This patch simplifies the licensing code mutualizing encryption / decryption
routines. It also adds the support for client_info packet that allows to send a
previously saved CAL file.
The newly introduced option /tls-seclevel can be used to set the tls
security level on systems with openssl >= 1.1.0 or libressl.
As default level 1 is used as higher levels might prohibit connections
to older systems.
The async transport option is broken by design.
If used the main loop is called from the transport thread and the
main thread of the application.
Unless the transport layer is refactored to just work on queues
(input and output) this option will never work, therefore remove it.
Since redirection sometimes happens with internal DNS names that
are resolved different by outside DNS it must be possible to override
the preferred redirection hint.
(we overwrite the password and pin arguments).
This implies changes in the argument parsing tests that now must pass a mutable argv
(copied from the statically declared test argvs).
Some other const inconsistency have been dealt with too.
The command line detection fails, if only one of the aforementioned
files is used as an argument. Detect those first and ignore command
line detection if found.
Move the cmd struct to a extra header file. This allows it to only
include the header file in generate_argument_docbook.c and therefore
remove a linker dependencies.
If the display channel is available we use it to allow the user to resize the
xfreerdp window. When the window is resized we announce a new monitor layout and
the server reacts by doing a reactivation sequence to the new size.
The minimum window size is limited to 300x300 as 2012 servers crash horribly
if we send them a smaller layout.
TestClientRdpFile fails on big endian machines due to some bug in
unicode processing. Let's drop all the unicode functions and convert
unicode input into ascii as soon as possible. This significantly
simplify RDP file processing and also fixes TestClientRdpFile on
big endian machines.
https://github.com/FreeRDP/FreeRDP/issues/4231
FreeRDP aborts if OpenSSL operates in FIPS mode and +fipsmode is not
manually specified. Let's prevent the abortion and enable the necessary
options in that case automatically.
This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.
Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.
Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.
Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.
Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
The idea is based on #3257.
If a non NLA connection is requested the password callbacks are not executed
and there is currently no way to read from stdin.
This extension of /from-stdin allows reading the passwords
before the connection is established.
Add the sshagent plugin to forward the ssh-agent protocol over an RDP
dynamic virtual channel, just as the normal ssh-agent forwards it over
an SSH channel. Add the "/ssh-agent" command line option to enable it.
Usage:
Run FreeRDP with the ssh-agent plugin enabled:
xfreerdp /ssh-agent ...
In the remote desktop session run xrdp-ssh-agent and evaluate the output
in the shell as for ssh-agent to set the required environment variables
(specifically $SSH_AUTH_SOCK):
eval "$(xrdp-ssh-agent -s)"
This is the same as for the normal ssh-agent. You would typically do
this in your Xsession or /etc/xrdp/startwm.sh.
Limitations:
1. Error checking and handling could be improved.
2. This is only tested on Linux and will only work on systems where
clients talk to the ssh-agent via Unix domain sockets. It won't
currently work on Windows but it could be ported.
Added some checks so that when setting a cache entry fails, we close connection (or
we fail later when trying to use that empty entry).
The small cache egfx capability has also been fixed.
When building packages, especially when source packages are used, git is
not necessarily available or the source isn't provided in git. In those
cases it wasn't possible to set the GIT_REVISION and --version shows
"n/a" for the git revision.
If the file .source_version is available now the content of it is used
as GIT_REVISION. Packagers might want to add a .source_version file
when they don't build the packages from git.
Possible breaking change:
The variable PRODUCT_VERSION isn't available anymore. Use GIT_REVISION
instead.