FreeRDP
Loading...
Searching...
No Matches
redirection.c
1
22#include <freerdp/config.h>
23
24#include "settings.h"
25
26#include <winpr/crt.h>
27#include <winpr/string.h>
28#include <freerdp/log.h>
29#include <freerdp/crypto/certificate.h>
30#include <freerdp/redirection.h>
31#include <freerdp/utils/string.h>
32
33#include "../crypto/certificate.h"
34#include "redirection.h"
35#include "utils.h"
36
37#define TAG FREERDP_TAG("core.redirection")
38
39struct rdp_redirection
40{
41 UINT32 flags;
42 UINT32 sessionID;
43 BYTE* TsvUrl;
44 UINT32 TsvUrlLength;
45 char* Username;
46 char* Domain;
47 BYTE* Password;
48 UINT32 PasswordLength;
49 char* TargetFQDN;
50 BYTE* LoadBalanceInfo;
51 UINT32 LoadBalanceInfoLength;
52 char* TargetNetBiosName;
53 char* TargetNetAddress;
54 UINT32 TargetNetAddressesCount;
55 char** TargetNetAddresses;
56 UINT32 RedirectionGuidLength;
57 BYTE* RedirectionGuid;
58
59 rdpCertificate* TargetCertificate;
60};
61
62static void redirection_free_array(char*** what, UINT32* count)
63{
64 WINPR_ASSERT(what);
65 WINPR_ASSERT(count);
66
67 if (*what)
68 {
69 for (UINT32 x = 0; x < *count; x++)
70 free((*what)[x]);
71 free((void*)*what);
72 }
73
74 *what = NULL;
75 *count = 0;
76}
77
78static void redirection_free_string(char** str)
79{
80 WINPR_ASSERT(str);
81 free(*str);
82 *str = NULL;
83}
84
85static void redirection_free_data(BYTE** str, UINT32* length)
86{
87 WINPR_ASSERT(str);
88 free(*str);
89 if (length)
90 *length = 0;
91 *str = NULL;
92}
93
94static BOOL redirection_copy_string(char** dst, const char* str)
95{
96 redirection_free_string(dst);
97 if (!str)
98 return TRUE;
99
100 *dst = _strdup(str);
101 return *dst != NULL;
102}
103
104static BOOL redirection_copy_data(BYTE** dst, UINT32* plen, const BYTE* str, size_t len)
105{
106 redirection_free_data(dst, plen);
107
108 if (!str || (len == 0))
109 return TRUE;
110 if (len > UINT32_MAX)
111 return FALSE;
112
113 *dst = malloc(len);
114 if (!*dst)
115 return FALSE;
116 memcpy(*dst, str, len);
117 *plen = (UINT32)len;
118 return *dst != NULL;
119}
120
121static BOOL redirection_copy_array(char*** dst, UINT32* plen, const char** str, size_t len)
122{
123 redirection_free_array(dst, plen);
124
125 if (len > UINT32_MAX)
126 return FALSE;
127 if (!str || (len == 0))
128 return TRUE;
129
130 *dst = (char**)calloc(len, sizeof(char*));
131 if (!*dst)
132 return FALSE;
133 *plen = (UINT32)len;
134
135 for (size_t x = 0; x < len; x++)
136 {
137 if (str[x])
138 (*dst)[x] = _strdup(str[x]);
139
140 if (!((*dst)[x]))
141 {
142 redirection_free_array(dst, plen);
143 return FALSE;
144 }
145 }
146
147 return *dst != NULL;
148}
149
150static BOOL rdp_redirection_get_data(wStream* s, UINT32* pLength, const BYTE** pData)
151{
152 WINPR_ASSERT(pLength);
153 WINPR_ASSERT(pData);
154
155 if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
156 return FALSE;
157
158 Stream_Read_UINT32(s, *pLength);
159
160 if (!Stream_CheckAndLogRequiredLength(TAG, s, *pLength))
161 return FALSE;
162
163 *pData = Stream_ConstPointer(s);
164 Stream_Seek(s, *pLength);
165 return TRUE;
166}
167
168static BOOL rdp_redirection_read_unicode_string(wStream* s, char** str, size_t maxLength)
169{
170 UINT32 length = 0;
171 const BYTE* data = NULL;
172
173 if (!rdp_redirection_get_data(s, &length, &data))
174 return FALSE;
175
176 const WCHAR* wstr = (const WCHAR*)data;
177
178 if ((length % 2) || length < 2 || length > maxLength)
179 {
180 WLog_ERR(TAG, "failure: invalid unicode string length: %" PRIu32 "", length);
181 return FALSE;
182 }
183
184 if (wstr[length / 2 - 1])
185 {
186 WLog_ERR(TAG, "failure: unterminated unicode string");
187 return FALSE;
188 }
189
190 redirection_free_string(str);
191 *str = ConvertWCharNToUtf8Alloc(wstr, length / sizeof(WCHAR), NULL);
192 if (!*str)
193 {
194 WLog_ERR(TAG, "failure: string conversion failed");
195 return FALSE;
196 }
197
198 return TRUE;
199}
200
201static BOOL rdp_redirection_write_data(wStream* s, size_t length, const void* data)
202{
203 WINPR_ASSERT(data || (length == 0));
204 WINPR_ASSERT(length <= UINT32_MAX);
205
206 if (!Stream_EnsureRemainingCapacity(s, 4))
207 return FALSE;
208
209 Stream_Write_UINT32(s, (UINT32)length);
210
211 if (!Stream_EnsureRemainingCapacity(s, length))
212 return FALSE;
213
214 Stream_Write(s, data, length);
215 return TRUE;
216}
217
218static BOOL rdp_redirection_write_base64_wchar(WINPR_ATTR_UNUSED UINT32 flag, wStream* s,
219 size_t length, const void* data)
220{
221 BOOL rc = FALSE;
222
