22 #include <freerdp/config.h>
24 #include "../core/settings.h"
26 #include <winpr/assert.h>
30 #include <winpr/crt.h>
31 #include <winpr/winpr.h>
32 #include <winpr/string.h>
33 #include <winpr/sspi.h>
34 #include <winpr/ssl.h>
35 #include <winpr/json.h>
37 #include <winpr/stream.h>
38 #include <freerdp/utils/ringbuffer.h>
40 #include <freerdp/crypto/certificate.h>
41 #include <freerdp/crypto/certificate_data.h>
42 #include <freerdp/utils/helpers.h>
44 #include <freerdp/log.h>
45 #include "../crypto/tls.h"
46 #include "../core/tcp.h"
48 #include "opensslcompat.h"
49 #include "certificate.h"
50 #include "privatekey.h"
52 #ifdef WINPR_HAVE_POLL_H
56 #ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H
57 #include <valgrind/memcheck.h>
60 #define TAG FREERDP_TAG("crypto")
90 static int tls_verify_certificate(rdpTls* tls,
const rdpCertificate* cert,
const char* hostname,
92 static void tls_print_certificate_name_mismatch_error(
const char* hostname, UINT16 port,
93 const char* common_name,
char** alt_names,
94 size_t alt_names_count);
95 static void tls_print_new_certificate_warn(rdpCertificateStore* store,
const char* hostname,
96 UINT16 port,
const char* fingerprint);
97 static void tls_print_certificate_error(rdpCertificateStore* store, rdpCertificateData* stored_data,
98 const char* hostname, UINT16 port,
const char* fingerprint);
100 static void free_tls_public_key(rdpTls* tls)
103 free(tls->PublicKey);
104 tls->PublicKey = NULL;
105 tls->PublicKeyLength = 0;
108 static void free_tls_bindings(rdpTls* tls)
113 free(tls->Bindings->Bindings);
116 tls->Bindings = NULL;
119 static int bio_rdp_tls_write(BIO* bio,
const char* buf,
int size)
123 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
128 BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL);
129 EnterCriticalSection(&tls->lock);
130 status = SSL_write(tls->ssl, buf, size);
131 error = SSL_get_error(tls->ssl, status);
132 LeaveCriticalSection(&tls->lock);
139 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
142 case SSL_ERROR_WANT_WRITE:
143 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
146 case SSL_ERROR_WANT_READ:
147 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
150 case SSL_ERROR_WANT_X509_LOOKUP:
151 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
152 BIO_set_retry_reason(bio, BIO_RR_SSL_X509_LOOKUP);
155 case SSL_ERROR_WANT_CONNECT:
156 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
157 BIO_set_retry_reason(bio, BIO_RR_CONNECT);
160 case SSL_ERROR_SYSCALL:
161 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
165 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
175 static int bio_rdp_tls_read(BIO* bio,
char* buf,
int size)
179 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
184 BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL);
185 EnterCriticalSection(&tls->lock);
186 status = SSL_read(tls->ssl, buf, size);
187 error = SSL_get_error(tls->ssl, status);
188 LeaveCriticalSection(&tls->lock);
196 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
199 case SSL_ERROR_WANT_READ:
200 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
203 case SSL_ERROR_WANT_WRITE:
204 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
207 case SSL_ERROR_WANT_X509_LOOKUP:
208 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
209 BIO_set_retry_reason(bio, BIO_RR_SSL_X509_LOOKUP);
212 case SSL_ERROR_WANT_ACCEPT:
213 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
214 BIO_set_retry_reason(bio, BIO_RR_ACCEPT);
217 case SSL_ERROR_WANT_CONNECT:
218 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL);
219 BIO_set_retry_reason(bio, BIO_RR_CONNECT);
223 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
226 case SSL_ERROR_ZERO_RETURN:
227 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
230 case SSL_ERROR_SYSCALL:
231 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
238 #ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H
242 VALGRIND_MAKE_MEM_DEFINED(buf, status);
249 static int bio_rdp_tls_puts(BIO* bio,
const char* str)
254 const size_t size = strnlen(str, INT_MAX + 1UL);
258 return BIO_write(bio, str, (
int)size);
261 static int bio_rdp_tls_gets(BIO* bio,
char* str,
int size)
266 static long bio_rdp_tls_ctrl(BIO* bio,
int cmd,
long num,
void* ptr)
268 BIO* ssl_rbio = NULL;
269 BIO* ssl_wbio = NULL;
270 BIO* next_bio = NULL;
272 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
277 if (!tls->ssl && (cmd != BIO_C_SET_SSL))
280 next_bio = BIO_next(bio);
281 ssl_rbio = tls->ssl ? SSL_get_rbio(tls->ssl) : NULL;
282 ssl_wbio = tls->ssl ? SSL_get_wbio(tls->ssl) : NULL;
287 SSL_shutdown(tls->ssl);
289 if (SSL_in_connect_init(tls->ssl))
290 SSL_set_connect_state(tls->ssl);
291 else if (SSL_in_accept_init(tls->ssl))
292 SSL_set_accept_state(tls->ssl);
297 status = BIO_ctrl(next_bio, cmd, num, ptr);
299 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
306 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
313 case BIO_CTRL_SET_CALLBACK:
317 case BIO_CTRL_GET_CALLBACK:
