2023-02-03 13:40:35 +03:00
|
|
|
/**
|
|
|
|
* FreeRDP: A Remote Desktop Protocol Implementation
|
|
|
|
* Certificate Handling
|
|
|
|
*
|
|
|
|
* Copyright 2011 Jiten Pathy
|
|
|
|
* Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
|
2023-02-09 10:48:11 +03:00
|
|
|
* Copyright 2023 Armin Novak <anovak@thincast.com>
|
|
|
|
* Copyright 2023 Thincast Technologies GmbH
|
2023-02-03 13:40:35 +03:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <ctype.h>
|
|
|
|
|
|
|
|
#include <freerdp/config.h>
|
|
|
|
|
|
|
|
#include <winpr/assert.h>
|
|
|
|
#include <winpr/path.h>
|
|
|
|
|
|
|
|
#include <freerdp/settings.h>
|
|
|
|
|
|
|
|
#include <freerdp/crypto/crypto.h>
|
|
|
|
#include <freerdp/crypto/certificate_data.h>
|
|
|
|
|
|
|
|
#include "certificate.h"
|
|
|
|
|
|
|
|
#include <freerdp/log.h>
|
|
|
|
#define TAG FREERDP_TAG("crypto")
|
|
|
|
|
|
|
|
struct rdp_certificate_data
|
|
|
|
{
|
|
|
|
char* hostname;
|
|
|
|
UINT16 port;
|
|
|
|
rdpCertificate* cert;
|
|
|
|
|
|
|
|
char cached_hash[MAX_PATH + 10];
|
|
|
|
char* cached_subject;
|
|
|
|
char* cached_issuer;
|
|
|
|
char* cached_fingerprint;
|
|
|
|
char* cached_pem;
|
2024-08-13 16:54:03 +03:00
|
|
|
char* cached_pem_chain;
|
2023-02-03 13:40:35 +03:00
|
|
|
};
|
|
|
|
|
2024-03-21 16:54:47 +03:00
|
|
|
/* ensure our hostnames (and therefore filenames) always use the same capitalization.
|
|
|
|
* the user might have input random case, but we always need to have a sane
|
|
|
|
* baseline to compare against. */
|
|
|
|
static char* ensure_lowercase(char* str, size_t length)
|
|
|
|
{
|
|
|
|
const size_t len = strnlen(str, length);
|
|
|
|
for (size_t x = 0; x < len; x++)
|
|
|
|
str[x] = tolower(str[x]);
|
|
|
|
return str;
|
|
|
|
}
|
2023-02-03 13:40:35 +03:00
|
|
|
static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
|
|
|
|
size_t length)
|
|
|
|
{
|
|
|
|
_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
|
2024-03-21 16:54:47 +03:00
|
|
|
return ensure_lowercase(name, length);
|
2023-02-03 13:40:35 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
|
|
|
|
{
|
|
|
|
BOOL rc = FALSE;
|
|
|
|
|
|
|
|
WINPR_ASSERT(data);
|
|
|
|
|
|
|
|
freerdp_certificate_data_hash_(data->hostname, data->port, data->cached_hash,
|
|
|
|
sizeof(data->cached_hash));
|
|
|
|
if (strnlen(data->cached_hash, sizeof(data->cached_hash)) == 0)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
data->cached_subject = freerdp_certificate_get_subject(data->cert);
|
|
|
|
if (!data->cached_subject)
|
2023-08-07 14:03:54 +03:00
|
|
|
data->cached_subject = calloc(1, 1);
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
size_t pemlen = 0;
|
2024-08-13 16:54:03 +03:00
|
|
|
data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
|
2023-02-03 13:40:35 +03:00
|
|
|
if (!data->cached_pem)
|
|
|
|
goto fail;
|
|
|
|
|
2024-08-13 16:54:03 +03:00
|
|
|
size_t pemchainlen = 0;
|
|
|
|
data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
|
|
|
|
if (!data->cached_pem_chain)
|
|
|
|
goto fail;
|
|
|
|
|
2023-02-03 13:40:35 +03:00
|
|
|
data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
|
|
|
|
if (!data->cached_fingerprint)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
data->cached_issuer = freerdp_certificate_get_issuer(data->cert);
|
|
|
|
if (!data->cached_issuer)
|
2023-08-07 14:03:54 +03:00
|
|
|
data->cached_issuer = calloc(1, 1);
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
rc = TRUE;
|
|
|
|
fail:
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
static rdpCertificateData* freerdp_certificate_data_new_nocopy(const char* hostname, UINT16 port,
|
|
|
|
rdpCertificate* xcert)
|
|
|
|
{
|
|
|
|
rdpCertificateData* certdata = NULL;
|
|
|
|
|
|
|
|
if (!hostname || !xcert)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));
|
|
|
|
|
|
|
|
if (!certdata)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
certdata->port = port;
|
|
|
|
certdata->hostname = _strdup(hostname);
|
|
|
|
if (!certdata->hostname)
|
|
|
|
goto fail;
|
2024-03-21 16:54:47 +03:00
|
|
|
ensure_lowercase(certdata->hostname, strlen(certdata->hostname));
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
certdata->cert = xcert;
|
|
|
|
if (!freerdp_certificate_data_load_cache(certdata))
|
|
|
|
{
|
|
|
|
certdata->cert = NULL;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
