FreeRDP
Loading...
Searching...
No Matches
rdg.c
1
20#include <stdint.h>
21
22#include <freerdp/config.h>
23
24#include "../settings.h"
25
26#include <winpr/assert.h>
27#include <winpr/cast.h>
28
29#include <winpr/crt.h>
30#include <winpr/synch.h>
31#include <winpr/print.h>
32#include <winpr/stream.h>
33#include <winpr/winsock.h>
34#include <winpr/cred.h>
35
36#include <freerdp/log.h>
37#include <freerdp/error.h>
38#include <freerdp/utils/ringbuffer.h>
39#include <freerdp/utils/smartcardlogon.h>
40
41#include "rdg.h"
42#include "websocket.h"
43#include "../credssp_auth.h"
44#include "../proxy.h"
45#include "../rdp.h"
46#include "../../crypto/opensslcompat.h"
47#include "rpc_fault.h"
48#include "../utils.h"
49
50#define TAG FREERDP_TAG("core.gateway.rdg")
51
52#define AUTH_PKG NEGO_SSP_NAME
53
54/* HTTP channel response fields present flags. */
55#define HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID 0x1
56#define HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE 0x2
57#define HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT 0x4
58
59/* HTTP extended auth. */
60#define HTTP_EXTENDED_AUTH_NONE 0x0
61#define HTTP_EXTENDED_AUTH_SC 0x1 /* Smart card authentication. */
62#define HTTP_EXTENDED_AUTH_PAA 0x02 /* Pluggable authentication. */
63#define HTTP_EXTENDED_AUTH_SSPI_NTLM 0x04 /* NTLM extended authentication. */
64#define HTTP_EXTENDED_AUTH_BEARER 0x08 /* HTTP Bearer authentication. */
65
66/* HTTP packet types. */
67typedef enum
68{
69 PKT_TYPE_HANDSHAKE_REQUEST = 0x1,
70 PKT_TYPE_HANDSHAKE_RESPONSE = 0x2,
71 PKT_TYPE_EXTENDED_AUTH_MSG = 0x3,
72 PKT_TYPE_TUNNEL_CREATE = 0x4,
73 PKT_TYPE_TUNNEL_RESPONSE = 0x5,
74 PKT_TYPE_TUNNEL_AUTH = 0x6,
75 PKT_TYPE_TUNNEL_AUTH_RESPONSE = 0x7,
76 PKT_TYPE_CHANNEL_CREATE = 0x8,
77 PKT_TYPE_CHANNEL_RESPONSE = 0x9,
78 PKT_TYPE_DATA = 0xA,
79 PKT_TYPE_SERVICE_MESSAGE = 0xB,
80 PKT_TYPE_REAUTH_MESSAGE = 0xC,
81 PKT_TYPE_KEEPALIVE = 0xD,
82 PKT_TYPE_CLOSE_CHANNEL = 0x10,
83 PKT_TYPE_CLOSE_CHANNEL_RESPONSE = 0x11
84} RdgPktType;
85
86/* HTTP tunnel auth fields present flags. */
87// #define HTTP_TUNNEL_AUTH_FIELD_SOH 0x1
88
89/* HTTP tunnel auth response fields present flags. */
90#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS 0x1
91#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT 0x2
92#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE 0x4
93
94/* HTTP tunnel packet fields present flags. */
95#define HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE 0x1
96// #define HTTP_TUNNEL_PACKET_FIELD_REAUTH 0x2
97
98/* HTTP tunnel response fields present flags. */
99#define HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID 0x1
100#define HTTP_TUNNEL_RESPONSE_FIELD_CAPS 0x2
101#define HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ 0x4
102#define HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG 0x10
103
104/* HTTP capability type enumeration. */
105#define HTTP_CAPABILITY_TYPE_QUAR_SOH 0x1
106#define HTTP_CAPABILITY_IDLE_TIMEOUT 0x2
107#define HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN 0x4
108#define HTTP_CAPABILITY_MESSAGING_SERVICE_MSG 0x8
109#define HTTP_CAPABILITY_REAUTH 0x10
110#define HTTP_CAPABILITY_UDP_TRANSPORT 0x20
111
112typedef struct
113{
114 TRANSFER_ENCODING httpTransferEncoding;
115 BOOL isWebsocketTransport;
116 union context
117 {
118 http_encoding_chunked_context chunked;
119 websocket_context* websocket;
120 } context;
121} rdg_http_encoding_context;
122
123struct rdp_rdg
124{
125 rdpContext* context;
126 BOOL attached;
127 BIO* frontBio;
128 rdpTls* tlsIn;
129 rdpTls* tlsOut;
130 rdpCredsspAuth* auth;
131 HttpContext* http;
132 CRITICAL_SECTION writeSection;
133
134 int state;
135 UINT16 packetRemainingCount;
136 UINT16 reserved1;
137 int timeout;
138 UINT16 extAuth;
139 UINT16 reserved2;
140 rdg_http_encoding_context transferEncoding;
141
142 SmartcardCertInfo* smartcard;
143 wLog* log;
144};
145
146enum
147{
148 RDG_CLIENT_STATE_INITIAL,
149 RDG_CLIENT_STATE_HANDSHAKE,
150 RDG_CLIENT_STATE_TUNNEL_CREATE,
151 RDG_CLIENT_STATE_TUNNEL_AUTHORIZE,
152 RDG_CLIENT_STATE_CHANNEL_CREATE,
153 RDG_CLIENT_STATE_OPENED,
154};
155
156#pragma pack(push, 1)
157
158typedef struct rdg_packet_header
159{
160 UINT16 type;
161 UINT16 reserved;
162 UINT32 packetLength;
163} RdgPacketHeader;
164
165#pragma pack(pop)
166
167typedef struct
168{
169 UINT32 code;
170 const char* name;
171} t_flag_mapping;
172
173static const t_flag_mapping tunnel_response_fields_present[] = {
174 { HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID, "HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID" },
175 { HTTP_TUNNEL_RESPONSE_FIELD_CAPS, "HTTP_TUNNEL_RESPONSE_FIELD_CAPS" },
176 { HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ, "HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ" },
177 { HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG, "HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG" }
178};
179
180static const t_flag_mapping channel_response_fields_present[] = {
181 { HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID, "HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID" },
182 { HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE, "HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE" },
183 { HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT, "HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT" }
184};
185
186static const t_flag_mapping tunnel_authorization_response_fields_present[] = {
187 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS, "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS" },
188 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT,
189 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT" },
190 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE,
191 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE" }
192};
193
194static const t_flag_mapping extended_auth[] = {
195 { HTTP_EXTENDED_AUTH_NONE, "HTTP_EXTENDED_AUTH_NONE" },
196 { HTTP_EXTENDED_AUTH_SC, "HTTP_EXTENDED_AUTH_SC" },
197 { HTTP_EXTENDED_AUTH_PAA, "HTTP_EXTENDED_AUTH_PAA" },
198 { HTTP_EXTENDED_AUTH_SSPI_NTLM, "HTTP_EXTENDED_AUTH_SSPI_NTLM" }
199};
200
201static const t_flag_mapping capabilities_enum[] = {
202 { HTTP_CAPABILITY_TYPE_QUAR_SOH, "HTTP_CAPABILITY_TYPE_QUAR_SOH" },
203 { HTTP_CAPABILITY_IDLE_TIMEOUT, "HTTP_CAPABILITY_IDLE_TIMEOUT" },
204 { HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN, "HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN" },
205 { HTTP_CAPABILITY_MESSAGING_SERVICE_MSG, "HTTP_CAPABILITY_MESSAGING_SERVICE_MSG" },
206 { HTTP_CAPABILITY_REAUTH, "HTTP_CAPABILITY_REAUTH" },
207 { HTTP_CAPABILITY_UDP_TRANSPORT, "HTTP_CAPABILITY_UDP_TRANSPORT" }
208};
209
210static const char* rdg_pkt_type_to_string(int type)
211{
212#define ENTRY(x) \
213 case x: \
214 return #x
215
216 switch (type)
217 {
218 ENTRY(PKT_TYPE_HANDSHAKE_REQUEST);
219 ENTRY(PKT_TYPE_HANDSHAKE_RESPONSE);
220 ENTRY(PKT_TYPE_EXTENDED_AUTH_MSG);
221 ENTRY(PKT_TYPE_TUNNEL_CREATE);
222 ENTRY(PKT_TYPE_TUNNEL_RESPONSE);
223 ENTRY(PKT_TYPE_TUNNEL_AUTH);
224 ENTRY(PKT_TYPE_TUNNEL_AUTH_RESPONSE);
225 ENTRY(PKT_TYPE_CHANNEL_CREATE);
226 ENTRY(PKT_TYPE_CHANNEL_RESPONSE);
227 ENTRY(PKT_TYPE_DATA);
228 ENTRY(PKT_TYPE_SERVICE_MESSAGE);
229 ENTRY(PKT_TYPE_REAUTH_MESSAGE);
230 ENTRY(PKT_TYPE_KEEPALIVE);
231 ENTRY(PKT_TYPE_CLOSE_CHANNEL);
232 ENTRY(PKT_TYPE_CLOSE_CHANNEL_RESPONSE);
233 default:
234 return "PKT_TYPE_UNKNOWN";
235 }
236#undef ENTRY
237}
238
239static const char* flags_to_string(UINT32 flags, const t_flag_mapping* map, size_t elements)
240{
241 static char buffer[1024] = WINPR_C_ARRAY_INIT;
242 char fields[12] = WINPR_C_ARRAY_INIT;
243
244 for (size_t x = 0; x < elements; x++)
245 {
246 const t_flag_mapping* cur = &map[x];
247
248 if ((cur->code & flags) != 0)
