Update to 3.27.1

It fixes CVE-2026-40033, CVE-2026-44420, CVE-2026-44421, CVE-2026-44422,
and CVE-2026-45700.

Resolves: RHEL-186097, RHEL-186938, RHEL-186960, RHEL-186965, RHEL-186980
This commit is contained in:
Ondrej Holy 2026-07-01 10:52:27 +00:00
parent ac51bba8e3
commit 6ecf4a031a
7 changed files with 15 additions and 357 deletions

1
.gitignore vendored
View File

@ -75,3 +75,4 @@
/FreeRDP-3.9.0-repack.tar.gz
/FreeRDP-3.10.3-repack.tar.gz
/FreeRDP-3.24.2-repack.tar.gz
/FreeRDP-3.27.1-repack.tar.gz

View File

@ -1,50 +0,0 @@
From e73687cb40d1a94214613ec5cd541cc8f676d55a Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 25 May 2026 11:01:12 +0200
Subject: [PATCH] [core,connection] disable NTLM in FIPS mode
Commit eed2d3421a enabled NLA in FIPS mode since Kerberos support
had been added to FreeRDP since the original FIPS implementation.
However, that commit removed the NLA restriction entirely without
accounting for the fact that NTLM authentication still uses
MD4 and RC4 which are not FIPS-compliant. This means the Negotiate
SSP can fall back to NTLM, which violates FIPS requirements.
This commit addresses that by setting `AuthenticationPackageList`
to `"!ntlm"` when FIPS mode is active and the user has not
explicitly configured a package list. This disables the NTLM
mechanism within the Negotiate SSP while keeping Kerberos
available for NLA.
Made-with: Cursor
Co-authored-by: Cursor <cursoragent@cursor.com>
---
libfreerdp/core/connection.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index cc9c8899b..c013e9b38 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -324,10 +324,16 @@ BOOL rdp_client_connect(rdpRdp* rdp)
/* FIPS Mode forces the following and overrides the following(by happening later
* in the command line processing):
- * 1. Forces the only supported RDP encryption method to be FIPS. */
+ * 1. Forces the only supported RDP encryption method to be FIPS.
+ * 2. Disables NTLM authentication (not FIPS compliant due to MD4/RC4). */
if (settings->FIPSMode || winpr_FIPSMode())
{
settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
+ if (!settings->AuthenticationPackageList)
+ {
+ if (!freerdp_settings_set_string(settings, FreeRDP_AuthenticationPackageList, "!ntlm"))
+ return FALSE;
+ }
}
UINT32 TcpConnectTimeout = freerdp_settings_get_uint32(settings, FreeRDP_TcpConnectTimeout);
--
2.54.0

View File

@ -1,66 +0,0 @@
From 56b0402e945360eaa2ad64922a6591f7ccea9ee5 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 25 May 2026 11:49:12 +0200
Subject: [PATCH] [core,connection] disable RDP Security in FIPS mode
The FIPS mode block in `rdp_client_connect` forces
`ENCRYPTION_METHOD_FIPS` which uses 3DES-EDE3-CBC for the RDP
Security layer encryption.
Starting with OpenSSL 3.4, the FIPS provider marks Triple-DES as
a non-approved algorithm (`fips=no`) and rejects its use by
default. This causes connection failures when RDP Security
negotiation is attempted in FIPS mode on systems with OpenSSL 3.4
or newer.
This commit addresses that by disabling `RdpSecurity` entirely
when 3DES-EDE3-CBC is not available, so that only NLA/TLS (which
use FIPS-approved AES) are negotiated. On older OpenSSL versions,
the existing `ENCRYPTION_METHOD_FIPS` behavior is preserved since
3DES still works there.
Made-with: Cursor
---
libfreerdp/core/connection.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index c013e9b38..0d72c0e50 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -325,15 +325,31 @@ BOOL rdp_client_connect(rdpRdp* rdp)
/* FIPS Mode forces the following and overrides the following(by happening later
* in the command line processing):
* 1. Forces the only supported RDP encryption method to be FIPS.
- * 2. Disables NTLM authentication (not FIPS compliant due to MD4/RC4). */
+ * 2. Disables NTLM authentication (not FIPS compliant due to MD4/RC4).
+ * 3. Disables RDP Security if 3DES is not available in the crypto provider. */
if (settings->FIPSMode || winpr_FIPSMode())
{
+
settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
+
if (!settings->AuthenticationPackageList)
{
if (!freerdp_settings_set_string(settings, FreeRDP_AuthenticationPackageList, "!ntlm"))
return FALSE;
}
+
+ const BYTE key[WINPR_CIPHER_MAX_KEY_LENGTH] = WINPR_C_ARRAY_INIT;
+ const BYTE iv[WINPR_CIPHER_MAX_IV_LENGTH] = WINPR_C_ARRAY_INIT;
+ WINPR_CIPHER_CTX* ctx = winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_ENCRYPT, key,
+ sizeof(key), iv, sizeof(iv));
+ if (ctx)
+ {
+ winpr_Cipher_Free(ctx);
+ }
+ else
+ {
+ settings->RdpSecurity = FALSE;
+ }
}
UINT32 TcpConnectTimeout = freerdp_settings_get_uint32(settings, FreeRDP_TcpConnectTimeout);
--
2.54.0

