Merge pull request #285 from gpatel-fr/master

Add TLS 1.1 and 1.2 support
This commit is contained in:
Alexander Zakharov 2018-10-23 11:53:16 +03:00 committed by GitHub
commit 6a14831965
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 50 additions and 7 deletions


@ -115,6 +115,10 @@ Any subsequential call to the above command line example will make use of the se
connection sharing feature which spawns another notepad in the current connection to the connection sharing feature which spawns another notepad in the current connection to the
specified server and then exit. specified server and then exit.
.TP
.BR "-V <tls version>"
Set the Transport Level Security (also known as SSL) Version used.
Should be one of the following values: 1.0, 1.1, 1.2. If the option is missing 1.0 is assumed.
.TP .TP
.BR "-B" .BR "-B"
Use the BackingStore of the Xserver instead of the integrated one in Use the BackingStore of the Xserver instead of the integrated one in

17
iso.c

@ -32,6 +32,7 @@ extern char *g_sc_csp_name;
extern char *g_sc_reader_name; extern char *g_sc_reader_name;
extern char *g_sc_card_name; extern char *g_sc_card_name;
extern char *g_sc_container_name; extern char *g_sc_container_name;
extern char g_tls_version[];
/* Send a self-contained ISO PDU */ /* Send a self-contained ISO PDU */
@ -211,6 +212,20 @@ iso_recv(RD_BOOL *is_fastpath, uint8 *fastpath_hdr)
return s; return s;
} }
/* try to setup a more helpful error message about TLS */
char *get_credSSP_reason(uint32 neg_proto)
{
static char msg[256];
strcat(msg, "CredSSP required by server");
if ((neg_proto & PROTOCOL_SSL) &&
( (g_tls_version[0] == 0) ||
(strcmp(g_tls_version, "1.2") < 0)))
strcat(msg, " (check if server has disabled old TLS versions, if yes use -V option)");
return msg;
}
/* Establish a connection up to the ISO layer */ /* Establish a connection up to the ISO layer */
RD_BOOL RD_BOOL
iso_connect(char *server, char *username, char *domain, char *password, iso_connect(char *server, char *username, char *domain, char *password,
@ -298,7 +313,7 @@ iso_connect(char *server, char *username, char *domain, char *password,
reason = "SSL required by server"; reason = "SSL required by server";
break; break;
case HYBRID_REQUIRED_BY_SERVER: case HYBRID_REQUIRED_BY_SERVER:
reason = "CredSSP required by server"; reason = get_credSSP_reason(neg_proto);
break; break;
default: default:
reason = "unknown reason"; reason = "unknown reason";
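Review bot: `get_credSSP_reason` appends to a `static char msg[256]` with `strcat` and never resets it, so every call grows the buffer by the full message again; with the two literals here (~96 bytes per call) a third invocation, which looks reachable whenever `iso_connect` is retried, writes past the end of `msg`. Replace the first append with an overwrite, `strcpy(msg, "CredSSP required by server");` (or `msg[0] = '\0';` before it), so each call starts from an empty buffer. Two smaller points: the function is a new global symbol although only this file uses it, so `static char *get_credSSP_reason(uint32 neg_proto)` would keep it out of the link namespace, and `strcmp(g_tls_version, "1.2") < 0` is a lexicographic test that happens to order "1.0"/"1.1" correctly but will misjudge any other string that slips into `g_tls_version`, so a comment such as `/* only "1.0", "1.1", "1.2" are expected here; tcp.c rejects anything else */` would help the next reader. The `iso_connect` switch in the last hunk starts and ends outside the hunk.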


@ -113,6 +113,7 @@ RD_BOOL g_seamless_rdp = False;
RD_BOOL g_use_password_as_pin = False; RD_BOOL g_use_password_as_pin = False;
char g_seamless_shell[512]; char g_seamless_shell[512];
char g_seamless_spawn_cmd[512]; char g_seamless_spawn_cmd[512];
char g_tls_version[4];
RD_BOOL g_seamless_persistent_mode = True; RD_BOOL g_seamless_persistent_mode = True;
RD_BOOL g_user_quit = False; RD_BOOL g_user_quit = False;
uint32 g_embed_wnd; uint32 g_embed_wnd;
@ -184,6 +185,7 @@ usage(char *program)
fprintf(stderr, " -b: force bitmap updates\n"); fprintf(stderr, " -b: force bitmap updates\n");
fprintf(stderr, " -L: local codepage\n"); fprintf(stderr, " -L: local codepage\n");
fprintf(stderr, " -A: path to SeamlessRDP shell, this enables SeamlessRDP mode\n"); fprintf(stderr, " -A: path to SeamlessRDP shell, this enables SeamlessRDP mode\n");
fprintf(stderr, " -V: tls version (1.0, 1.1, 1.2, defaults to 1.0)\n");
fprintf(stderr, " -B: use BackingStore of X-server (if available)\n"); fprintf(stderr, " -B: use BackingStore of X-server (if available)\n");
fprintf(stderr, " -e: disable encryption (French TS)\n"); fprintf(stderr, " -e: disable encryption (French TS)\n");
fprintf(stderr, " -E: disable encryption from client to server\n"); fprintf(stderr, " -E: disable encryption from client to server\n");
@ -805,13 +807,13 @@ main(int argc, char *argv[])
flags = RDP_INFO_MOUSE | RDP_INFO_DISABLECTRLALTDEL flags = RDP_INFO_MOUSE | RDP_INFO_DISABLECTRLALTDEL
| RDP_INFO_UNICODE | RDP_INFO_MAXIMIZESHELL | RDP_INFO_ENABLEWINDOWSKEY; | RDP_INFO_UNICODE | RDP_INFO_MAXIMIZESHELL | RDP_INFO_ENABLEWINDOWSKEY;
g_seamless_spawn_cmd[0] = domain[0] = g_password[0] = shell[0] = directory[0] = 0; g_seamless_spawn_cmd[0] = g_tls_version[0] = domain[0] = g_password[0] = shell[0] = directory[0] = 0;
g_embed_wnd = 0; g_embed_wnd = 0;
g_num_devices = 0; g_num_devices = 0;
while ((c = getopt(argc, argv, while ((c = getopt(argc, argv,
"A:u:L:d:s:c:p:n:k:g:o:fbBeEitmMzCDKS:T:NX:a:x:Pr:045vh?")) != -1) "A:V:u:L:d:s:c:p:n:k:g:o:fbBeEitmMzCDKS:T:NX:a:x:Pr:045vh?")) != -1)
{ {
switch (c) switch (c)
{ {
@ -820,6 +822,10 @@ main(int argc, char *argv[])
STRNCPY(g_seamless_shell, optarg, sizeof(g_seamless_shell)); STRNCPY(g_seamless_shell, optarg, sizeof(g_seamless_shell));
break; break;
case 'V':
STRNCPY(g_tls_version, optarg, sizeof(g_tls_version));
break;
case 'u': case 'u':
g_username = (char *) xmalloc(strlen(optarg) + 1); g_username = (char *) xmalloc(strlen(optarg) + 1);
STRNCPY(g_username, optarg, strlen(optarg) + 1); STRNCPY(g_username, optarg, strlen(optarg) + 1);
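Review bot: The `-V` handler copies `optarg` into the 4-byte `g_tls_version` with `STRNCPY` and accepts whatever fits, so an argument such as `1.23` or `1.0x` is silently truncated to a valid-looking `1.2`/`1.0` and only a value that survives truncation as something else is rejected, and that rejection happens much later inside `tcp_tls_connect` rather than at option parsing. Since the accepted set is exactly three fixed strings, validate here and fail with a usage error before any connection is attempted; the exit path should match what the other options in `main` use, which is outside this hunk, so the `return` below is a placeholder to confirm. `main` begins and ends outside the hunk.
```c
case 'V':
	if (strcmp(optarg, "1.0") != 0 && strcmp(optarg, "1.1") != 0
	    && strcmp(optarg, "1.2") != 0)
	{
		logger(Core, Error, "invalid -V value '%s', expected 1.0, 1.1 or 1.2\n", optarg);
		usage(argv[0]);
		return 1;	/* match the error return used by the other option errors */
	}
	STRNCPY(g_tls_version, optarg, sizeof(g_tls_version));
	break;
```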

26
tcp.c

@ -77,6 +77,7 @@ int g_tcp_port_rdp = TCP_PORT_RDP;
extern RD_BOOL g_exit_mainloop; extern RD_BOOL g_exit_mainloop;
extern RD_BOOL g_network_error; extern RD_BOOL g_network_error;
extern RD_BOOL g_reconnect_loop; extern RD_BOOL g_reconnect_loop;
extern char g_tls_version[];
/* wait till socket is ready to write or timeout */ /* wait till socket is ready to write or timeout */
static RD_BOOL static RD_BOOL
@ -299,7 +300,7 @@ tcp_recv(STREAM s, uint32 length)
return s; return s;
} }
/* Establish a SSL/TLS 1.0 connection */ /* Establish a SSL/TLS 1.0-1-2 connection */
RD_BOOL RD_BOOL
tcp_tls_connect(void) tcp_tls_connect(void)
{ {
@ -316,11 +317,28 @@ tcp_tls_connect(void)
/* create process context */ /* create process context */
if (g_ssl_ctx == NULL) if (g_ssl_ctx == NULL)
{ {
g_ssl_ctx = SSL_CTX_new(TLSv1_client_method());
const SSL_METHOD *(*tlsmeth) (void) = NULL;
if (g_tls_version[0] == 0)
tlsmeth = TLSv1_method;
else if (!strcmp(g_tls_version, "1.0"))
tlsmeth = TLSv1_method;
else if (!strcmp(g_tls_version, "1.1"))
tlsmeth = TLSv1_1_method;
else if (!strcmp(g_tls_version, "1.2"))
tlsmeth = TLSv1_2_method;
if (tlsmeth == NULL)
{
logger(Core, Error,
"tcp_tls_connect(), TLS method should be 1.0, 1.1, or 1.2\n");
goto fail;
}
g_ssl_ctx = SSL_CTX_new(tlsmeth());
if (g_ssl_ctx == NULL) if (g_ssl_ctx == NULL)
{ {
logger(Core, Error, logger(Core, Error,
"tcp_tls_connect(), SSL_CTX_new() failed to create TLS v1.0 context\n"); "tcp_tls_connect(), SSL_CTX_new() failed to create TLS v1.x context\n");
goto fail; goto fail;
} }
@ -375,7 +393,7 @@ tcp_tls_connect(void)
return False; return False;
} }
/* Get public key from server of TLS 1.0 connection */ /* Get public key from server of TLS 1.x connection */
RD_BOOL RD_BOOL
tcp_tls_get_server_pubkey(STREAM s) tcp_tls_get_server_pubkey(STREAM s)
{ {
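Review bot: The new context creation pins exactly one protocol version via `TLSv1_method`/`TLSv1_1_method`/`TLSv1_2_method` and still defaults to TLS 1.0 when `-V` is absent, so a server that has disabled TLS 1.0 (the exact case the new iso.c hint is written for) keeps failing until the user guesses the right `-V`, and because `g_ssl_ctx` is cached the choice is frozen for the rest of the process. A version-flexible method with the unwanted versions masked off lets the handshake pick the highest version both sides support by default while keeping `-V` as an explicit pin; `SSL_OP_NO_*` works on both OpenSSL 1.0.x and 1.1.x, and on 1.1.0+ `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` is the cleaner equivalent if the project's minimum OpenSSL allows it. Note also that the fixed-version `TLSv1*_method` functions are deprecated in OpenSSL 1.1.0, and that the replaced line used the client-specific `TLSv1_client_method` whereas the new code uses the generic `TLSv1_method`. `tcp_tls_connect` begins before and continues after this hunk.
```c
		/* Version-flexible context: without -V, negotiate the highest of TLS 1.0-1.2
		 * both sides support; with -V, pin exactly the requested version. */
		long no_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
		if (!strcmp(g_tls_version, "1.0"))
			no_versions |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
		else if (!strcmp(g_tls_version, "1.1"))
			no_versions |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
		else if (!strcmp(g_tls_version, "1.2"))
			no_versions |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
		else if (g_tls_version[0] != 0)
		{
			logger(Core, Error,
			       "tcp_tls_connect(), TLS method should be 1.0, 1.1, or 1.2\n");
			goto fail;
		}
		g_ssl_ctx = SSL_CTX_new(SSLv23_client_method());
		if (g_ssl_ctx == NULL)
		{
			/* … unchanged: error log and goto fail … */
		}
		SSL_CTX_set_options(g_ssl_ctx, no_versions);
```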