Commit Graph

259 Commits

Author SHA1 Message Date
akallabeth
71080e61b0
[warnings] fix a bunch of them
* fix uninitialized variable warnings
 * modivy ndr_context_* functions to utilize WINPR_ATTR_MALLOC
 * build_krbtgt use winpr_asprintf
 * add proper Stream_Write_UINT64_BE
2024-09-14 08:24:28 +02:00
David Fort
a4bd5ba886 core, channels: client-side remote credential guard
This patch implements the client-side part of the remote credential guard feature
as described in MS-RDPEAR. The 2 main changes are: shipping the TSRemoteGuardaCreds in
NLA, and implement the rdpear channel that allows LSASS to remote all the calls to
our client. For now it's UNIX only as the windows implementation would be implemented
in a completely different way.
To test, you may establish you ccache and then connect with (RCG enabled on the server):
	xfreerdp /remoteGuard /u:<user> /d:<domain> /v<server>

That should log you in, and in the session you should not be asked for credentials when
doing mstsc /remoteGuard /v:<other server>.
2024-09-11 17:15:11 +02:00
akallabeth
679de71056
[core,nla] remove platform guards for PasswordHash
Fixes #10507: do not ask for password if PasswordHash is supplied on
windows.
2024-08-26 09:23:55 +02:00
Martin Fleisz
d8cd7c2f38 core: Fix handling of logon errors during nla_client_begin
Under certain circumstances `InitializeSecurityContext` returns an error
if a wrong password was provided. This PR checks the returned status
code and correctly sets the last error code. This allows a client
application to ask the user again for credentials.

A scenario where this happens is when a user tries to connect with a wrong
password and both machines are joined to the same domain.
2024-07-01 14:54:53 +02:00
Armin Novak
8d783d5189
[covertity] fix various warnings 2024-06-05 09:19:59 +02:00
Armin Novak
09f679da61 [coverity] 1543075 Explicit null dereferenced 2024-04-15 11:30:31 +02:00
akallabeth
2477b37128 [warnings,types] fix BOOL assingments 2024-04-12 09:45:09 +02:00
akallabeth
05e555feb7 fixed unused-variable warnings 2024-02-22 12:31:50 +01:00
akallabeth
0ba995655d [clang-tidy] cppcoreguidelines-init-variables 2024-02-15 11:49:16 +01:00
akallabeth
207def5c56 [clang-tidy] readability-isolate-declaration 2024-02-15 11:49:16 +01:00
akallabeth
ba8cf8cf21 [build] fix Wmismatched-deallocator warnings
With custom malloc function attributes the fail path in the _New
functions produces warnings due to allocator mismatches. Silence them.
2024-02-05 08:16:55 +01:00
Vic Lee
33447dc16e [nla,transport] move public key retrieval to transport IO. 2024-01-03 08:40:39 +01:00
akallabeth
737cd9b8f6 [warnings] Wshadow, uninitialized variables 2023-11-24 18:19:03 +01:00
akallabeth
c78e466be1 [warnings] fixes Wunused-variable 2023-11-24 18:19:03 +01:00
Armin Novak
6e6559c41a [settings] fix type mismatch warnings 2023-11-24 14:54:56 +01:00
akallabeth
cd4d77af86 [settings] add deprecation warnings
direct struct access to rdpSettings now produces warnings if not
explicitly deactiaved by defining FREERDP_SETTINGS_INTERNAL_USE
2023-11-24 14:54:56 +01:00
David Fort
061148f856 [nla] initial server-side remote credential guard support
Adds support for server-side remote credential guard in NLA. When enabled that allows
the remote user to connect without shipping credentials in TSCred packets. Instead
it will send his TGT encoded with a TGS from the remote server. This way the server
is able to populate that TGT in a local credential cache without knowing the user's
password.

The patch only treats the NLA part and does not contain the associated RDPEAR channel
that allows to have the complete interaction to retrieve new access tokens.
2023-11-20 16:17:00 +01:00
David Fort
ff303a9bda [core,nla] Inject received TSCredentials in the peer's settings
The RDP client sends TSCredentials so that the server can reuse these credentials. This
patch stores these values in the peer's rdpSettings in the corresponding fields.
It handles TSPasswordCreds for user/domain/password connection but also TSSmartCardCreds
when the users has connected with a smartcard.
2023-10-04 09:22:49 +02:00
David Fort
0638c382f9 [core,nla] correctly print the value of earlyUserAuth
The log was printing the previous value instead of the value that is set.
2023-09-27 11:57:49 +02:00
Armin Novak
555fa2c98a [core,nla] print name of error code in log 2023-07-13 09:25:45 +02:00
akallabeth
851f9cce2d [core,nla] fix unused variable warning 2023-06-29 18:34:51 +02:00
Hugues LEFEBVRE
b67afecf0f CredSSP with early user auth (nla_ext) support 2023-06-26 11:53:46 +02:00
Armin Novak
f8e8764ea8 [core,settings] unify identity from settings 2023-04-11 11:37:09 +02:00
Armin Novak
9b498efa79 [core,nla] unify identity creation 2023-04-11 11:37:09 +02:00
Armin Novak
e2f85fc329 [core,nla] ensure the identity is created with unicode 2023-04-11 11:37:09 +02:00
Armin Novak
13c025e04c [winpr,sspi] remove sspi_SetAuthIdentityWithUnicodePassword
the function is useless as we always use the SetAuthIdentityW API now
2023-04-11 11:37:09 +02:00
Martin Fleisz
ecc29d00c0 core: Allow NULL identity for NLA authentication
During the recent changes the possiblity to perform NLA auth using the
current identity was removed.

