diff --git a/.freerdp.metadata b/.freerdp.metadata
index a266bf9..bd6a9d1 100644
--- a/.freerdp.metadata
+++ b/.freerdp.metadata
@@ -1 +1 @@
-34f7f62c00be97f6619743c0cea1e0fda04fd08a SOURCES/FreeRDP-2.4.0.tar.gz
+03ba0409951eaf50023cd4aac9bd49e443225a2f SOURCES/FreeRDP-2.4.1.tar.gz
diff --git a/.gitignore b/.gitignore
index ea8c60c..f81ddfc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/FreeRDP-2.4.0.tar.gz
+SOURCES/FreeRDP-2.4.1.tar.gz
diff --git a/SOURCES/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch b/SOURCES/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
deleted file mode 100644
index 20bf09a..0000000
--- a/SOURCES/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From df5d2572497f4cd7ab15144dbab99d0e01495127 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy
-Date: Wed, 12 May 2021 12:48:15 +0200
-Subject: [PATCH] Fix FIPS mode support and build with OpenSSL 3.0
-
-FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
-and `FIPS_mode_set` functions, which were removed there. Just a note that
-the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
-functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
-Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
-
-See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
----
- winpr/libwinpr/utils/ssl.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
-index 3a8590390..03b23af43 100644
---- a/winpr/libwinpr/utils/ssl.c
-+++ b/winpr/libwinpr/utils/ssl.c
-@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
- #else
- WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
-
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+ if (!EVP_default_properties_is_fips_enabled(NULL))
-+#else
- if (FIPS_mode() != 1)
-+#endif
- {
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+ if (EVP_set_default_properties(NULL, "fips=yes"))
-+#else
- if (FIPS_mode_set(1))
-+#endif
- WLog_INFO(TAG, "Openssl fips mode ENabled!");
- else
- {
---
-2.31.1
-
diff --git a/SOURCES/Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch b/SOURCES/Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
new file mode 100644
index 0000000..3279a28
--- /dev/null
+++ b/SOURCES/Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
@@ -0,0 +1,25 @@
+From 2ddb22f7a453f3429b3246ca8ffa1ff2c31fe71d Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Fri, 12 Nov 2021 11:24:38 +0100
+Subject: [PATCH] Fixed #7436: Datatype mismatch to crypto_base64_decode
+
+---
+ libfreerdp/core/gateway/rdg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
+index 72019ede8..44de2c137 100644
+--- a/libfreerdp/core/gateway/rdg.c
++++ b/libfreerdp/core/gateway/rdg.c
+@@ -1190,7 +1190,7 @@ static BOOL rdg_handle_ntlm_challenge(rdpNtlm* ntlm, HttpResponse* response)
+ BOOL continueNeeded = FALSE;
+ size_t len;
+ const char* token64 = NULL;
+- size_t ntlmTokenLength = 0;
++ int ntlmTokenLength = 0;
+ BYTE* ntlmTokenData = NULL;
+ long StatusCode;
+
+--
+2.33.1
+
diff --git a/SOURCES/Fixed-7436-Datatype-mismatch.patch b/SOURCES/Fixed-7436-Datatype-mismatch.patch
new file mode 100644
index 0000000..22c3987
--- /dev/null
+++ b/SOURCES/Fixed-7436-Datatype-mismatch.patch
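Review bot: The new `int ntlmTokenLength = 0;` in `rdg_handle_ntlm_challenge` carries no comment, and the reason for a signed `int` on a length variable is non-obvious enough that the next cleanup will "fix" it back to `size_t`: per the subject line the variable is written through the `int*` out-parameter of `crypto_base64_decode`, so a `size_t` there is an aliasing mismatch that stores into the wrong half of the word on big-endian (the spec changelog calls this the big-endian breakage). I would pin the type with `int ntlmTokenLength = 0; /* int, not size_t: crypto_base64_decode writes an int through this pointer */`. The uses of `ntlmTokenLength` are outside this hunk; since the length is now signed, any hand-off to a `size_t`-typed parameter there should presumably be guarded by `if (!ntlmTokenData || ntlmTokenLength <= 0)` so a failed decode cannot turn into a very large length — confirm against the rest of the function, which continues past the hunk.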
@@ -0,0 +1,34 @@
+From 403402607214092d20277af3aa959ce87768580a Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Fri, 12 Nov 2021 16:01:39 +0100
+Subject: [PATCH] Fixed #7436: Datatype mismatch
+
+---
+ libfreerdp/core/gateway/ncacn_http.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/core/gateway/ncacn_http.c b/libfreerdp/core/gateway/ncacn_http.c
+index f288a0f3c..75da83d62 100644
+--- a/libfreerdp/core/gateway/ncacn_http.c
++++ b/libfreerdp/core/gateway/ncacn_http.c
+@@ -105,7 +105,7 @@ BOOL rpc_ncacn_http_send_in_channel_request(RpcChannel* inChannel)
+ BOOL rpc_ncacn_http_recv_in_channel_response(RpcChannel* inChannel, HttpResponse* response)
+ {
+ const char* token64 = NULL;
+- size_t ntlmTokenLength = 0;
++ int ntlmTokenLength = 0;
+ BYTE* ntlmTokenData = NULL;
+ rdpNtlm* ntlm;
+
+@@ -259,7 +259,7 @@ BOOL rpc_ncacn_http_send_out_channel_request(RpcChannel* outChannel, BOOL replac
+ BOOL rpc_ncacn_http_recv_out_channel_response(RpcChannel* outChannel, HttpResponse* response)
+ {
+ const char* token64 = NULL;
+- size_t ntlmTokenLength = 0;
++ int ntlmTokenLength = 0;
+ BYTE* ntlmTokenData = NULL;
+ rdpNtlm* ntlm;
+
+--
+2.33.1
+
diff --git a/SOURCES/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch b/SOURCES/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
deleted file mode 100644
index 24aeeed..0000000
--- a/SOURCES/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
+++ /dev/null
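Review bot: The two `int ntlmTokenLength = 0;` declarations, in `rpc_ncacn_http_recv_in_channel_response` and `rpc_ncacn_http_recv_out_channel_response`, are left unexplained, and nothing at the declaration site says why a length is deliberately not a `size_t`; a one-line comment on each would preserve the fix: `int ntlmTokenLength = 0; /* must match the int* out-parameter of crypto_base64_decode (big-endian breakage otherwise) */`. Both functions continue past the hunk, where the decoded length is presumably consumed; now that it is signed, any hand-off to a `size_t` length (the NTLM input token, for instance) is worth preceding with a `ntlmTokenLength <= 0` check so a failed or empty decode cannot become a huge length — verify against the rest of each body. The inferred `int*` signature comes only from the patch subject, so confirm it against `crypto_base64_decode` in this tree.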
@@ -1,47 +0,0 @@
-From a79e09d97435bfdf4fdd439d76d847ba8dcbb445 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy
-Date: Tue, 3 Aug 2021 08:39:21 +0200
-Subject: [PATCH] winpr/crypto: Exit cleanly when EVP_EncryptInit_ex fails
-
-The `EVP_EncryptInit_ex` function may fail in certain configurations.
-Consequently, FreeRDP segfaults in `EVP_CIPHER_CTX_set_key_length`.
-Let's handle the `EVP_EncryptInit_ex` failures and exit cleanly in
-such case.
----
- winpr/libwinpr/crypto/cipher.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
-index c47595b14..bd52cfeed 100644
---- a/winpr/libwinpr/crypto/cipher.c
-+++ b/winpr/libwinpr/crypto/cipher.c
-@@ -66,7 +66,12 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- return NULL;
-
- EVP_CIPHER_CTX_init((EVP_CIPHER_CTX*)ctx);
-- EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL);
-+ if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL) != 1)
-+ {
-+ EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
-+ return NULL;
-+ }
-+
- /* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
- #if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
-
-@@ -75,7 +80,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
-
- #endif
- EVP_CIPHER_CTX_set_key_length((EVP_CIPHER_CTX*)ctx, keylen);
-- EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL);
-+ if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL) != 1)
-+ {
-+ EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
-+ return NULL;
-+ }
- #elif defined(WITH_MBEDTLS) && defined(MBEDTLS_ARC4_C)
-
- if (!(ctx = (WINPR_RC4_CTX*)calloc(1, sizeof(mbedtls_arc4_context))))
---
-2.31.1
-
diff --git a/SOURCES/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch b/SOURCES/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
deleted file mode 100644
index 43be2e5..0000000
--- a/SOURCES/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From e1f63dba5c63302b8a5e9d33c9ffe5580105de72 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy
-Date: Tue, 3 Aug 2021 08:47:13 +0200
-Subject: [PATCH] winpr/crypto: Load legacy provider to fix rc4 with OpenSSL
- 3.0
-
-Currently, the `EVP_EncryptInit_ex` function fails for rc4 with OpenSSL 3.0.
-This is becuase rc4 is provided by the legacy provider which is not loaded
-by default. Let's explicitly load the legacy provider to make FreeRDP work
-with OpenSSL 3.0.
-
-Relates: https://github.com/openssl/openssl/issues/14392
-Fixes: https://github.com/FreeRDP/FreeRDP/issues/6604
----
- winpr/libwinpr/crypto/cipher.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
-index bd52cfeed..75d25a1c7 100644
---- a/winpr/libwinpr/crypto/cipher.c
-+++ b/winpr/libwinpr/crypto/cipher.c
-@@ -29,6 +29,9 @@
- #include
- #include
- #include
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+#include
-+#endif
- #endif
-
- #ifdef WITH_MBEDTLS
-@@ -58,6 +60,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
-
- #if defined(WITH_OPENSSL)
-
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+ if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
-+ return NULL;
-+#endif
-+
- if (!(ctx = (WINPR_RC4_CTX*)EVP_CIPHER_CTX_new()))
- return NULL;
-
---
-2.31.1
-
diff --git a/SOURCES/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch b/SOURCES/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
new file mode 100644
index 0000000..9f20750
--- /dev/null
+++ b/SOURCES/winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
@@ -0,0 +1,61 @@
+From 2d0b58759ba823bbc372ac19fea5080f4261c26e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Tue, 16 Nov 2021 16:12:33 +0100
+Subject: [PATCH] winpr/ssl: Load legacy provider when initializing OpenSSL 3.0
+
+With OpenSSL 3.O, FreeRDP log contains errors like:
+
+```
+4036740A4C7F0000:error:0308010C:digital envelope routines:
+inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:
+Global default library context, Algorithm (MD4 : 85), Properties ()
+```
+
+This leads to connection failures in some cases. This is because algorithms
+like MD4 are now part of the legacy provider, which is not loaded by
+default. Let's explicitly load that provider. With this change, also the
+other provides has to be explicitely loaded.
+---
+ winpr/libwinpr/utils/ssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
+index 74ef156e7..392f8e227 100644
+--- a/winpr/libwinpr/utils/ssl.c
++++ b/winpr/libwinpr/utils/ssl.c
+@@ -33,6 +33,10 @@
+ #include
+ #include
+ 
++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++#include
++#endif
++
+ #include "../log.h"
+ #define TAG WINPR_TAG("utils.ssl")
+ 
+@@ -245,6 +249,7 @@ static BOOL winpr_enable_fips(DWORD flags)
+ WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+ 
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++ OSSL_PROVIDER_load(NULL, "fips");
+ if (!EVP_default_properties_is_fips_enabled(NULL))
+ #else
+ if (FIPS_mode() != 1)
+@@ -305,6 +310,13 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
+ return FALSE;
+ 
+ #endif
++
++#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
++ /* The legacy provider is needed for MD4. */
++ OSSL_PROVIDER_load(NULL, "legacy");
++ OSSL_PROVIDER_load(NULL, "default");
++#endif
++
+ g_winpr_openssl_initialized_by_winpr = TRUE;
+ return winpr_enable_fips(flags);
+ }
+--
+2.33.1
+
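Review bot: All three `OSSL_PROVIDER_load()` calls this patch adds discard their return value, so an absent or non-loadable provider surfaces only later as an opaque fetch error; in `winpr_enable_fips` this is the worse case, because a failed load of "fips" is followed by `EVP_default_properties_is_fips_enabled` and, on the earlier lines of that function not shown here, `EVP_set_default_properties(NULL, "fips=yes")`, which presumably still succeeds and logs "fips mode ENabled!" with no FIPS-validated provider in the process — confirm against the rest of `winpr_enable_fips`, which begins before the hunk. I would fail `winpr_enable_fips` when the fips provider cannot be loaded (assuming that branch is only reached when FIPS was requested), treat a failed "default" load in `_winpr_openssl_initialize` as fatal, and only warn on a failed "legacy" load since that costs MD4/RC4 support rather than all of TLS (this assumes the usual WLog_ERR/WLog_WARN macros alongside the WLog_DBG/WLog_INFO used here). Loading "legacy" into the default library context also re-enables RC4/MD4/DES for every OpenSSL user in the same process, which the comment should state so an embedding application knows: `/* The legacy provider is needed for MD4 (NTLM); note this enables legacy algorithms process-wide, not just for FreeRDP. */`. `_winpr_openssl_initialize` also starts before its hunk; only its tail is visible.
```c
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
	if (!OSSL_PROVIDER_load(NULL, "fips"))
	{
		WLog_ERR(TAG, "Could not load the OpenSSL fips provider");
		return FALSE;
	}
	if (!EVP_default_properties_is_fips_enabled(NULL))
	/* … unchanged: remainder of winpr_enable_fips … */

	/* … unchanged: _winpr_openssl_initialize up to the OpenSSL 1.1 init block … */
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
	/* The legacy provider is needed for MD4 (NTLM); note this enables legacy
	 * algorithms process-wide, not just for FreeRDP. */
	if (!OSSL_PROVIDER_load(NULL, "legacy"))
		WLog_WARN(TAG, "Could not load the OpenSSL legacy provider, MD4/RC4 will be unavailable");
	if (!OSSL_PROVIDER_load(NULL, "default"))
		return FALSE;
#endif
```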
diff --git a/SPECS/freerdp.spec b/SPECS/freerdp.spec
index f3bb38b..9910f26 100644
--- a/SPECS/freerdp.spec
+++ b/SPECS/freerdp.spec
@@ -21,8 +21,8 @@
 %endif
 
 Name: freerdp
-Version: 2.4.0
-Release: 3%{?dist}
+Version: 2.4.1
+Release: 2%{?dist}
 Epoch: 2
 Summary: Free implementation of the Remote Desktop Protocol (RDP)
 License: ASL 2.0
@@ -30,9 +30,12 @@
 URL: http://www.freerdp.com/
 Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz
 
-Patch0: Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
-Patch1: winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
-Patch2: winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
+# https://github.com/FreeRDP/FreeRDP/issues/7436
+Patch0: Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
+Patch1: Fixed-7436-Datatype-mismatch.patch
+
+# https://github.com/FreeRDP/FreeRDP/pull/7448
+Patch2: winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
 
 BuildRequires: gcc
 BuildRequires: gcc-c++
@@ -299,6 +302,13 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc
 
 %changelog
+* Fri Nov 26 2021 Ondrej Holy - 2:2.4.1-2
+- Fix datatype mismatch / big-endian breakage
+- Load legacy provider when initializing OpenSSL 3.0
+
+* Wed Nov 10 2021 Ondrej Holy - 2:2.4.1-1
+- Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).
+
 * Mon Aug 09 2021 Mohan Boddu - 2:2.4.0-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688