FreeRDP
Loading...
Searching...
No Matches
libfreerdp/crypto/tls.c
1
22#include <freerdp/config.h>
23
24#include "../core/settings.h"
25
26#include <winpr/assert.h>
27#include <string.h>
28#include <errno.h>
29
30#include <winpr/crt.h>
31#include <winpr/winpr.h>
32#include <winpr/string.h>
33#include <winpr/sspi.h>
34#include <winpr/ssl.h>
35#include <winpr/json.h>
36
37#include <winpr/stream.h>
38#include <freerdp/utils/ringbuffer.h>
39
40#include <freerdp/crypto/certificate.h>
41#include <freerdp/crypto/certificate_data.h>
42#include <freerdp/utils/helpers.h>
43
44#include <freerdp/log.h>
45#include "../crypto/tls.h"
46#include "../core/tcp.h"
47
48#include "opensslcompat.h"
49#include "certificate.h"
50#include "privatekey.h"
51
52#ifdef WINPR_HAVE_POLL_H
53#include <poll.h>
54#endif
55
56#ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H
57#include <valgrind/memcheck.h>
58#endif
59
60#define TAG FREERDP_TAG("crypto")
61
84typedef struct
85{
86 SSL* ssl;
87 CRITICAL_SECTION lock;
88} BIO_RDP_TLS;
89
90static int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char* hostname,
91 UINT16 port);
92static void tls_print_certificate_name_mismatch_error(const char* hostname, UINT16 port,
93 const char* common_name, char** alt_names,
94 size_t alt_names_count);
95static void tls_print_new_certificate_warn(rdpCertificateStore* store, const char* hostname,
96 UINT16 port, const char* type, const char* fingerprint);
97static void tls_print_certificate_error(rdpCertificateStore* store, rdpCertificateData* stored_data,
98 const char* hostname, UINT16 port, const char* fingerprint);
99
100static void free_tls_public_key(rdpTls* tls)
101{
102 WINPR_ASSERT(tls);
103 free(tls->PublicKey);
104 tls->PublicKey = NULL;
105 tls->PublicKeyLength = 0;
106}
107
108static void free_tls_bindings(rdpTls* tls)
109{
110 WINPR_ASSERT(tls);
111
112 if (tls->Bindings)
113 free(tls->Bindings->Bindings);
114
115 free(tls->Bindings);
116 tls->Bindings = NULL;
117}
118
119static int bio_rdp_tls_write(BIO* bio, const char* buf, int size)
120{
121 int error = 0;
122 int status = 0;
123 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
124
125 if (!buf || !tls)
126 return 0;
127
128 BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL);
129 EnterCriticalSection(&tls->lock);
130 status = SSL_write(tls->ssl, buf, size);
131 error = SSL_get_error(tls->ssl, status);
132 LeaveCriticalSection(&tls->lock);
133
134 if (status <= 0)
135 {
136 switch (error)
137 {
138 case SSL_ERROR_NONE:
139 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
140 break;
141
142 case SSL_ERROR_WANT_WRITE:
143 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
144 break;
145
146 case SSL_ERROR_WANT_READ:
147 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
148 break;
149
150 case SSL_ERROR_WANT_X509_LOOKUP:
151 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
152 BIO_set_retry_reason(bio, BIO_RR_SSL_X509_LOOKUP);
153 break;
154
155 case SSL_ERROR_WANT_CONNECT:
156 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
157 BIO_set_retry_reason(bio, BIO_RR_CONNECT);
158 break;
159
160 case SSL_ERROR_SYSCALL:
161 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
162 break;
163
164 case SSL_ERROR_SSL:
165 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
166 break;
167 default:
168 break;
169 }
170 }
171
172 return status;
173}
174
175static int bio_rdp_tls_read(BIO* bio, char* buf, int size)
176{
177 int error = 0;
178 int status = 0;
179 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
180
181 if (!buf || !tls)
182 return 0;
183
184 BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL);
185 EnterCriticalSection(&tls->lock);
186 status = SSL_read(tls->ssl, buf, size);
187 error = SSL_get_error(tls->ssl, status);
188 LeaveCriticalSection(&tls->lock);
189
190 if (status <= 0)
191 {
192
193 switch (error)
194 {
195 case SSL_ERROR_NONE:
196 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
197 break;
198
199 case SSL_ERROR_WANT_READ:
200 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
201 break;
202
203 case SSL_ERROR_WANT_WRITE:
204 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
205 break;
206
207 case SSL_ERROR_WANT_X509_LOOKUP:
208 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
209 BIO_set_retry_reason(bio, BIO_RR_SSL_X509_LOOKUP);
210 break;
211
212 case SSL_ERROR_WANT_ACCEPT:
213 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
214 BIO_set_retry_reason(bio, BIO_RR_ACCEPT);
215 break;
216
217 case SSL_ERROR_WANT_CONNECT:
218 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
219 BIO_set_retry_reason(bio, BIO_RR_CONNECT);
220 break;
221
222 case SSL_ERROR_SSL:
223 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
224 break;
225
226 case SSL_ERROR_ZERO_RETURN:
227 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
228 break;
229
230 case SSL_ERROR_SYSCALL:
231 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
232 break;
233 default:
234 break;
235 }
236 }
237
238#ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H
239
240 if (status > 0)
241 {
242 VALGRIND_MAKE_MEM_DEFINED(buf, status);
243 }
244
245#endif
246 return status;
247}
248
249static int bio_rdp_tls_puts(BIO* bio, const char* str)
250{
251 if (!str)
252 return 0;
253
254 const size_t max = (INT_MAX > SIZE_MAX) ? SIZE_MAX : INT_MAX;
255 const size_t size = strnlen(str, max);
256 if (size >= max)
257 return -1;
258 ERR_clear_error();
259 return BIO_write(bio, str, (int)size);
260}
261
262static int bio_rdp_tls_gets(WINPR_ATTR_UNUSED BIO* bio, WINPR_ATTR_UNUSED char* str,
263 WINPR_ATTR_UNUSED int size)
264{
265 return 1;
266}
267
268static long bio_rdp_tls_ctrl(BIO* bio, int cmd, long num, void* ptr)
269{
270 BIO* ssl_rbio = NULL;
271 BIO* ssl_wbio = NULL;
272 BIO* next_bio = NULL;
273 long status = -1;
274 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
275
276 if (!tls)
277 return 0;
278
279 if (!tls->ssl && (cmd != BIO_C_SET_SSL))
280 return 0;
281
282 next_bio = BIO_next(bio);
283 ssl_rbio = tls->ssl ? SSL_get_rbio(tls->ssl) : NULL;
284 ssl_wbio = tls->ssl ? SSL_get_wbio(tls->ssl) : NULL;
285
286 switch (cmd)
287 {
288 case BIO_CTRL_RESET:
289 SSL_shutdown(tls->ssl);
290
291 if (SSL_in_connect_init(tls->ssl))
292 SSL_set_connect_state(tls->ssl);
293 else if (SSL_in_accept_init(tls->ssl))
294 SSL_set_accept_state(tls->ssl);
295
296 SSL_clear(tls->ssl);
297
298 if (next_bio)
299 status = BIO_ctrl(next_bio, cmd, num, ptr);
300 else if (ssl_rbio)
301 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
302 else
303 status = 1;
304
305 break;
306
307 case BIO_C_GET_FD:
308 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
309 break;
310
311 case BIO_CTRL_INFO:
312 status = 0;
313 break;
314
315 case BIO_CTRL_SET_CALLBACK:
316 status = 0;
317 break;
318
319 case BIO_CTRL_GET_CALLBACK:
320 /* The OpenSSL API is horrible here:
321 * we get a function pointer returned and have to cast it to ULONG_PTR
322 * to return the value to the caller.
