FreeRDP
Loading...
Searching...
No Matches
nego.c
1
23#include <freerdp/config.h>
24
25#include <winpr/crt.h>
26#include <winpr/assert.h>
27#include <winpr/stream.h>
28
29#include <freerdp/log.h>
30
31#include "tpkt.h"
32
33#include "nego.h"
34#include "aad.h"
35
36#include "transport.h"
37
38#define NEGO_TAG FREERDP_TAG("core.nego")
39
40struct rdp_nego
41{
42 UINT16 port;
43 UINT32 flags;
44 const char* hostname;
45 char* cookie;
46 BYTE* RoutingToken;
47 DWORD RoutingTokenLength;
48 BOOL SendPreconnectionPdu;
49 UINT32 PreconnectionId;
50 const char* PreconnectionBlob;
51
52 NEGO_STATE state;
53 BOOL TcpConnected;
54 BOOL SecurityConnected;
55 UINT32 CookieMaxLength;
56
57 BOOL sendNegoData;
58 UINT32 SelectedProtocol;
59 UINT32 RequestedProtocols;
60 BOOL NegotiateSecurityLayer;
61 BOOL EnabledProtocols[32];
62 BOOL RestrictedAdminModeRequired; /* Client-side */
63 BOOL RestrictedAdminModeSupported; /* Server-side */
64 BOOL RemoteCredsGuardRequired;
65 BOOL RemoteCredsGuardActive;
66 BOOL RemoteCredsGuardSupported;
67 BOOL GatewayEnabled;
68 BOOL GatewayBypassLocal;
69 BOOL ConnectChildSession;
70
71 rdpTransport* transport;
72 wLog* log;
73};
74
75static const char* nego_state_string(NEGO_STATE state)
76{
77 static const char* const NEGO_STATE_STRINGS[] = { "NEGO_STATE_INITIAL", "NEGO_STATE_RDSTLS",
78 "NEGO_STATE_AAD", "NEGO_STATE_EXT",
79 "NEGO_STATE_NLA", "NEGO_STATE_TLS",
80 "NEGO_STATE_RDP", "NEGO_STATE_FAIL",
81 "NEGO_STATE_FINAL", "NEGO_STATE_INVALID" };
82 if (state >= ARRAYSIZE(NEGO_STATE_STRINGS))
83 return NEGO_STATE_STRINGS[ARRAYSIZE(NEGO_STATE_STRINGS) - 1];
84 return NEGO_STATE_STRINGS[state];
85}
86
87static BOOL nego_tcp_connect(rdpNego* nego);
88static BOOL nego_transport_connect(rdpNego* nego);
89static BOOL nego_transport_disconnect(rdpNego* nego);
90static BOOL nego_security_connect(rdpNego* nego);
91static BOOL nego_send_preconnection_pdu(rdpNego* nego);
92static BOOL nego_recv_response(rdpNego* nego);
93static void nego_send(rdpNego* nego);
94static BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s);
95static BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s);
96static BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s);
97
98BOOL nego_update_settings_from_state(rdpNego* nego, rdpSettings* settings)
99{
100 WINPR_ASSERT(nego);
101
102 /* update settings with negotiated protocol security */
103 return freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
104 nego->RequestedProtocols) &&
105 freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
106 nego->SelectedProtocol) &&
107 freerdp_settings_set_uint32(settings, FreeRDP_NegotiationFlags, nego->flags);
108}
109
118BOOL nego_connect(rdpNego* nego)
119{
120 rdpContext* context = NULL;
121 rdpSettings* settings = NULL;
122 WINPR_ASSERT(nego);
123 context = transport_get_context(nego->transport);
124 WINPR_ASSERT(context);
125 settings = context->settings;
126 WINPR_ASSERT(settings);
127
128 if (nego_get_state(nego) == NEGO_STATE_INITIAL)
129 {
130 if (nego->EnabledProtocols[PROTOCOL_RDSAAD])
131 {
132 nego_set_state(nego, NEGO_STATE_AAD);
133 }
134 else if (nego->EnabledProtocols[PROTOCOL_RDSTLS])
135 {
136 nego_set_state(nego, NEGO_STATE_RDSTLS);
137 }
138 else if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
139 {
140 nego_set_state(nego, NEGO_STATE_EXT);
141 }
142 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
143 {
144 nego_set_state(nego, NEGO_STATE_NLA);
145 }
146 else if (nego->EnabledProtocols[PROTOCOL_SSL])
147 {
148 nego_set_state(nego, NEGO_STATE_TLS);
149 }
150 else if (nego->EnabledProtocols[PROTOCOL_RDP])
151 {
152 nego_set_state(nego, NEGO_STATE_RDP);
153 }
154 else
155 {
156 WLog_Print(nego->log, WLOG_ERROR, "No security protocol is enabled");
157 nego_set_state(nego, NEGO_STATE_FAIL);
158 return FALSE;
159 }
160
161 if (!nego->NegotiateSecurityLayer)
162 {
163 WLog_Print(nego->log, WLOG_DEBUG, "Security Layer Negotiation is disabled");
164 /* attempt only the highest enabled protocol (see nego_attempt_*) */
165 nego->EnabledProtocols[PROTOCOL_RDSAAD] = FALSE;
166 nego->EnabledProtocols[PROTOCOL_HYBRID] = FALSE;
167 nego->EnabledProtocols[PROTOCOL_SSL] = FALSE;
168 nego->EnabledProtocols[PROTOCOL_RDP] = FALSE;
169 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = FALSE;
170 nego->EnabledProtocols[PROTOCOL_RDSTLS] = FALSE;
171
172 UINT32 SelectedProtocol = 0;
173 switch (nego_get_state(nego))
174 {
175 case NEGO_STATE_AAD:
176 nego->EnabledProtocols[PROTOCOL_RDSAAD] = TRUE;
177 SelectedProtocol = PROTOCOL_RDSAAD;
178 break;
179 case NEGO_STATE_RDSTLS:
180 nego->EnabledProtocols[PROTOCOL_RDSTLS] = TRUE;
181 SelectedProtocol = PROTOCOL_RDSTLS;
182 break;
183 case NEGO_STATE_EXT:
184 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = TRUE;
185 nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
186 SelectedProtocol = PROTOCOL_HYBRID_EX;
187 break;
188 case NEGO_STATE_NLA:
189 nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
190 SelectedProtocol = PROTOCOL_HYBRID;
191 break;
192 case NEGO_STATE_TLS:
193 nego->EnabledProtocols[PROTOCOL_SSL] = TRUE;
194 SelectedProtocol = PROTOCOL_SSL;
195 break;
196 case NEGO_STATE_RDP:
197 nego->EnabledProtocols[PROTOCOL_RDP] = TRUE;
198 SelectedProtocol = PROTOCOL_RDP;
199 break;
200 default:
201 WLog_Print(nego->log, WLOG_ERROR, "Invalid NEGO state 0x%08" PRIx32,
202 nego_get_state(nego));
203 return FALSE;
204 }
205 if (!nego_set_selected_protocol(nego, SelectedProtocol))
206 return FALSE;
207 }
208
209 if (!nego_tcp_connect(nego))
210 {
211 WLog_Print(nego->log, WLOG_ERROR, "Failed to connect");
212 return FALSE;
213 }
214
215 if (nego->SendPreconnectionPdu)
216 {
217 if (!nego_send_preconnection_pdu(nego))
218 {
219 WLog_Print(nego->log, WLOG_ERROR, "Failed to send preconnection pdu");
220 nego_set_state(nego, NEGO_STATE_FINAL);
221 return FALSE;
222 }
223 }
224 }
225
226 if (!nego->NegotiateSecurityLayer)
227 {
228 nego_set_state(nego, NEGO_STATE_FINAL);
229 }
230 else
231 {
232 do
233 {
234 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
235 nego_send(nego);
236
237 if (nego_get_state(nego) == NEGO_STATE_FAIL)
238 {
239 if (freerdp_get_last_error(transport_get_context(nego->transport)) ==
240 FREERDP_ERROR_SUCCESS)
241 WLog_Print(nego->log, WLOG_ERROR, "Protocol Security Negotiation Failure");
242
243 nego_set_state(nego, NEGO_STATE_FINAL);
244 return FALSE;
