FreeRDP
Loading...
Searching...
No Matches
rdstls.c
1
20#include <freerdp/config.h>
21
22#include "settings.h"
23
24#include <freerdp/log.h>
25#include <freerdp/error.h>
26#include <freerdp/settings.h>
27
28#include <winpr/assert.h>
29#include <winpr/stream.h>
30#include <winpr/wlog.h>
31
32#include "rdstls.h"
33#include "transport.h"
34#include "utils.h"
35
36#define RDSTLS_VERSION_1 0x01
37
38#define RDSTLS_TYPE_CAPABILITIES 0x01
39#define RDSTLS_TYPE_AUTHREQ 0x02
40#define RDSTLS_TYPE_AUTHRSP 0x04
41
42#define RDSTLS_DATA_CAPABILITIES 0x01
43#define RDSTLS_DATA_PASSWORD_CREDS 0x01
44#define RDSTLS_DATA_AUTORECONNECT_COOKIE 0x02
45#define RDSTLS_DATA_RESULT_CODE 0x01
46
47typedef enum
48{
49 RDSTLS_STATE_INITIAL,
50 RDSTLS_STATE_CAPABILITIES,
51 RDSTLS_STATE_AUTH_REQ,
52 RDSTLS_STATE_AUTH_RSP,
53 RDSTLS_STATE_FINAL,
54} RDSTLS_STATE;
55
56typedef enum
57{
58
59 RDSTLS_RESULT_SUCCESS = 0x00000000,
60 RDSTLS_RESULT_ACCESS_DENIED = 0x00000005,
61 RDSTLS_RESULT_LOGON_FAILURE = 0x0000052e,
62 RDSTLS_RESULT_INVALID_LOGON_HOURS = 0x00000530,
63 RDSTLS_RESULT_PASSWORD_EXPIRED = 0x00000532,
64 RDSTLS_RESULT_ACCOUNT_DISABLED = 0x00000533,
65 RDSTLS_RESULT_PASSWORD_MUST_CHANGE = 0x00000773,
66 RDSTLS_RESULT_ACCOUNT_LOCKED_OUT = 0x00000775
67} RDSTLS_RESULT_CODE;
68
69struct rdp_rdstls
70{
71 BOOL server;
72 RDSTLS_STATE state;
73 rdpContext* context;
74 rdpTransport* transport;
75
76 RDSTLS_RESULT_CODE resultCode;
77 wLog* log;
78};
79
80static const char* rdstls_result_code_str(UINT32 resultCode)
81{
82 switch (resultCode)
83 {
84 case RDSTLS_RESULT_SUCCESS:
85 return "RDSTLS_RESULT_SUCCESS";
86 case RDSTLS_RESULT_ACCESS_DENIED:
87 return "RDSTLS_RESULT_ACCESS_DENIED";
88 case RDSTLS_RESULT_LOGON_FAILURE:
89 return "RDSTLS_RESULT_LOGON_FAILURE";
90 case RDSTLS_RESULT_INVALID_LOGON_HOURS:
91 return "RDSTLS_RESULT_INVALID_LOGON_HOURS";
92 case RDSTLS_RESULT_PASSWORD_EXPIRED:
93 return "RDSTLS_RESULT_PASSWORD_EXPIRED";
94 case RDSTLS_RESULT_ACCOUNT_DISABLED:
95 return "RDSTLS_RESULT_ACCOUNT_DISABLED";
96 case RDSTLS_RESULT_PASSWORD_MUST_CHANGE:
97 return "RDSTLS_RESULT_PASSWORD_MUST_CHANGE";
98 case RDSTLS_RESULT_ACCOUNT_LOCKED_OUT:
99 return "RDSTLS_RESULT_ACCOUNT_LOCKED_OUT";
100 default:
101 return "RDSTLS_RESULT_UNKNOWN";
102 }
103}
112rdpRdstls* rdstls_new(rdpContext* context, rdpTransport* transport)
113{
114 WINPR_ASSERT(context);
115 WINPR_ASSERT(transport);
116
117 rdpSettings* settings = context->settings;
118 WINPR_ASSERT(settings);
119
120 rdpRdstls* rdstls = (rdpRdstls*)calloc(1, sizeof(rdpRdstls));
121
122 if (!rdstls)
123 return NULL;
124 rdstls->log = WLog_Get(FREERDP_TAG("core.rdstls"));
125 rdstls->context = context;
126 rdstls->transport = transport;
127 rdstls->server = settings->ServerMode;
128
129 rdstls->state = RDSTLS_STATE_INITIAL;
130
131 return rdstls;
132}
133
139void rdstls_free(rdpRdstls* rdstls)
140{
141 free(rdstls);
142}
143
144static const char* rdstls_get_state_str(RDSTLS_STATE state)
145{
146 switch (state)
147 {
148 case RDSTLS_STATE_INITIAL:
149 return "RDSTLS_STATE_INITIAL";
150 case RDSTLS_STATE_CAPABILITIES:
151 return "RDSTLS_STATE_CAPABILITIES";
152 case RDSTLS_STATE_AUTH_REQ:
153 return "RDSTLS_STATE_AUTH_REQ";
154 case RDSTLS_STATE_AUTH_RSP:
155 return "RDSTLS_STATE_AUTH_RSP";
156 case RDSTLS_STATE_FINAL:
157 return "RDSTLS_STATE_FINAL";
158 default:
159 return "UNKNOWN";
160 }
161}
162
163static RDSTLS_STATE rdstls_get_state(rdpRdstls* rdstls)
164{
165 WINPR_ASSERT(rdstls);
166 return rdstls->state;
167}
168
169static BOOL check_transition(wLog* log, RDSTLS_STATE current, RDSTLS_STATE expected,
