Commit Graph

373 Commits

Author SHA1 Message Date
akallabeth
8305349a94 Fixed GHSL-2020-102 heap overflow
(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)
2020-05-20 15:41:24 +02:00
akallabeth
64bec7586d Replaced strtok with strtok_s
(cherry picked from commit 7890833af8)
2020-05-18 16:56:03 +02:00
akallabeth
0f89e23542 Fixed #6148: multiple ceritificate purposes
OpenSSL certificate verification can only check a single purpose.
Run the checks with all allowed purposes and accept any.

(cherry picked from commit f3063a589d)
2020-05-18 16:41:11 +02:00
akallabeth
da03f7e04e Fixed #6122: Allow SSL server and client purpose 2020-05-05 07:46:10 +02:00
akallabeth
973731824b Fixed #6099: Add a flag for legacy hash entries
If a legacy entry is found in certificate hash store print
additional information to the user informing about the change
with FreeRDP 2.0
2020-04-28 14:03:19 +02:00
Linus Heckemann
b70be2ee04 tls: support non-RSA keys 2020-04-10 18:06:14 +02:00
Armin Novak
5b9b7f331b Fixed memory leak in tls_get_channel_bindings 2020-03-06 11:37:35 +01:00
Armin Novak
9c999b7135 Added raw function wrapping X509_digest 2020-03-06 11:37:35 +01:00
Armin Novak
2be6e4117f Let ssl backend handle hash checks. 2020-03-06 11:37:35 +01:00
Armin Novak
00fa84b514 Check cert against CertificateAcceptedFingerprints
CertificateAcceptedFingerprints may contain a list of certificate
hashes and the corresponding fingerprint.
If one of the hashes matches consider the certificate accepted.
2020-03-06 11:37:35 +01:00
Armin Novak
ac4bb3c103 End connection before user callbacks if aborted.
If somewhere in freerdp_connect freerdp_abort_connect was called
the user callbacks Authenticate, GatewayAuthenticate and
Verify[Changed|X509]Certificate[Ex] must not be called.
2020-02-19 16:44:42 +01:00
Armin Novak
7c243da6e1 Remove symbols exported by accident. 2019-12-02 10:57:31 +01:00
Armin Novak
72ca88f49c Reformatted to new style 2019-11-07 10:53:54 +01:00
Armin Novak
d7877186d6 Fixed strnlen issues. 2019-11-05 14:55:33 +01:00
Armin Novak
993b79f1bd Removed strcpy use. 2019-10-29 11:58:43 +01:00
Armin Novak
f01e042211 Code cleanups (strlen, casts, size_t, ...) 2019-10-29 11:58:43 +01:00
asapelkin
82eadad4a4 Fix some static analizer warnings 2019-10-22 15:39:54 +02:00
Armin Novak
2f2ca9d93b Fixed leak in verify_cb. 2019-10-04 16:19:23 +02:00
Armin Novak
2778cbce8c Fixed type of sk_* macro. 2019-08-22 10:40:25 +02:00
Armin Novak
36c820a9d9 Extract whole certificate chain to PEM format. 2019-07-17 14:42:32 +02:00
Armin Novak
0c17c3871b Pass on cert validation failure, set freerdp error in all use cases. 2019-07-15 15:51:46 +02:00
Armin Novak
ca4a1d19a5 Silenced some unused parameter warnings. 2019-05-08 12:21:31 +02:00
Armin Novak
29c920c568 Fixed review remarks. 2019-04-05 09:14:35 +02:00
Armin Novak
1da57d0b7e Fixed sign-compare warnings 2019-04-05 09:13:24 +02:00
cerg2010cerg2010
7abc86ffae Close file handle correctly. (#5310) 2019-03-18 14:57:00 +01:00
Armin Novak
4ad0770a7e Silenced function pointer cast warnings for BIO_callback_ctrl 2019-02-21 13:53:51 +01:00
David Fort
05d9d89796
Merge pull request #5149 from akallabeth/cert_deny
New option to disable user certificate dialog
2019-01-25 16:59:33 +01:00
Armin Novak
0c83efa753 Fix #5170: Disable custom TLS alert for libressl > 2.8.3 2019-01-07 14:20:16 +01:00
Simon Legner
ff375d238b
fix(crypto/tls): typo 2019-01-02 08:18:07 +01:00
Armin Novak
b60045af27 New option to disable user certificate dialog
The new option +cert-deny aborts a connection automatically if
the certificate can not be validated by OpenSSL or via known hosts.
2018-12-14 10:17:52 +01:00
Armin Novak
6906efa354 Fixed return value for already accepted certificate. 2018-12-14 09:52:25 +01:00
Armin Novak
d2ac7acdd9 Fixed certificate accept
certificate_data_replace can only replace an existing entry,
use certificate_data_print for new ones.
2018-12-10 12:03:55 +01:00
Armin Novak
d05217454f Fix #5115: Cast PEM data from BYTE* to char* to silence warnings. 2018-12-07 12:36:18 +01:00
Armin Novak
0aaf14bed7 Fixe accidental removal of certificate_data_replace 2018-12-06 09:39:50 +01:00
Armin Novak
b27470405c Duplicate PEM when accepted. 2018-12-04 09:35:24 +01:00
Armin Novak
e04c319d21 Added new default certificate callbacks with extended information.
The extended information provided by VerifyCertificateEx and
VerifyChangedCertificateEx is now exploited by the new functions
client_cli_verify_certificate_ex and client_cli_verify_changed_certificate_ex.

