Commit Graph

72 Commits

Author SHA1 Message Date
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receices this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method confirms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Comliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00
Marc-André Moreau
ddedc574f3 freerdp: remove tcp, uds utils 2014-11-12 14:06:34 -05:00
Armin Novak
89bb28adb2 Fixed setting of RV_VERSION_PATCH, now BUILD_NUMBER is used for every library.
Executable names are now correctly set, using CMAKE_EXECUTABLE_SUFFIX now.
Fixed version defines for winpr executables.
2014-10-09 16:18:35 +02:00
Armin Novak
5364a834c4 Added windows version information to build. 2014-10-03 15:17:40 +02:00
Armin Novak
5b5791c8d7 Using wlog for server now. 2014-09-15 08:55:00 +02:00
Bernhard Miklautz
0313ca3622 libfreerdp: always build "MONOLITHIC"
"libfreerdp" consisted of multiple (small) single libraries. If the cmake
option MONOLITHIC was used only one library was build combining all of
the libfreerdp-* libraries.
The only exceptions to this are libfreerdp-server and libfreerdp-client these
are build as separate libraries.

This commit obsoltes non-monolithic builds and makes monolithic builds
the default. The cmake option MONOLITHIC is also removed.
2014-09-12 00:19:53 +02:00
Armin Novak
784696c1cd Fixed missing includes and invalid replacement. 2014-08-11 09:38:08 +02:00
Armin Novak
8d8719e101 Replaced fprintf with DEBUG_WARN 2014-08-11 09:19:47 +02:00
Bernhard Miklautz
6a49bcfe40 winpr: always build "monolitic"
winpr is now always build as single library.
The build option MONOLITHIC_BUILD doesn't influence this behavior anymore.

The only exception is winpr-makecert-tool which is still build as extra
library.

