Commit Graph

206 Commits

Author SHA1 Message Date
Norbert Federa
1eff1a345e free can handle NULL perfectly fine 2015-05-11 09:07:39 +02:00
Norbert Federa
f9f59cd29b Fix unchecked CreateDirectory calls 2015-05-07 13:28:13 +02:00
David FORT
c03bf75896 Take in account @nfedera's comments 2015-04-07 21:06:53 +02:00
David FORT
8685a8e0a2 Fixed missing return value 2015-04-01 14:24:37 +02:00
David FORT
9bb4d64608 Correctly handle HMAC_Init_ex() for older versions of OpenSSL 2015-04-01 14:12:08 +02:00
David FORT
0eb399a717 Treat return values for security.c
This patch make functions in security.c return values when they should instead of
beeing void. And it also fix the callers of these functions.
2015-04-01 11:11:37 +02:00
Marc-André Moreau
ad6723835b Merge pull request #2505 from bmiklautz/tls_shutdown
rename and update tls_disconnect
2015-03-31 09:26:30 -04:00
Norbert Federa
1ba681fecc crypto: support MSFT iOS clients with faulty SNI
Microsoft iOS Remote Desktop Clients eventually send NULL-terminated
hostnames in SNI which is not allowed in the OpenSSL implementation.

Since we're not using SNI this commit adds an OpenSSL TLS extension
debug callback which modifies the SSL context in a way preventing it
from parsing this extension
2015-03-30 13:48:51 +02:00
Bernhard Miklautz
90968e07e1 rename and update tls_disconnect
tls_disconnect shut down the ssl stream but didn't inform
the BIO(s) about this therefore could happen that a second shut down
was initiated (e.g. in bio_rdp_tls_free) causing rather long delays.

After removing the shut down from tls_disconnect the only thing the
function does is to prepare/send an alert therefore it was renamed to
tls_send_alert.
2015-03-30 11:56:09 +02:00
Vic Lee
5f375d0a6f tls: revert checking SSL_ERROR_SYSCALL which may cause deadlock. 2015-03-25 16:07:39 +08:00
Martin Fleisz
5fa777b11c Merge pull request #2482 from llyzs/llyzs
tls: fix error handling of no error code.
2015-03-23 16:06:12 +01:00
Vic Lee
2137ccc3db tls: retry for all SSL_ERROR_SYSCALL errors. 2015-03-20 10:03:30 +08:00
Marc-André Moreau
dc913d9f2c libfreerdp-core: fix some RDG valgrind issues 2015-03-17 16:09:17 -04:00
Jason Plum
6ce5991e74 libfreerdp: crypto: add certificate chain validation! 2015-03-13 13:50:54 -04:00
Marc-André Moreau
5ab34dfa3e Merge pull request #2456 from zhangzl2013/fix-realloc
Fix incorrect usage of realloc
2015-03-12 07:33:27 -04:00
Bernhard Miklautz
6072165fd7 crypto: use PEM as certificate store file format
Currently the certificate format expected in FreeRDPs certificate store
is DER (ASN1). On most linux/unix systems the system certificate store
default format is PEM. Which is also the more common format used by CAs
to distribute their certificates.

Changing the default format to PEM allows the usage of system
certificates or published CA certificates without the need to convert them.

This fixes a part of issue #2446.
2015-03-11 12:06:52 +01:00
Zhang Zhaolong
4205dac57f crypto: fix incorrect usage of realloc.
Signed-off-by: Zhang Zhaolong <zhangzl2013@126.com>
2015-03-11 12:37:35 +08:00
Jason Plum
30f28d4ac9 Fix case sensitive hostname comparison in tls
To do this I've swapped _strnicmp with memcmp. Seemless, but does lock it to the restrictions of that function.

Signed-off-by: Jason Plum <jplum@archlinuxarm.org>
2015-03-10 16:48:35 -04:00
Marc-André Moreau
44d06888bb libfreerdp-core: fix BIO leaks 2015-02-18 15:36:57 -05:00
Marc-André Moreau
e241330daf libfreerdp-core: rewrite tls_write_all to use front BIO only 2015-02-13 16:02:37 -05:00
Marc-André Moreau
b7a619ff8a libfreerdp-core: move some rdpTcp operations under BIO layer 2015-02-13 14:26:02 -05:00
Marc-André Moreau
fa06c4d401 libfreerdp-core: improve reconnection 2015-02-06 14:21:26 -05:00
Marc-André Moreau
82d58086db xfreerdp: partial reconnect fixes 2015-02-05 17:01:56 -05:00
Marc-André Moreau
81e190eccb libfreerdp-crypto: fix tls_write_all ringbuffer usage 2015-01-14 13:25:54 -05:00
Marc-André Moreau
98cd697cad libfreerdp-utils: add ringbuffer debug output 2015-01-14 13:15:57 -05:00
Bernhard Miklautz
f338e1f6c3 crypto: revert pull request #2130
The fix in #2130 eliminates the problem when connecting over a gateway
but introduces other problems server side and client side (client/server
can't detect anymore when a TCP connection was closed).
2014-11-26 19:46:32 +01:00
Marc-André Moreau
ddedc574f3 freerdp: remove tcp, uds utils 2014-11-12 14:06:34 -05:00
Marc-André Moreau
2de73e0243 Merge pull request #2130 from eosrei/2056/ts-gateway-connect-fail
Removing TS Gateway breaking BIO_clear_flags() call
2014-10-25 11:52:29 -04:00
Marc-André Moreau
ce7302a999 wfreerdp: cleanup clipboard 2014-10-22 22:32:55 -04:00
Brad
0746d8c14c Do not BIO_clear_flags() when the SSL error is not valid to fix #2056 2014-10-08 00:00:36 -07:00
Marc-André Moreau
d102e746c8 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP
Conflicts:
	libfreerdp/core/license.c
	libfreerdp/core/nego.c
	winpr/libwinpr/synch/wait.c
2014-09-19 14:38:25 -04:00
Mike McDonald
50cf0ee915 Modified per_read_integer to handle a length of 0 (which is seen when older RDP clients connect to the FreeRDP server) 2014-09-16 23:15:34 -04:00
Armin Novak
17fa410785 Fixed compiler warning. 2014-09-15 08:48:46 +02:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Bernhard Miklautz
0313ca3622 libfreerdp: always build "MONOLITHIC"
"libfreerdp" consisted of multiple (small) single libraries. If the cmake
option MONOLITHIC was used only one library was build combining all of
the libfreerdp-* libraries.
The only exceptions to this are libfreerdp-server and libfreerdp-client these
are build as separate libraries.

