mirrors
/
FreeRDP
mirror of https://github.com/FreeRDP/FreeRDP
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

certificate verification (not tested)

This commit is contained in:
qubit 2011-08-29 02:16:36 +05:30
parent 2cd7b267e7
commit 66d1ceff03
7 changed files with 195 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/freerdp/utils/certstore.h
View File

@ -10,6 +10,7 @@ typedef struct rdp_certdata rdpCertdata;
#include <freerdp/api.h>
#include <freerdp/freerdp.h>
#include <freerdp/utils/memory.h>
struct rdp_certdata
{
char* thumbprint;
@ -24,11 +25,17 @@ struct rdp_certstore
int match;
struct rdp_certdata* certdata;
};
void certstore_create(rdpCertstore* certstore);
void certstore_open(rdpCertstore* certstore);
void certstore_load(rdpCertstore* certstore);
void certstore_close(rdpcertstore* certstore);
char* get_local_certloc();
rdpCertdata* certdata_new(char* host_name,char* fingerprint);
void certdata_free(rdpCertdata* certdata);
void certstore_init(rdpCertstore* certstore);
rdpCertstore* certstore_new(rdpCertdata* certdata);
void cerstore_free(rdpCertsore* certstore);
void certstore_free(rdpCertsore* certstore);
int match_certdata(rdpCertdata* certdata);
void print_certdata(rdpCertstore* certstore);
#endif /* __CERTSTORE_UTILS_H */

69
libfreerdp-core/credssp.c
View File

@ -8,7 +8,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@ -28,9 +28,9 @@
/**
* TSRequest ::= SEQUENCE {
* version [0] INTEGER,
* version [0] INTEGER,
* negoTokens [1] NegoData OPTIONAL,
* authInfo [2] OCTET STRING OPTIONAL,
* authInfo [2] OCTET STRING OPTIONAL,
* pubKeyAuth [3] OCTET STRING OPTIONAL
* }
*
@ -41,29 +41,29 @@
* }
*
* TSCredentials ::= SEQUENCE {
* credType [0] INTEGER,
* credType [0] INTEGER,
* credentials [1] OCTET STRING
* }
*
* TSPasswordCreds ::= SEQUENCE {
* domainName [0] OCTET STRING,
* userName [1] OCTET STRING,
* password [2] OCTET STRING
* domainName [0] OCTET STRING,
* userName [1] OCTET STRING,
* password [2] OCTET STRING
* }
*
* TSSmartCardCreds ::= SEQUENCE {
* pin [0] OCTET STRING,
* cspData [1] TSCspDataDetail,
* userHint [2] OCTET STRING OPTIONAL,
* pin [0] OCTET STRING,
* cspData [1] TSCspDataDetail,
* userHint [2] OCTET STRING OPTIONAL,
* domainHint [3] OCTET STRING OPTIONAL
* }
*
* TSCspDataDetail ::= SEQUENCE {
* keySpec [0] INTEGER,
* cardName [1] OCTET STRING OPTIONAL,
* readerName [2] OCTET STRING OPTIONAL,
* keySpec [0] INTEGER,
* cardName [1] OCTET STRING OPTIONAL,
* readerName [2] OCTET STRING OPTIONAL,
* containerName [3] OCTET STRING OPTIONAL,
* cspName [4] OCTET STRING OPTIONAL
* cspName [4] OCTET STRING OPTIONAL
* }
*
*/
@ -100,6 +100,43 @@ void credssp_ntlmssp_init(rdpCredssp* credssp)
ntlmssp->ntlm_v2 = 0;
}
int tls_verify_certificate(CryptoCert cert,char* hostname)
{
boolean ret;
ret=x509_verify_cert(cert);
if(!ret)
{
Certdata* certdata;
certdata=crypto_get_certdata(cert->px509,hostname);
Certstore* certstore=certstore_new(certdata);
if(match_certdata(certstore)==0)
return 0;
if(certstore->match==1)
{
crypto_cert_printinfo(cert->x509);
char answer;
while(1)
{
printf("Do you trust the above certificate? (Y/N)");
answer=fgetc(stdin);
if(answer=='y' || answer =='Y')
{
print_certdata(certstore);break;
}
else if(answer=='n' || answer=='N')
{
/*disconnect*/break;
}
}
return 0;
}
else if(certstore->match==-1)
{
cert_print_error();/*disconnect*/
}
certstore_free(certstore);
}
}
/**
* Get TLS public key.
* @param credssp
@ -109,7 +146,7 @@ int credssp_get_public_key(rdpCredssp* credssp)
{
int ret;
CryptoCert cert;
cert = tls_get_certificate(credssp->transport->tls);
if (cert == NULL)
@ -117,7 +154,7 @@ int credssp_get_public_key(rdpCredssp* credssp)
printf("credssp_get_public_key: tls_get_certificate failed to return the server certificate.\n");
return 0;
}
tls_verify_certificate(cert,credssp->transport->settings->hostname);
ret = crypto_cert_get_public_key(cert, &credssp->public_key);
crypto_cert_free(cert);