323 *
324 * This, of course, is something compilers warn about. So silence it by casting */
325 {
326 void* vptr = WINPR_FUNC_PTR_CAST(SSL_get_info_callback(tls->ssl), void*);
327 *((void**)ptr) = vptr;
328 status = 1;
329 }
330 break;
331
332 case BIO_C_SSL_MODE:
333 if (num)
334 SSL_set_connect_state(tls->ssl);
335 else
336 SSL_set_accept_state(tls->ssl);
337
338 status = 1;
339 break;
340
341 case BIO_CTRL_GET_CLOSE:
342 status = BIO_get_shutdown(bio);
343 break;
344
345 case BIO_CTRL_SET_CLOSE:
346 BIO_set_shutdown(bio, (int)num);
347 status = 1;
348 break;
349
350 case BIO_CTRL_WPENDING:
351 status = BIO_ctrl(ssl_wbio, cmd, num, ptr);
352 break;
353
354 case BIO_CTRL_PENDING:
355 status = SSL_pending(tls->ssl);
356
357 if (status == 0)
358 status = BIO_pending(ssl_rbio);
359
360 break;
361
362 case BIO_CTRL_FLUSH:
363 BIO_clear_retry_flags(bio);
364 status = BIO_ctrl(ssl_wbio, cmd, num, ptr);
365 if (status != 1)
366 WLog_DBG(TAG, "BIO_ctrl returned %ld", status);
367 BIO_copy_next_retry(bio);
368 status = 1;
369 break;
370
371 case BIO_CTRL_PUSH:
372 if (next_bio && (next_bio != ssl_rbio))
373 {
374#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
375 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
376 SSL_set_bio(tls->ssl, next_bio, next_bio);
377 CRYPTO_add(&(bio->next_bio->references), 1, CRYPTO_LOCK_BIO);
378#else
379 /*
380 * We are going to pass ownership of next to the SSL object...but
381 * we don't own a reference to pass yet - so up ref
382 */
383 BIO_up_ref(next_bio);
384 SSL_set_bio(tls->ssl, next_bio, next_bio);
385#endif
386 }
387
388 status = 1;
389 break;
390
391 case BIO_CTRL_POP:
392
393 /* Only detach if we are the BIO explicitly being popped */
394 if (bio == ptr)
395 {
396 if (ssl_rbio != ssl_wbio)
397 BIO_free_all(ssl_wbio);
398
399#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
400 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
401
402 if (next_bio)
403 CRYPTO_add(&(bio->next_bio->references), -1, CRYPTO_LOCK_BIO);
404
405 tls->ssl->wbio = tls->ssl->rbio = NULL;
406#else
407 /* OpenSSL 1.1: This will also clear the reference we obtained during push */
408 SSL_set_bio(tls->ssl, NULL, NULL);
409#endif
410 }
411
412 status = 1;
413 break;
414
415 case BIO_C_GET_SSL:
416 if (ptr)
417 {
418 *((SSL**)ptr) = tls->ssl;
419 status = 1;
420 }
421
422 break;
423
424 case BIO_C_SET_SSL:
425 BIO_set_shutdown(bio, (int)num);
426
427 if (ptr)
428 {
429 tls->ssl = (SSL*)ptr;
430 ssl_rbio = SSL_get_rbio(tls->ssl);
431 }
432
433 if (ssl_rbio)
434 {
435 if (next_bio)
436 BIO_push(ssl_rbio, next_bio);
437
438 BIO_set_next(bio, ssl_rbio);
439#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
440 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
441 CRYPTO_add(&(ssl_rbio->references), 1, CRYPTO_LOCK_BIO);
442#else
443 BIO_up_ref(ssl_rbio);
444#endif
445 }
446
447 BIO_set_init(bio, 1);
448 status = 1;
449 break;
450
451 case BIO_C_DO_STATE_MACHINE:
452 BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL);
453 BIO_set_retry_reason(bio, 0);
454 status = SSL_do_handshake(tls->ssl);
455
456 if (status <= 0)
457 {
458 const int err = (status < INT32_MIN) ? INT32_MIN : (int)status;
459 switch (SSL_get_error(tls->ssl, err))
460 {
461 case SSL_ERROR_WANT_READ:
462 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
463 break;
464
465 case SSL_ERROR_WANT_WRITE:
466 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
467 break;
468
469 case SSL_ERROR_WANT_CONNECT:
470 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY);
471 BIO_set_retry_reason(bio, BIO_get_retry_reason(next_bio));
472 break;
473
474 default:
475 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
476 break;
477 }
478 }
479
480 break;
481
482 default:
483 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
484 break;
485 }
486
487 return status;
488}
489
490static int bio_rdp_tls_new(BIO* bio)
491{
492 BIO_RDP_TLS* tls = NULL;
493 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
494
495 if (!(tls = calloc(1, sizeof(BIO_RDP_TLS))))
496 return 0;
497
498 InitializeCriticalSectionAndSpinCount(&tls->lock, 4000);
499 BIO_set_data(bio, (void*)tls);
500 return 1;
501}
502
503static int bio_rdp_tls_free(BIO* bio)
504{
505 BIO_RDP_TLS* tls = NULL;
506
507 if (!bio)
508 return 0;
509
510 tls = (BIO_RDP_TLS*)BIO_get_data(bio);
511
512 if (!tls)
513 return 0;
514
515 BIO_set_data(bio, NULL);
516 if (BIO_get_shutdown(bio))
517 {
518 if (BIO_get_init(bio) && tls->ssl)
519 {
520 SSL_shutdown(tls->ssl);
521 SSL_free(tls->ssl);
522 }
523
524 BIO_set_init(bio, 0);
525 BIO_set_flags(bio, 0);
526 }
527
528 DeleteCriticalSection(&tls->lock);
529 free(tls);
530
531 return 1;
532}
533
534static long bio_rdp_tls_callback_ctrl(BIO* bio, int cmd, bio_info_cb* fp)
535{
536 long status = 0;
537
538 if (!bio)
539 return 0;
540
541 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
542
543 if (!tls)
544 return 0;
545
546 switch (cmd)
547 {
548 case BIO_CTRL_SET_CALLBACK:
549 {
550 typedef void (*fkt_t)(const SSL*, int, int);
551
552 /* Documented since https://www.openssl.org/docs/man1.1.1/man3/BIO_set_callback.html
553 * the argument is not really of type bio_info_cb* and must be cast
554 * to the required type */
555
556 fkt_t fkt = WINPR_FUNC_PTR_CAST(fp, fkt_t);
557 SSL_set_info_callback(tls->ssl, fkt);
558 status = 1;
559 }
560 break;
561
562 default:
563 status = BIO_callback_ctrl(SSL_get_rbio(tls->ssl), cmd, fp);
564 break;
565 }
566
567 return status;
568}
569
570#define BIO_TYPE_RDP_TLS 68
571
572static BIO_METHOD* BIO_s_rdp_tls(void)
573{
574 static BIO_METHOD* bio_methods = NULL;
575
576 if (bio_methods == NULL)
577 {
578 if (!(bio_methods = BIO_meth_new(BIO_TYPE_RDP_TLS, "RdpTls")))
579 return NULL;
580
581 BIO_meth_set_write(bio_methods, bio_rdp_tls_write);
582 BIO_meth_set_read(bio_methods, bio_rdp_tls_read);
583 BIO_meth_set_puts(bio_methods, bio_rdp_tls_puts);
584 BIO_meth_set_gets(bio_methods, bio_rdp_tls_gets);
585 BIO_meth_set_ctrl(bio_methods, bio_rdp_tls_ctrl);
586 BIO_meth_set_create(bio_methods, bio_rdp_tls_new);
587 BIO_meth_set_destroy(bio_methods, bio_rdp_tls_free);
588 BIO_meth_set_callback_ctrl(bio_methods, bio_rdp_tls_callback_ctrl);
589 }
590
591 return bio_methods;
592}
593
594static BIO* BIO_new_rdp_tls(SSL_CTX* ctx, int client)
595{
596 BIO* bio = NULL;
597 SSL* ssl = NULL;
598 bio = BIO_new(BIO_s_rdp_tls());
599
600 if (!bio)
601 return NULL;
602
603 ssl = SSL_new(ctx);
604
605 if (!ssl)
606 {
607 BIO_free_all(bio);
608 return NULL;
609 }
610
611 if (client)
612 SSL_set_connect_state(ssl);
613 else
614 SSL_set_accept_state(ssl);
615
616 BIO_set_ssl(bio, ssl, BIO_CLOSE);
617 return bio;
618}
619
620static rdpCertificate* tls_get_certificate(rdpTls* tls, BOOL peer)
621{
622 X509* remote_cert = NULL;
623
624 if (peer)
625 remote_cert = SSL_get_peer_certificate(tls->ssl);
626 else
627 remote_cert = X509_dup(SSL_get_certificate(tls->ssl));
628
629 if (!remote_cert)
630 {
631 WLog_ERR(TAG, "failed to get the server TLS certificate");
