FreeRDP
Loading...
Searching...
No Matches
rdg.c
1
20#include <stdint.h>
21
22#include <freerdp/config.h>
23
24#include "../settings.h"
25
26#include <winpr/assert.h>
27#include <winpr/cast.h>
28
29#include <winpr/crt.h>
30#include <winpr/synch.h>
31#include <winpr/print.h>
32#include <winpr/stream.h>
33#include <winpr/winsock.h>
34#include <winpr/cred.h>
35
36#include <freerdp/log.h>
37#include <freerdp/error.h>
38#include <freerdp/utils/ringbuffer.h>
39#include <freerdp/utils/smartcardlogon.h>
40
41#include "rdg.h"
42#include "websocket.h"
43#include "../credssp_auth.h"
44#include "../proxy.h"
45#include "../rdp.h"
46#include "../../crypto/opensslcompat.h"
47#include "rpc_fault.h"
48#include "../utils.h"
49
50#define TAG FREERDP_TAG("core.gateway.rdg")
51
52#define AUTH_PKG NEGO_SSP_NAME
53
54/* HTTP channel response fields present flags. */
55#define HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID 0x1
56#define HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE 0x2
57#define HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT 0x4
58
59/* HTTP extended auth. */
60#define HTTP_EXTENDED_AUTH_NONE 0x0
61#define HTTP_EXTENDED_AUTH_SC 0x1 /* Smart card authentication. */
62#define HTTP_EXTENDED_AUTH_PAA 0x02 /* Pluggable authentication. */
63#define HTTP_EXTENDED_AUTH_SSPI_NTLM 0x04 /* NTLM extended authentication. */
64#define HTTP_EXTENDED_AUTH_BEARER 0x08 /* HTTP Bearer authentication. */
65
66/* HTTP packet types. */
67typedef enum
68{
69 PKT_TYPE_HANDSHAKE_REQUEST = 0x1,
70 PKT_TYPE_HANDSHAKE_RESPONSE = 0x2,
71 PKT_TYPE_EXTENDED_AUTH_MSG = 0x3,
72 PKT_TYPE_TUNNEL_CREATE = 0x4,
73 PKT_TYPE_TUNNEL_RESPONSE = 0x5,
74 PKT_TYPE_TUNNEL_AUTH = 0x6,
75 PKT_TYPE_TUNNEL_AUTH_RESPONSE = 0x7,
76 PKT_TYPE_CHANNEL_CREATE = 0x8,
77 PKT_TYPE_CHANNEL_RESPONSE = 0x9,
78 PKT_TYPE_DATA = 0xA,
79 PKT_TYPE_SERVICE_MESSAGE = 0xB,
80 PKT_TYPE_REAUTH_MESSAGE = 0xC,
81 PKT_TYPE_KEEPALIVE = 0xD,
82 PKT_TYPE_CLOSE_CHANNEL = 0x10,
83 PKT_TYPE_CLOSE_CHANNEL_RESPONSE = 0x11
84} RdgPktType;
85
86/* HTTP tunnel auth fields present flags. */
87// #define HTTP_TUNNEL_AUTH_FIELD_SOH 0x1
88
89/* HTTP tunnel auth response fields present flags. */
90#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS 0x1
91#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT 0x2
92#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE 0x4
93
94/* HTTP tunnel packet fields present flags. */
95#define HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE 0x1
96// #define HTTP_TUNNEL_PACKET_FIELD_REAUTH 0x2
97
98/* HTTP tunnel response fields present flags. */
99#define HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID 0x1
100#define HTTP_TUNNEL_RESPONSE_FIELD_CAPS 0x2
101#define HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ 0x4
102#define HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG 0x10
103
104/* HTTP capability type enumeration. */
105#define HTTP_CAPABILITY_TYPE_QUAR_SOH 0x1
106#define HTTP_CAPABILITY_IDLE_TIMEOUT 0x2
107#define HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN 0x4
108#define HTTP_CAPABILITY_MESSAGING_SERVICE_MSG 0x8
109#define HTTP_CAPABILITY_REAUTH 0x10
110#define HTTP_CAPABILITY_UDP_TRANSPORT 0x20
111
112typedef struct
113{
114 TRANSFER_ENCODING httpTransferEncoding;
115 BOOL isWebsocketTransport;
116 union context
117 {
118 http_encoding_chunked_context chunked;
119 websocket_context* websocket;
120 } context;
121} rdg_http_encoding_context;
122
123struct rdp_rdg
124{
125 rdpContext* context;
126 BOOL attached;
127 BIO* frontBio;
128 rdpTls* tlsIn;
129 rdpTls* tlsOut;
130 rdpCredsspAuth* auth;
131 HttpContext* http;
132 CRITICAL_SECTION writeSection;
133
134 UUID guid;
135
136 int state;
137 UINT16 packetRemainingCount;
138 UINT16 reserved1;
139 int timeout;
140 UINT16 extAuth;
141 UINT16 reserved2;
142 rdg_http_encoding_context transferEncoding;
143
144 SmartcardCertInfo* smartcard;
145 wLog* log;
146};
147
148enum
149{
150 RDG_CLIENT_STATE_INITIAL,
151 RDG_CLIENT_STATE_HANDSHAKE,
152 RDG_CLIENT_STATE_TUNNEL_CREATE,
153 RDG_CLIENT_STATE_TUNNEL_AUTHORIZE,
154 RDG_CLIENT_STATE_CHANNEL_CREATE,
155 RDG_CLIENT_STATE_OPENED,
156};
157
158#pragma pack(push, 1)
159
160typedef struct rdg_packet_header
161{
162 UINT16 type;
163 UINT16 reserved;
164 UINT32 packetLength;
165} RdgPacketHeader;
166
167#pragma pack(pop)
168
169typedef struct
170{
171 UINT32 code;
172 const char* name;
173} t_flag_mapping;
174
175static const t_flag_mapping tunnel_response_fields_present[] = {
176 { HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID, "HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID" },
177 { HTTP_TUNNEL_RESPONSE_FIELD_CAPS, "HTTP_TUNNEL_RESPONSE_FIELD_CAPS" },
178 { HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ, "HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ" },
179 { HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG, "HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG" }
180};
181
182static const t_flag_mapping channel_response_fields_present[] = {
183 { HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID, "HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID" },
184 { HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE, "HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE" },
185 { HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT, "HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT" }
186};
187
188static const t_flag_mapping tunnel_authorization_response_fields_present[] = {
189 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS, "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS" },
190 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT,
191 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT" },
192 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE,
193 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE" }
194};
195
196static const t_flag_mapping extended_auth[] = {
197 { HTTP_EXTENDED_AUTH_NONE, "HTTP_EXTENDED_AUTH_NONE" },
198 { HTTP_EXTENDED_AUTH_SC, "HTTP_EXTENDED_AUTH_SC" },
199 { HTTP_EXTENDED_AUTH_PAA, "HTTP_EXTENDED_AUTH_PAA" },
200 { HTTP_EXTENDED_AUTH_SSPI_NTLM, "HTTP_EXTENDED_AUTH_SSPI_NTLM" }
201};
202
203static const t_flag_mapping capabilities_enum[] = {
204 { HTTP_CAPABILITY_TYPE_QUAR_SOH, "HTTP_CAPABILITY_TYPE_QUAR_SOH" },
205 { HTTP_CAPABILITY_IDLE_TIMEOUT, "HTTP_CAPABILITY_IDLE_TIMEOUT" },
206 { HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN, "HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN" },
207 { HTTP_CAPABILITY_MESSAGING_SERVICE_MSG, "HTTP_CAPABILITY_MESSAGING_SERVICE_MSG" },
208 { HTTP_CAPABILITY_REAUTH, "HTTP_CAPABILITY_REAUTH" },
209 { HTTP_CAPABILITY_UDP_TRANSPORT, "HTTP_CAPABILITY_UDP_TRANSPORT" }
210};
211
212static const char* rdg_pkt_type_to_string(int type)
213{
214#define ENTRY(x) \
215 case x: \
216 return #x
217
218 switch (type)
219 {
220 ENTRY(PKT_TYPE_HANDSHAKE_REQUEST);
221 ENTRY(PKT_TYPE_HANDSHAKE_RESPONSE);
222 ENTRY(PKT_TYPE_EXTENDED_AUTH_MSG);
223 ENTRY(PKT_TYPE_TUNNEL_CREATE);
224 ENTRY(PKT_TYPE_TUNNEL_RESPONSE);
225 ENTRY(PKT_TYPE_TUNNEL_AUTH);
226 ENTRY(PKT_TYPE_TUNNEL_AUTH_RESPONSE);
227 ENTRY(PKT_TYPE_CHANNEL_CREATE);
228 ENTRY(PKT_TYPE_CHANNEL_RESPONSE);
229 ENTRY(PKT_TYPE_DATA);
230 ENTRY(PKT_TYPE_SERVICE_MESSAGE);
231 ENTRY(PKT_TYPE_REAUTH_MESSAGE);
232 ENTRY(PKT_TYPE_KEEPALIVE);
233 ENTRY(PKT_TYPE_CLOSE_CHANNEL);
234 ENTRY(PKT_TYPE_CLOSE_CHANNEL_RESPONSE);
235 default:
236 return "PKT_TYPE_UNKNOWN";
237 }
238#undef ENTRY
239}
240
241static const char* flags_to_string(UINT32 flags, const t_flag_mapping* map, size_t elements)
242{
243 static char buffer[1024] = WINPR_C_ARRAY_INIT;
244 char fields[12] = WINPR_C_ARRAY_INIT;
245
246 for (size_t x = 0; x < elements; x++)
247 {
248 const t_flag_mapping* cur = &map[x];
249
250 if ((cur->code & flags) != 0)
251 winpr_str_append(cur->name, buffer, sizeof(buffer), "|");