245 }
246 } while (nego_get_state(nego) != NEGO_STATE_FINAL);
247 }
248
249 {
250 char buffer[64] = { 0 };
251 WLog_Print(nego->log, WLOG_DEBUG, "Negotiated %s security",
252 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
253 }
254
255 /* update settings with negotiated protocol security */
256 if (!nego_update_settings_from_state(nego, settings))
257 return FALSE;
258
259 if (nego->SelectedProtocol == PROTOCOL_RDP)
260 {
261 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
262 return FALSE;
263
264 if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionMethods) == 0)
265 {
270 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionMethods,
271 ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT |
272 ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS))
273 return FALSE;
274 }
275 }
276
277 /* finally connect security layer (if not already done) */
278 if (!nego_security_connect(nego))
279 {
280 char buffer[64] = { 0 };
281 WLog_Print(nego->log, WLOG_DEBUG, "Failed to connect with %s security",
282 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
283 return FALSE;
284 }
285
286 return TRUE;
287}
288
289BOOL nego_disconnect(rdpNego* nego)
290{
291 WINPR_ASSERT(nego);
292 nego_set_state(nego, NEGO_STATE_INITIAL);
293 return nego_transport_disconnect(nego);
294}
295
296static BOOL nego_try_connect(rdpNego* nego)
297{
298 WINPR_ASSERT(nego);
299
300 switch (nego->SelectedProtocol)
301 {
302 case PROTOCOL_RDSAAD:
303 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDSAAD");
304 nego->SecurityConnected = transport_connect_aad(nego->transport);
305 break;
306 case PROTOCOL_RDSTLS:
307 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDSTLS");
308 nego->SecurityConnected = transport_connect_rdstls(nego->transport);
309 break;
310 case PROTOCOL_HYBRID:
311 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_HYBRID");
312 nego->SecurityConnected = transport_connect_nla(nego->transport, FALSE);
313 break;
314 case PROTOCOL_HYBRID_EX:
315 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_HYBRID_EX");
316 nego->SecurityConnected = transport_connect_nla(nego->transport, TRUE);
317 break;
318 case PROTOCOL_SSL:
319 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_SSL");
320 nego->SecurityConnected = transport_connect_tls(nego->transport);
321 break;
322 case PROTOCOL_RDP:
323 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDP");
324 nego->SecurityConnected = transport_connect_rdp(nego->transport);
325 break;
326 default:
327 WLog_Print(nego->log, WLOG_ERROR,
328 "cannot connect security layer because no protocol has been selected yet.");
329 return FALSE;
330 }
331 return nego->SecurityConnected;
332}
333
334/* connect to selected security layer */
335BOOL nego_security_connect(rdpNego* nego)
336{
337 WINPR_ASSERT(nego);
338 if (!nego->TcpConnected)
339 {
340 nego->SecurityConnected = FALSE;
341 }
342 else if (!nego->SecurityConnected)
343 {
344 if (!nego_try_connect(nego))
345 return FALSE;
346 }
347
348 return nego->SecurityConnected;
349}
350
351static BOOL nego_tcp_connect(rdpNego* nego)
352{
353 rdpContext* context = NULL;
354 WINPR_ASSERT(nego);
355 if (!nego->TcpConnected)
356 {
357 UINT32 TcpConnectTimeout = 0;
358
359 context = transport_get_context(nego->transport);
360 WINPR_ASSERT(context);
361
362 TcpConnectTimeout =
363 freerdp_settings_get_uint32(context->settings, FreeRDP_TcpConnectTimeout);
364
365 if (nego->GatewayEnabled)
366 {
367 if (nego->GatewayBypassLocal)
368 {
369 /* Attempt a direct connection first, and then fallback to using the gateway */
370 WLog_Print(
371 nego->log, WLOG_INFO,
372 "Detecting if host can be reached locally. - This might take some time.");
373 WLog_Print(nego->log, WLOG_INFO,
374 "To disable auto detection use /gateway-usage-method:direct");
375 transport_set_gateway_enabled(nego->transport, FALSE);
376 nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
377 TcpConnectTimeout);
378 }
379
380 if (!nego->TcpConnected)
381 {
382 transport_set_gateway_enabled(nego->transport, TRUE);
383 nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
384 TcpConnectTimeout);
385 }
386 }
387 else if (nego->ConnectChildSession)
388 {
389 nego->TcpConnected = transport_connect_childsession(nego->transport);
390 }
391 else
392 {
393 nego->TcpConnected =
394 transport_connect(nego->transport, nego->hostname, nego->port, TcpConnectTimeout);
395 }
396 }
397
398 return nego->TcpConnected;
399}
400
409BOOL nego_transport_connect(rdpNego* nego)
410{
411 WINPR_ASSERT(nego);
412 if (!nego_tcp_connect(nego))
413 return FALSE;
414
415 if (nego->TcpConnected && !nego->NegotiateSecurityLayer)
416 return nego_security_connect(nego);
417
418 return nego->TcpConnected;
419}
420
429BOOL nego_transport_disconnect(rdpNego* nego)
430{
431 WINPR_ASSERT(nego);
432 if (nego->TcpConnected)
433 transport_disconnect(nego->transport);
434
435 nego->TcpConnected = FALSE;
436 nego->SecurityConnected = FALSE;
437 return TRUE;
438}
439
448BOOL nego_send_preconnection_pdu(rdpNego* nego)
449{
450 wStream* s = NULL;
451 UINT32 cbSize = 0;
452 UINT16 cchPCB = 0;
453 WCHAR* wszPCB = NULL;
454
455 WINPR_ASSERT(nego);
456
457 WLog_Print(nego->log, WLOG_DEBUG, "Sending preconnection PDU");
458
459 if (!nego_tcp_connect(nego))
460 return FALSE;
461
462 /* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
463 cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
464
465 if (nego->PreconnectionBlob)
466 {
467 size_t len = 0;
468 wszPCB = ConvertUtf8ToWCharAlloc(nego->PreconnectionBlob, &len);
469 if (len > UINT16_MAX - 1)
470 {
471 free(wszPCB);
472 return FALSE;
473 }
474 cchPCB = (UINT16)len;
475 cchPCB += 1; /* zero-termination */
476 cbSize += cchPCB * sizeof(WCHAR);
477 }
478
479 s = Stream_New(NULL, cbSize);
480
481 if (!s)
482 {
483 free(wszPCB);
484 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
485 return FALSE;
486 }
487
488 Stream_Write_UINT32(s, cbSize); /* cbSize */
489 Stream_Write_UINT32(s, 0); /* Flags */
490 Stream_Write_UINT32(s, PRECONNECTION_PDU_V2); /* Version */
491 Stream_Write_UINT32(s, nego->PreconnectionId); /* Id */
492 Stream_Write_UINT16(s, cchPCB); /* cchPCB */
493
494 if (wszPCB)
495 {
496 Stream_Write(s, wszPCB, cchPCB * sizeof(WCHAR)); /* wszPCB */
497 free(wszPCB);
498 }
499
500 Stream_SealLength(s);
501
502 if (transport_write(nego->transport, s) < 0)
503 {
