FreeRDP
connection.c
1 /*
2  * FreeRDP: A Remote Desktop Protocol Implementation
3  * Connection Sequence
4  *
5  * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
6  * Copyright 2015 Thincast Technologies GmbH
7  * Copyright 2015 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
8  * Copyright 2023 Armin Novak <anovak@thincast.com>
9  * Copyright 2023 Thincast Technologies GmbH
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 
24 #include <freerdp/config.h>
25 
26 #include "settings.h"
27 
28 #include "info.h"
29 #include "input.h"
30 #include "rdp.h"
31 #include "peer.h"
32 
33 #include "connection.h"
34 #include "transport.h"
35 
36 #include <winpr/crt.h>
37 #include <winpr/crypto.h>
38 #include <winpr/ssl.h>
39 
40 #include <freerdp/log.h>
41 #include <freerdp/error.h>
42 #include <freerdp/listener.h>
43 
44 #include "../cache/pointer.h"
45 #include "../crypto/crypto.h"
46 #include "../crypto/privatekey.h"
47 #include "../crypto/certificate.h"
48 #include "gateway/arm.h"
49 
50 #include "utils.h"
51 
52 #define TAG FREERDP_TAG("core.connection")
53 
197 static BOOL rdp_set_state(rdpRdp* rdp, CONNECTION_STATE state);
198 
199 static BOOL rdp_client_reset_codecs(rdpContext* context)
200 {
201  rdpSettings* settings = NULL;
202 
203  if (!context || !context->settings)
204  return FALSE;
205 
206  settings = context->settings;
207 
208  if (!freerdp_settings_get_bool(settings, FreeRDP_DeactivateClientDecoding))
209  {
210  const UINT32 flags = freerdp_settings_get_uint32(settings, FreeRDP_ThreadingFlags);
211  freerdp_client_codecs_free(context->codecs);
212  context->codecs = freerdp_client_codecs_new(flags);
213 
214  if (!context->codecs)
215  return FALSE;
216 
217  if (!freerdp_client_codecs_prepare(context->codecs,
218  freerdp_settings_get_codecs_flags(settings),
219  settings->DesktopWidth, settings->DesktopHeight))
220  return FALSE;
221 
222 /* Runtime H264 detection. (only available if dynamic backend loading is defined)
223  * If no backend is available disable it before the channel is loaded.
224  */
225 #if defined(WITH_GFX_H264) && defined(WITH_OPENH264_LOADING)
226  if (!context->codecs->h264)
227  {
228  settings->GfxH264 = FALSE;
229  settings->GfxAVC444 = FALSE;
230  settings->GfxAVC444v2 = FALSE;
231  }
232 #endif
233  }
234 
235  return TRUE;
236 }
237 
238 static BOOL rdp_client_wait_for_activation(rdpRdp* rdp)
239 {
240  BOOL timedout = FALSE;
241  WINPR_ASSERT(rdp);
242 
243  const rdpSettings* settings = rdp->settings;
244  WINPR_ASSERT(settings);
245 
246  UINT64 now = GetTickCount64();
247  UINT64 dueDate = now + freerdp_settings_get_uint32(settings, FreeRDP_TcpAckTimeout);
248 
249  for (; (now < dueDate) && !timedout; now = GetTickCount64())
250  {
251  HANDLE events[MAXIMUM_WAIT_OBJECTS] = { 0 };
252  DWORD wstatus = 0;
253  DWORD nevents = freerdp_get_event_handles(rdp->context, events, ARRAYSIZE(events));
254  if (!nevents)
255  {
256  WLog_ERR(TAG, "error retrieving connection events");
257  return FALSE;
258  }
259 
260  const UINT64 timeout = (dueDate - now);
261  WINPR_ASSERT(timeout <= UINT32_MAX);
262  wstatus = WaitForMultipleObjectsEx(nevents, events, FALSE, (UINT32)timeout, TRUE);
263  switch (wstatus)
264  {
265  case WAIT_TIMEOUT:
266  /* will make us quit with a timeout */
267  timedout = TRUE;
268  break;
269  case WAIT_ABANDONED:
270  case WAIT_FAILED:
271  return FALSE;
272  case WAIT_IO_COMPLETION:
273  break;
274  case WAIT_OBJECT_0:
275  default:
276  /* handles all WAIT_OBJECT_0 + [0 .. MAXIMUM_WAIT_OBJECTS-1] cases */
277  if (rdp_check_fds(rdp) < 0)
278  {
279  freerdp_set_last_error_if_not(rdp->context,
280  FREERDP_ERROR_CONNECT_TRANSPORT_FAILED);
281  return FALSE;
282  }
283  break;
284  }
285 
