FreeRDP
libfreerdp/crypto/tls.c File Reference
#include <assert.h>
#include <string.h>
#include <errno.h>
#include <winpr/crt.h>
#include <winpr/sspi.h>
#include <winpr/ssl.h>
#include <winpr/stream.h>
#include <freerdp/utils/ringbuffer.h>
#include <freerdp/log.h>
#include <freerdp/crypto/tls.h>
#include "../core/tcp.h"
#include "opensslcompat.h"

Macros

#define TAG   FREERDP_TAG("crypto")
 
#define BIO_TYPE_RDP_TLS   68
 
#define TLS_SERVER_END_POINT   "tls-server-end-point:"
 

Functions

static int tls_verify_certificate (rdpTls *tls, CryptoCert cert, const char *hostname, UINT16 port)
 
static void tls_print_certificate_name_mismatch_error (const char *hostname, UINT16 port, const char *common_name, char **alt_names, int alt_names_count)
 
static void tls_print_certificate_error (const char *hostname, UINT16 port, const char *fingerprint, const char *hosts_file)
 
static int bio_rdp_tls_write (BIO *bio, const char *buf, int size)
 
static int bio_rdp_tls_read (BIO *bio, char *buf, int size)
 
static int bio_rdp_tls_puts (BIO *bio, const char *str)
 
static int bio_rdp_tls_gets (BIO *bio, char *str, int size)
 
static long bio_rdp_tls_ctrl (BIO *bio, int cmd, long num, void *ptr)
 
static int bio_rdp_tls_new (BIO *bio)
 
static int bio_rdp_tls_free (BIO *bio)
 
static long bio_rdp_tls_callback_ctrl (BIO *bio, int cmd, bio_info_cb *fp)
 
static BIO_METHOD * BIO_s_rdp_tls (void)
 
static BIO * BIO_new_rdp_tls (SSL_CTX *ctx, int client)
 
static CryptoCert tls_get_certificate (rdpTls *tls, BOOL peer)
 
static void tls_free_certificate (CryptoCert cert)
 
static SecPkgContext_Bindings * tls_get_channel_bindings (X509 *cert)
 
static BOOL tls_prepare (rdpTls *tls, BIO *underlying, SSL_METHOD *method, int options, BOOL clientMode)
 
static int tls_do_handshake (rdpTls *tls, BOOL clientMode)
 
int tls_connect (rdpTls *tls, BIO *underlying)
 
BOOL tls_accept (rdpTls *tls, BIO *underlying, rdpSettings *settings)
 
BOOL tls_send_alert (rdpTls *tls)
 
int tls_write_all (rdpTls *tls, const BYTE *data, int length)
 
int tls_set_alert_code (rdpTls *tls, int level, int description)
 
static BOOL tls_match_hostname (const char *pattern, const size_t pattern_length, const char *hostname)
 
static BOOL is_redirected (rdpTls *tls)
 
static BOOL is_accepted (rdpTls *tls, const BYTE *pem, size_t length)
 
static BOOL accept_cert (rdpTls *tls, const BYTE *pem, UINT32 length)
 
static BOOL tls_extract_pem (CryptoCert cert, BYTE **PublicKey, DWORD *PublicKeyLength)
 
rdpTls * tls_new (rdpSettings *settings)
 
void tls_free (rdpTls *tls)
 

Macro Definition Documentation

#define BIO_TYPE_RDP_TLS   68
#define TAG   FREERDP_TAG("crypto")

FreeRDP: A Remote Desktop Protocol Implementation Transport Layer Security

Copyright 2011-2012 Marc-Andre Moreau marcandre.moreau@gmail.com

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

#define TLS_SERVER_END_POINT   "tls-server-end-point:"