632 return NULL;
633 }
634
635 /* Get the peer's chain. If it does not exist, we're setting NULL (clean data either way) */
636 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(tls->ssl);
637 rdpCertificate* cert = freerdp_certificate_new_from_x509(remote_cert, chain);
638 X509_free(remote_cert);
639
640 return cert;
641}
642
643static const char* tls_get_server_name(rdpTls* tls)
644{
645 return tls->serverName ? tls->serverName : tls->hostname;
646}
647
648#define TLS_SERVER_END_POINT "tls-server-end-point:"
649
650static SecPkgContext_Bindings* tls_get_channel_bindings(const rdpCertificate* cert)
651{
652 size_t CertificateHashLength = 0;
653 BYTE* ChannelBindingToken = NULL;
654 SEC_CHANNEL_BINDINGS* ChannelBindings = NULL;
655 const size_t PrefixLength = strnlen(TLS_SERVER_END_POINT, ARRAYSIZE(TLS_SERVER_END_POINT));
656
657 WINPR_ASSERT(cert);
658
659 /* See https://www.rfc-editor.org/rfc/rfc5929 for details about hashes */
660 WINPR_MD_TYPE alg = freerdp_certificate_get_signature_alg(cert);
661 const char* hash = NULL;
662 switch (alg)
663 {
664
665 case WINPR_MD_MD5:
666 case WINPR_MD_SHA1:
667 hash = winpr_md_type_to_string(WINPR_MD_SHA256);
668 break;
669 default:
670 hash = winpr_md_type_to_string(alg);
671 break;
672 }
673 if (!hash)
674 return NULL;
675
676 char* CertificateHash = freerdp_certificate_get_hash(cert, hash, &CertificateHashLength);
677 if (!CertificateHash)
678 return NULL;
679
680 const size_t ChannelBindingTokenLength = PrefixLength + CertificateHashLength;
681 SecPkgContext_Bindings* ContextBindings = calloc(1, sizeof(SecPkgContext_Bindings));
682
683 if (!ContextBindings)
684 goto out_free;
685
686 {
687 const size_t slen = sizeof(SEC_CHANNEL_BINDINGS) + ChannelBindingTokenLength;
688 if (slen > UINT32_MAX)
689 goto out_free;
690
691 ContextBindings->BindingsLength = (UINT32)slen;
692 }
693 ChannelBindings = (SEC_CHANNEL_BINDINGS*)calloc(1, ContextBindings->BindingsLength);
694
695 if (!ChannelBindings)
696 goto out_free;
697
698 ContextBindings->Bindings = ChannelBindings;
699 ChannelBindings->cbApplicationDataLength = (UINT32)ChannelBindingTokenLength;
700 ChannelBindings->dwApplicationDataOffset = sizeof(SEC_CHANNEL_BINDINGS);
701 ChannelBindingToken = &((BYTE*)ChannelBindings)[ChannelBindings->dwApplicationDataOffset];
702 memcpy(ChannelBindingToken, TLS_SERVER_END_POINT, PrefixLength);
703 memcpy(ChannelBindingToken + PrefixLength, CertificateHash, CertificateHashLength);
704 free(CertificateHash);
705 return ContextBindings;
706out_free:
707 free(CertificateHash);
708 free(ContextBindings);
709 return NULL;
710}
711
712static INIT_ONCE secrets_file_idx_once = INIT_ONCE_STATIC_INIT;
713static int secrets_file_idx = -1;
714
715static BOOL CALLBACK secrets_file_init_cb(WINPR_ATTR_UNUSED PINIT_ONCE once,
716 WINPR_ATTR_UNUSED PVOID param,
717 WINPR_ATTR_UNUSED PVOID* context)
718{
719 secrets_file_idx = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
720
721 return (secrets_file_idx != -1);
722}
723
724static void SSLCTX_keylog_cb(const SSL* ssl, const char* line)
725{
726 char* dfile = NULL;
727
728 if (secrets_file_idx == -1)
729 return;
730
731 dfile = SSL_get_ex_data(ssl, secrets_file_idx);
732 if (dfile)
733 {
734 FILE* f = winpr_fopen(dfile, "a+");
735 if (f)
736 {
737 (void)fwrite(line, strlen(line), 1, f);
738 (void)fwrite("\n", 1, 1, f);
739 (void)fclose(f);
740 }
741 }
742}
743
744static void tls_reset(rdpTls* tls)
745{
746 WINPR_ASSERT(tls);
747
748 if (tls->ctx)
749 {
750 SSL_CTX_free(tls->ctx);
751 tls->ctx = NULL;
752 }
753
754 /* tls->underlying is a stacked BIO under tls->bio.
755 * BIO_free_all will free recursively. */
756 if (tls->bio)
757 BIO_free_all(tls->bio);
758 else if (tls->underlying)
759 BIO_free_all(tls->underlying);
760 tls->bio = NULL;
761 tls->underlying = NULL;
762
763 free_tls_public_key(tls);
764 free_tls_bindings(tls);
765}
766
767#if OPENSSL_VERSION_NUMBER >= 0x010000000L
768static BOOL tls_prepare(rdpTls* tls, BIO* underlying, const SSL_METHOD* method, int options,
769 BOOL clientMode)
770#else
771static BOOL tls_prepare(rdpTls* tls, BIO* underlying, SSL_METHOD* method, int options,
772 BOOL clientMode)
773#endif
774{
775 WINPR_ASSERT(tls);
776
777 rdpSettings* settings = tls->context->settings;
778 WINPR_ASSERT(settings);
779
780 tls_reset(tls);
781 tls->ctx = SSL_CTX_new(method);
782
783 tls->underlying = underlying;
784
785 if (!tls->ctx)
786 {
787 WLog_ERR(TAG, "SSL_CTX_new failed");
788 return FALSE;
789 }
790
791 SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
792 SSL_CTX_set_options(tls->ctx, WINPR_ASSERTING_INT_CAST(uint64_t, options));
793 SSL_CTX_set_read_ahead(tls->ctx, 1);
794#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
795 UINT16 version = freerdp_settings_get_uint16(settings, FreeRDP_TLSMinVersion);
796 if (!SSL_CTX_set_min_proto_version(tls->ctx, version))
797 {
798 WLog_ERR(TAG, "SSL_CTX_set_min_proto_version %" PRIu16 " failed", version);
799 return FALSE;
800 }
801 version = freerdp_settings_get_uint16(settings, FreeRDP_TLSMaxVersion);
802 if (!SSL_CTX_set_max_proto_version(tls->ctx, version))
803 {
804 WLog_ERR(TAG, "SSL_CTX_set_max_proto_version %" PRIu16 " failed", version);
805 return FALSE;
806 }
807#endif
808#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
809 SSL_CTX_set_security_level(tls->ctx, WINPR_ASSERTING_INT_CAST(int, settings->TlsSecLevel));
810#endif
811
812 if (settings->AllowedTlsCiphers)
813 {
814 if (!SSL_CTX_set_cipher_list(tls->ctx, settings->AllowedTlsCiphers))
815 {
816 WLog_ERR(TAG, "SSL_CTX_set_cipher_list %s failed", settings->AllowedTlsCiphers);
817 return FALSE;
818 }
819 }
820
821 tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);
822
823 if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
824 {
825 WLog_ERR(TAG, "unable to retrieve the SSL of the connection");
826 return FALSE;
827 }
828
829 if (settings->TlsSecretsFile)
830 {
831#if OPENSSL_VERSION_NUMBER >= 0x10101000L
832 InitOnceExecuteOnce(&secrets_file_idx_once, secrets_file_init_cb, NULL, NULL);
833
834 if (secrets_file_idx != -1)
835 {
836 SSL_set_ex_data(tls->ssl, secrets_file_idx, settings->TlsSecretsFile);
837 SSL_CTX_set_keylog_callback(tls->ctx, SSLCTX_keylog_cb);
838 }
839#else
840 WLog_WARN(TAG, "Key-Logging not available - requires OpenSSL 1.1.1 or higher");
841#endif
842 }
843
844 BIO_push(tls->bio, underlying);
845 return TRUE;
846}
847
848static void
849adjustSslOptions(WINPR_ATTR_UNUSED int* options) // NOLINT(readability-non-const-parameter)
850{
851 WINPR_ASSERT(options);
852#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
853 *options |= SSL_OP_NO_SSLv2;
854 *options |= SSL_OP_NO_SSLv3;
855#endif
856}
857
858const SSL_METHOD* freerdp_tls_get_ssl_method(BOOL isDtls, BOOL isClient)
859{
860 if (isClient)
861 {
862 if (isDtls)
863 return DTLS_client_method();
864#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
865 return SSLv23_client_method();
866#else
867 return TLS_client_method();
868#endif
869 }
