Fixed #6099: Add a flag for legacy hash entries

If a legacy entry is found in certificate hash store print
additional information to the user informing about the change
with FreeRDP 2.0
This commit is contained in:
akallabeth 2020-04-21 09:06:39 +02:00 committed by akallabeth
parent fd3edaa203
commit b094d52d0b
3 changed files with 26 additions and 0 deletions

View File

@ -549,6 +549,7 @@ DWORD client_cli_verify_certificate_ex(freerdp* instance, const char* host, UINT
printf("\tSubject: %s\n", subject);
printf("\tIssuer: %s\n", issuer);
printf("\tThumbprint: %s\n", fingerprint);
printf("The above X.509 certificate could not be verified, possibly because you do not have\n"
"the CA certificate in your certificate store, or the certificate has expired.\n"
"Please look at the OpenSSL documentation on how to add a private CA to the store.\n");
@ -644,6 +645,14 @@ DWORD client_cli_verify_changed_certificate_ex(freerdp* instance, const char* ho
printf("\tIssuer: %s\n", old_issuer);
printf("\tThumbprint: %s\n", old_fingerprint);
printf("\n");
if (flags & VERIFY_CERT_FLAG_MATCH_LEGACY_SHA1)
{
printf("\tA matching entry with legacy SHA1 was found in local known_hosts2 store.\n");
printf("\tIf you just upgraded from a FreeRDP version before 2.0 this is expected.\n");
printf("\tThe hashing algorithm has been upgraded from SHA1 to SHA256.\n");
printf("\tAll manually accepted certificates must be reconfirmed!\n");
printf("\n");
}
printf("The above X.509 certificate does not match the certificate used for previous "
"connections.\n"
"This may indicate that the certificate has been tampered with.\n"

View File

@ -67,6 +67,7 @@ extern "C"
#define VERIFY_CERT_FLAG_GATEWAY 0x20
#define VERIFY_CERT_FLAG_CHANGED 0x40
#define VERIFY_CERT_FLAG_MISMATCH 0x80
#define VERIFY_CERT_FLAG_MATCH_LEGACY_SHA1 0x100
typedef BOOL (*pContextNew)(freerdp* instance, rdpContext* context);
typedef void (*pContextFree)(freerdp* instance, rdpContext* context);

View File

@ -1492,6 +1492,22 @@ int tls_verify_certificate(rdpTls* tls, CryptoCert cert, const char* hostname, U
fingerprint = crypto_cert_fingerprint(cert->px509);
/* search for matching entry in known_hosts file */
match = certificate_data_match(tls->certificate_store, certificate_data);
{
int match_old = -1;
char* sha1 = crypto_cert_fingerprint_by_hash(cert->px509, "sha1");
rdpCertificateData* certificate_data_sha1 =
certificate_data_new(hostname, port, subject, issuer, sha1);
if (sha1 && certificate_data_sha1)
match_old =
certificate_data_match(tls->certificate_store, certificate_data_sha1);
if (match_old == 0)
flags |= VERIFY_CERT_FLAG_MATCH_LEGACY_SHA1;
certificate_data_free(certificate_data_sha1);
free(sha1);
}
if (match == 1)
{