FreeRDP
tls.h File Reference
#include "crypto.h"
#include "certificate.h"
#include <winpr/crt.h>
#include <winpr/sspi.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <freerdp/api.h>
#include <freerdp/types.h>
#include <winpr/stream.h>

Data Structures

struct  rdpTls
 

Macros

#define TLS_ALERT_LEVEL_WARNING   1
 
#define TLS_ALERT_LEVEL_FATAL   2
 
#define TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY   0
 
#define TLS_ALERT_DESCRIPTION_UNEXPECTED_MESSAGE   10
 
#define TLS_ALERT_DESCRIPTION_BAD_RECORD_MAC   20
 
#define TLS_ALERT_DESCRIPTION_DECRYPTION_FAILED   21
 
#define TLS_ALERT_DESCRIPTION_RECORD_OVERFLOW   22
 
#define TLS_ALERT_DESCRIPTION_DECOMPRESSION_FAILURE   30
 
#define TLS_ALERT_DESCRIPTION_HANSHAKE_FAILURE   40
 
#define TLS_ALERT_DESCRIPTION_NO_CERTIFICATE   41
 
#define TLS_ALERT_DESCRIPTION_BAD_CERTIFICATE   42
 
#define TLS_ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE   43
 
#define TLS_ALERT_DESCRIPTION_CERTIFICATE_REVOKED   44
 
#define TLS_ALERT_DESCRIPTION_CERTIFICATE_EXPIRED   45
 
#define TLS_ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN   46
 
#define TLS_ALERT_DESCRIPTION_ILLEGAL_PARAMETER   47
 
#define TLS_ALERT_DESCRIPTION_UNKNOWN_CA   48
 
#define TLS_ALERT_DESCRIPTION_ACCESS_DENIED   49
 
#define TLS_ALERT_DESCRIPTION_DECODE_ERROR   50
 
#define TLS_ALERT_DESCRIPTION_DECRYPT_ERROR   51
 
#define TLS_ALERT_DESCRIPTION_EXPORT_RESTRICTION   60
 
#define TLS_ALERT_DESCRIPTION_PROTOCOL_VERSION   70
 
#define TLS_ALERT_DESCRIPTION_INSUFFICIENT_SECURITY   71
 
#define TLS_ALERT_DESCRIPTION_INTERNAL_ERROR   80
 
#define TLS_ALERT_DESCRIPTION_USER_CANCELED   90
 
#define TLS_ALERT_DESCRIPTION_NO_RENEGOTIATION   100
 
#define TLS_ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION   110
 

Functions

FREERDP_API int tls_connect (rdpTls *tls, BIO *underlying)
 
FREERDP_API BOOL tls_accept (rdpTls *tls, BIO *underlying, rdpSettings *settings)
 
FREERDP_API BOOL tls_send_alert (rdpTls *tls)
 
FREERDP_API int tls_write_all (rdpTls *tls, const BYTE *data, int length)
 
FREERDP_API int tls_set_alert_code (rdpTls *tls, int level, int description)
 
FREERDP_API rdpTls * tls_new (rdpSettings *settings)
 
FREERDP_API void tls_free (rdpTls *tls)
 