View File

@ -1,166 +0,0 @@
From 96ba0967557901ed8179e0e5997d1604064697bf Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 25 May 2026 14:59:47 +0200
Subject: [PATCH] [core,rdp] suppress expected FIPS cipher warnings
The build-time cipher and digest checks warn about missing crypto
functionality. In FIPS mode many algorithms (MD4, MD5, RC4) are
expected to be unavailable, producing misleading warnings that
obscure real problems.
This commit addresses that by adding an `allowFIPS` parameter to
`log_build_warn_cipher` and `log_build_warn_hash`. When set, the
`_Allow_FIPS` variant is tested instead (e.g.
`winpr_RC4_New_Allow_FIPS`, `winpr_Digest_Init_Allow_FIPS`).
Checks for algorithms expected to be unavailable on FIPS (MD4,
HMAC-MD5) are skipped silently, and a single INFO message
summarizes the situation. The DES_EDE3_CBC check is skipped since
3DES is no longer available in the FIPS provider.
Made-with: Cursor
---
libfreerdp/core/rdp.c | 83 +++++++++++++++++++++++++++++++------------
1 file changed, 60 insertions(+), 23 deletions(-)
diff --git a/libfreerdp/core/rdp.c b/libfreerdp/core/rdp.c
index aec144796..12bfd0296 100644
--- a/libfreerdp/core/rdp.c
+++ b/libfreerdp/core/rdp.c
@@ -28,6 +28,7 @@
#include <winpr/assert.h>
#include <winpr/cast.h>
#include <winpr/json.h>
+#include <winpr/ssl.h>
#include "rdp.h"
@@ -3043,7 +3044,7 @@ static void print_last_line(wLog* log, const log_line_t* firstLine)
}
static void log_build_warn_cipher(rdpRdp* rdp, log_line_t* firstLine, WINPR_CIPHER_TYPE md,
- const char* what)
+ const char* what, BOOL allowFIPS)
{
BOOL haveCipher = FALSE;
@@ -3054,7 +3055,11 @@ static void log_build_warn_cipher(rdpRdp* rdp, log_line_t* firstLine, WINPR_CIPH
* winpr_Cipher_* does not support that. */
if (md == WINPR_CIPHER_ARC4_128)
{
- WINPR_RC4_CTX* enc = winpr_RC4_New(key, sizeof(key));
+ WINPR_RC4_CTX* enc = nullptr;
+ if (allowFIPS)
+ enc = winpr_RC4_New_Allow_FIPS(key, sizeof(key));
+ else
+ enc = winpr_RC4_New(key, sizeof(key));
haveCipher = enc != nullptr;
winpr_RC4_Free(enc);
}
@@ -3101,13 +3106,17 @@ static void log_build_warn_hmac(rdpRdp* rdp, log_line_t* firstLine, WINPR_MD_TYP
}
static void log_build_warn_hash(rdpRdp* rdp, log_line_t* firstLine, WINPR_MD_TYPE md,
- const char* what)
+ const char* what, BOOL allowFIPS)
{
BOOL haveDigestX = FALSE;
-
WINPR_DIGEST_CTX* digest = winpr_Digest_New();
if (digest)
- haveDigestX = winpr_Digest_Init(digest, md);
+ {
+ if (allowFIPS)
+ haveDigestX = winpr_Digest_Init_Allow_FIPS(digest, md);
+ else
+ haveDigestX = winpr_Digest_Init(digest, md);
+ }
winpr_Digest_Free(digest);
if (!haveDigestX)
@@ -3121,37 +3130,65 @@ static void log_build_warn_ssl(rdpRdp* rdp)
{
WINPR_ASSERT(rdp);
+ const BOOL fips = winpr_FIPSMode();
+
+ if (fips)
+ {
+ WLog_Print(rdp->log, WLOG_INFO,
+ "FIPS mode active: non-approved algorithms are unavailable "
+ "as expected. NTLM, autoreconnect cookies, assistance files "
+ "with encrypted passwords and RDP security will not work.");
+ }
+
log_line_t firstHashLine = WINPR_C_ARRAY_INIT;
