Commit Graph

93 Commits

Author SHA1 Message Date
davewheel
d5b8585a39 Allow to specify the raw content of crypto materials
Sometime it's possible that your server application doesn't have access to files
(when running in a very restricted environment for example). This patch allows
to ship the private key and certificate as a string.

Sponsored by: Wheel Systems (http://www.wheelsystems.com)
2016-01-21 11:27:06 +01:00
Armin Novak
188fe4ed2b Removed rdp disconnect, using unified abortEvent instead. 2015-09-05 14:57:30 +02:00
Marc-André Moreau
ddf2519f1e Merge pull request #2719 from bmiklautz/pull/2481
OSS, tsmf, usb and BSD fixes and improvements
2015-06-26 08:27:22 -04:00
Bernhard Miklautz
ff8d172a12 core: use error instead of debug
When the function would return with an error print an error message
instead of a debug message
2015-06-23 11:15:13 +02:00
Marc-André Moreau
1e39d7728c Merge pull request #2702 from akallabeth/nla_null_identity_support
NLA Use current users credentials if none provided.
2015-06-22 08:53:05 -04:00
Norbert Federa
91a9b23b91 core: message channel pdu broken with rdp security
rdp_recv_message_channel_pdu always read the rdp security header
even if it was already previously read (which is the case if rdp
security is active)

This caused malfunctions and disconnects when heartbeat or bandwidth
autodetect packets were sent/received in rdp security mode.

Credit goes to @MartinHaimberger for identifying the broken code
part.
2015-06-19 14:49:17 +02:00
Armin Novak
219ca1c02b NLA identity now a pointer, allowing NULL.
When NLA identity is NULL, the current user context
is used on windows.
2015-06-15 15:03:13 +02:00
ivan-83
3912172fc8 + tsmf: OSS initial suppot (not work yet)
* tsmf: fix video playback on FreeBSD (proper shared object name)
* tsmf: renamed args: audio->sys, audio-dev->dev
* audin: OSS fix, now it work
* cmdline: add syntax help for /audin, /rdpsnd, /tsmf
* add debug messages
2015-05-27 23:22:36 +03:00
ivan-83
0fda0eb0de Code style changed. 2015-05-27 22:59:57 +03:00
ivan-83
1009268158 * debug and error messages now print function name and line number
* add debug messages to trace fake network dissconects
2015-05-27 22:57:10 +03:00
ivan-83
94a7abd2af + tsmf: OSS initial suppot (not work yet)
* tsmf: fix video playback on FreeBSD (proper shared object name)
* tsmf: renamed args: audio->sys, audio-dev->dev
* audin: OSS fix, now it work
* cmdline: add syntax help for /audin, /rdpsnd, /tsmf
* add debug messages
2015-05-27 22:54:13 +03:00
David FORT
85c350f5da Fix for #2657 2015-05-27 15:13:43 +02:00
Marc-André Moreau
36cb1e6dc9 Merge pull request #2639 from awakecoding/master
WLog, server-side rdpdr, remote assistance, byteswap, etc
2015-05-22 14:30:11 -04:00
Konrad Witaszczyk
8797eef9b9 Assign peer to settings when a new RDP module is being initialized. 2015-05-21 16:54:19 +02:00
Marc-André Moreau
7e1dbd505b Merge branch 'awakecoding' of https://github.com/vworkspace/FreeRDP
Conflicts:
	channels/rdpdr/server/rdpdr_main.c
2015-05-20 11:40:48 -04:00
Norbert Federa
ef1fd12b15 Fix unchecked CreateEvent calls and misc fixes
1)
Added missing checks for CreateEvent which also required the
following related changes:

- changed freerdp_context_new API to BOOL
- changed freerdp_peer_context_new API to BOOL
- changed pRdpClientNew callback to BOOL
- changed pContextNew callback to BOOL
- changed psPeerAccepted callback to BOOL
- changed psPeerContextNew callback to BOOL

2)
Fixed lots of missing alloc and error checks in the
changed code's neighbourhood.

3)
Check freerdp_client_codecs_prepare result to avoid segfaults
caused by using non-initialized codecs.

4)
Fixed deadlocks in x11 caused by missing xf_unlock_x11() calls
in some error handlers

5)
Some fixes in thread pool:
- DEFAULT_POOL assignment did not match TP_POOL definition
- don't free the pool pointer if it points to the static DEFAULT_POOL
- added error handling and cleanup in InitializeThreadpool
2015-04-29 18:18:39 +02:00
David FORT
5302bad2b7 Drop the limit on key size 2015-04-01 15:11:57 +02:00
David FORT
cf8c7631bd Kill more exit() occurences
In general we should not have any exit() call in libfreerdp.
2015-03-31 23:56:40 +02:00
Bernhard Miklautz
74c8400789 coding style fixes
Add missing space after if
2015-03-30 17:15:45 +02:00
Bernhard Miklautz
f469e069dc stream: Stream_Ensure*Capacity: change return type
Change the return type of Stream_Ensure*Capacity from void to BOOL to be
able to detect realloc problems easily. Otherwise the only way to detect
this was to check if the capacity after the call was >= the required
size.
In case Stream_Ensure*Capacity fails the old memory is still available
and need to freed outside.

