FreeRDP
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Modules Pages
arm.c
1
21#include <freerdp/config.h>
22#include <freerdp/version.h>
23
24#include "../settings.h"
25
26#include <winpr/assert.h>
27
28#include <winpr/crt.h>
29#include <winpr/synch.h>
30#include <winpr/print.h>
31#include <winpr/stream.h>
32#include <winpr/winsock.h>
33#include <winpr/cred.h>
34#include <winpr/bcrypt.h>
35
36#include <freerdp/log.h>
37#include <freerdp/error.h>
38#include <freerdp/crypto/certificate.h>
39#include <freerdp/utils/ringbuffer.h>
40#include <freerdp/utils/smartcardlogon.h>
41#include <freerdp/utils/aad.h>
42
43#include "arm.h"
44#include "wst.h"
45#include "websocket.h"
46#include "http.h"
47#include "../credssp_auth.h"
48#include "../proxy.h"
49#include "../rdp.h"
50#include "../../crypto/crypto.h"
51#include "../../crypto/certificate.h"
52#include "../../crypto/opensslcompat.h"
53#include "rpc_fault.h"
54#include "../utils.h"
55#include "../redirection.h"
56
57#include <winpr/json.h>
58
59#include <string.h>
60
61struct rdp_arm
62{
63 rdpContext* context;
64 rdpTls* tls;
65 HttpContext* http;
66
67 UINT32 gateway_retry;
68 wLog* log;
69};
70
71typedef struct rdp_arm rdpArm;
72
73#define TAG FREERDP_TAG("core.gateway.arm")
74
75#ifdef WITH_AAD
76static BOOL arm_tls_connect(rdpArm* arm, rdpTls* tls, UINT32 timeout)
77{
78 WINPR_ASSERT(arm);
79 WINPR_ASSERT(tls);
80 int sockfd = 0;
81 long status = 0;
82 BIO* socketBio = NULL;
83 BIO* bufferedBio = NULL;
84 rdpSettings* settings = arm->context->settings;
85 if (!settings)
86 return FALSE;
87
88 const char* peerHostname = freerdp_settings_get_string(settings, FreeRDP_GatewayHostname);
89 if (!peerHostname)
90 return FALSE;
91
92 UINT16 peerPort = (UINT16)freerdp_settings_get_uint32(settings, FreeRDP_GatewayPort);
93 const char* proxyUsername = NULL;
94 const char* proxyPassword = NULL;
95 BOOL isProxyConnection =
96 proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername, &proxyPassword);
97
98 sockfd = freerdp_tcp_connect(arm->context, peerHostname, peerPort, timeout);
99
100 WLog_Print(arm->log, WLOG_DEBUG, "connecting to %s %d", peerHostname, peerPort);
101 if (sockfd < 0)
102 return FALSE;
103
104 socketBio = BIO_new(BIO_s_simple_socket());
105
106 if (!socketBio)
107 {
108 closesocket((SOCKET)sockfd);
109 return FALSE;
110 }
111
112 BIO_set_fd(socketBio, sockfd, BIO_CLOSE);
113 bufferedBio = BIO_new(BIO_s_buffered_socket());
114
115 if (!bufferedBio)
116 {
117 BIO_free_all(socketBio);
118 return FALSE;
119 }
120
121 bufferedBio = BIO_push(bufferedBio, socketBio);
122 if (!bufferedBio)
123 return FALSE;
124
125 status = BIO_set_nonblock(bufferedBio, TRUE);
126
127 if (isProxyConnection)
128 {
129 if (!proxy_connect(arm->context, bufferedBio, proxyUsername, proxyPassword,
130 freerdp_settings_get_string(settings, FreeRDP_GatewayHostname),
131 (UINT16)freerdp_settings_get_uint32(settings, FreeRDP_GatewayPort)))
132 {
133 BIO_free_all(bufferedBio);
134 return FALSE;
135 }
136 }
137
138 if (!status)
139 {
140 BIO_free_all(bufferedBio);
141 return FALSE;
142 }
143
144 tls->hostname = freerdp_settings_get_string(settings, FreeRDP_GatewayHostname);
145 tls->port = MIN(UINT16_MAX, WINPR_ASSERTING_INT_CAST(int32_t, settings->GatewayPort));
146 tls->isGatewayTransport = TRUE;
147 status = freerdp_tls_connect(tls, bufferedBio);
148 if (status < 1)
149 {
150 rdpContext* context = arm->context;
151 if (status < 0)
152 freerdp_set_last_error_if_not(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
153 else
154 freerdp_set_last_error_if_not(context, FREERDP_ERROR_CONNECT_CANCELLED);
155
156 return FALSE;
157 }
158 return (status >= 1);
159}
160
161static BOOL arm_fetch_wellknown(rdpArm* arm)
162{
163 WINPR_ASSERT(arm);
164 WINPR_ASSERT(arm->context);
165 WINPR_ASSERT(arm->context->rdp);
166
167 rdpRdp* rdp = arm->context->rdp;
168 if (rdp->wellknown)
169 return TRUE;
170
171 const char* base =
172 freerdp_settings_get_string(arm->context->settings, FreeRDP_GatewayAzureActiveDirectory);
173 const BOOL useTenant =
174 freerdp_settings_get_bool(arm->context->settings, FreeRDP_GatewayAvdUseTenantid);
175 const char* tenantid = "common";
176 if (useTenant)
177 tenantid =
