FreeRDP
Loading...
Searching...
No Matches
libfreerdp/crypto/tls.c
1
22#include <freerdp/config.h>
23
24#include "../core/settings.h"
25
26#include <winpr/assert.h>
27#include <string.h>
28#include <errno.h>
29
30#include <winpr/crt.h>
31#include <winpr/winpr.h>
32#include <winpr/string.h>
33#include <winpr/sspi.h>
34#include <winpr/ssl.h>
35#include <winpr/json.h>
36
37#include <winpr/stream.h>
38#include <freerdp/utils/ringbuffer.h>
39
40#include <freerdp/crypto/certificate.h>
41#include <freerdp/crypto/certificate_data.h>
42#include <freerdp/utils/helpers.h>
43
44#include <freerdp/log.h>
45#include "../crypto/tls.h"
46#include "../core/tcp.h"
47
48#include "opensslcompat.h"
49#include "certificate.h"
50#include "privatekey.h"
51
52#ifdef WINPR_HAVE_POLL_H
53#include <poll.h>
54#endif
55
56#ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H
57#include <valgrind/memcheck.h>
58#endif
59
60#define TAG FREERDP_TAG("crypto")
61
84typedef struct
85{
86 SSL* ssl;
88} BIO_RDP_TLS;
89
90static int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char* hostname,
91 UINT16 port);
92static void tls_print_certificate_name_mismatch_error(const char* hostname, UINT16 port,
93 const char* common_name, char** alt_names,
94 size_t alt_names_count);
95static void tls_print_new_certificate_warn(rdpCertificateStore* store, const char* hostname,
96 UINT16 port, const char* type, const char* fingerprint);
97static void tls_print_certificate_error(rdpCertificateStore* store, rdpCertificateData* stored_data,
98 const char* hostname, UINT16 port, const char* fingerprint);
99
100static void free_tls_public_key(rdpTls* tls)
101{
102 WINPR_ASSERT(tls);
103 free(tls->PublicKey);
104 tls->PublicKey = nullptr;
105 tls->PublicKeyLength = 0;
106}
107
108static void free_tls_bindings(rdpTls* tls)
109{
110 WINPR_ASSERT(tls);
111
112 if (tls->Bindings)
113 free(tls->Bindings->Bindings);
114
115 free(tls->Bindings);
116 tls->Bindings = nullptr;
117}
118
119static int bio_rdp_tls_write(BIO* bio, const char* buf, int size)
120{
121 int error = 0;
122 int status = 0;
123 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
124
125 if (!buf || !tls)
126 return 0;
127
128 BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL);
129 EnterCriticalSection(&tls->lock);
130 status = SSL_write(tls->ssl, buf, size);
131 error = SSL_get_error(tls->ssl, status);
132 LeaveCriticalSection(&tls->lock);
133
134 if (status <= 0)
135 {
136 switch (error)
137 {
138 case SSL_ERROR_NONE:
139 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
140 break;
141
142 case SSL_ERROR_WANT_WRITE:
143 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
144 break;
145
146 case SSL_ERROR_WANT_READ:
147 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
148 break;
149
150 case SSL_ERROR_WANT_X509_LOOKUP:
151 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
152 BIO_set_retry_reason(bio, BIO_RR_SSL_X509_LOOKUP);
153 break;
154
155 case SSL_ERROR_WANT_CONNECT:
156 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
157 BIO_set_retry_reason(bio, BIO_RR_CONNECT);
158 break;
159
160 case SSL_ERROR_SYSCALL:
161 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
162 break;
163
164 case SSL_ERROR_SSL:
165 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
166 break;
167 default:
168 break;
169 }
170 }
171
172 return status;
173}
174
175static int bio_rdp_tls_read(BIO* bio, char* buf, int size)
176{
177 int error = 0;
178 int status = 0;
179 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
180
181 if (!buf || !tls)
182 return 0;
183
184 BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL);
185 EnterCriticalSection(&tls->lock);
186 status = SSL_read(tls->ssl, buf, size);
187 error = SSL_get_error(tls->ssl, status);
188 LeaveCriticalSection(&tls->lock);
189
190 if (status <= 0)
191 {
192
193 switch (error)
194 {
195 case SSL_ERROR_NONE:
196 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
197 break;
198
199 case SSL_ERROR_WANT_READ:
200 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
201 break;
202
203 case SSL_ERROR_WANT_WRITE:
204 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
205 break;
206
207 case SSL_ERROR_WANT_X509_LOOKUP:
208 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
209 BIO_set_retry_reason(bio, BIO_RR_SSL_X509_LOOKUP);
210 break;
211
212 case SSL_ERROR_WANT_ACCEPT:
213 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
214 BIO_set_retry_reason(bio, BIO_RR_ACCEPT);
215 break;
216
217 case SSL_ERROR_WANT_CONNECT:
218 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
219 BIO_set_retry_reason(bio, BIO_RR_CONNECT);
220 break;
221
222 case SSL_ERROR_SSL:
223 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
224 break;
225
226 case SSL_ERROR_ZERO_RETURN:
227 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
228 break;
229
230 case SSL_ERROR_SYSCALL:
231 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
232 break;
233 default:
234 break;
235 }
236 }
237
238#ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H
239
240 if (status > 0)
241 {
242 VALGRIND_MAKE_MEM_DEFINED(buf, status);
243 }
244
245#endif
246 return status;
247}
248
249static int bio_rdp_tls_puts(BIO* bio, const char* str)
250{
251 if (!str)
252 return 0;
253
254 const size_t max = (INT_MAX > SIZE_MAX) ? SIZE_MAX : INT_MAX;
255 const size_t size = strnlen(str, max);
256 if (size >= max)
257 return -1;
258 ERR_clear_error();
259 return BIO_write(bio, str, (int)size);
260}
261
262static int bio_rdp_tls_gets(WINPR_ATTR_UNUSED BIO* bio, WINPR_ATTR_UNUSED char* str,
263 WINPR_ATTR_UNUSED int size)
264{
265 return 1;
266}
267
268static long bio_rdp_tls_ctrl(BIO* bio, int cmd, long num, void* ptr)
269{
270 BIO* ssl_rbio = nullptr;
271 BIO* ssl_wbio = nullptr;
272 BIO* next_bio = nullptr;
273 long status = -1;
274 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
275
276 if (!tls)
277 return 0;
278
279 if (!tls->ssl && (cmd != BIO_C_SET_SSL))
280 return 0;
281
282 next_bio = BIO_next(bio);
283 ssl_rbio = tls->ssl ? SSL_get_rbio(tls->ssl) : nullptr;
284 ssl_wbio = tls->ssl ? SSL_get_wbio(tls->ssl) : nullptr;
285
286 switch (cmd)
287 {
288 case BIO_CTRL_RESET:
289 SSL_shutdown(tls->ssl);
290
291 if (SSL_in_connect_init(tls->ssl))
292 SSL_set_connect_state(tls->ssl);
293 else if (SSL_in_accept_init(tls->ssl))
294 SSL_set_accept_state(tls->ssl);
295
296 SSL_clear(tls->ssl);
297
298 if (next_bio)
299 status = BIO_ctrl(next_bio, cmd, num, ptr);
300 else if (ssl_rbio)
301 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
302 else
303 status = 1;
304
305 break;
306
307 case BIO_C_GET_FD:
308 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
309 break;
310
311 case BIO_CTRL_INFO:
312 status = 0;
313 break;
314
315 case BIO_CTRL_SET_CALLBACK:
316 status = 0;
317 break;
318
319 case BIO_CTRL_GET_CALLBACK:
320 /* The OpenSSL API is horrible here:
321 * we get a function pointer returned and have to cast it to ULONG_PTR
322 * to return the value to the caller.
