mirrors
/
xrdp
mirror of https://github.com/neutrinolabs/xrdp
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,831 Commits 9 Branches 44 Tags 21 MiB
Commit Graph

77 Commits

Author SHA1 Message Date
firewave fb9c175b11 enabled and fixed `-Wmissing-prototypes` compiler warnings 
Co-authored-by: matt335672 <30179339+matt335672@users.noreply.github.com>
 2024-04-23 18:38:20 +02:00
matt335672 18c5538781 Add casts required for C++ CI and OpenSSL 3.x 2022-10-20 09:56:23 +01:00
matt335672 8b8cfbe119 Improve wrapping of openssl module 2022-01-28 12:23:40 +00:00
matt335672 6cebade78e OpenSSL 3.x compatibility 2022-01-20 16:45:25 +00:00
matt335672 d853228c19 const fixes for SSL calls 2022-01-19 11:11:37 +00:00
matt335672 2ee5e76ed7 Improve quality of SSL logging 2021-06-21 17:44:47 +01:00
matt335672 ea582429e1 Load any private key type, not just RSA (#1776) 
Fix missing SSL logging and reformat with astyle
 2021-01-07 10:34:39 +00:00
matt335672 0a1a8f40e5 Moved a lot of string funcs to string_calls module 2020-12-22 11:57:24 +00:00
Alexandre Quesnel 9cb6bfc3a4 Fix SSL compiler warning 2020-11-17 05:46:36 +00:00
Koichiro IWAO 74497752dc
Add TLSv1.3 support 
Actually, TLSv1.3 will be enabled without this change if xrdp is compiled
with OpenSSL or alternatives which support TLSv1.3. This commit makes to
enable or disable TLSv1.3 explicitly.  Also, this commit adds a log
"TLSv1.3 enabled by config, but not supported by system OpenSSL". if
xrdp installation doesn't support TLSv1.3. It should be user-friendly.
 2018-09-14 11:50:55 +09:00
daixj 88b3c06311 fix issue #1112: set SSL object's read_ahead flag to be 0 2018-05-21 11:08:41 +08:00
Koichiro IWAO b2b42d28f3
xrdp: add OpenSSL version to --version 
While here, cleanup --help,  --version, and when unknown option.
 2018-04-10 23:58:31 +09:00
speidy a432969746 common: ssl_calls: add support for OpenSSL>=1.1.0 API for DH keys 
also fixes some memory leak introduced in PR#1024.
and adds a check that DH params generated successfully. write a proper log message if not.
 2018-03-22 02:20:47 +02:00
speidy 8effc09ab7 common: ssl_calls: check if SSL object created right after its creation. 2018-03-21 08:16:12 +02:00
Koichiro IWAO e3d0fd6d46
common: temporarily disable DHE 
until make it possible to use generated DH parameters per installation.
 2018-03-18 21:14:06 +09:00
Koichiro IWAO 1690950cc8
common: regenerate dhparam 
Generated by: openssl dhparam -C 2236
 2018-03-01 13:48:22 +09:00
Koichiro IWAO 578d23477c
common: obey coding style, remove trailing space 2018-03-01 12:11:52 +09:00
Enrico Tagliavini 70b5adb396 add support for DHE ciphers via compiled in dhparam 
make it possible to use regular (non EC) EDH ciphers. To make this
possible a Diffie-Hellman parameter must be passed to the openssl
library. There are a few options possible as described in the manuals at
[1] and [2]. Simplest approach is to generate a DH parameter using
openssl dhparam -C <lenght> and include the code into the application.
The lenght used for this commit is 2236 bits long, which is the longest
possible without risking backward incompatibilities with old systems as
stated in [1]. Newer systems should use ECDH anyway, so it makes sense
to keep this method as compatible with older system as possible.
Paramters longer than 2048 should still be secure enough at the time of
writing.

[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
 2018-03-01 09:57:35 +09:00
Enrico Tagliavini 6cdc0f31b0 enable automatic ECDH when possible (openssl 1.0.2) 
Openssl 1.1.0 and later are enabling ECDH automatically, but for older
version it must be enabled explicitly or all Perfect Forward Secrecy
ciphers will be silently ignored. See also [1]. This commit applies the
same fix as found in CnetOS 7 httpd package to enable automatic ECDH as
found in [2].

