2011-07-06 07:18:00 +04:00
|
|
|
/**
|
2012-02-21 09:56:55 +04:00
|
|
|
* FreeRDP: A Remote Desktop Protocol Implementation
|
2011-07-06 07:18:00 +04:00
|
|
|
* Cryptographic Abstraction Layer
|
|
|
|
*
|
2012-02-21 09:56:55 +04:00
|
|
|
* Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
|
2011-07-06 07:18:00 +04:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
2011-08-29 00:46:36 +04:00
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
2011-07-06 07:18:00 +04:00
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2012-08-15 01:09:01 +04:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include "config.h"
|
|
|
|
#endif
|
|
|
|
|
2012-11-22 04:22:41 +04:00
|
|
|
#include <winpr/crt.h>
|
2016-02-24 22:39:49 +03:00
|
|
|
#include <winpr/crypto.h>
|
2012-11-22 04:22:41 +04:00
|
|
|
|
2014-09-12 16:36:29 +04:00
|
|
|
#include <freerdp/log.h>
|
2012-02-17 09:58:30 +04:00
|
|
|
#include <freerdp/crypto/crypto.h>
|
2011-07-06 07:18:00 +04:00
|
|
|
|
2014-09-12 16:36:29 +04:00
|
|
|
#define TAG FREERDP_TAG("crypto")
|
|
|
|
|
2012-10-09 11:26:39 +04:00
|
|
|
CryptoCert crypto_cert_read(BYTE* data, UINT32 length)
|
2011-07-06 07:18:00 +04:00
|
|
|
{
|
2012-10-09 07:21:26 +04:00
|
|
|
CryptoCert cert = malloc(sizeof(*cert));
|
2014-03-26 02:13:08 +04:00
|
|
|
if (!cert)
|
|
|
|
return NULL;
|
|
|
|
|
2011-07-06 07:18:00 +04:00
|
|
|
/* this will move the data pointer but we don't care, we don't use it again */
|
2012-10-09 11:01:37 +04:00
|
|
|
cert->px509 = d2i_X509(NULL, (D2I_X509_CONST BYTE **) &data, length);
|
2011-07-06 07:18:00 +04:00
|
|
|
return cert;
|
|
|
|
}
|
|
|
|
|
|
|
|
void crypto_cert_free(CryptoCert cert)
|
|
|
|
{
|
2012-02-11 00:35:22 +04:00
|
|
|
if (cert == NULL)
|
|
|
|
return;
|
2012-09-24 12:40:32 +04:00
|
|
|
|
2011-07-06 07:18:00 +04:00
|
|
|
X509_free(cert->px509);
|
2012-09-24 12:40:32 +04:00
|
|
|
|
2012-10-09 07:21:26 +04:00
|
|
|
free(cert);
|
2011-07-06 07:18:00 +04:00
|
|
|
}
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL crypto_cert_get_public_key(CryptoCert cert, BYTE** PublicKey, DWORD* PublicKeyLength)
|
2011-07-07 19:27:24 +04:00
|
|
|
{
|
2012-09-24 12:40:32 +04:00
|
|
|
BYTE* ptr;
|
2011-07-07 19:27:24 +04:00
|
|
|
int length;
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL status = TRUE;
|
2011-07-07 19:27:24 +04:00
|
|
|
EVP_PKEY* pkey = NULL;
|
|
|
|
|
|
|
|
pkey = X509_get_pubkey(cert->px509);
|
|
|
|
if (!pkey)
|
|
|
|
{
|
2014-09-12 16:36:29 +04:00
|
|
|
WLog_ERR(TAG, "X509_get_pubkey() failed");
|
2012-10-09 10:31:28 +04:00
|
|
|
status = FALSE;
|
2011-07-07 19:27:24 +04:00
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
length = i2d_PublicKey(pkey, NULL);
|
|
|
|
if (length < 1)
|
|
|
|
{
|
2014-09-12 16:36:29 +04:00
|
|
|
WLog_ERR(TAG, "i2d_PublicKey() failed");
|
2012-10-09 10:31:28 +04:00
|
|
|
status = FALSE;
|
2011-07-07 19:27:24 +04:00
|
|
|
goto exit;
|
|
|
|
}
|
|
|
|
|
2012-09-24 12:40:32 +04:00
|
|
|
*PublicKeyLength = (DWORD) length;
|
|
|
|
*PublicKey = (BYTE*) malloc(length);
|
|
|
|
ptr = (BYTE*) (*PublicKey);
|
2015-06-16 16:42:07 +03:00
|
|
|
if (!ptr)
|
|
|
|
{
|
|
|
|
status = FALSE;
|
|
|
|
goto exit;
|
|
|
|
}
|
2012-09-24 12:40:32 +04:00
|
|
|
|
|
|
|
i2d_PublicKey(pkey, &ptr);
|
2011-07-07 19:27:24 +04:00