170 RDSTLS_STATE requested)
171{
172 if (requested != expected)
173 {
174 WLog_Print(log, WLOG_ERROR,
175 "Unexpected rdstls state transition from %s [%u] to %s [%u], expected %s [%u]",
176 rdstls_get_state_str(current), current, rdstls_get_state_str(requested),
177 requested, rdstls_get_state_str(expected), expected);
178 return FALSE;
179 }
180 return TRUE;
181}
182
183static BOOL rdstls_set_state(rdpRdstls* rdstls, RDSTLS_STATE state)
184{
185 BOOL rc = FALSE;
186 WINPR_ASSERT(rdstls);
187
188 WLog_Print(rdstls->log, WLOG_DEBUG, "-- %s\t--> %s", rdstls_get_state_str(rdstls->state),
189 rdstls_get_state_str(state));
190
191 switch (rdstls->state)
192 {
193 case RDSTLS_STATE_INITIAL:
194 rc = check_transition(rdstls->log, rdstls->state, RDSTLS_STATE_CAPABILITIES, state);
195 break;
196 case RDSTLS_STATE_CAPABILITIES:
197 rc = check_transition(rdstls->log, rdstls->state, RDSTLS_STATE_AUTH_REQ, state);
198 break;
199 case RDSTLS_STATE_AUTH_REQ:
200 rc = check_transition(rdstls->log, rdstls->state, RDSTLS_STATE_AUTH_RSP, state);
201 break;
202 case RDSTLS_STATE_AUTH_RSP:
203 rc = check_transition(rdstls->log, rdstls->state, RDSTLS_STATE_FINAL, state);
204 break;
205 case RDSTLS_STATE_FINAL:
206 rc = check_transition(rdstls->log, rdstls->state, RDSTLS_STATE_CAPABILITIES, state);
207 break;
208 default:
209 WLog_Print(rdstls->log, WLOG_ERROR,
210 "Invalid rdstls state %s [%u], requested transition to %s [%u]",
211 rdstls_get_state_str(rdstls->state), rdstls->state,
212 rdstls_get_state_str(state), state);
213 break;
214 }
215 if (rc)
216 rdstls->state = state;
217
218 return rc;
219}
220
221static BOOL rdstls_write_capabilities(WINPR_ATTR_UNUSED rdpRdstls* rdstls, wStream* s)
222{
223 if (!Stream_EnsureRemainingCapacity(s, 6))
224 return FALSE;
225
226 Stream_Write_UINT16(s, RDSTLS_TYPE_CAPABILITIES);
227 Stream_Write_UINT16(s, RDSTLS_DATA_CAPABILITIES);
228 Stream_Write_UINT16(s, RDSTLS_VERSION_1);
229
230 return TRUE;
231}
232
233static SSIZE_T rdstls_write_string(wStream* s, const char* str)
234{
235 const size_t pos = Stream_GetPosition(s);
236
237 if (!Stream_EnsureRemainingCapacity(s, 2))
238 return -1;
239
240 if (!str)
241 {
242 /* Write unicode null */
243 Stream_Write_UINT16(s, 2);
244 if (!Stream_EnsureRemainingCapacity(s, 2))
245 return -1;
246
247 Stream_Write_UINT16(s, 0);
248 return (SSIZE_T)(Stream_GetPosition(s) - pos);
249 }
250
251 const size_t length = (strlen(str) + 1);
252
253 Stream_Write_UINT16(s, (UINT16)length * sizeof(WCHAR));
254
255 if (!Stream_EnsureRemainingCapacity(s, length * sizeof(WCHAR)))
256 return -1;
257
258 if (Stream_Write_UTF16_String_From_UTF8(s, length, str, length, TRUE) < 0)
259 return -1;
260
261 return (SSIZE_T)(Stream_GetPosition(s) - pos);
262}
263
264static BOOL rdstls_write_data(wStream* s, UINT32 length, const BYTE* data)
265{
266 WINPR_ASSERT(data || (length == 0));
267
268 if (!Stream_EnsureRemainingCapacity(s, 2) || (length > UINT16_MAX))
269 return FALSE;
270
271 Stream_Write_UINT16(s, (UINT16)length);
272
273 if (!Stream_EnsureRemainingCapacity(s, length))
274 return FALSE;
275
276 Stream_Write(s, data, length);
277
278 return TRUE;
279}
280
281static BOOL rdstls_write_cookie(wStream* s, const ARC_SC_PRIVATE_PACKET* cookie)
282{
283 WINPR_ASSERT(cookie);
284 const uint16_t length = 28;
285
286 if (!Stream_EnsureRemainingCapacity(s, 2))
287 return FALSE;
288
289 Stream_Write_UINT16(s, length);
290
291 if (!Stream_EnsureRemainingCapacity(s, length))
292 return FALSE;
293
294 Stream_Write_UINT32(s, cookie->cbLen);