223 char* base64 = crypto_base64_encode(data, length);
224 if (!base64)
225 return FALSE;
226
227 size_t wbase64len = 0;
228 WCHAR* wbase64 = ConvertUtf8ToWCharAlloc(base64, &wbase64len);
229 free(base64);
230 if (!wbase64)
231 return FALSE;
232
233 rc = rdp_redirection_write_data(s, wbase64len * sizeof(WCHAR), wbase64);
234 free(wbase64);
235 return rc;
236}
237
238static BOOL rdp_redirection_read_base64_wchar(UINT32 flag, wStream* s, UINT32* pLength,
239 BYTE** pData)
240{
241 BOOL rc = FALSE;
242 char buffer[64] = { 0 };
243 const BYTE* ptr = NULL;
244
245 if (!rdp_redirection_get_data(s, pLength, &ptr))
246 return FALSE;
247 const WCHAR* wchar = (const WCHAR*)ptr;
248
249 size_t utf8_len = 0;
250 char* utf8 = ConvertWCharNToUtf8Alloc(wchar, *pLength / sizeof(WCHAR), &utf8_len);
251 if (!utf8)
252 goto fail;
253
254 redirection_free_data(pData, NULL);
255
256 utf8_len = strnlen(utf8, utf8_len);
257 *pData = NULL;
258 if (utf8_len > 0)
259 *pData = calloc(utf8_len, sizeof(BYTE));
260 if (!*pData)
261 goto fail;
262
263 {
264 size_t rlen = utf8_len;
265 size_t wpos = 0;
266 char* saveptr = NULL;
267 char* tok = strtok_s(utf8, "\r\n", &saveptr);
268 while (tok)
269 {
270 const size_t len = strnlen(tok, rlen);
271 rlen -= len;
272
273 size_t bplen = 0;
274 BYTE* bptr = NULL;
275 crypto_base64_decode(tok, len, &bptr, &bplen);
276 if (!bptr)
277 goto fail;
278 memcpy(&(*pData)[wpos], bptr, bplen);
279 wpos += bplen;
280 free(bptr);
281
282 tok = strtok_s(NULL, "\r\n", &saveptr);
283 }
284 if (wpos > UINT32_MAX)
285 goto fail;
286
287 *pLength = (UINT32)wpos;
288
289 WLog_DBG(TAG, "%s:", rdp_redirection_flags_to_string(flag, buffer, sizeof(buffer)));
290 }
291
292 rc = TRUE;
293fail:
294 if (!rc)
295 WLog_ERR(TAG, "failed to read base64 data");
296 free(utf8);
297 return rc;
298}
299
300static BOOL rdp_target_cert_get_element(wStream* s, UINT32* pType, UINT32* pEncoding,
301 const BYTE** ptr, size_t* pLength)
302{
303 WINPR_ASSERT(pType);
304 WINPR_ASSERT(pEncoding);
305 WINPR_ASSERT(ptr);
306 WINPR_ASSERT(pLength);
307
308 if (!Stream_CheckAndLogRequiredLength(TAG, s, 12))
309 return FALSE;
310
311 UINT32 type = 0;
312 UINT32 encoding = 0;
313 UINT32 elementSize = 0;
314
315 Stream_Read_UINT32(s, type);
316 Stream_Read_UINT32(s, encoding);
317 Stream_Read_UINT32(s, elementSize);
318
319 if (!Stream_CheckAndLogRequiredLength(TAG, s, elementSize))
320 return FALSE;
321
322 *ptr = Stream_ConstPointer(s);
323 *pLength = elementSize;
324 Stream_Seek(s, elementSize);
325
326 *pType = type;
327 *pEncoding = encoding;
328 return TRUE;
329}
330
331static BOOL rdp_target_cert_write_element(wStream* s, UINT32 Type, UINT32 Encoding,
332 const BYTE* data, size_t length)
333{
334 WINPR_ASSERT(data || (length == 0));
335 WINPR_ASSERT(length <= UINT32_MAX);
336
337 if (!Stream_EnsureRemainingCapacity(s, 12))
338 return FALSE;
339
340 Stream_Write_UINT32(s, Type);
341 Stream_Write_UINT32(s, Encoding);
342 Stream_Write_UINT32(s, (UINT32)length);
343
344 if (!Stream_EnsureRemainingCapacity(s, length))
345 return FALSE;
346
347 Stream_Write(s, data, length);
348 return TRUE;
349}
350
351BOOL rdp_redirection_read_target_cert(rdpCertificate** ptargetCertificate, const BYTE* data,
352 size_t length)
353{
354 WINPR_ASSERT(ptargetCertificate);
355
356 wStream sbuffer = { 0 };
357 wStream* s = Stream_StaticConstInit(&sbuffer, data, length);
358
359 freerdp_certificate_free(*ptargetCertificate);
360 *ptargetCertificate = NULL;
361
362 size_t plength = 0;
363 const BYTE* ptr = NULL;
364 while (Stream_GetRemainingLength(s) > 0)
365 {
366 UINT32 type = 0;
367 UINT32 encoding = 0;
368 if (!rdp_target_cert_get_element(s, &type, &encoding, &ptr, &plength))
369 return FALSE;
370
371 switch (type)
372 {
373 case CERT_cert_file_element:
374 if (encoding == ENCODING_TYPE_ASN1_DER)
375 {
376 if (*ptargetCertificate)
377 WLog_WARN(TAG, "Duplicate TargetCertificate in data detected!");
378 else
379 {
380 *ptargetCertificate = freerdp_certificate_new_from_der(ptr, plength);
381 if (!*ptargetCertificate)
382 WLog_ERR(TAG, "TargetCertificate parsing DER data failed");
383 }
384 }
385 else
386 {
387 WLog_ERR(TAG,
388 "TargetCertificate data in unknown encoding %" PRIu32 " detected!");
389 }
390 break;
391 default: /* ignore unknown fields */
392 WLog_VRB(TAG,
393 "Unknown TargetCertificate field type %" PRIu32 ", encoding %" PRIu32
394 " of length %" PRIu32,
395 type, encoding, plength);
396 break;
397 }
398 }
399
400 return *ptargetCertificate != NULL;
401}
402
