Commit Graph

264 Commits

Author SHA1 Message Date
Armin Novak
b56b09840a Fixed -Wshadow 2022-11-21 10:12:31 +01:00
Armin Novak
31c1700c0c Fixed -Wunused-variable 2022-11-21 10:12:31 +01:00
Armin Novak
f1ae9be54d Fixed nla error code to string conversion 2022-10-27 10:37:23 +02:00
fifthdegree
eb04eb0008 Support using smartcard for gateway authentication 2022-10-19 18:55:38 +02:00
fifthdegree
e847f159a6 Try to use the smartcard key name Windows uses
Windows expects the containerName field in TSSmartCardCreds to be what
it would use for a smartcard key's name. Try to accomodate that (at
least for PIV and GIDS cards).
2022-10-19 18:55:38 +02:00
fifthdegree
9d0beaccae smartcardlogon: choose a single smartcard to use
Require a single smartcard certificate to be chosen and define a
callback to choose when more than one is available.
2022-10-19 18:55:38 +02:00
Marc-André Moreau
e3594c91dc Add UserSpecifiedServerName setting, /server-name command-line parameter 2022-10-14 17:59:57 -04:00
Martin Fleisz
4bc74392c2 nla: Fix some issues with server-side NLA authentication
This PR fixes following issues with server-side NLA authentication:

- The client nonce should only be sent by the client
- The final stage in the nego token exchange checked the negoToken
  buffer for data. Instead the corresponding credssp API is now used
  which checks the correct buffer (output_buffer).
- The negoToken buffer needs to be cleared before sending the public key
  echo. In some cases the buffer was not empty and incorrectly was part
  of the response to the client.
2022-10-13 17:16:07 +02:00
David Fort
f76c14c256 fix smartcard logon with smartcard emulation
When smartcard emulation was enabled we were dumping the key and cert to
temporary files for PKINIT call, but they were deleted before we have
actually done the PKINIT. This patch fixes it.

It also add debug statement for the listing of smartcard keys / certs.

This also fixes the listing of smartcard on certain windows configurations
were we have to force NCRYPT_SILENT when doing a NCryptOpenKey.
2022-10-13 12:03:58 +02:00
David Fort
467816a7a5 nla: fix unicode and non unicode build 2022-10-10 09:01:04 +02:00
David Fort
f486fb1e92 fixes for NLA under win32 2022-10-10 09:01:04 +02:00
akallabeth
7dde39de9d Fixed ownership of negoToken
* Ensure negoToken is cleaned up in nla_free
* Renamed function credssp_auth_take_input_buffer now invalidates
  input buffer an takes ownership of that buffer
2022-10-09 21:34:26 +02:00
akallabeth
54a1e4ea7e Fixed invalid return values 2022-10-07 11:04:04 +02:00
fifthdegree
2de7a4c249 Support spnego authentication for gateway
* Consolidate authentication support functions into auth.c
* Change authentication flow in gateway to be non-ntlm specific
2022-10-06 21:33:01 +02:00
Marc-André Moreau
479e891545 check return values for SetCredentialsAttributes, throw warnings for unsupported attributes 2022-09-30 19:33:12 +02:00
Marc-André Moreau
fddb0dac75 add missing OOM checks 2022-09-30 19:33:12 +02:00
Marc-André Moreau
eadbb15741 run clang-format 2022-09-30 19:33:12 +02:00
Marc-André Moreau
80a1fc6a98 add SetCredentialsAttributes SSPI function 2022-09-30 19:33:12 +02:00
Marc-André Moreau
23f66f3987 add KDC URL to internal SSPI Kerberos settings 2022-09-30 19:33:12 +02:00
akallabeth
1849632c43
Fixed format strings to match arguments (#8254)
* Fixed format strings to match arguments

Reviewed and replaced all %d specifiers to match proper type

* Added proxy dynamic channel command type to log messages.
2022-09-29 14:55:27 +02:00
akallabeth
f8159cc18a
Fixed memory leak in nla_send (#8193) 2022-09-12 10:54:29 +02:00
fifthdegree
7901a26a16
Kerberos User 2 User support (#8070)
* add support for 64-bit big-endian encoding