178 freerdp_settings_get_string(arm->context->settings, FreeRDP_GatewayAvdAadtenantid);
179
180 rdp->wellknown = freerdp_utils_aad_get_wellknown(arm->log, base, tenantid);
181 return rdp->wellknown ? TRUE : FALSE;
182}
183
184static wStream* arm_build_http_request(rdpArm* arm, const char* method,
185 TRANSFER_ENCODING transferEncoding, const char* content_type,
186 size_t content_length)
187{
188 wStream* s = NULL;
189 HttpRequest* request = NULL;
190 const char* uri = NULL;
191
192 WINPR_ASSERT(arm);
193 WINPR_ASSERT(method);
194 WINPR_ASSERT(content_type);
195
196 WINPR_ASSERT(arm->context);
197 WINPR_ASSERT(arm->context->rdp);
198
199 uri = http_context_get_uri(arm->http);
200 request = http_request_new();
201
202 if (!request)
203 return NULL;
204
205 if (!http_request_set_method(request, method) || !http_request_set_uri(request, uri))
206 goto out;
207
208 if (!freerdp_settings_get_string(arm->context->settings, FreeRDP_GatewayHttpExtAuthBearer))
209 {
210 char* token = NULL;
211
212 pGetCommonAccessToken GetCommonAccessToken = freerdp_get_common_access_token(arm->context);
213 if (!GetCommonAccessToken)
214 {
215 WLog_Print(arm->log, WLOG_ERROR, "No authorization token provided");
216 goto out;
217 }
218
219 if (!arm_fetch_wellknown(arm))
220 goto out;
221
222 if (!GetCommonAccessToken(arm->context, ACCESS_TOKEN_TYPE_AVD, &token, 0))
223 {
224 WLog_Print(arm->log, WLOG_ERROR, "Unable to obtain access token");
225 goto out;
226 }
227
228 if (!freerdp_settings_set_string(arm->context->settings, FreeRDP_GatewayHttpExtAuthBearer,
229 token))
230 {
231 free(token);
232 goto out;
233 }
234 free(token);
235 }
236
237 if (!http_request_set_auth_scheme(request, "Bearer") ||
238 !http_request_set_auth_param(
239 request,
240 freerdp_settings_get_string(arm->context->settings, FreeRDP_GatewayHttpExtAuthBearer)))
241 goto out;
242
243 if (!http_request_set_transfer_encoding(request, transferEncoding) ||
244 !http_request_set_content_length(request, content_length) ||
245 !http_request_set_content_type(request, content_type))
246 goto out;
247
248 s = http_request_write(arm->http, request);
249out:
250 http_request_free(request);
251
252 if (s)
253 Stream_SealLength(s);
254
255 return s;
256}
257
258static BOOL arm_send_http_request(rdpArm* arm, rdpTls* tls, const char* method,
259 const char* content_type, const char* data, size_t content_length)
260{
261 int status = -1;
262 wStream* s =
263 arm_build_http_request(arm, method, TransferEncodingIdentity, content_type, content_length);
264
265 if (!s)
266 return FALSE;
267
268 const size_t sz = Stream_Length(s);
269 status = freerdp_tls_write_all(tls, Stream_Buffer(s), sz);
270
271 Stream_Free(s, TRUE);
272 if (status >= 0 && content_length > 0 && data)
273 status = freerdp_tls_write_all(tls, (const BYTE*)data, content_length);
274
275 return (status >= 0);
276}
277
278static void arm_free(rdpArm* arm)
279{
280 if (!arm)
281 return;
282
283 freerdp_tls_free(arm->tls);
284 http_context_free(arm->http);
285
286 free(arm);
287}
288
289static rdpArm* arm_new(rdpContext* context)
290{
291 WINPR_ASSERT(context);
292
293 rdpArm* arm = (rdpArm*)calloc(1, sizeof(rdpArm));
294 if (!arm)
295 goto fail;
296
297 arm->log = WLog_Get(TAG);
298 arm->context = context;
299 arm->tls = freerdp_tls_new(context);
300 if (!arm->tls)
301 goto fail;
302
303 arm->http = http_context_new();
304
305 if (!arm->http)
306 goto fail;
307
308 return arm;
309
310fail:
311 arm_free(arm);
312 return NULL;
313}
314
315static char* arm_create_request_json(rdpArm* arm)
316{
317 char* lbi = NULL;
318 char* message = NULL;
319
320 WINPR_ASSERT(arm);
321
322 WINPR_JSON* json = WINPR_JSON_CreateObject();
323 if (!json)
324 goto arm_create_cleanup;
325 WINPR_JSON_AddStringToObject(
326 json, "application",
327 freerdp_settings_get_string(arm->context->settings, FreeRDP_RemoteApplicationProgram));
328
329 lbi = calloc(
330 freerdp_settings_get_uint32(arm->context->settings, FreeRDP_LoadBalanceInfoLength) + 1,
331 sizeof(char));
332 if (!lbi)
333 goto arm_create_cleanup;
334
335 const size_t len =
336 freerdp_settings_get_uint32(arm->context->settings, FreeRDP_LoadBalanceInfoLength);