|
|
|
|
|
|
|
exit:
|
|
|
|
if (pkey)
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, int exponent_size, BYTE* output)
|
2011-07-13 18:21:12 +04:00
|
|
|
{
|
2011-09-27 09:30:58 +04:00
|
|
|
BN_CTX* ctx;
|
2014-03-26 02:13:08 +04:00
|
|
|
int output_length = -1;
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE* input_reverse;
|
|
|
|
BYTE* modulus_reverse;
|
|
|
|
BYTE* exponent_reverse;
|
2016-11-21 19:28:54 +03:00
|
|
|
BIGNUM *mod, *exp, *x, *y;
|
2011-07-13 18:21:12 +04:00
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);
|
2014-03-26 02:13:08 +04:00
|
|
|
if (!input_reverse)
|
|
|
|
return -1;
|
2016-11-21 19:28:54 +03:00
|
|
|
|
2012-01-19 07:40:29 +04:00
|
|
|
modulus_reverse = input_reverse + key_length;
|
|
|
|
exponent_reverse = modulus_reverse + key_length;
|
2011-07-15 09:11:09 +04:00
|
|
|
|
|
|
|
memcpy(modulus_reverse, modulus, key_length);
|
|
|
|
crypto_reverse(modulus_reverse, key_length);
|
2012-01-19 07:40:29 +04:00
|
|
|
memcpy(exponent_reverse, exponent, exponent_size);
|
|
|
|
crypto_reverse(exponent_reverse, exponent_size);
|
2011-07-15 09:11:09 +04:00
|
|
|
memcpy(input_reverse, input, length);
|
|
|
|
crypto_reverse(input_reverse, length);
|
|
|
|
|
2016-11-21 19:28:54 +03:00
|
|
|
if (!(ctx = BN_CTX_new()))
|
|
|
|
goto fail_bn_ctx;
|
|
|
|
|
|
|
|
if (!(mod = BN_new()))
|
|
|
|
goto fail_bn_mod;
|
|
|
|
|
|
|
|
if (!(exp = BN_new()))
|
|
|
|
goto fail_bn_exp;
|
2011-07-13 18:21:12 +04:00
|
|
|
|
2016-11-21 19:28:54 +03:00
|
|
|
if (!(x = BN_new()))
|
|
|
|
goto fail_bn_x;
|
2011-07-15 09:11:09 +04:00
|
|
|
|
2016-11-21 19:28:54 +03:00
|
|
|
if (!(y = BN_new()))
|
|
|
|
goto fail_bn_y;
|
|
|
|
|
|
|
|
BN_bin2bn(modulus_reverse, key_length, mod);
|
|
|
|
BN_bin2bn(exponent_reverse, exponent_size, exp);
|
|
|
|
BN_bin2bn(input_reverse, length, x);
|
|
|
|
BN_mod_exp(y, x, exp, mod, ctx);
|
|
|
|
|
|
|
|
output_length = BN_bn2bin(y, output);
|
2011-07-15 09:11:09 +04:00
|
|
|
crypto_reverse(output, output_length);
|
|
|
|
|
|
|
|
if (output_length < (int) key_length)
|
|
|
|
memset(output + output_length, 0, key_length - output_length);
|
2011-07-13 18:21:12 +04:00
|
|
|
|
2016-11-21 19:28:54 +03:00
|
|
|
BN_free(y);
|
|
|
|
fail_bn_y:
|
|
|
|
BN_clear_free(x);
|
|
|
|
fail_bn_x:
|
|
|
|
BN_free(exp);
|
|
|
|
fail_bn_exp:
|
|
|
|
BN_free(mod);
|
|
|
|
fail_bn_mod:
|
2011-07-13 18:21:12 +04:00
|
|
|
BN_CTX_free(ctx);
|
2016-11-21 19:28:54 +03:00
|
|
|
fail_bn_ctx:
|
2012-10-09 07:21:26 +04:00
|
|
|
free(input_reverse);
|
2013-08-08 02:28:31 +04:00
|
|
|
|
|
|
|
return output_length;
|
2011-07-15 09:11:09 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
static int crypto_rsa_public(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_common(input, length, key_length, modulus, exponent, EXPONENT_MAX_SIZE, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
static int crypto_rsa_private(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* private_exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_common(input, length, key_length, modulus, private_exponent, key_length, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
int crypto_rsa_public_encrypt(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_public(input, length, key_length, modulus, exponent, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
