From c9ada2ddda89c65077841fae5e1c880880411b2d Mon Sep 17 00:00:00 2001
From: Robert Ancell
Date: Tue, 8 Feb 2011 16:43:28 +1100
Subject: [PATCH 2/2] Pass certificate check up to UI layer

---
 X11/xf_win.c | 8 ++++++++
 include/freerdp/freerdp.h | 1 +
 libfreerdp/rdp.h | 2 +-
 libfreerdp/secure.c | 14 ++++++++++++++
 libfreerdp/secure.h | 1 +
 libfreerdp/tls.c | 4 +---
 libfreerdp/tls.h | 2 ++
 7 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/X11/xf_win.c b/X11/xf_win.c
index b3e3d49..5625aa4 100644
--- a/X11/xf_win.c
+++ b/X11/xf_win.c
@@ -188,6 +188,13 @@ xf_set_rop3(xfInfo * xfi, int rop3)
 	return 0;
 }
 
+static RD_BOOL
+l_ui_check_certificate(struct rdp_inst * inst, const char * text)
+{
+	printf("ui_check_certificate: %s\n", text);
+	return False;
+}
+
 static void
 l_ui_error(struct rdp_inst * inst, const char * text)
 {
@@ -893,6 +900,7 @@ l_ui_channel_data(struct rdp_inst * inst, int chan_id, char * data, int data_siz
 static int
 xf_assign_callbacks(rdpInst * inst)
 {
+	inst->ui_check_certificate = l_ui_check_certificate;
 	inst->ui_error = l_ui_error;
 	inst->ui_warning = l_ui_warning;
 	inst->ui_unimpl = l_ui_unimpl;
diff --git a/include/freerdp/freerdp.h b/include/freerdp/freerdp.h
index 5313c6f..f9c2ad6 100644
--- a/include/freerdp/freerdp.h
+++ b/include/freerdp/freerdp.h
@@ -83,6 +83,7 @@ struct rdp_inst
 	int (* rdp_channel_data)(rdpInst * inst, int chan_id, char * data, int data_size);
 	void (* rdp_disconnect)(rdpInst * inst);
 	/* calls from library to ui */
+	RD_BOOL (* ui_check_certificate)(rdpInst * inst, const char * text);
 	void (* ui_error)(rdpInst * inst, const char * text);
 	void (* ui_warning)(rdpInst * inst, const char * text);
 	void (* ui_unimpl)(rdpInst * inst, const char * text);
diff --git a/libfreerdp/rdp.h b/libfreerdp/rdp.h
index 3890ed1..a0ba245 100644
--- a/libfreerdp/rdp.h
+++ b/libfreerdp/rdp.h
@@ -22,7 +22,7 @@
 #define __RDP_H
 
 #include
-#include
+#include
 #include "types.h"
 
 RD_BOOL
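Review bot: `l_ui_check_certificate` always returns False, so with this UI every call of the new callback refuses the connection; that is the safe (fail-closed) default for a verification failure, but nothing in the stub says it is deliberate, and the `text` it prints is the empty string at both library call sites secure.c adds in this patch, so the printf shows the user nothing. Suggest a comment on the stub, `/* Fail closed: there is no prompt yet, so a certificate that failed verification is never accepted. */`, and when a real prompt is added, log the user's decision rather than only the description.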
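Review bot: The new `ui_check_certificate` member is a trust decision handed to the UI, but the declaration gives it no contract: from the secure.c hunks in this patch a NULL pointer is treated as refusal, False refuses, and True lets the connection continue although `tls_verify` failed (or, in `sec_parse_server_security_data`, regardless of the preceding signature check). Suggest documenting that next to the declaration, e.g. `/* Asked before continuing with a server certificate the library could not verify; return True to proceed anyway. May be NULL, which refuses. */`, and stating what `text` is meant to carry, since both callers currently pass "".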
diff --git a/libfreerdp/secure.c b/libfreerdp/secure.c
index 6bcdc30..ea4ff9b 100644
--- a/libfreerdp/secure.c
+++ b/libfreerdp/secure.c
@@ -717,6 +717,8 @@ sec_parse_server_security_data(rdpSec * sec, STREAM s, uint32 * encryptionMethod
 		ui_error(sec->rdp->inst, "TS Certificate not signed with License Certificate\n");
 		return False;
 	}
+	if (!sec->rdp->inst->ui_check_certificate || !sec->rdp->inst->ui_check_certificate(sec->rdp->inst, ""))
+		return False;
 	crypto_cert_free(license_cert);
 
 	if (crypto_cert_get_pub_exp_mod(ts_cert, &(sec->server_public_key_len),
@@ -985,6 +987,12 @@ sec_connect(rdpSec * sec, char *server, char *username, int port)
 		printf("TLS encryption with NLA negotiated\n");
 		sec->ctx = tls_create_context();
 		sec->ssl = tls_connect(sec->ctx, sec->mcs->iso->tcp->sock, server);
+		sec->verified = tls_verify(sec->ssl, server);
+		if(!sec->verified)
+		{
+			if (!sec->rdp->inst->ui_check_certificate || !sec->rdp->inst->ui_check_certificate(sec->rdp->inst, ""))
+				return False;
+		}
 		sec->tls_connected = 1;
 		ntlm_send_negotiate_message(sec);
 		credssp_recv(sec);
@@ -997,6 +1005,12 @@ sec_connect(rdpSec * sec, char *server, char *username, int port)
 		printf("TLS Encryption negotiated\n");
 		sec->ctx = tls_create_context();
 		sec->ssl = tls_connect(sec->ctx, sec->mcs->iso->tcp->sock, server);
+		sec->verified = tls_verify(sec->ssl, server);
+		if(!sec->verified)
+		{
+			if (!sec->rdp->inst->ui_check_certificate || !sec->rdp->inst->ui_check_certificate(sec->rdp->inst, ""))
+				return False;
+		}
 		sec->tls_connected = 1;
 		sec->rdp->settings->encryption = 0;
 		success = mcs_connect(sec->mcs);
diff --git a/libfreerdp/secure.h b/libfreerdp/secure.h
index 0649c48..8150e7b 100644
--- a/libfreerdp/secure.h
+++ b/libfreerdp/secure.h
@@ -58,6 +58,7 @@ struct rdp_sec
 	int tls_connected;
 #ifndef DISABLE_TLS
 	SSL *ssl;
+	RD_BOOL verified;
 	SSL_CTX *ctx;
 	struct rdp_nla * nla;
 #endif
diff --git a/libfreerdp/tls.c b/libfreerdp/tls.c
index b07ec37..dc23ff9 100644
--- a/libfreerdp/tls.c
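Review bot: The added `ui_check_certificate` call in `sec_parse_server_security_data` is unconditional — it sits after the `return False` branch for an unsigned certificate, so it fires even when the TS certificate was just verified against the license certificate, and with the X11 stub in this patch (which returns False) every connection through this path is refused. It also passes `""`, so the UI has no way to tell the user what it is being asked to accept, and it returns before `crypto_cert_free(license_cert)`, so the new early exit leaks `license_cert` much as the pre-existing error branch appears to. If the intent is to let the user accept the proprietary certificate chain, guard the prompt on the outcome of that check, give it a description of what was (not) verified, and place it after the free. The enclosing function starts and ends outside the hunk.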
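Review bot: `tls_verify(sec->ssl, server)` is now called without checking that `tls_connect` succeeded; the tls.c hunk in this patch shows `tls_connect` returning NULL on failure and previously reaching `tls_verify` only after that return, so `sec->ssl` can be NULL here — and in the identical block in the next hunk — and is passed straight to `tls_verify`, whose handling of NULL is not visible. Add `if (sec->ssl == NULL) return False;` before the `tls_verify` call in both branches, and consider moving the verify-then-prompt block into one static helper so the two copies cannot drift. The prompt also passes `""`, so the UI cannot tell the user which host or certificate is in question; passing `server` would be a minimal improvement. `sec_connect` starts and ends outside the hunk.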
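Review bot: `verified` is assigned in both TLS branches of `sec_connect` but nothing in this patch reads it afterwards, and whether `rdp_sec` is zero-initialised on allocation is not visible here, so until a reader exists the field is either dead or carries a stale value. Document its meaning beside the declaration so later readers do not treat it as "connection is trusted": `RD_BOOL verified; /* result of tls_verify(); stays False when the user accepted an unverified certificate */`.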
+++ b/libfreerdp/tls.c
@@ -103,7 +103,7 @@ exit:
  * certificate is signed by a trusted certification authority
  */
-static RD_BOOL
+RD_BOOL
 tls_verify(SSL *connection, const char *server)
 {
 	/* TODO: Check for eku extension with server authentication purpose */
@@ -253,8 +253,6 @@ tls_connect(SSL_CTX *ctx, int sockfd, char *server)
 		return NULL;
 	}
 
-	tls_verify(ssl, server);
-
 	printf("TLS connection established\n");
 	return ssl;
diff --git a/libfreerdp/tls.h b/libfreerdp/tls.h
index 52777fa..18682a6 100644
--- a/libfreerdp/tls.h
+++ b/libfreerdp/tls.h
@@ -37,6 +37,8 @@ void
 tls_destroy_context(SSL_CTX *ctx);
 SSL*
 tls_connect(SSL_CTX *ctx, int sockfd, char *server);
+RD_BOOL
+tls_verify(SSL *connection, const char *server);
 void
 tls_disconnect(SSL *ssl);
 int
-- 
1.7.2.3
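Review bot: `tls_verify` becomes a library-internal API here, and its result now decides whether the user is prompted, yet the declaration carries no contract; the definition in tls.c still opens with a TODO (EKU check), so a True return is not a complete verification. Suggest a comment above the declaration: `/* Verify the peer certificate of an established TLS connection. True only when the checks in tls.c pass (see the TODO there); the caller decides what to do on False. */`.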