freerdp: add option to disable credentials delegation

Marc-André Moreau
2014-02-14 00:43:31 -05:00
parent 8a44b2baa6
commit 87be2e0f80
5 changed files with 23 additions and 4 deletions


@@ -125,6 +125,7 @@ COMMAND_LINE_ARGUMENT_A args[] =
{ "pcb", COMMAND_LINE_VALUE_REQUIRED, "<blob>", NULL, NULL, -1, NULL, "Preconnection Blob" },
{ "pcid", COMMAND_LINE_VALUE_REQUIRED, "<id>", NULL, NULL, -1, NULL, "Preconnection Id" },
{ "spn-class", COMMAND_LINE_VALUE_REQUIRED, "<service class>", NULL, NULL, -1, NULL, "SPN authentication service class" },
{ "credentials-delegation", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL, "Disable credentials delegation" },
{ "vmconnect", COMMAND_LINE_VALUE_OPTIONAL, "<vmid>", NULL, NULL, -1, NULL, "Hyper-V console (use port 2179, disable negotiation)" },
{ "authentication", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "authentication (hack!)" },
{ "encryption", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "encryption (hack!)" },
@@ -1143,6 +1144,10 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
{
settings->AuthenticationServiceClass = _strdup(arg->Value);
}
CommandLineSwitchCase(arg, "credentials-delegation")
{
settings->DisableCredentialsDelegation = arg->Value ? FALSE : TRUE;
}
CommandLineSwitchCase(arg, "vmconnect")
{
settings->ServerPort = 2179;
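Review bot: The new table entry and its parse case disagree on polarity. The option is named `credentials-delegation`, lists `BoolValueFalse` as its default and is described as "Disable credentials delegation", yet the `CommandLineSwitchCase` sets `DisableCredentialsDelegation` to TRUE only when `arg->Value` is false, which is the `-credentials-delegation` form. Someone following the help text could pass `+credentials-delegation` expecting delegation to be off and still have credentials sent to the server. Assuming the setting starts out FALSE (its initialisation is not visible in this commit), the entry would be clearer as `{ "credentials-delegation", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "Credentials delegation (use -credentials-delegation to disable)" },`. Both hunks sit inside definitions that continue outside the lines shown.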


@@ -598,6 +598,7 @@ typedef struct _RDPDR_PARALLEL RDPDR_PARALLEL;
#define FreeRDP_NegotiateSecurityLayer 1096
#define FreeRDP_RestrictedAdminModeRequired 1097
#define FreeRDP_AuthenticationServiceClass 1098
#define FreeRDP_DisableCredentialsDelegation 1099
#define FreeRDP_MstscCookieMode 1152
#define FreeRDP_CookieMaxLength 1153
#define FreeRDP_PreconnectionId 1154
@@ -950,7 +951,8 @@ struct rdp_settings
ALIGN64 BOOL NegotiateSecurityLayer; /* 1096 */
ALIGN64 BOOL RestrictedAdminModeRequired; /* 1097 */
ALIGN64 char* AuthenticationServiceClass; /* 1098 */
UINT64 padding1152[1152 - 1099]; /* 1099 */
ALIGN64 BOOL DisableCredentialsDelegation; /* 1099 */
UINT64 padding1152[1152 - 1100]; /* 1100 */
/* Connection Cookie */
ALIGN64 BOOL MstscCookieMode; /* 1152 */


@@ -654,6 +654,10 @@ BOOL freerdp_get_param_bool(rdpSettings* settings, int id)
return settings->RestrictedAdminModeRequired;
break;
case FreeRDP_DisableCredentialsDelegation:
return settings->DisableCredentialsDelegation;
break;
case FreeRDP_MstscCookieMode:
return settings->MstscCookieMode;
break;
@@ -1122,6 +1126,10 @@ int freerdp_set_param_bool(rdpSettings* settings, int id, BOOL param)
settings->RestrictedAdminModeRequired = param;
break;
case FreeRDP_DisableCredentialsDelegation:
settings->DisableCredentialsDelegation = param;
break;
case FreeRDP_MstscCookieMode:
settings->MstscCookieMode = param;
break;


@@ -123,6 +123,9 @@ int credssp_ntlm_client_init(rdpCredssp* credssp)
settings = credssp->settings;
instance = (freerdp*) settings->instance;
if (settings->RestrictedAdminModeRequired)
settings->DisableCredentialsDelegation = TRUE;
if ((!settings->Password) || (!settings->Username)
|| (!strlen(settings->Password)) || (!strlen(settings->Username)))
{
@@ -998,7 +1001,7 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
UserLength = credssp->identity.UserLength;
PasswordLength = credssp->identity.PasswordLength;
if (credssp->settings->RestrictedAdminModeRequired)
if (credssp->settings->DisableCredentialsDelegation)
{
credssp->identity.DomainLength = 0;
credssp->identity.UserLength = 0;
@@ -1008,10 +1011,10 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
length = ber_sizeof_sequence(credssp_sizeof_ts_credentials(credssp));
sspi_SecBufferAlloc(&credssp->ts_credentials, length);
s = Stream_New(credssp->ts_credentials.pvBuffer, length);
s = Stream_New((BYTE*) credssp->ts_credentials.pvBuffer, length);
credssp_write_ts_credentials(credssp, s);
if (credssp->settings->RestrictedAdminModeRequired)
if (credssp->settings->DisableCredentialsDelegation)
{
credssp->identity.DomainLength = DomainLength;
credssp->identity.UserLength = UserLength;
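Review bot: The zero-then-restore of the identity lengths in credssp_encode_ts_credentials is now controlled by a user-facing option but has no comment, so its security purpose is easy to lose in a later edit. Above the first `if (credssp->settings->DisableCredentialsDelegation)` I would add `/* delegation disabled: size and encode TSCredentials with zero-length identity fields */`, and above the second `/* put the saved lengths back; only the encoded copy is blanked */`. In credssp_ntlm_client_init the new assignment deserves `/* restricted admin mode implies no credentials delegation */`. That comment should also say the assignment writes to the caller's settings, so the flag stays TRUE afterwards. All three functions start and end outside the hunks, so whether PasswordLength is zeroed along with the other two lengths should be confirmed against the full body.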


@@ -618,6 +618,7 @@ rdpSettings* freerdp_settings_clone(rdpSettings* settings)
_settings->Authentication = settings->Authentication; /* 1092 */
_settings->NegotiateSecurityLayer = settings->NegotiateSecurityLayer; /* 1096 */
_settings->RestrictedAdminModeRequired = settings->RestrictedAdminModeRequired; /* 1097 */
_settings->DisableCredentialsDelegation = settings->DisableCredentialsDelegation; /* 1099 */
_settings->MstscCookieMode = settings->MstscCookieMode; /* 1152 */
_settings->SendPreconnectionPdu = settings->SendPreconnectionPdu; /* 1156 */
_settings->IgnoreCertificate = settings->IgnoreCertificate; /* 1408 */