FreeRDP
Loading...
Searching...
No Matches
nego.c
1
23#include <freerdp/config.h>
24
25#include <winpr/crt.h>
26#include <winpr/assert.h>
27#include <winpr/stream.h>
28
29#include <freerdp/log.h>
30
31#include "tpkt.h"
32
33#include "nego.h"
34#include "aad.h"
35
36#include "transport.h"
37
38#define NEGO_TAG FREERDP_TAG("core.nego")
39
40struct rdp_nego
41{
42 UINT16 port;
43 UINT32 flags;
44 const char* hostname;
45 char* cookie;
46 BYTE* RoutingToken;
47 DWORD RoutingTokenLength;
48 BOOL SendPreconnectionPdu;
49 UINT32 PreconnectionId;
50 const char* PreconnectionBlob;
51
52 NEGO_STATE state;
53 BOOL TcpConnected;
54 BOOL SecurityConnected;
55 UINT32 CookieMaxLength;
56
57 BOOL sendNegoData;
58 UINT32 SelectedProtocol;
59 UINT32 RequestedProtocols;
60 BOOL NegotiateSecurityLayer;
61 BOOL EnabledProtocols[32];
62 BOOL RestrictedAdminModeRequired; /* Client-side */
63 BOOL RestrictedAdminModeSupported; /* Server-side */
64 BOOL RemoteCredsGuardRequired;
65 BOOL RemoteCredsGuardActive;
66 BOOL RemoteCredsGuardSupported;
67 BOOL GatewayEnabled;
68 BOOL GatewayBypassLocal;
69 BOOL ConnectChildSession;
70
71 rdpTransport* transport;
72 wLog* log;
73};
74
75static const char* nego_state_string(NEGO_STATE state)
76{
77 static const char* const NEGO_STATE_STRINGS[] = { "NEGO_STATE_INITIAL", "NEGO_STATE_RDSTLS",
78 "NEGO_STATE_AAD", "NEGO_STATE_EXT",
79 "NEGO_STATE_NLA", "NEGO_STATE_TLS",
80 "NEGO_STATE_RDP", "NEGO_STATE_FAIL",
81 "NEGO_STATE_FINAL", "NEGO_STATE_INVALID" };
82 if (state >= ARRAYSIZE(NEGO_STATE_STRINGS))
83 return NEGO_STATE_STRINGS[ARRAYSIZE(NEGO_STATE_STRINGS) - 1];
84 return NEGO_STATE_STRINGS[state];
85}
86
87static BOOL nego_tcp_connect(rdpNego* nego);
88static BOOL nego_transport_connect(rdpNego* nego);
89static BOOL nego_transport_disconnect(rdpNego* nego);
90static BOOL nego_security_connect(rdpNego* nego);
91static BOOL nego_send_preconnection_pdu(rdpNego* nego);
92static BOOL nego_recv_response(rdpNego* nego);
93static void nego_send(rdpNego* nego);
94static BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s);
95static BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s);
96static BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s);
97
98BOOL nego_update_settings_from_state(rdpNego* nego, rdpSettings* settings)
99{
100 WINPR_ASSERT(nego);
101
102 /* update settings with negotiated protocol security */
103 return freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
104 nego->RequestedProtocols) &&
105 freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
106 nego->SelectedProtocol) &&
107 freerdp_settings_set_uint32(settings, FreeRDP_NegotiationFlags, nego->flags);
108}
109
118BOOL nego_connect(rdpNego* nego)
119{
120 rdpContext* context = NULL;
121 rdpSettings* settings = NULL;
122 WINPR_ASSERT(nego);
123 context = transport_get_context(nego->transport);
124 WINPR_ASSERT(context);
125 settings = context->settings;
126 WINPR_ASSERT(settings);
127
128 if (nego_get_state(nego) == NEGO_STATE_INITIAL)
129 {
130 if (nego->EnabledProtocols[PROTOCOL_RDSAAD])
131 {
132 nego_set_state(nego, NEGO_STATE_AAD);
133 }
134 else if (nego->EnabledProtocols[PROTOCOL_RDSTLS])
135 {
136 nego_set_state(nego, NEGO_STATE_RDSTLS);
137 }
138 else if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
139 {
140 nego_set_state(nego, NEGO_STATE_EXT);
141 }
142 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
143 {
144 nego_set_state(nego, NEGO_STATE_NLA);
145 }
146 else if (nego->EnabledProtocols[PROTOCOL_SSL])
147 {
148 nego_set_state(nego, NEGO_STATE_TLS);
149 }
150 else if (nego->EnabledProtocols[PROTOCOL_RDP])
151 {
152 nego_set_state(nego, NEGO_STATE_RDP);
153 }
154 else
155 {
156 WLog_Print(nego->log, WLOG_ERROR, "No security protocol is enabled");
157 nego_set_state(nego, NEGO_STATE_FAIL);
158 return FALSE;
159 }
160
161 if (!nego->NegotiateSecurityLayer)
162 {
163 WLog_Print(nego->log, WLOG_DEBUG, "Security Layer Negotiation is disabled");
164 /* attempt only the highest enabled protocol (see nego_attempt_*) */
165 nego->EnabledProtocols[PROTOCOL_RDSAAD] = FALSE;
166 nego->EnabledProtocols[PROTOCOL_HYBRID] = FALSE;
167 nego->EnabledProtocols[PROTOCOL_SSL] = FALSE;
168 nego->EnabledProtocols[PROTOCOL_RDP] = FALSE;
169 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = FALSE;
170 nego->EnabledProtocols[PROTOCOL_RDSTLS] = FALSE;
171
172 UINT32 SelectedProtocol = 0;
173 switch (nego_get_state(nego))
174 {
175 case NEGO_STATE_AAD:
176 nego->EnabledProtocols[PROTOCOL_RDSAAD] = TRUE;
177 SelectedProtocol = PROTOCOL_RDSAAD;
178 break;
179 case NEGO_STATE_RDSTLS:
180 nego->EnabledProtocols[PROTOCOL_RDSTLS] = TRUE;
181 SelectedProtocol = PROTOCOL_RDSTLS;
182 break;
183 case NEGO_STATE_EXT:
184 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = TRUE;
185 nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
186 SelectedProtocol = PROTOCOL_HYBRID_EX;
187 break;
188 case NEGO_STATE_NLA:
189 nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
190 SelectedProtocol = PROTOCOL_HYBRID;
191 break;
192 case NEGO_STATE_TLS:
193 nego->EnabledProtocols[PROTOCOL_SSL] = TRUE;
194 SelectedProtocol = PROTOCOL_SSL;
195 break;
196 case NEGO_STATE_RDP:
197 nego->EnabledProtocols[PROTOCOL_RDP] = TRUE;
198 SelectedProtocol = PROTOCOL_RDP;
199 break;
200 default:
201 WLog_Print(nego->log, WLOG_ERROR, "Invalid NEGO state 0x%08" PRIx32,
202 nego_get_state(nego));
203 return FALSE;
204 }
205 if (!nego_set_selected_protocol(nego, SelectedProtocol))
206 return FALSE;
207 }
208
209 if (!nego_tcp_connect(nego))
210 {
211 WLog_Print(nego->log, WLOG_ERROR, "Failed to connect");
212 return FALSE;
213 }
214
215 if (nego->SendPreconnectionPdu)
216 {
217 if (!nego_send_preconnection_pdu(nego))
218 {
219 WLog_Print(nego->log, WLOG_ERROR, "Failed to send preconnection pdu");
220 nego_set_state(nego, NEGO_STATE_FINAL);
221 return FALSE;
222 }
223 }
224 }
225
226 if (!nego->NegotiateSecurityLayer)
227 {
228 nego_set_state(nego, NEGO_STATE_FINAL);
229 }
230 else
231 {
232 do
233 {
234 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
235 nego_send(nego);
236
237 if (nego_get_state(nego) == NEGO_STATE_FAIL)
238 {
239 if (freerdp_get_last_error(transport_get_context(nego->transport)) ==
240 FREERDP_ERROR_SUCCESS)
241 WLog_Print(nego->log, WLOG_ERROR, "Protocol Security Negotiation Failure");
242
243 nego_set_state(nego, NEGO_STATE_FINAL);
244 return FALSE;
245 }
246 } while (nego_get_state(nego) != NEGO_STATE_FINAL);