286  if (rdp_is_active_state(rdp))
287  return TRUE;
288  }
289 
290  WLog_ERR(TAG, "Timeout waiting for activation");
291  freerdp_set_last_error_if_not(rdp->context, FREERDP_ERROR_CONNECT_ACTIVATION_TIMEOUT);
292  return FALSE;
293 }
301 BOOL rdp_client_connect(rdpRdp* rdp)
302 {
303  UINT32 SelectedProtocol = 0;
304  BOOL status = 0;
305  rdpSettings* settings = NULL;
306  /* make sure SSL is initialize for earlier enough for crypto, by taking advantage of winpr SSL
307  * FIPS flag for openssl initialization */
308  DWORD flags = WINPR_SSL_INIT_DEFAULT;
309 
310  WINPR_ASSERT(rdp);
311 
312  settings = rdp->settings;
313  WINPR_ASSERT(settings);
314 
315  if (!rdp_client_reset_codecs(rdp->context))
316  return FALSE;
317 
318  if (settings->FIPSMode)
319  flags |= WINPR_SSL_INIT_ENABLE_FIPS;
320 
321  winpr_InitializeSSL(flags);
322  rdp_log_build_warnings(rdp);
323 
324  /* FIPS Mode forces the following and overrides the following(by happening later */
325  /* in the command line processing): */
326  /* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses
327  * algorithms */
328  /* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
329  /* 2. Forces the only supported RDP encryption method to be FIPS. */
330  if (settings->FIPSMode || winpr_FIPSMode())
331  {
332  settings->NlaSecurity = FALSE;
333  settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
334  }
335 
336  UINT32 TcpConnectTimeout = freerdp_settings_get_uint32(settings, FreeRDP_TcpConnectTimeout);
337  if (settings->GatewayArmTransport)
338  {
339  if (!arm_resolve_endpoint(rdp->log, rdp->context, TcpConnectTimeout))
340  {
341  WLog_ERR(TAG, "error retrieving ARM configuration");
342  return FALSE;
343  }
344  }
345 
346  const char* hostname = settings->ServerHostname;
347  if (!hostname)
348  {
349  WLog_ERR(TAG, "Missing hostname, can not connect to NULL target");
350  return FALSE;
351  }
352 
353  const UINT32 port = settings->ServerPort;
354  WINPR_ASSERT(port <= UINT32_MAX);
355 
356  nego_init(rdp->nego);
357  nego_set_target(rdp->nego, hostname, (UINT16)port);
358 
359  if (settings->GatewayEnabled)
360  {
361  char* user = NULL;
362  char* domain = NULL;
363  size_t user_length = 0;
364 
365  if (settings->Username)
366  {
367  user = settings->Username;
368  user_length = strlen(settings->Username);
369  }
370 
371  if (settings->Domain)
372  domain = settings->Domain;
373  else
374  domain = settings->ComputerName;
375 
376  const size_t domain_length = strlen(domain);
377  const size_t cookie_length = domain_length + 1 + user_length;
378  char* cookie = malloc(cookie_length + 1);
379 
380  if (!cookie)
381  return FALSE;
382 
383  CopyMemory(cookie, domain, domain_length);
384  WINPR_ASSERT(domain_length <= UINT32_MAX);
385  CharUpperBuffA(cookie, (UINT32)domain_length);
386  cookie[domain_length] = '\\';
387 
388  if (settings->Username)
389  CopyMemory(&cookie[domain_length + 1], user, user_length);
390 
391  cookie[cookie_length] = '\0';
392  status = nego_set_cookie(rdp->nego, cookie);
393  free(cookie);
394  }
395  else
396  {
397  status = nego_set_cookie(rdp->nego, settings->Username);
398  }
399 
400  if (!status)
401  return FALSE;
402 
403  nego_set_childsession_enabled(rdp->nego, settings->ConnectChildSession);
404  nego_set_send_preconnection_pdu(rdp->nego, settings->SendPreconnectionPdu);
405  nego_set_preconnection_id(rdp->nego, settings->PreconnectionId);
406  nego_set_preconnection_blob(rdp->nego, settings->PreconnectionBlob);
407  nego_set_negotiation_enabled(rdp->nego, settings->NegotiateSecurityLayer);
408  nego_set_restricted_admin_mode_required(rdp->nego, settings->RestrictedAdminModeRequired);
409  nego_set_RCG_required(rdp->nego, settings->RemoteCredentialGuard);