249 winpr_str_append(cur->name, buffer, sizeof(buffer), "|");
250 }
251
252 (void)sprintf_s(fields, ARRAYSIZE(fields), " [%04" PRIx32 "]", flags);
253 winpr_str_append(fields, buffer, sizeof(buffer), nullptr);
254 return buffer;
255}
256
257static const char* channel_response_fields_present_to_string(UINT16 fieldsPresent)
258{
259 return flags_to_string(fieldsPresent, channel_response_fields_present,
260 ARRAYSIZE(channel_response_fields_present));
261}
262
263static const char* tunnel_response_fields_present_to_string(UINT16 fieldsPresent)
264{
265 return flags_to_string(fieldsPresent, tunnel_response_fields_present,
266 ARRAYSIZE(tunnel_response_fields_present));
267}
268
269static const char* tunnel_authorization_response_fields_present_to_string(UINT16 fieldsPresent)
270{
271 return flags_to_string(fieldsPresent, tunnel_authorization_response_fields_present,
272 ARRAYSIZE(tunnel_authorization_response_fields_present));
273}
274
275static const char* extended_auth_to_string(UINT16 auth)
276{
277 if (auth == HTTP_EXTENDED_AUTH_NONE)
278 return "HTTP_EXTENDED_AUTH_NONE [0x0000]";
279
280 return flags_to_string(auth, extended_auth, ARRAYSIZE(extended_auth));
281}
282
283static const char* capabilities_enum_to_string(UINT32 capabilities)
284{
285 return flags_to_string(capabilities, capabilities_enum, ARRAYSIZE(capabilities_enum));
286}
287
288static BOOL rdg_read_http_unicode_string(wLog* log, wStream* s, const WCHAR** string,
289 UINT16* lengthInBytes)
290{
291 UINT16 strLenBytes = 0;
292 size_t rem = Stream_GetRemainingLength(s);
293
294 /* Read length of the string */
295 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 4))
296 {
297 WLog_Print(log, WLOG_ERROR, "Could not read stream length, only have %" PRIuz " bytes",
298 rem);
299 return FALSE;
300 }
301 Stream_Read_UINT16(s, strLenBytes);
302
303 /* Remember position of our string */
304 const WCHAR* str = Stream_ConstPointer(s);
305
306 /* seek past the string - if this fails something is wrong */
307 if (!Stream_SafeSeek(s, strLenBytes))
308 {
309 WLog_Print(log, WLOG_ERROR,
310 "Could not read stream data, only have %" PRIuz " bytes, expected %" PRIu16,
311 rem - 4, strLenBytes);
312 return FALSE;
313 }
314
315 /* return the string data (if wanted) */
316 if (string)
317 *string = str;
318 if (lengthInBytes)
319 *lengthInBytes = strLenBytes;
320
321 return TRUE;
322}
323
324static BOOL rdg_write_chunked(BIO* bio, wStream* sPacket)
325{
326 size_t len = 0;
327 int status = 0;
328 wStream* sChunk = nullptr;
329 char chunkSize[11];
330 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIXz "\r\n", Stream_Length(sPacket));
331 sChunk =
332 Stream_New(nullptr, strnlen(chunkSize, sizeof(chunkSize)) + Stream_Length(sPacket) + 2);
333
334 if (!sChunk)
335 return FALSE;
336
337 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
338 Stream_Write(sChunk, Stream_Buffer(sPacket), Stream_Length(sPacket));
339 Stream_Write(sChunk, "\r\n", 2);
340 Stream_SealLength(sChunk);
341 len = Stream_Length(sChunk);
342
343 if (len > INT_MAX)
344 {
345 Stream_Free(sChunk, TRUE);
346 return FALSE;
347 }
348
349 ERR_clear_error();
350 status = BIO_write(bio, Stream_Buffer(sChunk), (int)len);
351 Stream_Free(sChunk, TRUE);
352
353 return (status == (SSIZE_T)len);
354}
355
356static BOOL rdg_write_packet(rdpRdg* rdg, wStream* sPacket)
357{
358 if (rdg->transferEncoding.isWebsocketTransport)
359 return websocket_context_write_wstream(rdg->transferEncoding.context.websocket,
360 rdg->tlsOut->bio, sPacket, WebsocketBinaryOpcode);
361
362 return rdg_write_chunked(rdg->tlsIn->bio, sPacket);
363}
364
365static int rdg_socket_read(BIO* bio, BYTE* pBuffer, size_t size,
366 rdg_http_encoding_context* encodingContext)
367{
368 WINPR_ASSERT(encodingContext != nullptr);
369 if (size > INT32_MAX)
370 return -1;
371
372 if (encodingContext->isWebsocketTransport)
373 return websocket_context_read(encodingContext->context.websocket, bio, pBuffer, size);
374
375 switch (encodingContext->httpTransferEncoding)
376 {
377 case TransferEncodingIdentity:
378 ERR_clear_error();
379 return BIO_read(bio, pBuffer, (int)size);
380 case TransferEncodingChunked:
381 return http_chuncked_read(bio, pBuffer, size, &encodingContext->context.chunked);
382 default:
383 return -1;
384 }
385}
386
387static BOOL rdg_shall_abort(rdpRdg* rdg)
388{
389 WINPR_ASSERT(rdg);
390 return freerdp_shall_disconnect_context(rdg->context);
391}
392
393static BOOL rdg_read_all(rdpContext* context, rdpTls* tls, BYTE* buffer, size_t size,
394 rdg_http_encoding_context* transferEncoding)
395{
396 size_t readCount = 0;
397 BYTE* pBuffer = buffer;
398
399 while (readCount < size)
400 {
401 if (freerdp_shall_disconnect_context(context))
402 return FALSE;
403
404 int status = rdg_socket_read(tls->bio, pBuffer, size - readCount, transferEncoding);
405 if (status <= 0)
406 {
407 if (!BIO_should_retry(tls->bio))
408 return FALSE;
409
410 Sleep(10);
411 continue;
412 }
413
414 readCount += WINPR_ASSERTING_INT_CAST(uint32_t, status);
415 pBuffer += WINPR_ASSERTING_INT_CAST(uint32_t, status);
416 }
417
418 return TRUE;
419}
420
421static wStream* rdg_receive_packet(rdpRdg* rdg)
422{
423 const size_t header = sizeof(RdgPacketHeader);
424 size_t packetLength = 0;
425 wStream* s = Stream_New(nullptr, 1024);
426
427 if (!s)
428 return nullptr;
429
430 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s), header, &rdg->transferEncoding))
431 goto fail;
432
433 Stream_Seek(s, 4);
434 Stream_Read_UINT32(s, packetLength);
435
436 if ((packetLength > INT_MAX) || !Stream_EnsureCapacity(s, packetLength) ||
437 (packetLength < header))
438 goto fail;
439
440 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s) + header, packetLength - header,
441 &rdg->transferEncoding))
442 goto fail;
443
444 if (!Stream_SetLength(s, packetLength))
445 goto fail;
446 return s;
447
448fail:
449 Stream_Free(s, TRUE);
450 return nullptr;
451}
452
453static BOOL rdg_send_handshake(rdpRdg* rdg)
454{
455 BOOL status = FALSE;
456 wStream* s = Stream_New(nullptr, 14);
457
458 if (!s)
459 return FALSE;
460
461 Stream_Write_UINT16(s, PKT_TYPE_HANDSHAKE_REQUEST); /* Type (2 bytes) */
462 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
463 Stream_Write_UINT32(s, 14); /* PacketLength (4 bytes) */
464 Stream_Write_UINT8(s, 1); /* VersionMajor (1 byte) */
465 Stream_Write_UINT8(s, 0); /* VersionMinor (1 byte) */
466 Stream_Write_UINT16(s, 0); /* ClientVersion (2 bytes), must be 0 */
467 Stream_Write_UINT16(s, rdg->extAuth); /* ExtendedAuthentication (2 bytes) */
468 Stream_SealLength(s);
469 status = rdg_write_packet(rdg, s);
470 Stream_Free(s, TRUE);
471
472 if (status)
473 {
474 rdg->state = RDG_CLIENT_STATE_HANDSHAKE;
475 }
476
477 return status;
478}
479
480static BOOL rdg_send_extauth_sspi(rdpRdg* rdg)
481{
482 wStream* s = nullptr;
483 BOOL status = 0;
484 UINT32 packetSize = 8 + 4 + 2;
485
486 WINPR_ASSERT(rdg);
487
488 const SecBuffer* authToken = credssp_auth_get_output_buffer(rdg->auth);
489 if (!authToken)
490 return FALSE;
491 packetSize += authToken->cbBuffer;
492
493 s = Stream_New(nullptr, packetSize);
494
495 if (!s)
496 return FALSE;
497
498 Stream_Write_UINT16(s, PKT_TYPE_EXTENDED_AUTH_MSG); /* Type (2 bytes) */
499 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
500 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
501 Stream_Write_UINT32(s, ERROR_SUCCESS); /* Error code */
502 Stream_Write_UINT16(s, (UINT16)authToken->cbBuffer);
503 Stream_Write(s, authToken->pvBuffer, authToken->cbBuffer);
504
505 Stream_SealLength(s);
506 status = rdg_write_packet(rdg, s);
507 Stream_Free(s, TRUE);
508
509 return status;
510}
511
512static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
513{
514 wStream* s = nullptr;
515 BOOL status = FALSE;
516 UINT32 packetSize = 16;
517 UINT16 fieldsPresent = 0;
