
This reverts commit 00baf58a71ccd0842e483ac034a0658e8945f887.

That change appears to have been incorrect. It's described as simplifying retrieving the "default signature digest", but it actually changed the function's behavior entirely. The function wasn't retrieving defaults previously.

A certificate contains, among other things, a public key and a signature. The public key is the public key of the subject. However, the signature was generated by the issuer. That is, if I get a certificate from a CA, the public key will be my public key and the signature will be my CA's signature over the certificate contents.

Now, the original code returned the digest used in the certificate's signature. That is, it tells you which signature algorithm my *CA* used to sign my certificate.

The new code extracts the certificate's public key (my public key, not the CA's). This doesn't necessarily tell you the signature algorithm, so it then asks OpenSSL what "default" signature algorithm it would use with the key. This notion of "default" is ad-hoc and has changed over time with OpenSSL releases. It doesn't correspond to any particular protocol semantics. It's not necessarily the signature algorithm of the certificate.

Now, looking at where this function is used, it's called by freerdp_certificate_get_signature_alg, which is called by tls_get_channel_binding to compute the tls-server-end-point channel binding. That code cites RFC 5929, which discusses picking the hash algorithm based on the certificate's signatureAlgorithm:

https://www.rfc-editor.org/rfc/rfc5929#section-4.1

That is, the old version of the code was correct and the "simplification" broke it. Revert this and restore the original version.

I suspect this went unnoticed because, almost all the time, both the old and new code picked SHA-256 and it was fine. But if the certificate was, say, signed with SHA-384, the new code would compute the wrong channel binding.
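
The hash selection the commit message describes, as an added example that is not part of the commit or of FreeRDP's code: it reads the hash from the certificate's outer signatureAlgorithm field (the issuer's choice, not the subject's key) and applies the RFC 5929 section 4.1 rule, including that section's MD5/SHA-1 to SHA-256 upgrade. All function names are hypothetical, the OID table covers only common RSA and ECDSA algorithms, and the input is a constructed DER skeleton rather than a real certificate.

```python
import hashlib

# DER-encoded signatureAlgorithm OIDs -> hash the issuer used to sign the cert
SIG_OID_HASH = {
    "2a864886f70d010104": "md5",     # md5WithRSAEncryption
    "2a864886f70d010105": "sha1",    # sha1WithRSAEncryption
    "2a864886f70d01010b": "sha256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "sha384",  # sha384WithRSAEncryption
    "2a864886f70d01010d": "sha512",  # sha512WithRSAEncryption
    "2a8648ce3d040302": "sha256",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_hash(cert_der):
    """Hash named by Certificate.signatureAlgorithm, or None if not in the table."""
    _, start, _ = read_tlv(cert_der, 0)              # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)        # tbsCertificate (skipped whole)
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return SIG_OID_HASH.get(cert_der[oid_start:oid_end].hex())

def tls_server_end_point(cert_der):
    """RFC 5929 section 4.1: returns (hash name, hash of the whole certificate)."""
    name = signature_hash(cert_der)
    if name is None:
        raise ValueError("channel binding undefined for this signatureAlgorithm")
    if name in ("md5", "sha1"):                      # RFC 5929: upgrade to SHA-256
        name = "sha256"
    return name, hashlib.new(name, cert_der).digest()

def skeleton_cert(oid_hex):
    """Constructed DER skeleton (not a real certificate) with the given OID."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # bodies < 128 bytes
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return der(0x30, der(0x30, b"constructed-tbs") + alg + der(0x03, b"\x00sig"))
```

For a skeleton carrying the sha384WithRSAEncryption OID the binding hash is 48 bytes of SHA-384, which is the case where a fixed or key-derived SHA-256 would no longer match what the peer computes.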
FreeRDP: A Remote Desktop Protocol Implementation
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Enjoy the freedom of using your software wherever you want, the way you want it, in a world where interoperability can finally liberate your computing experience.
Resources
Project website: https://www.freerdp.com/
Issue tracker: https://github.com/FreeRDP/FreeRDP/issues
Sources: https://github.com/FreeRDP/FreeRDP/
Downloads: https://pub.freerdp.com/releases/
Wiki: https://github.com/FreeRDP/FreeRDP/wiki
API documentation: https://pub.freerdp.com/api/
Security policy: https://github.com/FreeRDP/FreeRDP/security/policy
Matrix room : #FreeRDP:matrix.org (main)
XMPP channel: #FreeRDP#matrix.org@matrix.org (bridged)
IRC channel : #freerdp @ irc.oftc.net (bridged)
Mailing list: https://lists.sourceforge.net/lists/listinfo/freerdp-devel
Microsoft Open Specifications
Information regarding the Microsoft Open Specifications can be found at: https://www.microsoft.com/openspecifications/
A list of reference documentation is maintained here: https://github.com/FreeRDP/FreeRDP/wiki/Reference-Documentation
Compilation
Instructions on how to get started compiling FreeRDP can be found on the wiki: https://github.com/FreeRDP/FreeRDP/wiki/Compilation