103
libfreerdp-core/crypto.c
View File

@ -8,7 +8,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@ -189,33 +189,86 @@ void crypto_nonce(uint8* nonce, int size)
{
RAND_bytes((void*) nonce, size);
}
char* crypto_cert_fingerprint(X509 *xcert)
{
unsigned char fp[EVP_MAX_MD_SIZE];
int i;
unsigned int fp_len;
X509_digest(xcert,EVP_sha1(),fp,&fp_len);
char *fp_buf=xzalloc(3*fp_len);
char *p = fp_buf;
for (i = 0; i < fp_len - 1; i++)
{
sprintf(p, "%02x:", fp[i]);
p = (char*) &fp_buf[i * 3];
}
sprintf(p, "%02x", fp[i]);
return fp_buf;
unsigned char fp[EVP_MAX_MD_SIZE];
int i;
unsigned int fp_len;
X509_digest(xcert,EVP_sha1(),fp,&fp_len);
char *fp_buf=xzalloc(3*fp_len);
char *p = fp_buf;
for (i = 0; i < fp_len - 1; i++)
{
sprintf(p, "%02x:", fp[i]);
p = (char*) &fp_buf[i * 3];
}
sprintf(p, "%02x", fp[i]);
return fp_buf;
}
boolean x509_verify_cert(CryptoCert cert)
{
X509 *xcert=cert->px509;
char *cert_loc;
int ret=0;
X509_STORE *cert_ctx=NULL;
X509_LOOKUP *lookup=NULL;
X509_STORE_CTX *csc;
cert_ctx=X509_STORE_new();
if (cert_ctx == NULL)
goto end;
OpenSSL_add_all_algorithms();
lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
if (lookup == NULL)
goto end;
lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
cert_loc=get_local_certloc();
if(cert_loc!=NULL)
{
X509_LOOKUP_add_dir(lookup,cert_loc,X509_FILETYPE_ASN1);
xfree(cert_loc);
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto end;
X509_STORE_set_flags(cert_ctx, 0);
if(!X509_STORE_CTX_init(csc,cert_ctx,xcert,0))
goto end;
int i=X509_verify_cert(csc);
X509_STORE_CTX_free(csc);
X509_STORE_free(cert_ctx);
ret=0;
end:
ret = (i > 0);
return(ret);
}
rdpCertdata* crypto_get_certdata(X509 *xcert,char* hostname)
{
rdpCertdata* certdata;
char *fp;
fp=crypto_cert_fingerprint(xcert);
certdata=certdata_new(hostname,fp);
xfree(fp);
return certdata;
}
void crypto_cert_printinfo(X509 *xcert)
{
char *subject;
char *issuer;
char *fp;
subject=X509_NAME_oneline(X509_get_subject_name(xcert),NULL,0);
issuer=X509_NAME_oneline(X509_get_issuer_name(xcert),NULL,0);
fp=crypto_cert_fingerprint(xcert);
printf("Cerificate details:\n");
printf("\tSubject : %s\n",subject);
printf("\tIssuer : %s\n",issuer);
printf("\tCert Thumbprint (sha1) : %s\n",fp);
xfree(fp);
char *subject;
char *issuer;
char *fp;
subject=X509_NAME_oneline(X509_get_subject_name(xcert),NULL,0);
issuer=X509_NAME_oneline(X509_get_issuer_name(xcert),NULL,0);
fp=crypto_cert_fingerprint(xcert);
printf("Cerificate details:\n");
printf("\tSubject : %s\n",subject);
printf("\tIssuer : %s\n",issuer);
printf("\tThumbprint (sha1) : %s\n",fp);
printf("The above x509 certificate couldn't be verified.Possibly because you do not have the CA cetificate in your certstore or certificate has expired.\nPlease look at the docs on how to create local certstore for private CA.\n");
xfree(fp);
}