324 void* vptr = WINPR_FUNC_PTR_CAST(SSL_get_info_callback(tls->ssl),
void*);
325 *((
void**)ptr) = vptr;
332 SSL_set_connect_state(tls->ssl);
334 SSL_set_accept_state(tls->ssl);
339 case BIO_CTRL_GET_CLOSE:
340 status = BIO_get_shutdown(bio);
343 case BIO_CTRL_SET_CLOSE:
344 BIO_set_shutdown(bio, (
int)num);
348 case BIO_CTRL_WPENDING:
349 status = BIO_ctrl(ssl_wbio, cmd, num, ptr);
352 case BIO_CTRL_PENDING:
353 status = SSL_pending(tls->ssl);
356 status = BIO_pending(ssl_rbio);
361 BIO_clear_retry_flags(bio);
362 status = BIO_ctrl(ssl_wbio, cmd, num, ptr);
364 WLog_DBG(TAG,
"BIO_ctrl returned %d", status);
365 BIO_copy_next_retry(bio);
370 if (next_bio && (next_bio != ssl_rbio))
372 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
373 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
374 SSL_set_bio(tls->ssl, next_bio, next_bio);
375 CRYPTO_add(&(bio->next_bio->references), 1, CRYPTO_LOCK_BIO);
381 BIO_up_ref(next_bio);
382 SSL_set_bio(tls->ssl, next_bio, next_bio);
394 if (ssl_rbio != ssl_wbio)
395 BIO_free_all(ssl_wbio);
397 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
398 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
401 CRYPTO_add(&(bio->next_bio->references), -1, CRYPTO_LOCK_BIO);
403 tls->ssl->wbio = tls->ssl->rbio = NULL;
406 SSL_set_bio(tls->ssl, NULL, NULL);
416 *((SSL**)ptr) = tls->ssl;
423 BIO_set_shutdown(bio, (
int)num);
427 tls->ssl = (SSL*)ptr;
428 ssl_rbio = SSL_get_rbio(tls->ssl);
434 BIO_push(ssl_rbio, next_bio);
436 BIO_set_next(bio, ssl_rbio);
437 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
438 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
439 CRYPTO_add(&(ssl_rbio->references), 1, CRYPTO_LOCK_BIO);
441 BIO_up_ref(ssl_rbio);
445 BIO_set_init(bio, 1);
449 case BIO_C_DO_STATE_MACHINE:
450 BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL);
451 BIO_set_retry_reason(bio, 0);
452 status = SSL_do_handshake(tls->ssl);
456 const int err = (status < INT32_MIN) ? INT32_MIN : (
int)status;
457 switch (SSL_get_error(tls->ssl, err))
459 case SSL_ERROR_WANT_READ:
460 BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
463 case SSL_ERROR_WANT_WRITE:
464 BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
467 case SSL_ERROR_WANT_CONNECT:
468 BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY);
469 BIO_set_retry_reason(bio, BIO_get_retry_reason(next_bio));
473 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
481 status = BIO_ctrl(ssl_rbio, cmd, num, ptr);
488 static int bio_rdp_tls_new(BIO* bio)
490 BIO_RDP_TLS* tls = NULL;
491 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
493 if (!(tls = calloc(1,
sizeof(BIO_RDP_TLS))))
496 InitializeCriticalSectionAndSpinCount(&tls->lock, 4000);
497 BIO_set_data(bio, (
void*)tls);
501 static int bio_rdp_tls_free(BIO* bio)
503 BIO_RDP_TLS* tls = NULL;
508 tls = (BIO_RDP_TLS*)BIO_get_data(bio);
513 BIO_set_data(bio, NULL);
514 if (BIO_get_shutdown(bio))
516 if (BIO_get_init(bio) && tls->ssl)
518 SSL_shutdown(tls->ssl);
522 BIO_set_init(bio, 0);
523 BIO_set_flags(bio, 0);
526 DeleteCriticalSection(&tls->lock);
532 static long bio_rdp_tls_callback_ctrl(BIO* bio,
int cmd, bio_info_cb* fp)
539 BIO_RDP_TLS* tls = (BIO_RDP_TLS*)BIO_get_data(bio);
546 case BIO_CTRL_SET_CALLBACK:
548 typedef void (*fkt_t)(
const SSL*, int, int);
554 fkt_t fkt = WINPR_FUNC_PTR_CAST(fp, fkt_t);
555 SSL_set_info_callback(tls->ssl, fkt);
561 status = BIO_callback_ctrl(SSL_get_rbio(tls->ssl), cmd, fp);
568 #define BIO_TYPE_RDP_TLS 68
570 static BIO_METHOD* BIO_s_rdp_tls(
void)
572 static BIO_METHOD* bio_methods = NULL;
574 if (bio_methods == NULL)
576 if (!(bio_methods = BIO_meth_new(BIO_TYPE_RDP_TLS,
"RdpTls")))
579 BIO_meth_set_write(bio_methods, bio_rdp_tls_write);
580 BIO_meth_set_read(bio_methods, bio_rdp_tls_read);
581 BIO_meth_set_puts(bio_methods, bio_rdp_tls_puts);
582 BIO_meth_set_gets(bio_methods, bio_rdp_tls_gets);
583 BIO_meth_set_ctrl(bio_methods, bio_rdp_tls_ctrl);
584 BIO_meth_set_create(bio_methods, bio_rdp_tls_new);
585 BIO_meth_set_destroy(bio_methods, bio_rdp_tls_free);
586 BIO_meth_set_callback_ctrl(bio_methods, bio_rdp_tls_callback_ctrl);
592 static BIO* BIO_new_rdp_tls(SSL_CTX* ctx,
int client)
596 bio = BIO_new(BIO_s_rdp_tls());
610 SSL_set_connect_state(ssl);
612 SSL_set_accept_state(ssl);
614 BIO_set_ssl(bio, ssl, BIO_CLOSE);
618 static rdpCertificate* tls_get_certificate(rdpTls* tls, BOOL peer)
620 X509* remote_cert = NULL;
623 remote_cert = SSL_get_peer_certificate(tls->ssl);
625 remote_cert = X509_dup(SSL_get_certificate(tls->ssl));
629 WLog_ERR(TAG,
"failed to get the server TLS certificate");
634 STACK_OF(X509)* chain = SSL_get_peer_cert_chain(tls->ssl);
635 rdpCertificate* cert = freerdp_certificate_new_from_x509(remote_cert, chain);
636 X509_free(remote_cert);
641 static const char* tls_get_server_name(rdpTls* tls)
643 return tls->serverName ? tls->serverName : tls->hostname;
646 #define TLS_SERVER_END_POINT "tls-server-end-point:"
650 size_t CertificateHashLength = 0;
651 BYTE* ChannelBindingToken = NULL;