252 }
253
254 (void)sprintf_s(fields, ARRAYSIZE(fields), " [%04" PRIx32 "]", flags);
255 winpr_str_append(fields, buffer, sizeof(buffer), nullptr);
256 return buffer;
257}
258
259static const char* channel_response_fields_present_to_string(UINT16 fieldsPresent)
260{
261 return flags_to_string(fieldsPresent, channel_response_fields_present,
262 ARRAYSIZE(channel_response_fields_present));
263}
264
265static const char* tunnel_response_fields_present_to_string(UINT16 fieldsPresent)
266{
267 return flags_to_string(fieldsPresent, tunnel_response_fields_present,
268 ARRAYSIZE(tunnel_response_fields_present));
269}
270
271static const char* tunnel_authorization_response_fields_present_to_string(UINT16 fieldsPresent)
272{
273 return flags_to_string(fieldsPresent, tunnel_authorization_response_fields_present,
274 ARRAYSIZE(tunnel_authorization_response_fields_present));
275}
276
277static const char* extended_auth_to_string(UINT16 auth)
278{
279 if (auth == HTTP_EXTENDED_AUTH_NONE)
280 return "HTTP_EXTENDED_AUTH_NONE [0x0000]";
281
282 return flags_to_string(auth, extended_auth, ARRAYSIZE(extended_auth));
283}
284
285static const char* capabilities_enum_to_string(UINT32 capabilities)
286{
287 return flags_to_string(capabilities, capabilities_enum, ARRAYSIZE(capabilities_enum));
288}
289
290static BOOL rdg_read_http_unicode_string(wLog* log, wStream* s, const WCHAR** string,
291 UINT16* lengthInBytes)
292{
293 UINT16 strLenBytes = 0;
294 size_t rem = Stream_GetRemainingLength(s);
295
296 /* Read length of the string */
297 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 4))
298 {
299 WLog_Print(log, WLOG_ERROR, "Could not read stream length, only have %" PRIuz " bytes",
300 rem);
301 return FALSE;
302 }
303 Stream_Read_UINT16(s, strLenBytes);
304
305 /* Remember position of our string */
306 const WCHAR* str = Stream_ConstPointer(s);
307
308 /* seek past the string - if this fails something is wrong */
309 if (!Stream_SafeSeek(s, strLenBytes))
310 {
311 WLog_Print(log, WLOG_ERROR,
312 "Could not read stream data, only have %" PRIuz " bytes, expected %" PRIu16,
313 rem - 4, strLenBytes);
314 return FALSE;
315 }
316
317 /* return the string data (if wanted) */
318 if (string)
319 *string = str;
320 if (lengthInBytes)
321 *lengthInBytes = strLenBytes;
322
323 return TRUE;
324}
325
326static BOOL rdg_write_chunked(BIO* bio, wStream* sPacket)
327{
328 size_t len = 0;
329 int status = 0;
330 wStream* sChunk = nullptr;
331 char chunkSize[11];
332 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIXz "\r\n", Stream_Length(sPacket));
333 sChunk =
334 Stream_New(nullptr, strnlen(chunkSize, sizeof(chunkSize)) + Stream_Length(sPacket) + 2);
335
336 if (!sChunk)
337 return FALSE;
338
339 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
340 Stream_Write(sChunk, Stream_Buffer(sPacket), Stream_Length(sPacket));
341 Stream_Write(sChunk, "\r\n", 2);
342 Stream_SealLength(sChunk);
343 len = Stream_Length(sChunk);
344
345 if (len > INT_MAX)
346 {
347 Stream_Free(sChunk, TRUE);
348 return FALSE;
349 }
350
351 ERR_clear_error();
352 status = BIO_write(bio, Stream_Buffer(sChunk), (int)len);
353 Stream_Free(sChunk, TRUE);
354
355 return (status == (SSIZE_T)len);
356}
357
358static BOOL rdg_write_packet(rdpRdg* rdg, wStream* sPacket)
359{
360 if (rdg->transferEncoding.isWebsocketTransport)
361 return websocket_context_write_wstream(rdg->transferEncoding.context.websocket,
362 rdg->tlsOut->bio, sPacket, WebsocketBinaryOpcode);
363
364 return rdg_write_chunked(rdg->tlsIn->bio, sPacket);
365}
366
367static int rdg_socket_read(BIO* bio, BYTE* pBuffer, size_t size,
368 rdg_http_encoding_context* encodingContext)
369{
370 WINPR_ASSERT(encodingContext != nullptr);
371 if (size > INT32_MAX)
372 return -1;
373
374 if (encodingContext->isWebsocketTransport)
375 return websocket_context_read(encodingContext->context.websocket, bio, pBuffer, size);
376
377 switch (encodingContext->httpTransferEncoding)
378 {
379 case TransferEncodingIdentity:
380 ERR_clear_error();
381 return BIO_read(bio, pBuffer, (int)size);
382 case TransferEncodingChunked:
383 return http_chuncked_read(bio, pBuffer, size, &encodingContext->context.chunked);
384 default:
385 return -1;
386 }
387}
388
389static BOOL rdg_shall_abort(rdpRdg* rdg)
390{
391 WINPR_ASSERT(rdg);
392 return freerdp_shall_disconnect_context(rdg->context);
393}
394
395static BOOL rdg_read_all(rdpContext* context, rdpTls* tls, BYTE* buffer, size_t size,
396 rdg_http_encoding_context* transferEncoding)
397{
398 size_t readCount = 0;
399 BYTE* pBuffer = buffer;
400
401 while (readCount < size)
402 {
403 if (freerdp_shall_disconnect_context(context))
404 return FALSE;
405
406 int status = rdg_socket_read(tls->bio, pBuffer, size - readCount, transferEncoding);
407 if (status <= 0)
408 {
409 if (!BIO_should_retry(tls->bio))
410 return FALSE;
411
412 Sleep(10);
413 continue;
414 }
415
416 readCount += WINPR_ASSERTING_INT_CAST(uint32_t, status);
417 pBuffer += WINPR_ASSERTING_INT_CAST(uint32_t, status);
418 }
419
420 return TRUE;
421}
422
423static wStream* rdg_receive_packet(rdpRdg* rdg)
424{
425 const size_t header = sizeof(RdgPacketHeader);
426 size_t packetLength = 0;
427 wStream* s = Stream_New(nullptr, 1024);
428
429 if (!s)
430 return nullptr;
431
432 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s), header, &rdg->transferEncoding))
433 {
434 Stream_Free(s, TRUE);
435 return nullptr;
436 }
437
438 Stream_Seek(s, 4);
439 Stream_Read_UINT32(s, packetLength);
440
441 if ((packetLength > INT_MAX) || !Stream_EnsureCapacity(s, packetLength) ||
442 (packetLength < header))
443 {
444 Stream_Free(s, TRUE);
445 return nullptr;
446 }
447
448 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s) + header, packetLength - header,
449 &rdg->transferEncoding))
450 {
451 Stream_Free(s, TRUE);
452 return nullptr;
453 }
454
455 Stream_SetLength(s, packetLength);
456 return s;
457}
458
459static BOOL rdg_send_handshake(rdpRdg* rdg)
460{
461 BOOL status = FALSE;
462 wStream* s = Stream_New(nullptr, 14);
463
464 if (!s)
465 return FALSE;
466
467 Stream_Write_UINT16(s, PKT_TYPE_HANDSHAKE_REQUEST); /* Type (2 bytes) */
468 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
469 Stream_Write_UINT32(s, 14); /* PacketLength (4 bytes) */
470 Stream_Write_UINT8(s, 1); /* VersionMajor (1 byte) */
471 Stream_Write_UINT8(s, 0); /* VersionMinor (1 byte) */
472 Stream_Write_UINT16(s, 0); /* ClientVersion (2 bytes), must be 0 */
473 Stream_Write_UINT16(s, rdg->extAuth); /* ExtendedAuthentication (2 bytes) */
474 Stream_SealLength(s);
475 status = rdg_write_packet(rdg, s);
476 Stream_Free(s, TRUE);
477
478 if (status)
479 {
480 rdg->state = RDG_CLIENT_STATE_HANDSHAKE;
481 }
482
483 return status;
484}
485
486static BOOL rdg_send_extauth_sspi(rdpRdg* rdg)
487{
488 wStream* s = nullptr;
489 BOOL status = 0;
490 UINT32 packetSize = 8 + 4 + 2;
491
492 WINPR_ASSERT(rdg);
493
494 const SecBuffer* authToken = credssp_auth_get_output_buffer(rdg->auth);
495 if (!authToken)
496 return FALSE;
497 packetSize += authToken->cbBuffer;
498
499 s = Stream_New(nullptr, packetSize);
500
501 if (!s)
502 return FALSE;
503
504 Stream_Write_UINT16(s, PKT_TYPE_EXTENDED_AUTH_MSG); /* Type (2 bytes) */
505 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
506 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
507 Stream_Write_UINT32(s, ERROR_SUCCESS); /* Error code */
508 Stream_Write_UINT16(s, (UINT16)authToken->cbBuffer);
509 Stream_Write(s, authToken->pvBuffer, authToken->cbBuffer);
510
511 Stream_SealLength(s);
512 status = rdg_write_packet(rdg, s);
513 Stream_Free(s, TRUE);
514
515 return status;
516}
517
518static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
519{
520 wStream* s = nullptr;
521 BOOL status = 0;
522 UINT32 packetSize = 16;
523 UINT16 fieldsPresent = 0;