410  nego_set_gateway_enabled(rdp->nego, settings->GatewayEnabled);
411  nego_set_gateway_bypass_local(rdp->nego, settings->GatewayBypassLocal);
412  nego_enable_rdp(rdp->nego, settings->RdpSecurity);
413  nego_enable_tls(rdp->nego, settings->TlsSecurity);
414  nego_enable_nla(rdp->nego, settings->NlaSecurity);
415  nego_enable_ext(rdp->nego, settings->ExtSecurity);
416  nego_enable_rdstls(rdp->nego, settings->RdstlsSecurity);
417  nego_enable_aad(rdp->nego, settings->AadSecurity);
418 
419  if (settings->MstscCookieMode)
420  settings->CookieMaxLength = MSTSC_COOKIE_MAX_LENGTH;
421 
422  nego_set_cookie_max_length(rdp->nego, settings->CookieMaxLength);
423 
424  if (settings->LoadBalanceInfo && (settings->LoadBalanceInfoLength > 0))
425  {
426  if (!nego_set_routing_token(rdp->nego, settings->LoadBalanceInfo,
427  settings->LoadBalanceInfoLength))
428  return FALSE;
429  }
430 
431  if (!freerdp_settings_get_bool(settings, FreeRDP_TransportDumpReplay))
432  {
433  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_NEGO))
434  return FALSE;
435 
436  if (!nego_connect(rdp->nego))
437  {
438  if (!freerdp_get_last_error(rdp->context))
439  {
440  freerdp_set_last_error_log(rdp->context,
441  FREERDP_ERROR_SECURITY_NEGO_CONNECT_FAILED);
442  WLog_ERR(TAG, "Error: protocol security negotiation or connection failure");
443  }
444 
445  return FALSE;
446  }
447 
448  SelectedProtocol = nego_get_selected_protocol(rdp->nego);
449 
450  if ((SelectedProtocol & PROTOCOL_SSL) || (SelectedProtocol == PROTOCOL_RDP) ||
451  (SelectedProtocol == PROTOCOL_RDSTLS))
452  {
453  wStream s = { 0 };
454 
455  if ((settings->Username != NULL) &&
456  ((freerdp_settings_get_string(settings, FreeRDP_Password) != NULL) ||
457  (settings->RedirectionPassword != NULL &&
458  settings->RedirectionPasswordLength > 0)))
459  settings->AutoLogonEnabled = TRUE;
460 
461  if (rdp_recv_callback(rdp->transport, &s, rdp) < 0)
462  return FALSE;
463  }
464 
465  transport_set_blocking_mode(rdp->transport, FALSE);
466  }
467  else
468  {
469  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CREATE_REQUEST))
470  return FALSE;
471  }
472 
473  /* everything beyond this point is event-driven and non blocking */
474  if (!transport_set_recv_callbacks(rdp->transport, rdp_recv_callback, rdp))
475  return FALSE;
476 
477  return rdp_client_wait_for_activation(rdp);
478 }
479 
480 BOOL rdp_client_disconnect(rdpRdp* rdp)
481 {
482  rdpContext* context = NULL;
483 
484  if (!rdp || !rdp->settings || !rdp->context)
485  return FALSE;
486 
487  context = rdp->context;
488 
489  if (rdp->nego)
490  {
491  if (!nego_disconnect(rdp->nego))
492  return FALSE;
493  }
494 
495  if (!transport_disconnect(rdp->transport))
496  return FALSE;
497 
498  if (!rdp_reset(rdp))
499  return FALSE;
500 
501  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_INITIAL))
502  return FALSE;
503 
504  if (freerdp_channels_disconnect(context->channels, context->instance) != CHANNEL_RC_OK)
505  return FALSE;
506 
507  freerdp_client_codecs_free(context->codecs);
508  context->codecs = NULL;
509  return TRUE;
510 }
511 
512 BOOL rdp_client_disconnect_and_clear(rdpRdp* rdp)
513 {
514  rdpContext* context = NULL;
515 
516  if (!rdp_client_disconnect(rdp))
517  return FALSE;
518 
519  WINPR_ASSERT(rdp);
520 
521  context = rdp->context;
522  WINPR_ASSERT(context);
523 
524  if (freerdp_get_last_error(context) == FREERDP_ERROR_CONNECT_CANCELLED)
525  return FALSE;
526 
527  context->LastError = FREERDP_ERROR_SUCCESS;
528  clearChannelError(context);
529  return utils_reset_abort(rdp);
530 }
531 
532 static BOOL rdp_client_reconnect_channels(rdpRdp* rdp, BOOL redirect)
533 {
534  BOOL status = FALSE;
535  rdpContext* context = NULL;
536 