870
871 if (isDtls)
872 return DTLS_server_method();
873
874#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
875 return SSLv23_server_method();
876#else
877 return TLS_server_method();
878#endif
879}
880
881TlsHandshakeResult freerdp_tls_connect_ex(rdpTls* tls, BIO* underlying, const SSL_METHOD* methods)
882{
883 WINPR_ASSERT(tls);
884
885 int options = 0;
895#ifdef SSL_OP_NO_COMPRESSION
896 options |= SSL_OP_NO_COMPRESSION;
897#endif
904 options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
911 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
912
913 tls->isClientMode = TRUE;
914 adjustSslOptions(&options);
915
916 if (!tls_prepare(tls, underlying, methods, options, TRUE))
917 return TLS_HANDSHAKE_ERROR;
918
919#if !defined(OPENSSL_NO_TLSEXT)
920 const char* str = tls_get_server_name(tls);
921 void* ptr = WINPR_CAST_CONST_PTR_AWAY(str, void*);
922 SSL_set_tlsext_host_name(tls->ssl, ptr);
923#endif
924
925 return freerdp_tls_handshake(tls);
926}
927
928static int bio_err_print(const char* str, size_t len, void* u)
929{
930 wLog* log = u;
931 WLog_Print(log, WLOG_ERROR, "[BIO_do_handshake] %s [%" PRIuz "]", str, len);
932 return 0;
933}
934
935TlsHandshakeResult freerdp_tls_handshake(rdpTls* tls)
936{
937 TlsHandshakeResult ret = TLS_HANDSHAKE_ERROR;
938
939 WINPR_ASSERT(tls);
940 const long status = BIO_do_handshake(tls->bio);
941 if (status != 1)
942 {
943 if (!BIO_should_retry(tls->bio))
944 {
945 wLog* log = WLog_Get(TAG);
946 WLog_Print(log, WLOG_ERROR, "BIO_do_handshake failed");
947 ERR_print_errors_cb(bio_err_print, log);
948 return TLS_HANDSHAKE_ERROR;
949 }
950
951 return TLS_HANDSHAKE_CONTINUE;
952 }
953
954 int verify_status = 0;
955 rdpCertificate* cert = tls_get_certificate(tls, tls->isClientMode);
956
957 if (!cert)
958 {
959 WLog_ERR(TAG, "tls_get_certificate failed to return the server certificate.");
960 return TLS_HANDSHAKE_ERROR;
961 }
962
963 do
964 {
965 free_tls_bindings(tls);
966 tls->Bindings = tls_get_channel_bindings(cert);
967 if (!tls->Bindings)
968 {
969 WLog_ERR(TAG, "unable to retrieve bindings");
970 break;
971 }
972
973 free_tls_public_key(tls);
974 if (!freerdp_certificate_get_public_key(cert, &tls->PublicKey, &tls->PublicKeyLength))
975 {
976 WLog_ERR(TAG,
977 "freerdp_certificate_get_public_key failed to return the server public key.");
978 break;
979 }
980
981 /* server-side NLA needs public keys (keys from us, the server) but no certificate verify */
982 ret = TLS_HANDSHAKE_SUCCESS;
983
984 if (tls->isClientMode)
985 {
986 WINPR_ASSERT(tls->port <= UINT16_MAX);
987 verify_status =
988 tls_verify_certificate(tls, cert, tls_get_server_name(tls), (UINT16)tls->port);
989
990 if (verify_status < 1)
991 {
992 WLog_ERR(TAG, "certificate not trusted, aborting.");
993 freerdp_tls_send_alert(tls);
994 ret = TLS_HANDSHAKE_VERIFY_ERROR;
995 }
996 }
997 } while (0);
998
999 freerdp_certificate_free(cert);
1000 return ret;
1001}
1002
1003static int pollAndHandshake(rdpTls* tls)
1004{
1005 WINPR_ASSERT(tls);
1006
1007 do
1008 {
1009 HANDLE events[] = { freerdp_abort_event(tls->context), NULL };
1010 DWORD status = 0;
1011 if (BIO_get_event(tls->bio, &events[1]) < 0)
1012 {
1013 WLog_ERR(TAG, "unable to retrieve BIO associated event");
1014 return -1;
1015 }
1016
1017 if (!events[1])
1018 {
1019 WLog_ERR(TAG, "unable to retrieve BIO event");
1020 return -1;
1021 }
1022
1023 status = WaitForMultipleObjectsEx(ARRAYSIZE(events), events, FALSE, INFINITE, TRUE);
1024 switch (status)
1025 {
1026 case WAIT_OBJECT_0 + 1:
1027 break;
1028 case WAIT_OBJECT_0:
1029 WLog_DBG(TAG, "Abort event set, cancel connect");
1030 return -1;
1031 case WAIT_TIMEOUT:
1032 case WAIT_IO_COMPLETION:
1033 continue;
1034 default:
1035 WLog_ERR(TAG, "error during WaitForSingleObject(): 0x%08" PRIX32 "", status);
1036 return -1;
1037 }
1038
1039 TlsHandshakeResult result = freerdp_tls_handshake(tls);
1040 switch (result)
1041 {
1042 case TLS_HANDSHAKE_CONTINUE:
1043 break;
1044 case TLS_HANDSHAKE_SUCCESS:
1045 return 1;
1046 case TLS_HANDSHAKE_ERROR:
1047 case TLS_HANDSHAKE_VERIFY_ERROR:
1048 default:
1049 return -1;
1050 }
1051 } while (TRUE);
1052}
1053
1054int freerdp_tls_connect(rdpTls* tls, BIO* underlying)
1055{
1056 const SSL_METHOD* method = freerdp_tls_get_ssl_method(FALSE, TRUE);
1057
1058 WINPR_ASSERT(tls);
1059 TlsHandshakeResult result = freerdp_tls_connect_ex(tls, underlying, method);
1060 switch (result)
1061 {
1062 case TLS_HANDSHAKE_SUCCESS:
1063 return 1;
1064 case TLS_HANDSHAKE_CONTINUE:
1065 break;
1066 case TLS_HANDSHAKE_ERROR:
1067 case TLS_HANDSHAKE_VERIFY_ERROR:
1068 return -1;
1069 default:
1070 return -1;
1071 }
1072
1073 return pollAndHandshake(tls);
1074}
1075
1076#if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
1077 !defined(LIBRESSL_VERSION_NUMBER)
1078static void tls_openssl_tlsext_debug_callback(SSL* s, int client_server, int type,
1079 unsigned char* data, int len, void* arg)
1080{
1081 if (type == TLSEXT_TYPE_server_name)
1082 {
1083 WLog_DBG(TAG, "Client uses SNI (extension disabled)");
1084 s->servername_done = 2;
1085 }
1086}
1087#endif
1088
1089BOOL freerdp_tls_accept(rdpTls* tls, BIO* underlying, rdpSettings* settings)
1090{
1091 WINPR_ASSERT(tls);
1092 TlsHandshakeResult res =
1093 freerdp_tls_accept_ex(tls, underlying, settings, freerdp_tls_get_ssl_method(FALSE, FALSE));
1094 switch (res)
1095 {
1096 case TLS_HANDSHAKE_SUCCESS:
1097 return TRUE;
1098 case TLS_HANDSHAKE_CONTINUE:
1099 break;
1100 case TLS_HANDSHAKE_ERROR:
1101 case TLS_HANDSHAKE_VERIFY_ERROR:
1102 default:
1103 return FALSE;
1104 }
1105
1106 return pollAndHandshake(tls) > 0;
1107}
1108
1109TlsHandshakeResult freerdp_tls_accept_ex(rdpTls* tls, BIO* underlying, rdpSettings* settings,
1110 const SSL_METHOD* methods)
1111{
1112 WINPR_ASSERT(tls);
1113
1114 int options = 0;
1115 int status = 0;
1116
1123 options |= SSL_OP_NO_SSLv2;
1133#ifdef SSL_OP_NO_COMPRESSION
1134 options |= SSL_OP_NO_COMPRESSION;
1135#endif
1142 options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
1149 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1150
1157#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && (OPENSSL_VERSION_NUMBER < 0x30000000L) && \
1158 !defined(LIBRESSL_VERSION_NUMBER)
1159 options |= SSL_OP_NO_RENEGOTIATION;
1160#endif
1161
1162 if (!tls_prepare(tls, underlying, methods, options, FALSE))
1163 return TLS_HANDSHAKE_ERROR;
1164
1165 const rdpPrivateKey* key = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey);
1166 if (!key)
1167 {
1168 WLog_ERR(TAG, "invalid private key");
1169 return TLS_HANDSHAKE_ERROR;
1170 }
1171
1172 EVP_PKEY* privkey = freerdp_key_get_evp_pkey(key);
1173 if (!privkey)
1174 {
1175 WLog_ERR(TAG, "invalid private key");
1176 return TLS_HANDSHAKE_ERROR;
1177 }
1178
1179 status = SSL_use_PrivateKey(tls->ssl, privkey);
1180 /* The local reference to the private key will anyway go out of
1181 * scope; so the reference count should be decremented weither
1182 * SSL_use_PrivateKey succeeds or fails.
