mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2466 from WarheadsSE/fix-cert-chain-validation-GH2446

Browse Source 
libfreerdp: crypto: add certificate chain validation!
This commit is contained in:
Marc-André Moreau 2015-03-13 14:44:55 -04:00
commit e059804706
3 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/freerdp/crypto/crypto.h
View File

@ -72,6 +72,7 @@ struct crypto_hmac_struct
struct crypto_cert_struct struct crypto_cert_struct
{ {
X509 * px509; X509 * px509;
STACK_OF(X509) *px509chain;
}; };
#ifdef __cplusplus #ifdef __cplusplus

2
libfreerdp/crypto/crypto.c
View File

@ -533,7 +533,7 @@ BOOL x509_verify_certificate(CryptoCert cert, char* certificate_store_path)
X509_STORE_set_flags(cert_ctx, 0); X509_STORE_set_flags(cert_ctx, 0);
if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0)) if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, cert->px509chain))
goto end; goto end;
if (X509_verify_cert(csc) == 1) if (X509_verify_cert(csc) == 1)

6
libfreerdp/crypto/tls.c
View File

@ -504,6 +504,7 @@ static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{ {
CryptoCert cert; CryptoCert cert;
X509* remote_cert; X509* remote_cert;
STACK_OF(X509) *chain;
if (peer) if (peer)
remote_cert = SSL_get_peer_certificate(tls->ssl); remote_cert = SSL_get_peer_certificate(tls->ssl);
@ -524,6 +525,11 @@ static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
} }
cert->px509 = remote_cert; cert->px509 = remote_cert;
/* Get the peer's chain. If it does not exist, we're setting NULL (clean data either way) */
chain = SSL_get_peer_cert_chain(tls->ssl);
cert->px509chain = chain;
return cert; return cert;
} }