From a376656b3c3adf7e58a11797b914b89bd66628b8 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Tue, 21 Nov 2017 11:37:42 +0100
Subject: [PATCH] Disabled ceritficate signature check.

---
 libfreerdp/core/certificate.c | 82 +++++++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 30 deletions(-)

diff --git a/libfreerdp/core/certificate.c b/libfreerdp/core/certificate.c
index 70b1084..d0e67c8 100644
--- a/libfreerdp/core/certificate.c
+++ b/libfreerdp/core/certificate.c
@@ -207,7 +207,8 @@ BOOL certificate_read_x509_certificate(rdpCertBlob* cert, rdpCertInfo* info)
 	error++;
 
 	/* signature */
-	if (!ber_read_sequence_tag(s, &length) || !Stream_SafeSeek(s, length)) /* AlgorithmIdentifier (SEQUENCE) */
+	if (!ber_read_sequence_tag(s, &length) ||
+	    !Stream_SafeSeek(s, length)) /* AlgorithmIdentifier (SEQUENCE) */
 		goto error1;
 
 	error++;
@@ -237,7 +238,8 @@ BOOL certificate_read_x509_certificate(rdpCertBlob* cert, rdpCertInfo* info)
 	error++;
 
 	/* subjectPublicKeyInfo::AlgorithmIdentifier */
-	if (!ber_read_sequence_tag(s, &length) || !Stream_SafeSeek(s, length)) /* AlgorithmIdentifier (SEQUENCE) */
+	if (!ber_read_sequence_tag(s, &length) ||
+	    !Stream_SafeSeek(s, length)) /* AlgorithmIdentifier (SEQUENCE) */
 		goto error1;
 
 	error++;
@@ -308,7 +310,8 @@ error2:
 	free(info->Modulus);
 	info->Modulus = 0;
 error1:
-	WLog_ERR(TAG, "error reading when reading certificate: part=%s error=%d", certificate_read_errors[error], error);
+	WLog_ERR(TAG, "error reading when reading certificate: part=%s error=%d",
+	         certificate_read_errors[error], error);
 	Stream_Free(s, FALSE);
 	return FALSE;
 }
@@ -360,7 +363,8 @@ void certificate_free_x509_certificate_chain(rdpX509CertChain* x509_cert_chain)
 	free(x509_cert_chain);
 }
 
-static BOOL certificate_process_server_public_key(rdpCertificate* certificate, wStream* s, UINT32 length)
+static BOOL certificate_process_server_public_key(rdpCertificate* certificate, wStream* s,
+        UINT32 length)
 {
 	BYTE magic[4];
 	UINT32 keylen;
@@ -398,27 +402,36 @@ static BOOL certificate_process_server_public_key(rdpCertificate* certificate, w
 }
 
 static BOOL certificate_process_server_public_signature(rdpCertificate* certificate,
-        const BYTE* sigdata, int sigdatalen, wStream* s, UINT32 siglen)
+        const BYTE* sigdata, size_t sigdatalen, wStream* s, UINT32 siglen)
 {
+#if defined(CERT_VALIDATE_PADDING) || defined(CERT_VALIDATE_RSA)
 	size_t i, sum;
+#endif
+#if defined(CERT_VALIDATE_RSA)
 	BYTE sig[TSSK_KEY_LENGTH];
+#endif
 	BYTE encsig[TSSK_KEY_LENGTH + 8];
-#if defined(VALIDATE_MD5)
+#if defined(CERT_VALIDATE_MD5) && defined(CERT_VALIDATE_RSA)
 	BYTE md5hash[WINPR_MD5_DIGEST_LENGTH];
 #endif
+#if !defined(CERT_VALIDATE_MD5) || !defined(CERT_VALIDATE_RSA)
+	(void)sigdata;
+	(void)sigdatalen;
+#endif
+	(void)certificate;
 	/* Do not bother with validation of server proprietary certificate. The use of MD5 here is not allowed under FIPS.
 	 * Since the validation is not protecting against anything since the private/public keys are well known and documented in
 	 * MS-RDPBCGR section 5.3.3.1, we are not gaining any security by using MD5 for signature comparison. Rather then use MD5
 	 * here we just dont do the validation to avoid its use. Historically, freerdp has been ignoring a failed validation anyways. */
-#if defined(VALIDATE_MD5)
+#if defined(CERT_VALIDATE_MD5)
 
 	if (!winpr_Digest(WINPR_MD_MD5, sigdata, sigdatalen, md5hash, sizeof(md5hash)))
 		return FALSE;
 