403static BOOL rdp_redirection_write_target_cert(wStream* s, const rdpRedirection* redirection)
404{
405 BOOL rc = FALSE;
406 WINPR_ASSERT(redirection);
407
408 const rdpCertificate* cert = redirection->TargetCertificate;
409 if (!cert)
410 return FALSE;
411
412 size_t derlen = 0;
413
414 BYTE* der = freerdp_certificate_get_der(cert, &derlen);
415 if (!rdp_target_cert_write_element(s, CERT_cert_file_element, ENCODING_TYPE_ASN1_DER, der,
416 derlen))
417 goto fail;
418
419 rc = TRUE;
420
421fail:
422 free(der);
423 return rc;
424}
425
426static BOOL rdp_redireciton_write_target_cert_stream(wStream* s, const rdpRedirection* redirection)
427{
428 BOOL rc = FALSE;
429 wStream* serialized = Stream_New(NULL, 2048);
430 if (!serialized)
431 goto fail;
432
433 if (!rdp_redirection_write_target_cert(serialized, redirection))
434 goto fail;
435
436 rc = rdp_redirection_write_base64_wchar(
437 LB_TARGET_CERTIFICATE, s, Stream_GetPosition(serialized), Stream_Buffer(serialized));
438
439fail:
440 Stream_Free(serialized, TRUE);
441 return rc;
442}
443
444static BOOL rdp_redirection_read_target_cert_stream(wStream* s, rdpRedirection* redirection)
445{
446 UINT32 length = 0;
447 BYTE* ptr = NULL;
448
449 WINPR_ASSERT(redirection);
450
451 BOOL rc = FALSE;
452 if (rdp_redirection_read_base64_wchar(LB_TARGET_CERTIFICATE, s, &length, &ptr))
453 rc = rdp_redirection_read_target_cert(&redirection->TargetCertificate, ptr, length);
454 free(ptr);
455 return rc;
456}
457
458BOOL rdp_set_target_certificate(rdpSettings* settings, const rdpCertificate* tcert)
459{
460 rdpCertificate* cert = freerdp_certificate_clone(tcert);
461 if (!freerdp_settings_set_pointer(settings, FreeRDP_RedirectionTargetCertificate, cert))
462 return FALSE;
463
464 BOOL pres = FALSE;
465 size_t length = 0;
466 char* pem = freerdp_certificate_get_pem(cert, &length);
467 if (pem && (length <= UINT32_MAX))
468 {
469 pres =
470 freerdp_settings_set_string_len(settings, FreeRDP_RedirectionAcceptedCert, pem, length);
471 if (pres)
472 pres = freerdp_settings_set_uint32(settings, FreeRDP_RedirectionAcceptedCertLength,
473 (UINT32)length);
474 }
475 free(pem);
476 return pres;
477}
478
479int rdp_redirection_apply_settings(rdpRdp* rdp)
480{
481 rdpSettings* settings = NULL;
482 rdpRedirection* redirection = NULL;
483
484 if (!rdp_reset_runtime_settings(rdp))
485 return -1;
486
487 settings = rdp->settings;
488 WINPR_ASSERT(settings);
489
490 redirection = rdp->redirection;
491 WINPR_ASSERT(redirection);
492
493 settings->RedirectionFlags = redirection->flags;
494 settings->RedirectedSessionId = redirection->sessionID;
495
496 if (settings->RedirectionFlags & LB_TARGET_NET_ADDRESS)
497 {
498 if (!freerdp_settings_set_string(settings, FreeRDP_TargetNetAddress,
499 redirection->TargetNetAddress))
500 return -1;
501 }
502
503 if (settings->RedirectionFlags & LB_USERNAME)
504 {
505 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionUsername,
506 redirection->Username))
507 return -1;
508 }
509
510 if (settings->RedirectionFlags & LB_DOMAIN)
511 {
512 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionDomain, redirection->Domain))
513 return -1;
514 }
515
516 if (settings->RedirectionFlags & LB_PASSWORD)
517 {
518 /* Password may be a cookie without a null terminator */
519 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionPassword,
520 redirection->Password, redirection->PasswordLength))
521 return -1;
522 }
523
524 if (settings->RedirectionFlags & LB_DONTSTOREUSERNAME)
525 {
526 // TODO
527 }
528
529 if (settings->RedirectionFlags & LB_SMARTCARD_LOGON)
530 {
531 // TODO
532 }
533
534 if (settings->RedirectionFlags & LB_NOREDIRECT)
535 {
536 // TODO
537 }
538
539 if (settings->RedirectionFlags & LB_TARGET_FQDN)
540 {
541 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionTargetFQDN,
542 redirection->TargetFQDN))
543 return -1;
544 }
545
546 if (settings->RedirectionFlags & LB_TARGET_NETBIOS_NAME)
547 {
548 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionTargetNetBiosName,
549 redirection->TargetNetBiosName))
550 return -1;
551 }
552
553 if (settings->RedirectionFlags & LB_TARGET_NET_ADDRESSES)
554 {
555 if (!freerdp_target_net_addresses_copy(settings, redirection->TargetNetAddresses,
556 redirection->TargetNetAddressesCount))
557 return -1;
558 }
559
560 if (settings->RedirectionFlags & LB_CLIENT_TSV_URL)
561 {
562 /* TsvUrl may not contain a null terminator */
563 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionTsvUrl,
564 redirection->TsvUrl, redirection->TsvUrlLength))