- log_build_warn_hash(rdp, &firstHashLine, WINPR_MD_MD4, "NTLM support not available");
+ if (!fips)
+ {
+ log_build_warn_hash(rdp, &firstHashLine, WINPR_MD_MD4, "NTLM support not available", FALSE);
+ log_build_warn_hash(rdp, &firstHashLine, WINPR_MD_MD5,
+ "NTLM, assistance files with encrypted passwords "
+ " and autoreconnect cookies will not work",
+ FALSE);
+ }
log_build_warn_hash(rdp, &firstHashLine, WINPR_MD_MD5,
- "NTLM, assistance files with encrypted passwords, autoreconnect cookies, "
- "licensing and RDP security will not work");
+ "RDP licensing and RDP security will not work", TRUE);
log_build_warn_hash(rdp, &firstHashLine, WINPR_MD_SHA1,
"assistance files with encrypted passwords, Kerberos, Smartcard Logon, RDP "
- "security support not available");
- log_build_warn_hash(
- rdp, &firstHashLine, WINPR_MD_SHA256,
- "file clipboard, AAD gateway, NLA security and certificates might not work");
+ "security support not available",
+ FALSE);
+ log_build_warn_hash(rdp, &firstHashLine, WINPR_MD_SHA256,
+ "file clipboard, AAD gateway, NLA security and certificates might not work",
+ FALSE);
print_last_line(rdp->log, &firstHashLine);
- log_line_t firstHmacLine = WINPR_C_ARRAY_INIT;
- log_build_warn_hmac(rdp, &firstHmacLine, WINPR_MD_MD5, "Autoreconnect cookie not supported");
- log_build_warn_hmac(rdp, &firstHmacLine, WINPR_MD_SHA1, "RDP security not supported");
- print_last_line(rdp->log, &firstHmacLine);
+ if (!fips)
+ {
+ log_line_t firstHmacLine = WINPR_C_ARRAY_INIT;
+ log_build_warn_hmac(rdp, &firstHmacLine, WINPR_MD_MD5,
+ "Autoreconnect cookie not supported");
+ log_build_warn_hmac(rdp, &firstHmacLine, WINPR_MD_SHA1, "RDP security not supported");
+ print_last_line(rdp->log, &firstHmacLine);
+ }
log_line_t firstCipherLine = WINPR_C_ARRAY_INIT;
+ if (!fips)
+ {
+ log_build_warn_cipher(rdp, &firstCipherLine, WINPR_CIPHER_ARC4_128,
+ "assistance files with encrypted passwords, NTLM "
+ "and autoreconnect cookies will not work",
+ FALSE);
+ }
log_build_warn_cipher(rdp, &firstCipherLine, WINPR_CIPHER_ARC4_128,
- "assistance files with encrypted passwords, NTLM, RDP licensing and RDP "
- "security will not work");
- log_build_warn_cipher(rdp, &firstCipherLine, WINPR_CIPHER_DES_EDE3_CBC,
- "RDP security FIPS mode will not work");
+ "RDP licensing and RDP security will not work", TRUE);
+ if (!fips)
+ log_build_warn_cipher(rdp, &firstCipherLine, WINPR_CIPHER_DES_EDE3_CBC,
+ "RDP security will not work", TRUE);
log_build_warn_cipher(
rdp, &firstCipherLine, WINPR_CIPHER_AES_128_CBC,
- "assistance file encrypted LHTicket will not work and ARM gateway might not");
+ "assistance file encrypted LHTicket will not work and ARM gateway might not", FALSE);
log_build_warn_cipher(rdp, &firstCipherLine, WINPR_CIPHER_AES_192_CBC,
- "ARM gateway might not work");
+ "ARM gateway might not work", FALSE);
log_build_warn_cipher(rdp, &firstCipherLine, WINPR_CIPHER_AES_256_CBC,
- "ARM gateway might not work");
+ "ARM gateway might not work", FALSE);
print_last_line(rdp->log, &firstCipherLine);
}
--
2.54.0

