jh163888/xrdp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #1778 from matt335672/ec-crypto

Browse Source 
Support EC cryptographic keys for TLS
This commit is contained in:
matt335672 2021-01-07 10:47:42 +00:00 committed by GitHub
commit cca057908c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 86 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
common/ssl_calls.c
View File

@ -532,7 +532,8 @@ see also
*/ */
static DH *ssl_get_dh2236() static DH *ssl_get_dh2236()
{ {
static unsigned char dh2236_p[] = { static unsigned char dh2236_p[] =
{
0x0E, 0xF8, 0x69, 0x0B, 0x35, 0x2F, 0x62, 0x59, 0xF7, 0xAF, 0x4E, 0x19, 0x0E, 0xF8, 0x69, 0x0B, 0x35, 0x2F, 0x62, 0x59, 0xF7, 0xAF, 0x4E, 0x19,
0xB5, 0x9B, 0xD2, 0xEB, 0x33, 0x78, 0x1D, 0x43, 0x1D, 0xB6, 0xE4, 0xA3, 0xB5, 0x9B, 0xD2, 0xEB, 0x33, 0x78, 0x1D, 0x43, 0x1D, 0xB6, 0xE4, 0xA3,
0x63, 0x47, 0x6A, 0xD4, 0xA8, 0x28, 0x11, 0x8C, 0x3F, 0xC8, 0xF1, 0x32, 0x63, 0x47, 0x6A, 0xD4, 0xA8, 0x28, 0x11, 0x8C, 0x3F, 0xC8, 0xF1, 0x32,
@ -558,7 +559,8 @@ static DH *ssl_get_dh2236()
0x70, 0xAC, 0x58, 0x3A, 0x3C, 0x18, 0x15, 0x54, 0x84, 0xA8, 0xAA, 0x41, 0x70, 0xAC, 0x58, 0x3A, 0x3C, 0x18, 0x15, 0x54, 0x84, 0xA8, 0xAA, 0x41,
0x26, 0x7B, 0xE0, 0xA3, 0x26, 0x7B, 0xE0, 0xA3,
}; };
static unsigned char dh2236_g[] = { static unsigned char dh2236_g[] =
{
0x02, 0x02,
}; };
@ -613,14 +615,13 @@ ssl_tls_create(struct trans *trans, const char *key, const char *cert)
} }
/*****************************************************************************/ /*****************************************************************************/
int static int
ssl_tls_print_error(const char *func, SSL *connection, int value) ssl_tls_log_error(const char *func, SSL *connection, int value)
{ {
switch (SSL_get_error(connection, value)) switch (SSL_get_error(connection, value))
{ {
case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_ZERO_RETURN:
g_writeln("ssl_tls_print_error: %s: Server closed TLS connection", LOG(LOG_LEVEL_ERROR, "%s: Server closed TLS connection", func);
func);
return 1; return 1;
case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_READ:
@ -628,16 +629,15 @@ ssl_tls_print_error(const char *func, SSL *connection, int value)
return 0; return 0;
case SSL_ERROR_SYSCALL: case SSL_ERROR_SYSCALL:
g_writeln("ssl_tls_print_error: %s: I/O error", func); LOG(LOG_LEVEL_ERROR, "%s: I/O error", func);
return 1; return 1;
case SSL_ERROR_SSL: case SSL_ERROR_SSL:
g_writeln("ssl_tls_print_error: %s: Failure in SSL library (protocol error?)", LOG(LOG_LEVEL_ERROR, "%s: Failure in SSL library (protocol error?)", func);
func);
return 1; return 1;
default: default:
g_writeln("ssl_tls_print_error: %s: Unknown error", func); LOG(LOG_LEVEL_ERROR, "%s: Unknown SSL error", func);
return 1; return 1;
} }
} }
@ -694,7 +694,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
self->ctx = SSL_CTX_new(SSLv23_server_method()); self->ctx = SSL_CTX_new(SSLv23_server_method());
if (self->ctx == NULL) if (self->ctx == NULL)
{ {
log_message(LOG_LEVEL_ERROR, "ssl_tls_accept: SSL_CTX_new failed"); LOG(LOG_LEVEL_ERROR, "Unable to negotiate a TLS connection with the client");
return 1; return 1;
} }
@ -708,14 +708,13 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
DH *dh = ssl_get_dh2236(); DH *dh = ssl_get_dh2236();
if (dh == NULL) if (dh == NULL)
{ {
log_message(LOG_LEVEL_ERROR, "ssl_tls_accept: ssl_get_dh2236 failed"); LOG(LOG_LEVEL_ERROR, "Unable to generate DHE parameters for TLS");
return 1; return 1;
} }
if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1)
{ {
log_message(LOG_LEVEL_ERROR, LOG(LOG_LEVEL_ERROR, "Unable to setup DHE parameters for TLS");
"ssl_tls_accept: SSL_CTX_set_tmp_dh failed");
return 1; return 1;
} }
DH_free(dh); // ok to free, copied into ctx by SSL_CTX_set_tmp_dh() DH_free(dh); // ok to free, copied into ctx by SSL_CTX_set_tmp_dh()