524 WCHAR* PAACookie = nullptr;
525 size_t PAACookieLen = 0;
526 const UINT32 capabilities = HTTP_CAPABILITY_TYPE_QUAR_SOH |
527 HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN |
528 HTTP_CAPABILITY_MESSAGING_SERVICE_MSG;
529
530 if (rdg->extAuth == HTTP_EXTENDED_AUTH_PAA)
531 {
532 PAACookie =
533 ConvertUtf8ToWCharAlloc(rdg->context->settings->GatewayAccessToken, &PAACookieLen);
534
535 if (!PAACookie || (PAACookieLen > UINT16_MAX / sizeof(WCHAR)))
536 {
537 free(PAACookie);
538 return FALSE;
539 }
540
541 PAACookieLen += 1; /* include \0 */
542 packetSize += 2 + (UINT32)(PAACookieLen) * sizeof(WCHAR);
543 fieldsPresent = HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE;
544 }
545
546 s = Stream_New(nullptr, packetSize);
547
548 if (!s)
549 {
550 free(PAACookie);
551 return FALSE;
552 }
553
554 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_CREATE); /* Type (2 bytes) */
555 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
556 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
557 Stream_Write_UINT32(s, capabilities); /* CapabilityFlags (4 bytes) */
558 Stream_Write_UINT16(s, fieldsPresent); /* FieldsPresent (2 bytes) */
559 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes), must be 0 */
560
561 if (PAACookie)
562 {
563 Stream_Write_UINT16(s, (UINT16)PAACookieLen * sizeof(WCHAR)); /* PAA cookie string length */
564 Stream_Write_UTF16_String(s, PAACookie, PAACookieLen);
565 }
566
567 Stream_SealLength(s);
568 status = rdg_write_packet(rdg, s);
569 Stream_Free(s, TRUE);
570 free(PAACookie);
571
572 if (status)
573 {
574 rdg->state = RDG_CLIENT_STATE_TUNNEL_CREATE;
575 }
576
577 return status;
578}
579
580static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
581{
582 wStream* s = nullptr;
583 BOOL status = 0;
584 WINPR_ASSERT(rdg);
585 size_t clientNameLen = 0;
586 WCHAR* clientName = freerdp_settings_get_string_as_utf16(
587 rdg->context->settings, FreeRDP_ClientHostname, &clientNameLen);
588
589 clientNameLen++; // length including terminating '\0'
590
591 const size_t packetSize = 12ull + clientNameLen * sizeof(WCHAR);
592 if (!clientName || (clientNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
593 {
594 free(clientName);
595 return FALSE;
596 }
597
598 s = Stream_New(nullptr, packetSize);
599
600 if (!s)
601 {
602 free(clientName);
603 return FALSE;
604 }
605
606 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_AUTH); /* Type (2 bytes) */
607 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
608 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
609 Stream_Write_UINT16(s, 0); /* FieldsPresent (2 bytes) */
610 Stream_Write_UINT16(s, (UINT16)clientNameLen * sizeof(WCHAR)); /* Client name string length */
611 Stream_Write_UTF16_String(s, clientName, clientNameLen);
612 Stream_SealLength(s);
613 status = rdg_write_packet(rdg, s);
614 Stream_Free(s, TRUE);
615 free(clientName);
616
617 if (status)
618 {
619 rdg->state = RDG_CLIENT_STATE_TUNNEL_AUTHORIZE;
620 }
621
622 return status;
623}
624
625static BOOL rdg_send_channel_create(rdpRdg* rdg)
626{
627 wStream* s = nullptr;
628 BOOL status = FALSE;
629 WCHAR* serverName = nullptr;
630 size_t serverNameLen = 0;
631
632 WINPR_ASSERT(rdg);
633 serverName = freerdp_settings_get_string_as_utf16(rdg->context->settings,
634 FreeRDP_ServerHostname, &serverNameLen);
635
636 serverNameLen++; // length including terminating '\0'
637 const size_t packetSize = 16ull + serverNameLen * sizeof(WCHAR);
638 if (!serverName || (serverNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
639 goto fail;
640
641 s = Stream_New(nullptr, packetSize);
642
643 if (!s)
644 goto fail;
645
646 Stream_Write_UINT16(s, PKT_TYPE_CHANNEL_CREATE); /* Type (2 bytes) */
647 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
648 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
649 Stream_Write_UINT8(s, 1); /* Number of resources. (1 byte) */
650 Stream_Write_UINT8(s, 0); /* Number of alternative resources (1 byte) */
651 Stream_Write_UINT16(s,
652 (UINT16)rdg->context->settings->ServerPort); /* Resource port (2 bytes) */
653 Stream_Write_UINT16(s, 3); /* Protocol number (2 bytes) */
654 Stream_Write_UINT16(s, (UINT16)serverNameLen * sizeof(WCHAR));
655 Stream_Write_UTF16_String(s, serverName, serverNameLen);
656 Stream_SealLength(s);
657 status = rdg_write_packet(rdg, s);
658fail:
659 free(serverName);
660 Stream_Free(s, TRUE);
661
662 if (status)
663 rdg->state = RDG_CLIENT_STATE_CHANNEL_CREATE;
664
665 return status;
666}
667
668static BOOL rdg_set_auth_header(rdpCredsspAuth* auth, HttpRequest* request)
669{
670 const SecBuffer* authToken = credssp_auth_get_output_buffer(auth);
671 char* base64AuthToken = nullptr;
672
673 if (authToken)
674 {
675 if (authToken->cbBuffer > INT_MAX)
676 return FALSE;
677
678 base64AuthToken = crypto_base64_encode(authToken->pvBuffer, authToken->cbBuffer);
679 }
680
681 if (base64AuthToken)
682 {
683 BOOL rc = http_request_set_auth_scheme(request, credssp_auth_pkg_name(auth)) &&
684 http_request_set_auth_param(request, base64AuthToken);
685 free(base64AuthToken);
686
687 if (!rc)
688 return FALSE;
689 }
690
691 return TRUE;
692}
693
694static wStream* rdg_build_http_request(rdpRdg* rdg, const char* method,
695 TRANSFER_ENCODING transferEncoding)
696{
697 wStream* s = nullptr;
698 HttpRequest* request = nullptr;
699 const char* uri = nullptr;
700
701 if (!rdg || !method)
702 return nullptr;
703
704 uri = http_context_get_uri(rdg->http);
705 request = http_request_new();
706
707 if (!request)
708 return nullptr;
709
710 if (!http_request_set_method(request, method) || !http_request_set_uri(request, uri))
711 goto out;
712
713 if (rdg->auth)
714 {
715 if (!rdg_set_auth_header(rdg->auth, request))
716 goto out;
717 }
718
719 else if (rdg->extAuth == HTTP_EXTENDED_AUTH_BEARER)
720 {
721 if (!http_request_set_auth_scheme(request, "Bearer"))
722 goto out;
723 if (!http_request_set_auth_param(request, rdg->context->settings->GatewayHttpExtAuthBearer))
724 goto out;
725 }
726
727 if (!http_request_set_transfer_encoding(request, transferEncoding))
728 goto out;
729
730 s = http_request_write(rdg->http, request);
731out:
732 http_request_free(request);
733
734 if (s)
735 Stream_SealLength(s);
736
737 return s;
738}
739
740static BOOL rdg_recv_auth_token(wLog* log, rdpCredsspAuth* auth, HttpResponse* response)
741{
742 size_t len = 0;
743 size_t authTokenLength = 0;
744 BYTE* authTokenData = nullptr;
745 SecBuffer authToken = WINPR_C_ARRAY_INIT;
746 int rc = 0;
747
748 if (!auth || !response)
749 return FALSE;
750
751 const UINT16 StatusCode = http_response_get_status_code(response);
752 switch (StatusCode)
753 {
754 case HTTP_STATUS_DENIED:
755 case HTTP_STATUS_OK:
756 case HTTP_STATUS_SWITCH_PROTOCOLS:
757 break;
758 default:
759 http_response_log_error_status(log, WLOG_WARN, response);
760 return FALSE;
761 }
762
763 const char* token64 = http_response_get_auth_token(response, credssp_auth_pkg_name(auth));
764 if (!token64)
765 return FALSE;
766
767 len = strlen(token64);
768
769 crypto_base64_decode(token64, len, &authTokenData, &authTokenLength);
770
771 if (authTokenLength && authTokenData && (authTokenLength <= UINT32_MAX))
772 {
773 authToken.pvBuffer = authTokenData;
774 authToken.cbBuffer = (UINT32)authTokenLength;
775 credssp_auth_take_input_buffer(auth, &authToken);
776 }
777 else
778 free(authTokenData);
779
780 rc = credssp_auth_authenticate(auth);
781 return (rc >= 0);
782}
783
784static BOOL rdg_skip_seed_payload(rdpContext* context, rdpTls* tls, size_t lastResponseLength,
785 rdg_http_encoding_context* transferEncoding)
786{
787 BYTE seed_payload[10] = WINPR_C_ARRAY_INIT;
788 const size_t size = sizeof(seed_payload);
789
790 /* Per [MS-TSGU] 3.3.5.1 step 4, after final OK response RDG server sends
791 * random "seed" payload of limited size. In practice it's 10 bytes.