View File

@ -29,8 +29,8 @@
Name: freerdp
Epoch: 2
Version: 3.24.2
Release: 2%{?dist}
Version: 3.27.1
Release: 1%{?dist}
Summary: Free implementation of the Remote Desktop Protocol (RDP)
# The effective license is Apache-2.0 but:
@ -47,12 +47,6 @@ URL: http://www.freerdp.com/
Source0: FreeRDP-%{version}-repack.tar.gz
Source1: freerdp_download_and_repack.sh
# https://github.com/FreeRDP/FreeRDP/pull/12811
Patch: core-connection-disable-NTLM-in-FIPS-mode.patch
Patch: core-connection-disable-RDP-Security-in-FIPS-mode.patch
Patch: winpr-crypto-fix-RC4-FIPS-override-for-OpenSSL-3.patch
Patch: core-rdp-suppress-expected-FIPS-cipher-warnings.patch
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel
@ -62,6 +56,7 @@ BuildRequires: gsm-devel
BuildRequires: lame-devel
BuildRequires: libicu-devel
BuildRequires: libjpeg-turbo-devel
BuildRequires: turbojpeg-devel
BuildRequires: libX11-devel
BuildRequires: libXcursor-devel
BuildRequires: libXdamage-devel
@ -90,6 +85,8 @@ BuildRequires: pkgconfig(cairo)
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(fdk-aac)
BuildRequires: pkgconfig(fuse3)
BuildRequires: pkgconfig(libcbor)
BuildRequires: pkgconfig(libfido2)
BuildRequires: pkgconfig(libpcsclite)
BuildRequires: pkgconfig(libpulse)
BuildRequires: pkgconfig(libsystemd)
@ -186,6 +183,10 @@ find . -name "*.c" -exec chmod 664 {} \;
%build
%cmake \
-DBUILD_TESTING=ON \
-DCHANNEL_RDP2TCP=ON \
-DCHANNEL_RDP2TCP_CLIENT=ON \
-DCHANNEL_RDPEWA=ON \
-DCHANNEL_RDPEWA_CLIENT=ON \
-DCMAKE_SKIP_INSTALL_RPATH=ON \
-DCMAKE_INSTALL_LIBDIR:PATH=%{_lib} \
-DWITH_ALSA=ON \
@ -377,6 +378,10 @@ find %{buildroot} -name "*.a" -delete
%{_libdir}/pkgconfig/winpr-tools3.pc
%changelog
* Wed Jul 01 2026 Ondrej Holy <oholy@redhat.com> - 2:3.27.1-1
- Update to 3.27.1
Resolves: RHEL-186097, RHEL-186938, RHEL-186960, RHEL-186965, RHEL-186980
* Mon Jun 01 2026 Ondrej Holy <oholy@redhat.com> - 2:3.24.2-2
- Improve FIPS mode support
Resolves: RHEL-140202

View File

@ -1 +1 @@
SHA512 (FreeRDP-3.24.2-repack.tar.gz) = e4fcd7ffede1db9541463ba3389fe412326f05b762d38a36a79361bfe0a0d5fa2f8a889988a0f1a7971277a6ee8e27669541f665568192b849ddd3544f24e72d
SHA512 (FreeRDP-3.27.1-repack.tar.gz) = a8268fdbd9cd9a1ad6df56fdfa233bb2d282026d8dd295cdb0c47ae42e98fc1de8d428d0eecef3c302c3b42415cedf78ae29e6dc475a51a590f99d6ee69f6851

View File

@ -1,66 +0,0 @@
From 13edfacb49d8c9843b339b528562eab839d81a0b Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 25 May 2026 11:21:05 +0200
Subject: [PATCH] [winpr,crypto] fix RC4 FIPS override for OpenSSL 3
The `winpr_RC4_New_Allow_FIPS` function uses
`EVP_CIPH_FLAG_NON_FIPS_ALLOW` to permit RC4 usage in FIPS mode
for protocol-required operations like RDP licensing.
In OpenSSL 3.x this flag is no longer honored, causing RC4
operations to fail when the system is running in FIPS mode.
This commit addresses that by using `EVP_CIPHER_fetch` with the
`"fips=no"` property string on OpenSSL 3.x, matching the approach
used for MD5 in commit 97d7a3fc6d.
Made-with: Cursor
---
winpr/libwinpr/crypto/cipher.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
index 896a0d1d6..de65a4654 100644
--- a/winpr/libwinpr/crypto/cipher.c
+++ b/winpr/libwinpr/crypto/cipher.c
@@ -90,7 +90,6 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
if (!ctx->ictx)
goto fail;
#elif defined(WITH_OPENSSL)
- const EVP_CIPHER* evp = nullptr;
if (keylen > INT_MAX)
goto fail;
@@ -99,7 +98,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
if (!ctx->ctx)
goto fail;
- evp = EVP_rc4();
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_CIPHER* evp = EVP_CIPHER_fetch(NULL, "RC4", override_fips ? "fips=no" : NULL);
+#else
+ const EVP_CIPHER* evp = EVP_rc4();
+#endif
if (!evp)
goto fail;
@@ -108,12 +111,16 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
if (EVP_EncryptInit_ex(ctx->ctx, evp, nullptr, nullptr, nullptr) != 1)
goto fail;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_CIPHER_free(evp);
+
/* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
if (override_fips == TRUE)
EVP_CIPHER_CTX_set_flags(ctx->ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+#endif
#endif
EVP_CIPHER_CTX_set_key_length(ctx->ctx, (int)keylen);
if (EVP_EncryptInit_ex(ctx->ctx, nullptr, nullptr, key, nullptr) != 1)
--
2.54.0