This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.
Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.
Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.
Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.
Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
The idea is based on #3257.
If a non NLA connection is requested the password callbacks are not executed
and there is currently no way to read from stdin.
This extension of /from-stdin allows reading the passwords
before the connection is established.
Add the sshagent plugin to forward the ssh-agent protocol over an RDP
dynamic virtual channel, just as the normal ssh-agent forwards it over
an SSH channel. Add the "/ssh-agent" command line option to enable it.
Usage:
Run FreeRDP with the ssh-agent plugin enabled:
xfreerdp /ssh-agent ...
In the remote desktop session run xrdp-ssh-agent and evaluate the output
in the shell as for ssh-agent to set the required environment variables
(specifically $SSH_AUTH_SOCK):
eval "$(xrdp-ssh-agent -s)"
This is the same as for the normal ssh-agent. You would typically do
this in your Xsession or /etc/xrdp/startwm.sh.
Limitations:
1. Error checking and handling could be improved.
2. This is only tested on Linux and will only work on systems where
clients talk to the ssh-agent via Unix domain sockets. It won't
currently work on Windows but it could be ported.
the objective is that only the updated region(s) are refreshed instead of the whole screen
it's not much a problem for normal FreeRDP usage but becomes a serious issue if the display is processed, forwarded and rendered remotely, as done by web gateways such as Guacamole, FreeRDP-WebConnect and Myrtille (I'm the author of the latter)
Added some checks so that when setting a cache entry fails, we close connection (or
we fail later when trying to use that empty entry).
The small cache egfx capability has also been fixed.
When building packages, especially when source packages are used, git is
not necessarily available or the source isn't provided in git. In those
cases it wasn't possible to set the GIT_REVISION and --version shows
"n/a" for the git revision.
If the file .source_version is available now the content of it is used
as GIT_REVISION. Packagers might want to add a .source_version file
when they don't build the packages from git.
Possible breaking change:
The variable PRODUCT_VERSION isn't available anymore. Use GIT_REVISION
instead.
This patch contains several improvements in order to make the help
output more readable (reduce length of first column):
- move default value into description
- use ... instead of too long format strings
- use [] for optional arguments
This patch contains several improvements:
- add missing colons before format strings
- always print format string after argument
- do not duplicate format string before description
- use <replaceable> only for variables in format string
- use +/- for boolean arguments
- print also default value for all kinds of arguments
This patch contains several improvements for arguments list:
- use capitals consistently
- remove full stop sign at the end
- use "experimental" constiently for unstable and hacky features
- use <> for variables consistenly
- use [] for optional parts consistently.
- shorten some format strings to make /help more readable
- replace whitespace in variables for better readability (especialy man page)
- fix wrong argument tyes
- add missing formats
If the size parameter is used with a percentages like /size:50% now
an additional 'w' or 'h' can be appended (like /size:50%w) to specify
where the percentage should be applied. If both or none are set the
behavior is like it was before and the percentage is applied to width
and height.
* client/x11: Fix colors on big endian
The bitmaps are recieved in little endian byte order (LSBFirst in terms
of X11). This is a problem on systems, where bitmaps are expected in big
endian byte order (MSBFirst). X11 client tries to handle this situation
by different color formats (e.g. RGBX vs. BGRX), but this doesn't work.
BGRX is not MSBFirst variant of RGBX, it should be XRGB. But this would
work only for 32/24 depths, where color channels matches bytes. Let's
say to the XServer that all the bitmaps are in LSBFirst encoding instead
of changing the color formats on big endian systems.
https://github.com/FreeRDP/FreeRDP/issues/2520
* client/x11: Fix cursor color on big endian
The cursor color is wrong on big endian systems. It is not probably
possible to force bitmap_order for XcursorImage as it is possible for
XImage. Fortunately, cursors are always 32 bit so we can use ABGR
instead of BGRA to deal with.
https://github.com/FreeRDP/FreeRDP/issues/2520
* client/x11: Fix comment indentation
The comment has wrong indentation for some reason, let's fix it.
* client/x11: Fix BGR vs. RGB detection
The BGR vs. RGB detection code is leftover from history and I am conviced
that it is wrong with the current color handling, where invert flag is TRUE
by default. However, I suppose that the detection still makes sense and
XServer may use the inverted formats in some cases. Maybe we can force XServer
to use our masks somehow, but let's just fix the value to FALSE now.
* client/x11: Remove unused color shifts
The color shifts are lefover from history and are not used in current
code. Let's remove them.
Arguments of xf_Bitmap_SetSurface are not checked before use currently
which may lead to segfaults. It may happen if bitmap is not found in a
cache from some reason. Let's check the arguments before use similarly
as it is done in client/Windows/wf_graphics.c in order to avoid segfaults.
https://github.com/FreeRDP/FreeRDP/issues/4117
xf_FixWindowCoordinates occasionally set the dimensions of the window to invalid values (0) because the minimum value check was done at the beginning of the method rather than at the end
Commit 54a7d799d1 introduced a problem
where /app was used instead of /shell causing a black screen when remote
programs were used. The Android client doesn't support remote apps
therefore /app can't work. "Remote program" just sets the selected
program as shell to run.