1183 */
1184 EVP_PKEY_free(privkey);
1185
1186 if (status <= 0)
1187 {
1188 WLog_ERR(TAG, "SSL_CTX_use_PrivateKey_file failed");
1189 return TLS_HANDSHAKE_ERROR;
1190 }
1191
1192 rdpCertificate* cert =
1193 freerdp_settings_get_pointer_writable(settings, FreeRDP_RdpServerCertificate);
1194 if (!cert)
1195 {
1196 WLog_ERR(TAG, "invalid certificate");
1197 return TLS_HANDSHAKE_ERROR;
1198 }
1199
1200 status = SSL_use_certificate(tls->ssl, freerdp_certificate_get_x509(cert));
1201
1202 if (status <= 0)
1203 {
1204 WLog_ERR(TAG, "SSL_use_certificate_file failed");
1205 return TLS_HANDSHAKE_ERROR;
1206 }
1207
1208 const size_t cnt = freerdp_certificate_get_chain_len(cert);
1209 for (size_t x = 0; x < cnt; x++)
1210 {
1211 X509* xcert = freerdp_certificate_get_chain_at(cert, x);
1212 WINPR_ASSERT(xcert);
1213 const long rc = SSL_add1_chain_cert(tls->ssl, xcert);
1214 if (rc != 1)
1215 {
1216 WLog_ERR(TAG, "SSL_add1_chain_cert failed");
1217 return TLS_HANDSHAKE_ERROR;
1218 }
1219 }
1220
1221#if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
1222 !defined(LIBRESSL_VERSION_NUMBER)
1223 SSL_set_tlsext_debug_callback(tls->ssl, tls_openssl_tlsext_debug_callback);
1224#endif
1225
1226 return freerdp_tls_handshake(tls);
1227}
1228
1229BOOL freerdp_tls_send_alert(rdpTls* tls)
1230{
1231 WINPR_ASSERT(tls);
1232
1233 if (!tls)
1234 return FALSE;
1235
1236 if (!tls->ssl)
1237 return TRUE;
1238
1243#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x10100000L)) || \
1244 (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x2080300fL))
1245
1246 if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
1247 {
1257 SSL_SESSION* ssl_session = SSL_get_session(tls->ssl);
1258 SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(tls->ssl);
1259 SSL_set_quiet_shutdown(tls->ssl, 1);
1260
1261 if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (ssl_session))
1262 SSL_CTX_remove_session(ssl_ctx, ssl_session);
1263
1264 tls->ssl->s3->alert_dispatch = 1;
1265 tls->ssl->s3->send_alert[0] = tls->alertLevel;
1266 tls->ssl->s3->send_alert[1] = tls->alertDescription;
1267
1268 if (tls->ssl->s3->wbuf.left == 0)
1269 tls->ssl->method->ssl_dispatch_alert(tls->ssl);
1270 }
1271
1272#endif
1273 return TRUE;
1274}
1275
1276int freerdp_tls_write_all(rdpTls* tls, const BYTE* data, size_t length)
1277{
1278 WINPR_ASSERT(tls);
1279 size_t offset = 0;
1280 BIO* bio = tls->bio;
1281
1282 if (length > INT32_MAX)
1283 return -1;
1284
1285 while (offset < length)
1286 {
1287 ERR_clear_error();
1288 const int status = BIO_write(bio, &data[offset], (int)(length - offset));
1289
1290 if (status > 0)
1291 offset += (size_t)status;
1292 else
1293 {
1294 if (!BIO_should_retry(bio))
1295 return -1;
1296
1297 if (BIO_write_blocked(bio))
1298 {
1299 const long rc = BIO_wait_write(bio, 100);
1300 if (rc < 0)
1301 return -1;
1302 }
1303 else if (BIO_read_blocked(bio))
1304 return -2; /* Abort write, there is data that must be read */
1305 else
1306 USleep(100);
1307 }
1308 }
1309
1310 return (int)length;
1311}
1312
1313int freerdp_tls_set_alert_code(rdpTls* tls, int level, int description)
1314{
1315 WINPR_ASSERT(tls);
1316 tls->alertLevel = level;
1317 tls->alertDescription = description;
1318 return 0;
1319}
1320
1321static BOOL tls_match_hostname(const char* pattern, const size_t pattern_length,
1322 const char* hostname)
1323{
1324 if (strlen(hostname) == pattern_length)
1325 {
1326 if (_strnicmp(hostname, pattern, pattern_length) == 0)
1327 return TRUE;
1328 }
1329
1330 if ((pattern_length > 2) && (pattern[0] == '*') && (pattern[1] == '.') &&
1331 ((strlen(hostname)) >= pattern_length))
1332 {
1333 const char* check_hostname = &hostname[strlen(hostname) - pattern_length + 1];
1334
1335 if (_strnicmp(check_hostname, &pattern[1], pattern_length - 1) == 0)
1336 {
1337 return TRUE;
1338 }
1339 }
1340
1341 return FALSE;
1342}
1343
1344static BOOL is_redirected(rdpTls* tls)
1345{
1346 rdpSettings* settings = tls->context->settings;
1347
1348 if (settings->GatewayArmTransport)
1349 return TRUE;
1350
1351 if (LB_NOREDIRECT & settings->RedirectionFlags)
1352 return FALSE;
1353
1354 return settings->RedirectionFlags != 0;
1355}
1356
1357static BOOL is_accepted(rdpTls* tls, const rdpCertificate* cert)
1358{
1359 WINPR_ASSERT(tls);
1360 WINPR_ASSERT(tls->context);
1361 WINPR_ASSERT(cert);
1362 rdpSettings* settings = tls->context->settings;
1363 WINPR_ASSERT(settings);
1364
1365 FreeRDP_Settings_Keys_String keyAccepted = FreeRDP_AcceptedCert;
1366 FreeRDP_Settings_Keys_UInt32 keyLength = FreeRDP_AcceptedCertLength;
1367
1368 if (tls->isGatewayTransport)
1369 {
1370 keyAccepted = FreeRDP_GatewayAcceptedCert;
1371 keyLength = FreeRDP_GatewayAcceptedCertLength;
1372 }
1373 else if (is_redirected(tls))
1374 {
1375 keyAccepted = FreeRDP_RedirectionAcceptedCert;
1376 keyLength = FreeRDP_RedirectionAcceptedCertLength;
1377 }
1378
1379 const char* AcceptedKey = freerdp_settings_get_string(settings, keyAccepted);
1380 const UINT32 AcceptedKeyLength = freerdp_settings_get_uint32(settings, keyLength);
1381
1382 if ((AcceptedKeyLength > 0) && AcceptedKey)
1383 {
1384 BOOL accepted = FALSE;
1385 size_t pemLength = 0;
1386 char* pem = freerdp_certificate_get_pem_ex(cert, &pemLength, FALSE);
1387 if (pem && (AcceptedKeyLength == pemLength))
1388 {
1389 if (memcmp(AcceptedKey, pem, AcceptedKeyLength) == 0)
1390 accepted = TRUE;
1391 }
1392 free(pem);
1393 if (accepted)
1394 return TRUE;
1395 }
1396
1397 (void)freerdp_settings_set_string(settings, keyAccepted, NULL);
1398 (void)freerdp_settings_set_uint32(settings, keyLength, 0);
1399
1400 return FALSE;
1401}
1402
1403static BOOL compare_fingerprint(const char* fp, const char* hash, const rdpCertificate* cert,
1404 BOOL separator)
1405{
1406 BOOL equal = 0;
1407 char* strhash = NULL;
1408
1409 WINPR_ASSERT(fp);
1410 WINPR_ASSERT(hash);
1411 WINPR_ASSERT(cert);
1412
1413 strhash = freerdp_certificate_get_fingerprint_by_hash_ex(cert, hash, separator);
1414 if (!strhash)
1415 return FALSE;
1416
1417 equal = (_stricmp(strhash, fp) == 0);
1418 free(strhash);
1419 return equal;
1420}
1421
1422static BOOL compare_fingerprint_all(const char* fp, const char* hash, const rdpCertificate* cert)
1423{
1424 WINPR_ASSERT(fp);
1425 WINPR_ASSERT(hash);
1426 WINPR_ASSERT(cert);
1427 if (compare_fingerprint(fp, hash, cert, FALSE))
1428 return TRUE;
1429 if (compare_fingerprint(fp, hash, cert, TRUE))
1430 return TRUE;
1431 return FALSE;
1432}
1433
1434static BOOL is_accepted_fingerprint(const rdpCertificate* cert,
1435 const char* CertificateAcceptedFingerprints)
1436{
1437 WINPR_ASSERT(cert);
1438
1439 BOOL rc = FALSE;
1440 if (CertificateAcceptedFingerprints)
1441 {
1442 char* context = NULL;
1443 char* copy = _strdup(CertificateAcceptedFingerprints);
1444 char* cur = strtok_s(copy, ",", &context);
1445 while (cur)
1446 {
1447 char* subcontext = NULL;
1448 const char* h = strtok_s(cur, ":", &subcontext);
1449
1450 if (!h)
1451 goto next;
1452
1453 {
1454 const char* fp = h + strlen(h) + 1;
1455 if (compare_fingerprint_all(fp, h, cert))
1456 {
1457 rc = TRUE;
1458 break;
1459 }
1460 }
1461 next:
1462 cur = strtok_s(NULL, ",", &context);
1463 }
1464 free(copy);
1465 }
1466
1467 return rc;
1468}
1469
1470static BOOL accept_cert(rdpTls* tls, const rdpCertificate* cert)
1471{
1472 WINPR_ASSERT(tls);
1473 WINPR_ASSERT(tls->context);
1474 WINPR_ASSERT(cert);
1475
1476 FreeRDP_Settings_Keys_String id = FreeRDP_AcceptedCert;
1477 FreeRDP_Settings_Keys_UInt32 lid = FreeRDP_AcceptedCertLength;
1478
1479 rdpSettings* settings = tls->context->settings;
1480 WINPR_ASSERT(settings);
1481
1482 if (tls->isGatewayTransport)