792 */
793 if (lastResponseLength < size)
794 {
795 if (!rdg_read_all(context, tls, seed_payload, size - lastResponseLength, transferEncoding))
796 {
797 return FALSE;
798 }
799 }
800
801 return TRUE;
802}
803
804static BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
805{
806 UINT32 errorCode = 0;
807 UINT16 serverVersion = 0;
808 UINT16 extendedAuth = 0;
809 BYTE verMajor = 0;
810 BYTE verMinor = 0;
811 const char* error = nullptr;
812 WLog_Print(rdg->log, WLOG_DEBUG, "Handshake response received");
813
814 if (rdg->state != RDG_CLIENT_STATE_HANDSHAKE)
815 {
816 return FALSE;
817 }
818
819 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
820 return FALSE;
821
822 Stream_Read_UINT32(s, errorCode);
823 Stream_Read_UINT8(s, verMajor);
824 Stream_Read_UINT8(s, verMinor);
825 Stream_Read_UINT16(s, serverVersion);
826 Stream_Read_UINT16(s, extendedAuth);
827 error = rpc_error_to_string(errorCode);
828 WLog_Print(rdg->log, WLOG_DEBUG,
829 "errorCode=%s, verMajor=%" PRId8 ", verMinor=%" PRId8 ", serverVersion=%" PRId16
830 ", extendedAuth=%s",
831 error, verMajor, verMinor, serverVersion, extended_auth_to_string(extendedAuth));
832
833 if (FAILED((HRESULT)errorCode))
834 {
835 WLog_Print(rdg->log, WLOG_ERROR, "Handshake error %s", error);
836 freerdp_set_last_error_log(rdg->context, errorCode);
837 return FALSE;
838 }
839
840 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
841 return rdg_send_extauth_sspi(rdg);
842
843 return rdg_send_tunnel_request(rdg);
844}
845
846static BOOL rdg_process_tunnel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
847{
848 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID)
849 {
850 /* Seek over tunnelId (4 bytes) */
851 if (!Stream_SafeSeek(s, 4))
852 {
853 WLog_Print(rdg->log, WLOG_ERROR, "Short tunnelId, got %" PRIuz ", expected 4",
854 Stream_GetRemainingLength(s));
855 return FALSE;
856 }
857 }
858
859 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CAPS)
860 {
861 UINT32 caps = 0;
862 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
863 return FALSE;
864
865 Stream_Read_UINT32(s, caps);
866 WLog_Print(rdg->log, WLOG_DEBUG, "capabilities=%s", capabilities_enum_to_string(caps));
867 }
868
869 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ)
870 {
871 /* Seek over nonce (20 bytes) */
872 if (!Stream_SafeSeek(s, 20))
873 {
874 WLog_Print(rdg->log, WLOG_ERROR, "Short nonce, got %" PRIuz ", expected 20",
875 Stream_GetRemainingLength(s));
876 return FALSE;
877 }
878
879 /* Read serverCert */
880 if (!rdg_read_http_unicode_string(rdg->log, s, nullptr, nullptr))
881 {
882 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read server certificate");
883 return FALSE;
884 }
885 }
886
887 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG)
888 {
889 const WCHAR* msg = nullptr;
890 UINT16 msgLenBytes = 0;
891 rdpContext* context = rdg->context;
892
893 WINPR_ASSERT(context);
894 WINPR_ASSERT(context->instance);
895
896 /* Read message string and invoke callback */
897 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
898 {
899 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read consent message");
900 return FALSE;
901 }
902
903 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
904 GATEWAY_MESSAGE_CONSENT, TRUE, TRUE, msgLenBytes, msg);
905 }
906
907 return TRUE;
908}
909
910static BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
911{
912 UINT16 serverVersion = 0;
913 UINT16 fieldsPresent = 0;
914 UINT32 errorCode = 0;
915 const char* error = nullptr;
916 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel response received");
917
918 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_CREATE)
919 {
920 return FALSE;
921 }
922
923 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
924 return FALSE;
925
926 Stream_Read_UINT16(s, serverVersion);
927 Stream_Read_UINT32(s, errorCode);
928 Stream_Read_UINT16(s, fieldsPresent);
929 Stream_Seek_UINT16(s); /* reserved */
930 error = rpc_error_to_string(errorCode);
931 WLog_Print(rdg->log, WLOG_DEBUG, "serverVersion=%" PRId16 ", errorCode=%s, fieldsPresent=%s",
932 serverVersion, error, tunnel_response_fields_present_to_string(fieldsPresent));
933
934 if (FAILED((HRESULT)errorCode))
935 {
936 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel creation error %s", error);
937 freerdp_set_last_error_log(rdg->context, errorCode);
938 return FALSE;
939 }
940
941 if (!rdg_process_tunnel_response_optional(rdg, s, fieldsPresent))
942 return FALSE;
943
944 return rdg_send_tunnel_authorization(rdg);
945}
946
947static BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
948{
949 UINT32 errorCode = 0;
950 UINT16 fieldsPresent = 0;
951 const char* error = nullptr;
952 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel authorization received");
953
954 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_AUTHORIZE)
955 {
956 return FALSE;
957 }
958
959 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
960 return FALSE;
961
962 Stream_Read_UINT32(s, errorCode);
963 Stream_Read_UINT16(s, fieldsPresent);
964 Stream_Seek_UINT16(s); /* reserved */
965 error = rpc_error_to_string(errorCode);
966 WLog_Print(rdg->log, WLOG_DEBUG, "errorCode=%s, fieldsPresent=%s", error,
967 tunnel_authorization_response_fields_present_to_string(fieldsPresent));
968
969 /* [MS-TSGU] 3.7.5.2.7 */
970 if (errorCode != S_OK && errorCode != E_PROXY_QUARANTINE_ACCESSDENIED)
971 {
972 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel authorization error %s", error);
973 freerdp_set_last_error_log(rdg->context, errorCode);
974 return FALSE;
975 }
976
977 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS)
978 {
979 UINT32 redirFlags = 0;
980 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
981 return FALSE;
982 Stream_Read_UINT32(s, redirFlags);
983
984 rdpContext* context = rdg->context;
985 if (!utils_apply_gateway_policy(rdg->log, context, redirFlags, "RDG"))
986 return FALSE;
987 }
988
989 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT)
990 {
991 UINT32 idleTimeout = 0;
992 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
993 return FALSE;
994 Stream_Read_UINT32(s, idleTimeout);
995 WLog_Print(rdg->log, WLOG_DEBUG, "[IDLE_TIMEOUT] idleTimeout=%" PRIu32 ": TODO: unused",
996 idleTimeout);
997 }
998
999 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE)
1000 {
1001 UINT16 cbLen = 0;
1002 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1003 return FALSE;
1004 Stream_Read_UINT16(s, cbLen);
1005
1006 WLog_Print(rdg->log, WLOG_DEBUG, "[SOH_RESPONSE] cbLen=%" PRIu16 ": TODO: unused", cbLen);
1007 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, cbLen))
1008 return FALSE;
1009 Stream_Seek(s, cbLen);
1010 }
1011
1012 return rdg_send_channel_create(rdg);
1013}
1014
1015static BOOL rdg_process_extauth_sspi(rdpRdg* rdg, wStream* s)
1016{
1017 INT32 errorCode = 0;
1018 UINT16 authBlobLen = 0;
1019 SecBuffer authToken = WINPR_C_ARRAY_INIT;
1020 BYTE* authTokenData = nullptr;
1021
1022 WINPR_ASSERT(rdg);
1023
1024 Stream_Read_INT32(s, errorCode);
1025 Stream_Read_UINT16(s, authBlobLen);
1026
1027 if (errorCode != ERROR_SUCCESS)
1028 {
1029 WLog_Print(rdg->log, WLOG_ERROR, "EXTAUTH_SSPI_NTLM failed with error %s [0x%08X]",
1030 GetSecurityStatusString(errorCode), WINPR_CXX_COMPAT_CAST(UINT32, errorCode));
1031 return FALSE;
1032 }
1033
1034 if (authBlobLen == 0)
1035 {
1036 if (credssp_auth_is_complete(rdg->auth))
1037 {
1038 credssp_auth_free(rdg->auth);
1039 rdg->auth = nullptr;
1040 return rdg_send_tunnel_request(rdg);
1041 }
1042 return FALSE;
1043 }
1044
1045 authTokenData = malloc(authBlobLen);
1046 if (authTokenData == nullptr)
1047 return FALSE;
1048 Stream_Read(s, authTokenData, authBlobLen);
1049
1050 authToken.pvBuffer = authTokenData;
1051 authToken.cbBuffer = authBlobLen;
1052
1053 credssp_auth_take_input_buffer(rdg->auth, &authToken);
1054
1055 if (credssp_auth_authenticate(rdg->auth) < 0)
1056 return FALSE;
1057
1058 if (credssp_auth_have_output_token(rdg->auth))
1059 return rdg_send_extauth_sspi(rdg);
1060
1061 return FALSE;
1062}
1063
1064static BOOL rdg_process_channel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
1065{
1066 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID) != 0)
1067 {
1068 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
1069 return FALSE;
1070 const UINT32 channelId = Stream_Get_UINT32(s);
1071 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got channelId=%" PRIu32, channelId);
1072 }
1073 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT) != 0)
1074 {
1075 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1076 return FALSE;
1077 const UINT16 udpPort = Stream_Get_UINT16(s);
1078 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got udpPort=%" PRIu32, udpPort);
1079 }
1080 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE) != 0)
1081 {
1082 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1083 return FALSE;
1084 const UINT16 blobLen = Stream_Get_UINT16(s);
1085 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, blobLen))
1086 return FALSE;
1087 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got UDP auth blob=%" PRIu32, blobLen);
1088 if (!Stream_SafeSeek(s, blobLen))
1089 return FALSE;
1090 }
1091
1092 return TRUE;
1093}
1094
1095static BOOL rdg_process_channel_response(rdpRdg* rdg, wStream* s)
1096{
1097 UINT16 fieldsPresent = 0;
1098 UINT32 errorCode = 0;
1099 const char* error = nullptr;
1100 WLog_Print(rdg->log, WLOG_DEBUG, "Channel response received");
1101
1102 if (rdg->state != RDG_CLIENT_STATE_CHANNEL_CREATE)
1103 {
1104 return FALSE;
1105 }
1106
1107 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1108 return FALSE;
1109
1110 Stream_Read_UINT32(s, errorCode);
1111 Stream_Read_UINT16(s, fieldsPresent);
