Commit Graph

237 Commits

Author SHA1 Message Date
Armin Novak
f8e8764ea8 [core,settings] unify identity from settings 2023-04-11 11:37:09 +02:00
Armin Novak
9b498efa79 [core,nla] unify identity creation 2023-04-11 11:37:09 +02:00
Armin Novak
e2f85fc329 [core,nla] ensure the identity is created with unicode 2023-04-11 11:37:09 +02:00
Armin Novak
13c025e04c [winpr,sspi] remove sspi_SetAuthIdentityWithUnicodePassword
the function is useless as we always use the SetAuthIdentityW API now
2023-04-11 11:37:09 +02:00
Martin Fleisz
ecc29d00c0 core: Allow NULL identity for NLA authentication
During the recent changes the possiblity to perform NLA auth using the
current identity was removed.

In case we receive AUTH_NO_CREDENTIALS with NLA we should resume using a
NULL-identity and not abort the connection.
2023-03-13 10:59:57 +01:00
Joan Torres
689bf6daab [core,nla]: Fix using password from redirection
If a client reconnects on redirection process and uses NLA authentication,
the client was using the old password because it wasn't setting
usePassword to false.

With this commit the client will use the new password.
2023-03-08 08:36:42 +01:00
Marc-André Moreau
3a8dce07ea expose last NLA/CredSSP SSPI error code (freerdp_get_nla_sspi_error) 2023-02-24 13:19:19 -05:00
Martin Fleisz
892e58d969 core: Update smartcard settings on all platforms
Currently smartcard settings were only updated in the WIN32 code path.
This must be done on all platforms to have the correct settings (i.e.
pkinitArgs) correctly applied.
2023-02-23 14:25:44 +01:00
Martin Fleisz
09b2096cf2 core: Add CAPI support for enumerating smart card key containers
Windows seems to favor using the legacy Crypto API (CAPI) for
enumerating RSA key containers and only relies on the newer CNG APIs for
ECC keys.

This PR adds support for CAPI key container enumeration on Windows.

The PR also fixes an issue where the CSP was always set to the MS Base
Smart Card Provider during NLA authentication.
2023-02-22 17:10:47 +01:00
Martin Fleisz
6f639686cf core: Allow change to smart card logon in Authentication callbacks
This PR adds a few changes so that a client is able to change the
authentication/logon type in the Authentication callback. I.e. if the
client was started without user/domain the authentication callback is
now able to activate smart card logon by setting the SmartcardLogon
setting along with csp/container/reader name.
2023-02-22 11:45:32 +01:00
Martin Fleisz
1f903f80a5 core: Add possibility to distinguish between auth cancelled and no creds
Currently if the authentication callback returns `FALSE` the utils
function handle this as scenario as no credentials provided (returns
`AUTH_NO_CREDENTIALS)`.

This PR introduces a new `auth_status` called `AUTH_CANCELLED` that is
returned if the authentication callback returns `FALSE`. If the callback
returns `TRUE` and username or password are empty the util function will
continue to return `AUTH_NO_CREDENTIALS`.

THe PR also fixes some incorrect returns in RPC over HTTP gateway code.
2023-02-14 08:43:23 +01:00
akallabeth
818267bc80 [core] fixed missing BYTE to WCHAR casts 2023-02-01 09:51:54 +01:00
akallabeth
22f3bf6f78 [core,nla] initialize stack variables 2023-01-27 10:07:01 +01:00
akallabeth
f5d759c979 [core,nla] unify SecBuffer to ASN1 string
use a helper function to convert the buffer to a ASN1 string
2023-01-27 10:07:01 +01:00
akallabeth
c604801a67 [core,nla] simplify server side authentication
* Single point fo function return
* Clear all buffers after authentication
2023-01-27 10:07:01 +01:00
akallabeth
ca3cd8b7ec [core,nla] fix a memory leak in server nla
Clear destination SecBuffer before calling credssp_auth_decrypt or
credssp_auth_encrypt
2023-01-27 10:07:01 +01:00
Armin Novak
dd0d130f48 [crypto] make tls.h a private header
no need to uselessly export symbols that are not usable outside the
project
2023-01-14 08:50:26 +01:00
akallabeth
37ab25e19d Fixed all Wdocumentation warnings 2022-12-12 14:24:55 +01:00
akallabeth
0186a9b303 Fixed some warnings 2022-12-09 15:58:26 +01:00
akallabeth
7e1065a9b9 Fixed Wshadow warnings 2022-12-09 15:58:26 +01:00
akallabeth
5799fb2018 Replace ConvertFromUnicode and ConvertToUnicode
* Use new ConvertUtf8ToWChar, ConvertUtf8NToWChar,
  ConvertUtf8ToWCharAlloc and ConvertUtf8NToWCharAlloc
* Use new ConvertWCharToUtf8, ConvertWCharNToUtf8,
  ConvertWCharToUtf8Alloc and ConvertWCharNToUtf8Alloc
* Use new Stream UTF16 to/from UTF8 read/write functions
* Use new settings UTF16 to/from UTF8 read/write functions
2022-11-28 10:42:36 +01:00
akallabeth
4284d67088 [core,state] fix state transitions, added logging 2022-11-22 15:30:31 +01:00
akallabeth
9dcf2c7e39 [nla] Advance input stream position
In nla_decode_ts_request the input stream position was not advanced.
This lead to issues when testing proper input data processing in the
client receive state callback
2022-11-22 15:30:31 +01:00
Armin Novak
b56b09840a Fixed -Wshadow 2022-11-21 10:12:31 +01:00
Armin Novak
31c1700c0c Fixed -Wunused-variable 2022-11-21 10:12:31 +01:00
Armin Novak
f1ae9be54d Fixed nla error code to string conversion 2022-10-27 10:37:23 +02:00
fifthdegree
eb04eb0008 Support using smartcard for gateway authentication 2022-10-19 18:55:38 +02:00
fifthdegree
e847f159a6 Try to use the smartcard key name Windows uses
Windows expects the containerName field in TSSmartCardCreds to be what
it would use for a smartcard key's name. Try to accomodate that (at
least for PIV and GIDS cards).
2022-10-19 18:55:38 +02:00
fifthdegree
9d0beaccae smartcardlogon: choose a single smartcard to use
Require a single smartcard certificate to be chosen and define a
callback to choose when more than one is available.
2022-10-19 18:55:38 +02:00
Marc-André Moreau
e3594c91dc Add UserSpecifiedServerName setting, /server-name command-line parameter 2022-10-14 17:59:57 -04:00
Martin Fleisz
4bc74392c2 nla: Fix some issues with server-side NLA authentication
This PR fixes following issues with server-side NLA authentication:

