From d2cdb055f83cd90cb387f5d536048de99325cd35 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Sat, 24 Aug 2013 01:17:27 -0700
Subject: [PATCH] Add options for controlling TLS and NLA security, as well as authentication and bad certs.
---
 src/protocols/rdp/client.c | 14 ++++++++++++++
 src/protocols/rdp/rdp_settings.c | 33 ++++++++++++++++----------------
 src/protocols/rdp/rdp_settings.h | 22 +++++++++++++++++++++
 3 files changed, 53 insertions(+), 16 deletions(-)
diff --git a/src/protocols/rdp/client.c b/src/protocols/rdp/client.c
index ff3241bd..b07d434a 100644
--- a/src/protocols/rdp/client.c
+++ b/src/protocols/rdp/client.c
@@ -109,6 +109,10 @@ const char* GUAC_CLIENT_ARGS[] = {
 "console",
 "console-audio",
 "server-layout",
+ "enable-nla",
+ "enable-tls",
+ "ignore-certificate",
+ "enable-authentication",
 NULL
 };
@@ -128,6 +132,10 @@ enum RDP_ARGS_IDX {
 IDX_CONSOLE,
 IDX_CONSOLE_AUDIO,
 IDX_SERVER_LAYOUT,
+ IDX_ENABLE_NLA,
+ IDX_ENABLE_TLS,
+ IDX_IGNORE_CERT,
+ IDX_ENABLE_AUTH,
 RDP_ARGS_COUNT
 };
@@ -405,6 +413,12 @@ int guac_client_init(guac_client* client, int argc, char** argv) {
 settings->console = (strcmp(argv[IDX_CONSOLE], "true") == 0);
 settings->console_audio = (strcmp(argv[IDX_CONSOLE_AUDIO], "true") == 0);
+ /* Security */
+ settings->enable_nla_security = (strcmp(argv[IDX_ENABLE_NLA], "true") == 0);
+ settings->enable_tls_security = (strcmp(argv[IDX_ENABLE_TLS], "true") == 0);
+ settings->ignore_certificate = (strcmp(argv[IDX_IGNORE_CERT], "true") == 0);
+ settings->enable_authentication = (strcmp(argv[IDX_ENABLE_AUTH], "true") == 0);
+
 /* Set hostname */
 settings->hostname = strdup(argv[IDX_HOSTNAME]);
diff --git a/src/protocols/rdp/rdp_settings.c b/src/protocols/rdp/rdp_settings.c
index a882a063..e8de9330 100644
--- a/src/protocols/rdp/rdp_settings.c
+++ b/src/protocols/rdp/rdp_settings.c
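Review bot: The four new flags in guac_client_init (client.c, third hunk) accept only the exact string `"true"`, so a value such as `"True"` or `"1"` silently leaves `enable-tls` and `enable-nla` off, and nothing in the hunk records which security settings ended up in effect. Because `ignore-certificate` turns off validation of the server's certificate, it should at least be visible in the logs, for example `if (settings->ignore_certificate) guac_client_log_info(client, "RDP server certificate validation is disabled");`. guac_client_init starts and ends outside the hunk, so whether `argc` is compared with `RDP_ARGS_COUNT` before `argv[IDX_ENABLE_AUTH]` is read cannot be confirmed from here.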
@@ -103,30 +103,31 @@ void guac_rdp_push_settings(guac_rdp_settings* guac_settings, freerdp* rdp) {
 rdp_settings->RemoteConsoleAudio = guac_settings->console_audio;
 #endif
- /* --no-auth */
-#ifdef LEGACY_RDPSETTINGS
- rdp_settings->authentication = FALSE;
-#else
- rdp_settings->Authentication = FALSE;
-#endif
-
- /* --sec rdp */
+ /* Security */
 #ifdef LEGACY_RDPSETTINGS
+ rdp_settings->authentication = guac_settings->enable_authentication;
 rdp_settings->rdp_security = TRUE;
- rdp_settings->tls_security = FALSE;
- rdp_settings->nla_security = FALSE;
+ rdp_settings->tls_security = guac_settings->enable_tls_security;
+ rdp_settings->nla_security = guac_settings->enable_nla_security;
+ rdp_settings->ignore_certificate = guac_settings->ignore_certificate;
 rdp_settings->encryption = TRUE;
- rdp_settings->encryption_method =
- ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
 rdp_settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
+ rdp_settings->encryption_method =
+ ENCRYPTION_METHOD_40BIT
+ | ENCRYPTION_METHOD_128BIT
+ | ENCRYPTION_METHOD_FIPS;
 #else
+ rdp_settings->Authentication = guac_settings->enable_authentication;
 rdp_settings->RdpSecurity = TRUE;
- rdp_settings->TlsSecurity = FALSE;
- rdp_settings->NlaSecurity = FALSE;
+ rdp_settings->TlsSecurity = guac_settings->enable_tls_security;
+ rdp_settings->NlaSecurity = guac_settings->enable_nla_security;
+ rdp_settings->IgnoreCertificate = guac_settings->ignore_certificate;
 rdp_settings->DisableEncryption = FALSE;
- rdp_settings->EncryptionMethods =
- ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
 rdp_settings->EncryptionLevel = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
+ rdp_settings->EncryptionMethods =
+ ENCRYPTION_METHOD_40BIT
+ | ENCRYPTION_METHOD_128BIT
+ | ENCRYPTION_METHOD_FIPS;
 #endif
 /* Order support */
diff --git a/src/protocols/rdp/rdp_settings.h b/src/protocols/rdp/rdp_settings.h
index b3b9d514..bc63753d 100644
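Review bot: In guac_rdp_push_settings, `RdpSecurity` (and `rdp_security` in the legacy branch) stays hard-coded to `TRUE` next to the new TLS/NLA toggles, so turning on `enable-tls` or `enable-nla` only offers the stronger mode and presumably still lets the negotiation settle on standard RDP security. If the options are meant to be enforceable, derive the flag from them, e.g. `rdp_settings->RdpSecurity = !(guac_settings->enable_tls_security || guac_settings->enable_nla_security);` with the matching line in the legacy branch, or add a comment stating that TLS/NLA are opportunistic here. The re-added `EncryptionMethods` mask still includes `ENCRYPTION_METHOD_40BIT`, which is worth revisiting at the same time. The function body starts and ends outside the hunk.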
--- a/src/protocols/rdp/rdp_settings.h
+++ b/src/protocols/rdp/rdp_settings.h
@@ -138,6 +138,28 @@ typedef struct guac_rdp_settings {
 */
 char* initial_program;
+ /**
+ * Whether NLA security is enabled.
+ */
+ int enable_nla_security;
+
+ /**
+ * Whether TLS security is enabled.
+ */
+ int enable_tls_security;
+
+ /**
+ * Whether bad server certificates should be ignored.
+ */
+ int ignore_certificate;
+
+ /**
+ * Whether authentication should be enabled. This is different from the
+ * authentication that takes place when a user provides their username
+ * and password.
+ */
+ int enable_authentication;
+
 } guac_rdp_settings;