323 *
324 * This, of course, is something compilers warn about. So silence it by casting */
325 {
326 void* vptr = WINPR_FUNC_PTR_CAST(SSL_get_info_callback(tls->ssl), void*);
327 *((void**)ptr) = vptr;
328 status = 1;
329 }
330 break;
331
332 case BIO_C_SSL_MODE:
333 if (num)
334 SSL_set_connect_state(tls->ssl);
335 else
336 SSL_set_accept_state(tls->ssl);
337
338 status = 1;
339 break;
340
341 case BIO_CTRL_GET_CLOSE:
342 status = BIO_get_shutdown(bio);
343 break;
344
345 case BIO_CTRL_SET_CLOSE:
346 BIO_set_shutdown(bio, (int)num);
347 status = 1;
348 break;
349
350 case BIO_CTRL_WPENDING:
351 status = BIO_ctrl(ssl_wbio, cmd, num, ptr);
352 break;
353
354 case BIO_CTRL_PENDING:
355 status = SSL_pending(tls->ssl);
356
357 if (status == 0)
358 status = BIO_pending(ssl_rbio);
359
360 break;
361
362 case BIO_CTRL_FLUSH:
363 BIO_clear_retry_flags(bio);
364 status = BIO_ctrl(ssl_wbio, cmd, num, ptr);
365 if (status != 1)
366 WLog_DBG(TAG, "BIO_ctrl returned %ld", status);
367 BIO_copy_next_retry(bio);
368 status = 1;
369 break;
370
371 case BIO_CTRL_PUSH:
372 if (next_bio && (next_bio != ssl_rbio))
373 {
374#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
375 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
376 SSL_set_bio(tls->ssl, next_bio, next_bio);
377 CRYPTO_add(&(bio->next_bio->references), 1, CRYPTO_LOCK_BIO);
378#else
379 /*
380 * We are going to pass ownership of next to the SSL object...but
381 * we don't own a reference to pass yet - so up ref
382 */
383 BIO_up_ref(next_bio);
384 SSL_set_bio(tls->ssl, next_bio, next_bio);
385#endif
386 }
387
388 status = 1;
389 break;
390
391 case BIO_CTRL_POP:
392
393 /* Only detach if we are the BIO explicitly being popped */
394 if (bio == ptr)
395 {
396 if (ssl_rbio != ssl_wbio)
397 BIO_free_all(ssl_wbio);
398
399#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
400 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
401
402 if (next_bio)
403 CRYPTO_add(&(bio->next_bio->references), -1, CRYPTO_LOCK_BIO);
404
405 tls->ssl->wbio = tls->ssl->rbio = nullptr;
406#else
407 /* OpenSSL 1.1: This will also clear the reference we obtained during push */
408 SSL_set_bio(tls->ssl, nullptr, nullptr);
409#endif
410 }
411
412 status = 1;
413 break;
414
415 case BIO_C_GET_SSL:
416 if (ptr)
417 {
418 *((SSL**)ptr) = tls->ssl;
419 status = 1;
420 }
421
422 break;
423
424 case BIO_C_SET_SSL:
425 BIO_set_shutdown(bio, (int)num);
426
427 if (ptr)
428 {
429 tls->ssl = (SSL*)ptr;
430 ssl_rbio = SSL_get_rbio(tls->ssl);
431 }
432
433 if (ssl_rbio)
434 {
435 if (next_bio)
436 BIO_push(ssl_rbio, next_bio);
437
438 BIO_set_next(bio, ssl_rbio);
439#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
440 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
441 CRYPTO_add(&(ssl_rbio->references), 1, CRYPTO_LOCK_BIO);
442#else
443 BIO_up_ref(ssl_rbio);
444#endif
445 }
446
447 BIO_set_init(bio, 1);
448 status = 1;
449 break;
450
451 case BIO_C_DO_STATE_MACHINE:
452 BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL);
453 BIO_set_retry_reason(bio, 0);
454 status = SSL_do_handshake(tls->ssl);
455
456 if (status <= 0)
457 {
458 const int err = (status < INT32_MIN) ? INT32_MIN : (int)status;
459 switch (SSL_get_error(tls->ssl, err))
460 {
461 case SSL_ERROR_WANT_READ:
462 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
463 break;
464
465 case SSL_ERROR_WANT_WRITE:
466 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
467 break;
468
469 case SSL_ERROR_WANT_CONNECT:
470 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY);
471 BIO_set_retry_reason(bio, BIO_get_retry_reason(next_bio));
472 break;
473
474 default:
475 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
476 break;
477 }
478 }
479
480 break;
481
482 default:
483 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
484 break;
485 }
486
487 return status;
488}
489
490static int bio_rdp_tls_new(BIO* bio)
491{
492 BIO_RDP_TLS* tls = nullptr;
493 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
494
495 if (!(tls = calloc(1, sizeof(BIO_RDP_TLS))))
496 return 0;
497
498 if (!InitializeCriticalSectionAndSpinCount(&tls->lock, 4000))
499 {
500 free(tls);
501 return -1;
502 }
503
504 BIO_set_data(bio, (void*)tls);
505 return 1;
506}
507
508static int bio_rdp_tls_free(BIO* bio)
509{
510 BIO_RDP_TLS* tls = nullptr;
511
512 if (!bio)
513 return 0;
514
515 tls = (BIO_RDP_TLS*)BIO_get_data(bio);
516
517 if (!tls)
518 return 0;
519
520 BIO_set_data(bio, nullptr);
521 if (BIO_get_shutdown(bio))
522 {
523 if (BIO_get_init(bio) && tls->ssl)
524 {
525 SSL_shutdown(tls->ssl);
526 SSL_free(tls->ssl);
527 }
528
529 BIO_set_init(bio, 0);
530 BIO_set_flags(bio, 0);
531 }
532
533 DeleteCriticalSection(&tls->lock);
534 free(tls);
535
536 return 1;
537}
538
539static long bio_rdp_tls_callback_ctrl(BIO* bio, int cmd, bio_info_cb* fp)
540{
541 long status = 0;
542
543 if (!bio)
544 return 0;
545
546 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
547
548 if (!tls)
549 return 0;
550
551 switch (cmd)
552 {
553 case BIO_CTRL_SET_CALLBACK:
554 {
555 typedef void (*fkt_t)(const SSL*, int, int);
556
557 /* Documented since https://www.openssl.org/docs/man1.1.1/man3/BIO_set_callback.html
558 * the argument is not really of type bio_info_cb* and must be cast
559 * to the required type */
560
561 fkt_t fkt = WINPR_FUNC_PTR_CAST(fp, fkt_t);
562 SSL_set_info_callback(tls->ssl, fkt);
563 status = 1;
564 }
565 break;
566
567 default:
568 status = BIO_callback_ctrl(SSL_get_rbio(tls->ssl), cmd, fp);
569 break;
570 }
571
572 return status;
573}
574
575#define BIO_TYPE_RDP_TLS 68
576
577static BIO_METHOD* BIO_s_rdp_tls(void)
578{
579 static BIO_METHOD* bio_methods = nullptr;
580
581 if (bio_methods == nullptr)
582 {
583 if (!(bio_methods = BIO_meth_new(BIO_TYPE_RDP_TLS, "RdpTls")))
584 return nullptr;
585
586 BIO_meth_set_write(bio_methods, bio_rdp_tls_write);
587 BIO_meth_set_read(bio_methods, bio_rdp_tls_read);
588 BIO_meth_set_puts(bio_methods, bio_rdp_tls_puts);
589 BIO_meth_set_gets(bio_methods, bio_rdp_tls_gets);
590 BIO_meth_set_ctrl(bio_methods, bio_rdp_tls_ctrl);
591 BIO_meth_set_create(bio_methods, bio_rdp_tls_new);
592 BIO_meth_set_destroy(bio_methods, bio_rdp_tls_free);
593 BIO_meth_set_callback_ctrl(bio_methods, bio_rdp_tls_callback_ctrl);
594 }
595
596 return bio_methods;
597}
598
599static BIO* BIO_new_rdp_tls(SSL_CTX* ctx, int client)
600{
601 BIO* bio = nullptr;
602 SSL* ssl = nullptr;
603 bio = BIO_new(BIO_s_rdp_tls());
604
605 if (!bio)
606 return nullptr;
607
608 ssl = SSL_new(ctx);
609
610 if (!ssl)
611 {
612 BIO_free_all(bio);
613 return nullptr;
614 }
615
616 if (client)
617 SSL_set_connect_state(ssl);
618 else
619 SSL_set_accept_state(ssl);
620
621 BIO_set_ssl(bio, ssl, BIO_CLOSE);
622 return bio;
623}
624
625static rdpCertificate* tls_get_certificate(rdpTls* tls, BOOL peer)
626{
627 X509* remote_cert = nullptr;
628
629 if (peer)
630 remote_cert = SSL_get_peer_certificate(tls->ssl);
631 else
632 remote_cert = X509_dup(SSL_get_certificate(tls->ssl));
633
634 if (!remote_cert)
635 {