1112 Stream_Seek_UINT16(s); /* reserved */
1113 error = rpc_error_to_string(errorCode);
1114 WLog_Print(rdg->log, WLOG_DEBUG, "channel response errorCode=%s, fieldsPresent=%s", error,
1115 channel_response_fields_present_to_string(fieldsPresent));
1116
1117 if (FAILED((HRESULT)errorCode))
1118 {
1119 WLog_Print(rdg->log, WLOG_ERROR, "channel response errorCode=%s, fieldsPresent=%s", error,
1120 channel_response_fields_present_to_string(fieldsPresent));
1121 freerdp_set_last_error_log(rdg->context, errorCode);
1122 return FALSE;
1123 }
1124
1125 if (!rdg_process_channel_response_optional(rdg, s, fieldsPresent))
1126 return FALSE;
1127
1128 rdg->state = RDG_CLIENT_STATE_OPENED;
1129 return TRUE;
1130}
1131
1132static BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
1133{
1134 BOOL status = TRUE;
1135 UINT16 type = 0;
1136 UINT32 packetLength = 0;
1137 Stream_SetPosition(s, 0);
1138
1139 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1140 return FALSE;
1141
1142 Stream_Read_UINT16(s, type);
1143 Stream_Seek_UINT16(s); /* reserved */
1144 Stream_Read_UINT32(s, packetLength);
1145
1146 if (Stream_Length(s) < packetLength)
1147 {
1148 WLog_Print(rdg->log, WLOG_ERROR, "Short packet %" PRIuz ", expected %" PRIu32,
1149 Stream_Length(s), packetLength);
1150 return FALSE;
1151 }
1152
1153 switch (type)
1154 {
1155 case PKT_TYPE_HANDSHAKE_RESPONSE:
1156 status = rdg_process_handshake_response(rdg, s);
1157 break;
1158
1159 case PKT_TYPE_TUNNEL_RESPONSE:
1160 status = rdg_process_tunnel_response(rdg, s);
1161 break;
1162
1163 case PKT_TYPE_TUNNEL_AUTH_RESPONSE:
1164 status = rdg_process_tunnel_authorization_response(rdg, s);
1165 break;
1166
1167 case PKT_TYPE_CHANNEL_RESPONSE:
1168 status = rdg_process_channel_response(rdg, s);
1169 break;
1170
1171 case PKT_TYPE_DATA:
1172 WLog_Print(rdg->log, WLOG_ERROR, "Unexpected packet type DATA");
1173 status = FALSE;
1174 break;
1175
1176 case PKT_TYPE_EXTENDED_AUTH_MSG:
1177 status = rdg_process_extauth_sspi(rdg, s);
1178 break;
1179
1180 default:
1181 WLog_Print(rdg->log, WLOG_ERROR, "PKG TYPE 0x%x not implemented", type);
1182 status = FALSE;
1183 break;
1184 }
1185
1186 if (status)
1187 {
1188 const size_t rem = Stream_GetRemainingLength(s);
1189 if (rem > 0)
1190 WLog_Print(rdg->log, WLOG_WARN, "[%s] unparsed data detected: %" PRIuz " bytes",
1191 rdg_pkt_type_to_string(type), rem);
1192 }
1193 return status;
1194}
1195
1196DWORD rdg_get_event_handles(rdpRdg* rdg, HANDLE* events, DWORD count)
1197{
1198 DWORD nCount = 0;
1199 WINPR_ASSERT(rdg != nullptr);
1200
1201 if (rdg->tlsOut && rdg->tlsOut->bio)
1202 {
1203 if (events && (nCount < count))
1204 {
1205 BIO_get_event(rdg->tlsOut->bio, &events[nCount]);
1206 nCount++;
1207 }
1208 else
1209 return 0;
1210 }
1211
1212 /* We just need the read event handle even in non-websocket mode. */
1213
1214 return nCount;
1215}
1216
1217static BOOL rdg_get_gateway_credentials(rdpContext* context, rdp_auth_reason reason)
1218{
1219 freerdp* instance = context->instance;
1220
1221 auth_status rc = utils_authenticate_gateway(instance, reason);
1222 switch (rc)
1223 {
1224 case AUTH_SUCCESS:
1225 case AUTH_SKIP:
1226 return TRUE;
1227 case AUTH_CANCELLED:
1228 freerdp_set_last_error_log(instance->context, FREERDP_ERROR_CONNECT_CANCELLED);
1229 return FALSE;
1230 case AUTH_NO_CREDENTIALS:
1231 WLog_INFO(TAG, "No credentials provided - using nullptr identity");
1232 return TRUE;
1233 case AUTH_FAILED:
1234 default:
1235 return FALSE;
1236 }
1237}
1238
1239static BOOL rdg_auth_init(rdpRdg* rdg, rdpTls* tls, TCHAR* authPkg)
1240{
1241 rdpContext* context = rdg->context;
1242 rdpSettings* settings = context->settings;
1243 SEC_WINNT_AUTH_IDENTITY identity = WINPR_C_ARRAY_INIT;
1244 int rc = 0;
1245
1246 rdg->auth = credssp_auth_new(context);
1247 if (!rdg->auth)
1248 return FALSE;
1249
1250 if (!credssp_auth_init(rdg->auth, authPkg, tls->Bindings))
1251 return FALSE;
1252
1253 BOOL doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1254 if (doSCLogon)
1255 {
1256 if (!smartcard_getCert(context, &rdg->smartcard, TRUE))
1257 return FALSE;
1258
1259 if (!rdg_get_gateway_credentials(context, AUTH_SMARTCARD_PIN))
1260 return FALSE;
1261 }
1262 else
1263 {
1264 if (!rdg_get_gateway_credentials(context, GW_AUTH_RDG))
1265 return FALSE;
1266
1267 /* Auth callback might changed logon to smartcard so check again */
1268 doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1269 if (doSCLogon && !smartcard_getCert(context, &rdg->smartcard, TRUE))
1270 return FALSE;
1271 }
1272
1273 SEC_WINNT_AUTH_IDENTITY* identityArg = &identity;
1274 if (doSCLogon)
1275 {
1276 if (!identity_set_from_smartcard_hash(&identity, settings, FreeRDP_GatewayUsername,
1277 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword,
1278 rdg->smartcard->sha1Hash,
1279 sizeof(rdg->smartcard->sha1Hash)))
1280 return FALSE;
1281 }
1282 else
1283 {
1284 if (!identity_set_from_settings(&identity, settings, FreeRDP_GatewayUsername,
1285 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword))
1286 return FALSE;
1287
1288 if (!settings->GatewayUsername)
1289 identityArg = nullptr;
1290 }
1291
1292 if (!credssp_auth_setup_client(rdg->auth, "HTTP", settings->GatewayHostname, identityArg,
1293 rdg->smartcard ? rdg->smartcard->pkinitArgs : nullptr))
1294 {
1295 sspi_FreeAuthIdentity(&identity);
1296 return FALSE;
1297 }
1298 sspi_FreeAuthIdentity(&identity);
1299
1300 credssp_auth_set_flags(rdg->auth, ISC_REQ_CONFIDENTIALITY | ISC_REQ_MUTUAL_AUTH);
1301
1302 rc = credssp_auth_authenticate(rdg->auth);
1303 return (rc >= 0);
1304}
1305
1306static BOOL rdg_send_http_request(rdpRdg* rdg, rdpTls* tls, const char* method,
1307 TRANSFER_ENCODING transferEncoding)
1308{
1309 int status = -1;
1310 wStream* s = rdg_build_http_request(rdg, method, transferEncoding);
1311
1312 if (!s)
1313 return FALSE;
1314
1315 const size_t sz = Stream_Length(s);
1316 status = freerdp_tls_write_all(tls, Stream_Buffer(s), sz);
1317
1318 Stream_Free(s, TRUE);
1319 return (status >= 0);
1320}
1321
1322static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, UINT32 timeout)
1323{
1324 long status = 0;
1325 BIO* layerBio = nullptr;
1326 BIO* bufferedBio = nullptr;
1327 rdpTransportLayer* layer = nullptr;
1328 rdpSettings* settings = rdg->context->settings;
1329 rdpTransport* transport = freerdp_get_transport(rdg->context);
1330 const char* peerHostname = settings->GatewayHostname;
1331 UINT16 peerPort = (UINT16)settings->GatewayPort;
1332 const char* proxyUsername = nullptr;
1333 const char* proxyPassword = nullptr;
1334 BOOL isProxyConnection =
1335 proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername, &proxyPassword);
1336
1337 if (settings->GatewayPort > UINT16_MAX)
1338 return FALSE;
1339
1340 layer = transport_connect_layer(transport, peerAddress ? peerAddress : peerHostname, peerPort,
1341 timeout);
1342
1343 if (!layer)
1344 {
1345 return FALSE;
1346 }
1347
1348 layerBio = BIO_new(BIO_s_transport_layer());
1349 if (!layerBio)
1350 {
1351 transport_layer_free(layer);
1352 return FALSE;
1353 }
1354 BIO_set_data(layerBio, layer);
1355
1356 bufferedBio = BIO_new(BIO_s_buffered_socket());
1357 if (!bufferedBio)
1358 {
1359 BIO_free_all(layerBio);
1360 return FALSE;
1361 }
1362
1363 bufferedBio = BIO_push(bufferedBio, layerBio);
1364 status = BIO_set_nonblock(bufferedBio, TRUE);
1365
1366 if (isProxyConnection)
1367 {
1368 if (!proxy_connect(rdg->context, bufferedBio, proxyUsername, proxyPassword,
1369 settings->GatewayHostname, (UINT16)settings->GatewayPort))
1370 {
1371 BIO_free_all(bufferedBio);
1372 return FALSE;
1373 }
1374 }
1375
1376 if (!status)
1377 {
1378 BIO_free_all(bufferedBio);
1379 return FALSE;
1380 }
1381
1382 tls->hostname = settings->GatewayHostname;
1383 tls->port = WINPR_ASSERTING_INT_CAST(int32_t, MIN(UINT16_MAX, settings->GatewayPort));
1384 tls->isGatewayTransport = TRUE;
1385 status = freerdp_tls_connect(tls, bufferedBio);
1386 if (status < 1)
1387 {
1388 rdpContext* context = rdg->context;
1389 if (status < 0)
1390 {
1391 freerdp_set_last_error_if_not(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
1392 }
1393 else
1394 {
1395 freerdp_set_last_error_if_not(context, FREERDP_ERROR_CONNECT_CANCELLED);
1396 }
1397
1398 return FALSE;
1399 }
1400 return (status >= 1);
1401}
1402
1403static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char* method,
1404 const char* peerAddress, UINT32 timeout,
1405 BOOL* rpcFallback)
1406{
1407 char buffer[64] = WINPR_C_ARRAY_INIT;
1408 HttpResponse* response = nullptr;
1409
1410 if (!rdg_tls_connect(rdg, tls, peerAddress, timeout))
1411 return FALSE;
1412
1413 WINPR_ASSERT(rpcFallback);
1414 if (rdg->context->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1415 rdg->extAuth = HTTP_EXTENDED_AUTH_BEARER;
1416 if (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1417 {
1418 if (!rdg_auth_init(rdg, tls, AUTH_PKG))
1419 return FALSE;
1420
1421 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1422 return FALSE;
1423
1424 response = http_response_recv(tls, TRUE);
1425 /* MS RD Gateway seems to just terminate the tls connection without
1426 * sending an answer if it is not happy with the http request */
1427 if (!response)
1428 {
1429 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1430 *rpcFallback = TRUE;
1431 return FALSE;
1432 }
1433
1434 (void)http_response_extract_cookies(response, rdg->http);
1435
1436 const UINT16 StatusCode = http_response_get_status_code(response);
1437 switch (StatusCode)
1438 {
1439 case HTTP_STATUS_GONE:
1440 case HTTP_STATUS_FORBIDDEN:
1441 case HTTP_STATUS_NOT_FOUND:
1442 {
1443 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway does not support HTTP transport.");
1444 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1445 *rpcFallback = TRUE;