518 WCHAR* PAACookie = nullptr;
519 size_t PAACookieLen = 0;
520 const UINT32 capabilities = HTTP_CAPABILITY_TYPE_QUAR_SOH |
521 HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN |
522 HTTP_CAPABILITY_MESSAGING_SERVICE_MSG;
523
524 if (rdg->extAuth == HTTP_EXTENDED_AUTH_PAA)
525 {
526 PAACookie =
527 ConvertUtf8ToWCharAlloc(rdg->context->settings->GatewayAccessToken, &PAACookieLen);
528
529 if (!PAACookie || (PAACookieLen > UINT16_MAX / sizeof(WCHAR)))
530 goto fail;
531
532 PAACookieLen += 1; /* include \0 */
533 packetSize += 2 + (UINT32)(PAACookieLen) * sizeof(WCHAR);
534 fieldsPresent = HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE;
535 }
536
537 s = Stream_New(nullptr, packetSize);
538
539 if (!s)
540 goto fail;
541
542 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_CREATE); /* Type (2 bytes) */
543 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
544 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
545 Stream_Write_UINT32(s, capabilities); /* CapabilityFlags (4 bytes) */
546 Stream_Write_UINT16(s, fieldsPresent); /* FieldsPresent (2 bytes) */
547 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes), must be 0 */
548
549 if (PAACookie)
550 {
551 Stream_Write_UINT16(s, (UINT16)PAACookieLen * sizeof(WCHAR)); /* PAA cookie string length */
552 if (!Stream_Write_UTF16_String(s, PAACookie, PAACookieLen))
553 goto fail;
554 }
555
556 Stream_SealLength(s);
557 status = rdg_write_packet(rdg, s);
558
559fail:
560 Stream_Free(s, TRUE);
561 free(PAACookie);
562
563 if (status)
564 {
565 rdg->state = RDG_CLIENT_STATE_TUNNEL_CREATE;
566 }
567
568 return status;
569}
570
571static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
572{
573 wStream* s = nullptr;
574 BOOL status = FALSE;
575 WINPR_ASSERT(rdg);
576 size_t clientNameLen = 0;
577 WCHAR* clientName = freerdp_settings_get_string_as_utf16(
578 rdg->context->settings, FreeRDP_ClientHostname, &clientNameLen);
579
580 clientNameLen++; // length including terminating '\0'
581
582 const size_t packetSize = 12ull + clientNameLen * sizeof(WCHAR);
583 if (!clientName || (clientNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
584 goto fail;
585
586 s = Stream_New(nullptr, packetSize);
587
588 if (!s)
589 goto fail;
590
591 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_AUTH); /* Type (2 bytes) */
592 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
593 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
594 Stream_Write_UINT16(s, 0); /* FieldsPresent (2 bytes) */
595 Stream_Write_UINT16(s, (UINT16)clientNameLen * sizeof(WCHAR)); /* Client name string length */
596 if (!Stream_Write_UTF16_String(s, clientName, clientNameLen))
597 goto fail;
598 Stream_SealLength(s);
599 status = rdg_write_packet(rdg, s);
600
601fail:
602 Stream_Free(s, TRUE);
603 free(clientName);
604
605 if (status)
606 rdg->state = RDG_CLIENT_STATE_TUNNEL_AUTHORIZE;
607
608 return status;
609}
610
611static BOOL rdg_send_channel_create(rdpRdg* rdg)
612{
613 wStream* s = nullptr;
614 BOOL status = FALSE;
615 WCHAR* serverName = nullptr;
616 size_t serverNameLen = 0;
617
618 WINPR_ASSERT(rdg);
619 serverName = freerdp_settings_get_string_as_utf16(rdg->context->settings,
620 FreeRDP_ServerHostname, &serverNameLen);
621
622 serverNameLen++; // length including terminating '\0'
623 const size_t packetSize = 16ull + serverNameLen * sizeof(WCHAR);
624 if (!serverName || (serverNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
625 goto fail;
626
627 s = Stream_New(nullptr, packetSize);
628
629 if (!s)
630 goto fail;
631
632 Stream_Write_UINT16(s, PKT_TYPE_CHANNEL_CREATE); /* Type (2 bytes) */
633 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
634 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
635 Stream_Write_UINT8(s, 1); /* Number of resources. (1 byte) */
636 Stream_Write_UINT8(s, 0); /* Number of alternative resources (1 byte) */
637 Stream_Write_UINT16(s,
638 (UINT16)rdg->context->settings->ServerPort); /* Resource port (2 bytes) */
639 Stream_Write_UINT16(s, 3); /* Protocol number (2 bytes) */
640 Stream_Write_UINT16(s, (UINT16)serverNameLen * sizeof(WCHAR));
641 if (!Stream_Write_UTF16_String(s, serverName, serverNameLen))
642 goto fail;
643
644 Stream_SealLength(s);
645 status = rdg_write_packet(rdg, s);
646fail:
647 free(serverName);
648 Stream_Free(s, TRUE);
649
650 if (status)
651 rdg->state = RDG_CLIENT_STATE_CHANNEL_CREATE;
652
653 return status;
654}
655
656static BOOL rdg_set_auth_header(rdpCredsspAuth* auth, HttpRequest* request)
657{
658 const SecBuffer* authToken = credssp_auth_get_output_buffer(auth);
659 char* base64AuthToken = nullptr;
660
661 if (authToken)
662 {
663 if (authToken->cbBuffer > INT_MAX)
664 return FALSE;
665
666 base64AuthToken = crypto_base64_encode(authToken->pvBuffer, authToken->cbBuffer);
667 }
668
669 if (base64AuthToken)
670 {
671 BOOL rc = http_request_set_auth_scheme(request, credssp_auth_pkg_name(auth)) &&
672 http_request_set_auth_param(request, base64AuthToken);
673 free(base64AuthToken);
674
675 if (!rc)
676 return FALSE;
677 }
678
679 return TRUE;
680}
681
682static wStream* rdg_build_http_request(rdpRdg* rdg, const char* method,
683 TRANSFER_ENCODING transferEncoding)
684{
685 wStream* s = nullptr;
686 HttpRequest* request = nullptr;
687 const char* uri = nullptr;
688
689 if (!rdg || !method)
690 return nullptr;
691
692 uri = http_context_get_uri(rdg->http);
693 request = http_request_new();
694
695 if (!request)
696 return nullptr;
697
698 if (!http_request_set_method(request, method) || !http_request_set_uri(request, uri))
699 goto out;
700
701 if (rdg->auth)
702 {
703 if (!rdg_set_auth_header(rdg->auth, request))
704 goto out;
705 }
706
707 else if (rdg->extAuth == HTTP_EXTENDED_AUTH_BEARER)
708 {
709 if (!http_request_set_auth_scheme(request, "Bearer"))
710 goto out;
711 if (!http_request_set_auth_param(request, rdg->context->settings->GatewayHttpExtAuthBearer))
712 goto out;
713 }
714
715 if (!http_request_set_transfer_encoding(request, transferEncoding))
716 goto out;
717
718 s = http_request_write(rdg->http, request);
719out:
720 http_request_free(request);
721
722 if (s)
723 Stream_SealLength(s);
724
725 return s;
726}
727
728static BOOL rdg_recv_auth_token(wLog* log, rdpCredsspAuth* auth, HttpResponse* response)
729{
730 size_t len = 0;
731 size_t authTokenLength = 0;
732 BYTE* authTokenData = nullptr;
733 SecBuffer authToken = WINPR_C_ARRAY_INIT;
734 int rc = 0;
735
736 if (!auth || !response)
737 return FALSE;
738
739 const UINT16 StatusCode = http_response_get_status_code(response);
740 switch (StatusCode)
741 {
742 case HTTP_STATUS_DENIED:
743 case HTTP_STATUS_OK:
744 case HTTP_STATUS_SWITCH_PROTOCOLS:
745 break;
746 default:
747 http_response_log_error_status(log, WLOG_WARN, response);
748 return FALSE;
749 }
750
751 const char* token64 = http_response_get_auth_token(response, credssp_auth_pkg_name(auth));
752 if (!token64)
753 return FALSE;
754
755 len = strlen(token64);
756
757 crypto_base64_decode(token64, len, &authTokenData, &authTokenLength);
758
759 if (authTokenLength && authTokenData && (authTokenLength <= UINT32_MAX))
760 {
761 authToken.pvBuffer = authTokenData;
762 authToken.cbBuffer = (UINT32)authTokenLength;
763 credssp_auth_take_input_buffer(auth, &authToken);
764 }
765 else
766 free(authTokenData);
767
768 rc = credssp_auth_authenticate(auth);
769 return (rc >= 0);
770}
771
772static BOOL rdg_skip_seed_payload(rdpContext* context, rdpTls* tls, size_t lastResponseLength,
773 rdg_http_encoding_context* transferEncoding)
774{
775 BYTE seed_payload[10] = WINPR_C_ARRAY_INIT;
776 const size_t size = sizeof(seed_payload);
777
778 /* Per [MS-TSGU] 3.3.5.1 step 4, after final OK response RDG server sends
779 * random "seed" payload of limited size. In practice it's 10 bytes.