[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch
 2018-03-01 09:57:35 +09:00
Koichiro IWAO 793a418cfb
common: log what value is set to tls_ciphers 
Related to #1033.
 2018-02-20 13:13:37 +09:00
Jay Sorg a9eb21e6d7 common: avoid 100% cpu on ssl accept, can be fake client 2017-11-22 16:17:34 -08:00
Koichiro IWAO 04187945a8 move base64 functions to base64.c 2017-08-01 08:40:30 +09:00
Koichiro IWAO d57e02626d add base64_decode function 2017-08-01 08:40:30 +09:00
Koichiro IWAO aa4b90d250 Change log level DEBUG -> WARNING 
since unavailability of ssl protocols defined in config file
may weaken security and it is important for users.
 2017-07-06 13:14:27 +09:00
Koichiro IWAO 455c341efc Reword log messages in ssl_get_protocols_from_string() 2017-07-06 13:14:27 +09:00
Jay Sorg 8d63c32899 move openssl calls to common/libssl.c, check for defines 2017-06-22 11:47:48 +09:00
Jay Sorg 2c96908ea5 common: if SSL_shutdown fails, only call one more time 2017-05-10 14:56:20 -07:00
Jay Sorg 75fd3fcf89 common: ssl_tls_write / read return 0 on socket close 2017-05-10 14:56:20 -07:00
Pavel Roskin 6ed4c969f4 Eliminate APP_CC and DEFAULT_CC 2017-03-14 00:21:48 -07:00
Pavel Roskin b2d3dcf169 Include config_ac.h from all source files 2017-03-04 00:52:34 -08:00
Koichiro IWAO e94ab10e14 TLS: new method to specify SSL/TLS version 
SSL/TLS protocols only listed in ssl_protocols should be used.
The name "ssl_protocols" comes from nginx.

Resolves #428.
 2017-02-27 14:17:25 +09:00
Jay Sorg 657f6f3756 common: use select for SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE tls errors 2017-02-25 20:52:27 -08:00
Pavel Roskin dc1e341f5a Constify input arguments of ssl_mod_exp() and ssl_gen_key_xrdp1() 2017-02-02 21:39:10 -08:00
Pavel Roskin 6a3f0a75bd Remove support for OpenSSL older than 0.9.8 
It's hard to find an older version of OpenSSL even on long term support
distros.
 2017-02-02 21:39:10 -08:00
Idan Freiberg 19375dda7a Merge pull request #426 from metalefty/log-tls-version-and-cipher 
TLS: log TLS version and cipher
 2017-01-16 07:26:51 +02:00
Koichiro IWAO c89c1318f8 obey coding standard, no logic change 2017-01-12 09:28:22 +09:00
Pavel Roskin 6664aac00f Use "void" for empty argument list in declarations 
In C, an empty argument list in a declaration means that the function
can accept any arguments. Use "void" instead, it means "no arguments".

C++ treats void and empty list as "no arguments".
 2017-01-05 17:27:20 -08:00
Koichiro IWAO 40e8194122 TLS: log TLS version and cipher 2016-11-22 10:50:30 +09:00
Pavel Roskin 4324084d58 Use static inline functions for OpenSSL 1.0 backport 
Conditional preprocessor directives spread throughout the code set a bad
example.

The new backport code is located in one place. The compiler checks
argument types. The backport code has no access to the caller variables.
The main code has all advantages of the new, more compact API.
 2016-11-01 11:09:15 -07:00
Dominik George e5cf45d1ac
Add backwards compatibility to OpenSSL < 1.1.0. 2016-10-27 22:40:48 +02:00
Dominik George 1b5fb8f1c8
Fix ssl_calls for OpenSSL 1.1.0, closes #458. 2016-10-27 21:56:22 +02:00
Jay Sorg 8f747e37ca always set SSL_OP_NO_SSLv2 in TLS options 2016-08-25 11:38:03 -07:00
Alex Illsley 47124df4ed new options for xrdp.ini disableSSlv3=yes and tls_ciphers=HIGH and code to implement 2016-08-25 11:20:47 -07:00
Pavel Roskin 5829323ad8 Use g_new or g_new0 when C++ compiler would complain about implicit cast 2016-07-08 04:29:49 +00:00
Pavel Roskin aeeb3d2c2e Fix warnings detected by -Wwrite-strings 2016-07-08 04:29:42 +00:00
Jay Sorg f100036cd9 common: minor fix for older openssl keygen 2016-02-22 11:48:54 -08:00
Jay Sorg 0d192aee62 common: fix for key generated smaller than asked for 2016-02-22 11:38:03 -08:00
Jay Sorg fd793bd213 rename g_tcp_can_recv to g_sck_can_recv 2015-10-07 22:17:12 -07:00
Koichiro IWAO cd6ab20e94 common: shut up some messages in ssl_tls_print_error 
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE are not fatal error but just
indicate SSL_read, SSL_write, SSL_accept functions to repeat.
 2015-06-12 13:03:07 +09:00
Koichiro IWAO 2a2b8bcd59 common: fix #248 TLS on FreeBSD 
According to document[1][2][3], retry when SSL_get_error returns
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.

[1] https://www.openssl.org/docs/ssl/SSL_read.html
[2] https://www.openssl.org/docs/ssl/SSL_write.html
[3] https://www.openssl.org/docs/ssl/SSL_accept.html
 2015-06-11 21:45:57 +09:00