This obsoletes complex_libraries for winpr.
2014-07-10 11:10:58 +02:00
Hardening
4b6edb913c Make server sound thread optionnal
This patch makes the server-side sound channel thread optionnal, and
exposes functions to handle channel traffic from the outside.
2014-07-02 10:31:45 +02:00
Marc-André Moreau
f1a866340e server/Sample: stub server-side encomsp channel 2014-06-25 15:21:02 -04:00
Hardening
c076ffb020 Don't use NULL for pWrittenBytes when calling WTSVirtualChannelWrite()
Nothing in the MSDN API says that setting NULL is safe. And if the
implementation uses WriteFile directly, it crashes.
2014-05-28 17:04:24 +02:00
Marc-André Moreau
67743b6832 libfreerdp-core: enable RDP6.1 XCrush compression/decompression by default 2014-05-23 14:11:53 -04:00
Marc-André Moreau
ab7958ffb2 libfreerdp-codec: fix NCrush compressor 2014-04-20 23:19:09 -04:00
Marc-André Moreau
d08b6fe4bd libfreerdp-codec: fix handling of PACKET_AT_FRONT, PACKET_FLUSHED in MPPC compression 2014-04-20 21:28:09 -04:00
Bernhard Miklautz
8168477886 sample server: fix printf format compiler warning 2014-04-17 10:04:17 +02:00
Bernhard Miklautz
cd4cfaae6a sfreerdp: updated to use latest WTSAPI 2014-03-03 18:10:06 +01:00
Marc-André Moreau
8510ad3171 freerdp: remove rdpChannel definition in favor of CHANNEL_DEF 2014-02-28 12:07:22 -05:00
Marc-André Moreau
6e1cdf1b67 libfreerdp-core: expose opaque HANDLE instead of WTSVirtualChannelManager* 2014-02-27 13:30:04 -05:00
Marc-André Moreau
f3011492d8 freerdp-server: remove usage of deprecated custom server-side channel API 2014-02-16 23:09:21 -05:00
Marc-André Moreau
518995a05e freerdp: merge with master 2013-09-16 17:10:27 -04:00
Marc-André Moreau
f790831e7d Merge branch 'master' of github.com:awakecoding/FreeRDP into xrdp-ng 2013-09-05 15:23:19 -04:00
Armin Novak
e5c138a5b9 Fixed various memory leaks, allocation size issues and API misuse
warnings shown by clang as well as some compiler warnings.
2013-09-05 12:14:34 +02:00
Marc-André Moreau
b480ce1830 freerdp: remove vendor-specific options from build system, add automatic ways of including external clients/servers 2013-09-03 20:37:04 -04:00
Marc-André Moreau
68ec10a9d9 libwinpr-nt: implement NtCurrentTeb() 2013-08-22 10:18:38 -04:00
Marc-André Moreau
c878200e00 channels/server: refactor to match WTSApi + avoid conflicts 2013-08-20 19:26:36 -04:00
Marc-André Moreau
23a8354656 channels: rdpsnd refactoring, drdynvc initial server-side code 2013-08-18 21:52:55 -04:00
Marc-André Moreau
0fd705c6c7 channels/cliprdr: start server-side implementation 2013-08-16 16:46:47 -04:00
Marc-André Moreau
863b51f938 freerdp: merge with master 2013-06-28 12:50:24 -04:00
Norbert Federa
729814fabd sample server: support build on win32 2013-06-24 18:02:21 +02:00
Norbert Federa
018ed7e09b server/sample: fix for issue #1312 (mstsc protocol error) 2013-06-21 16:46:46 +02:00
Marc-André Moreau
208c9f844a freerdp: fix core API bugs 2013-06-13 21:34:46 -04:00
Marc-André Moreau
367ebf32a3 freerdp: make use of stream macros to access members 2013-05-15 12:14:26 -04:00
Marc-André Moreau
fdf3ddcf9e freerdp: purge deprecated stream utils 2013-05-08 17:48:30 -04:00
Marc-André Moreau
fd230443c5 freerdp: purge old stream utils 2013-05-08 16:27:21 -04:00
Marc-André Moreau
b4cac74136 xfreerdp-server: fix RemoteFX encoding 2013-05-01 18:15:55 -04:00
Marc-André Moreau
51715636a5 freerdp: remove some deprecated stream utils 2013-04-29 22:35:15 -04:00
Marc-André Moreau
8ad5932a3d channels: continue event refactoring 2013-03-28 19:33:31 -04:00
Marc-André Moreau
79e72755e4 server/sample: remove usage of thread utils 2013-03-21 17:49:10 -04:00
Marc-André Moreau
a8201b0d1b libwinpr-utils: combine old and new stream utils 2013-03-21 15:19:33 -04:00
Marc-André Moreau
62eec0c2b5 libfreerdp-utils: rename internal members of STREAM to match new wStream 2013-03-21 15:01:46 -04:00
Bernhard Miklautz
103171a98e Fixed compiler warnings (-Wall) 2013-03-15 20:41:10 +01:00
Marc-André Moreau
ddf4c6e0ff Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-02-27 09:38:39 -05:00
Marc-André Moreau
2b9174a69b channels/rdpsnd: cleanup 2013-02-25 21:46:48 -05:00
Bernhard Miklautz
3a75dea05b server/Sample: fix color depth negotiation 2013-02-20 15:26:56 +01:00
Daryl Poe
b64408975d freerdp primitives library 2013-01-18 15:32:58 -07:00
Marc-André Moreau
92bf3e4ae0 libfreerdp-utils: remove sleep utils in favor of WinPR 2012-12-14 00:58:48 -05:00
Marc-André Moreau
fbacea6bad winpr/tools/makecert: stubbed basic makecert wrapper 2012-11-26 22:42:40 -05:00
Marc-André Moreau
eea3414579 libfreerdp-utils: purge deprecated wait_obj utils 2012-11-26 20:15:48 -05:00
Marc-André Moreau
a716dfa7f6 server/sample: fix build 2012-11-26 12:38:28 -05:00