636 WLog_ERR(TAG, "failed to get the server TLS certificate");
637 return nullptr;
638 }
639
640 /* Get the peer's chain. If it does not exist, we're setting nullptr (clean data either way) */
641 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(tls->ssl);
642 rdpCertificate* cert = freerdp_certificate_new_from_x509(remote_cert, chain);
643 X509_free(remote_cert);
644
645 return cert;
646}
647
648static const char* tls_get_server_name(rdpTls* tls)
649{
650 return tls->serverName ? tls->serverName : tls->hostname;
651}
652
653#define TLS_SERVER_END_POINT "tls-server-end-point:"
654
655static SecPkgContext_Bindings* tls_get_channel_bindings(const rdpCertificate* cert)
656{
657 size_t CertificateHashLength = 0;
658 BYTE* ChannelBindingToken = nullptr;
659 SEC_CHANNEL_BINDINGS* ChannelBindings = nullptr;
660 const size_t PrefixLength = strnlen(TLS_SERVER_END_POINT, ARRAYSIZE(TLS_SERVER_END_POINT));
661
662 WINPR_ASSERT(cert);
663
664 /* See https://www.rfc-editor.org/rfc/rfc5929 for details about hashes */
665 WINPR_MD_TYPE alg = freerdp_certificate_get_signature_alg(cert);
666 const char* hash = nullptr;
667 switch (alg)
668 {
669
670 case WINPR_MD_MD5:
671 case WINPR_MD_SHA1:
672 hash = winpr_md_type_to_string(WINPR_MD_SHA256);
673 break;
674 default:
675 hash = winpr_md_type_to_string(alg);
676 break;
677 }
678 if (!hash)
679 return nullptr;
680
681 char* CertificateHash = freerdp_certificate_get_hash(cert, hash, &CertificateHashLength);
682 if (!CertificateHash)
683 return nullptr;
684
685 const size_t ChannelBindingTokenLength = PrefixLength + CertificateHashLength;
686 SecPkgContext_Bindings* ContextBindings = calloc(1, sizeof(SecPkgContext_Bindings));
687
688 if (!ContextBindings)
689 goto out_free;
690
691 {
692 const size_t slen = sizeof(SEC_CHANNEL_BINDINGS) + ChannelBindingTokenLength;
693 if (slen > UINT32_MAX)
694 goto out_free;
695
696 ContextBindings->BindingsLength = (UINT32)slen;
697 }
698 ChannelBindings = (SEC_CHANNEL_BINDINGS*)calloc(1, ContextBindings->BindingsLength);
699
700 if (!ChannelBindings)
701 goto out_free;
702
703 ContextBindings->Bindings = ChannelBindings;
704 ChannelBindings->cbApplicationDataLength = (UINT32)ChannelBindingTokenLength;
705 ChannelBindings->dwApplicationDataOffset = sizeof(SEC_CHANNEL_BINDINGS);
706 ChannelBindingToken = &((BYTE*)ChannelBindings)[ChannelBindings->dwApplicationDataOffset];
707 memcpy(ChannelBindingToken, TLS_SERVER_END_POINT, PrefixLength);
708 memcpy(ChannelBindingToken + PrefixLength, CertificateHash, CertificateHashLength);
709 free(CertificateHash);
710 return ContextBindings;
711out_free:
712 free(CertificateHash);
713 free(ContextBindings);
714 return nullptr;
715}
716
717static INIT_ONCE secrets_file_idx_once = INIT_ONCE_STATIC_INIT;
718static int secrets_file_idx = -1;
719
720static BOOL CALLBACK secrets_file_init_cb(WINPR_ATTR_UNUSED PINIT_ONCE once,
721 WINPR_ATTR_UNUSED PVOID param,
722 WINPR_ATTR_UNUSED PVOID* context)
723{
724 secrets_file_idx = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
725
726 return (secrets_file_idx != -1);
727}
728
729static void SSLCTX_keylog_cb(const SSL* ssl, const char* line)
730{
731 char* dfile = nullptr;
732
733 if (secrets_file_idx == -1)
734 return;
735
736 dfile = SSL_get_ex_data(ssl, secrets_file_idx);
737 if (dfile)
738 {
739 FILE* f = winpr_fopen(dfile, "a+");
740 if (f)
741 {
742 (void)fwrite(line, strlen(line), 1, f);
743 (void)fwrite("\n", 1, 1, f);
744 (void)fclose(f);
745 }
746 }
747}
748
749static void tls_reset(rdpTls* tls)
750{
751 WINPR_ASSERT(tls);
752
753 if (tls->ctx)
754 {
755 SSL_CTX_free(tls->ctx);
756 tls->ctx = nullptr;
757 }
758
759 /* tls->underlying is a stacked BIO under tls->bio.
760 * BIO_free_all will free recursively. */
761 if (tls->bio)
762 BIO_free_all(tls->bio);
763 else if (tls->underlying)
764 BIO_free_all(tls->underlying);
765 tls->bio = nullptr;
766 tls->underlying = nullptr;
767
768 free_tls_public_key(tls);
769 free_tls_bindings(tls);
770}
771
772#if OPENSSL_VERSION_NUMBER >= 0x010000000L
773static BOOL tls_prepare(rdpTls* tls, BIO* underlying, const SSL_METHOD* method, int options,
774 BOOL clientMode)
775#else
776static BOOL tls_prepare(rdpTls* tls, BIO* underlying, SSL_METHOD* method, int options,
777 BOOL clientMode)
778#endif
779{
780 WINPR_ASSERT(tls);
781
782 rdpSettings* settings = tls->context->settings;
783 WINPR_ASSERT(settings);
784
785 tls_reset(tls);
786 tls->ctx = SSL_CTX_new(method);
787
788 tls->underlying = underlying;
789
790 if (!tls->ctx)
791 {
792 WLog_ERR(TAG, "SSL_CTX_new failed");
793 return FALSE;
794 }
795
796 SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
797 SSL_CTX_set_options(tls->ctx, WINPR_ASSERTING_INT_CAST(uint64_t, options));
798 SSL_CTX_set_read_ahead(tls->ctx, 1);
799#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
800 UINT16 version = freerdp_settings_get_uint16(settings, FreeRDP_TLSMinVersion);
801 if (!SSL_CTX_set_min_proto_version(tls->ctx, version))
802 {
803 WLog_ERR(TAG, "SSL_CTX_set_min_proto_version %" PRIu16 " failed", version);
804 return FALSE;
805 }
806 version = freerdp_settings_get_uint16(settings, FreeRDP_TLSMaxVersion);
807 if (!SSL_CTX_set_max_proto_version(tls->ctx, version))
808 {
809 WLog_ERR(TAG, "SSL_CTX_set_max_proto_version %" PRIu16 " failed", version);
810 return FALSE;
811 }
812#endif
813#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
814 SSL_CTX_set_security_level(tls->ctx, WINPR_ASSERTING_INT_CAST(int, settings->TlsSecLevel));
815#endif
816
817 if (settings->AllowedTlsCiphers)
818 {
819 if (!SSL_CTX_set_cipher_list(tls->ctx, settings->AllowedTlsCiphers))
820 {
821 WLog_ERR(TAG, "SSL_CTX_set_cipher_list %s failed", settings->AllowedTlsCiphers);
822 return FALSE;
823 }
824 }
825
826 tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);
827
828 if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
829 {
830 WLog_ERR(TAG, "unable to retrieve the SSL of the connection");
831 return FALSE;
832 }
833
834 if (settings->TlsSecretsFile)
835 {
836#if OPENSSL_VERSION_NUMBER >= 0x10101000L
837 if (!InitOnceExecuteOnce(&secrets_file_idx_once, secrets_file_init_cb, nullptr, nullptr))
838 return FALSE;
839
840 if (secrets_file_idx != -1)
841 {
842 SSL_set_ex_data(tls->ssl, secrets_file_idx, settings->TlsSecretsFile);
843 SSL_CTX_set_keylog_callback(tls->ctx, SSLCTX_keylog_cb);
844 }
845#else
846 WLog_WARN(TAG, "Key-Logging not available - requires OpenSSL 1.1.1 or higher");
847#endif
848 }
849
850 BIO_push(tls->bio, underlying);
851 return TRUE;
852}
853
854static void
855adjustSslOptions(WINPR_ATTR_UNUSED int* options) // NOLINT(readability-non-const-parameter)
856{
857 WINPR_ASSERT(options);
858#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
859 *options |= SSL_OP_NO_SSLv2;
860 *options |= SSL_OP_NO_SSLv3;
861#endif
862}
863
864const SSL_METHOD* freerdp_tls_get_ssl_method(BOOL isDtls, BOOL isClient)
865{
866 if (isClient)
867 {
868 if (isDtls)
869 return DTLS_client_method();
870#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
871 return SSLv23_client_method();
872#else
