From 1222e7060b400da5bd6f4588cc914a56db8e16fc Mon Sep 17 00:00:00 2001
From: Bernhard Miklautz
Date: Thu, 8 Nov 2018 11:01:56 +0100
Subject: [PATCH 1/2] new [crypto/tls]: add support to set tls security level

The newly introduced option /tls-seclevel can be used to set the tls security level on systems with openssl >= 1.1.0 or libressl. As default level 1 is used as higher levels might prohibit connections to older systems.
---
 client/common/cmdline.c | 9 +++++++++
 client/common/cmdline.h | 1 +
 include/freerdp/settings.h | 5 ++++-
 libfreerdp/common/settings.c | 6 ++++++
 libfreerdp/core/settings.c | 1 +
 libfreerdp/crypto/tls.c | 4 ++++
 6 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index d8880146e..cfb109493 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -2458,6 +2458,15 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 return COMMAND_LINE_ERROR_MEMORY;
 }
 }
+ CommandLineSwitchCase(arg, "tls-seclevel")
+ {
+ unsigned long val = strtoul(arg->Value, NULL, 0);
+
+ if ((errno != 0) || (val > 5))
+ return COMMAND_LINE_ERROR_UNEXPECTED_VALUE;
+
+ settings->TlsSecLevel = val;
+ }
 CommandLineSwitchCase(arg, "cert-name")
 {
 if (!copy_value(arg->Value, &settings->CertificateName))
diff --git a/client/common/cmdline.h b/client/common/cmdline.h
index e2f700c77..23ec292df 100644
--- a/client/common/cmdline.h
+++ b/client/common/cmdline.h
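Review bot: In the new `tls-seclevel` case `errno` is tested after `strtoul` without being cleared first, so unless something earlier in this function resets it (the hunk does not show that) a stale value from a previous call rejects perfectly valid input, and passing `NULL` as the end pointer lets `""` and `1x` through as levels 0 and 1. Clear it and check the end pointer: `char* end; errno = 0; unsigned long val = strtoul(arg->Value, &end, 0);` followed by `if ((errno != 0) || (end == arg->Value) || (*end != '\0') || (val > 5))`. The `compression-level` case touched by patch 2/2 has the same errno and end-pointer gap and should get the same treatment. The enclosing function starts and ends outside the hunk.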
@@ -168,6 +168,7 @@ static COMMAND_LINE_ARGUMENT_A args[] =
 { "t", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, "title", "Window title" },
 { "themes", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "themes" },
 { "tls-ciphers", COMMAND_LINE_VALUE_REQUIRED, "netmon|ma|ciphers", NULL, NULL, -1, NULL, "Allowed TLS ciphers" },
+ { "tls-seclevel", COMMAND_LINE_VALUE_REQUIRED, "<level>", "1", NULL, -1, NULL, "TLS security level - defaults to 1" },
 { "toggle-fullscreen", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "Alt+Ctrl+Enter toggles fullscreen" },
 { "u", COMMAND_LINE_VALUE_REQUIRED, "[<domain>\\]<user> or <user>[@<domain>]", NULL, NULL, -1, NULL, "Username" },
 { "unmap-buttons", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL, "Let server see real physical pointer button"},
diff --git a/include/freerdp/settings.h b/include/freerdp/settings.h
index 9feb945f3..fefad604c 100644
--- a/include/freerdp/settings.h
+++ b/include/freerdp/settings.h
@@ -627,6 +627,7 @@ typedef struct _RDPDR_PARALLEL RDPDR_PARALLEL;
 #define FreeRDP_VmConnectMode (1102)
 #define FreeRDP_NtlmSamFile (1103)
 #define FreeRDP_FIPSMode (1104)
+#define FreeRDP_TlsSecLevel (1105)
 #define FreeRDP_MstscCookieMode (1152)
 #define FreeRDP_CookieMaxLength (1153)
 #define FreeRDP_PreconnectionId (1154)
@@ -756,6 +757,7 @@ typedef struct _RDPDR_PARALLEL RDPDR_PARALLEL;
 #define FreeRDP_OrderSupport (2432)
 #define FreeRDP_BitmapCacheV3Enabled (2433)
 #define FreeRDP_AltSecFrameMarkerSupport (2434)
+#define FreeRDP_AllowUnanouncedOrdersFromServer (2435)
 #define FreeRDP_BitmapCacheEnabled (2497)
 #define FreeRDP_BitmapCacheVersion (2498)
 #define FreeRDP_AllowCacheWaitingList (2499)
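Review bot: The help string for the new `tls-seclevel` entry says only "defaults to 1", while the parser in cmdline.c rejects anything above 5 and level 0 is the most permissive setting the library offers, so the accepted range and the platform restriction from the commit message belong in the text users actually see. Suggest `"TLS security level (0-5, OpenSSL >= 1.1.0 or LibreSSL only) - defaults to 1"`.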
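Review bot: `#define FreeRDP_AllowUnanouncedOrdersFromServer (2435)` in the second settings.h hunk is unrelated to the TLS security level this commit describes, and no `rdp_settings` member, getter or setter for id 2435 appears anywhere in the patch, so the define dangles with nothing behind it. Either drop it from this commit or move it to the change that introduces the corresponding field; the spelling `Unanounced` also looks like a typo and is worth checking before it becomes public API.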
@@ -1058,7 +1060,8 @@ struct rdp_settings
 ALIGN64 BOOL VmConnectMode; /* 1102 */
 ALIGN64 char* NtlmSamFile; /* 1103 */
 ALIGN64 BOOL FIPSMode; /* 1104 */
- UINT64 padding1152[1152 - 1105]; /* 1105 */
+ ALIGN64 UINT32 TlsSecLevel; /* 1105 */
+ UINT64 padding1152[1152 - 1106]; /* 1106 */
 
 /* Connection Cookie */
 ALIGN64 BOOL MstscCookieMode; /* 1152 */
diff --git a/libfreerdp/common/settings.c b/libfreerdp/common/settings.c
index 2043be2d9..8a8d53846 100644
--- a/libfreerdp/common/settings.c
+++ b/libfreerdp/common/settings.c
@@ -1999,6 +1999,9 @@ UINT32 freerdp_get_param_uint32(rdpSettings* settings, int id)
 case FreeRDP_SmartSizingHeight:
 return settings->SmartSizingHeight;
 
+ case FreeRDP_TlsSecLevel:
+ return settings->TlsSecLevel;
+
 default:
 WLog_ERR(TAG, "freerdp_get_param_uint32: unknown id: %d", id);
 return 0;
@@ -2341,6 +2344,9 @@ int freerdp_set_param_uint32(rdpSettings* settings, int id, UINT32 param)
 settings->DynamicChannelArraySize = param;
 break;
 
+ case FreeRDP_TlsSecLevel:
+ settings->TlsSecLevel = param;
+
 default:
 WLog_ERR(TAG, "freerdp_set_param_uint32: unknown id %d (param = %"PRIu32")", id, param);
 return -1;
diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c
index 3d18bbccf..4f013abf7 100644
--- a/libfreerdp/core/settings.c
+++ b/libfreerdp/core/settings.c
@@ -615,6 +615,7 @@ rdpSettings* freerdp_settings_new(DWORD flags)
 settings->ActionScript = _strdup("~/.config/freerdp/action.sh");
 settings->SmartcardLogon = FALSE;
+ settings->TlsSecLevel = 1;
 
 return settings;
 out_fail:
 free(settings->HomePath);
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 8e563b976..c93aad6d9 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
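Review bot: The new `case FreeRDP_TlsSecLevel:` in `freerdp_set_param_uint32` has no `break;`, so after storing the value control falls through into `default:`, which logs `unknown id` and returns -1 — every API caller that sets this id is told the call failed even though the field was written. Add `break;` directly after `settings->TlsSecLevel = param;`, matching the `DynamicChannelArraySize` case just above it; the getter hunk earlier in the same file is fine because it returns. The enclosing switch and function continue outside the hunk.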
@@ -651,6 +651,10 @@ static BOOL tls_prepare(rdpTls* tls, BIO* underlying, SSL_METHOD* method,
 SSL_CTX_set_options(tls->ctx, options);
 SSL_CTX_set_read_ahead(tls->ctx, 1);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_security_level(tls->ctx, settings->TlsSecLevel);
+#endif
+
 if (settings->AllowedTlsCiphers)
 {
 if (!SSL_CTX_set_cipher_list(tls->ctx, settings->AllowedTlsCiphers))

From 8be6ec9720877ee52433df1be32bf218775e248f Mon Sep 17 00:00:00 2001
From: Bernhard Miklautz <bernhard.miklautz@thincast.com>
Date: Thu, 8 Nov 2018 11:13:57 +0100
Subject: [PATCH 2/2] fix [cmdline]: parameter parsing

use strtoul instead of strtol
---
 client/common/cmdline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index cfb109493..54dacda93 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -2092,7 +2092,7 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 }
 CommandLineSwitchCase(arg, "compression-level")
 {
- unsigned long val = strtol(arg->Value, NULL, 0);
+ unsigned long val = strtoul(arg->Value, NULL, 0);
 
 if ((errno != 0) || (val > UINT32_MAX))
 return COMMAND_LINE_ERROR_UNEXPECTED_VALUE;
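Review bot: When the `#if` on the OpenSSL version is false, a user-supplied `/tls-seclevel` is silently dropped and the handshake runs under whatever policy the library applies, with nothing in the log to show the request was ignored. Add an `#else` branch such as `WLog_WARN(TAG, "TLS security level not supported by this TLS library, /tls-seclevel ignored");`, optionally guarded by `settings->TlsSecLevel != 1` so the default stays quiet. Because `defined(LIBRESSL_VERSION_NUMBER)` is ORed in unconditionally, confirm that every LibreSSL release the project builds against actually exports `SSL_CTX_set_security_level`; if not, the call fails to compile there. Note also that calling it unconditionally with the default of 1 overrides any higher library-wide default a platform ships, which is a deliberate loosening the commit message should state explicitly. `tls_prepare` starts and ends outside the hunk.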