Commit Graph

18475 Commits

Author SHA1 Message Date
David Benjamin
7548be62c3 Support RSA-PSS certificates in x509_utils_get_signature_alg
RSA-PSS in X.509 is truly horrible, and OpenSSL does not expose very good APIs
to extract this, even though the library does handle it internally. Instead, we
must tediously unwrap RFC 4055's unnecessarily complicated encoding of
RFC 8017's unnecessarily flexible RSA-PSS definition.
2024-02-07 07:53:37 +01:00
David Benjamin
f987e304ee Add some tests for x509_utils_get_signature_alg
Temporarily disable the RSA-PSS tests for now, but this is enough for a
regression test for the previous issue.
2024-02-07 07:53:37 +01:00
David Benjamin
bee7f94e93 [crypto,x509] fix tls-server-end-point signature algorithm selection
This reverts commit 00baf58a71. That
change appears to have been incorrect. It's described as simplifying
retrieving the "default signature digest", but it actually changed the
function's behavior entirely. The function wasn't retrieving defaults
previously.

A certificate contains, among other things, a public key and a
signature. The public key is the public key of the subject. However, the
signature was generated by the issuer. That is, if I get a certificate
from a CA, the public key will be my public key and the signature will
be my CA's signature over the certificate contents.

Now, the original code returned the digest used in the certificate's
signature. That is, it tells you which signature algorithm did my *CA*
use to sign my certificate.

The new code extracts the certificate's public key (my public key, not
the CA's). This doesn't necessarily tell you the signature algorithm, so
it then asks OpenSSL what the "default" signature algorithm would it use
with the key. This notion of "default" is ad-hoc and has changed over
time with OpenSSL releases. It doesn't correspond to any particular
protocol semantics. It's not necessarily the signature algorithm of the
certificate.

Now, looking at where this function is used, it's called by
freerdp_certificate_get_signature_alg, which is called by
tls_get_channel_binding to compute the tls-server-end-point channel
binding. That code cites RFC 5929, which discusses picking the hash
algorithm based on the certificate's signatureAlgorithm:

https://www.rfc-editor.org/rfc/rfc5929#section-4.1

That is, the old version of the code was correct and the
"simplification" broke it. Revert this and restore the original version.