504 Stream_Free(s, TRUE);
505 return FALSE;
506 }
507
508 Stream_Free(s, TRUE);
509 return TRUE;
510}
511
512static void nego_attempt_rdstls(rdpNego* nego)
513{
514 WINPR_ASSERT(nego);
515 nego->RequestedProtocols = PROTOCOL_RDSTLS | PROTOCOL_SSL;
516 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDSTLS security");
517
518 if (!nego_transport_connect(nego))
519 {
520 nego_set_state(nego, NEGO_STATE_FAIL);
521 return;
522 }
523
524 if (!nego_send_negotiation_request(nego))
525 {
526 nego_set_state(nego, NEGO_STATE_FAIL);
527 return;
528 }
529
530 if (!nego_recv_response(nego))
531 {
532 nego_set_state(nego, NEGO_STATE_FAIL);
533 return;
534 }
535
536 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
537
538 if (nego_get_state(nego) != NEGO_STATE_FINAL)
539 {
540 nego_transport_disconnect(nego);
541
542 if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
543 nego_set_state(nego, NEGO_STATE_EXT);
544 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
545 nego_set_state(nego, NEGO_STATE_NLA);
546 else if (nego->EnabledProtocols[PROTOCOL_SSL])
547 nego_set_state(nego, NEGO_STATE_TLS);
548 else if (nego->EnabledProtocols[PROTOCOL_RDP])
549 nego_set_state(nego, NEGO_STATE_RDP);
550 else
551 nego_set_state(nego, NEGO_STATE_FAIL);
552 }
553}
554
555static void nego_attempt_rdsaad(rdpNego* nego)
556{
557 WINPR_ASSERT(nego);
558 nego->RequestedProtocols = PROTOCOL_RDSAAD;
559 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDS AAD Auth security");
560
561 if (!nego_transport_connect(nego))
562 {
563 nego_set_state(nego, NEGO_STATE_FAIL);
564 return;
565 }
566
567 if (!nego_send_negotiation_request(nego))
568 {
569 nego_set_state(nego, NEGO_STATE_FAIL);
570 return;
571 }
572
573 if (!nego_recv_response(nego))
574 {
575 nego_set_state(nego, NEGO_STATE_FAIL);
576 return;
577 }
578
579 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
580
581 if (nego_get_state(nego) != NEGO_STATE_FINAL)
582 {
583 nego_transport_disconnect(nego);
584
585 if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
586 nego_set_state(nego, NEGO_STATE_EXT);
587 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
588 nego_set_state(nego, NEGO_STATE_NLA);
589 else if (nego->EnabledProtocols[PROTOCOL_SSL])
590 nego_set_state(nego, NEGO_STATE_TLS);
591 else if (nego->EnabledProtocols[PROTOCOL_RDP])
592 nego_set_state(nego, NEGO_STATE_RDP);
593 else
594 nego_set_state(nego, NEGO_STATE_FAIL);
595 }
596}
597
598static void nego_attempt_ext(rdpNego* nego)
599{
600 WINPR_ASSERT(nego);
601 nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL | PROTOCOL_HYBRID_EX;
602 WLog_Print(nego->log, WLOG_DEBUG, "Attempting NLA extended security");
603
604 if (!nego_transport_connect(nego))
605 {
606 nego_set_state(nego, NEGO_STATE_FAIL);
607 return;
608 }
609
610 if (!nego_send_negotiation_request(nego))
611 {
612 nego_set_state(nego, NEGO_STATE_FAIL);
613 return;
614 }
615
616 if (!nego_recv_response(nego))
617 {
618 nego_set_state(nego, NEGO_STATE_FAIL);
619 return;
620 }
621
622 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
623
624 if (nego_get_state(nego) != NEGO_STATE_FINAL)
625 {
626 nego_transport_disconnect(nego);
627
628 if (nego->EnabledProtocols[PROTOCOL_HYBRID])
629 nego_set_state(nego, NEGO_STATE_NLA);
630 else if (nego->EnabledProtocols[PROTOCOL_SSL])
631 nego_set_state(nego, NEGO_STATE_TLS);
632 else if (nego->EnabledProtocols[PROTOCOL_RDP])
633 nego_set_state(nego, NEGO_STATE_RDP);
634 else
635 nego_set_state(nego, NEGO_STATE_FAIL);
636 }
637}
638
639static void nego_attempt_nla(rdpNego* nego)
640{
641 WINPR_ASSERT(nego);
642 nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL;
643 WLog_Print(nego->log, WLOG_DEBUG, "Attempting NLA security");
644
645 if (!nego_transport_connect(nego))
646 {
647 nego_set_state(nego, NEGO_STATE_FAIL);
648 return;
649 }
650
651 if (!nego_send_negotiation_request(nego))
652 {
653 nego_set_state(nego, NEGO_STATE_FAIL);
654 return;
655 }
656
657 if (!nego_recv_response(nego))
658 {
659 nego_set_state(nego, NEGO_STATE_FAIL);
660 return;
661 }
662
663 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
664
665 if (nego_get_state(nego) != NEGO_STATE_FINAL)
666 {
667 nego_transport_disconnect(nego);
668
669 if (nego->EnabledProtocols[PROTOCOL_SSL])
670 nego_set_state(nego, NEGO_STATE_TLS);
671 else if (nego->EnabledProtocols[PROTOCOL_RDP])
672 nego_set_state(nego, NEGO_STATE_RDP);
673 else
674 nego_set_state(nego, NEGO_STATE_FAIL);
675 }
676}
677
678static void nego_attempt_tls(rdpNego* nego)
679{
680 WINPR_ASSERT(nego);
681 nego->RequestedProtocols = PROTOCOL_SSL;
682 WLog_Print(nego->log, WLOG_DEBUG, "Attempting TLS security");
683
684 if (!nego_transport_connect(nego))
685 {
686 nego_set_state(nego, NEGO_STATE_FAIL);
687 return;
688 }
689
690 if (!nego_send_negotiation_request(nego))
691 {
692 nego_set_state(nego, NEGO_STATE_FAIL);
693 return;
694 }
695
696 if (!nego_recv_response(nego))
697 {
698 nego_set_state(nego, NEGO_STATE_FAIL);
699 return;
700 }
701
702 if (nego_get_state(nego) != NEGO_STATE_FINAL)
703 {
704 nego_transport_disconnect(nego);
705
706 if (nego->EnabledProtocols[PROTOCOL_RDP])
707 nego_set_state(nego, NEGO_STATE_RDP);
708 else
709 nego_set_state(nego, NEGO_STATE_FAIL);
710 }
711}
712
713static void nego_attempt_rdp(rdpNego* nego)
714{
715 WINPR_ASSERT(nego);
716 nego->RequestedProtocols = PROTOCOL_RDP;
717 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDP security");
718
719 if (!nego_transport_connect(nego))
720 {
721 nego_set_state(nego, NEGO_STATE_FAIL);
722 return;
723 }
724
725 if (!nego_send_negotiation_request(nego))
726 {
727 nego_set_state(nego, NEGO_STATE_FAIL);
728 return;
729 }
730
731 if (!nego_recv_response(nego))
732 {
733 nego_set_state(nego, NEGO_STATE_FAIL);
734 return;
735 }
736}
737
746BOOL nego_recv_response(rdpNego* nego)
747{
748 int status = 0;
749 wStream* s = NULL;
750
751 WINPR_ASSERT(nego);
752 s = Stream_New(NULL, 1024);
753
754 if (!s)
755 {
756 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
757 return FALSE;
758 }
759
760 status = transport_read_pdu(nego->transport, s);
761
762 if (status < 0)
763 {
764 Stream_Free(s, TRUE);
765 return FALSE;
766 }
767
768 status = nego_recv(nego->transport, s, nego);
769 Stream_Free(s, TRUE);
770
771 if (status < 0)
772 return FALSE;
773
774 return TRUE;
775}
776
788int nego_recv(WINPR_ATTR_UNUSED rdpTransport* transport, wStream* s, void* extra)