1446
1447 http_response_free(response);
1448 return FALSE;
1449 }
1450 case HTTP_STATUS_OK:
1451 break;
1452
1453 case HTTP_STATUS_DENIED:
1454 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1455 break;
1456
1457 default:
1458 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1459 break;
1460 }
1461
1462 while (!credssp_auth_is_complete(rdg->auth))
1463 {
1464 if (!rdg_recv_auth_token(rdg->log, rdg->auth, response))
1465 {
1466 http_response_free(response);
1467 return FALSE;
1468 }
1469
1470 if (credssp_auth_have_output_token(rdg->auth))
1471 {
1472 http_response_free(response);
1473
1474 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1475 return FALSE;
1476
1477 response = http_response_recv(tls, TRUE);
1478 if (!response)
1479 {
1480 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1481 *rpcFallback = TRUE;
1482 return FALSE;
1483 }
1484 (void)http_response_extract_cookies(response, rdg->http);
1485 }
1486 }
1487 credssp_auth_free(rdg->auth);
1488 rdg->auth = nullptr;
1489 }
1490 else
1491 {
1492 credssp_auth_free(rdg->auth);
1493 rdg->auth = nullptr;
1494
1495 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1496 return FALSE;
1497
1498 response = http_response_recv(tls, TRUE);
1499
1500 if (!response)
1501 {
1502 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1503 *rpcFallback = TRUE;
1504 return FALSE;
1505 }
1506 (void)http_response_extract_cookies(response, rdg->http);
1507 }
1508
1509 const UINT16 statusCode = http_response_get_status_code(response);
1510 const size_t bodyLength = http_response_get_body_length(response);
1511 const TRANSFER_ENCODING encoding = http_response_get_transfer_encoding(response);
1512 const BOOL isWebsocket = http_response_is_websocket(rdg->http, response);
1513
1514 WLog_Print(rdg->log, WLOG_DEBUG, "%s authorization result: %s", method,
1515 freerdp_http_status_string_format(statusCode, buffer, ARRAYSIZE(buffer)));
1516
1517 switch (statusCode)
1518 {
1519 case HTTP_STATUS_OK:
1520 /* old rdg endpoint without websocket support, don't request websocket for RDG_IN_DATA
1521 */
1522 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1523 http_response_free(response);
1524 break;
1525 case HTTP_STATUS_DENIED:
1526 freerdp_set_last_error_log(rdg->context, FREERDP_ERROR_CONNECT_ACCESS_DENIED);
1527 http_response_free(response);
1528 return FALSE;
1529 case HTTP_STATUS_SWITCH_PROTOCOLS:
1530 http_response_free(response);
1531 if (!isWebsocket)
1532 {
1533 /*
1534 * webserver is broken, a fallback may be possible here
1535 * but only if already tested with oppurtonistic upgrade
1536 */
1537 if (http_context_is_websocket_upgrade_enabled(rdg->http))
1538 {
1539 long fd = BIO_get_fd(tls->bio, nullptr);
1540 if (fd >= 0)
1541 closesocket((SOCKET)fd);
1542 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1543 return rdg_establish_data_connection(rdg, tls, method, peerAddress, timeout,
1544 rpcFallback);
1545 }
1546 return FALSE;
1547 }
1548
1549 rdg->transferEncoding.isWebsocketTransport = TRUE;
1550 if (!websocket_context_reset(rdg->transferEncoding.context.websocket))
1551 return FALSE;
1552
1553 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1554 {
1555 /* create a new auth context for SSPI_NTLM. This must be done after the last
1556 * rdg_send_http_request */
1557 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1558 return FALSE;
1559 }
1560 return TRUE;
1561 default:
1562 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1563 http_response_free(response);
1564 return FALSE;
1565 }
1566
1567 if (strcmp(method, "RDG_OUT_DATA") == 0)
1568 {
1569 if (encoding == TransferEncodingChunked)
1570 {
1571 rdg->transferEncoding.httpTransferEncoding = TransferEncodingChunked;
1572 rdg->transferEncoding.context.chunked.nextOffset = 0;
1573 rdg->transferEncoding.context.chunked.headerFooterPos = 0;
1574 rdg->transferEncoding.context.chunked.state = ChunkStateLenghHeader;
1575 }
1576 if (!rdg_skip_seed_payload(rdg->context, tls, bodyLength, &rdg->transferEncoding))
1577 {
1578 return FALSE;
1579 }
1580 }
1581 else
1582 {
1583 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingChunked))
1584 return FALSE;
1585
1586 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1587 {
1588 /* create a new auth context for SSPI_NTLM. This must be done after the last
1589 * rdg_send_http_request (RDG_IN_DATA is always after RDG_OUT_DATA) */
1590 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1591 return FALSE;
1592 }
1593 }
1594
1595 return TRUE;
1596}
1597
1598static BOOL rdg_tunnel_connect(rdpRdg* rdg)
1599{
1600 BOOL status = 0;
1601 wStream* s = nullptr;
1602 rdg_send_handshake(rdg);
1603
1604 while (rdg->state < RDG_CLIENT_STATE_OPENED)
1605 {
1606 status = FALSE;
1607 s = rdg_receive_packet(rdg);
1608
1609 if (s)
1610 {
1611 status = rdg_process_packet(rdg, s);
1612 Stream_Free(s, TRUE);
1613 }
1614
1615 if (!status)
1616 {
1617 WINPR_ASSERT(rdg);
1618 WINPR_ASSERT(rdg->context);
1619 WINPR_ASSERT(rdg->context->rdp);
1620 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1621 return FALSE;
1622 }
1623 }
1624
1625 return TRUE;
1626}
1627
1628BOOL rdg_connect(rdpRdg* rdg, DWORD timeout, BOOL* rpcFallback)
1629{
1630 BOOL status = 0;
1631 SOCKET outConnSocket = 0;
1632 char* peerAddress = nullptr;
1633 BOOL rpcFallbackLocal = FALSE;
1634
1635 WINPR_ASSERT(rdg != nullptr);
1636 freerdp_set_last_error(rdg->context, ERROR_SUCCESS);
1637 status = rdg_establish_data_connection(rdg, rdg->tlsOut, "RDG_OUT_DATA", nullptr, timeout,
1638 &rpcFallbackLocal);
1639
1640 if (status)
1641 {
1642 if (rdg->transferEncoding.isWebsocketTransport)
1643 {
1644 WLog_Print(rdg->log, WLOG_DEBUG, "Upgraded to websocket. RDG_IN_DATA not required");
1645 }
1646 else
1647 {
1648 /* Establish IN connection with the same peer/server as OUT connection,
1649 * even when server hostname resolves to different IP addresses.
1650 */
1651 BIO_get_socket(rdg->tlsOut->underlying, &outConnSocket);
1652 peerAddress = freerdp_tcp_get_peer_address(outConnSocket);
1653 status = rdg_establish_data_connection(rdg, rdg->tlsIn, "RDG_IN_DATA", peerAddress,
1654 timeout, &rpcFallbackLocal);
1655 free(peerAddress);
1656 }
1657 }
1658
1659 if (rpcFallback)
1660 *rpcFallback = rpcFallbackLocal;
1661
1662 if (!status)
1663 {
1664 WINPR_ASSERT(rdg);
1665 WINPR_ASSERT(rdg->context);
1666 WINPR_ASSERT(rdg->context->rdp);
1667 if (rpcFallbackLocal)
1668 {
1669 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1670 credssp_auth_free(rdg->auth);
1671 rdg->auth = nullptr;
1672 }
1673
1674 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1675 return FALSE;
1676 }
1677
1678 status = rdg_tunnel_connect(rdg);
1679
1680 return (status);
1681}
1682
1683static int rdg_write_websocket_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1684{
1685 WINPR_ASSERT(rdg);
1686 if (isize < 0)
1687 return -1;
1688
1689 const size_t payloadSize = (size_t)isize + 10;
1690 union
1691 {
1692 UINT32 u32;
1693 UINT8 u8[4];
1694 } maskingKey;
1695
1696 wStream* sWS =
1697 websocket_context_packet_new(payloadSize, WebsocketBinaryOpcode, &maskingKey.u32);
1698 if (!sWS)
1699 return FALSE;
1700
1701 Stream_Write_UINT16(
1702 sWS, WINPR_ASSERTING_INT_CAST(
1703 uint16_t, PKT_TYPE_DATA ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Type */
1704 Stream_Write_UINT16(
1705 sWS, WINPR_ASSERTING_INT_CAST(
1706 uint16_t, 0 ^ (maskingKey.u8[2] | maskingKey.u8[3] << 8))); /* Reserved */
1707 Stream_Write_UINT32(
1708 sWS, WINPR_ASSERTING_INT_CAST(uint32_t, payloadSize ^ maskingKey.u32)); /* Packet length */
1709 Stream_Write_UINT16(
1710 sWS, WINPR_ASSERTING_INT_CAST(
1711 uint16_t, isize ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Data size */
1712
1713 /* masking key is now off by 2 bytes. fix that */
1714 maskingKey.u32 = (maskingKey.u32 & 0xffff) << 16 | (maskingKey.u32 >> 16);
1715
1716 WINPR_ASSERT(rdg->tlsOut);
1717 wStream sPacket = WINPR_C_ARRAY_INIT;
1718 Stream_StaticConstInit(&sPacket, buf, (size_t)isize);
1719 if (!websocket_context_mask_and_send(rdg->tlsOut->bio, sWS, &sPacket, maskingKey.u32))
1720 return -1;
1721
1722 return isize;
1723}
1724
1725static int rdg_write_chunked_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1726{
1727 int status = 0;
1728 size_t len = 0;
1729 wStream* sChunk = nullptr;
1730
1731 if (isize > UINT16_MAX)
1732 return -1;
1733
1734 const size_t size = (size_t)isize;
1735 if (size < 1)
1736 return 0;
1737
1738 const size_t packetSize = size + 10;
1739 char chunkSize[11] = WINPR_C_ARRAY_INIT;
1740 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIxz "\r\n", packetSize);
1741 sChunk = Stream_New(nullptr, strnlen(chunkSize, sizeof(chunkSize)) + packetSize + 2);
1742
1743 if (!sChunk)
1744 return -1;
1745
1746 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
1747 Stream_Write_UINT16(sChunk, PKT_TYPE_DATA); /* Type */
1748 Stream_Write_UINT16(sChunk, 0); /* Reserved */
1749 Stream_Write_UINT32(sChunk, (UINT32)packetSize); /* Packet length */
1750 Stream_Write_UINT16(sChunk, (UINT16)size); /* Data size */
1751 Stream_Write(sChunk, buf, size); /* Data */
1752 Stream_Write(sChunk, "\r\n", 2);
1753 Stream_SealLength(sChunk);
1754 len = Stream_Length(sChunk);
1755
1756 status = freerdp_tls_write_all(rdg->tlsIn, Stream_Buffer(sChunk), len);
1757 Stream_Free(sChunk, TRUE);
1758
1759 if (status < 0)
1760 return -1;
1761
1762 return (int)size;
1763}
1764
1765static int rdg_write_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1766{
1767 WINPR_ASSERT(rdg);
1768 if (rdg->transferEncoding.isWebsocketTransport)
1769 return rdg_write_websocket_data_packet(rdg, buf, isize);
1770 else
1771 return rdg_write_chunked_data_packet(rdg, buf, isize);
1772}
1773
1774static BOOL rdg_process_close_packet(rdpRdg* rdg, wStream* s)
1775{
