akallabeth
02c5ec66e5
Fixed possible integer overflow in crypto_rsa_common
...
Thanks @anticomputer for pointing this out
2020-06-22 12:09:36 +02:00
akallabeth
d936402878
Fixed GHSL-2020-102 heap overflow
2020-05-20 15:10:07 +02:00
akallabeth
6a2785e359
Abort on first possible certificate validation error
...
Only retry certificate validation if the purpose was wrong.
2020-05-20 14:48:15 +02:00
akallabeth
7890833af8
Replaced strtok with strtok_s
2020-05-18 11:39:22 +02:00
akallabeth
5cfc3e8593
Fixed #6148 : multiple ceritificate purposes
...
OpenSSL certificate verification can only check a single purpose.
Run the checks with all allowed purposes and accept any.
2020-05-12 15:36:48 +02:00
akallabeth
095d24934c
Fixed #6122 : Allow SSL server and client purpose
2020-04-25 08:06:00 +02:00
akallabeth
b094d52d0b
Fixed #6099 : Add a flag for legacy hash entries
...
If a legacy entry is found in certificate hash store print
additional information to the user informing about the change
with FreeRDP 2.0
2020-04-22 18:14:39 +02:00
Linus Heckemann
89e4e24c31
tls: support non-RSA keys
2020-04-10 17:57:34 +02:00
Armin Novak
5b9b7f331b
Fixed memory leak in tls_get_channel_bindings
2020-03-06 11:37:35 +01:00
Armin Novak
9c999b7135
Added raw function wrapping X509_digest
2020-03-06 11:37:35 +01:00
Armin Novak
2be6e4117f
Let ssl backend handle hash checks.
2020-03-06 11:37:35 +01:00
Armin Novak
00fa84b514
Check cert against CertificateAcceptedFingerprints
...
CertificateAcceptedFingerprints may contain a list of certificate
hashes and the corresponding fingerprint.
If one of the hashes matches consider the certificate accepted.
2020-03-06 11:37:35 +01:00
Armin Novak
ac4bb3c103
End connection before user callbacks if aborted.
...
If somewhere in freerdp_connect freerdp_abort_connect was called
the user callbacks Authenticate, GatewayAuthenticate and
Verify[Changed|X509]Certificate[Ex] must not be called.
2020-02-19 16:44:42 +01:00
Armin Novak
7c243da6e1
Remove symbols exported by accident.
2019-12-02 10:57:31 +01:00
Armin Novak
72ca88f49c
Reformatted to new style
2019-11-07 10:53:54 +01:00
Armin Novak
d7877186d6
Fixed strnlen issues.
2019-11-05 14:55:33 +01:00
Armin Novak
993b79f1bd
Removed strcpy use.
2019-10-29 11:58:43 +01:00
Armin Novak
f01e042211
Code cleanups (strlen, casts, size_t, ...)
2019-10-29 11:58:43 +01:00
asapelkin
82eadad4a4
Fix some static analizer warnings
2019-10-22 15:39:54 +02:00
Armin Novak
2f2ca9d93b
Fixed leak in verify_cb.
2019-10-04 16:19:23 +02:00
Armin Novak
2778cbce8c
Fixed type of sk_* macro.
2019-08-22 10:40:25 +02:00
Armin Novak
36c820a9d9
Extract whole certificate chain to PEM format.
2019-07-17 14:42:32 +02:00
Armin Novak
0c17c3871b
Pass on cert validation failure, set freerdp error in all use cases.
2019-07-15 15:51:46 +02:00
Armin Novak
ca4a1d19a5
Silenced some unused parameter warnings.
2019-05-08 12:21:31 +02:00
Armin Novak
29c920c568
Fixed review remarks.
2019-04-05 09:14:35 +02:00
Armin Novak
1da57d0b7e
Fixed sign-compare warnings
2019-04-05 09:13:24 +02:00
cerg2010cerg2010
7abc86ffae
Close file handle correctly. ( #5310 )
2019-03-18 14:57:00 +01:00
Armin Novak
4ad0770a7e
Silenced function pointer cast warnings for BIO_callback_ctrl
2019-02-21 13:53:51 +01:00
David Fort
05d9d89796
Merge pull request #5149 from akallabeth/cert_deny
...
