Commit Graph

59 Commits

Author SHA1 Message Date
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receives this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method conforms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers revealed that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Compliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods was annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00
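The level/method rules the commit message lays out, as an added C example (not FreeRDP's own code): the server picks the final method from its configured level and the client's advertised bitmask using the 128 > 56 > 40 > FIPS priority described above, and the client checks the received pair against the MS-RDPBCGR 5.3.2 combinations. The method and level constants are the MS-RDPBCGR wire values; the function names and the choice to mask off unknown client bits on the server side are assumptions of this example.

```c
/* Added example, not FreeRDP code: standard RDP security method selection
 * (server) and level/method verification (client).
 * Constants are the MS-RDPBCGR wire values. */
#include <stdio.h>
#include <stdint.h>

/* TS_UD_CS_SEC encryptionMethods flags (client -> server, bitmask) */
#define ENCRYPTION_METHOD_NONE   0x00000000
#define ENCRYPTION_METHOD_40BIT  0x00000001
#define ENCRYPTION_METHOD_128BIT 0x00000002
#define ENCRYPTION_METHOD_56BIT  0x00000008
#define ENCRYPTION_METHOD_FIPS   0x00000010

/* TS_UD_SC_SEC1 encryptionLevel (server setting, sent to client for information) */
#define ENCRYPTION_LEVEL_NONE              0
#define ENCRYPTION_LEVEL_LOW               1
#define ENCRYPTION_LEVEL_CLIENT_COMPATIBLE 2
#define ENCRYPTION_LEVEL_HIGH              3
#define ENCRYPTION_LEVEL_FIPS              4

#define ALL_KNOWN_METHODS (ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | \
                           ENCRYPTION_METHOD_56BIT | ENCRYPTION_METHOD_FIPS)

/* Server side: choose the final method for the configured level.
 * Returns the method value, or -1 if nothing the client advertised satisfies
 * the level. Priority 128 > 56 > 40 > FIPS as observed against Windows;
 * FIPS is picked only for level FIPS or when it is the client's only offer. */
int rdp_server_choose_method(uint32_t level, uint32_t client_methods)
{
    client_methods &= ALL_KNOWN_METHODS;   /* assumption: ignore unknown bits */

    switch (level) {
    case ENCRYPTION_LEVEL_NONE:
        return ENCRYPTION_METHOD_NONE;     /* no RDP-layer encryption */
    case ENCRYPTION_LEVEL_FIPS:
        return (client_methods & ENCRYPTION_METHOD_FIPS) ? ENCRYPTION_METHOD_FIPS : -1;
    case ENCRYPTION_LEVEL_HIGH:
        return (client_methods & ENCRYPTION_METHOD_128BIT) ? ENCRYPTION_METHOD_128BIT : -1;
    case ENCRYPTION_LEVEL_LOW:
    case ENCRYPTION_LEVEL_CLIENT_COMPATIBLE:
        if (client_methods & ENCRYPTION_METHOD_128BIT) return ENCRYPTION_METHOD_128BIT;
        if (client_methods & ENCRYPTION_METHOD_56BIT)  return ENCRYPTION_METHOD_56BIT;
        if (client_methods & ENCRYPTION_METHOD_40BIT)  return ENCRYPTION_METHOD_40BIT;
        if (client_methods & ENCRYPTION_METHOD_FIPS)   return ENCRYPTION_METHOD_FIPS;
        return -1;
    default:
        return -1;                         /* invalid level set by server implementation */
    }
}

/* Client side: accept the server's (level, method) pair only if the method is
 * exactly one known value and the combination is allowed by MS-RDPBCGR 5.3.2. */
int rdp_client_verify_level_method(uint32_t level, uint32_t method)
{
    uint32_t allowed;

    switch (level) {
    case ENCRYPTION_LEVEL_NONE:
        return method == ENCRYPTION_METHOD_NONE;
    case ENCRYPTION_LEVEL_LOW:
    case ENCRYPTION_LEVEL_CLIENT_COMPATIBLE:
        allowed = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT | ENCRYPTION_METHOD_128BIT;
        break;
    case ENCRYPTION_LEVEL_HIGH:
        allowed = ENCRYPTION_METHOD_128BIT;
        break;
    case ENCRYPTION_LEVEL_FIPS:
        allowed = ENCRYPTION_METHOD_FIPS;
        break;
    default:
        return 0;                          /* unknown level */
    }
    /* a method must be a single bit, and that bit must be permitted for the level */
    if (method == 0 || (method & (method - 1)) != 0)
        return 0;
    return (method & allowed) != 0;
}

static const char *method_name(int m)
{
    switch (m) {
    case ENCRYPTION_METHOD_NONE:   return "NONE";
    case ENCRYPTION_METHOD_40BIT:  return "40BIT";
    case ENCRYPTION_METHOD_56BIT:  return "56BIT";
    case ENCRYPTION_METHOD_128BIT: return "128BIT";
    case ENCRYPTION_METHOD_FIPS:   return "FIPS";
    default:                       return "(no method possible)";
    }
}

int main(void)
{
    /* constructed negotiation scenarios: {server level, client advertised methods} */
    struct { uint32_t level, client; } cases[] = {
        { ENCRYPTION_LEVEL_CLIENT_COMPATIBLE, ALL_KNOWN_METHODS },
        { ENCRYPTION_LEVEL_CLIENT_COMPATIBLE, ENCRYPTION_METHOD_FIPS },
        { ENCRYPTION_LEVEL_HIGH, ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT },
        { ENCRYPTION_LEVEL_FIPS, ALL_KNOWN_METHODS },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int m = rdp_server_choose_method(cases[i].level, cases[i].client);
        int ok = m >= 0 && rdp_client_verify_level_method(cases[i].level, (uint32_t)m);
        printf("level %u, client 0x%02x -> %s, client accepts: %s\n",
               (unsigned)cases[i].level, (unsigned)cases[i].client,
               method_name(m), ok ? "yes" : "no");
    }
    return 0;
}
```

The client check deliberately rejects a method word with more than one bit set: the server must announce a single method in TS_UD_SC_SEC1, and a multi-bit value is a sign of a broken or hostile peer rather than a negotiable option.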
Mehul Dhorda
58ab355bad Call redraw only when region is invalidated
Added a condition to redraw a rect only when region is invalidated. For
example. this avoids a redraw when only the cursor changes on the
remote machine.
2014-11-19 11:48:12 -08:00
Marc-André Moreau
98965d4258 client/iOS: remove deprecated includes 2014-11-15 13:02:09 -05:00
Bernhard Miklautz
0313ca3622 libfreerdp: always build "MONOLITHIC"
"libfreerdp" consisted of multiple (small) single libraries. If the cmake
option MONOLITHIC was used, only one library was built combining all of
the libfreerdp-* libraries.
The only exceptions to this are libfreerdp-server and libfreerdp-client, which
are built as separate libraries.

This commit obsoletes non-monolithic builds and makes monolithic builds
the default. The cmake option MONOLITHIC is also removed.
2014-09-12 00:19:53 +02:00
Rene Rheaume
15ad357e1a Recompressed images with FileOptimizer 6.8 (an open-source mass file recompression tool for Windows) 2014-08-08 20:12:25 -04:00
Rene Rheaume
151e5de3d4 Recompressed PNG images again 2014-08-06 23:10:23 -04:00
Rene Rheaume
281ab78481 Recompressed lossless PNG and JPEG images 2014-08-06 22:37:14 -04:00
Mike Gilbert
ae1fdf6153 Remove execute bit from many files 2014-07-20 00:52:35 -04:00
Bernhard Miklautz
6a49bcfe40 winpr: always build "monolithic"
winpr is now always built as a single library.
The build option MONOLITHIC_BUILD doesn't influence this behavior anymore.

The only exception is winpr-makecert-tool which is still built as an extra
library.

This obsoletes complex_libraries for winpr.
2014-07-10 11:10:58 +02:00
Marc-André Moreau
2a82684521 channels: cleanup unused freerdp channels global functions 2014-06-11 16:27:31 -04:00
Martin Fleisz
43e08997f1 Merge pull request #1633 from MicahChase/master
Bluetooth Keyboard Fix
2014-04-22 08:36:25 +02:00
Marc-André Moreau
4bbd78a80b libfreerdp-core: remove unnecessary usage of freerdp_channels_data 2014-02-15 15:26:34 -05:00
MicahChase
6e63873e66 bluetooth keyboard fix 2013-12-11 15:13:01 -06:00
Marc-André Moreau
62199fc46a Merge branch 'master' of github.com:FreeRDP/FreeRDP 2013-12-10 11:54:03 -05:00
Martin Fleisz
4d71032656 iOS: Removed unused code 2013-12-04 12:30:33 +01:00
Bernhard Miklautz
2b6b4a6685 updated file headers 2013-12-04 11:44:22 +01:00
Marc-André Moreau
cea8c08328 ifreerdp: fix iOS/OSX platform detection 2013-12-03 15:19:58 -05:00
Bernhard Miklautz
1a5c527c07 ios: fixed broken clang pragmas 2013-11-15 11:55:33 +01:00
Bernhard Miklautz
0147b06d06 use version.h in ios client 2013-11-15 11:54:38 +01:00
Bernhard Miklautz
f30d3ac3a1 ios build: added option to set signing certificate
Code signing certificate can be set with the cmake option CODE_SIGN_IDENTITY.
Like -DCODE_SIGN_IDENTITY="signing identity"
2013-10-05 22:00:37 +02:00
Marc-André Moreau
b480ce1830 freerdp: remove vendor-specific options from build system, add automatic ways of including external clients/servers 2013-09-03 20:37:04 -04:00
Marc-André Moreau
bc631c93a8 freerdp: separate GatewayUsageMethod from GatewayEnabled 2013-07-03 15:07:12 -04:00
Marc-André Moreau
208c9f844a freerdp: fix core API bugs 2013-06-13 21:34:46 -04:00
Bernhard Miklautz
ba4182566c Merge pull request #1259 from mfleisz/tsgshutdown
libfreerdp-core: Added support for server initiated shutdown to TSG
2013-05-22 02:12:51 -07:00
Bernhard Miklautz
91380255c9 Merge pull request #1258 from mfleisz/rfxbmpv3fix
Android/iOS: Fixes for using RemoteFX with Bitmap Cache V3
2013-05-22 02:11:52 -07:00
Martin Fleisz
120960fd4d libfreerdp-core: Added support for server initiated shutdown to TSG 2013-05-22 10:58:11 +02:00
Martin Fleisz
f2aea91ccf Android/iOS: Fixes for using RemoteFX with Bitmap Cache V3 2013-05-22 01:48:43 -07:00
Martin Fleisz
583938dcb8 iOS: Fixed password storage on higher iOS versions 2013-05-21 15:42:49 +02:00
Martin Fleisz
c55f3d6426 iOS: Encrypt TS Gateway passwords 2013-05-08 17:29:52 +02:00
Martin Fleisz
935aa5e2ea iOS: Added TS Gateway support 2013-05-08 14:50:29 +02:00
Martin Fleisz
cc188b5796 iOS: Remove verification data when UUID is created 2013-05-07 12:38:25 +02:00
Martin Fleisz
544f5997bc iOS: Got rid of device UID 2013-05-07 12:05:21 +02:00
Martin Fleisz
19acfbd6ee iOS: Improved handling of chinese keyboards 2013-04-25 12:31:11 +02:00
Martin Fleisz
afd9065cce iOS/Android: Updated version number 2013-04-24 00:36:48 -07:00
Martin Fleisz
1a336c30b8 iOS: Fix for shift key handling (by bslande) 2013-04-23 10:15:12 +02:00
Martin Fleisz
dd5cbef467 iOS: Fix resource leak 2013-04-18 10:51:39 +02:00
Martin Fleisz
ce4e02ae48 iOS: Fixed possible crash on disconnect 2013-04-17 13:09:53 +02:00
Martin Fleisz
fea9407814 iOS: BlockAlertView now supports rotation 2013-04-08 14:17:47 +02:00
Martin Fleisz
6da16f4165 iOS: Replaced UIViewAlert with custom alert dialog 2013-04-08 13:25:00 +02:00
Martin Fleisz
0375189c8e iOS/Android: Fix for Win8 2013-04-05 12:36:23 +02:00
Martin Fleisz
db79cb34e2 iOS: Ensure each bookmark has a UUID 2013-04-05 10:46:28 +02:00
Martin Fleisz
522fe1baf3 iOS: Corrected wrong function signature 2013-04-03 11:04:29 +02:00
Thinstuff Developer
834ca7fc4a iOS: Fixed issue where bookmarks were saved even though cancel was pressed 2013-04-03 09:36:55 +02:00
Martin Fleisz
38446b5f2b iOS: got rid of xcode project file 2013-03-29 14:28:27 +01:00
Bernhard Miklautz
88fd7edf6d ios: link against libfreerdp-client-combined.a 2013-03-26 12:59:03 +01:00
Florian Holzapfel
65577d138e fix some memory leaks on iOS 2013-03-20 14:16:09 +01:00
Martin Fleisz
b75344afe1 iOS: Changing deployment target to 4.3 (no supp. for armv6 needed) 2013-03-19 10:50:37 +01:00
Martin Fleisz
0d75b9e24e iOS: Fixed iPhone session scrolling bug 2013-03-18 16:31:14 +01:00
Martin Fleisz
212673d7e9 iOS: Fixed keyboard issues 2013-03-18 12:29:47 +01:00
Martin Fleisz
96a2717b3c iOS: Compile fixes (Fixed #1069, #1086) 2013-03-13 15:08:45 +01:00