653 const size_t PrefixLength = strnlen(TLS_SERVER_END_POINT, ARRAYSIZE(TLS_SERVER_END_POINT));
658 WINPR_MD_TYPE alg = freerdp_certificate_get_signature_alg(cert);
659 const char* hash = NULL;
665 hash = winpr_md_type_to_string(WINPR_MD_SHA256);
668 hash = winpr_md_type_to_string(alg);
674 char* CertificateHash = freerdp_certificate_get_hash(cert, hash, &CertificateHashLength);
675 if (!CertificateHash)
678 const size_t ChannelBindingTokenLength = PrefixLength + CertificateHashLength;
681 if (!ContextBindings)
685 if (slen > UINT32_MAX)
688 ContextBindings->BindingsLength = (UINT32)slen;
691 if (!ChannelBindings)
694 ContextBindings->Bindings = ChannelBindings;
695 ChannelBindings->cbApplicationDataLength = (UINT32)ChannelBindingTokenLength;
697 ChannelBindingToken = &((BYTE*)ChannelBindings)[ChannelBindings->dwApplicationDataOffset];
698 memcpy(ChannelBindingToken, TLS_SERVER_END_POINT, PrefixLength);
699 memcpy(ChannelBindingToken + PrefixLength, CertificateHash, CertificateHashLength);
700 free(CertificateHash);
701 return ContextBindings;
703 free(CertificateHash);
704 free(ContextBindings);
708 static INIT_ONCE secrets_file_idx_once = INIT_ONCE_STATIC_INIT;
709 static int secrets_file_idx = -1;
711 static BOOL CALLBACK secrets_file_init_cb(
PINIT_ONCE once, PVOID param, PVOID* context)
713 secrets_file_idx = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
715 return (secrets_file_idx != -1);
718 static void SSLCTX_keylog_cb(
const SSL* ssl,
const char* line)
722 if (secrets_file_idx == -1)
725 dfile = SSL_get_ex_data(ssl, secrets_file_idx);
728 FILE* f = winpr_fopen(dfile,
"a+");
731 (void)fwrite(line, strlen(line), 1, f);
732 (void)fwrite(
"\n", 1, 1, f);
738 static void tls_reset(rdpTls* tls)
744 SSL_CTX_free(tls->ctx);
751 BIO_free_all(tls->bio);
752 else if (tls->underlying)
753 BIO_free_all(tls->underlying);
755 tls->underlying = NULL;
757 free_tls_public_key(tls);
758 free_tls_bindings(tls);
761 #if OPENSSL_VERSION_NUMBER >= 0x010000000L
762 static BOOL tls_prepare(rdpTls* tls, BIO* underlying,
const SSL_METHOD* method,
int options,
765 static BOOL tls_prepare(rdpTls* tls, BIO* underlying, SSL_METHOD* method,
int options,
771 rdpSettings* settings = tls->context->settings;
772 WINPR_ASSERT(settings);
775 tls->ctx = SSL_CTX_new(method);
777 tls->underlying = underlying;
781 WLog_ERR(TAG,
"SSL_CTX_new failed");
785 SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
786 SSL_CTX_set_options(tls->ctx, options);
787 SSL_CTX_set_read_ahead(tls->ctx, 1);
788 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
790 if (!SSL_CTX_set_min_proto_version(tls->ctx, version))
792 WLog_ERR(TAG,
"SSL_CTX_set_min_proto_version %s failed", version);
796 if (!SSL_CTX_set_max_proto_version(tls->ctx, version))
798 WLog_ERR(TAG,
"SSL_CTX_set_max_proto_version %s failed", version);
802 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
803 SSL_CTX_set_security_level(tls->ctx, settings->TlsSecLevel);
806 if (settings->AllowedTlsCiphers)
808 if (!SSL_CTX_set_cipher_list(tls->ctx, settings->AllowedTlsCiphers))
810 WLog_ERR(TAG,
"SSL_CTX_set_cipher_list %s failed", settings->AllowedTlsCiphers);
815 tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);
817 if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
819 WLog_ERR(TAG,
"unable to retrieve the SSL of the connection");
823 if (settings->TlsSecretsFile)
825 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
826 InitOnceExecuteOnce(&secrets_file_idx_once, secrets_file_init_cb, NULL, NULL);
828 if (secrets_file_idx != -1)
830 SSL_set_ex_data(tls->ssl, secrets_file_idx, settings->TlsSecretsFile);
831 SSL_CTX_set_keylog_callback(tls->ctx, SSLCTX_keylog_cb);
834 WLog_WARN(TAG,
"Key-Logging not available - requires OpenSSL 1.1.1 or higher");
838 BIO_push(tls->bio, underlying);
842 static void adjustSslOptions(
int* options)
844 WINPR_ASSERT(options);
845 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
846 *options |= SSL_OP_NO_SSLv2;
847 *options |= SSL_OP_NO_SSLv3;
851 const SSL_METHOD* freerdp_tls_get_ssl_method(BOOL isDtls, BOOL isClient)
856 return DTLS_client_method();
857 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
858 return SSLv23_client_method();
860 return TLS_client_method();
865 return DTLS_server_method();
867 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
868 return SSLv23_server_method();
870 return TLS_server_method();
874 TlsHandshakeResult freerdp_tls_connect_ex(rdpTls* tls, BIO* underlying,
const SSL_METHOD* methods)
888 #ifdef SSL_OP_NO_COMPRESSION
889 options |= SSL_OP_NO_COMPRESSION;
897 options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
904 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
906 tls->isClientMode = TRUE;
907 adjustSslOptions(&options);
909 if (!tls_prepare(tls, underlying, methods, options, TRUE))
912 #if !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER)
913 const char* str = tls_get_server_name(tls);
914 void* ptr = WINPR_CAST_CONST_PTR_AWAY(str,
void*);
915 SSL_set_tlsext_host_name(tls->ssl, ptr);