247 }
248
249 {
250 char buffer[64] = { 0 };
251 WLog_Print(nego->log, WLOG_DEBUG, "Negotiated %s security",
252 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
253 }
254
255 /* update settings with negotiated protocol security */
256 if (!nego_update_settings_from_state(nego, settings))
257 return FALSE;
258
259 if (nego->SelectedProtocol == PROTOCOL_RDP)
260 {
261 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
262 return FALSE;
263
264 if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionMethods) == 0)
265 {
270 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionMethods,
271 ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT |
272 ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS))
273 return FALSE;
274 }
275 }
276
277 /* finally connect security layer (if not already done) */
278 if (!nego_security_connect(nego))
279 {
280 char buffer[64] = { 0 };
281 WLog_Print(nego->log, WLOG_DEBUG, "Failed to connect with %s security",
282 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
283 return FALSE;
284 }
285
286 return TRUE;
287}
288
289BOOL nego_disconnect(rdpNego* nego)
290{
291 WINPR_ASSERT(nego);
292 nego_set_state(nego, NEGO_STATE_INITIAL);
293 return nego_transport_disconnect(nego);
294}
295
296static BOOL nego_try_connect(rdpNego* nego)
297{
298 WINPR_ASSERT(nego);
299
300 switch (nego->SelectedProtocol)
301 {
302 case PROTOCOL_RDSAAD:
303 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDSAAD");
304 nego->SecurityConnected = transport_connect_aad(nego->transport);
305 break;
306 case PROTOCOL_RDSTLS:
307 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDSTLS");
308 nego->SecurityConnected = transport_connect_rdstls(nego->transport);
309 break;
310 case PROTOCOL_HYBRID:
311 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_HYBRID");
312 nego->SecurityConnected = transport_connect_nla(nego->transport, FALSE);
313 break;
314 case PROTOCOL_HYBRID_EX:
315 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_HYBRID_EX");
316 nego->SecurityConnected = transport_connect_nla(nego->transport, TRUE);
317 break;
318 case PROTOCOL_SSL:
319 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_SSL");
320 nego->SecurityConnected = transport_connect_tls(nego->transport);
321 break;
322 case PROTOCOL_RDP:
323 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDP");
324 nego->SecurityConnected = transport_connect_rdp(nego->transport);
325 break;
326 default:
327 WLog_Print(nego->log, WLOG_ERROR,
328 "cannot connect security layer because no protocol has been selected yet.");
329 return FALSE;
330 }
331 return nego->SecurityConnected;
332}
333
334/* connect to selected security layer */
335BOOL nego_security_connect(rdpNego* nego)
336{
337 WINPR_ASSERT(nego);
338 if (!nego->TcpConnected)
339 {
340 nego->SecurityConnected = FALSE;
341 }
342 else if (!nego->SecurityConnected)
343 {
344 if (!nego_try_connect(nego))
345 return FALSE;
346 }
347
348 return nego->SecurityConnected;
349}
350
351static BOOL nego_tcp_connect(rdpNego* nego)
352{
353 rdpContext* context = NULL;
354 WINPR_ASSERT(nego);
355 if (!nego->TcpConnected)
356 {
357 UINT32 TcpConnectTimeout = 0;
358
359 context = transport_get_context(nego->transport);
360 WINPR_ASSERT(context);
361
362 TcpConnectTimeout =
363 freerdp_settings_get_uint32(context->settings, FreeRDP_TcpConnectTimeout);
364
365 if (nego->GatewayEnabled)
366 {
367 if (nego->GatewayBypassLocal)
368 {
369 /* Attempt a direct connection first, and then fallback to using the gateway */
370 WLog_Print(
371 nego->log, WLOG_INFO,
372 "Detecting if host can be reached locally. - This might take some time.");
373 WLog_Print(nego->log, WLOG_INFO,
374 "To disable auto detection use /gateway-usage-method:direct");
375 transport_set_gateway_enabled(nego->transport, FALSE);
376 nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
377 TcpConnectTimeout);
378 }
379
380 if (!nego->TcpConnected)
381 {
382 transport_set_gateway_enabled(nego->transport, TRUE);
383 nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
384 TcpConnectTimeout);
385 }
386 }
387 else if (nego->ConnectChildSession)
388 {
389 nego->TcpConnected = transport_connect_childsession(nego->transport);
390 }
391 else
392 {
393 nego->TcpConnected =
394 transport_connect(nego->transport, nego->hostname, nego->port, TcpConnectTimeout);
395 }
396 }
397
398 return nego->TcpConnected;
399}
400
409BOOL nego_transport_connect(rdpNego* nego)
410{
411 WINPR_ASSERT(nego);
412 if (!nego_tcp_connect(nego))
413 return FALSE;
414
415 if (nego->TcpConnected && !nego->NegotiateSecurityLayer)
416 return nego_security_connect(nego);
417
418 return nego->TcpConnected;
419}
420
429BOOL nego_transport_disconnect(rdpNego* nego)
430{
431 WINPR_ASSERT(nego);
432 if (nego->TcpConnected)
433 transport_disconnect(nego->transport);
434
435 nego->TcpConnected = FALSE;
436 nego->SecurityConnected = FALSE;
437 return TRUE;
438}
439
448BOOL nego_send_preconnection_pdu(rdpNego* nego)
449{
450 wStream* s = NULL;
451 UINT32 cbSize = 0;
452 UINT16 cchPCB = 0;
453 WCHAR* wszPCB = NULL;
454
455 WINPR_ASSERT(nego);
456
457 WLog_Print(nego->log, WLOG_DEBUG, "Sending preconnection PDU");
458
459 if (!nego_tcp_connect(nego))
460 return FALSE;
461
462 /* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
463 cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
464
465 if (nego->PreconnectionBlob)
466 {
467 size_t len = 0;
468 wszPCB = ConvertUtf8ToWCharAlloc(nego->PreconnectionBlob, &len);
469 if (len > UINT16_MAX - 1)
470 {
471 free(wszPCB);
472 return FALSE;
473 }
474 cchPCB = (UINT16)len;
475 cchPCB += 1; /* zero-termination */
476 cbSize += cchPCB * sizeof(WCHAR);
477 }
478
479 s = Stream_New(NULL, cbSize);
480
481 if (!s)
482 {
483 free(wszPCB);
484 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
485 return FALSE;
486 }
487
488 Stream_Write_UINT32(s, cbSize); /* cbSize */
489 Stream_Write_UINT32(s, 0); /* Flags */
490 Stream_Write_UINT32(s, PRECONNECTION_PDU_V2); /* Version */
491 Stream_Write_UINT32(s, nego->PreconnectionId); /* Id */
492 Stream_Write_UINT16(s, cchPCB); /* cchPCB */
493
494 if (wszPCB)
495 {
496 Stream_Write(s, wszPCB, cchPCB * sizeof(WCHAR)); /* wszPCB */
497 free(wszPCB);
498 }
499
500 Stream_SealLength(s);
501
502 if (transport_write(nego->transport, s) < 0)
503 {
504 Stream_Free(s, TRUE);
505 return FALSE;
506 }
507
508 Stream_Free(s, TRUE);
509 return TRUE;
510}
511