* kerberos: drop reliance on gssapi and add user 2 user support

* Fix local variable declared in the middle of the function body

* kerberos: add ccache server option

Co-authored-by: fifthdegree <fifthdegree@protonmail.com>
Co-authored-by: David Fort <contact@hardening-consulting.com>
2022-08-17 12:25:26 +02:00
fifthdegree
5f3bc5842a nla: use winpr asn1 library 2022-07-26 09:38:53 +02:00
Martin Fleisz
e58d53188a core: Fix broken string handling for custom sspi module loading 2022-07-21 15:59:43 +02:00
fifthdegree
e66b99f8dc deprecate old hash callback field 2022-06-21 10:27:17 +02:00
fifthdegree
6d3aa52496 set SAM file and hash callback on credential rather than context 2022-06-21 10:27:17 +02:00
fifthdegree
eeece1a027 server-side kerberos (and some fixes) 2022-06-21 10:27:17 +02:00
fifthdegree
1c012b09b8 implement proper SPNEGO negotiation 2022-06-21 10:27:17 +02:00
Marc-André Moreau
1d5c0be5ec Add settings to load a custom SSPI shared library module 2022-06-01 15:16:12 +02:00
David Fort
97c65d9701
Console mode fix (#7902)
* core: correctly handle console mode server-side

In server-side we were not interpreting redirected session flag to compute a
console mode flag. In the proxy that was leading client connecting with /admin to front
to not connect with /admin on the back server.

* nla: fix the printinng of the package name
2022-05-16 09:05:48 +02:00
akallabeth
ec699f6c75 scanbuild fixes 2022-04-28 12:37:19 +02:00
Armin Novak
a005472337 Fixed const correctness of settings pointers 2022-04-27 19:42:04 +02:00
Armin Novak
5482607b15 Added Stream_PointerAs
This macro allows retrieving the stream pointer casted to correct
type.
2022-04-27 19:42:04 +02:00
akallabeth
73cdcdfe09
Logging and parser fixes (#7796)
* Fixed remdesk settings pointer

* Fixed sign warnings in display_write_monitor_layout_pdu

* Use freerdp_abort_connect_context and freerdp_shall_disconnect_context

* Added and updates settings

* info assert/dynamic timezone

* mcs assert/log/flags

* Fixed and added assertions for wStream

* Unified stream length checks

* Added new function to check for lenght and log
* Replace all usages with this new function

* Cleaned up PER, added parser logging

* Cleaned up BER, added parser logging

* log messages

* Modified Stream_CheckAndLogRequiredLengthEx

* Allow custom format and options
* Add Stream_CheckAndLogRequiredLengthExVa for prepared va_list

* Improved Stream_CheckAndLogRequiredLength

* Now have log level adjustable
* Added function equivalents for existing logger
* Added a backtrace in case of a failure is detected

* Fixed public API input checks
2022-04-19 14:29:17 +02:00
akallabeth
47bd162065 Added function sspi_SetAuthIdentityW 2022-03-28 15:52:59 +02:00
akallabeth
905609381f Unified sspi_FreeAuthIdentity 2022-03-28 15:52:59 +02:00
akallabeth
7b5ebced28 Fixed use of rdpSettings, prefer getter/setter 2022-03-28 15:52:32 +02:00
Martin Fleisz
ecf7a5929d nla: Fix handling of NULL identity
While the identity got correctly reset if no username was set,
identityPtr was dangling and caused AcquireCredentialsHandle to fail.
2022-03-25 12:28:32 +01:00
akallabeth
c2e882c509
Nla server cleanup && server auth fix (#7743)
* Reduce negotiate logging verbosity

* Remove duplicate pointers from rdpNla

* Fixed server nla auth

* Encapsulated nla_server_recv_credentials
2022-03-25 10:47:05 +01:00
akallabeth
704289ffee
Smartcard tls logon fix (#7709)
* Early return authenticate if TLS smartcard logon

* Removed obsolete SmartcardPin and unified AuthenticateEx calls

* Remove password-is-pin from command line

The setting is implied by smartcard-logon and only of interest in
server side code, so the setting is useless

* Rework AUTH_SMARTCARD_PIN

Just prompt for PIN and not user/domain if this is requested.

* Fixed a memory leak in nla.c

* Align credentail prompt

* Handle AUTH_NLA & smartcard, just ask for PIN

* Added assertions, removed duplicate password prompt check

* Move smartcard logon after credential prompt
2022-03-09 09:09:53 +01:00
Armin Novak
4d03d7c0bf Freerdp remove #ifdef HAVE_CONFIG_H 2022-03-03 11:26:48 +01:00
Armin Novak
b2ad47a809 Reorganized FreeRDP headers 2022-03-03 11:26:48 +01:00
akallabeth
64f47848c9
Proxy fixes (#7686)
* Fixed a memory leak in server side NLA auth

