Do not touch invalid regions before BeginPaint was called. This fixes
issue #9953 as the sdl client is waiting in BeginPaint for the screen
updates of EndPaint to be actually drawn.
* Add new function winpr_GetTickCount64NS for high resolution tick
count with (up to) nanosecond resolution
* Add new function winpr_GetUnixTimeNS for high resolution system time
as nanoseconds since 1.1.1970
* Replace use of clock_gettime and gettimeofday in whole project with
these new functions
* Add new macros WINPR_TIME_NS_TO_* and WINPR_TIME_NS_REM_* to convert
the nano second count to less resolution or get the remainder in the
desired resolution
Add the wrapper function utils_reload_channels that unifies the channel
cleanup and channel initialization sequence required on connect,
redirect and gateway policy apply
* use dynamic logger in RDG
* honor [MS-TSGU] 2.2.9.2.1.5.2 TSG_REDIRECTION_FLAGS
* honor [MS-TSGU] 2.2.10.16 HTTP_TUNNEL_AUTH_RESPONSE
HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS flag
* add setting GatewayIgnoreRedirectionPolicy to ignore the gateway
policy if desired
add missing log entries for possible failures due to invalid data
received. This allows better debugging if a server sends garbage or the
crypto routines have direct RSA routine access disabled.
It seems like WaitFor[Single|Multiple]Object calls aren't reliable on pipes, especially
on the pipe opened for childSession access. The object can be marked as signaled even if
no data is available, making the connection laggy and unresponsive (nearly unusable in some
cases).
This patch works around that by using ReadFileEx() with overlapped instead of simple
ReadFile() and use asynchronous reads.
freerdp_peer->Disconnect calls BIO_free which then calls close on the
underlying file descriptor.
Then when freerdp_peer_free is called, the file descriptor is closed
again.
This is problematic if the file descriptor is recycled in between:
thread 1: freerdp_peer_new(42);
thread 1: freerdp_peer->Disconnect() closes 42
thread 2: opens a file with fd 42
thread 1: freerdp_peer_free closes 42
thread 2: uses closed file descriptor 42
The ArrayList, HashTable, ... New functions require
void* (*fkt)(const void* ptr) type functions. Provide a generic wrapper
for CHAR and WCHAR strdup to eliminate warnings. Also export a
corresponding free function to avoid issues with runtime
differences.
Sometimes the RPC PDUs have unprocessed data (padding bytes) at their
end. In that case do not fail but just log a warning with the correct
amount of remaining bytes.
RSA-PSS in X.509 is truly horrible, and OpenSSL does not expose very good APIs
to extract this, even though the library does handle it internally. Instead, we
must tediously unwrap RFC 4055's unnecessarily complicated encoding of
RFC 8017's unnecessarily flexible RSA-PSS definition.
This reverts commit 00baf58a71. That
change appears to have been incorrect. It's described as simplying
retrieving the "default signature digest", but it actually changed the
function's behavior entirely. The function wasn't retrieving defaults
previously.
A certificate contains, among other things, a public key and a
signature. The public key is the public key of the subject. However, the
signature was generated by the issuer. That is, if I get a certificate
from a CA, the public key will be my public key and the signature will
be my CA's signature over the certificate contents.
Now, the original code returned the digest used in the certificate's
signature. That is, it tells you which signature algorithm did my *CA*
use to sign my certificate.
The new code extracts the certificate's public key (my public key, not
the CA's). This doesn't necessarily tell you the signature algorithm, so
it then asks OpenSSL what the "default" signature algorithm would it use
with the key. This notion of "default" is ad-hoc and has changed over
time with OpenSSL releases. It doesn't correspond to any particular
protocol semantics. It's not necessarily the signature algorithm of the
certificate.
Now, looking at where this function is used, it's called by
freerdp_certificate_get_signature_alg, which is called by
tls_get_channel_binding to compute the tls-server-end-point channel
binding. That code cites RFC 5929, which discusses picking the hash
algorithm based on the certificate's signatureAlgorithm:
https://www.rfc-editor.org/rfc/rfc5929#section-4.1
That is, the old version of the code was correct and the
"simplification" broke it. Revert this and restore the original version.
I suspect this went unnoticed because, almost all the time, both the old
and new code picked SHA-256 and it was fine. But if the certificate was,
say, signed with SHA-384, the new code would compute the wrong channel
binding.
The RDS AAD Auth PDUs have no packet headers to indicate length.
Instead, these packets are zero-terminated strings. Somehow, Windows
accepts Authentication Request PDUs without a terminating null byte
during regular connections, but not through WVD websocket gateways.
