* Allow an application to set a vendor/product/version namespace to search
for configuration files/settings/...
* Replace all FREERDP_VENDOR_STRING and similar macros with these
getters.
This function should be used to free certain buffers retrieved using
freerdp_nla_QueryContextAttributes(). It fetches the right vfunc table
to call into, which typically ends up in sspi_FreeContextBuffer() in
sspi_winpr.c.
This is needed to allow querying the PackageInfo attribute.
This patch adds the handling of basic NTLM commands. Because there's some mysterious
4 zero bytes after pickle header in Kerberos packets, not present in NTLM commands, the
patch also had to rework a bit the packet parsing / forging.
The patch also addresses a server-side bug when parsing supplemental creds, if the client
was sending an empty list, we were considering this as an error.
And finally we also implement the parsing of MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL.
This breaks the public API, anyway this was basically unused (as not parsed before) and
the previous API was wrong as what we receive is MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL
not MSV1_0_SUPPLEMENTAL_CREDENTIAL, so I guess the API breakage is ok.
Due to a bug in the tag comparison, ReaderName, CardName, CspName and containerName
were not read on server side during a smartcard logon, leading to incomplete settings.
When logging with a smartcard logon, the TS Credentials packet can also contains
hints of the user and the domain that were used. This patch adds these informations.
This patch implements the client-side part of the remote credential guard feature
as described in MS-RDPEAR. The 2 main changes are: shipping the TSRemoteGuardaCreds in
NLA, and implement the rdpear channel that allows LSASS to remote all the calls to
our client. For now it's UNIX only as the windows implementation would be implemented
in a completely different way.
To test, you may establish you ccache and then connect with (RCG enabled on the server):
xfreerdp /remoteGuard /u:<user> /d:<domain> /v<server>
That should log you in, and in the session you should not be asked for credentials when
doing mstsc /remoteGuard /v:<other server>.
Under certain circumstances `InitializeSecurityContext` returns an error
if a wrong password was provided. This PR checks the returned status
code and correctly sets the last error code. This allows a client
application to ask the user again for credentials.
A scenario where this happens is when a user tries to connect with a wrong
password and both machines are joined to the same domain.
Adds support for server-side remote credential guard in NLA. When enabled that allows
the remote user to connect without shipping credentials in TSCred packets. Instead
it will send his TGT encoded with a TGS from the remote server. This way the server
is able to populate that TGT in a local credential cache without knowing the user's
password.
The patch only treats the NLA part and does not contain the associated RDPEAR channel
that allows to have the complete interaction to retrieve new access tokens.
The RDP client sends TSCredentials so that the server can reuse these credentials. This
patch stores these values in the peer's rdpSettings in the corresponding fields.
It handles TSPasswordCreds for user/domain/password connection but also TSSmartCardCreds
when the users has connected with a smartcard.