New option to disable user certificate dialog
2019-01-25 16:59:33 +01:00
Armin Novak
0c83efa753
Fix #5170 : Disable custom TLS alert for libressl > 2.8.3
2019-01-07 14:20:16 +01:00
Simon Legner
ff375d238b
fix(crypto/tls): typo
2019-01-02 08:18:07 +01:00
Armin Novak
b60045af27
New option to disable user certificate dialog
...
The new option +cert-deny aborts a connection automatically if
the certificate can not be validated by OpenSSL or via known hosts.
2018-12-14 10:17:52 +01:00
Armin Novak
6906efa354
Fixed return value for already accepted certificate.
2018-12-14 09:52:25 +01:00
Armin Novak
d2ac7acdd9
Fixed certificate accept
...
certificate_data_replace can only replace an existing entry,
use certificate_data_print for new ones.
2018-12-10 12:03:55 +01:00
Armin Novak
d05217454f
Fix #5115 : Cast PEM data from BYTE* to char* to silence warnings.
2018-12-07 12:36:18 +01:00
Armin Novak
0aaf14bed7
Fixe accidental removal of certificate_data_replace
2018-12-06 09:39:50 +01:00
Armin Novak
b27470405c
Duplicate PEM when accepted.
2018-12-04 09:35:24 +01:00
Armin Novak
e04c319d21
Added new default certificate callbacks with extended information.
...
The extended information provided by VerifyCertificateEx and
VerifyChangedCertificateEx is now exploited by the new functions
client_cli_verify_certificate_ex and client_cli_verify_changed_certificate_ex.
The old callbacks now print out deprecation warnings to inform the
user and developer about this deprecation.
2018-12-04 09:35:24 +01:00
Armin Novak
a8823fdf95
Cleaned up certificate verification code.
2018-12-04 09:35:24 +01:00
Armin Novak
7ab07ab980
Added certificate callbacks with source indications.
2018-12-04 09:35:24 +01:00
Armin Novak
dd3276d664
Prefer VerifyX509Certificate and fixed const arguments
...
If VerifyX509Certificate is set use it also when doing internal
certificate management. Added flags to ensure it is possible to
find out which type of connection is being made.
2018-12-04 09:35:24 +01:00
Armin Novak
d27cd1b19e
Fixed unit tests, use uniqe file names
2018-12-04 08:45:41 +01:00
Armin Novak
f3e1ffb121
Fix #4764 : Second try, use X509_STORE_CTX_set_purpose
2018-11-28 12:08:42 +01:00
Armin Novak
77744200a8
Fix #4768 : Set SSL verify purpose to ANY
...
Should actually be SSL server but since we allowed broken
purpose up until now keep that for the 2.0 series.
2018-11-26 11:58:29 +01:00
akallabeth
effa8b8562
Fix #5049 : Libressl declares OPENSSL_VERSION_NUMBER too high
...
Need to check specifically for LIBRESSL_VERSION_NUMBER as they
set the version higher than OpenSSL 1.1 but without API support.
2018-11-22 19:10:05 +01:00
Armin Novak
649f49fa61
Fix #5049 : LibreSSL does not have SSL_CTX_set_security_level
2018-11-22 09:23:46 +01:00
Martin Fleisz
947aa80033
Merge pull request #5016 from akallabeth/windows_server_build_fix
...
Windows server build fix
2018-11-21 16:02:47 +01:00
Christian Gall
fffe4f077a
* remove obsolete SSLv23_client_method in tls_connect()
...
* set min TLS Version
2018-11-18 14:09:37 +00:00
Armin Novak
a2cd934184
Fixed windows build warnings.
2018-11-15 09:01:53 +01:00
Martin Fleisz
097ac0ee13
Merge pull request #4997 from akallabeth/use_bio_free_all
...
Replaced BIO_free with BIO_free_all
2018-11-12 13:55:36 +01:00
Armin Novak
5f4843191b
Replaced BIO_free with BIO_free_all
...
There is no point in using BIO_free with a custom recursion
to free up stacked BIOs if there is already BIO_free_all.
Using it consistently avoids memory leaks due to stacked BIOs
not being recursively freed.
2018-11-08 12:09:49 +01:00
Bernhard Miklautz
1222e7060b
new [crypto/tls]: add support to set tls security level
...
The newly introduced option /tls-seclevel can be used to set the tls
security level on systems with openssl >= 1.1.0 or libressl.
As default level 1 is used as higher levels might prohibit connections
to older systems.
