Origin: upstream, https://github.com/FreeRDP/FreeRDP/commit/88a3c94adc5abab5d4fbbf6bc5feaf663d6c5736
Forwarded: not-needed
From: Armin Novak <armin.novak@thincast.com>
Date: Tue, 15 Apr 2025 16:08:17 +0200
Subject: [crypto,certificate] Add a fallback for weak RSA keys
X509_dup fails with weak RSA keys. RDP security does still use them, so
add a fallback to recreate the X509 from the raw RSA data.
---
libfreerdp/crypto/certificate.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/libfreerdp/crypto/certificate.c b/libfreerdp/crypto/certificate.c
index 8904d368f..53b83f2fd 100644
--- a/libfreerdp/crypto/certificate.c
+++ b/libfreerdp/crypto/certificate.c
@@ -1158,15 +1158,26 @@ BOOL cert_clone_int(rdpCertificate* dst, const rdpCertificate* src)
WINPR_ASSERT(dst);
WINPR_ASSERT(src);
+ if (!cert_info_clone(&dst->cert_info, &src->cert_info))
+ return FALSE;
+
if (src->x509)
{
dst->x509 = X509_dup(src->x509);
if (!dst->x509)
- return FALSE;
+ {
+ /* Workaround for SSL deprecation issues:
+ * some security modes use weak RSA ciphers where X509_dup fails.
+ * In that case recreate the X509 from the raw RSA data
+ */
+ if (!update_x509_from_info(dst))
+ {
+ WLog_ERR(TAG, "X509_dup failed, SSL configuration bug?");
+ return FALSE;
+ }
+ }
}
- if (!cert_info_clone(&dst->cert_info, &src->cert_info))
- return FALSE;
return cert_x509_chain_copy(&dst->x509_cert_chain, &src->x509_cert_chain);
}
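Review bot: the fallback in the `if (!dst->x509)` branch runs for every `X509_dup` failure, not only the weak-RSA case the comment names, and when `update_x509_from_info(dst)` succeeds nothing is logged. A session that ends up on a rebuilt certificate for a weak key is therefore invisible in the logs. Consider emitting a `WLog_WARN` when the fallback path is taken, and rewording the error text so it says that both `X509_dup` and the rebuild failed. The move of `cert_info_clone` to the top of the function looks like a prerequisite for the fallback, since it is called with `dst` only and presumably reads `dst->cert_info`. A one-line comment stating that ordering dependency would stop a later cleanup from moving the call back down. Note also that every `return FALSE` after the hoisted clone now leaves `dst->cert_info` populated, so it is worth confirming the callers free `dst` on failure.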
--
2.39.5