565 return -1;
566
567 const size_t lblen = freerdp_settings_get_uint32(settings, FreeRDP_LoadBalanceInfoLength);
568 const char* lb = freerdp_settings_get_pointer(settings, FreeRDP_LoadBalanceInfo);
569 if (lblen > 0)
570 {
571 BOOL valid = TRUE;
572 size_t tsvlen = 0;
573
574 char* tsv =
575 ConvertWCharNToUtf8Alloc((const WCHAR*)redirection->TsvUrl,
576 redirection->TsvUrlLength / sizeof(WCHAR), &tsvlen);
577 if (!tsv || !lb)
578 valid = FALSE;
579 else if (tsvlen != lblen)
580 valid = FALSE;
581 else if (memcmp(tsv, lb, lblen) != 0)
582 valid = FALSE;
583
584 if (!valid)
585 {
586 WLog_ERR(TAG,
587 "[redirection] Expected TsvUrl '%s' [%" PRIuz "], but got '%s' [%" PRIuz
588 "]",
589 lb, lblen, tsv, tsvlen);
590 }
591 free(tsv);
592
593 if (!valid)
594 return -2;
595 }
596 }
597
598 if (settings->RedirectionFlags & LB_SERVER_TSV_CAPABLE)
599 {
600 // TODO
601 }
602
603 if (settings->RedirectionFlags & LB_LOAD_BALANCE_INFO)
604 {
605 /* LoadBalanceInfo may not contain a null terminator */
606 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_LoadBalanceInfo,
607 redirection->LoadBalanceInfo,
608 redirection->LoadBalanceInfoLength))
609 return -1;
610 }
611 else
612 {
617 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_LoadBalanceInfo, NULL, 0))
618 return -1;
619 }
620
621 if (settings->RedirectionFlags & LB_PASSWORD_IS_PK_ENCRYPTED)
622 {
623 // TODO
624 }
625
626 if (settings->RedirectionFlags & LB_REDIRECTION_GUID)
627 {
628 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionGuid,
629 redirection->RedirectionGuid,
630 redirection->RedirectionGuidLength))
631 return -1;
632 }
633
634 if (settings->RedirectionFlags & LB_TARGET_CERTIFICATE)
635 {
636 if (!rdp_set_target_certificate(settings, redirection->TargetCertificate))
637 return -1;
638 }
639
640 return 0;
641}
642
643static BOOL rdp_redirection_read_data(UINT32 flag, wStream* s, UINT32* pLength, BYTE** pData)
644{
645 char buffer[64] = { 0 };
646 const BYTE* ptr = NULL;
647
648 if (!rdp_redirection_get_data(s, pLength, &ptr))
649 return FALSE;
650
651 redirection_free_data(pData, NULL);
652 *pData = (BYTE*)malloc(*pLength);
653
654 if (!*pData)
655 return FALSE;
656 memcpy(*pData, ptr, *pLength);
657
658 WLog_DBG(TAG, "%s:", rdp_redirection_flags_to_string(flag, buffer, sizeof(buffer)));
659
660 return TRUE;
661}
662
663static state_run_t rdp_recv_server_redirection_pdu(rdpRdp* rdp, wStream* s)
664{
665 char buffer[256] = { 0 };
666 UINT16 flags = 0;
667 UINT16 length = 0;
668 rdpRedirection* redirection = rdp->redirection;
669
670 if (!Stream_CheckAndLogRequiredLength(TAG, s, 12))
671 return STATE_RUN_FAILED;
672
673 Stream_Read_UINT16(s, flags); /* flags (2 bytes) */
674 if (flags != SEC_REDIRECTION_PKT)
675 {
676 char buffer1[1024] = { 0 };
677 char buffer2[1024] = { 0 };
678 WLog_ERR(TAG, "received invalid flags=%s, expected %s",
679 rdp_security_flag_string(flags, buffer1, sizeof(buffer1)),
680 rdp_security_flag_string(SEC_REDIRECTION_PKT, buffer2, sizeof(buffer2)));
681 return STATE_RUN_FAILED;
682 }
683 Stream_Read_UINT16(s, length); /* length (2 bytes) */
684 Stream_Read_UINT32(s, redirection->sessionID); /* sessionID (4 bytes) */
685 Stream_Read_UINT32(s, redirection->flags); /* redirFlags (4 bytes) */
686 WLog_INFO(TAG,
687 "flags: 0x%04" PRIX16 ", length: %" PRIu16 ", sessionID: 0x%08" PRIX32
688 ", redirFlags: %s [0x%08" PRIX32 "]",
689 flags, length, redirection->sessionID,
690 rdp_redirection_flags_to_string(redirection->flags, buffer, sizeof(buffer)),
691 redirection->flags);
692
693 /* Although MS-RDPBCGR does not mention any length constraints limits for the
694 * variable length null-terminated unicode strings in the RDP_SERVER_REDIRECTION_PACKET
695 * structure we will use the following limits in bytes including the null terminator:
696 *
697 * TargetNetAddress: 80 bytes
698 * UserName: 512 bytes
699 * Domain: 52 bytes
700 * Password(Cookie): 512 bytes
701 * TargetFQDN: 512 bytes
702 * TargetNetBiosName: 32 bytes
703 */
704
705 if (redirection->flags & LB_TARGET_NET_ADDRESS)
706 {
707 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetNetAddress), 80))
708 return STATE_RUN_FAILED;
709 }
710
711 if (redirection->flags & LB_LOAD_BALANCE_INFO)
712 {
713 /* See [MSFT-SDLBTS] (a.k.a. TS_Session_Directory.doc)
714 * load balance info example data:
715 * 0000 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 3d 32 31 33 Cookie: msts=213
716 * 0010 34 30 32 36 34 33 32 2e 31 35 36 32 39 2e 30 30 4026432.15629.00
717 * 0020 30 30 0d 0a 00..
