From 6fcbf7f84cfc7592f7a5ceb30f2bc8dd7db038b2 Mon Sep 17 00:00:00 2001 From: Rainer Bayr Date: Mon, 2 Feb 2026 13:56:03 +0100 Subject: [PATCH] add NLA support an the nla-ntlm-db option Signed-off-by: Rainova --- frontend/main.c | 3 ++ include/libweston/backend-rdp.h | 1 + libweston/backend-rdp/rdp.c | 93 +++++++++++++++++++++++++++++---- libweston/backend-rdp/rdp.h | 2 + man/weston-rdp.man | 6 +++ 5 files changed, 94 insertions(+), 11 deletions(-) diff --git a/frontend/main.c b/frontend/main.c index 43915f8af..5909c4327 100644 --- a/frontend/main.c +++ b/frontend/main.c @@ -4502,6 +4502,7 @@ weston_rdp_backend_config_init(struct weston_rdp_backend_config *config) config->force_no_compression = 0; config->remotefx_codec = true; config->refresh_rate = RDP_DEFAULT_FREQ; + config->nla_ntlm_db = NULL; } static int @@ -4611,6 +4612,8 @@ load_rdp_backend(struct weston_compositor *c, config.server_cert); weston_config_section_get_string(section, "tls-key", &config.server_key, config.server_key); + weston_config_section_get_string(section, "nla-ntlm-db", + &config.nla_ntlm_db, config.nla_ntlm_db); wb = wet_compositor_load_backend(c, WESTON_BACKEND_RDP, &config.base, simple_heads_changed, diff --git a/include/libweston/backend-rdp.h b/include/libweston/backend-rdp.h index 4179bd1ec..a62022a1f 100644 --- a/include/libweston/backend-rdp.h +++ b/include/libweston/backend-rdp.h @@ -93,6 +93,7 @@ struct weston_rdp_backend_config { rdp_audio_in_teardown audio_in_teardown; rdp_audio_out_setup audio_out_setup; rdp_audio_out_teardown audio_out_teardown; + char *nla_ntlm_db; }; #ifdef __cplusplus diff --git a/libweston/backend-rdp/rdp.c b/libweston/backend-rdp/rdp.c index 4b16119d2..33eda246d 100644 --- a/libweston/backend-rdp/rdp.c +++ b/libweston/backend-rdp/rdp.c 
@@ -1802,20 +1802,80 @@ rdp_peer_init(freerdp_peer *client, struct rdp_backend *b) goto error_initialize; if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RdpServerRsaKey, key, 1)) goto error_initialize; - } else { - freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE); - } + + if(b->nla_enabled){ + if(!freerdp_settings_set_string(settings, FreeRDP_NtlmSamFile, b->nla_ntlm_db)){ + rdp_debug(b, "Error setting FreeRDP_NtlmSamFile to '%s'.\n", b->nla_ntlm_db); + goto error_initialize; + } + + if(!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_TlsSecurity to 'FALSE'.\n"); + + if(!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE)) + rdp_debug(b, "Error setting FreeRDP_NlaSecurity to 'TRUE'.\n"); + + }else{ + if(!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE)) + rdp_debug(b, "Error setting FreeRDP_TlsSecurity to 'TRUE'.\n"); + + if(!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_NlaSecurity to 'FALSE'.\n"); + } + } else { + if(!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_TlsSecurity to 'FALsE'.\n"); + + if(!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_NlaSecurity to 'FALsE'.\n"); + } + #else - if (b->rdp_key) - settings->RdpKeyFile = strdup(b->rdp_key); - if (b->tls_enabled) { - settings->CertificateFile = strdup(b->server_cert); - settings->PrivateKeyFile = strdup(b->server_key); - } else { - settings->TlsSecurity = FALSE; + if (b->rdp_key){ + if(!freerdp_settings_set_string(settings, FreeRDP_RdpKeyFile,b->rdp_key)){ + rdp_debug(b, "Error setting FreeRDP_RdpKeyFile to '%s'.\n", b->rdp_key); + goto error_initialize; + } } + if (b->tls_enabled) { + if(!freerdp_settings_set_string(settings, FreeRDP_CertificateFile,b->server_cert)){ + rdp_debug(b, "Error setting FreeRDP_CertificateFile to '%s'.\n", 
b->server_cert); + goto error_initialize; + } + + if(!freerdp_settings_set_string(settings, FreeRDP_PrivateKeyFile, b->server_key)){ + rdp_debug(b, "Error setting FreeRDP_PrivateKeyFile to '%s'.\n", b->server_key); + goto error_initialize; + } + + + if(b->nla_enabled){ + if(!freerdp_settings_set_string(settings, FreeRDP_NtlmSamFile, b->nla_ntlm_db)){ + rdp_debug(b, "Error setting FreeRDP_NtlmSamFile to '%s'.\n", b->nla_ntlm_db); + goto error_initialize; + } + + if(!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_TlsSecurity to 'FALSE'.\n"); + + if(!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE)) + rdp_debug(b, "Error setting FreeRDP_NlaSecurity to 'TRUE'.\n"); + + }else{ + if(!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE)) + rdp_debug(b, "Error setting FreeRDP_TlsSecurity to 'TRUE'.\n"); + + if(!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_NlaSecurity to 'FALSE'.\n"); + } + } else { + if(!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_TlsSecurity to 'FALsE'.\n"); + + if(!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE)) + rdp_debug(b, "Error setting FreeRDP_NlaSecurity to 'FALsE'.\n"); + } #endif - freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE); if (!client->Initialize(client)) { weston_log("peer initialization failed\n"); @@ -1951,6 +2011,7 @@ rdp_backend_create(struct weston_compositor *compositor, b->audio_in_teardown = config->audio_in_teardown; b->audio_out_setup = config->audio_out_setup; b->audio_out_teardown = config->audio_out_teardown; + b->nla_ntlm_db = config->nla_ntlm_db; b->debug = weston_compositor_add_log_scope(compositor, "rdp-backend", 
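Review bot: In both the `#if` and `#else` branches of rdp_peer_init, a failure to set `FreeRDP_TlsSecurity` or `FreeRDP_NlaSecurity` is only reported through `rdp_debug` and initialization carries on, so a peer can start with a different set of security protocols than the one configured. These calls decide whether a client has to authenticate, so they should fail the peer the same way the `FreeRDP_NtlmSamFile` call does, e.g. `if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE)) goto error_initialize;`. The NLA branch also leaves `FreeRDP_RdpSecurity` untouched; if that setting is still enabled (not visible in this hunk), a client could negotiate standard RDP security and never reach NLA, so it is worth setting it to FALSE explicitly when `b->nla_enabled` is set. The protocol-selection block is duplicated verbatim in both preprocessor branches and could be moved below `#endif`. The function body starts and ends outside the hunk.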
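Review bot: `b->nla_ntlm_db = config->nla_ntlm_db;` stores the caller's pointer instead of a private copy, and rdp_peer_init reads it later for every incoming peer. The lifetime of the config string is not visible in this hunk; if the frontend frees its config strings after loading the backend this becomes a use-after-free, and if it does not, nothing frees the string. Taking a copy, `b->nla_ntlm_db = config->nla_ntlm_db ? strdup(config->nla_ntlm_db) : NULL;`, and freeing it on the backend's destroy and error paths would make the ownership explicit. rdp_backend_create starts and ends outside the hunk.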
@@ -1998,6 +2059,15 @@ rdp_backend_create(struct weston_compositor *compositor, b->tls_enabled = 1; rdp_debug(b, "TLS support activated\n"); } + if(b->tls_enabled && b->nla_ntlm_db){ + if (access(b->nla_ntlm_db, F_OK) == 0) { + b->nla_enabled = 1; + rdp_debug(b, "NLA support activated\n"); + } else { + b->nla_enabled = 0; + rdp_debug(b, "NLA credential file ('%s') not found, fall back to TLS Security.\n", b->nla_ntlm_db); + } + } } wl_list_init(&b->peers); @@ -2138,6 +2208,7 @@ config_init_to_defaults(struct weston_rdp_backend_config *config) config->audio_in_teardown = NULL; config->audio_out_setup = NULL; config->audio_out_teardown = NULL; + config->nla_ntlm_db = NULL; } WL_EXPORT int diff --git a/libweston/backend-rdp/rdp.h b/libweston/backend-rdp/rdp.h index c5f515097..b457e3589 100644 --- a/libweston/backend-rdp/rdp.h +++ b/libweston/backend-rdp/rdp.h @@ -100,6 +100,8 @@ struct rdp_backend { char *server_key; char *rdp_key; int tls_enabled; + char *nla_ntlm_db; + int nla_enabled; int resizeable; int force_no_compression; bool remotefx_codec; diff --git a/man/weston-rdp.man b/man/weston-rdp.man index 680e02955..7a0f13c6f 100644 --- a/man/weston-rdp.man +++ b/man/weston-rdp.man @@ -43,6 +43,12 @@ to ship a file containing a certificate. \fBtls\-cert\fR=\fIfile\fR The file containing the certificate for doing TLS security. To have TLS security you also need to ship a key file. +.TP +\fBnla\-ntlm\-db\fR=\fIfile\fR +The file containing the NTLM credentials used by the NLA (Network Layer Authentication). The entries +for this file can be generated using the 'winpr-hash' tool, which is part of FreeRDP. It contains +one credential per line. +Example for the credential generation: 'winpr-hash -u -d -p -f sam'. .\" ***************************************************************
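Review bot: When `nla-ntlm-db` is configured but the file is missing, the block added at `@@ -1998` sets `b->nla_enabled = 0` and continues with TLS security only, so a typo in the path or a removed file silently turns off client authentication and leaves only an `rdp_debug` message behind. An operator who asked for NLA should get a hard failure: report it with `weston_log("NLA credential file '%s' is not readable\n", b->nla_ntlm_db);` and leave through the function's existing error path instead of falling back. `access(..., F_OK)` tests existence only, so `R_OK` is closer to what is needed, and because the file is presumably opened later by FreeRDP for each peer, the check cannot guarantee it is still usable then. A configured `nla_ntlm_db` without TLS enabled is also ignored without any message. rdp_backend_create continues outside the hunk.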