873 return TLS_client_method();
874#endif
875 }
876
877 if (isDtls)
878 return DTLS_server_method();
879
880#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
881 return SSLv23_server_method();
882#else
883 return TLS_server_method();
884#endif
885}
886
887TlsHandshakeResult freerdp_tls_connect_ex(rdpTls* tls, BIO* underlying, const SSL_METHOD* methods)
888{
889 WINPR_ASSERT(tls);
890
891 int options = 0;
901#ifdef SSL_OP_NO_COMPRESSION
902 options |= SSL_OP_NO_COMPRESSION;
903#endif
910 options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
917 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
918
919 tls->isClientMode = TRUE;
920 adjustSslOptions(&options);
921
922 if (!tls_prepare(tls, underlying, methods, options, TRUE))
923 return TLS_HANDSHAKE_ERROR;
924
925#if !defined(OPENSSL_NO_TLSEXT)
926 const char* str = tls_get_server_name(tls);
927 void* ptr = WINPR_CAST_CONST_PTR_AWAY(str, void*);
928 SSL_set_tlsext_host_name(tls->ssl, ptr);
929#endif
930
931 return freerdp_tls_handshake(tls);
932}
933
934static int bio_err_print(const char* str, size_t len, void* u)
935{
936 wLog* log = u;
937 WLog_Print(log, WLOG_ERROR, "[BIO_do_handshake] %s [%" PRIuz "]", str, len);
938 return 0;
939}
940
941TlsHandshakeResult freerdp_tls_handshake(rdpTls* tls)
942{
943 TlsHandshakeResult ret = TLS_HANDSHAKE_ERROR;
944
945 WINPR_ASSERT(tls);
946 const long status = BIO_do_handshake(tls->bio);
947 if (status != 1)
948 {
949 if (!BIO_should_retry(tls->bio))
950 {
951 wLog* log = WLog_Get(TAG);
952 WLog_Print(log, WLOG_ERROR, "BIO_do_handshake failed");
953 ERR_print_errors_cb(bio_err_print, log);
954 return TLS_HANDSHAKE_ERROR;
955 }
956
957 return TLS_HANDSHAKE_CONTINUE;
958 }
959
960 int verify_status = 0;
961 rdpCertificate* cert = tls_get_certificate(tls, tls->isClientMode);
962
963 if (!cert)
964 {
965 WLog_ERR(TAG, "tls_get_certificate failed to return the server certificate.");
966 return TLS_HANDSHAKE_ERROR;
967 }
968
969 do
970 {
971 free_tls_bindings(tls);
972 tls->Bindings = tls_get_channel_bindings(cert);
973 if (!tls->Bindings)
974 {
975 WLog_ERR(TAG, "unable to retrieve bindings");
976 break;
977 }
978
979 free_tls_public_key(tls);
980 if (!freerdp_certificate_get_public_key(cert, &tls->PublicKey, &tls->PublicKeyLength))
981 {
982 WLog_ERR(TAG,
983 "freerdp_certificate_get_public_key failed to return the server public key.");
984 break;
985 }
986
987 /* server-side NLA needs public keys (keys from us, the server) but no certificate verify */
988 ret = TLS_HANDSHAKE_SUCCESS;
989
990 if (tls->isClientMode)
991 {
992 WINPR_ASSERT(tls->port <= UINT16_MAX);
993 verify_status =
994 tls_verify_certificate(tls, cert, tls_get_server_name(tls), (UINT16)tls->port);
995
996 if (verify_status < 1)
997 {
998 WLog_ERR(TAG, "certificate not trusted, aborting.");
999 freerdp_tls_send_alert(tls);
1000 ret = TLS_HANDSHAKE_VERIFY_ERROR;
1001 }
1002 }
1003 } while (0);
1004
1005 freerdp_certificate_free(cert);
1006 return ret;
1007}
1008
1009static int pollAndHandshake(rdpTls* tls)
1010{
1011 WINPR_ASSERT(tls);
1012
1013 do
1014 {
1015 HANDLE events[] = { freerdp_abort_event(tls->context), nullptr };
1016 DWORD status = 0;
1017 if (BIO_get_event(tls->bio, &events[1]) < 0)
1018 {
1019 WLog_ERR(TAG, "unable to retrieve BIO associated event");
1020 return -1;
1021 }
1022
1023 if (!events[1])
1024 {
1025 WLog_ERR(TAG, "unable to retrieve BIO event");
1026 return -1;
1027 }
1028
1029 status = WaitForMultipleObjectsEx(ARRAYSIZE(events), events, FALSE, INFINITE, TRUE);
1030 switch (status)
1031 {
1032 case WAIT_OBJECT_0 + 1:
1033 break;
1034 case WAIT_OBJECT_0:
1035 WLog_DBG(TAG, "Abort event set, cancel connect");
1036 return -1;
1037 case WAIT_TIMEOUT:
1038 case WAIT_IO_COMPLETION:
1039 continue;
1040 default:
1041 WLog_ERR(TAG, "error during WaitForSingleObject(): 0x%08" PRIX32 "", status);
1042 return -1;
1043 }
1044
1045 TlsHandshakeResult result = freerdp_tls_handshake(tls);
1046 switch (result)
1047 {
1048 case TLS_HANDSHAKE_CONTINUE:
1049 break;
1050 case TLS_HANDSHAKE_SUCCESS:
1051 return 1;
1052 case TLS_HANDSHAKE_ERROR:
1053 case TLS_HANDSHAKE_VERIFY_ERROR:
1054 default:
1055 return -1;
1056 }
1057 } while (TRUE);
1058}
1059
1060int freerdp_tls_connect(rdpTls* tls, BIO* underlying)
1061{
1062 const SSL_METHOD* method = freerdp_tls_get_ssl_method(FALSE, TRUE);
1063
1064 WINPR_ASSERT(tls);
1065 TlsHandshakeResult result = freerdp_tls_connect_ex(tls, underlying, method);
1066 switch (result)
1067 {
1068 case TLS_HANDSHAKE_SUCCESS:
1069 return 1;
1070 case TLS_HANDSHAKE_CONTINUE:
1071 break;
1072 case TLS_HANDSHAKE_ERROR:
1073 case TLS_HANDSHAKE_VERIFY_ERROR:
1074 return -1;
1075 default:
1076 return -1;
1077 }
1078
1079 return pollAndHandshake(tls);
1080}
1081
1082#if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
1083 !defined(LIBRESSL_VERSION_NUMBER)
1084static void tls_openssl_tlsext_debug_callback(SSL* s, int client_server, int type,
1085 unsigned char* data, int len, void* arg)
1086{
1087 if (type == TLSEXT_TYPE_server_name)
1088 {
1089 WLog_DBG(TAG, "Client uses SNI (extension disabled)");
1090 s->servername_done = 2;
1091 }
1092}
1093#endif
1094
1095BOOL freerdp_tls_accept(rdpTls* tls, BIO* underlying, rdpSettings* settings)
1096{
1097 WINPR_ASSERT(tls);
1098 TlsHandshakeResult res =
1099 freerdp_tls_accept_ex(tls, underlying, settings, freerdp_tls_get_ssl_method(FALSE, FALSE));
1100 switch (res)
1101 {
1102 case TLS_HANDSHAKE_SUCCESS:
1103 return TRUE;
1104 case TLS_HANDSHAKE_CONTINUE:
1105 break;
1106 case TLS_HANDSHAKE_ERROR:
1107 case TLS_HANDSHAKE_VERIFY_ERROR:
1108 default:
1109 return FALSE;
1110 }
1111
1112 return pollAndHandshake(tls) > 0;
1113}
1114
1115TlsHandshakeResult freerdp_tls_accept_ex(rdpTls* tls, BIO* underlying, rdpSettings* settings,
1116 const SSL_METHOD* methods)
1117{
1118 WINPR_ASSERT(tls);
1119
1120 int options = 0;
1121 int status = 0;
1122
1129 options |= SSL_OP_NO_SSLv2;
1139#ifdef SSL_OP_NO_COMPRESSION
1140 options |= SSL_OP_NO_COMPRESSION;
1141#endif
1148 options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
1155 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1156
1163#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && (OPENSSL_VERSION_NUMBER < 0x30000000L) && \
1164 !defined(LIBRESSL_VERSION_NUMBER)
1165 options |= SSL_OP_NO_RENEGOTIATION;
1166#endif
1167
1168 if (!tls_prepare(tls, underlying, methods, options, FALSE))
1169 return TLS_HANDSHAKE_ERROR;
1170
1171 const rdpPrivateKey* key = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey);
1172 if (!key)
1173 {
1174 WLog_ERR(TAG, "invalid private key");
1175 return TLS_HANDSHAKE_ERROR;
1176 }
1177
1178 EVP_PKEY* privkey = freerdp_key_get_evp_pkey(key);
1179 if (!privkey)
1180 {
1181 WLog_ERR(TAG, "invalid private key");
1182 return TLS_HANDSHAKE_ERROR;
1183 }
1184
1185 status = SSL_use_PrivateKey(tls->ssl, privkey);
1186 /* The local reference to the private key will anyway go out of
1187 * scope; so the reference count should be decremented weither
1188 * SSL_use_PrivateKey succeeds or fails.