918 return freerdp_tls_handshake(tls);
921 static int bio_err_print(
const char* str,
size_t len,
void* u)
924 WLog_Print(log, WLOG_ERROR,
"[BIO_do_handshake] %s [%" PRIuz
"]", str, len);
928 TlsHandshakeResult freerdp_tls_handshake(rdpTls* tls)
930 TlsHandshakeResult ret = TLS_HANDSHAKE_ERROR;
933 const long status = BIO_do_handshake(tls->bio);
936 if (!BIO_should_retry(tls->bio))
938 wLog* log = WLog_Get(TAG);
939 WLog_Print(log, WLOG_ERROR,
"BIO_do_handshake failed");
940 ERR_print_errors_cb(bio_err_print, log);
941 return TLS_HANDSHAKE_ERROR;
944 return TLS_HANDSHAKE_CONTINUE;
947 int verify_status = 0;
948 rdpCertificate* cert = tls_get_certificate(tls, tls->isClientMode);
952 WLog_ERR(TAG,
"tls_get_certificate failed to return the server certificate.");
953 return TLS_HANDSHAKE_ERROR;
958 free_tls_bindings(tls);
959 tls->Bindings = tls_get_channel_bindings(cert);
962 WLog_ERR(TAG,
"unable to retrieve bindings");
966 free_tls_public_key(tls);
967 if (!freerdp_certificate_get_public_key(cert, &tls->PublicKey, &tls->PublicKeyLength))
970 "freerdp_certificate_get_public_key failed to return the server public key.");
975 ret = TLS_HANDSHAKE_SUCCESS;
977 if (tls->isClientMode)
979 WINPR_ASSERT(tls->port <= UINT16_MAX);
981 tls_verify_certificate(tls, cert, tls_get_server_name(tls), (UINT16)tls->port);
983 if (verify_status < 1)
985 WLog_ERR(TAG,
"certificate not trusted, aborting.");
986 freerdp_tls_send_alert(tls);
987 ret = TLS_HANDSHAKE_VERIFY_ERROR;
992 freerdp_certificate_free(cert);
996 static int pollAndHandshake(rdpTls* tls)
1002 HANDLE
event = NULL;
1004 if (BIO_get_event(tls->bio, &event) < 0)
1006 WLog_ERR(TAG,
"unable to retrieve BIO associated event");
1012 WLog_ERR(TAG,
"unable to retrieve BIO event");
1016 status = WaitForSingleObjectEx(event, 50, TRUE);
1022 case WAIT_IO_COMPLETION:
1025 WLog_ERR(TAG,
"error during WaitForSingleObject(): 0x%08" PRIX32
"", status);
1029 TlsHandshakeResult result = freerdp_tls_handshake(tls);
1032 case TLS_HANDSHAKE_CONTINUE:
1034 case TLS_HANDSHAKE_SUCCESS:
1036 case TLS_HANDSHAKE_ERROR:
1037 case TLS_HANDSHAKE_VERIFY_ERROR:
1044 int freerdp_tls_connect(rdpTls* tls, BIO* underlying)
1046 const SSL_METHOD* method = freerdp_tls_get_ssl_method(FALSE, TRUE);
1049 TlsHandshakeResult result = freerdp_tls_connect_ex(tls, underlying, method);
1052 case TLS_HANDSHAKE_SUCCESS:
1054 case TLS_HANDSHAKE_CONTINUE:
1056 case TLS_HANDSHAKE_ERROR:
1057 case TLS_HANDSHAKE_VERIFY_ERROR:
1063 return pollAndHandshake(tls);
1066 #if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
1067 !defined(LIBRESSL_VERSION_NUMBER)
1068 static void tls_openssl_tlsext_debug_callback(SSL* s,
int client_server,
int type,
1069 unsigned char* data,
int len,
void* arg)
1071 if (type == TLSEXT_TYPE_server_name)
1073 WLog_DBG(TAG,
"Client uses SNI (extension disabled)");
1074 s->servername_done = 2;
1079 BOOL freerdp_tls_accept(rdpTls* tls, BIO* underlying, rdpSettings* settings)
1082 TlsHandshakeResult res =
1083 freerdp_tls_accept_ex(tls, underlying, settings, freerdp_tls_get_ssl_method(FALSE, FALSE));
1086 case TLS_HANDSHAKE_SUCCESS:
1088 case TLS_HANDSHAKE_CONTINUE:
1090 case TLS_HANDSHAKE_ERROR:
1091 case TLS_HANDSHAKE_VERIFY_ERROR:
1096 return pollAndHandshake(tls) > 0;
1099 TlsHandshakeResult freerdp_tls_accept_ex(rdpTls* tls, BIO* underlying, rdpSettings* settings,
1100 const SSL_METHOD* methods)
1113 options |= SSL_OP_NO_SSLv2;
1123 #ifdef SSL_OP_NO_COMPRESSION
1124 options |= SSL_OP_NO_COMPRESSION;
1132 options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
1139 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1147 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && (OPENSSL_VERSION_NUMBER < 0x30000000L) && \
1148 !defined(LIBRESSL_VERSION_NUMBER)
1149 options |= SSL_OP_NO_RENEGOTIATION;
1152 if (!tls_prepare(tls, underlying, methods, options, FALSE))
1153 return TLS_HANDSHAKE_ERROR;
1158 WLog_ERR(TAG,
"invalid private key");
1159 return TLS_HANDSHAKE_ERROR;
1162 EVP_PKEY* privkey = freerdp_key_get_evp_pkey(key);
1165 WLog_ERR(TAG,
"invalid private key");
1166 return TLS_HANDSHAKE_ERROR;
1169 status = SSL_use_PrivateKey(tls->ssl, privkey);
1174 EVP_PKEY_free(privkey);
1178 WLog_ERR(TAG,
"SSL_CTX_use_PrivateKey_file failed");
1179 return TLS_HANDSHAKE_ERROR;
1182 rdpCertificate* cert =
1186 WLog_ERR(TAG,
"invalid certificate");
1187 return TLS_HANDSHAKE_ERROR;
1190 status = SSL_use_certificate(tls->ssl, freerdp_certificate_get_x509(cert));
1194 WLog_ERR(TAG,
"SSL_use_certificate_file failed");
1195 return TLS_HANDSHAKE_ERROR;
1198 #if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
1199 !defined(LIBRESSL_VERSION_NUMBER)
1200 SSL_set_tlsext_debug_callback(tls->ssl, tls_openssl_tlsext_debug_callback);
1203 return freerdp_tls_handshake(tls);
1206 BOOL freerdp_tls_send_alert(rdpTls* tls)
1220 #if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x10100000L)) || \
1221 (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x2080300fL))
1223 if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
