diff --git a/debian/changelog b/debian/changelog
index 84f8ef6..70fcc94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+freerdp2 (2.0.0~git20180411.1.7a7b1802+dfsg1-3) unstable; urgency=medium
+
+ * debian/patches:
+ + Add 0002_set-tls-seclevel.patch. Sets the default TLS security level to
+ 1. Back ported from ustream (PR 4996). (Closes #912206).
+
+ -- Bernhard Miklautz Thu, 08 Nov 2018 11:44:36 +0100
+
 freerdp2 (2.0.0~git20180411.1.7a7b1802+dfsg1-2) unstable; urgency=medium
 
 * debian/patches:
diff --git a/debian/patches/0002_set-tls-seclevel.patch b/debian/patches/0002_set-tls-seclevel.patch
new file mode 100644
index 0000000..0986a33
--- /dev/null
+++ b/debian/patches/0002_set-tls-seclevel.patch
@@ -0,0 +1,73 @@
+diff --git a/client/common/cmdline.c b/client/common/cmdline.c
+index 801ef95..3296da8 100644
+--- a/client/common/cmdline.c
++++ b/client/common/cmdline.c
+@@ -2367,6 +2367,15 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
+ return COMMAND_LINE_ERROR_MEMORY;
+ }
+ }
++ CommandLineSwitchCase(arg, "tls-seclevel")
++ {
++ unsigned long val = strtoul(arg->Value, NULL, 0);
++
++ if ((errno != 0) || (val > 5))
++ return COMMAND_LINE_ERROR_UNEXPECTED_VALUE;
++
++ settings->TlsSecLevel = val;
++ }
+ CommandLineSwitchCase(arg, "cert-name")
+ {
+ free(settings->CertificateName);
+diff --git a/client/common/cmdline.h b/client/common/cmdline.h
+index 8785ed6..364a161 100644
+--- a/client/common/cmdline.h
++++ b/client/common/cmdline.h
+@@ -165,6 +165,7 @@ static COMMAND_LINE_ARGUMENT_A args[] =
+ { "t", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, "title", "Window title" },
+ { "themes", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "Enable themes" },
+ { "tls-ciphers", COMMAND_LINE_VALUE_REQUIRED, "netmon|ma|ciphers", NULL, NULL, -1, NULL, "Allowed TLS ciphers" },
++ { "tls-seclevel", COMMAND_LINE_VALUE_REQUIRED, "<level>", "1", NULL, -1, NULL, "TLS security level - defaults to 1" },
+ { "toggle-fullscreen", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "Alt+Ctrl+Enter toggles fullscreen" },
+ { "u", COMMAND_LINE_VALUE_REQUIRED, "[<domain>\\]<user> or <user>[@<domain>]", NULL, NULL, -1, NULL, "Username" },
+ { "unmap-buttons", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL, "Let server see real physical pointer button"},
+diff --git a/include/freerdp/settings.h b/include/freerdp/settings.h
+index e35364b..3f2fdd8 100644
+--- a/include/freerdp/settings.h
++++ b/include/freerdp/settings.h
+@@ -1020,7 +1020,8 @@ struct rdp_settings
+ ALIGN64 BOOL VmConnectMode; /* 1102 */
+ ALIGN64 char* NtlmSamFile; /* 1103 */
+ ALIGN64 BOOL FIPSMode; /* 1104 */
+- UINT64 padding1152[1152 - 1105]; /* 1105 */
++ ALIGN64 UINT32 TlsSecLevel; /* 1105 */
++ UINT64 padding1152[1152 - 1106]; /* 1106 */
+
+ /* Connection Cookie */
+ ALIGN64 BOOL MstscCookieMode; /* 1152 */
+diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c
+index 4d249eb..4b5ab46 100644
+--- a/libfreerdp/core/settings.c
++++ b/libfreerdp/core/settings.c
+@@ -612,6 +612,7 @@ rdpSettings* freerdp_settings_new(DWORD flags)
+ goto out_fail;
+
+ settings->ActionScript = _strdup("~/.config/freerdp/action.sh");
++ settings->TlsSecLevel = 1;
+ return settings;
+ out_fail:
+ free(settings->HomePath);
+diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
+index c9ae8c8..cd06b94 100644
+--- a/libfreerdp/crypto/tls.c
++++ b/libfreerdp/crypto/tls.c
+@@ -659,6 +659,10 @@ static BOOL tls_prepare(rdpTls* tls, BIO* underlying, SSL_METHOD* method,
+ SSL_CTX_set_options(tls->ctx, options);
+ SSL_CTX_set_read_ahead(tls->ctx, 1);
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++ SSL_CTX_set_security_level(tls->ctx, settings->TlsSecLevel);
++#endif
++
+ if (settings->AllowedTlsCiphers)
+ {
+ if (!SSL_CTX_set_cipher_list(tls->ctx, settings->AllowedTlsCiphers))
diff --git a/debian/patches/series b/debian/patches/series
index 53bdebc..972bdca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001_nsc-context-free-must-not-access-uninit-fields.patch
+0002_set-tls-seclevel.patch
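Review bot: In the `tls-seclevel` case added to cmdline.c inside the new patch, `strtoul(arg->Value, NULL, 0)` is validated only through `errno` and `val > 5`, but errno is never cleared before the call and the end pointer is discarded, so a stale errno from an earlier call rejects a valid level while a non-numeric value converts to 0 without setting errno and is accepted as security level 0, the least restrictive setting OpenSSL offers. Reset errno and check that the whole string was consumed before storing the value, as in the excerpt below. The enclosing switch in freerdp_client_settings_parse_command_line_arguments starts and ends outside the hunk, and whether arg->Value can be NULL for a COMMAND_LINE_VALUE_REQUIRED option is not visible here. The `#if` guard in tls.c also admits every LibreSSL version; whether each of them exposes `SSL_CTX_set_security_level` is not something the hunk establishes, so a feature check may be safer than a version check.
```c
CommandLineSwitchCase(arg, "tls-seclevel")
{
	char* end = NULL;
	errno = 0;
	unsigned long val = strtoul(arg->Value, &end, 0);

	/* reject conversion errors, empty input, trailing characters and out-of-range levels */
	if ((errno != 0) || (end == arg->Value) || (*end != '\0') || (val > 5))
		return COMMAND_LINE_ERROR_UNEXPECTED_VALUE;

	settings->TlsSecLevel = val;
}
```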