diff --git a/freerdp-bug-6175.patch b/freerdp-bug-6175.patch
new file mode 100644
index 0000000..ac34950
--- /dev/null
+++ b/freerdp-bug-6175.patch
@@ -0,0 +1,69 @@
+From f3063a589d908a087a295b9217bc5fa34a80fb36 Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Tue, 12 May 2020 13:00:13 +0200
+Subject: [PATCH] Fixed #6148: multiple ceritificate purposes
+
+OpenSSL certificate verification can only check a single purpose.
+Run the checks with all allowed purposes and accept any.
+---
+ libfreerdp/crypto/crypto.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
+index 0920e356e9..4507578ab6 100644
+--- a/libfreerdp/crypto/crypto.c
++++ b/libfreerdp/crypto/crypto.c
+@@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)
+ 
+ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
+ {
++ size_t i;
++ const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
+ X509_STORE_CTX* csc;
+ BOOL status = FALSE;
+ X509_STORE* cert_ctx = NULL;
+@@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
+ }
+ 
+- csc = X509_STORE_CTX_new();
+-
+- if (csc == NULL)
+- goto end;
+-
+ X509_STORE_set_flags(cert_ctx, 0);
+ 
+- if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
+- goto end;
++ for (i = 0; i < ARRAYSIZE(purposes); i++)
++ {
++ int rc = -1;
++ int purpose = purposes[i];
++ csc = X509_STORE_CTX_new();
+ 
+- X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY);
+- X509_STORE_CTX_set_verify_cb(csc, verify_cb);
++ if (csc == NULL)
++ goto skip;
++ if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
++ goto skip;
+ 
+- if (X509_verify_cert(csc) == 1)
+- status = TRUE;
++ X509_STORE_CTX_set_purpose(csc, purpose);
++ X509_STORE_CTX_set_verify_cb(csc, verify_cb);
++
++ rc = X509_verify_cert(csc);
++ skip:
++ X509_STORE_CTX_free(csc);
++ if (rc == 1)
++ {
++ status = TRUE;
++ break;
++ }
++ }
+ 
+- X509_STORE_CTX_free(csc);
+ X509_STORE_free(cert_ctx);
+ end:
+ return status;
diff --git a/freerdp-bug-6205.patch b/freerdp-bug-6205.patch
new file mode 100644
index 0000000..a09c2ee
--- /dev/null
+++ b/freerdp-bug-6205.patch
@@ -0,0 +1,31 @@
+From 5b842bc7a78621218b1179923c002d32c41f15fe Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Wed, 20 May 2020 11:57:01 +0200
+Subject: [PATCH] Read newline from stdio on certificate accept
+
+---
+ client/common/client.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/client/common/client.c b/client/common/client.c
+index 1f44da41a3..380d7de929 100644
+--- a/client/common/client.c
++++ b/client/common/client.c
+@@ -467,14 +467,17 @@ static DWORD client_cli_accept_certificate(rdpSettings* settings)
+ {
+ case 'y':
+ case 'Y':
++ fgetc(stdin);
+ return 1;
+ 
+ case 't':
+ case 'T':
++ fgetc(stdin);
+ return 2;
+ 
+ case 'n':
+ case 'N':
++ fgetc(stdin);
+ return 0;
+ 
+ default:
diff --git a/freerdp-bug-6207.patch b/freerdp-bug-6207.patch
new file mode 100644
index 0000000..10ec71e
--- /dev/null
+++ b/freerdp-bug-6207.patch
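Review bot: The last entry of `purposes`, `X509_PURPOSE_ANY`, means the new loop can never reject a certificate on purpose grounds: in OpenSSL the ANY purpose performs no extended-key-usage check, so a chain that fails as SSL_SERVER and again as SSL_CLIENT still verifies on the third iteration, and a client-only or otherwise mis-purposed certificate is accepted for an RDP server exactly as the removed `X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY)` did. If the intent is to tolerate either serverAuth or clientAuth EKUs, drop the third entry, `const int purposes[2] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT };`; if ANY is kept on purpose, a comment next to the array saying that EKU is deliberately not enforced is needed so nobody mistakes the loop for an EKU check. A second, smaller point: when `X509_STORE_CTX_new` or `X509_STORE_CTX_init` fails, `goto skip` leaves `rc` at -1 and the loop simply tries the next purpose, so an allocation failure is retried up to three times instead of ending verification; freerdp-bug-6207.patch below stops that retry but keeps the ANY fallback.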
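Review bot: Each added `fgetc(stdin);` consumes exactly one character after the answer, which only matches a bare `y<Enter>`; an answer such as `yes<Enter>` leaves `es\n` buffered, and the next interactive prompt that reads stdin is fed that residue rather than a fresh keystroke, so a later security prompt could be answered by leftover input. Drain to end of line instead, `int c; while ((c = fgetc(stdin)) != EOF && c != '\n') ;`, preferably in one small static helper called from the three cases rather than copied three times, and the unchecked return value of `fgetc` is then also handled (EOF on a closed stdin currently goes unnoticed). The answer character itself is read before this hunk, and `client_cli_accept_certificate` begins outside it, so how the prompt reads input cannot be confirmed from here.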
@@ -0,0 +1,40 @@
+From de619e9964684eced5fb3108de81440b979aace0 Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Wed, 20 May 2020 13:45:57 +0200
+Subject: [PATCH] Abort on first possible certificate validation error
+
+Only retry certificate validation if the purpose was wrong.
+---
+ libfreerdp/crypto/crypto.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
+index 4507578ab6..5aaaa95924 100644
+--- a/libfreerdp/crypto/crypto.c
++++ b/libfreerdp/crypto/crypto.c
+@@ -837,7 +837,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ 
+ for (i = 0; i < ARRAYSIZE(purposes); i++)
+ {
+- int rc = -1;
++ int err = -1, rc = -1;
+ int purpose = purposes[i];
+ csc = X509_STORE_CTX_new();
+ 
+@@ -850,6 +850,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ X509_STORE_CTX_set_verify_cb(csc, verify_cb);
+ 
+ rc = X509_verify_cert(csc);
++ err = X509_STORE_CTX_get_error(csc);
+ skip:
+ X509_STORE_CTX_free(csc);
+ if (rc == 1)
+@@ -857,6 +858,8 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ status = TRUE;
+ break;
+ }
++ else if (err != X509_V_ERR_INVALID_PURPOSE)
++ break;
+ }
+ 
+ X509_STORE_free(cert_ctx);
diff --git a/freerdp.changes b/freerdp.changes
index b351331..edeb6ef 100644
--- a/freerdp.changes
+++ b/freerdp.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 20 12:34:27 UTC 2020 - Johannes Weberhofer
+
+- Added freerdp-bug-6205.patch to fix reading newline on certificate accept gh#FreeRDP/FreeRDP#6205
+- Added freerdp-bug-6175.patch to fix Certificate Checking Recently Broke gh#FreeRDP/FreeRDP#6148
+- Added freerdp-bug-6207.patch to fix Abort on first possible certificate validation error gh#FreeRDP/FreeRDP#6207
+
 -------------------------------------------------------------------
 Fri May 8 09:51:06 UTC 2020 - Johannes Weberhofer
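Review bot: The `err = -1` sentinel does double duty: it is what `err` holds when `X509_STORE_CTX_new` or `X509_STORE_CTX_init` fails and control jumps to `skip:`, and because -1 is not `X509_V_ERR_INVALID_PURPOSE` the new `else if` then breaks out with `status` still FALSE, which is the right fail-closed outcome but is indistinguishable from a genuine verification failure and is never reported. Either log the two `goto skip` paths before jumping, using whatever logging macro this file uses elsewhere (none is visible in the hunk), or add a comment above `skip:` such as `/* err == -1 here means verification could not run, not that the certificate failed */` so the next reader does not assume it is a verify error. As a matter of style, a label inside a loop body that is reached by jumping over the verify call is harder to follow than a `break` at the allocation failure; since the 6207 change already ends the loop on any non-purpose error, the two `goto skip` lines can become `break` and the sentinel disappears. The surrounding function head and the `purposes` table are outside these inner hunks (they are added by freerdp-bug-6175.patch above), and this change leaves the `X509_PURPOSE_ANY` fallback in place, so a purpose mismatch still ends up accepted on the last iteration.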
diff --git a/freerdp.spec b/freerdp.spec
index 0a10f9a..a2567ac 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -34,6 +34,12 @@ License: Apache-2.0
 Group: Productivity/Networking/Other
 URL: https://www.freerdp.com/
 Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}.tar.gz#/FreeRDP-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM freerdp-bug-6175.patch gh#FreeRDP/FreeRDP#6175
+Patch0: freerdp-bug-6175.patch
+# PATCH-FIX-UPSTREAM freerdp-bug-6205.patch gh#FreeRDP/FreeRDP#6205
+Patch1: freerdp-bug-6205.patch
+# PATCH-FIX-UPSTREAM freerdp-bug-6207.patch gh#FreeRDP/FreeRDP#6207
+Patch2: freerdp-bug-6207.patch
 BuildRequires: chrpath
 BuildRequires: cmake >= 2.8
 BuildRequires: cups-devel
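Review bot: Patch0 through Patch2 are only declared in this hunk; whether they are applied depends on `%prep` (`%autosetup -p1` or explicit `%patch0 -p1` lines), which is outside the diff, so please confirm the build actually applies them and does not ship the unpatched certificate-verification code while the changelog claims the fixes. The Patch0 comment cites gh#6175, while the patch's own subject says `Fixed #6148` and freerdp.changes points at #6148; one consistent reference, `# PATCH-FIX-UPSTREAM freerdp-bug-6175.patch gh#FreeRDP/FreeRDP#6148 (PR 6175)`, keeps the audit trail from the spec to the upstream issue straight.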