295 Stream_Write_UINT32(s, cookie->version);
296 Stream_Write_UINT32(s, cookie->logonId);
297 Stream_Write(s, cookie->arcRandomBits, sizeof(cookie->arcRandomBits));
298 return TRUE;
299}
300
301static BOOL rdstls_write_authentication_request_with_password(rdpRdstls* rdstls, wStream* s)
302{
303 WINPR_ASSERT(rdstls);
304 WINPR_ASSERT(rdstls->context);
305
306 WLog_Print(rdstls->log, WLOG_DEBUG, "Writing RDSTLS password authentication message");
307
308 rdpSettings* settings = rdstls->context->settings;
309 WINPR_ASSERT(settings);
310
311 if (!Stream_EnsureRemainingCapacity(s, 4))
312 return FALSE;
313
314 Stream_Write_UINT16(s, RDSTLS_TYPE_AUTHREQ);
315 Stream_Write_UINT16(s, RDSTLS_DATA_PASSWORD_CREDS);
316
317 if (!rdstls_write_data(s, settings->RedirectionGuidLength, settings->RedirectionGuid))
318 return FALSE;
319
320 if (rdstls_write_string(s, settings->Username) < 0)
321 return FALSE;
322
323 if (rdstls_write_string(s, settings->Domain) < 0)
324 return FALSE;
325
326 if (!rdstls_write_data(s, settings->RedirectionPasswordLength, settings->RedirectionPassword))
327 return FALSE;
328
329 return TRUE;
330}
331
332static BOOL rdstls_write_authentication_request_with_cookie(WINPR_ATTR_UNUSED rdpRdstls* rdstls,
333 WINPR_ATTR_UNUSED wStream* s)
334{
335 WINPR_ASSERT(rdstls);
336 WINPR_ASSERT(rdstls->context);
337
338 WLog_Print(rdstls->log, WLOG_DEBUG, "Writing RDSTLS cookie authentication message");
339
340 rdpSettings* settings = rdstls->context->settings;
341 WINPR_ASSERT(settings);
342
343 if (!Stream_EnsureRemainingCapacity(s, 8))
344 return FALSE;
345
346 Stream_Write_UINT16(s, RDSTLS_TYPE_AUTHREQ);
347 Stream_Write_UINT16(s, RDSTLS_DATA_AUTORECONNECT_COOKIE);
348 Stream_Write_UINT32(s, settings->RedirectedSessionId);
349
350 if (!rdstls_write_cookie(s, settings->ServerAutoReconnectCookie))
351 return FALSE;
352
353 return TRUE;
354}
355
356static BOOL rdstls_write_authentication_response(rdpRdstls* rdstls, wStream* s)
357{
358 WINPR_ASSERT(rdstls);
359 if (!Stream_EnsureRemainingCapacity(s, 8))
360 return FALSE;
361
362 Stream_Write_UINT16(s, RDSTLS_TYPE_AUTHRSP);
363 Stream_Write_UINT16(s, RDSTLS_DATA_RESULT_CODE);
364 Stream_Write_UINT32(s, rdstls->resultCode);
365
366 return TRUE;
367}
368
369static BOOL rdstls_process_capabilities(rdpRdstls* rdstls, wStream* s)
370{
371 WINPR_ASSERT(rdstls);
372 if (!Stream_CheckAndLogRequiredLengthWLog(rdstls->log, s, 4))
373 return FALSE;
374
375 const UINT16 dataType = Stream_Get_UINT16(s);
376 if (dataType != RDSTLS_DATA_CAPABILITIES)
377 {
378 WLog_Print(rdstls->log, WLOG_ERROR,
379 "received invalid DataType=0x%04" PRIX16 ", expected 0x%04" PRIX32, dataType,
380 WINPR_CXX_COMPAT_CAST(UINT32, RDSTLS_DATA_CAPABILITIES));
381 return FALSE;
382 }
383
384 const UINT16 supportedVersions = Stream_Get_UINT16(s);
385 if ((supportedVersions & RDSTLS_VERSION_1) == 0)
386 {
387 WLog_Print(rdstls->log, WLOG_ERROR,
388 "received invalid supportedVersions=0x%04" PRIX16 ", expected 0x%04" PRIX32,
389 supportedVersions, WINPR_CXX_COMPAT_CAST(UINT32, RDSTLS_VERSION_1));
390 return FALSE;
391 }
392
393 return TRUE;
394}
395
396static BOOL rdstls_read_unicode_string(WINPR_ATTR_UNUSED wLog* log, wStream* s, char** str)
397{
398 WINPR_ASSERT(str);
399
400 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 2))
401 return FALSE;
402
403 const UINT16 length = Stream_Get_UINT16(s);
404
405 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, length))
406 return FALSE;
407
408 if (length <= 2)
409 {
410 Stream_Seek(s, length);
411 return TRUE;
