Commit Graph

258 Commits

Author SHA1 Message Date
Pascal J. Bourguignon
45841f8e67 Applied autoformat.sh manually to settings.h 2018-07-03 14:39:35 +02:00
Pascal J. Bourguignon
35477c35d8 Use tabs to indent the comment in rdp_settings too. 2018-07-03 13:33:05 +02:00
Pascal J. Bourguignon
a7c4022554 Corrected update-rdpSettings according to PR comments.
Updated settings.h with it.
2018-06-06 17:08:52 +02:00
Pascal J. Bourguignon
118ce7f122 Aligned columns in rdpSettings structure declaration. 2018-06-06 14:56:07 +02:00
Armin Novak
5b961e9c75 Fixed /pth: Consistently treat the hash offset to password length. 2018-05-03 17:51:11 +02:00
David Fort
0f968b782c proxy: cleanup SOCKS support and add user/password support 2018-05-02 10:51:16 +02:00
Jiri Sasek
b1c1549ad1 SOCKS proxy support 2018-04-23 21:01:01 +02:00
Jacco Braat
b592684734 Added to rdp file parsing: gatewayaccesstoken:s:<token>
Added to commandline parsing: /gat:<token>
Added GatewayAccessToken to sings
2018-02-15 10:56:57 +01:00
David Fort
b84839b21c video: a skeleton for MS-RDPEVOR client
Basics for implementing the client side of the MS-RDPEVOR channel.

Sponsored by: Rangee GmbH (http://www.rangee.de)
2018-02-13 10:51:07 +01:00
Armin Novak
3b70d1178b Added AVC444 chroma support to shadow server. 2018-02-02 10:39:33 +01:00
akallabeth
71fd6f3116
Merge pull request #4313 from hardening/dyn_res_update
disp: implement dynamic resolution for X11
2017-12-19 13:49:02 +01:00
David Fort
80dab90f1a disp: implement dynamic resolution for X11
If the display channel is available we use it to allow the user to resize the
xfreerdp window. When the window is resized we announce a new monitor layout and
the server reacts by doing a reactivation sequence to the new size.
The minimum window size is limited to 300x300 as 2012 servers crash horribly
if we send them a smaller layout.
2017-12-14 15:13:11 +01:00
Bernhard Miklautz
1e6fea7fa7 fix channel/smartcard: simplify channel variables
Path was not really used and name was duplicated. Use the device->Name
directly.
2017-12-13 17:04:06 +01:00
Armin Novak
2cc64298f2 Fix #4281: Added option to prefer IPv6 over IPv4 2017-11-27 11:43:54 +01:00
Brent Collins
d98b88642b Add new command-line option to force xfreerdp into a fips compliant mode.
This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.

Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.

Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.

Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.

Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
2017-11-17 12:43:06 +01:00
Ben Cohen
0e90841a18 Forward ssh-agent data between ssh-agent and RDP
Add the sshagent plugin to forward the ssh-agent protocol over an RDP
dynamic virtual channel, just as the normal ssh-agent forwards it over
an SSH channel.  Add the "/ssh-agent" command line option to enable it.
Usage:

Run FreeRDP with the ssh-agent plugin enabled:

   xfreerdp /ssh-agent ...

In the remote desktop session run xrdp-ssh-agent and evaluate the output
in the shell as for ssh-agent to set the required environment variables
(specifically $SSH_AUTH_SOCK):

   eval "$(xrdp-ssh-agent -s)"

This is the same as for the normal ssh-agent.  You would typically do
this in your Xsession or /etc/xrdp/startwm.sh.

Limitations:

1. Error checking and handling could be improved.

2. This is only tested on Linux and will only work on systems where
clients talk to the ssh-agent via Unix domain sockets.  It won't
currently work on Windows but it could be ported.
2017-11-10 20:16:00 +00:00
Bernhard Miklautz
4592deee72 extend /size to allow width or height percentages (#4146)
If the size parameter is used with a percentages like /size:50% now
an additional 'w' or 'h' can be appended (like /size:50%w) to specify
where the percentage should be applied. If both or none are set the
behavior is like it was before and the percentage is applied to width
and height.
2017-09-25 09:35:49 +02:00
Armin Novak
d2d621106d Fixed capability checks for mouse and unicode input. 2017-07-31 12:30:35 +02:00
Armin Novak
1fb63aea5f Fixed wrong type for AuthenticationLevel.
Replaced type BOOL with INT32 as according to MSDN they are typedefed.
This keeps the ABI compatible and fixes the wrong data type.
2017-07-20 09:35:41 +02:00
Armin Novak
f414522b7a Added setting for QoeAck. 2017-05-18 14:07:09 +02:00
Armin Novak
d119745d97 String representation of logon_error_info 2017-03-02 18:09:51 +01:00
Volth
e7487cea27 Add command line option to override action script path 2017-02-08 08:30:24 +00:00
Christian Plattner
58ef7cc42d More abstracted proxy handling 2016-12-10 23:13:35 +01:00
Christian Plattner
5d10b3bf5b Merge branch 'gateway-http-bugfix'
Conflicts:
	client/common/cmdline.c
	include/freerdp/settings.h
	libfreerdp/common/settings.c
	libfreerdp/core/settings.c
	libfreerdp/core/tcp.c
	libfreerdp/core/transport.c
2016-12-09 20:43:02 +01:00
David Fort
f92860de87 Applied astyle formatting 2016-10-14 15:12:48 +02:00
David Fort
71fd5cc148 Limit the time passed in transport check loop
This patch make it possible to limit the time that is passed when we call
XXX_check_fds functions. This should smooth the treatment between handling inputs
and handling incoming bitmap updates.
The default maximum time is set to 100 ms.
2016-10-14 15:12:48 +02:00
Marc-André Moreau
801dc0f826 freerdp: add configurable NTLM SAM file option for server-side NLA 2016-07-21 18:58:24 -04:00
Marc-André Moreau
e4714f3422 freerdp: fix Hyper-V connectivity, fix issues #2421 and #3325 2016-05-11 15:52:36 -04:00
Armin Novak
53445768ed Added command line option /cert-tofu 2016-03-31 12:16:55 +02:00
Armin Novak
50873be062 Added advanced gfx command line options. 2016-03-24 16:36:43 +01:00
Armin Novak
dccf40c2bc Fixed duplicate loading of smartcard and printers. 2016-02-26 15:21:11 +01:00
Armin Novak
447ac23aee Refactored timezone functions. 2016-02-24 09:28:30 +01:00
davewheel
d5b8585a39 Allow to specify the raw content of crypto materials
Sometime it's possible that your server application doesn't have access to files
(when running in a very restricted environment for example). This patch allows
to ship the private key and certificate as a string.