537  if (!rdp || !rdp->context || !rdp->context->channels)
538  return FALSE;
539 
540  context = rdp->context;
541 
542  if (context->instance->ConnectionCallbackState == CLIENT_STATE_INITIAL)
543  return FALSE;
544 
545  if (context->instance->ConnectionCallbackState == CLIENT_STATE_PRECONNECT_PASSED)
546  {
547  if (redirect)
548  return TRUE;
549 
550  pointer_cache_register_callbacks(context->update);
551 
552  if (!IFCALLRESULT(FALSE, context->instance->PostConnect, context->instance))
553  return FALSE;
554 
555  context->instance->ConnectionCallbackState = CLIENT_STATE_POSTCONNECT_PASSED;
556  }
557 
558  if (context->instance->ConnectionCallbackState == CLIENT_STATE_POSTCONNECT_PASSED)
559  status =
560  (freerdp_channels_post_connect(context->channels, context->instance) == CHANNEL_RC_OK);
561 
562  return status;
563 }
564 
565 static BOOL rdp_client_redirect_resolvable(const char* host)
566 {
567  struct addrinfo* result = freerdp_tcp_resolve_host(host, -1, 0);
568 
569  if (!result)
570  return FALSE;
571 
572  freeaddrinfo(result);
573  return TRUE;
574 }
575 
576 static BOOL rdp_client_redirect_try_fqdn(rdpSettings* settings)
577 {
578  if (settings->RedirectionFlags & LB_TARGET_FQDN)
579  {
580  if (settings->GatewayEnabled ||
581  rdp_client_redirect_resolvable(settings->RedirectionTargetFQDN))
582  {
583  if (!freerdp_settings_set_string(settings, FreeRDP_ServerHostname,
584  settings->RedirectionTargetFQDN))
585  return FALSE;
586 
587  return TRUE;
588  }
589  }
590 
591  return FALSE;
592 }
593 
594 static BOOL rdp_client_redirect_try_ip(rdpSettings* settings)
595 {
596  if (settings->RedirectionFlags & LB_TARGET_NET_ADDRESS)
597  {
598  if (!freerdp_settings_set_string(settings, FreeRDP_ServerHostname,
599  settings->TargetNetAddress))
600  return FALSE;
601 
602  return TRUE;
603  }
604 
605  return FALSE;
606 }
607 
608 static BOOL rdp_client_redirect_try_netbios(rdpSettings* settings)
609 {
610  if (settings->RedirectionFlags & LB_TARGET_NETBIOS_NAME)
611  {
612  if (settings->GatewayEnabled ||
613  rdp_client_redirect_resolvable(settings->RedirectionTargetNetBiosName))
614  {
615  if (!freerdp_settings_set_string(settings, FreeRDP_ServerHostname,
616  settings->RedirectionTargetNetBiosName))
617  return FALSE;
618 
619  return TRUE;
620  }
621  }
622 
623  return FALSE;
624 }
625 
626 BOOL rdp_client_redirect(rdpRdp* rdp)
627 {
628  BOOL status = 0;
629  rdpSettings* settings = NULL;
630 
631  if (!rdp_client_disconnect_and_clear(rdp))
632  return FALSE;
633 
634  /* Only disconnect & close the channels here.
635  * they will be discarded and recreated after the new settings have been applied. */
636  freerdp_channels_disconnect(rdp->context->channels, rdp->context->instance);
637  freerdp_channels_close(rdp->context->channels, rdp->context->instance);
638 
639  if (rdp_redirection_apply_settings(rdp) != 0)
640  return FALSE;
641 
642  WINPR_ASSERT(rdp);
643 
644  settings = rdp->settings;
645  WINPR_ASSERT(settings);
646 
647  if ((settings->RedirectionFlags & LB_LOAD_BALANCE_INFO) == 0)
648  {
649  BOOL haveRedirectAddress = FALSE;
650  UINT32 redirectionMask = settings->RedirectionPreferType;
651 
652  do
653  {
654  const BOOL tryFQDN = (redirectionMask & 0x01) == 0;
655  const BOOL tryNetAddress = (redirectionMask & 0x02) == 0;
656  const BOOL tryNetbios = (redirectionMask & 0x04) == 0;
657 
658  if (tryFQDN && !haveRedirectAddress)
659  haveRedirectAddress = rdp_client_redirect_try_fqdn(settings);
660 
661  if (tryNetAddress && !haveRedirectAddress)
662  haveRedirectAddress = rdp_client_redirect_try_ip(settings);
663 
664  if (tryNetbios && !haveRedirectAddress)
665  haveRedirectAddress = rdp_client_redirect_try_netbios(settings);
666 