412 }
413
414 *str = Stream_Read_UTF16_String_As_UTF8(s, length / sizeof(WCHAR), NULL);
415 if (!*str)
416 return FALSE;
417
418 return TRUE;
419}
420
421static BOOL rdstls_read_data(WINPR_ATTR_UNUSED wLog* log, wStream* s, UINT16* pLength,
422 const BYTE** pData)
423{
424 WINPR_ASSERT(pLength);
425 WINPR_ASSERT(pData);
426
427 *pData = NULL;
428 *pLength = 0;
429 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 2))
430 return FALSE;
431
432 const UINT16 length = Stream_Get_UINT16(s);
433
434 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, length))
435 return FALSE;
436
437 if (length <= 2)
438 {
439 Stream_Seek(s, length);
440 return TRUE;
441 }
442
443 *pData = Stream_ConstPointer(s);
444 *pLength = length;
445 Stream_Seek(s, length);
446 return TRUE;
447}
448
449static BOOL rdstls_cmp_data(wLog* log, const char* field, const BYTE* serverData,
450 const UINT32 serverDataLength, const BYTE* clientData,
451 const UINT16 clientDataLength)
452{
453 if (serverDataLength > 0)
454 {
455 if (clientDataLength == 0)
456 {
457 WLog_Print(log, WLOG_ERROR, "expected %s", field);
458 return FALSE;
459 }
460
461 if (serverDataLength > UINT16_MAX || serverDataLength != clientDataLength ||
462 memcmp(serverData, clientData, serverDataLength) != 0)
463 {
464 WLog_Print(log, WLOG_ERROR, "%s verification failed", field);
465 return FALSE;
466 }
467 }
468
469 return TRUE;
470}
471
472static BOOL rdstls_cmp_str(wLog* log, const char* field, const char* serverStr,
473 const char* clientStr)
474{
475 if (!utils_str_is_empty(serverStr))
476 {
477 if (utils_str_is_empty(clientStr))
478 {
479 WLog_Print(log, WLOG_ERROR, "expected %s", field);
480 return FALSE;
481 }
482
483 WINPR_ASSERT(serverStr);
484 WINPR_ASSERT(clientStr);
485 if (strcmp(serverStr, clientStr) != 0)
486 {
487 WLog_Print(log, WLOG_ERROR, "%s verification failed", field);
488 return FALSE;
489 }
490 }
491
492 return TRUE;
493}
494
495static BOOL rdstls_process_authentication_request_with_password(rdpRdstls* rdstls, wStream* s)
496{
497 WINPR_ASSERT(rdstls);
498 WINPR_ASSERT(rdstls->context);
499
500 BOOL rc = FALSE;
501
502 const BYTE* clientRedirectionGuid = NULL;
503 UINT16 clientRedirectionGuidLength = 0;
504 char* clientPassword = NULL;
505 char* clientUsername = NULL;
506 char* clientDomain = NULL;
507
508 const rdpSettings* settings = rdstls->context->settings;
509 WINPR_ASSERT(settings);
510
511 if (!rdstls_read_data(rdstls->log, s, &clientRedirectionGuidLength, &clientRedirectionGuid))
512 goto fail;
513
514 if (!rdstls_read_unicode_string(rdstls->log, s, &clientUsername))
515 goto fail;
516
517 if (!rdstls_read_unicode_string(rdstls->log, s, &clientDomain))
518 goto fail;
519
520 if (!rdstls_read_unicode_string(rdstls->log, s, &clientPassword))
521 goto fail;
522
523 const BYTE* serverRedirectionGuid =
524 freerdp_settings_get_pointer(settings, FreeRDP_RedirectionGuid);
525 const UINT32 serverRedirectionGuidLength =
526 freerdp_settings_get_uint32(settings, FreeRDP_RedirectionGuidLength);
527 const char* serverUsername = freerdp_settings_get_string(settings, FreeRDP_Username);
528 const char* serverDomain = freerdp_settings_get_string(settings, FreeRDP_Domain);
529 const char* serverPassword = freerdp_settings_get_string(settings, FreeRDP_Password);
530
531 rdstls->resultCode = RDSTLS_RESULT_SUCCESS;
532
533 if (!rdstls_cmp_data(rdstls->log, "RedirectionGuid", serverRedirectionGuid,
534 serverRedirectionGuidLength, clientRedirectionGuid,
535 clientRedirectionGuidLength))
536 rdstls->resultCode = RDSTLS_RESULT_ACCESS_DENIED;