780 */
781 if (lastResponseLength < size)
782 {
783 if (!rdg_read_all(context, tls, seed_payload, size - lastResponseLength, transferEncoding))
784 {
785 return FALSE;
786 }
787 }
788
789 return TRUE;
790}
791
792static BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
793{
794 UINT32 errorCode = 0;
795 UINT16 serverVersion = 0;
796 UINT16 extendedAuth = 0;
797 BYTE verMajor = 0;
798 BYTE verMinor = 0;
799 const char* error = nullptr;
800 WLog_Print(rdg->log, WLOG_DEBUG, "Handshake response received");
801
802 if (rdg->state != RDG_CLIENT_STATE_HANDSHAKE)
803 {
804 return FALSE;
805 }
806
807 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
808 return FALSE;
809
810 Stream_Read_UINT32(s, errorCode);
811 Stream_Read_UINT8(s, verMajor);
812 Stream_Read_UINT8(s, verMinor);
813 Stream_Read_UINT16(s, serverVersion);
814 Stream_Read_UINT16(s, extendedAuth);
815 error = rpc_error_to_string(errorCode);
816 WLog_Print(rdg->log, WLOG_DEBUG,
817 "errorCode=%s, verMajor=%" PRId8 ", verMinor=%" PRId8 ", serverVersion=%" PRId16
818 ", extendedAuth=%s",
819 error, verMajor, verMinor, serverVersion, extended_auth_to_string(extendedAuth));
820
821 if (FAILED((HRESULT)errorCode))
822 {
823 WLog_Print(rdg->log, WLOG_ERROR, "Handshake error %s", error);
824 freerdp_set_last_error_log(rdg->context, errorCode);
825 return FALSE;
826 }
827
828 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
829 return rdg_send_extauth_sspi(rdg);
830
831 return rdg_send_tunnel_request(rdg);
832}
833
834static BOOL rdg_process_tunnel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
835{
836 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID)
837 {
838 /* Seek over tunnelId (4 bytes) */
839 if (!Stream_SafeSeek(s, 4))
840 {
841 WLog_Print(rdg->log, WLOG_ERROR, "Short tunnelId, got %" PRIuz ", expected 4",
842 Stream_GetRemainingLength(s));
843 return FALSE;
844 }
845 }
846
847 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CAPS)
848 {
849 UINT32 caps = 0;
850 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
851 return FALSE;
852
853 Stream_Read_UINT32(s, caps);
854 WLog_Print(rdg->log, WLOG_DEBUG, "capabilities=%s", capabilities_enum_to_string(caps));
855 }
856
857 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ)
858 {
859 /* Seek over nonce (20 bytes) */
860 if (!Stream_SafeSeek(s, 20))
861 {
862 WLog_Print(rdg->log, WLOG_ERROR, "Short nonce, got %" PRIuz ", expected 20",
863 Stream_GetRemainingLength(s));
864 return FALSE;
865 }
866
867 /* Read serverCert */
868 if (!rdg_read_http_unicode_string(rdg->log, s, nullptr, nullptr))
869 {
870 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read server certificate");
871 return FALSE;
872 }
873 }
874
875 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG)
876 {
877 const WCHAR* msg = nullptr;
878 UINT16 msgLenBytes = 0;
879 rdpContext* context = rdg->context;
880
881 WINPR_ASSERT(context);
882 WINPR_ASSERT(context->instance);
883
884 /* Read message string and invoke callback */
885 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
886 {
887 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read consent message");
888 return FALSE;
889 }
890
891 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
892 GATEWAY_MESSAGE_CONSENT, TRUE, TRUE, msgLenBytes, msg);
893 }
894
895 return TRUE;
896}
897
898static BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
899{
900 UINT16 serverVersion = 0;
901 UINT16 fieldsPresent = 0;
902 UINT32 errorCode = 0;
903 const char* error = nullptr;
904 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel response received");
905
906 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_CREATE)
907 {
908 return FALSE;
909 }
910
911 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
912 return FALSE;
913
914 Stream_Read_UINT16(s, serverVersion);
915 Stream_Read_UINT32(s, errorCode);
916 Stream_Read_UINT16(s, fieldsPresent);
917 Stream_Seek_UINT16(s); /* reserved */
918 error = rpc_error_to_string(errorCode);
919 WLog_Print(rdg->log, WLOG_DEBUG, "serverVersion=%" PRId16 ", errorCode=%s, fieldsPresent=%s",
920 serverVersion, error, tunnel_response_fields_present_to_string(fieldsPresent));
921
922 if (FAILED((HRESULT)errorCode))
923 {
924 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel creation error %s", error);
925 freerdp_set_last_error_log(rdg->context, errorCode);
926 return FALSE;
927 }
928
929 if (!rdg_process_tunnel_response_optional(rdg, s, fieldsPresent))
930 return FALSE;
931
932 return rdg_send_tunnel_authorization(rdg);
933}
934
935static BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
936{
937 UINT32 errorCode = 0;
938 UINT16 fieldsPresent = 0;
939 const char* error = nullptr;
940 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel authorization received");
941
942 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_AUTHORIZE)
943 {
944 return FALSE;
945 }
946
947 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
948 return FALSE;
949
950 Stream_Read_UINT32(s, errorCode);
951 Stream_Read_UINT16(s, fieldsPresent);
952 Stream_Seek_UINT16(s); /* reserved */
953 error = rpc_error_to_string(errorCode);
954 WLog_Print(rdg->log, WLOG_DEBUG, "errorCode=%s, fieldsPresent=%s", error,
955 tunnel_authorization_response_fields_present_to_string(fieldsPresent));
956
957 /* [MS-TSGU] 3.7.5.2.7 */
958 if (errorCode != S_OK && errorCode != E_PROXY_QUARANTINE_ACCESSDENIED)
959 {
960 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel authorization error %s", error);
961 freerdp_set_last_error_log(rdg->context, errorCode);
962 return FALSE;
963 }
964
965 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS)
966 {
967 UINT32 redirFlags = 0;
968 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
969 return FALSE;
970 Stream_Read_UINT32(s, redirFlags);
971
972 rdpContext* context = rdg->context;
973 if (!utils_apply_gateway_policy(rdg->log, context, redirFlags, "RDG"))
974 return FALSE;
975 }
976
977 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT)
978 {
979 UINT32 idleTimeout = 0;
980 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
981 return FALSE;
982 Stream_Read_UINT32(s, idleTimeout);
983 WLog_Print(rdg->log, WLOG_DEBUG, "[IDLE_TIMEOUT] idleTimeout=%" PRIu32 ": TODO: unused",
984 idleTimeout);
985 }
986
987 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE)
988 {
989 UINT16 cbLen = 0;
990 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
991 return FALSE;
992 Stream_Read_UINT16(s, cbLen);
993
994 WLog_Print(rdg->log, WLOG_DEBUG, "[SOH_RESPONSE] cbLen=%" PRIu16 ": TODO: unused", cbLen);
995 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, cbLen))
996 return FALSE;
997 Stream_Seek(s, cbLen);
998 }
999
1000 return rdg_send_channel_create(rdg);
1001}
1002
1003static BOOL rdg_process_extauth_sspi(rdpRdg* rdg, wStream* s)
1004{
1005 INT32 errorCode = 0;
1006 UINT16 authBlobLen = 0;
1007 SecBuffer authToken = WINPR_C_ARRAY_INIT;
1008 BYTE* authTokenData = nullptr;
1009
1010 WINPR_ASSERT(rdg);
1011
1012 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 6))
1013 return FALSE;
1014
1015 Stream_Read_INT32(s, errorCode);
1016 Stream_Read_UINT16(s, authBlobLen);
1017
1018 if (errorCode != ERROR_SUCCESS)
1019 {
1020 WLog_Print(rdg->log, WLOG_ERROR, "EXTAUTH_SSPI_NTLM failed with error %s [0x%08X]",
1021 GetSecurityStatusString(errorCode), WINPR_CXX_COMPAT_CAST(UINT32, errorCode));
1022 return FALSE;
1023 }
1024
1025 if (authBlobLen == 0)
1026 {
1027 if (credssp_auth_is_complete(rdg->auth))
1028 {
1029 credssp_auth_free(rdg->auth);
1030 rdg->auth = nullptr;
1031 return rdg_send_tunnel_request(rdg);
1032 }
1033 return FALSE;
1034 }
1035
1036 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, authBlobLen))
1037 return FALSE;
1038
1039 authTokenData = malloc(authBlobLen);
1040 if (authTokenData == nullptr)
1041 return FALSE;
1042 Stream_Read(s, authTokenData, authBlobLen);
1043
1044 authToken.pvBuffer = authTokenData;
1045 authToken.cbBuffer = authBlobLen;
1046
1047 credssp_auth_take_input_buffer(rdg->auth, &authToken);
1048
1049 if (credssp_auth_authenticate(rdg->auth) < 0)
1050 return FALSE;
1051
1052 if (credssp_auth_have_output_token(rdg->auth))
1053 return rdg_send_extauth_sspi(rdg);
1054
1055 return FALSE;
1056}
1057
1058static BOOL rdg_process_channel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
1059{
1060 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID) != 0)
1061 {
1062 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
1063 return FALSE;
1064 const UINT32 channelId = Stream_Get_UINT32(s);
1065 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got channelId=%" PRIu32, channelId);
1066 }
1067 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT) != 0)
1068 {
1069 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1070 return FALSE;
1071 const UINT16 udpPort = Stream_Get_UINT16(s);
1072 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got udpPort=%" PRIu32, udpPort);
1073 }
1074 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE) != 0)
1075 {
1076 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1077 return FALSE;
1078 const UINT16 blobLen = Stream_Get_UINT16(s);
1079 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, blobLen))
1080 return FALSE;
1081 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got UDP auth blob=%" PRIu32, blobLen);
1082 if (!Stream_SafeSeek(s, blobLen))
1083 return FALSE;
1084 }
1085
1086 return TRUE;
1087}
1088
1089static BOOL rdg_process_channel_response(rdpRdg* rdg, wStream* s)
1090{
1091 UINT16 fieldsPresent = 0;
1092 UINT32 errorCode = 0;
1093 const char* error = nullptr;
1094 WLog_Print(rdg->log, WLOG_DEBUG, "Channel response received");
1095
1096 if (rdg->state != RDG_CLIENT_STATE_CHANNEL_CREATE)
1097 {
1098 return FALSE;
1099 }
1100
1101 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1102 return FALSE;