 #endif
 	Stream_Read(s, encsig, siglen);
-
 	/* Last 8 bytes shall be all zero. */
+#if defined(CERT_VALIDATE_PADDING)
 
 	for (sum = 0, i = sizeof(encsig) - 8; i < sizeof(encsig); i++)
 		sum += encsig[i];
@@ -429,7 +442,9 @@ static BOOL certificate_process_server_public_signature(rdpCertificate* certific
 		return FALSE;
 	}
 
+#endif
 	siglen -= 8;
+#if defined(CERT_VALIDATE_RSA)
 
 	if (crypto_rsa_public_decrypt(encsig, siglen, TSSK_KEY_LENGTH, tssk_modulus, tssk_exponent,
 	                              sig) <= 0)
@@ -440,7 +455,7 @@ static BOOL certificate_process_server_public_signature(rdpCertificate* certific
 
 	/* Verify signature. */
 	/* Do not bother with validation of server proprietary certificate as described above. */
-#if defined(VALIDATE_MD5)
+#if defined(CERT_VALIDATE_MD5)
 
 	if (memcmp(md5hash, sig, sizeof(md5hash)) != 0)
 	{
@@ -449,7 +464,6 @@ static BOOL certificate_process_server_public_signature(rdpCertificate* certific
 	}
 
 #endif
-
 	/*
 	 * Verify rest of decrypted data:
 	 * The 17th byte is 0x00.
@@ -466,6 +480,7 @@ static BOOL certificate_process_server_public_signature(rdpCertificate* certific
 		return FALSE;
 	}
 
+#endif
 	return TRUE;
 }
 
@@ -484,7 +499,7 @@ BOOL certificate_read_server_proprietary_certificate(rdpCertificate* certificate
 	UINT16 wSignatureBlobType;
 	UINT16 wSignatureBlobLen;
 	BYTE* sigdata;
-	int sigdatalen;
+	size_t sigdatalen;
 
 	if (Stream_GetRemainingLength(s) < 12)
 		return FALSE;
@@ -497,7 +512,7 @@ BOOL certificate_read_server_proprietary_certificate(rdpCertificate* certificate
 	if (!((dwSigAlgId == SIGNATURE_ALG_RSA) && (dwKeyAlgId == KEY_EXCHANGE_ALG_RSA)))
 	{
 		WLog_ERR(TAG, "unsupported signature or key algorithm, dwSigAlgId=%"PRIu32" dwKeyAlgId=%"PRIu32"",
-				 dwSigAlgId, dwKeyAlgId);
+		         dwSigAlgId, dwKeyAlgId);
 		return FALSE;
 	}
 
@@ -549,7 +564,8 @@ BOOL certificate_read_server_proprietary_certificate(rdpCertificate* certificate
 		return FALSE;
 	}
 
-	if (!certificate_process_server_public_signature(certificate, sigdata, sigdatalen, s, wSignatureBlobLen))
+	if (!certificate_process_server_public_signature(certificate, sigdata, sigdatalen, s,
+	        wSignatureBlobLen))
 	{
 		WLog_ERR(TAG, "unable to parse server public signature");
 		return FALSE;
@@ -604,16 +620,15 @@ BOOL certificate_read_server_x509_certificate_chain(rdpCertificate* certificate,
 		{
 			rdpCertInfo cert_info = { 0 };
 			DEBUG_CERTIFICATE("License Server Certificate");
-			
 			ret = certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i], &cert_info);
-			
 			DEBUG_LICENSE("modulus length:%"PRIu32"", cert_info.ModulusLength);
 			free(cert_info.Modulus);
 
 			if (!ret)
 			{
 				WLog_ERR(TAG, "failed to read License Server, content follows:");
-				winpr_HexDump(TAG, WLOG_ERROR, certificate->x509_cert_chain->array[i].data, certificate->x509_cert_chain->array[i].length);
+				winpr_HexDump(TAG, WLOG_ERROR, certificate->x509_cert_chain->array[i].data,
+				              certificate->x509_cert_chain->array[i].length);
 				return FALSE;
 			}
 		}
@@ -621,7 +636,8 @@ BOOL certificate_read_server_x509_certificate_chain(rdpCertificate* certificate,
 		{
 			DEBUG_CERTIFICATE("Terminal Server Certificate");
 
-			if (!certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i], &certificate->cert_info))
+			if (!certificate_read_x509_certificate(&certificate->x509_cert_chain->array[i],
+			                                       &certificate->cert_info))
 				return FALSE;
 
