On 2018/10/23 03:13, Joel Sing wrote:
> x11/freerdp currently reaches deep into libssl internals, in order to send
> TLS alerts. AFAIK OpenSSL 1.1 does not provide any way for TLS alerts to be
> triggered outside the library and freerdp's approach is to simply disable
> this code. Do the same thing for current LibreSSL, so that we can make
> these internals internal.
> 
> ok?

OK.  Alternatively I would also be happy to just remove the
"|| defined(LIBRESSL_VERSION_NUMBER)".

In that code block it says "Manually sending a TLS alert is necessary in
certain cases, like when server-side NLA results in an authentication
failure" - I don't think we have anything using the server-side functionality
of freerdp's library so this is unlikely to affect us.

There's a newer version upstream (ports update blocked as they now want
timer_create()) - but they haven't changed this area.



> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/x11/freerdp/Makefile,v
> retrieving revision 1.33
> diff -u -p -u -p -r1.33 Makefile
> --- Makefile  14 Aug 2018 08:36:49 -0000      1.33
> +++ Makefile  22 Oct 2018 16:08:45 -0000
> @@ -6,7 +6,7 @@ BROKEN-hppa =         undefined reference to __
>  COMMENT =            open source client for Windows Terminal Server
>  DISTNAME =           freerdp-2.0.0-rc1
>  PKGNAME =            freerdp-2.0.0rc1
> -REVISION =           0
> +REVISION =           1
>  CATEGORIES =         x11 net
>  
>  SHARED_LIBS +=  freerdp-client2           0.0 # 2.0
> Index: patches/patch-libfreerdp_crypto_tls_c
> ===================================================================
> RCS file: patches/patch-libfreerdp_crypto_tls_c
> diff -N patches/patch-libfreerdp_crypto_tls_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-libfreerdp_crypto_tls_c     22 Oct 2018 16:08:45 -0000
> @@ -0,0 +1,17 @@
> +$OpenBSD$
> +
> +Stop reaching into libssl internals to send TLS alerts.
> +
> +Index: libfreerdp/crypto/tls.c
> +--- libfreerdp/crypto/tls.c.orig
> ++++ libfreerdp/crypto/tls.c
> +@@ -1020,7 +1020,8 @@ BOOL tls_send_alert(rdpTls* tls)
> +      * FIXME: The following code does not work on OpenSSL > 1.1.0 because 
> the
> +      *        SSL struct is opaqe now
> +      */
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
> ++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 
> 0x2080000fL)
> + 
> +     if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
> +     {
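Review bot: the lines following `because` and `LIBRESSL_VERSION_NUMBER <` in this hunk have been wrapped by the mail client (the continuations `the` and `0x2080000fL)` sit on their own lines), so the patch as pasted here will not apply cleanly; anyone testing it should take the diff from the tree rather than from the mail. It would also help to say in the patch comment which LibreSSL release the `0x2080000fL` cutoff corresponds to, and to note that on LibreSSL at or above that version `tls_send_alert()` now silently skips sending the alert, since the upstream FIXME just above only mentions OpenSSL 1.1.0 and the reply text already observes that the server-side NLA failure case is the one that would be affected.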
> 