1234 SSL_SESSION* ssl_session = SSL_get_session(tls->ssl);
1235 SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(tls->ssl);
1236 SSL_set_quiet_shutdown(tls->ssl, 1);
1238 if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (ssl_session))
1239 SSL_CTX_remove_session(ssl_ctx, ssl_session);
1241 tls->ssl->s3->alert_dispatch = 1;
1242 tls->ssl->s3->send_alert[0] = tls->alertLevel;
1243 tls->ssl->s3->send_alert[1] = tls->alertDescription;
1245 if (tls->ssl->s3->wbuf.left == 0)
1246 tls->ssl->method->ssl_dispatch_alert(tls->ssl);
1253 int freerdp_tls_write_all(rdpTls* tls,
const BYTE* data,
size_t length)
1257 BIO* bio = tls->bio;
1259 if (length > INT32_MAX)
1262 while (offset < length)
1265 const int status = BIO_write(bio, &data[offset], (
int)(length - offset));
1268 offset += (size_t)status;
1271 if (!BIO_should_retry(bio))
1274 if (BIO_write_blocked(bio))
1276 const long rc = BIO_wait_write(bio, 100);
1280 else if (BIO_read_blocked(bio))
1290 int freerdp_tls_set_alert_code(rdpTls* tls,
int level,
int description)
1293 tls->alertLevel = level;
1294 tls->alertDescription = description;
1298 static BOOL tls_match_hostname(
const char* pattern,
const size_t pattern_length,
1299 const char* hostname)
1301 if (strlen(hostname) == pattern_length)
1303 if (_strnicmp(hostname, pattern, pattern_length) == 0)
1307 if ((pattern_length > 2) && (pattern[0] ==
'*') && (pattern[1] ==
'.') &&
1308 ((strlen(hostname)) >= pattern_length))
1310 const char* check_hostname = &hostname[strlen(hostname) - pattern_length + 1];
1312 if (_strnicmp(check_hostname, &pattern[1], pattern_length - 1) == 0)
1321 static BOOL is_redirected(rdpTls* tls)
1323 rdpSettings* settings = tls->context->settings;
1325 if (LB_NOREDIRECT & settings->RedirectionFlags)
1328 return settings->RedirectionFlags != 0;
1331 static BOOL is_accepted(rdpTls* tls,
const rdpCertificate* cert)
1334 WINPR_ASSERT(tls->context);
1336 rdpSettings* settings = tls->context->settings;
1337 WINPR_ASSERT(settings);
1339 FreeRDP_Settings_Keys_String keyAccepted = FreeRDP_AcceptedCert;
1340 FreeRDP_Settings_Keys_UInt32 keyLength = FreeRDP_AcceptedCertLength;
1342 if (tls->isGatewayTransport)
1344 keyAccepted = FreeRDP_GatewayAcceptedCert;
1345 keyLength = FreeRDP_GatewayAcceptedCertLength;
1347 else if (is_redirected(tls))
1349 keyAccepted = FreeRDP_RedirectionAcceptedCert;
1350 keyLength = FreeRDP_RedirectionAcceptedCertLength;
1356 if ((AcceptedKeyLength > 0) && AcceptedKey)
1358 BOOL accepted = FALSE;
1359 size_t pemLength = 0;
1360 char* pem = freerdp_certificate_get_pem_ex(cert, &pemLength, FALSE);
1361 if (pem && (AcceptedKeyLength == pemLength))
1363 if (memcmp(AcceptedKey, pem, AcceptedKeyLength) == 0)
1377 static BOOL compare_fingerprint(
const char* fp,
const char* hash,
const rdpCertificate* cert,
1381 char* strhash = NULL;
1387 strhash = freerdp_certificate_get_fingerprint_by_hash_ex(cert, hash, separator);
1391 equal = (_stricmp(strhash, fp) == 0);
1396 static BOOL compare_fingerprint_all(
const char* fp,
const char* hash,
const rdpCertificate* cert)
1401 if (compare_fingerprint(fp, hash, cert, FALSE))
1403 if (compare_fingerprint(fp, hash, cert, TRUE))
1408 static BOOL is_accepted_fingerprint(
const rdpCertificate* cert,
1409 const char* CertificateAcceptedFingerprints)
1414 if (CertificateAcceptedFingerprints)
1416 char* context = NULL;
1417 char* copy = _strdup(CertificateAcceptedFingerprints);
1418 char* cur = strtok_s(copy,
",", &context);
1421 char* subcontext = NULL;
1422 const char* h = strtok_s(cur,
":", &subcontext);
1427 const char* fp = h + strlen(h) + 1;
1428 if (compare_fingerprint_all(fp, h, cert))
1434 cur = strtok_s(NULL,
",", &context);
1442 static BOOL accept_cert(rdpTls* tls,
const rdpCertificate* cert)
1445 WINPR_ASSERT(tls->context);
1448 FreeRDP_Settings_Keys_String
id = FreeRDP_AcceptedCert;
1449 FreeRDP_Settings_Keys_UInt32 lid = FreeRDP_AcceptedCertLength;
1451 rdpSettings* settings = tls->context->settings;
1452 WINPR_ASSERT(settings);
1454 if (tls->isGatewayTransport)
1456 id = FreeRDP_GatewayAcceptedCert;
1457 lid = FreeRDP_GatewayAcceptedCertLength;
1459 else if (is_redirected(tls))
1461 id = FreeRDP_RedirectionAcceptedCert;
1462 lid = FreeRDP_RedirectionAcceptedCertLength;
1465 size_t pemLength = 0;
1466 char* pem = freerdp_certificate_get_pem_ex(cert, &pemLength, FALSE);
1468 if (pemLength <= UINT32_MAX)
1477 static BOOL tls_extract_full_pem(
const rdpCertificate* cert, BYTE** PublicKey,
1478 size_t* PublicKeyLength)
1480 if (!cert || !PublicKey)
1482 *PublicKey = (BYTE*)freerdp_certificate_get_pem(cert, PublicKeyLength);
1483 return *PublicKey != NULL;
1486 static int tls_config_parse_bool(WINPR_JSON* json,
const char* opt)
1497 static char* tls_config_read(
const char* configfile)
1500 FILE* fp = winpr_fopen(configfile,
"r");
1504 const int rc = fseek(fp, 0, SEEK_END);
1508 const INT64 size = _ftelli64(fp);
1512 const int rc2 = fseek(fp, 0, SEEK_SET);
1516 data = calloc((
size_t)size + 1,
sizeof(
char));
1520 const size_t read = fread(data, 1, (
