Commit Graph

485 Commits

Author SHA1 Message Date
Valery Kartel
9bf9ff9e8a Fix build with LibreSSL 2017-07-26 17:12:14 +03:00
Armin Novak
8b9e3fa51e Fixed use of reserved keywords for include guards. 2017-07-20 09:35:41 +02:00
Armin Novak
0490aeb018 Fixed clang malloc integer overflow warnings. 2017-07-20 09:29:48 +02:00
Ilya Shipitsin
a9ab65a935 resolve an issue found by cppcheck:
[libfreerdp/crypto/certificate.c:315] -> [libfreerdp/crypto/certificate.c:316]: (warning) Either the condition 'if(fingerprint&&fprint)' is redundant or there is possible null pointer dereference: fingerprint.
2017-06-01 00:05:51 +05:00
Armin Novak
4be62f7047 Fixed OpenSSL 1.1 no legacy compile issues. 2017-04-06 11:25:25 +02:00
Aric Belsito
70ab61c8e6
Support LibreSSL
Broken by the addition of OpenSSL 1.1.0 support.
2017-03-19 13:58:24 -07:00
Norbert Federa
f71b6b46e8 fix string format specifiers
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Norbert Federa
c6e6b44143 countless WLog/printf format specifier fixes 2016-11-25 17:06:25 +01:00
Norbert Federa
53bd98883e winpr/crypt api changes and memory leak fixes
- winpr_HMAC_New() now just returnes the opaque WINPR_HMAC_CTX* pointer
  which has to be passed to winpr_HMAC_Init() for (re)initialization
  and since winpr_HMAC_Final() no more frees the context you always have to
  use the new function winpr_HMAC_Free() once winpr_HMAC_New() has succeded

- winpr_Digest_New() now just returns the opaque WINPR_DIGEST_CTX* pointer
  which has to be passed to winpr_Digest_Init() for (re)initialization
  and since winpr_Digest_Final() no more frees the context you always have to
  use the new function winpr_Digest_Free() once winpr_Digest_New() has succeded
2016-11-24 18:27:29 +01:00
Norbert Federa
7befab856c Support for OpenSSL 1.1.0 2016-11-24 17:50:09 +01:00
Martin Fleisz
e8fbdf503d crypto: Remove unneeded update (+) flag from file open mode 2016-10-17 14:49:26 +02:00
Armin Novak
c6ae62f700 Fixed memory leak in certificate check. 2016-10-10 13:34:57 +02:00
Armin Novak
f5fff7658a Made some functions static. 2016-10-06 13:43:12 +02:00
Marc-André Moreau
1ffbd774e9 freerdp: fix sending of TLS alert on NLA failure, add better handling of server-side NLA in shadow server 2016-07-21 17:53:20 -04:00
Marc-André Moreau
915b9a15b1 Merge branch 'master' of github.com:FreeRDP/FreeRDP
Conflicts:
	winpr/libwinpr/bcrypt/CMakeLists.txt
2016-05-11 11:05:17 -04:00
Bernhard Miklautz
221a292b04 Merge pull request #3263 from akallabeth/tofu
Added command line option /cert-tofu
2016-05-03 16:27:15 +02:00
akallabeth
a62d962bc7 Merge pull request #3250 from mfleisz/cssp_v3
core: Add support for CredSSP version 3
2016-04-26 09:59:40 +02:00
Armin Novak
53445768ed Added command line option /cert-tofu 2016-03-31 12:16:55 +02:00
Marc-André Moreau
cedf6d98e2 freerdp: more UWP porting 2016-03-29 20:34:52 -04:00
Bernhard Miklautz
9e8c6c99b6 First shot on fixing over linking
If a target is linked against libraries with cmake
(target_link_libraries) and the libraries are not marked as PRIVATE
they are "exported" and in case a other target is linked against this
target it is also linked against *all* (not private) libraries.

Without declaring private libraries PRIVATE a lot of over linking
(linking against unneeded libraries) was done.
2016-03-29 18:14:34 +02:00
Martin Fleisz
1c2d315354 core: Add support for CredSSP version 3 2016-03-18 13:32:13 +01:00
Bernhard Miklautz
014f31db35 Merge pull request #3171 from akallabeth/crypto_simplification
Crypto simplification
2016-02-29 17:10:53 +01:00
Armin Novak
238ff3b315 Unified encryption functions. 2016-02-27 23:28:49 +01:00
Armin Novak
5805ba8e52 Removed crypto_nonce. 2016-02-27 22:40:43 +01:00
Armin Novak
1036f1e296 Fixed default visibility.
When nothing is declared, only export symbols defined
with WINPR_API or FREERDP_API defined.
Override this setting if BUILD_TESTING to allow tests
access to internal functions usually not exposed.
2016-02-26 19:44:14 +01:00
Armin Novak
f997421098 Unified hmac functions. 2016-02-24 21:50:08 +01:00
Armin Novak
4ca6b9bf10 Unified random functions and remaining MD5. 2016-02-24 20:41:01 +01:00
Armin Novak
ada2b16c50 Unified RC4 functions. 2016-02-24 17:04:03 +01:00
Armin Novak
06da644007 Unified md5 functions. 2016-02-24 16:46:25 +01:00
Armin Novak
0e4ea3943a Unified sha1 functions. 2016-02-24 16:36:15 +01:00
Hardening
2a3e9996b3 Merge pull request #2710 from akallabeth/cert_temp_accept_v2
Extended certificate callbacks.
2016-02-15 13:52:47 +01:00
Armin Novak
f4568295e9 Fixed API for old openssl versions < 1.0.0 2016-02-05 11:52:07 +01:00
Armin Novak
0e2208e942 Fixed warning. 2016-02-05 02:04:57 +01:00
Armin Novak
cbf2892ccc Implemented temporary certificate accept.
Certificates can now be accepted temporarily.
The callbacks for certificate validation have been
modified to extend the information presented to the user.
2016-02-05 02:04:57 +01:00
Armin Novak
16699000c4 Fixed allocation issue with common_name. 2016-02-05 02:04:00 +01:00
Armin Novak
3b0f5b5b48 Removed obsolete APPLE preprocessor switch. 2016-02-04 12:55:11 +01:00
Christian Plattner
c0226d686c Enable support for SNI on client side 2016-02-04 08:34:51 +01:00
davewheel
d5b8585a39 Allow to specify the raw content of crypto materials
Sometime it's possible that your server application doesn't have access to files
(when running in a very restricted environment for example). This patch allows
to ship the private key and certificate as a string.

