Commit Graph

153 Commits

Author SHA1 Message Date
Armin Novak
13564dbb41 Allow redirect address override with a list of values. 2018-08-08 12:30:47 +02:00
Armin Novak
cc5e402cda Added command line option /redirect-prefer:<fqdn|ip|netbios>
Since redirection sometimes happens with internal DNS names that
are resolved different by outside DNS it must be possible to override
the preferred redirection hint.
2018-08-08 11:24:13 +02:00
Armin Novak
f6b6eba0ab Try redirection FQDN first, but check if it is resolvable. 2018-08-08 10:25:09 +02:00
Armin Novak
3a30844db8 Added default return value. 2018-07-31 10:45:04 +02:00
Armin Novak
7a6b8a04b9 Fixed channel reconnect after redirect. 2018-07-13 13:11:38 +02:00
Armin Novak
77eb93b4b7 Made internal functions static to help compiler optimize. 2018-07-10 12:21:38 +02:00
Armin Novak
7a39dcd7e2 Updated reconnect to handle cases where PostConnect was not called
freerdp_reconnect might be called after a freerdp_connect failed due
to a TCP timeout waiting for user input.
In such cases we need to know if PostConect was already called and
do that if not.
2018-07-10 12:04:27 +02:00
Armin Novak
35cd438eca Added enum for client connection state. 2018-06-25 09:25:27 +02:00
Armin Novak
273655a850 Follow up fix for #4631
Remember the callback state to avoid calling reerdp_channels_post_connect
before the corresponding client callback has benn called.
This might happen during redirection and reconnection.
2018-06-18 10:44:35 +02:00
Armin Novak
e1ea441275 Fixed #4629: Only call freerdp_channels_post_connect when it was connected.
In rdp_client_redirect or rdp_client_reconnect freerdp_channels_post_connect must
be called if the channels were connected previously.
This might not be the case, skip that call then.
2018-05-11 10:49:29 +02:00
David Fort
8cba201999
Merge pull request #4548 from akallabeth/autoreconnect_fix
Autoreconnect fix
2018-04-27 09:39:30 +02:00
Armin Novak
1feca7768e Fixed redirection with session brokers.
* Only reconnect channels on redirect, if they have already been connected.
* Prefer TargetNetAddress over FQDN to connect.
2018-04-16 16:46:48 +02:00
Armin Novak
685f5a8d20 Do not clear last error if not reconnecting. 2018-04-11 10:06:11 +02:00
Armin Novak
2fc31fcb37 Set connection error if TCP connect fails. 2018-04-11 09:09:23 +02:00
Armin Novak
7af9ba9171 Refactored reconnect and redirect API
Reconnect and redirect share the same code on disconnect.
Move that to a single function and export it as it may be required
to terminate the session properly before reconnect is called.
2018-04-09 14:04:30 +02:00
Armin Novak
0a7691de58 Fixed channel (dis)connect on redirect or reconnect. 2018-04-09 11:26:12 +02:00
KOVACS Krisztian
6518e36c70 Revert "core/connection: use redirection password when reconnecting"
This reverts commit 70c65e70d1.
2017-12-06 14:58:34 +01:00
Ondrej Holy
6973b14eed Enable FIPS mode automatically
FreeRDP aborts if OpenSSL operates in FIPS mode and +fipsmode is not
manually specified. Let's prevent the abortion and enable the necessary
options in that case automatically.
2017-11-23 10:09:17 +01:00
Brent Collins
d98b88642b Add new command-line option to force xfreerdp into a fips compliant mode.
This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.

Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.

Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.

Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.

Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
2017-11-17 12:43:06 +01:00
KOVACS Krisztian
70c65e70d1 core/connection: use redirection password when reconnecting
According to MS-RDPBCGR the server might send a password in the Redirection PDU
that then must be sent by the client to the server as password.

