Added raw function wrapping X509_digest

Armin Novak 2020-02-12 13:47:35 +01:00 committed by akallabeth
parent 8b85913ac0
commit 9c999b7135
4 changed files with 50 additions and 20 deletions


@ -54,8 +54,8 @@ extern "C"
typedef struct crypto_cert_struct* CryptoCert; typedef struct crypto_cert_struct* CryptoCert;
FREERDP_API CryptoCert crypto_cert_read(BYTE* data, UINT32 length); FREERDP_API CryptoCert crypto_cert_read(BYTE* data, UINT32 length);
FREERDP_API BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length);
FREERDP_API char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash); FREERDP_API char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash);
FREERDP_API char* crypto_cert_sign_with_hash(X509* xcert, const char* hash);
FREERDP_API char* crypto_cert_fingerprint(X509* xcert); FREERDP_API char* crypto_cert_fingerprint(X509* xcert);
FREERDP_API char* crypto_cert_subject(X509* xcert); FREERDP_API char* crypto_cert_subject(X509* xcert);
FREERDP_API char* crypto_cert_subject_common_name(X509* xcert, int* length); FREERDP_API char* crypto_cert_subject_common_name(X509* xcert, int* length);
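Review bot: The new `crypto_cert_hash` declaration is exported through FREERDP_API with no comment on who owns the returned buffer. The implementation in this same commit returns a `calloc`'d buffer and writes the digest size to `*length`, so a caller reading only the header cannot tell that the result must be released with `free()`. I would add above the declaration: `/* Returns a newly allocated digest of xcert computed with the named hash and stores its size in *length; returns NULL on failure. The caller must free() the result. */`.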


@ -571,7 +571,7 @@ BYTE* freerdp_assistance_encrypt_pass_stub(const char* password, const char* pas
if (!rc4Ctx) if (!rc4Ctx)
{ {
WLog_ERR(TAG, "EVP_CipherInit_ex failure"); WLog_ERR(TAG, "winpr_Cipher_New failure");
goto fail; goto fail;
} }
@ -581,13 +581,13 @@ BYTE* freerdp_assistance_encrypt_pass_stub(const char* password, const char* pas
if (!rc) if (!rc)
{ {
WLog_ERR(TAG, "EVP_CipherUpdate failure"); WLog_ERR(TAG, "winpr_Cipher_Update failure");
goto fail; goto fail;
} }
if (!winpr_Cipher_Final(rc4Ctx, pbOut + cbOut, &cbFinal)) if (!winpr_Cipher_Final(rc4Ctx, pbOut + cbOut, &cbFinal))
{ {
WLog_ERR(TAG, "EVP_CipherFinal_ex failure"); WLog_ERR(TAG, "winpr_Cipher_Final failure");
goto fail; goto fail;
} }
@ -663,7 +663,7 @@ static BOOL freerdp_assistance_decrypt2(rdpAssistanceFile* file, const char* pas
if (!winpr_Cipher_Final(aesDec, pbOut + cbOut, &cbFinal)) if (!winpr_Cipher_Final(aesDec, pbOut + cbOut, &cbFinal))
{ {
WLog_ERR(TAG, "EVP_DecryptFinal_ex failure"); WLog_ERR(TAG, "winpr_Cipher_Final failure");
goto fail; goto fail;
} }


@ -215,25 +215,49 @@ void crypto_reverse(BYTE* data, int length)
char* crypto_cert_fingerprint(X509* xcert) char* crypto_cert_fingerprint(X509* xcert)
{ {
return crypto_cert_fingerprint_by_hash(xcert, "sha1"); return crypto_cert_fingerprint_by_hash(xcert, "sha256");
}
BYTE* crypto_cert_hash(X509* xcert, const char* hash, UINT32* length)
{
UINT32 fp_len = EVP_MAX_MD_SIZE;
BYTE* fp;
const EVP_MD* md = EVP_get_digestbyname(hash);
if (!md)
return NULL;
if (!length)
return NULL;
if (!xcert)
return NULL;
fp = calloc(fp_len, sizeof(BYTE));
if (!fp)
return NULL;
if (X509_digest(xcert, md, fp, &fp_len) != 1)
{
free(fp);
return NULL;
}
*length = fp_len;
return fp;
} }
char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash) char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)
{ {
size_t i = 0; UINT32 fp_len, i;
BYTE* fp;
char* p; char* p;
char* fp_buffer; char* fp_buffer;
UINT32 fp_len;
BYTE fp[EVP_MAX_MD_SIZE]; fp = crypto_cert_hash(xcert, hash, &fp_len);
const EVP_MD* md = EVP_get_digestbyname(hash); if (!fp)
if (!md)
return NULL; return NULL;
X509_digest(xcert, md, fp, &fp_len); fp_buffer = calloc(fp_len * 3 + 1, sizeof(char));
fp_buffer = (char*)calloc(fp_len + 1, 3);
if (!fp_buffer) if (!fp_buffer)
return NULL; goto fail;
p = fp_buffer; p = fp_buffer;
@ -244,6 +268,9 @@ char* crypto_cert_fingerprint_by_hash(X509* xcert, const char* hash)
} }
sprintf_s(p, (fp_len - i) * 3, "%02" PRIx8 "", fp[i]); sprintf_s(p, (fp_len - i) * 3, "%02" PRIx8 "", fp[i]);
fail:
free(fp);
return fp_buffer; return fp_buffer;
} }
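Review bot: The changed line in `crypto_cert_fingerprint` switches the digest name passed to `crypto_cert_fingerprint_by_hash` (the page shows "sha1" on the old side and "sha256" on the new), and the commit title says nothing about it. Fingerprint strings stored or configured under the previous digest would presumably stop matching, which could surface as unexpected certificate-changed prompts; that depends on callers not shown here. I would move this into its own commit or state it in the message, and add a comment above the return such as `/* default fingerprint digest; stored fingerprints must have been produced with the same one */`.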


@ -611,13 +611,15 @@ static SecPkgContext_Bindings* tls_get_channel_bindings(X509* cert)
SEC_CHANNEL_BINDINGS* ChannelBindings; SEC_CHANNEL_BINDINGS* ChannelBindings;
SecPkgContext_Bindings* ContextBindings; SecPkgContext_Bindings* ContextBindings;
const size_t PrefixLength = strnlen(TLS_SERVER_END_POINT, ARRAYSIZE(TLS_SERVER_END_POINT)); const size_t PrefixLength = strnlen(TLS_SERVER_END_POINT, ARRAYSIZE(TLS_SERVER_END_POINT));
BYTE CertificateHash[32] = { 0 }; BYTE* CertificateHash = crypto_cert_hash(cert, "sha256", &CertificateHashLength);
X509_digest(cert, EVP_sha256(), CertificateHash, &CertificateHashLength); if (!CertificateHash)
return NULL;
ChannelBindingTokenLength = PrefixLength + CertificateHashLength; ChannelBindingTokenLength = PrefixLength + CertificateHashLength;
ContextBindings = (SecPkgContext_Bindings*)calloc(1, sizeof(SecPkgContext_Bindings)); ContextBindings = (SecPkgContext_Bindings*)calloc(1, sizeof(SecPkgContext_Bindings));
if (!ContextBindings) if (!ContextBindings)
return NULL; goto out_free;
ContextBindings->BindingsLength = sizeof(SEC_CHANNEL_BINDINGS) + ChannelBindingTokenLength; ContextBindings->BindingsLength = sizeof(SEC_CHANNEL_BINDINGS) + ChannelBindingTokenLength;
ChannelBindings = (SEC_CHANNEL_BINDINGS*)calloc(1, ContextBindings->BindingsLength); ChannelBindings = (SEC_CHANNEL_BINDINGS*)calloc(1, ContextBindings->BindingsLength);
@ -633,6 +635,7 @@ static SecPkgContext_Bindings* tls_get_channel_bindings(X509* cert)
memcpy(ChannelBindingToken + PrefixLength, CertificateHash, CertificateHashLength); memcpy(ChannelBindingToken + PrefixLength, CertificateHash, CertificateHashLength);
return ContextBindings; return ContextBindings;
out_free: out_free:
free(CertificateHash);
free(ContextBindings); free(ContextBindings);
return NULL; return NULL;
} }
@ -1195,7 +1198,7 @@ static BOOL is_accepted_fingerprint(CryptoCert cert, const char* CertificateAcce
while (cur) while (cur)
{ {
BOOL equal; BOOL equal;
char* strhash;
const char* h = strtok(cur, ":"); const char* h = strtok(cur, ":");
const char* fp; const char* fp;
@ -1206,7 +1209,7 @@ static BOOL is_accepted_fingerprint(CryptoCert cert, const char* CertificateAcce
if (!fp) if (!fp)
continue; continue;
char* strhash = crypto_cert_fingerprint_by_hash(cert->px509, h); strhash = crypto_cert_fingerprint_by_hash(cert->px509, h);
if (!strhash) if (!strhash)
continue; continue;
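Review bot: `tls_get_channel_bindings` appears to leak the certificate digest on its success path. `CertificateHash` is now a heap buffer returned by `crypto_cert_hash`, but the only `free(CertificateHash);` this commit adds sits under `out_free:`, after `return ContextBindings;`. Unless the lines between the two hunks (not shown) release it, every successful call leaves the buffer allocated. The digest has already been copied into the token by the `memcpy`, so adding `free(CertificateHash);` immediately before `return ContextBindings;` would close the leak.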