* Fixed SSPI fallback to NTLM
* Fixed wide/ansi mixup
* WITH_GSS fixes
* Move to WinPR as this is not related to FreeRDP
* Add option WITH_GSS_NO_NTLM_FALLBACK to disable NTLM fallback
* Abort NLA if status is SEC_E_NO_CREDENTIALS
* Properly invalidate sspi::SubContext
When using NLA with a NULL identity (in AcquireCredentialsHandle) on
Windows the client sends the first NLA package with cbBuffer set to 0.
In that case the client currently incorrectly kills the connection. With
this PR the check is removed and the client correctly connects to the server.
The order of evaluation of the two sides of addition is undefined in C.
Since there is no sequence point between ber_write_contextual_tag and
ber_write_octet_string, these two functions can be called in any order.
Force the correct order by breaking the two function calls into two
separate statements.
If somewhere in freerdp_connect freerdp_abort_connect was called
the user callbacks Authenticate, GatewayAuthenticate and
Verify[Changed|X509]Certificate[Ex] must not be called.
This new function allows better logging of call locations
for errors. Additionally added freerdp_set_error_log macro
to record function, file and line the error was set.
Signed-off-by: Armin Novak <armin.novak@thincast.com>
The prompt for credentials setting was incorrectly used in FreeRDP. If
this setting is set to 1 in a rdp file the client should prompt for
credentials even if it has credentials stored for this connection. If
the setting is set to 0 the client should either use the stored
credentials (if present) or ask for username/password otherwise.
This PR changes the old handling (if PromptForCredentials was set to 0
no credential prompting was done) to the desired behavior.
In commit 0e1a073384 there was a mistake -
originally code said different then kerberos. Because of that NLA authentication
of server side didn't work for me.
FreeRDP currently only supports CredSSP protocol version 3. However the
current implementation always sent back the version received by the
server indicating that this version was supported.
With recent windows updates applied the protocol changed and this approach
doesn't work anymore (see
https://msdn.microsoft.com/en-us/library/mt752485.aspx for protocol changes).
With this fix FreeRDP always sends version 3 as supported version.
Credit goes to @mfleisz.
Fixes#4449
Previously, the code prompted for the password even if a RedirectionPassword
was provided.
With this change the prompt is only shown if both settins->Password and
settings->RedirectionPassword is absent.
Adds a callback that allows servers to compute NTLM hashes by themselves. The typical
use of this callback is to provide a function that gives precomputed hash values.
Sponsored by: Wheel Systems (http://www.wheelsystems.com)
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
Details: cbSecurityTrailer was assumed to be a fixed length for all signatures, however for Kerberos authentication the signature may generate smaller than this value
build-config.h should contain configure/compile time settings that are
relevant for projects that use FreeRDP.
For example the compiled in plugin search paths.
It was supported in freerdp 1.0.2 but not supported in lastest master.
We should take empty password if it is explicitly specified with /v option.
If a password is not specified, we could first try SAM file. If the user entry does not exist, prompt for password.
The token buffer size during authentication was constructed
from the wrong buffer size. These sizes are equal in case of
local account logins but differ with domain accounts.
When using NULL credentials (current context)
the server state machine did not send back the
required authentication token.
On client side erroneous checks prevented sending
the appropriate public key.
This patch contains:
* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
transport_check_fds and transport_read_pdu had almost the same
functionality: reading and validating one pdu at a time.
Now transport_read_pdu reads one pdu from the transport layer and verifies
that the pdu data is valid - as before.
transport_read_pdu also ensures that the stream is sealed and
rewound when the pdu is received completely.
transport_check_fds just uses transport_read_pdu and does *not* do
the verification a second time based on the stream.
Besides the clean up this fixes the following problems:
* transport_read always read 4 bytes. Fast-path input synchronize pdus
are only 3 bytes long. In this case on byte got lost in the stream
buffer which lead to "de-synchronization" of server and
client.
* Size check in tpdu_read_connection_confirm - already read bytes
weren't taken into account.
- AUTHENTICATIONERROR error code correclty set on gateway authentication (http error 401)
- Better error handling on connection errors and user cancelation
If sec pointer isn't invalidated after creation it is not possible
to check if the upper and lower pointers are valid.
This fixes a segfault in the server part if the client disconnects before
the authentication was finished.