- The client nonce should only be sent by the client
- The final stage in the nego token exchange checked the negoToken
  buffer for data. Instead the corresponding credssp API is now used
  which checks the correct buffer (output_buffer).
- The negoToken buffer needs to be cleared before sending the public key
  echo. In some cases the buffer was not empty and incorrectly was part
  of the response to the client.
2022-10-13 17:16:07 +02:00
David Fort
f76c14c256 fix smartcard logon with smartcard emulation
When smartcard emulation was enabled we were dumping the key and cert to
temporary files for PKINIT call, but they were deleted before we have
actually done the PKINIT. This patch fixes it.

It also add debug statement for the listing of smartcard keys / certs.

This also fixes the listing of smartcard on certain windows configurations
were we have to force NCRYPT_SILENT when doing a NCryptOpenKey.
2022-10-13 12:03:58 +02:00
David Fort
467816a7a5 nla: fix unicode and non unicode build 2022-10-10 09:01:04 +02:00
David Fort
f486fb1e92 fixes for NLA under win32 2022-10-10 09:01:04 +02:00
akallabeth
7dde39de9d Fixed ownership of negoToken
* Ensure negoToken is cleaned up in nla_free
* Renamed function credssp_auth_take_input_buffer now invalidates
  input buffer an takes ownership of that buffer
2022-10-09 21:34:26 +02:00
akallabeth
54a1e4ea7e Fixed invalid return values 2022-10-07 11:04:04 +02:00
fifthdegree
2de7a4c249 Support spnego authentication for gateway
* Consolidate authentication support functions into auth.c
* Change authentication flow in gateway to be non-ntlm specific
2022-10-06 21:33:01 +02:00
Marc-André Moreau
479e891545 check return values for SetCredentialsAttributes, throw warnings for unsupported attributes 2022-09-30 19:33:12 +02:00
Marc-André Moreau
fddb0dac75 add missing OOM checks 2022-09-30 19:33:12 +02:00
Marc-André Moreau
eadbb15741 run clang-format 2022-09-30 19:33:12 +02:00
Marc-André Moreau
80a1fc6a98 add SetCredentialsAttributes SSPI function 2022-09-30 19:33:12 +02:00
Marc-André Moreau
23f66f3987 add KDC URL to internal SSPI Kerberos settings 2022-09-30 19:33:12 +02:00
akallabeth
1849632c43
Fixed format strings to match arguments (#8254)
* Fixed format strings to match arguments

Reviewed and replaced all %d specifiers to match proper type

* Added proxy dynamic channel command type to log messages.
2022-09-29 14:55:27 +02:00
akallabeth
f8159cc18a
Fixed memory leak in nla_send (#8193) 2022-09-12 10:54:29 +02:00
fifthdegree
7901a26a16
Kerberos User 2 User support (#8070)
* add support for 64-bit big-endian encoding

* kerberos: drop reliance on gssapi and add user 2 user support

* Fix local variable declared in the middle of the function body

* kerberos: add ccache server option

Co-authored-by: fifthdegree <fifthdegree@protonmail.com>
Co-authored-by: David Fort <contact@hardening-consulting.com>
2022-08-17 12:25:26 +02:00
fifthdegree
5f3bc5842a nla: use winpr asn1 library 2022-07-26 09:38:53 +02:00
Martin Fleisz
e58d53188a core: Fix broken string handling for custom sspi module loading 2022-07-21 15:59:43 +02:00
fifthdegree
e66b99f8dc deprecate old hash callback field 2022-06-21 10:27:17 +02:00
fifthdegree
6d3aa52496 set SAM file and hash callback on credential rather than context 2022-06-21 10:27:17 +02:00
fifthdegree
eeece1a027 server-side kerberos (and some fixes) 2022-06-21 10:27:17 +02:00