Windows expects the containerName field in TSSmartCardCreds to be what
it would use for a smartcard key's name. Try to accomodate that (at
least for PIV and GIDS cards).
This PR fixes following issues with server-side NLA authentication:
- The client nonce should only be sent by the client
- The final stage in the nego token exchange checked the negoToken
buffer for data. Instead the corresponding credssp API is now used
which checks the correct buffer (output_buffer).
- The negoToken buffer needs to be cleared before sending the public key
echo. In some cases the buffer was not empty and incorrectly was part
of the response to the client.
When smartcard emulation was enabled we were dumping the key and cert to
temporary files for PKINIT call, but they were deleted before we have
actually done the PKINIT. This patch fixes it.
It also add debug statement for the listing of smartcard keys / certs.
This also fixes the listing of smartcard on certain windows configurations
were we have to force NCRYPT_SILENT when doing a NCryptOpenKey.
* Ensure negoToken is cleaned up in nla_free
* Renamed function credssp_auth_take_input_buffer now invalidates
input buffer an takes ownership of that buffer
* Fixed format strings to match arguments
Reviewed and replaced all %d specifiers to match proper type
* Added proxy dynamic channel command type to log messages.
* add support for 64-bit big-endian encoding
* kerberos: drop reliance on gssapi and add user 2 user support
* Fix local variable declared in the middle of the function body
* kerberos: add ccache server option
Co-authored-by: fifthdegree <fifthdegree@protonmail.com>
Co-authored-by: David Fort <contact@hardening-consulting.com>
* core: correctly handle console mode server-side
In server-side we were not interpreting redirected session flag to compute a
console mode flag. In the proxy that was leading client connecting with /admin to front
to not connect with /admin on the back server.
* nla: fix the printinng of the package name
* Fixed remdesk settings pointer
* Fixed sign warnings in display_write_monitor_layout_pdu
* Use freerdp_abort_connect_context and freerdp_shall_disconnect_context
* Added and updates settings
* info assert/dynamic timezone
* mcs assert/log/flags
* Fixed and added assertions for wStream
* Unified stream length checks
* Added new function to check for lenght and log
* Replace all usages with this new function
* Cleaned up PER, added parser logging
* Cleaned up BER, added parser logging
* log messages
* Modified Stream_CheckAndLogRequiredLengthEx
* Allow custom format and options
* Add Stream_CheckAndLogRequiredLengthExVa for prepared va_list
* Improved Stream_CheckAndLogRequiredLength
* Now have log level adjustable
* Added function equivalents for existing logger
* Added a backtrace in case of a failure is detected
* Fixed public API input checks
* Early return authenticate if TLS smartcard logon
* Removed obsolete SmartcardPin and unified AuthenticateEx calls
* Remove password-is-pin from command line
The setting is implied by smartcard-logon and only of interest in
server side code, so the setting is useless
* Rework AUTH_SMARTCARD_PIN
Just prompt for PIN and not user/domain if this is requested.
* Fixed a memory leak in nla.c
* Align credentail prompt
* Handle AUTH_NLA & smartcard, just ask for PIN
* Added assertions, removed duplicate password prompt check
* Move smartcard logon after credential prompt
* Fixed SSPI fallback to NTLM
* Fixed wide/ansi mixup
* WITH_GSS fixes
* Move to WinPR as this is not related to FreeRDP
* Add option WITH_GSS_NO_NTLM_FALLBACK to disable NTLM fallback
* Abort NLA if status is SEC_E_NO_CREDENTIALS
* Properly invalidate sspi::SubContext
