Under windows you can connect to a child session by requesting a named pipe to
the local server, and then do some RDP on this named pipe.
The protocol is like for /vmconnect with CredSSP, then Nego and then the "normal"
workflow for a connection. For CredSSP we force the usage of NTLM for the Negociate
SSPI, and the credentials are empty.
All clients can implement their own callbacks for
certificate/credential/smartcard/... but there is a common (default)
implementation for all clients.
with the new setting FreeRDP_UseCommonStdioCallbacks it is now possible
to force these over the client implementation provided ones
This PR creates a new /gateway:type:arm transport.
It depends on CJSON
The arm transport is not a transport by itself but is responsible
for getting the websocket endpoint from a configuration url derived from
the configured gateway host in the rdpw file or cmdline
* factor out most websocket specific code parts into websocket.c
* create wst.c (Websocket Transport) as gateway transport implementation
* introduce GatewayUrl setting that holds the websocket url
* introduce GatewayHttpExtAuthBearer that holds the HTTP Bearer
* GatewayHttpExtAuthBearer can be used by both rdg and wst
The client tries to connect using RDSTLS only when it has received a
server redirection PDU with LB_PASSWORD_IS_ENCRYPTED flag.
The server exposes RDSTLS on negotiation if it has been configured on settings.
Then authenticates a client using configured credentials from settings:
RedirectionGuid, Username, Domain, Password.
* extract the certificate from the redirection PDU
* if there is a certificate provided accept it if it matches the
redirection target certificate without further user checks
* Properly split certificate_store, certificate_data, certificate and
private key functions to files
* Prefix all functions with freerdp_ to have a unique name
* Update certificate store to use one file per host instead of
known_hosts2
* Merge CryptoCert and rdpCertificate
We no longer have a blocking polling loop in transport. Instead assume
there is more data after a packet was processed and let the transport
try again. If there is another packet ready, this repeats until only a
partly received (or no new data available) situation is reached.
* Add new settings for OrderSupportFlags, OrderSupportFlagsEx,
TerminalDescriptor and TextANSICodePage
* Add proper read/write routines for the new settings
* Add proper default values for the new settings
* Add new settings for previously ignored capability options
* Store raw capability data in settings for later use
* Add function to extract settings from raw capability data
* Split capability read/write from client/server logic (e.g. enforce
limits, ...)
This new option /tls-secret-file:<file> allows to dump TLS secrets in a file with
the SSLKEYLOGFILE format. So this way you can setup the TLS dissector of wireshark
(Pre-Master-Secret log filename) and see the traffic in clear in wireshark.
It also add some more PFS ciphers to remove for netmon captures.
* Added tests for freerdp_[static|dynamic]_collection_* functions
* Added settings unit test for clone functions
* Fix argument for winpr_RAND and winpr_RAND_pseudo
Using void* eliminates all assumptions of which type the buffer is.
This eliminates unnecessary warnings.
* Fixed remdesk settings pointer
* Fixed sign warnings in display_write_monitor_layout_pdu
* Use freerdp_abort_connect_context and freerdp_shall_disconnect_context
* Added and updates settings
* info assert/dynamic timezone
* mcs assert/log/flags
* Fixed and added assertions for wStream
* Unified stream length checks
* Added new function to check for lenght and log
* Replace all usages with this new function
* Cleaned up PER, added parser logging
* Cleaned up BER, added parser logging
* log messages
* Modified Stream_CheckAndLogRequiredLengthEx
* Allow custom format and options
* Add Stream_CheckAndLogRequiredLengthExVa for prepared va_list
* Improved Stream_CheckAndLogRequiredLength
* Now have log level adjustable
* Added function equivalents for existing logger
* Added a backtrace in case of a failure is detected
* Fixed public API input checks
* Early return authenticate if TLS smartcard logon
* Removed obsolete SmartcardPin and unified AuthenticateEx calls
* Remove password-is-pin from command line
The setting is implied by smartcard-logon and only of interest in
server side code, so the setting is useless
* Rework AUTH_SMARTCARD_PIN
Just prompt for PIN and not user/domain if this is requested.
* Fixed a memory leak in nla.c
* Align credentail prompt
* Handle AUTH_NLA & smartcard, just ask for PIN
* Added assertions, removed duplicate password prompt check
* Move smartcard logon after credential prompt