FREERDP_API void certificate_store_free(rdpCertificateStore* certificate_store);
FREERDP_API int certificate_data_match(rdpCertificateStore* certificate_store, rdpCertificateData* certificate_data);
FREERDP_API BOOL certificate_data_print(rdpCertificateStore* certificate_store, rdpCertificateData* certificate_data);
+FREERDP_API BOOL certificate_get_fingerprint(rdpCertificateStore* certificate_store,
+ rdpCertificateData* certificate_data, char** fingerprint);
#ifdef __cplusplus
}
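Review bot: The new `certificate_get_fingerprint` prototype carries no ownership note, yet the implementation fills `*fingerprint` with `_strdup()` output and the caller in tls.c has to `free()` it, and on failure the out-parameter is left untouched rather than set to NULL. Without that stated in the header the next caller either leaks the copy or reads an uninitialised pointer after a FALSE return. Suggest a comment above the declaration: `/* Looks up certificate_data's host:port in the store; on TRUE *fingerprint is a _strdup'd copy of the stored fingerprint the caller must free(). *fingerprint is not written on FALSE, so initialise it to NULL first. */`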
#include <unistd.h>
#endif
+#include <ctype.h>
+
#include <winpr/crt.h>
#include <winpr/file.h>
#include <winpr/path.h>
}
-int certificate_data_match(rdpCertificateStore* certificate_store, rdpCertificateData* certificate_data)
+static int certificate_data_match_raw(rdpCertificateStore* certificate_store,
+ rdpCertificateData* certificate_data, char** fprint)
{
BOOL found = FALSE;
FILE* fp;
{
found = TRUE;
match = strcmp(fingerprint, certificate_data->fingerprint);
+ if ((match == 0) && fprint)
+ *fprint = _strdup(fingerprint);
break;
}
}
return match;
}
+BOOL certificate_get_fingerprint(rdpCertificateStore* certificate_store,
+ rdpCertificateData* certificate_data, char** fingerprint)
+{
+ int rc = certificate_data_match_raw(certificate_store, certificate_data, fingerprint);
+
+ if (rc == 0)
+ return TRUE;
+ return FALSE;
+}
+
+int certificate_data_match(rdpCertificateStore* certificate_store, rdpCertificateData* certificate_data)
+{
+ return certificate_data_match_raw(certificate_store, certificate_data, NULL);
+}
+
BOOL certificate_data_replace(rdpCertificateStore* certificate_store, rdpCertificateData* certificate_data)
{
FILE* fp;
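Review bot: `certificate_data_match_raw` copies the stored fingerprint only when `match == 0`, i.e. when it is byte-identical to `certificate_data->fingerprint`, and `certificate_get_fingerprint` reports success only for `rc == 0`; but the sole caller in the tls.c hunk below asks for it in the `match == -1` branch, where the stored value by definition differs, so `old_fingerprint` stays NULL there, the warning always fires and the user is never shown the previous fingerprint the change was meant to surface. The copy should be made whenever the host entry is found, and the wrapper should succeed whenever a copy was produced (which also covers a failed `_strdup`, currently unchecked). The body of `certificate_data_match_raw` before the `found = TRUE` line is outside the hunk; the value it returns for "no entry" is not visible here, so the wrapper below keys on the two documented outcomes plus the out-parameter rather than on that value.
```c
			found = TRUE;
			match = strcmp(fingerprint, certificate_data->fingerprint);
			/* hand back the stored value whether or not it matches: the
			 * changed-certificate path needs the old one to show the user */
			if (fprint)
				*fprint = _strdup(fingerprint);
			break;
/* … unchanged: rest of certificate_data_match_raw … */

BOOL certificate_get_fingerprint(rdpCertificateStore* certificate_store,
                                 rdpCertificateData* certificate_data, char** fingerprint)
{
	int rc;

	if (!fingerprint)
		return FALSE;
	*fingerprint = NULL;
	rc = certificate_data_match_raw(certificate_store, certificate_data, fingerprint);
	/* 0: same fingerprint, -1: host known with a different one; both mean an entry exists */
	return (rc == 0 || rc == -1) && (*fingerprint != NULL);
}
```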
}
else if (match == -1)
{
+ char* old_fingerprint = NULL;
+
/* entry was found in known_hosts file, but fingerprint does not match. ask user to use it */
tls_print_certificate_error(hostname, port, fingerprint,
tls->certificate_store->file);
+ if (!certificate_get_fingerprint(tls->certificate_store, certificate_data, &old_fingerprint))
+ WLog_WARN(TAG, "Failed to get certificate entry for %s:hu", hostname, port);
+
if (instance->VerifyChangedCertificate)
{
- accept_certificate = instance->VerifyChangedCertificate(instance, subject, issuer, fingerprint, "");
+ accept_certificate = instance->VerifyChangedCertificate(instance, subject, issuer,
+ fingerprint, old_fingerprint);
}
+ free(old_fingerprint);
+
if (!accept_certificate)
{
/* user did not accept, abort and do not change known_hosts file */
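Review bot: The warning format string `"%s:hu"` is missing the conversion character for the port, so the literal text `hu` is printed and the `port` argument is silently unused; it should read `WLog_WARN(TAG, "Failed to get certificate entry for %s:%hu", hostname, port);`. Separately, `VerifyChangedCertificate` used to receive `""` as its last argument and now receives `old_fingerprint`, which is NULL whenever the lookup fails (and, with the `match == 0` guard in the certificate.c hunk above, that is every time this branch runs); a client callback that passes it to `strlen`/`printf("%s")` will dereference NULL. Unless the callback contract is updated to allow NULL, pass `old_fingerprint ? old_fingerprint : ""` to preserve the old behaviour.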