Commit Graph

131 Commits

Author SHA1 Message Date
Marc-André Moreau
eddfee56a3 libfreerdp-core: prepare client-side NLA for event-driven structure 2015-02-15 14:54:10 -05:00
David FORT
6a8d21cab9 Fix server-side protocol negociation
Before this patch, RDP security was (wrongly) the fallback when negociating a
security protocol between the client and the server. For example when a client
was claiming TLS-only when connecting to a FreeRDP based-server with RDP security only,
the result of the negociation was that the server started to do RDP security.
The expected behaviour is to send a nego failure packet with error code
SSL_NOT_ALLOWED_BY_SERVER. This patch fixes this.

We also try to handle all cases of failed negociation and return the corresponding
error code.
2015-02-11 21:38:32 +01:00
Marc-André Moreau
e0b0c77ecb libfreerdp-core: improve http parsing 2015-02-02 17:16:32 -05:00
Marc-André Moreau
e4f99834d0 libfreerdp-core: make tsg threadless 2015-02-02 11:50:56 -05:00
Norbert Federa
344362a8a3 clients: fix "focus in event" issues
The input->FocusInEvent callback implementations (normal and fast-path) have
always sent the mouse position even if the pointer was outside of the freerdp
client area. In addition xfreerdp used the wrong pointer coordinates which
were relative to the root window instead of its own.
On focus-in the pointer position must only be sent if the pointer is
currently within the program's client area. However, the clients had no way
to pass that information to input->FocusInEvent which required an API change.

- removed mouse pointer x, y parameters from input interface's FocusInEvent
- clients are responsible to call input->MouseEvent on focus-in if necessary
- fixed xfreerdp and wfreerdp accordingly
2015-01-16 18:40:57 +01:00
Armin Novak
b3eafca85b Fixed return type for nego_transport_connect and nego_transport_disconnect. 2015-01-14 11:35:19 +01:00
Armin Novak
e0139fc4d8 Added nego_disconnect. 2015-01-12 13:44:04 +01:00
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receices this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method confirms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Comliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00
Bernhard Miklautz
7b413fb951 nego: print message when bypassing gateway
When "detect" is used as gateway usage method (which is the default)
it is tried to by-pass gateway connection for local hosts.
The detection might take some time therefore print a message that people
are aware that a detection is tried.

Fixes #2171
2014-12-08 19:00:05 +01:00
Marc-André Moreau
72fff184dd libfreerdp-core: fix RemoteFX/autodetect incompatibility issue with 2008 R2 2014-09-24 17:23:12 -04:00
Marc-André Moreau
d102e746c8 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP
Conflicts:
	libfreerdp/core/license.c
	libfreerdp/core/nego.c
	winpr/libwinpr/synch/wait.c
2014-09-19 14:38:25 -04:00
Mike McDonald
ad8268d059 Minor fix to server side RDP security negotiation. 2014-09-18 19:44:52 -04:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Marc-André Moreau
168d46f253 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP
Conflicts:
	libfreerdp/core/nego.c
	libfreerdp/core/peer.c
	winpr/libwinpr/synch/wait.c
2014-08-15 11:43:50 -04:00
Mike McDonald
5906efc5f7 Fixed a FreeRDP server problem which prevented RDP security from being negotiated. 2014-08-13 11:01:43 -04:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Bernhard Miklautz
a124f6a7c6 fix comment style
// to /* */
2014-07-29 05:22:30 +02:00
Bernhard Miklautz
a9eed46e38 Fix warnings found in Xcode 2014-07-29 05:22:30 +02:00
Bernhard Miklautz
47dd22ba87 transport refactor
rename transport_read to transport_read_pdu. This name is more
descriptive what the function actually does.
2014-07-24 16:34:59 +02:00
Marc-André Moreau
709df9aecc libfreerdp-core: add connection timeout, fix gateway bypass local 2014-05-30 14:03:20 -04:00
caramorsimon
8e77192ed8 Test for RoutingTokenLength before checking against termination chars 2014-05-18 21:32:26 +01:00
caramorsimon
a561e246e8 Test for CRLF (0x0D0A) termination on the routing token before trying to add it again 2014-05-16 16:19:22 +01:00
Hardening
4366a2219a Honor bypass local gateway setting
This patch make the bypass local gateway setting works
2014-04-19 23:31:12 +02:00
Hardening
2089eaf0d2 Fix connection when no cookie is given
This patch corrects a regression introduced in 2edd8bee12
2014-04-16 17:04:49 +02:00
Hardening
2edd8bee12 Misc fixes to check OOM 2014-04-10 21:10:19 +02:00
Norbert Federa
18cb418c81 core: FIPS for fastpath and RDP security fixes
- fixed invalid stream position if extEncryptionMethods is not used
- enabled 56bit rdp security method
- fixed entropy reduction of the keys for 40 bit and 56 bit
- added rdp security incl. FIPS for fastpath output
- added FIPS encryption to fast path input
- fixed FIPS key generation in server mode
- fixed stream length correction in FIPS mode
- added rdp encryption for licensing packets (apparently some clients,
  specifically cetsc, require the license packets received from the
  server to be encrypted under certain RDP encryption levels)
- replace errnous virtual extended mouse event in focus in event
2014-04-02 14:17:39 +02:00
Hardening
ac7507ab8d Adds some check to treat OOM problems + RDP security fix
Malloc can fail so it will, this patch adds some check in some places
where malloc/strdup results were not checked.

