move openssl calls to common/libssl.c, check for defines

This commit is contained in:
Jay Sorg 2017-06-08 09:39:07 -07:00 committed by metalefty
parent 5def0596e0
commit 8d63c32899
3 changed files with 92 additions and 41 deletions

View File

@ -37,6 +37,7 @@
#include "arch.h"
#include "ssl_calls.h"
#include "trans.h"
#include "log.h"
#define SSL_WANT_READ_WRITE_TIMEOUT 100
@ -829,7 +830,6 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
return g_sck_can_recv(sck, millis);
}
/*****************************************************************************/
const char *
ssl_get_version(const struct ssl_st *ssl)
@ -843,3 +843,82 @@ ssl_get_cipher_name(const struct ssl_st *ssl)
{
return SSL_get_cipher_name(ssl);
}
/*****************************************************************************/
int
ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
{
long protocols;
long bad_protocols;
int rv;
if ((str == NULL) || (ssl_protocols == NULL))
{
return 1;
}
rv = 0;
protocols = 0;
#if defined(SSL_OP_NO_SSLv3)
protocols |= SSL_OP_NO_SSLv3;
#endif
#if defined(SSL_OP_NO_TLSv1)
protocols |= SSL_OP_NO_TLSv1;
#endif
#if defined(SSL_OP_NO_TLSv1_1)
protocols |= SSL_OP_NO_TLSv1_1;
#endif
#if defined(SSL_OP_NO_TLSv1_2)
protocols |= SSL_OP_NO_TLSv1_2;
#endif
bad_protocols = protocols;
if (g_pos(str, ",TLSv1.2,") >= 0)
{
#if defined(SSL_OP_NO_TLSv1_2)
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
protocols &= ~SSL_OP_NO_TLSv1_2;
#else
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 not enabled, not available");
rv |= (1 << 1);
#endif
}
if (g_pos(str, ",TLSv1.1,") >= 0)
{
#if defined(SSL_OP_NO_TLSv1_1)
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
protocols &= ~SSL_OP_NO_TLSv1_1;
#else
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 not enabled, not available");
rv |= (1 << 2);
#endif
}
if (g_pos(str, ",TLSv1,") >= 0)
{
#if defined(SSL_OP_NO_TLSv1)
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
protocols &= ~SSL_OP_NO_TLSv1;
#else
log_message(LOG_LEVEL_DEBUG, "TLSv1 not enabled, not available");
rv |= (1 << 3);
#endif
}
if (g_pos(str, ",SSLv3,") >= 0)
{
#if defined(SSL_OP_NO_SSLv3)
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
protocols &= ~SSL_OP_NO_SSLv3;
#else
log_message(LOG_LEVEL_DEBUG, "SSLv3 not enabled, not available");
rv |= (1 << 4);
#endif
}
if (protocols == bad_protocols)
{
log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
"At least one protocol should be enabled to accept "
"TLS connections.");
rv |= (1 << 5);
}
*ssl_protocols = protocols;
return rv;
}

View File

@ -108,8 +108,11 @@ int
ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
int
ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
const char *ssl_get_version(const struct ssl_st *ssl);
const char *ssl_get_cipher_name(const struct ssl_st *ssl);
const char *
ssl_get_version(const struct ssl_st *ssl);
const char *
ssl_get_cipher_name(const struct ssl_st *ssl);
int
ssl_get_protocols_from_string(const char *str, long *ssl_protocols);
#endif

View File

@ -22,9 +22,9 @@
#include <config_ac.h>
#endif
#include <openssl/ssl.h>
#include "libxrdp.h"
#include "log.h"
#include "ssl_calls.h"
#if defined(XRDP_NEUTRINORDP)
#include <freerdp/codec/rfx.h>
@ -49,7 +49,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
char *item = NULL;
char *value = NULL;
char cfg_file[256];
char *p = NULL;
int pos;
char *tmp = NULL;
int tmp_length = 0;
@ -174,44 +174,13 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
tmp_length = g_strlen(value) + 3;
tmp = g_new(char, tmp_length);
g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
/* replace all spaces with comma */
/* to accept space after comma */
while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
while ((pos = g_pos(tmp, " ")) != -1)
{
*p = ',';
}
/* disable all protocols first, enable later */
client_info->ssl_protocols =
SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
if (g_pos(tmp, ",TLSv1.2,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
}
if (g_pos(tmp, ",TLSv1.1,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
}
if (g_pos(tmp, ",TLSv1,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
}
if (g_pos(tmp, ",SSLv3,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
}
if (client_info->ssl_protocols ==
(SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2))
{
log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
"At least one protocol should be enabled to accept "
"TLS connections.");
tmp[pos] = ',';
}
ssl_get_protocols_from_string(tmp, &(client_info->ssl_protocols));
g_free(tmp);
}
else if (g_strcasecmp(item, "tls_ciphers") == 0)