2
libfreerdp-core/crypto.h
View File

@ -46,6 +46,7 @@
#include <freerdp/freerdp.h>
#include <freerdp/utils/blob.h>
#include <freerdp/utils/memory.h>
#include <freerdp/utils/certstore.h>
struct crypto_sha1_struct
{
@ -87,6 +88,7 @@ CryptoCert crypto_cert_read(uint8* data, uint32 length);
char* cypto_cert_fingerprint(X509* xcert);
void crypto_cert_printinfo(X509* xcert);
void crypto_cert_free(CryptoCert cert);
boolean x509_verify_cert(CryptoCert cert);
boolean crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert);
boolean crypto_cert_get_public_key(CryptoCert cert, rdpBlob* public_key);

87
libfreerdp-core/tls.c
View File

@ -8,7 +8,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@ -240,48 +240,63 @@ rdpTls* tls_new()
tls->connect = tls_connect;
tls->accept = tls_accept;
tls->disconnect = tls_disconnect;
SSL_load_error_strings();
SSL_library_init();
}
return tls;
}
boolean tls_verify_cert(CryptoCert cert)
int tls_verify_certificate(CryptoCert cert,char* hostname)
{
X509 *xcert=cert->px509;
char *cert_loc;
int ret=0;
X509_STORE *cert_ctx=NULL;
X509_LOOKUP *lookup=NULL;
X509_STORE_CTX *csc;
cert_ctx=X509_STORE_new();
if (cert_ctx == NULL)
goto end;
OpenSSL_add_all_algorithms();
lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
if (lookup == NULL)
goto end;
lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
cert_loc=get_local_certloc();
X509_LOOKUP_add_dir(lookup,cert_loc,X509_FILETYPE_ASN1);
xfree(cert_loc);
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto end;
X509_STORE_set_flags(cert_ctx, 0);
if(!X509_STORE_CTX_init(csc,cert_ctx,xcert,0))
goto end;
int i=X509_verify_cert(csc);
X509_STORE_CTX_free(csc);
X509_STORE_free(cert_ctx);
ret=0;
end:
ret = (i > 0);
return(ret);
boolean ret;
ret=x509_verify_cert(cert);
if(!ret)
{
Certdata* certdata;
certdata=crypto_get_certdata(cert->px509,hostname);
Certstore* certstore=certstore_new(certdata);
if(match_certdata(certstore)==0)
return 0;
if(certstore->match==1)
{
crypto_cert_printinfo(cert->x509);
char answer;
while(1)
{
printf("Do you trust the above certificate? (Y/N)");
answer=fgetc(stdin);
if(answer=='y' || answer =='Y')
{
print_certdata(certstore);break;
}
else if(answer=='n' || answer=='N')
{
/*disconnect*/break;
}
}
return 0;
}
else if(certstore->match==-1)
{
tls_print_cert_error();/*disconnect*/
}
certstore_free(certstore);
}
}
void tls_print_cert_error()
{
printf("#####################################\n");
printf("##############WARNING################\n");
printf("#####################################\n");
printf("The thumbprint of certificate recieved\n");
printf("did not match the stored thumbprint.You\n");
printf("might be a victim of MAN in the MIDDLE\n");
printf("ATTACK.It is also possible that server's\n");
printf("certificate have been changed.In that case\n");
printf("contact your server administrator\n");
}
void tls_free(rdpTls* tls)

4
libfreerdp-core/tls.h
View File

@ -41,6 +41,7 @@ struct rdp_tls
TlsConnect connect;
TlsAccept accept;
TlsDisconnect disconnect;
struct rdp_settings* settings;
};
boolean tls_connect(rdpTls* tls);
@ -49,8 +50,9 @@ boolean tls_disconnect(rdpTls* tls);
int tls_read(rdpTls* tls, uint8* data, int length);
int tls_write(rdpTls* tls, uint8* data, int length);
CryptoCert tls_get_certificate(rdpTls* tls);
int tls_verify_certificate(CryptoCert cert,char* hostname);
void tls_print_cert_error();
boolean tls_print_error(char* func, SSL* connection, int value);
boolean tls_verify_cert(CryptoCert cert);
rdpTls* tls_new();
void tls_free(rdpTls* tls);