1189 */
1190 EVP_PKEY_free(privkey);
1191
1192 if (status <= 0)
1193 {
1194 WLog_ERR(TAG, "SSL_CTX_use_PrivateKey_file failed");
1195 return TLS_HANDSHAKE_ERROR;
1196 }
1197
1198 rdpCertificate* cert =
1199 freerdp_settings_get_pointer_writable(settings, FreeRDP_RdpServerCertificate);
1200 if (!cert)
1201 {
1202 WLog_ERR(TAG, "invalid certificate");
1203 return TLS_HANDSHAKE_ERROR;
1204 }
1205
1206 status = SSL_use_certificate(tls->ssl, freerdp_certificate_get_x509(cert));
1207
1208 if (status <= 0)
1209 {
1210 WLog_ERR(TAG, "SSL_use_certificate_file failed");
1211 return TLS_HANDSHAKE_ERROR;
1212 }
1213
1214 const size_t cnt = freerdp_certificate_get_chain_len(cert);
1215 for (size_t x = 0; x < cnt; x++)
1216 {
1217 X509* xcert = freerdp_certificate_get_chain_at(cert, x);
1218 WINPR_ASSERT(xcert);
1219 const long rc = SSL_add1_chain_cert(tls->ssl, xcert);
1220 if (rc != 1)
1221 {
1222 WLog_ERR(TAG, "SSL_add1_chain_cert failed");
1223 return TLS_HANDSHAKE_ERROR;
1224 }
1225 }
1226
1227#if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
1228 !defined(LIBRESSL_VERSION_NUMBER)
1229 SSL_set_tlsext_debug_callback(tls->ssl, tls_openssl_tlsext_debug_callback);
1230#endif
1231
1232 return freerdp_tls_handshake(tls);
1233}
1234
1235BOOL freerdp_tls_send_alert(rdpTls* tls)
1236{
1237 WINPR_ASSERT(tls);
1238
1239 if (!tls)
1240 return FALSE;
1241
1242 if (!tls->ssl)
1243 return TRUE;
1244
1249#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x10100000L)) || \
1250 (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x2080300fL))
1251
1252 if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
1253 {
1263 SSL_SESSION* ssl_session = SSL_get_session(tls->ssl);
1264 SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(tls->ssl);
1265 SSL_set_quiet_shutdown(tls->ssl, 1);
1266
1267 if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (ssl_session))
1268 SSL_CTX_remove_session(ssl_ctx, ssl_session);
1269
1270 tls->ssl->s3->alert_dispatch = 1;
1271 tls->ssl->s3->send_alert[0] = tls->alertLevel;
1272 tls->ssl->s3->send_alert[1] = tls->alertDescription;
1273
1274 if (tls->ssl->s3->wbuf.left == 0)
1275 tls->ssl->method->ssl_dispatch_alert(tls->ssl);
1276 }
1277
1278#endif
1279 return TRUE;
1280}
1281
1282int freerdp_tls_write_all(rdpTls* tls, const BYTE* data, size_t length)
1283{
1284 WINPR_ASSERT(tls);
1285 size_t offset = 0;
1286 BIO* bio = tls->bio;
1287
1288 if (length > INT32_MAX)
1289 return -1;
1290
1291 while (offset < length)
1292 {
1293 ERR_clear_error();
1294 const int status = BIO_write(bio, &data[offset], (int)(length - offset));
1295
1296 if (status > 0)
1297 offset += (size_t)status;
1298 else
1299 {
1300 if (!BIO_should_retry(bio))
1301 return -1;
1302
1303 if (BIO_write_blocked(bio))
1304 {
1305 const long rc = BIO_wait_write(bio, 100);
1306 if (rc < 0)
1307 return -1;
1308 }
1309 else if (BIO_read_blocked(bio))
1310 return -2; /* Abort write, there is data that must be read */
1311 else
1312 USleep(100);
1313 }
1314 }
1315
1316 return (int)length;
1317}
1318
1319int freerdp_tls_set_alert_code(rdpTls* tls, int level, int description)
1320{
1321 WINPR_ASSERT(tls);
1322 tls->alertLevel = level;
1323 tls->alertDescription = description;
1324 return 0;
1325}
1326
1327static BOOL tls_match_hostname(const char* pattern, const size_t pattern_length,
1328 const char* hostname)
1329{
1330 WINPR_ASSERT(hostname);
1331 WINPR_ASSERT(pattern || (pattern_length == 0));
1332
1333 const size_t hlen = strlen(hostname);
1334 if (hlen == pattern_length)
1335 {
1336 if (_strnicmp(hostname, pattern, pattern_length) == 0)
1337 return TRUE;
1338 }
1339
1340 if ((pattern_length > 2) && (pattern[0] == '*') && (pattern[1] == '.') &&
1341 (hlen >= pattern_length))
1342 {
1343 /* Ensure wildcard only matches foo.example.com and not foo.bar.example.com */
1344 const size_t prefixlen = hlen - pattern_length;
1345 for (size_t x = 0; x < prefixlen; x++)
1346 {
1347 char cur = hostname[x];
1348 if (cur == '.')
1349 return FALSE;
1350 }
1351
1352 /* Check the hostname ends with the domain */
1353 const char* check_hostname = &hostname[prefixlen + 1];
1354 return _strnicmp(check_hostname, &pattern[1], pattern_length - 1) == 0;
1355 }
1356
1357 return FALSE;
1358}
1359
1360static BOOL is_redirected(rdpTls* tls)
1361{
1362 rdpSettings* settings = tls->context->settings;
1363
1364 if (settings->GatewayArmTransport)
1365 return TRUE;
1366
1367 if (LB_NOREDIRECT & settings->RedirectionFlags)
1368 return FALSE;
1369
1370 return settings->RedirectionFlags != 0;
1371}
1372
1373static BOOL is_accepted(rdpTls* tls, const rdpCertificate* cert)
1374{
1375 WINPR_ASSERT(tls);
1376 WINPR_ASSERT(tls->context);
1377 WINPR_ASSERT(cert);
1378 rdpSettings* settings = tls->context->settings;
1379 WINPR_ASSERT(settings);
1380
1381 FreeRDP_Settings_Keys_String keyAccepted = FreeRDP_AcceptedCert;
1382 FreeRDP_Settings_Keys_UInt32 keyLength = FreeRDP_AcceptedCertLength;
1383
1384 if (tls->isGatewayTransport)
1385 {
1386 keyAccepted = FreeRDP_GatewayAcceptedCert;
1387 keyLength = FreeRDP_GatewayAcceptedCertLength;
1388 }
1389 else if (is_redirected(tls))
1390 {
1391 keyAccepted = FreeRDP_RedirectionAcceptedCert;
1392 keyLength = FreeRDP_RedirectionAcceptedCertLength;
1393 }
1394
1395 const char* AcceptedKey = freerdp_settings_get_string(settings, keyAccepted);
1396 const UINT32 AcceptedKeyLength = freerdp_settings_get_uint32(settings, keyLength);
1397
1398 if ((AcceptedKeyLength > 0) && AcceptedKey)
1399 {
1400 BOOL accepted = FALSE;
1401 size_t pemLength = 0;
1402 char* pem = freerdp_certificate_get_pem_ex(cert, &pemLength, FALSE);
1403 if (pem && (AcceptedKeyLength == pemLength))
1404 {
1405 if (memcmp(AcceptedKey, pem, AcceptedKeyLength) == 0)
1406 accepted = TRUE;
1407 }
1408 free(pem);
1409 if (accepted)
1410 return TRUE;
1411 }
1412
1413 if (!freerdp_settings_set_string(settings, keyAccepted, nullptr))
1414 WLog_WARN(TAG, "freerdp_settings_set_string(settings, keyAccepted=%d, nullptr) failde",
1415 keyAccepted);
1416 if (!freerdp_settings_set_uint32(settings, keyLength, 0))
1417 WLog_WARN(TAG, "freerdp_settings_set_uint32(settings, keyLength=%d, 0) failed", keyLength);
1418
1419 return FALSE;
1420}
1421
1422static BOOL compare_fingerprint(const char* fp, const char* hash, const rdpCertificate* cert,
1423 BOOL separator)
1424{
1425 BOOL equal = 0;
1426 char* strhash = nullptr;
1427
1428 WINPR_ASSERT(fp);
1429 WINPR_ASSERT(hash);
1430 WINPR_ASSERT(cert);
1431
1432 strhash = freerdp_certificate_get_fingerprint_by_hash_ex(cert, hash, separator);
1433 if (!strhash)
1434 return FALSE;
1435
1436 equal = (_stricmp(strhash, fp) == 0);
1437 free(strhash);
1438 return equal;
1439}
1440
1441static BOOL compare_fingerprint_all(const char* fp, const char* hash, const rdpCertificate* cert)
1442{
1443 WINPR_ASSERT(fp);
1444 WINPR_ASSERT(hash);
1445 WINPR_ASSERT(cert);
1446 if (compare_fingerprint(fp, hash, cert, FALSE))
1447 return TRUE;
1448 if (compare_fingerprint(fp, hash, cert, TRUE))
1449 return TRUE;
1450 return FALSE;
1451}
1452
1453static BOOL is_accepted_fingerprint(const rdpCertificate* cert,
1454 const char* CertificateAcceptedFingerprints)
1455{
1456 WINPR_ASSERT(cert);
1457
1458 BOOL rc = FALSE;
1459 if (CertificateAcceptedFingerprints)
1460 {
1461 char* context = nullptr;
1462 char* copy = _strdup(CertificateAcceptedFingerprints);
1463 char* cur = strtok_s(copy, ",", &context);
1464 while (cur)
1465 {
1466 char* subcontext = nullptr;
1467 const char* h = strtok_s(cur, ":", &subcontext);
1468
1469 if (!h)
1470 goto next;
1471
1472 {
1473 const char* fp = h + strlen(h) + 1;
1474 if (compare_fingerprint_all(fp, h, cert))
1475 {
1476 rc = TRUE;
1477 break;
1478 }
1479 }
1480 next:
1481 cur = strtok_s(nullptr, ",", &context);
1482 }