Since the field either contains a password string (unicode) or a binary cookie,
we try to convert the password from unicode and use it only if conversion
succeeds.
2017-11-09 14:46:38 +01:00
Armin Novak
0490aeb018 Fixed clang malloc integer overflow warnings. 2017-07-20 09:29:48 +02:00
Armin Novak
8292b4558f Fix TALOS issues
Fix the following issues identified by the CISCO TALOS project:
 * TALOS-2017-0336 CVE-2017-2834
 * TALOS-2017-0337 CVE-2017-2834
 * TALOS-2017-0338 CVE-2017-2836
 * TALOS-2017-0339 CVE-2017-2837
 * TALOS-2017-0340 CVE-2017-2838
 * TALOS-2017-0341 CVE-2017-2839
2017-07-20 09:28:47 +02:00
Armin Novak
8c52dcbdc2 SEC_ENCRYPT check in rdp_client_connect_auto_detect
Fix by @wizwizaco for #3951
2017-05-15 13:10:10 +02:00
Armin Novak
9f9254504e Fixed leak of client random. 2017-03-28 14:33:02 +02:00
David Fort
b0b3a78a20 Store client_random in server mode
We need the client_random in server mode when the client does RDP security and
tries to reconnect using the cookie.
2017-03-21 10:32:17 +01:00
David Fort
7b437178bb Add a ClientCapabilities callback
This callback is called when the client capabilities have been received. This callback
appears to be more useful than the Capabilities one that is called just before the server
sends its capabilities.
2017-02-21 23:44:47 +01:00
Martin Fleisz
68a9408249 core: Get rid of useless settings copy 2017-02-15 14:59:24 +01:00
Norbert Federa
f71b6b46e8 fix string format specifiers
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Armin Novak
a1b2325c1d Ensure securityFlags are always initialized. 2016-12-02 12:04:53 +01:00
Norbert Federa
53bd98883e winpr/crypt api changes and memory leak fixes
- winpr_HMAC_New() now just returnes the opaque WINPR_HMAC_CTX* pointer
  which has to be passed to winpr_HMAC_Init() for (re)initialization
  and since winpr_HMAC_Final() no more frees the context you always have to
  use the new function winpr_HMAC_Free() once winpr_HMAC_New() has succeded

- winpr_Digest_New() now just returns the opaque WINPR_DIGEST_CTX* pointer
  which has to be passed to winpr_Digest_Init() for (re)initialization
  and since winpr_Digest_Final() no more frees the context you always have to
  use the new function winpr_Digest_Free() once winpr_Digest_New() has succeded
2016-11-24 18:27:29 +01:00
Norbert Federa
7befab856c Support for OpenSSL 1.1.0 2016-11-24 17:50:09 +01:00
Marc-André Moreau
1ffbd774e9 freerdp: fix sending of TLS alert on NLA failure, add better handling of server-side NLA in shadow server 2016-07-21 17:53:20 -04:00
Norbert Federa
6ee445339b core: fix broken rdp security (server side)
- fixed typo in rdp_server_establish_keys
2016-04-08 14:47:35 +02:00
Armin Novak
36cbf1b583 Fixed error handling for channel load failures. 2016-03-14 13:13:43 +01:00
Armin Novak
b429d230cb Refactored crypto *_New functions. 2016-02-29 09:00:02 +01:00
Armin Novak
92c15783dc Updated RC4 API, fixed crashing bug. 2016-02-28 11:19:29 +01:00
Armin Novak
238ff3b315 Unified encryption functions. 2016-02-27 23:28:49 +01:00
Armin Novak
5805ba8e52 Removed crypto_nonce. 2016-02-27 22:40:43 +01:00
Armin Novak
f997421098 Unified hmac functions. 2016-02-24 21:50:08 +01:00
Armin Novak
ada2b16c50 Unified RC4 functions. 2016-02-24 17:04:03 +01:00
Armin Novak
24c93e4de7 Resetting abortEvent only on connect and reconnect. 2016-02-23 16:32:47 +01:00
bjcollins
ee3b39d70f Remove unnecessary variable to keep track of nlaFailure, instead just set the NLA authentication error in the callback
where it is detected.
2015-09-15 14:17:13 -05:00
bjcollins
32a1406dc4 Return FREERDP_ERROR_AUTHENTICATION_FAILED on an authentication failure
when using NLA with xfreerdp.
2015-09-15 14:07:14 -05:00
Armin Novak
f7a11a0ed8 Resetting abortEvent on disconnect to avoid race during connect. 2015-09-05 16:26:46 +02:00
Armin Novak
188fe4ed2b Removed rdp disconnect, using unified abortEvent instead. 2015-09-05 14:57:30 +02:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Bernhard Miklautz
bf73f4e4f1 Fix unchecked strdups
* add missing checks
* adapt function return values where necessary
* add initial test for settings
2015-06-22 19:09:59 +02:00
Norbert Federa
91a9b23b91 core: message channel pdu broken with rdp security
rdp_recv_message_channel_pdu always read the rdp security header
even if it was already previously read (which is the case if rdp
security is active)

This caused malfunctions and disconnects when heartbeat or bandwidth
autodetect packets were sent/received in rdp security mode.

Credit goes to @MartinHaimberger for identifying the broken code
part.
2015-06-19 14:49:17 +02:00
Martin Haimberger
951a2d2210 stream: check stream_new in winpr and libfreerdp
also fixed a few things
2015-05-29 04:46:50 -07:00
MartinHaimberger
e3236c2317 Merge pull request #2605 from nfedera/fix-2015-05-08-01
fixed multiple missing gdi return value checks
2015-05-11 16:59:32 +02:00