718 */
719 if (!rdp_redirection_read_data(LB_LOAD_BALANCE_INFO, s, &redirection->LoadBalanceInfoLength,
720 &redirection->LoadBalanceInfo))
721 return STATE_RUN_FAILED;
722 }
723
724 if (redirection->flags & LB_USERNAME)
725 {
726 if (!rdp_redirection_read_unicode_string(s, &(redirection->Username), 512))
727 return STATE_RUN_FAILED;
728
729 WLog_DBG(TAG, "Username: %s", redirection->Username);
730 }
731
732 if (redirection->flags & LB_DOMAIN)
733 {
734 if (!rdp_redirection_read_unicode_string(s, &(redirection->Domain), 52))
735 return STATE_RUN_FAILED;
736
737 WLog_DBG(TAG, "Domain: %s", redirection->Domain);
738 }
739
740 if (redirection->flags & LB_PASSWORD)
741 {
742 /* Note: Password is a variable-length array of bytes containing the
743 * password used by the user in Unicode format, including a null-terminator
744 * or (!) or a cookie value that MUST be passed to the target server on
745 * successful connection.
746 * Since the format of the password cookie (probably some salted hash) is
747 * currently unknown we'll treat it as opaque data. All cookies seen so far
748 * are 120 bytes including \0\0 termination.
749 * Here is an observed example of a redirection password cookie:
750 *
751 * 0000 02 00 00 80 44 53 48 4c 60 ab 69 2f 07 d6 9e 2d ....DSHL`.i/...-
752 * 0010 f0 3a 97 3b a9 c5 ec 7e 66 bd b3 84 6c b1 ef b9 .:.;...~f...l...
753 * 0020 b6 82 4e cc 3a df 64 b7 7b 25 04 54 c2 58 98 f8 ..N.:.d.{%.T.X..
754 * 0030 97 87 d4 93 c7 c1 e1 5b c2 85 f8 22 49 1f 81 88 .......[..."I...
755 * 0040 43 44 83 f6 9a 72 40 24 dc 4d 43 cb d9 92 3c 8f CD...r@$.MC...<.
756 * 0050 3a 37 5c 77 13 a0 72 3c 72 08 64 2a 29 fb dc eb :7\w..r<r.d*)...
757 * 0060 0d 2b 06 b4 c6 08 b4 73 34 16 93 62 6d 24 e9 93 .+.....s4..bm$..
758 * 0070 97 27 7b dd 9a 72 00 00 .'{..r..
759 *
760 * Notwithstanding the above, we'll allocated an additional zero WCHAR at the
761 * end of the buffer which won't get counted in PasswordLength.
762 */
763 if (!rdp_redirection_read_data(LB_PASSWORD, s, &redirection->PasswordLength,
764 &redirection->Password))
765 return STATE_RUN_FAILED;
766
767 /* [MS-RDPBCGR] specifies 512 bytes as the upper limit for the password length
768 * including the null terminatior(s). This should also be enough for the unknown
769 * password cookie format (see previous comment).
770 */
771 if ((redirection->flags & LB_PASSWORD_IS_PK_ENCRYPTED) == 0)
772 {
773 const size_t charLen = redirection->PasswordLength / sizeof(WCHAR);
774 if (redirection->PasswordLength > LB_PASSWORD_MAX_LENGTH)
775 {
776 WLog_ERR(TAG, "LB_PASSWORD: %" PRIuz " exceeds limit of %d", charLen,
777 LB_PASSWORD_MAX_LENGTH);
778 return STATE_RUN_FAILED;
779 }
780
781 /* Ensure the text password is '\0' terminated */
782 if (_wcsnlen((const WCHAR*)redirection->Password, charLen) == charLen)
783 {
784 WLog_ERR(TAG, "LB_PASSWORD: missing '\0' termination");
785 return STATE_RUN_FAILED;
786 }
787 }
788 }
789
790 if (redirection->flags & LB_TARGET_FQDN)
791 {
792 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetFQDN), 512))
793 return STATE_RUN_FAILED;
794
795 WLog_DBG(TAG, "TargetFQDN: %s", redirection->TargetFQDN);
796 }
797
798 if (redirection->flags & LB_TARGET_NETBIOS_NAME)
799 {
800 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetNetBiosName), 32))
801 return STATE_RUN_FAILED;
802
803 WLog_DBG(TAG, "TargetNetBiosName: %s", redirection->TargetNetBiosName);
804 }
805
806 if (redirection->flags & LB_CLIENT_TSV_URL)
807 {
808 if (!rdp_redirection_read_data(LB_CLIENT_TSV_URL, s, &redirection->TsvUrlLength,
809 &redirection->TsvUrl))
810 return STATE_RUN_FAILED;
811 }
812
813 if (redirection->flags & LB_REDIRECTION_GUID)
814 {
815 if (!rdp_redirection_read_data(LB_REDIRECTION_GUID, s, &redirection->RedirectionGuidLength,
816 &redirection->RedirectionGuid))
817 return STATE_RUN_FAILED;
818 }
819
820 if (redirection->flags & LB_TARGET_CERTIFICATE)
821 {
822 if (!rdp_redirection_read_target_cert_stream(s, redirection))
823 return STATE_RUN_FAILED;
824 }
825
826 if (redirection->flags & LB_TARGET_NET_ADDRESSES)
827 {
828 UINT32 targetNetAddressesLength = 0;
829 UINT32 TargetNetAddressesCount = 0;
830
831 if (!Stream_CheckAndLogRequiredLength(TAG, s, 8))
832 return STATE_RUN_FAILED;
833
834 Stream_Read_UINT32(s, targetNetAddressesLength);
835 Stream_Read_UINT32(s, TargetNetAddressesCount);
836
837 /* sanity check: the whole packet has a length limit of UINT16_MAX
838 * each TargetNetAddress is a WCHAR string, so minimum length 2 bytes
839 */
840 const size_t size = TargetNetAddressesCount * sizeof(WCHAR);
841 if ((size > Stream_GetRemainingLength(s)) || (size > targetNetAddressesLength))
842 {
843 WLog_ERR(TAG,
844 "Invalid RDP_SERVER_REDIRECTION_PACKET::TargetNetAddressLength %" PRIuz