@ -729,27 +728,26 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
if (g_strlen(tls_ciphers) > 1) if (g_strlen(tls_ciphers) > 1)
{ {
log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s", LOG(LOG_LEVEL_TRACE, "tls_ciphers=%s", tls_ciphers);
tls_ciphers);
if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0) if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
{ {
g_writeln("ssl_tls_accept: invalid cipher options"); LOG(LOG_LEVEL_ERROR, "Invalid TLS cipher options %s", tls_ciphers);
return 1; return 1;
} }
} }
SSL_CTX_set_read_ahead(self->ctx, 0); SSL_CTX_set_read_ahead(self->ctx, 0);
if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM) if (SSL_CTX_use_PrivateKey_file(self->ctx, self->key, SSL_FILETYPE_PEM)
<= 0) <= 0)
{ {
g_writeln("ssl_tls_accept: SSL_CTX_use_RSAPrivateKey_file failed"); LOG(LOG_LEVEL_ERROR, "Error loading TLS private key from %s", self->key);
return 1; return 1;
} }
if (SSL_CTX_use_certificate_chain_file(self->ctx, self->cert) <= 0) if (SSL_CTX_use_certificate_chain_file(self->ctx, self->cert) <= 0)
{ {
g_writeln("ssl_tls_accept: SSL_CTX_use_certificate_chain_file failed"); LOG(LOG_LEVEL_ERROR, "Error loading TLS certificate chain from %s", self->cert);
return 1; return 1;
} }
@ -757,22 +755,24 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
if (self->ssl == NULL) if (self->ssl == NULL)
{ {
g_writeln("ssl_tls_accept: SSL_new failed"); LOG(LOG_LEVEL_ERROR, "Unable to create an SSL structure");
return 1; return 1;
} }
if (SSL_set_fd(self->ssl, self->trans->sck) < 1) if (SSL_set_fd(self->ssl, self->trans->sck) < 1)
{ {
g_writeln("ssl_tls_accept: SSL_set_fd failed"); LOG(LOG_LEVEL_ERROR, "Unable to set up an SSL structure on fd %d",
(int)self->trans->sck);
return 1; return 1;
} }
while(1) { while (1)
{
connection_status = SSL_accept(self->ssl); connection_status = SSL_accept(self->ssl);
if (connection_status <= 0) if (connection_status <= 0)
{ {
if (ssl_tls_print_error("SSL_accept", self->ssl, connection_status)) if (ssl_tls_log_error("SSL_accept", self->ssl, connection_status))
{ {
return 1; return 1;
} }
@ -797,7 +797,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
} }
} }
g_writeln("ssl_tls_accept: TLS connection accepted"); LOG(LOG_LEVEL_TRACE, "TLS connection accepted");
return 0; return 0;
} }
@ -823,7 +823,7 @@ ssl_tls_disconnect(struct ssl_tls *self)
status = SSL_shutdown(self->ssl); status = SSL_shutdown(self->ssl);
if (status <= 0) if (status <= 0)
{ {
if (ssl_tls_print_error("SSL_shutdown", self->ssl, status)) if (ssl_tls_log_error("SSL_shutdown", self->ssl, status))
{ {
return 1; return 1;
} }
@ -844,10 +844,14 @@ ssl_tls_delete(struct ssl_tls *self)
if (self != NULL) if (self != NULL)
{ {
if (self->ssl) if (self->ssl)
{
SSL_free(self->ssl); SSL_free(self->ssl);
}
if (self->ctx) if (self->ctx)
{
SSL_CTX_free(self->ctx); SSL_CTX_free(self->ctx);
}
g_delete_wait_obj(self->rwo); g_delete_wait_obj(self->rwo);
@ -862,7 +866,8 @@ ssl_tls_read(struct ssl_tls *tls, char *data, int length)
int status; int status;
int break_flag; int break_flag;
while(1) { while (1)
{
status = SSL_read(tls->ssl, data, length); status = SSL_read(tls->ssl, data, length);
switch (SSL_get_error(tls->ssl, status)) switch (SSL_get_error(tls->ssl, status))
@ -888,7 +893,7 @@ ssl_tls_read(struct ssl_tls *tls, char *data, int length)
return 0; return 0;
default: default:
ssl_tls_print_error("SSL_read", tls->ssl, status); ssl_tls_log_error("SSL_read", tls->ssl, status);
status = -1; status = -1;
break_flag = 1; break_flag = 1;
break; break;
@ -915,7 +920,8 @@ ssl_tls_write(struct ssl_tls *tls, const char *data, int length)
int status; int status;
int break_flag; int break_flag;
while(1) { while (1)
{
status = SSL_write(tls->ssl, data, length); status = SSL_write(tls->ssl, data, length);