1483 free(copy);
1484 }
1485
1486 return rc;
1487}
1488
1489static BOOL accept_cert(rdpTls* tls, const rdpCertificate* cert)
1490{
1491 WINPR_ASSERT(tls);
1492 WINPR_ASSERT(tls->context);
1493 WINPR_ASSERT(cert);
1494
1495 FreeRDP_Settings_Keys_String id = FreeRDP_AcceptedCert;
1496 FreeRDP_Settings_Keys_UInt32 lid = FreeRDP_AcceptedCertLength;
1497
1498 rdpSettings* settings = tls->context->settings;
1499 WINPR_ASSERT(settings);
1500
1501 if (tls->isGatewayTransport)
1502 {
1503 id = FreeRDP_GatewayAcceptedCert;
1504 lid = FreeRDP_GatewayAcceptedCertLength;
1505 }
1506 else if (is_redirected(tls))
1507 {
1508 id = FreeRDP_RedirectionAcceptedCert;
1509 lid = FreeRDP_RedirectionAcceptedCertLength;
1510 }
1511
1512 size_t pemLength = 0;
1513 char* pem = freerdp_certificate_get_pem_ex(cert, &pemLength, FALSE);
1514 BOOL rc = FALSE;
1515 if (pemLength <= UINT32_MAX)
1516 {
1517 if (freerdp_settings_set_string_len(settings, id, pem, pemLength))
1518 rc = freerdp_settings_set_uint32(settings, lid, (UINT32)pemLength);
1519 }
1520 free(pem);
1521 return rc;
1522}
1523
1524static BOOL tls_extract_full_pem(const rdpCertificate* cert, BYTE** PublicKey,
1525 size_t* PublicKeyLength)
1526{
1527 if (!cert || !PublicKey)
1528 return FALSE;
1529 *PublicKey = (BYTE*)freerdp_certificate_get_pem(cert, PublicKeyLength);
1530 return *PublicKey != nullptr;
1531}
1532
1533static int tls_config_parse_bool(WINPR_JSON* json, const char* opt)
1534{
1535 WINPR_JSON* val = WINPR_JSON_GetObjectItemCaseSensitive(json, opt);
1536 if (!val || !WINPR_JSON_IsBool(val))
1537 return -1;
1538
1539 if (WINPR_JSON_IsTrue(val))
1540 return 1;
1541 return 0;
1542}
1543
1544static int tls_config_check_allowed_hashed(const char* configfile, const rdpCertificate* cert,
1545 WINPR_JSON* json)
1546{
1547 WINPR_ASSERT(configfile);
1548 WINPR_ASSERT(cert);
1549 WINPR_ASSERT(json);
1550
1551 WINPR_JSON* db = WINPR_JSON_GetObjectItemCaseSensitive(json, "certificate-db");
1552 if (!db || !WINPR_JSON_IsArray(db))
1553 return 0;
1554
1555 for (size_t x = 0; x < WINPR_JSON_GetArraySize(db); x++)
1556 {
1557 WINPR_JSON* cur = WINPR_JSON_GetArrayItem(db, x);
1558 if (!cur || !WINPR_JSON_IsObject(cur))
1559 {
1560 WLog_WARN(TAG,
1561 "[%s] invalid certificate-db entry at position %" PRIuz ": not a JSON object",
1562 configfile, x);
1563 continue;
1564 }
1565
1566 WINPR_JSON* key = WINPR_JSON_GetObjectItemCaseSensitive(cur, "type");
1567 if (!key || !WINPR_JSON_IsString(key))
1568 {
1569 WLog_WARN(TAG,
1570 "[%s] invalid certificate-db entry at position %" PRIuz
1571 ": invalid 'type' element, expected type string",
1572 configfile, x);
1573 continue;
1574 }
1575 WINPR_JSON* val = WINPR_JSON_GetObjectItemCaseSensitive(cur, "hash");
1576 if (!val || !WINPR_JSON_IsString(val))
1577 {
1578 WLog_WARN(TAG,
1579 "[%s] invalid certificate-db entry at position %" PRIuz
1580 ": invalid 'hash' element, expected type string",
1581 configfile, x);
1582 continue;
1583 }
1584
1585 const char* skey = WINPR_JSON_GetStringValue(key);
1586 const char* sval = WINPR_JSON_GetStringValue(val);
1587
1588 char* hash = freerdp_certificate_get_fingerprint_by_hash_ex(cert, skey, FALSE);
1589 if (!hash)
1590 {
1591 WLog_WARN(TAG,
1592 "[%s] invalid certificate-db entry at position %" PRIuz
1593 ": hash type '%s' not supported by certificate",
1594 configfile, x, skey);
1595 continue;
1596 }
1597
1598 const int cmp = _stricmp(hash, sval);
1599 free(hash);
1600
1601 if (cmp == 0)
1602 return 1;
1603 }
1604
1605 return 0;
1606}
1607
1608static int tls_config_check_certificate(const rdpCertificate* cert, BOOL* pAllowUserconfig)
1609{
1610 WINPR_ASSERT(cert);
1611 WINPR_ASSERT(pAllowUserconfig);
1612
1613 int rc = 0;
1614 const char configfile[] = "certificates.json";
1615 WINPR_JSON* json = freerdp_GetJSONConfigFile(TRUE, configfile);
1616
1617 if (!json)
1618 {
1619 WLog_DBG(TAG, "No or no valid configuration file for certificate handling, asking user");
1620 goto fail;
1621 }
1622
1623 if (tls_config_parse_bool(json, "deny") > 0)
1624 {
1625 WLog_WARN(TAG, "[%s] certificate denied by configuration", configfile);
1626 rc = -1;
1627 goto fail;
1628 }
1629
1630 if (tls_config_parse_bool(json, "ignore") > 0)
1631 {
1632 WLog_WARN(TAG, "[%s] certificate ignored by configuration", configfile);
1633 rc = 1;
1634 goto fail;
1635 }
1636
1637 if (tls_config_check_allowed_hashed(configfile, cert, json) > 0)
1638 {
1639 WLog_WARN(TAG, "[%s] certificate manually accepted by configuration", configfile);
1640 rc = 1;
1641 goto fail;
1642 }
1643
1644 if (tls_config_parse_bool(json, "deny-userconfig") > 0)
1645 {
1646 WLog_WARN(TAG, "[%s] configuration denies user to accept certificates", configfile);
1647 rc = -1;
1648 goto fail;
1649 }
1650
1651fail:
1652
1653 *pAllowUserconfig = (rc == 0);
1654 WINPR_JSON_Delete(json);
1655 return rc;
1656}
1657
1658int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char* hostname,
1659 UINT16 port)
1660{
1661 int match = 0;
1662 size_t length = 0;
1663 BOOL certificate_status = 0;
1664 char* common_name = nullptr;
1665 size_t common_name_length = 0;
1666 char** dns_names = nullptr;
1667 size_t dns_names_count = 0;
1668 size_t* dns_names_lengths = nullptr;
1669 int verification_status = -1;
1670 BOOL hostname_match = FALSE;
1671 rdpCertificateData* certificate_data = nullptr;
1672 BYTE* pemCert = nullptr;
1673 DWORD flags = VERIFY_CERT_FLAG_NONE;
1674
1675 WINPR_ASSERT(tls);
1676
1677 rdpContext* context = tls->context;
1678 WINPR_ASSERT(context);
1679
1680 freerdp* instance = context->instance;
1681 WINPR_ASSERT(instance);
1682
1683 const rdpSettings* settings = context->settings;
1684 WINPR_ASSERT(settings);
1685
1686 if (freerdp_shall_disconnect_context(context))
1687 return -1;
1688
1689 if (!tls_extract_full_pem(cert, &pemCert, &length))
1690 goto end;
1691
1692 /* Check, if we already accepted this key. */
1693 if (is_accepted(tls, cert))
1694 {
1695 verification_status = 1;
1696 goto end;
1697 }
1698
1699 if (is_accepted_fingerprint(cert, settings->CertificateAcceptedFingerprints))
1700 {
1701 verification_status = 1;
1702 goto end;
1703 }
1704
1705 if (tls->isGatewayTransport || is_redirected(tls))
1706 flags |= VERIFY_CERT_FLAG_LEGACY;
1707
1708 if (tls->isGatewayTransport)
1709 flags |= VERIFY_CERT_FLAG_GATEWAY;
1710
1711 if (is_redirected(tls))
1712 flags |= VERIFY_CERT_FLAG_REDIRECT;
1713
1714 /* Certificate management is done by the application */
1715 if (settings->ExternalCertificateManagement)
1716 {
1717 if (instance->VerifyX509Certificate)
1718 verification_status =
1719 instance->VerifyX509Certificate(instance, pemCert, length, hostname, port, flags);
1720 else
1721 WLog_ERR(TAG, "No VerifyX509Certificate callback registered!");
1722
1723 if (verification_status > 0)
1724 accept_cert(tls, cert);
1725 else if (verification_status < 0)
1726 {
1727 WLog_ERR(TAG, "VerifyX509Certificate failed: (length = %" PRIuz ") status: [%d] %s",
1728 length, verification_status, pemCert);
1729 goto end;
1730 }
1731 }
1732 /* ignore certificate verification if user explicitly required it (discouraged) */
1733 else if (freerdp_settings_get_bool(settings, FreeRDP_IgnoreCertificate))
1734 {
1735 WLog_WARN(TAG, "[DANGER] Certificate not checked, /cert:ignore in use.");
1736 WLog_WARN(TAG, "[DANGER] This prevents MITM attacks from being detected!");
1737 WLog_WARN(TAG,
1738 "[DANGER] Avoid using this unless in a secure LAN (=no internet) environment");
1739 verification_status = 1; /* success! */
1740 }
1741 else if (!tls->isGatewayTransport && (settings->AuthenticationLevel == 0))
1742 verification_status = 1; /* success! */
1743 else
1744 {
1745 /* if user explicitly specified a certificate name, use it instead of the hostname */