337 memcpy(lbi, freerdp_settings_get_pointer(arm->context->settings, FreeRDP_LoadBalanceInfo), len);
338
339 WINPR_JSON_AddStringToObject(json, "loadBalanceInfo", lbi);
340 WINPR_JSON_AddNullToObject(json, "LogonToken");
341 WINPR_JSON_AddNullToObject(json, "gatewayLoadBalancerToken");
342
343 message = WINPR_JSON_PrintUnformatted(json);
344arm_create_cleanup:
345 if (json)
346 WINPR_JSON_Delete(json);
347 free(lbi);
348 return message;
349}
350
365static WINPR_CIPHER_CTX* treatAuthBlob(wLog* log, const BYTE* pbInput, size_t cbInput)
366{
367 WINPR_CIPHER_CTX* ret = NULL;
368 char algoName[100] = { 0 };
369
370 SSIZE_T algoSz = ConvertWCharNToUtf8((const WCHAR*)pbInput, cbInput / sizeof(WCHAR), algoName,
371 sizeof(algoName));
372 if (algoSz <= 0)
373 {
374 WLog_Print(log, WLOG_ERROR, "invalid algoName");
375 return NULL;
376 }
377
378 algoName[algoSz] = 0;
379 if (strcmp(algoName, "AES") != 0)
380 {
381 WLog_Print(log, WLOG_ERROR, "only AES is supported for now");
382 return NULL;
383 }
384
385 cbInput -= WINPR_ASSERTING_INT_CAST(size_t, (algoSz + 1)) * sizeof(WCHAR);
386
387 if (cbInput < 12)
388 {
389 WLog_Print(log, WLOG_ERROR, "invalid AuthBlob size");
390 return NULL;
391 }
392
393 /* BCRYPT_KEY_DATA_BLOB_HEADER */
394 wStream staticStream = { 0 };
395 wStream* s = Stream_StaticConstInit(
396 &staticStream, pbInput + WINPR_ASSERTING_INT_CAST(size_t, (algoSz + 1)) * sizeof(WCHAR),
397 cbInput);
398
399 UINT32 dwMagic = 0;
400 Stream_Read_UINT32(s, dwMagic);
401
402 if (dwMagic != BCRYPT_KEY_DATA_BLOB_MAGIC)
403 {
404 WLog_Print(log, WLOG_ERROR, "unsupported authBlob type");
405 return NULL;
406 }
407
408 UINT32 dwVersion = 0;
409 Stream_Read_UINT32(s, dwVersion);
410 if (dwVersion != BCRYPT_KEY_DATA_BLOB_VERSION1)
411 {
412 WLog_Print(log, WLOG_ERROR, "unsupported authBlob version %d, expecting %d", dwVersion,
413 BCRYPT_KEY_DATA_BLOB_VERSION1);
414 return NULL;
415 }
416
417 UINT32 cbKeyData = 0;
418 Stream_Read_UINT32(s, cbKeyData);
419 cbInput -= 12;
420
421 if (cbKeyData > cbInput)
422 {
423 WLog_Print(log, WLOG_ERROR, "invalid authBlob size");
424 return NULL;
425 }
426
427 WINPR_CIPHER_TYPE cipherType = 0;
428 switch (cbKeyData)
429 {
430 case 16:
431 cipherType = WINPR_CIPHER_AES_128_CBC;
432 break;
433 case 24:
434 cipherType = WINPR_CIPHER_AES_192_CBC;
435 break;
436 case 32:
437 cipherType = WINPR_CIPHER_AES_256_CBC;
438 break;
439 default:
440 WLog_Print(log, WLOG_ERROR, "invalid authBlob cipher size");
441 return NULL;
442 }
443
444 ret = winpr_Cipher_NewEx(cipherType, WINPR_ENCRYPT, Stream_Pointer(s), cbKeyData, NULL, 0);
445 if (!ret)
446 {
447 WLog_Print(log, WLOG_ERROR, "error creating cipher");
448 return NULL;
449 }
450
451 if (!winpr_Cipher_SetPadding(ret, TRUE))
452 {
453 WLog_Print(log, WLOG_ERROR, "unable to enable padding on cipher");
454 winpr_Cipher_Free(ret);
455 return NULL;
456 }
457
458 return ret;
459}
460
461static BOOL arm_stringEncodeW(const BYTE* pin, size_t cbIn, BYTE** ppOut, size_t* pcbOut)
462{
463 *ppOut = NULL;
464 *pcbOut = 0;
465
466 /* encode to base64 with crlf */
467 char* b64encoded = crypto_base64_encode_ex(pin, cbIn, TRUE);
468 if (!b64encoded)
469 return FALSE;
470
471 /* and then convert to Unicode */
472 size_t outSz = 0;
473 *ppOut = (BYTE*)ConvertUtf8NToWCharAlloc(b64encoded, strlen(b64encoded), &outSz);
474 free(b64encoded);
475
476 if (!*ppOut)
477 return FALSE;
478
479 *pcbOut = (outSz + 1) * sizeof(WCHAR);
480 return TRUE;
481}
482
483static BOOL arm_encodeRedirectPasswd(wLog* log, rdpSettings* settings, const rdpCertificate* cert,
484 WINPR_CIPHER_CTX* cipher)
485{
486 BOOL ret = FALSE;
487 BYTE* output = NULL;
488 BYTE* finalOutput = NULL;
489
490 /* let's prepare the encrypted password, first we do a
491 * cipheredPass = AES(redirectedAuthBlob, toUtf16(passwd))
492 */
493
494 size_t wpasswdLen = 0;
495 WCHAR* wpasswd = freerdp_settings_get_string_as_utf16(settings, FreeRDP_Password, &wpasswdLen);
496 if (!wpasswd)
497 {
498 WLog_Print(log, WLOG_ERROR, "error when converting password to UTF16");
499 return FALSE;
500 }
501
502 size_t wpasswdBytes = (wpasswdLen + 1) * sizeof(WCHAR);
503 BYTE* encryptedPass = calloc(1, wpasswdBytes + 16); /* 16: block size of AES (padding) */