1103
1104 Stream_Read_UINT32(s, errorCode);
1105 Stream_Read_UINT16(s, fieldsPresent);
1106 Stream_Seek_UINT16(s); /* reserved */
1107 error = rpc_error_to_string(errorCode);
1108 WLog_Print(rdg->log, WLOG_DEBUG, "channel response errorCode=%s, fieldsPresent=%s", error,
1109 channel_response_fields_present_to_string(fieldsPresent));
1110
1111 if (FAILED((HRESULT)errorCode))
1112 {
1113 WLog_Print(rdg->log, WLOG_ERROR, "channel response errorCode=%s, fieldsPresent=%s", error,
1114 channel_response_fields_present_to_string(fieldsPresent));
1115 freerdp_set_last_error_log(rdg->context, errorCode);
1116 return FALSE;
1117 }
1118
1119 if (!rdg_process_channel_response_optional(rdg, s, fieldsPresent))
1120 return FALSE;
1121
1122 rdg->state = RDG_CLIENT_STATE_OPENED;
1123 return TRUE;
1124}
1125
1126static BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
1127{
1128 BOOL status = TRUE;
1129 UINT16 type = 0;
1130 UINT32 packetLength = 0;
1131 Stream_ResetPosition(s);
1132
1133 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1134 return FALSE;
1135
1136 Stream_Read_UINT16(s, type);
1137 Stream_Seek_UINT16(s); /* reserved */
1138 Stream_Read_UINT32(s, packetLength);
1139
1140 if (Stream_Length(s) < packetLength)
1141 {
1142 WLog_Print(rdg->log, WLOG_ERROR, "Short packet %" PRIuz ", expected %" PRIu32,
1143 Stream_Length(s), packetLength);
1144 return FALSE;
1145 }
1146
1147 switch (type)
1148 {
1149 case PKT_TYPE_HANDSHAKE_RESPONSE:
1150 status = rdg_process_handshake_response(rdg, s);
1151 break;
1152
1153 case PKT_TYPE_TUNNEL_RESPONSE:
1154 status = rdg_process_tunnel_response(rdg, s);
1155 break;
1156
1157 case PKT_TYPE_TUNNEL_AUTH_RESPONSE:
1158 status = rdg_process_tunnel_authorization_response(rdg, s);
1159 break;
1160
1161 case PKT_TYPE_CHANNEL_RESPONSE:
1162 status = rdg_process_channel_response(rdg, s);
1163 break;
1164
1165 case PKT_TYPE_DATA:
1166 WLog_Print(rdg->log, WLOG_ERROR, "Unexpected packet type DATA");
1167 status = FALSE;
1168 break;
1169
1170 case PKT_TYPE_EXTENDED_AUTH_MSG:
1171 status = rdg_process_extauth_sspi(rdg, s);
1172 break;
1173
1174 default:
1175 WLog_Print(rdg->log, WLOG_ERROR, "PKG TYPE 0x%x not implemented", type);
1176 status = FALSE;
1177 break;
1178 }
1179
1180 if (status)
1181 {
1182 const size_t rem = Stream_GetRemainingLength(s);
1183 if (rem > 0)
1184 WLog_Print(rdg->log, WLOG_WARN, "[%s] unparsed data detected: %" PRIuz " bytes",
1185 rdg_pkt_type_to_string(type), rem);
1186 }
1187 return status;
1188}
1189
1190DWORD rdg_get_event_handles(rdpRdg* rdg, HANDLE* events, DWORD count)
1191{
1192 DWORD nCount = 0;
1193 WINPR_ASSERT(rdg != nullptr);
1194
1195 if (rdg->tlsOut && rdg->tlsOut->bio)
1196 {
1197 if (events && (nCount < count))
1198 {
1199 BIO_get_event(rdg->tlsOut->bio, &events[nCount]);
1200 nCount++;
1201 }
1202 else
1203 return 0;
1204 }
1205
1206 /* We just need the read event handle even in non-websocket mode. */
1207
1208 return nCount;
1209}
1210
1211static BOOL rdg_get_gateway_credentials(rdpContext* context, rdp_auth_reason reason)
1212{
1213 freerdp* instance = context->instance;
1214
1215 auth_status rc = utils_authenticate_gateway(instance, reason);
1216 switch (rc)
1217 {
1218 case AUTH_SUCCESS:
1219 case AUTH_SKIP:
1220 return TRUE;
1221 case AUTH_CANCELLED:
1222 freerdp_set_last_error_log(instance->context, FREERDP_ERROR_CONNECT_CANCELLED);
1223 return FALSE;
1224 case AUTH_NO_CREDENTIALS:
1225 WLog_INFO(TAG, "No credentials provided - using nullptr identity");
1226 return TRUE;
1227 case AUTH_FAILED:
1228 default:
1229 return FALSE;
1230 }
1231}
1232
1233static BOOL rdg_auth_init(rdpRdg* rdg, rdpTls* tls, TCHAR* authPkg)
1234{
1235 rdpContext* context = rdg->context;
1236 rdpSettings* settings = context->settings;
1237 SEC_WINNT_AUTH_IDENTITY identity = WINPR_C_ARRAY_INIT;
1238 int rc = 0;
1239
1240 rdg->auth = credssp_auth_new(context);
1241 if (!rdg->auth)
1242 return FALSE;
1243
1244 if (!credssp_auth_init(rdg->auth, authPkg, tls->Bindings))
1245 return FALSE;
1246
1247 BOOL doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1248 if (doSCLogon)
1249 {
1250 if (!smartcard_getCert(context, &rdg->smartcard, TRUE))
1251 return FALSE;
1252
1253 if (!rdg_get_gateway_credentials(context, AUTH_SMARTCARD_PIN))
1254 return FALSE;
1255 }
1256 else
1257 {
1258 if (!rdg_get_gateway_credentials(context, GW_AUTH_RDG))
1259 return FALSE;
1260
1261 /* Auth callback might changed logon to smartcard so check again */
1262 doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1263 if (doSCLogon && !smartcard_getCert(context, &rdg->smartcard, TRUE))
1264 return FALSE;
1265 }
1266
1267 SEC_WINNT_AUTH_IDENTITY* identityArg = &identity;
1268 if (doSCLogon)
1269 {
1270 if (!identity_set_from_smartcard_hash(&identity, settings, FreeRDP_GatewayUsername,
1271 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword,
1272 rdg->smartcard->sha1Hash,
1273 sizeof(rdg->smartcard->sha1Hash)))
1274 return FALSE;
1275 }
1276 else
1277 {
1278 if (!identity_set_from_settings(&identity, settings, FreeRDP_GatewayUsername,
1279 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword))
1280 return FALSE;
1281
1282 if (!settings->GatewayUsername)
1283 identityArg = nullptr;
1284 }
1285
1286 if (!credssp_auth_setup_client(rdg->auth, "HTTP", settings->GatewayHostname, identityArg,
1287 rdg->smartcard ? rdg->smartcard->pkinitArgs : nullptr))
1288 {
1289 sspi_FreeAuthIdentity(&identity);
1290 return FALSE;
1291 }
1292 sspi_FreeAuthIdentity(&identity);
1293
1294 credssp_auth_set_flags(rdg->auth, ISC_REQ_CONFIDENTIALITY | ISC_REQ_MUTUAL_AUTH);
1295
1296 rc = credssp_auth_authenticate(rdg->auth);
1297 return (rc >= 0);
1298}
1299
1300static BOOL rdg_send_http_request(rdpRdg* rdg, rdpTls* tls, const char* method,
1301 TRANSFER_ENCODING transferEncoding)
1302{
1303 int status = -1;
1304 wStream* s = rdg_build_http_request(rdg, method, transferEncoding);
1305
1306 if (!s)
1307 return FALSE;
1308
1309 const size_t sz = Stream_Length(s);
1310 status = freerdp_tls_write_all(tls, Stream_Buffer(s), sz);
1311
1312 Stream_Free(s, TRUE);
1313 return (status >= 0);
1314}
1315
1316static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, UINT32 timeout)
1317{
1318 long status = 0;
1319 BIO* layerBio = nullptr;
1320 BIO* bufferedBio = nullptr;
1321 rdpTransportLayer* layer = nullptr;
1322 rdpSettings* settings = rdg->context->settings;
1323 rdpTransport* transport = freerdp_get_transport(rdg->context);
1324 const char* peerHostname = settings->GatewayHostname;
1325 UINT16 peerPort = (UINT16)settings->GatewayPort;
1326 const char* proxyUsername = nullptr;
1327 const char* proxyPassword = nullptr;
1328 BOOL isProxyConnection =
1329 proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername, &proxyPassword);
1330
1331 if (settings->GatewayPort > UINT16_MAX)
1332 return FALSE;
1333
1334 layer = transport_connect_layer(transport, peerAddress ? peerAddress : peerHostname, peerPort,
1335 timeout);
1336
1337 if (!layer)
1338 {
1339 return FALSE;
1340 }
1341
1342 layerBio = BIO_new(BIO_s_transport_layer());
1343 if (!layerBio)
1344 {
1345 transport_layer_free(layer);
1346 return FALSE;
1347 }
1348 BIO_set_data(layerBio, layer);
1349
1350 bufferedBio = BIO_new(BIO_s_buffered_socket());
1351 if (!bufferedBio)
1352 {
1353 BIO_free_all(layerBio);
1354 return FALSE;
1355 }
1356
1357 bufferedBio = BIO_push(bufferedBio, layerBio);
1358 status = BIO_set_nonblock(bufferedBio, TRUE);
1359
1360 if (isProxyConnection)
1361 {
1362 if (!proxy_connect(rdg->context, bufferedBio, proxyUsername, proxyPassword,
1363 settings->GatewayHostname, (UINT16)settings->GatewayPort))
1364 {
1365 BIO_free_all(bufferedBio);
1366 return FALSE;
1367 }
1368 }
1369
1370 if (!status)
1371 {
1372 BIO_free_all(bufferedBio);
1373 return FALSE;
1374 }
1375
1376 tls->hostname = settings->GatewayHostname;
1377 tls->port = WINPR_ASSERTING_INT_CAST(int32_t, MIN(UINT16_MAX, settings->GatewayPort));
1378 tls->isGatewayTransport = TRUE;
1379 status = freerdp_tls_connect(tls, bufferedBio);
1380 if (status < 1)
1381 {
1382 rdpContext* context = rdg->context;
1383 if (status < 0)
1384 {
1385 freerdp_set_last_error_if_not(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
1386 }
1387 else
1388 {
1389 freerdp_set_last_error_if_not(context, FREERDP_ERROR_CONNECT_CANCELLED);
1390 }
1391
1392 return FALSE;
1393 }
1394 return (status >= 1);
1395}
1396
1397static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char* method,
1398 const char* peerAddress, UINT32 timeout,
1399 BOOL* rpcFallback)
1400{
1401 char buffer[64] = WINPR_C_ARRAY_INIT;
1402 HttpResponse* response = nullptr;
1403
1404 if (!rdg_tls_connect(rdg, tls, peerAddress, timeout))
1405 return FALSE;
1406
1407 WINPR_ASSERT(rpcFallback);
1408 if (rdg->context->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1409 rdg->extAuth = HTTP_EXTENDED_AUTH_BEARER;
1410 if (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1411 {
1412 if (!rdg_auth_init(rdg, tls, AUTH_PKG))
1413 return FALSE;
1414
1415 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1416 return FALSE;
1417
1418 response = http_response_recv(tls, TRUE);
1419 /* MS RD Gateway seems to just terminate the tls connection without
1420 * sending an answer if it is not happy with the http request */
1421 if (!response)
1422 {
1423 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1424 *rpcFallback = TRUE;
1425 return FALSE;
1426 }
1427
1428 (void)http_response_extract_cookies(response, rdg->http);
1429
1430 const UINT16 StatusCode = http_response_get_status_code(response);
1431 switch (StatusCode)
1432 {
1433 case HTTP_STATUS_GONE:
1434 case HTTP_STATUS_FORBIDDEN:
1435 case HTTP_STATUS_NOT_FOUND:
1436 {
1437 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway does not support HTTP transport.");