This commit also adds checks to most calls of Stream_Ensure*Capacity to
check if the call was successful.
2015-03-30 16:33:48 +02:00
Bernhard Miklautz
3c7662517c hardening
Start to add missing checks for:
* *alloc
* *_New
2015-03-25 17:38:21 +01:00
Mike McDonald
6dd333c4c8 Modified virtual channel open (as a result of an MCS channel join) to do a case-insensitive comparison of the virtual channel name. 2015-02-23 09:24:43 -05:00
Marc-André Moreau
f9885da81c Merge branch 'master' of github.com:FreeRDP/FreeRDP 2015-02-18 09:51:11 -05:00
Marc-André Moreau
668b2c1811 libfreerdp-core: fix tsg buffer flushing 2015-02-17 10:54:39 -05:00
Marc-André Moreau
ab5fdcc3f1 libfreerdp-core: NLA cleanup 2015-02-15 11:10:14 -05:00
Marc-André Moreau
991f7b347d libfreerdp-core: further abstract multiple connections used internally by tsg from rdpTransport 2015-02-15 10:06:17 -05:00
Marc-André Moreau
edfc5120b7 libfreerdp-core: replace rdpTcp by BufferedSocket BIO 2015-02-14 10:14:13 -05:00
Marc-André Moreau
e904195e49 libfreerdp-core: more rdpTcp refactoring 2015-02-13 16:51:08 -05:00
David FORT
bb9ba34f1d Fix disconnection when negociation has failed
This patch fixes a bug with mstsc connecting to a RDP security only FreeRDP server.
It seems like the mstsc shipped with Windows Seven considers packets after the nego_failure
packet as an error. So after trying to do TLS, depending on the timing, mstsc can print an
error message instead of retrying to connect with RDP security. With this patch, we
don't send the MCS disconnect message when the negociation has failed.
2015-02-13 18:25:50 +01:00
Marc-André Moreau
aa8b843250 libfreerdp-core: move stuff down from transport to tsg layer 2015-02-11 11:57:02 -05:00
Marc-André Moreau
e0b0c77ecb libfreerdp-core: improve http parsing 2015-02-02 17:16:32 -05:00
Martin Haimberger
bba342a6be added set_error_info function
if an error_info is set, a TS_SET_ERROR_INFO_PDU
will be sent to the client on disconnect with
the error_info
2015-01-13 08:09:36 -08:00
Norbert Federa
939f1c639a Standard RDP Security Layer Levels/Method Overhaul
[MS-RDPBCGR] Section 5.3 describes the encryption level and method values for
standard RDP security.

Looking at the current usage of these values in the FreeRDP code gives me
reason to believe that there is a certain lack of understanding of how these
values should be handled.

The encryption level is only configured on the server side in the "Encryption
Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp
properties dialog and this value is never transferred from the client to the
server over the wire.
The possible options are "None", "Low", "Client Compatible", "High" and
"FIPS Compliant". The client receices this value in the Server Security Data
block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to
give the client the possibility to verify if the server's decision for the
encryption method confirms to the server's encryption level.
The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and
"FIPS" and the RDP client advertises the ones it supports to the server in the
Client Security Data block (TS_UD_CS_SEC).
The server's configured encryption level value restricts the possible final
encryption method.
Something that I was not able to find in the documentation is the priority
level of the individual encryption methods based on which the server makes its
final method decision if there are several options.
My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS.
The server only chooses FIPS if the level is "FIPS Comliant" or if it is the
only method advertised by the client.

Bottom line:
* FreeRDP's client side does not need to set settings->EncryptionLevel
(which was done quite frequently).
* FreeRDP's server side does not have to set the supported encryption methods
list in settings->EncryptionMethods

Changes in this commit:

Removed unnecessary/confusing changes of EncryptionLevel/Methods settings

Refactor settings->DisableEncryption
* This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used"
* The old name caused lots of confusion among developers
* Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched)

Any client's setting of settings->EncryptionMethods were annihilated
* All clients "want" to set all supported methods
* Some clients forgot 56bit because 56bit was not supported at the time the
code was written
* settings->EncryptionMethods was overwritten anyways in nego_connect()
* Removed all client side settings of settings->EncryptionMethods
The default is "None" (0)
* Changed nego_connect() to advertise all supported methods if
settings->EncryptionMethods is 0 (None)
* Added a commandline option /encryption-methods:comma separated list of the
values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128
* Print warning if server chooses non-advertised method

Verify received level and method in client's gcc_read_server_security_data
* Only accept valid/known encryption methods
* Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2

