Commit Graph

266 Commits

Author SHA1 Message Date
Armin Novak
5805ba8e52 Removed crypto_nonce. 2016-02-27 22:40:43 +01:00
Armin Novak
f997421098 Unified hmac functions. 2016-02-24 21:50:08 +01:00
Armin Novak
ada2b16c50 Unified RC4 functions. 2016-02-24 17:04:03 +01:00
Armin Novak
24c93e4de7 Resetting abortEvent only on connect and reconnect. 2016-02-23 16:32:47 +01:00
bjcollins
ee3b39d70f Remove unnecessary variable to keep track of nlaFailure, instead just set the NLA authentication error in the callback
where it is detected.
2015-09-15 14:17:13 -05:00
bjcollins
32a1406dc4 Return FREERDP_ERROR_AUTHENTICATION_FAILED on an authentication failure
when using NLA with xfreerdp.
2015-09-15 14:07:14 -05:00
Armin Novak
f7a11a0ed8 Resetting abortEvent on disconnect to avoid race during connect. 2015-09-05 16:26:46 +02:00
Armin Novak
188fe4ed2b Removed rdp disconnect, using unified abortEvent instead. 2015-09-05 14:57:30 +02:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Bernhard Miklautz
bf73f4e4f1 Fix unchecked strdups
* add missing checks
* adapt function return values where necessary
* add initial test for settings
2015-06-22 19:09:59 +02:00
Norbert Federa
91a9b23b91 core: message channel pdu broken with rdp security
rdp_recv_message_channel_pdu always read the rdp security header
even if it was already previously read (which is the case if rdp
security is active)

This caused malfunctions and disconnects when heartbeat or bandwidth
autodetect packets were sent/received in rdp security mode.

Credit goes to @MartinHaimberger for identifying the broken code
part.
2015-06-19 14:49:17 +02:00
Martin Haimberger
951a2d2210 stream: check stream_new in winpr and libfreerdp
also fixed a few things
2015-05-29 04:46:50 -07:00
MartinHaimberger
e3236c2317 Merge pull request #2605 from nfedera/fix-2015-05-08-01
fixed multiple missing gdi return value checks
2015-05-11 16:59:32 +02:00
Norbert Federa
1eff1a345e free can handle NULL perfectly fine 2015-05-11 09:07:39 +02:00
Norbert Federa
71a4349928 fixed multiple missing gdi return value checks
mainly gdi_Create* functions
2015-05-08 21:39:23 +02:00
Marc-André Moreau
0e57706de5 libfreerdp-core: cleanup connect error codes, fix Win32 NLA 2015-02-17 21:01:27 -05:00
Marc-André Moreau
9c7b7ab561 libfreerdp-core: make NLA event-driven 2015-02-15 16:04:59 -05:00
Marc-André Moreau
eddfee56a3 libfreerdp-core: prepare client-side NLA for event-driven structure 2015-02-15 14:54:10 -05:00
David FORT
6a8d21cab9 Fix server-side protocol negociation
Before this patch, RDP security was (wrongly) the fallback when negociating a
security protocol between the client and the server. For example when a client
was claiming TLS-only when connecting to a FreeRDP based-server with RDP security only,
the result of the negociation was that the server started to do RDP security.
The expected behaviour is to send a nego failure packet with error code
SSL_NOT_ALLOWED_BY_SERVER. This patch fixes this.

We also try to handle all cases of failed negociation and return the corresponding
error code.
2015-02-11 21:38:32 +01:00
Marc-André Moreau
3258c887a4 libfreerdp-core: add channel reconnect 2015-02-06 17:35:14 -05:00
Marc-André Moreau
fa06c4d401 libfreerdp-core: improve reconnection 2015-02-06 14:21:26 -05:00
Marc-André Moreau
e0b0c77ecb libfreerdp-core: improve http parsing 2015-02-02 17:16:32 -05:00
Armin Novak
8a1f9c321c Added nego_disconnect function. 2015-01-12 13:43:29 +01:00
Armin Novak
9274de4921 Fixed rdp_client_disconnect and rdp_reset. 2015-01-12 13:36:38 +01:00
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receices this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method confirms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Comliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00
Bernhard Miklautz
e139bd0fb8 core client side: set flag to crypt license
Client side code always tells the server that it is capable of processing
encrypted licensing packages (SEC_LICENSE_ENCRYPT_SC) but didn't set
the recently added flag to indicate that.