Sponsored by: Wheel Systems (http://www.wheelsystems.com)
2016-01-21 11:27:06 +01:00
Bernhard Miklautz
aa80f63b4a tls: enable tls 1+
Currently TLS version 1.0 is used implicitly by using the TLSv1_method.
To be able to also use TLS 1.1 and later use SSLv23_client_method
instead. To make sure SSLv2 or SSLv3 isn't used disable them.
2016-01-12 17:43:14 +01:00
Bernhard Miklautz
d03b38765a Merge pull request #2816 from akallabeth/known_hosts_locking
Known hosts locking
2015-12-16 19:03:15 +01:00
Armin Novak
65062633c2 Fixed memory leak. 2015-12-10 13:57:05 +01:00
Armin Novak
df528cefc5 Using locking winpr file functions for known hosts. 2015-12-09 18:29:41 +01:00
Armin Novak
75ae38dff2 Silenced VerifyX509Certificate logging.
Now only writing log entries if something was an actual
error, otherwise stay silent.
2015-10-16 11:04:42 +02:00
Marc-André Moreau
87780a850d Merge branch 'master' of github.com:FreeRDP/FreeRDP into mbedtls 2015-10-09 15:58:50 -04:00
Marc-André Moreau
9c35b73fb6 libfreerdp-core: fix gateway connectivity on Windows 2015-09-17 14:32:40 -04:00
Marc-André Moreau
8e3baed882 cmake: add mbed TLS detection 2015-09-15 20:52:46 -04:00
Marc-André Moreau
c0a887da17 libfreerdp-crypto: add locking of operations dealing with SSL* 2015-09-15 19:59:41 -04:00
Marc-André Moreau
3f2915eb78 libfreerdp-core: alternative RDG BIO fix 2015-09-15 13:03:11 -04:00
Marc-André Moreau
12ce635b34 libfreerdp-core: fix code style 2015-09-15 10:37:57 -04:00
Denis Vincent
6d55635ed0 libfreerdp-core: Gateway RDP8 BIO correction. Fixes connection losses. 2015-09-15 09:03:39 -04:00
Armin Novak
dfa7ac6434 Ensure output of crypto_base64_decode is NULL terminated. 2015-08-27 09:34:33 +02:00
Armin Novak
fc929fbc7f Using lowercase hostname for comparison now.
fixed argument mixup.
2015-07-13 15:52:06 +02:00
Armin Novak
ca7c34ff35 Fixed comparison bug, cleanup and error handling. 2015-07-13 14:16:04 +02:00
Bernhard Miklautz
798df32fd9 Integrate pull request feedback
* unify fwrite usage - set nmemb to 1 and the size to the size to write.
2015-07-01 12:22:32 +02:00
Bernhard Miklautz
1cee185e3c hardening: check fread and fwrite return values 2015-06-26 20:38:30 +02:00
Norbert Federa
20878e50fe Merge pull request #2724 from bmiklautz/leak_fix
Fix leaks in certificate and identity handling
2015-06-26 15:30:00 +02:00
Armin Novak
6698e24228 Fixed leaks, NULL dereferences and broken init. 2015-06-23 21:29:21 +02:00
Bernhard Miklautz
2e87d0ee52 Fix leaks in certificate and identity handling 2015-06-23 15:40:37 +02:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Vic Lee
2e11eac79a Merge pull request #2675 from akallabeth/path_make_path
Added PathMakePath function.
2015-06-18 02:43:47 +00:00
Armin Novak
b43c9f9060 Renamed file to known_hosts2. 2015-06-12 09:30:01 +02:00
Armin Novak
9dd9c35cee Updated tests. 2015-06-11 11:34:36 +02:00
Armin Novak
3dda4eb0cf Added NULL pointer checks, fixed warnings. 2015-06-11 11:34:22 +02:00
Armin Novak
7fc1c65165 Added subject and issuer to saved data.
When a certificate has changed, display not only the
fingerprint but also subject and issuer of old certificate.
2015-06-11 11:21:23 +02:00
Armin Novak
7786cf1376 Fixed fingerprint comparison, return value was inverted. 2015-06-11 09:59:04 +02:00
Armin Novak
90d836193c Fixed formatting. 2015-06-11 09:58:58 +02:00
Armin Novak
3d27055539 Added test for fingerprint read. 2015-06-11 09:24:55 +02:00
Armin Novak
b983d8e595 Fixed data replace. 2015-06-11 09:24:53 +02:00
Armin Novak
acc96388a5 Added certificate_get_fingerprint function to read out old one. 2015-06-11 09:14:15 +02:00
Armin Novak
2204df97f8 Added port to certificate warnings. 2015-06-10 10:59:40 +02:00
Armin Novak
ef0b9abf15 Using binary mode for fopen. 2015-06-10 10:47:59 +02:00
Armin Novak
ebad760aff Opening correct file. 2015-06-10 10:40:01 +02:00
Armin Novak
f4843e8ab3 Opening file on use now. 2015-06-10 10:34:02 +02:00
Armin Novak
05755b73ad Working unit test for known_hosts functions. 2015-06-10 09:15:38 +02:00
Armin Novak
98fc5b6e93 Fixed bugs found due to test. 2015-06-10 09:15:28 +02:00
Armin Novak
991fc39a62 Added unit test. 2015-06-09 18:03:32 +02:00
Armin Novak
6192230737 Added legacy known_hosts support.
If no entry for the <host> <port> combination
was found in the v2 file and there is a legacy file
check if a matching <host> entry can be found.
In case there is a matching entry and the <fingerprint>
also matches, create a new entry in the v2 file using the
current port.
2015-06-09 16:12:41 +02:00
Armin Novak
6da4a5aaf0 Using '<host> <port> <fp>' format for known hosts. 2015-06-09 15:33:13 +02:00
Armin Novak
7403cdc60c Added PathMakePath function. 2015-06-09 13:16:28 +02:00
Norbert Federa
1eff1a345e free can handle NULL perfectly fine 2015-05-11 09:07:39 +02:00
Norbert Federa
f9f59cd29b Fix unchecked CreateDirectory calls 2015-05-07 13:28:13 +02:00
David FORT
c03bf75896 Take in account @nfedera's comments 2015-04-07 21:06:53 +02:00
David FORT
8685a8e0a2 Fixed missing return value 2015-04-01 14:24:37 +02:00
David FORT
9bb4d64608 Correctly handle HMAC_Init_ex() for older versions of OpenSSL 2015-04-01 14:12:08 +02:00
David FORT
0eb399a717 Treat return values for security.c
This patch make functions in security.c return values when they should instead of
beeing void. And it also fix the callers of these functions.
2015-04-01 11:11:37 +02:00
Marc-André Moreau
ad6723835b Merge pull request #2505 from bmiklautz/tls_shutdown
rename and update tls_disconnect
2015-03-31 09:26:30 -04:00
Norbert Federa
1ba681fecc crypto: support MSFT iOS clients with faulty SNI
Microsoft iOS Remote Desktop Clients eventually send NULL-terminated
hostnames in SNI which is not allowed in the OpenSSL implementation.

