Let ssl backend handle hash checks.

2020-02-12 13:17:42 +01:00 · 2020-02-12 13:17:42 +01:00 · 2be6e4117f
commit 2be6e4117f
parent 9d13729617
3 changed files with 24 additions and 46 deletions
--- a/include/freerdp/crypto/crypto.h
+++ b/include/freerdp/crypto/crypto.h
@ -54,6 +54,8 @@ extern "C"
 	typedef struct crypto_cert_struct* CryptoCert;

 	FREERDP_API CryptoCert crypto_cert_read(BYTE* data, UINT32 length);
+	FREERDP_API char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash);
+	FREERDP_API char* crypto_cert_sign_with_hash(X509* xcert, const char* hash);
 	FREERDP_API char* crypto_cert_fingerprint(X509* xcert);
 	FREERDP_API char* crypto_cert_subject(X509* xcert);
 	FREERDP_API char* crypto_cert_subject_common_name(X509* xcert, int* length);
--- a/libfreerdp/crypto/crypto.c
+++ b/libfreerdp/crypto/crypto.c
@ -214,13 +214,22 @@ void crypto_reverse(BYTE* data, int length)
 }

 char* crypto_cert_fingerprint(X509* xcert)
+{
+	return crypto_cert_fingerprint_by_hash(xcert, "sha1");
+}
+
+char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)
 {
 	size_t i = 0;
 	char* p;
 	char* fp_buffer;
 	UINT32 fp_len;
 	BYTE fp[EVP_MAX_MD_SIZE];
-	X509_digest(xcert, EVP_sha1(), fp, &fp_len);
+	const EVP_MD* md = EVP_get_digestbyname(hash);
+	if (!md)
+		return NULL;
+
+	X509_digest(xcert, md, fp, &fp_len);
 	fp_buffer = (char*)calloc(fp_len + 1, 3);

 	if (!fp_buffer)
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@ -1194,63 +1194,30 @@ static BOOL is_accepted_fingerprint(CryptoCert cert, const char* CertificateAcce
 		char* cur = strtok_s(copy, ",", &context);
 		while (cur)
 		{
-			BYTE hash[EVP_MAX_MD_SIZE] = { 0 };
-			struct hash_map
-			{
-				const char* name;
-				const EVP_MD* type;
-			};
-			unsigned int hashlen;
+			BOOL equal;

-			struct hash_map hashes[] = { { "sha1", EVP_sha1() },
-				                         { "sha224", EVP_sha224() },
-				                         { "sha256", EVP_sha256() },
-				                         { "sha384", EVP_sha384() },
-				                         { "sha512", EVP_sha512() },
-				                         { "ripemd160", EVP_ripemd160() },
-				                         { "sha3_224", EVP_sha3_224() },
-				                         { "sha3_256", EVP_sha3_256() },
-				                         { "sha3_384", EVP_sha3_384() },
-				                         { "sha3_512", EVP_sha3_512() },
-				                         { "shake128", EVP_shake128() },
-				                         { "shake256", EVP_shake256() },
-				                         { NULL, NULL } };
-			struct hash_map* chash = &hashes[0];
 			const char* h = strtok(cur, ":");
 			const char* fp;

-			while (chash->name && h)
-			{
-				if (_stricmp(chash->name, cur) == 0)
-					break;
-				chash++;
-			}
-			if ((chash->name == NULL) || (chash->type == NULL))
+			if (!h)
 				continue;

 			fp = h + strlen(h) + 1;
 			if (!fp)
 				continue;

-			hashlen = (unsigned int)EVP_MD_size(chash->type);
-			if (X509_digest(cert->px509, chash->type, hash, &hashlen) == 1)
-			{
-				size_t x;
-				char strhash[EVP_MAX_MD_SIZE * 3 + 1] = { 0 };
-				for (x = 0; x < hashlen; x++)
-				{
-					if (x > 0)
-						_snprintf(&strhash[3 * x - 1], 4, ":%02x", hash[x]);
-					else
-						_snprintf(strhash, 3, "%02x", hash[x]);
-				}
+			char* strhash = crypto_cert_fingerprint_by_hash(cert->px509, h);
+			if (!strhash)
+				continue;

-				if (_strnicmp(strhash, fp, hashlen * 3) == 0)
-				{
-					rc = TRUE;
-					break;
-				}
+			equal = (_stricmp(strhash, fp) == 0);
+			free(strhash);
+			if (equal)
+			{
+				rc = TRUE;
+				break;
 			}
+
 			cur = strtok_s(NULL, ",", &context);
 		}
 		free(copy);