667  redirectionMask >>= 3;
668  } while (!haveRedirectAddress && (redirectionMask != 0));
669  }
670 
671  if (settings->RedirectionFlags & LB_USERNAME)
672  {
673  if (!freerdp_settings_set_string(
674  settings, FreeRDP_Username,
675  freerdp_settings_get_string(settings, FreeRDP_RedirectionUsername)))
676  return FALSE;
677  }
678 
679  if (settings->RedirectionFlags & LB_DOMAIN)
680  {
681  if (!freerdp_settings_set_string(
682  settings, FreeRDP_Domain,
683  freerdp_settings_get_string(settings, FreeRDP_RedirectionDomain)))
684  return FALSE;
685  }
686 
687  settings->RdstlsSecurity =
688  (settings->RedirectionFlags & LB_PASSWORD_IS_PK_ENCRYPTED) != 0 ? TRUE : FALSE;
689 
690  WINPR_ASSERT(rdp->context);
691  WINPR_ASSERT(rdp->context->instance);
692  if (!IFCALLRESULT(TRUE, rdp->context->instance->Redirect, rdp->context->instance))
693  return FALSE;
694 
695  BOOL ok = utils_reload_channels(rdp->context);
696  if (!ok)
697  return FALSE;
698 
699  status = rdp_client_connect(rdp);
700 
701  if (status)
702  status = rdp_client_reconnect_channels(rdp, TRUE);
703 
704  return status;
705 }
706 
707 BOOL rdp_client_reconnect(rdpRdp* rdp)
708 {
709  BOOL status = 0;
710 
711  if (!rdp_client_disconnect_and_clear(rdp))
712  return FALSE;
713 
714  status = rdp_client_connect(rdp);
715 
716  if (status)
717  status = rdp_client_reconnect_channels(rdp, FALSE);
718 
719  return status;
720 }
721 
722 static const BYTE fips_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
723 
724 static BOOL rdp_client_establish_keys(rdpRdp* rdp)
725 {
726  wStream* s = NULL;
727  int status = 0;
728  BOOL ret = FALSE;
729 
730  WINPR_ASSERT(rdp);
731  rdpSettings* settings = rdp->settings;
732  BYTE* crypt_client_random = NULL;
733 
734  WINPR_ASSERT(settings);
735  if (!settings->UseRdpSecurityLayer)
736  {
737  /* no RDP encryption */
738  return TRUE;
739  }
740 
741  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT))
742  return FALSE;
743 
744  /* encrypt client random */
745  if (!freerdp_settings_set_pointer_len(settings, FreeRDP_ClientRandom, NULL,
746  CLIENT_RANDOM_LENGTH))
747  return FALSE;
748  winpr_RAND(settings->ClientRandom, settings->ClientRandomLength);
749 
750  const rdpCertInfo* info = freerdp_certificate_get_info(settings->RdpServerCertificate);
751  if (!info)
752  {
753  WLog_ERR(TAG, "Failed to get rdpCertInfo from RdpServerCertificate");
754  return FALSE;
755  }
756 
757  /*
758  * client random must be (bitlen / 8) + 8 - see [MS-RDPBCGR] 5.3.4.1
759  * for details
760  */
761  crypt_client_random = calloc(info->ModulusLength, 1);
762 
763  if (!crypt_client_random)
764  return FALSE;
765 
766  crypto_rsa_public_encrypt(settings->ClientRandom, settings->ClientRandomLength, info,
767  crypt_client_random, info->ModulusLength);
768  /* send crypt client random to server */
769  const size_t length = RDP_PACKET_HEADER_MAX_LENGTH + RDP_SECURITY_HEADER_LENGTH + 4ULL +
770  info->ModulusLength + 8ULL;
771  if (length > UINT16_MAX)
772  return FALSE;
773 
774  s = Stream_New(NULL, length);
775 
776  if (!s)
777  {
778  WLog_ERR(TAG, "Stream_New failed!");
779  goto end;
780  }
781 
782  if (!rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID))
783  goto end;
784  if (!rdp_write_security_header(rdp, s, SEC_EXCHANGE_PKT | SEC_LICENSE_ENCRYPT_SC))
785  goto end;
786 
787  Stream_Write_UINT32(s, info->ModulusLength + 8);
788  Stream_Write(s, crypt_client_random, info->ModulusLength);
789  Stream_Zero(s, 8);
790  Stream_SealLength(s);
791  status = transport_write(rdp->mcs->transport, s);
792 
793  if (status < 0)
794  goto end;
795 
796  rdp->do_crypt_license = TRUE;
797 
798  /* now calculate encrypt / decrypt and update keys */
799  if (!security_establish_keys(rdp))