Fixes #2196
2014-12-01 11:12:34 +01:00
Marc-André Moreau
3f5aa863cb libfreerdp-core: fix server-side activated state 2014-11-19 14:21:23 -05:00
Vic Lee
0e7797ffca libfreerdp-core: server-side mcs message channel. 2014-10-29 00:49:27 +08:00
Marc-André Moreau
d102e746c8 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP
Conflicts:
	libfreerdp/core/license.c
	libfreerdp/core/nego.c
	winpr/libwinpr/synch/wait.c
2014-09-19 14:38:25 -04:00
Mike McDonald
65d38b54be Modified server code to honor the negotiated settings for 1) SEC_LICENSE_ENCRYPT_SC in the security exchange PDU (which controls the encryption of license PDUs from the server to the client) and 2) ENC_SALTED_CHECKSUM in the bitmap capability set. 2014-09-18 19:38:04 -04:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Marc-André Moreau
7171a0b5c1 libfreerdp-core: fix reconnection using client random 2014-08-11 11:23:23 -04:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Marc-André Moreau
49975d7da5 libfreerdp-core: properly reset internal RDP state on reconnect 2014-05-08 17:22:39 -04:00
Marc-André Moreau
c2a59c23a7 libfreerdp-core: fix potential crash on session redirection failure 2014-04-28 16:44:52 -04:00
Zhang Zhaolong
e40c5ce2ce libfreerdp-core: fix assignment after memory free. 2014-04-27 20:32:52 +08:00
Hardening
2edd8bee12 Misc fixes to check OOM 2014-04-10 21:10:19 +02:00
Bernhard Miklautz
3720e205b4 core: fixed client random size
client random must be (bitlen / 8) + 8 - see [MS-RDPBCGR] 5.3.4.1

fixes #1771
2014-04-08 19:38:01 +02:00
Bernhard Miklautz
16bc9f4bd1 sec-rdp: fixed cleanup in key error case 2014-04-03 12:18:08 +02:00
Bernhard Miklautz
9436d64ff5 sec-rdp: fixed *_establish_keys for keys > 256 bit 2014-04-03 11:36:51 +02:00
Norbert Federa
18cb418c81 core: FIPS for fastpath and RDP security fixes
- fixed invalid stream position if extEncryptionMethods is not used
- enabled 56bit rdp security method
- fixed entropy reduction of the keys for 40 bit and 56 bit
- added rdp security incl. FIPS for fastpath output
- added FIPS encryption to fast path input
- fixed FIPS key generation in server mode
- fixed stream length correction in FIPS mode
- added rdp encryption for licensing packets (apparently some clients,
  specifically cetsc, require the license packets received from the
  server to be encrypted under certain RDP encryption levels)
- replace errnous virtual extended mouse event in focus in event
2014-04-02 14:17:39 +02:00
Marc-André Moreau
2524cebfa2 Merge branch 'master' of github.com:mrthebunny/FreeRDP 2014-03-28 12:30:24 -04:00
Benoît LeBlanc
6d55d8859d Added context error codes 2014-03-28 12:23:16 -04:00
Hardening
ac7507ab8d Adds some check to treat OOM problems + RDP security fix
Malloc can fail so it will, this patch adds some check in some places
where malloc/strdup results were not checked.