switch (SSL_get_error(tls->ssl, status)) switch (SSL_get_error(tls->ssl, status))
@ -941,7 +947,7 @@ ssl_tls_write(struct ssl_tls *tls, const char *data, int length)
return 0; return 0;
default: default:
ssl_tls_print_error("SSL_write", tls->ssl, status); ssl_tls_log_error("SSL_write", tls->ssl, status);
status = -1; status = -1;
break_flag = 1; break_flag = 1;
break; break;
@ -1016,10 +1022,10 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
if (g_pos(str, ",TLSv1.3,") >= 0) if (g_pos(str, ",TLSv1.3,") >= 0)
{ {
#if defined(SSL_OP_NO_TLSv1_3) #if defined(SSL_OP_NO_TLSv1_3)
log_message(LOG_LEVEL_DEBUG, "TLSv1.3 enabled"); LOG(LOG_LEVEL_DEBUG, "TLSv1.3 enabled");
protocols &= ~SSL_OP_NO_TLSv1_3; protocols &= ~SSL_OP_NO_TLSv1_3;
#else #else
log_message(LOG_LEVEL_WARNING, LOG(LOG_LEVEL_WARNING,
"TLSv1.3 enabled by config, " "TLSv1.3 enabled by config, "
"but not supported by system OpenSSL"); "but not supported by system OpenSSL");
rv |= (1 << 6); rv |= (1 << 6);
@ -1028,10 +1034,10 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
if (g_pos(str, ",TLSv1.2,") >= 0) if (g_pos(str, ",TLSv1.2,") >= 0)
{ {
#if defined(SSL_OP_NO_TLSv1_2) #if defined(SSL_OP_NO_TLSv1_2)
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled"); LOG(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
protocols &= ~SSL_OP_NO_TLSv1_2; protocols &= ~SSL_OP_NO_TLSv1_2;
#else #else
log_message(LOG_LEVEL_WARNING, LOG(LOG_LEVEL_WARNING,
"TLSv1.2 enabled by config, " "TLSv1.2 enabled by config, "
"but not supported by system OpenSSL"); "but not supported by system OpenSSL");
rv |= (1 << 1); rv |= (1 << 1);
@ -1040,10 +1046,10 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
if (g_pos(str, ",TLSv1.1,") >= 0) if (g_pos(str, ",TLSv1.1,") >= 0)
{ {
#if defined(SSL_OP_NO_TLSv1_1) #if defined(SSL_OP_NO_TLSv1_1)
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled"); LOG(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
protocols &= ~SSL_OP_NO_TLSv1_1; protocols &= ~SSL_OP_NO_TLSv1_1;
#else #else
log_message(LOG_LEVEL_WARNING, LOG(LOG_LEVEL_WARNING,
"TLSv1.1 enabled by config, " "TLSv1.1 enabled by config, "
"but not supported by system OpenSSL"); "but not supported by system OpenSSL");
rv |= (1 << 2); rv |= (1 << 2);
@ -1052,10 +1058,10 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
if (g_pos(str, ",TLSv1,") >= 0) if (g_pos(str, ",TLSv1,") >= 0)
{ {
#if defined(SSL_OP_NO_TLSv1) #if defined(SSL_OP_NO_TLSv1)
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled"); LOG(LOG_LEVEL_DEBUG, "TLSv1 enabled");
protocols &= ~SSL_OP_NO_TLSv1; protocols &= ~SSL_OP_NO_TLSv1;
#else #else
log_message(LOG_LEVEL_WARNING, LOG(LOG_LEVEL_WARNING,
"TLSv1 enabled by config, " "TLSv1 enabled by config, "
"but not supported by system OpenSSL"); "but not supported by system OpenSSL");
rv |= (1 << 3); rv |= (1 << 3);
@ -1064,10 +1070,10 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
if (g_pos(str, ",SSLv3,") >= 0) if (g_pos(str, ",SSLv3,") >= 0)
{ {
#if defined(SSL_OP_NO_SSLv3) #if defined(SSL_OP_NO_SSLv3)
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled"); LOG(LOG_LEVEL_DEBUG, "SSLv3 enabled");
protocols &= ~SSL_OP_NO_SSLv3; protocols &= ~SSL_OP_NO_SSLv3;
#else #else
log_message(LOG_LEVEL_WARNING, LOG(LOG_LEVEL_WARNING,
"SSLv3 enabled by config, " "SSLv3 enabled by config, "
"but not supported by system OpenSSL"); "but not supported by system OpenSSL");
rv |= (1 << 4); rv |= (1 << 4);
@ -1075,7 +1081,7 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
} }
if (protocols == bad_protocols) if (protocols == bad_protocols)
{ {
log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. " LOG(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
"At least one protocol should be enabled to accept " "At least one protocol should be enabled to accept "
"TLS connections."); "TLS connections.");
rv |= (1 << 5); rv |= (1 << 5);