size_t)size, fp);
1521 if (read != (
size_t)size)
1533 static int tls_config_check_allowed_hashed(
const char* configfile,
const rdpCertificate* cert,
1536 WINPR_ASSERT(configfile);
1550 "[%s] invalid certificate-db entry at position %" PRIuz
": not a JSON object",
1559 "[%s] invalid certificate-db entry at position %" PRIuz
1560 ": invalid 'type' element, expected type string",
1568 "[%s] invalid certificate-db entry at position %" PRIuz
1569 ": invalid 'hash' element, expected type string",
1577 char* hash = freerdp_certificate_get_fingerprint_by_hash_ex(cert, skey, FALSE);
1581 "[%s] invalid certificate-db entry at position %" PRIuz
1582 ": hash type '%s' not supported by certificate",
1583 configfile, x, skey);
1587 const int cmp = _stricmp(hash, sval);
1597 static int tls_config_check_certificate(
const rdpCertificate* cert, BOOL* pAllowUserconfig)
1600 WINPR_ASSERT(pAllowUserconfig);
1603 char* configfile = freerdp_GetConfigFilePath(TRUE,
"certificates.json");
1604 WINPR_JSON* json = NULL;
1608 WLog_DBG(TAG,
"No configuration file for certificate handling, asking user");
1612 char* configdata = tls_config_read(configfile);
1615 WLog_DBG(TAG,
"Configuration file for certificate handling, asking user");
1621 WLog_DBG(TAG,
"No valid configuration file '%s' for certificate handling, asking user",
1626 if (tls_config_parse_bool(json,
"deny") > 0)
1628 WLog_WARN(TAG,
"[%s] certificate denied by configuration", configfile);
1633 if (tls_config_parse_bool(json,
"ignore") > 0)
1635 WLog_WARN(TAG,
"[%s] certificate ignored by configuration", configfile);
1640 if (tls_config_check_allowed_hashed(configfile, cert, json) > 0)
1642 WLog_WARN(TAG,
"[%s] certificate manually accepted by configuration", configfile);
1647 if (tls_config_parse_bool(json,
"deny-userconfig") > 0)
1649 WLog_WARN(TAG,
"[%s] configuration denies user to accept certificates", configfile);
1656 *pAllowUserconfig = (rc == 0);
1662 int tls_verify_certificate(rdpTls* tls,
const rdpCertificate* cert,
const char* hostname,
1667 BOOL certificate_status = 0;
1668 char* common_name = NULL;
1669 size_t common_name_length = 0;
1670 char** dns_names = 0;
1671 size_t dns_names_count = 0;
1672 size_t* dns_names_lengths = NULL;
1673 int verification_status = -1;
1674 BOOL hostname_match = FALSE;
1675 rdpCertificateData* certificate_data = NULL;
1676 BYTE* pemCert = NULL;
1677 DWORD flags = VERIFY_CERT_FLAG_NONE;
1678 freerdp* instance = NULL;
1681 WINPR_ASSERT(tls->context->settings);
1683 instance = (freerdp*)tls->context->settings->instance;
1684 WINPR_ASSERT(instance);
1686 if (freerdp_shall_disconnect_context(instance->context))
1689 if (!tls_extract_full_pem(cert, &pemCert, &length))
1693 if (is_accepted(tls, cert))
1695 verification_status = 1;
1699 if (is_accepted_fingerprint(cert, tls->context->settings->CertificateAcceptedFingerprints))
1701 verification_status = 1;
1705 if (tls->isGatewayTransport || is_redirected(tls))
1706 flags |= VERIFY_CERT_FLAG_LEGACY;
1708 if (tls->isGatewayTransport)
1709 flags |= VERIFY_CERT_FLAG_GATEWAY;
1711 if (is_redirected(tls))
1712 flags |= VERIFY_CERT_FLAG_REDIRECT;
1715 if (tls->context->settings->ExternalCertificateManagement)
1717 if (instance->VerifyX509Certificate)
1718 verification_status =
1719 instance->VerifyX509Certificate(instance, pemCert, length, hostname, port, flags);
1721 WLog_ERR(TAG,
"No VerifyX509Certificate callback registered!");
1723 if (verification_status > 0)
1724 accept_cert(tls, cert);
1725 else if (verification_status < 0)
1727 WLog_ERR(TAG,
"VerifyX509Certificate failed: (length = %" PRIuz
") status: [%d] %s",
1728 length, verification_status, pemCert);
1733 else if (tls->context->settings->IgnoreCertificate)
1734 verification_status = 1;
1735 else if (!tls->isGatewayTransport && (tls->context->settings->AuthenticationLevel == 0))
1736 verification_status = 1;
1740 if (!tls->isGatewayTransport && tls->context->settings->CertificateName)
1741 hostname = tls->context->settings->CertificateName;
1744 certificate_status = freerdp_certificate_verify(
1745 cert, freerdp_certificate_store_get_certs_path(tls->certificate_store));
1747 certificate_data = freerdp_certificate_data_new(hostname, port, cert);
1748 if (!certificate_data)
1751 common_name = freerdp_certificate_get_common_name(cert, &common_name_length);
1752 dns_names = freerdp_certificate_get_dns_names(cert, &dns_names_count, &dns_names_lengths);
1758 if (tls_match_hostname(common_name, common_name_length, hostname))
1759 hostname_match = TRUE;
1766 for (
size_t index = 0; index < dns_names_count; index++)
1768 if (tls_match_hostname(dns_names[index], dns_names_lengths[index], hostname))
1770 hostname_match = TRUE;
1778 if (certificate_status && hostname_match)
1779 verification_status = 1;
1781 if (!hostname_match)
1782 flags |= VERIFY_CERT_FLAG_MISMATCH;
1784 BOOL allowUserconfig = TRUE;
1785 if (!certificate_status || !hostname_match)
1786 verification_status = tls_config_check_certificate(cert, &allowUserconfig);