1483 {
1484 id = FreeRDP_GatewayAcceptedCert;
1485 lid = FreeRDP_GatewayAcceptedCertLength;
1486 }
1487 else if (is_redirected(tls))
1488 {
1489 id = FreeRDP_RedirectionAcceptedCert;
1490 lid = FreeRDP_RedirectionAcceptedCertLength;
1491 }
1492
1493 size_t pemLength = 0;
1494 char* pem = freerdp_certificate_get_pem_ex(cert, &pemLength, FALSE);
1495 BOOL rc = FALSE;
1496 if (pemLength <= UINT32_MAX)
1497 {
1498 if (freerdp_settings_set_string_len(settings, id, pem, pemLength))
1499 rc = freerdp_settings_set_uint32(settings, lid, (UINT32)pemLength);
1500 }
1501 free(pem);
1502 return rc;
1503}
1504
1505static BOOL tls_extract_full_pem(const rdpCertificate* cert, BYTE** PublicKey,
1506 size_t* PublicKeyLength)
1507{
1508 if (!cert || !PublicKey)
1509 return FALSE;
1510 *PublicKey = (BYTE*)freerdp_certificate_get_pem(cert, PublicKeyLength);
1511 return *PublicKey != NULL;
1512}
1513
1514static int tls_config_parse_bool(WINPR_JSON* json, const char* opt)
1515{
1516 WINPR_JSON* val = WINPR_JSON_GetObjectItemCaseSensitive(json, opt);
1517 if (!val || !WINPR_JSON_IsBool(val))
1518 return -1;
1519
1520 if (WINPR_JSON_IsTrue(val))
1521 return 1;
1522 return 0;
1523}
1524
1525static int tls_config_check_allowed_hashed(const char* configfile, const rdpCertificate* cert,
1526 WINPR_JSON* json)
1527{
1528 WINPR_ASSERT(configfile);
1529 WINPR_ASSERT(cert);
1530 WINPR_ASSERT(json);
1531
1532 WINPR_JSON* db = WINPR_JSON_GetObjectItemCaseSensitive(json, "certificate-db");
1533 if (!db || !WINPR_JSON_IsArray(db))
1534 return 0;
1535
1536 for (size_t x = 0; x < WINPR_JSON_GetArraySize(db); x++)
1537 {
1538 WINPR_JSON* cur = WINPR_JSON_GetArrayItem(db, x);
1539 if (!cur || !WINPR_JSON_IsObject(cur))
1540 {
1541 WLog_WARN(TAG,
1542 "[%s] invalid certificate-db entry at position %" PRIuz ": not a JSON object",
1543 configfile, x);
1544 continue;
1545 }
1546
1547 WINPR_JSON* key = WINPR_JSON_GetObjectItemCaseSensitive(cur, "type");
1548 if (!key || !WINPR_JSON_IsString(key))
1549 {
1550 WLog_WARN(TAG,
1551 "[%s] invalid certificate-db entry at position %" PRIuz
1552 ": invalid 'type' element, expected type string",
1553 configfile, x);
1554 continue;
1555 }
1556 WINPR_JSON* val = WINPR_JSON_GetObjectItemCaseSensitive(cur, "hash");
1557 if (!val || !WINPR_JSON_IsString(val))
1558 {
1559 WLog_WARN(TAG,
1560 "[%s] invalid certificate-db entry at position %" PRIuz
1561 ": invalid 'hash' element, expected type string",
1562 configfile, x);
1563 continue;
1564 }
1565
1566 const char* skey = WINPR_JSON_GetStringValue(key);
1567 const char* sval = WINPR_JSON_GetStringValue(val);
1568
1569 char* hash = freerdp_certificate_get_fingerprint_by_hash_ex(cert, skey, FALSE);
1570 if (!hash)
1571 {
1572 WLog_WARN(TAG,
1573 "[%s] invalid certificate-db entry at position %" PRIuz
1574 ": hash type '%s' not supported by certificate",
1575 configfile, x, skey);
1576 continue;
1577 }
1578
1579 const int cmp = _stricmp(hash, sval);
1580 free(hash);
1581
1582 if (cmp == 0)
1583 return 1;
1584 }
1585
1586 return 0;
1587}
1588
1589static int tls_config_check_certificate(const rdpCertificate* cert, BOOL* pAllowUserconfig)
1590{
1591 WINPR_ASSERT(cert);
1592 WINPR_ASSERT(pAllowUserconfig);
1593
1594 int rc = 0;
1595 const char configfile[] = "certificates.json";
1596 WINPR_JSON* json = freerdp_GetJSONConfigFile(TRUE, configfile);
1597
1598 if (!json)
1599 {
1600 WLog_DBG(TAG, "No or no valid configuration file for certificate handling, asking user");
1601 goto fail;
1602 }
1603
1604 if (tls_config_parse_bool(json, "deny") > 0)
1605 {
1606 WLog_WARN(TAG, "[%s] certificate denied by configuration", configfile);
1607 rc = -1;
1608 goto fail;
1609 }
1610
1611 if (tls_config_parse_bool(json, "ignore") > 0)
1612 {
1613 WLog_WARN(TAG, "[%s] certificate ignored by configuration", configfile);
1614 rc = 1;
1615 goto fail;
1616 }
1617
1618 if (tls_config_check_allowed_hashed(configfile, cert, json) > 0)
1619 {
1620 WLog_WARN(TAG, "[%s] certificate manually accepted by configuration", configfile);
1621 rc = 1;
1622 goto fail;
1623 }
1624
1625 if (tls_config_parse_bool(json, "deny-userconfig") > 0)
1626 {
1627 WLog_WARN(TAG, "[%s] configuration denies user to accept certificates", configfile);
1628 rc = -1;
1629 goto fail;
1630 }
1631
1632fail:
1633
1634 *pAllowUserconfig = (rc == 0);
1635 WINPR_JSON_Delete(json);
1636 return rc;
1637}
1638
1639int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char* hostname,
1640 UINT16 port)
1641{
1642 int match = 0;
1643 size_t length = 0;
1644 BOOL certificate_status = 0;
1645 char* common_name = NULL;
1646 size_t common_name_length = 0;
1647 char** dns_names = 0;
1648 size_t dns_names_count = 0;
1649 size_t* dns_names_lengths = NULL;
1650 int verification_status = -1;
1651 BOOL hostname_match = FALSE;
1652 rdpCertificateData* certificate_data = NULL;
1653 BYTE* pemCert = NULL;
1654 DWORD flags = VERIFY_CERT_FLAG_NONE;
1655
1656 WINPR_ASSERT(tls);
1657
1658 rdpContext* context = tls->context;
1659 WINPR_ASSERT(context);
1660
1661 freerdp* instance = context->instance;
1662 WINPR_ASSERT(instance);
1663
1664 const rdpSettings* settings = context->settings;
1665 WINPR_ASSERT(settings);
1666
1667 if (freerdp_shall_disconnect_context(context))
1668 return -1;
1669
1670 if (!tls_extract_full_pem(cert, &pemCert, &length))
1671 goto end;
1672
1673 /* Check, if we already accepted this key. */
1674 if (is_accepted(tls, cert))
1675 {
1676 verification_status = 1;
1677 goto end;
1678 }
1679
1680 if (is_accepted_fingerprint(cert, settings->CertificateAcceptedFingerprints))
1681 {
1682 verification_status = 1;
1683 goto end;
1684 }
1685
1686 if (tls->isGatewayTransport || is_redirected(tls))
1687 flags |= VERIFY_CERT_FLAG_LEGACY;
1688
1689 if (tls->isGatewayTransport)
1690 flags |= VERIFY_CERT_FLAG_GATEWAY;
1691
1692 if (is_redirected(tls))
1693 flags |= VERIFY_CERT_FLAG_REDIRECT;
1694
1695 /* Certificate management is done by the application */
1696 if (settings->ExternalCertificateManagement)
1697 {
1698 if (instance->VerifyX509Certificate)
1699 verification_status =
1700 instance->VerifyX509Certificate(instance, pemCert, length, hostname, port, flags);
1701 else
1702 WLog_ERR(TAG, "No VerifyX509Certificate callback registered!");
1703
1704 if (verification_status > 0)
1705 accept_cert(tls, cert);
1706 else if (verification_status < 0)
1707 {
1708 WLog_ERR(TAG, "VerifyX509Certificate failed: (length = %" PRIuz ") status: [%d] %s",
1709 length, verification_status, pemCert);
1710 goto end;
1711 }
1712 }
1713 /* ignore certificate verification if user explicitly required it (discouraged) */
1714 else if (freerdp_settings_get_bool(settings, FreeRDP_IgnoreCertificate))
1715 {
1716 WLog_WARN(TAG, "[DANGER] Certificate not checked, /cert:ignore in use.");
1717 WLog_WARN(TAG, "[DANGER] This prevents MITM attacks from being detected!");
1718 WLog_WARN(TAG,
1719 "[DANGER] Avoid using this unless in a secure LAN (=no internet) environment");
1720 verification_status = 1; /* success! */
1721 }
1722 else if (!tls->isGatewayTransport && (settings->AuthenticationLevel == 0))
1723 verification_status = 1; /* success! */
1724 else
1725 {
1726 /* if user explicitly specified a certificate name, use it instead of the hostname */
1727 if (!tls->isGatewayTransport && settings->CertificateName)
1728 hostname = settings->CertificateName;
1729
1730 /* attempt verification using OpenSSL and the ~/.freerdp/certs certificate store */
1731 certificate_status = freerdp_certificate_verify(
1732 cert, freerdp_certificate_store_get_certs_path(tls->certificate_store));
1733 /* verify certificate name match */
