#include <winpr/crt.h>
#include <winpr/sspi.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <freerdp/api.h>
#include <freerdp/types.h>
#include <freerdp/crypto/certificate_store.h>
#include <winpr/stream.h>

This graph shows which files directly or indirectly include this file:

Data Structures
struct	rdpTls

Macros
#define	TLS_ALERT_LEVEL_WARNING 1

#define	TLS_ALERT_LEVEL_FATAL 2

#define	TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY 0

#define	TLS_ALERT_DESCRIPTION_UNEXPECTED_MESSAGE 10

#define	TLS_ALERT_DESCRIPTION_BAD_RECORD_MAC 20

#define	TLS_ALERT_DESCRIPTION_DECRYPTION_FAILED 21

#define	TLS_ALERT_DESCRIPTION_RECORD_OVERFLOW 22

#define	TLS_ALERT_DESCRIPTION_DECOMPRESSION_FAILURE 30

#define	TLS_ALERT_DESCRIPTION_HANSHAKE_FAILURE 40

#define	TLS_ALERT_DESCRIPTION_NO_CERTIFICATE 41

#define	TLS_ALERT_DESCRIPTION_BAD_CERTIFICATE 42

#define	TLS_ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE 43

#define	TLS_ALERT_DESCRIPTION_CERTIFICATE_REVOKED 44

#define	TLS_ALERT_DESCRIPTION_CERTIFICATE_EXPIRED 45

#define	TLS_ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN 46

#define	TLS_ALERT_DESCRIPTION_ILLEGAL_PARAMETER 47

#define	TLS_ALERT_DESCRIPTION_UNKNOWN_CA 48

#define	TLS_ALERT_DESCRIPTION_ACCESS_DENIED 49

#define	TLS_ALERT_DESCRIPTION_DECODE_ERROR 50

#define	TLS_ALERT_DESCRIPTION_DECRYPT_ERROR 51

#define	TLS_ALERT_DESCRIPTION_EXPORT_RESTRICTION 60

#define	TLS_ALERT_DESCRIPTION_PROTOCOL_VERSION 70

#define	TLS_ALERT_DESCRIPTION_INSUFFICIENT_SECURITY 71

#define	TLS_ALERT_DESCRIPTION_INTERNAL_ERROR 80

#define	TLS_ALERT_DESCRIPTION_USER_CANCELED 90

#define	TLS_ALERT_DESCRIPTION_NO_RENEGOTIATION 100

#define	TLS_ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION 110

Enumerations
enum	TlsHandshakeResult { TLS_HANDSHAKE_SUCCESS , TLS_HANDSHAKE_CONTINUE , TLS_HANDSHAKE_ERROR , TLS_HANDSHAKE_VERIFY_ERROR }
	result of a handshake operation More...

Functions
FREERDP_LOCAL const SSL_METHOD *	freerdp_tls_get_ssl_method (BOOL isDtls, BOOL isClient)

FREERDP_LOCAL int	freerdp_tls_connect (rdpTls tls, BIO underlying)

FREERDP_LOCAL TlsHandshakeResult	freerdp_tls_connect_ex (rdpTls tls, BIO underlying, const SSL_METHOD *methods)

FREERDP_LOCAL BOOL	freerdp_tls_accept (rdpTls tls, BIO underlying, rdpSettings *settings)

FREERDP_LOCAL TlsHandshakeResult	freerdp_tls_accept_ex (rdpTls tls, BIO underlying, rdpSettings settings, const SSL_METHOD methods)

FREERDP_LOCAL TlsHandshakeResult	freerdp_tls_handshake (rdpTls *tls)

FREERDP_LOCAL BOOL	freerdp_tls_send_alert (rdpTls *tls)

FREERDP_LOCAL int	freerdp_tls_write_all (rdpTls tls, const BYTE data, int length)

FREERDP_LOCAL int	freerdp_tls_set_alert_code (rdpTls *tls, int level, int description)

FREERDP_LOCAL void	freerdp_tls_free (rdpTls *tls)

FREERDP_LOCAL rdpTls *	freerdp_tls_new (rdpContext *context)