Since we're not using SNI this commit adds an OpenSSL TLS extension
debug callback which modifies the SSL context in a way preventing it
from parsing this extension
2015-03-30 13:48:51 +02:00
Bernhard Miklautz
90968e07e1 rename and update tls_disconnect
tls_disconnect shut down the ssl stream but didn't inform
the BIO(s) about this therefore could happen that a second shut down
was initiated (e.g. in bio_rdp_tls_free) causing rather long delays.

After removing the shut down from tls_disconnect the only thing the
function does is to prepare/send an alert therefore it was renamed to
tls_send_alert.
2015-03-30 11:56:09 +02:00
Vic Lee
5f375d0a6f tls: revert checking SSL_ERROR_SYSCALL which may cause deadlock. 2015-03-25 16:07:39 +08:00
Martin Fleisz
5fa777b11c Merge pull request #2482 from llyzs/llyzs
tls: fix error handling of no error code.
2015-03-23 16:06:12 +01:00
Vic Lee
2137ccc3db tls: retry for all SSL_ERROR_SYSCALL errors. 2015-03-20 10:03:30 +08:00
Marc-André Moreau
dc913d9f2c libfreerdp-core: fix some RDG valgrind issues 2015-03-17 16:09:17 -04:00
Jason Plum
6ce5991e74 libfreerdp: crypto: add certificate chain validation! 2015-03-13 13:50:54 -04:00
Marc-André Moreau
5ab34dfa3e Merge pull request #2456 from zhangzl2013/fix-realloc
Fix incorrect usage of realloc
2015-03-12 07:33:27 -04:00
Bernhard Miklautz
6072165fd7 crypto: use PEM as certificate store file format
Currently the certificate format expected in FreeRDPs certificate store
is DER (ASN1). On most linux/unix systems the system certificate store
default format is PEM. Which is also the more common format used by CAs
to distribute their certificates.

Changing the default format to PEM allows the usage of system
certificates or published CA certificates without the need to convert them.

This fixes a part of issue #2446.
2015-03-11 12:06:52 +01:00
Zhang Zhaolong
4205dac57f crypto: fix incorrect usage of realloc.
Signed-off-by: Zhang Zhaolong <zhangzl2013@126.com>
2015-03-11 12:37:35 +08:00
Jason Plum
30f28d4ac9 Fix case sensitive hostname comparison in tls
To do this I've swapped _strnicmp with memcmp. Seemless, but does lock it to the restrictions of that function.

