Milestone 5: deliver embedded RDP sessions and lifecycle hardening

2026-03-03 18:59:26 -07:00
parent 230a401386
commit 36006bd4aa
2941 changed files with 724359 additions and 77 deletions
--- a/third_party/FreeRDP/winpr/libwinpr/sspicli/CMakeLists.txt
+++ b/third_party/FreeRDP/winpr/libwinpr/sspicli/CMakeLists.txt
@@ -0,0 +1,18 @@
+# WinPR: Windows Portable Runtime
+# libwinpr-sspicli cmake build script
+#
+# Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+winpr_module_add(sspicli.c)
--- a/third_party/FreeRDP/winpr/libwinpr/sspicli/ModuleOptions.cmake
+++ b/third_party/FreeRDP/winpr/libwinpr/sspicli/ModuleOptions.cmake
@@ -0,0 +1,7 @@
+set(MINWIN_LAYER "0")
+set(MINWIN_GROUP "none")
+set(MINWIN_MAJOR_VERSION "0")
+set(MINWIN_MINOR_VERSION "0")
+set(MINWIN_SHORT_NAME "sspicli")
+set(MINWIN_LONG_NAME "Authentication Functions")
+set(MODULE_LIBRARY_NAME "${MINWIN_SHORT_NAME}")
--- a/third_party/FreeRDP/winpr/libwinpr/sspicli/sspicli.c
+++ b/third_party/FreeRDP/winpr/libwinpr/sspicli/sspicli.c
@@ -0,0 +1,306 @@
+/**
+ * WinPR: Windows Portable Runtime
+ * Security Support Provider Interface
+ *
+ * Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <winpr/config.h>
+
+#include <winpr/assert.h>
+#include <winpr/sspicli.h>
+
+/**
+ * sspicli.dll:
+ *
+ * EnumerateSecurityPackagesA
+ * EnumerateSecurityPackagesW
+ * GetUserNameExW
+ * ImportSecurityContextA
+ * LogonUser
+ * LogonUserEx
+ * LogonUserExExW
+ * SspiCompareAuthIdentities
+ * SspiCopyAuthIdentity
+ * SspiDecryptAuthIdentity
+ * SspiEncodeAuthIdentityAsStrings
+ * SspiEncodeStringsAsAuthIdentity
+ * SspiEncryptAuthIdentity
+ * SspiExcludePackage
+ * SspiFreeAuthIdentity
+ * SspiGetTargetHostName
+ * SspiIsAuthIdentityEncrypted
+ * SspiLocalFree
+ * SspiMarshalAuthIdentity
+ * SspiPrepareForCredRead
+ * SspiPrepareForCredWrite
+ * SspiUnmarshalAuthIdentity
+ * SspiValidateAuthIdentity
+ * SspiZeroAuthIdentity
+ */
+
+#ifndef _WIN32
+
+#include <winpr/crt.h>
+
+#ifdef WINPR_HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#if defined(WINPR_HAVE_GETPWUID_R)
+#include <sys/types.h>
+#endif
+
+#include <pthread.h>
+
+#include <pwd.h>
+#include <grp.h>
+
+#include "../handle/handle.h"
+
+#include "../security/security.h"
+
+static BOOL LogonUserCloseHandle(HANDLE handle);
+
+static BOOL LogonUserIsHandled(HANDLE handle)
+{
+	return WINPR_HANDLE_IS_HANDLED(handle, HANDLE_TYPE_ACCESS_TOKEN, FALSE);
+}
+
+static int LogonUserGetFd(HANDLE handle)
+{
+	WINPR_ACCESS_TOKEN* pLogonUser = (WINPR_ACCESS_TOKEN*)handle;
+
+	if (!LogonUserIsHandled(handle))
+		return -1;
+
+	/* TODO: File fd not supported */
+	(void)pLogonUser;