This patch also contains a server side fix for RDP security (credit to nfedera).
The signature len was badly set in the GCC packet. And some other RDP security
oriented fixes are also there.
2014-03-25 23:13:08 +01:00
Marc-André Moreau
4c920506ed libfreerdp-core: add 'Bypass RD Gateway server for local addresses' feature 2014-03-24 14:44:18 -04:00
Benoît LeBlanc
d1b9565f51 Added context-specific error management.
Added error codes to replace connectErrorCode.
2014-03-20 18:19:54 -04:00
William Cheong Weelau
4e588ac331 Update connection.c
it's better to check and resolve the connection use the FQDN first instead of ip address, due to the issue of getting internal ip address that's getting "Resource Access Denied" response.
2014-03-10 11:18:31 +08:00
Marc-André Moreau
db7a9d2e77 libfreerdp-core: start moving internal MCS variables out of rdpSettings* 2014-02-15 16:32:38 -05:00
Marc-André Moreau
e5990fa60c libfreerdp-core: MCS cleanup, better handling of domain parameters 2014-02-13 17:06:33 -05:00
Marc-André Moreau
cdcd290c44 wfreerdp: fix most build warnings 2014-02-10 22:12:13 -05:00
Mike McDonald
02c9d07bcf Fixes to process new command line options (autodetect, heartbeat, multitransport), join the MCS message channel and process auto-detect PDUs during the connection sequence. 2014-01-29 22:53:32 -05:00
Mike McDonald
c4f6dcc24f Added auto reconnect to FreeRDP core and X11 client 2014-01-16 17:38:56 -05:00
Marc-André Moreau
a3d0e271b5 freerdp: add restricted admin option 2013-11-06 01:51:55 -05:00
Marc-André Moreau
3d339b04d9 libfreerdp-core: modify parsing functions to return int instead of BOOL to propagate session redirection return code 2013-11-04 15:52:29 -05:00
Marc-André Moreau
5406ebd5d8 channels/drive: refactoring 2013-11-03 19:10:33 -05:00
Marc-André Moreau
13b6678977 libfreerdp-core: start untangling session redirection 2013-11-03 16:25:56 -05:00
Marc-André Moreau
76414588b1 libfreerdp-core: fix transport failure case with session redirection 2013-11-01 14:13:09 -04:00
Marc-André Moreau
aea4960924 libfreerdp-core: get rid of rdpString in redirection module 2013-11-01 10:59:30 -04:00
Marc-André Moreau
3cdc490bf4 libfreerdp-cache: refactor glyph cache and add logging 2013-11-01 10:01:16 -04:00
Marc-André Moreau
1fc2d780f7 libfreerdp-core: fix memory leaks reported by valgrind 2013-10-31 23:35:24 -04:00
Dan Bungert
66ecabb647 Final cleanups - merge ready. 2013-10-28 16:59:02 -06:00
Dan Bungert
f02daaa2d5 More cleanups - remove LWD and all references. 2013-10-28 15:46:28 -06:00
Dan Bungert
c025042d07 NLA over TLS support
Improve credssp transport layer handling, so that it works
with the correct TLS object.
2013-10-28 14:39:10 -06:00
Dan Bungert
db890d9bf2 TLS over TLS baseline functionality.
TLS over TLS works and we get screen drawing and server interaction.
Network traffic flows in spurts with frequent apparent hangups.
2013-10-24 12:58:06 -06:00
Dan Bungert
eb25e45149 TLS over TLS maybe working. 2013-10-24 12:58:06 -06:00
Daryl Poe
076b8a84c2 commandline session reconnect 2013-10-22 09:14:29 -06:00
Vic Lee
b04544121c server: fix double demand active pdu during reactivation. 2013-09-03 19:09:53 +08:00
Marc-André Moreau
efff23acb5 Merge pull request #1395 from richterger/client_redir
Fix memory corruption in client redirection
2013-08-15 10:15:11 -07:00
richterger
3246dcff22 Fixed memory corruption problems within client redirect
- set freed pointers to NULL to avoid double free
- realloc mppc to cleanly restart compression
- avoid releaseing StreamPool from already freed transport after client redirect
2013-08-07 07:58:34 +02:00
Marc-André Moreau
69128d8018 libfreerdp-core: improvements to the server-side activation/reactivation code 2013-07-19 21:52:28 -04:00
Marc-André Moreau
91103b76b3 libfreerdp-core: modify server-side confirm active pdu receiving logic 2013-07-19 18:24:56 -04:00
Marc-André Moreau
6cde25937d libfreerdp-core: wrap state transition actions 2013-07-18 17:15:10 -04:00
Marc-André Moreau
f27ab422e3 libfreerdp-core: expand comments for connection sequence, split in more steps server-side connection code 2013-07-18 15:18:59 -04:00
Marc-André Moreau
7e63668090 libfreerdp-core: split licensing/capability steps in server-side RDP state machine 2013-07-17 17:46:58 -04:00
Benoît LeBlanc
c17c2f811b FreeRDP:
- replaced char* by const char* in function prototypes
- MacFreeRDP: moved assignation of context function pointers
- freerdp: added more pointer and return value validations to prevent crashes
2013-07-04 14:42:40 -04:00
Marc-André Moreau
bc631c93a8 freerdp: separate GatewayUsageMethod from GatewayEnabled 2013-07-03 15:07:12 -04:00
Bernhard Miklautz
72c6ecdd3b core: Don't sent persistent key list if deact/react
Client persistent key list should not be sent if deactivation-
reactivation sequence is in progress. See [MS-RDPBCGR] 2.2.1.17
for details.