2018-11-08 11:13:15 +01:00
Bernhard Miklautz
649404dd29
fix [libfreerdp/crypto]: memory leak in Test_x509_cert_info
2018-11-05 13:46:05 +01:00
Armin Novak
bdff1c96fd
Fixed use after free and leak.
2018-09-20 11:08:12 +02:00
Armin Novak
817f8e0d47
Fixed an issue introduced with #4822
...
The string prepared is not NULL terminated and the sources are of fixed sizes.
Use memcpy instead of print fucntions in this specific case.
2018-09-03 08:48:33 +02:00
Armin Novak
5bc3993e3f
Fixed buffer size and function name
2018-08-27 14:34:42 +02:00
Armin Novak
62c1696d4c
Removed use of unchecked sprintf
2018-08-27 14:34:42 +02:00
Armin Novak
114abad767
Removed use of strcpy.
2018-08-27 14:34:09 +02:00
akallabeth
9e3b48e0fb
Merge pull request #4829 from informatimago/smartcard-logon-rdp--x509-certificate-info-extraction
...
Smartcard Logon: restructured x509 certificate info extraction; added extracting the UPN.
2018-08-27 14:33:09 +02:00
Pascal J. Bourguignon
63d00f6f81
Corrected the compatibility function names: crypto_cert_subject_alt_name and crypto_cert_subject_alt_name_free.
2018-08-27 13:51:30 +02:00
Pascal J. Bourguignon
53692ffc57
Compute certificate_path from __FILE__ to adapt to changing compilation and test environments.
2018-08-24 16:04:29 +02:00
Pascal J. Bourguignon
79d2294a23
Put back deprecated function names crypto_cert_get_alt_names and crypto_cert_alt_names_free for FREERDP_API compatibility.
2018-08-24 15:20:03 +02:00
Pascal J. Bourguignon
98b8602663
Use C comment syntax instead of C++; added static declaration for local functions.
2018-08-24 15:05:50 +02:00
Pascal J. Bourguignon
469f9bf488
Smartcard Logon: restructured x509 certificate info extraction; added extracting the UPN.
2018-08-24 14:03:04 +02:00
Armin Novak
dab842cfb5
Fixed missing type casts.
2018-08-24 13:40:36 +02:00
Ondrej Holy
0b7d0c2002
crypto/tls: Prevent usage of freed pointer found by coverity
...
pass_freed_arg: Passing freed pointer "pemCert" as an argument to "WLog_PrintMessage".
2018-08-22 14:34:02 +02:00
Armin Novak
026ff00e7d
Fixed #4806 broken bounds check.
2018-08-21 09:08:33 +02:00
Armin Novak
3d6c41746d
Expose redirection flag for certificate.
2018-07-18 16:06:20 +02:00
Armin Novak
7ebc899516
Fixed PEM certificate reading.
2018-07-10 15:21:53 +02:00
Armin Novak
c9cebf6ed6
Remember accepted PEM cert to avoid unnecessary user input.
2018-07-10 11:27:58 +02:00
Armin Novak
9de99f15d4
Added comment support for known_hosts format.
2018-05-14 12:08:35 +02:00
Armin Novak
5765e9a422
Fixed #4476 : broken casts/variable sizes for custom BIO calls.
2018-05-03 12:30:40 +02:00
Martin Fleisz
296b19e172
Merge pull request #4596 from p-pautov/rdg_ssl_fixes
...
RDG related fixes for better compatibility with mstsc
2018-05-03 10:23:12 +02:00
akallabeth
2215071b23
Merge pull request #4576 from ccpp/bugfix-rdg-poll
...
Fix polling in RDG
2018-05-02 17:59:10 +02:00
Kyle Evans
f8c391876f
Pull in the LibreSSL compatibility patches from FreeBSD
2018-05-01 08:43:36 -05:00
Pavel Pautov
c60388954b
Remove some unused functions.
2018-04-25 18:36:16 -07:00
Pavel Pautov
32505fda13
Apply "authentication level" RDP property only to non-RDG connections (as mstsc does).
2018-04-25 18:12:23 -07:00
Pavel Pautov
3a8d721bb9
Don't use CertificateName setting for RDG connections.
2018-04-25 18:12:23 -07:00
Christian Plattner
8956898364
Revert useless part of the bugfix
...
