The extended information provided by VerifyCertificateEx and
VerifyChangedCertificateEx is now exploited by the new functions
client_cli_verify_certificate_ex and client_cli_verify_changed_certificate_ex.
The old callbacks now print out deprecation warnings to inform the
user and developer about this deprecation.
This patch simplifies the licensing code mutualizing encryption / decryption
routines. It also adds the support for client_info packet that allows to send a
previously saved CAL file.
The newly introduced option /tls-seclevel can be used to set the tls
security level on systems with openssl >= 1.1.0 or libressl.
As default level 1 is used as higher levels might prohibit connections
to older systems.
The async transport option is broken by design.
If used the main loop is called from the transport thread and the
main thread of the application.
Unless the transport layer is refactored to just work on queues
(input and output) this option will never work, therefore remove it.
Since redirection sometimes happens with internal DNS names that
are resolved different by outside DNS it must be possible to override
the preferred redirection hint.
(we overwrite the password and pin arguments).
This implies changes in the argument parsing tests that now must pass a mutable argv
(copied from the statically declared test argvs).
Some other const inconsistency have been dealt with too.
The command line detection fails, if only one of the aforementioned
files is used as an argument. Detect those first and ignore command
line detection if found.
Move the cmd struct to a extra header file. This allows it to only
include the header file in generate_argument_docbook.c and therefore
remove a linker dependencies.
If the display channel is available we use it to allow the user to resize the
xfreerdp window. When the window is resized we announce a new monitor layout and
the server reacts by doing a reactivation sequence to the new size.
The minimum window size is limited to 300x300 as 2012 servers crash horribly
if we send them a smaller layout.
TestClientRdpFile fails on big endian machines due to some bug in
unicode processing. Let's drop all the unicode functions and convert
unicode input into ascii as soon as possible. This significantly
simplify RDP file processing and also fixes TestClientRdpFile on
big endian machines.
https://github.com/FreeRDP/FreeRDP/issues/4231
FreeRDP aborts if OpenSSL operates in FIPS mode and +fipsmode is not
manually specified. Let's prevent the abortion and enable the necessary
options in that case automatically.
This option will ensure that NLA is disabled(since NTLM uses weak crypto algorithms), FIPS
encryption is enabled, and ensure fips mode is enabled for openssl.
Selectively override specific uses of MD5/RC4 with new API calls specifically tailored to override FIPS.
Add comments on why overriding the use of these algorithms under FIPS is acceptable for the locations where overrides happen.
Remove check of server proprietary certificate which was already being ignore to avoid use of MD5.
Initialize winpr openssl earlier to ensure fips mode is set before starting using any crypto algorithms.
The idea is based on #3257.
If a non NLA connection is requested the password callbacks are not executed
and there is currently no way to read from stdin.
This extension of /from-stdin allows reading the passwords
before the connection is established.
Add the sshagent plugin to forward the ssh-agent protocol over an RDP
dynamic virtual channel, just as the normal ssh-agent forwards it over
an SSH channel. Add the "/ssh-agent" command line option to enable it.
Usage:
Run FreeRDP with the ssh-agent plugin enabled:
xfreerdp /ssh-agent ...
In the remote desktop session run xrdp-ssh-agent and evaluate the output
in the shell as for ssh-agent to set the required environment variables
(specifically $SSH_AUTH_SOCK):
eval "$(xrdp-ssh-agent -s)"
This is the same as for the normal ssh-agent. You would typically do
this in your Xsession or /etc/xrdp/startwm.sh.
Limitations:
1. Error checking and handling could be improved.
2. This is only tested on Linux and will only work on systems where
clients talk to the ssh-agent via Unix domain sockets. It won't
currently work on Windows but it could be ported.
Added some checks so that when setting a cache entry fails, we close connection (or
we fail later when trying to use that empty entry).
The small cache egfx capability has also been fixed.
When building packages, especially when source packages are used, git is
not necessarily available or the source isn't provided in git. In those
cases it wasn't possible to set the GIT_REVISION and --version shows
"n/a" for the git revision.
If the file .source_version is available now the content of it is used
as GIT_REVISION. Packagers might want to add a .source_version file
when they don't build the packages from git.
Possible breaking change:
The variable PRODUCT_VERSION isn't available anymore. Use GIT_REVISION
instead.
This patch contains several improvements in order to make the help
output more readable (reduce length of first column):
- move default value into description
- use ... instead of too long format strings
- use [] for optional arguments
This patch contains several improvements for arguments list:
- use capitals consistently
- remove full stop sign at the end
- use "experimental" constiently for unstable and hacky features
- use <> for variables consistenly
- use [] for optional parts consistently.
- shorten some format strings to make /help more readable
- replace whitespace in variables for better readability (especialy man page)
- fix wrong argument tyes
- add missing formats
If the size parameter is used with a percentages like /size:50% now
an additional 'w' or 'h' can be appended (like /size:50%w) to specify
where the percentage should be applied. If both or none are set the
behavior is like it was before and the percentage is applied to width
and height.
Allow password to be stored in .RDP file and parsed and settings
updated, this will allow for dynamic .RDP files to be created with
complete login credentials, using this method the username, server and
password will no longer be visible within process lists.
Also fixed issue of username and domain being read from .RDP files and
set to null by command line processor.
