* extract the certificate from the redirection PDU
* if there is a certificate provided accept it if it matches the
redirection target certificate without further user checks
most protocol internal caches do not need to be exposed. this reduces
the public API and allows us to more easily improve/change this during a
release cycle
Too often experimental flags had been used without the user noticing
that. As bug reports are hard to analyze without proper information take
this approach and inform about experimental flags in use by logging
these.
Currently smartcard settings were only updated in the WIN32 code path.
This must be done on all platforms to have the correct settings (i.e.
pkinitArgs) correctly applied.
Windows seems to favor using the legacy Crypto API (CAPI) for
enumerating RSA key containers and only relies on the newer CNG APIs for
ECC keys.
This PR adds support for CAPI key container enumeration on Windows.
The PR also fixes an issue where the CSP was always set to the MS Base
Smart Card Provider during NLA authentication.
This PR adds a few changes so that a client is able to change the
authentication/logon type in the Authentication callback. I.e. if the
client was started without user/domain the authentication callback is
now able to activate smart card logon by setting the SmartcardLogon
setting along with csp/container/reader name.
Currently if the authentication callback returns `FALSE` the utils
function handle this as scenario as no credentials provided (returns
`AUTH_NO_CREDENTIALS)`.
This PR introduces a new `auth_status` called `AUTH_CANCELLED` that is
returned if the authentication callback returns `FALSE`. If the callback
returns `TRUE` and username or password are empty the util function will
continue to return `AUTH_NO_CREDENTIALS`.
THe PR also fixes some incorrect returns in RPC over HTTP gateway code.
* Properly split certificate_store, certificate_data, certificate and
private key functions to files
* Prefix all functions with freerdp_ to have a unique name
* Update certificate store to use one file per host instead of
known_hosts2
* Merge CryptoCert and rdpCertificate
Currently the proxy's TLS fallback if an NLA connection attempt failed
is broken. There are two issues with the current code that this PR
fixes:
- freerdp_reconnect is used which requires an already established
connection to work correctly. This is not the case since the NLA
connectin attempt failed. This resulted in a seemingly working TLS
connection but i.e. channels where missing/not working.
- The fallback connection attempt just altered the NLA security setting
in the instance's settings. However these settings have been already
modified by the NLA connection attempt so we need to create a copy of
the original connection settings before doing the first connect.
The PR also introduces freerdp_reset_context which restores the initial
connection settings for the given instance.
* Remove duplications in rdpRsaKey, reuse rdpCertificate for public
components
* Move all private key and certificate code to certificate.c,
remove the tssk_* variables from gcc
* Handle update of client and server random keys in wrapping functions
* Simplify gcc_write_server_security_data, use certificate.c functions
to write the certificate data
* Refactor security_establish_keys, use the random values stored in
settings directly
The TPKT header length does not match the [MS-RDPBCGR] 2.2.1.11.1.1
Info Packet (TS_INFO_PACKET) and 2.2.1.11.1.1.1 Extended Info Packet
(TS_EXTENDED_INFO_PACKET) length. print a warning and consume the rest
of the data.
now rdp_write_extended_info_packet only adds the
cbDynamicDSTTimeZoneKeyName, dynamicDSTTimeZoneKeyName and
dynamicDaylightTimeDisabled fields if both, client and server support
the dynamic timezone settings.
__LINE__ is not particularily well defined (most fall back to int).
We want to ensure that all the uses in a format string match the format
specifier, so do an explicit cast
REDIRECTION_VERSION6 breaks redirection for currently unknown reasons.
Revert to the last known good version until we receive an update on
documentation for the redirection handling
* Added missing definitions for RNS_UD_CS_SUPPORT_SKIP_CHANNELJOIN
and RNS_UD_SC_SKIP_CHANNELJOIN_SUPPORTED flags
* Updated stringification functions for these flags
* Implemented client and server EarlyCapabilityFlags filter for
these flags as FreeRDP currently does not implement them.
When using Enhanced RAIL the HandshakeEx flag must also be set. However
in the current code it was always overwritten by the server flags (which
might lack the flag).
The length had more bytes than the RDP_SERVER_REDIRECTION_PACKET
structure because it was counting bytes before the struct.
Using a start variable from the beginnig of sending the structure fixes
it.
When a FreeRDP-based server tried to open a DVC, but the client answered
the DVC create request with a negative CreationStatus in the DVC create
response PDU, the server can then assume that no actual PDUs can be
received for that channel.
However, as long as the channel handle exists, FreeRDP happily forwards
any potential PDU for that handle disregarding the CreationStatus.
This is problematic, since the channel handling usually runs in its own
thread and as a result, the channel may not be destructed yet, when
receiving such stray PDU.
The PDU may be processed, even though it is not expected to be.
A situation, where this becomes problematic is the AUDIO_PLAYBACK_DVC
channel.