845 ", sanity limit is %" PRIuz,
846 TargetNetAddressesCount * sizeof(WCHAR), Stream_GetRemainingLength(s));
847 return STATE_RUN_FAILED;
848 }
849
850 redirection_free_array(&redirection->TargetNetAddresses,
851 &redirection->TargetNetAddressesCount);
852 if (TargetNetAddressesCount > 0)
853 {
854 redirection->TargetNetAddresses =
855 (char**)calloc(TargetNetAddressesCount, sizeof(char*));
856
857 if (!redirection->TargetNetAddresses)
858 {
859 WLog_ERR(TAG, "TargetNetAddresses %" PRIu32 " failed to allocate",
860 TargetNetAddressesCount);
861 return STATE_RUN_FAILED;
862 }
863 }
864 redirection->TargetNetAddressesCount = TargetNetAddressesCount;
865
866 WLog_DBG(TAG, "TargetNetAddressesCount: %" PRIu32 "", TargetNetAddressesCount);
867
868 for (UINT32 i = 0; i < TargetNetAddressesCount; i++)
869 {
870 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetNetAddresses[i]), 80))
871 return STATE_RUN_FAILED;
872
873 WLog_DBG(TAG, "TargetNetAddresses[%" PRIu32 "]: %s", i,
874 redirection->TargetNetAddresses[i]);
875 }
876 }
877
878 if (Stream_GetRemainingLength(s) >= 8)
879 {
880 /* some versions of windows don't included this padding before closing the connection */
881 Stream_Seek(s, 8); /* pad (8 bytes) */
882 }
883
884 if (redirection->flags & LB_NOREDIRECT)
885 return STATE_RUN_SUCCESS;
886
887 return STATE_RUN_REDIRECT;
888}
889
890state_run_t rdp_recv_enhanced_security_redirection_packet(rdpRdp* rdp, wStream* s)
891{
892 state_run_t status = STATE_RUN_SUCCESS;
893
894 if (!Stream_SafeSeek(s, 2)) /* pad2Octets (2 bytes) */
895 return STATE_RUN_FAILED;
896
897 status = rdp_recv_server_redirection_pdu(rdp, s);
898
899 if (state_run_failed(status))
900 return status;
901
902 if (Stream_GetRemainingLength(s) >= 1)
903 {
904 /* this field is optional, and its absence is not an error */
905 Stream_Seek(s, 1); /* pad2Octets (1 byte) */
906 }
907
908 return status;
909}
910
911rdpRedirection* redirection_new(void)
912{
913 rdpRedirection* redirection = (rdpRedirection*)calloc(1, sizeof(rdpRedirection));
914
915 if (redirection)
916 {
917 }
918
919 return redirection;
920}
921
922void redirection_free(rdpRedirection* redirection)
923{
924 if (redirection)
925 {
926 redirection_free_data(&redirection->TsvUrl, &redirection->TsvUrlLength);
927 redirection_free_string(&redirection->Username);
928 redirection_free_string(&redirection->Domain);
929 redirection_free_string(&redirection->TargetFQDN);
930 redirection_free_string(&redirection->TargetNetBiosName);
931 redirection_free_string(&redirection->TargetNetAddress);
932 redirection_free_data(&redirection->LoadBalanceInfo, &redirection->LoadBalanceInfoLength);
933 redirection_free_data(&redirection->Password, &redirection->PasswordLength);
934 redirection_free_data(&redirection->RedirectionGuid, &redirection->RedirectionGuidLength);
935 freerdp_certificate_free(redirection->TargetCertificate);
936 redirection_free_array(&redirection->TargetNetAddresses,
937 &redirection->TargetNetAddressesCount);
938
939 free(redirection);
940 }
941}
942
943static SSIZE_T redir_write_string(WINPR_ATTR_UNUSED UINT32 flag, wStream* s, const char* str)
944{
945 const size_t length = (strlen(str) + 1);
946 if (!Stream_EnsureRemainingCapacity(s, 4ull + length * sizeof(WCHAR)))
947 return -1;
948
949 const size_t pos = Stream_GetPosition(s);
950 Stream_Write_UINT32(s, (UINT32)length * sizeof(WCHAR));
951 if (Stream_Write_UTF16_String_From_UTF8(s, length, str, length, TRUE) < 0)
952 return -1;
953 return (SSIZE_T)(Stream_GetPosition(s) - pos);
954}
955
956static BOOL redir_write_data(WINPR_ATTR_UNUSED UINT32 flag, wStream* s, UINT32 length,
957 const BYTE* data)
958{
959 if (!Stream_EnsureRemainingCapacity(s, 4ull + length))
960 return FALSE;
961
962 Stream_Write_UINT32(s, length);
963 Stream_Write(s, data, length);
964 return TRUE;
965}
966
967BOOL rdp_write_enhanced_security_redirection_packet(wStream* s, const rdpRedirection* redirection)
968{
969 BOOL rc = FALSE;
970
971 WINPR_ASSERT(s);
972 WINPR_ASSERT(redirection);
973
974 if (!Stream_EnsureRemainingCapacity(s, 14))
975 goto fail;
976
977 Stream_Write_UINT16(s, 0);
978
979 {
980 const size_t start = Stream_GetPosition(s);
981 Stream_Write_UINT16(s, SEC_REDIRECTION_PKT);
982 const size_t lengthOffset = Stream_GetPosition(s);
983 Stream_Seek_UINT16(s); /* placeholder for length */
984
985 if (redirection->sessionID)
986 Stream_Write_UINT32(s, redirection->sessionID);
987 else
988 Stream_Write_UINT32(s, 0);
989
990 Stream_Write_UINT32(s, redirection->flags);
991
992 if (redirection->flags & LB_TARGET_NET_ADDRESS)
993 {
994 if (redir_write_string(LB_TARGET_NET_ADDRESS, s, redirection->TargetNetAddress) < 0)
995 goto fail;
996 }
997
