akallabeth
8305349a94
Fixed GHSL-2020-102 heap overflow
...
(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)
2020-05-20 15:41:24 +02:00
akallabeth
64bec7586d
Replaced strtok with strtok_s
...
(cherry picked from commit 7890833af8
)
2020-05-18 16:56:03 +02:00
akallabeth
0f89e23542
Fixed #6148 : multiple ceritificate purposes
...
OpenSSL certificate verification can only check a single purpose.
Run the checks with all allowed purposes and accept any.
(cherry picked from commit f3063a589d
)
2020-05-18 16:41:11 +02:00
akallabeth
da03f7e04e
Fixed #6122 : Allow SSL server and client purpose
2020-05-05 07:46:10 +02:00
akallabeth
973731824b
Fixed #6099 : Add a flag for legacy hash entries
...
If a legacy entry is found in certificate hash store print
additional information to the user informing about the change
with FreeRDP 2.0
2020-04-28 14:03:19 +02:00
Linus Heckemann
b70be2ee04
tls: support non-RSA keys
2020-04-10 18:06:14 +02:00
Armin Novak
5b9b7f331b
Fixed memory leak in tls_get_channel_bindings
2020-03-06 11:37:35 +01:00
Armin Novak
9c999b7135
Added raw function wrapping X509_digest
2020-03-06 11:37:35 +01:00
Armin Novak
2be6e4117f
Let ssl backend handle hash checks.
2020-03-06 11:37:35 +01:00
Armin Novak
00fa84b514
Check cert against CertificateAcceptedFingerprints
...
CertificateAcceptedFingerprints may contain a list of certificate
hashes and the corresponding fingerprint.
If one of the hashes matches consider the certificate accepted.
2020-03-06 11:37:35 +01:00
Armin Novak
ac4bb3c103
End connection before user callbacks if aborted.
...
If somewhere in freerdp_connect freerdp_abort_connect was called
the user callbacks Authenticate, GatewayAuthenticate and
Verify[Changed|X509]Certificate[Ex] must not be called.
2020-02-19 16:44:42 +01:00
Armin Novak
7c243da6e1
Remove symbols exported by accident.
2019-12-02 10:57:31 +01:00
Armin Novak
72ca88f49c
Reformatted to new style
2019-11-07 10:53:54 +01:00
Armin Novak
d7877186d6
Fixed strnlen issues.
2019-11-05 14:55:33 +01:00
Armin Novak
993b79f1bd
Removed strcpy use.
2019-10-29 11:58:43 +01:00
Armin Novak
f01e042211
Code cleanups (strlen, casts, size_t, ...)
2019-10-29 11:58:43 +01:00
asapelkin
82eadad4a4
Fix some static analizer warnings
2019-10-22 15:39:54 +02:00
Armin Novak
2f2ca9d93b
Fixed leak in verify_cb.
2019-10-04 16:19:23 +02:00
Armin Novak
2778cbce8c
Fixed type of sk_* macro.
2019-08-22 10:40:25 +02:00
Armin Novak
36c820a9d9
Extract whole certificate chain to PEM format.
2019-07-17 14:42:32 +02:00
Armin Novak
0c17c3871b
Pass on cert validation failure, set freerdp error in all use cases.
2019-07-15 15:51:46 +02:00
Armin Novak
ca4a1d19a5
Silenced some unused parameter warnings.
2019-05-08 12:21:31 +02:00
Armin Novak
29c920c568
Fixed review remarks.
2019-04-05 09:14:35 +02:00
Armin Novak
1da57d0b7e
Fixed sign-compare warnings
2019-04-05 09:13:24 +02:00
cerg2010cerg2010
7abc86ffae
Close file handle correctly. ( #5310 )
2019-03-18 14:57:00 +01:00
Armin Novak
4ad0770a7e
Silenced function pointer cast warnings for BIO_callback_ctrl
2019-02-21 13:53:51 +01:00
David Fort
05d9d89796
Merge pull request #5149 from akallabeth/cert_deny
...
New option to disable user certificate dialog
2019-01-25 16:59:33 +01:00
Armin Novak
0c83efa753
Fix #5170 : Disable custom TLS alert for libressl > 2.8.3
2019-01-07 14:20:16 +01:00
Simon Legner
ff375d238b
fix(crypto/tls): typo
2019-01-02 08:18:07 +01:00
Armin Novak
b60045af27
New option to disable user certificate dialog
...
