Commit Graph

97 Commits

Author SHA1 Message Date
Brad
0746d8c14c Do not BIO_clear_flags() when the SSL error is not valid to fix #2056 2014-10-08 00:00:36 -07:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Marc-André Moreau
e4a4aa4d3a Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow
Conflicts:
	channels/encomsp/client/encomsp_main.c
	libfreerdp/core/tcp.c
	libfreerdp/crypto/certificate.c
	server/Windows/CMakeLists.txt
	server/X11/xf_cursor.c
	server/X11/xf_input.c
	server/X11/xf_interface.c
	server/X11/xf_monitors.c
	server/X11/xf_peer.c
2014-08-11 19:22:33 -04:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Marc-André Moreau
3895c930a3 Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow 2014-08-05 09:56:12 -04:00
Norbert Federa
cdcdec99bc OpenSSL thread safety
freerdp/winpr had the following issues:
* The non reentrant SSL_library_init() was called concurrently (crash)
* Missing code/api to set the eventually required OpenSSL static and dynamic locking callbacks
* Missing code/api to free the application-global or thread-local OpenSSL data and tables

This commit creates two new winpr functions:

BOOL winpr_InitializeSSL(DWORD flags):

Use the flag WINPR_SSL_INIT_ALREADY_INITIALIZED if you want to tell winpr that
your application has already initialized OpenSSL.
If required use the flag WINPR_SSL_INIT_ENABLE_LOCKING to tell winpr that it
should set the OpenSSL static and dynamic locking callbacks.
Otherwise just call it with the flag WINPR_SSL_INIT_DEFAULT.

The recommended way is that your application calls this function once before
any threads are created. However, in order to support lazy OpenSSL library
initialization winpr_InitializeSSL() can also safely be called multiple times
and concurrently because it uses the new InitOnceExecuteOnce() function to
guarantee that the initialization is only performed successfully once during
the life time of the calling process.

BOOL winpr_CleanupSSL(DWORD flags):

If you create a thread that uses SSL you should call this function before the
thread returns using the flag WINPR_SSL_CLEANUP_THREAD in order to clean up
the thread-local OpenSSL data and tables.
Call the function with the flag WINPR_SSL_CLEANUP_GLOBAL before terminating
your application.

Note: This commit only replaced the current occurences of the
SSL_load_error_strings(); SSL_library_init(); pairs in the freerdp source
with winpr_InitializeSSL(). None of the server or client applications has been
changed according to the recommended usage described above (TBDL).
2014-07-28 21:55:57 +02:00
Marc-André Moreau
d8b858811f shadow: initial windows server-side connectivity 2014-07-17 21:15:22 -04:00
Daniel Bungert
625f7c3c22 Add arguments for managing tls ciphers & netmon
This adds 2 arguments:
    /tls-ciphers                List of permitted openssl ciphers - see ciphers(1)
    /tls-ciphers-netmon         Use tls ciphers that netmon can parse

