Add options for controlling TLS and NLA security, as well as authentication and bad certs.

src/protocols/rdp/client.c

@@ -109,6 +109,10 @@ const char* GUAC_CLIENT_ARGS[] = {
     "console",
     "console-audio",
     "server-layout",
+    "enable-nla",
+    "enable-tls",
+    "ignore-certificate",
+    "enable-authentication",
     NULL
 };
 
@@ -128,6 +132,10 @@ enum RDP_ARGS_IDX {
     IDX_CONSOLE,
     IDX_CONSOLE_AUDIO,
     IDX_SERVER_LAYOUT,
+    IDX_ENABLE_NLA,
+    IDX_ENABLE_TLS,
+    IDX_IGNORE_CERT,
+    IDX_ENABLE_AUTH,
     RDP_ARGS_COUNT
 };
 
@@ -405,6 +413,12 @@ int guac_client_init(guac_client* client, int argc, char** argv) {
     settings->console         = (strcmp(argv[IDX_CONSOLE], "true") == 0);
     settings->console_audio   = (strcmp(argv[IDX_CONSOLE_AUDIO], "true") == 0);
 
+    /* Security */
+    settings->enable_nla_security = (strcmp(argv[IDX_ENABLE_NLA], "true") == 0);
+    settings->enable_tls_security = (strcmp(argv[IDX_ENABLE_TLS], "true") == 0);
+    settings->ignore_certificate = (strcmp(argv[IDX_IGNORE_CERT], "true") == 0);
+    settings->enable_authentication = (strcmp(argv[IDX_ENABLE_AUTH], "true") == 0);
+
     /* Set hostname */
     settings->hostname = strdup(argv[IDX_HOSTNAME]);
 

src/protocols/rdp/rdp_settings.c

@@ -103,30 +103,31 @@ void guac_rdp_push_settings(guac_rdp_settings* guac_settings, freerdp* rdp) {
     rdp_settings->RemoteConsoleAudio = guac_settings->console_audio;
 #endif
 
-    /* --no-auth */
+    /* Security */
-#ifdef LEGACY_RDPSETTINGS
-    rdp_settings->authentication = FALSE;
-#else
-    rdp_settings->Authentication = FALSE;
-#endif
-
-    /* --sec rdp */
 #ifdef LEGACY_RDPSETTINGS
+    rdp_settings->authentication = guac_settings->enable_authentication;
     rdp_settings->rdp_security = TRUE;
-    rdp_settings->tls_security = FALSE;
+    rdp_settings->tls_security = guac_settings->enable_tls_security;
-    rdp_settings->nla_security = FALSE;
+    rdp_settings->nla_security = guac_settings->enable_nla_security;
+    rdp_settings->ignore_certificate = guac_settings->ignore_certificate;
     rdp_settings->encryption = TRUE;
-    rdp_settings->encryption_method =
-        ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
     rdp_settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
+    rdp_settings->encryption_method =
+          ENCRYPTION_METHOD_40BIT
+        | ENCRYPTION_METHOD_128BIT
+        | ENCRYPTION_METHOD_FIPS;
 #else
+    rdp_settings->Authentication = guac_settings->enable_authentication;
     rdp_settings->RdpSecurity = TRUE;
-    rdp_settings->TlsSecurity = FALSE;
+    rdp_settings->TlsSecurity = guac_settings->enable_tls_security;
-    rdp_settings->NlaSecurity = FALSE;
+    rdp_settings->NlaSecurity = guac_settings->enable_nla_security;
+    rdp_settings->IgnoreCertificate = guac_settings->ignore_certificate;
     rdp_settings->DisableEncryption = FALSE;
-    rdp_settings->EncryptionMethods =
-        ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
     rdp_settings->EncryptionLevel = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
+    rdp_settings->EncryptionMethods =
+          ENCRYPTION_METHOD_40BIT
+        | ENCRYPTION_METHOD_128BIT 
+        | ENCRYPTION_METHOD_FIPS;
 #endif
 
     /* Order support */

src/protocols/rdp/rdp_settings.h

@@ -138,6 +138,28 @@ typedef struct guac_rdp_settings {
      */
     char* initial_program;
 
+    /**
+     * Whether NLA security is enabled.
+     */
+    int enable_nla_security;
+
+    /**
+     * Whether TLS security is enabled.
+     */
+    int enable_tls_security;
+
+    /**
+     * Whether bad server certificates should be ignored.
+     */
+    int ignore_certificate;
+
+    /**
+     * Whether authentication should be enabled. This is different from the
+     * authentication that takes place when a user provides their username
+     * and password.
+     */
+    int enable_authentication;
+
 } guac_rdp_settings;