David Benjamin bee7f94e93 [crypto,x509] fix tls-server-end-point signature algorithm selection
This reverts commit 00baf58a71. That
change appears to have been incorrect. It's described as simplifying
retrieving the "default signature digest", but it actually changed the
function's behavior entirely. The function wasn't retrieving defaults
previously.

A certificate contains, among other things, a public key and a
signature. The public key is the public key of the subject. However, the
signature was generated by the issuer. That is, if I get a certificate
from a CA, the public key will be my public key and the signature will
be my CA's signature over the certificate contents.

Now, the original code returned the digest used in the certificate's
signature. That is, it tells you which signature algorithm my *CA*
used to sign my certificate.

The new code extracts the certificate's public key (my public key, not
the CA's). This doesn't necessarily tell you the signature algorithm, so
it then asks OpenSSL what "default" signature algorithm it would use
with the key. This notion of "default" is ad-hoc and has changed over
time with OpenSSL releases. It doesn't correspond to any particular
protocol semantics. It's not necessarily the signature algorithm of the
certificate.

Now, looking at where this function is used, it's called by
freerdp_certificate_get_signature_alg, which is called by
tls_get_channel_binding to compute the tls-server-end-point channel
binding. That code cites RFC 5929, which discusses picking the hash
algorithm based on the certificate's signatureAlgorithm:

https://www.rfc-editor.org/rfc/rfc5929#section-4.1

That is, the old version of the code was correct and the
"simplification" broke it. Revert this and restore the original version.

I suspect this went unnoticed because, almost all the time, both the old
and new code picked SHA-256 and it was fine. But if the certificate was,
say, signed with SHA-384, the new code would compute the wrong channel
binding.
2024-02-07 07:53:37 +01:00
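
The hash selection rule from RFC 5929 section 4.1 that the commit message refers to, as an added example (not FreeRDP's code). The function names, the partial OID table and the skeleton certificates are constructed for illustration; the skeletons carry only the fields the selection reads and are not valid certificates.

```python
import hashlib

SIG_HASH = {  # DER-encoded signatureAlgorithm OID -> hash in the issuer's signature
    bytes.fromhex("2a864886f70d010104"): "md5",     # md5WithRSAEncryption
    bytes.fromhex("2a864886f70d010105"): "sha1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d01010c"): "sha384",  # sha384WithRSAEncryption
    bytes.fromhex("2a8648ce3d040302"): "sha256",    # ecdsa-with-SHA256
    bytes.fromhex("2a8648ce3d040303"): "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_oid(cert):
    """Raw OID bytes of Certificate.signatureAlgorithm (the issuer's choice)."""
    _, start, _ = read_tlv(cert, 0)        # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)  # skip tbsCertificate (subject key lives here)
    _, alg, _ = read_tlv(cert, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, lo, hi = read_tlv(cert, alg)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return bytes(cert[lo:hi])

def tls_server_end_point(cert):
    """RFC 5929 section 4.1: (hash name, hash of the DER certificate)."""
    name = SIG_HASH.get(signature_oid(cert))
    if name is None:
        raise ValueError("hash not determinable from this table; binding undefined")
    if name in ("md5", "sha1"):
        name = "sha256"                    # MD5 and SHA-1 are replaced by SHA-256
    return name, hashlib.new(name, cert).digest()

def _der(tag, body):                       # short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(oid_body):                 # constructed skeleton, not a valid certificate
    alg = _der(0x30, _der(0x06, oid_body) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

SHA384_CERT = sample_cert(bytes.fromhex("2a8648ce3d040303"))   # ecdsa-with-SHA384
SHA1_CERT = sample_cert(bytes.fromhex("2a864886f70d010105"))   # sha1WithRSAEncryption
```

A client and server that disagree on this selection compute different bindings for the same certificate, so the SHA-384 case is the one worth covering in an interoperability test.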
.github [ci,codeql] update dependencies 2023-12-20 23:16:10 +01:00
channels [winpr] use winpr_strerror instead of strerror 2024-02-06 15:45:47 +01:00
ci/cmake-preloads link executables to static runtime 2024-01-25 09:40:10 +01:00
client [winpr] use winpr_strerror instead of strerror 2024-02-06 15:45:47 +01:00
cmake [cmake] fix manpage generation dependencies 2024-01-29 09:34:59 +01:00
compat/stdbool Added stdbool.h compat header 2021-06-18 11:32:16 +02:00
docs Add wiki link to README files 2023-12-12 19:36:54 +01:00
external cmake: added external directory 2012-11-01 13:50:49 -04:00
include [build] fix Wmismatched-deallocator warnings 2024-02-05 08:16:55 +01:00
libfreerdp [crypto,x509] fix tls-server-end-point signature algorithm selection 2024-02-07 07:53:37 +01:00
packaging [packaging] clean debian rules 2024-01-29 09:34:59 +01:00
rdtk [cmake] generate relative pkgconfig path 2024-01-05 14:19:34 +01:00
resources remove logo from external vendor 2023-12-21 09:19:38 +01:00
scripts [build,mac] FFmpeg --enable-cross-compile 2024-01-10 12:41:34 +01:00
server [build] fix Wmismatched-deallocator warnings 2024-02-05 08:16:55 +01:00
third-party [git] remove .gitignore 2023-11-28 12:14:55 +01:00
tools [settings] assert invalid keys in getter 2023-11-24 14:54:56 +01:00
uwac [uwac] output: take a max scale into scaling code 2024-01-11 16:00:40 +01:00
winpr [winpr] use winpr_strerror instead of strerror 2024-02-06 15:45:47 +01:00
.clang-format [clang-format] remove duplicate option 2023-06-05 11:28:48 +02:00
.clang-tidy [cmake] add clang-tidy support 2024-01-25 09:40:10 +01:00
.gitignore [cmake] prevent in source builds 2023-11-28 12:14:55 +01:00
.travis.yml Remove unused codec x264 2021-09-14 12:38:14 +02:00
ChangeLog changelog 2024-01-19 09:57:41 +01:00
CMakeCPack.cmake [cmake] use CMAKE_MSVC_RUNTIME_LIBRARY 2023-11-16 10:40:04 +01:00
CMakeCPackOptions.cmake.in cmake: fix package generation on Mac OS X 2013-09-09 21:42:25 -04:00
CMakeLists.txt [common,addin] make plugin loader path configurable 2024-01-30 09:48:52 +01:00
LICENSE FreeRDP 1.0: initial commit 2011-06-30 15:12:51 -04:00
README.md Add security policy to readme 2022-04-26 07:45:33 +02:00
SECURITY.md Update the security policy (#8408) 2022-11-16 18:06:37 +01:00

FreeRDP: A Remote Desktop Protocol Implementation

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Enjoy the freedom of using your software wherever you want, the way you want it, in a world where interoperability can finally liberate your computing experience.

Resources

Project website: https://www.freerdp.com/
Issue tracker: https://github.com/FreeRDP/FreeRDP/issues
Sources: https://github.com/FreeRDP/FreeRDP/
Downloads: https://pub.freerdp.com/releases/
Wiki: https://github.com/FreeRDP/FreeRDP/wiki
API documentation: https://pub.freerdp.com/api/

Security policy: https://github.com/FreeRDP/FreeRDP/security/policy

Matrix room: #FreeRDP:matrix.org (main)
XMPP channel: #FreeRDP#matrix.org@matrix.org (bridged)
IRC channel: #freerdp @ irc.oftc.net (bridged)
Mailing list: https://lists.sourceforge.net/lists/listinfo/freerdp-devel

Microsoft Open Specifications

Information regarding the Microsoft Open Specifications can be found at: https://www.microsoft.com/openspecifications/

A list of reference documentation is maintained here: https://github.com/FreeRDP/FreeRDP/wiki/Reference-Documentation

Compilation

Instructions on how to get started compiling FreeRDP can be found on the wiki: https://github.com/FreeRDP/FreeRDP/wiki/Compilation