789{
790 BYTE li = 0;
791 BYTE type = 0;
792 UINT16 length = 0;
793 rdpNego* nego = (rdpNego*)extra;
794
795 WINPR_ASSERT(nego);
796 if (!tpkt_read_header(s, &length))
797 return -1;
798
799 if (!tpdu_read_connection_confirm(s, &li, length))
800 return -1;
801
802 if (li > 6)
803 {
804 /* rdpNegData (optional) */
805 Stream_Read_UINT8(s, type); /* Type */
806
807 switch (type)
808 {
809 case TYPE_RDP_NEG_RSP:
810 if (!nego_process_negotiation_response(nego, s))
811 return -1;
812 {
813 char buffer[64] = { 0 };
814 WLog_Print(
815 nego->log, WLOG_DEBUG, "selected_protocol: %s",
816 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
817 }
818
819 /* enhanced security selected ? */
820
821 if (nego->SelectedProtocol)
822 {
823 if ((nego->SelectedProtocol == PROTOCOL_RDSAAD) &&
824 (!nego->EnabledProtocols[PROTOCOL_RDSAAD]))
825 {
826 nego_set_state(nego, NEGO_STATE_FAIL);
827 }
828 if ((nego->SelectedProtocol == PROTOCOL_HYBRID) &&
829 (!nego->EnabledProtocols[PROTOCOL_HYBRID]))
830 {
831 nego_set_state(nego, NEGO_STATE_FAIL);
832 }
833
834 if ((nego->SelectedProtocol == PROTOCOL_SSL) &&
835 (!nego->EnabledProtocols[PROTOCOL_SSL]))
836 {
837 nego_set_state(nego, NEGO_STATE_FAIL);
838 }
839 }
840 else if (!nego->EnabledProtocols[PROTOCOL_RDP])
841 {
842 nego_set_state(nego, NEGO_STATE_FAIL);
843 }
844
845 break;
846
847 case TYPE_RDP_NEG_FAILURE:
848 if (!nego_process_negotiation_failure(nego, s))
849 return -1;
850 break;
851 default:
852 return -1;
853 }
854 }
855 else if (li == 6)
856 {
857 WLog_Print(nego->log, WLOG_DEBUG, "no rdpNegData");
858
859 if (!nego->EnabledProtocols[PROTOCOL_RDP])
860 nego_set_state(nego, NEGO_STATE_FAIL);
861 else
862 nego_set_state(nego, NEGO_STATE_FINAL);
863 }
864 else
865 {
866 WLog_Print(nego->log, WLOG_ERROR, "invalid negotiation response");
867 nego_set_state(nego, NEGO_STATE_FAIL);
868 }
869
870 if (!tpkt_ensure_stream_consumed(nego->log, s, length))
871 return -1;
872 return 0;
873}
874
880static BOOL nego_read_request_token_or_cookie(rdpNego* nego, wStream* s)
881{
882 /* routingToken and cookie are optional and mutually exclusive!
883 *
884 * routingToken (variable): An optional and variable-length routing
885 * token (used for load balancing) terminated by a 0x0D0A two-byte
886 * sequence: (check [MSFT-SDLBTS] for details!)
887 * Cookie:[space]msts=[ip address].[port].[reserved][\x0D\x0A]
888 * tsv://MS Terminal Services Plugin.1.[\x0D\x0A]
889 *
890 * cookie (variable): An optional and variable-length ANSI character
891 * string terminated by a 0x0D0A two-byte sequence:
892 * Cookie:[space]mstshash=[ANSISTRING][\x0D\x0A]
893 */
894 UINT16 crlf = 0;
895 BOOL result = FALSE;
896 BOOL isToken = FALSE;
897 size_t remain = Stream_GetRemainingLength(s);
898
899 WINPR_ASSERT(nego);
900
901 const char* str = Stream_ConstPointer(s);
902 const size_t pos = Stream_GetPosition(s);
903
904 /* minimum length for token is 15 */
905 if (remain < 15)
906 return TRUE;
907
908 if (memcmp(Stream_ConstPointer(s), "Cookie: mstshash=", 17) != 0)
909 {
910 if (memcmp(Stream_ConstPointer(s), "Cookie: msts=", 13) != 0)
911 {
912 if (memcmp(Stream_ConstPointer(s), "tsv:", 4) != 0)
913 {
914 if (memcmp(Stream_ConstPointer(s), "mth://", 6) != 0)
915 {
916 /* remaining bytes are neither a token nor a cookie */
917 return TRUE;
918 }
919 }
920 }
921 isToken = TRUE;
922 }
923 else
924 {
925 /* not a token, minimum length for cookie is 19 */
926 if (remain < 19)
927 return TRUE;
928
929 Stream_Seek(s, 17);
930 }
931
932 while (Stream_GetRemainingLength(s) >= 2)
933 {
934 Stream_Read_UINT16(s, crlf);
935
936 if (crlf == 0x0A0D)
937 break;
938
939 Stream_Rewind(s, 1);
940 }
941
942 if (crlf == 0x0A0D)
943 {
944 Stream_Rewind(s, 2);
945 const size_t len = Stream_GetPosition(s) - pos;
946 Stream_Write_UINT16(s, 0);
947
948 if (len > UINT32_MAX)
949 return FALSE;
950
951 if (strnlen(str, len) == len)
952 {
953 if (isToken)
954 result = nego_set_routing_token(nego, str, (UINT32)len);
955 else
956 result = nego_set_cookie(nego, str);
957 }
958 }
959
960 if (!result)
961 {
962 Stream_SetPosition(s, pos);
963 WLog_Print(nego->log, WLOG_ERROR, "invalid %s received",
964 isToken ? "routing token" : "cookie");
965 }
966 else
967 {
968 WLog_Print(nego->log, WLOG_DEBUG, "received %s [%s]", isToken ? "routing token" : "cookie",
969 str);
970 }
971
972 return result;
973}
974
984BOOL nego_read_request(rdpNego* nego, wStream* s)
985{
986 BYTE li = 0;
987 BYTE type = 0;
988 UINT16 length = 0;
989
990 WINPR_ASSERT(nego);
991 WINPR_ASSERT(s);
992
993 if (!tpkt_read_header(s, &length))
994 return FALSE;
995
996 if (!tpdu_read_connection_request(s, &li, length))
997 return FALSE;
998
999 if (li != Stream_GetRemainingLength(s) + 6)
1000 {
1001 WLog_Print(nego->log, WLOG_ERROR, "Incorrect TPDU length indicator.");
1002 return FALSE;
1003 }
1004
1005 if (!nego_read_request_token_or_cookie(nego, s))
1006 {
1007 WLog_Print(nego->log, WLOG_ERROR, "Failed to parse routing token or cookie.");
1008 return FALSE;
1009 }
1010
1011 if (Stream_GetRemainingLength(s) >= 8)
1012 {
1013 /* rdpNegData (optional) */
1014 Stream_Read_UINT8(s, type); /* Type */
1015
1016 if (type != TYPE_RDP_NEG_REQ)
1017 {
1018 WLog_Print(nego->log, WLOG_ERROR, "Incorrect negotiation request type %" PRIu8 "",
1019 type);
1020 return FALSE;
1021 }
1022
1023 if (!nego_process_negotiation_request(nego, s))
1024 return FALSE;
1025 }
1026
1027 return tpkt_ensure_stream_consumed(nego->log, s, length);
1028}
1029
1036void nego_send(rdpNego* nego)
1037{
1038 WINPR_ASSERT(nego);
1039
1040 switch (nego_get_state(nego))
1041 {
1042 case NEGO_STATE_AAD:
1043 nego_attempt_rdsaad(nego);
1044 break;
1045 case NEGO_STATE_RDSTLS:
1046 nego_attempt_rdstls(nego);
1047 break;
1048 case NEGO_STATE_EXT:
1049 nego_attempt_ext(nego);
1050 break;
1051 case NEGO_STATE_NLA:
1052 nego_attempt_nla(nego);
1053 break;
1054 case NEGO_STATE_TLS:
1055 nego_attempt_tls(nego);
1056 break;
1057 case NEGO_STATE_RDP:
1058 nego_attempt_rdp(nego);
1059 break;
1060 default:
1061 WLog_Print(nego->log, WLOG_ERROR, "invalid negotiation state for sending");
1062 break;
1063 }
1064}
1065
1076BOOL nego_send_negotiation_request(rdpNego* nego)
1077{
1078 BOOL rc = FALSE;
1079 wStream* s = NULL;
1080 size_t length = 0;
1081 size_t bm = 0;
1082 size_t em = 0;
1083 BYTE flags = 0;
1084 size_t cookie_length = 0;