Function Documentation

static BOOL accept_cert ( rdpTls *  tls,
const BYTE *pem,
UINT32  length 
)
static


static BIO* BIO_new_rdp_tls ( SSL_CTX *  ctx,
int  client 
)
static


static long bio_rdp_tls_callback_ctrl ( BIO *  bio,
int  cmd,
bio_info_cb *  fp 
)
static


static long bio_rdp_tls_ctrl ( BIO *  bio,
int  cmd,
long  num,
void *ptr
)
static


static int bio_rdp_tls_free ( BIO *  bio)
static


static int bio_rdp_tls_gets ( BIO *  bio,
char *  str,
int  size 
)
static


static int bio_rdp_tls_new ( BIO *  bio)
static


static int bio_rdp_tls_puts ( BIO *  bio,
const char *  str 
)
static


static int bio_rdp_tls_read ( BIO *  bio,
char *  buf,
int  size 
)
static


static int bio_rdp_tls_write ( BIO *  bio,
const char *  buf,
int  size 
)
static


static BIO_METHOD* BIO_s_rdp_tls ( void  )
static


static BOOL is_accepted ( rdpTls *  tls,
const BYTE *pem,
size_t  length 
)
static


static BOOL is_redirected ( rdpTls *  tls)
static


BOOL tls_accept ( rdpTls *  tls,
BIO *  underlying,
rdpSettings *  settings 
)

SSL_OP_NO_SSLv2:

We only want SSLv3 and TLSv1, so disable SSLv2. SSLv3 is still used by some clients, e.g. Microsoft RDC for Mac OS X.

SSL_OP_NO_COMPRESSION:

The Microsoft RDP server does not advertise support for TLS compression, but alternative servers may support it. This was observed between early versions of the FreeRDP server and the FreeRDP client, and caused major performance issues, which is why we're disabling it.

SSL_OP_TLS_BLOCK_PADDING_BUG:

The Microsoft RDP server does not support TLS padding. It absolutely needs to be disabled; otherwise the connection will not work.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:

Just like TLS padding, the Microsoft RDP server does not support empty fragments. This needs to be disabled.


int tls_connect ( rdpTls *  tls,
BIO *  underlying 
)

SSL_OP_NO_COMPRESSION:

The Microsoft RDP server does not advertise support for TLS compression, but alternative servers may support it. This was observed between early versions of the FreeRDP server and the FreeRDP client, and caused major performance issues, which is why we're disabling it.

SSL_OP_TLS_BLOCK_PADDING_BUG:

The Microsoft RDP server does not support TLS padding. It absolutely needs to be disabled; otherwise the connection will not work.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:

Just like TLS padding, the Microsoft RDP server does not support empty fragments. This needs to be disabled.

Disable SSLv2 and SSLv3 for the client side.


static int tls_do_handshake ( rdpTls *  tls,
BOOL  clientMode 
)
static


static BOOL tls_extract_pem ( CryptoCert  cert,
BYTE **  PublicKey,
DWORD *  PublicKeyLength 
)
static

Don't manage certificates internally; leave that entirely up to the external client implementation.


void tls_free ( rdpTls *  tls)


static void tls_free_certificate ( CryptoCert  cert)
static


static CryptoCert tls_get_certificate ( rdpTls *  tls,
BOOL  peer 
)
static


static SecPkgContext_Bindings* tls_get_channel_bindings ( X509 *  cert)
static


static BOOL tls_match_hostname ( const char *  pattern,
const size_t  pattern_length,
const char *  hostname 
)
static


rdpTls* tls_new ( rdpSettings *  settings)


static BOOL tls_prepare ( rdpTls *  tls,
BIO *  underlying,
SSL_METHOD *  method,
int  options,
BOOL  clientMode 
)
static


void tls_print_certificate_error ( const char *  hostname,
UINT16  port,
const char *  fingerprint,
const char *  hosts_file 
)
static


void tls_print_certificate_name_mismatch_error ( const char *  hostname,
UINT16  port,
const char *  common_name,
char **  alt_names,
int  alt_names_count 
)
static


BOOL tls_send_alert ( rdpTls *  tls)

FIXME: The following code does not work on OpenSSL > 1.1.0 because the SSL struct is opaque now.

OpenSSL doesn't really expose an API for sending a TLS alert manually.

The following code disables the sending of the default "close notify" alert and then forces a custom TLS alert to be sent before shutting down.

Manually sending a TLS alert is necessary in certain cases, like when server-side NLA results in an authentication failure.


int tls_set_alert_code ( rdpTls *  tls,
int  level,
int  description 
)


int tls_verify_certificate ( rdpTls *  tls,
CryptoCert  cert,
const char *  hostname,
UINT16  port 
)
static


int tls_write_all ( rdpTls *  tls,
const BYTE *data,
int  length 
)
