diff --git a/libfreerdp-core/transport.c b/libfreerdp-core/transport.c
index 309214903..06dab0ee0 100644
--- a/libfreerdp-core/transport.c
+++ b/libfreerdp-core/transport.c
@@ -92,8 +92,11 @@ boolean transport_connect_tls(rdpTransport* transport)
 transport->layer = TRANSPORT_LAYER_TLS;
 transport->tls->sockfd = transport->tcp->sockfd;
- if (tls_connect(transport->tls) != true)
+ if (tls_connect(transport->tls) != true) {
+ tls_free(transport->tls);
+ transport->tls = NULL;
 return false;
+ }
 return true;
 }
@@ -109,8 +112,11 @@ boolean transport_connect_nla(rdpTransport* transport)
 transport->layer = TRANSPORT_LAYER_TLS;
 transport->tls->sockfd = transport->tcp->sockfd;
- if (tls_connect(transport->tls) != true)
+ if (tls_connect(transport->tls) != true) {
+ tls_free(transport->tls);
+ transport->tls = NULL;
 return false;
+ }
 /* Network Level Authentication */
diff --git a/libfreerdp-crypto/tls.c b/libfreerdp-crypto/tls.c
index 26b1e1edc..39ad75769 100644
--- a/libfreerdp-crypto/tls.c
+++ b/libfreerdp-crypto/tls.c
@@ -53,6 +53,7 @@ static void tls_free_certificate(CryptoCert cert)
 xfree(cert);
 }
+
 boolean tls_connect(rdpTls* tls)
 {
 CryptoCert cert;
@@ -80,15 +81,12 @@ boolean tls_connect(rdpTls* tls)
 if (tls->ssl == NULL)
 {
- SSL_CTX_free(tls->ctx);
 printf("SSL_new failed\n");
 return false;
 }
 if (SSL_set_fd(tls->ssl, tls->sockfd) < 1)
 {
- SSL_free(tls->ssl);
- SSL_CTX_free(tls->ctx);
 printf("SSL_set_fd failed\n");
 return false;
 }
@@ -99,8 +97,6 @@ boolean tls_connect(rdpTls* tls)
 {
 if (tls_print_error("SSL_connect", tls->ssl, connection_status))
 {
- SSL_free(tls->ssl);
- SSL_CTX_free(tls->ctx);
 return false;
 }
 }
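Review bot: After the new `tls_free(transport->tls); transport->tls = NULL;` the function returns with `transport->layer` still set to TRANSPORT_LAYER_TLS (assigned two lines above in the context), so a transport that reports the TLS layer now carries a NULL tls pointer; whether later code dispatches on the layer and dereferences transport->tls cannot be confirmed from the hunk, but resetting it on this path, e.g. `transport->layer = TRANSPORT_LAYER_TCP;` before `return false;` (assuming that is the pre-TLS value of the enum), removes the inconsistent state. The identical block is repeated in transport_connect_nla's hunk at @@ -109; a small static helper shared by both would keep the two failure paths from drifting. This change only avoids a leak if tls_free releases tls->ssl and tls->ctx, because the SSL_free/SSL_CTX_free calls are removed from tls_connect in the tls.c hunks of this same commit and tls_free itself is not shown. Both enclosing functions start before their hunks.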
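Review bot: Removing `SSL_CTX_free(tls->ctx)` on the SSL_new failure path here, and `SSL_free`/`SSL_CTX_free` on the SSL_set_fd and @@ -99 SSL_connect failure paths, moves ownership of tls->ctx and tls->ssl after a failed connect to whoever calls tls_free, but nothing in tls_connect records that contract and tls_free is not part of this diff, so it cannot be confirmed that both objects are actually released. Add a comment above tls_connect such as `/* On failure tls->ctx and tls->ssl are left allocated; the caller must release them with tls_free(). */` and check that tls_free calls SSL_free and SSL_CTX_free and tolerates NULL members. A second tls_connect call on the same rdpTls after a failure would presumably overwrite the still-allocated ctx, so the comment should also state that the object is single-use after a failed connect. tls_connect starts before this hunk and continues past it.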
@@ -119,8 +115,12 @@ boolean tls_connect(rdpTls* tls)
 return false;
 }
- if (!tls_verify_certificate(tls, cert, tls->settings->hostname))
+ if (!tls_verify_certificate(tls, cert, tls->settings->hostname)) {
+ printf("tls_connect: certificate not trusted, aborting.\n");
 tls_disconnect(tls);
+ tls_free_certificate(cert);
+ return false;
+ }
 tls_free_certificate(cert);