This reverts commit 589d2ec62a
.
https://github.com/FreeRDP/FreeRDP/pull/4576#pullrequestreview-113378805
2018-04-24 16:20:42 +02:00
Christian Plattner
589d2ec62a
Fix timeout for polling (partly fixes #3602 )
2018-04-18 10:38:42 +02:00
Martin Fleisz
b8599b08f2
Merge pull request #4364 from akallabeth/gateway_refactor
...
Gateway refactor
2018-02-13 13:48:45 +01:00
Armin Novak
0fc19e5590
Functions static where appropriate.
2018-01-19 10:59:10 +01:00
Armin Novak
dc3d536398
Changed length arguments and return to size_t
2018-01-17 08:14:06 +01:00
Martin Fleisz
80a49f46dc
Merge pull request #4320 from ondrejholy/coverity-fixes
...
Coverity Scan fixes
2017-12-20 14:17:20 +01:00
Ondrej Holy
9f5d0d4c4d
crypto: Improve PER OID calculations
...
"(oid[0] << 4) & (oid[1] & 0x0F)" statement is always 0. It is not
problem currently because the only OID which is written by this
function should have 0 there. The function to read/write are pretty
limited anyway and can't work properly with all kind of OIDs. Maybe
it would be better to hardcode the OID there without decoding
and encoding. But those functions are already there so let's improve
them a bit according the spec and warn about limited set of
supported OIDs.
See:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb540809
2017-12-19 14:42:06 +01:00
Armin Novak
7305828122
Fix #4239 : Various memory leaks
...
* Fixed all tests, now can be run with -DWITH_ADDRESS_SANITIZER=ON compiled.
* Enabled address sanitizer for nightly builds.
2017-12-12 11:40:48 +01:00
Armin Novak
12a9b9a0b4
Fix #3890 : Point to OpenSSL doc for private CA
2017-11-21 11:47:33 +01:00
Brent Collins
d98b88642b
Add new command-line option to force xfreerdp into a fips compliant mode.
...
This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.
Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.
Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.
Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.
Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
2017-11-17 12:43:06 +01:00
Armin Novak
4eb5b8e349
Replaced atoi
2017-11-15 15:52:16 +01:00
Armin Novak
c301f2d56a
Fixed certificate check return.
2017-07-28 08:35:41 +02:00
Valery Kartel
9bf9ff9e8a
Fix build with LibreSSL
2017-07-26 17:12:14 +03:00
Armin Novak
8b9e3fa51e
Fixed use of reserved keywords for include guards.
2017-07-20 09:35:41 +02:00
Armin Novak
0490aeb018
Fixed clang malloc integer overflow warnings.
2017-07-20 09:29:48 +02:00
Ilya Shipitsin
a9ab65a935
resolve an issue found by cppcheck:
...
[libfreerdp/crypto/certificate.c:315] -> [libfreerdp/crypto/certificate.c:316]: (warning) Either the condition 'if(fingerprint&&fprint)' is redundant or there is possible null pointer dereference: fingerprint.
2017-06-01 00:05:51 +05:00
Armin Novak
4be62f7047
Fixed OpenSSL 1.1 no legacy compile issues.
2017-04-06 11:25:25 +02:00
Aric Belsito
70ab61c8e6
Support LibreSSL
...
Broken by the addition of OpenSSL 1.1.0 support.
2017-03-19 13:58:24 -07:00
Norbert Federa
f71b6b46e8
fix string format specifiers
...
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Norbert Federa
c6e6b44143
countless WLog/printf format specifier fixes
2016-11-25 17:06:25 +01:00
Norbert Federa
53bd98883e
winpr/crypt api changes and memory leak fixes
...
- winpr_HMAC_New() now just returnes the opaque WINPR_HMAC_CTX* pointer
which has to be passed to winpr_HMAC_Init() for (re)initialization
and since winpr_HMAC_Final() no more frees the context you always have to
use the new function winpr_HMAC_Free() once winpr_HMAC_New() has succeded
- winpr_Digest_New() now just returns the opaque WINPR_DIGEST_CTX* pointer
which has to be passed to winpr_Digest_Init() for (re)initialization
and since winpr_Digest_Final() no more frees the context you always have to
use the new function winpr_Digest_Free() once winpr_Digest_New() has succeded
2016-11-24 18:27:29 +01:00
Norbert Federa
7befab856c
Support for OpenSSL 1.1.0
2016-11-24 17:50:09 +01:00