Commit Graph

36 Commits

Author SHA1 Message Date
Armin Novak
b2c29158be Scanbuild warning, argument checks and leak fixes.
* Added Stream_GetRemainingCapacity to check remaining stream size
  before writes.
* Fixed shadow server memory leak.
* Fixed lots of scanbuild warnings
* Added missing argument checks in many functions
* Added missing static function declarations
2017-03-02 18:13:43 +01:00
Norbert Federa
f71b6b46e8 fix string format specifiers
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Bernhard Miklautz
1b8dd139a9 cmd line: add missing checks
* strdup
* some allocs
2015-06-22 19:23:57 +02:00
Norbert Federa
1eff1a345e free can handle NULL perfectly fine 2015-05-11 09:07:39 +02:00
Marc-André Moreau
2094501d8b freerdp: fix failing tests 2015-03-16 09:26:38 -04:00
Armin Novak
9863ccfe66 Fixed memory leak. 2015-01-15 17:19:39 +01:00
Armin Novak
dfb6176df6 Fixed multiple parsing errors for compatibility command line. 2015-01-15 17:14:29 +01:00
Armin Novak
241848038c Fixed missing NULL pointer check. 2015-01-15 14:08:33 +01:00
Armin Novak
1d4403cbbe Fixed command line pre filter, now returning 2 to skip argument. 2015-01-15 13:56:54 +01:00
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receices this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method confirms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Comliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00
Armin Novak
d30b6ed04d Fixed null pointer dereference. 2014-11-17 01:22:33 +01:00
Armin Novak
7913a57bc5 Using wlog for logging in clients now. 2014-09-15 08:55:00 +02:00
Armin Novak
0780c0993e Replaced fprintf(stderr with DEBUG_WARN 2014-08-07 22:21:07 +02:00
Norbert Federa
18cb418c81 core: FIPS for fastpath and RDP security fixes
- fixed invalid stream position if extEncryptionMethods is not used
- enabled 56bit rdp security method
- fixed entropy reduction of the keys for 40 bit and 56 bit
- added rdp security incl. FIPS for fastpath output
- added FIPS encryption to fast path input
- fixed FIPS key generation in server mode
- fixed stream length correction in FIPS mode
- added rdp encryption for licensing packets (apparently some clients,
  specifically cetsc, require the license packets received from the
  server to be encrypted under certain RDP encryption levels)
- replace errnous virtual extended mouse event in focus in event
2014-04-02 14:17:39 +02:00
Marc-André Moreau
5ff847a6e6 wfreerdp: fix multiple warnings 2014-02-10 01:06:11 -05:00
Marc-André Moreau
c4492411e4 Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-11-14 19:41:59 -05:00
Dan Bungert
d128e44ae3 Add support with new args for client hostname 2013-11-11 17:57:44 -07:00
Marc-André Moreau
fb23f08388 libfreerdp-client: fix possible infinite loop with .rdp file parsing containing freerdp options 2013-11-10 13:29:20 -05:00
Marc-André Moreau
3bc47a2bf8 libfreerdp-core: fix leaks and potential use after free 2013-10-31 21:12:06 -04:00
Marc-André Moreau
c4a8fe0064 libfreerdp-core: simplify management and consistency of PerformanceFlags 2013-09-17 14:56:23 -04:00
Marc-André Moreau
3b7994a9a6 Merge pull request #1467 from akallabeth/cmdline_enhanced
Cmdline enhanced
2013-09-16 13:33:04 -07:00
Armin Novak
21127ec33b Added a new flag to indicate the presence of a single not escaped argument
allowing the legacy command line <server>:<port> syntax.
2013-09-10 10:29:45 +02:00
Armin Novak
4274b266c0 Fixed command line parser, now printing help, if an invalid option is detected. 2013-09-09 16:07:14 +02:00
Armin Novak
a3b531c036 Fixed issues found with clang-analyzer 2013-09-05 12:14:33 +02:00
Armin Novak
c5fc2de710 Fixed coverity issue 1047651 2013-09-05 12:14:33 +02:00
Armin Novak
a7b77db020 Fixed coverity issue 1047624 2013-09-05 12:14:31 +02:00
Bernhard Miklautz
1d660cb217 cmd: fixed some compatibility messages
closes #1442
2013-09-02 19:53:31 +02:00
Daryl Poe
8b621518b6 careful with passwd in compatibility.c
(cherry picked from commit a4a5baf0da)
2013-07-30 14:11:29 +02:00
Hardening
7701c9d934 Replace printf(...) by fprintf(stderr, ...) 2013-03-28 23:06:34 +01:00
Bernhard Miklautz
37f29ebcce Fixed command line with .rdp file
Now clients can be called with a .rdp file again like xfreerdp test.rdp
2013-03-16 00:33:58 +01:00
Marc-André Moreau
7d3d2abd17 client/common: fix help and compatibility helper 2013-02-18 07:49:52 -05:00
Marc-André Moreau
1d9f133059 Merge pull request #938 from bmiklautz/plugin_compat
compat: fix plugin load for plugins without data argument
2013-02-02 13:30:23 -08:00
Bernhard Miklautz
5228c7806e compat: fix plugin load for plugins without data argument 2013-01-30 10:51:49 +01:00
Marc-André Moreau
e1d0fad519 libfreerdp-core: fix memory leaks 2013-01-25 17:52:37 -05:00
Marc-André Moreau
a3080bcd3a libfreerdp-client: add compatibility for --plugin command 2012-12-05 14:00:49 -05:00
Marc-André Moreau
71befd95af libfreerdp-client: introduce CLI compatibility layer and migration assistant 2012-12-05 12:12:18 -05:00