1776 int status = -1;
1777 wStream* sClose = nullptr;
1778 UINT32 errorCode = 0;
1779 UINT32 packetSize = 12;
1780
1781 /* Read error code */
1782 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
1783 return FALSE;
1784 Stream_Read_UINT32(s, errorCode);
1785
1786 if (errorCode != 0)
1787 freerdp_set_last_error_log(rdg->context, errorCode);
1788
1789 sClose = Stream_New(nullptr, packetSize);
1790 if (!sClose)
1791 return FALSE;
1792
1793 Stream_Write_UINT16(sClose, PKT_TYPE_CLOSE_CHANNEL_RESPONSE); /* Type */
1794 Stream_Write_UINT16(sClose, 0); /* Reserved */
1795 Stream_Write_UINT32(sClose, packetSize); /* Packet length */
1796 Stream_Write_UINT32(sClose, 0); /* Status code */
1797 Stream_SealLength(sClose);
1798 status = rdg_write_packet(rdg, sClose);
1799 Stream_Free(sClose, TRUE);
1800
1801 return ((status >= 0));
1802}
1803
1804static BOOL rdg_process_keep_alive_packet(rdpRdg* rdg)
1805{
1806 int status = -1;
1807 wStream* sKeepAlive = nullptr;
1808 size_t packetSize = 8;
1809
1810 sKeepAlive = Stream_New(nullptr, packetSize);
1811
1812 if (!sKeepAlive)
1813 return FALSE;
1814
1815 Stream_Write_UINT16(sKeepAlive, PKT_TYPE_KEEPALIVE); /* Type */
1816 Stream_Write_UINT16(sKeepAlive, 0); /* Reserved */
1817 Stream_Write_UINT32(sKeepAlive, (UINT32)packetSize); /* Packet length */
1818 Stream_SealLength(sKeepAlive);
1819 status = rdg_write_packet(rdg, sKeepAlive);
1820 Stream_Free(sKeepAlive, TRUE);
1821
1822 return ((status >= 0));
1823}
1824
1825static BOOL rdg_process_service_message(rdpRdg* rdg, wStream* s)
1826{
1827 const WCHAR* msg = nullptr;
1828 UINT16 msgLenBytes = 0;
1829 rdpContext* context = rdg->context;
1830 WINPR_ASSERT(context);
1831 WINPR_ASSERT(context->instance);
1832
1833 /* Read message string */
1834 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
1835 {
1836 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read string");
1837 return FALSE;
1838 }
1839
1840 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
1841 GATEWAY_MESSAGE_SERVICE, TRUE, FALSE, msgLenBytes, msg);
1842}
1843
1844static BOOL rdg_process_unknown_packet(rdpRdg* rdg, int type)
1845{
1846 WINPR_UNUSED(rdg);
1847 WINPR_UNUSED(type);
1848 WLog_Print(rdg->log, WLOG_WARN, "Unknown Control Packet received: %" PRIX32,
1849 WINPR_CXX_COMPAT_CAST(UINT32, type));
1850 return TRUE;
1851}
1852
1853static BOOL rdg_process_control_packet(rdpRdg* rdg, int type, size_t packetLength)
1854{
1855 wStream* s = nullptr;
1856 size_t readCount = 0;
1857 int status = 0;
1858 size_t payloadSize = packetLength - sizeof(RdgPacketHeader);
1859
1860 if (packetLength < sizeof(RdgPacketHeader))
1861 return FALSE;
1862
1863 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1864 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1865
1866 if (payloadSize)
1867 {
1868 s = Stream_New(nullptr, payloadSize);
1869
1870 if (!s)
1871 return FALSE;
1872
1873 while (readCount < payloadSize)
1874 {
1875 if (rdg_shall_abort(rdg))
1876 {
1877 Stream_Free(s, TRUE);
1878 return FALSE;
1879 }
1880 status = rdg_socket_read(rdg->tlsOut->bio, Stream_Pointer(s), payloadSize - readCount,
1881 &rdg->transferEncoding);
1882
1883 if (status <= 0)
1884 {
1885 if (!BIO_should_retry(rdg->tlsOut->bio))
1886 {
1887 Stream_Free(s, TRUE);
1888 return FALSE;
1889 }
1890
1891 continue;
1892 }
1893
1894 Stream_Seek(s, (size_t)status);
1895 readCount += (size_t)status;
1896
1897 if (readCount > INT_MAX)
1898 {
1899 Stream_Free(s, TRUE);
1900 return FALSE;
1901 }
1902 }
1903
1904 Stream_SetPosition(s, 0);
1905 }
1906
1907 switch (type)
1908 {
1909 case PKT_TYPE_CLOSE_CHANNEL:
1910 EnterCriticalSection(&rdg->writeSection);
1911 status = rdg_process_close_packet(rdg, s);
1912 LeaveCriticalSection(&rdg->writeSection);
1913 break;
1914
1915 case PKT_TYPE_KEEPALIVE:
1916 EnterCriticalSection(&rdg->writeSection);
1917 status = rdg_process_keep_alive_packet(rdg);
1918 LeaveCriticalSection(&rdg->writeSection);
1919 break;
1920
1921 case PKT_TYPE_SERVICE_MESSAGE:
1922 if (!s)
1923 {
1924 WLog_Print(rdg->log, WLOG_ERROR,
1925 "PKT_TYPE_SERVICE_MESSAGE requires payload but none was sent");
1926 return FALSE;
1927 }
1928 status = rdg_process_service_message(rdg, s);
1929 break;
1930
1931 case PKT_TYPE_REAUTH_MESSAGE:
1932 default:
1933 status = rdg_process_unknown_packet(rdg, type);
1934 break;
1935 }
1936
1937 Stream_Free(s, TRUE);
1938 return status;
1939}
1940
1941static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, size_t size)
1942{
1943 RdgPacketHeader header = WINPR_C_ARRAY_INIT;
1944 size_t readCount = 0;
1945 size_t readSize = 0;
1946 int status = 0;
1947
1948 if (!rdg->packetRemainingCount)
1949 {
1950 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1951 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1952
1953 while (readCount < sizeof(RdgPacketHeader))
1954 {
1955 if (rdg_shall_abort(rdg))
1956 return -1;
1957
1958 status = rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&header) + readCount,
1959 sizeof(RdgPacketHeader) - readCount, &rdg->transferEncoding);
1960
1961 if (status <= 0)
1962 {
1963 if (!BIO_should_retry(rdg->tlsOut->bio))
1964 return -1;
1965
1966 if (!readCount)
1967 return 0;
1968
1969 BIO_wait_read(rdg->tlsOut->bio, 50);
1970 continue;
1971 }
1972
1973 readCount += (size_t)status;
1974
1975 if (readCount > INT_MAX)
1976 return -1;
1977 }
1978
1979 if (header.type != PKT_TYPE_DATA)
1980 {
1981 status = rdg_process_control_packet(rdg, header.type, header.packetLength);
1982
1983 if (!status)
1984 return -1;
1985
1986 return 0;
1987 }
1988
1989 readCount = 0;
1990
1991 while (readCount < 2)
1992 {
1993 if (rdg_shall_abort(rdg))
1994 return -1;
1995 status =
1996 rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&rdg->packetRemainingCount) + readCount,
1997 2 - readCount, &rdg->transferEncoding);
1998
1999 if (status < 0)
2000 {
2001 if (!BIO_should_retry(rdg->tlsOut->bio))
2002 return -1;
2003
2004 BIO_wait_read(rdg->tlsOut->bio, 50);
2005 continue;
2006 }
2007
2008 readCount += (size_t)status;
2009 }
2010 }
2011
2012 readSize = (rdg->packetRemainingCount < size) ? rdg->packetRemainingCount : size;
2013 status = rdg_socket_read(rdg->tlsOut->bio, buffer, readSize, &rdg->transferEncoding);
2014
2015 if (status <= 0)
2016 {
2017 if (!BIO_should_retry(rdg->tlsOut->bio))
2018 {
2019 return -1;
2020 }
2021
2022 return 0;
2023 }
2024
2025 rdg->packetRemainingCount -= status;
2026 return status;
2027}
2028
2029static int rdg_bio_write(BIO* bio, const char* buf, int num)
2030{
2031 int status = 0;
2032 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
2033 if (num < 0)
2034 return num;
2035
2036 BIO_clear_flags(bio, BIO_FLAGS_WRITE);
2037 EnterCriticalSection(&rdg->writeSection);
2038 status = rdg_write_data_packet(rdg, (const BYTE*)buf, num);
2039 LeaveCriticalSection(&rdg->writeSection);
2040
2041 if (status < 0)
2042 {
2043 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2044 return -1;
2045 }
2046 else if (status < num)
2047 {
2048 BIO_set_flags(bio, BIO_FLAGS_WRITE);
2049 WSASetLastError(WSAEWOULDBLOCK);
2050 }
2051 else
2052 {
2053 BIO_set_flags(bio, BIO_FLAGS_WRITE);
2054 }
2055
2056 return status;
2057}
2058
2059static int rdg_bio_read(BIO* bio, char* buf, int size)
2060{
2061 int status = 0;
2062 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
2063 if (size < 0)
2064 return size;
2065 status = rdg_read_data_packet(rdg, (BYTE*)buf, (size_t)size);
2066
2067 if (status < 0)
2068 {
2069 BIO_clear_retry_flags(bio);
2070 return -1;
2071 }
2072 else if (status == 0)
2073 {
2074 BIO_set_retry_read(bio);
2075 WSASetLastError(WSAEWOULDBLOCK);
2076 return -1;
2077 }
2078 else
2079 {
2080 BIO_set_flags(bio, BIO_FLAGS_READ);
2081 }
2082
2083 return status;
2084}
2085
2086static int rdg_bio_puts(BIO* bio, const char* str)
2087{
2088 WINPR_UNUSED(bio);
2089 WINPR_UNUSED(str);
2090 return -2;
2091}
2092
2093// NOLINTNEXTLINE(readability-non-const-parameter)
2094static int rdg_bio_gets(BIO* bio, char* str, int size)
2095{
2096 WINPR_UNUSED(bio);
2097 WINPR_UNUSED(str);
2098 WINPR_UNUSED(size);
2099 return -2;
2100}
2101
2102static long rdg_bio_ctrl(BIO* in_bio, int cmd, long arg1, void* arg2)
2103{
2104 long status = -1;
2105 rdpRdg* rdg = (rdpRdg*)BIO_get_data(in_bio);
2106 rdpTls* tlsOut = rdg->tlsOut;
2107 rdpTls* tlsIn = rdg->tlsIn;
2108
2109 if (cmd == BIO_CTRL_FLUSH)
2110 {
2111 (void)BIO_flush(tlsOut->bio);
2112 if (!rdg->transferEncoding.isWebsocketTransport)
2113 (void)BIO_flush(tlsIn->bio);
2114 status = 1;
2115 }
2116 else if (cmd == BIO_C_SET_NONBLOCK)
2117 {
2118 status = 1;
2119 }
2120 else if (cmd == BIO_C_READ_BLOCKED)
2121 {
2122 BIO* cbio = tlsOut->bio;
2123 status = BIO_read_blocked(cbio);
2124 }
2125 else if (cmd == BIO_C_WRITE_BLOCKED)
2126 {
2127 BIO* cbio = tlsIn->bio;
2128
2129 if (rdg->transferEncoding.isWebsocketTransport)
2130 cbio = tlsOut->bio;
2131
2132 status = BIO_write_blocked(cbio);
2133 }
2134 else if (cmd == BIO_C_WAIT_READ)
2135 {
2136 int timeout = (int)arg1;
2137 BIO* cbio = tlsOut->bio;
2138
2139 if (BIO_read_blocked(cbio))
2140 return BIO_wait_read(cbio, timeout);
2141 else if (BIO_write_blocked(cbio))
2142 return BIO_wait_write(cbio, timeout);
2143 else
2144 status = 1;
2145 }
2146 else if (cmd == BIO_C_WAIT_WRITE)
2147 {
2148 int timeout = (int)arg1;
2149 BIO* cbio = tlsIn->bio;
2150
2151 if (rdg->transferEncoding.isWebsocketTransport)
2152 cbio = tlsOut->bio;
2153
2154 if (BIO_write_blocked(cbio))
2155 status = BIO_wait_write(cbio, timeout);
2156 else if (BIO_read_blocked(cbio))
2157 status = BIO_wait_read(cbio, timeout);
2158 else
2159 status = 1;
2160 }
2161 else if (cmd == BIO_C_GET_EVENT || cmd == BIO_C_GET_FD)
2162 {
2163 /*
2164 * A note about BIO_C_GET_FD:
2165 * Even if two FDs are part of RDG, only one FD can be returned here.