504 size_t encryptedPassLen = 0;
505 size_t finalLen = 0;
506 if (!encryptedPass ||
507 !winpr_Cipher_Update(cipher, wpasswd, wpasswdBytes, encryptedPass, &encryptedPassLen) ||
508 !winpr_Cipher_Final(cipher, encryptedPass + encryptedPassLen, &finalLen))
509 {
510 WLog_Print(log, WLOG_ERROR, "error when ciphering password");
511 goto out;
512 }
513 encryptedPassLen += finalLen;
514
515 /* then encrypt(cipheredPass, publicKey(redirectedServerCert) */
516 size_t output_length = 0;
517
518 if (!freerdp_certificate_publickey_encrypt(cert, encryptedPass, encryptedPassLen, &output,
519 &output_length))
520 {
521 WLog_Print(log, WLOG_ERROR, "unable to encrypt with the server's public key");
522 goto out;
523 }
524
525 size_t finalOutputLen = 0;
526 if (!arm_stringEncodeW(output, output_length, &finalOutput, &finalOutputLen))
527 {
528 WLog_Print(log, WLOG_ERROR, "unable to base64+utf16 final blob");
529 goto out;
530 }
531
532 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionPassword, finalOutput,
533 finalOutputLen))
534 {
535 WLog_Print(log, WLOG_ERROR, "unable to set the redirection password in settings");
536 goto out;
537 }
538
539 settings->RdstlsSecurity = TRUE;
540 settings->AadSecurity = FALSE;
541 settings->NlaSecurity = FALSE;
542 settings->RdpSecurity = FALSE;
543 settings->TlsSecurity = FALSE;
544 settings->RedirectionFlags = LB_PASSWORD_IS_PK_ENCRYPTED;
545 ret = TRUE;
546out:
547 free(finalOutput);
548 free(output);
549 free(encryptedPass);
550 free(wpasswd);
551 return ret;
552}
553
558static BOOL arm_pick_base64Utf16Field(wLog* log, const WINPR_JSON* json, const char* name,
559 BYTE** poutput, size_t* plen)
560{
561 *poutput = NULL;
562 *plen = 0;
563
564 WINPR_JSON* node = WINPR_JSON_GetObjectItemCaseSensitive(json, name);
565 if (!node || !WINPR_JSON_IsString(node))
566 return TRUE;
567
568 const char* nodeValue = WINPR_JSON_GetStringValue(node);
569 if (!nodeValue)
570 return TRUE;
571
572 BYTE* output1 = NULL;
573 size_t len1 = 0;
574 crypto_base64_decode(nodeValue, strlen(nodeValue), &output1, &len1);
575 if (!output1 || !len1)
576 {
577 WLog_Print(log, WLOG_ERROR, "error when first unbase64 for %s", name);
578 free(output1);
579 return FALSE;
580 }
581
582 size_t len2 = 0;
583 char* output2 = ConvertWCharNToUtf8Alloc((WCHAR*)output1, len1 / sizeof(WCHAR), &len2);
584 free(output1);
585 if (!output2 || !len2)
586 {
587 WLog_Print(log, WLOG_ERROR, "error when decode('utf-16') for %s", name);
588 free(output2);
589 return FALSE;
590 }
591
592 BYTE* output = NULL;
593 crypto_base64_decode(output2, len2, &output, plen);
594 free(output2);
595 if (!output || !*plen)
596 {
597 WLog_Print(log, WLOG_ERROR, "error when second unbase64 for %s", name);
598 free(output);
599 return FALSE;
600 }
601
602 *poutput = output;
603 return TRUE;
604}
605
626static size_t arm_parse_ipvx_count(WINPR_JSON* ipvX)
627{
628 WINPR_ASSERT(ipvX);
629 WINPR_JSON* ipAddress = WINPR_JSON_GetObjectItem(ipvX, "ipAddress");
630 if (!ipAddress || !WINPR_JSON_IsArray(ipAddress))
631 return 0;
632 return WINPR_JSON_GetArraySize(ipAddress);
633}
634
635static BOOL arm_parse_ipv6(rdpSettings* settings, WINPR_JSON* ipv6, size_t* pAddressIdx)
636{
637 WINPR_ASSERT(settings);
638 WINPR_ASSERT(ipv6);
639 WINPR_ASSERT(pAddressIdx);
640
641 if (!freerdp_settings_get_bool(settings, FreeRDP_IPv6Enabled))
642 return TRUE;
643
644 WINPR_JSON* ipAddress = WINPR_JSON_GetObjectItem(ipv6, "ipAddress");
645 if (!ipAddress || !WINPR_JSON_IsArray(ipAddress))
646 return TRUE;
647 const size_t naddresses = WINPR_JSON_GetArraySize(ipAddress);
648 for (size_t j = 0; j < naddresses; j++)
649 {
650 WINPR_JSON* adressN = WINPR_JSON_GetArrayItem(ipAddress, j);
651 if (!adressN || !WINPR_JSON_IsString(adressN))
652 continue;
653
654 const char* addr = WINPR_JSON_GetStringValue(adressN);
655 if (utils_str_is_empty(addr))
656 continue;
657 if (!freerdp_settings_set_pointer_array(settings, FreeRDP_TargetNetAddresses,
658 (*pAddressIdx)++, addr))
659 return FALSE;
660 }
661 return TRUE;
662}
663
664static BOOL arm_parse_ipv4(rdpSettings* settings, WINPR_JSON* ipv4, size_t* pAddressIdx)
665{
666 WINPR_ASSERT(settings);
667 WINPR_ASSERT(ipv4);
