From 53445768ed498b24197cb91931c0510b9647ea75 Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Thu, 31 Mar 2016 12:16:55 +0200
Subject: [PATCH] Added command line option /cert-tofu
---
 client/common/cmdline.c | 5 +++++
 include/freerdp/settings.h | 4 +++-
 libfreerdp/common/settings.c | 7 +++++++
 libfreerdp/crypto/tls.c | 16 +++++++++++++---
 4 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index 3de0d1439..bf6639db8 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -139,6 +139,7 @@ static COMMAND_LINE_ARGUMENT_A args[] =
 { "tls-ciphers", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Allowed TLS ciphers" },
 { "cert-name", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "certificate name" },
 { "cert-ignore", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "ignore certificate" },
+ { "cert-tofu", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Automatically accept certificate on first connect" },
 { "pcb", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Preconnection Blob" },
 { "pcid", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Preconnection Id" },
 { "spn-class", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "SPN authentication service class" },
@@ -2220,6 +2221,10 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 {
 settings->IgnoreCertificate = TRUE;
 }
+ CommandLineSwitchCase(arg, "cert-tofu")
+ {
+ settings->AutoAcceptCertificate = TRUE;
+ }
 CommandLineSwitchCase(arg, "authentication")
 {
 settings->Authentication = arg->Value ? TRUE : FALSE;
diff --git a/include/freerdp/settings.h b/include/freerdp/settings.h
index d73d5ec53..06e084175 100644
--- a/include/freerdp/settings.h
+++ b/include/freerdp/settings.h
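Review bot: The help text for `cert-tofu` in the args[] table says what happens on the first connection but not that the flag skips the VerifyCertificate callback (which clients typically implement as the certificate prompt) for an unknown host, which is the part a user should weigh before putting it in a script; the parse hunk at line 2221 then sets AutoAcceptCertificate unconditionally. Suggest `"Automatically accept certificate on first connect (trust on first use; no verification prompt)"` so that /help shows the trade-off right next to `cert-ignore`. Whether later connections are still compared against the accepted certificate is decided in libfreerdp/crypto/tls.c rather than here, so the string should not promise more than the first-connect behaviour.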
@@ -635,6 +635,7 @@ typedef struct _RDPDR_PARALLEL RDPDR_PARALLEL;
 #define FreeRDP_CertificateContent 1416
 #define FreeRDP_PrivateKeyContent 1417
 #define FreeRDP_RdpKeyContent 1418
+#define FreeRDP_AutoAcceptCertificate 1419
 #define FreeRDP_Workarea 1536
 #define FreeRDP_Fullscreen 1537
@@ -1056,7 +1057,8 @@ struct rdp_settings
 ALIGN64 char *CertificateContent; /* 1416 */
 ALIGN64 char *PrivateKeyContent; /* 1417 */
 ALIGN64 char* RdpKeyContent; /* 1418 */
- UINT64 padding1472[1472 - 1419]; /* 1419 */
+ ALIGN64 BOOL AutoAcceptCertificate; /* 1419 */
+ UINT64 padding1472[1472 - 1420]; /* 1420 */
 UINT64 padding1536[1536 - 1472]; /* 1472 */
 /**
diff --git a/libfreerdp/common/settings.c b/libfreerdp/common/settings.c
index 271569c53..228c04c60 100644
--- a/libfreerdp/common/settings.c
+++ b/libfreerdp/common/settings.c
@@ -912,6 +912,9 @@ BOOL freerdp_get_param_bool(rdpSettings* settings, int id)
 case FreeRDP_IgnoreCertificate:
 return settings->IgnoreCertificate;
+ case FreeRDP_AutoAcceptCertificate:
+ return settings->AutoAcceptCertificate;
+
 case FreeRDP_ExternalCertificateManagement:
 return settings->ExternalCertificateManagement;
@@ -1363,6 +1366,10 @@ int freerdp_set_param_bool(rdpSettings* settings, int id, BOOL param)
 settings->IgnoreCertificate = param;
 break;
+ case FreeRDP_AutoAcceptCertificate:
+ settings->AutoAcceptCertificate = param;
+ break;
+
 case FreeRDP_ExternalCertificateManagement:
 settings->ExternalCertificateManagement = param;
 break;
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index ba10e0db1..e02577d6e 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
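Review bot: The new public field `ALIGN64 BOOL AutoAcceptCertificate; /* 1419 */` in struct rdp_settings carries only its slot number, so a reader of the header cannot tell how it differs from IgnoreCertificate, which also weakens verification. If the file's convention permits, a short semantic comment would help, e.g. `/* 1419: accept an unknown server certificate without invoking VerifyCertificate (/cert-tofu) */`, keeping the slot number the file uses elsewhere. The padding adjustment `padding1472[1472 - 1420]` with its `/* 1420 */` marker is consistent with the slot taken, and the settings.c getter and setter hunks mirror the IgnoreCertificate cases.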
@@ -1273,9 +1273,19 @@ int tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname, int por
 common_name, alt_names, alt_names_count);
- if (instance->VerifyCertificate)
- accept_certificate = instance->VerifyCertificate(instance, common_name,
- subject, issuer, fingerprint, !hostname_match);
+ /* Automatically accept certificate on first use */
+ if (tls->settings->AutoAcceptCertificate)
+ {
+ WLog_INFO(TAG, "No certificate stored, automatically accepting.");
+ accept_certificate = 1;
+ }
+ else if (instance->VerifyCertificate)
+ {
+ accept_certificate = instance->VerifyCertificate(
+ instance, common_name,
+ subject, issuer,
+ fingerprint, !hostname_match);
+ }
 switch(accept_certificate)
 {
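Review bot: The new auto-accept branch discards the `hostname_match` result that the replaced code forwarded to VerifyCertificate, so a certificate whose name does not match the target is accepted with no indication, and the INFO line records neither the host nor the fingerprint that was just trusted. Since `hostname`, `fingerprint` and `hostname_match` are all in scope here, log the decision at warning level with that context, e.g. `WLog_WARN(TAG, "No certificate stored for %s, automatically accepting (fingerprint %s%s).", hostname, fingerprint, hostname_match ? "" : ", hostname mismatch");`, so an operator can later audit what the first connection trusted. tls_verify_certificate begins and ends outside the hunk; the log text presumes this point is reached only when no certificate is stored for the host, and it should be confirmed that a stored-but-different certificate still takes its own path rather than this flag, otherwise /cert-tofu would also accept a changed certificate. The value `accept_certificate = 1` feeds the switch below whose cases are outside the hunk, so the comment should say which outcome 1 selects (accept and remember, or accept once) rather than only "first use".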