With KB2919355, client/server negotiate the use of
TLS cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
which works fine except that netmon can't parse it.
By adding commandline /tls-ciphers-netmon, we restrict
the available ciphers to a list that netmon can
deal with.  Also adds /tls-ciphers, which
accepts a string arg, for further customization.
2014-07-17 06:59:06 -06:00
Vic Lee
8df60ecbe4 tls: fix some error handling. 2014-07-15 11:36:35 +08:00
Hardening
3fce288c66 Fix unclean SSL disconnection
This patch prevent an infinite loop when the remote peer disconnect
the socket without cleanly closing the SSL connection.
2014-07-10 23:35:11 +02:00
Hardening
542811291c Use poll() instead of select() when available
select() has the major drawback that it cannot handle file descriptor
that are bigger than 1024. This patch makes use of poll() instead of
select() when poll() support is available.
2014-07-03 15:26:49 +02:00
Hardening
462a26c8c3 Don't leak cert in case of failure 2014-06-03 15:19:00 +02:00
Hardening
a607b4553d Fix certificate leak
There were a leak when doing TLS in server mode
2014-06-03 14:59:58 +02:00
Hardening
4f1b77408a Fix NLA authentication for server-side
This patch make copies of the server public key so that the NLA
authentication can be performed server-side.
2014-06-03 11:04:35 +02:00
Marc-André Moreau
04968b18c4 libfreerdp-core: replace all OpenSSL built-in BIOs by new full duplex BIOs 2014-06-01 21:37:20 -04:00
Marc-André Moreau
b1416af362 libfreerdp-core: add locks to disable full duplex BIOs (currently unsafe) 2014-05-30 14:53:10 -04:00
Marc-André Moreau
d2ad5f698b libfreerdp-core: fix VerifyX509Certificate to make distinction between gateway and direct connection 2014-05-30 14:36:18 -04:00
Benoît LeBlanc
f57c694a3b tls_prepare: suppressed a warning on Mac 2014-05-28 21:33:30 -04:00
Hardening
dd6d829550 Allow transport_write calls to be non-blocking
This big patch allows to have non-blocking writes. To achieve
this, it slightly changes the way transport is handled. The misc transport
layers are handled with OpenSSL BIOs. In the chain we insert a
bufferedBIO that will bufferize write calls that couldn't be honored.

For an access with Tls security the BIO chain would look like this:
  FreeRdp Code ===> SSL bio ===> buffered BIO ===> socket BIO

The buffered BIO will store bytes that couldn't be send because of
blocking write calls.

This patch also rework TSG so that it would look like this in the
case of SSL security with TSG:
                                         (TSG in)
                              > SSL BIO => buffered BIO ==> socket BIO
                             /
FreeRdp => SSL BIO => TSG BIO
                             \
                              > SSL BIO => buffered BIO ==> socket BIO
                                        (TSG out)