1085 s = Stream_New(NULL, 512);
1086
1087 WINPR_ASSERT(nego);
1088 if (!s)
1089 {
1090 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
1091 return FALSE;
1092 }
1093
1094 length = TPDU_CONNECTION_REQUEST_LENGTH;
1095 bm = Stream_GetPosition(s);
1096 Stream_Seek(s, length);
1097
1098 if (nego->RoutingToken)
1099 {
1100 Stream_Write(s, nego->RoutingToken, nego->RoutingTokenLength);
1101
1102 /* Ensure Routing Token is correctly terminated - may already be present in string */
1103
1104 if ((nego->RoutingTokenLength > 2) &&
1105 (nego->RoutingToken[nego->RoutingTokenLength - 2] == 0x0D) &&
1106 (nego->RoutingToken[nego->RoutingTokenLength - 1] == 0x0A))
1107 {
1108 WLog_Print(nego->log, WLOG_DEBUG,
1109 "Routing token looks correctly terminated - use verbatim");
1110 length += nego->RoutingTokenLength;
1111 }
1112 else
1113 {
1114 WLog_Print(nego->log, WLOG_DEBUG, "Adding terminating CRLF to routing token");
1115 Stream_Write_UINT8(s, 0x0D); /* CR */
1116 Stream_Write_UINT8(s, 0x0A); /* LF */
1117 length += nego->RoutingTokenLength + 2;
1118 }
1119 }
1120 else if (nego->cookie)
1121 {
1122 cookie_length = strlen(nego->cookie);
1123
1124 if (cookie_length > nego->CookieMaxLength)
1125 cookie_length = nego->CookieMaxLength;
1126
1127 Stream_Write(s, "Cookie: mstshash=", 17);
1128 Stream_Write(s, (BYTE*)nego->cookie, cookie_length);
1129 Stream_Write_UINT8(s, 0x0D); /* CR */
1130 Stream_Write_UINT8(s, 0x0A); /* LF */
1131 length += cookie_length + 19;
1132 }
1133
1134 {
1135 char buffer[64] = { 0 };
1136 WLog_Print(nego->log, WLOG_DEBUG, "RequestedProtocols: %s",
1137 nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
1138 }
1139
1140 if ((nego->RequestedProtocols > PROTOCOL_RDP) || (nego->sendNegoData))
1141 {
1142 /* RDP_NEG_DATA must be present for TLS and NLA */
1143 if (nego->RestrictedAdminModeRequired)
1144 flags |= RESTRICTED_ADMIN_MODE_REQUIRED;
1145
1146 if (nego->RemoteCredsGuardRequired)
1147 flags |= REDIRECTED_AUTHENTICATION_MODE_REQUIRED;
1148
1149 Stream_Write_UINT8(s, TYPE_RDP_NEG_REQ);
1150 Stream_Write_UINT8(s, flags);
1151 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1152 Stream_Write_UINT32(s, nego->RequestedProtocols); /* requestedProtocols */
1153 length += 8;
1154 }
1155
1156 if (length > UINT16_MAX)
1157 goto fail;
1158
1159 em = Stream_GetPosition(s);
1160 Stream_SetPosition(s, bm);
1161 if (!tpkt_write_header(s, (UINT16)length))
1162 goto fail;
1163 if (!tpdu_write_connection_request(s, (UINT16)length - 5))
1164 goto fail;
1165 Stream_SetPosition(s, em);
1166 Stream_SealLength(s);
1167 rc = (transport_write(nego->transport, s) >= 0);
1168fail:
1169 Stream_Free(s, TRUE);
1170 return rc;
1171}
1172
1173static BOOL nego_process_correlation_info(WINPR_ATTR_UNUSED rdpNego* nego, wStream* s)
1174{
1175 UINT8 type = 0;
1176 UINT8 flags = 0;
1177 UINT16 length = 0;
1178 BYTE correlationId[16] = { 0 };
1179
1180 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 36))
1181 {
1182 WLog_Print(nego->log, WLOG_ERROR,
1183 "RDP_NEG_REQ::flags CORRELATION_INFO_PRESENT but data is missing");
1184 return FALSE;
1185 }
1186
1187 Stream_Read_UINT8(s, type);
1188 if (type != TYPE_RDP_CORRELATION_INFO)
1189 {
1190 WLog_Print(nego->log, WLOG_ERROR,
1191 "(RDP_NEG_CORRELATION_INFO::type != TYPE_RDP_CORRELATION_INFO");
1192 return FALSE;
1193 }
1194 Stream_Read_UINT8(s, flags);
1195 if (flags != 0)
1196 {
1197 WLog_Print(nego->log, WLOG_ERROR, "(RDP_NEG_CORRELATION_INFO::flags != 0");
1198 return FALSE;
1199 }
1200 Stream_Read_UINT16(s, length);
1201 if (length != 36)
1202 {
1203 WLog_Print(nego->log, WLOG_ERROR, "(RDP_NEG_CORRELATION_INFO::length != 36");
1204 return FALSE;
1205 }
1206
1207 Stream_Read(s, correlationId, sizeof(correlationId));
1208 if ((correlationId[0] == 0x00) || (correlationId[0] == 0xF4))
1209 {
1210 WLog_Print(nego->log, WLOG_ERROR,
1211 "(RDP_NEG_CORRELATION_INFO::correlationId[0] has invalid value 0x%02" PRIx8,
1212 correlationId[0]);
1213 return FALSE;
1214 }
1215 for (size_t x = 0; x < ARRAYSIZE(correlationId); x++)
1216 {
1217 if (correlationId[x] == 0x0D)
1218 {
1219 WLog_Print(nego->log, WLOG_ERROR,
1220 "(RDP_NEG_CORRELATION_INFO::correlationId[%" PRIuz
1221 "] has invalid value 0x%02" PRIx8,
1222 x, correlationId[x]);
1223 return FALSE;
1224 }
1225 }
1226 Stream_Seek(s, 16); /* skip reserved bytes */
1227
1228 WLog_Print(nego->log, WLOG_INFO,
1229 "RDP_NEG_CORRELATION_INFO::correlationId = { %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1230 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1231 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1232 ", %02" PRIx8 " }",
1233 correlationId[0], correlationId[1], correlationId[2], correlationId[3],
1234 correlationId[4], correlationId[5], correlationId[6], correlationId[7],
1235 correlationId[8], correlationId[9], correlationId[10], correlationId[11],
1236 correlationId[12], correlationId[13], correlationId[14], correlationId[15]);
1237 return TRUE;
1238}
1239
1240BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
1241{
1242 BYTE flags = 0;
1243 UINT16 length = 0;
1244
1245 WINPR_ASSERT(nego);
1246 WINPR_ASSERT(s);
1247
1248 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1249 return FALSE;
1250 Stream_Read_UINT8(s, flags);
1251 if ((flags & ~(RESTRICTED_ADMIN_MODE_REQUIRED | REDIRECTED_AUTHENTICATION_MODE_REQUIRED |
1252 CORRELATION_INFO_PRESENT)) != 0)
1253 {
1254 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_REQ::flags invalid value 0x%02" PRIx8, flags);
1255 return FALSE;
1256 }
1257 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
1258 {
1259 if (nego->RestrictedAdminModeSupported)
1260 {
1261 WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
1262 }
1263 else
1264 {
1265 WLog_Print(nego->log, WLOG_ERROR,
1266 "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED but disabled");
1267 return FALSE;
1268 }
1269 }
1270
1271 if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
1272 {
1273 if (nego->RemoteCredsGuardSupported)
1274 {
1275 WLog_Print(nego->log, WLOG_INFO,
1276 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED");
1277 nego->RemoteCredsGuardActive = TRUE;
1278 }
1279 else
1280 {
1281 /* If both RESTRICTED_ADMIN_MODE_REQUIRED and REDIRECTED_AUTHENTICATION_MODE_REQUIRED
1282 * are set, it means one or the other. In this case, don't fail if Remote Guard isn't
1283 * available. */