int crypto_rsa_public_decrypt(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_public(input, length, key_length, modulus, exponent, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
int crypto_rsa_private_encrypt(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* private_exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_private(input, length, key_length, modulus, private_exponent, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
int crypto_rsa_private_decrypt(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* private_exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_private(input, length, key_length, modulus, private_exponent, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2013-08-08 02:28:31 +04:00
|
|
|
int crypto_rsa_decrypt(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* private_exponent, BYTE* output)
|
2012-01-19 07:40:29 +04:00
|
|
|
{
|
2013-08-08 02:28:31 +04:00
|
|
|
return crypto_rsa_common(input, length, key_length, modulus, private_exponent, key_length, output);
|
2012-01-19 07:40:29 +04:00
|
|
|
}
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
void crypto_reverse(BYTE* data, int length)
|
2011-07-15 09:11:09 +04:00
|
|
|
{
|
|
|
|
int i, j;
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE temp;
|
2011-07-15 09:11:09 +04:00
|
|
|
|
|
|
|
for (i = 0, j = length - 1; i < j; i++, j--)
|
|
|
|
{
|
|
|
|
temp = data[i];
|
|
|
|
data[i] = data[j];
|
|
|
|
data[j] = temp;
|
|
|
|
}
|
2011-07-13 18:21:12 +04:00
|
|
|
}
|
|
|
|
|
2011-08-30 20:20:36 +04:00
|
|
|
char* crypto_cert_fingerprint(X509* xcert)
|
2011-08-26 07:10:49 +04:00
|
|
|
{
|
2011-08-30 20:20:36 +04:00
|
|
|
int i = 0;
|
2011-09-27 09:30:58 +04:00
|
|
|
char* p;
|
2011-08-30 20:20:36 +04:00
|
|
|
char* fp_buffer;
|
2012-10-09 11:26:39 +04:00
|
|
|
UINT32 fp_len;
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE fp[EVP_MAX_MD_SIZE];
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
X509_digest(xcert, EVP_sha1(), fp, &fp_len);
|
|
|
|
|
2017-05-30 11:46:43 +03:00
|
|
|
fp_buffer = (char*) calloc(fp_len, 3);
|
2014-03-26 02:13:08 +04:00
|
|
|
if (!fp_buffer)
|
|
|
|
return NULL;
|
2012-11-22 04:22:41 +04:00
|
|
|
|
2011-08-30 20:20:36 +04:00
|
|
|
p = fp_buffer;
|
2011-11-12 09:51:41 +04:00
|
|
|
for (i = 0; i < (int) (fp_len - 1); i++)
|
2011-08-29 00:46:36 +04:00
|
|
|
{
|
2016-12-14 00:47:08 +03:00
|
|
|
sprintf(p, "%02"PRIx8":", fp[i]);
|
2012-07-22 20:52:55 +04:00
|
|
|
p = &fp_buffer[(i + 1) * 3];
|
2011-08-29 00:46:36 +04:00
|
|
|
}
|
2016-12-14 00:47:08 +03:00
|
|
|
sprintf(p, "%02"PRIx8"", fp[i]);
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
return fp_buffer;
|
2011-08-29 00:46:36 +04:00
|
|
|
}
|
|
|
|
|
2011-10-18 19:02:05 +04:00
|
|
|
char* crypto_print_name(X509_NAME* name)
|
|
|
|
{
|
|
|
|
char* buffer = NULL;
|
|
|
|
BIO* outBIO = BIO_new(BIO_s_mem());
|
2015-06-11 12:16:45 +03:00
|
|
|
|
2012-02-04 11:21:39 +04:00
|
|
|
if (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)
|
2011-10-18 19:02:05 +04:00
|
|
|
{
|
|
|
|
unsigned long size = BIO_number_written(outBIO);
|
2015-06-16 16:42:07 +03:00
|
|
|
buffer = calloc(1, size + 1);
|
|
|
|
if (!buffer)
|
|
|
|
return NULL;
|
2011-10-18 19:02:05 +04:00