If the peer state machine is in state
CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT properly check for
available data. If a PDU was received in this state it is an out of
sequence PDU (that might happen during deactivation/reactivation) and
must be parsed.
* FreeRDP_WTSVirtualChannelWrite might be called from different threads,
so lock the function execution to keep split packets in order
* unify DVC and SVC channel creation/deletion to avoid duplicate code
The client must handle graphics updates in EndPaint.
If we already reached BeginPaint again reset the invalidated regions
as they are already processed and start anew. Fixes#9672
The previous code was assuming that the host name used for doing AAD was
ServerHostname parameter. But when you connect directly to Azure hosts you most
likely connect by IP and use short name for the AAD host, so you need to be able
to give ServerHostname=<IP of host> and AadServerHostname=<shortname>.
The compiler may complain with a 'implicit conversion changes
signedness' warning. Get rid of these warnings by explicitly
casting the respective values before shifting them.
When connecting to child session(or a VM), we have CredSSP/Nego/ActivationSequence
instead of Nego/CredSSP/ActivationSequence. Before the patch, we were not applying
flags read in the NegoResponse to the settings and that was leading to FreeRDP
thinking that the remote server was not supporting EXTENDED_CLIENT_DATA_SUPPORTED.
That was later preventing some GCC blocks to be sent, and make the server unhappy
and freeze the connection.
* use enum types for settings getter/setter to have compiler check if
keys are valid
* generate enum types from struct at compile time
* CMake option WITH_OPAQUE_SETTINGS to hide rdpStruct implementation
from external projects
The Opus codec is a modern free audio codec, that is also royalty-free.
Adding support for it will allow clients and servers supporting it to
transfer audio in similar efficient way like with AAC.
So, add support it.
Adds support for server-side remote credential guard in NLA. When enabled that allows
the remote user to connect without shipping credentials in TSCred packets. Instead
it will send his TGT encoded with a TGS from the remote server. This way the server
is able to populate that TGT in a local credential cache without knowing the user's
password.
The patch only treats the NLA part and does not contain the associated RDPEAR channel
that allows to have the complete interaction to retrieve new access tokens.
ffmpeg format conversion from int16 to float sometimes produces values
that are NaN or Infinity.
Replace these values as these input values break the AAC encoder
Some virtual channels, like the location channel use encoded types to
lower the bandwidth usage.
Add common helper functions, so that each virtual channel doesn't have
to reimplement the parser functions again and again.
The RDP client sends TSCredentials so that the server can reuse these credentials. This
patch stores these values in the peer's rdpSettings in the corresponding fields.
It handles TSPasswordCreds for user/domain/password connection but also TSSmartCardCreds
when the users has connected with a smartcard.
This fixes an issue with keyboard layout detection reintroduced in #8960
The problem has already been fixed in #6688 but got lost after
refactoring.
The issue is that the layout specifier might be a comma separated list
with country specifiers i.e. `"at,us"` which was not correctly handled.
Under windows you can connect to a child session by requesting a named pipe to
the local server, and then do some RDP on this named pipe.
The protocol is like for /vmconnect with CredSSP, then Nego and then the "normal"
workflow for a connection. For CredSSP we force the usage of NTLM for the Negociate
SSPI, and the credentials are empty.
This patch prepares the reading of the dynamic channel version so that next we
can take in account this to take advantage of advanced features in last versions
(compressions or priorities).
The patch also implement notifying the VCM event when the dynamic channel becomes ready
so that users of FreeRDP can just do calls to WTSVirtualChannelManagerGetDrdynvcState
when the channel event is set (no blind calls).
Treat the case where the publicIpAddress is there but empty.
Don't try RDSTLS if the password has not been been provided.
When RDSTLS is what we will do, disengage all the other security kinds.
the field for delta rectangles/points/... are only transmitted if they
changed from the previous order of the same type. So keep the original
value and update only if a new one is read.
This patch moves the ARM configuration before starting the connection process, so
that we can do some provisioning of the FreeRDP settings with the items retrieved
from Azure.
Most notably that allows us to connect directly using RDSTLS security.
Some windows APIs do put \r\n every 64 characters of the output of a
base64 encoded blob. The extended version of crypto_base64_encode allows
to do the same.
update initial state transitions according to [MS-RDPBCGR]
the diagram is misleading, some of the text below ambigious, but
1.3.1.1 Connection Sequence phase 10 description lists the dependencies
of server initiated messages.
Kai Pastor