return certdata;
|
|
|
|
fail:
|
|
|
|
freerdp_certificate_data_free(certdata);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
|
|
|
|
const rdpCertificate* xcert)
|
|
|
|
{
|
|
|
|
rdpCertificate* copy = freerdp_certificate_clone(xcert);
|
|
|
|
rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, copy);
|
|
|
|
if (!data)
|
|
|
|
freerdp_certificate_free(copy);
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname, UINT16 port,
|
|
|
|
const char* pem, size_t length)
|
|
|
|
{
|
|
|
|
if (!pem || (length == 0))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
rdpCertificate* cert = freerdp_certificate_new_from_pem(pem);
|
|
|
|
rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
|
|
|
|
if (!data)
|
|
|
|
freerdp_certificate_free(cert);
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
rdpCertificateData* freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port,
|
|
|
|
const char* file)
|
|
|
|
{
|
|
|
|
if (!file)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
rdpCertificate* cert = freerdp_certificate_new_from_file(file);
|
|
|
|
rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
|
|
|
|
if (!data)
|
|
|
|
freerdp_certificate_free(cert);
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
void freerdp_certificate_data_free(rdpCertificateData* data)
|
|
|
|
{
|
|
|
|
if (data == NULL)
|
|
|
|
return;
|
|
|
|
|
|
|
|
free(data->hostname);
|
|
|
|
freerdp_certificate_free(data->cert);
|
|
|
|
free(data->cached_subject);
|
|
|
|
free(data->cached_issuer);
|
|
|
|
free(data->cached_fingerprint);
|
|
|
|
free(data->cached_pem);
|
2024-08-13 16:54:03 +03:00
|
|
|
free(data->cached_pem_chain);
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
free(data);
|
|
|
|
}
|
|
|
|
|
|
|
|
const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert)
|
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
2023-02-03 13:40:35 +03:00
|
|
|
return cert->hostname;
|
|
|
|
}
|
|
|
|
|
|
|
|
UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
|
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return 0;
|
2023-02-03 13:40:35 +03:00
|
|
|
return cert->port;
|
|
|
|
}
|
|
|
|
|
|
|
|
const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
|
2024-08-13 16:54:03 +03:00
|
|
|
{
|
|
|
|
return freerdp_certificate_data_get_pem_ex(cert, TRUE);
|
|
|
|
}
|
|
|
|
|
|
|
|
const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
|
2023-02-03 13:40:35 +03:00
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
2024-08-13 16:54:03 +03:00
|
|
|
if (withFullChain)
|
|
|
|
return cert->cached_pem_chain;
|
2023-02-03 13:40:35 +03:00
|
|
|
return cert->cached_pem;
|
|
|
|
}
|
|
|
|
|
|
|
|
const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert)
|
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
return cert->cached_subject;
|
|
|
|
}
|
|
|
|
|
|
|
|
const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert)
|
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
return cert->cached_issuer;
|
|
|
|
}
|
|
|
|
const char* freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert)
|
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
return cert->cached_fingerprint;
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOL freerdp_certificate_data_equal(const rdpCertificateData* a, const rdpCertificateData* b)
|
|
|
|
{
|
|
|
|
BOOL rc = FALSE;
|
|
|
|
|
|
|
|
WINPR_ASSERT(a);
|
|
|
|
WINPR_ASSERT(b);
|
|
|
|
|
|
|
|
if (strcmp(a->hostname, b->hostname) != 0)
|
|
|
|
return FALSE;
|
|
|
|
if (a->port != b->port)
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
const char* pem1 = freerdp_certificate_data_get_fingerprint(a);
|
|
|
|
const char* pem2 = freerdp_certificate_data_get_fingerprint(b);
|
|
|
|
if (pem1 && pem2)
|
|
|
|
rc = strcmp(pem1, pem2) == 0;
|
|
|
|
else
|
|
|
|
rc = pem1 == pem2;
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert)
|
|
|
|
{
|
2024-03-21 14:36:34 +03:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
2023-02-03 13:40:35 +03:00
|
|
|
|
|
|
|
return cert->cached_hash;
|
|
|
|
}
|
|
|
|
|
|
|
|
char* freerdp_certificate_data_hash(const char* hostname, UINT16 port)
|
|
|
|
{
|
|
|
|
char name[MAX_PATH + 10] = { 0 };
|
|
|
|
freerdp_certificate_data_hash_(hostname, port, name, sizeof(name));
|
|
|
|
return _strdup(name);
|
|
|
|
}
|