2166 *
2167 * In FreeRDP, BIO FDs are only used for polling, so it is safe to use the outgoing FD only
2168 *
2169 * See issue #3602
2170 */
2171 status = BIO_ctrl(tlsOut->bio, cmd, arg1, arg2);
2172 }
2173#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2174 else if (cmd == BIO_CTRL_GET_KTLS_SEND)
2175 {
2176 /* Even though BIO_get_ktls_send says that returning negative values is valid
2177 * openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
2178 * nasty sideeffects. return 0 as proper no KTLS offloading flag
2179 */
2180 status = 0;
2181 }
2182 else if (cmd == BIO_CTRL_GET_KTLS_RECV)
2183 {
2184 /* Even though BIO_get_ktls_recv says that returning negative values is valid
2185 * there is no reason to trust trust negative values are implemented right everywhere
2186 */
2187 status = 0;
2188 }
2189#endif
2190 return status;
2191}
2192
2193static int rdg_bio_new(BIO* bio)
2194{
2195 BIO_set_init(bio, 1);
2196 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2197 return 1;
2198}
2199
2200static int rdg_bio_free(BIO* bio)
2201{
2202 WINPR_UNUSED(bio);
2203 return 1;
2204}
2205
2206static BIO_METHOD* BIO_s_rdg(void)
2207{
2208 static BIO_METHOD* bio_methods = nullptr;
2209
2210 if (bio_methods == nullptr)
2211 {
2212 if (!(bio_methods = BIO_meth_new(BIO_TYPE_TSG, "RDGateway")))
2213 return nullptr;
2214
2215 BIO_meth_set_write(bio_methods, rdg_bio_write);
2216 BIO_meth_set_read(bio_methods, rdg_bio_read);
2217 BIO_meth_set_puts(bio_methods, rdg_bio_puts);
2218 BIO_meth_set_gets(bio_methods, rdg_bio_gets);
2219 BIO_meth_set_ctrl(bio_methods, rdg_bio_ctrl);
2220 BIO_meth_set_create(bio_methods, rdg_bio_new);
2221 BIO_meth_set_destroy(bio_methods, rdg_bio_free);
2222 }
2223
2224 return bio_methods;
2225}
2226
2227rdpRdg* rdg_new(rdpContext* context)
2228{
2229 if (!context)
2230 return nullptr;
2231
2232 rdpRdg* rdg = (rdpRdg*)calloc(1, sizeof(rdpRdg));
2233 if (!rdg)
2234 return nullptr;
2235
2236 rdg->log = WLog_Get(TAG);
2237 rdg->state = RDG_CLIENT_STATE_INITIAL;
2238 rdg->context = context;
2239 rdg->extAuth =
2240 (rdg->context->settings->GatewayHttpExtAuthSspiNtlm ? HTTP_EXTENDED_AUTH_SSPI_NTLM
2241 : HTTP_EXTENDED_AUTH_NONE);
2242
2243 if (rdg->context->settings->GatewayAccessToken)
2244 rdg->extAuth = HTTP_EXTENDED_AUTH_PAA;
2245
2246 UuidCreate(&rdg->guid);
2247
2248 rdg->tlsOut = freerdp_tls_new(rdg->context);
2249
2250 if (!rdg->tlsOut)
2251 goto rdg_alloc_error;
2252
2253 rdg->tlsIn = freerdp_tls_new(rdg->context);
2254
2255 if (!rdg->tlsIn)
2256 goto rdg_alloc_error;
2257
2258 rdg->http = http_context_new();
2259
2260 if (!rdg->http)
2261 goto rdg_alloc_error;
2262
2263 if (!http_context_set_uri(rdg->http, "/remoteDesktopGateway/") ||
2264 !http_context_set_accept(rdg->http, "*/*") ||
2265 !http_context_set_cache_control(rdg->http, "no-cache") ||
2266 !http_context_set_pragma(rdg->http, "no-cache") ||
2267 !http_context_set_connection(rdg->http, "Keep-Alive") ||
2268 !http_context_set_user_agent(rdg->http, "MS-RDGateway/1.0") ||
2269 !http_context_set_host(rdg->http, rdg->context->settings->GatewayHostname) ||
2270 !http_context_set_rdg_connection_id(rdg->http, &rdg->guid) ||
2271 !http_context_set_rdg_correlation_id(rdg->http, &rdg->guid) ||
2272 !http_context_enable_websocket_upgrade(
2273 rdg->http,
2274 freerdp_settings_get_bool(rdg->context->settings, FreeRDP_GatewayHttpUseWebsockets)))
2275 {
2276 goto rdg_alloc_error;
2277 }
2278
2279 if (rdg->extAuth != HTTP_EXTENDED_AUTH_NONE)
2280 {
2281 switch (rdg->extAuth)
2282 {
2283 case HTTP_EXTENDED_AUTH_PAA:
2284 if (!http_context_set_rdg_auth_scheme(rdg->http, "PAA"))
2285 goto rdg_alloc_error;
2286
2287 break;
2288
2289 case HTTP_EXTENDED_AUTH_SSPI_NTLM:
2290 if (!http_context_set_rdg_auth_scheme(rdg->http, "SSPI_NTLM"))
2291 goto rdg_alloc_error;
2292
2293 break;
2294
2295 default:
2296 WLog_Print(rdg->log, WLOG_DEBUG,
2297 "RDG extended authentication method %d not supported", rdg->extAuth);
2298 }
2299 }
2300
2301 rdg->frontBio = BIO_new(BIO_s_rdg());
2302
2303 if (!rdg->frontBio)
2304 goto rdg_alloc_error;
2305
2306 BIO_set_data(rdg->frontBio, rdg);
2307 InitializeCriticalSection(&rdg->writeSection);
2308
2309 rdg->transferEncoding.httpTransferEncoding = TransferEncodingIdentity;
2310 rdg->transferEncoding.isWebsocketTransport = FALSE;
2311
2312 rdg->transferEncoding.context.websocket = websocket_context_new();
2313 if (!rdg->transferEncoding.context.websocket)
2314 goto rdg_alloc_error;
2315
2316 return rdg;
2317rdg_alloc_error:
2318 WINPR_PRAGMA_DIAG_PUSH
2319 WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC
2320 rdg_free(rdg);
2321 WINPR_PRAGMA_DIAG_POP
2322 return nullptr;
2323}
2324
2325void rdg_free(rdpRdg* rdg)
2326{
2327 if (!rdg)
2328 return;
2329
2330 freerdp_tls_free(rdg->tlsOut);
2331 freerdp_tls_free(rdg->tlsIn);
2332 http_context_free(rdg->http);
2333 credssp_auth_free(rdg->auth);
2334
2335 if (!rdg->attached)
2336 BIO_free_all(rdg->frontBio);
2337
2338 DeleteCriticalSection(&rdg->writeSection);
2339
2340 smartcardCertInfo_Free(rdg->smartcard);
2341
2342 websocket_context_free(rdg->transferEncoding.context.websocket);
2343
2344 free(rdg);
2345}
2346
2347BIO* rdg_get_front_bio_and_take_ownership(rdpRdg* rdg)
2348{
2349 if (!rdg)
2350 return nullptr;
2351
2352 rdg->attached = TRUE;
2353 return rdg->frontBio;
2354}
freerdp_settings_get_string_as_utf16
WINPR_ATTR_NODISCARD FREERDP_API WCHAR * freerdp_settings_get_string_as_utf16(const rdpSettings *settings, FreeRDP_Settings_Keys_String id, size_t *pCharLen)
Return an allocated UTF16 string.
Definition common/settings.c:2281
freerdp_settings_get_bool
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
RTL_CRITICAL_SECTION
Definition include/winpr/synch.h:174
UUID
Definition wtypes.h:254
http_encoding_chunked_context
Definition libfreerdp/core/gateway/http.h:46