1438 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1439 *rpcFallback = TRUE;
1440
1441 http_response_free(response);
1442 return FALSE;
1443 }
1444 case HTTP_STATUS_OK:
1445 break;
1446
1447 case HTTP_STATUS_DENIED:
1448 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1449 break;
1450
1451 default:
1452 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1453 break;
1454 }
1455
1456 while (!credssp_auth_is_complete(rdg->auth))
1457 {
1458 if (!rdg_recv_auth_token(rdg->log, rdg->auth, response))
1459 {
1460 http_response_free(response);
1461 return FALSE;
1462 }
1463
1464 if (credssp_auth_have_output_token(rdg->auth))
1465 {
1466 http_response_free(response);
1467
1468 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1469 return FALSE;
1470
1471 response = http_response_recv(tls, TRUE);
1472 if (!response)
1473 {
1474 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1475 *rpcFallback = TRUE;
1476 return FALSE;
1477 }
1478 (void)http_response_extract_cookies(response, rdg->http);
1479 }
1480 }
1481 credssp_auth_free(rdg->auth);
1482 rdg->auth = nullptr;
1483 }
1484 else
1485 {
1486 credssp_auth_free(rdg->auth);
1487 rdg->auth = nullptr;
1488
1489 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1490 return FALSE;
1491
1492 response = http_response_recv(tls, TRUE);
1493
1494 if (!response)
1495 {
1496 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1497 *rpcFallback = TRUE;
1498 return FALSE;
1499 }
1500 (void)http_response_extract_cookies(response, rdg->http);
1501 }
1502
1503 const UINT16 statusCode = http_response_get_status_code(response);
1504 const size_t bodyLength = http_response_get_body_length(response);
1505 const TRANSFER_ENCODING encoding = http_response_get_transfer_encoding(response);
1506 const BOOL isWebsocket = http_response_is_websocket(rdg->http, response);
1507
1508 WLog_Print(rdg->log, WLOG_DEBUG, "%s authorization result: %s", method,
1509 freerdp_http_status_string_format(statusCode, buffer, ARRAYSIZE(buffer)));
1510
1511 switch (statusCode)
1512 {
1513 case HTTP_STATUS_OK:
1514 /* old rdg endpoint without websocket support, don't request websocket for RDG_IN_DATA
1515 */
1516 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1517 http_response_free(response);
1518 break;
1519 case HTTP_STATUS_DENIED:
1520 freerdp_set_last_error_log(rdg->context, FREERDP_ERROR_CONNECT_ACCESS_DENIED);
1521 http_response_free(response);
1522 return FALSE;
1523 case HTTP_STATUS_SWITCH_PROTOCOLS:
1524 http_response_free(response);
1525 if (!isWebsocket)
1526 {
1527 /*
1528 * webserver is broken, a fallback may be possible here
1529 * but only if already tested with oppurtonistic upgrade
1530 */
1531 if (http_context_is_websocket_upgrade_enabled(rdg->http))
1532 {
1533 long fd = BIO_get_fd(tls->bio, nullptr);
1534 if (fd >= 0)
1535 closesocket((SOCKET)fd);
1536 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1537 return rdg_establish_data_connection(rdg, tls, method, peerAddress, timeout,
1538 rpcFallback);
1539 }
1540 return FALSE;
1541 }
1542
1543 rdg->transferEncoding.isWebsocketTransport = TRUE;
1544 if (!websocket_context_reset(rdg->transferEncoding.context.websocket))
1545 return FALSE;
1546
1547 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1548 {
1549 /* create a new auth context for SSPI_NTLM. This must be done after the last
1550 * rdg_send_http_request */
1551 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1552 return FALSE;
1553 }
1554 return TRUE;
1555 default:
1556 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1557 http_response_free(response);
1558 return FALSE;
1559 }
1560
1561 if (strcmp(method, "RDG_OUT_DATA") == 0)
1562 {
1563 if (encoding == TransferEncodingChunked)
1564 {
1565 rdg->transferEncoding.httpTransferEncoding = TransferEncodingChunked;
1566 rdg->transferEncoding.context.chunked.nextOffset = 0;
1567 rdg->transferEncoding.context.chunked.headerFooterPos = 0;
1568 rdg->transferEncoding.context.chunked.state = ChunkStateLenghHeader;
1569 }
1570 if (!rdg_skip_seed_payload(rdg->context, tls, bodyLength, &rdg->transferEncoding))
1571 {
1572 return FALSE;
1573 }
1574 }
1575 else
1576 {
1577 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingChunked))
1578 return FALSE;
1579
1580 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1581 {
1582 /* create a new auth context for SSPI_NTLM. This must be done after the last
1583 * rdg_send_http_request (RDG_IN_DATA is always after RDG_OUT_DATA) */
1584 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1585 return FALSE;
1586 }
1587 }
1588
1589 return TRUE;
1590}
1591
1592static BOOL rdg_tunnel_connect(rdpRdg* rdg)
1593{
1594 BOOL status = 0;
1595 wStream* s = nullptr;
1596 rdg_send_handshake(rdg);
1597
1598 while (rdg->state < RDG_CLIENT_STATE_OPENED)
1599 {
1600 status = FALSE;
1601 s = rdg_receive_packet(rdg);
1602
1603 if (s)
1604 {
1605 status = rdg_process_packet(rdg, s);
1606 Stream_Free(s, TRUE);
1607 }
1608
1609 if (!status)
1610 {
1611 WINPR_ASSERT(rdg);
1612 WINPR_ASSERT(rdg->context);
1613 WINPR_ASSERT(rdg->context->rdp);
1614 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1615 return FALSE;
1616 }
1617 }
1618
1619 return TRUE;
1620}
1621
1622BOOL rdg_connect(rdpRdg* rdg, DWORD timeout, BOOL* rpcFallback)
1623{
1624 BOOL status = 0;
1625 SOCKET outConnSocket = 0;
1626 char* peerAddress = nullptr;
1627 BOOL rpcFallbackLocal = FALSE;
1628
1629 WINPR_ASSERT(rdg != nullptr);
1630 freerdp_set_last_error(rdg->context, ERROR_SUCCESS);
1631 status = rdg_establish_data_connection(rdg, rdg->tlsOut, "RDG_OUT_DATA", nullptr, timeout,
1632 &rpcFallbackLocal);
1633
1634 if (status)
1635 {
1636 if (rdg->transferEncoding.isWebsocketTransport)
1637 {
1638 WLog_Print(rdg->log, WLOG_DEBUG, "Upgraded to websocket. RDG_IN_DATA not required");
1639 }
1640 else
1641 {
1642 /* Establish IN connection with the same peer/server as OUT connection,
1643 * even when server hostname resolves to different IP addresses.
1644 */
1645 BIO_get_socket(rdg->tlsOut->underlying, &outConnSocket);
1646 peerAddress = freerdp_tcp_get_peer_address(outConnSocket);
1647 status = rdg_establish_data_connection(rdg, rdg->tlsIn, "RDG_IN_DATA", peerAddress,
1648 timeout, &rpcFallbackLocal);
1649 free(peerAddress);
1650 }
1651 }
1652
1653 if (rpcFallback)
1654 *rpcFallback = rpcFallbackLocal;
1655
1656 if (!status)
1657 {
1658 WINPR_ASSERT(rdg);
1659 WINPR_ASSERT(rdg->context);
1660 WINPR_ASSERT(rdg->context->rdp);
1661 if (rpcFallbackLocal)
1662 {
1663 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1664 credssp_auth_free(rdg->auth);
1665 rdg->auth = nullptr;
1666 }
1667
1668 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1669 return FALSE;
1670 }
1671
1672 status = rdg_tunnel_connect(rdg);
1673
1674 return (status);
1675}
1676
1677static int rdg_write_websocket_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1678{
1679 WINPR_ASSERT(rdg);
1680 if (isize < 0)
1681 return -1;
1682
1683 const size_t payloadSize = (size_t)isize + 10;
1684 union
1685 {
1686 UINT32 u32;
1687 UINT8 u8[4];
1688 } maskingKey;
1689
1690 wStream* sWS =
1691 websocket_context_packet_new(payloadSize, WebsocketBinaryOpcode, &maskingKey.u32);
1692 if (!sWS)
1693 return -1;
1694
1695 Stream_Write_UINT16(
1696 sWS, WINPR_ASSERTING_INT_CAST(
1697 uint16_t, PKT_TYPE_DATA ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Type */
1698 Stream_Write_UINT16(
1699 sWS, WINPR_ASSERTING_INT_CAST(
1700 uint16_t, 0 ^ (maskingKey.u8[2] | maskingKey.u8[3] << 8))); /* Reserved */
1701 Stream_Write_UINT32(
1702 sWS, WINPR_ASSERTING_INT_CAST(uint32_t, payloadSize ^ maskingKey.u32)); /* Packet length */
1703 Stream_Write_UINT16(
1704 sWS, WINPR_ASSERTING_INT_CAST(
1705 uint16_t, isize ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Data size */
1706
1707 /* masking key is now off by 2 bytes. fix that */
1708 maskingKey.u32 = (maskingKey.u32 & 0xffff) << 16 | (maskingKey.u32 >> 16);
1709
1710 WINPR_ASSERT(rdg->tlsOut);
1711 wStream sPacket = WINPR_C_ARRAY_INIT;
1712 Stream_StaticConstInit(&sPacket, buf, (size_t)isize);
1713 if (!websocket_context_mask_and_send(rdg->tlsOut->bio, sWS, &sPacket, maskingKey.u32))
1714 return -1;
1715
1716 return isize;
1717}
1718
1719static int rdg_write_chunked_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1720{
1721 int status = 0;
1722 size_t len = 0;
1723 wStream* sChunk = nullptr;
1724
1725 if (isize > UINT16_MAX)
1726 return -1;
1727
1728 const size_t size = (size_t)isize;
1729 if (size < 1)
1730 return 0;
1731
1732 const size_t packetSize = size + 10;
1733 char chunkSize[11] = WINPR_C_ARRAY_INIT;
1734 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIxz "\r\n", packetSize);
1735 sChunk = Stream_New(nullptr, strnlen(chunkSize, sizeof(chunkSize)) + packetSize + 2);
1736
1737 if (!sChunk)
1738 return -1;
1739
1740 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
1741 Stream_Write_UINT16(sChunk, PKT_TYPE_DATA); /* Type */
1742 Stream_Write_UINT16(sChunk, 0); /* Reserved */
1743 Stream_Write_UINT32(sChunk, (UINT32)packetSize); /* Packet length */
1744 Stream_Write_UINT16(sChunk, (UINT16)size); /* Data size */
1745 Stream_Write(sChunk, buf, size); /* Data */
1746 Stream_Write(sChunk, "\r\n", 2);
1747 Stream_SealLength(sChunk);
1748 len = Stream_Length(sChunk);
1749
1750 status = freerdp_tls_write_all(rdg->tlsIn, Stream_Buffer(sChunk), len);
1751 Stream_Free(sChunk, TRUE);
1752
1753 if (status < 0)
1754 return -1;
1755
1756 return (int)size;
1757}
1758
1759static int rdg_write_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1760{
1761 WINPR_ASSERT(rdg);
1762 if (rdg->transferEncoding.isWebsocketTransport)
1763 return rdg_write_websocket_data_packet(rdg, buf, isize);
1764 else
1765 return rdg_write_chunked_data_packet(rdg, buf, isize);
1766}
1767