This patch also contains a server side fix for RDP security (credit to nfedera).
The signature len was badly set in the GCC packet. And some other RDP security
oriented fixes are also there.
2014-03-25 23:13:08 +01:00
Marc-André Moreau
4c920506ed libfreerdp-core: add 'Bypass RD Gateway server for local addresses' feature 2014-03-24 14:44:18 -04:00
Marc-André Moreau
5536033a8a libfreerdp-core: transport refactoring 2013-11-07 17:37:58 -05:00
Marc-André Moreau
a3d0e271b5 freerdp: add restricted admin option 2013-11-06 01:51:55 -05:00
Marc-André Moreau
13b6678977 libfreerdp-core: start untangling session redirection 2013-11-03 16:25:56 -05:00
Marc-André Moreau
76414588b1 libfreerdp-core: fix transport failure case with session redirection 2013-11-01 14:13:09 -04:00
Marc-André Moreau
8c4b1361d1 libfreerdp-core: merge with TSG TLS update 2013-10-28 20:20:18 -04:00
Dan Bungert
a38c3ac794 Debug message fix for DEBUG_NLA 2013-10-28 14:54:00 -06:00
Marc-André Moreau
3951a6e1c3 channels/rdpgfx: implement basic negotiation 2013-10-21 23:33:25 -04:00
Daryl Poe
fee219168a send RDP_NEG_REQ also in the case of a null server certificate
(cherry picked from commit afec6957c4)
2013-09-23 10:03:13 +02:00
Armin Novak
4e0c7d251d Fixed double free. 2013-09-06 11:07:33 +02:00
Armin Novak
e6c3dbde3d Fixed coverity issue 1047612 2013-09-05 12:14:32 +02:00
Armin Novak
2f20a8c12b Fixed various memory leaks and resource deallocation problems. 2013-08-19 17:44:52 +02:00
Marc-André Moreau
202614a1a4 libfreerdp-core: reduce reuse of same pdu buffers 2013-05-15 15:54:33 -04:00
Marc-André Moreau
fc592a1750 libfreerdp-core: replace usage of Stream_GetPointer() by Stream_GetPosition() in potentially unsafe places 2013-05-15 14:42:37 -04:00
Marc-André Moreau
5c37356506 libfreerdp-core: reduce reuse of the same send buffer 2013-05-15 13:17:29 -04:00
Marc-André Moreau
367ebf32a3 freerdp: make use of stream macros to access members 2013-05-15 12:14:26 -04:00
Marc-André Moreau
fd230443c5 freerdp: purge old stream utils 2013-05-08 16:27:21 -04:00
Marc-André Moreau
5b92413843 freerdp: purge deprecated stream utils 2013-05-08 16:09:16 -04:00
Marc-André Moreau
51715636a5 freerdp: remove some deprecated stream utils 2013-04-29 22:35:15 -04:00
Marc-André Moreau
073c6fb983 libfreerdp-core: fix handling of SSL_CERT_NOT_ON_SERVER 2013-04-12 18:03:56 -04:00
Marc-André Moreau
d0e989a549 libfreerdp-core: add support for load balance info 2013-04-11 11:51:10 -04:00
Hardening
7701c9d934 Replace printf(...) by fprintf(stderr, ...) 2013-03-28 23:06:34 +01:00
Marc-André Moreau
a8201b0d1b libwinpr-utils: combine old and new stream utils 2013-03-21 15:19:33 -04:00
Marc-André Moreau
3d77d5a497 freerdp: merging with master 2013-01-14 13:50:16 -05:00
rdp.effort
81c0e99ceb Misc fixes and result checks 2013-01-13 23:37:50 +01:00
rdp.effort
4d90284657 Renamed CODEC_ID_NONE to RDP_CODEC_ID_NONE as it is already defined in
avcodecs.h
Fixed a warning in schannel_openssl.c
Added checks for: input, mcs, tpdu, certificate, license
2013-01-12 14:49:01 +01:00
Marc-André Moreau