Signed-off-by: Jason Plum <jplum@archlinuxarm.org>
2015-03-10 16:48:35 -04:00
Marc-André Moreau
44d06888bb libfreerdp-core: fix BIO leaks 2015-02-18 15:36:57 -05:00
Marc-André Moreau
e241330daf libfreerdp-core: rewrite tls_write_all to use front BIO only 2015-02-13 16:02:37 -05:00
Marc-André Moreau
b7a619ff8a libfreerdp-core: move some rdpTcp operations under BIO layer 2015-02-13 14:26:02 -05:00
Marc-André Moreau
fa06c4d401 libfreerdp-core: improve reconnection 2015-02-06 14:21:26 -05:00
Marc-André Moreau
82d58086db xfreerdp: partial reconnect fixes 2015-02-05 17:01:56 -05:00
Marc-André Moreau
81e190eccb libfreerdp-crypto: fix tls_write_all ringbuffer usage 2015-01-14 13:25:54 -05:00
Marc-André Moreau
98cd697cad libfreerdp-utils: add ringbuffer debug output 2015-01-14 13:15:57 -05:00
Bernhard Miklautz
f338e1f6c3 crypto: revert pull request #2130
The fix in #2130 eliminates the problem when connecting over a gateway
but introduces other problems server side and client side (client/server
can't detect anymore when a TCP connection was closed).
2014-11-26 19:46:32 +01:00
Marc-André Moreau
ddedc574f3 freerdp: remove tcp, uds utils 2014-11-12 14:06:34 -05:00
Marc-André Moreau
2de73e0243 Merge pull request #2130 from eosrei/2056/ts-gateway-connect-fail
Removing TS Gateway breaking BIO_clear_flags() call
2014-10-25 11:52:29 -04:00
Marc-André Moreau
ce7302a999 wfreerdp: cleanup clipboard 2014-10-22 22:32:55 -04:00
Brad
0746d8c14c Do not BIO_clear_flags() when the SSL error is not valid to fix #2056 2014-10-08 00:00:36 -07:00
Marc-André Moreau
d102e746c8 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP
Conflicts:
	libfreerdp/core/license.c
	libfreerdp/core/nego.c
	winpr/libwinpr/synch/wait.c
2014-09-19 14:38:25 -04:00
Mike McDonald
50cf0ee915 Modified per_read_integer to handle a length of 0 (which is seen when older RDP clients connect to the FreeRDP server) 2014-09-16 23:15:34 -04:00
Armin Novak
17fa410785 Fixed compiler warning. 2014-09-15 08:48:46 +02:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Bernhard Miklautz
0313ca3622 libfreerdp: always build "MONOLITHIC"
"libfreerdp" consisted of multiple (small) single libraries. If the cmake
option MONOLITHIC was used only one library was build combining all of
the libfreerdp-* libraries.
The only exceptions to this are libfreerdp-server and libfreerdp-client these
are build as separate libraries.

This commit obsoltes non-monolithic builds and makes monolithic builds
the default. The cmake option MONOLITHIC is also removed.
2014-09-12 00:19:53 +02:00
Marc-André Moreau
1a8c763309 Merge branch 'shadow' of github.com:awakecoding/FreeRDP 2014-08-18 17:06:13 -04:00
Bernhard Miklautz
e5e1a75c35 crypto: fix fingerprint
Latest logging changes introduced a problem with fingerprint generation.
The last byte wasn't added.
2014-08-12 15:40:53 +02:00
Marc-André Moreau
e4a4aa4d3a Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow
Conflicts:
	channels/encomsp/client/encomsp_main.c
	libfreerdp/core/tcp.c
	libfreerdp/crypto/certificate.c
	server/Windows/CMakeLists.txt
	server/X11/xf_cursor.c
	server/X11/xf_input.c
	server/X11/xf_interface.c
	server/X11/xf_monitors.c
	server/X11/xf_peer.c
2014-08-11 19:22:33 -04:00
Armin Novak
f00cb3d25c Reverted previous replacements, not to be done for tests. 2014-08-07 19:05:22 +02:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Marc-André Moreau
3895c930a3 Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow 2014-08-05 09:56:12 -04:00
Norbert Federa
cdcdec99bc OpenSSL thread safety
freerdp/winpr had the following issues:
* The non reentrant SSL_library_init() was called concurrently (crash)
* Missing code/api to set the eventually required OpenSSL static and dynamic locking callbacks
* Missing code/api to free the application-global or thread-local OpenSSL data and tables

This commit creates two new winpr functions:

BOOL winpr_InitializeSSL(DWORD flags):

Use the flag WINPR_SSL_INIT_ALREADY_INITIALIZED if you want to tell winpr that
your application has already initialized OpenSSL.
If required use the flag WINPR_SSL_INIT_ENABLE_LOCKING to tell winpr that it
should set the OpenSSL static and dynamic locking callbacks.
Otherwise just call it with the flag WINPR_SSL_INIT_DEFAULT.

The recommended way is that your application calls this function once before
any threads are created. However, in order to support lazy OpenSSL library
initialization winpr_InitializeSSL() can also safely be called multiple times
and concurrently because it uses the new InitOnceExecuteOnce() function to
guarantee that the initialization is only performed successfully once during
the life time of the calling process.

BOOL winpr_CleanupSSL(DWORD flags):

If you create a thread that uses SSL you should call this function before the
thread returns using the flag WINPR_SSL_CLEANUP_THREAD in order to clean up
the thread-local OpenSSL data and tables.
Call the function with the flag WINPR_SSL_CLEANUP_GLOBAL before terminating
your application.