1746 if (!tls->isGatewayTransport && settings->CertificateName)
1747 hostname = settings->CertificateName;
1748
1749 /* attempt verification using OpenSSL and the ~/.freerdp/certs certificate store */
1750 certificate_status = freerdp_certificate_verify(
1751 cert, freerdp_certificate_store_get_certs_path(tls->certificate_store));
1752 /* verify certificate name match */
1753 certificate_data = freerdp_certificate_data_new(hostname, port, cert);
1754 if (!certificate_data)
1755 goto end;
1756 /* extra common name and alternative names */
1757 common_name = freerdp_certificate_get_common_name(cert, &common_name_length);
1758 dns_names = freerdp_certificate_get_dns_names(cert, &dns_names_count, &dns_names_lengths);
1759
1760 /* compare against common name */
1761
1762 if (common_name)
1763 {
1764 if (tls_match_hostname(common_name, common_name_length, hostname))
1765 hostname_match = TRUE;
1766 }
1767
1768 /* compare against alternative names */
1769
1770 if (dns_names)
1771 {
1772 for (size_t index = 0; index < dns_names_count; index++)
1773 {
1774 if (tls_match_hostname(dns_names[index], dns_names_lengths[index], hostname))
1775 {
1776 hostname_match = TRUE;
1777 break;
1778 }
1779 }
1780 }
1781
1782 /* if the certificate is valid and the certificate name matches, verification succeeds
1783 */
1784 if (certificate_status && hostname_match)
1785 verification_status = 1; /* success! */
1786
1787 if (!hostname_match)
1788 flags |= VERIFY_CERT_FLAG_MISMATCH;
1789
1790 BOOL allowUserconfig = TRUE;
1791 if (!certificate_status || !hostname_match)
1792 verification_status = tls_config_check_certificate(cert, &allowUserconfig);
1793
1794 /* verification could not succeed with OpenSSL, use known_hosts file and prompt user for
1795 * manual verification */
1796 if (allowUserconfig && (!certificate_status || !hostname_match))
1797 {
1798 DWORD accept_certificate = 0;
1799 size_t pem_length = 0;
1800 char* issuer = freerdp_certificate_get_issuer(cert);
1801 char* subject = freerdp_certificate_get_subject(cert);
1802 char* pem = freerdp_certificate_get_pem(cert, &pem_length);
1803
1804 if (!pem)
1805 goto end;
1806
1807 /* search for matching entry in known_hosts file */
1808 match =
1809 freerdp_certificate_store_contains_data(tls->certificate_store, certificate_data);
1810
1811 if (match == 1)
1812 {
1813 /* no entry was found in known_hosts file, prompt user for manual verification
1814 */
1815 if (!hostname_match)
1816 tls_print_certificate_name_mismatch_error(hostname, port, common_name,
1817 dns_names, dns_names_count);
1818
1819 {
1820 const char* type = "";
1821 if (freerdp_settings_get_bool(settings, FreeRDP_AutoAcceptCertificate))
1822 type = "tofo (auto-accept)";
1823
1824 if (freerdp_settings_get_bool(settings, FreeRDP_AutoDenyCertificate))
1825 type = "strict (auto-deny)";
1826
1827 if (freerdp_settings_get_bool(settings, FreeRDP_IgnoreCertificate))
1828 type = "ignore (no check)";
1829
1830 char* efp = freerdp_certificate_get_fingerprint(cert);
1831 tls_print_new_certificate_warn(tls->certificate_store, hostname, port, type,
1832 efp);
1833 free(efp);
1834 }
1835
1836#if !defined(WITHOUT_FREERDP_3x_DEPRECATED)
1837 WINPR_PRAGMA_DIAG_PUSH
1838 WINPR_PRAGMA_DIAG_IGNORED_DEPRECATED_DECL
1839#endif
1840
1841 /* Automatically accept certificate on first use */
1842 if (settings->AutoAcceptCertificate)
1843 {
1844 WLog_INFO(TAG, "No certificate stored, automatically accepting.");
1845 accept_certificate = 1;
1846 }
1847 else if (settings->AutoDenyCertificate)
1848 {
1849 WLog_INFO(TAG, "No certificate stored, automatically denying.");
1850 accept_certificate = 0;
1851 }
1852 else if (instance->VerifyX509Certificate)
1853 {
1854 int rc = instance->VerifyX509Certificate(instance, pemCert, pem_length,
1855 hostname, port, flags);
1856
1857 if (rc == 1)
1858 accept_certificate = 1;
1859 else if (rc > 1)
1860 accept_certificate = 2;
1861 else
1862 accept_certificate = 0;
1863 }
1864 else if (instance->VerifyCertificateEx)
1865 {
1866 const BOOL use_pem =
1867 freerdp_settings_get_bool(settings, FreeRDP_CertificateCallbackPreferPEM);
1868 char* fp = nullptr;
1869 DWORD cflags = flags;
1870 if (use_pem)
1871 {
1872 cflags |= VERIFY_CERT_FLAG_FP_IS_PEM;
1873 fp = pem;
1874 }
1875 else
1876 fp = freerdp_certificate_get_fingerprint(cert);
1877 accept_certificate = instance->VerifyCertificateEx(
1878 instance, hostname, port, common_name, subject, issuer, fp, cflags);
1879 if (!use_pem)
1880 free(fp);
1881 }
1882#if !defined(WITHOUT_FREERDP_3x_DEPRECATED)
1883 else if (instance->VerifyCertificate)
1884 {
1885 char* fp = freerdp_certificate_get_fingerprint(cert);
1886
1887 WLog_WARN(TAG, "The VerifyCertificate callback is deprecated, migrate your "
1888 "application to VerifyCertificateEx");
1889 accept_certificate = instance->VerifyCertificate(instance, common_name, subject,
1890 issuer, fp, !hostname_match);
1891 free(fp);
1892 }
1893#endif
1894 }
1895 else if (match == -1)
1896 {
1897 rdpCertificateData* stored_data =
1898 freerdp_certificate_store_load_data(tls->certificate_store, hostname, port);
1899 /* entry was found in known_hosts file, but fingerprint does not match. ask user
1900 * to use it */
1901 {
1902 char* efp = freerdp_certificate_get_fingerprint(cert);
1903 tls_print_certificate_error(tls->certificate_store, stored_data, hostname, port,
1904 efp);
1905 free(efp);
1906 }
1907
1908 if (!stored_data)
1909 WLog_WARN(TAG, "Failed to get certificate entry for %s:%" PRIu16 "", hostname,
1910 port);
1911
1912 if (settings->AutoDenyCertificate)
1913 {
1914 WLog_INFO(TAG, "No certificate stored, automatically denying.");
1915 accept_certificate = 0;
1916 }
1917 else if (instance->VerifyX509Certificate)
1918 {
1919 const int rc =
1920 instance->VerifyX509Certificate(instance, pemCert, pem_length, hostname,
1921 port, flags | VERIFY_CERT_FLAG_CHANGED);
1922
1923 if (rc == 1)
1924 accept_certificate = 1;
1925 else if (rc > 1)
1926 accept_certificate = 2;
1927 else
1928 accept_certificate = 0;
1929 }
1930 else if (instance->VerifyChangedCertificateEx)
1931 {
1932 DWORD cflags = flags | VERIFY_CERT_FLAG_CHANGED;
1933 const char* old_subject = freerdp_certificate_data_get_subject(stored_data);
1934 const char* old_issuer = freerdp_certificate_data_get_issuer(stored_data);
1935 const char* old_fp = freerdp_certificate_data_get_fingerprint(stored_data);
1936 const char* old_pem = freerdp_certificate_data_get_pem(stored_data);
1937 const BOOL fpIsAllocated =
1938 !old_pem ||
1939 !freerdp_settings_get_bool(settings, FreeRDP_CertificateCallbackPreferPEM);
1940 char* fp = nullptr;
1941 if (!fpIsAllocated)
1942 {
1943 cflags |= VERIFY_CERT_FLAG_FP_IS_PEM;
1944 fp = pem;
1945 old_fp = old_pem;
1946 }
1947 else
1948 {
1949 fp = freerdp_certificate_get_fingerprint(cert);
1950 }
1951 accept_certificate = instance->VerifyChangedCertificateEx(
1952 instance, hostname, port, common_name, subject, issuer, fp, old_subject,
1953 old_issuer, old_fp, cflags);
1954 if (fpIsAllocated)
1955 free(fp);
1956 }
1957#if !defined(WITHOUT_FREERDP_3x_DEPRECATED)
1958 else if (instance->VerifyChangedCertificate)
1959 {
1960 char* fp = freerdp_certificate_get_fingerprint(cert);
1961 const char* old_subject = freerdp_certificate_data_get_subject(stored_data);
1962 const char* old_issuer = freerdp_certificate_data_get_issuer(stored_data);
1963 const char* old_fingerprint =
1964 freerdp_certificate_data_get_fingerprint(stored_data);
1965
1966 WLog_WARN(TAG, "The VerifyChangedCertificate callback is deprecated, migrate "
1967 "your application to VerifyChangedCertificateEx");
1968 accept_certificate = instance->VerifyChangedCertificate(
1969 instance, common_name, subject, issuer, fp, old_subject, old_issuer,
1970 old_fingerprint);
1971 free(fp);