* Fixed #7675: Pass channel packets directly
2022-03-02 09:13:41 +01:00
David Fort
502f44949a nla: fix smartcard login under windows
Remove incorrect UNICODE flag for Ascii structures.
2022-03-02 07:32:45 +01:00
Armin Novak
499d73e6f4 Replaced strdup with _strdup 2022-02-24 08:52:25 +01:00
Armin Novak
150674f341 Moved headers to appropriate places 2022-02-24 08:52:25 +01:00
David Fort
0435b5a65d Implement smartcard logon 2022-02-24 08:52:25 +01:00
Armin Novak
b3790d7454 Removed Smartcard files from settings
* Removed file names from settings
* Added temporary file creation for pkinit
2022-02-24 08:52:25 +01:00
David Fort
44c82cd929 Fixes various akallabeth remarks 2022-02-24 08:52:25 +01:00
Armin Novak
a00238d253 Use freerdp_settings_set and _strdup 2022-02-24 08:52:25 +01:00
David Fort
cb351a099d Enable smartcard NLA logon 2022-02-24 08:52:25 +01:00
akallabeth
2d2627deab
Fixed SSPI fallback to NTLM (#7642)
* Fixed SSPI fallback to NTLM

* Fixed wide/ansi mixup

* WITH_GSS fixes

* Move to WinPR as this is not related to FreeRDP
* Add option WITH_GSS_NO_NTLM_FALLBACK to disable NTLM fallback

* Abort NLA if status is SEC_E_NO_CREDENTIALS

* Properly invalidate sspi::SubContext
2022-02-15 09:04:17 +01:00
Armin Novak
ca30e749e9 Fixed unused-but-set-variable and reserved identifier warnings 2022-02-01 08:48:21 +01:00
Armin Novak
673fb46836 Fixed uninitialized warnings 2021-09-10 08:16:25 +02:00
Armin Novak
17f530a866 Transport opaque 2021-09-09 08:36:01 +02:00
Martin Fleisz
c2819a00c9 nla: Remove incorrect check when using NLA with a NULL identity
When using NLA with a NULL identity (in AcquireCredentialsHandle) on
Windows the client sends the first NLA package with cbBuffer set to 0.
In that case the client currently incorrectly kills the connection. With
this PR the check is removed and the client correctly connects to the server.
2021-09-08 14:02:00 +02:00
Armin Novak
50e9d3adf9 Implemented new AuthenticateEx callbacks. 2021-09-04 18:01:30 +02:00
Armin Novak
fbae9ba88c Added LoadLibraryX and LoadLibraryExX
These functions take a UTF8 string and load a library with
LoadLibraryW under windows.
2021-09-03 08:29:15 +02:00
Armin Novak
06c883a709 Fix #7249: Endless loop in NLA 2021-08-26 09:26:34 +02:00
akallabeth
242f1734ec Fixed dpkg-buildpackage warnings 2021-06-30 11:57:23 +02:00
Armin Novak
6eab6391c7 Fixed invalid return value conversion 2021-06-21 13:27:39 +02:00
akallabeth
6726772d8d Fixed integer warnings 2021-06-18 09:41:02 +02:00
akallabeth
460fef545d Refactored NLA
* Simplified client/server state machine
* Encapsulated steps in functions
* Added proper debug logging so that state changes are easy to
  follow
2021-06-09 11:03:37 +02:00
Biswapriyo Nath
173ab04b59 Use same data types as calling function prototypes. 2021-05-31 13:38:19 +02:00
Peter Harris
63ef97a2b3 core/nla: fix order of operations
The order of evaluation of the two sides of addition is undefined in C.
Since there is no sequence point between ber_write_contextual_tag and
ber_write_octet_string, these two functions can be called in any order.

Force the correct order by breaking the two function calls into two
separate statements.
2020-10-06 17:19:38 +02:00
Armin Novak
10ed4ec422 Improve NLA auth token debugging 2020-08-10 17:10:42 +02:00
Armin Novak
32c9a519df Improve NLA error code logging. 2020-08-10 14:35:40 +02:00
akallabeth
354bb7d6ae Fixed some more resource cleanup leaks in nla 2020-05-20 15:10:08 +02:00
akallabeth
1e5bf45b1e Ensure buffers are NULL before reuse in NLA 2020-05-20 15:10:08 +02:00
Armin Novak
24bd601f8d Fixed data type warnings 2020-04-11 09:43:14 +02:00
akallabeth
bc33a50c5a Treat NULL and empty string as the same for credentials. 2020-03-24 12:34:35 +01:00
Armin Novak
ac4bb3c103 End connection before user callbacks if aborted.
If somewhere in freerdp_connect freerdp_abort_connect was called
the user callbacks Authenticate, GatewayAuthenticate and
Verify[Changed|X509]Certificate[Ex] must not be called.
2020-02-19 16:44:42 +01:00
Armin Novak
7d252cdc8e Added freerdp_set_last_error_ex function
This new function allows better logging of call locations
for errors. Additionally added freerdp_set_error_log macro
to record function, file and line the error was set.