537
538 if (!rdstls_cmp_str(rdstls->log, "UserName", serverUsername, clientUsername))
539 rdstls->resultCode = RDSTLS_RESULT_LOGON_FAILURE;
540
541 if (!rdstls_cmp_str(rdstls->log, "Domain", serverDomain, clientDomain))
542 rdstls->resultCode = RDSTLS_RESULT_LOGON_FAILURE;
543
544 if (!rdstls_cmp_str(rdstls->log, "Password", serverPassword, clientPassword))
545 rdstls->resultCode = RDSTLS_RESULT_LOGON_FAILURE;
546
547 rc = TRUE;
548fail:
549 return rc;
550}
551
552static BOOL rdstls_process_authentication_request_with_cookie(WINPR_ATTR_UNUSED rdpRdstls* rdstls,
553 WINPR_ATTR_UNUSED wStream* s)
554{
555 // TODO
556 WLog_Print(rdstls->log, WLOG_ERROR, "TODO: RDSTLS Cookie authentication not implemented");
557 return FALSE;
558}
559
560static BOOL rdstls_process_authentication_request(rdpRdstls* rdstls, wStream* s)
561{
562 if (!Stream_CheckAndLogRequiredLengthWLog(rdstls->log, s, 2))
563 return FALSE;
564
565 const UINT16 dataType = Stream_Get_UINT16(s);
566 switch (dataType)
567 {
568 case RDSTLS_DATA_PASSWORD_CREDS:
569 if (!rdstls_process_authentication_request_with_password(rdstls, s))
570 return FALSE;
571 break;
572 case RDSTLS_DATA_AUTORECONNECT_COOKIE:
573 if (!rdstls_process_authentication_request_with_cookie(rdstls, s))
574 return FALSE;
575 break;
576 default:
577 WLog_Print(rdstls->log, WLOG_ERROR,
578 "received invalid DataType=0x%04" PRIX16 ", expected 0x%04" PRIX32
579 " or 0x%04" PRIX32,
580 dataType, WINPR_CXX_COMPAT_CAST(UINT32, RDSTLS_DATA_PASSWORD_CREDS),
581 WINPR_CXX_COMPAT_CAST(UINT32, RDSTLS_DATA_AUTORECONNECT_COOKIE));
582 return FALSE;
583 }
584
585 return TRUE;
586}
587
588static BOOL rdstls_process_authentication_response(rdpRdstls* rdstls, wStream* s)
589{
590 if (!Stream_CheckAndLogRequiredLengthWLog(rdstls->log, s, 6))
591 return FALSE;
592
593 const UINT16 dataType = Stream_Get_UINT16(s);
594 if (dataType != RDSTLS_DATA_RESULT_CODE)
595 {
596 WLog_Print(rdstls->log, WLOG_ERROR,
597 "received invalid DataType=0x%04" PRIX16 ", expected 0x%04" PRIX32, dataType,
598 WINPR_CXX_COMPAT_CAST(UINT32, RDSTLS_DATA_RESULT_CODE));
599 return FALSE;
600 }
601
602 const UINT32 resultCode = Stream_Get_UINT32(s);
603 if (resultCode != RDSTLS_RESULT_SUCCESS)
604 {
605 WLog_Print(rdstls->log, WLOG_ERROR, "resultCode: %s [0x%08" PRIX32 "]",
606 rdstls_result_code_str(resultCode), resultCode);
607
608 UINT32 error = FREERDP_ERROR_CONNECT_UNDEFINED;
609 switch (resultCode)
610 {
611 case RDSTLS_RESULT_ACCESS_DENIED:
612 error = FREERDP_ERROR_CONNECT_ACCESS_DENIED;
613 break;
614 case RDSTLS_RESULT_ACCOUNT_DISABLED:
615 error = FREERDP_ERROR_CONNECT_ACCOUNT_DISABLED;
616 break;
617 case RDSTLS_RESULT_ACCOUNT_LOCKED_OUT:
618 error = FREERDP_ERROR_CONNECT_ACCOUNT_LOCKED_OUT;
619 break;
620 case RDSTLS_RESULT_LOGON_FAILURE:
621 error = FREERDP_ERROR_CONNECT_LOGON_FAILURE;
622 break;
623 case RDSTLS_RESULT_INVALID_LOGON_HOURS:
624 error = FREERDP_ERROR_CONNECT_ACCOUNT_RESTRICTION;
625 break;
626 case RDSTLS_RESULT_PASSWORD_EXPIRED:
627 error = FREERDP_ERROR_CONNECT_PASSWORD_EXPIRED;
628 break;
629 case RDSTLS_RESULT_PASSWORD_MUST_CHANGE:
630 error = FREERDP_ERROR_CONNECT_PASSWORD_MUST_CHANGE;
631 break;
632 default:
633 WLog_Print(rdstls->log, WLOG_ERROR,
634 "Unexpected resultCode: [0x%08" PRIX32 "], NTSTATUS=%s, Win32Error=%s",
635 resultCode, GetSecurityStatusString((SECURITY_STATUS)resultCode),
636 Win32ErrorCode2Tag(resultCode & 0xFFFF));
637 error = FREERDP_ERROR_CONNECT_UNDEFINED;
638 break;
639 }
640
641 freerdp_set_last_error_if_not(rdstls->context, error);
642 return FALSE;