+	return -1;
+}
+
+BOOL LogonUserCloseHandle(HANDLE handle)
+{
+	WINPR_ACCESS_TOKEN* token = (WINPR_ACCESS_TOKEN*)handle;
+
+	if (!handle || !LogonUserIsHandled(handle))
+		return FALSE;
+
+	free(token->Username);
+	free(token->Domain);
+	free(token);
+	return TRUE;
+}
+
+static HANDLE_OPS ops = { LogonUserIsHandled,
+	                      LogonUserCloseHandle,
+	                      LogonUserGetFd,
+	                      nullptr, /* CleanupHandle */
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr,
+	                      nullptr };
+
+BOOL LogonUserA(LPCSTR lpszUsername, LPCSTR lpszDomain, WINPR_ATTR_UNUSED LPCSTR lpszPassword,
+                WINPR_ATTR_UNUSED DWORD dwLogonType, WINPR_ATTR_UNUSED DWORD dwLogonProvider,
+                PHANDLE phToken)
+{
+	if (!lpszUsername)
+		return FALSE;
+
+	WINPR_ACCESS_TOKEN* token = (WINPR_ACCESS_TOKEN*)calloc(1, sizeof(WINPR_ACCESS_TOKEN));
+
+	if (!token)
+		return FALSE;
+
+	WINPR_HANDLE_SET_TYPE_AND_MODE(token, HANDLE_TYPE_ACCESS_TOKEN, WINPR_FD_READ);
+	token->common.ops = &ops;
+	token->Username = _strdup(lpszUsername);
+
+	if (!token->Username)
+		goto fail;
+
+	if (lpszDomain)
+	{
+		token->Domain = _strdup(lpszDomain);
+
+		if (!token->Domain)
+			goto fail;
+	}
+
+	{
+		long buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+		if (buflen < 0)
+			buflen = 8196;
+
+		{
+			const size_t s = 1ULL + (size_t)buflen;
+			char* buf = (char*)calloc(s, sizeof(char));
+			if (!buf)
+				goto fail;
+
+			{
+				struct passwd pwd = WINPR_C_ARRAY_INIT;
+				struct passwd* pw = nullptr;
+				const int rc = getpwnam_r(lpszUsername, &pwd, buf,
+				                          WINPR_ASSERTING_INT_CAST(size_t, buflen), &pw);
+				free(buf);
+				if ((rc == 0) && pw)
+				{
+					token->UserId = (DWORD)pw->pw_uid;
+					token->GroupId = (DWORD)pw->pw_gid;
+				}
+
+				*((ULONG_PTR*)phToken) = (ULONG_PTR)token;
+				return TRUE;
+			}
+		}
+	}
+fail:
+	free(token->Username);
+	free(token->Domain);
+	free(token);
+	return FALSE;
+}
+
+BOOL LogonUserW(WINPR_ATTR_UNUSED LPCWSTR lpszUsername, WINPR_ATTR_UNUSED LPCWSTR lpszDomain,
+                WINPR_ATTR_UNUSED LPCWSTR lpszPassword, WINPR_ATTR_UNUSED DWORD dwLogonType,
+                WINPR_ATTR_UNUSED DWORD dwLogonProvider, WINPR_ATTR_UNUSED PHANDLE phToken)
+{
+	WLog_ERR("TODO", "TODO: implement");
+	return TRUE;
+}
+
+BOOL LogonUserExA(WINPR_ATTR_UNUSED LPCSTR lpszUsername, WINPR_ATTR_UNUSED LPCSTR lpszDomain,
+                  WINPR_ATTR_UNUSED LPCSTR lpszPassword, WINPR_ATTR_UNUSED DWORD dwLogonType,
+                  WINPR_ATTR_UNUSED DWORD dwLogonProvider, WINPR_ATTR_UNUSED PHANDLE phToken,