Server implementations can now set settings->EncryptionLevel
* The default for settings->EncryptionLevel is 0 (None)
* nego_send_negotiation_response() changes it to ClientCompatible in that case
* default to ClientCompatible if the server implementation set an invalid level

Fix server's gcc_write_server_security_data
* Verify server encryption level value set by server implementations
* Choose rdp encryption method based on level and supported client methods
* Moved FIPS to the lowest priority (only used if other methods are possible)

Updated sample server
* Support RDP Security (RdpKeyFile was not set)
* Added commented sample code for setting the security level
2014-12-12 02:17:12 +01:00
Marc-André Moreau
d95af00117 Merge branch 'awakecoding' of github.com:vworkspace/FreeRDP 2014-11-25 11:20:07 -05:00
Marc-André Moreau
ddedc574f3 freerdp: remove tcp, uds utils 2014-11-12 14:06:34 -05:00
Mike McDonald
7d5963a1e6 Fixed crash caused by trying to cast and dereference a NULL hChannel. 2014-11-07 18:06:14 -05:00
Mehul Dhorda
f64d620a3b Ignore T.128 FlowPDU in Share Control header
According to the Microsoft RDP specification, T.128 flow control PDUs
should be ignored when reading Share Control headers.
(http://msdn.microsoft.com/en-us/library/cc240576.aspx). This patch
checks if we got a flow control PDU (length = 0x8000) and advances the
stream to ignore the PDU.
2014-11-05 11:32:46 -08:00
Vic Lee
152d525a05 libfreerdp-core: server-side auto-detect feature. 2014-10-29 00:49:49 +08:00
Vic Lee
0e7797ffca libfreerdp-core: server-side mcs message channel. 2014-10-29 00:49:27 +08:00
Marc-André Moreau
00e3533230 libfreerdp-core: expose API for FreeRDS WTSVirtualChannelRead 2014-10-10 17:19:38 -04:00
Marc-André Moreau
11ae267518 libfreerdp-core: expose new API to allow FreeRDS virtual channel hooking 2014-10-10 16:11:42 -04:00
Armin Novak
2f519d7f16 Replaced logging in libfreerdp with wlog defines. 2014-09-15 08:48:46 +02:00
Daniel Bungert
27fc3ee64d Fix multiple cases of use of uninitialized vars
* Zeroing xevent helped address some erratic behavior.
* valgrind complained about using xfBitmap uninitialized
  during shutdown, traced it back to the initialization.
  Bitmap_Prototype->size > sizeof(rdpBitmap).
* Early exit from recv_tpkt_pdu is necessary to address
  a shutdown crash - the channelId value was being used
  without being set in the disconnect case.
2014-08-20 03:54:05 -06:00
Marc-André Moreau
e4a4aa4d3a Merge branch 'master' of github.com:awakecoding/FreeRDP into shadow
Conflicts:
	channels/encomsp/client/encomsp_main.c
	libfreerdp/core/tcp.c
	libfreerdp/crypto/certificate.c
	server/Windows/CMakeLists.txt
	server/X11/xf_cursor.c
	server/X11/xf_input.c
	server/X11/xf_interface.c
	server/X11/xf_monitors.c
	server/X11/xf_peer.c
2014-08-11 19:22:33 -04:00
Armin Novak
f4c133eaf8 Replaced custom logging mechanism with WLog wrapper. 2014-08-07 16:51:24 +02:00
Marc-André Moreau
d8b858811f shadow: initial windows server-side connectivity 2014-07-17 21:15:22 -04:00
Marc-André Moreau
8ae00f7385 shadow: start hooking X11 code as subsystem 2014-07-11 19:30:40 -04:00
Hardening
183155dbd1 Fix metrics leak 2014-06-03 14:54:56 +02:00
Marc-André Moreau
830659fc5c libfreerdp-core: add new protocol metrics module 2014-05-26 12:30:58 -04:00
Hardening
dd6d829550 Allow transport_write calls to be non-blocking
This big patch allows to have non-blocking writes. To achieve
this, it slightly changes the way transport is handled. The misc transport
layers are handled with OpenSSL BIOs. In the chain we insert a
bufferedBIO that will bufferize write calls that couldn't be honored.

For an access with Tls security the BIO chain would look like this:
  FreeRdp Code ===> SSL bio ===> buffered BIO ===> socket BIO

The buffered BIO will store bytes that couldn't be send because of
blocking write calls.

This patch also rework TSG so that it would look like this in the
case of SSL security with TSG:
                                         (TSG in)
                              > SSL BIO => buffered BIO ==> socket BIO
                             /
FreeRdp => SSL BIO => TSG BIO
                             \
                              > SSL BIO => buffered BIO ==> socket BIO
                                        (TSG out)

So from the FreeRDP point of view sending something is only BIO_writing
on the frontBio (last BIO on the left).
2014-05-21 17:42:31 +02:00