|
|
|
BIO_read(outBIO, buffer, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
BIO_free(outBIO);
|
2012-11-22 04:22:41 +04:00
|
|
|
|
2011-10-18 19:02:05 +04:00
|
|
|
return buffer;
|
|
|
|
}
|
|
|
|
|
|
|
|
char* crypto_cert_subject(X509* xcert)
|
|
|
|
{
|
|
|
|
return crypto_print_name(X509_get_subject_name(xcert));
|
|
|
|
}
|
|
|
|
|
2012-02-08 07:16:57 +04:00
|
|
|
char* crypto_cert_subject_common_name(X509* xcert, int* length)
|
2012-02-04 11:21:39 +04:00
|
|
|
{
|
|
|
|
int index;
|
2015-12-14 16:01:12 +03:00
|
|
|
BYTE* common_name_raw;
|
|
|
|
char* common_name;
|
2012-02-04 11:21:39 +04:00
|
|
|
X509_NAME* subject_name;
|
|
|
|
X509_NAME_ENTRY* entry;
|
|
|
|
ASN1_STRING* entry_data;
|
|
|
|
|
|
|
|
subject_name = X509_get_subject_name(xcert);
|
2012-02-08 07:16:57 +04:00
|
|
|
|
|
|
|
if (subject_name == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
2012-02-04 11:21:39 +04:00
|
|
|
index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
|
|
|
|
|
2012-02-08 07:16:57 +04:00
|
|
|
if (index < 0)
|
|
|
|
return NULL;
|
|
|
|
|
2012-02-04 11:21:39 +04:00
|
|
|
entry = X509_NAME_get_entry(subject_name, index);
|
2012-02-08 07:16:57 +04:00
|
|
|
|
|
|
|
if (entry == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
2012-02-04 11:21:39 +04:00
|
|
|
entry_data = X509_NAME_ENTRY_get_data(entry);
|
|
|
|
|
2012-02-08 07:16:57 +04:00
|
|
|
if (entry_data == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
2015-12-14 16:01:12 +03:00
|
|
|
*length = ASN1_STRING_to_UTF8(&common_name_raw, entry_data);
|
2012-02-08 07:16:57 +04:00
|
|
|
|
|
|
|
if (*length < 0)
|
|
|
|
return NULL;
|
2012-02-04 11:21:39 +04:00
|
|
|
|
2015-12-17 18:43:49 +03:00
|
|
|
common_name = _strdup((char*)common_name_raw);
|
2015-12-14 16:01:12 +03:00
|
|
|
OPENSSL_free(common_name_raw);
|
|
|
|
|
2012-02-04 11:21:39 +04:00
|
|
|
return (char*) common_name;
|
|
|
|
}
|
|
|
|
|
2016-02-26 21:25:49 +03:00
|
|
|
void crypto_cert_subject_alt_name_free(int count, int *lengths,
|
2015-06-11 12:16:45 +03:00
|
|
|
char** alt_name)
|
2013-09-02 18:14:22 +04:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2015-05-11 10:07:39 +03:00
|
|
|
free(lengths);
|
2013-09-02 18:14:22 +04:00
|
|
|
|
|
|
|
if (alt_name)
|
|
|
|
{
|
|
|
|
for (i=0; i<count; i++)
|
|
|
|
{
|
|
|
|
if (alt_name[i])
|
|
|
|
OPENSSL_free(alt_name[i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
free(alt_name);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-02-08 07:16:57 +04:00
|
|
|
char** crypto_cert_subject_alt_name(X509* xcert, int* count, int** lengths)
|
2012-02-04 11:21:39 +04:00
|
|
|
{
|
|
|
|
int index;
|
2013-08-30 16:19:50 +04:00
|
|
|
int length = 0;
|
|
|
|
char** strings = NULL;
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE* string;
|
2012-02-04 11:21:39 +04:00
|
|
|
int num_subject_alt_names;
|
|
|
|
GENERAL_NAMES* subject_alt_names;
|
|
|
|
GENERAL_NAME* subject_alt_name;
|
|
|
|
|
|
|
|
*count = 0;
|
|
|
|
subject_alt_names = X509_get_ext_d2i(xcert, NID_subject_alt_name, 0, 0);
|
|
|
|
|
|
|
|
if (!subject_alt_names)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
num_subject_alt_names = sk_GENERAL_NAME_num(subject_alt_names);
|
2013-08-30 16:19:50 +04:00
|
|
|
if (num_subject_alt_names)
|
|
|
|