Macro Definition Documentation

#define TLS_ALERT_DESCRIPTION_ACCESS_DENIED   49
#define TLS_ALERT_DESCRIPTION_BAD_CERTIFICATE   42
#define TLS_ALERT_DESCRIPTION_BAD_RECORD_MAC   20
#define TLS_ALERT_DESCRIPTION_CERTIFICATE_EXPIRED   45
#define TLS_ALERT_DESCRIPTION_CERTIFICATE_REVOKED   44
#define TLS_ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN   46
#define TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY   0
#define TLS_ALERT_DESCRIPTION_DECODE_ERROR   50
#define TLS_ALERT_DESCRIPTION_DECOMPRESSION_FAILURE   30
#define TLS_ALERT_DESCRIPTION_DECRYPT_ERROR   51
#define TLS_ALERT_DESCRIPTION_DECRYPTION_FAILED   21
#define TLS_ALERT_DESCRIPTION_EXPORT_RESTRICTION   60
#define TLS_ALERT_DESCRIPTION_HANSHAKE_FAILURE   40
#define TLS_ALERT_DESCRIPTION_ILLEGAL_PARAMETER   47
#define TLS_ALERT_DESCRIPTION_INSUFFICIENT_SECURITY   71
#define TLS_ALERT_DESCRIPTION_INTERNAL_ERROR   80
#define TLS_ALERT_DESCRIPTION_NO_CERTIFICATE   41
#define TLS_ALERT_DESCRIPTION_NO_RENEGOTIATION   100
#define TLS_ALERT_DESCRIPTION_PROTOCOL_VERSION   70
#define TLS_ALERT_DESCRIPTION_RECORD_OVERFLOW   22
#define TLS_ALERT_DESCRIPTION_UNEXPECTED_MESSAGE   10
#define TLS_ALERT_DESCRIPTION_UNKNOWN_CA   48
#define TLS_ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE   43
#define TLS_ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION   110
#define TLS_ALERT_DESCRIPTION_USER_CANCELED   90
#define TLS_ALERT_LEVEL_FATAL   2
#define TLS_ALERT_LEVEL_WARNING   1

FreeRDP: A Remote Desktop Protocol Implementation Transport Layer Security

Copyright 2011-2012 Marc-Andre Moreau marca.nosp@m.ndre.nosp@m..more.nosp@m.au@g.nosp@m.mail..nosp@m.com

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Function Documentation

FREERDP_API BOOL tls_accept ( rdpTls *  tls,
BIO *  underlying,
rdpSettings *  settings 
)

SSL_OP_NO_SSLv2:

We only want SSLv3 and TLSv1, so disable SSLv2. SSLv3 is still used by some clients, e.g. Microsoft RDC for Mac OS X.

SSL_OP_NO_COMPRESSION:

The Microsoft RDP server does not advertise support for TLS compression, but alternative servers may support it. This was observed between early versions of the FreeRDP server and the FreeRDP client, and caused major performance issues, which is why we're disabling it.

SSL_OP_TLS_BLOCK_PADDING_BUG:

The Microsoft RDP server does not support TLS padding. It absolutely needs to be disabled, otherwise the connection won't work.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:

Just like TLS padding, the Microsoft RDP server does not support empty fragments. This needs to be disabled.


FREERDP_API int tls_connect ( rdpTls *  tls,
BIO *  underlying 
)

SSL_OP_NO_COMPRESSION:

The Microsoft RDP server does not advertise support for TLS compression, but alternative servers may support it. This was observed between early versions of the FreeRDP server and the FreeRDP client, and caused major performance issues, which is why we're disabling it.

SSL_OP_TLS_BLOCK_PADDING_BUG:

The Microsoft RDP server does not support TLS padding. It absolutely needs to be disabled, otherwise the connection won't work.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:

Just like TLS padding, the Microsoft RDP server does not support empty fragments. This needs to be disabled.

Disable SSLv2 and SSLv3.


FREERDP_API void tls_free ( rdpTls *  tls)


FREERDP_API rdpTls* tls_new ( rdpSettings *  settings)


FREERDP_API BOOL tls_send_alert ( rdpTls *  tls)

FIXME: The following code does not work on OpenSSL > 1.1.0 because the SSL struct is opaque now.

OpenSSL doesn't really expose an API for sending a TLS alert manually.

The following code disables the sending of the default "close notify" alert and then forces a custom TLS alert to be sent before shutting down.

Manually sending a TLS alert is necessary in certain cases, like when server-side NLA results in an authentication failure.


FREERDP_API int tls_set_alert_code ( rdpTls *  tls,
int  level,
int  description 
)


FREERDP_API int tls_write_all ( rdpTls *  tls,
const BYTE *  data,
int  length 
)
