/*****************************************************************************/ /* returns error */ staticint
xrdp_iso_negotiate_security(struct xrdp_iso *self)
{ int rv = 0; struct xrdp_client_info *client_info = &(self->mcs_layer->sec_layer->rdp_layer->client_info); char protostr[64]; int got_protocol = 0; int security_type_mask;
/* Map the configuration from xrdp.ini to a mask of allowed *securitytypes([MS-RDPBCGR]2.2.1.2.1) * *There'ssomeoddnessaroundPROTOCOL_RDP.Thisvalueis0, *forcompatibilityreasons,andit'sOKfortheserverto *suggestRDPasthefallbackprotocolifnothingelseis *agreedon.Nowadays,classicRDPsecurityshould
* not be used, if at all avoidable */
/* At present we only support SSL and RDP security */ if (client_info->security_layer == SECURITY_LAYER_RDP)
{
security_type_mask = PROTOCOL_RDP;
} else
{
security_type_mask = PROTOCOL_SSL;
} /* But VMConnect mode supports everything. */ if (client_info->vmconnect)
{
security_type_mask |= PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX;
}
/* Logically 'and' this value with the mask requested by the client, and
* see what's left */
protocol_mask_to_str(self->requestedProtocol, protostr, sizeof(protostr));
LOG(LOG_LEVEL_INFO, "Client requested security types (RDP assumed) : %s",
protostr);
security_type_mask &= self->requestedProtocol;
if (security_type_mask & PROTOCOL_HYBRID_EX)
{ /* Currently supported by VMConnect mode only */
LOG(LOG_LEVEL_INFO, "Selected HYBRID_EX security");
self->selectedProtocol = PROTOCOL_HYBRID_EX;
got_protocol = 1;
} elseif (security_type_mask & PROTOCOL_HYBRID)
{ /* Currently supported by VMConnect mode only */
LOG(LOG_LEVEL_INFO, "Selected HYBRID security");
self->selectedProtocol = PROTOCOL_HYBRID;
got_protocol = 1;
} elseif ((security_type_mask & PROTOCOL_SSL) != 0)
{ /* Can we do TLS? (basic check). VMConnect is exempt. */ if ((g_file_readable(client_info->certificate) &&
g_file_readable(client_info->key_file)) || client_info->vmconnect)
{
LOG(LOG_LEVEL_INFO, "Selected TLS security");
self->selectedProtocol = PROTOCOL_SSL;
got_protocol = 1;
} else
{
LOG(LOG_LEVEL_WARNING, "Cannot accept TLS connections because " "certificate or private key file is not readable. " "certificate file: [%s], private key file: [%s]",
client_info->certificate, client_info->key_file);
/* If we're configured to ONLY use TLS, this is a problem.
* If not, we can fall back to RDP */ if (client_info->security_layer == SECURITY_LAYER_TLS)
{
LOG(LOG_LEVEL_ERROR, "Server requires TLS (security_layer=tls)");
self->failureCode = SSL_CERT_NOT_ON_SERVER;
rv = 1;
}
}
} elseif (client_info->security_layer == SECURITY_LAYER_TLS)
{ /* We don't have a match on TLS, but we'll accept nothing less */
LOG(LOG_LEVEL_ERROR, "Server requires TLS (security_layer=tls)");
self->failureCode = SSL_REQUIRED_BY_SERVER;
rv = 1;
}
/* If we haven't got a match so far, and we haven't got a fail,
* try RDP */ if (!got_protocol && !rv)
{
self->selectedProtocol = PROTOCOL_RDP;
LOG(LOG_LEVEL_INFO, "Selected classic RDP security");
}
return rv;
}
/*****************************************************************************/ /* Process a [MS-RDPBCGR] RDP_NEG_REQ message. *returnserror
*/ staticint
xrdp_iso_process_rdp_neg_req(struct xrdp_iso *self, struct stream *s)
{ int flags; int len;
if (!s_check_rem_and_log(s, 7, "Parsing [MS-RDPBCGR] RDP_NEG_REQ"))
{ return1;
}
/* The type field has already been read to determine that this function
should be called */
in_uint8(s, flags); /* flags */ if ((flags & 0x0000000b) != flags)
{
LOG(LOG_LEVEL_ERROR, "Unsupported [MS-RDPBCGR] RDP_NEG_REQ flags: 0x%2.2x", flags); return1;
}
/* If both flags are set, it means 'OR', so fail only if only the one is set. */ if ((flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED) && !(flags & RESTRICTED_ADMIN_MODE_REQUIRED))
{
LOG(LOG_LEVEL_ERROR, "[MS-RDPBCGR] RDP_NEG_REQ: RemoteGuard isn't supported !"); return1;
}
in_uint16_le(s, len); /* length */ if (len != 8)
{
LOG(LOG_LEVEL_ERROR, "Protocol error: [MS-RDPBCGR] RDP_NEG_REQ length must be 8, " "received %d", len); return1;
}
if (s != self->trans->in_s)
{
LOG(LOG_LEVEL_WARNING, "Bug: the input stream is not the same stream as the " "transport input stream");
}
/* [ITU-T T.123] TPKT header is 4 bytes, then first 2 bytes of the X.224 CR-TPDU */ if (!s_check_rem_and_log(s, 6, "Parsing [ITU-T T.123] TPKT header and [ITU-T X.224] TPDU header"))
{ return1;
}
if (*len == 255)
{ /* X.224 13.2.1 - reserved value */
LOG(LOG_LEVEL_ERROR, "[ITU-T X.224] TPDU header: unsupported use of reserved length value");
LOG_DEVEL_HEXDUMP(LOG_LEVEL_ERROR, "[ITU-T X.224] TPDU header", s->data + 4, 4); return1;
}
if (*code == ISO_PDU_DT)
{ /* Data PDU : X.224 13.7 class 0 */ if (!s_check_rem_and_log(s, 1, "Parsing [ITU-T X.224] DT-TPDU (Data) header"))
{ return1;
}
in_uint8s(s, 1); /* EOT (End of TSDU Mark) (upper 1 bit) and
TPDU-NR (Data TPDU Number) (lower 7 bits) */
} else
{ /* Other supported X.224 class 0 PDUs all have 5 bytes remaining inthefixedheader: CRConnectionrequest(13.3) CCConnectionconfirm(13.4)
DR Disconnect request (13.5) */ if (!s_check_rem_and_log(s, 5, "Parsing [ITU-T X.224] Other PDU header"))
{ return1;
}
in_uint8s(s, 5); /* DST-REF (2 bytes) SRC-REF(2bytes)
[CR, CC] CLASS OPTION (1 byte) or [DR] REASON (1 byte) */
}
return0;
}
/*****************************************************************************/ /* Process the header of a [ITU-T X.224] DT-TPDU (Data) message. * *returnserror
*/ int
xrdp_iso_recv(struct xrdp_iso *self, struct stream *s)
{ int code; int len;
/*****************************************************************************/ /* Sends a message with the [ITU-T T.123] TPKT header (T.123 section 8) and *[ITU-TX.224]DT-TPDU(Data)header(X.224section13) *returnserror
*/ int
xrdp_iso_send(struct xrdp_iso *self, struct stream *s)
{ int len;
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.