* Add a new command line arg to enforce tls1.2
* Add better explanation of FreeRDP_EnforceTLSv1_2
(cherry picked from commit ce2e3ab0c7)
* Regenerated settings helpers
* backport prev cherry-pick
* Cleanup tls_prepare
* TLS version control
* added settings for minimal and maximal TLS versions supported
* refactorisation of the force TLSv1.2 setting
* cleanup from prev cherry-pick
* updated change log
Co-authored-by: akallabeth <akallabeth@posteo.net>
Co-authored-by: David Véron <david.veron@rubycat.eu>
If no arguments are supplied, default to the behaviour of
/network:auto. This ensures the default experience is using the
best available graphics options.
As soon as any /network, /bpp, /rfx, /gfx, ... argument is used
only use these.
(cherry picked from commit d3168a1436)
* Fixed typo in changelog
* Fix FIPS mode support and build with OpenSSL 3.0
FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
and `FIPS_mode_set` functions, which were removed there. Just a note that
the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
(cherry picked from commit 26bf2816c3)
* winpr: avoid calling FIPS_mode() with OpenSSL 3.0
Fixes: 26bf2816c3
(cherry picked from commit 0c81c73c8d)
* winpr/crypto: Load legacy provider to fix rc4 with OpenSSL 3.0 (#7210)
* winpr/crypto: Exit cleanly when EVP_EncryptInit_ex fails
The `EVP_EncryptInit_ex` function may fail in certain configurations.
Consequently, FreeRDP segfaults in `EVP_CIPHER_CTX_set_key_length`.
Let's handle the `EVP_EncryptInit_ex` failures and exit cleanly in
such case.
* winpr/crypto: Load legacy provider to fix rc4 with OpenSSL 3.0
Currently, the `EVP_EncryptInit_ex` function fails for rc4 with OpenSSL 3.0.
This is becuase rc4 is provided by the legacy provider which is not loaded
by default. Let's explicitly load the legacy provider to make FreeRDP work
with OpenSSL 3.0.
Relates: https://github.com/openssl/openssl/issues/14392
Fixes: https://github.com/FreeRDP/FreeRDP/issues/6604
(cherry picked from commit 67f3fff2c8)
Conflicts:
winpr/libwinpr/crypto/cipher.c
* Fix TestUnicodeConversion on big endian machines (#7219)
Wide character literals are stored in native byte order.
Use an array of bytes as a reference instead.
Fixes: https://github.com/FreeRDP/FreeRDP/issues/6968
(cherry picked from commit 5208a67ea7)
* Fixed async-input quit
* Fix data write on usb channel
* Bitmap update fix (#7349)
* Added checks for bitmap width and heigth values
Data received from the server might have invalid values for bitmap
with or height. Abort parsing if such a value is found.
Reported by Sunglin from the Knownsec 404 team & 0103 sec team
* Added checks for glyph width & height
* Fixed#7363: Length checks in ConvertUTF8toUTF16
(cherry picked from commit 623a77258a)
* Implemented missing TSG debug functions
(cherry picked from commit c06c463806)
* Refactored RPC gateway parser
Utilize wStream instead of custom binary parsing code, add proper
input validation.
Reported by Sunglin from the Knownsec 404 team & 0103 sec team
(cherry picked from commit f0b44da67c)
* Replaced chmod with safer fchmod
* Use fchmod so the file may not change underneath
* Add unit tests for SetFileAttributesA
* Add warning logs for unsupported flags
(cherry picked from commit c8571dd5fd)
* Updated changelog and version
* Added more explicit warning for deprecated command line
* Add exit codes for more errors
(cherry picked from commit aa4c3dfb8a)
* Updated changelog.
Co-authored-by: Ondrej Holy <oholy@redhat.com>
Co-authored-by: Mike Gilbert <floppym@gentoo.org>
Co-authored-by: Ondrej Holy <ondrejholy@users.noreply.github.com>
Co-authored-by: Ian Weir <mr.weir@me.com>
Functions like fopen, PathFileExists, PathMakePath need to call
the wide character versions on windows for utf-8 support.
(cherry picked from commit 6b36c6d417)
I personally find it more convenient to have pasted data written to
the X11 PRIMARY selection, so that I can paste it with a fast middle-
button click, than to write to CLIPBOARD which typically needs a key
sequence or menu action.
This commit adds a command-line option to let me express that
preference: now I can say "/clipboard:use-selection:PRIMARY" on the
command line, which not only enables clipboard transfer but also says
which X selection I want it to talk to. The previous options
"+clipboard" and "-clipboard" are also still supported.
(cherry picked from commit 64948b96c4)
As discussed in #4717 allow autoreconnect to succeed if that
specific error code was returned as disconnection reason.
(cherry picked from commit 552a7ca25f)
The functions mappedGeometryRef and mappedGeometryUnref are API
functions ([1]) but were implemented in the geometry channel.
In case FreeRDP was built with BUILTIN_CHANNELS=OFF those functions
weren't available globally but used by the video channel.
Now the functions are fixed part of the freerdp-client library and
therefore available for all channels.
[1] exported in freerdp/client/geometry.h
Fixes#6236
(cherry picked from commit 1628939227)
networkautodetect and bandwidthautodetect are both boolean options
which must match each other. Added adequate warnings.
(cherry picked from commit 5f5bf10703)
It is now possible to add usb devices both via vid+pid and via bus+addr
at the same time. To do this, the ids are directly
given to the corresponding command line options:
/usb🆔<vid+pids>,addr:<bus+addrs>
The dev option still works like before: /usb:id,dev:<vid+pids> or
/usb:addr,dev:<bus+addrs>
On high latency links the default of 9 second timeout might be too
strict. Adjusting this for all users will result in a long time
for connections to fail, so let these with high latency links
adjust the value manually.
* The mess with /cert-tofu, /cert-ignore et al is now unified in
a single option.
* Added the option to add fingerprint:<hash>:<hex string> multiple
times to /cert to build a list of accepted certificate
fingerprints
* Added a deprecation warning to older /cert-* options
* Now both, dynamic and static channel entries can be defined by
a single channel.
* Added better logging to distinguish between static and dynamic
channel messages.
The help output advertise an option and an example for usb redirection
regardless of the fact whether the urbdrc channel was built or not.
This is confusing for people. Let's do not show /usb in help if it is
not built.
