From 3a8d721bb9628d676a5a55134dd8a18dd9689690 Mon Sep 17 00:00:00 2001
From: Pavel Pautov <37922380+p-pautov@users.noreply.github.com>
Date: Wed, 11 Apr 2018 20:02:44 -0700
Subject: [PATCH 1/5] Don't use CertificateName setting for RDG connections.
---
 libfreerdp/crypto/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index c9ae8c85f..8e2c68c78 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -1246,7 +1246,7 @@ int tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname,
 return 1; /* success! */
 /* if user explicitly specified a certificate name, use it instead of the hostname */
- if (tls->settings->CertificateName)
+ if (!tls->isGatewayTransport && tls->settings->CertificateName)
 hostname = tls->settings->CertificateName;
 /* attempt verification using OpenSSL and the ~/.freerdp/certs certificate store */
From 32505fda137e06994a0eb13c28c9cb0ec63d9692 Mon Sep 17 00:00:00 2001
From: Pavel Pautov <37922380+p-pautov@users.noreply.github.com>
Date: Thu, 12 Apr 2018 13:05:04 -0700
Subject: [PATCH 2/5] Apply "authentication level" RDP property only to non-RDG connections (as mstsc does).
---
 client/common/file.c | 3 +--
 libfreerdp/crypto/tls.c | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 client/common/file.c
diff --git a/client/common/file.c b/client/common/file.c
old mode 100644
new mode 100755
index ed43264ff..3ff727755
--- a/client/common/file.c
+++ b/client/common/file.c
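Review bot: The comment two lines above the changed condition still says a user-supplied certificate name replaces the hostname unconditionally, but the new condition skips that override whenever `tls->isGatewayTransport` is set, so the gateway certificate is always matched against the actual gateway hostname. Suggest updating it to `/* a user-specified certificate name overrides the hostname for the RDP host only; the gateway certificate is always checked against the gateway hostname */`. tls_verify_certificate begins and ends outside this hunk, so where `isGatewayTransport` is set relative to this verification path is not visible here.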
@@ -855,8 +855,7 @@ BOOL freerdp_client_populate_settings_from_rdp_file(rdpFile* file, rdpSettings*
 * 2: If server authentication fails, show a warning and allow me to connect or refuse the connection (Warn me).
 * 3: No authentication requirement is specified.
 */
- freerdp_set_param_bool(settings, FreeRDP_IgnoreCertificate,
- (file->AuthenticationLevel == 0) ? TRUE : FALSE);
+ settings->AuthenticationLevel = file->AuthenticationLevel;
 }
 if (~file->ConnectionType)
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 8e2c68c78..6e75f4434 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -1245,6 +1245,9 @@ int tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname,
 if (tls->settings->IgnoreCertificate)
 return 1; /* success! */
+ if (!tls->isGatewayTransport && tls->settings->AuthenticationLevel == 0)
+ return 1; /* success! */
+
 /* if user explicitly specified a certificate name, use it instead of the hostname */
 if (!tls->isGatewayTransport && tls->settings->CertificateName)
 hostname = tls->settings->CertificateName;
From c60388954b10eab612b070d05b3c5c1418873d20 Mon Sep 17 00:00:00 2001
From: Pavel Pautov <37922380+p-pautov@users.noreply.github.com>
Date: Mon, 16 Apr 2018 14:23:13 -0700
Subject: [PATCH 3/5] Remove some unused functions.
---
 libfreerdp/crypto/tls.c | 21 ---------------------
 1 file changed, 21 deletions(-)
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 6e75f4434..1b04fe9fa 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -78,12 +78,6 @@ struct _BIO_RDP_TLS
 };
 typedef struct _BIO_RDP_TLS BIO_RDP_TLS;
-static long bio_rdp_tls_callback(BIO* bio, int mode, const char* argp, int argi,
- long argl, long ret)
-{
- return 1;
-}
-
 static int bio_rdp_tls_write(BIO* bio, const char* buf, int size)
 {
 int error;
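Review bot: The .rdp value is now copied into `settings->AuthenticationLevel` verbatim, so this path no longer sets `FreeRDP_IgnoreCertificate`; any code that still keys off `settings->IgnoreCertificate` to decide whether to prompt on a certificate mismatch will no longer see level 0 (not visible here, worth checking). The comment block that ends inside this hunk should say where the value is consumed, e.g. `/* stored as-is; tls_verify_certificate() skips verification for level 0 on direct connections */`. Separately, the diff flips client/common/file.c to mode 100755, which looks unintended for a source file; patch 4 does the same to libfreerdp/core/transport.c.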
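Review bot: The added early return disables server certificate verification outright for direct connections whenever `tls->settings->AuthenticationLevel == 0`, and unlike the `IgnoreCertificate` check just above it does so without any log line, so an .rdp file from an untrusted source that sets `authentication level:i:0` leaves no trace in the client log. Suggest emitting a warning before returning, mirroring the `WLog_INFO(TAG, …)` style used in rdg.c, e.g. `WLog_WARN(TAG, "AuthenticationLevel is 0, skipping server certificate verification");`. The behaviour also depends on the settings default for `AuthenticationLevel` being non-zero when no .rdp file is loaded; that default is not visible here and should be confirmed, otherwise every direct connection would skip verification. The rest of tls_verify_certificate lies outside this hunk.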
@@ -1052,21 +1046,6 @@ BOOL tls_send_alert(rdpTls* tls)
 return TRUE;
 }
-static BIO* findBufferedBio(BIO* front)
-{
- BIO* ret = front;
-
- while (ret)
- {
- if (BIO_method_type(ret) == BIO_TYPE_BUFFERED)
- return ret;
-
- ret = BIO_next(ret);
- }
-
- return ret;
-}
-
 int tls_write_all(rdpTls* tls, const BYTE* data, int length)
 {
 int status;
From a0019ec79cc9c3a5c8fc2b4c0eda2da0f7d153f0 Mon Sep 17 00:00:00 2001
From: Pavel Pautov <37922380+p-pautov@users.noreply.github.com>
Date: Tue, 17 Apr 2018 17:05:20 -0700
Subject: [PATCH 4/5] Fallback to RDG RPC transport only if server does not support RDG HTTP and error out in other cases - invalid RDG SSL cert, bad credentials, PAA failue, etc.
---
 libfreerdp/core/gateway/rdg.c | 16 ++++++++++++----
 libfreerdp/core/gateway/rdg.h | 3 +--
 libfreerdp/core/transport.c | 5 +++--
 3 files changed, 16 insertions(+), 8 deletions(-)
 mode change 100644 => 100755 libfreerdp/core/transport.c
diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index 3dab0f4f1..2eac65609 100755
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -733,7 +733,7 @@ static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, i
 }
 static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls,
- const char* method, const char* peerAddress, int timeout)
+ const char* method, const char* peerAddress, int timeout, BOOL* rpcFallback)
 {
 HttpResponse* response = NULL;
 int statusCode;
@@ -754,6 +754,14 @@ static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls,
 if (!response)
 return FALSE;
+ if (response->StatusCode == HTTP_STATUS_NOT_FOUND)
+ {
+ WLog_INFO(TAG, "RD Gateway does not support HTTP transport.");
+ if (rpcFallback) *rpcFallback = TRUE;
+ http_response_free(response);
+ return FALSE;
+ }
+
 if (!rdg_handle_ntlm_challenge(rdg->ntlm, response))
 {
 http_response_free(response);
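Review bot: `if (rpcFallback) *rpcFallback = TRUE;` puts the condition and the assignment on one line, which the surrounding braced style of this function otherwise avoids; write it as a braced two-line statement. This is also the only place the out-parameter is ever written, and only to TRUE, so the meaning of `*rpcFallback` after a failed call depends entirely on the caller's initial value; a comment at the parameter, `/* set to TRUE only when the gateway answered 404; never cleared here */`, would make that contract explicit. Because the IN-channel call in the next hunk passes NULL for this parameter, the fallback decision rests solely on the OUT-channel request, which appears intended but is worth stating in that comment. rdg_establish_data_connection continues outside this hunk.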
@@ -824,7 +832,7 @@ static BOOL rdg_tunnel_connect(rdpRdg* rdg)
 return TRUE;
 }
-BOOL rdg_connect(rdpRdg* rdg, const char* hostname, UINT16 port, int timeout)
+BOOL rdg_connect(rdpRdg* rdg, int timeout, BOOL* rpcFallback)
 {
 BOOL status;
 int outConnSocket = 0;
@@ -832,7 +840,7 @@ BOOL rdg_connect(rdpRdg* rdg, const char* hostname, UINT16 port, int timeout)
 assert(rdg != NULL);
 status = rdg_establish_data_connection(
- rdg, rdg->tlsOut, "RDG_OUT_DATA", NULL, timeout);
+ rdg, rdg->tlsOut, "RDG_OUT_DATA", NULL, timeout, rpcFallback);
 if (status)
 {
@@ -843,7 +851,7 @@ BOOL rdg_connect(rdpRdg* rdg, const char* hostname, UINT16 port, int timeout)
 peerAddress = freerdp_tcp_get_peer_address(outConnSocket);
 status = rdg_establish_data_connection(
- rdg, rdg->tlsIn, "RDG_IN_DATA", peerAddress, timeout);
+ rdg, rdg->tlsIn, "RDG_IN_DATA", peerAddress, timeout, NULL);
 free(peerAddress);
 }
diff --git a/libfreerdp/core/gateway/rdg.h b/libfreerdp/core/gateway/rdg.h
index 2dfbbc5c5..f4fa95c11 100755
--- a/libfreerdp/core/gateway/rdg.h
+++ b/libfreerdp/core/gateway/rdg.h
@@ -138,8 +138,7 @@ struct rdp_rdg
 FREERDP_LOCAL rdpRdg* rdg_new(rdpTransport* transport);
 FREERDP_LOCAL void rdg_free(rdpRdg* rdg);
-FREERDP_LOCAL BOOL rdg_connect(rdpRdg* rdg, const char* hostname, UINT16 port,
- int timeout);
+FREERDP_LOCAL BOOL rdg_connect(rdpRdg* rdg, int timeout, BOOL* rpcFallback);
 FREERDP_LOCAL DWORD rdg_get_event_handles(rdpRdg* rdg, HANDLE* events, DWORD count);
diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
old mode 100644
new mode 100755
index ad44e0a17..59ee8cf3d
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -354,6 +354,7 @@ BOOL transport_connect(rdpTransport* transport, const char* hostname,
 rdpSettings* settings = transport->settings;
 rdpContext* context = transport->context;
 transport->async = settings->AsyncTransport;
+ BOOL rpcFallback = !settings->GatewayHttpTransport;
 if (transport->GatewayEnabled)
 {
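Review bot: The new `BOOL* rpcFallback` out-parameter on the `rdg_connect` prototype carries a policy decision (whether the caller may retry over RPC) but the declaration has no comment describing it. Suggest a Doxygen block on the prototype stating that `rpcFallback` may be NULL, that it is set to TRUE only when the gateway answered the OUT-channel request with HTTP 404, and that it is never cleared, so the caller must initialise it before the call.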
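Review bot: `BOOL rpcFallback = !settings->GatewayHttpTransport;` encodes the whole fallback policy for the non-HTTP case in a bare initialiser, and a reader who expects an out-parameter to start as FALSE will find it surprising. Suggest `/* TRUE = RPC transport may be tried: preset when HTTP transport is disabled, otherwise only set by rdg_connect() on a 404 */` above the declaration. The declaration sits after a statement here; patch 5 of this series already reorders it, so nothing further is needed on that point. transport_connect continues outside this hunk.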
@@ -364,7 +365,7 @@ BOOL transport_connect(rdpTransport* transport, const char* hostname,
 if (!transport->rdg)
 return FALSE;
- status = rdg_connect(transport->rdg, hostname, port, timeout);
+ status = rdg_connect(transport->rdg, timeout, &rpcFallback);
 if (status)
 {
@@ -380,7 +381,7 @@ BOOL transport_connect(rdpTransport* transport, const char* hostname,
 }
 }
- if (!status && settings->GatewayRpcTransport)
+ if (!status && settings->GatewayRpcTransport && rpcFallback)
 {
 transport->tsg = tsg_new(transport);
From fda76349b98901a60720966606e928c8a771c625 Mon Sep 17 00:00:00 2001
From: p-pautov <37922380+p-pautov@users.noreply.github.com>
Date: Thu, 26 Apr 2018 02:11:04 -0700
Subject: [PATCH 5/5] Fix Windows build.
---
 libfreerdp/core/transport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
index 59ee8cf3d..59eb092cd 100755
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -353,8 +353,8 @@ BOOL transport_connect(rdpTransport* transport, const char* hostname,
 BOOL status = FALSE;
 rdpSettings* settings = transport->settings;
 rdpContext* context = transport->context;
- transport->async = settings->AsyncTransport;
 BOOL rpcFallback = !settings->GatewayHttpTransport;
+ transport->async = settings->AsyncTransport;
 if (transport->GatewayEnabled)
 {
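Review bot: The extra `&& rpcFallback` term is what makes a gateway TLS or authentication failure fail closed instead of silently retrying over RPC, but nothing at the condition says so, and a later edit could drop the term as redundant. Suggest `/* only fall back to RPC when the gateway has no HTTP transport (404); a TLS, credential or PAA failure must not be retried over RPC */` directly above the `if`. Whether the non-fallback failure is reported to the user before transport_connect returns lies outside this hunk.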
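Review bot: Moving `transport->async = settings->AsyncTransport;` below the `rpcFallback` declaration removes the declaration-after-statement that patch 4 introduced, presumably because the Windows toolchain rejects mixed declarations and code in this file; without a comment the next edit can reintroduce it. Suggest `/* keep declarations before statements: the Windows build does not accept mixed declarations and code */` at the top of the declaration list. The function body continues beyond the hunk.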