1284 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
1285 {
1286 WLog_Print(nego->log, WLOG_INFO,
1287 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED ignored.");
1288 }
1289 else
1290 {
1291 WLog_Print(
1292 nego->log, WLOG_ERROR,
1293 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED but disabled");
1294 return FALSE;
1295 }
1296 }
1297 }
1298
1299 Stream_Read_UINT16(s, length);
1300 if (length != 8)
1301 {
1302 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_REQ::length != 8");
1303 return FALSE;
1304 }
1305 Stream_Read_UINT32(s, nego->RequestedProtocols);
1306
1307 if (flags & CORRELATION_INFO_PRESENT)
1308 {
1309 if (!nego_process_correlation_info(nego, s))
1310 return FALSE;
1311 }
1312
1313 {
1314 char buffer[64] = { 0 };
1315 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_REQ: RequestedProtocol: %s",
1316 nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
1317 }
1318 nego_set_state(nego, NEGO_STATE_FINAL);
1319 return TRUE;
1320}
1321
1322static const char* nego_rdp_neg_rsp_flags_str(UINT32 flags)
1323{
1324 static char buffer[1024] = { 0 };
1325
1326 (void)_snprintf(buffer, ARRAYSIZE(buffer), "[0x%02" PRIx32 "] ", flags);
1327 if (flags & EXTENDED_CLIENT_DATA_SUPPORTED)
1328 winpr_str_append("EXTENDED_CLIENT_DATA_SUPPORTED", buffer, sizeof(buffer), "|");
1329 if (flags & DYNVC_GFX_PROTOCOL_SUPPORTED)
1330 winpr_str_append("DYNVC_GFX_PROTOCOL_SUPPORTED", buffer, sizeof(buffer), "|");
1331 if (flags & RDP_NEGRSP_RESERVED)
1332 winpr_str_append("RDP_NEGRSP_RESERVED", buffer, sizeof(buffer), "|");
1333 if (flags & RESTRICTED_ADMIN_MODE_SUPPORTED)
1334 winpr_str_append("RESTRICTED_ADMIN_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
1335 if (flags & REDIRECTED_AUTHENTICATION_MODE_SUPPORTED)
1336 winpr_str_append("REDIRECTED_AUTHENTICATION_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
1337 if ((flags & (uint32_t)~(EXTENDED_CLIENT_DATA_SUPPORTED | DYNVC_GFX_PROTOCOL_SUPPORTED |
1338 RDP_NEGRSP_RESERVED | RESTRICTED_ADMIN_MODE_SUPPORTED |
1339 REDIRECTED_AUTHENTICATION_MODE_SUPPORTED)))
1340 winpr_str_append("UNKNOWN", buffer, sizeof(buffer), "|");
1341
1342 return buffer;
1343}
1344
1345BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s)
1346{
1347 UINT16 length = 0;
1348
1349 WINPR_ASSERT(nego);
1350 WINPR_ASSERT(s);
1351
1352 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1353 {
1354 nego_set_state(nego, NEGO_STATE_FAIL);
1355 return FALSE;
1356 }
1357
1358 Stream_Read_UINT8(s, nego->flags);
1359 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_RSP::flags = { %s }",
1360 nego_rdp_neg_rsp_flags_str(nego->flags));
1361
1362 Stream_Read_UINT16(s, length);
1363 if (length != 8)
1364 {
1365 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_RSP::length != 8");
1366 nego_set_state(nego, NEGO_STATE_FAIL);
1367 return FALSE;
1368 }
1369 UINT32 SelectedProtocol = 0;
1370 Stream_Read_UINT32(s, SelectedProtocol);
1371
1372 if (!nego_set_selected_protocol(nego, SelectedProtocol))
1373 return FALSE;
1374 return nego_set_state(nego, NEGO_STATE_FINAL);
1375}
1376
1385BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s)
1386{
1387 BYTE flags = 0;
1388 UINT16 length = 0;
1389 UINT32 failureCode = 0;
1390
1391 WINPR_ASSERT(nego);
1392 WINPR_ASSERT(s);
1393
1394 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_FAILURE");
1395 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1396 return FALSE;
1397
1398 Stream_Read_UINT8(s, flags);
1399 if (flags != 0)
1400 {
1401 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_FAILURE::flags = 0x%02" PRIx8, flags);
1402 return FALSE;
1403 }
1404 Stream_Read_UINT16(s, length);
1405 if (length != 8)
1406 {
1407 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_FAILURE::length != 8");
1408 return FALSE;
1409 }
1410 Stream_Read_UINT32(s, failureCode);
1411
1412 switch (failureCode)
1413 {
1414 case SSL_REQUIRED_BY_SERVER:
1415 WLog_Print(nego->log, WLOG_WARN, "Error: SSL_REQUIRED_BY_SERVER");
1416 break;
1417
1418 case SSL_NOT_ALLOWED_BY_SERVER:
1419 WLog_Print(nego->log, WLOG_WARN, "Error: SSL_NOT_ALLOWED_BY_SERVER");
1420 nego->sendNegoData = TRUE;
1421 break;
1422
1423 case SSL_CERT_NOT_ON_SERVER:
1424 WLog_Print(nego->log, WLOG_ERROR, "Error: SSL_CERT_NOT_ON_SERVER");
1425 nego->sendNegoData = TRUE;
1426 break;
1427
1428 case INCONSISTENT_FLAGS:
1429 WLog_Print(nego->log, WLOG_ERROR, "Error: INCONSISTENT_FLAGS");
1430 break;
1431
1432 case HYBRID_REQUIRED_BY_SERVER:
1433 WLog_Print(nego->log, WLOG_WARN, "Error: HYBRID_REQUIRED_BY_SERVER");
1434 break;
1435
1436 default:
1437 WLog_Print(nego->log, WLOG_ERROR, "Error: Unknown protocol security error %" PRIu32 "",
1438 failureCode);
1439 break;
1440 }
1441
1442 nego_set_state(nego, NEGO_STATE_FAIL);
1443 return TRUE;
1444}
1445
1451BOOL nego_send_negotiation_response(rdpNego* nego)
1452{
1453 UINT16 length = 0;
1454 size_t bm = 0;
1455 size_t em = 0;
1456 BOOL status = 0;
1457 wStream* s = NULL;
1458 BYTE flags = 0;
1459 rdpContext* context = NULL;
1460 rdpSettings* settings = NULL;
1461
1462 WINPR_ASSERT(nego);
1463 context = transport_get_context(nego->transport);
1464 WINPR_ASSERT(context);
1465
1466 settings = context->settings;
1467 WINPR_ASSERT(settings);
1468
1469 s = Stream_New(NULL, 512);
1470
1471 if (!s)
1472 {
1473 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
1474 return FALSE;
1475 }
1476
1477 length = TPDU_CONNECTION_CONFIRM_LENGTH;
1478 bm = Stream_GetPosition(s);
1479 Stream_Seek(s, length);
1480
1481 if (nego->SelectedProtocol & PROTOCOL_FAILED_NEGO)
1482 {
1483 UINT32 errorCode = (nego->SelectedProtocol & ~PROTOCOL_FAILED_NEGO);
1484 flags = 0;
1485 Stream_Write_UINT8(s, TYPE_RDP_NEG_FAILURE);
1486 Stream_Write_UINT8(s, flags); /* flags */
1487 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1488 Stream_Write_UINT32(s, errorCode);
1489 length += 8;
1490 }
1491 else
1492 {
1493 flags = EXTENDED_CLIENT_DATA_SUPPORTED;
1494
1495 if (freerdp_settings_get_bool(settings, FreeRDP_SupportGraphicsPipeline))
1496 flags |= DYNVC_GFX_PROTOCOL_SUPPORTED;
1497
1498 if (nego->RestrictedAdminModeSupported)
1499 flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
1500
1501 if (nego->RemoteCredsGuardSupported)
1502 flags |= REDIRECTED_AUTHENTICATION_MODE_SUPPORTED;
1503
1504 /* RDP_NEG_DATA must be present for TLS, NLA, RDP and RDSTLS */