Note: This commit only replaced the current occurences of the
SSL_load_error_strings(); SSL_library_init(); pairs in the freerdp source
with winpr_InitializeSSL(). None of the server or client applications has been
changed according to the recommended usage described above (TBDL).
2014-07-28 21:55:57 +02:00
Marc-André Moreau
d8b858811f shadow: initial windows server-side connectivity 2014-07-17 21:15:22 -04:00
Daniel Bungert
625f7c3c22 Add arguments for managing tls ciphers & netmon
This adds 2 arguments:
    /tls-ciphers                List of permitted openssl ciphers - see ciphers(1)
    /tls-ciphers-netmon         Use tls ciphers that netmon can parse

With KB2919355, client/server negotiate the use of
TLS cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
which works fine except that netmon can't parse it.
By adding commandline /tls-ciphers-netmon, we restrict
the available ciphers to a list that netmon can
deal with.  Also adds /tls-ciphers, which
accepts a string arg, for further customization.
2014-07-17 06:59:06 -06:00
Vic Lee
8df60ecbe4 tls: fix some error handling. 2014-07-15 11:36:35 +08:00
Armin Novak
ad3255354d Added WITH_LIBRARY_VERSIONING, allowing to build shared libraries without
SOVERSION information. (required by Android)
2014-07-11 11:53:58 +02:00
Hardening
3fce288c66 Fix unclean SSL disconnection
This patch prevent an infinite loop when the remote peer disconnect
the socket without cleanly closing the SSL connection.
2014-07-10 23:35:11 +02:00
Bernhard Miklautz
6a49bcfe40 winpr: always build "monolitic"
winpr is now always build as single library.
The build option MONOLITHIC_BUILD doesn't influence this behavior anymore.

The only exception is winpr-makecert-tool which is still build as extra
library.

This obsoletes complex_libraries for winpr.
2014-07-10 11:10:58 +02:00
Hardening
542811291c Use poll() instead of select() when available
select() has the major drawback that it cannot handle file descriptor
that are bigger than 1024. This patch makes use of poll() instead of
select() when poll() support is available.
2014-07-03 15:26:49 +02:00
Hardening
462a26c8c3 Don't leak cert in case of failure 2014-06-03 15:19:00 +02:00
Hardening
a607b4553d Fix certificate leak
There were a leak when doing TLS in server mode
2014-06-03 14:59:58 +02:00
Hardening
4f1b77408a Fix NLA authentication for server-side
This patch make copies of the server public key so that the NLA
authentication can be performed server-side.
2014-06-03 11:04:35 +02:00
Marc-André Moreau
04968b18c4 libfreerdp-core: replace all OpenSSL built-in BIOs by new full duplex BIOs 2014-06-01 21:37:20 -04:00
Marc-André Moreau
b1416af362 libfreerdp-core: add locks to disable full duplex BIOs (currently unsafe) 2014-05-30 14:53:10 -04:00
Marc-André Moreau
d2ad5f698b libfreerdp-core: fix VerifyX509Certificate to make distinction between gateway and direct connection 2014-05-30 14:36:18 -04:00
Benoît LeBlanc
f57c694a3b tls_prepare: suppressed a warning on Mac 2014-05-28 21:33:30 -04:00
Marc-André Moreau
c0ec800bfd freerdp: fix incorrect copyright headers 2014-05-22 15:56:47 -04:00
Hardening
2b1a27b9b6 Add .gitignore files for test generated files 2014-05-21 22:18:38 +02:00
Hardening
dd6d829550 Allow transport_write calls to be non-blocking
This big patch allows to have non-blocking writes. To achieve
this, it slightly changes the way transport is handled. The misc transport
layers are handled with OpenSSL BIOs. In the chain we insert a
bufferedBIO that will bufferize write calls that couldn't be honored.

For an access with Tls security the BIO chain would look like this:
  FreeRdp Code ===> SSL bio ===> buffered BIO ===> socket BIO

The buffered BIO will store bytes that couldn't be send because of
blocking write calls.

This patch also rework TSG so that it would look like this in the
case of SSL security with TSG:
                                         (TSG in)
                              > SSL BIO => buffered BIO ==> socket BIO
                             /
FreeRdp => SSL BIO => TSG BIO
                             \
                              > SSL BIO => buffered BIO ==> socket BIO
                                        (TSG out)

So from the FreeRDP point of view sending something is only BIO_writing
on the frontBio (last BIO on the left).
2014-05-21 17:42:31 +02:00
Hardening
c0087832ad Merge pull request #1839 from hardening/base64
Changes for base64
2014-05-20 11:17:47 +02:00
Hardening
729c24cedb Adds some support for valgrind helpers
This patch adds an option to compile freerdp in a valgrind compliant way.
The purpose is to ease memchecking when connecting with TLS. We mark bytes
retrieved from SSL_read() as plainly defined to prevent the undefined contamination.
With the patch and the option activated you get a single warning at connection
during the handshake, and nothing after.
2014-05-12 18:01:29 +02:00
Hardening
9f1d0201ec Changes for base64
This patch changes the prototype for decode_base64 so that the encode / decode
method are consistant (encode(BYTE *) => char* and decode(char*) => BYTE*).
It also does some improvements with unrolling loops so that end conditions are
tested only at the end.
The patch also adds some unitary tests.
Before the patch base64_decode() made valgrind complain about uninitialized
bits, after valgrind is happy and very quiet.
2014-05-11 22:49:10 +02:00
Hardening
50f1f0df6f Add some const modifiers
This allows these functions to be used with const buffers.
2014-05-09 22:36:50 +02:00
Vic Lee
02595df976 tls: WSAGetLastError should be used on Windows to check system socket error. 2014-04-29 23:05:30 +08:00
Vic Lee
c8848fe4c8 tls: do not kill the connection for non-fatal openssl error codes. 2014-04-29 21:48:11 +08:00
Bernhard Miklautz
b817e92e5e cmake: mark required libraries for export 2014-04-23 10:16:02 +02:00
Marc-André Moreau
94f2a52196 Merge branch 'master' of github.com:FreeRDP/FreeRDP 2014-04-14 14:17:37 -04:00
Hardening
1d1844aabd Treat OOM cases 2014-04-09 16:07:06 +02:00
Benoit LeBlanc
6f99f252d9 Fix windows compilation 2014-04-04 10:08:44 -04:00
Marc-André Moreau
feea87b42f libfreerdp-crypto: make distinction between TLS connection error and user cancellation 2014-04-01 16:23:27 -04:00
Hardening
ac7507ab8d Adds some check to treat OOM problems + RDP security fix
Malloc can fail so it will, this patch adds some check in some places
where malloc/strdup results were not checked.