512static void nego_attempt_rdstls(rdpNego* nego)
513{
514 WINPR_ASSERT(nego);
515 nego->RequestedProtocols = PROTOCOL_RDSTLS | PROTOCOL_SSL;
516 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDSTLS security");
517
518 if (!nego_transport_connect(nego))
519 {
520 nego_set_state(nego, NEGO_STATE_FAIL);
521 return;
522 }
523
524 if (!nego_send_negotiation_request(nego))
525 {
526 nego_set_state(nego, NEGO_STATE_FAIL);
527 return;
528 }
529
530 if (!nego_recv_response(nego))
531 {
532 nego_set_state(nego, NEGO_STATE_FAIL);
533 return;
534 }
535
536 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
537
538 if (nego_get_state(nego) != NEGO_STATE_FINAL)
539 {
540 nego_transport_disconnect(nego);
541
542 if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
543 nego_set_state(nego, NEGO_STATE_EXT);
544 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
545 nego_set_state(nego, NEGO_STATE_NLA);
546 else if (nego->EnabledProtocols[PROTOCOL_SSL])
547 nego_set_state(nego, NEGO_STATE_TLS);
548 else if (nego->EnabledProtocols[PROTOCOL_RDP])
549 nego_set_state(nego, NEGO_STATE_RDP);
550 else
551 nego_set_state(nego, NEGO_STATE_FAIL);
552 }
553}
554
555static void nego_attempt_rdsaad(rdpNego* nego)
556{
557 WINPR_ASSERT(nego);
558 nego->RequestedProtocols = PROTOCOL_RDSAAD;
559 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDS AAD Auth security");
560
561 if (!nego_transport_connect(nego))
562 {
563 nego_set_state(nego, NEGO_STATE_FAIL);
564 return;
565 }
566
567 if (!nego_send_negotiation_request(nego))
568 {
569 nego_set_state(nego, NEGO_STATE_FAIL);
570 return;
571 }
572
573 if (!nego_recv_response(nego))
574 {
575 nego_set_state(nego, NEGO_STATE_FAIL);
576 return;
577 }
578
579 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
580
581 if (nego_get_state(nego) != NEGO_STATE_FINAL)
582 {
583 nego_transport_disconnect(nego);
584
585 if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
586 nego_set_state(nego, NEGO_STATE_EXT);
587 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
588 nego_set_state(nego, NEGO_STATE_NLA);
589 else if (nego->EnabledProtocols[PROTOCOL_SSL])
590 nego_set_state(nego, NEGO_STATE_TLS);
591 else if (nego->EnabledProtocols[PROTOCOL_RDP])
592 nego_set_state(nego, NEGO_STATE_RDP);
593 else
594 nego_set_state(nego, NEGO_STATE_FAIL);
595 }
596}
597
598static void nego_attempt_ext(rdpNego* nego)
599{
600 WINPR_ASSERT(nego);
601 nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL | PROTOCOL_HYBRID_EX;
602 WLog_Print(nego->log, WLOG_DEBUG, "Attempting NLA extended security");
603
604 if (!nego_transport_connect(nego))
605 {
606 nego_set_state(nego, NEGO_STATE_FAIL);
607 return;
608 }
609
610 if (!nego_send_negotiation_request(nego))
611 {
612 nego_set_state(nego, NEGO_STATE_FAIL);
613 return;
614 }
615
616 if (!nego_recv_response(nego))
617 {
618 nego_set_state(nego, NEGO_STATE_FAIL);
619 return;
620 }
621
622 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
623
624 if (nego_get_state(nego) != NEGO_STATE_FINAL)
625 {
626 nego_transport_disconnect(nego);
627
628 if (nego->EnabledProtocols[PROTOCOL_HYBRID])
629 nego_set_state(nego, NEGO_STATE_NLA);
630 else if (nego->EnabledProtocols[PROTOCOL_SSL])
631 nego_set_state(nego, NEGO_STATE_TLS);
632 else if (nego->EnabledProtocols[PROTOCOL_RDP])
633 nego_set_state(nego, NEGO_STATE_RDP);
634 else
635 nego_set_state(nego, NEGO_STATE_FAIL);
636 }
637}
638
639static void nego_attempt_nla(rdpNego* nego)
640{
641 WINPR_ASSERT(nego);
642 nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL;
643 WLog_Print(nego->log, WLOG_DEBUG, "Attempting NLA security");
644
645 if (!nego_transport_connect(nego))
646 {
647 nego_set_state(nego, NEGO_STATE_FAIL);
648 return;
649 }
650
651 if (!nego_send_negotiation_request(nego))
652 {
653 nego_set_state(nego, NEGO_STATE_FAIL);
654 return;
655 }
656
657 if (!nego_recv_response(nego))
658 {
659 nego_set_state(nego, NEGO_STATE_FAIL);
660 return;
661 }
662
663 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
664
665 if (nego_get_state(nego) != NEGO_STATE_FINAL)
666 {
667 nego_transport_disconnect(nego);
668
669 if (nego->EnabledProtocols[PROTOCOL_SSL])
670 nego_set_state(nego, NEGO_STATE_TLS);
671 else if (nego->EnabledProtocols[PROTOCOL_RDP])
672 nego_set_state(nego, NEGO_STATE_RDP);
673 else
674 nego_set_state(nego, NEGO_STATE_FAIL);
675 }
676}
677
678static void nego_attempt_tls(rdpNego* nego)
679{
680 WINPR_ASSERT(nego);
681 nego->RequestedProtocols = PROTOCOL_SSL;
682 WLog_Print(nego->log, WLOG_DEBUG, "Attempting TLS security");
683
684 if (!nego_transport_connect(nego))
685 {
686 nego_set_state(nego, NEGO_STATE_FAIL);
687 return;
688 }
689
690 if (!nego_send_negotiation_request(nego))
691 {
692 nego_set_state(nego, NEGO_STATE_FAIL);
693 return;
694 }
695
696 if (!nego_recv_response(nego))
697 {
698 nego_set_state(nego, NEGO_STATE_FAIL);
699 return;
700 }
701
702 if (nego_get_state(nego) != NEGO_STATE_FINAL)
703 {
704 nego_transport_disconnect(nego);
705
706 if (nego->EnabledProtocols[PROTOCOL_RDP])
707 nego_set_state(nego, NEGO_STATE_RDP);
708 else
709 nego_set_state(nego, NEGO_STATE_FAIL);
710 }
711}
712
713static void nego_attempt_rdp(rdpNego* nego)
714{
715 WINPR_ASSERT(nego);
716 nego->RequestedProtocols = PROTOCOL_RDP;
717 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDP security");
718
719 if (!nego_transport_connect(nego))
720 {
721 nego_set_state(nego, NEGO_STATE_FAIL);
722 return;
723 }
724
725 if (!nego_send_negotiation_request(nego))
726 {
727 nego_set_state(nego, NEGO_STATE_FAIL);
728 return;
729 }
730
731 if (!nego_recv_response(nego))
732 {
733 nego_set_state(nego, NEGO_STATE_FAIL);
734 return;
735 }
736}
737
746BOOL nego_recv_response(rdpNego* nego)
747{
748 int status = 0;
749 wStream* s = NULL;
750
751 WINPR_ASSERT(nego);
752 s = Stream_New(NULL, 1024);
753
754 if (!s)
755 {
756 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
757 return FALSE;
758 }
759
760 status = transport_read_pdu(nego->transport, s);
761
762 if (status < 0)
763 {
764 Stream_Free(s, TRUE);
765 return FALSE;
766 }
767
768 status = nego_recv(nego->transport, s, nego);
769 Stream_Free(s, TRUE);
770
771 if (status < 0)
772 return FALSE;
773
774 return TRUE;
775}
776
788int nego_recv(WINPR_ATTR_UNUSED rdpTransport* transport, wStream* s, void* extra)
789{
790 BYTE li = 0;
791 BYTE type = 0;
792 UINT16 length = 0;
793 rdpNego* nego = (rdpNego*)extra;
794
795 WINPR_ASSERT(nego);