1790 if (allowUserconfig && (!certificate_status || !hostname_match))
1792 DWORD accept_certificate = 0;
1793 size_t pem_length = 0;
1794 char* issuer = freerdp_certificate_get_issuer(cert);
1795 char* subject = freerdp_certificate_get_subject(cert);
1796 char* pem = freerdp_certificate_get_pem(cert, &pem_length);
1803 freerdp_certificate_store_contains_data(tls->certificate_store, certificate_data);
1809 if (!hostname_match)
1810 tls_print_certificate_name_mismatch_error(hostname, port, common_name,
1811 dns_names, dns_names_count);
1814 char* efp = freerdp_certificate_get_fingerprint(cert);
1815 tls_print_new_certificate_warn(tls->certificate_store, hostname, port, efp);
1820 if (tls->context->settings->AutoAcceptCertificate)
1822 WLog_INFO(TAG,
"No certificate stored, automatically accepting.");
1823 accept_certificate = 1;
1825 else if (tls->context->settings->AutoDenyCertificate)
1827 WLog_INFO(TAG,
"No certificate stored, automatically denying.");
1828 accept_certificate = 0;
1830 else if (instance->VerifyX509Certificate)
1832 int rc = instance->VerifyX509Certificate(instance, pemCert, pem_length,
1833 hostname, port, flags);
1836 accept_certificate = 1;
1838 accept_certificate = 2;
1840 accept_certificate = 0;
1842 else if (instance->VerifyCertificateEx)
1845 tls->context->settings, FreeRDP_CertificateCallbackPreferPEM);
1847 DWORD cflags = flags;
1850 cflags |= VERIFY_CERT_FLAG_FP_IS_PEM;
1854 fp = freerdp_certificate_get_fingerprint(cert);
1855 accept_certificate = instance->VerifyCertificateEx(
1856 instance, hostname, port, common_name, subject, issuer, fp, cflags);
1860 #if defined(WITH_FREERDP_DEPRECATED)
1861 else if (instance->VerifyCertificate)
1863 char* fp = freerdp_certificate_get_fingerprint(cert);
1865 WLog_WARN(TAG,
"The VerifyCertificate callback is deprecated, migrate your "
1866 "application to VerifyCertificateEx");
1867 accept_certificate = instance->VerifyCertificate(instance, common_name, subject,
1868 issuer, fp, !hostname_match);
1873 else if (match == -1)
1875 rdpCertificateData* stored_data =
1876 freerdp_certificate_store_load_data(tls->certificate_store, hostname, port);
1880 char* efp = freerdp_certificate_get_fingerprint(cert);
1881 tls_print_certificate_error(tls->certificate_store, stored_data, hostname, port,
1887 WLog_WARN(TAG,
"Failed to get certificate entry for %s:%" PRIu16
"", hostname,
1890 if (tls->context->settings->AutoDenyCertificate)
1892 WLog_INFO(TAG,
"No certificate stored, automatically denying.");
1893 accept_certificate = 0;
1895 else if (instance->VerifyX509Certificate)
1898 instance->VerifyX509Certificate(instance, pemCert, pem_length, hostname,
1899 port, flags | VERIFY_CERT_FLAG_CHANGED);
1902 accept_certificate = 1;
1904 accept_certificate = 2;
1906 accept_certificate = 0;
1908 else if (instance->VerifyChangedCertificateEx)
1910 DWORD cflags = flags | VERIFY_CERT_FLAG_CHANGED;
1911 const char* old_subject = freerdp_certificate_data_get_subject(stored_data);
1912 const char* old_issuer = freerdp_certificate_data_get_issuer(stored_data);
1913 const char* old_fp = freerdp_certificate_data_get_fingerprint(stored_data);
1914 const char* old_pem = freerdp_certificate_data_get_pem(stored_data);
1915 const BOOL fpIsAllocated =
1918 FreeRDP_CertificateCallbackPreferPEM);
1922 cflags |= VERIFY_CERT_FLAG_FP_IS_PEM;
1928 fp = freerdp_certificate_get_fingerprint(cert);
1930 accept_certificate = instance->VerifyChangedCertificateEx(
1931 instance, hostname, port, common_name, subject, issuer, fp, old_subject,
1932 old_issuer, old_fp, cflags);
1936 #if defined(WITH_FREERDP_DEPRECATED)
1937 else if (instance->VerifyChangedCertificate)
1939 char* fp = freerdp_certificate_get_fingerprint(cert);
1940 const char* old_subject = freerdp_certificate_data_get_subject(stored_data);
1941 const char* old_issuer = freerdp_certificate_data_get_issuer(stored_data);
1942 const char* old_fingerprint =
1943 freerdp_certificate_data_get_fingerprint(stored_data);
1945 WLog_WARN(TAG,
"The VerifyChangedCertificate callback is deprecated, migrate "
1946 "your application to VerifyChangedCertificateEx");
1947 accept_certificate = instance->VerifyChangedCertificate(
1948 instance, common_name, subject, issuer, fp, old_subject, old_issuer,
1954 freerdp_certificate_data_free(stored_data);
1956 else if (match == 0)
1957 accept_certificate = 2;
1960 switch (accept_certificate)
1965 verification_status = freerdp_certificate_store_save_data(
1966 tls->certificate_store, certificate_data)
1973 verification_status = 1;
1978 verification_status = -1;
1987 if (verification_status > 0)
1988 accept_cert(tls, cert);
1992 freerdp_certificate_data_free(certificate_data);
1994 freerdp_certificate_free_dns_names(dns_names_count, dns_names_lengths, dns_names);
1996 return verification_status;
1999 void tls_print_new_certificate_warn(rdpCertificateStore* store,
const char* hostname, UINT16 port,
2000 const char* fingerprint)
2002 char* path = freerdp_certificate_store_get_cert_path(store, hostname, port);
2004 WLog_ERR(TAG,
"The host key for %s:%" PRIu16
