(item, "tls_ciphers") == 0)