Accepting request 807754 from home:weberho:branches:X11:RemoteDesktop

- Added freerdp-bug-6205.patch to fix reading newline on certificate accept gh#FreeRDP/FreeRDP#6205
- Added freerdp-bug-6175.patch to fix Certificate Checking Recently Broke gh#FreeRDP/FreeRDP#6148
- Added freerdp-bug-6207.patch to fix Abort on first possible certificate validation error gh#FreeRDP/FreeRDP#6207

OBS-URL: https://build.opensuse.org/request/show/807754
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/freerdp?expand=0&rev=100

freerdp-bug-6175.patch

@@ -0,0 +1,69 @@
+From f3063a589d908a087a295b9217bc5fa34a80fb36 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Tue, 12 May 2020 13:00:13 +0200
+Subject: [PATCH] Fixed #6148: multiple ceritificate purposes
+
+OpenSSL certificate verification can only check a single purpose.
+Run the checks with all allowed purposes and accept any.
+---
+ libfreerdp/crypto/crypto.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
+index 0920e356e9..4507578ab6 100644
+--- a/libfreerdp/crypto/crypto.c
++++ b/libfreerdp/crypto/crypto.c
+@@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)
+ 
+ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
+ {
++	size_t i;
++	const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
+ 	X509_STORE_CTX* csc;
+ 	BOOL status = FALSE;
+ 	X509_STORE* cert_ctx = NULL;
+@@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ 		X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
+ 	}
+ 
+-	csc = X509_STORE_CTX_new();
+-
+-	if (csc == NULL)
+-		goto end;
+-
+ 	X509_STORE_set_flags(cert_ctx, 0);
+ 
+-	if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
+-		goto end;
++	for (i = 0; i < ARRAYSIZE(purposes); i++)
++	{
++		int rc = -1;
++		int purpose = purposes[i];
++		csc = X509_STORE_CTX_new();
+ 
+-	X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY);
+-	X509_STORE_CTX_set_verify_cb(csc, verify_cb);
++		if (csc == NULL)
++			goto skip;
++		if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
++			goto skip;
+ 
+-	if (X509_verify_cert(csc) == 1)
+-		status = TRUE;
++		X509_STORE_CTX_set_purpose(csc, purpose);
++		X509_STORE_CTX_set_verify_cb(csc, verify_cb);
++
++		rc = X509_verify_cert(csc);
++	skip:
++		X509_STORE_CTX_free(csc);
++		if (rc == 1)
++		{
++			status = TRUE;
++			break;
++		}
++	}
+ 
+-	X509_STORE_CTX_free(csc);
+ 	X509_STORE_free(cert_ctx);
+ end:
+ 	return status;

freerdp-bug-6205.patch

@@ -0,0 +1,31 @@
+From 5b842bc7a78621218b1179923c002d32c41f15fe Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Wed, 20 May 2020 11:57:01 +0200
+Subject: [PATCH] Read newline from stdio on certificate accept
+
+---
+ client/common/client.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/client/common/client.c b/client/common/client.c
+index 1f44da41a3..380d7de929 100644
+--- a/client/common/client.c
++++ b/client/common/client.c
+@@ -467,14 +467,17 @@ static DWORD client_cli_accept_certificate(rdpSettings* settings)
+ 		{
+ 			case 'y':
+ 			case 'Y':
++				fgetc(stdin);
+ 				return 1;
+ 
+ 			case 't':
+ 			case 'T':
++				fgetc(stdin);
+ 				return 2;
+ 
+ 			case 'n':
+ 			case 'N':
++				fgetc(stdin);
+ 				return 0;
+ 
+ 			default:

freerdp-bug-6207.patch

@@ -0,0 +1,40 @@
+From de619e9964684eced5fb3108de81440b979aace0 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Wed, 20 May 2020 13:45:57 +0200
+Subject: [PATCH] Abort on first possible certificate validation error
+
+Only retry certificate validation if the purpose was wrong.
+---
+ libfreerdp/crypto/crypto.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
+index 4507578ab6..5aaaa95924 100644
+--- a/libfreerdp/crypto/crypto.c
++++ b/libfreerdp/crypto/crypto.c
+@@ -837,7 +837,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ 
+ 	for (i = 0; i < ARRAYSIZE(purposes); i++)
+ 	{
+-		int rc = -1;
++		int err = -1, rc = -1;
+ 		int purpose = purposes[i];
+ 		csc = X509_STORE_CTX_new();
+ 
+@@ -850,6 +850,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ 		X509_STORE_CTX_set_verify_cb(csc, verify_cb);
+ 
+ 		rc = X509_verify_cert(csc);
++		err = X509_STORE_CTX_get_error(csc);
+ 	skip:
+ 		X509_STORE_CTX_free(csc);
+ 		if (rc == 1)
+@@ -857,6 +858,8 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
+ 			status = TRUE;
+ 			break;
+ 		}
++		else if (err != X509_V_ERR_INVALID_PURPOSE)
++			break;
+ 	}
+ 
+ 	X509_STORE_free(cert_ctx);

freerdp.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 20 12:34:27 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Added freerdp-bug-6205.patch to fix reading newline on certificate accept gh#FreeRDP/FreeRDP#6205
+- Added freerdp-bug-6175.patch to fix Certificate Checking Recently Broke gh#FreeRDP/FreeRDP#6148
+- Added freerdp-bug-6207.patch to fix Abort on first possible certificate validation error gh#FreeRDP/FreeRDP#6207
+
 -------------------------------------------------------------------
 Fri May  8 09:51:06 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
 

freerdp.spec

@@ -34,6 +34,12 @@ License:        Apache-2.0
 Group:          Productivity/Networking/Other
 URL:            https://www.freerdp.com/
 Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{version}.tar.gz#/FreeRDP-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM freerdp-bug-6175.patch gh#FreeRDP/FreeRDP#6175
+Patch0:         freerdp-bug-6175.patch
+# PATCH-FIX-UPSTREAM freerdp-bug-6205.patch gh#FreeRDP/FreeRDP#6205
+Patch1:         freerdp-bug-6205.patch
+# PATCH-FIX-UPSTREAM freerdp-bug-6207.patch gh#FreeRDP/FreeRDP#6207
+Patch2:         freerdp-bug-6207.patch
 BuildRequires:  chrpath
 BuildRequires:  cmake >= 2.8
 BuildRequires:  cups-devel