Added raw function wrapping X509_digest

2020-02-12 13:47:35 +01:00 · 2020-02-12 13:47:35 +01:00 · 9c999b7135
parent 8b85913ac0
commit 9c999b7135
4 changed files with 50 additions and 20 deletions
--- a/include/freerdp/crypto/crypto.h
+++ b/include/freerdp/crypto/crypto.h
@ -54,8 +54,8 @@ extern "C"
 	typedef struct crypto_cert_struct* CryptoCert;

 	FREERDP_API CryptoCert crypto_cert_read(BYTE* data, UINT32 length);
+	FREERDP_API BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length);
 	FREERDP_API char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash);
-	FREERDP_API char* crypto_cert_sign_with_hash(X509* xcert, const char* hash);
 	FREERDP_API char* crypto_cert_fingerprint(X509* xcert);
 	FREERDP_API char* crypto_cert_subject(X509* xcert);
 	FREERDP_API char* crypto_cert_subject_common_name(X509* xcert, int* length);
--- a/libfreerdp/common/assistance.c
+++ b/libfreerdp/common/assistance.c
@ -571,7 +571,7 @@ BYTE* freerdp_assistance_encrypt_pass_stub(const char* password, const char* pas

 	if (!rc4Ctx)
 	{
-		WLog_ERR(TAG, "EVP_CipherInit_ex failure");
+		WLog_ERR(TAG, "winpr_Cipher_New failure");
 		goto fail;
 	}

@ -581,13 +581,13 @@ BYTE* freerdp_assistance_encrypt_pass_stub(const char* password, const char* pas

 	if (!rc)
 	{
-		WLog_ERR(TAG, "EVP_CipherUpdate failure");
+		WLog_ERR(TAG, "winpr_Cipher_Update failure");
 		goto fail;
 	}

 	if (!winpr_Cipher_Final(rc4Ctx, pbOut + cbOut, &cbFinal))
 	{
-		WLog_ERR(TAG, "EVP_CipherFinal_ex failure");
+		WLog_ERR(TAG, "winpr_Cipher_Final failure");
 		goto fail;
 	}

@ -663,7 +663,7 @@ static BOOL freerdp_assistance_decrypt2(rdpAssistanceFile* file, const char* pas

 	if (!winpr_Cipher_Final(aesDec, pbOut + cbOut, &cbFinal))
 	{
-		WLog_ERR(TAG, "EVP_DecryptFinal_ex failure");
+		WLog_ERR(TAG, "winpr_Cipher_Final failure");
 		goto fail;
 	}

--- a/libfreerdp/crypto/crypto.c
+++ b/libfreerdp/crypto/crypto.c
@ -215,25 +215,49 @@ void crypto_reverse(BYTE* data, int length)

 char* crypto_cert_fingerprint(X509* xcert)
 {
-	return crypto_cert_fingerprint_by_hash(xcert, "sha1");
+	return crypto_cert_fingerprint_by_hash(xcert, "sha256");
+}
+
+BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length)
+{
+	UINT32 fp_len = EVP_MAX_MD_SIZE;
+	BYTE* fp;
+	const EVP_MD* md = EVP_get_digestbyname(hash);
+	if (!md)
+		return NULL;
+	if (!length)
+		return NULL;
+	if (!xcert)
+		return NULL;
+
+	fp = calloc(fp_len, sizeof(BYTE));
+	if (!fp)
+		return NULL;
+
+	if (X509_digest(xcert, md, fp, &fp_len) != 1)
+	{
+		free(fp);
+		return NULL;
+	}
+
+	*length = fp_len;
+	return fp;
 }

 char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)
 {
-	size_t i = 0;
+	UINT32 fp_len, i;
+	BYTE* fp;
 	char* p;
 	char* fp_buffer;
-	UINT32 fp_len;
-	BYTE fp[EVP_MAX_MD_SIZE];
-	const EVP_MD* md = EVP_get_digestbyname(hash);
-	if (!md)
+
+	fp = crypto_cert_hash(xcert, hash, &fp_len);
+	if (!fp)
 		return NULL;

-	X509_digest(xcert, md, fp, &fp_len);
-	fp_buffer = (char*)calloc(fp_len + 1, 3);
-
+	fp_buffer = calloc(fp_len * 3 + 1, sizeof(char));
 	if (!fp_buffer)
-		return NULL;
+		goto fail;

 	p = fp_buffer;

@ -244,6 +268,9 @@ char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)
 	}

 	sprintf_s(p, (fp_len - i) * 3, "%02" PRIx8 "", fp[i]);
+fail:
+	free(fp);
+
 	return fp_buffer;
 }

--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@ -611,13 +611,15 @@ static SecPkgContext_Bindings* tls_get_channel_bindings(X509* cert)
 	SEC_CHANNEL_BINDINGS* ChannelBindings;
 	SecPkgContext_Bindings* ContextBindings;
 	const size_t PrefixLength = strnlen(TLS_SERVER_END_POINT, ARRAYSIZE(TLS_SERVER_END_POINT));
-	BYTE CertificateHash[32] = { 0 };
-	X509_digest(cert, EVP_sha256(), CertificateHash, &CertificateHashLength);
+	BYTE* CertificateHash = crypto_cert_hash(cert, "sha256", &CertificateHashLength);
+	if (!CertificateHash)
+		return NULL;
+
 	ChannelBindingTokenLength = PrefixLength + CertificateHashLength;
 	ContextBindings = (SecPkgContext_Bindings*)calloc(1, sizeof(SecPkgContext_Bindings));

 	if (!ContextBindings)
-		return NULL;
+		goto out_free;

 	ContextBindings->BindingsLength = sizeof(SEC_CHANNEL_BINDINGS) + ChannelBindingTokenLength;
 	ChannelBindings = (SEC_CHANNEL_BINDINGS*)calloc(1, ContextBindings->BindingsLength);
@ -633,6 +635,7 @@ static SecPkgContext_Bindings* tls_get_channel_bindings(X509* cert)
 	memcpy(ChannelBindingToken + PrefixLength, CertificateHash, CertificateHashLength);
 	return ContextBindings;
 out_free:
+	free(CertificateHash);
 	free(ContextBindings);
 	return NULL;
 }
@ -1195,7 +1198,7 @@ static BOOL is_accepted_fingerprint(CryptoCert cert, const char* CertificateAcce
 		while (cur)
 		{
 			BOOL equal;
-
+			char* strhash;
 			const char* h = strtok(cur, ":");
 			const char* fp;

@ -1206,7 +1209,7 @@ static BOOL is_accepted_fingerprint(CryptoCert cert, const char* CertificateAcce
 			if (!fp)
 				continue;

-			char* strhash = crypto_cert_fingerprint_by_hash(cert->px509, h);
+			strhash = crypto_cert_fingerprint_by_hash(cert->px509, h);
 			if (!strhash)
 				continue;