The new option +cert-deny aborts a connection automatically if
the certificate can not be validated by OpenSSL or via known hosts.
2018-12-14 10:17:52 +01:00
Armin Novak
6906efa354
Fixed return value for already accepted certificate.
2018-12-14 09:52:25 +01:00
Armin Novak
d2ac7acdd9
Fixed certificate accept
...
certificate_data_replace can only replace an existing entry,
use certificate_data_print for new ones.
2018-12-10 12:03:55 +01:00
Armin Novak
d05217454f
Fix #5115 : Cast PEM data from BYTE* to char* to silence warnings.
2018-12-07 12:36:18 +01:00
Armin Novak
0aaf14bed7
Fixe accidental removal of certificate_data_replace
2018-12-06 09:39:50 +01:00
Armin Novak
b27470405c
Duplicate PEM when accepted.
2018-12-04 09:35:24 +01:00
Armin Novak
e04c319d21
Added new default certificate callbacks with extended information.
...
The extended information provided by VerifyCertificateEx and
VerifyChangedCertificateEx is now exploited by the new functions
client_cli_verify_certificate_ex and client_cli_verify_changed_certificate_ex.
The old callbacks now print out deprecation warnings to inform the
user and developer about this deprecation.
2018-12-04 09:35:24 +01:00
Armin Novak
a8823fdf95
Cleaned up certificate verification code.
2018-12-04 09:35:24 +01:00
Armin Novak
7ab07ab980
Added certificate callbacks with source indications.
2018-12-04 09:35:24 +01:00
Armin Novak
dd3276d664
Prefer VerifyX509Certificate and fixed const arguments
...
If VerifyX509Certificate is set use it also when doing internal
certificate management. Added flags to ensure it is possible to
find out which type of connection is being made.
2018-12-04 09:35:24 +01:00
Armin Novak
d27cd1b19e
Fixed unit tests, use uniqe file names
2018-12-04 08:45:41 +01:00
Armin Novak
f3e1ffb121
Fix #4764 : Second try, use X509_STORE_CTX_set_purpose
2018-11-28 12:08:42 +01:00
Armin Novak
77744200a8
Fix #4768 : Set SSL verify purpose to ANY
...
Should actually be SSL server but since we allowed broken
purpose up until now keep that for the 2.0 series.
2018-11-26 11:58:29 +01:00
akallabeth
effa8b8562
Fix #5049 : Libressl declares OPENSSL_VERSION_NUMBER too high
...
Need to check specifically for LIBRESSL_VERSION_NUMBER as they
set the version higher than OpenSSL 1.1 but without API support.
2018-11-22 19:10:05 +01:00
Armin Novak
649f49fa61
Fix #5049 : LibreSSL does not have SSL_CTX_set_security_level
2018-11-22 09:23:46 +01:00
Martin Fleisz
947aa80033
Merge pull request #5016 from akallabeth/windows_server_build_fix
...
Windows server build fix
2018-11-21 16:02:47 +01:00
Christian Gall
fffe4f077a
* remove obsolete SSLv23_client_method in tls_connect()
...
* set min TLS Version
2018-11-18 14:09:37 +00:00
Armin Novak
a2cd934184
Fixed windows build warnings.
2018-11-15 09:01:53 +01:00
Martin Fleisz
097ac0ee13
Merge pull request #4997 from akallabeth/use_bio_free_all
...
Replaced BIO_free with BIO_free_all
2018-11-12 13:55:36 +01:00
Armin Novak
5f4843191b
Replaced BIO_free with BIO_free_all
...
There is no point in using BIO_free with a custom recursion
to free up stacked BIOs if there is already BIO_free_all.
Using it consistently avoids memory leaks due to stacked BIOs
not being recursively freed.
2018-11-08 12:09:49 +01:00
Bernhard Miklautz
1222e7060b
new [crypto/tls]: add support to set tls security level
...
The newly introduced option /tls-seclevel can be used to set the tls
security level on systems with openssl >= 1.1.0 or libressl.
As default level 1 is used as higher levels might prohibit connections
to older systems.
2018-11-08 11:13:15 +01:00