In case we receive AUTH_NO_CREDENTIALS with NLA we should resume using a
NULL-identity and not abort the connection.
2023-03-13 10:59:57 +01:00
Joan Torres
689bf6daab [core,nla]: Fix using password from redirection
If a client reconnects on redirection process and uses NLA authentication,
the client was using the old password because it wasn't setting
usePassword to false.

With this commit the client will use the new password.
2023-03-08 08:36:42 +01:00
Marc-André Moreau
3a8dce07ea expose last NLA/CredSSP SSPI error code (freerdp_get_nla_sspi_error) 2023-02-24 13:19:19 -05:00
Martin Fleisz
892e58d969 core: Update smartcard settings on all platforms
Currently smartcard settings were only updated in the WIN32 code path.
This must be done on all platforms to have the correct settings (i.e.
pkinitArgs) correctly applied.
2023-02-23 14:25:44 +01:00
Martin Fleisz
09b2096cf2 core: Add CAPI support for enumerating smart card key containers
Windows seems to favor using the legacy Crypto API (CAPI) for
enumerating RSA key containers and only relies on the newer CNG APIs for
ECC keys.

This PR adds support for CAPI key container enumeration on Windows.

The PR also fixes an issue where the CSP was always set to the MS Base
Smart Card Provider during NLA authentication.
2023-02-22 17:10:47 +01:00
Martin Fleisz
6f639686cf core: Allow change to smart card logon in Authentication callbacks
This PR adds a few changes so that a client is able to change the
authentication/logon type in the Authentication callback. I.e. if the
client was started without user/domain the authentication callback is
now able to activate smart card logon by setting the SmartcardLogon
setting along with csp/container/reader name.
2023-02-22 11:45:32 +01:00
Martin Fleisz
1f903f80a5 core: Add possibility to distinguish between auth cancelled and no creds
Currently if the authentication callback returns `FALSE` the utils
function handle this as scenario as no credentials provided (returns
`AUTH_NO_CREDENTIALS)`.

This PR introduces a new `auth_status` called `AUTH_CANCELLED` that is
returned if the authentication callback returns `FALSE`. If the callback
returns `TRUE` and username or password are empty the util function will
continue to return `AUTH_NO_CREDENTIALS`.

THe PR also fixes some incorrect returns in RPC over HTTP gateway code.
2023-02-14 08:43:23 +01:00
akallabeth
818267bc80 [core] fixed missing BYTE to WCHAR casts 2023-02-01 09:51:54 +01:00
akallabeth
22f3bf6f78 [core,nla] initialize stack variables 2023-01-27 10:07:01 +01:00
akallabeth
f5d759c979 [core,nla] unify SecBuffer to ASN1 string
use a helper function to convert the buffer to a ASN1 string
2023-01-27 10:07:01 +01:00
akallabeth
c604801a67 [core,nla] simplify server side authentication
* Single point fo function return
* Clear all buffers after authentication
2023-01-27 10:07:01 +01:00
akallabeth
ca3cd8b7ec [core,nla] fix a memory leak in server nla
Clear destination SecBuffer before calling credssp_auth_decrypt or
credssp_auth_encrypt
2023-01-27 10:07:01 +01:00
Armin Novak
dd0d130f48 [crypto] make tls.h a private header
no need to uselessly export symbols that are not usable outside the
project
2023-01-14 08:50:26 +01:00
akallabeth
37ab25e19d Fixed all Wdocumentation warnings 2022-12-12 14:24:55 +01:00
akallabeth
0186a9b303 Fixed some warnings 2022-12-09 15:58:26 +01:00
akallabeth
7e1065a9b9 Fixed Wshadow warnings 2022-12-09 15:58:26 +01:00
akallabeth
5799fb2018 Replace ConvertFromUnicode and ConvertToUnicode
* Use new ConvertUtf8ToWChar, ConvertUtf8NToWChar,
  ConvertUtf8ToWCharAlloc and ConvertUtf8NToWCharAlloc
* Use new ConvertWCharToUtf8, ConvertWCharNToUtf8,
  ConvertWCharToUtf8Alloc and ConvertWCharNToUtf8Alloc
* Use new Stream UTF16 to/from UTF8 read/write functions
* Use new settings UTF16 to/from UTF8 read/write functions
2022-11-28 10:42:36 +01:00
akallabeth
4284d67088 [core,state] fix state transitions, added logging 2022-11-22 15:30:31 +01:00
akallabeth
9dcf2c7e39 [nla] Advance input stream position
In nla_decode_ts_request the input stream position was not advanced.
This lead to issues when testing proper input data processing in the
client receive state callback
2022-11-22 15:30:31 +01:00
Armin Novak
b56b09840a Fixed -Wshadow 2022-11-21 10:12:31 +01:00
Armin Novak
31c1700c0c Fixed -Wunused-variable 2022-11-21 10:12:31 +01:00
Armin Novak
f1ae9be54d Fixed nla error code to string conversion 2022-10-27 10:37:23 +02:00
fifthdegree
eb04eb0008 Support using smartcard for gateway authentication 2022-10-19 18:55:38 +02:00
fifthdegree
e847f159a6 Try to use the smartcard key name Windows uses
Windows expects the containerName field in TSSmartCardCreds to be what
it would use for a smartcard key's name. Try to accomodate that (at
least for PIV and GIDS cards).
2022-10-19 18:55:38 +02:00