668 WINPR_ASSERT(pAddressIdx);
669
670 WINPR_JSON* ipAddress = WINPR_JSON_GetObjectItem(ipv4, "ipAddress");
671 if (!ipAddress || !WINPR_JSON_IsArray(ipAddress))
672 return TRUE;
673
674 const size_t naddresses = WINPR_JSON_GetArraySize(ipAddress);
675 for (size_t j = 0; j < naddresses; j++)
676 {
677 WINPR_JSON* adressN = WINPR_JSON_GetArrayItem(ipAddress, j);
678 if (!adressN)
679 continue;
680
681 WINPR_JSON* publicIpNode = WINPR_JSON_GetObjectItem(adressN, "publicIpAddress");
682 if (publicIpNode && WINPR_JSON_IsString(publicIpNode))
683 {
684 const char* publicIp = WINPR_JSON_GetStringValue(publicIpNode);
685 if (!utils_str_is_empty(publicIp))
686 {
687 if (!freerdp_settings_set_pointer_array(settings, FreeRDP_TargetNetAddresses,
688 (*pAddressIdx)++, publicIp))
689 return FALSE;
690 }
691 }
692
693 WINPR_JSON* privateIpNode = WINPR_JSON_GetObjectItem(adressN, "privateIpAddress");
694 if (privateIpNode && WINPR_JSON_IsString(privateIpNode))
695 {
696 const char* privateIp = WINPR_JSON_GetStringValue(privateIpNode);
697 if (!utils_str_is_empty(privateIp))
698 {
699 if (!freerdp_settings_set_pointer_array(settings, FreeRDP_TargetNetAddresses,
700 (*pAddressIdx)++, privateIp))
701 return FALSE;
702 }
703 }
704 }
705 return TRUE;
706}
707
708static BOOL arm_treat_azureInstanceNetworkMetadata(wLog* log, const char* metadata,
709 rdpSettings* settings)
710{
711 BOOL ret = FALSE;
712
713 WINPR_ASSERT(settings);
714
715 if (!freerdp_target_net_adresses_reset(settings, 0))
716 return FALSE;
717
718 WINPR_JSON* json = WINPR_JSON_Parse(metadata);
719 if (!json)
720 {
721 WLog_Print(log, WLOG_ERROR, "invalid azureInstanceNetworkMetadata");
722 return FALSE;
723 }
724
725 WINPR_JSON* iface = WINPR_JSON_GetObjectItem(json, "interface");
726 if (!iface)
727 {
728 ret = TRUE;
729 goto out;
730 }
731
732 if (!WINPR_JSON_IsArray(iface))
733 {
734 WLog_Print(log, WLOG_ERROR, "expecting interface to be an Array");
735 goto out;
736 }
737
738 size_t interfaceSz = WINPR_JSON_GetArraySize(iface);
739 if (interfaceSz == 0)
740 {
741 WLog_WARN(TAG, "no addresses in azure instance metadata");
742 ret = TRUE;
743 goto out;
744 }
745
746 size_t count = 0;
747 for (size_t i = 0; i < interfaceSz; i++)
748 {
749 WINPR_JSON* interN = WINPR_JSON_GetArrayItem(iface, i);
750 if (!interN)
751 continue;
752
753 WINPR_JSON* ipv6 = WINPR_JSON_GetObjectItem(interN, "ipv6");
754 if (ipv6)
755 count += arm_parse_ipvx_count(ipv6);
756
757 WINPR_JSON* ipv4 = WINPR_JSON_GetObjectItem(interN, "ipv4");
758 if (ipv4)
759 count += arm_parse_ipvx_count(ipv4);
760 }
761
762 if (!freerdp_target_net_adresses_reset(settings, count))
763 return FALSE;
764
765 size_t addressIdx = 0;
766 for (size_t i = 0; i < interfaceSz; i++)
767 {
768 WINPR_JSON* interN = WINPR_JSON_GetArrayItem(iface, i);
769 if (!interN)
770 continue;
771
772 WINPR_JSON* ipv6 = WINPR_JSON_GetObjectItem(interN, "ipv6");
773 if (ipv6)
774 {
775 if (!arm_parse_ipv6(settings, ipv6, &addressIdx))
776 goto out;
777 }
778
779 WINPR_JSON* ipv4 = WINPR_JSON_GetObjectItem(interN, "ipv4");
780 if (ipv4)
781 {
782 if (!arm_parse_ipv4(settings, ipv4, &addressIdx))
783 goto out;
784 }
785 }
786 if (addressIdx > UINT32_MAX)
787 goto out;
788
789 if (!freerdp_settings_set_uint32(settings, FreeRDP_TargetNetAddressCount, (UINT32)addressIdx))
790 goto out;
791
792 ret = freerdp_settings_get_uint32(settings, FreeRDP_TargetNetAddressCount) > 0;
793
794out:
795 WINPR_JSON_Delete(json);
796 return ret;
797}
798
799static BOOL arm_fill_rdstls(rdpArm* arm, rdpSettings* settings, const WINPR_JSON* json)
800{
801 BOOL ret = TRUE;
802 BYTE* cert = NULL;
803 BYTE* authBlob = NULL;
804 rdpCertificate* redirectedServerCert = NULL;
805
806 do
807 {
808 /* redirectedAuthGuid */
809 WINPR_JSON* redirectedAuthGuidNode =
810 WINPR_JSON_GetObjectItemCaseSensitive(json, "redirectedAuthGuid");
811 if (!redirectedAuthGuidNode || !WINPR_JSON_IsString(redirectedAuthGuidNode))
812 break;
813
814 const char* redirectedAuthGuid = WINPR_JSON_GetStringValue(redirectedAuthGuidNode);
815 if (!redirectedAuthGuid)
816 break;
817
818 WCHAR wGUID[72] = {
819 0
820 }; /* A GUID string is between 32 and 68 characters as string, depending on representation.