fixes #1229
2013-06-13 20:27:10 +02:00
Marc-André Moreau
5c37356506 libfreerdp-core: reduce reuse of the same send buffer 2013-05-15 13:17:29 -04:00
Marc-André Moreau
367ebf32a3 freerdp: make use of stream macros to access members 2013-05-15 12:14:26 -04:00
Marc-André Moreau
fd230443c5 freerdp: purge old stream utils 2013-05-08 16:27:21 -04:00
Marc-André Moreau
5b92413843 freerdp: purge deprecated stream utils 2013-05-08 16:09:16 -04:00
Marc-André Moreau
51715636a5 freerdp: remove some deprecated stream utils 2013-04-29 22:35:15 -04:00
Marc-André Moreau
d0e989a549 libfreerdp-core: add support for load balance info 2013-04-11 11:51:10 -04:00
Daryl Poe
551cb22975 fix for PDU_TYPE_DEMAND_ACTIVE 0001, got 0007 error 2013-04-05 12:53:22 -06:00
Hardening
7701c9d934 Replace printf(...) by fprintf(stderr, ...) 2013-03-28 23:06:34 +01:00
Marc-André Moreau
a8201b0d1b libwinpr-utils: combine old and new stream utils 2013-03-21 15:19:33 -04:00
Marc-André Moreau
e42b1272ef libfreerdp-core: added ObjectPool 2013-02-14 20:39:56 -05:00
rdp.effort
0abf945a18 check or propagate return values when writing 2013-01-14 23:40:34 +01:00
Marc-André Moreau
dcf6c17e03 libfreerdp-core: transport cleanup 2012-12-21 15:49:02 -05:00
Marc-André Moreau
81c2782be3 libwinpr-sspi: start implementing Channel Bindings 2012-12-21 12:17:07 -05:00
Marc-André Moreau
709e66a596 libfreerdp: header cleanup 2012-12-14 00:25:48 -05:00
Marc-André Moreau
102abcbef2 libfreerdp-core: improve TSG memory cleanup 2012-12-12 20:02:56 -05:00
Marc-André Moreau
c5b12e5c1e libfreerdp-core: adjust security level for TSG 2012-11-14 23:21:00 -05:00
Marc-André Moreau
98dcdcfb8f libfreerdp-core: transport refactoring to split in/out channels 2012-11-14 20:46:51 -05:00
Marc-André Moreau
a25c72cb0e libfreerdp-core: rdpSettings refactoring (part 5) 2012-11-08 11:16:54 -05:00
Marc-André Moreau
410b7ab867 libfreerdp-core: rdpSettings refactoring (part 4) 2012-11-07 23:29:24 -05:00
Marc-André Moreau
8544716104 libfreerdp-core: rdpSettings refactoring (part 3) 2012-11-07 18:23:33 -05:00
Marc-André Moreau
6427c9dd90 libfreerdp-core: rdpSettings refactoring (part 2) 2012-11-07 15:13:14 -05:00
Marc-André Moreau
1a2839a165 libfreerdp-core: rdpSettings refactoring (part 1) 2012-11-07 11:02:46 -05:00
Marc-André Moreau
ebc09d17d8 libfreerdp-core: started refactoring rdpSettings 2012-11-07 10:33:06 -05:00
Marc-André Moreau
bd6861cd00 libfreerdp-core: added protocol security negotiation for PROTOCOL_HYBRID_EX, added registry keys to configure cookie length 2012-10-31 20:38:48 -04:00
Marc-André Moreau
0e5b076008 libfreerdp-core: simplify encoding of syntax UUIDs 2012-10-31 14:17:33 -04:00
Marc-André Moreau
37b6f9dd8e libfreerdp-core: improve options for connection cookie 2012-10-25 18:38:51 -04:00
Marc-André Moreau
9d064171a7 freerdp: get rid of old types 2012-10-09 03:26:39 -04:00
Marc-André Moreau
1bf8a45519 freerdp: change uint8, sint8, uint16, sint16 to BYTE, INT8, UINT16, INT16 2012-10-09 03:01:37 -04:00
Marc-André Moreau
1ed644786c freerdp: change boolean type to BOOL type 2012-10-09 02:38:39 -04:00
Marc-André Moreau
5612bc43f8 freerdp: change true/false to TRUE/FALSE 2012-10-09 02:31:28 -04:00
Marc-André Moreau
2df7aaad39 libfreerdp-utils: get rid of xstrdup in favor of WinPR _strdup 2012-10-08 23:42:01 -04:00
Marc-André Moreau
9909a12af5 libfreerdp-utils: get rid of xmalloc, xrealloc and xfree 2012-10-08 23:21:26 -04:00
Marc-André Moreau
e60a092d81 freerdp: fix headers 2012-10-08 23:02:04 -04:00
Marc-André Moreau
6dcc8e73ee libfreerdp-utils: get rid of rdpBlob 2012-09-24 04:40:32 -04:00
Marc-André Moreau
2026d3079e libfreerdp-core: code restructuration 2012-09-16 21:05:51 -04:00
Marc-André Moreau
bdfb1ca26a libfreerdp-core: fix enabling of RDP security levels 2012-09-10 16:01:02 -07:00
Marc-André Moreau
1e2d7599d9 libfreerdp-core: minor TSG code style cleanup 2012-09-08 17:49:37 -04:00
Marc-André Moreau
d5d1eb7762 libfreerdp: add proper config.h inclusions 2012-08-14 17:09:01 -04:00
Marc-André Moreau
19028a27b0 libfreerdp: move all libraries to libfreerdp directory, one step closer to monolithic build option 2012-08-13 23:19:51 -04:00