800  goto end;
801 
802  rdp->do_crypt = TRUE;
803 
804  if (settings->SaltedChecksum)
805  rdp->do_secure_checksum = TRUE;
806 
807  if (settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
808  {
809  rdp->fips_encrypt =
810  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_ENCRYPT, rdp->fips_encrypt_key,
811  sizeof(rdp->fips_encrypt_key), fips_ivec, sizeof(fips_ivec));
812 
813  if (!rdp->fips_encrypt)
814  {
815  WLog_ERR(TAG, "unable to allocate des3 encrypt key");
816  goto end;
817  }
818 
819  rdp->fips_decrypt =
820  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_DECRYPT, rdp->fips_decrypt_key,
821  sizeof(rdp->fips_decrypt_key), fips_ivec, sizeof(fips_ivec));
822 
823  if (!rdp->fips_decrypt)
824  {
825  WLog_ERR(TAG, "unable to allocate des3 decrypt key");
826  goto end;
827  }
828 
829  ret = TRUE;
830  goto end;
831  }
832 
833  if (!rdp_reset_rc4_encrypt_keys(rdp))
834  goto end;
835  if (!rdp_reset_rc4_decrypt_keys(rdp))
836  goto end;
837 
838  ret = TRUE;
839 end:
840  Stream_Free(s, TRUE);
841  free(crypt_client_random);
842 
843  if (!ret)
844  {
845  winpr_Cipher_Free(rdp->fips_decrypt);
846  winpr_Cipher_Free(rdp->fips_encrypt);
847  rdp->fips_decrypt = NULL;
848  rdp->fips_encrypt = NULL;
849 
850  rdp_free_rc4_decrypt_keys(rdp);
851  rdp_free_rc4_encrypt_keys(rdp);
852  }
853 
854  return ret;
855 }
856 
857 static BOOL rdp_update_client_random(rdpSettings* settings, const BYTE* crypt_random,
858  size_t crypt_random_len)
859 {
860  const size_t length = 32;
861  WINPR_ASSERT(settings);
862 
863  const rdpPrivateKey* rsa = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey);
864  WINPR_ASSERT(rsa);
865 
866  const rdpCertInfo* cinfo = freerdp_key_get_info(rsa);
867  WINPR_ASSERT(cinfo);
868 
869  if (crypt_random_len != cinfo->ModulusLength + 8)
870  {
871  WLog_ERR(TAG, "invalid encrypted client random length");
872  return FALSE;
873  }
874  if (!freerdp_settings_set_pointer_len(settings, FreeRDP_ClientRandom, NULL, length))
875  return FALSE;
876 
877  BYTE* client_random = freerdp_settings_get_pointer_writable(settings, FreeRDP_ClientRandom);
878  WINPR_ASSERT(client_random);
879  return crypto_rsa_private_decrypt(crypt_random, crypt_random_len - 8, rsa, client_random,
880  length) > 0;
881 }
882 
883 BOOL rdp_server_establish_keys(rdpRdp* rdp, wStream* s)
884 {
885  UINT32 rand_len = 0;
886  UINT16 channel_id = 0;
887  UINT16 length = 0;
888  UINT16 sec_flags = 0;
889  BOOL ret = FALSE;
890 
891  WINPR_ASSERT(rdp);
892 
893  if (!rdp->settings->UseRdpSecurityLayer)
894  {
895  /* No RDP Security. */
896  return TRUE;
897  }
898 
899  if (!rdp_read_header(rdp, s, &length, &channel_id))
900  return FALSE;
901 
902  if (!rdp_read_security_header(rdp, s, &sec_flags, NULL))
903  {
904  WLog_ERR(TAG, "invalid security header");
905  return FALSE;
906  }
907 
908  if ((sec_flags & SEC_EXCHANGE_PKT) == 0)
909  {
910  WLog_ERR(TAG, "missing SEC_EXCHANGE_PKT in security header");
911  return FALSE;
912  }
913 
914  rdp->do_crypt_license = (sec_flags & SEC_LICENSE_ENCRYPT_SC) != 0 ? TRUE : FALSE;
915 
916  if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
917  return FALSE;
918 
919  Stream_Read_UINT32(s, rand_len);
920 
921  /* rand_len already includes 8 bytes of padding */
922  if (!Stream_CheckAndLogRequiredLength(TAG, s, rand_len))
923  return FALSE;
924 
925  const BYTE* crypt_random = Stream_ConstPointer(s);
926  if (!Stream_SafeSeek(s, rand_len))
927  goto end;
928  if (!rdp_update_client_random(rdp->settings, crypt_random, rand_len))
929  goto end;
930 
931  /* now calculate encrypt / decrypt and update keys */
932  if (!security_establish_keys(rdp))
933  goto end;
934 
935  rdp->do_crypt = TRUE;
936 