796 if (!tpkt_read_header(s, &length))
797 return -1;
798
799 if (!tpdu_read_connection_confirm(s, &li, length))
800 return -1;
801
802 if (li > 6)
803 {
804 /* rdpNegData (optional) */
805 Stream_Read_UINT8(s, type); /* Type */
806
807 switch (type)
808 {
809 case TYPE_RDP_NEG_RSP:
810 if (!nego_process_negotiation_response(nego, s))
811 return -1;
812 {
813 char buffer[64] = { 0 };
814 WLog_Print(
815 nego->log, WLOG_DEBUG, "selected_protocol: %s",
816 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
817 }
818
819 /* enhanced security selected ? */
820
821 if (nego->SelectedProtocol)
822 {
823 if ((nego->SelectedProtocol == PROTOCOL_RDSAAD) &&
824 (!nego->EnabledProtocols[PROTOCOL_RDSAAD]))
825 {
826 nego_set_state(nego, NEGO_STATE_FAIL);
827 }
828 if ((nego->SelectedProtocol == PROTOCOL_HYBRID) &&
829 (!nego->EnabledProtocols[PROTOCOL_HYBRID]))
830 {
831 nego_set_state(nego, NEGO_STATE_FAIL);
832 }
833
834 if ((nego->SelectedProtocol == PROTOCOL_SSL) &&
835 (!nego->EnabledProtocols[PROTOCOL_SSL]))
836 {
837 nego_set_state(nego, NEGO_STATE_FAIL);
838 }
839 }
840 else if (!nego->EnabledProtocols[PROTOCOL_RDP])
841 {
842 nego_set_state(nego, NEGO_STATE_FAIL);
843 }
844
845 break;
846
847 case TYPE_RDP_NEG_FAILURE:
848 if (!nego_process_negotiation_failure(nego, s))
849 return -1;
850 break;
851 default:
852 return -1;
853 }
854 }
855 else if (li == 6)
856 {
857 WLog_Print(nego->log, WLOG_DEBUG, "no rdpNegData");
858
859 if (!nego->EnabledProtocols[PROTOCOL_RDP])
860 nego_set_state(nego, NEGO_STATE_FAIL);
861 else
862 nego_set_state(nego, NEGO_STATE_FINAL);
863 }
864 else
865 {
866 WLog_Print(nego->log, WLOG_ERROR, "invalid negotiation response");
867 nego_set_state(nego, NEGO_STATE_FAIL);
868 }
869
870 if (!tpkt_ensure_stream_consumed(nego->log, s, length))
871 return -1;
872 return 0;
873}
874
880static BOOL nego_read_request_token_or_cookie(rdpNego* nego, wStream* s)
881{
882 /* routingToken and cookie are optional and mutually exclusive!
883 *
884 * routingToken (variable): An optional and variable-length routing
885 * token (used for load balancing) terminated by a 0x0D0A two-byte
886 * sequence: (check [MSFT-SDLBTS] for details!)
887 * Cookie:[space]msts=[ip address].[port].[reserved][\x0D\x0A]
888 * tsv://MS Terminal Services Plugin.1.[\x0D\x0A]
889 *
890 * cookie (variable): An optional and variable-length ANSI character
891 * string terminated by a 0x0D0A two-byte sequence:
892 * Cookie:[space]mstshash=[ANSISTRING][\x0D\x0A]
893 */
894 UINT16 crlf = 0;
895 BOOL result = FALSE;
896 BOOL isToken = FALSE;
897 size_t remain = Stream_GetRemainingLength(s);
898
899 WINPR_ASSERT(nego);
900
901 const char* str = Stream_ConstPointer(s);
902 const size_t pos = Stream_GetPosition(s);
903
904 /* minimum length for token is 15 */
905 if (remain < 15)
906 return TRUE;
907
908 if (memcmp(Stream_ConstPointer(s), "Cookie: mstshash=", 17) != 0)
909 {
910 if (memcmp(Stream_ConstPointer(s), "Cookie: msts=", 13) != 0)
911 {
912 if (memcmp(Stream_ConstPointer(s), "tsv:", 4) != 0)
913 {
914 if (memcmp(Stream_ConstPointer(s), "mth://", 6) != 0)
915 {
916 /* remaining bytes are neither a token nor a cookie */
917 return TRUE;
918 }
919 }
920 }
921 isToken = TRUE;
922 }
923 else
924 {
925 /* not a token, minimum length for cookie is 19 */
926 if (remain < 19)
927 return TRUE;
928
929 Stream_Seek(s, 17);
930 }
931
932 while (Stream_GetRemainingLength(s) >= 2)
933 {
934 Stream_Read_UINT16(s, crlf);
935
936 if (crlf == 0x0A0D)
937 break;
938
939 Stream_Rewind(s, 1);
940 }
941
942 if (crlf == 0x0A0D)
943 {
944 Stream_Rewind(s, 2);
945 const size_t len = Stream_GetPosition(s) - pos;
946 Stream_Write_UINT16(s, 0);
947
948 if (len > UINT32_MAX)
949 return FALSE;
950
951 if (strnlen(str, len) == len)
952 {
953 if (isToken)
954 result = nego_set_routing_token(nego, str, (UINT32)len);
955 else
956 result = nego_set_cookie(nego, str);
957 }
958 }
959
960 if (!result)
961 {
962 Stream_SetPosition(s, pos);
963 WLog_Print(nego->log, WLOG_ERROR, "invalid %s received",
964 isToken ? "routing token" : "cookie");
965 }
966 else
967 {
968 WLog_Print(nego->log, WLOG_DEBUG, "received %s [%s]", isToken ? "routing token" : "cookie",
969 str);
970 }
971
972 return result;
973}
974
984BOOL nego_read_request(rdpNego* nego, wStream* s)
985{
986 BYTE li = 0;
987 BYTE type = 0;
988 UINT16 length = 0;
989
990 WINPR_ASSERT(nego);
991 WINPR_ASSERT(s);
992
993 if (!tpkt_read_header(s, &length))
994 return FALSE;
995
996 if (!tpdu_read_connection_request(s, &li, length))
997 return FALSE;
998
999 if (li != Stream_GetRemainingLength(s) + 6)
1000 {
1001 WLog_Print(nego->log, WLOG_ERROR, "Incorrect TPDU length indicator.");
1002 return FALSE;
1003 }
1004
1005 if (!nego_read_request_token_or_cookie(nego, s))
1006 {
1007 WLog_Print(nego->log, WLOG_ERROR, "Failed to parse routing token or cookie.");
1008 return FALSE;
1009 }
1010
1011 if (Stream_GetRemainingLength(s) >= 8)
1012 {
1013 /* rdpNegData (optional) */
1014 Stream_Read_UINT8(s, type); /* Type */
1015
1016 if (type != TYPE_RDP_NEG_REQ)
1017 {
1018 WLog_Print(nego->log, WLOG_ERROR, "Incorrect negotiation request type %" PRIu8 "",
1019 type);
1020 return FALSE;
1021 }
1022
1023 if (!nego_process_negotiation_request(nego, s))
1024 return FALSE;
1025 }
1026
1027 return tpkt_ensure_stream_consumed(nego->log, s, length);
1028}
1029
1036void nego_send(rdpNego* nego)
1037{
1038 WINPR_ASSERT(nego);
1039
1040 switch (nego_get_state(nego))
1041 {
1042 case NEGO_STATE_AAD:
1043 nego_attempt_rdsaad(nego);
1044 break;
1045 case NEGO_STATE_RDSTLS:
1046 nego_attempt_rdstls(nego);
1047 break;
1048 case NEGO_STATE_EXT:
1049 nego_attempt_ext(nego);
1050 break;
1051 case NEGO_STATE_NLA:
1052 nego_attempt_nla(nego);
1053 break;
1054 case NEGO_STATE_TLS:
1055 nego_attempt_tls(nego);
1056 break;
1057 case NEGO_STATE_RDP:
1058 nego_attempt_rdp(nego);
1059 break;
1060 default:
1061 WLog_Print(nego->log, WLOG_ERROR, "invalid negotiation state for sending");
1062 break;
1063 }
1064}
1065
1076BOOL nego_send_negotiation_request(rdpNego* nego)
1077{
1078 BOOL rc = FALSE;
1079 wStream* s = NULL;
1080 size_t length = 0;
1081 size_t bm = 0;
1082 size_t em = 0;
1083 BYTE flags = 0;
1084 size_t cookie_length = 0;
1085 s = Stream_New(NULL, 512);
1086
1087 WINPR_ASSERT(nego);
1088 if (!s)
1089 {
1090 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
1091 return FALSE;
1092 }
1093
1094 length = TPDU_CONNECTION_REQUEST_LENGTH;
