Let ssl backend handle hash checks.
This commit is contained in:
parent
9d13729617
commit
2be6e4117f
@ -54,6 +54,8 @@ extern "C"
typedef struct crypto_cert_struct* CryptoCert;
FREERDP_API CryptoCert crypto_cert_read(BYTE* data, UINT32 length);
FREERDP_API char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash);
FREERDP_API char* crypto_cert_sign_with_hash(X509* xcert, const char* hash);
FREERDP_API char* crypto_cert_fingerprint(X509* xcert);
FREERDP_API char* crypto_cert_subject(X509* xcert);
FREERDP_API char* crypto_cert_subject_common_name(X509* xcert, int* length);
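Review bot: The two new declarations, `crypto_cert_fingerprint_by_hash` and `crypto_cert_sign_with_hash`, say nothing about what `hash` names or who owns the returned string, and the header is where callers will look. From the definition in this commit, `hash` is passed straight to the SSL backend's digest-name lookup (the wrapper uses `"sha1"`) and the result is a heap string the caller must `free()`, with NULL returned when the name is unknown. I would put above the first one: `/** Hex fingerprint of xcert computed with the backend digest named by hash (e.g. "sha1"). Returns a malloc'd string the caller frees, or NULL if the digest name is not known to the backend. */`. No definition of `crypto_cert_sign_with_hash` appears in the hunks shown, so its contract needs the same treatment once it is visible.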
@ -214,13 +214,22 @@ void crypto_reverse(BYTE* data, int length)
}
char* crypto_cert_fingerprint(X509* xcert)
{
return crypto_cert_fingerprint_by_hash(xcert, "sha1");
}
char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)
{
size_t i = 0;
char* p;
char* fp_buffer;
UINT32 fp_len;
BYTE fp[EVP_MAX_MD_SIZE];
X509_digest(xcert, EVP_sha1(), fp, &fp_len);
const EVP_MD* md = EVP_get_digestbyname(hash);
if (!md)
return NULL;
X509_digest(xcert, md, fp, &fp_len);
fp_buffer = (char*)calloc(fp_len + 1, 3);
if (!fp_buffer)
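Review bot: The rewritten call `X509_digest(xcert, md, fp, &fp_len);` still discards its return value, and `UINT32 fp_len;` is never initialised, so a failed digest leaves `calloc(fp_len + 1, 3)` sized from an indeterminate value and the hex formatting reading uninitialised bytes of `fp`. Change the declaration to `UINT32 fp_len = 0;` and the call to `if (X509_digest(xcert, md, fp, &fp_len) != 1) return NULL;`. Since `EVP_get_digestbyname` is now the only name filter, its case handling and the spelling it accepts for the SHA-3 family presumably vary by OpenSSL version, so a short comment that the accepted names are whatever the backend registers (and that older releases need the digest table loaded first) would save callers a surprise. The rest of the function, including the `fp_buffer` check and the formatting loop, continues outside the hunk.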
@ -1194,63 +1194,30 @@ static BOOL is_accepted_fingerprint(CryptoCert cert, const char* CertificateAcce
char* cur = strtok_s(copy, ",", &context);
while (cur)
{
BYTE hash[EVP_MAX_MD_SIZE] = { 0 };
struct hash_map
{
const char* name;
const EVP_MD* type;
};
unsigned int hashlen;
BOOL equal;
struct hash_map hashes[] = { { "sha1", EVP_sha1() },
{ "sha224", EVP_sha224() },
{ "sha256", EVP_sha256() },
{ "sha384", EVP_sha384() },
{ "sha512", EVP_sha512() },
{ "ripemd160", EVP_ripemd160() },
{ "sha3_224", EVP_sha3_224() },
{ "sha3_256", EVP_sha3_256() },
{ "sha3_384", EVP_sha3_384() },
{ "sha3_512", EVP_sha3_512() },
{ "shake128", EVP_shake128() },
{ "shake256", EVP_shake256() },
{ NULL, NULL } };
struct hash_map* chash = &hashes[0];
const char* h = strtok(cur, ":");
const char* fp;
while (chash->name && h)
{
if (_stricmp(chash->name, cur) == 0)
break;
chash++;
}
if ((chash->name == NULL) || (chash->type == NULL))
if (!h)
continue;
fp = h + strlen(h) + 1;
if (!fp)
continue;
hashlen = (unsigned int)EVP_MD_size(chash->type);
if (X509_digest(cert->px509, chash->type, hash, &hashlen) == 1)
{
size_t x;
char strhash[EVP_MAX_MD_SIZE * 3 + 1] = { 0 };
for (x = 0; x < hashlen; x++)
{
if (x > 0)
_snprintf(&strhash[3 * x - 1], 4, ":%02x", hash[x]);
else
_snprintf(strhash, 3, "%02x", hash[x]);
}
char* strhash = crypto_cert_fingerprint_by_hash(cert->px509, h);
if (!strhash)
continue;
if (_strnicmp(strhash, fp, hashlen * 3) == 0)
equal = (_stricmp(strhash, fp) == 0);
free(strhash);
if (equal)
{
rc = TRUE;
break;
}
}
cur = strtok_s(NULL, ",", &context);
}
free(copy);
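Review bot: The new early exits `if (!h) continue;` and `if (!strhash) continue;` jump back to `while (cur)` without reaching `cur = strtok_s(NULL, ",", &context);` at the bottom of the body, so `cur` never advances and the loop spins forever on any entry whose digest name the backend does not recognise, which with this commit is now the only name filter left. The removed table walk had the same `continue` shape, so the defect is inherited rather than introduced, but the rewrite is the place to fix it. The retained `fp = h + strlen(h) + 1; if (!fp) continue;` is also not a check at all: pointer arithmetic never yields NULL, and when an entry carries no ':' the pointer lands one past the token, so the separator itself should be tested. The body below restructures the per-entry logic so that every path reaches the `strtok_s` advance; `rc`, `copy`, `context` and the enclosing function begin outside the hunk.

```c
	while (cur)
	{
		BOOL equal = FALSE;
		char* strhash = NULL;
		const char* h = cur;
		char* sep = strchr(cur, ':');

		/* an entry is "<digest-name>:<hex fingerprint>"; anything else is skipped */
		if (sep && sep[1] != '\0')
		{
			const char* fp = sep + 1;
			*sep = '\0';
			strhash = crypto_cert_fingerprint_by_hash(cert->px509, h);
			if (strhash)
				equal = (_stricmp(strhash, fp) == 0);
			free(strhash);
		}

		if (equal)
		{
			rc = TRUE;
			break;
		}

		cur = strtok_s(NULL, ",", &context);
	}
	/* … unchanged: free(copy) … */
```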