Commit Graph

82 Commits

Author SHA1 Message Date
Armin Novak
a8823fdf95 Cleaned up certificate verification code. 2018-12-04 09:35:24 +01:00
Armin Novak
dd3276d664 Prefer VerifyX509Certificate and fixed const arguments
If VerifyX509Certificate is set use it also when doing internal
certificate management. Added flags to ensure it is possible to
find out which type of connection is being made.
2018-12-04 09:35:24 +01:00
Pascal J. Bourguignon
63d00f6f81 Corrected the compatibility function names: crypto_cert_subject_alt_name and crypto_cert_subject_alt_name_free. 2018-08-27 13:51:30 +02:00
Pascal J. Bourguignon
79d2294a23 Put back deprecated function names crypto_cert_get_alt_names and crypto_cert_alt_names_free for FREERDP_API compatibility. 2018-08-24 15:20:03 +02:00
Pascal J. Bourguignon
469f9bf488 Smartcard Logon: restructured x509 certificate info extraction; added extracting the UPN. 2018-08-24 14:03:04 +02:00
Armin Novak
c9cebf6ed6 Remember accepted PEM cert to avoid unnecessary user input. 2018-07-10 11:27:58 +02:00
Armin Novak
dc3d536398 Changed length arguments and return to size_t 2018-01-17 08:14:06 +01:00
Norbert Federa
7befab856c Support for OpenSSL 1.1.0 2016-11-24 17:50:09 +01:00
Armin Novak
238ff3b315 Unified encryption functions. 2016-02-27 23:28:49 +01:00
Armin Novak
5805ba8e52 Removed crypto_nonce. 2016-02-27 22:40:43 +01:00
Armin Novak
f997421098 Unified hmac functions. 2016-02-24 21:50:08 +01:00
Armin Novak
ada2b16c50 Unified RC4 functions. 2016-02-24 17:04:03 +01:00
Armin Novak
06da644007 Unified md5 functions. 2016-02-24 16:46:25 +01:00
Armin Novak
0e4ea3943a Unified sha1 functions. 2016-02-24 16:36:15 +01:00
davewheel
d5b8585a39 Allow to specify the raw content of crypto materials
Sometime it's possible that your server application doesn't have access to files
(when running in a very restricted environment for example). This patch allows
to ship the private key and certificate as a string.

Sponsored by: Wheel Systems (http://www.wheelsystems.com)
2016-01-21 11:27:06 +01:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Armin Novak
7fc1c65165 Added subject and issuer to saved data.
When a certificate has changed, display not only the
fingerprint but also subject and issuer of old certificate.
2015-06-11 11:21:23 +02:00
Armin Novak
acc96388a5 Added certificate_get_fingerprint function to read out old one. 2015-06-11 09:14:15 +02:00
Armin Novak
2204df97f8 Added port to certificate warnings. 2015-06-10 10:59:40 +02:00
Armin Novak
f4843e8ab3 Opening file on use now. 2015-06-10 10:34:02 +02:00
Armin Novak
6192230737 Added legacy known_hosts support.
If no entry for the <host> <port> combination
was found in the v2 file and there is a legacy file
check if a matching <host> entry can be found.
In case there is a matching entry and the <fingerprint>
also matches, create a new entry in the v2 file using the
current port.
2015-06-09 16:12:41 +02:00
Armin Novak
6da4a5aaf0 Using '<host> <port> <fp>' format for known hosts. 2015-06-09 15:33:13 +02:00
David FORT
0eb399a717 Treat return values for security.c
This patch make functions in security.c return values when they should instead of
beeing void. And it also fix the callers of these functions.
2015-04-01 11:11:37 +02:00
Bernhard Miklautz
90968e07e1 rename and update tls_disconnect
tls_disconnect shut down the ssl stream but didn't inform
the BIO(s) about this therefore could happen that a second shut down
was initiated (e.g. in bio_rdp_tls_free) causing rather long delays.

After removing the shut down from tls_disconnect the only thing the
function does is to prepare/send an alert therefore it was renamed to
tls_send_alert.
2015-03-30 11:56:09 +02:00
Jason Plum
6ce5991e74 libfreerdp: crypto: add certificate chain validation! 2015-03-13 13:50:54 -04:00
Bernhard Miklautz
a371723c4f build: fix compiler warnings
warning: redundant redeclaration
Tested with: 4.7.2 and 3.5.0-1~exp1
2015-03-03 19:36:54 +01:00
Marc-André Moreau
44d06888bb libfreerdp-core: fix BIO leaks 2015-02-18 15:36:57 -05:00
Armin Novak
e6fa0911a3 Fixed missing extern C 2014-12-01 13:12:51 +01:00
Hardening
0ce300125b Drop unused field 2014-06-03 11:04:12 +02:00
Marc-André Moreau
d2ad5f698b libfreerdp-core: fix VerifyX509Certificate to make distinction between gateway and direct connection 2014-05-30 14:36:18 -04:00
Hardening
dd6d829550 Allow transport_write calls to be non-blocking
This big patch allows to have non-blocking writes. To achieve
this, it slightly changes the way transport is handled. The misc transport
layers are handled with OpenSSL BIOs. In the chain we insert a
bufferedBIO that will bufferize write calls that couldn't be honored.