998 if (redirection->flags & LB_LOAD_BALANCE_INFO)
999 {
1000 const UINT32 length = 13 + redirection->LoadBalanceInfoLength + 2;
1001 if (!Stream_EnsureRemainingCapacity(s, length))
1002 goto fail;
1003 Stream_Write_UINT32(s, length);
1004 Stream_Write(s, "Cookie: msts=", 13);
1005 Stream_Write(s, redirection->LoadBalanceInfo, redirection->LoadBalanceInfoLength);
1006 Stream_Write_UINT8(s, 0x0d);
1007 Stream_Write_UINT8(s, 0x0a);
1008 }
1009
1010 if (redirection->flags & LB_USERNAME)
1011 {
1012 if (redir_write_string(LB_USERNAME, s, redirection->Username) < 0)
1013 goto fail;
1014 }
1015
1016 if (redirection->flags & LB_DOMAIN)
1017 {
1018 if (redir_write_string(LB_DOMAIN, s, redirection->Domain) < 0)
1019 goto fail;
1020 }
1021
1022 if (redirection->flags & LB_PASSWORD)
1023 {
1024 /* Password is either UNICODE or opaque data */
1025 if (!redir_write_data(LB_PASSWORD, s, redirection->PasswordLength,
1026 redirection->Password))
1027 goto fail;
1028 }
1029
1030 if (redirection->flags & LB_TARGET_FQDN)
1031 {
1032 if (redir_write_string(LB_TARGET_FQDN, s, redirection->TargetFQDN) < 0)
1033 goto fail;
1034 }
1035
1036 if (redirection->flags & LB_TARGET_NETBIOS_NAME)
1037 {
1038 if (redir_write_string(LB_TARGET_NETBIOS_NAME, s, redirection->TargetNetBiosName) < 0)
1039 goto fail;
1040 }
1041
1042 if (redirection->flags & LB_CLIENT_TSV_URL)
1043 {
1044 if (!redir_write_data(LB_CLIENT_TSV_URL, s, redirection->TsvUrlLength,
1045 redirection->TsvUrl))
1046 goto fail;
1047 }
1048
1049 if (redirection->flags & LB_REDIRECTION_GUID)
1050 {
1051 if (!redir_write_data(LB_REDIRECTION_GUID, s, redirection->RedirectionGuidLength,
1052 redirection->RedirectionGuid))
1053 goto fail;
1054 }
1055
1056 if (redirection->flags & LB_TARGET_CERTIFICATE)
1057 {
1058 if (!rdp_redireciton_write_target_cert_stream(s, redirection))
1059 goto fail;
1060 }
1061
1062 if (redirection->flags & LB_TARGET_NET_ADDRESSES)
1063 {
1064 UINT32 length = sizeof(UINT32);
1065
1066 if (!Stream_EnsureRemainingCapacity(s, 2 * sizeof(UINT32)))
1067 goto fail;
1068
1069 const size_t lstart = Stream_GetPosition(s);
1070 Stream_Seek_UINT32(s); /* length of field */
1071 Stream_Write_UINT32(s, redirection->TargetNetAddressesCount);
1072 for (UINT32 i = 0; i < redirection->TargetNetAddressesCount; i++)
1073 {
1074 const SSIZE_T rcc = redir_write_string(LB_TARGET_NET_ADDRESSES, s,
1075 redirection->TargetNetAddresses[i]);
1076 if (rcc < 0)
1077 goto fail;
1078 length += (UINT32)rcc;
1079 }
1080
1081 /* Write length field */
1082 const size_t lend = Stream_GetPosition(s);
1083 Stream_SetPosition(s, lstart);
1084 Stream_Write_UINT32(s, length);
1085 Stream_SetPosition(s, lend);
1086 }
1087
1088 /* Padding 8 bytes */
1089 if (!Stream_EnsureRemainingCapacity(s, 8))
1090 goto fail;
1091 Stream_Zero(s, 8);
1092
1093 {
1094 const size_t end = Stream_GetPosition(s);
1095 Stream_SetPosition(s, lengthOffset);
1096 Stream_Write_UINT16(s, (UINT16)(end - start));
1097 Stream_SetPosition(s, end);
1098 }
1099 }
1100
1101 rc = TRUE;
1102fail:
1103 return rc;
1104}
1105
1106BOOL redirection_settings_are_valid(rdpRedirection* redirection, UINT32* pFlags)
1107{
1108 UINT32 flags = 0;
1109
1110 WINPR_ASSERT(redirection);
1111
1112 if (redirection->flags & LB_CLIENT_TSV_URL)
1113 {
1114 if (!redirection->TsvUrl || (redirection->TsvUrlLength == 0))
1115 flags |= LB_CLIENT_TSV_URL;
1116 }
1117
1118 if (redirection->flags & LB_SERVER_TSV_CAPABLE)
1119 {
1120 if ((redirection->flags & LB_CLIENT_TSV_URL) == 0)
1121 flags |= LB_SERVER_TSV_CAPABLE;
1122 }
1123
1124 if (redirection->flags & LB_USERNAME)
1125 {
1126 if (utils_str_is_empty(redirection->Username))
1127 flags |= LB_USERNAME;
1128 }
1129
1130 if (redirection->flags & LB_DOMAIN)
1131 {
1132 if (utils_str_is_empty(redirection->Domain))
1133 flags |= LB_DOMAIN;
1134 }
1135
1136 if (redirection->flags & LB_PASSWORD)
1137 {
1138 if (!redirection->Password || (redirection->PasswordLength == 0))
1139 flags |= LB_PASSWORD;
1140 }
1141
1142 if (redirection->flags & LB_TARGET_FQDN)
1143 {
1144 if (utils_str_is_empty(redirection->TargetFQDN))
1145 flags |= LB_TARGET_FQDN;
1146 }
1147
1148 if (redirection->flags & LB_LOAD_BALANCE_INFO)
1149 {
1150 if (!redirection->LoadBalanceInfo || (redirection->LoadBalanceInfoLength == 0))
1151 flags |= LB_LOAD_BALANCE_INFO;
1152 }
1153
1154 if (redirection->flags & LB_TARGET_NETBIOS_NAME)
1155 {
1156 if (utils_str_is_empty(redirection->TargetNetBiosName))
1157 flags |= LB_TARGET_NETBIOS_NAME;
1158 }
1159
1160 if (redirection->flags & LB_TARGET_NET_ADDRESS)
1161 {
1162 if (utils_str_is_empty(redirection->TargetNetAddress))
1163 flags |= LB_TARGET_NET_ADDRESS;
1164 }
1165
1166 if (redirection->flags & LB_TARGET_NET_ADDRESSES)
1167 {