643 }
644
645 return TRUE;
646}
647
648static BOOL rdstls_send(WINPR_ATTR_UNUSED rdpTransport* transport, wStream* s, void* extra)
649{
650 rdpRdstls* rdstls = (rdpRdstls*)extra;
651 rdpSettings* settings = NULL;
652
653 WINPR_ASSERT(transport);
654 WINPR_ASSERT(s);
655 WINPR_ASSERT(rdstls);
656
657 settings = rdstls->context->settings;
658 WINPR_ASSERT(settings);
659
660 if (!Stream_EnsureRemainingCapacity(s, 2))
661 return FALSE;
662
663 Stream_Write_UINT16(s, RDSTLS_VERSION_1);
664
665 const RDSTLS_STATE state = rdstls_get_state(rdstls);
666 switch (state)
667 {
668 case RDSTLS_STATE_CAPABILITIES:
669 if (!rdstls_write_capabilities(rdstls, s))
670 return FALSE;
671 break;
672 case RDSTLS_STATE_AUTH_REQ:
673 if (settings->RedirectionFlags & LB_PASSWORD_IS_PK_ENCRYPTED)
674 {
675 if (!rdstls_write_authentication_request_with_password(rdstls, s))
676 return FALSE;
677 }
678 else if (settings->ServerAutoReconnectCookie != NULL)
679 {
680 if (!rdstls_write_authentication_request_with_cookie(rdstls, s))
681 return FALSE;
682 }
683 else
684 {
685 WLog_Print(rdstls->log, WLOG_ERROR,
686 "cannot authenticate with password or auto-reconnect cookie");
687 return FALSE;
688 }
689 break;
690 case RDSTLS_STATE_AUTH_RSP:
691 if (!rdstls_write_authentication_response(rdstls, s))
692 return FALSE;
693 break;
694 default:
695 WLog_Print(rdstls->log, WLOG_ERROR, "Invalid rdstls state %s [%" PRIu32 "]",
696 rdstls_get_state_str(state), state);
697 return FALSE;
698 }
699
700 if (transport_write(rdstls->transport, s) < 0)
701 return FALSE;
702
703 return TRUE;
704}
705
706static int rdstls_recv(WINPR_ATTR_UNUSED rdpTransport* transport, wStream* s, void* extra)
707{
708 rdpRdstls* rdstls = (rdpRdstls*)extra;
709
710 WINPR_ASSERT(transport);
711 WINPR_ASSERT(s);
712 WINPR_ASSERT(rdstls);
713
714 if (!Stream_CheckAndLogRequiredLengthWLog(rdstls->log, s, 4))
715 return -1;
716
717 const UINT16 version = Stream_Get_UINT16(s);
718 if (version != RDSTLS_VERSION_1)
719 {
720 WLog_Print(rdstls->log, WLOG_ERROR,
721 "received invalid RDSTLS Version=0x%04" PRIX16 ", expected 0x%04" PRIX16,
722 version, WINPR_CXX_COMPAT_CAST(UINT32, RDSTLS_VERSION_1));
723 return -1;
724 }
725
726 const UINT16 pduType = Stream_Get_UINT16(s);
727 switch (pduType)
728 {
729 case RDSTLS_TYPE_CAPABILITIES:
730 if (!rdstls_process_capabilities(rdstls, s))
731 return -1;
732 break;
733 case RDSTLS_TYPE_AUTHREQ:
734 if (!rdstls_process_authentication_request(rdstls, s))
735 return -1;
736 break;
737 case RDSTLS_TYPE_AUTHRSP:
738 if (!rdstls_process_authentication_response(rdstls, s))
739 return -1;
740 break;
741 default:
742 WLog_Print(rdstls->log, WLOG_ERROR, "unknown RDSTLS PDU type [0x%04" PRIx16 "]",
743 pduType);
744 return -1;
745 }
746
747 return 1;
748}
749
750#define rdstls_check_state_requirements(rdstls, expected) \
751 rdstls_check_state_requirements_((rdstls), (expected), __FILE__, __func__, __LINE__)
752static BOOL rdstls_check_state_requirements_(rdpRdstls* rdstls, RDSTLS_STATE expected,
753 const char* file, const char* fkt, size_t line)
754{
755 const RDSTLS_STATE current = rdstls_get_state(rdstls);
756 if (current == expected)
757 return TRUE;
758
759 WINPR_ASSERT(rdstls);
760
761 const DWORD log_level = WLOG_ERROR;
762 if (WLog_IsLevelActive(rdstls->log, log_level))
763 WLog_PrintTextMessage(rdstls->log, log_level, line, file, fkt,
764 "Unexpected rdstls state %s [%u], expected %s [%u]",
765 rdstls_get_state_str(current), current,
766 rdstls_get_state_str(expected), expected);
767
768 return FALSE;
769}
770