For an access with Tls security the BIO chain would look like this:
  FreeRdp Code ===> SSL bio ===> buffered BIO ===> socket BIO

The buffered BIO will store bytes that couldn't be send because of
blocking write calls.

This patch also rework TSG so that it would look like this in the
case of SSL security with TSG:
                                         (TSG in)
                              > SSL BIO => buffered BIO ==> socket BIO
                             /
FreeRdp => SSL BIO => TSG BIO
                             \
                              > SSL BIO => buffered BIO ==> socket BIO
                                        (TSG out)

So from the FreeRDP point of view sending something is only BIO_writing
on the frontBio (last BIO on the left).
2014-05-21 17:42:31 +02:00
Hardening
9f1d0201ec Changes for base64
This patch changes the prototype for decode_base64 so that the encode / decode
method are consistant (encode(BYTE *) => char* and decode(char*) => BYTE*).
It also does some improvements with unrolling loops so that end conditions are
tested only at the end.
The patch also adds some unitary tests.
Before the patch base64_decode() made valgrind complain about uninitialized
bits, after valgrind is happy and very quiet.
2014-05-11 22:49:10 +02:00
Hardening
50f1f0df6f Add some const modifiers
This allows these functions to be used with const buffers.
2014-05-09 22:36:50 +02:00
Marc-André Moreau
42a88b93dd libfreerdp-crypto: fix tls_verify_certificate declaration 2014-04-01 21:17:44 -04:00
Marc-André Moreau
feea87b42f libfreerdp-crypto: make distinction between TLS connection error and user cancellation 2014-04-01 16:23:27 -04:00
Marc-André Moreau
51ad85e0ee libfreerdp-core: send Access Denied TLS alert when server-side NLA fails 2013-12-18 19:44:18 -05:00
Benoît LeBlanc
8c1f836ac8 - SSL verification callback: send correct hostname and port
- Gateway Authentication callback.
- Handling “use same credentials”
2013-12-06 22:15:45 -05:00
Benoît LeBlanc
56c517170f Added hostname and port to callback function for SSL certification verification. 2013-11-25 14:30:43 -05:00
Marc-André Moreau
1fc2d780f7 libfreerdp-core: fix memory leaks reported by valgrind 2013-10-31 23:35:24 -04:00
Marc-André Moreau
d30f66b1b7 Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-10-23 14:18:40 -04:00
Daryl Poe
076b8a84c2 commandline session reconnect 2013-10-22 09:14:29 -06:00
Marc-André Moreau
08eadc2ee3 libfreerdp-core: start implement TSG OpenSSL BIO 2013-10-11 06:12:50 -04:00
Armin Novak
ddab90ece4 Fixed alt_names free, now using cleanup function to wrap details. 2013-09-05 12:14:35 +02:00
Daryl Poe
f71f179c28 fix per-device CAL licensing
(cherry picked from commit d6d0d81d08)
2013-08-26 09:37:48 +02:00
Chris
13466349bc 1) Add support for Wildcard Certificates
2) For Gateway connections compare against gateway host name instead of target host
2013-06-17 21:19:01 +02:00
Marc-André Moreau
ac86310993 Merge pull request #1257 from simon-engledew/master
Ber Encoding Issue
2013-05-22 05:06:52 -07:00
Simon Engledew
0dc22d5a30 Fixed a range of BER boundary encoding bugs which would occur when any NLA packet hit the 127 character mark. Removed ber#get_content_length as it was not behaving deterministically. 2013-05-21 16:06:00 +01:00
Bernhard Miklautz
9e59fc905d client: print detected path to known_host file
Use detected path instead of hard coded for error messages
2013-05-21 15:48:27 +02:00
Marc-André Moreau
8c8a82c31f libfreerdp-utils: purge old STREAM utils 2013-03-21 16:45:25 -04:00
Marc-André Moreau
a8201b0d1b libwinpr-utils: combine old and new stream utils 2013-03-21 15:19:33 -04:00