0fbf846671 libwinpr-sspi: NTLM extended protection cleanup 2013-01-10 11:19:57 -05:00
Marc-André Moreau
811ff44720 libfreerdp-core: change ReceiveCallback return values 2013-01-06 17:24:08 -05:00
Marc-André Moreau
dcf6c17e03 libfreerdp-core: transport cleanup 2012-12-21 15:49:02 -05:00
Marc-André Moreau
d19e2042c3 libfreerdp-utils: remove deprecrated unicode utils in favor of WinPR 2012-12-17 10:20:25 -05:00
Marc-André Moreau
d3e0537d0d libfreerdp-core: more TSG memory cleanup 2012-12-12 00:49:15 -05:00
Marc-André Moreau
8aa1143cc6 libfreerdp-core: work around PDU corruption issue with TSG, still experience locking 2012-12-11 17:24:52 -05:00
Marc-André Moreau
8a32de3801 libfreerdp: purged source tree from deprecated memory utils 2012-11-21 21:22:06 -05:00
Marc-André Moreau
98dcdcfb8f libfreerdp-core: transport refactoring to split in/out channels 2012-11-14 20:46:51 -05:00
Marc-André Moreau
a3d3c3bc19 libfreerdp-core: TSG experiments 2012-11-13 11:06:33 -05:00
Marc-André Moreau
410b7ab867 libfreerdp-core: rdpSettings refactoring (part 4) 2012-11-07 23:29:24 -05:00
Marc-André Moreau
8544716104 libfreerdp-core: rdpSettings refactoring (part 3) 2012-11-07 18:23:33 -05:00
Marc-André Moreau
6427c9dd90 libfreerdp-core: rdpSettings refactoring (part 2) 2012-11-07 15:13:14 -05:00
Marc-André Moreau
1a2839a165 libfreerdp-core: rdpSettings refactoring (part 1) 2012-11-07 11:02:46 -05:00
Marc-André Moreau
bd6861cd00 libfreerdp-core: added protocol security negotiation for PROTOCOL_HYBRID_EX, added registry keys to configure cookie length 2012-10-31 20:38:48 -04:00
Marc-André Moreau
67c24dc81d wfreerdp: add support for .rdp files 2012-10-28 12:12:36 -04:00
Marc-André Moreau
37b6f9dd8e libfreerdp-core: improve options for connection cookie 2012-10-25 18:38:51 -04:00
Marc-André Moreau
9d064171a7 freerdp: get rid of old types 2012-10-09 03:26:39 -04:00
Marc-André Moreau
1bf8a45519 freerdp: change uint8, sint8, uint16, sint16 to BYTE, INT8, UINT16, INT16 2012-10-09 03:01:37 -04:00
Marc-André Moreau
1ed644786c freerdp: change boolean type to BOOL type 2012-10-09 02:38:39 -04:00
Marc-André Moreau
5612bc43f8 freerdp: change true/false to TRUE/FALSE 2012-10-09 02:31:28 -04:00
Marc-André Moreau
9909a12af5 libfreerdp-utils: get rid of xmalloc, xrealloc and xfree 2012-10-08 23:21:26 -04:00
Marc-André Moreau
e60a092d81 freerdp: fix headers 2012-10-08 23:02:04 -04:00
Marc-André Moreau
6dcc8e73ee libfreerdp-utils: get rid of rdpBlob 2012-09-24 04:40:32 -04:00
Marc-André Moreau
d0ac31b2c1 libfreerdp-utils: get rid of freerdp_uniconv_out 2012-09-23 19:49:13 -04:00
Marc-André Moreau
44f18159c4 libfreerdp-utils: get rid of UNICONV unicode conversion context 2012-09-23 18:41:07 -04:00
Marc-André Moreau
1e2d7599d9 libfreerdp-core: minor TSG code style cleanup 2012-09-08 17:49:37 -04:00
Marc-André Moreau
d5d1eb7762 libfreerdp: add proper config.h inclusions 2012-08-14 17:09:01 -04:00
Marc-André Moreau
19028a27b0 libfreerdp: move all libraries to libfreerdp directory, one step closer to monolithic build option 2012-08-13 23:19:51 -04:00