It may be the case, that the client answered the DVC create request
with a negative result, the server may try to close the handle and open
the static channel (RDPSND) instead, but before the server can close the
channel handle, the client actually sends PDUs regarding the format
negotiation.
In this case, the server may unintentionally already set things up,
which was not desired (the DVC is about to be closed anyway).
While this specific situation is hypothetical, since it would depend on
a malicious client, it is still possible to happen, especially since the
server implementation does not invoke the format negotiation, but
FreeRDP does it automatically, as soon as the DVC create request is
sent.
Fix this issue by discarding any data PDUs (DYNVC_DATA_FIRST and
DYNVC_DATA) of channels, that were not opened successfully.
With all calls when WTSVirtualChannelQuery returns FALSE that means that
no ppBuffer was allocated, that was not the case with class=WTSVirtualChannelReady.
Most callers were not aware of that, leading to leaks for example when the channel is
not available client-side, the patch changes that so that you have to call call WTSFreeMemory
only if WTSVirtualChannelQuery returned TRUE.
In case alternate shell was set to an empty string ("") the old code
would try to convert it to a WChar string. This resulted in a NULL
pointer being returned by `ConvertUtf8ToWCharAlloc` that was interpreted
as an error and the connection failed.
* Removed comments with invalid assumptions
* Added arguments to rdp_read_info_null_string to indicate if the string
is expected to be '\0' terminated and what is actually read for error
logs
Multi-transport flags must be merged between local and remote so that on both sides
we know the shared parameters. Also this patch sends multi-transport GCC block when
multi-transport is enabled.
We no longer have a blocking polling loop in transport. Instead assume
there is more data after a packet was processed and let the transport
try again. If there is another packet ready, this repeats until only a
partly received (or no new data available) situation is reached.
To have more fine granied control add a new callback.
Now you have the following callback pairs:
* PreConnect <--> PostFinalDisconnect
* PostConnect <--> PostDisconnect
[MS-RDPEGDI] 3.1.9.1.3 Chroma Subsampling and Super-Sampling is a
compression technique that blurs fonts. Disable this to have a cleaner
image for /bpp:32 connections
Some RDP servers start sending graphics updates too early for us to
process. This triggered a bug that at that point the EndPaint callback
is not available, as the connection is not fully established.
When some channels are filtered, some misalignement of channel ids could happen.
This patch keeps track of the back and front channel ids to correctly identify a
channel and send packets with the correct channel id.
Without the patch, we parse more packets and the calling code doesn't have the
opportunity to invoke PostConnect callback (make the connection not work in the proxy)
* Use new ConvertUtf8ToWChar, ConvertUtf8NToWChar,
ConvertUtf8ToWCharAlloc and ConvertUtf8NToWCharAlloc
* Use new ConvertWCharToUtf8, ConvertWCharNToUtf8,
ConvertWCharToUtf8Alloc and ConvertWCharNToUtf8Alloc
* Use new Stream UTF16 to/from UTF8 read/write functions
* Use new settings UTF16 to/from UTF8 read/write functions
RDP security is rarely used nowadays, but there have been reports about
situations where the encryption key is missing.
Add this check to properly terminate the connection in case of such an
unexpected event.
In nla_decode_ts_request the input stream position was not advanced.
This lead to issues when testing proper input data processing in the
client receive state callback
This PR fixes an issue where user credentials were lost when connecting
to a farm that redirects the client.
During a redirect the connection settings were overriden by the settings
stored in `rdp->originalSettings`. However these settings miss any
credentials the user provides during the connection phase, thus causing
another authentication prompt to appear.
With the latest client changes the internal event loop requires a handle
to wait on. Add a new function to (re)set the newly added transport event handle.
Autodetect packets can be transported either in TCP TPKT packets or be contained
in multi-transport subheaders (transported on UDP). These changes do the appropriate
modifications so that in further developments we can take the transport type in account
when treating / writing these packets.
list_provider_keys() returns a Boolean, true == success. But
smartcard_hw_enumerateCerts() expects the return value on success to
be ERROR_SUCCESS == 0, and so inverts success/failure.
Up to this commit the client and server state machine handling used
different return values for state machine changes.
This is fixed with this commit:
* Use common enum return values
* Use common helper functions
It seems MS RDG 2016+ does not send a http status code if
something with the request or configuration is not ok. It is worth
retrying with rpc in that case
When transitioning from CONNECTION_STATE_FINALIZATION_FONT_LIST to
CONNECTION_STATE_ACTIVE we must return a value > 0 so that the
state machine can properly initialize the new state.
The demand active state might be called when receiving data from the
client during initial connection phase or might be triggered server
side after sending a deactivate all pdu
The old code was looping with blindly checking for transport events, and then
sleep for 100 ms. It was doing that until the connection is established or
the timeout expired.
The new version polls the transport's events, potentially not having many 100 ms
waits.