1768static BOOL rdg_process_close_packet(rdpRdg* rdg, wStream* s)
1769{
1770 int status = -1;
1771 wStream* sClose = nullptr;
1772 UINT32 errorCode = 0;
1773 UINT32 packetSize = 12;
1774
1775 /* Read error code */
1776 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
1777 return FALSE;
1778 Stream_Read_UINT32(s, errorCode);
1779
1780 if (errorCode != 0)
1781 freerdp_set_last_error_log(rdg->context, errorCode);
1782
1783 sClose = Stream_New(nullptr, packetSize);
1784 if (!sClose)
1785 return FALSE;
1786
1787 Stream_Write_UINT16(sClose, PKT_TYPE_CLOSE_CHANNEL_RESPONSE); /* Type */
1788 Stream_Write_UINT16(sClose, 0); /* Reserved */
1789 Stream_Write_UINT32(sClose, packetSize); /* Packet length */
1790 Stream_Write_UINT32(sClose, 0); /* Status code */
1791 Stream_SealLength(sClose);
1792 status = rdg_write_packet(rdg, sClose);
1793 Stream_Free(sClose, TRUE);
1794
1795 return ((status >= 0));
1796}
1797
1798static BOOL rdg_process_keep_alive_packet(rdpRdg* rdg)
1799{
1800 int status = -1;
1801 wStream* sKeepAlive = nullptr;
1802 size_t packetSize = 8;
1803
1804 sKeepAlive = Stream_New(nullptr, packetSize);
1805
1806 if (!sKeepAlive)
1807 return FALSE;
1808
1809 Stream_Write_UINT16(sKeepAlive, PKT_TYPE_KEEPALIVE); /* Type */
1810 Stream_Write_UINT16(sKeepAlive, 0); /* Reserved */
1811 Stream_Write_UINT32(sKeepAlive, (UINT32)packetSize); /* Packet length */
1812 Stream_SealLength(sKeepAlive);
1813 status = rdg_write_packet(rdg, sKeepAlive);
1814 Stream_Free(sKeepAlive, TRUE);
1815
1816 return ((status >= 0));
1817}
1818
1819static BOOL rdg_process_service_message(rdpRdg* rdg, wStream* s)
1820{
1821 const WCHAR* msg = nullptr;
1822 UINT16 msgLenBytes = 0;
1823 rdpContext* context = rdg->context;
1824 WINPR_ASSERT(context);
1825 WINPR_ASSERT(context->instance);
1826
1827 /* Read message string */
1828 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
1829 {
1830 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read string");
1831 return FALSE;
1832 }
1833
1834 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
1835 GATEWAY_MESSAGE_SERVICE, TRUE, FALSE, msgLenBytes, msg);
1836}
1837
1838static BOOL rdg_process_unknown_packet(rdpRdg* rdg, int type)
1839{
1840 WINPR_UNUSED(rdg);
1841 WINPR_UNUSED(type);
1842 WLog_Print(rdg->log, WLOG_WARN, "Unknown Control Packet received: %" PRIX32,
1843 WINPR_CXX_COMPAT_CAST(UINT32, type));
1844 return TRUE;
1845}
1846
1847static BOOL rdg_process_control_packet(rdpRdg* rdg, int type, size_t packetLength)
1848{
1849 wStream* s = nullptr;
1850 size_t readCount = 0;
1851 int status = 0;
1852 size_t payloadSize = packetLength - sizeof(RdgPacketHeader);
1853
1854 if (packetLength < sizeof(RdgPacketHeader))
1855 return FALSE;
1856
1857 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1858 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1859
1860 if (payloadSize)
1861 {
1862 s = Stream_New(nullptr, payloadSize);
1863
1864 if (!s)
1865 return FALSE;
1866
1867 while (readCount < payloadSize)
1868 {
1869 if (rdg_shall_abort(rdg))
1870 {
1871 Stream_Free(s, TRUE);
1872 return FALSE;
1873 }
1874 status = rdg_socket_read(rdg->tlsOut->bio, Stream_Pointer(s), payloadSize - readCount,
1875 &rdg->transferEncoding);
1876
1877 if (status <= 0)
1878 {
1879 if (!BIO_should_retry(rdg->tlsOut->bio))
1880 {
1881 Stream_Free(s, TRUE);
1882 return FALSE;
1883 }
1884
1885 continue;
1886 }
1887
1888 Stream_Seek(s, (size_t)status);
1889 readCount += (size_t)status;
1890
1891 if (readCount > INT_MAX)
1892 {
1893 Stream_Free(s, TRUE);
1894 return FALSE;
1895 }
1896 }
1897
1898 Stream_ResetPosition(s);
1899 }
1900
1901 switch (type)
1902 {
1903 case PKT_TYPE_CLOSE_CHANNEL:
1904 EnterCriticalSection(&rdg->writeSection);
1905 status = rdg_process_close_packet(rdg, s);
1906 LeaveCriticalSection(&rdg->writeSection);
1907 break;
1908
1909 case PKT_TYPE_KEEPALIVE:
1910 EnterCriticalSection(&rdg->writeSection);
1911 status = rdg_process_keep_alive_packet(rdg);
1912 LeaveCriticalSection(&rdg->writeSection);
1913 break;
1914
1915 case PKT_TYPE_SERVICE_MESSAGE:
1916 if (!s)
1917 {
1918 WLog_Print(rdg->log, WLOG_ERROR,
1919 "PKT_TYPE_SERVICE_MESSAGE requires payload but none was sent");
1920 return FALSE;
1921 }
1922 status = rdg_process_service_message(rdg, s);
1923 break;
1924
1925 case PKT_TYPE_REAUTH_MESSAGE:
1926 default:
1927 status = rdg_process_unknown_packet(rdg, type);
1928 break;
1929 }
1930
1931 Stream_Free(s, TRUE);
1932 return status;
1933}
1934
1935static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, size_t size)
1936{
1937 RdgPacketHeader header = WINPR_C_ARRAY_INIT;
1938 size_t readCount = 0;
1939 size_t readSize = 0;
1940 int status = 0;
1941
1942 if (!rdg->packetRemainingCount)
1943 {
1944 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1945 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1946
1947 while (readCount < sizeof(RdgPacketHeader))
1948 {
1949 if (rdg_shall_abort(rdg))
1950 return -1;
1951
1952 status = rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&header) + readCount,
1953 sizeof(RdgPacketHeader) - readCount, &rdg->transferEncoding);
1954
1955 if (status <= 0)
1956 {
1957 if (!BIO_should_retry(rdg->tlsOut->bio))
1958 return -1;
1959
1960 if (!readCount)
1961 return 0;
1962
1963 BIO_wait_read(rdg->tlsOut->bio, 50);
1964 continue;
1965 }
1966
1967 readCount += (size_t)status;
1968
1969 if (readCount > INT_MAX)
1970 return -1;
1971 }
1972
1973 if (header.type != PKT_TYPE_DATA)
1974 {
1975 status = rdg_process_control_packet(rdg, header.type, header.packetLength);
1976
1977 if (!status)
1978 return -1;
1979
1980 return 0;
1981 }
1982
1983 readCount = 0;
1984
1985 while (readCount < 2)
1986 {
1987 if (rdg_shall_abort(rdg))
1988 return -1;
1989 status =
1990 rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&rdg->packetRemainingCount) + readCount,
1991 2 - readCount, &rdg->transferEncoding);
1992
1993 if (status < 0)
1994 {
1995 if (!BIO_should_retry(rdg->tlsOut->bio))
1996 return -1;
1997
1998 BIO_wait_read(rdg->tlsOut->bio, 50);
1999 continue;
2000 }
2001
2002 readCount += (size_t)status;
2003 }
2004 }
2005
2006 readSize = (rdg->packetRemainingCount < size) ? rdg->packetRemainingCount : size;
2007 status = rdg_socket_read(rdg->tlsOut->bio, buffer, readSize, &rdg->transferEncoding);
2008
2009 if (status <= 0)
2010 {
2011 if (!BIO_should_retry(rdg->tlsOut->bio))
2012 {
2013 return -1;
2014 }
2015
2016 return 0;
2017 }
2018
2019 rdg->packetRemainingCount -= status;
2020 return status;
2021}
2022
2023static int rdg_bio_write(BIO* bio, const char* buf, int num)
2024{
2025 int status = 0;
2026 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
2027 if (num < 0)
2028 return num;
2029
2030 BIO_clear_flags(bio, BIO_FLAGS_WRITE);
2031 EnterCriticalSection(&rdg->writeSection);
2032 status = rdg_write_data_packet(rdg, (const BYTE*)buf, num);
2033 LeaveCriticalSection(&rdg->writeSection);
2034
2035 if (status < 0)
2036 {
2037 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2038 return -1;
2039 }
2040 else if (status < num)
2041 {
2042 BIO_set_flags(bio, BIO_FLAGS_WRITE);
2043 WSASetLastError(WSAEWOULDBLOCK);
2044 }
2045 else
2046 {
2047 BIO_set_flags(bio, BIO_FLAGS_WRITE);
2048 }
2049
2050 return status;
2051}
2052
2053static int rdg_bio_read(BIO* bio, char* buf, int size)
2054{
2055 int status = 0;
2056 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
2057 if (size < 0)
2058 return size;
2059 status = rdg_read_data_packet(rdg, (BYTE*)buf, (size_t)size);
2060
2061 if (status < 0)
2062 {
2063 BIO_clear_retry_flags(bio);
2064 return -1;
2065 }
2066 else if (status == 0)
2067 {
2068 BIO_set_retry_read(bio);
2069 WSASetLastError(WSAEWOULDBLOCK);
2070 return -1;
2071 }
2072 else
2073 {
2074 BIO_set_flags(bio, BIO_FLAGS_READ);
2075 }
2076
2077 return status;
2078}
2079
2080static int rdg_bio_puts(BIO* bio, const char* str)
2081{
2082 WINPR_UNUSED(bio);
2083 WINPR_UNUSED(str);
2084 return -2;
2085}
2086
2087// NOLINTNEXTLINE(readability-non-const-parameter)
2088static int rdg_bio_gets(BIO* bio, char* str, int size)
2089{
2090 WINPR_UNUSED(bio);
2091 WINPR_UNUSED(str);
2092 WINPR_UNUSED(size);
2093 return -2;
2094}
2095
2096static long rdg_bio_ctrl(BIO* in_bio, int cmd, long arg1, void* arg2)
2097{
2098 long status = -1;
2099 rdpRdg* rdg = (rdpRdg*)BIO_get_data(in_bio);
2100 rdpTls* tlsOut = rdg->tlsOut;
2101 rdpTls* tlsIn = rdg->tlsIn;
2102
2103 if (cmd == BIO_CTRL_FLUSH)
2104 {
2105 (void)BIO_flush(tlsOut->bio);
2106 if (!rdg->transferEncoding.isWebsocketTransport)
2107 (void)BIO_flush(tlsIn->bio);
2108 status = 1;
2109 }
2110 else if (cmd == BIO_C_SET_NONBLOCK)
2111 {
2112 status = 1;
2113 }
2114 else if (cmd == BIO_C_READ_BLOCKED)
2115 {
2116 BIO* cbio = tlsOut->bio;
2117 status = BIO_read_blocked(cbio);
2118 }
2119 else if (cmd == BIO_C_WRITE_BLOCKED)
2120 {
2121 BIO* cbio = tlsIn->bio;
2122
2123 if (rdg->transferEncoding.isWebsocketTransport)
2124 cbio = tlsOut->bio;
2125
2126 status = BIO_write_blocked(cbio);
2127 }
2128 else if (cmd == BIO_C_WAIT_READ)
2129 {
2130 int timeout = (int)arg1;
2131 BIO* cbio = tlsOut->bio;
2132
2133 if (BIO_read_blocked(cbio))
2134 return BIO_wait_read(cbio, timeout);
2135 else if (BIO_write_blocked(cbio))
2136 return BIO_wait_write(cbio, timeout);
2137 else
2138 status = 1;
2139 }
2140 else if (cmd == BIO_C_WAIT_WRITE)
2141 {
2142 int timeout = (int)arg1;
2143 BIO* cbio = tlsIn->bio;
2144
2145 if (rdg->transferEncoding.isWebsocketTransport)
2146 cbio = tlsOut->bio;
2147
2148 if (BIO_write_blocked(cbio))
2149 status = BIO_wait_write(cbio, timeout);
2150 else if (BIO_read_blocked(cbio))
2151 status = BIO_wait_read(cbio, timeout);
2152 else
2153 status = 1;
2154 }
2155 else if (cmd == BIO_C_GET_EVENT || cmd == BIO_C_GET_FD)
2156 {
2157 /*
2158 * A note about BIO_C_GET_FD:
2159 * Even if two FDs are part of RDG, only one FD can be returned here.