771static BOOL rdstls_send_capabilities(rdpRdstls* rdstls)
772{
773 BOOL rc = FALSE;
774
775 if (!rdstls_check_state_requirements(rdstls, RDSTLS_STATE_CAPABILITIES))
776 return FALSE;
777
778 wStream* s = Stream_New(NULL, 512);
779 if (!s)
780 goto fail;
781
782 WINPR_ASSERT(rdstls);
783 if (!rdstls_send(rdstls->transport, s, rdstls))
784 goto fail;
785
786 rc = rdstls_set_state(rdstls, RDSTLS_STATE_AUTH_REQ);
787fail:
788 Stream_Free(s, TRUE);
789 return rc;
790}
791
792static BOOL rdstls_recv_authentication_request(rdpRdstls* rdstls)
793{
794 BOOL rc = FALSE;
795
796 if (!rdstls_check_state_requirements(rdstls, RDSTLS_STATE_AUTH_REQ))
797 return FALSE;
798
799 wStream* s = Stream_New(NULL, 4096);
800 if (!s)
801 goto fail;
802
803 WINPR_ASSERT(rdstls);
804 const int res = transport_read_pdu(rdstls->transport, s);
805
806 if (res < 0)
807 goto fail;
808
809 const int status = rdstls_recv(rdstls->transport, s, rdstls);
810
811 if (status < 0)
812 goto fail;
813
814 rc = rdstls_set_state(rdstls, RDSTLS_STATE_AUTH_RSP);
815fail:
816 Stream_Free(s, TRUE);
817 return rc;
818}
819
820static BOOL rdstls_send_authentication_response(rdpRdstls* rdstls)
821{
822 BOOL rc = FALSE;
823
824 if (!rdstls_check_state_requirements(rdstls, RDSTLS_STATE_AUTH_RSP))
825 return FALSE;
826
827 wStream* s = Stream_New(NULL, 512);
828 if (!s)
829 goto fail;
830
831 WINPR_ASSERT(rdstls);
832 if (!rdstls_send(rdstls->transport, s, rdstls))
833 goto fail;
834
835 rc = rdstls_set_state(rdstls, RDSTLS_STATE_FINAL);
836fail:
837 Stream_Free(s, TRUE);
838 return rc;
839}
840
841static BOOL rdstls_recv_capabilities(rdpRdstls* rdstls)
842{
843 BOOL rc = FALSE;
844
845 if (!rdstls_check_state_requirements(rdstls, RDSTLS_STATE_CAPABILITIES))
846 return FALSE;
847
848 wStream* s = Stream_New(NULL, 512);
849 if (!s)
850 goto fail;
851
852 WINPR_ASSERT(rdstls);
853 const int res = transport_read_pdu(rdstls->transport, s);
854
855 if (res < 0)
856 goto fail;
857
858 const int status = rdstls_recv(rdstls->transport, s, rdstls);
859
860 if (status < 0)
861 goto fail;
862
863 rc = rdstls_set_state(rdstls, RDSTLS_STATE_AUTH_REQ);
864fail:
865 Stream_Free(s, TRUE);
866 return rc;
867}
868
869static BOOL rdstls_send_authentication_request(rdpRdstls* rdstls)
870{
871 BOOL rc = FALSE;
872
873 if (!rdstls_check_state_requirements(rdstls, RDSTLS_STATE_AUTH_REQ))
874 return FALSE;
875
876 wStream* s = Stream_New(NULL, 4096);
877 if (!s)
878 goto fail;
879
880 WINPR_ASSERT(rdstls);
881 if (!rdstls_send(rdstls->transport, s, rdstls))
882 goto fail;
883
884 rc = rdstls_set_state(rdstls, RDSTLS_STATE_AUTH_RSP);
885fail:
886 Stream_Free(s, TRUE);
887 return rc;
888}
889
890static BOOL rdstls_recv_authentication_response(rdpRdstls* rdstls)
891{
892 BOOL rc = FALSE;
893
894 WINPR_ASSERT(rdstls);
895
896 if (!rdstls_check_state_requirements(rdstls, RDSTLS_STATE_AUTH_RSP))
897 return FALSE;
898
899 wStream* s = Stream_New(NULL, 512);
900 if (!s)
901 goto fail;
902
903 const int res = transport_read_pdu(rdstls->transport, s);
904
905 if (res < 0)
906 goto fail;
907
908 const int status = rdstls_recv(rdstls->transport, s, rdstls);
909
910 if (status < 0)
911 goto fail;
912
913 rc = rdstls_set_state(rdstls, RDSTLS_STATE_FINAL);
914fail:
915 Stream_Free(s, TRUE);
916 return rc;
917}
918
919static int rdstls_server_authenticate(rdpRdstls* rdstls)
920{
921 WINPR_ASSERT(rdstls);
922
923 if (!rdstls_set_state(rdstls, RDSTLS_STATE_CAPABILITIES))
924 return -1;
925
926 if (!rdstls_send_capabilities(rdstls))
927 return -1;
928
929 if (!rdstls_recv_authentication_request(rdstls))
