Commit Graph

79 Commits

Author SHA1 Message Date
Armin Novak
7c243da6e1 Remove symbols exported by accident. 2019-12-02 10:57:31 +01:00
Armin Novak
72ca88f49c Reformatted to new style 2019-11-07 10:53:54 +01:00
Armin Novak
59b4988f56 Fixed compilation warnings. 2019-10-16 14:54:05 +02:00
byteboon
df280a7ffd FreeRDP#5329 if using OldLicenseBehaviour, don't try to save the Cal since we're not going to try to load it (#5330) 2019-04-08 09:42:02 +02:00
Armin Novak
f51a9bafcc Fixed sign-compare warnings 2019-04-05 09:13:24 +02:00
David Fort
f4b7a27c2b license: implement server-side management
Add server-side management of the licensing workflow. The default
behaviour is to accept the client, but if a server wants to implement
full licensing support as in MS-RDPELE it is possible by defining a callback.
2019-01-21 09:57:15 +01:00
David Fort
635b17d0a1 license: fix licencing against windows 2003 server
The spec says:

"For Windows Server 2008, Windows Server 2008 R2, and Windows Server
2012, the EncryptedLicenseInfo variable (part of the Server Upgrade License PDU) sent by the server
to the client has the wBlobType parameter set to value BB_ENCRYPTED_DATA_BLOB (0x0009). For
Windows Server 2003, the value of wBlobType is not defined."

So don't enforce the message type.
2018-12-05 10:50:47 +01:00
Armin Novak
aeeaba5bc3 Fixed a memory leak. 2018-11-29 12:14:20 +01:00
Armin Novak
feb993b948 Fixed double free in license_free_binary_blob 2018-11-21 15:07:36 +01:00
David Fort
b6e6575bf6 license: support CAL license
This patch simplifies the licensing code mutualizing encryption / decryption
routines. It also adds the support for client_info packet that allows to send a
previously saved CAL file.
2018-11-13 09:42:19 +01:00
Armin Novak
991f051a63 Fixed stream release for transport_write 2018-10-17 14:55:55 +02:00
David Fort
41823080f9 Fix users of Stream_GetPosition() that returns size_t 2017-12-11 22:38:58 +01:00
Brent Collins
9ca9df1ead Make the new winpr_Digest*MD5_Allow_FIPS functions more generic to no longer be MD5 specific in design. This way the FIPS override
could easily be extended to more digests in the future. For now, an attempt to use these functions with anything other than MD5 will
not work.
2017-11-17 12:43:07 +01:00
Brent Collins
d98b88642b Add new command-line option to force xfreerdp into a fips compliant mode.
This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.

Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.

Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.

Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.

Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
2017-11-17 12:43:06 +01:00
Armin Novak
0490aeb018 Fixed clang malloc integer overflow warnings. 2017-07-20 09:29:48 +02:00
Armin Novak
8292b4558f Fix TALOS issues
Fix the following issues identified by the CISCO TALOS project:
 * TALOS-2017-0336 CVE-2017-2834
 * TALOS-2017-0337 CVE-2017-2834
 * TALOS-2017-0338 CVE-2017-2836
 * TALOS-2017-0339 CVE-2017-2837
 * TALOS-2017-0340 CVE-2017-2838
 * TALOS-2017-0341 CVE-2017-2839
2017-07-20 09:28:47 +02:00
Norbert Federa
f71b6b46e8 fix string format specifiers
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
2016-12-16 13:48:43 +01:00
Armin Novak
a1b2325c1d Ensure securityFlags are always initialized. 2016-12-02 12:04:53 +01:00
Norbert Federa
7befab856c Support for OpenSSL 1.1.0 2016-11-24 17:50:09 +01:00
Armin Novak
b429d230cb Refactored crypto *_New functions. 2016-02-29 09:00:02 +01:00
Armin Novak
92c15783dc Updated RC4 API, fixed crashing bug. 2016-02-28 11:19:29 +01:00
Armin Novak
5805ba8e52 Removed crypto_nonce. 2016-02-27 22:40:43 +01:00
Armin Novak
f997421098 Unified hmac functions. 2016-02-24 21:50:08 +01:00
Armin Novak
ada2b16c50 Unified RC4 functions. 2016-02-24 17:04:03 +01:00
Armin Novak
06da644007 Unified md5 functions. 2016-02-24 16:46:25 +01:00
David FORT
7c3f8f33ab Fixes for malloc / calloc + other fixes
This patch contains:

* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
2015-06-22 19:21:47 +02:00
Norbert Federa
1eff1a345e free can handle NULL perfectly fine 2015-05-11 09:07:39 +02:00
David FORT
c03bf75896 Take in account @nfedera's comments 2015-04-07 21:06:53 +02:00
David FORT
edb915943f Treat return values in license.c
This patch changes functions that should not return void and also treat the
callers of these functions.
2015-04-01 11:38:53 +02:00
David FORT
0eb399a717 Treat return values for security.c
This patch make functions in security.c return values when they should instead of
beeing void. And it also fix the callers of these functions.
2015-04-01 11:11:37 +02:00
Marc-André Moreau
aa8b843250 libfreerdp-core: move stuff down from transport to tsg layer 2015-02-11 11:57:02 -05:00
Norbert Federa
765b25933e license: fix for corrupted licensing packets
Since commit a228952 FreeRDP generates corrupt licensing packets if the rdp
security layer is used and the peer did not indicate that it is capable of
processing encrypted licensing packets:
That commit changed rdp->sec_flags after the rdp stream was already initialized
with encryption enabled which placed the PDU payload at an incorrect offset.

Instead of directly modifying the rdp->sec_flags this patch temporarily
disables rdp->do_crypt during rdp stream initialization if the client has not
advertised support for encrypted licensing packets.
2015-01-12 11:31:18 +01:00
Marc-André Moreau
d102e746c8 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP
Conflicts:
	libfreerdp/core/license.c
	libfreerdp/core/nego.c
	winpr/libwinpr/synch/wait.c
2014-09-19 14:38:25 -04:00
Mike McDonald
a228952a69 Modified server code to honor the negotiated setting for SEC_LICENSE_ENCRYPT_SC in the security exchange PDU (which controls the encryption of license PDUs from the server to the client). 2014-09-18 19:43:28 -04:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Armin Novak
6762d73ae1 Fixed winpr_HexDump calls. 2014-09-09 16:33:05 +02:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Hardening
9c18ae5bee Print function name when emiting an error 2014-05-21 17:27:36 +02:00
Zhang Zhaolong
8ce32773f3 core: fix memory leak in case of error out. 2014-04-26 12:00:07 +08:00
Maks Naumov
c230fae097 Make certificate_read_server_certificate() return BOOL 2014-04-08 19:23:06 +03:00
Norbert Federa
18cb418c81 core: FIPS for fastpath and RDP security fixes
- fixed invalid stream position if extEncryptionMethods is not used
- enabled 56bit rdp security method
- fixed entropy reduction of the keys for 40 bit and 56 bit
- added rdp security incl. FIPS for fastpath output
- added FIPS encryption to fast path input
- fixed FIPS key generation in server mode
- fixed stream length correction in FIPS mode
- added rdp encryption for licensing packets (apparently some clients,
  specifically cetsc, require the license packets received from the
  server to be encrypted under certain RDP encryption levels)
- replace errnous virtual extended mouse event in focus in event
2014-04-02 14:17:39 +02:00
Hardening
ac7507ab8d Adds some check to treat OOM problems + RDP security fix
Malloc can fail so it will, this patch adds some check in some places
where malloc/strdup results were not checked.

This patch also contains a server side fix for RDP security (credit to nfedera).
The signature len was badly set in the GCC packet. And some other RDP security
oriented fixes are also there.
2014-03-25 23:13:08 +01:00
Marc-André Moreau
de3156512c libfreerdp-core: start including wtsapi.h 2014-02-16 18:02:50 -05:00
Hardening
f1d6afca6a Fix CVE-2014-0791
This patch fixes CVE-2014-0791, the remaining length in the stream is checked
before doing some malloc().
2014-01-08 16:57:56 +01:00
Marc-André Moreau
3d339b04d9 libfreerdp-core: modify parsing functions to return int instead of BOOL to propagate session redirection return code 2013-11-04 15:52:29 -05:00
Marc-André Moreau
a0e09e6273 libfreerdp-core: fix server-side licensing sequence 2013-09-05 18:53:55 -04:00
Daryl Poe
f71f179c28 fix per-device CAL licensing
(cherry picked from commit d6d0d81d08)
2013-08-26 09:37:48 +02:00
Armin Novak
6e6581ab87 Fix for Issue #1349 2013-07-15 10:20:24 +02:00
Marc-André Moreau
5c37356506 libfreerdp-core: reduce reuse of the same send buffer 2013-05-15 13:17:29 -04:00
Marc-André Moreau
367ebf32a3 freerdp: make use of stream macros to access members 2013-05-15 12:14:26 -04:00