1734 certificate_data = freerdp_certificate_data_new(hostname, port, cert);
1735 if (!certificate_data)
1736 goto end;
1737 /* extra common name and alternative names */
1738 common_name = freerdp_certificate_get_common_name(cert, &common_name_length);
1739 dns_names = freerdp_certificate_get_dns_names(cert, &dns_names_count, &dns_names_lengths);
1740
1741 /* compare against common name */
1742
1743 if (common_name)
1744 {
1745 if (tls_match_hostname(common_name, common_name_length, hostname))
1746 hostname_match = TRUE;
1747 }
1748
1749 /* compare against alternative names */
1750
1751 if (dns_names)
1752 {
1753 for (size_t index = 0; index < dns_names_count; index++)
1754 {
1755 if (tls_match_hostname(dns_names[index], dns_names_lengths[index], hostname))
1756 {
1757 hostname_match = TRUE;
1758 break;
1759 }
1760 }
1761 }
1762
1763 /* if the certificate is valid and the certificate name matches, verification succeeds
1764 */
1765 if (certificate_status && hostname_match)
1766 verification_status = 1; /* success! */
1767
1768 if (!hostname_match)
1769 flags |= VERIFY_CERT_FLAG_MISMATCH;
1770
1771 BOOL allowUserconfig = TRUE;
1772 if (!certificate_status || !hostname_match)
1773 verification_status = tls_config_check_certificate(cert, &allowUserconfig);
1774
1775 /* verification could not succeed with OpenSSL, use known_hosts file and prompt user for
1776 * manual verification */
1777 if (allowUserconfig && (!certificate_status || !hostname_match))
1778 {
1779 DWORD accept_certificate = 0;
1780 size_t pem_length = 0;
1781 char* issuer = freerdp_certificate_get_issuer(cert);
1782 char* subject = freerdp_certificate_get_subject(cert);
1783 char* pem = freerdp_certificate_get_pem(cert, &pem_length);
1784
1785 if (!pem)
1786 goto end;
1787
1788 /* search for matching entry in known_hosts file */
1789 match =
1790 freerdp_certificate_store_contains_data(tls->certificate_store, certificate_data);
1791
1792 if (match == 1)
1793 {
1794 /* no entry was found in known_hosts file, prompt user for manual verification
1795 */
1796 if (!hostname_match)
1797 tls_print_certificate_name_mismatch_error(hostname, port, common_name,
1798 dns_names, dns_names_count);
1799
1800 {
1801 const char* type = "";
1802 if (freerdp_settings_get_bool(settings, FreeRDP_AutoAcceptCertificate))
1803 type = "tofo (auto-accept)";
1804
1805 if (freerdp_settings_get_bool(settings, FreeRDP_AutoDenyCertificate))
1806 type = "strict (auto-deny)";
1807
1808 if (freerdp_settings_get_bool(settings, FreeRDP_IgnoreCertificate))
1809 type = "ignore (no check)";
1810
1811 char* efp = freerdp_certificate_get_fingerprint(cert);
1812 tls_print_new_certificate_warn(tls->certificate_store, hostname, port, type,
1813 efp);
1814 free(efp);
1815 }
1816
1817 /* Automatically accept certificate on first use */
1818 if (settings->AutoAcceptCertificate)
1819 {
1820 WLog_INFO(TAG, "No certificate stored, automatically accepting.");
1821 accept_certificate = 1;
1822 }
1823 else if (settings->AutoDenyCertificate)
1824 {
1825 WLog_INFO(TAG, "No certificate stored, automatically denying.");
1826 accept_certificate = 0;
1827 }
1828 else if (instance->VerifyX509Certificate)
1829 {
1830 int rc = instance->VerifyX509Certificate(instance, pemCert, pem_length,
1831 hostname, port, flags);
1832
1833 if (rc == 1)
1834 accept_certificate = 1;
1835 else if (rc > 1)
1836 accept_certificate = 2;
1837 else
1838 accept_certificate = 0;
1839 }
1840 else if (instance->VerifyCertificateEx)
1841 {
1842 const BOOL use_pem =
1843 freerdp_settings_get_bool(settings, FreeRDP_CertificateCallbackPreferPEM);
1844 char* fp = NULL;
1845 DWORD cflags = flags;
1846 if (use_pem)
1847 {
1848 cflags |= VERIFY_CERT_FLAG_FP_IS_PEM;
1849 fp = pem;
1850 }
1851 else
1852 fp = freerdp_certificate_get_fingerprint(cert);
1853 accept_certificate = instance->VerifyCertificateEx(
1854 instance, hostname, port, common_name, subject, issuer, fp, cflags);
1855 if (!use_pem)
1856 free(fp);
1857 }
1858#if defined(WITH_FREERDP_DEPRECATED)
1859 else if (instance->VerifyCertificate)
1860 {
1861 char* fp = freerdp_certificate_get_fingerprint(cert);
1862
1863 WLog_WARN(TAG, "The VerifyCertificate callback is deprecated, migrate your "
1864 "application to VerifyCertificateEx");
1865 accept_certificate = instance->VerifyCertificate(instance, common_name, subject,
1866 issuer, fp, !hostname_match);
1867 free(fp);
1868 }
1869#endif
1870 }
1871 else if (match == -1)
1872 {
1873 rdpCertificateData* stored_data =
1874 freerdp_certificate_store_load_data(tls->certificate_store, hostname, port);
1875 /* entry was found in known_hosts file, but fingerprint does not match. ask user
1876 * to use it */
1877 {
1878 char* efp = freerdp_certificate_get_fingerprint(cert);
1879 tls_print_certificate_error(tls->certificate_store, stored_data, hostname, port,
1880 efp);
1881 free(efp);
1882 }
1883
1884 if (!stored_data)
1885 WLog_WARN(TAG, "Failed to get certificate entry for %s:%" PRIu16 "", hostname,
1886 port);
1887
1888 if (settings->AutoDenyCertificate)
1889 {
1890 WLog_INFO(TAG, "No certificate stored, automatically denying.");
1891 accept_certificate = 0;
1892 }
1893 else if (instance->VerifyX509Certificate)
1894 {
1895 const int rc =
1896 instance->VerifyX509Certificate(instance, pemCert, pem_length, hostname,
1897 port, flags | VERIFY_CERT_FLAG_CHANGED);
1898
1899 if (rc == 1)
1900 accept_certificate = 1;
1901 else if (rc > 1)
1902 accept_certificate = 2;
1903 else
1904 accept_certificate = 0;
1905 }
1906 else if (instance->VerifyChangedCertificateEx)
1907 {
1908 DWORD cflags = flags | VERIFY_CERT_FLAG_CHANGED;
1909 const char* old_subject = freerdp_certificate_data_get_subject(stored_data);
1910 const char* old_issuer = freerdp_certificate_data_get_issuer(stored_data);
1911 const char* old_fp = freerdp_certificate_data_get_fingerprint(stored_data);
1912 const char* old_pem = freerdp_certificate_data_get_pem(stored_data);
1913 const BOOL fpIsAllocated =
1914 !old_pem ||
1915 !freerdp_settings_get_bool(settings, FreeRDP_CertificateCallbackPreferPEM);
1916 char* fp = NULL;
1917 if (!fpIsAllocated)
1918 {
1919 cflags |= VERIFY_CERT_FLAG_FP_IS_PEM;
1920 fp = pem;
1921 old_fp = old_pem;
1922 }
1923 else
1924 {
1925 fp = freerdp_certificate_get_fingerprint(cert);
1926 }
1927 accept_certificate = instance->VerifyChangedCertificateEx(
1928 instance, hostname, port, common_name, subject, issuer, fp, old_subject,
1929 old_issuer, old_fp, cflags);
1930 if (fpIsAllocated)
1931 free(fp);
1932 }
1933#if defined(WITH_FREERDP_DEPRECATED)
1934 else if (instance->VerifyChangedCertificate)
1935 {
1936 char* fp = freerdp_certificate_get_fingerprint(cert);
1937 const char* old_subject = freerdp_certificate_data_get_subject(stored_data);
1938 const char* old_issuer = freerdp_certificate_data_get_issuer(stored_data);
1939 const char* old_fingerprint =
1940 freerdp_certificate_data_get_fingerprint(stored_data);
1941
1942 WLog_WARN(TAG, "The VerifyChangedCertificate callback is deprecated, migrate "
1943 "your application to VerifyChangedCertificateEx");
1944 accept_certificate = instance->VerifyChangedCertificate(
1945 instance, common_name, subject, issuer, fp, old_subject, old_issuer,
1946 old_fingerprint);
1947 free(fp);
1948 }
1949#endif
1950
1951 freerdp_certificate_data_free(stored_data);
1952 }
1953 else if (match == 0)
1954 accept_certificate = 2; /* success! */
1955
1956 /* Save certificate or do a simple accept / reject */
1957 switch (accept_certificate)
1958 {
1959 case 1:
1960
1961 /* user accepted certificate, add entry in known_hosts file */
1962 verification_status = freerdp_certificate_store_save_data(