This patch also contains a server side fix for RDP security (credit to nfedera).
The signature len was badly set in the GCC packet. And some other RDP security
oriented fixes are also there.
2014-03-25 23:13:08 +01:00
Marc-André Moreau
14b75d1b27 libfreerdp-core: fix build warnings and windows broken build 2014-03-25 15:19:52 -04:00
Benoît LeBlanc
3e1dfc6311 updated context error messages. utility macros for getting error code CLASS/TYPE 2014-03-21 13:45:43 -04:00
Benoît LeBlanc
d1b9565f51 Added context-specific error management.
Added error codes to replace connectErrorCode.
2014-03-20 18:19:54 -04:00
Benoît LeBlanc
557c082458 Merge branch 'master' of git://github.com/awakecoding/FreeRDP 2014-03-05 16:35:22 -05:00
Marc-André Moreau
951368a1ce Merge branch 'master' of github.com:FreeRDP/FreeRDP 2014-02-27 13:58:29 -05:00
Christian Hofstaedtler
5a74bd7bdb Fix assertion abort when no CN is present in certificate
Triggered by Windows Server 2012 Admin-Mode with MS-recommended AD CA
Certificate setup, which would cause the CN to be absent, and a single
subjectAltName to be present.
2014-02-14 15:25:48 +01:00
Marc-André Moreau
cdcd290c44 wfreerdp: fix most build warnings 2014-02-10 22:12:13 -05:00
Benoît LeBlanc
44e7d2f36c error handling in rpc and transport functions 2013-12-20 17:56:59 -05:00
Marc-André Moreau
51ad85e0ee libfreerdp-core: send Access Denied TLS alert when server-side NLA fails 2013-12-18 19:44:18 -05:00
Marc-André Moreau
9d745cc038 Merge branch 'master' of github.com:mrthebunny/FreeRDP 2013-12-11 12:22:33 -05:00
Marc-André Moreau
62199fc46a Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-12-10 11:54:03 -05:00
Benoît LeBlanc
8c1f836ac8 - SSL verification callback: send correct hostname and port
- Gateway Authentication callback.
- Handling “use same credentials”
2013-12-06 22:15:45 -05:00
Bernhard Miklautz
6763e059c3 tls: handle the case if endpoint has disconnected 2013-12-04 15:36:25 +01:00
Benoît LeBlanc
6a60f79e07 Merge branch 'master' of git://github.com/awakecoding/FreeRDP
# By Bernhard Miklautz (10) and others
# Via Marc-André Moreau (10) and Martin Fleisz (1)
* 'master' of git://github.com/awakecoding/FreeRDP: (32 commits)
  libfreerdp-crypto: add robustness checks for VerifyX509Certificate
  mfreerdp: fix possible crash on gdi termination
  channels/cliprdr: add callback for data request response
  channels/cliprdr: fix conflict with CLIPRDR_HEADER
  fix a gdi leak bug.
  channels/cliprdr: implement more of the callback interface
  channels/cliprdr: start implementing clean callback interface
  channels/rdpsnd: initial attempt at adding GSM610 support
  winpr-thread: fixed bugs in _CreateProcessExA
  ffmpeg-2 -- CodecID
  ffmpeg-2 -- dsp_mask
  ffmpeg-2 -- AVCODEC_MAX_AUDIO_FRAME_SIZE
  check return value.
  reformat coding styles.
  fix name length to copy.
  fix memory realloc size error.
  libfreerdp-crypto: don't report SSL_ERROR_SYSCALL with errno value 0 as error
  channels/rdpsnd: add wlog debug output
  android toolchain: support for ndk r9b
  android toolchain: fixed cmake syntax warning
  ...
2013-11-25 14:40:01 -05:00
Benoît LeBlanc
56c517170f Added hostname and port to callback function for SSL certification verification. 2013-11-25 14:30:43 -05:00
Marc-André Moreau
4987f2b0e1 libfreerdp-crypto: add robustness checks for VerifyX509Certificate 2013-11-25 12:08:58 -05:00
Marc-André Moreau
690a6b624d libfreerdp-crypto: don't report SSL_ERROR_SYSCALL with errno value 0 as error 2013-11-20 15:21:29 -05:00
Marc-André Moreau
b0369cf284 libfreerdp-core: add external certificate management, pass X509 PEM certificate through client callback 2013-11-18 13:54:33 -05:00
Armin Novak
6f43252c9a Fixed argument check in <tls_disconnect> 2013-11-14 10:09:40 +01:00
Marc-André Moreau
1fc2d780f7 libfreerdp-core: fix memory leaks reported by valgrind 2013-10-31 23:35:24 -04:00
Marc-André Moreau
55565e056c freerdp: export targets 2013-10-28 23:06:39 -04:00
Marc-André Moreau
8c4b1361d1 libfreerdp-core: merge with TSG TLS update 2013-10-28 20:20:18 -04:00
Dan Bungert
66ecabb647 Final cleanups - merge ready. 2013-10-28 16:59:02 -06:00
Dan Bungert
f02daaa2d5 More cleanups - remove LWD and all references. 2013-10-28 15:46:28 -06:00
Dan Bungert