So from the FreeRDP point of view sending something is only BIO_writing
on the frontBio (last BIO on the left).
2014-05-21 17:42:31 +02:00
Hardening
729c24cedb Adds some support for valgrind helpers
This patch adds an option to compile freerdp in a valgrind compliant way.
The purpose is to ease memchecking when connecting with TLS. We mark bytes
retrieved from SSL_read() as plainly defined to prevent the undefined contamination.
With the patch and the option activated you get a single warning at connection
during the handshake, and nothing after.
2014-05-12 18:01:29 +02:00
Vic Lee
02595df976 tls: WSAGetLastError should be used on Windows to check system socket error. 2014-04-29 23:05:30 +08:00
Vic Lee
c8848fe4c8 tls: do not kill the connection for non-fatal openssl error codes. 2014-04-29 21:48:11 +08:00
Benoit LeBlanc
6f99f252d9 Fix windows compilation 2014-04-04 10:08:44 -04:00
Marc-André Moreau
feea87b42f libfreerdp-crypto: make distinction between TLS connection error and user cancellation 2014-04-01 16:23:27 -04:00
Marc-André Moreau
14b75d1b27 libfreerdp-core: fix build warnings and windows broken build 2014-03-25 15:19:52 -04:00
Benoît LeBlanc
3e1dfc6311 updated context error messages. utility macros for getting error code CLASS/TYPE 2014-03-21 13:45:43 -04:00
Benoît LeBlanc
d1b9565f51 Added context-specific error management.
Added error codes to replace connectErrorCode.
2014-03-20 18:19:54 -04:00
Benoît LeBlanc
557c082458 Merge branch 'master' of git://github.com/awakecoding/FreeRDP 2014-03-05 16:35:22 -05:00
Marc-André Moreau
951368a1ce Merge branch 'master' of github.com:FreeRDP/FreeRDP 2014-02-27 13:58:29 -05:00
Christian Hofstaedtler
5a74bd7bdb Fix assertion abort when no CN is present in certificate
Triggered by Windows Server 2012 Admin-Mode with MS-recommended AD CA
Certificate setup, which would cause the CN to be absent, and a single
subjectAltName to be present.
2014-02-14 15:25:48 +01:00
Marc-André Moreau
cdcd290c44 wfreerdp: fix most build warnings 2014-02-10 22:12:13 -05:00
Benoît LeBlanc
44e7d2f36c error handling in rpc and transport functions 2013-12-20 17:56:59 -05:00
Marc-André Moreau
51ad85e0ee libfreerdp-core: send Access Denied TLS alert when server-side NLA fails 2013-12-18 19:44:18 -05:00
Marc-André Moreau
9d745cc038 Merge branch 'master' of github.com:mrthebunny/FreeRDP 2013-12-11 12:22:33 -05:00
Marc-André Moreau
62199fc46a Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-12-10 11:54:03 -05:00
Benoît LeBlanc
8c1f836ac8 - SSL verification callback: send correct hostname and port
- Gateway Authentication callback.
- Handling “use same credentials”
2013-12-06 22:15:45 -05:00
Bernhard Miklautz
6763e059c3 tls: handle the case if endpoint has disconnected 2013-12-04 15:36:25 +01:00
Benoît LeBlanc
6a60f79e07 Merge branch 'master' of git://github.com/awakecoding/FreeRDP
# By Bernhard Miklautz (10) and others
# Via Marc-André Moreau (10) and Martin Fleisz (1)
* 'master' of git://github.com/awakecoding/FreeRDP: (32 commits)
  libfreerdp-crypto: add robustness checks for VerifyX509Certificate
  mfreerdp: fix possible crash on gdi termination
  channels/cliprdr: add callback for data request response
  channels/cliprdr: fix conflict with CLIPRDR_HEADER
  fix a gdi leak bug.
  channels/cliprdr: implement more of the callback interface
  channels/cliprdr: start implementing clean callback interface
  channels/rdpsnd: initial attempt at adding GSM610 support
  winpr-thread: fixed bugs in _CreateProcessExA
  ffmpeg-2 -- CodecID
  ffmpeg-2 -- dsp_mask
  ffmpeg-2 -- AVCODEC_MAX_AUDIO_FRAME_SIZE
  check return value.
  reformat coding styles.
  fix name length to copy.
  fix memory realloc size error.
  libfreerdp-crypto: don't report SSL_ERROR_SYSCALL with errno value 0 as error
  channels/rdpsnd: add wlog debug output
  android toolchain: support for ndk r9b
  android toolchain: fixed cmake syntax warning
  ...
2013-11-25 14:40:01 -05:00
Benoît LeBlanc
56c517170f Added hostname and port to callback function for SSL certification verification. 2013-11-25 14:30:43 -05:00
Marc-André Moreau
4987f2b0e1 libfreerdp-crypto: add robustness checks for VerifyX509Certificate 2013-11-25 12:08:58 -05:00
Marc-André Moreau
690a6b624d libfreerdp-crypto: don't report SSL_ERROR_SYSCALL with errno value 0 as error 2013-11-20 15:21:29 -05:00
Marc-André Moreau
b0369cf284 libfreerdp-core: add external certificate management, pass X509 PEM certificate through client callback 2013-11-18 13:54:33 -05:00
Armin Novak
6f43252c9a Fixed argument check in <tls_disconnect> 2013-11-14 10:09:40 +01:00
Marc-André Moreau
1fc2d780f7 libfreerdp-core: fix memory leaks reported by valgrind 2013-10-31 23:35:24 -04:00
Marc-André Moreau
8c4b1361d1 libfreerdp-core: merge with TSG TLS update 2013-10-28 20:20:18 -04:00
Dan Bungert
66ecabb647 Final cleanups - merge ready. 2013-10-28 16:59:02 -06:00
Dan Bungert
f02daaa2d5 More cleanups - remove LWD and all references. 2013-10-28 15:46:28 -06:00
Dan Bungert
cefcac3414 more debug 2013-10-25 15:29:46 -06:00
Dan Bungert
f13c8a0be7 Logging 2013-10-25 10:43:21 -06:00
Marc-André Moreau
b5dd670e73 libfreerdp-core: extend OpenSSL TSG BIO 2013-10-24 12:56:43 -06:00