937  if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
938  {
939  rdp->fips_encrypt =
940  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_ENCRYPT, rdp->fips_encrypt_key,
941  sizeof(rdp->fips_encrypt_key), fips_ivec, sizeof(fips_ivec));
942 
943  if (!rdp->fips_encrypt)
944  {
945  WLog_ERR(TAG, "unable to allocate des3 encrypt key");
946  goto end;
947  }
948 
949  rdp->fips_decrypt =
950  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_DECRYPT, rdp->fips_decrypt_key,
951  sizeof(rdp->fips_decrypt_key), fips_ivec, sizeof(fips_ivec));
952 
953  if (!rdp->fips_decrypt)
954  {
955  WLog_ERR(TAG, "unable to allocate des3 decrypt key");
956  goto end;
957  }
958 
959  ret = TRUE;
960  goto end;
961  }
962 
963  if (!rdp_reset_rc4_encrypt_keys(rdp))
964  goto end;
965 
966  if (!rdp_reset_rc4_decrypt_keys(rdp))
967  goto end;
968 
969  ret = tpkt_ensure_stream_consumed(s, length);
970 end:
971 
972  if (!ret)
973  {
974  winpr_Cipher_Free(rdp->fips_encrypt);
975  winpr_Cipher_Free(rdp->fips_decrypt);
976  rdp->fips_encrypt = NULL;
977  rdp->fips_decrypt = NULL;
978 
979  rdp_free_rc4_encrypt_keys(rdp);
980  rdp_free_rc4_decrypt_keys(rdp);
981  }
982 
983  return ret;
984 }
985 
986 static BOOL rdp_client_send_client_info_and_change_state(rdpRdp* rdp)
987 {
988  WINPR_ASSERT(rdp);
989  if (!rdp_client_establish_keys(rdp))
990  return FALSE;
991  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE))
992  return FALSE;
993  if (!rdp_send_client_info(rdp))
994  return FALSE;
995  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_REQUEST))
996  return FALSE;
997  return TRUE;
998 }
999 
1000 BOOL rdp_client_skip_mcs_channel_join(rdpRdp* rdp)
1001 {
1002  WINPR_ASSERT(rdp);
1003 
1004  rdpMcs* mcs = rdp->mcs;
1005  WINPR_ASSERT(mcs);
1006 
1007  mcs->userChannelJoined = TRUE;
1008  mcs->globalChannelJoined = TRUE;
1009  mcs->messageChannelJoined = TRUE;
1010 
1011  for (UINT32 i = 0; i < mcs->channelCount; i++)
1012  {
1013  rdpMcsChannel* cur = &mcs->channels[i];
1014  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1015  cur->joined = TRUE;
1016  }
1017 
1018  return rdp_client_send_client_info_and_change_state(rdp);
1019 }
1020 
1021 static BOOL rdp_client_join_channel(rdpRdp* rdp, UINT16 ChannelId)
1022 {
1023  WINPR_ASSERT(rdp);
1024 
1025  rdpMcs* mcs = rdp->mcs;
1026  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST))
1027  return FALSE;
1028  if (!mcs_send_channel_join_request(mcs, ChannelId))
1029  return FALSE;
1030  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE))
1031  return FALSE;
1032  return TRUE;
1033 }
1034 
1035 BOOL rdp_client_connect_mcs_channel_join_confirm(rdpRdp* rdp, wStream* s)
1036 {
1037  UINT16 channelId = 0;
1038  BOOL allJoined = TRUE;
1039 
1040  WINPR_ASSERT(rdp);
1041  rdpMcs* mcs = rdp->mcs;
1042 
1043  if (!mcs_recv_channel_join_confirm(mcs, s, &channelId))
1044  return FALSE;
1045 
1046  if (!mcs->userChannelJoined)
1047  {
1048  if (channelId != mcs->userId)
1049  {
1050  WLog_ERR(TAG, "expected user channel id %" PRIu16 ", but received %" PRIu16,
1051  mcs->userId, channelId);
1052  return FALSE;
1053  }
1054 
1055  mcs->userChannelJoined = TRUE;
1056  if (!rdp_client_join_channel(rdp, MCS_GLOBAL_CHANNEL_ID))
1057  return FALSE;
1058  }
1059  else if (!mcs->globalChannelJoined)
1060  {
1061  if (channelId != MCS_GLOBAL_CHANNEL_ID)
1062  {
1063  WLog_ERR(TAG, "expected uglobalser channel id %" PRIu16 ", but received %" PRIu16,
1064  MCS_GLOBAL_CHANNEL_ID, channelId);
1065  return FALSE;
1066  }
1067  mcs->globalChannelJoined = TRUE;
1068 
1069  if (mcs->messageChannelId != 0)
1070  {
1071  if (!rdp_client_join_channel(rdp, mcs->messageChannelId))
1072  return FALSE;
1073  allJoined = FALSE;
1074  }
1075  else