{
|
2017-05-30 11:46:43 +03:00
|
|
|
strings = (char**) calloc(num_subject_alt_names, sizeof(char*));
|
2015-06-16 16:42:07 +03:00
|
|
|
if (!strings)
|
|
|
|
goto out;
|
|
|
|
|
2017-05-30 11:46:43 +03:00
|
|
|
*lengths = (int*) calloc(num_subject_alt_names, sizeof(int));
|
2015-06-16 16:42:07 +03:00
|
|
|
if (!*lengths)
|
|
|
|
{
|
|
|
|
free(strings);
|
2015-06-23 22:29:21 +03:00
|
|
|
strings = NULL;
|
2015-06-16 16:42:07 +03:00
|
|
|
goto out;
|
|
|
|
}
|
2013-08-30 16:19:50 +04:00
|
|
|
}
|
2012-02-04 11:21:39 +04:00
|
|
|
|
|
|
|
for (index = 0; index < num_subject_alt_names; ++index)
|
|
|
|
{
|
|
|
|
subject_alt_name = sk_GENERAL_NAME_value(subject_alt_names, index);
|
|
|
|
|
|
|
|
if (subject_alt_name->type == GEN_DNS)
|
|
|
|
{
|
2012-02-08 07:16:57 +04:00
|
|
|
length = ASN1_STRING_to_UTF8(&string, subject_alt_name->d.dNSName);
|
|
|
|
strings[*count] = (char*) string;
|
2012-02-16 01:33:51 +04:00
|
|
|
(*lengths)[*count] = length;
|
2012-02-08 07:16:57 +04:00
|
|
|
(*count)++;
|
2012-02-04 11:21:39 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-02-08 07:16:57 +04:00
|
|
|
if (*count < 1)
|
2012-05-09 19:40:13 +04:00
|
|
|
{
|
2012-10-09 07:21:26 +04:00
|
|
|
free(strings) ;
|
|
|
|
free(*lengths) ;
|
2012-05-09 19:40:13 +04:00
|
|
|
*lengths = NULL ;
|
2012-02-08 07:16:57 +04:00
|
|
|
return NULL;
|
2012-05-09 19:40:13 +04:00
|
|
|
}
|
2015-06-16 16:42:07 +03:00
|
|
|
|
|
|
|
out:
|
2013-06-02 00:37:49 +04:00
|
|
|
GENERAL_NAMES_free(subject_alt_names);
|
2012-02-08 07:16:57 +04:00
|
|
|
|
2012-02-04 11:21:39 +04:00
|
|
|
return strings;
|
|
|
|
}
|
|
|
|
|
2011-10-18 19:02:05 +04:00
|
|
|
char* crypto_cert_issuer(X509* xcert)
|
|
|
|
{
|
|
|
|
return crypto_print_name(X509_get_issuer_name(xcert));
|
|
|
|
}
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL x509_verify_certificate(CryptoCert cert, char* certificate_store_path)
|
2011-08-29 00:46:36 +04:00
|
|
|
{
|
2011-08-30 20:20:36 +04:00
|
|
|
X509_STORE_CTX* csc;
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL status = FALSE;
|
2011-08-30 20:20:36 +04:00
|
|
|
X509_STORE* cert_ctx = NULL;
|
|
|
|
X509_LOOKUP* lookup = NULL;
|
|
|
|
X509* xcert = cert->px509;
|
|
|
|
|
|
|
|
cert_ctx = X509_STORE_new();
|
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
if (cert_ctx == NULL)
|
|
|
|
goto end;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2017-07-26 17:12:14 +03:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
2011-08-29 00:46:36 +04:00
|
|
|
OpenSSL_add_all_algorithms();
|
2017-04-06 11:37:28 +03:00
|
|
|
#else
|
|
|
|
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
|
|
|
|
| OPENSSL_INIT_ADD_ALL_DIGESTS \
|
|
|
|
| OPENSSL_INIT_LOAD_CONFIG, NULL);
|
|
|
|
#endif
|
|
|
|
|
2011-08-30 20:20:36 +04:00
|
|
|
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
|
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
if (lookup == NULL)
|
|
|
|
goto end;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
|
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
if (lookup == NULL)
|
|
|
|
goto end;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
|
|
|
|
|
2012-02-03 02:36:07 +04:00
|
|
|
if (certificate_store_path != NULL)
|
2011-08-29 02:19:25 +04:00
|
|
|
{
|
2015-03-11 14:06:52 +03:00
|
|
|
