diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index b4ef19a8..e0443a3b 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -76,7 +76,11 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
 }
 else if (g_strcasecmp(item, "crypt_level") == 0)
 {
- if (g_strcasecmp(value, "low") == 0)
+ if (g_strcasecmp(value, "none") == 0)
+ {
+ client_info->crypt_level = 0;
+ }
+ else if (g_strcasecmp(value, "low") == 0)
 {
 client_info->crypt_level = 1;
 }
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index faaf9133..c3e2c674 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1779,9 +1779,22 @@ xrdp_sec_process_mcs_data_CS_SECURITY(struct xrdp_sec *self, struct stream* s)
 found = 1;
 }
 }
+ if ((found == 0) &&
+ (self->crypt_level == CRYPT_LEVEL_NONE))
+ {
+ if (crypt_method == CRYPT_METHOD_NONE)
+ {
+ g_writeln(" client and server support none crypt, using "
+ "none crypt");
+ self->crypt_method = CRYPT_METHOD_NONE;
+ self->crypt_level = CRYPT_LEVEL_NONE;
+ found = 1;
+ }
+ }
 if (found == 0)
 {
- g_writeln(" no security");
+ g_writeln(" can not find client / server agreed encryption method");
+ return 1;
 }
 return 0;
 }
@@ -2069,6 +2082,10 @@ xrdp_sec_init_rdp_security(struct xrdp_sec *self)
 {
 switch (self->rdp_layer->client_info.crypt_level)
 {
+ case 0: /* none */
+ self->crypt_method = CRYPT_METHOD_NONE;
+ self->crypt_level = CRYPT_LEVEL_NONE;
+ break;
 case 1: /* low */
 self->crypt_method = CRYPT_METHOD_40BIT;
 self->crypt_level = CRYPT_LEVEL_LOW;
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index 52a6c7d9..09bb2d5a 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -8,6 +8,8 @@ port=3389
 allow_channels=true
 max_bpp=32
 fork=yes
+# minimum security level allowed for client
+# can be 'none', 'low', 'medium', 'high', 'fips'
 crypt_level=high
 # security layer can be 'tls', 'rdp' or 'negotiate'
 # for client compatible layer
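Review bot: `client_info->crypt_level = 0;` makes 0 mean "none", but 0 is also what the field would hold if the struct is zero-initialised and the `crypt_level` key is missing or misspelled. The initialisation and the end of this `else if` chain are outside the hunk, so that needs confirming. Combined with the new `case 0: /* none */` in `xrdp_sec_init_rdp_security` (third hunk), such a configuration would then select `CRYPT_METHOD_NONE` instead of falling to the switch's default. Assign the value used for 'high' before the item loop so that only an explicit `crypt_level=none` can reach 0, and add a comment on the assignment such as `/* 0 = no RDP encryption, must be chosen explicitly */`.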
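Review bot: The none-crypt branch reports its choice with the same plain `g_writeln` as the encrypted cases, so a session running without RDP-layer encryption is hard to pick out of the log. A distinct line such as `g_writeln("  WARNING: RDP encryption is disabled for this session (crypt_level none)");` would make it easy to find. The inner `self->crypt_level = CRYPT_LEVEL_NONE;` is redundant, because the enclosing `if` already requires that value. The new `return 1;` turns the no-agreement case from success into failure; the caller is outside this hunk and should be checked to confirm it drops the connection on a nonzero return. The function body starts outside the hunk.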
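Review bot: The added comment lists 'none' beside the other levels without saying that it turns RDP-layer encryption off, so an administrator could pick it without seeing the consequence. Suggest a third comment line, `# 'none' disables RDP encryption; do not use on untrusted networks`. The wording "minimum security level allowed" should also be checked against the xrdp_sec.c hunk, where 'none' appears to be accepted only when the client advertises no encryption method.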