930 return -1;
931
932 if (!rdstls_send_authentication_response(rdstls))
933 return -1;
934
935 if (rdstls->resultCode != RDSTLS_RESULT_SUCCESS)
936 return -1;
937
938 return 1;
939}
940
941static int rdstls_client_authenticate(rdpRdstls* rdstls)
942{
943 if (!rdstls_set_state(rdstls, RDSTLS_STATE_CAPABILITIES))
944 return -1;
945
946 if (!rdstls_recv_capabilities(rdstls))
947 return -1;
948
949 if (!rdstls_send_authentication_request(rdstls))
950 return -1;
951
952 if (!rdstls_recv_authentication_response(rdstls))
953 return -1;
954
955 return 1;
956}
957
965int rdstls_authenticate(rdpRdstls* rdstls)
966{
967 WINPR_ASSERT(rdstls);
968
969 if (rdstls->server)
970 return rdstls_server_authenticate(rdstls);
971 else
972 return rdstls_client_authenticate(rdstls);
973}
974
975static SSIZE_T rdstls_parse_pdu_data_type(wLog* log, UINT16 dataType, wStream* s)
976{
977 size_t pduLength = 0;
978
979 switch (dataType)
980 {
981 case RDSTLS_DATA_PASSWORD_CREDS:
982 {
983 if (Stream_GetRemainingLength(s) < 2)
984 return 0;
985
986 const UINT16 redirGuidLength = Stream_Get_UINT16(s);
987
988 if (Stream_GetRemainingLength(s) < redirGuidLength)
989 return 0;
990 Stream_Seek(s, redirGuidLength);
991
992 if (Stream_GetRemainingLength(s) < 2)
993 return 0;
994
995 const UINT16 usernameLength = Stream_Get_UINT16(s);
996
997 if (Stream_GetRemainingLength(s) < usernameLength)
998 return 0;
999 Stream_Seek(s, usernameLength);
1000
1001 if (Stream_GetRemainingLength(s) < 2)
1002 return 0;
1003 const UINT16 domainLength = Stream_Get_UINT16(s);
1004
1005 if (Stream_GetRemainingLength(s) < domainLength)
1006 return 0;
1007 Stream_Seek(s, domainLength);
1008
1009 if (Stream_GetRemainingLength(s) < 2)
1010 return 0;
1011 const UINT16 passwordLength = Stream_Get_UINT16(s);
1012
1013 pduLength = Stream_GetPosition(s) + passwordLength;
1014 }
1015 break;
1016 case RDSTLS_DATA_AUTORECONNECT_COOKIE:
1017 {
1018 if (Stream_GetRemainingLength(s) < 4)
1019 return 0;
1020 Stream_Seek(s, 4);
1021
1022 if (Stream_GetRemainingLength(s) < 2)
1023 return 0;
1024 const UINT16 cookieLength = Stream_Get_UINT16(s);
1025
1026 pduLength = Stream_GetPosition(s) + cookieLength;
1027 }
1028 break;
1029 default:
1030 WLog_Print(log, WLOG_ERROR, "invalid RDSLTS dataType");
1031 return -1;
1032 }
1033
1034 if (pduLength > SSIZE_MAX)
1035 return 0;
1036 return (SSIZE_T)pduLength;
1037}
1038
1039SSIZE_T rdstls_parse_pdu(wLog* log, wStream* stream)
1040{
1041 SSIZE_T pduLength = -1;
1042 wStream sbuffer = { 0 };
1043 wStream* s = Stream_StaticConstInit(&sbuffer, Stream_Buffer(stream), Stream_Length(stream));
1044
1045 if (Stream_GetRemainingLength(s) < 2)
1046 return 0;
1047
1048 const UINT16 version = Stream_Get_UINT16(s);
1049 if (version != RDSTLS_VERSION_1)
1050 {
1051 WLog_Print(log, WLOG_ERROR, "invalid RDSTLS version");
1052 return -1;
1053 }
1054
1055 if (Stream_GetRemainingLength(s) < 2)
1056 return 0;
1057
1058 const UINT16 pduType = Stream_Get_UINT16(s);
1059 switch (pduType)
1060 {
1061 case RDSTLS_TYPE_CAPABILITIES:
1062 pduLength = 8;
1063 break;
1064 case RDSTLS_TYPE_AUTHREQ:
1065 if (Stream_GetRemainingLength(s) < 2)
1066 return 0;
1067
1068 const UINT16 dataType = Stream_Get_UINT16(s);
1069 pduLength = rdstls_parse_pdu_data_type(log, dataType, s);
1070
1071 break;
1072 case RDSTLS_TYPE_AUTHRSP:
1073 pduLength = 10;
1074 break;
1075 default:
1076 WLog_Print(log, WLOG_ERROR, "invalid RDSTLS PDU type");
1077 return -1;
1078 }
1079
1080 return pduLength;
1081}
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.