cefcac3414 more debug 2013-10-25 15:29:46 -06:00
Dan Bungert
f13c8a0be7 Logging 2013-10-25 10:43:21 -06:00
Marc-André Moreau
b5dd670e73 libfreerdp-core: extend OpenSSL TSG BIO 2013-10-24 12:56:43 -06:00
Marc-André Moreau
bd6760bd13 libfreerdp-core: start implement TSG OpenSSL BIO 2013-10-24 12:56:43 -06:00
Marc-André Moreau
d30f66b1b7 Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-10-23 14:18:40 -04:00
Benoît LeBlanc
5bfca61261 setting pointers to NULL after freeing memory to avoid crashes.
gitignore: only top-level "external" folder is ignored.
2013-10-22 17:05:41 -04:00
Daryl Poe
076b8a84c2 commandline session reconnect 2013-10-22 09:14:29 -06:00
Benoît LeBlanc
801c1fe1d6 - Fixed crash in tls_read (unchecked null pointer)
- also check for empty string on username and password to launch authentication callback
2013-10-18 16:23:29 -04:00
Marc-André Moreau
3fe3cdf876 libfreerdp-core: extend OpenSSL TSG BIO 2013-10-11 15:27:22 -04:00
Marc-André Moreau
08eadc2ee3 libfreerdp-core: start implement TSG OpenSSL BIO 2013-10-11 06:12:50 -04:00
Marc-André Moreau
c058095251 libfreerdp-core: cleanup TS Gateway code 2013-10-11 05:07:33 -04:00
Armin Novak
ddab90ece4 Fixed alt_names free, now using cleanup function to wrap details. 2013-09-05 12:14:35 +02:00
Armin Novak
e5c138a5b9 Fixed various memory leaks, allocation size issues and API misuse
warnings shown by clang as well as some compiler warnings.
2013-09-05 12:14:34 +02:00
Armin Novak
a3b531c036 Fixed issues found with clang-analyzer 2013-09-05 12:14:33 +02:00
Armin Novak
1e2455fa4a Fixed various memory leaks and compiler warnings. 2013-09-05 12:14:33 +02:00
Armin Novak
e9be3e9500 Fixed coverity issue 1047607 2013-09-05 12:14:32 +02:00
Armin Novak
c7abfb8fa1 Fixed coverity issue 1047608 2013-09-05 12:14:32 +02:00
Armin Novak
0575197960 Fixed coverity issue 1047609 2013-09-05 12:14:32 +02:00
Daryl Poe
f71f179c28 fix per-device CAL licensing
(cherry picked from commit d6d0d81d08)
2013-08-26 09:37:48 +02:00
Marc-André Moreau
5f4f3af98a Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-07-04 20:33:00 -04:00
Marc-André Moreau
bc631c93a8 freerdp: separate GatewayUsageMethod from GatewayEnabled 2013-07-03 15:07:12 -04:00
Bernhard Miklautz
87e9a24b1e tls: updated certificate mismatch message
Added information to the message if the name found is an CN or an
alternative name. Also print a message if no CN was not found instead
of (null).
2013-07-01 19:21:57 +02:00
Marc-André Moreau
863b51f938 freerdp: merge with master 2013-06-28 12:50:24 -04:00
Chris
44f6f16953 Fixed a possible buffer overflow issue 2013-06-17 21:49:29 +02:00
Chris
cd548da226 Using the more efficient code for comparing host names 2013-06-17 21:26:35 +02:00
Chris
13466349bc 1) Add support for Wildcard Certificates
2) For Gateway connections compare against gateway host name instead of target host
2013-06-17 21:19:01 +02:00
Marc-André Moreau
e405fe2692 libfreerdp-crypto: create server directory for certificates 2013-06-06 16:45:19 -04:00
Marc-André Moreau
2bd6808432 freerdp: merge with master 2013-06-05 10:31:01 -04:00
Marc-André Moreau
6e0cbdddb1 Merge pull request #1261 from simon-engledew/master
Ber Encoding Issue
2013-06-03 16:41:29 -07:00
Hardening
f37cd53769 Fixed a memory leak with alternative names 2013-06-01 22:37:49 +02:00
Marc-André Moreau
2a08093e60 libfreerdp-crypto: fix openssl null pointer dereferencing in tls_accept 2013-05-30 19:44:58 -04:00
Simon Engledew
bceec08367 Finished merging missing changes from pull request #1257 (https://github.com/FreeRDP/FreeRDP/pull/1257 - commit 0dc22d5). Correctly report the length of ts_password_creds. 2013-05-22 14:29:33 +01:00
Marc-André Moreau
ac86310993 Merge pull request #1257 from simon-engledew/master
Ber Encoding Issue
2013-05-22 05:06:52 -07:00
Simon Engledew
0dc22d5a30 Fixed a range of BER boundary encoding bugs which would occur when any NLA packet hit the 127 character mark. Removed ber#get_content_length as it was not behaving deterministically. 2013-05-21 16:06:00 +01:00
Bernhard Miklautz
9e59fc905d client: print detected path to known_host file
Use detected path instead of hard coded for error messages
2013-05-21 15:48:27 +02:00
Marc-André Moreau