 			DEBUG_CERTIFICATE("modulus length:%"PRIu32"", certificate->cert_info.ModulusLength);
@@ -638,7 +654,8 @@ BOOL certificate_read_server_x509_certificate_chain(rdpCertificate* certificate,
  * @param length certificate length
  */
 
-BOOL certificate_read_server_certificate(rdpCertificate* certificate, BYTE* server_cert, size_t length)
+BOOL certificate_read_server_certificate(rdpCertificate* certificate, BYTE* server_cert,
+        size_t length)
 {
 	BOOL ret;
 	wStream* s;
@@ -677,20 +694,20 @@ BOOL certificate_read_server_certificate(rdpCertificate* certificate, BYTE* serv
 	return ret;
 }
 
-rdpRsaKey* key_new_from_content(const char *keycontent, const char *keyfile)
+rdpRsaKey* key_new_from_content(const char* keycontent, const char* keyfile)
 {
 	BIO* bio = NULL;
 	RSA* rsa = NULL;
 	rdpRsaKey* key = NULL;
-	const BIGNUM *rsa_e = NULL;
-	const BIGNUM *rsa_n = NULL;
-	const BIGNUM *rsa_d = NULL;
+	const BIGNUM* rsa_e = NULL;
+	const BIGNUM* rsa_n = NULL;
+	const BIGNUM* rsa_d = NULL;
 	key = (rdpRsaKey*) calloc(1, sizeof(rdpRsaKey));
 
 	if (!key)
 		return NULL;
 
-	bio = BIO_new_mem_buf((void *)keycontent, strlen(keycontent));
+	bio = BIO_new_mem_buf((void*)keycontent, strlen(keycontent));
 
 	if (!bio)
 		goto out_free;
@@ -781,7 +798,7 @@ rdpRsaKey* key_new(const char* keyfile)
 	if (_fseeki64(fp, 0, SEEK_SET) < 0)
 		goto out_free;
 
-	buffer = (char *)malloc(length + 1);
+	buffer = (char*)malloc(length + 1);
 
 	if (!buffer)
 		goto out_free;
@@ -830,7 +847,8 @@ rdpCertificate* certificate_clone(rdpCertificate* certificate)
 		if (!_certificate->cert_info.Modulus)
 			goto out_fail;
 
-		CopyMemory(_certificate->cert_info.Modulus, certificate->cert_info.Modulus, certificate->cert_info.ModulusLength);
+		CopyMemory(_certificate->cert_info.Modulus, certificate->cert_info.Modulus,
+		           certificate->cert_info.ModulusLength);
 		_certificate->cert_info.ModulusLength = certificate->cert_info.ModulusLength;
 	}
 
@@ -845,18 +863,21 @@ rdpCertificate* certificate_clone(rdpCertificate* certificate)
 
 		if (certificate->x509_cert_chain->count)
 		{
-			_certificate->x509_cert_chain->array = (rdpCertBlob*) calloc(certificate->x509_cert_chain->count, sizeof(rdpCertBlob));
+			_certificate->x509_cert_chain->array = (rdpCertBlob*) calloc(certificate->x509_cert_chain->count,
+			                                       sizeof(rdpCertBlob));
 
 			if (!_certificate->x509_cert_chain->array)
 				goto out_fail;
 
 			for (index = 0; index < certificate->x509_cert_chain->count; index++)
 			{
-				_certificate->x509_cert_chain->array[index].length = certificate->x509_cert_chain->array[index].length;
+				_certificate->x509_cert_chain->array[index].length =
+				    certificate->x509_cert_chain->array[index].length;
 
 				if (certificate->x509_cert_chain->array[index].length)
 				{
-					_certificate->x509_cert_chain->array[index].data = (BYTE*) malloc(certificate->x509_cert_chain->array[index].length);
+					_certificate->x509_cert_chain->array[index].data = (BYTE*) malloc(
+					            certificate->x509_cert_chain->array[index].length);
 
 					if (!_certificate->x509_cert_chain->array[index].data)
 					{
@@ -869,8 +890,9 @@ rdpCertificate* certificate_clone(rdpCertificate* certificate)
 						goto out_fail;
 					}
 
-					CopyMemory(_certificate->x509_cert_chain->array[index].data, certificate->x509_cert_chain->array[index].data,
-							_certificate->x509_cert_chain->array[index].length);
+					CopyMemory(_certificate->x509_cert_chain->array[index].data,
+					           certificate->x509_cert_chain->array[index].data,
+					           _certificate->x509_cert_chain->array[index].length);
 				}
 			}
 		}
-- 
2.7.4