With some usb barcode scanners, repeated characters do not appear in the freerdp session.
It looks like this is because the KeyRelease signal is not sent for the first character.
Removing this if check fixes the problem.
The data provided by local applications can be actually encoded in
UTF-16 (e.g., Firefox does this to HTML). UTF-16 allows embedded null
bytes so we should not use strlen() to fix up the data. The HTML format
synthesizer can handle trailing null bytes just fine and can detect
whether it deals with UTF-8 or UTF-16.
Most of the functions is this file are internal-use callbacks so they do
not need to be exported from the compilation unit. Mark functions static
as appropriate.
The H264 context is surface specific, so in multi-monitor (with multiple surfaces)
the decoding was failing. This patch fixes that by introducing a surface specific
h264 context.
XSelection protocol does not define any global clipboard as there is on
Windows. Instead each window has its own property for clipboard content
(like CLIPBOARD or PRIMARY) and there is a global notion of clipboard
ownership. Only one window can claim ownership of some clipboard type
at the moment.
FreeRDP uses CLIPBOARD for clipboard transfers (it's the one used by
applications when Ctrl+V is pressed). For regular desktop sessions the
session window itself is used for clipboard interactions via
xfc->drawable field. However, for remote app session there is no session
window. We cannot use the current remote app window as it may change or
be destroyed without closing the session. We also cannot use the root
window as it is already used for CF_RAW transfer protocol.
Therefore we create a simple dummy window to put into xfc->drawable for
this exact job: to act as a clipboard vessel on behalf of the entire
remote app session.
xf_create_window() usually creates the window as we immediately start in
RAIL mode when possible. xf_rail_enable_remoteapp_mode() is invoked only
when autologin failed or remote desktop had to show the session window
to the user for some reason.
The surface's damage region is not relative to the output but
lives in its own universe starting at origin 0,0.
Also fixed the drawing coordinates used in the XRENDER code path
which is used with /smart-sizing
Now that we've got everything in place to handle files it's time to tell
the server that we can actually do this.
MS-RDPECLIP 3.2.5.1.3 Sending a Client Clipboard Capabilities PDU asks
us politely to not advertise file clipping support if the server did not
do that itself. Thus we need to parse the capabilities sent by the
server and take a note whether it supports file clipping.
There is also no point in advertising file clipping support if
wClipboard failed to initalize any local file subsystem, in which case
we cannot handle files for real. Take a note of this as well when we
register the file formats.
If everthing is really in place and the stars shine upon us then we are
allowed to set CB_STREAM_FILECLIP_ENABLED in the capabilities. There is
no command line switch to disable file clipping (and there is little
reason to), so we always support it if we can.
We also set an additional flag CB_FILECLIP_NO_FILE_PATHS flag in the
capabilities because it seems to be necessary for the server to send the
"FileGroupDescriptorW" format to us. Otherwise the server will only send
the old CF_HDROP format which can't be handled well without enabled disk
drive redirection and a properly negotiated server-side temporary
directory.
xf_cliprdr_server_file_contents_request() handles the
CLIPRDR_FILECONTENTS_REQUEST which is sent by the server to retrieve the
size or data of a single file. The server can only request one of these
things at a time, do confirm this.
The actual handling of the requests is done by wClipboardDelegate. In
order to handle its resposes we register a bunch of our own callbacks
which simply pass the responses to the server.
In case of an error we should always send a CB_RESPONSE_FAIL to the
server. If we do not then the file transfer progress dialog may end up
hanging in the remote session forever until the user logs out or kills
explorer.exe. We do wnat this.
To handle a new format we should first be able to transform the format
name from the local clipboard owner into its remote representation. In
our case this will be trasforming the "text/uri-list" target into the
"FileGroupDescriptorW" named format.
Add CB_FORMAT_TEXTURILIST to identify the local format by its ID during
the data conversion step. This numeric ID has nothing to do with the ID
which will be sent to server. It's a bit weird, but that's how XFreeRDP
works.
After that add a new client format with this ID and appropriate local
and remote format names (in atom and formatName fields respectively).
Do this only if wClipboard actually supports "text/uri-list" format.
(It could fail to initialize the local file subsystem, in which case
it will fail all file-related requests and there would be no point in
advertising the file format support in the first place.)
Finally, handle the actual format data request for a new named format
in xf_cliprdr_process_requested_data(). Remember to convert the
FILEDESCRIPTOR array we receive from wClipboard into the
CLIPRDR_FILELIST expected by the server. Also take care to not leak
memory during this conversion.
Note that this handles only the CLIPRDR_FORMAT_DATA_REQUEST. The server
is still not able to retrieve the file content as this is done via a
separate request-reply sequence.
Unify error handling in xf_clipboard_new() by using a common cleanup
code path. This fixes a leak of clipboard->system and format names when
an error occurs during initialization.
Also reformat the code to fit into 100 column limit without this line
break insanity and with improved readability.
I do not particularly like to use a variable with such a descriptive
name 'n' far away in the error handling part, but its short name is
kinda important for readability so let's keep it as is.