1095 bm = Stream_GetPosition(s);
1096 Stream_Seek(s, length);
1097
1098 if (nego->RoutingToken)
1099 {
1100 Stream_Write(s, nego->RoutingToken, nego->RoutingTokenLength);
1101
1102 /* Ensure Routing Token is correctly terminated - may already be present in string */
1103
1104 if ((nego->RoutingTokenLength > 2) &&
1105 (nego->RoutingToken[nego->RoutingTokenLength - 2] == 0x0D) &&
1106 (nego->RoutingToken[nego->RoutingTokenLength - 1] == 0x0A))
1107 {
1108 WLog_Print(nego->log, WLOG_DEBUG,
1109 "Routing token looks correctly terminated - use verbatim");
1110 length += nego->RoutingTokenLength;
1111 }
1112 else
1113 {
1114 WLog_Print(nego->log, WLOG_DEBUG, "Adding terminating CRLF to routing token");
1115 Stream_Write_UINT8(s, 0x0D); /* CR */
1116 Stream_Write_UINT8(s, 0x0A); /* LF */
1117 length += nego->RoutingTokenLength + 2;
1118 }
1119 }
1120 else if (nego->cookie)
1121 {
1122 cookie_length = strlen(nego->cookie);
1123
1124 if (cookie_length > nego->CookieMaxLength)
1125 cookie_length = nego->CookieMaxLength;
1126
1127 Stream_Write(s, "Cookie: mstshash=", 17);
1128 Stream_Write(s, (BYTE*)nego->cookie, cookie_length);
1129 Stream_Write_UINT8(s, 0x0D); /* CR */
1130 Stream_Write_UINT8(s, 0x0A); /* LF */
1131 length += cookie_length + 19;
1132 }
1133
1134 {
1135 char buffer[64] = { 0 };
1136 WLog_Print(nego->log, WLOG_DEBUG, "RequestedProtocols: %s",
1137 nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
1138 }
1139
1140 if ((nego->RequestedProtocols > PROTOCOL_RDP) || (nego->sendNegoData))
1141 {
1142 /* RDP_NEG_DATA must be present for TLS and NLA */
1143 if (nego->RestrictedAdminModeRequired)
1144 flags |= RESTRICTED_ADMIN_MODE_REQUIRED;
1145
1146 if (nego->RemoteCredsGuardRequired)
1147 flags |= REDIRECTED_AUTHENTICATION_MODE_REQUIRED;
1148
1149 Stream_Write_UINT8(s, TYPE_RDP_NEG_REQ);
1150 Stream_Write_UINT8(s, flags);
1151 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1152 Stream_Write_UINT32(s, nego->RequestedProtocols); /* requestedProtocols */
1153 length += 8;
1154 }
1155
1156 if (length > UINT16_MAX)
1157 goto fail;
1158
1159 em = Stream_GetPosition(s);
1160 Stream_SetPosition(s, bm);
1161 if (!tpkt_write_header(s, (UINT16)length))
1162 goto fail;
1163 if (!tpdu_write_connection_request(s, (UINT16)length - 5))
1164 goto fail;
1165 Stream_SetPosition(s, em);
1166 Stream_SealLength(s);
1167 rc = (transport_write(nego->transport, s) >= 0);
1168fail:
1169 Stream_Free(s, TRUE);
1170 return rc;
1171}
1172
1173static BOOL nego_process_correlation_info(WINPR_ATTR_UNUSED rdpNego* nego, wStream* s)
1174{
1175 UINT8 type = 0;
1176 UINT8 flags = 0;
1177 UINT16 length = 0;
1178 BYTE correlationId[16] = { 0 };
1179
1180 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 36))
1181 {
1182 WLog_Print(nego->log, WLOG_ERROR,
1183 "RDP_NEG_REQ::flags CORRELATION_INFO_PRESENT but data is missing");
1184 return FALSE;
1185 }
1186
1187 Stream_Read_UINT8(s, type);
1188 if (type != TYPE_RDP_CORRELATION_INFO)
1189 {
1190 WLog_Print(nego->log, WLOG_ERROR,
1191 "(RDP_NEG_CORRELATION_INFO::type != TYPE_RDP_CORRELATION_INFO");
1192 return FALSE;
1193 }
1194 Stream_Read_UINT8(s, flags);
1195 if (flags != 0)
1196 {
1197 WLog_Print(nego->log, WLOG_ERROR, "(RDP_NEG_CORRELATION_INFO::flags != 0");
1198 return FALSE;
1199 }
1200 Stream_Read_UINT16(s, length);
1201 if (length != 36)
1202 {
1203 WLog_Print(nego->log, WLOG_ERROR, "(RDP_NEG_CORRELATION_INFO::length != 36");
1204 return FALSE;
1205 }
1206
1207 Stream_Read(s, correlationId, sizeof(correlationId));
1208 if ((correlationId[0] == 0x00) || (correlationId[0] == 0xF4))
1209 {
1210 WLog_Print(nego->log, WLOG_ERROR,
1211 "(RDP_NEG_CORRELATION_INFO::correlationId[0] has invalid value 0x%02" PRIx8,
1212 correlationId[0]);
1213 return FALSE;
1214 }
1215 for (size_t x = 0; x < ARRAYSIZE(correlationId); x++)
1216 {
1217 if (correlationId[x] == 0x0D)
1218 {
1219 WLog_Print(nego->log, WLOG_ERROR,
1220 "(RDP_NEG_CORRELATION_INFO::correlationId[%" PRIuz
1221 "] has invalid value 0x%02" PRIx8,
1222 x, correlationId[x]);
1223 return FALSE;
1224 }
1225 }
1226 Stream_Seek(s, 16); /* skip reserved bytes */
1227
1228 WLog_Print(nego->log, WLOG_INFO,
1229 "RDP_NEG_CORRELATION_INFO::correlationId = { %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1230 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1231 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1232 ", %02" PRIx8 " }",
1233 correlationId[0], correlationId[1], correlationId[2], correlationId[3],
1234 correlationId[4], correlationId[5], correlationId[6], correlationId[7],
1235 correlationId[8], correlationId[9], correlationId[10], correlationId[11],
1236 correlationId[12], correlationId[13], correlationId[14], correlationId[15]);
1237 return TRUE;
1238}
1239
1240BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
1241{
1242 BYTE flags = 0;
1243 UINT16 length = 0;
1244
1245 WINPR_ASSERT(nego);
1246 WINPR_ASSERT(s);
1247
1248 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1249 return FALSE;
1250 Stream_Read_UINT8(s, flags);
1251 if ((flags & ~(RESTRICTED_ADMIN_MODE_REQUIRED | REDIRECTED_AUTHENTICATION_MODE_REQUIRED |
1252 CORRELATION_INFO_PRESENT)) != 0)
1253 {
1254 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_REQ::flags invalid value 0x%02" PRIx8, flags);
1255 return FALSE;
1256 }
1257 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
1258 {
1259 if (nego->RestrictedAdminModeSupported)
1260 {
1261 WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
1262 }
1263 else
1264 {
1265 WLog_Print(nego->log, WLOG_ERROR,
1266 "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED but disabled");
1267 return FALSE;
1268 }
1269 }
1270
1271 if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
1272 {
1273 if (nego->RemoteCredsGuardSupported)
1274 {
1275 WLog_Print(nego->log, WLOG_INFO,
1276 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED");
1277 nego->RemoteCredsGuardActive = TRUE;
1278 }
1279 else
1280 {
1281 /* If both RESTRICTED_ADMIN_MODE_REQUIRED and REDIRECTED_AUTHENTICATION_MODE_REQUIRED
1282 * are set, it means one or the other. In this case, don't fail if Remote Guard isn't
1283 * available. */
1284 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
1285 {
1286 WLog_Print(nego->log, WLOG_INFO,
1287 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED ignored.");
1288 }
1289 else
1290 {
1291 WLog_Print(
1292 nego->log, WLOG_ERROR,