X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
|
2011-08-29 02:19:25 +04:00
|
|
|
}
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
csc = X509_STORE_CTX_new();
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
if (csc == NULL)
|
|
|
|
goto end;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
X509_STORE_set_flags(cert_ctx, 0);
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2015-03-13 20:50:54 +03:00
|
|
|
if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, cert->px509chain))
|
2011-08-29 00:46:36 +04:00
|
|
|
goto end;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
if (X509_verify_cert(csc) == 1)
|
2012-10-09 10:31:28 +04:00
|
|
|
status = TRUE;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
X509_STORE_CTX_free(csc);
|
|
|
|
X509_STORE_free(cert_ctx);
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
end:
|
|
|
|
return status;
|
2011-08-26 07:10:49 +04:00
|
|
|
}
|
2011-08-29 00:46:36 +04:00
|
|
|
|
2015-06-09 16:33:13 +03:00
|
|
|
rdpCertificateData* crypto_get_certificate_data(X509* xcert, char* hostname, UINT16 port)
|
2011-08-29 00:46:36 +04:00
|
|
|
{
|
2015-06-11 12:16:45 +03:00
|
|
|
char* issuer;
|
|
|
|
char* subject;
|
2011-08-30 20:20:36 +04:00
|
|
|
char* fp;
|
2012-02-03 02:36:07 +04:00
|
|
|
rdpCertificateData* certdata;
|
2011-08-30 20:20:36 +04:00
|
|
|
|
|
|
|
fp = crypto_cert_fingerprint(xcert);
|
2014-03-26 02:13:08 +04:00
|
|
|
if (!fp)
|
|
|
|
return NULL;
|
|
|
|
|
2015-06-11 12:16:45 +03:00
|
|
|
issuer = crypto_cert_issuer(xcert);
|
|
|
|
subject = crypto_cert_subject(xcert);
|
|
|
|
|
|
|
|
certdata = certificate_data_new(hostname, port, issuer, subject, fp);
|
|
|
|
|
|
|
|
free(subject);
|
|
|
|
free(issuer);
|
2012-10-09 07:21:26 +04:00
|
|
|
free(fp);
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2011-08-29 00:46:36 +04:00
|
|
|
return certdata;
|
|
|
|
}
|
|
|
|
|
2011-09-27 06:58:49 +04:00
|
|
|
void crypto_cert_print_info(X509* xcert)
|
2011-08-26 07:10:49 +04:00
|
|
|
{
|
2011-08-30 20:20:36 +04:00
|
|
|
char* fp;
|
|
|
|
char* issuer;
|
|
|
|
char* subject;
|
|
|
|
|
2011-10-18 19:02:05 +04:00
|
|
|
subject = crypto_cert_subject(xcert);
|
|
|
|
issuer = crypto_cert_issuer(xcert);
|
2011-08-30 20:20:36 +04:00
|
|
|
fp = crypto_cert_fingerprint(xcert);
|
2014-03-26 02:13:08 +04:00
|
|
|
if (!fp)
|
|
|
|
{
|
2014-09-12 16:36:29 +04:00
|
|
|
WLog_ERR(TAG, "error computing fingerprint");
|
2014-03-26 02:13:08 +04:00
|
|
|
goto out_free_issuer;
|
|
|
|
}
|
2011-08-30 20:20:36 +04:00
|
|
|
|
2014-09-12 16:36:29 +04:00
|
|
|
WLog_INFO(TAG, "Certificate details:");
|
|
|
|
WLog_INFO(TAG, "\tSubject: %s", subject);
|
|
|
|
WLog_INFO(TAG, "\tIssuer: %s", issuer);
|
|
|
|
WLog_INFO(TAG, "\tThumbprint: %s", fp);
|
|
|
|
WLog_INFO(TAG, "The above X.509 certificate could not be verified, possibly because you do not have "
|
2015-06-11 12:16:45 +03:00
|
|
|
"the CA certificate in your certificate store, or the certificate has expired. "
|
2017-11-21 13:47:33 +03:00
|
|
|
"Please look at the OpenSSL documentation on how to add a private CA to the store.");
|
2012-10-09 07:21:26 +04:00
|
|
|
free(fp);
|
2014-03-26 02:13:08 +04:00
|
|
|
out_free_issuer:
|
|
|
|
free(issuer);
|
|
|
|
free(subject);
|
2011-08-26 07:10:49 +04:00
|
|
|
}
|