Macro Definition Documentation

◆ TLS_ALERT_DESCRIPTION_ACCESS_DENIED

#define TLS_ALERT_DESCRIPTION_ACCESS_DENIED 49

◆ TLS_ALERT_DESCRIPTION_BAD_CERTIFICATE

#define TLS_ALERT_DESCRIPTION_BAD_CERTIFICATE 42

◆ TLS_ALERT_DESCRIPTION_BAD_RECORD_MAC

#define TLS_ALERT_DESCRIPTION_BAD_RECORD_MAC 20

◆ TLS_ALERT_DESCRIPTION_CERTIFICATE_EXPIRED

#define TLS_ALERT_DESCRIPTION_CERTIFICATE_EXPIRED 45

◆ TLS_ALERT_DESCRIPTION_CERTIFICATE_REVOKED

#define TLS_ALERT_DESCRIPTION_CERTIFICATE_REVOKED 44

◆ TLS_ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN

#define TLS_ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN 46

◆ TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY

#define TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY 0

◆ TLS_ALERT_DESCRIPTION_DECODE_ERROR

#define TLS_ALERT_DESCRIPTION_DECODE_ERROR 50

◆ TLS_ALERT_DESCRIPTION_DECOMPRESSION_FAILURE

#define TLS_ALERT_DESCRIPTION_DECOMPRESSION_FAILURE 30

◆ TLS_ALERT_DESCRIPTION_DECRYPT_ERROR

#define TLS_ALERT_DESCRIPTION_DECRYPT_ERROR 51

◆ TLS_ALERT_DESCRIPTION_DECRYPTION_FAILED

#define TLS_ALERT_DESCRIPTION_DECRYPTION_FAILED 21

◆ TLS_ALERT_DESCRIPTION_EXPORT_RESTRICTION

#define TLS_ALERT_DESCRIPTION_EXPORT_RESTRICTION 60

◆ TLS_ALERT_DESCRIPTION_HANSHAKE_FAILURE

#define TLS_ALERT_DESCRIPTION_HANSHAKE_FAILURE 40

◆ TLS_ALERT_DESCRIPTION_ILLEGAL_PARAMETER

#define TLS_ALERT_DESCRIPTION_ILLEGAL_PARAMETER 47

◆ TLS_ALERT_DESCRIPTION_INSUFFICIENT_SECURITY

#define TLS_ALERT_DESCRIPTION_INSUFFICIENT_SECURITY 71

◆ TLS_ALERT_DESCRIPTION_INTERNAL_ERROR

#define TLS_ALERT_DESCRIPTION_INTERNAL_ERROR 80

◆ TLS_ALERT_DESCRIPTION_NO_CERTIFICATE

#define TLS_ALERT_DESCRIPTION_NO_CERTIFICATE 41

◆ TLS_ALERT_DESCRIPTION_NO_RENEGOTIATION

#define TLS_ALERT_DESCRIPTION_NO_RENEGOTIATION 100

◆ TLS_ALERT_DESCRIPTION_PROTOCOL_VERSION

#define TLS_ALERT_DESCRIPTION_PROTOCOL_VERSION 70

◆ TLS_ALERT_DESCRIPTION_RECORD_OVERFLOW

#define TLS_ALERT_DESCRIPTION_RECORD_OVERFLOW 22

◆ TLS_ALERT_DESCRIPTION_UNEXPECTED_MESSAGE

#define TLS_ALERT_DESCRIPTION_UNEXPECTED_MESSAGE 10

◆ TLS_ALERT_DESCRIPTION_UNKNOWN_CA

#define TLS_ALERT_DESCRIPTION_UNKNOWN_CA 48

◆ TLS_ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE

#define TLS_ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE 43

◆ TLS_ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION

#define TLS_ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION 110

◆ TLS_ALERT_DESCRIPTION_USER_CANCELED

#define TLS_ALERT_DESCRIPTION_USER_CANCELED 90

◆ TLS_ALERT_LEVEL_FATAL

#define TLS_ALERT_LEVEL_FATAL 2

◆ TLS_ALERT_LEVEL_WARNING

#define TLS_ALERT_LEVEL_WARNING 1

FreeRDP: A Remote Desktop Protocol Implementation Transport Layer Security

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Enumeration Type Documentation

◆ TlsHandshakeResult

enum TlsHandshakeResult

result of a handshake operation

Enumerator
TLS_HANDSHAKE_SUCCESS	handshake was successful
TLS_HANDSHAKE_CONTINUE	handshake is not completed
TLS_HANDSHAKE_ERROR	an error (probably IO error) happened
TLS_HANDSHAKE_VERIFY_ERROR	Certificate verification failed (client mode)

Function Documentation

◆ freerdp_tls_accept()

FREERDP_LOCAL BOOL freerdp_tls_accept	(	rdpTls *	tls,
		BIO *	underlying,
		rdpSettings *	settings
	)

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_accept_ex()

FREERDP_LOCAL TlsHandshakeResult freerdp_tls_accept_ex	(	rdpTls *	tls,
		BIO *	underlying,
		rdpSettings *	settings,
		const SSL_METHOD *	methods
	)

SSL_OP_NO_SSLv2:

We only want SSLv3 and TLSv1, so disable SSLv2. SSLv3 is used by, eg. Microsoft RDC for Mac OS X.

SSL_OP_NO_COMPRESSION:

The Microsoft RDP server does not advertise support for TLS compression, but alternative servers may support it. This was observed between early versions of the FreeRDP server and the FreeRDP client, and caused major performance issues, which is why we're disabling it.

SSL_OP_TLS_BLOCK_PADDING_BUG:

The Microsoft RDP server does not support TLS padding. It absolutely needs to be disabled otherwise it won't work.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:

Just like TLS padding, the Microsoft RDP server does not support empty fragments. This needs to be disabled.