1972 }
1973#endif
1974
1975 freerdp_certificate_data_free(stored_data);
1976 }
1977 else if (match == 0)
1978 accept_certificate = 2; /* success! */
1979
1980#if !defined(WITHOUT_FREERDP_3x_DEPRECATED)
1981 WINPR_PRAGMA_DIAG_POP
1982#endif
1983
1984 /* Save certificate or do a simple accept / reject */
1985 switch (accept_certificate)
1986 {
1987 case 1:
1988
1989 /* user accepted certificate, add entry in known_hosts file */
1990 verification_status = freerdp_certificate_store_save_data(
1991 tls->certificate_store, certificate_data)
1992 ? 1
1993 : -1;
1994 break;
1995
1996 case 2:
1997 /* user did accept temporaty, do not add to known hosts file */
1998 verification_status = 1;
1999 break;
2000
2001 default:
2002 /* user did not accept, abort and do not add entry in known_hosts file */
2003 verification_status = -1; /* failure! */
2004 break;
2005 }
2006
2007 free(issuer);
2008 free(subject);
2009 free(pem);
2010 }
2011
2012 if (verification_status > 0)
2013 accept_cert(tls, cert);
2014 }
2015
2016end:
2017 freerdp_certificate_data_free(certificate_data);
2018 free(common_name);
2019 freerdp_certificate_free_dns_names(dns_names_count, dns_names_lengths, dns_names);
2020 free(pemCert);
2021 return verification_status;
2022}
2023
2024void tls_print_new_certificate_warn(rdpCertificateStore* store, const char* hostname, UINT16 port,
2025 const char* type, const char* fingerprint)
2026{
2027 char* path = freerdp_certificate_store_get_cert_path(store, hostname, port);
2028
2029 WLog_ERR(TAG, "The host key for %s:%" PRIu16 " has changed", hostname, port);
2030 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2031 WLog_ERR(TAG, "@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
2032 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2033 WLog_ERR(TAG, "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
2034 WLog_ERR(TAG, "Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
2035 WLog_ERR(TAG, "It is also possible that a host key has just been changed.");
2036 WLog_ERR(TAG, "The fingerprint for the host key sent by the remote host is %s", fingerprint);
2037 WLog_ERR(TAG, "Please contact your system administrator.");
2038 WLog_ERR(TAG, "Add correct host key in %s to get rid of this message.", path);
2039 WLog_ERR(TAG, "Host key for %s has changed and you have requested %s checking.", hostname,
2040 type);
2041 WLog_ERR(TAG, "Host key verification failed.");
2042
2043 free(path);
2044}
2045
2046void tls_print_certificate_error(rdpCertificateStore* store,
2047 WINPR_ATTR_UNUSED rdpCertificateData* stored_data,
2048 const char* hostname, UINT16 port, const char* fingerprint)
2049{
2050 char* path = freerdp_certificate_store_get_cert_path(store, hostname, port);
2051
2052 WLog_ERR(TAG, "New host key for %s:%" PRIu16, hostname, port);
2053 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2054 WLog_ERR(TAG, "@ WARNING: NEW HOST IDENTIFICATION! @");
2055 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2056
2057 WLog_ERR(TAG, "The fingerprint for the host key sent by the remote host is %s", fingerprint);
2058 WLog_ERR(TAG, "Please contact your system administrator.");
2059 WLog_ERR(TAG, "Add correct host key in %s to get rid of this message.", path);
2060
2061 free(path);
2062}
2063
2064void tls_print_certificate_name_mismatch_error(const char* hostname, UINT16 port,
2065 const char* common_name, char** alt_names,
2066 size_t alt_names_count)
2067{
2068 WINPR_ASSERT(nullptr != hostname);
2069 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2070 WLog_ERR(TAG, "@ WARNING: CERTIFICATE NAME MISMATCH! @");
2071 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2072 WLog_ERR(TAG, "The hostname used for this connection (%s:%" PRIu16 ") ", hostname, port);
2073 WLog_ERR(TAG, "does not match %s given in the certificate:",
2074 alt_names_count < 1 ? "the name" : "any of the names");
2075 WLog_ERR(TAG, "Common Name (CN):");
2076 WLog_ERR(TAG, "\t%s", common_name ? common_name : "no CN found in certificate");
2077
2078 if (alt_names_count > 0)
2079 {
2080 WINPR_ASSERT(nullptr != alt_names);
2081 WLog_ERR(TAG, "Alternative names:");
2082
2083 for (size_t index = 0; index < alt_names_count; index++)
2084 {
2085 WINPR_ASSERT(alt_names[index]);
2086 WLog_ERR(TAG, "\t %s", alt_names[index]);
2087 }
2088 }
2089
2090 WLog_ERR(TAG, "A valid certificate for the wrong name should NOT be trusted!");
2091}
2092
2093rdpTls* freerdp_tls_new(rdpContext* context)
2094{
2095 rdpTls* tls = nullptr;
2096 tls = (rdpTls*)calloc(1, sizeof(rdpTls));
2097
2098 if (!tls)
2099 return nullptr;
2100
2101 tls->context = context;
2102
2103 if (!freerdp_settings_get_bool(tls->context->settings, FreeRDP_ServerMode))
2104 {
2105 tls->certificate_store = freerdp_certificate_store_new(tls->context->settings);
2106
2107 if (!tls->certificate_store)
2108 goto out_free;
2109 }
2110
2111 tls->alertLevel = TLS_ALERT_LEVEL_WARNING;
2112 tls->alertDescription = TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY;
2113 return tls;
2114out_free:
2115 free(tls);
2116 return nullptr;
2117}
2118
2119void freerdp_tls_free(rdpTls* tls)
2120{
2121 if (!tls)
2122 return;
2123
2124 tls_reset(tls);
2125
2126 if (tls->certificate_store)
2127 {
2128 freerdp_certificate_store_free(tls->certificate_store);
2129 tls->certificate_store = nullptr;
2130 }
2131
2132 free(tls);
2133}
WINPR_ATTR_NODISCARD WINPR_API BOOL WINPR_JSON_IsBool(const WINPR_JSON *item)
Check if JSON item is of type BOOL.
Definition c-json.c:167
WINPR_ATTR_NODISCARD WINPR_API size_t WINPR_JSON_GetArraySize(const WINPR_JSON *array)
Get the number of arrayitems from an array.
Definition c-json.c:114
WINPR_ATTR_NODISCARD WINPR_API BOOL WINPR_JSON_IsTrue(const WINPR_JSON *item)
Check if JSON item is BOOL value True.
Definition c-json.c:162
WINPR_ATTR_NODISCARD WINPR_API WINPR_JSON * WINPR_JSON_GetObjectItemCaseSensitive(const WINPR_JSON *object, const char *string)
Same as WINPR_JSON_GetObjectItem but with case sensitive matching.
Definition c-json.c:127
WINPR_ATTR_NODISCARD WINPR_API BOOL WINPR_JSON_IsString(const WINPR_JSON *item)
Check if JSON item is of type String.
Definition c-json.c:182
WINPR_ATTR_NODISCARD WINPR_API WINPR_JSON * WINPR_JSON_GetArrayItem(const WINPR_JSON *array, size_t index)
Return a pointer to an item in the array.
Definition c-json.c:108
WINPR_ATTR_NODISCARD WINPR_API BOOL WINPR_JSON_IsArray(const WINPR_JSON *item)
Check if JSON item is of type Array.
Definition c-json.c:187
WINPR_ATTR_NODISCARD WINPR_API BOOL WINPR_JSON_IsObject(const WINPR_JSON *item)
Check if JSON item is of type Object.
Definition c-json.c:192
WINPR_API void WINPR_JSON_Delete(WINPR_JSON *item)
Delete a WinPR JSON wrapper object.
Definition c-json.c:103
WINPR_ATTR_NODISCARD WINPR_API const char * WINPR_JSON_GetStringValue(WINPR_JSON *item)
Return the String value of a JSON item.
Definition c-json.c:142
WINPR_ATTR_NODISCARD FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
WINPR_ATTR_NODISCARD FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_set_string_len(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *val, size_t len)
Sets a string settings value. The val is copied.
WINPR_ATTR_NODISCARD FREERDP_API void * freerdp_settings_get_pointer_writable(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a mutable pointer settings value.
WINPR_ATTR_NODISCARD FREERDP_API UINT16 freerdp_settings_get_uint16(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt16 id)
Returns a UINT16 settings value.
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 val)
Sets a UINT32 settings value.
WINPR_ATTR_NODISCARD FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *val)
Sets a string settings value. The param is copied.
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.