2160 *
2161 * In FreeRDP, BIO FDs are only used for polling, so it is safe to use the outgoing FD only
2162 *
2163 * See issue #3602
2164 */
2165 status = BIO_ctrl(tlsOut->bio, cmd, arg1, arg2);
2166 }
2167#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2168 else if (cmd == BIO_CTRL_GET_KTLS_SEND)
2169 {
2170 /* Even though BIO_get_ktls_send says that returning negative values is valid
2171 * openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
2172 * nasty sideeffects. return 0 as proper no KTLS offloading flag
2173 */
2174 status = 0;
2175 }
2176 else if (cmd == BIO_CTRL_GET_KTLS_RECV)
2177 {
2178 /* Even though BIO_get_ktls_recv says that returning negative values is valid
2179 * there is no reason to trust trust negative values are implemented right everywhere
2180 */
2181 status = 0;
2182 }
2183#endif
2184 return status;
2185}
2186
2187static int rdg_bio_new(BIO* bio)
2188{
2189 BIO_set_init(bio, 1);
2190 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2191 return 1;
2192}
2193
2194static int rdg_bio_free(BIO* bio)
2195{
2196 WINPR_UNUSED(bio);
2197 return 1;
2198}
2199
2200static BIO_METHOD* BIO_s_rdg(void)
2201{
2202 static BIO_METHOD* bio_methods = nullptr;
2203
2204 if (bio_methods == nullptr)
2205 {
2206 if (!(bio_methods = BIO_meth_new(BIO_TYPE_TSG, "RDGateway")))
2207 return nullptr;
2208
2209 BIO_meth_set_write(bio_methods, rdg_bio_write);
2210 BIO_meth_set_read(bio_methods, rdg_bio_read);
2211 BIO_meth_set_puts(bio_methods, rdg_bio_puts);
2212 BIO_meth_set_gets(bio_methods, rdg_bio_gets);
2213 BIO_meth_set_ctrl(bio_methods, rdg_bio_ctrl);
2214 BIO_meth_set_create(bio_methods, rdg_bio_new);
2215 BIO_meth_set_destroy(bio_methods, rdg_bio_free);
2216 }
2217
2218 return bio_methods;
2219}
2220
2221rdpRdg* rdg_new(rdpContext* context)
2222{
2223 if (!context)
2224 return nullptr;
2225
2226 rdpRdg* rdg = (rdpRdg*)calloc(1, sizeof(rdpRdg));
2227 if (!rdg)
2228 return nullptr;
2229
2230 rdg->log = WLog_Get(TAG);
2231 rdg->state = RDG_CLIENT_STATE_INITIAL;
2232 rdg->context = context;
2233 rdpSettings* settings = rdg->context->settings;
2234 rdg->extAuth = (settings->GatewayHttpExtAuthSspiNtlm ? HTTP_EXTENDED_AUTH_SSPI_NTLM
2235 : HTTP_EXTENDED_AUTH_NONE);
2236
2237 if (settings->GatewayAccessToken)
2238 rdg->extAuth = HTTP_EXTENDED_AUTH_PAA;
2239
2240 rdg->tlsOut = freerdp_tls_new(rdg->context);
2241
2242 if (!rdg->tlsOut)
2243 goto rdg_alloc_error;
2244
2245 rdg->tlsIn = freerdp_tls_new(rdg->context);
2246
2247 if (!rdg->tlsIn)
2248 goto rdg_alloc_error;
2249
2250 rdg->http = http_context_new();
2251
2252 if (!rdg->http)
2253 goto rdg_alloc_error;
2254
2255 GUID guid = WINPR_C_ARRAY_INIT;
2256 if (UuidFromStringA(settings->CorrelationId, &guid) != RPC_S_OK)
2257 goto rdg_alloc_error;
2258
2259 if (!http_context_set_uri(rdg->http, "/remoteDesktopGateway/") ||
2260 !http_context_set_accept(rdg->http, "*/*") ||
2261 !http_context_set_cache_control(rdg->http, "no-cache") ||
2262 !http_context_set_pragma(rdg->http, "no-cache") ||
2263 !http_context_set_connection(rdg->http, "Keep-Alive") ||
2264 !http_context_set_user_agent(rdg->http, "MS-RDGateway/1.0") ||
2265 !http_context_set_host(rdg->http, rdg->context->settings->GatewayHostname) ||
2266 !http_context_set_rdg_connection_id(rdg->http, &guid) ||
2267 !http_context_set_rdg_correlation_id(rdg->http, &guid) ||
2268 !http_context_enable_websocket_upgrade(
2269 rdg->http,
2270 freerdp_settings_get_bool(rdg->context->settings, FreeRDP_GatewayHttpUseWebsockets)))
2271 {
2272 goto rdg_alloc_error;
2273 }
2274
2275 if (rdg->extAuth != HTTP_EXTENDED_AUTH_NONE)
2276 {
2277 switch (rdg->extAuth)
2278 {
2279 case HTTP_EXTENDED_AUTH_PAA:
2280 if (!http_context_set_rdg_auth_scheme(rdg->http, "PAA"))
2281 goto rdg_alloc_error;
2282
2283 break;
2284
2285 case HTTP_EXTENDED_AUTH_SSPI_NTLM:
2286 if (!http_context_set_rdg_auth_scheme(rdg->http, "SSPI_NTLM"))
2287 goto rdg_alloc_error;
2288
2289 break;
2290
2291 default:
2292 WLog_Print(rdg->log, WLOG_DEBUG,
2293 "RDG extended authentication method %d not supported", rdg->extAuth);
2294 }
2295 }
2296
2297 rdg->frontBio = BIO_new(BIO_s_rdg());
2298
2299 if (!rdg->frontBio)
2300 goto rdg_alloc_error;
2301
2302 BIO_set_data(rdg->frontBio, rdg);
2303 InitializeCriticalSection(&rdg->writeSection);
2304
2305 rdg->transferEncoding.httpTransferEncoding = TransferEncodingIdentity;
2306 rdg->transferEncoding.isWebsocketTransport = FALSE;
2307
2308 rdg->transferEncoding.context.websocket = websocket_context_new();
2309 if (!rdg->transferEncoding.context.websocket)
2310 goto rdg_alloc_error;
2311
2312 return rdg;
2313rdg_alloc_error:
2314 WINPR_PRAGMA_DIAG_PUSH
2315 WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC
2316 rdg_free(rdg);
2317 WINPR_PRAGMA_DIAG_POP
2318 return nullptr;
2319}
2320
2321void rdg_free(rdpRdg* rdg)
2322{
2323 if (!rdg)
2324 return;
2325
2326 freerdp_tls_free(rdg->tlsOut);
2327 freerdp_tls_free(rdg->tlsIn);
2328 http_context_free(rdg->http);
2329 credssp_auth_free(rdg->auth);
2330
2331 if (!rdg->attached)
2332 BIO_free_all(rdg->frontBio);
2333
2334 DeleteCriticalSection(&rdg->writeSection);
2335
2336 smartcardCertInfo_Free(rdg->smartcard);
2337
2338 websocket_context_free(rdg->transferEncoding.context.websocket);
2339
2340 free(rdg);
2341}
2342
2343BIO* rdg_get_front_bio_and_take_ownership(rdpRdg* rdg)
2344{
2345 if (!rdg)
2346 return nullptr;
2347
2348 rdg->attached = TRUE;
2349 return rdg->frontBio;
2350}
freerdp_settings_get_string_as_utf16
FREERDP_API WCHAR * freerdp_settings_get_string_as_utf16(const rdpSettings *settings, FreeRDP_Settings_Keys_String id, size_t *pCharLen)
Return an allocated UTF16 string.
Definition common/settings.c:2289
freerdp_settings_get_bool
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
RTL_CRITICAL_SECTION
Definition include/winpr/synch.h:160
http_encoding_chunked_context
Definition libfreerdp/core/gateway/http.h:46