I suspect this went unnoticed because, almost all the time, both the old
and new code picked SHA-256 and it was fine. But if the certificate was,
say, signed with SHA-384, the new code would compute the wrong channel
binding.
2024-02-07 07:53:37 +01:00
akallabeth
2fffcd64b9 [winpr] use winpr_strerror instead of strerror
use the wrapper from WinPR to use the best implementation available.
2024-02-06 15:45:47 +01:00
akallabeth
c415ec1110 [winpr,utils] use strerror_s or strerror_r
prefer to use strerror_s over strerror_r and strerror to convert errno
to strings.
2024-02-06 15:45:47 +01:00
akallabeth
ba8cf8cf21 [build] fix Wmismatched-deallocator warnings
With custom malloc function attributes the fail path in the _New
functions produces warnings due to allocator mismatches. Silence them.
2024-02-05 08:16:55 +01:00
Isaac Klein
763462d0a9 include null byte in Authorization Request PDU
The RDS AAD Auth PDUs have no packet headers to indicate length.
Instead, these packets are zero-terminated strings. Somehow, Windows
accepts Authentication Request PDUs without a terminating null byte
during regular connections, but not through WVD websocket gateways.
2024-02-04 13:00:48 +01:00
akallabeth
bb42d425ed [gcc,clang] add support for attribute(malloc)
Mark all malloc like functions and add their appropriate free function
to let the compiler complain on mismatches
2024-02-02 15:10:40 +01:00
Vic Lee
5559e59f40 [channels] Add synchronous static channel setting. 2024-02-01 15:06:23 +01:00
Armin Novak
33764e603a [common,addin] make plugin loader path configurable
* Add new option WITH_ABSOLUTE_PLUGIN_LOAD_PATHS to allow overriding
  platform default option (load channel plugins with absolute paths or
  from environment search paths)
* Fix freerdp_get_dynamic_addin_install_path: use native platform path
  separators
2024-01-30 09:48:52 +01:00
akallabeth
5cb463e74b [channel,rdpgfx] disable client side caps
If no image scaling is available, disable capabilities that require image
scaling to function properly
2024-01-29 19:26:18 +01:00
akallabeth
278a56263b [channels,rdpgfx] add server side channel checks
check if the message is allowed in current channel state.
2024-01-29 19:26:18 +01:00
akallabeth
01e415b801 [channel,rdpgfx] use dynamic WLog for server channel 2024-01-29 19:26:18 +01:00
akallabeth
4add7836fa [server,shadow] wait for rdpegfx channel ready
we need to wait until the capability messages are exchanged before
starting to issue gfx commands
2024-01-29 19:26:18 +01:00
akallabeth
e067e9dc6d [core,peer] fix typo 2024-01-29 11:52:22 +01:00
akallabeth
8b04ab53eb [cmake] disable WITH_WEBVIEW if not build on linux/bsd 2024-01-29 10:01:23 +01:00
akallabeth
2cd64ba424 [cmake] fallback cJSON detection 2024-01-29 09:34:59 +01:00
akallabeth
4f2d9ac313 [packaging] clean debian rules 2024-01-29 09:34:59 +01:00
akallabeth
f22d3065cb [cmake] fix manpage generation dependencies 2024-01-29 09:34:59 +01:00
akallabeth
902832ca76 [client,common] fix clipboard command line
allow both +/- and /clipboard style options.
2024-01-29 09:23:58 +01:00
akallabeth
cefe847683 [core,gateway] use FREERDP_USER_AGENT define
Define FREERDP_USER_AGENT in version.h to be used by gateway http user
agent
2024-01-29 08:46:29 +01:00
akallabeth
ebebc5b2a7 [cmake] set policy CMP0138 NEW
with CMake >= 3.24 use the parent project compiler settings for
check_ipo_supported as it might fail otherwise.
2024-01-29 08:46:29 +01:00
Armin Novak
f61d1fd66a [cmake] fix clang-format detection 2024-01-25 10:36:52 +01:00
akallabeth
187001ed55 link executables to static runtime 2024-01-25 09:40:10 +01:00
akallabeth
fc47a019df [clang] unify tool detection 2024-01-25 09:40:10 +01:00
akallabeth
aa9a9564ac [ci] enable clang-tidy for ci builds 2024-01-25 09:40:10 +01:00
akallabeth
98daeb812e [cmake] add clang-format versions
add new versions of clang-format to detection script
2024-01-25 09:40:10 +01:00
akallabeth
15d9e5e01a [cmake] add clang-tidy support 2024-01-25 09:40:10 +01:00
akallabeth
465745131e [client,sdl] fix verbose logging
only call SDL_DestroyTexture if texture != NULL
2024-01-22 13:09:25 +01:00
Vic Lee
f2794daf38 [core,transport] make blocking mode available to transport IO interface. 2024-01-22 12:57:01 +01:00
akallabeth
bc23b205b5 [release] start new development cycle 2024-01-19 09:57:41 +01:00
akallabeth
bb87d4ca50 [release] update to 3.2.0 2024-01-19 09:57:41 +01:00
akallabeth
a387b98d3d changelog 2024-01-19 09:57:41 +01:00
akallabeth
575d42312a [code] improve error checks on free 2024-01-19 09:57:41 +01:00
Armin Novak
8d45b3fa66 [client,mac] key down & up for CAPS and NUM lock 2024-01-19 08:54:05 +01:00
dev
feceb1c0f3 [client,mac] fix keyboard state sync
* release all keyboard modifiers on pause
* release/sync keyboard modifier states on resume
* update modifier states on keyDown, keyUp and flagsChanged
2024-01-19 08:54:05 +01:00
Armin Novak
db73c562a2 [core,gcc] split update of RDP encryption from gcc
* Update EncryptionLevel and EncryptionMethods before writing GCC data
* Use const rdpSettings* in all GCC write functions
2024-01-19 06:51:30 +01:00
Armin Novak
9729a51cb2 [client,common] add example for use with AzureAD accounts 2024-01-18 11:22:20 +01:00
Armin Novak
a4425d945c [server,proxy] drop capture plugin
the capture plugin was written for FreeRDP2 proxy, which used a
different approach that is no longer working with FreeRDP3.
Drop the module so that we don't diffuse people into thinking that this
is working.
2024-01-18 11:20:29 +01:00
Armin Novak
b4587efad1 [proxy,modules] fix module load check 2024-01-17 11:31:13 +01:00
Armin Novak
939e922936 [codec,planar] check resolution for overflow
If the codec resolution is too large, return an error as the internal
buffers would otherwise overflow.
2024-01-16 09:02:58 +01:00
akallabeth
a842350177 [core,license] improve logging of failures
* ensure every failure path writes an appropriate log message
* fix compiler warnings (integer sizes, ...)
2024-01-15 13:13:42 +01:00
akallabeth
c303e4e8b9 [core,security] ensure length, log failures 2024-01-15 13:13:42 +01:00
akallabeth
55f200f1b5 [core,tpkt] log too large tpkt stream length 2024-01-15 13:13:42 +01:00
akallabeth
d5eecda8a3 [crypto,cert] log if empty certificate is read 2024-01-15 13:13:42 +01:00
Armin Novak
5298580bbd [winpr,sspi] properly log all kerberos calls
to ease debugging, log each failure of a kerberos related function along
with location and function name
2024-01-15 08:10:30 +01:00
Mariusz Bialonczyk
4c17dfb71d [uwac] output: take a max scale into scaling code
Fix for hybrid multimonitor configurations:
Previous code was working for me because the display with scale=2
was last on the wayland display list. After restarting it was earlier.
To fix this - just take the highest scale provided by a display.
Similar to what SDL does here, e.g.:
b5bc64aa55/src/video/wayland/SDL_waylandwindow.c (L1170)
2024-01-11 16:00:40 +01:00
Mariusz Bialonczyk
26017c71bd [uwac] input: release pressed keys when losing window focus
The commit is fixing the problem when e.g. a user is pressing some
modifier key to switch from the active FreeRDP window and, when getting back to
that window, it "virtually" has that modifier key pressed, thus leading
to pressing e.g. `Win+r` instead of just `r`.
2024-01-11 16:00:40 +01:00
Mariusz Bialonczyk
36e79b449d [uwac] input: fix keyboard "sticky" keys when entering window
The commit is fixing the following problem:
When the freerdp window gets keyboard focus and is notified,
it wrongly processes keys which are *held*, not freshly pressed.

The comment in the code explains it more.
2024-01-11 16:00:40 +01:00
Vic Lee
16206cb505 [channels,drdynvc] Add settings to enable synchronous dynamic channels. 2024-01-11 15:24:55 +01:00