| author | Jay Sorg <jay.sorg@gmail.com> | 2017-06-08 09:39:07 -0700 |
|---|---|---|
| committer | metalefty <meta@vmeta.jp> | 2017-06-22 11:47:48 +0900 |
| commit | 8d63c32899ff9972e45cbb19f7aa020da31bbd8e (patch) | |
| tree | 85e1cb7dea383aaeeb0d616d6464fe8dce1eead4 /common | |
| parent | 5def0596e0c8832d8c47396b7b5ab91258e3e4d9 (diff) | |
move openssl calls to common/libssl.c, check for defines
Diffstat (limited to 'common')
| -rw-r--r-- | common/ssl_calls.c | 81 | ||||
| -rw-r--r-- | common/ssl_calls.h | 9 |
2 files changed, 86 insertions, 4 deletions
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 0362f668..a741ef92 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -37,6 +37,7 @@
 #include "arch.h"
 #include "ssl_calls.h"
 #include "trans.h"
+#include "log.h"
 
 #define SSL_WANT_READ_WRITE_TIMEOUT 100
 
@@ -829,7 +830,6 @@ ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis)
     return g_sck_can_recv(sck, millis);
 }
 
-
 /*****************************************************************************/
 const char *
 ssl_get_version(const struct ssl_st *ssl)
@@ -843,3 +843,82 @@ ssl_get_cipher_name(const struct ssl_st *ssl)
 {
     return SSL_get_cipher_name(ssl);
 }
+
+/*****************************************************************************/
+int
+ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
+{
+    long protocols;
+    long bad_protocols;
+    int rv;
+
+    if ((str == NULL) || (ssl_protocols == NULL))
+    {
+        return 1;
+    }
+    rv = 0;
+    protocols = 0;
+#if defined(SSL_OP_NO_SSLv3)
+    protocols |= SSL_OP_NO_SSLv3;
+#endif
+#if defined(SSL_OP_NO_TLSv1)
+    protocols |= SSL_OP_NO_TLSv1;
+#endif
+#if defined(SSL_OP_NO_TLSv1_1)
+    protocols |= SSL_OP_NO_TLSv1_1;
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+    protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+    bad_protocols = protocols;
+    if (g_pos(str, ",TLSv1.2,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_2)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_2;
+#else
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.2 not enabled, not available");
+        rv |= (1 << 1);
+#endif
+    }
+    if (g_pos(str, ",TLSv1.1,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_1)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_1;
+#else
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.1 not enabled, not available");
+        rv |= (1 << 2);
+#endif
+    }
+    if (g_pos(str, ",TLSv1,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1;
+#else
+        log_message(LOG_LEVEL_DEBUG, "TLSv1 not enabled, not available");
+        rv |= (1 << 3);
+#endif
+    }
+    if (g_pos(str, ",SSLv3,") >= 0)
+    {
+#if defined(SSL_OP_NO_SSLv3)
+        log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
+        protocols &= ~SSL_OP_NO_SSLv3;
+#else
+        log_message(LOG_LEVEL_DEBUG, "SSLv3 not enabled, not available");
+        rv |= (1 << 4);
+#endif
+    }
+    if (protocols == bad_protocols)
+    {
+        log_message(LOG_LEVEL_WARNING, "No SSL/TLS protocols enabled. "
+                    "At least one protocol should be enabled to accept "
+                    "TLS connections.");
+        rv |= (1 << 5);
+    }
+    *ssl_protocols = protocols;
+    return rv;
+}
+
diff --git a/common/ssl_calls.h b/common/ssl_calls.h
index 4c069cb0..dc60a23e 100644
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@@ -108,8 +108,11 @@ int
 ssl_tls_write(struct ssl_tls *tls, const char *data, int length);
 int
 ssl_tls_can_recv(struct ssl_tls *tls, int sck, int millis);
-
-const char *ssl_get_version(const struct ssl_st *ssl);
-const char *ssl_get_cipher_name(const struct ssl_st *ssl);
+const char *
+ssl_get_version(const struct ssl_st *ssl);
+const char *
+ssl_get_cipher_name(const struct ssl_st *ssl);
+int
+ssl_get_protocols_from_string(const char *str, long *ssl_protocols);
 
 #endif
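Review bot: The new ssl_get_protocols_from_string() and the prototype it adds to ssl_calls.h carry no description of their contract, and the body is the only place it can be learned: the g_pos() checks match only names wrapped in commas (`",TLSv1.2,"`), so the caller has to hand over the config value already wrapped and with no whitespace after the separators, and the return value is 1 for bad arguments but a bit mask (`1 << 1` .. `1 << 5`) for "named protocol not available in this build" and "nothing left enabled". I would put a comment above the prototype in ssl_calls.h stating the expected comma-wrapped input format, that *ssl_protocols receives an SSL_OP_NO_* mask in which every protocol not named in the string is disabled, and the meaning of each return bit. The `bad_protocols` local is really the all-disabled starting mask; naming it `all_disabled`, or adding `/* every protocol this build can disable; unchanged means nothing was enabled */` at its assignment, would make the final `protocols == bad_protocols` check read as intended. Note also that the mask only covers the four SSL_OP_NO_* macros listed here, so any protocol option a newer OpenSSL adds would remain enabled no matter what the string says — presumably acceptable today, but worth stating in the same comment so a later reader does not take the function for a complete allow-list.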