" has changed", hostname, port);
2005 WLog_ERR(TAG,
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2006 WLog_ERR(TAG,
"@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
2007 WLog_ERR(TAG,
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2008 WLog_ERR(TAG,
"IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
2009 WLog_ERR(TAG,
"Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
2010 WLog_ERR(TAG,
"It is also possible that a host key has just been changed.");
2011 WLog_ERR(TAG,
"The fingerprint for the host key sent by the remote host is %s", fingerprint);
2012 WLog_ERR(TAG,
"Please contact your system administrator.");
2013 WLog_ERR(TAG,
"Add correct host key in %s to get rid of this message.", path);
2014 WLog_ERR(TAG,
"Host key for %s has changed and you have requested strict checking.", hostname);
2015 WLog_ERR(TAG,
"Host key verification failed.");
2020 void tls_print_certificate_error(rdpCertificateStore* store, rdpCertificateData* stored_data,
2021 const char* hostname, UINT16 port,
const char* fingerprint)
2023 char* path = freerdp_certificate_store_get_cert_path(store, hostname, port);
2025 WLog_ERR(TAG,
"New host key for %s:%" PRIu16, hostname, port);
2026 WLog_ERR(TAG,
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2027 WLog_ERR(TAG,
"@ WARNING: NEW HOST IDENTIFICATION! @");
2028 WLog_ERR(TAG,
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2030 WLog_ERR(TAG,
"The fingerprint for the host key sent by the remote host is %s", fingerprint);
2031 WLog_ERR(TAG,
"Please contact your system administrator.");
2032 WLog_ERR(TAG,
"Add correct host key in %s to get rid of this message.", path);
2037 void tls_print_certificate_name_mismatch_error(
const char* hostname, UINT16 port,
2038 const char* common_name,
char** alt_names,
2039 size_t alt_names_count)
2041 WINPR_ASSERT(NULL != hostname);
2042 WLog_ERR(TAG,
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2043 WLog_ERR(TAG,
"@ WARNING: CERTIFICATE NAME MISMATCH! @");
2044 WLog_ERR(TAG,
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
2045 WLog_ERR(TAG,
"The hostname used for this connection (%s:%" PRIu16
") ", hostname, port);
2046 WLog_ERR(TAG,
"does not match %s given in the certificate:",
2047 alt_names_count < 1 ?
"the name" :
"any of the names");
2048 WLog_ERR(TAG,
"Common Name (CN):");
2049 WLog_ERR(TAG,
"\t%s", common_name ? common_name :
"no CN found in certificate");
2051 if (alt_names_count > 0)
2053 WINPR_ASSERT(NULL != alt_names);
2054 WLog_ERR(TAG,
"Alternative names:");
2056 for (
size_t index = 0; index < alt_names_count; index++)
2058 WINPR_ASSERT(alt_names[index]);
2059 WLog_ERR(TAG,
"\t %s", alt_names[index]);
2063 WLog_ERR(TAG,
"A valid certificate for the wrong name should NOT be trusted!");
2066 rdpTls* freerdp_tls_new(rdpContext* context)
2069 tls = (rdpTls*)calloc(1,
sizeof(rdpTls));
2074 tls->context = context;
2078 tls->certificate_store = freerdp_certificate_store_new(tls->context->settings);
2080 if (!tls->certificate_store)
2084 tls->alertLevel = TLS_ALERT_LEVEL_WARNING;
2085 tls->alertDescription = TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY;
2092 void freerdp_tls_free(rdpTls* tls)
2099 if (tls->certificate_store)
2101 freerdp_certificate_store_free(tls->certificate_store);
2102 tls->certificate_store = NULL;
WINPR_API BOOL WINPR_JSON_IsString(const WINPR_JSON *item)
Check if JSON item is of type String.
WINPR_API BOOL WINPR_JSON_IsBool(const WINPR_JSON *item)
Check if JSON item is of type BOOL.
WINPR_API WINPR_JSON * WINPR_JSON_Parse(const char *value)
Parse a '\0' terminated JSON string.
WINPR_API BOOL WINPR_JSON_IsObject(const WINPR_JSON *item)
Check if JSON item is of type Object.
WINPR_API WINPR_JSON * WINPR_JSON_GetArrayItem(const WINPR_JSON *array, size_t index)
Return a pointer to an item in the array.
WINPR_API void WINPR_JSON_Delete(WINPR_JSON *item)
Delete a WinPR JSON wrapper object.
WINPR_API WINPR_JSON * WINPR_JSON_GetObjectItem(const WINPR_JSON *object, const char *string)
Return a pointer to an JSON object item.
WINPR_API size_t WINPR_JSON_GetArraySize(const WINPR_JSON *array)
Get the number of arrayitems from an array.
WINPR_API BOOL WINPR_JSON_IsArray(const WINPR_JSON *item)
Check if JSON item is of type Array.
WINPR_API const char * WINPR_JSON_GetStringValue(WINPR_JSON *item)
Return the String value of a JSON item.
WINPR_API BOOL WINPR_JSON_IsTrue(const WINPR_JSON *item)
Check if JSON item is BOOL value True.
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.
FREERDP_API UINT16 freerdp_settings_get_uint16(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt16 id)
Returns a UINT16 settings value.
FREERDP_API BOOL freerdp_settings_set_string_len(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param, size_t len)
Sets a string settings value. The param is copied.
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
FREERDP_API void * freerdp_settings_get_pointer_writable(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a mutable pointer settings value.
1.9.1