3c2687b7d6 libfreerdp-crypto: handle EAGAIN with TLS 2013-05-15 20:19:26 -04:00
Marc-André Moreau
367ebf32a3 freerdp: make use of stream macros to access members 2013-05-15 12:14:26 -04:00
Marc-André Moreau
fdf3ddcf9e freerdp: purge deprecated stream utils 2013-05-08 17:48:30 -04:00
Marc-André Moreau
5b92413843 freerdp: purge deprecated stream utils 2013-05-08 16:09:16 -04:00
Marc-André Moreau
51715636a5 freerdp: remove some deprecated stream utils 2013-04-29 22:35:15 -04:00
Marc-André Moreau
70dea34a90 Merge github.com:FreeRDP/FreeRDP 2013-04-29 13:59:24 -04:00
Marc-André Moreau
fae24b1ef9 xfreerdp-server: auto-generate self-signed certificate 2013-04-23 18:17:01 -04:00
Martin Fleisz
ce4e02ae48 iOS: Fixed possible crash on disconnect 2013-04-17 13:09:53 +02:00
Jason Mealins
e7b863d3f0 libfreerdp-crypto: add missing link libraries 2013-03-28 16:01:41 -07:00
Hardening
7701c9d934 Replace printf(...) by fprintf(stderr, ...) 2013-03-28 23:06:34 +01:00
Marc-André Moreau
e4e0b05784 libfreerdp-crypto: fix local directory creation 2013-03-27 20:10:18 -04:00
Marc-André Moreau
068f0de4d4 libfreerdp-utils: purge old file utils 2013-03-22 15:52:43 -04:00
Marc-André Moreau
edf6e7258d libwinpr-path: add path detection functions 2013-03-22 00:42:09 -04:00
Marc-André Moreau
8c8a82c31f libfreerdp-utils: purge old STREAM utils 2013-03-21 16:45:25 -04:00
Marc-André Moreau
a8201b0d1b libwinpr-utils: combine old and new stream utils 2013-03-21 15:19:33 -04:00
Marc-André Moreau
62eec0c2b5 libfreerdp-utils: rename internal members of STREAM to match new wStream 2013-03-21 15:01:46 -04:00
hardening
132d736cd9 Fixed skip_length() methods 2013-02-27 00:01:03 +01:00
Alexander Gottwald
026e9996d3 Issue #847: protocol deadlock in NLA
fix ber_get_content_length and der_get_content_length to work for values
around 0x80 and 0x100
Fix nego_token, auth_info and pub_key_auth content length calculation in
credssp_send to fix a lockup in NLA protocol.
2013-02-26 21:32:36 +01:00
Marc-André Moreau
edc2b1de9e xfreerdp-server: fix encoding 2013-02-17 11:03:35 -05:00
Marc-André Moreau
4269ac5c14 xfreerdp: improve asynchronicity 2013-02-09 17:13:53 -05:00
Marc-André Moreau
593a9030d3 libfreerdp-core: cleanup licensing RSA public key code 2013-02-05 10:02:06 -05:00
Marc-André Moreau
db331d64f7 libfreerdp-core: fix message queue ids, fix async glyph messages 2013-02-03 12:41:59 -05:00
Marc-André Moreau
44bb1059ea libfreerdp-crypto: replace Base64 implementation 2013-01-31 18:07:04 -05:00
Marc-André Moreau
51293f48e9 libfreerdp-crypto: fix build on windows 2013-01-31 16:36:56 -05:00
Marc-André Moreau
9c85f97137 libfreerdp-crypto: fix base64 encoding, fix TS Gateway HTTPS authentication 2013-01-31 16:11:37 -05:00
Marc-André Moreau
e1d0fad519 libfreerdp-core: fix memory leaks 2013-01-25 17:52:37 -05:00
david
4d01e2d4fe Allow to read ber integers with fancy size when the result is ignored 2013-01-20 21:30:17 +01:00
Marc-André Moreau
d8875ae3e7 libfreerdp-core: fix windows build 2013-01-19 22:00:09 -05:00
david
ea43348ba3 Allow ignoring an 8 bytes integer 2013-01-19 23:32:04 +01:00
Marc-André Moreau
3d77d5a497 freerdp: merging with master 2013-01-14 13:50:16 -05:00
ArvidNorr
cea442f24e login and synchronize fix 2013-01-14 01:13:29 -08:00
rdp.effort
376731315b Checks stream size when reading in BER format 2013-01-11 01:11:03 +01:00
Marc-André Moreau
0fbf846671 libwinpr-sspi: NTLM extended protection cleanup 2013-01-10 11:19:57 -05:00
Marc-André Moreau
1d893ed268 libwinpr-sspi: add support for NTLMv2 Channel Binding Token (CBT) 2013-01-09 00:20:08 -05:00
Vic Lee
ed5ad30d4f libfreerdp-core/transport: select sockfd instead of sleep when blocking. 2012-12-21 16:24:26 +08:00
Marc-André Moreau
387a152299 libfreerdp-core: TSG reassembly refactoring 2012-12-12 15:55:42 -05:00
Marc-André Moreau
12f0afd1e0 libfreerdp-core: fix TSG socket blocking mode 2012-11-27 18:34:00 -05:00
Marc-André Moreau
5fb6312a1f Merge github.com:FreeRDP/FreeRDP 2012-11-25 15:29:40 -05:00
Marc-André Moreau
84f358d3ce Merge pull request #812 from bmiklautz/versioning
build: fixed library versioning
2012-11-25 12:29:29 -08:00
Marc-André Moreau
6b2db2d103 macosx: update client 2012-11-22 15:32:21 -05:00
Marc-André Moreau
f6748dba3f wfreerdp: update client 2012-11-22 09:06:45 -05:00