+                  WINPR_ATTR_UNUSED PSID* ppLogonSid, WINPR_ATTR_UNUSED PVOID* ppProfileBuffer,
+                  WINPR_ATTR_UNUSED LPDWORD pdwProfileLength,
+                  WINPR_ATTR_UNUSED PQUOTA_LIMITS pQuotaLimits)
+{
+	WLog_ERR("TODO", "TODO: implement");
+	return TRUE;
+}
+
+BOOL LogonUserExW(WINPR_ATTR_UNUSED LPCWSTR lpszUsername, WINPR_ATTR_UNUSED LPCWSTR lpszDomain,
+                  WINPR_ATTR_UNUSED LPCWSTR lpszPassword, WINPR_ATTR_UNUSED DWORD dwLogonType,
+                  WINPR_ATTR_UNUSED DWORD dwLogonProvider, WINPR_ATTR_UNUSED PHANDLE phToken,
+                  WINPR_ATTR_UNUSED PSID* ppLogonSid, WINPR_ATTR_UNUSED PVOID* ppProfileBuffer,
+                  WINPR_ATTR_UNUSED LPDWORD pdwProfileLength,
+                  WINPR_ATTR_UNUSED PQUOTA_LIMITS pQuotaLimits)
+{
+	WLog_ERR("TODO", "TODO: implement");
+	return TRUE;
+}
+
+BOOL GetUserNameExA(EXTENDED_NAME_FORMAT NameFormat, LPSTR lpNameBuffer, PULONG nSize)
+{
+	WINPR_ASSERT(lpNameBuffer);
+	WINPR_ASSERT(nSize);
+
+	switch (NameFormat)
+	{
+		case NameSamCompatible:
+#if defined(WINPR_HAVE_GETPWUID_R)
+		{
+			int rc = 0;
+			struct passwd pwd = WINPR_C_ARRAY_INIT;
+			struct passwd* result = nullptr;
+			uid_t uid = getuid();
+
+			rc = getpwuid_r(uid, &pwd, lpNameBuffer, *nSize, &result);
+			if (rc != 0)
+				return FALSE;
+			if (result == nullptr)
+				return FALSE;
+		}
+#elif defined(WINPR_HAVE_GETLOGIN_R)
+			if (getlogin_r(lpNameBuffer, *nSize) != 0)
+				return FALSE;
+#else
+		{
+			const char* name = getlogin();
+			if (!name)
+				return FALSE;
+			strncpy(lpNameBuffer, name, strnlen(name, *nSize));
+		}
+#endif
+			{
+				const size_t len = strnlen(lpNameBuffer, *nSize);
+				if (len > UINT32_MAX)
+					return FALSE;
+				*nSize = (ULONG)len;
+			}
+			return TRUE;
+
+		case NameFullyQualifiedDN:
+		case NameDisplay:
+		case NameUniqueId:
+		case NameCanonical:
+		case NameUserPrincipal:
+		case NameCanonicalEx:
+		case NameServicePrincipal:
+		case NameDnsDomain:
+			break;
+
+		default:
+			break;
+	}
+
+	return FALSE;
+}
+
+BOOL GetUserNameExW(EXTENDED_NAME_FORMAT NameFormat, LPWSTR lpNameBuffer, PULONG nSize)
+{
+	BOOL rc = FALSE;
+	char* name = nullptr;
+
+	WINPR_ASSERT(nSize);
+	WINPR_ASSERT(lpNameBuffer);
+
+	name = calloc(1, *nSize + 1);
+	if (!name)
+		goto fail;
+
+	if (!GetUserNameExA(NameFormat, name, nSize))
+		goto fail;
+
+	{
+		const SSIZE_T res = ConvertUtf8ToWChar(name, lpNameBuffer, *nSize);
+		if ((res < 0) || (res >= UINT32_MAX))
+			goto fail;
+
+		*nSize = (UINT32)res + 1;
+	}
+	rc = TRUE;
+fail:
+	free(name);
+	return rc;
+}
+
+#endif