From 53fa7e1e996f23818e17ab59f1cb1849c533472d Mon Sep 17 00:00:00 2001
|
|
|
24c59a |
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?= <marcandre.moreau@gmail.com>
|
|
|
24c59a |
Date: Sun, 12 Feb 2012 12:46:53 -0500
|
|
|
24c59a |
Subject: [PATCH 1/5] libfreerdp-core: verify TLS certificate with both TLS and
|
|
|
24c59a |
NLA
|
|
|
24c59a |
|
|
|
24c59a |
---
|
|
|
24c59a |
libfreerdp-core/credssp.c | 44 ++++++++------------------------------------
|
|
|
24c59a |
libfreerdp-core/credssp.h | 1 -
|
|
|
24c59a |
libfreerdp-core/nego.c | 5 ++++-
|
|
|
24c59a |
libfreerdp-core/tls.c | 19 +++++++++++++++++++
|
|
|
24c59a |
libfreerdp-core/tls.h | 2 ++
|
|
|
24c59a |
libfreerdp-core/transport.c | 1 +
|
|
|
24c59a |
6 files changed, 34 insertions(+), 38 deletions(-)
|
|
|
24c59a |
|
|
|
24c59a |
diff --git a/libfreerdp-core/credssp.c b/libfreerdp-core/credssp.c
|
|
|
24c59a |
index e269a21..6ef40e1 100644
|
|
|
24c59a |
--- a/libfreerdp-core/credssp.c
|
|
|
24c59a |
+++ b/libfreerdp-core/credssp.c
|
|
|
24c59a |
@@ -119,33 +119,6 @@ int credssp_ntlmssp_init(rdpCredssp* credssp)
|
|
|
24c59a |
}
|
|
|
24c59a |
|
|
|
24c59a |
/**
|
|
|
24c59a |
- * Get TLS public key.
|
|
|
24c59a |
- * @param credssp
|
|
|
24c59a |
- */
|
|
|
24c59a |
-
|
|
|
24c59a |
-int credssp_get_public_key(rdpCredssp* credssp)
|
|
|
24c59a |
-{
|
|
|
24c59a |
- int status;
|
|
|
24c59a |
- CryptoCert cert;
|
|
|
24c59a |
-
|
|
|
24c59a |
- cert = tls_get_certificate(credssp->transport->tls);
|
|
|
24c59a |
-
|
|
|
24c59a |
- if (cert == NULL)
|
|
|
24c59a |
- {
|
|
|
24c59a |
- printf("credssp_get_public_key: tls_get_certificate failed to return the server certificate.\n");
|
|
|
24c59a |
- return 0;
|
|
|
24c59a |
- }
|
|
|
24c59a |
-
|
|
|
24c59a |
- if (!tls_verify_certificate(credssp->transport->tls, cert, credssp->transport->settings->hostname))
|
|
|
24c59a |
- tls_disconnect(credssp->transport->tls);
|
|
|
24c59a |
-
|
|
|
24c59a |
- status = crypto_cert_get_public_key(cert, &credssp->public_key);
|
|
|
24c59a |
- crypto_cert_free(cert);
|
|
|
24c59a |
-
|
|
|
24c59a |
- return status;
|
|
|
24c59a |
-}
|
|
|
24c59a |
-
|
|
|
24c59a |
-/**
|
|
|
24c59a |
* Authenticate with server using CredSSP.
|
|
|
24c59a |
* @param credssp
|
|
|
24c59a |
* @return 1 if authentication is successful
|
|
|
24c59a |
@@ -160,9 +133,6 @@ int credssp_authenticate(rdpCredssp* credssp)
|
|
|
24c59a |
if (credssp_ntlmssp_init(credssp) == 0)
|
|
|
24c59a |
return 0;
|
|
|
24c59a |
|
|
|
24c59a |
- if (credssp_get_public_key(credssp) == 0)
|
|
|
24c59a |
- return 0;
|
|
|
24c59a |
-
|
|
|
24c59a |
/* NTLMSSP NEGOTIATE MESSAGE */
|
|
|
24c59a |
stream_attach(s, negoTokenBuffer, 2048);
|
|
|
24c59a |
ntlmssp_send(ntlmssp, s);
|
|
|
24c59a |
@@ -223,16 +193,18 @@ int credssp_authenticate(rdpCredssp* credssp)
|
|
|
24c59a |
void credssp_encrypt_public_key(rdpCredssp* credssp, rdpBlob* d)
|
|
|
24c59a |
{
|
|
|
24c59a |
uint8* p;
|
|
|
24c59a |
+ rdpTls* tls;
|
|
|
24c59a |
uint8 signature[16];
|
|
|
24c59a |
rdpBlob encrypted_public_key;
|
|
|
24c59a |
NTLMSSP *ntlmssp = credssp->ntlmssp;
|
|
|
24c59a |
+ tls = credssp->transport->tls;
|
|
|
24c59a |
|
|
|
24c59a |
- freerdp_blob_alloc(d, credssp->public_key.length + 16);
|
|
|
24c59a |
- ntlmssp_encrypt_message(ntlmssp, &credssp->public_key, &encrypted_public_key, signature);
|
|
|
24c59a |
+ freerdp_blob_alloc(d, tls->public_key.length + 16);
|
|
|
24c59a |
+ ntlmssp_encrypt_message(ntlmssp, &tls->public_key, &encrypted_public_key, signature);
|
|
|
24c59a |
|
|
|
24c59a |
#ifdef WITH_DEBUG_NLA
|
|
|
24c59a |
- printf("Public Key (length = %d)\n", credssp->public_key.length);
|
|
|
24c59a |
- freerdp_hexdump(credssp->public_key.data, credssp->public_key.length);
|
|
|
24c59a |
+ printf("Public Key (length = %d)\n", tls->public_key.length);
|
|
|
24c59a |
+ freerdp_hexdump(tls->public_key.data, tls->public_key.length);
|
|
|
24c59a |
printf("\n");
|
|
|
24c59a |
|
|
|
24c59a |
printf("Encrypted Public Key (length = %d)\n", encrypted_public_key.length);
|
|
|
24c59a |
@@ -264,6 +236,7 @@ int credssp_verify_public_key(rdpCredssp* credssp, rdpBlob* d)
|
|
|
24c59a |
uint8* signature;
|
|
|
24c59a |
rdpBlob public_key;
|
|
|
24c59a |
rdpBlob encrypted_public_key;
|
|
|
24c59a |
+ rdpTls* tls = credssp->transport->tls;
|
|
|
24c59a |
|
|
|
24c59a |
signature = d->data;
|
|
|
24c59a |
encrypted_public_key.data = (void*) (signature + 16);
|
|
|
24c59a |
@@ -271,7 +244,7 @@ int credssp_verify_public_key(rdpCredssp* credssp, rdpBlob* d)
|
|
|
24c59a |
|
|
|
24c59a |
ntlmssp_decrypt_message(credssp->ntlmssp, &encrypted_public_key, &public_key, signature);
|
|
|
24c59a |
|
|
|
24c59a |
- p1 = (uint8*) credssp->public_key.data;
|
|
|
24c59a |
+ p1 = (uint8*) tls->public_key.data;
|
|
|
24c59a |
p2 = (uint8*) public_key.data;
|
|
|
24c59a |
|
|
|
24c59a |
p2[0]--;
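Review bot: `p2[0]--` modifies the first byte of the decrypted blob without anything in this hunk confirming that `public_key.length` matches `tls->public_key.length`, or is even non-zero; if ntlmssp_decrypt_message yields a shorter or empty buffer, the decrement and whatever comparison follows operate past the end of `public_key.data`. Unless the comparison that follows (outside this hunk) checks the lengths first, guard before the decrement with `if (public_key.length != tls->public_key.length) return 0;` (releasing `public_key` first if the decrypt routine allocates it — not visible here). The body of credssp_verify_public_key continues past the hunk.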
|
|
|
24c59a |
@@ -661,7 +634,6 @@ void credssp_free(rdpCredssp* credssp)
|
|
|
24c59a |
{
|
|
|
24c59a |
if (credssp != NULL)
|
|
|
24c59a |
{
|
|
|
24c59a |
- freerdp_blob_free(&credssp->public_key);
|
|
|
24c59a |
freerdp_blob_free(&credssp->ts_credentials);
|
|
|
24c59a |
|
|
|
24c59a |
ntlmssp_free(credssp->ntlmssp);
|
|
|
24c59a |
diff --git a/libfreerdp-core/credssp.h b/libfreerdp-core/credssp.h
|
|
|
24c59a |
index 3277425..d98554a 100644
|
|
|
24c59a |
--- a/libfreerdp-core/credssp.h
|
|
|
24c59a |
+++ b/libfreerdp-core/credssp.h
|
|
|
24c59a |
@@ -40,7 +40,6 @@ struct rdp_credssp
|
|
|
24c59a |
rdpBlob pubKeyAuth;
|
|
|
24c59a |
rdpBlob authInfo;
|
|
|
24c59a |
int send_seq_num;
|
|
|
24c59a |
- rdpBlob public_key;
|
|
|
24c59a |
rdpBlob ts_credentials;
|
|
|
24c59a |
rdpSettings* settings;
|
|
|
24c59a |
CryptoRc4 rc4_seal_state;
|
|
|
24c59a |
diff --git a/libfreerdp-core/nego.c b/libfreerdp-core/nego.c
|
|
|
24c59a |
index 7eb810b..ab4da37 100644
|
|
|
24c59a |
--- a/libfreerdp-core/nego.c
|
|
|
24c59a |
+++ b/libfreerdp-core/nego.c
|
|
|
24c59a |
@@ -256,8 +256,10 @@ void nego_attempt_rdp(rdpNego* nego)
|
|
|
24c59a |
boolean nego_recv_response(rdpNego* nego)
|
|
|
24c59a |
{
|
|
|
24c59a |
STREAM* s = transport_recv_stream_init(nego->transport, 1024);
|
|
|
24c59a |
+
|
|
|
24c59a |
if (transport_read(nego->transport, s) < 0)
|
|
|
24c59a |
return false;
|
|
|
24c59a |
+
|
|
|
24c59a |
return nego_recv(nego->transport, s, nego->transport->recv_extra);
|
|
|
24c59a |
}
|
|
|
24c59a |
|
|
|
24c59a |
@@ -319,6 +321,7 @@ boolean nego_read_request(rdpNego* nego, STREAM* s)
|
|
|
24c59a |
|
|
|
24c59a |
tpkt_read_header(s);
|
|
|
24c59a |
li = tpdu_read_connection_request(s);
|
|
|
24c59a |
+
|
|
|
24c59a |
if (li != stream_get_left(s) + 6)
|
|
|
24c59a |
{
|
|
|
24c59a |
printf("Incorrect TPDU length indicator.\n");
|
|
|
24c59a |
@@ -403,7 +406,7 @@ boolean nego_send_negotiation_request(rdpNego* nego)
|
|
|
24c59a |
{
|
|
|
24c59a |
int cookie_length = strlen(nego->cookie);
|
|
|
24c59a |
stream_write(s, "Cookie: mstshash=", 17);
|
|
|
24c59a |
- stream_write(s, (uint8*)nego->cookie, cookie_length);
|
|
|
24c59a |
+ stream_write(s, (uint8*) nego->cookie, cookie_length);
|
|
|
24c59a |
stream_write_uint8(s, 0x0D); /* CR */
|
|
|
24c59a |
stream_write_uint8(s, 0x0A); /* LF */
|
|
|
24c59a |
length += cookie_length + 19;
|
|
|
24c59a |
diff --git a/libfreerdp-core/tls.c b/libfreerdp-core/tls.c
|
|
|
24c59a |
index 106f9ca..942b430 100644
|
|
|
24c59a |
--- a/libfreerdp-core/tls.c
|
|
|
24c59a |
+++ b/libfreerdp-core/tls.c
|
|
|
24c59a |
@@ -66,6 +66,23 @@ boolean tls_connect(rdpTls* tls)
|
|
|
24c59a |
return false;
|
|
|
24c59a |
}
|
|
|
24c59a |
|
|
|
24c59a |
+ tls->cert = tls_get_certificate(tls);
|
|
|
24c59a |
+
|
|
|
24c59a |
+ if (tls->cert == NULL)
|
|
|
24c59a |
+ {
|
|
|
24c59a |
+ printf("tls_connect: tls_get_certificate failed to return the server certificate.\n");
|
|
|
24c59a |
+ return false;
|
|
|
24c59a |
+ }
|
|
|
24c59a |
+
|
|
|
24c59a |
+ if (!crypto_cert_get_public_key(tls->cert, &tls->public_key))
|
|
|
24c59a |
+ {
|
|
|
24c59a |
+ printf("tls_connect: crypto_cert_get_public_key failed to return the server public key.\n");
|
|
|
24c59a |
+ return false;
|
|
|
24c59a |
+ }
|
|
|
24c59a |
+
|
|
|
24c59a |
+ if (!tls_verify_certificate(tls, tls->cert, tls->settings->hostname))
|
|
|
24c59a |
+ tls_disconnect(tls);
|
|
|
24c59a |
+
|
|
|
24c59a |
return true;
|
|
|
24c59a |
}
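Review bot: When `tls_verify_certificate` rejects the server certificate, the new code only calls `tls_disconnect(tls)` and then falls through to `return true;`, so the caller sees a successful TLS connect on a session whose server identity was just rejected, with `tls->public_key` still populated from that untrusted certificate. The branch should fail the connect: `{ tls_disconnect(tls); return false; }`. The removed credssp_get_public_key had the same fall-through, so this is not a regression, but now that this one check is meant to cover both plain TLS and NLA it is the place to make rejection fatal. Note also that `tls->cert` is kept on the struct here, whereas the old code freed the certificate right after extracting the key; the matching release has to happen in tls_free.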
|
|
|
24c59a |
|
|
|
24c59a |
@@ -433,6 +450,8 @@ void tls_free(rdpTls* tls)
|
|
|
24c59a |
if (tls->ctx)
|
|
|
24c59a |
SSL_CTX_free(tls->ctx);
|
|
|
24c59a |
|
|
|
24c59a |
+ freerdp_blob_free(&tls->public_key);
|
|
|
24c59a |
+
|
|
|
24c59a |
certificate_store_free(tls->certificate_store);
|
|
|
24c59a |
|
|
|
24c59a |
xfree(tls);
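Review bot: `tls->cert`, which tls_connect now stores on the struct, is never released here; only `freerdp_blob_free(&tls->public_key)` is added, while the removed credssp_get_public_key freed the certificate with crypto_cert_free after extracting the key, so each session now leaks its server certificate. Add `if (tls->cert) crypto_cert_free(tls->cert);` next to the blob free, guarded because tls_connect can fail before the certificate is fetched and it is not visible here whether crypto_cert_free tolerates NULL.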
|
|
|
24c59a |
diff --git a/libfreerdp-core/tls.h b/libfreerdp-core/tls.h
|
|
|
24c59a |
index c3f2f59..e941dd0 100644
|
|
|
24c59a |
--- a/libfreerdp-core/tls.h
|
|
|
24c59a |
+++ b/libfreerdp-core/tls.h
|
|
|
24c59a |
@@ -36,6 +36,8 @@ struct rdp_tls
|
|
|
24c59a |
SSL* ssl;
|
|
|
24c59a |
int sockfd;
|
|
|
24c59a |
SSL_CTX* ctx;
|
|
|
24c59a |
+ CryptoCert cert;
|
|
|
24c59a |
+ rdpBlob public_key;
|
|
|
24c59a |
rdpSettings* settings;
|
|
|
24c59a |
rdpCertificateStore* certificate_store;
|
|
|
24c59a |
};
|
|
|
24c59a |
diff --git a/libfreerdp-core/transport.c b/libfreerdp-core/transport.c
|
|
|
24c59a |
index df43a8e..f4c28d8 100644
|
|
|
24c59a |
--- a/libfreerdp-core/transport.c
|
|
|
24c59a |
+++ b/libfreerdp-core/transport.c
|
|
|
24c59a |
@@ -72,6 +72,7 @@ boolean transport_disconnect(rdpTransport* transport)
|
|
|
24c59a |
{
|
|
|
24c59a |
if (transport->layer == TRANSPORT_LAYER_TLS)
|
|
|
24c59a |
tls_disconnect(transport->tls);
|
|
|
24c59a |
+
|
|
|
24c59a |
return tcp_disconnect(transport->tcp);
|
|
|
24c59a |
}
|
|
|
24c59a |
|
|
|
24c59a |
--
|
|
|
24c59a |
2.5.5