/**
 * FreeRDP: A Remote Desktop Protocol Implementation
 * FreeRDP Test Server
 *
 * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
 * Copyright 2011 Vic Lee

Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.
Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.
The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receives this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method conforms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers revealed that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Compliant" or if it is the
only method advertised by the client.
Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods
Changes in this commit:
Removed unnecessary/confusing changes of EncryptionLevel/Methods settings
Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)
Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method
Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2
Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level
Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)
Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 04:17:12 +03:00

 * Copyright 2014 Norbert Federa <norbert.federa@thincast.com>
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <errno.h>
#include <signal.h>

#include <winpr/crt.h>
#include <winpr/synch.h>
#include <winpr/winsock.h>

#include <freerdp/channels/wtsvc.h>
#include <freerdp/channels/channels.h>

#include <freerdp/constants.h>
#include <freerdp/server/rdpsnd.h>

#include "sf_audin.h"
#include "sf_rdpsnd.h"
#include "sf_encomsp.h"

#include "sfreerdp.h"

#include <freerdp/log.h>
#define TAG SERVER_TAG("sample")

#define SAMPLE_SERVER_USE_CLIENT_RESOLUTION 1
#define SAMPLE_SERVER_DEFAULT_WIDTH 1024
#define SAMPLE_SERVER_DEFAULT_HEIGHT 768

static char* test_pcap_file = NULL;
static BOOL test_dump_rfx_realtime = TRUE;

/* Per-peer context: RemoteFX and NSCodec encoder contexts, a scratch stream for
 * encoded surface bits, and the virtual channel manager for this peer. */
BOOL test_peer_context_new(freerdp_peer* client, testPeerContext* context)
{
	if (!(context->rfx_context = rfx_context_new(TRUE)))
		goto fail_rfx_context;

	context->rfx_context->mode = RLGR3;
	context->rfx_context->width = SAMPLE_SERVER_DEFAULT_WIDTH;
	context->rfx_context->height = SAMPLE_SERVER_DEFAULT_HEIGHT;
	rfx_context_set_pixel_format(context->rfx_context, RDP_PIXEL_FORMAT_R8G8B8);

	if (!(context->nsc_context = nsc_context_new()))
		goto fail_nsc_context;

	nsc_context_set_pixel_format(context->nsc_context, RDP_PIXEL_FORMAT_R8G8B8);

	if (!(context->s = Stream_New(NULL, 65536)))
		goto fail_stream_new;

	/* -1 means "icon not drawn yet", so there is nothing to erase on first draw */
	context->icon_x = -1;
	context->icon_y = -1;

	context->vcm = WTSOpenServerA((LPSTR) client->context);

	if (!context->vcm || context->vcm == INVALID_HANDLE_VALUE)
		goto fail_open_server;

	return TRUE;

	/* Unwind in reverse order of allocation */
fail_open_server:
	context->vcm = NULL;
	Stream_Free(context->s, TRUE);
	context->s = NULL;
fail_stream_new:
	nsc_context_free(context->nsc_context);
	context->nsc_context = NULL;
fail_nsc_context:
	rfx_context_free(context->rfx_context);
	context->rfx_context = NULL;
fail_rfx_context:
	return FALSE;
}

void test_peer_context_free(freerdp_peer* client, testPeerContext* context)
{
	if (context)
	{
		/* Stop the debug channel thread before releasing anything it may touch */
		if (context->debug_channel_thread)
		{
			SetEvent(context->stopEvent);
			WaitForSingleObject(context->debug_channel_thread, INFINITE);
			CloseHandle(context->debug_channel_thread);
		}

		Stream_Free(context->s, TRUE);
		free(context->icon_data);
		free(context->bg_data);

		rfx_context_free(context->rfx_context);
		nsc_context_free(context->nsc_context);

		if (context->debug_channel)
			WTSVirtualChannelClose(context->debug_channel);

		if (context->audin)
			audin_server_context_free(context->audin);

		if (context->rdpsnd)
			rdpsnd_server_context_free(context->rdpsnd);

		if (context->encomsp)
			encomsp_server_context_free(context->encomsp);

		WTSCloseServer((HANDLE) context->vcm);
	}
}

static BOOL test_peer_init(freerdp_peer* client)
{
	client->ContextSize = sizeof(testPeerContext);
	client->ContextNew = (psPeerContextNew) test_peer_context_new;
	client->ContextFree = (psPeerContextFree) test_peer_context_free;
	return freerdp_peer_context_new(client);
}

/* Reset the shared scratch stream so the next codec message starts at offset 0 */
static wStream* test_peer_stream_init(testPeerContext* context)
{
	Stream_Clear(context->s);
	Stream_SetPosition(context->s, 0);
	return context->s;
}

static void test_peer_begin_frame(freerdp_peer* client)
{
	rdpUpdate* update = client->update;
	SURFACE_FRAME_MARKER* fm = &update->surface_frame_marker;
	testPeerContext* context = (testPeerContext*) client->context;

	fm->frameAction = SURFACECMD_FRAMEACTION_BEGIN;
	fm->frameId = context->frame_id;
	update->SurfaceFrameMarker(update->context, fm);
}

static void test_peer_end_frame(freerdp_peer* client)
{
	rdpUpdate* update = client->update;
	SURFACE_FRAME_MARKER* fm = &update->surface_frame_marker;
	testPeerContext* context = (testPeerContext*) client->context;

	fm->frameAction = SURFACECMD_FRAMEACTION_END;
	fm->frameId = context->frame_id;
	update->SurfaceFrameMarker(update->context, fm);

	context->frame_id++;
}

/* Fill the whole desktop with a flat grey (0xA0) surface, encoded with RemoteFX
 * if the client negotiated it and with NSCodec otherwise. */
static void test_peer_draw_background(freerdp_peer* client)
{
	int size;
	wStream* s;
	RFX_RECT rect;
	BYTE* rgb_data;
	rdpUpdate* update = client->update;
	SURFACE_BITS_COMMAND* cmd = &update->surface_bits_command;
	testPeerContext* context = (testPeerContext*) client->context;

	if (!client->settings->RemoteFxCodec && !client->settings->NSCodec)
		return;

	s = test_peer_stream_init(context);

	rect.x = 0;
	rect.y = 0;
	rect.width = client->settings->DesktopWidth;
	rect.height = client->settings->DesktopHeight;

	size = rect.width * rect.height * 3;
	if (!(rgb_data = malloc(size)))
		return;

	memset(rgb_data, 0xA0, size);

	if (client->settings->RemoteFxCodec)
	{
		if (!rfx_compose_message(context->rfx_context, s,
			&rect, 1, rgb_data, rect.width, rect.height, rect.width * 3))
		{
			goto out;
		}
		cmd->codecID = client->settings->RemoteFxCodecId;
	}
	else
	{
		nsc_compose_message(context->nsc_context, s,
			rgb_data, rect.width, rect.height, rect.width * 3);
		cmd->codecID = client->settings->NSCodecId;
	}

	cmd->destLeft = 0;
	cmd->destTop = 0;
	cmd->destRight = rect.width;
	cmd->destBottom = rect.height;
	cmd->bpp = 32;
	cmd->width = rect.width;
	cmd->height = rect.height;
	cmd->bitmapDataLength = Stream_GetPosition(s);
	cmd->bitmapData = Stream_Buffer(s);

	test_peer_begin_frame(client);
	update->SurfaceBits(update->context, cmd);
	test_peer_end_frame(client);

out:
	free(rgb_data);
}

/* Load the icon from a plain-text (P3) PPM file in the working directory.
 * The header and size checks, the malloc checks and the fclose() are added here;
 * the original returned without closing the file and dereferenced malloc() unchecked. */
static void test_peer_load_icon(freerdp_peer* client)
{
	testPeerContext* context = (testPeerContext*) client->context;
	FILE* fp;
	int i;
	int size;
	char line[50];
	BYTE* rgb_data;
	int c;

	if (!client->settings->RemoteFxCodec && !client->settings->NSCodec)
		return;

	if ((fp = fopen("test_icon.ppm", "r")) == NULL)
		return;

	/* Header: "P3", a creator comment, "width height", then the max sample value */
	if (!fgets(line, sizeof(line), fp) || /* P3 */
	    !fgets(line, sizeof(line), fp) || /* creator comment */
	    !fgets(line, sizeof(line), fp))   /* width height */
		goto out;

	if (sscanf(line, "%d %d", &context->icon_width, &context->icon_height) != 2 ||
	    context->icon_width < 1 || context->icon_height < 1)
	{
		/* Leave icon_width at 0 so test_peer_draw_icon() skips drawing */
		context->icon_width = 0;
		context->icon_height = 0;
		goto out;
	}

	if (!fgets(line, sizeof(line), fp)) /* Max */
		goto out;

	size = context->icon_width * context->icon_height * 3;

	if (!(rgb_data = malloc(size)))
		goto out;

	/* One decimal sample per line: R, G, B for each pixel, left to right, top to bottom */
	for (i = 0; i < size; i++)
	{
		if (fgets(line, sizeof(line), fp) && sscanf(line, "%d", &c) == 1)
			rgb_data[i] = (BYTE) c;
		else
			rgb_data[i] = 0; /* short file: pad with black instead of leaving heap garbage */
	}

	context->icon_data = rgb_data;

	/* background with same size, which will be used to erase the icon from old position */
	if (!(context->bg_data = malloc(size)))
	{
		free(context->icon_data);
		context->icon_data = NULL;
		context->icon_width = 0;
		goto out;
	}
	memset(context->bg_data, 0xA0, size);

out:
	fclose(fp);
}

/* Erase the icon at its previous position (by painting the background patch over it)
 * and draw it at (x, y), all within one frame marker pair. */
static void test_peer_draw_icon(freerdp_peer* client, int x, int y)
{
	wStream* s;
	RFX_RECT rect;
	rdpUpdate* update = client->update;
	SURFACE_BITS_COMMAND* cmd = &update->surface_bits_command;
	testPeerContext* context = (testPeerContext*) client->context;

	if (client->update->dump_rfx)
		return;

	if (!context)
		return;

	if (context->icon_width < 1 || !context->activated)
		return;

	test_peer_begin_frame(client);

	rect.x = 0;
	rect.y = 0;
	rect.width = context->icon_width;
	rect.height = context->icon_height;

	if (context->icon_x >= 0)
	{
		s = test_peer_stream_init(context);
		if (client->settings->RemoteFxCodec)
		{
			rfx_compose_message(context->rfx_context, s,
				&rect, 1, context->bg_data, rect.width, rect.height, rect.width * 3);
			cmd->codecID = client->settings->RemoteFxCodecId;
		}
		else
		{
			nsc_compose_message(context->nsc_context, s,
				context->bg_data, rect.width, rect.height, rect.width * 3);
			cmd->codecID = client->settings->NSCodecId;
		}

		cmd->destLeft = context->icon_x;
		cmd->destTop = context->icon_y;
		cmd->destRight = context->icon_x + context->icon_width;
		cmd->destBottom = context->icon_y + context->icon_height;
		cmd->bpp = 32;
		cmd->width = context->icon_width;
		cmd->height = context->icon_height;
		cmd->bitmapDataLength = Stream_GetPosition(s);
		cmd->bitmapData = Stream_Buffer(s);
		update->SurfaceBits(update->context, cmd);
	}

	s = test_peer_stream_init(context);

	if (client->settings->RemoteFxCodec)
	{
		rfx_compose_message(context->rfx_context, s,
			&rect, 1, context->icon_data, rect.width, rect.height, rect.width * 3);
		cmd->codecID = client->settings->RemoteFxCodecId;
	}
	else
	{
		nsc_compose_message(context->nsc_context, s,
			context->icon_data, rect.width, rect.height, rect.width * 3);
		cmd->codecID = client->settings->NSCodecId;
	}

	cmd->destLeft = x;
	cmd->destTop = y;
	cmd->destRight = x + context->icon_width;
	cmd->destBottom = y + context->icon_height;
	cmd->bpp = 32;
	cmd->width = context->icon_width;
	cmd->height = context->icon_height;
	cmd->bitmapDataLength = Stream_GetPosition(s);
	cmd->bitmapData = Stream_Buffer(s);
	update->SurfaceBits(update->context, cmd);

	context->icon_x = x;
	context->icon_y = y;

	test_peer_end_frame(client);
}

/* Sleep for the interval between two pcap timestamps so that a recorded RemoteFX
 * session is replayed at its original pace. The first call only records the
 * reference timestamp; a timestamp that goes backwards is rejected. */
static BOOL test_sleep_tsdiff(UINT32 *old_sec, UINT32 *old_usec, UINT32 new_sec, UINT32 new_usec)
{
	INT32 sec, usec;

	if ((*old_sec == 0) && (*old_usec == 0))
	{
		*old_sec = new_sec;
		*old_usec = new_usec;
		return TRUE;
	}

	sec = new_sec - *old_sec;
	usec = new_usec - *old_usec;

	if ((sec < 0) || ((sec == 0) && (usec < 0)))
	{
		WLog_ERR(TAG, "Invalid time stamp detected.");
		return FALSE;
	}

	*old_sec = new_sec;
	*old_usec = new_usec;
	while (usec < 0)
	{
		usec += 1000000;
		sec--;
	}
	if (sec > 0)
		Sleep(sec * 1000);
Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.
Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.
The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receives this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method conforms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers revealed that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Compliant" or if it is the
only method advertised by the client.
Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods
Changes in this commit:
Removed unnecessary/confusing changes of EncryptionLevel/Methods settings
Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)
Any client's setting of settings->EncryptionMethods was annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyway in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method
Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2
Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level
Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)
Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
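The negotiation the commit message above describes, written out as an added C example (this is not FreeRDP's own code, and it does not reproduce gcc_write_server_security_data or gcc_read_server_security_data). The server side picks one method from the client's advertised mask, restricted by its configured level, in the measured priority order 128, 56, 40, FIPS; the client side validates the level/method pair it gets back in TS_UD_SC_SEC1; a small parser handles the /encryption-methods:56,128 option value. The method flag and level values are the MS-RDPBCGR constants; the per-level table of permitted methods is this example's reading of MS-RDPBCGR 5.3.2 and is an assumption, as are the function names, the SEC_* result codes and the ENCRYPTION_METHODS_INVALID sentinel.

```c
/* Added example, not FreeRDP code: standard RDP security level/method
 * negotiation as described in the commit message (server choice, client
 * check, option parsing). Constants are redefined so it builds stand-alone. */
#include <stdint.h>
#include <string.h>

typedef uint32_t UINT32;

/* Method flags and level values from MS-RDPBCGR TS_UD_CS_SEC / TS_UD_SC_SEC1. */
#define ENCRYPTION_METHOD_NONE   0x00000000u
#define ENCRYPTION_METHOD_40BIT  0x00000001u
#define ENCRYPTION_METHOD_128BIT 0x00000002u
#define ENCRYPTION_METHOD_56BIT  0x00000008u
#define ENCRYPTION_METHOD_FIPS   0x00000010u
#define ENCRYPTION_METHODS_ALL   (ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT | \
                                  ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS)
#define ENCRYPTION_METHODS_INVALID 0xFFFFFFFFu /* parser error sentinel (example only) */

#define ENCRYPTION_LEVEL_NONE              0
#define ENCRYPTION_LEVEL_LOW               1
#define ENCRYPTION_LEVEL_CLIENT_COMPATIBLE 2
#define ENCRYPTION_LEVEL_HIGH              3
#define ENCRYPTION_LEVEL_FIPS              4

enum { SEC_REJECT = 0, SEC_ACCEPT = 1, SEC_ACCEPT_WARN = 2 };

/* Methods a server may select under each level: the example's reading of
 * MS-RDPBCGR 5.3.2 (assumption). An unknown level is treated as Client
 * Compatible, which is the fallback the commit message describes. */
static UINT32 methods_allowed_for_level(UINT32 level)
{
	switch (level)
	{
		case ENCRYPTION_LEVEL_NONE: return ENCRYPTION_METHOD_NONE;
		case ENCRYPTION_LEVEL_LOW:  return ENCRYPTION_METHODS_ALL & ~ENCRYPTION_METHOD_FIPS;
		case ENCRYPTION_LEVEL_HIGH: return ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
		case ENCRYPTION_LEVEL_FIPS: return ENCRYPTION_METHOD_FIPS;
		default:                    return ENCRYPTION_METHODS_ALL;
	}
}

/* Server side: strongest method first, FIPS only as a last resort. Returns
 * ENCRYPTION_METHOD_NONE when nothing acceptable was advertised; for any
 * level other than NONE the server must then refuse the connection. */
UINT32 choose_rdp_encryption_method(UINT32 level, UINT32 client_methods)
{
	static const UINT32 priority[] = { ENCRYPTION_METHOD_128BIT, ENCRYPTION_METHOD_56BIT,
	                                   ENCRYPTION_METHOD_40BIT, ENCRYPTION_METHOD_FIPS };
	UINT32 candidates = methods_allowed_for_level(level) & client_methods;
	size_t i;

	for (i = 0; i < sizeof(priority) / sizeof(priority[0]); i++)
		if (candidates & priority[i])
			return priority[i];

	return ENCRYPTION_METHOD_NONE;
}

/* Client side: validate the (level, method) pair received in TS_UD_SC_SEC1.
 * Unknown values and forbidden combinations are rejected; a method the client
 * never advertised is accepted but flagged, since the commit only warns there. */
int client_check_server_security(UINT32 level, UINT32 method, UINT32 advertised)
{
	if (level > ENCRYPTION_LEVEL_FIPS)
		return SEC_REJECT;
	if (method == ENCRYPTION_METHOD_NONE)
		return (level == ENCRYPTION_LEVEL_NONE) ? SEC_ACCEPT : SEC_REJECT;
	if ((method & ~ENCRYPTION_METHODS_ALL) != 0 || (method & (method - 1)) != 0)
		return SEC_REJECT; /* must be exactly one known method bit */
	if ((methods_allowed_for_level(level) & method) == 0)
		return SEC_REJECT;
	return (advertised & method) ? SEC_ACCEPT : SEC_ACCEPT_WARN;
}

/* Parses the /encryption-methods: value ("56,128") into a method mask. An empty
 * list gives 0 (None), which the commit treats as "advertise everything"; an
 * unknown token gives ENCRYPTION_METHODS_INVALID so it cannot be mistaken for None. */
UINT32 parse_encryption_methods(const char* list)
{
	char buf[64];
	char* tok;
	UINT32 mask = 0;

	if (!list || strlen(list) >= sizeof(buf))
		return ENCRYPTION_METHODS_INVALID;
	strcpy(buf, list);

	for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
	{
		if (strcmp(tok, "40") == 0)        mask |= ENCRYPTION_METHOD_40BIT;
		else if (strcmp(tok, "56") == 0)   mask |= ENCRYPTION_METHOD_56BIT;
		else if (strcmp(tok, "128") == 0)  mask |= ENCRYPTION_METHOD_128BIT;
		else if (strcmp(tok, "FIPS") == 0) mask |= ENCRYPTION_METHOD_FIPS;
		else return ENCRYPTION_METHODS_INVALID;
	}
	return mask;
}
```

With level "High" and a client that only offers 40/56-bit, choose_rdp_encryption_method() returns NONE, which is the signal to refuse rather than downgrade; with "Client Compatible" and a client offering only FIPS it returns FIPS, matching the "only if it is the only method advertised" rule above. Treating a method bit outside the known set, or more than one bit, as a rejection on the client side is what "only accept valid/known encryption methods" amounts to in code.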
	if (usec > 0)
		USleep(usec);
	return TRUE;
}

void tf_peer_dump_rfx(freerdp_peer* client)
{
	wStream* s;
	UINT32 prev_seconds;
	UINT32 prev_useconds;
	rdpUpdate* update;
	rdpPcap* pcap_rfx;
	pcap_record record;

	s = Stream_New(NULL, 512);
	update = client->update;
	client->update->pcap_rfx = pcap_open(test_pcap_file, FALSE);
	pcap_rfx = client->update->pcap_rfx;

	if (pcap_rfx == NULL)
		return;

	prev_seconds = prev_useconds = 0;

	while (pcap_has_next_record(pcap_rfx))
	{
		pcap_get_next_record_header(pcap_rfx, &record);

		Stream_Buffer(s) = realloc(Stream_Buffer(s), record.length);
		record.data = Stream_Buffer(s);
		Stream_Capacity(s) = record.length;

		pcap_get_next_record_content(pcap_rfx, &record);
		Stream_Pointer(s) = Stream_Buffer(s) + Stream_Capacity(s);

		if (test_dump_rfx_realtime && test_sleep_tsdiff(&prev_seconds, &prev_useconds, record.header.ts_sec, record.header.ts_usec) == FALSE)
			break;

		update->SurfaceCommand(update->context, s);

		if (client->CheckFileDescriptor(client) != TRUE)
			break;
	}
}

static void* tf_debug_channel_thread_func(void* arg)
{
	void* fd;
	wStream* s;
	void* buffer;
	DWORD BytesReturned = 0;
	ULONG written;
	testPeerContext* context = (testPeerContext*) arg;

	if (WTSVirtualChannelQuery(context->debug_channel, WTSVirtualFileHandle, &buffer, &BytesReturned) == TRUE)
	{
		fd = *((void**) buffer);
		WTSFreeMemory(buffer);

		if (!(context->event = CreateWaitObjectEvent(NULL, TRUE, FALSE, fd)))
			return NULL;
	}

	s = Stream_New(NULL, 4096);

	WTSVirtualChannelWrite(context->debug_channel, (PCHAR) "test1", 5, &written);

	while (1)
	{
		WaitForSingleObject(context->event, INFINITE);

		if (WaitForSingleObject(context->stopEvent, 0) == WAIT_OBJECT_0)
			break;

		Stream_SetPosition(s, 0);

		if (WTSVirtualChannelRead(context->debug_channel, 0, (PCHAR) Stream_Buffer(s),
			Stream_Capacity(s), &BytesReturned) == FALSE)
		{
			if (BytesReturned == 0)
				break;

			Stream_EnsureRemainingCapacity(s, BytesReturned);

			if (WTSVirtualChannelRead(context->debug_channel, 0, (PCHAR) Stream_Buffer(s),
				Stream_Capacity(s), &BytesReturned) == FALSE)
			{
				/* should not happen */
				break;
			}
		}

		Stream_SetPosition(s, BytesReturned);
		WLog_DBG(TAG, "got %lu bytes", BytesReturned);
	}

	Stream_Free(s, TRUE);

	return 0;
}

BOOL tf_peer_post_connect(freerdp_peer* client)
{
	testPeerContext* context = (testPeerContext*) client->context;

	/**
	 * This callback is called when the entire connection sequence is done, i.e. we've received the
	 * Font List PDU from the client and sent out the Font Map PDU.
	 * The server may start sending graphics output and receiving keyboard/mouse input after this
	 * callback returns.
	 */
	WLog_DBG(TAG, "Client %s is activated (osMajorType %d osMinorType %d)", client->local ? "(local)" : client->hostname,
		client->settings->OsMajorType, client->settings->OsMinorType);

	if (client->settings->AutoLogonEnabled)
	{
		WLog_DBG(TAG, " and wants to login automatically as %s\\%s",
			client->settings->Domain ? client->settings->Domain : "",
			client->settings->Username);
		/* A real server may perform OS login here if NLA is not executed previously. */
	}

	WLog_DBG(TAG, "");
	WLog_DBG(TAG, "Client requested desktop: %dx%dx%d",
		client->settings->DesktopWidth, client->settings->DesktopHeight, client->settings->ColorDepth);
#if (SAMPLE_SERVER_USE_CLIENT_RESOLUTION == 1)
	context->rfx_context->width = client->settings->DesktopWidth;
	context->rfx_context->height = client->settings->DesktopHeight;
	WLog_DBG(TAG, "Using resolution requested by client.");
#else
	client->settings->DesktopWidth = context->rfx_context->width;
	client->settings->DesktopHeight = context->rfx_context->height;
	WLog_DBG(TAG, "Resizing client to %dx%d", client->settings->DesktopWidth, client->settings->DesktopHeight);
	client->update->DesktopResize(client->update->context);
#endif

	/* A real server should tag the peer as activated here and start sending updates in main loop. */
	test_peer_load_icon(client);

	if (WTSVirtualChannelManagerIsChannelJoined(context->vcm, "rdpdbg"))
	{
		context->debug_channel = WTSVirtualChannelOpen(context->vcm, WTS_CURRENT_SESSION, "rdpdbg");

		if (context->debug_channel != NULL)
		{
			WLog_DBG(TAG, "Open channel rdpdbg.");
			if (!(context->stopEvent = CreateEvent(NULL, TRUE, FALSE, NULL)))
			{
				WLog_ERR(TAG, "Failed to create stop event");
				return FALSE;
			}

			if (!(context->debug_channel_thread = CreateThread(NULL, 0,
				(LPTHREAD_START_ROUTINE) tf_debug_channel_thread_func, (void*) context, 0, NULL)))
			{
				WLog_ERR(TAG, "Failed to create debug channel thread");
				CloseHandle(context->stopEvent);
				context->stopEvent = NULL;
				return FALSE;
			}
		}
	}

	if (WTSVirtualChannelManagerIsChannelJoined(context->vcm, "rdpsnd"))
	{
		sf_peer_rdpsnd_init(context); /* Audio Output */
	}

	if (WTSVirtualChannelManagerIsChannelJoined(context->vcm, "encomsp"))
	{
		sf_peer_encomsp_init(context); /* Lync Multiparty */
	}

	/* Dynamic Virtual Channels */

	sf_peer_audin_init(context); /* Audio Input */

	/* Return FALSE here would stop the execution of the peer main loop. */

	return TRUE;
}

BOOL tf_peer_activate(freerdp_peer* client)
{
	testPeerContext* context = (testPeerContext*) client->context;

	rfx_context_reset(context->rfx_context);
	context->activated = TRUE;

	//client->settings->CompressionLevel = PACKET_COMPR_TYPE_8K;
	//client->settings->CompressionLevel = PACKET_COMPR_TYPE_64K;
	//client->settings->CompressionLevel = PACKET_COMPR_TYPE_RDP6;
	client->settings->CompressionLevel = PACKET_COMPR_TYPE_RDP61;

	if (test_pcap_file != NULL)
	{
		client->update->dump_rfx = TRUE;
		tf_peer_dump_rfx(client);
	}
	else
	{
		test_peer_draw_background(client);
	}

	return TRUE;
}

BOOL tf_peer_synchronize_event(rdpInput* input, UINT32 flags)
{
	WLog_DBG(TAG, "Client sent a synchronize event (flags:0x%X)", flags);
	return TRUE;
}

BOOL tf_peer_keyboard_event(rdpInput* input, UINT16 flags, UINT16 code)
{
	freerdp_peer* client = input->context->peer;
	rdpUpdate* update = client->update;
	testPeerContext* context = (testPeerContext*) input->context;
	WLog_DBG(TAG, "Client sent a keyboard event (flags:0x%X code:0x%X)", flags, code);

	if ((flags & 0x4000) && code == 0x22) /* 'g' key */
	{
		if (client->settings->DesktopWidth != 800)
		{
			client->settings->DesktopWidth = 800;
			client->settings->DesktopHeight = 600;
		}
		else
		{
			client->settings->DesktopWidth = SAMPLE_SERVER_DEFAULT_WIDTH;
			client->settings->DesktopHeight = SAMPLE_SERVER_DEFAULT_HEIGHT;
		}
		context->rfx_context->width = client->settings->DesktopWidth;
		context->rfx_context->height = client->settings->DesktopHeight;
		update->DesktopResize(update->context);
		context->activated = FALSE;
	}
	else if ((flags & 0x4000) && code == 0x2E) /* 'c' key */
	{
		if (context->debug_channel)
		{
			ULONG written;
			WTSVirtualChannelWrite(context->debug_channel, (PCHAR) "test2", 5, &written);
		}
	}
	else if ((flags & 0x4000) && code == 0x2D) /* 'x' key */
	{
		client->Close(client);
	}
	else if ((flags & 0x4000) && code == 0x13) /* 'r' key */
	{
		if (!context->audin_open)
		{
			context->audin->Open(context->audin);
			context->audin_open = TRUE;
		}
		else
		{
			context->audin->Close(context->audin);
			context->audin_open = FALSE;
		}
	}
	else if ((flags & 0x4000) && code == 0x1F) /* 's' key */
	{

	}
	return TRUE;
}

BOOL tf_peer_unicode_keyboard_event(rdpInput* input, UINT16 flags, UINT16 code)
{
	WLog_DBG(TAG, "Client sent a unicode keyboard event (flags:0x%X code:0x%X)", flags, code);
	return TRUE;
}

BOOL tf_peer_mouse_event(rdpInput* input, UINT16 flags, UINT16 x, UINT16 y)
{
	//WLog_DBG(TAG, "Client sent a mouse event (flags:0x%X pos:%d,%d)", flags, x, y);
	test_peer_draw_icon(input->context->peer, x + 10, y);
	return TRUE;
}

BOOL tf_peer_extended_mouse_event(rdpInput* input, UINT16 flags, UINT16 x, UINT16 y)
{
	//WLog_DBG(TAG, "Client sent an extended mouse event (flags:0x%X pos:%d,%d)", flags, x, y);
	return TRUE;
}

static BOOL tf_peer_refresh_rect(rdpContext* context, BYTE count, RECTANGLE_16* areas)
{
	BYTE i;
	WLog_DBG(TAG, "Client requested to refresh:");

	for (i = 0; i < count; i++)
	{
		WLog_DBG(TAG, "  (%d, %d) (%d, %d)", areas[i].left, areas[i].top, areas[i].right, areas[i].bottom);
	}
	return TRUE;
}

static BOOL tf_peer_suppress_output(rdpContext* context, BYTE allow, RECTANGLE_16* area)
{
	if (allow > 0)
	{
		WLog_DBG(TAG, "Client restore output (%d, %d) (%d, %d).", area->left, area->top, area->right, area->bottom);
	}
	else
	{
		WLog_DBG(TAG, "Client minimized and suppress output.");
	}
	return TRUE;
}

static void* test_peer_mainloop(void* arg)
{
	HANDLE handles[32];
	DWORD count;
	DWORD status;
	testPeerContext* context;
	freerdp_peer* client = (freerdp_peer*) arg;

	if (!test_peer_init(client))
	{
		freerdp_peer_free(client);
		return NULL;
	}

	/* Initialize the real server settings here */
	client->settings->CertificateFile = _strdup("server.crt");
	client->settings->PrivateKeyFile = _strdup("server.key");
	client->settings->RdpKeyFile = _strdup("server.key");
	client->settings->RdpSecurity = TRUE;
	client->settings->TlsSecurity = TRUE;
	client->settings->NlaSecurity = FALSE;
	client->settings->EncryptionLevel = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
	/* client->settings->EncryptionLevel = ENCRYPTION_LEVEL_HIGH; */
	/* client->settings->EncryptionLevel = ENCRYPTION_LEVEL_LOW; */
	/* client->settings->EncryptionLevel = ENCRYPTION_LEVEL_FIPS; */

	client->settings->RemoteFxCodec = TRUE;
	client->settings->ColorDepth = 32;
	client->settings->SuppressOutput = TRUE;
	client->settings->RefreshRect = TRUE;

	client->PostConnect = tf_peer_post_connect;
	client->Activate = tf_peer_activate;

	client->input->SynchronizeEvent = tf_peer_synchronize_event;
	client->input->KeyboardEvent = tf_peer_keyboard_event;
	client->input->UnicodeKeyboardEvent = tf_peer_unicode_keyboard_event;
	client->input->MouseEvent = tf_peer_mouse_event;
	client->input->ExtendedMouseEvent = tf_peer_extended_mouse_event;

	client->update->RefreshRect = tf_peer_refresh_rect;
	client->update->SuppressOutput = tf_peer_suppress_output;

	client->settings->MultifragMaxRequestSize = 0xFFFFFF; /* FIXME */

	client->Initialize(client);
	context = (testPeerContext*) client->context;
	WLog_INFO(TAG, "We've got a client %s", client->local ? "(local)" : client->hostname);

	while (1)
	{
		count = 0;
		handles[count++] = client->GetEventHandle(client);
		handles[count++] = WTSVirtualChannelManagerGetEventHandle(context->vcm);

		status = WaitForMultipleObjects(count, handles, FALSE, INFINITE);

		if (status == WAIT_FAILED)
		{
			WLog_ERR(TAG, "WaitForMultipleObjects failed (errno: %d)", errno);
			break;
		}

		if (client->CheckFileDescriptor(client) != TRUE)
			break;

		if (WTSVirtualChannelManagerCheckFileDescriptor(context->vcm) != TRUE)
			break;
	}

	WLog_INFO(TAG, "Client %s disconnected.", client->local ? "(local)" : client->hostname);
	client->Disconnect(client);
	freerdp_peer_context_free(client);
	freerdp_peer_free(client);

	return NULL;
}

static BOOL test_peer_accepted(freerdp_listener* instance, freerdp_peer* client)
{
	HANDLE hThread;

	if (!(hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) test_peer_mainloop, (void*) client, 0, NULL)))
		return FALSE;

	CloseHandle(hThread);
	return TRUE;
}

static void test_server_mainloop(freerdp_listener* instance)
{
	HANDLE handles[32];
	DWORD count;
	DWORD status;

	while (1)
	{
		count = instance->GetEventHandles(instance, handles, 32);
		if (0 == count)
		{
			WLog_ERR(TAG, "Failed to get FreeRDP event handles");
			break;
		}

		status = WaitForMultipleObjects(count, handles, FALSE, INFINITE);

|
if (WAIT_FAILED == status)
|
2011-08-18 12:06:32 +04:00
|
|
|
{
|
2015-04-19 11:36:20 +03:00
|
|
|
WLog_ERR(TAG, "select failed");
|
2011-08-18 12:06:32 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
if (instance->CheckFileDescriptor(instance) != TRUE)
|
2011-08-18 12:06:32 +04:00
|
|
|
{
|
2014-09-12 19:38:12 +04:00
|
|
|
WLog_ERR(TAG, "Failed to check FreeRDP file descriptor");
|
2011-08-18 12:06:32 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
instance->Close(instance);
|
|
|
|
}
|
|
|
|
|
|
|
|
int main(int argc, char* argv[])
|
|
|
|
{
|
2014-11-12 22:06:34 +03:00
|
|
|
WSADATA wsaData;
|
2011-08-18 12:06:32 +04:00
|
|
|
freerdp_listener* instance;
|
|
|
|
|
2014-03-03 21:10:06 +04:00
|
|
|
WTSRegisterWtsApiFunctionTable(FreeRDP_InitWtsApi());
|
2011-08-18 12:06:32 +04:00
|
|
|
instance = freerdp_listener_new();
|
|
|
|
|
|
|
|
instance->PeerAccepted = test_peer_accepted;
|
|
|
|
|
2011-08-29 07:39:04 +04:00
|
|
|
if (argc > 1)
|
|
|
|
test_pcap_file = argv[1];
|
Standard RDP Security Layer Levels/Method Overhaul

[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.

The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receives this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method conforms to the server's encryption level.

The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).

The server's configured encryption level value restricts the possible final
encryption method.

Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.

My analysis with Windows Servers revealed that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Compliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods was annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyway in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose RDP encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
	if (argc > 2 && !strcmp(argv[2], "--fast"))
		test_dump_rfx_realtime = FALSE;

	if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
		return 0;

	/* Open the server socket and start listening. */
	if (instance->Open(instance, NULL, 3389) &&
		instance->OpenLocal(instance, "/tmp/tfreerdp-server.0"))
	{
		/* Entering the server main loop. In a real server the listener can be run in its own thread. */
		test_server_mainloop(instance);
	}

	freerdp_listener_free(instance);

	WSACleanup();

	return 0;
}
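The negotiation that the commit message above describes, as an added C model that is not FreeRDP's own code: the server's method choice (128, 56, 40, with FIPS only as a last resort or when the level mandates it, and an invalid level falling back to Client Compatible) beside the client-side check that the announced level/method pair is consistent. The flag and level values are those defined in MS-RDPBCGR; the table of which methods each level permits is my reading of MS-RDPBCGR 5.3.2 and is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values from MS-RDPBCGR: encryptionMethods flags (TS_UD_CS_SEC) and encryptionLevel (TS_UD_SC_SEC1). */
#define METHOD_NONE 0x00u
#define METHOD_40BIT 0x01u
#define METHOD_128BIT 0x02u
#define METHOD_56BIT 0x08u
#define METHOD_FIPS 0x10u
enum { LEVEL_NONE = 0, LEVEL_LOW, LEVEL_CLIENT_COMPATIBLE, LEVEL_HIGH, LEVEL_FIPS };

/* Methods a given server level permits (assumed reading of MS-RDPBCGR 5.3.2). */
static uint32_t methods_allowed_by_level(uint32_t level)
{
	switch (level)
	{
		case LEVEL_NONE: return METHOD_NONE;
		case LEVEL_LOW: return METHOD_40BIT | METHOD_56BIT | METHOD_128BIT;
		case LEVEL_CLIENT_COMPATIBLE: return METHOD_40BIT | METHOD_56BIT | METHOD_128BIT | METHOD_FIPS;
		case LEVEL_HIGH: return METHOD_128BIT | METHOD_FIPS;
		case LEVEL_FIPS: return METHOD_FIPS;
		default: return 0; /* unknown level: permit nothing */
	}
}

/* Client side: accept the server's pair only if the method is exactly one known flag that the level permits. */
bool level_method_valid(uint32_t level, uint32_t method)
{
	if (level == LEVEL_NONE)
		return method == METHOD_NONE;
	if (method == 0 || (method & (method - 1)) != 0)
		return false;
	return (methods_allowed_by_level(level) & method) == method;
}

/* Server side: 128, 56, 40 in that order, FIPS last. An invalid level falls back to
 * Client Compatible as the commit describes. METHOD_NONE means no usable common method. */
uint32_t choose_method(uint32_t level, uint32_t client_methods)
{
	static const uint32_t priority[] = { METHOD_128BIT, METHOD_56BIT, METHOD_40BIT, METHOD_FIPS };
	uint32_t candidates, i;

	if (level > LEVEL_FIPS)
		level = LEVEL_CLIENT_COMPATIBLE;
	candidates = client_methods & methods_allowed_by_level(level);
	for (i = 0; i < sizeof(priority) / sizeof(priority[0]); i++)
		if (candidates & priority[i])
			return priority[i];
	return METHOD_NONE;
}
```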