1293 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED but disabled");
1294 return FALSE;
1295 }
1296 }
1297 }
1298
1299 Stream_Read_UINT16(s, length);
1300 if (length != 8)
1301 {
1302 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_REQ::length != 8");
1303 return FALSE;
1304 }
1305 Stream_Read_UINT32(s, nego->RequestedProtocols);
1306
1307 if (flags & CORRELATION_INFO_PRESENT)
1308 {
1309 if (!nego_process_correlation_info(nego, s))
1310 return FALSE;
1311 }
1312
1313 {
1314 char buffer[64] = { 0 };
1315 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_REQ: RequestedProtocol: %s",
1316 nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
1317 }
1318 nego_set_state(nego, NEGO_STATE_FINAL);
1319 return TRUE;
1320}
1321
1322static const char* nego_rdp_neg_rsp_flags_str(UINT32 flags)
1323{
1324 const uint32_t mask =
1325 (EXTENDED_CLIENT_DATA_SUPPORTED | DYNVC_GFX_PROTOCOL_SUPPORTED | RDP_NEGRSP_RESERVED |
1326 RESTRICTED_ADMIN_MODE_SUPPORTED | REDIRECTED_AUTHENTICATION_MODE_SUPPORTED);
1327 static char buffer[1024] = { 0 };
1328
1329 (void)_snprintf(buffer, ARRAYSIZE(buffer), "[0x%02" PRIx32 "] ", flags);
1330 if (flags & EXTENDED_CLIENT_DATA_SUPPORTED)
1331 winpr_str_append("EXTENDED_CLIENT_DATA_SUPPORTED", buffer, sizeof(buffer), "|");
1332 if (flags & DYNVC_GFX_PROTOCOL_SUPPORTED)
1333 winpr_str_append("DYNVC_GFX_PROTOCOL_SUPPORTED", buffer, sizeof(buffer), "|");
1334 if (flags & RDP_NEGRSP_RESERVED)
1335 winpr_str_append("RDP_NEGRSP_RESERVED", buffer, sizeof(buffer), "|");
1336 if (flags & RESTRICTED_ADMIN_MODE_SUPPORTED)
1337 winpr_str_append("RESTRICTED_ADMIN_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
1338 if (flags & REDIRECTED_AUTHENTICATION_MODE_SUPPORTED)
1339 winpr_str_append("REDIRECTED_AUTHENTICATION_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
1340 if (flags & ~mask)
1341 {
1342 char buffer2[32] = { 0 };
1343 (void)_snprintf(buffer2, sizeof(buffer2), "UNKNOWN[0x%04" PRIx32 "]", flags & ~mask);
1344 winpr_str_append(buffer2, buffer, sizeof(buffer), "|");
1345 }
1346
1347 return buffer;
1348}
1349
1350BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s)
1351{
1352 UINT16 length = 0;
1353
1354 WINPR_ASSERT(nego);
1355 WINPR_ASSERT(s);
1356
1357 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1358 {
1359 nego_set_state(nego, NEGO_STATE_FAIL);
1360 return FALSE;
1361 }
1362
1363 Stream_Read_UINT8(s, nego->flags);
1364 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_RSP::flags = { %s }",
1365 nego_rdp_neg_rsp_flags_str(nego->flags));
1366
1367 Stream_Read_UINT16(s, length);
1368 if (length != 8)
1369 {
1370 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_RSP::length != 8");
1371 nego_set_state(nego, NEGO_STATE_FAIL);
1372 return FALSE;
1373 }
1374 UINT32 SelectedProtocol = 0;
1375 Stream_Read_UINT32(s, SelectedProtocol);
1376
1377 if (!nego_set_selected_protocol(nego, SelectedProtocol))
1378 return FALSE;
1379 return nego_set_state(nego, NEGO_STATE_FINAL);
1380}
1381
1382static const char* nego_rdp_neg_fail_str(uint32_t what)
1383{
1384 switch (what)
1385 {
1386 case SSL_REQUIRED_BY_SERVER:
1387 return "SSL_REQUIRED_BY_SERVER";
1388 case SSL_NOT_ALLOWED_BY_SERVER:
1389 return "SSL_NOT_ALLOWED_BY_SERVER";
1390 case SSL_CERT_NOT_ON_SERVER:
1391 return "SSL_CERT_NOT_ON_SERVER";
1392 case INCONSISTENT_FLAGS:
1393 return "INCONSISTENT_FLAGS";
1394 case HYBRID_REQUIRED_BY_SERVER:
1395 return "HYBRID_REQUIRED_BY_SERVER";
1396 case SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER:
1397 return "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER";
1398 default:
1399 return "UNKNOWN";
1400 }
1401}
1402
1411BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s)
1412{
1413 BYTE flags = 0;
1414 UINT16 length = 0;
1415
1416 WINPR_ASSERT(nego);
1417 WINPR_ASSERT(s);
1418
1419 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_FAILURE");
1420 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1421 return FALSE;
1422
1423 Stream_Read_UINT8(s, flags);
1424 if (flags != 0)
1425 {
1426 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_FAILURE::flags = 0x%02" PRIx8, flags);
1427 return FALSE;
1428 }
1429 Stream_Read_UINT16(s, length);
1430 if (length != 8)
1431 {
1432 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_FAILURE::length != 8");
1433 return FALSE;
1434 }
1435 const uint32_t failureCode = Stream_Get_UINT32(s);
1436 const char* failureStr = nego_rdp_neg_fail_str(failureCode);
1437 DWORD level = WLOG_WARN;
1438 switch (failureCode)
1439 {
1440 case SSL_REQUIRED_BY_SERVER:
1441 break;
1442
1443 case SSL_NOT_ALLOWED_BY_SERVER:
1444 nego->sendNegoData = TRUE;
1445 break;
1446
1447 case SSL_CERT_NOT_ON_SERVER:
1448 level = WLOG_ERROR;
1449 nego->sendNegoData = TRUE;
1450 break;
1451
1452 case INCONSISTENT_FLAGS:
1453 level = WLOG_ERROR;
1454 break;
1455
1456 case HYBRID_REQUIRED_BY_SERVER:
1457 break;
1458
1459 default:
1460 level = WLOG_ERROR;
1461 break;
1462 }
1463
1464 WLog_Print(nego->log, level, "Error: %s [0x%08" PRIx32 "]", failureStr, failureCode);
1465 nego_set_state(nego, NEGO_STATE_FAIL);
1466 return TRUE;
1467}
1468
1474BOOL nego_send_negotiation_response(rdpNego* nego)
1475{
1476 UINT16 length = 0;
1477 size_t bm = 0;
1478 size_t em = 0;
1479 BOOL status = 0;
1480 wStream* s = NULL;
1481 BYTE flags = 0;
1482 rdpContext* context = NULL;
1483 rdpSettings* settings = NULL;
1484
1485 WINPR_ASSERT(nego);
1486 context = transport_get_context(nego->transport);
1487 WINPR_ASSERT(context);
1488
1489 settings = context->settings;
1490 WINPR_ASSERT(settings);
1491
1492 s = Stream_New(NULL, 512);
1493
1494 if (!s)
1495 {
1496 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
1497 return FALSE;
1498 }
1499
1500 length = TPDU_CONNECTION_CONFIRM_LENGTH;
1501 bm = Stream_GetPosition(s);
1502 Stream_Seek(s, length);
1503
1504 if (nego->SelectedProtocol & PROTOCOL_FAILED_NEGO)
1505 {
1506 UINT32 errorCode = (nego->SelectedProtocol & ~PROTOCOL_FAILED_NEGO);
1507 flags = 0;
1508 Stream_Write_UINT8(s, TYPE_RDP_NEG_FAILURE);
1509 Stream_Write_UINT8(s, flags); /* flags */
1510 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1511 Stream_Write_UINT32(s, errorCode);
1512 length += 8;
1513 }
1514 else
1515 {
1516 flags = EXTENDED_CLIENT_DATA_SUPPORTED;
1517
1518 if (freerdp_settings_get_bool(settings, FreeRDP_SupportGraphicsPipeline))
1519 flags |= DYNVC_GFX_PROTOCOL_SUPPORTED;
1520
1521 if (nego->RestrictedAdminModeSupported)