* Add new settings for OrderSupportFlags, OrderSupportFlagsEx,
TerminalDescriptor and TextANSICodePage
* Add proper read/write routines for the new settings
* Add proper default values for the new settings
* Add new settings for previously ignored capability options
* Store raw capability data in settings for later use
* Add function to extract settings from raw capability data
* Split capability read/write from client/server logic (e.g. enforce
limits, ...)
Gateway code was passing a char string as the package name to
`credssp_auth_init`. When using Unicode builds this fails since
`QuerySecurityPackageInfo` expects a wchar string.
Additionally with unicode builds, `credssp_auth_pkg_name` causes string
type mismatches in the gateway code where a char string is expected.
Windows expects the containerName field in TSSmartCardCreds to be what
it would use for a smartcard key's name. Try to accomodate that (at
least for PIV and GIDS cards).
This commit fixes various bugs that I've noticed on some windows systems with
smartcards that contains multiple certificates:
* With some drivers if you retrieve the ATR while enumerating the NCrypt keys, it seems to
confuse the NCrypt key context (and you're unable to retrieve certificate property). As
we don't use the ATR, let's remove the ATR retrieval.
* if don't give any user or domain on the command line, in settings you get User=Domain=NULL,
but if you pass /u:user, you get User="user" and Domain = ""(empty string not NULL). The
smartcard filtering by user/domain was not ready for that.
This PR fixes following issues with server-side NLA authentication:
- The client nonce should only be sent by the client
- The final stage in the nego token exchange checked the negoToken
buffer for data. Instead the corresponding credssp API is now used
which checks the correct buffer (output_buffer).
- The negoToken buffer needs to be cleared before sending the public key
echo. In some cases the buffer was not empty and incorrectly was part
of the response to the client.
When smartcard emulation was enabled we were dumping the key and cert to
temporary files for PKINIT call, but they were deleted before we have
actually done the PKINIT. This patch fixes it.
It also add debug statement for the listing of smartcard keys / certs.
This also fixes the listing of smartcard on certain windows configurations
were we have to force NCRYPT_SILENT when doing a NCryptOpenKey.
* New defines for 10.8, 10.9, 10.10, 10.11 protocol versions
* New function returning a string representation of the protocol version
* Use 10.11 by default now
* Ensure negoToken is cleaned up in nla_free
* Renamed function credssp_auth_take_input_buffer now invalidates
input buffer an takes ownership of that buffer
When no CSP is provided, we were listing smartcard materials by querying the
MS_SCARD_PROV_A CSP, unfortunately on some windows hosts, the smartcards aren't
listed in that CSP. So this patch does the key listing by browsing all CSPs
instead of just a default one. You can still force a CSP and you'll get keys only
from this one.
This patch also address cases where the certificate on the smartcard doesn't
have a UPN attribute, if that happen we try to get a UPN from the email address.
* Fixed format strings to match arguments
Reviewed and replaced all %d specifiers to match proper type
* Added proxy dynamic channel command type to log messages.
* add support for 64-bit big-endian encoding
* kerberos: drop reliance on gssapi and add user 2 user support
* Fix local variable declared in the middle of the function body
* kerberos: add ccache server option
Co-authored-by: fifthdegree <fifthdegree@protonmail.com>
Co-authored-by: David Fort <contact@hardening-consulting.com>
This new option /tls-secret-file:<file> allows to dump TLS secrets in a file with
the SSLKEYLOGFILE format. So this way you can setup the TLS dissector of wireshark
(Pre-Master-Secret log filename) and see the traffic in clear in wireshark.
It also add some more PFS ciphers to remove for netmon captures.
* winpr: add lock operation on HashTables
* drdynvc: change the listeners array for a hashtable and other micro cleanups
* logonInfo: drop warning that is shown at every connection
Let's avoid this log, we can't do anything if at Microsoft they don't respect
their own specs.
* rdpei: fix terminate of rdpei
* drdynvc: implement the channel list with a hashtable by channelId
According to the RFC the websocket key in the request header should be
base-64 encoded:
The request MUST include a header field with the name |Sec-WebSocket-Key|. The value of this header field MUST be a nonce consisting of a randomly selected 16-byte value that has been base64-encoded (see Section 4 of [RFC4648]). The nonce MUST be selected randomly for each connection.
If we just send a random key this might cause problems with
gateways/proxies that try to decode the key, resulting in an error (i.e.
HAProxy returns 400 Bad Request).
Microsoft Windows imposes strict filename restrictions on its platform.
As RDP is developed by Microsoft and the RDS in MS Windows is typically
used as remote desktop server for the RDP protocol, these filename
restrictions are also enforced in WinPR, when copy-pasting files over
the clipboard.
However, in some connections no peer on MS Windows is involved and in
these situations, these filename restrictions are just an annoyance.
With a recent API addition in WinPR, it is now possible to override the
callback, where the filename is checked, whether it is valid.
So, use this new API to relieve the filename restriction, when the
connected remote desktop server is not on MS Windows.