Sponsored by: Wheel Systems (http://www.wheelsystems.com)
2016-01-21 11:27:06 +01:00
Roland Kaufmann
6f6f0b0c53 Move UnmapButtons settings to stable ABI section
The Miscellaneous section is chosen because choosing not to map the
buttons is not a property of the input system, but rather an ad-hoc
setting to be applied to this session.
2015-12-16 23:21:43 +01:00
Roland Kaufmann
600d3c5ccb Add option to disable pointer button mapping
In case the old behaviour of not reverse-mapping the mouse buttons is
desirable, a command-line option is added to disable the mapping. This
option is made experimental for the time being.

The default is to do the reverse mapping, as this is the intuitive
behaviour (the mouse then works as it would on the console).
2015-12-15 17:42:57 +01:00
Armin Novak
a5db7117c8 Implemented horizontal wheel support.
Horizontal mouse wheel input capabilities are now checked
and if available mouse buttons 6 and 7 are mapped to the
horizontal wheel for the X11 client.
2015-12-14 18:29:23 +01:00
Vic Lee
6f639c1e34 gcc: read and write desktop scale settings in core data. 2015-08-27 16:19:40 +08:00
Vic Lee
8394d8c677 gcc: read and write monitor extended data. 2015-08-27 15:26:37 +08:00
Bernhard Miklautz
1b8dd139a9 cmd line: add missing checks
* strdup
* some allocs
2015-06-22 19:23:57 +02:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Marc-André Moreau
6b1fefea40 freerdp: fix remote assistance mode, add multi-address connection 2015-05-06 16:32:45 -04:00
Marc-André Moreau
6202f48c12 libfreerdp-core: add configurable TSG/RGB fallback, fix edge cases 2015-03-19 11:44:47 -04:00
bjcollins
d4a9a2d3a8 Remove override redirect flag for fullscreen with keyboard grab enabled. Window manager should always know about the main window.
Small cleanup of passing around decorations flag.
Limit PercentScreen to single monitor vs. entire desktop. IMO - this is better behavior in a multimonitor environment.

Handle fullscreen windows better:
1. Ensure that size hints are set to allow resizing before setting a window to fullscreen as some window managers do not behave properly.
2. Handle fullscreen toggles without destroying and recreating window.
3. Use NET_WM_STATE_FULLSCREEN Extended Window Manager Hint for fullscreen functionality
4. Use the NET_WM_FULLSCREEN_MONITORS Extended Window Manager Hint when appropriate
5. When a single monitor fullscreen is requested - use the current monitor(as determined from mouse location)
6. Handle cases where there is no local monitor at coordinate 0,0. The Windows server expect there to be a monitor at this location, so we maintain offset if necessary between our local primary monitor and the server side primary monitor located at 0,0.
2015-02-23 11:22:28 -06:00
Marc-André Moreau
fa06c4d401 libfreerdp-core: improve reconnection 2015-02-06 14:21:26 -05:00
Christian Plattner
33320a2e02 Merge remote-tracking branch 'upstream/master' into httpproxy
Conflicts:
	libfreerdp/core/settings.c
	libfreerdp/core/tcp.c
	libfreerdp/core/transport.c
2015-01-22 14:33:17 +01:00
Christian Plattner
3b7b3a0dac Merge commit '709df9^' into httpproxy
Conflicts:
	client/common/cmdline.c
2015-01-20 01:33:46 +01:00
Christian Plattner
ff42e9f12c Merge commit 'dd6d82': Switch to OpenSSL BIOs
Conflicts:
	libfreerdp/core/tcp.c
	libfreerdp/core/transport.c
2015-01-20 00:47:16 +01:00
Christian Plattner
c20b487815 Merge commit 'dd6d82955087e1b53c8d9f1a7a5b252c8a545210^' into httpproxy 2015-01-19 21:23:37 +01:00
Christian Plattner
5152a8a483 Merge commit '4c920506ed9985fdec0eb52fd2c40626458fd050' into httpproxy
Conflicts:
	include/freerdp/settings.h
	libfreerdp/common/settings.c
	libfreerdp/core/settings.c
	libfreerdp/core/transport.c
2015-01-19 21:13:24 +01:00
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receices this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method confirms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Comliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00