1505 Stream_Write_UINT8(s, TYPE_RDP_NEG_RSP);
1506 Stream_Write_UINT8(s, flags); /* flags */
1507 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1508 Stream_Write_UINT32(s, nego->SelectedProtocol); /* selectedProtocol */
1509 length += 8;
1510 }
1511
1512 em = Stream_GetPosition(s);
1513 Stream_SetPosition(s, bm);
1514 status = tpkt_write_header(s, length);
1515 if (status)
1516 {
1517 tpdu_write_connection_confirm(s, length - 5);
1518 Stream_SetPosition(s, em);
1519 Stream_SealLength(s);
1520
1521 status = (transport_write(nego->transport, s) >= 0);
1522 }
1523 Stream_Free(s, TRUE);
1524
1525 if (status)
1526 {
1527 /* update settings with negotiated protocol security */
1528 if (!freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
1529 nego->RequestedProtocols))
1530 return FALSE;
1531 if (!freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
1532 nego->SelectedProtocol))
1533 return FALSE;
1534
1535 switch (nego->SelectedProtocol)
1536 {
1537 case PROTOCOL_RDP:
1538 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE))
1539 return FALSE;
1540 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1541 return FALSE;
1542 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, TRUE))
1543 return FALSE;
1544 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
1545 return FALSE;
1546
1547 if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionLevel) ==
1548 ENCRYPTION_LEVEL_NONE)
1549 {
1554 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1555 ENCRYPTION_LEVEL_CLIENT_COMPATIBLE))
1556 return FALSE;
1557 }
1558
1559 if (freerdp_settings_get_bool(settings, FreeRDP_LocalConnection))
1560 {
1567 WLog_Print(nego->log, WLOG_INFO,
1568 "Turning off encryption for local peer with standard rdp security");
1569 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1570 return FALSE;
1571 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1572 ENCRYPTION_LEVEL_NONE))
1573 return FALSE;
1574 }
1575 else if (!freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey))
1576 {
1577 WLog_Print(nego->log, WLOG_ERROR, "Missing server certificate");
1578 return FALSE;
1579 }
1580 break;
1581 case PROTOCOL_SSL:
1582 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1583 return FALSE;
1584 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1585 return FALSE;
1586 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
1587 return FALSE;
1588 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1589 return FALSE;
1590 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1591 return FALSE;
1592
1593 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1594 ENCRYPTION_LEVEL_NONE))
1595 return FALSE;
1596 break;
1597 case PROTOCOL_HYBRID:
1598 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1599 return FALSE;
1600 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE))
1601 return FALSE;
1602 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
1603 return FALSE;
1604 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1605 return FALSE;
1606 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1607 return FALSE;
1608
1609 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1610 ENCRYPTION_LEVEL_NONE))
1611 return FALSE;
1612 break;
1613 case PROTOCOL_RDSTLS:
1614 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1615 return FALSE;
1616 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1617 return FALSE;
1618 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, TRUE))
1619 return FALSE;
1620 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1621 return FALSE;
1622 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1623 return FALSE;
1624
1625 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1626 ENCRYPTION_LEVEL_NONE))
1627 return FALSE;
1628 break;
1629 default:
1630 break;
1631 }
1632 }
1633
1634 return status;
1635}
1636
1642void nego_init(rdpNego* nego)
1643{
1644 WINPR_ASSERT(nego);
1645 nego_set_state(nego, NEGO_STATE_INITIAL);
1646 nego->RequestedProtocols = PROTOCOL_RDP;
1647 nego->CookieMaxLength = DEFAULT_COOKIE_MAX_LENGTH;
1648 nego->sendNegoData = FALSE;
1649 nego->flags = 0;
1650}
1651
1660rdpNego* nego_new(rdpTransport* transport)
1661{
1662 rdpNego* nego = (rdpNego*)calloc(1, sizeof(rdpNego));
1663
1664 if (!nego)
1665 return NULL;
1666
1667 nego->log = WLog_Get(NEGO_TAG);
1668 WINPR_ASSERT(nego->log);
1669 nego->transport = transport;
1670 nego_init(nego);
1671 return nego;
1672}
1673
1679void nego_free(rdpNego* nego)
1680{
1681 if (nego)
1682 {
1683 free(nego->RoutingToken);
1684 free(nego->cookie);
1685 free(nego);
1686 }
1687}
1688
1698BOOL nego_set_target(rdpNego* nego, const char* hostname, UINT16 port)
1699{
1700 if (!nego || !hostname)
1701 return FALSE;
1702
1703 nego->hostname = hostname;
1704 nego->port = port;
1705 return TRUE;
1706}
1707
1715void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer)
1716{
1717 WLog_Print(nego->log, WLOG_DEBUG, "Enabling security layer negotiation: %s",
1718 NegotiateSecurityLayer ? "TRUE" : "FALSE");
1719 nego->NegotiateSecurityLayer = NegotiateSecurityLayer;
1720}
1721
1729void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdminModeRequired)
1730{
1731 WLog_Print(nego->log, WLOG_DEBUG, "Enabling restricted admin mode: %s",
1732 RestrictedAdminModeRequired ? "TRUE" : "FALSE");
1733 nego->RestrictedAdminModeRequired = RestrictedAdminModeRequired;
1734}
1735
1736void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled)
1737{
1738 WINPR_ASSERT(nego);
1739
1740 nego->RestrictedAdminModeSupported = enabled;
1741}
1742
1743void nego_set_RCG_required(rdpNego* nego, BOOL enabled)
1744{
1745 WINPR_ASSERT(nego);
1746
1747 WLog_Print(nego->log, WLOG_DEBUG, "Enabling remoteCredentialGuards: %s",
1748 enabled ? "TRUE" : "FALSE");
1749 nego->RemoteCredsGuardRequired = enabled;
1750}
1751
1752void nego_set_RCG_supported(rdpNego* nego, BOOL enabled)
1753{
1754 WINPR_ASSERT(nego);
1755
1756 nego->RemoteCredsGuardSupported = enabled;
1757}
1758
1759BOOL nego_get_remoteCredentialGuard(rdpNego* nego)
1760{
1761 WINPR_ASSERT(nego);
1762
1763 return nego->RemoteCredsGuardActive;
1764}
1765
1766void nego_set_childsession_enabled(rdpNego* nego, BOOL ChildSessionEnabled)
1767{
1768 WINPR_ASSERT(nego);
1769 nego->ConnectChildSession = ChildSessionEnabled;
1770}
1771
1772void nego_set_gateway_enabled(rdpNego* nego, BOOL GatewayEnabled)
1773{
1774 nego->GatewayEnabled = GatewayEnabled;