1168 if (!redirection->TargetNetAddresses || (redirection->TargetNetAddressesCount == 0))
1169 flags |= LB_TARGET_NET_ADDRESSES;
1170 else
1171 {
1172 for (UINT32 x = 0; x < redirection->TargetNetAddressesCount; x++)
1173 {
1174 if (!redirection->TargetNetAddresses[x])
1175 flags |= LB_TARGET_NET_ADDRESSES;
1176 }
1177 }
1178 }
1179
1180 if (redirection->flags & LB_REDIRECTION_GUID)
1181 {
1182 if (!redirection->RedirectionGuid || (redirection->RedirectionGuidLength == 0))
1183 flags |= LB_REDIRECTION_GUID;
1184 }
1185
1186 if (redirection->flags & LB_TARGET_CERTIFICATE)
1187 {
1188 if (!redirection->TargetCertificate)
1189 flags |= LB_TARGET_CERTIFICATE;
1190 }
1191
1192 if (pFlags)
1193 *pFlags = flags;
1194 return flags == 0;
1195}
1196
1197BOOL redirection_set_flags(rdpRedirection* redirection, UINT32 flags)
1198{
1199 WINPR_ASSERT(redirection);
1200 redirection->flags = flags;
1201 return TRUE;
1202}
1203
1204BOOL redirection_set_session_id(rdpRedirection* redirection, UINT32 session_id)
1205{
1206 WINPR_ASSERT(redirection);
1207 redirection->sessionID = session_id;
1208 return TRUE;
1209}
1210
1211static BOOL redirection_unsupported(const char* fkt, UINT32 flag, UINT32 mask)
1212{
1213 char buffer[1024] = { 0 };
1214 char buffer2[1024] = { 0 };
1215 WLog_WARN(TAG, "[%s] supported flags are {%s}, have {%s}", fkt,
1216 rdp_redirection_flags_to_string(mask, buffer, sizeof(buffer)),
1217 rdp_redirection_flags_to_string(flag, buffer2, sizeof(buffer2)));
1218 return FALSE;
1219}
1220
1221BOOL redirection_set_byte_option(rdpRedirection* redirection, UINT32 flag, const BYTE* data,
1222 size_t length)
1223{
1224 WINPR_ASSERT(redirection);
1225 switch (flag)
1226 {
1227 case LB_CLIENT_TSV_URL:
1228 return redirection_copy_data(&redirection->TsvUrl, &redirection->TsvUrlLength, data,
1229 length);
1230 case LB_PASSWORD:
1231 return redirection_copy_data(&redirection->Password, &redirection->PasswordLength, data,
1232 length);
1233 case LB_LOAD_BALANCE_INFO:
1234 return redirection_copy_data(&redirection->LoadBalanceInfo,
1235 &redirection->LoadBalanceInfoLength, data, length);
1236 case LB_REDIRECTION_GUID:
1237 return redirection_copy_data(&redirection->RedirectionGuid,
1238 &redirection->RedirectionGuidLength, data, length);
1239 case LB_TARGET_CERTIFICATE:
1240 return rdp_redirection_read_target_cert(&redirection->TargetCertificate, data, length);
1241 default:
1242 return redirection_unsupported(__func__, flag,
1243 LB_CLIENT_TSV_URL | LB_PASSWORD | LB_LOAD_BALANCE_INFO |
1244 LB_REDIRECTION_GUID | LB_TARGET_CERTIFICATE);
1245 }
1246}
1247
1248BOOL redirection_set_string_option(rdpRedirection* redirection, UINT32 flag, const char* str)
1249{
1250 WINPR_ASSERT(redirection);
1251 switch (flag)
1252 {
1253 case LB_USERNAME:
1254 return redirection_copy_string(&redirection->Username, str);
1255 case LB_DOMAIN:
1256 return redirection_copy_string(&redirection->Domain, str);
1257 case LB_TARGET_FQDN:
1258 return redirection_copy_string(&redirection->TargetFQDN, str);
1259 case LB_TARGET_NETBIOS_NAME:
1260 return redirection_copy_string(&redirection->TargetNetBiosName, str);
1261 case LB_TARGET_NET_ADDRESS:
1262 return redirection_copy_string(&redirection->TargetNetAddress, str);
1263 default:
1264 return redirection_unsupported(__func__, flag,
1265 LB_USERNAME | LB_DOMAIN | LB_TARGET_FQDN |
1266 LB_TARGET_NETBIOS_NAME | LB_TARGET_NET_ADDRESS);
1267 }
1268}
1269
1270BOOL redirection_set_array_option(rdpRedirection* redirection, UINT32 flag, const char** str,
1271 size_t count)
1272{
1273 WINPR_ASSERT(redirection);
1274 switch (flag)
1275 {
1276 case LB_TARGET_NET_ADDRESSES:
1277 return redirection_copy_array(&redirection->TargetNetAddresses,
1278 &redirection->TargetNetAddressesCount, str, count);
1279 default:
1280 return redirection_unsupported(__func__, flag, LB_TARGET_NET_ADDRESSES);
1281 }
1282}
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
freerdp_settings_set_string
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3746
freerdp_settings_set_pointer_len
FREERDP_API BOOL freerdp_settings_set_pointer_len(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data, size_t len)
Set a pointer to value data.
Definition common/settings.c:1442
freerdp_settings_set_pointer
FREERDP_API BOOL freerdp_settings_set_pointer(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data)
Set a pointer to value data.
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition common/settings.c:1430
freerdp_settings_set_string_len
FREERDP_API BOOL freerdp_settings_set_string_len(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param, size_t len)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3740
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.