This commit obsoltes non-monolithic builds and makes monolithic builds
the default. The cmake option MONOLITHIC is also removed.
2014-09-12 00:19:53 +02:00
Marc-André Moreau
1a8c763309 Merge branch 'shadow' of github.com:awakecoding/FreeRDP 2014-08-18 17:06:13 -04:00
Bernhard Miklautz
e5e1a75c35 crypto: fix fingerprint
Latest logging changes introduced a problem with fingerprint generation.
The last byte wasn't added.
2014-08-12 15:40:53 +02:00
Marc-André Moreau
e4a4aa4d3a Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow
Conflicts:
	channels/encomsp/client/encomsp_main.c
	libfreerdp/core/tcp.c
	libfreerdp/crypto/certificate.c
	server/Windows/CMakeLists.txt
	server/X11/xf_cursor.c
	server/X11/xf_input.c
	server/X11/xf_interface.c
	server/X11/xf_monitors.c
	server/X11/xf_peer.c
2014-08-11 19:22:33 -04:00
Armin Novak
f00cb3d25c Reverted previous replacements, not to be done for tests. 2014-08-07 19:05:22 +02:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Marc-André Moreau
3895c930a3 Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow 2014-08-05 09:56:12 -04:00
Norbert Federa
cdcdec99bc OpenSSL thread safety
freerdp/winpr had the following issues:
* The non reentrant SSL_library_init() was called concurrently (crash)
* Missing code/api to set the eventually required OpenSSL static and dynamic locking callbacks
* Missing code/api to free the application-global or thread-local OpenSSL data and tables

This commit creates two new winpr functions:

BOOL winpr_InitializeSSL(DWORD flags):

Use the flag WINPR_SSL_INIT_ALREADY_INITIALIZED if you want to tell winpr that
your application has already initialized OpenSSL.
If required use the flag WINPR_SSL_INIT_ENABLE_LOCKING to tell winpr that it
should set the OpenSSL static and dynamic locking callbacks.
Otherwise just call it with the flag WINPR_SSL_INIT_DEFAULT.

The recommended way is that your application calls this function once before
any threads are created. However, in order to support lazy OpenSSL library
initialization winpr_InitializeSSL() can also safely be called multiple times
and concurrently because it uses the new InitOnceExecuteOnce() function to
guarantee that the initialization is only performed successfully once during
the life time of the calling process.

BOOL winpr_CleanupSSL(DWORD flags):

If you create a thread that uses SSL you should call this function before the
thread returns using the flag WINPR_SSL_CLEANUP_THREAD in order to clean up
the thread-local OpenSSL data and tables.
Call the function with the flag WINPR_SSL_CLEANUP_GLOBAL before terminating
your application.

Note: This commit only replaced the current occurences of the
SSL_load_error_strings(); SSL_library_init(); pairs in the freerdp source
with winpr_InitializeSSL(). None of the server or client applications has been
changed according to the recommended usage described above (TBDL).
2014-07-28 21:55:57 +02:00
Marc-André Moreau
d8b858811f shadow: initial windows server-side connectivity 2014-07-17 21:15:22 -04:00
Daniel Bungert
625f7c3c22 Add arguments for managing tls ciphers & netmon
This adds 2 arguments:
    /tls-ciphers                List of permitted openssl ciphers - see ciphers(1)
    /tls-ciphers-netmon         Use tls ciphers that netmon can parse

With KB2919355, client/server negotiate the use of
TLS cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
which works fine except that netmon can't parse it.
By adding commandline /tls-ciphers-netmon, we restrict
the available ciphers to a list that netmon can
deal with.  Also adds /tls-ciphers, which
accepts a string arg, for further customization.
2014-07-17 06:59:06 -06:00
Vic Lee
8df60ecbe4 tls: fix some error handling. 2014-07-15 11:36:35 +08:00
Armin Novak
ad3255354d Added WITH_LIBRARY_VERSIONING, allowing to build shared libraries without
SOVERSION information. (required by Android)
2014-07-11 11:53:58 +02:00
Hardening
3fce288c66 Fix unclean SSL disconnection
This patch prevent an infinite loop when the remote peer disconnect
the socket without cleanly closing the SSL connection.
2014-07-10 23:35:11 +02:00
Bernhard Miklautz
6a49bcfe40 winpr: always build "monolitic"
winpr is now always build as single library.
The build option MONOLITHIC_BUILD doesn't influence this behavior anymore.

The only exception is winpr-makecert-tool which is still build as extra
library.

This obsoletes complex_libraries for winpr.
2014-07-10 11:10:58 +02:00
Hardening
542811291c Use poll() instead of select() when available
select() has the major drawback that it cannot handle file descriptor
that are bigger than 1024. This patch makes use of poll() instead of
select() when poll() support is available.
2014-07-03 15:26:49 +02:00
Hardening
462a26c8c3 Don't leak cert in case of failure 2014-06-03 15:19:00 +02:00