GUACAMOLE-1332: Add support for certificate fingerprints and auto-acc…
…ept.
necouchman committed Sep 6, 2023
1 parent 694b3fc commit 1b13024
Showing 2 changed files with 44 additions and 1 deletion.
33 changes: 32 additions & 1 deletion src/protocols/rdp/settings.c
Expand Up @@ -76,6 +76,8 @@ const char* GUAC_RDP_CLIENT_ARGS[] = {
"server-layout",
"security",
"ignore-cert",
"cert-tofu",
"cert-fingerprints",
"disable-auth",
"remote-app",
"remote-app-dir",
Expand Down Expand Up @@ -289,6 +291,21 @@ enum RDP_ARGS_IDX {
*/
IDX_IGNORE_CERT,

/**
* "true" if a server certificate should be trusted the first time that
* a connection is established, and then subsequently checked for validity
* after that. "false" if that behavior should not be forced. Whether or not
* the connection succeeds will be dependent upon other certificate settings,
* like ignore and/or provided fingerprints.
*/
IDX_CERTIFICATE_TOFU,

/**
* A comma-separate list of fingerprints of certificates that should be
* trusted when establishing this RDP connection.
*/
IDX_CERTIFICATE_FINGERPRINTS,

/**
* "true" if authentication should be disabled, "false" or blank otherwise.
* This is different from the authentication that takes place when a user
Expand Down Expand Up @@ -708,6 +725,16 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_IGNORE_CERT, 0);

/* Add new certificates to trust list */
settings->certificate_tofu =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_CERTIFICATE_TOFU, 0);

/* Fingerprints of certificates that should be trusted */
settings->certificate_fingerprints =
guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_CERTIFICATE_FINGERPRINTS, NULL);

/* Disable authentication */
settings->disable_authentication =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
Expand Down Expand Up @@ -1296,6 +1323,7 @@ void guac_rdp_settings_free(guac_rdp_settings* settings) {
free(settings->drive_name);
free(settings->drive_path);
free(settings->hostname);
free(settings->certificate_fingerprints);
free(settings->initial_program);
free(settings->password);
free(settings->preconnection_blob);
Expand Down Expand Up @@ -1575,9 +1603,12 @@ void guac_rdp_push_settings(guac_client* client,

}

/* Authentication */
/* Security */
rdp_settings->Authentication = !guac_settings->disable_authentication;
rdp_settings->IgnoreCertificate = guac_settings->ignore_certificate;
rdp_settings->AutoAcceptCertificate = guac_settings->certificate_tofu;
if (guac_settings->certificate_fingerprints != NULL)
rdp_settings->CertificateAcceptedFingerprints = guac_strdup(guac_settings->certificate_fingerprints);

/* RemoteApp */
if (guac_settings->remote_app != NULL) {
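Review bot: In the `guac_rdp_push_settings` hunk the three certificate settings are pushed independently, so a connection that sets `ignore-cert` together with `cert-fingerprints` is configured without any log message, even though the pinned fingerprints are presumably never consulted (as far as I know FreeRDP skips certificate verification once `IgnoreCertificate` is set; worth confirming against the FreeRDP version in use). A warning would make that misconfiguration visible in the guacd log: `if (guac_settings->ignore_certificate && guac_settings->certificate_fingerprints != NULL) guac_client_log(client, GUAC_LOG_WARNING, "ignore-cert is enabled; cert-fingerprints will not be enforced.");`. The `IDX_CERTIFICATE_FINGERPRINTS` comment could also state the entry format each fingerprint must have, since the string is handed to FreeRDP unchecked, and "comma-separate" there should read "comma-separated". The function body starts and ends outside the hunk.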
12 changes: 12 additions & 0 deletions src/protocols/rdp/settings.h
Expand Up @@ -286,6 +286,18 @@ typedef struct guac_rdp_settings {
*/
int ignore_certificate;

/**
* Whether or not a certificate should be added to the local trust
* store on first use.
*/
int certificate_tofu;

/**
* The fingerprints of host certificates that should be trusted for
* this connection.
*/
char* certificate_fingerprints;

/**
* Whether authentication should be disabled. This is different from the
* authentication that takes place when a user provides their username
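Review bot: The comment on `certificate_fingerprints` does not say what the string looks like or who owns it. The `IDX_CERTIFICATE_FINGERPRINTS` comment in settings.c describes a comma-separated list, the parse default is NULL, and `guac_rdp_settings_free()` frees the field, so the comment could read `Comma-separated list of fingerprints of host certificates to trust for this connection, or NULL if none were given. Freed by guac_rdp_settings_free().` For `certificate_tofu`, the comment should note that trust on first use only protects later connections if the trust store persists between them. That store is presumably FreeRDP's known-hosts file under the guacd user's configuration directory, which is worth confirming. The struct definition continues outside the hunk.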