1775}
1776
1777void nego_set_gateway_bypass_local(rdpNego* nego, BOOL GatewayBypassLocal)
1778{
1779 nego->GatewayBypassLocal = GatewayBypassLocal;
1780}
1781
1788void nego_enable_rdp(rdpNego* nego, BOOL enable_rdp)
1789{
1790 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDP security: %s", enable_rdp ? "TRUE" : "FALSE");
1791 nego->EnabledProtocols[PROTOCOL_RDP] = enable_rdp;
1792}
1793
1800void nego_enable_tls(rdpNego* nego, BOOL enable_tls)
1801{
1802 WLog_Print(nego->log, WLOG_DEBUG, "Enabling TLS security: %s", enable_tls ? "TRUE" : "FALSE");
1803 nego->EnabledProtocols[PROTOCOL_SSL] = enable_tls;
1804}
1805
1813void nego_enable_nla(rdpNego* nego, BOOL enable_nla)
1814{
1815 WLog_Print(nego->log, WLOG_DEBUG, "Enabling NLA security: %s", enable_nla ? "TRUE" : "FALSE");
1816 nego->EnabledProtocols[PROTOCOL_HYBRID] = enable_nla;
1817}
1818
1826void nego_enable_rdstls(rdpNego* nego, BOOL enable_rdstls)
1827{
1828 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDSTLS security: %s",
1829 enable_rdstls ? "TRUE" : "FALSE");
1830 nego->EnabledProtocols[PROTOCOL_RDSTLS] = enable_rdstls;
1831}
1832
1840void nego_enable_ext(rdpNego* nego, BOOL enable_ext)
1841{
1842 WLog_Print(nego->log, WLOG_DEBUG, "Enabling NLA extended security: %s",
1843 enable_ext ? "TRUE" : "FALSE");
1844 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = enable_ext;
1845}
1846
1854void nego_enable_aad(rdpNego* nego, BOOL enable_aad)
1855{
1856 WINPR_ASSERT(nego);
1857 if (aad_is_supported())
1858 {
1859 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDS AAD security: %s",
1860 enable_aad ? "TRUE" : "FALSE");
1861 nego->EnabledProtocols[PROTOCOL_RDSAAD] = enable_aad;
1862 }
1863 else
1864 {
1865 WLog_Print(nego->log, WLOG_WARN, "This build does not support AAD security, disabling.");
1866 }
1867}
1868
1878BOOL nego_set_routing_token(rdpNego* nego, const void* RoutingToken, DWORD RoutingTokenLength)
1879{
1880 if (RoutingTokenLength == 0)
1881 return FALSE;
1882
1883 free(nego->RoutingToken);
1884 nego->RoutingTokenLength = RoutingTokenLength;
1885 nego->RoutingToken = (BYTE*)malloc(nego->RoutingTokenLength);
1886
1887 if (!nego->RoutingToken)
1888 return FALSE;
1889
1890 CopyMemory(nego->RoutingToken, RoutingToken, nego->RoutingTokenLength);
1891 return TRUE;
1892}
1893
1902BOOL nego_set_cookie(rdpNego* nego, const char* cookie)
1903{
1904 if (nego->cookie)
1905 {
1906 free(nego->cookie);
1907 nego->cookie = NULL;
1908 }
1909
1910 if (!cookie)
1911 return TRUE;
1912
1913 nego->cookie = _strdup(cookie);
1914
1915 if (!nego->cookie)
1916 return FALSE;
1917
1918 return TRUE;
1919}
1920
1927void nego_set_cookie_max_length(rdpNego* nego, UINT32 CookieMaxLength)
1928{
1929 nego->CookieMaxLength = CookieMaxLength;
1930}
1931
1938void nego_set_send_preconnection_pdu(rdpNego* nego, BOOL SendPreconnectionPdu)
1939{
1940 nego->SendPreconnectionPdu = SendPreconnectionPdu;
1941}
1942
1949void nego_set_preconnection_id(rdpNego* nego, UINT32 PreconnectionId)
1950{
1951 nego->PreconnectionId = PreconnectionId;
1952}
1953
1960void nego_set_preconnection_blob(rdpNego* nego, const char* PreconnectionBlob)
1961{
1962 nego->PreconnectionBlob = PreconnectionBlob;
1963}
1964
1965UINT32 nego_get_selected_protocol(rdpNego* nego)
1966{
1967 if (!nego)
1968 return 0;
1969
1970 return nego->SelectedProtocol;
1971}
1972
1973BOOL nego_set_selected_protocol(rdpNego* nego, UINT32 SelectedProtocol)
1974{
1975 WINPR_ASSERT(nego);
1976 nego->SelectedProtocol = SelectedProtocol;
1977 return TRUE;
1978}
1979
1980UINT32 nego_get_requested_protocols(rdpNego* nego)
1981{
1982 if (!nego)
1983 return 0;
1984
1985 return nego->RequestedProtocols;
1986}
1987
1988BOOL nego_set_requested_protocols(rdpNego* nego, UINT32 RequestedProtocols)
1989{
1990 if (!nego)
1991 return FALSE;
1992
1993 nego->RequestedProtocols = RequestedProtocols;
1994 return TRUE;
1995}
1996
1997NEGO_STATE nego_get_state(rdpNego* nego)
1998{
1999 if (!nego)
2000 return NEGO_STATE_FAIL;
2001
2002 return nego->state;
2003}
2004
2005BOOL nego_set_state(rdpNego* nego, NEGO_STATE state)
2006{
2007 if (!nego)
2008 return FALSE;
2009
2010 nego->state = state;
2011 return TRUE;
2012}
2013
2014SEC_WINNT_AUTH_IDENTITY* nego_get_identity(rdpNego* nego)
2015{
2016 rdpNla* nla = NULL;
2017 if (!nego)
2018 return NULL;
2019
2020 nla = transport_get_nla(nego->transport);
2021 return nla_get_identity(nla);
2022}
2023
2024void nego_free_nla(rdpNego* nego)
2025{
2026 if (!nego || !nego->transport)
2027 return;
2028
2029 transport_set_nla(nego->transport, NULL);
2030}
2031
2032const BYTE* nego_get_routing_token(rdpNego* nego, DWORD* RoutingTokenLength)
2033{
2034 if (!nego)
2035 return NULL;
2036 if (RoutingTokenLength)
2037 *RoutingTokenLength = nego->RoutingTokenLength;
2038 return nego->RoutingToken;
2039}
2040
2041const char* nego_protocol_to_str(UINT32 protocol, char* buffer, size_t size)
2042{
2043 const UINT32 mask = ~(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS | PROTOCOL_HYBRID_EX |
2044 PROTOCOL_RDSAAD | PROTOCOL_FAILED_NEGO);
2045 char str[48] = { 0 };
2046
2047 if (protocol & PROTOCOL_SSL)
2048 (void)winpr_str_append("SSL", str, sizeof(str), "|");
2049 if (protocol & PROTOCOL_HYBRID)
2050 (void)winpr_str_append("HYBRID", str, sizeof(str), "|");
2051 if (protocol & PROTOCOL_RDSTLS)
2052 (void)winpr_str_append("RDSTLS", str, sizeof(str), "|");
2053 if (protocol & PROTOCOL_HYBRID_EX)
2054 (void)winpr_str_append("HYBRID_EX", str, sizeof(str), "|");
2055 if (protocol & PROTOCOL_RDSAAD)
2056 (void)winpr_str_append("RDSAAD", str, sizeof(str), "|");
2057 if (protocol & PROTOCOL_FAILED_NEGO)
2058 (void)winpr_str_append("NEGO FAILED", str, sizeof(str), "|");
2059
2060 if (protocol == PROTOCOL_RDP)
2061 (void)winpr_str_append("RDP", str, sizeof(str), "");
2062 else if ((protocol & mask) != 0)
2063 (void)winpr_str_append("UNKNOWN", str, sizeof(str), "|");
2064
2065 (void)_snprintf(buffer, size, "[%s][0x%08" PRIx32 "]", str, protocol);
2066 return buffer;
2067}
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
freerdp_settings_get_bool
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition common/settings.c:1419
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
freerdp_settings_set_bool
FREERDP_API BOOL freerdp_settings_set_bool(rdpSettings *settings, FreeRDP_Settings_Keys_Bool id, BOOL param)
Sets a BOOL settings value.