1522 flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
1523
1524 if (nego->RemoteCredsGuardSupported)
1525 flags |= REDIRECTED_AUTHENTICATION_MODE_SUPPORTED;
1526
1527 /* RDP_NEG_DATA must be present for TLS, NLA, RDP and RDSTLS */
1528 Stream_Write_UINT8(s, TYPE_RDP_NEG_RSP);
1529 Stream_Write_UINT8(s, flags); /* flags */
1530 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1531 Stream_Write_UINT32(s, nego->SelectedProtocol); /* selectedProtocol */
1532 length += 8;
1533 }
1534
1535 em = Stream_GetPosition(s);
1536 Stream_SetPosition(s, bm);
1537 status = tpkt_write_header(s, length);
1538 if (status)
1539 {
1540 tpdu_write_connection_confirm(s, length - 5);
1541 Stream_SetPosition(s, em);
1542 Stream_SealLength(s);
1543
1544 status = (transport_write(nego->transport, s) >= 0);
1545 }
1546 Stream_Free(s, TRUE);
1547
1548 if (status)
1549 {
1550 /* update settings with negotiated protocol security */
1551 if (!freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
1552 nego->RequestedProtocols))
1553 return FALSE;
1554 if (!freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
1555 nego->SelectedProtocol))
1556 return FALSE;
1557
1558 switch (nego->SelectedProtocol)
1559 {
1560 case PROTOCOL_RDP:
1561 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE))
1562 return FALSE;
1563 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1564 return FALSE;
1565 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, TRUE))
1566 return FALSE;
1567 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
1568 return FALSE;
1569
1570 if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionLevel) ==
1571 ENCRYPTION_LEVEL_NONE)
1572 {
1577 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1578 ENCRYPTION_LEVEL_CLIENT_COMPATIBLE))
1579 return FALSE;
1580 }
1581
1582 if (freerdp_settings_get_bool(settings, FreeRDP_LocalConnection))
1583 {
1590 WLog_Print(nego->log, WLOG_INFO,
1591 "Turning off encryption for local peer with standard rdp security");
1592 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1593 return FALSE;
1594 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1595 ENCRYPTION_LEVEL_NONE))
1596 return FALSE;
1597 }
1598 else if (!freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey))
1599 {
1600 WLog_Print(nego->log, WLOG_ERROR, "Missing server certificate");
1601 return FALSE;
1602 }
1603 break;
1604 case PROTOCOL_SSL:
1605 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1606 return FALSE;
1607 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1608 return FALSE;
1609 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
1610 return FALSE;
1611 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1612 return FALSE;
1613 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1614 return FALSE;
1615
1616 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1617 ENCRYPTION_LEVEL_NONE))
1618 return FALSE;
1619 break;
1620 case PROTOCOL_HYBRID:
1621 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1622 return FALSE;
1623 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE))
1624 return FALSE;
1625 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
1626 return FALSE;
1627 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1628 return FALSE;
1629 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1630 return FALSE;
1631
1632 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1633 ENCRYPTION_LEVEL_NONE))
1634 return FALSE;
1635 break;
1636 case PROTOCOL_RDSTLS:
1637 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1638 return FALSE;
1639 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1640 return FALSE;
1641 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, TRUE))
1642 return FALSE;
1643 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1644 return FALSE;
1645 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1646 return FALSE;
1647
1648 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1649 ENCRYPTION_LEVEL_NONE))
1650 return FALSE;
1651 break;
1652 default:
1653 break;
1654 }
1655 }
1656
1657 return status;
1658}
1659
1665void nego_init(rdpNego* nego)
1666{
1667 WINPR_ASSERT(nego);
1668 nego_set_state(nego, NEGO_STATE_INITIAL);
1669 nego->RequestedProtocols = PROTOCOL_RDP;
1670 nego->CookieMaxLength = DEFAULT_COOKIE_MAX_LENGTH;
1671 nego->sendNegoData = FALSE;
1672 nego->flags = 0;
1673}
1674
1683rdpNego* nego_new(rdpTransport* transport)
1684{
1685 rdpNego* nego = (rdpNego*)calloc(1, sizeof(rdpNego));
1686
1687 if (!nego)
1688 return NULL;
1689
1690 nego->log = WLog_Get(NEGO_TAG);
1691 WINPR_ASSERT(nego->log);
1692 nego->transport = transport;
1693 nego_init(nego);
1694 return nego;
1695}
1696
1702void nego_free(rdpNego* nego)
1703{
1704 if (nego)
1705 {
1706 free(nego->RoutingToken);
1707 free(nego->cookie);
1708 free(nego);
1709 }
1710}
1711
1721BOOL nego_set_target(rdpNego* nego, const char* hostname, UINT16 port)
1722{
1723 if (!nego || !hostname)
1724 return FALSE;
1725
1726 nego->hostname = hostname;
1727 nego->port = port;
1728 return TRUE;
1729}
1730
1738void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer)
1739{
1740 WLog_Print(nego->log, WLOG_DEBUG, "Enabling security layer negotiation: %s",
1741 NegotiateSecurityLayer ? "TRUE" : "FALSE");
1742 nego->NegotiateSecurityLayer = NegotiateSecurityLayer;
1743}
1744
1752void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdminModeRequired)
1753{
1754 WLog_Print(nego->log, WLOG_DEBUG, "Enabling restricted admin mode: %s",
1755 RestrictedAdminModeRequired ? "TRUE" : "FALSE");
1756 nego->RestrictedAdminModeRequired = RestrictedAdminModeRequired;
1757}
1758
1759void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled)
1760{
1761 WINPR_ASSERT(nego);
1762
1763 nego->RestrictedAdminModeSupported = enabled;
1764}
1765
1766void nego_set_RCG_required(rdpNego* nego, BOOL enabled)
1767{
1768 WINPR_ASSERT(nego);
1769
1770 WLog_Print(nego->log, WLOG_DEBUG, "Enabling remoteCredentialGuards: %s",
1771 enabled ? "TRUE" : "FALSE");
1772 nego->RemoteCredsGuardRequired = enabled;
1773}
1774
1775void nego_set_RCG_supported(rdpNego* nego, BOOL enabled)
1776{
1777 WINPR_ASSERT(nego);
1778
1779 nego->RemoteCredsGuardSupported = enabled;
1780}
1781
1782BOOL nego_get_remoteCredentialGuard(const rdpNego* nego)
1783{
1784 WINPR_ASSERT(nego);
1785
1786 return nego->RemoteCredsGuardActive;
1787}
1788
1789void nego_set_childsession_enabled(rdpNego* nego, BOOL ChildSessionEnabled)