185
libfreerdp-utils/cerstore.c
View File

@ -1,185 +0,0 @@
/**
* FreeRDP: A Remote Desktop Protocol Client
* certstore Utils
*
* Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <freerdp/utils/certstore.h>
#ifdef _WIN32
#include <windows.h>
#endif
static char cert_dir[] = "freerdp";
static char cert_loc[] = "cacert";
static char certstore_file[] = "known_hosts";
void certstore_create(rdpCertstore* certstore)
{
certstore->fp = fopen((char*)certstore->file, "w+");
if (certstore->fp == NULL)
{
printf("certstore_create: error opening [%s] for writing\n", certstore->file);
return;
}
fflush(certstore->fp);
}
void certstore_load(rdpCertstore* certstore)
{
certstore->fp = fopen((char*)certstore->file, "r+");
}
void certstore_open(rdpCertstore* certstore)
{
struct stat stat_info;
if (stat((char*)certstore->file, &stat_info) != 0)
certstore_create(certstore);
else
certstore_load(certstore);
}
void certstore_close(rdpcertstore* certstore)
{
if (certstore->fp != NULL)
fclose(certstore->fp);
}
char* get_local_certloc()
{
char *home_path;
char *cert_loc;
home_path=getenv("HOME");
cert_loc=(char*)xmalloc(strlen(home_path)+strlen("/.")+strlen(cert_dir)+strlen("/")+strlen(cert_loc)+1);
sprintf(cert_loc,"%s/.%s/%s",home_path,cert_dir,cert_loc);
return cert_loc;
}
void certstore_init(rdpCertstore* certstore)
{
int length;
char* home_path;
struct stat stat_info;
certstore->match=1;
home_path = getenv("HOME");
if (home_path == NULL)
{
printf("could not get home path\n");
certstore->available = False;
return;
}
certstore->home = (char*) xstrdup(home_path);
printf("home path: %s\n", certstore->home);
certstore->path = (char*) xmalloc(strlen(certstore->home) + strlen("/.") + strlen(cert_dir) + 1);
sprintf(certstore->path, "%s/.%s", certstore->home, cert_dir);
printf("certstore path: %s\n", certstore->path);
if (stat(certstore->path, &stat_info) != 0)
{
#ifndef _WIN32
mkdir(certstore->path, S_IRUSR | S_IWUSR | S_IXUSR);
#else
CreateDirectory(certstore->path, 0);
#endif
printf("creating directory %s\n", certstore->path);
}
length = strlen(certstore->path);
certstore->file = (char*) xmalloc(strlen(certstore->path) + strlen("/") + strlen(certstore_file) + 1);
sprintf(certstore->file, "%s/%s", certstore->path, certstore_file);
printf("certstore file: %s\n", certstore->file);
certstore_open(certstore);
}
rdpCertstore* certstore_new(rdpCertdata* certdata)
{
rdpCertstore* certstore = (rdpCertstore*) xzalloc(sizeof(rdpCertstore));
if (certstore != NULL)
{
certstore->certdata = certdata;
certstore_init(certstore);
}
return certstore;
}
void cerstore_free(rdpCertsore* certstore)
{
if (certstore != NULL)
{
certstore_close(certstore);
xfree(certstore->path);
xfree(certstore->file);
xfree(certstore->home);
xfree(certstore);
}
}
int match_certdata(rdpCertdata* certdata)
{
char *host;
char *p;
char *thumb_print;
int length;
unsigned char c;
FILE* cfp;
rdpCertstore* certstore=certstore_new(certdata);
cfp=certstore->fp;
length=strlen(certdata->thumbprint);
for(;;)
{
if((int)fread(host,sizeof(char),strlen(certdata->hostname),cfp) < strlen(certdata->hostname))
break;
if((!strcmp(host,certdata->hostname)) && ((c=fgetc(cfp))==' ' || c=='\t') )
{
ungetc(c,cfp);
while((c=fgetc(cfp))==' ' || c=='\t');
if(c==EOF)
break;
ungetc(c,cfp);
thumb_print=xzalloc(length+1);
p=thumb_print;
while((p-thumb_print < length) && (*p=fgetc(cfp))!=EOF && *p!='\n' && *p==certdata->thumbprint+p-thumb_print)
p++;
if(p-thumb_print==length)
certdata->match=0;
else
certdata->match=-1;
break;
}
else
while(c!='\n'||c!=EOF)
c=fgetc(cfp);
if(c==EOF)
break;
else
ungetc(c,cfp);
}
return certdata->match;
}
void print_certdata(rdpCertstore* certstore)
{
lseek(certstore->fp,0,SEEK_END);
fprintf(certstore->fp,"%s %s\n",certstore->certdata->hostname,certstore->certdata->thumbprint);
}