1963 tls->certificate_store, certificate_data)
1964 ? 1
1965 : -1;
1966 break;
1967
1968 case 2:
1969 /* user did accept temporaty, do not add to known hosts file */
1970 verification_status = 1;
1971 break;
1972
1973 default:
1974 /* user did not accept, abort and do not add entry in known_hosts file */
1975 verification_status = -1; /* failure! */
1976 break;
1977 }
1978
1979 free(issuer);
1980 free(subject);
1981 free(pem);
1982 }
1983
1984 if (verification_status > 0)
1985 accept_cert(tls, cert);
1986 }
1987
1988end:
1989 freerdp_certificate_data_free(certificate_data);
1990 free(common_name);
1991 freerdp_certificate_free_dns_names(dns_names_count, dns_names_lengths, dns_names);
1992 free(pemCert);
1993 return verification_status;
1994}
1995
1996void tls_print_new_certificate_warn(rdpCertificateStore* store, const char* hostname, UINT16 port,
1997 const char* type, const char* fingerprint)
1998{
1999 char* path = freerdp_certificate_store_get_cert_path(store, hostname, port);
2000
2001 WLog_ERR(TAG, "The host key for %s:%" PRIu16 " has changed", hostname, port);
2002 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2003 WLog_ERR(TAG, "@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
2004 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2005 WLog_ERR(TAG, "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
2006 WLog_ERR(TAG, "Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
2007 WLog_ERR(TAG, "It is also possible that a host key has just been changed.");
2008 WLog_ERR(TAG, "The fingerprint for the host key sent by the remote host is %s", fingerprint);
2009 WLog_ERR(TAG, "Please contact your system administrator.");
2010 WLog_ERR(TAG, "Add correct host key in %s to get rid of this message.", path);
2011 WLog_ERR(TAG, "Host key for %s has changed and you have requested %s checking.", hostname,
2012 type);
2013 WLog_ERR(TAG, "Host key verification failed.");
2014
2015 free(path);
2016}
2017
2018void tls_print_certificate_error(rdpCertificateStore* store,
2019 WINPR_ATTR_UNUSED rdpCertificateData* stored_data,
2020 const char* hostname, UINT16 port, const char* fingerprint)
2021{
2022 char* path = freerdp_certificate_store_get_cert_path(store, hostname, port);
2023
2024 WLog_ERR(TAG, "New host key for %s:%" PRIu16, hostname, port);
2025 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2026 WLog_ERR(TAG, "@ WARNING: NEW HOST IDENTIFICATION! @");
2027 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2028
2029 WLog_ERR(TAG, "The fingerprint for the host key sent by the remote host is %s", fingerprint);
2030 WLog_ERR(TAG, "Please contact your system administrator.");
2031 WLog_ERR(TAG, "Add correct host key in %s to get rid of this message.", path);
2032
2033 free(path);
2034}
2035
2036void tls_print_certificate_name_mismatch_error(const char* hostname, UINT16 port,
2037 const char* common_name, char** alt_names,
2038 size_t alt_names_count)
2039{
2040 WINPR_ASSERT(NULL != hostname);
2041 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2042 WLog_ERR(TAG, "@ WARNING: CERTIFICATE NAME MISMATCH! @");
2043 WLog_ERR(TAG, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2044 WLog_ERR(TAG, "The hostname used for this connection (%s:%" PRIu16 ") ", hostname, port);
2045 WLog_ERR(TAG, "does not match %s given in the certificate:",
2046 alt_names_count < 1 ? "the name" : "any of the names");
2047 WLog_ERR(TAG, "Common Name (CN):");
2048 WLog_ERR(TAG, "\t%s", common_name ? common_name : "no CN found in certificate");
2049
2050 if (alt_names_count > 0)
2051 {
2052 WINPR_ASSERT(NULL != alt_names);
2053 WLog_ERR(TAG, "Alternative names:");
2054
2055 for (size_t index = 0; index < alt_names_count; index++)
2056 {
2057 WINPR_ASSERT(alt_names[index]);
2058 WLog_ERR(TAG, "\t %s", alt_names[index]);
2059 }
2060 }
2061
2062 WLog_ERR(TAG, "A valid certificate for the wrong name should NOT be trusted!");
2063}
2064
2065rdpTls* freerdp_tls_new(rdpContext* context)
2066{
2067 rdpTls* tls = NULL;
2068 tls = (rdpTls*)calloc(1, sizeof(rdpTls));
2069
2070 if (!tls)
2071 return NULL;
2072
2073 tls->context = context;
2074
2075 if (!freerdp_settings_get_bool(tls->context->settings, FreeRDP_ServerMode))
2076 {
2077 tls->certificate_store = freerdp_certificate_store_new(tls->context->settings);
2078
2079 if (!tls->certificate_store)
2080 goto out_free;
2081 }
2082
2083 tls->alertLevel = TLS_ALERT_LEVEL_WARNING;
2084 tls->alertDescription = TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY;
2085 return tls;
2086out_free:
2087 free(tls);
2088 return NULL;
2089}
2090
2091void freerdp_tls_free(rdpTls* tls)
2092{
2093 if (!tls)
2094 return;
2095
2096 tls_reset(tls);
2097
2098 if (tls->certificate_store)
2099 {
2100 freerdp_certificate_store_free(tls->certificate_store);
2101 tls->certificate_store = NULL;
2102 }
2103
2104 free(tls);
2105}
WINPR_JSON_IsString
WINPR_API BOOL WINPR_JSON_IsString(const WINPR_JSON *item)
Check if JSON item is of type String.
Definition c-json.c:182
WINPR_JSON_IsBool
WINPR_API BOOL WINPR_JSON_IsBool(const WINPR_JSON *item)
Check if JSON item is of type BOOL.
Definition c-json.c:167
WINPR_JSON_GetArrayItem
WINPR_API WINPR_JSON * WINPR_JSON_GetArrayItem(const WINPR_JSON *array, size_t index)
Return a pointer to an item in the array.
Definition c-json.c:108
WINPR_JSON_GetObjectItemCaseSensitive
WINPR_API WINPR_JSON * WINPR_JSON_GetObjectItemCaseSensitive(const WINPR_JSON *object, const char *string)
Same as WINPR_JSON_GetObjectItem but with case sensitive matching.
Definition c-json.c:127
WINPR_JSON_IsObject
WINPR_API BOOL WINPR_JSON_IsObject(const WINPR_JSON *item)
Check if JSON item is of type Object.
Definition c-json.c:192
WINPR_JSON_GetStringValue
WINPR_API const char * WINPR_JSON_GetStringValue(WINPR_JSON *item)
Return the String value of a JSON item.
Definition c-json.c:142
WINPR_JSON_Delete
WINPR_API void WINPR_JSON_Delete(WINPR_JSON *item)
Delete a WinPR JSON wrapper object.
Definition c-json.c:103
WINPR_JSON_GetArraySize
WINPR_API size_t WINPR_JSON_GetArraySize(const WINPR_JSON *array)
Get the number of arrayitems from an array.
Definition c-json.c:114
WINPR_JSON_IsArray
WINPR_API BOOL WINPR_JSON_IsArray(const WINPR_JSON *item)
Check if JSON item is of type Array.
Definition c-json.c:187
WINPR_JSON_IsTrue
WINPR_API BOOL WINPR_JSON_IsTrue(const WINPR_JSON *item)
Check if JSON item is BOOL value True.
Definition c-json.c:162
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
freerdp_settings_set_string
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3729
freerdp_settings_get_bool
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
freerdp_settings_get_uint16
FREERDP_API UINT16 freerdp_settings_get_uint16(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt16 id)
Returns a UINT16 settings value.
freerdp_settings_get_pointer_writable
FREERDP_API void * freerdp_settings_get_pointer_writable(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a mutable pointer settings value.
Definition settings_getters.c:4088
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition common/settings.c:1430
freerdp_settings_set_string_len
FREERDP_API BOOL freerdp_settings_set_string_len(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param, size_t len)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3723
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
freerdp_settings_get_string
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.
RTL_CRITICAL_SECTION
Definition include/winpr/synch.h:158
RTL_RUN_ONCE
Definition include/winpr/synch.h:359
SEC_CHANNEL_BINDINGS
Definition include/winpr/sspi.h:349
SecPkgContext_Bindings
Definition include/winpr/sspi.h:553