SSL_OP_NO_RENEGOTIATION

Disable SSL client site renegotiation.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_connect()

FREERDP_LOCAL int freerdp_tls_connect	(	rdpTls *	tls,
		BIO *	underlying
	)

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_connect_ex()

FREERDP_LOCAL TlsHandshakeResult freerdp_tls_connect_ex	(	rdpTls *	tls,
		BIO *	underlying,
		const SSL_METHOD *	methods
	)

SSL_OP_NO_COMPRESSION:

The Microsoft RDP server does not advertise support for TLS compression, but alternative servers may support it. This was observed between early versions of the FreeRDP server and the FreeRDP client, and caused major performance issues, which is why we're disabling it.

SSL_OP_TLS_BLOCK_PADDING_BUG:

The Microsoft RDP server does not support TLS padding. It absolutely needs to be disabled otherwise it won't work.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:

Just like TLS padding, the Microsoft RDP server does not support empty fragments. This needs to be disabled.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_free()

FREERDP_LOCAL void freerdp_tls_free ( rdpTls * tls )

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_get_ssl_method()

FREERDP_LOCAL const SSL_METHOD* freerdp_tls_get_ssl_method	(	BOOL	isDtls,
		BOOL	isClient
	)

Here is the caller graph for this function:

◆ freerdp_tls_handshake()

FREERDP_LOCAL TlsHandshakeResult freerdp_tls_handshake ( rdpTls * tls )

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_new()

FREERDP_LOCAL rdpTls* freerdp_tls_new ( rdpContext * context )

Here is the call graph for this function:

Here is the caller graph for this function:

◆ freerdp_tls_send_alert()

FREERDP_LOCAL BOOL freerdp_tls_send_alert ( rdpTls * tls )

FIXME: The following code does not work on OpenSSL > 1.1.0 because the SSL struct is opaqe now

OpenSSL doesn't really expose an API for sending a TLS alert manually.

The following code disables the sending of the default "close notify" and then proceeds to force sending a custom TLS alert before shutting down.

Manually sending a TLS alert is necessary in certain cases, like when server-side NLA results in an authentication failure.

Here is the caller graph for this function:

◆ freerdp_tls_set_alert_code()

FREERDP_LOCAL int freerdp_tls_set_alert_code	(	rdpTls *	tls,
		int	level,
		int	description
	)

Here is the caller graph for this function:

◆ freerdp_tls_write_all()

FREERDP_LOCAL int freerdp_tls_write_all	(	rdpTls *	tls,
		const BYTE *	data,
		int	length
	)

Here is the call graph for this function:

Here is the caller graph for this function:

Data Structures

Macros

Enumerations

Functions

Macro Definition Documentation

◆ TLS_ALERT_DESCRIPTION_ACCESS_DENIED

◆ TLS_ALERT_DESCRIPTION_BAD_CERTIFICATE

◆ TLS_ALERT_DESCRIPTION_BAD_RECORD_MAC

◆ TLS_ALERT_DESCRIPTION_CERTIFICATE_EXPIRED

◆ TLS_ALERT_DESCRIPTION_CERTIFICATE_REVOKED

◆ TLS_ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN

◆ TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY

◆ TLS_ALERT_DESCRIPTION_DECODE_ERROR

◆ TLS_ALERT_DESCRIPTION_DECOMPRESSION_FAILURE

◆ TLS_ALERT_DESCRIPTION_DECRYPT_ERROR

◆ TLS_ALERT_DESCRIPTION_DECRYPTION_FAILED

◆ TLS_ALERT_DESCRIPTION_EXPORT_RESTRICTION

◆ TLS_ALERT_DESCRIPTION_HANSHAKE_FAILURE

◆ TLS_ALERT_DESCRIPTION_ILLEGAL_PARAMETER

◆ TLS_ALERT_DESCRIPTION_INSUFFICIENT_SECURITY

◆ TLS_ALERT_DESCRIPTION_INTERNAL_ERROR

◆ TLS_ALERT_DESCRIPTION_NO_CERTIFICATE

◆ TLS_ALERT_DESCRIPTION_NO_RENEGOTIATION

◆ TLS_ALERT_DESCRIPTION_PROTOCOL_VERSION

◆ TLS_ALERT_DESCRIPTION_RECORD_OVERFLOW

◆ TLS_ALERT_DESCRIPTION_UNEXPECTED_MESSAGE

◆ TLS_ALERT_DESCRIPTION_UNKNOWN_CA

◆ TLS_ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE

◆ TLS_ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION

◆ TLS_ALERT_DESCRIPTION_USER_CANCELED

◆ TLS_ALERT_LEVEL_FATAL

◆ TLS_ALERT_LEVEL_WARNING

Enumeration Type Documentation

◆ TlsHandshakeResult

Function Documentation

◆ freerdp_tls_accept()

◆ freerdp_tls_accept_ex()

◆ freerdp_tls_connect()

◆ freerdp_tls_connect_ex()

◆ freerdp_tls_free()

◆ freerdp_tls_get_ssl_method()

◆ freerdp_tls_handshake()

◆ freerdp_tls_new()

◆ freerdp_tls_send_alert()

◆ freerdp_tls_set_alert_code()

◆ freerdp_tls_write_all()