1790{
1791 WINPR_ASSERT(nego);
1792 nego->ConnectChildSession = ChildSessionEnabled;
1793}
1794
1795void nego_set_gateway_enabled(rdpNego* nego, BOOL GatewayEnabled)
1796{
1797 nego->GatewayEnabled = GatewayEnabled;
1798}
1799
1800void nego_set_gateway_bypass_local(rdpNego* nego, BOOL GatewayBypassLocal)
1801{
1802 nego->GatewayBypassLocal = GatewayBypassLocal;
1803}
1804
1811void nego_enable_rdp(rdpNego* nego, BOOL enable_rdp)
1812{
1813 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDP security: %s", enable_rdp ? "TRUE" : "FALSE");
1814 nego->EnabledProtocols[PROTOCOL_RDP] = enable_rdp;
1815}
1816
1823void nego_enable_tls(rdpNego* nego, BOOL enable_tls)
1824{
1825 WLog_Print(nego->log, WLOG_DEBUG, "Enabling TLS security: %s", enable_tls ? "TRUE" : "FALSE");
1826 nego->EnabledProtocols[PROTOCOL_SSL] = enable_tls;
1827}
1828
1836void nego_enable_nla(rdpNego* nego, BOOL enable_nla)
1837{
1838 WLog_Print(nego->log, WLOG_DEBUG, "Enabling NLA security: %s", enable_nla ? "TRUE" : "FALSE");
1839 nego->EnabledProtocols[PROTOCOL_HYBRID] = enable_nla;
1840}
1841
1849void nego_enable_rdstls(rdpNego* nego, BOOL enable_rdstls)
1850{
1851 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDSTLS security: %s",
1852 enable_rdstls ? "TRUE" : "FALSE");
1853 nego->EnabledProtocols[PROTOCOL_RDSTLS] = enable_rdstls;
1854}
1855
1863void nego_enable_ext(rdpNego* nego, BOOL enable_ext)
1864{
1865 WLog_Print(nego->log, WLOG_DEBUG, "Enabling NLA extended security: %s",
1866 enable_ext ? "TRUE" : "FALSE");
1867 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = enable_ext;
1868}
1869
1877void nego_enable_aad(rdpNego* nego, BOOL enable_aad)
1878{
1879 WINPR_ASSERT(nego);
1880 if (aad_is_supported())
1881 {
1882 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDS AAD security: %s",
1883 enable_aad ? "TRUE" : "FALSE");
1884 nego->EnabledProtocols[PROTOCOL_RDSAAD] = enable_aad;
1885 }
1886 else
1887 {
1888 WLog_Print(nego->log, WLOG_WARN, "This build does not support AAD security, disabling.");
1889 }
1890}
1891
1901BOOL nego_set_routing_token(rdpNego* nego, const void* RoutingToken, DWORD RoutingTokenLength)
1902{
1903 if (RoutingTokenLength == 0)
1904 return FALSE;
1905
1906 free(nego->RoutingToken);
1907 nego->RoutingTokenLength = RoutingTokenLength;
1908 nego->RoutingToken = (BYTE*)malloc(nego->RoutingTokenLength);
1909
1910 if (!nego->RoutingToken)
1911 return FALSE;
1912
1913 CopyMemory(nego->RoutingToken, RoutingToken, nego->RoutingTokenLength);
1914 return TRUE;
1915}
1916
1925BOOL nego_set_cookie(rdpNego* nego, const char* cookie)
1926{
1927 if (nego->cookie)
1928 {
1929 free(nego->cookie);
1930 nego->cookie = NULL;
1931 }
1932
1933 if (!cookie)
1934 return TRUE;
1935
1936 nego->cookie = _strdup(cookie);
1937
1938 if (!nego->cookie)
1939 return FALSE;
1940
1941 return TRUE;
1942}
1943
1950void nego_set_cookie_max_length(rdpNego* nego, UINT32 CookieMaxLength)
1951{
1952 nego->CookieMaxLength = CookieMaxLength;
1953}
1954
1961void nego_set_send_preconnection_pdu(rdpNego* nego, BOOL SendPreconnectionPdu)
1962{
1963 nego->SendPreconnectionPdu = SendPreconnectionPdu;
1964}
1965
1972void nego_set_preconnection_id(rdpNego* nego, UINT32 PreconnectionId)
1973{
1974 nego->PreconnectionId = PreconnectionId;
1975}
1976
1983void nego_set_preconnection_blob(rdpNego* nego, const char* PreconnectionBlob)
1984{
1985 nego->PreconnectionBlob = PreconnectionBlob;
1986}
1987
1988UINT32 nego_get_selected_protocol(const rdpNego* nego)
1989{
1990 if (!nego)
1991 return 0;
1992
1993 return nego->SelectedProtocol;
1994}
1995
1996BOOL nego_set_selected_protocol(rdpNego* nego, UINT32 SelectedProtocol)
1997{
1998 WINPR_ASSERT(nego);
1999 nego->SelectedProtocol = SelectedProtocol;
2000 return TRUE;
2001}
2002
2003UINT32 nego_get_requested_protocols(const rdpNego* nego)
2004{
2005 if (!nego)
2006 return 0;
2007
2008 return nego->RequestedProtocols;
2009}
2010
2011BOOL nego_set_requested_protocols(rdpNego* nego, UINT32 RequestedProtocols)
2012{
2013 if (!nego)
2014 return FALSE;
2015
2016 nego->RequestedProtocols = RequestedProtocols;
2017 return TRUE;
2018}
2019
2020NEGO_STATE nego_get_state(const rdpNego* nego)
2021{
2022 if (!nego)
2023 return NEGO_STATE_FAIL;
2024
2025 return nego->state;
2026}
2027
2028BOOL nego_set_state(rdpNego* nego, NEGO_STATE state)
2029{
2030 if (!nego)
2031 return FALSE;
2032
2033 nego->state = state;
2034 return TRUE;
2035}
2036
2037SEC_WINNT_AUTH_IDENTITY* nego_get_identity(rdpNego* nego)
2038{
2039 rdpNla* nla = NULL;
2040 if (!nego)
2041 return NULL;
2042
2043 nla = transport_get_nla(nego->transport);
2044 return nla_get_identity(nla);
2045}
2046
2047void nego_free_nla(rdpNego* nego)
2048{
2049 if (!nego || !nego->transport)
2050 return;
2051
2052 transport_set_nla(nego->transport, NULL);
2053}
2054
2055const BYTE* nego_get_routing_token(const rdpNego* nego, DWORD* RoutingTokenLength)
2056{
2057 if (!nego)
2058 return NULL;
2059 if (RoutingTokenLength)
2060 *RoutingTokenLength = nego->RoutingTokenLength;
2061 return nego->RoutingToken;
2062}
2063
2064const char* nego_protocol_to_str(UINT32 protocol, char* buffer, size_t size)
2065{
2066 const UINT32 mask = ~(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS | PROTOCOL_HYBRID_EX |
2067 PROTOCOL_RDSAAD | PROTOCOL_FAILED_NEGO);
2068 char str[48] = { 0 };
2069
2070 if (protocol & PROTOCOL_SSL)
2071 (void)winpr_str_append("SSL", str, sizeof(str), "|");
2072 if (protocol & PROTOCOL_HYBRID)
2073 (void)winpr_str_append("HYBRID", str, sizeof(str), "|");
2074 if (protocol & PROTOCOL_RDSTLS)
2075 (void)winpr_str_append("RDSTLS", str, sizeof(str), "|");
2076 if (protocol & PROTOCOL_HYBRID_EX)
2077 (void)winpr_str_append("HYBRID_EX", str, sizeof(str), "|");
2078 if (protocol & PROTOCOL_RDSAAD)
2079 (void)winpr_str_append("RDSAAD", str, sizeof(str), "|");
2080 if (protocol & PROTOCOL_FAILED_NEGO)
2081 (void)winpr_str_append("NEGO FAILED", str, sizeof(str), "|");
2082
2083 if (protocol == PROTOCOL_RDP)
2084 (void)winpr_str_append("RDP", str, sizeof(str), "");
2085 else if ((protocol & mask) != 0)
2086 (void)winpr_str_append("UNKNOWN", str, sizeof(str), "|");
2087
2088 (void)_snprintf(buffer, size, "[%s][0x%08" PRIx32 "]", str, protocol);
2089 return buffer;
2090}
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
FREERDP_API BOOL freerdp_settings_set_bool(rdpSettings *settings, FreeRDP_Settings_Keys_Bool id, BOOL param)
Sets a BOOL settings value.