The old callbacks now print out deprecation warnings to inform the
user and developer about this deprecation.
2018-12-04 09:35:24 +01:00
Armin Novak
a8823fdf95 Cleaned up certificate verification code. 2018-12-04 09:35:24 +01:00
Armin Novak
7ab07ab980 Added certificate callbacks with source indications. 2018-12-04 09:35:24 +01:00
Armin Novak
dd3276d664 Prefer VerifyX509Certificate and fixed const arguments
If VerifyX509Certificate is set use it also when doing internal
certificate management. Added flags to ensure it is possible to
find out which type of connection is being made.
2018-12-04 09:35:24 +01:00
Armin Novak
d27cd1b19e Fixed unit tests, use uniqe file names 2018-12-04 08:45:41 +01:00
Armin Novak
f3e1ffb121 Fix #4764: Second try, use X509_STORE_CTX_set_purpose 2018-11-28 12:08:42 +01:00
Armin Novak
77744200a8 Fix #4768: Set SSL verify purpose to ANY
Should actually be SSL server but since we allowed broken
purpose up until now keep that for the 2.0 series.
2018-11-26 11:58:29 +01:00
akallabeth
effa8b8562 Fix #5049: Libressl declares OPENSSL_VERSION_NUMBER too high
Need to check specifically for LIBRESSL_VERSION_NUMBER as they
set the version higher than OpenSSL 1.1 but without API support.
2018-11-22 19:10:05 +01:00
Armin Novak
649f49fa61 Fix #5049: LibreSSL does not have SSL_CTX_set_security_level 2018-11-22 09:23:46 +01:00
Martin Fleisz
947aa80033
Merge pull request #5016 from akallabeth/windows_server_build_fix
Windows server build fix
2018-11-21 16:02:47 +01:00
Christian Gall
fffe4f077a * remove obsolete SSLv23_client_method in tls_connect()
* set min TLS Version
2018-11-18 14:09:37 +00:00
Armin Novak
a2cd934184 Fixed windows build warnings. 2018-11-15 09:01:53 +01:00
Martin Fleisz
097ac0ee13
Merge pull request #4997 from akallabeth/use_bio_free_all
Replaced BIO_free with BIO_free_all
2018-11-12 13:55:36 +01:00
Armin Novak
5f4843191b Replaced BIO_free with BIO_free_all
There is no point in using BIO_free with a custom recursion
to free up stacked BIOs if there is already BIO_free_all.
Using it consistently avoids memory leaks due to stacked BIOs
not being recursively freed.
2018-11-08 12:09:49 +01:00
Bernhard Miklautz
1222e7060b new [crypto/tls]: add support to set tls security level
The newly introduced option /tls-seclevel can be used to set the tls
security level on systems with openssl >= 1.1.0 or libressl.
As default level 1 is used as higher levels might prohibit connections
to older systems.
2018-11-08 11:13:15 +01:00