821 Add a few extra bytes for braces et al */
822 const SSIZE_T wGUID_len = ConvertUtf8ToWChar(redirectedAuthGuid, wGUID, ARRAYSIZE(wGUID));
823 if (wGUID_len < 0)
824 {
825 WLog_Print(arm->log, WLOG_ERROR, "unable to allocate space for redirectedAuthGuid");
826 ret = FALSE;
827 goto endOfFunction;
828 }
829
830 BOOL status = freerdp_settings_set_pointer_len(
831 settings, FreeRDP_RedirectionGuid, wGUID,
832 WINPR_ASSERTING_INT_CAST(size_t, (wGUID_len + 1)) * sizeof(WCHAR));
833 if (!status)
834 {
835 WLog_Print(arm->log, WLOG_ERROR, "unable to set RedirectionGuid");
836 ret = FALSE;
837 goto endOfFunction;
838 }
839
840 /* redirectedServerCert */
841 size_t certLen = 0;
842 if (!arm_pick_base64Utf16Field(arm->log, json, "redirectedServerCert", &cert, &certLen))
843 break;
844
845 if (!rdp_redirection_read_target_cert(&redirectedServerCert, cert, certLen))
846 break;
847
848 /* redirectedAuthBlob */
849 size_t authBlobLen = 0;
850 if (!arm_pick_base64Utf16Field(arm->log, json, "redirectedAuthBlob", &authBlob,
851 &authBlobLen))
852 break;
853
854 WINPR_CIPHER_CTX* cipher = treatAuthBlob(arm->log, authBlob, authBlobLen);
855 if (!cipher)
856 break;
857
858 const BOOL rerp =
859 arm_encodeRedirectPasswd(arm->log, settings, redirectedServerCert, cipher);
860 winpr_Cipher_Free(cipher);
861 if (!rerp)
862 break;
863
864 ret = TRUE;
865 } while (FALSE);
866
867 free(cert);
868 freerdp_certificate_free(redirectedServerCert);
869 free(authBlob);
870
871endOfFunction:
872 return ret;
873}
874
875static BOOL arm_fill_gateway_parameters(rdpArm* arm, const char* message, size_t len)
876{
877 WINPR_ASSERT(arm);
878 WINPR_ASSERT(arm->context);
879 WINPR_ASSERT(message);
880
881 WINPR_JSON* json = WINPR_JSON_ParseWithLength(message, len);
882 BOOL status = FALSE;
883 if (!json)
884 return FALSE;
885
886 rdpSettings* settings = arm->context->settings;
887 WINPR_JSON* gwurl = WINPR_JSON_GetObjectItemCaseSensitive(json, "gatewayLocation");
888 const char* gwurlstr = WINPR_JSON_GetStringValue(gwurl);
889 if (gwurlstr != NULL)
890 {
891 WLog_Print(arm->log, WLOG_DEBUG, "extracted target url %s", gwurlstr);
892 if (!freerdp_settings_set_string(settings, FreeRDP_GatewayUrl, gwurlstr))
893 status = FALSE;
894 else
895 status = TRUE;
896 }
897
898 WINPR_JSON* serverNameNode = WINPR_JSON_GetObjectItem(json, "redirectedServerName");
899 if (serverNameNode)
900 {
901 const char* serverName = WINPR_JSON_GetStringValue(serverNameNode);
902 if (serverName)
903 status = freerdp_settings_set_string(settings, FreeRDP_ServerHostname, serverName);
904 }
905
906 WINPR_JSON* azureMeta = WINPR_JSON_GetObjectItem(json, "azureInstanceNetworkMetadata");
907 if (azureMeta && WINPR_JSON_IsString(azureMeta))
908 {
909 if (!arm_treat_azureInstanceNetworkMetadata(arm->log, WINPR_JSON_GetStringValue(azureMeta),
910 settings))
911 {
912 WLog_Print(arm->log, WLOG_ERROR, "error when treating azureInstanceNetworkMetadata");
913 }
914 }
915
916 if (freerdp_settings_get_string(settings, FreeRDP_Password))
917 {
918 /* note: we retrieve some more fields for RDSTLS only if we have a password provided by the
919 * user, otherwise these are useless: we will not be able to do RDSTLS
920 */
921 status = arm_fill_rdstls(arm, settings, json);
922 }
923
924 WINPR_JSON_Delete(json);
925 return status;
926}
927
928static BOOL arm_handle_request_ok(rdpArm* arm, const HttpResponse* response)
929{
930 const size_t len = http_response_get_body_length(response);
931 const char* msg = (const char*)http_response_get_body(response);
932 if (strnlen(msg, len + 1) > len)
933 return FALSE;
934
935 WLog_Print(arm->log, WLOG_DEBUG, "Got HTTP Response data: %s", msg);
936 return arm_fill_gateway_parameters(arm, msg, len);
937}
938
939static BOOL arm_handle_bad_request(rdpArm* arm, const HttpResponse* response, BOOL* retry)
940{
941 WINPR_ASSERT(response);
942 WINPR_ASSERT(retry);
943
944 *retry = FALSE;
945
946 BOOL rc = FALSE;
947
948 const size_t len = http_response_get_body_length(response);
949 const char* msg = (const char*)http_response_get_body(response);