Signed-off-by: Armin Novak <armin.novak@thincast.com>
2020-01-08 17:39:25 +01:00
Armin Novak
72ca88f49c Reformatted to new style 2019-11-07 10:53:54 +01:00
Martin Fleisz
645cd3208f core: Fix handling of PromptForCredentials setting
The prompt for credentials setting was incorrectly used in FreeRDP. If
this setting is set to 1 in a rdp file the client should prompt for
credentials even if it has credentials stored for this connection. If
the setting is set to 0 the client should either use the stored
credentials (if present) or ask for username/password otherwise.
This PR changes the old handling (if PromptForCredentials was set to 0
no credential prompting was done) to the desired behavior.
2019-08-20 16:25:08 +02:00
Armin Novak
3b38479ec5 Added PromptForCredentials setting. 2019-07-15 12:01:30 +02:00
Armin Novak
f51a9bafcc Fixed sign-compare warnings 2019-04-05 09:13:24 +02:00
Armin Novak
67be5258ad Exposing NLA functions to impersonate and revert context. 2019-03-08 10:10:43 +01:00
Armin Novak
82863a8518 Refactored NLA to be self contained. 2018-12-05 10:55:06 +01:00
Armin Novak
17bbe7a23f Do not compile extended authentication debugging by default. 2018-11-21 15:36:31 +01:00
Pascal J. Bourguignon
6f2caef778 Fix Issue #4983 : Increased size of buffer to encrypt hash with kerberos. 2018-11-06 11:20:02 +01:00
Armin Novak
991f051a63 Fixed stream release for transport_write 2018-10-17 14:55:55 +02:00
byteboon
1d99d2d5fa Regression: added back kerberos signature fix that was lost in a recent refactor #4801 2018-10-05 09:43:00 -07:00
Tobias
a4df4f7bbf
Do not prompt if blank password was provided 2018-09-19 15:36:24 +02:00
Armin Novak
62c1696d4c Removed use of unchecked sprintf 2018-08-27 14:34:42 +02:00
Ondrej Holy
2417a6a16c core/nla: Fix leak found by covscan
leaked_storage: Variable "s" going out of scope leaks the storage it points to.
2018-08-22 14:34:02 +02:00
Armin Novak
398da7340b Added no or missing credentail error. 2018-07-05 16:12:52 +02:00
Armin Novak
458e51eae8 Do not set password to identity if pth is used. 2018-05-04 10:40:55 +02:00
Armin Novak
5b961e9c75 Fixed /pth: Consistently treat the hash offset to password length. 2018-05-03 17:51:11 +02:00
Mariusz Zaborski
dc2c826edd Fix checking of krb in encrypt public key echo.
In commit 0e1a073384 there was a mistake -
originally code said different then kerberos. Because of that NLA authentication
of server side didn't work for me.
2018-04-09 15:09:38 +02:00
Martin Fleisz
5c59b5f2b8 cssp: Fix handling of nonce 2018-03-29 21:42:14 +02:00
Martin Fleisz
eb1f693fc4 cssp: Separate client/server version handling (#4502) 2018-03-23 12:12:08 +01:00
Martin Fleisz
e9ba4b58ec cssp: Fix warnings (#4503) 2018-03-21 12:57:58 +01:00
Martin Fleisz
8df96364f2 cssp: Add support for protocol version 6 2018-03-20 10:37:38 +01:00
Bernhard Miklautz
e7ae3f6bab fix nla: don't use server version
FreeRDP currently only supports CredSSP protocol version 3. However the
current implementation always sent back the version received by the
server indicating that this version was supported.
With recent windows updates applied the protocol changed and this approach
doesn't work anymore (see
https://msdn.microsoft.com/en-us/library/mt752485.aspx for protocol changes).

With this fix FreeRDP always sends version 3 as supported version.

Credit goes to @mfleisz.

Fixes #4449
2018-03-14 14:04:56 +01:00
Martin Fleisz
07f05c5cb3 nla: Add NULL pointer check 2018-03-06 15:39:03 +01:00
Armin Novak
53d2150e00 Fixed windows unicode authentication. 2018-02-13 11:29:56 +01:00
Armin Novak
29f2d2d9bb Fixed missing packageName setup in server NLA 2018-01-17 09:09:58 +01:00
Armin Novak
0e1a073384 Simplified package name comparisons. 2018-01-17 08:18:45 +01:00
Armin Novak
dc3d536398 Changed length arguments and return to size_t 2018-01-17 08:14:06 +01:00