Currently it is not possible to cleanly install multiple major version
of FreeRDP concurrently as some of the development libraries (.so files)
files can conflict.
This change renames all libraries to include the major version number in
the library name to fix this limitation.
The list of changed libraries:
libwinpr-tools.so -> libwinpr-tools2.so
libwinpr.so -> libwinpr2.so
libfreerdp.so -> libfreerdp2.so
libfreerdp-client.so -> libfreerdp-client2.so
libfreerdp-shadow.so -> libfreerdp-shadow2.so
libfreerdp-server.so -> libfreerdp-server2.so
libfreerdp-shadow-subsystem.so -> libfreerdp-shadow-subsystem2.so
libuwac.so -> libuwac0.so
As the library names have changed, projects that use FreeRDP will need to
update their dependencies. -
If pkg-config or cmake find modules are used, reconfiguration might be
sufficient.
Fixes#3460
- fixed invalid, missing or additional arguments
- removed all type casts from arguments
- added missing (void*) typecasts for %p arguments
- use inttypes defines where appropriate
If a target is linked against libraries with cmake
(target_link_libraries) and the libraries are not marked as PRIVATE
they are "exported" and in case a other target is linked against this
target it is also linked against *all* (not private) libraries.
Without declaring private libraries PRIVATE a lot of over linking
(linking against unneeded libraries) was done.
Extend winpr and client/common to support a new option "/buildconfig".
When used build the following build specific information is print:
* cmake options
* cflags
* compiler
* target architecture
* cmake build type
With this commit the "exported" components (usable with pkg-config and
cmake find module package)
* winpr - winpr library and headers
* freerdp - core library and headers
* freerdp-client - client specific library
* freerdp-server - server specific library
* rdtk - rdtk headers and library
To allow the installation of multiple different version (different major
number) the include files were moved into the respective sub folder:
freerdp -> freerdp{MAJOR}/freerdp (currently freerdp2/freerdp/)
winpr -> winpr{MAJOR}/winpr (currently winrp1/winpr/)
rdtk -> rdpk{MAJOR}/rdtk (currently rdtk0/rdtk/
The generated pkg-config and cmake find modules now also include the major
version number. Currently the following pkg-config are generated and
installed.
* winpr1
* freerdp2
* freerdp-server2
* freerdp-client2
* rdtk0
As cmake is able to handle multiple versions out of the box the
following can be used to find a specific module:
find_package(WinPR)
find_package(FreeRDP)
find_package(FreeRDP-Server)
find_package(FreeRDP-Client)
find_package(RdTk)
As cmake doesn't automatically resolve dependencies for packages it is
necessary to manually include the requirements. For example if
FreeRDP-Client is required WinPR and FreeRDP need to be included
(find_package) as well.
This commit also fixes the installation when STATIC_CHANNELS are built.
WITH STATIC_CHANNELS all channels are linked into libfreerdp-client, for
this all channels are generated as linker archive and linked together in
the final step. Before the intermediate linker archives were, although
not required and useful, installed. Same applies for server side
channels.
In case the old behaviour of not reverse-mapping the mouse buttons is
desirable, a command-line option is added to disable the mapping. This
option is made experimental for the time being.
The default is to do the reverse mapping, as this is the intuitive
behaviour (the mouse then works as it would on the console).
This patch contains:
* checks for malloc return value + treat callers;
* modified malloc() + ZeroMemory() to calloc();
* misc fixes of micro errors seen during the code audit:
** some invalid checks in gcc.c, also there were some possible
integer overflow. This is interesting because at the end the data are parsed
and freed directly, so it's a vulnerability in some kind of dead code (at least
useless);
** fixed usage of GetComputerNameExA with just one call, when 2 were used
in misc places. According to MSDN GetComputerNameA() is supposed to return
an error when called with NULL;
** there were a bug in the command line parsing of shadow;
** in freerdp_dynamic_channel_collection_add() the size of array was multiplied
by 4 instead of 2 on resize
1)
Added missing checks for CreateEvent which also required the
following related changes:
- changed freerdp_context_new API to BOOL
- changed freerdp_peer_context_new API to BOOL
- changed pRdpClientNew callback to BOOL
- changed pContextNew callback to BOOL
- changed psPeerAccepted callback to BOOL
- changed psPeerContextNew callback to BOOL
2)
Fixed lots of missing alloc and error checks in the
changed code's neighbourhood.
3)
Check freerdp_client_codecs_prepare result to avoid segfaults
caused by using non-initialized codecs.
4)
Fixed deadlocks in x11 caused by missing xf_unlock_x11() calls
in some error handlers
5)
Some fixes in thread pool:
- DEFAULT_POOL assignment did not match TP_POOL definition
- don't free the pool pointer if it points to the static DEFAULT_POOL
- added error handling and cleanup in InitializeThreadpool
+ add: COMMAND_LINE_IGN_UNKNOWN_KEYWORD flag for CommandLineParseArgumentsA to ignory unknown keys without fail
+ add: lot of WLog_DBG() in drdynvc, add function names in existing
* change: error text in rdpsnd OSS
* fix: dev in rdpsnd does not work
* fix/change: audio-dev renamed to dev and now work in audin
* fix dynamic channels now work again
Command line detection is run with dummy settings where not everything
is allocated. Collections (device, dynamic channel and static
channel) didn't handle this case properly.