950 if (strnlen(msg, len + 1) > len)
951 return FALSE;
952
953 WLog_Print(arm->log, WLOG_DEBUG, "Got HTTP Response data: %s", msg);
954
955 WINPR_JSON* json = WINPR_JSON_ParseWithLength(msg, len);
956 if (json == NULL)
957 {
958 const char* error_ptr = WINPR_JSON_GetErrorPtr();
959 if (error_ptr != NULL)
960 WLog_Print(arm->log, WLOG_ERROR, "NullPoException: %s", error_ptr);
961
962 return FALSE;
963 }
964
965 WINPR_JSON* gateway_code_obj = WINPR_JSON_GetObjectItemCaseSensitive(json, "Code");
966 const char* gw_code_str = WINPR_JSON_GetStringValue(gateway_code_obj);
967 if (gw_code_str == NULL)
968 {
969 WLog_Print(arm->log, WLOG_ERROR, "Response has no \"Code\" property");
970 http_response_log_error_status(WLog_Get(TAG), WLOG_ERROR, response);
971 goto fail;
972 }
973
974 if (strcmp(gw_code_str, "E_PROXY_ORCHESTRATION_LB_SESSIONHOST_DEALLOCATED") == 0)
975 {
976 *retry = TRUE;
977 WINPR_JSON* message = WINPR_JSON_GetObjectItemCaseSensitive(json, "Message");
978 const char* msgstr = WINPR_JSON_GetStringValue(message);
979 if (!msgstr)
980 WLog_WARN(TAG, "Starting your VM. It may take up to 5 minutes");
981 else
982 WLog_WARN(TAG, "%s", msgstr);
983 }
984 else
985 {
986 http_response_log_error_status(WLog_Get(TAG), WLOG_ERROR, response);
987 goto fail;
988 }
989
990 rc = TRUE;
991fail:
992 WINPR_JSON_Delete(json);
993 return rc;
994}
995
996static BOOL arm_handle_request(rdpArm* arm, BOOL* retry, DWORD timeout)
997{
998 WINPR_ASSERT(retry);
999
1000 if (!arm_fetch_wellknown(arm))
1001 {
1002 *retry = TRUE;
1003 return FALSE;
1004 }
1005
1006 *retry = FALSE;
1007
1008 char* message = NULL;
1009 BOOL rc = FALSE;
1010
1011 HttpResponse* response = NULL;
1012 long StatusCode = 0;
1013
1014 if (!http_context_set_uri(arm->http, "/api/arm/v2/connections/") ||
1015 !http_context_set_accept(arm->http, "application/json") ||
1016 !http_context_set_cache_control(arm->http, "no-cache") ||
1017 !http_context_set_pragma(arm->http, "no-cache") ||
1018 !http_context_set_connection(arm->http, "Keep-Alive") ||
1019 !http_context_set_user_agent(arm->http, FREERDP_USER_AGENT) ||
1020 !http_context_set_x_ms_user_agent(arm->http, FREERDP_USER_AGENT) ||
1021 !http_context_set_host(arm->http, freerdp_settings_get_string(arm->context->settings,
1022 FreeRDP_GatewayHostname)))
1023 goto arm_error;
1024
1025 if (!arm_tls_connect(arm, arm->tls, timeout))
1026 goto arm_error;
1027
1028 message = arm_create_request_json(arm);
1029 if (!message)
1030 goto arm_error;
1031
1032 if (!arm_send_http_request(arm, arm->tls, "POST", "application/json", message, strlen(message)))
1033 goto arm_error;
1034
1035 response = http_response_recv(arm->tls, TRUE);
1036 if (!response)
1037 goto arm_error;
1038
1039 StatusCode = http_response_get_status_code(response);
1040 if (StatusCode == HTTP_STATUS_OK)
1041 {
1042 if (!arm_handle_request_ok(arm, response))
1043 goto arm_error;
1044 }
1045 else if (StatusCode == HTTP_STATUS_BAD_REQUEST)
1046 {
1047 if (!arm_handle_bad_request(arm, response, retry))
1048 goto arm_error;
1049 }
1050 else
1051 {
1052 http_response_log_error_status(WLog_Get(TAG), WLOG_ERROR, response);
1053 goto arm_error;
1054 }
1055
1056 rc = TRUE;
1057arm_error:
1058 http_response_free(response);
1059 free(message);
1060 return rc;
1061}
1062
1063#endif
1064
1065BOOL arm_resolve_endpoint(wLog* log, rdpContext* context, DWORD timeout)
1066{
1067#ifndef WITH_AAD
1068 WLog_Print(log, WLOG_ERROR, "arm gateway support not compiled in");
1069 return FALSE;
1070#else
1071
1072 if (!context)
1073 return FALSE;
1074
1075 if (!context->settings)
1076 return FALSE;
1077
1078 if ((freerdp_settings_get_uint32(context->settings, FreeRDP_LoadBalanceInfoLength) == 0) ||
1079 (freerdp_settings_get_string(context->settings, FreeRDP_RemoteApplicationProgram) == NULL))
1080 {
1081 WLog_Print(log, WLOG_ERROR, "loadBalanceInfo and RemoteApplicationProgram needed");
1082 return FALSE;
1083 }
1084
1085 rdpArm* arm = arm_new(context);
1086 if (!arm)
1087 return FALSE;
1088
1089 BOOL retry = FALSE;
1090 BOOL rc = FALSE;
1091 do
1092 {
1093 if (retry && rc)
1094 {
1095 freerdp* instance = context->instance;
1096 WINPR_ASSERT(instance);
1097 SSIZE_T delay = IFCALLRESULT(-1, instance->RetryDialog, instance, "arm-transport",
1098 arm->gateway_retry, arm);
1099 arm->gateway_retry++;
1100 if (delay <= 0)
1101 break; /* error or no retry desired, abort loop */
1102 else
1103 {
1104 WLog_Print(arm->log, WLOG_DEBUG, "Delay for %" PRIdz "ms before next attempt",
1105 delay);
1106 while (delay > 0)
1107 {
1108 DWORD slp = (UINT32)delay;
1109 if (delay > UINT32_MAX)
1110 slp = UINT32_MAX;
1111 Sleep(slp);
1112 delay -= slp;
1113 }
1114 }
1115 }
1116 rc = arm_handle_request(arm, &retry, timeout);
1117
1118 } while (retry && rc);
1119 arm_free(arm);
1120 return rc;
1121#endif
1122}
WINPR_JSON_GetObjectItem
WINPR_API WINPR_JSON * WINPR_JSON_GetObjectItem(const WINPR_JSON *object, const char *string)
Return a pointer to an JSON object item.
Definition json.c:184
WINPR_JSON_IsString
WINPR_API BOOL WINPR_JSON_IsString(const WINPR_JSON *item)
Check if JSON item is of type String.
Definition json.c:349
WINPR_JSON_CreateObject
WINPR_API WINPR_JSON * WINPR_JSON_CreateObject(void)
WINPR_JSON_CreateObject.
Definition json.c:465
WINPR_JSON_GetArrayItem
WINPR_API WINPR_JSON * WINPR_JSON_GetArrayItem(const WINPR_JSON *array, size_t index)
Return a pointer to an item in the array.
Definition json.c:155
WINPR_JSON_GetObjectItemCaseSensitive
WINPR_API WINPR_JSON * WINPR_JSON_GetObjectItemCaseSensitive(const WINPR_JSON *object, const char *string)
Same as WINPR_JSON_GetObjectItem but with case insensitive matching.
Definition json.c:197
WINPR_JSON_AddStringToObject
WINPR_API WINPR_JSON * WINPR_JSON_AddStringToObject(WINPR_JSON *object, const char *name, const char *string)
WINPR_JSON_AddStringToObject.
Definition json.c:573
WINPR_JSON_ParseWithLength
WINPR_API WINPR_JSON * WINPR_JSON_ParseWithLength(const char *value, size_t buffer_length)
Parse a JSON string.
Definition json.c:125
WINPR_JSON_PrintUnformatted
WINPR_API char * WINPR_JSON_PrintUnformatted(WINPR_JSON *item)
Serialize a JSON instance to string without formatting for human readable formatted output see WINPR_...
Definition json.c:669
WINPR_JSON_GetStringValue
WINPR_API const char * WINPR_JSON_GetStringValue(WINPR_JSON *item)
Return the String value of a JSON item.
Definition json.c:234
WINPR_JSON_AddNullToObject
WINPR_API WINPR_JSON * WINPR_JSON_AddNullToObject(WINPR_JSON *object, const char *name)
WINPR_JSON_AddNullToObject.
Definition json.c:476
WINPR_JSON_Delete
WINPR_API void WINPR_JSON_Delete(WINPR_JSON *item)
Delete a WinPR JSON wrapper object.
Definition json.c:144
WINPR_JSON_GetArraySize
WINPR_API size_t WINPR_JSON_GetArraySize(const WINPR_JSON *array)
Get the number of arrayitems from an array.
Definition json.c:169
WINPR_JSON_IsArray
WINPR_API BOOL WINPR_JSON_IsArray(const WINPR_JSON *item)
Check if JSON item is of type Array.
Definition json.c:361
WINPR_JSON_GetErrorPtr
WINPR_API const char * WINPR_JSON_GetErrorPtr(void)
Return an error string.
Definition json.c:223
WINPR_JSON_Parse
WINPR_API WINPR_JSON * WINPR_JSON_Parse(const char *value)
Parse a '\0' terminated JSON string.
Definition json.c:113
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
freerdp_settings_set_string
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3690
freerdp_settings_get_bool
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
freerdp_settings_set_pointer_len
FREERDP_API BOOL freerdp_settings_set_pointer_len(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data, size_t len)
Set a pointer to value data.
Definition common/settings.c:1415
freerdp_settings_get_string_as_utf16
FREERDP_API WCHAR * freerdp_settings_get_string_as_utf16(const rdpSettings *settings, FreeRDP_Settings_Keys_String id, size_t *pCharLen)
Return an allocated UTF16 string.
Definition common/settings.c:2271
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition common/settings.c:1403
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
freerdp_settings_get_string
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.