1076  {
1077  if (mcs->channelCount > 0)
1078  {
1079  const rdpMcsChannel* cur = &mcs->channels[0];
1080  if (!rdp_client_join_channel(rdp, cur->ChannelId))
1081  return FALSE;
1082  allJoined = FALSE;
1083  }
1084  }
1085  }
1086  else if ((mcs->messageChannelId != 0) && !mcs->messageChannelJoined)
1087  {
1088  if (channelId != mcs->messageChannelId)
1089  {
1090  WLog_ERR(TAG, "expected messageChannelId=%" PRIu16 ", got %" PRIu16,
1091  mcs->messageChannelId, channelId);
1092  return FALSE;
1093  }
1094 
1095  mcs->messageChannelJoined = TRUE;
1096 
1097  if (mcs->channelCount > 0)
1098  {
1099  const rdpMcsChannel* cur = &mcs->channels[0];
1100  if (!rdp_client_join_channel(rdp, cur->ChannelId))
1101  return FALSE;
1102  allJoined = FALSE;
1103  }
1104  }
1105  else
1106  {
1107  UINT32 i = 0;
1108  for (; i < mcs->channelCount; i++)
1109  {
1110  rdpMcsChannel* cur = &mcs->channels[i];
1111  if (cur->joined)
1112  continue;
1113 
1114  if (cur->ChannelId != channelId)
1115  {
1116  WLog_ERR(TAG, "expected channel id %" PRIu16 ", but received %" PRIu16,
1117  MCS_GLOBAL_CHANNEL_ID, channelId);
1118  return FALSE;
1119  }
1120  cur->joined = TRUE;
1121  break;
1122  }
1123 
1124  if (i + 1 < mcs->channelCount)
1125  {
1126  const rdpMcsChannel* cur = &mcs->channels[i + 1];
1127  if (!rdp_client_join_channel(rdp, cur->ChannelId))
1128  return FALSE;
1129  allJoined = FALSE;
1130  }
1131  }
1132 
1133  if (mcs->userChannelJoined && mcs->globalChannelJoined && allJoined)
1134  {
1135  if (!rdp_client_send_client_info_and_change_state(rdp))
1136  return FALSE;
1137  }
1138 
1139  return TRUE;
1140 }
1141 
1142 BOOL rdp_handle_message_channel(rdpRdp* rdp, wStream* s, UINT16 channelId, UINT16 length)
1143 {
1144  WINPR_ASSERT(rdp);
1145  WINPR_ASSERT(rdp->mcs);
1146 
1147  if (!rdp->mcs->messageChannelJoined)
1148  {
1149  WLog_Print(rdp->log, WLOG_WARN, "MCS message channel not joined!");
1150  return FALSE;
1151  }
1152  const UINT16 messageChannelId = rdp->mcs->messageChannelId;
1153  if (messageChannelId == 0)
1154  {
1155  WLog_Print(rdp->log, WLOG_WARN, "MCS message channel id == 0");
1156  return FALSE;
1157  }
1158 
1159  if (channelId != messageChannelId)
1160  {
1161  WLog_Print(rdp->log, WLOG_WARN, "MCS message channel expected id=%" PRIu16 ", got %" PRIu16,
1162  messageChannelId, channelId);
1163  return FALSE;
1164  }
1165 
1166  UINT16 securityFlags = 0;
1167  if (!rdp_read_security_header(rdp, s, &securityFlags, &length))
1168  return FALSE;
1169 
1170  if (securityFlags & SEC_ENCRYPT)
1171  {
1172  if (!rdp_decrypt(rdp, s, &length, securityFlags))
1173  return FALSE;
1174  }
1175 
1176  if (rdp_recv_message_channel_pdu(rdp, s, securityFlags) != STATE_RUN_SUCCESS)
1177  return FALSE;
1178 
1179  return tpkt_ensure_stream_consumed(s, length);
1180 }
1181 
1182 BOOL rdp_client_connect_auto_detect(rdpRdp* rdp, wStream* s)
1183 {
1184  WINPR_ASSERT(rdp);
1185  WINPR_ASSERT(rdp->mcs);
1186 
1187  const size_t pos = Stream_GetPosition(s);
1188  UINT16 length = 0;
1189  UINT16 channelId = 0;
1190 
1191  if (rdp_read_header(rdp, s, &length, &channelId))
1192  {
1193  const UINT16 messageChannelId = rdp->mcs->messageChannelId;
1194  /* If the MCS message channel has been joined... */
1195 
1196  /* Process any MCS message channel PDUs. */
1197  if (rdp->mcs->messageChannelJoined && (channelId == messageChannelId))
1198  {
1199  if (rdp_handle_message_channel(rdp, s, channelId, length))
1200  return TRUE;
1201  }
1202  else
1203  {
1204  WLog_WARN(TAG, "expected messageChannelId=%" PRIu16 ", got %" PRIu16, messageChannelId,
1205  channelId);
1206  }
1207  }
1208 
1209  Stream_SetPosition(s, pos);
1210  return FALSE;
1211 }
1212 
1213 state_run_t rdp_client_connect_license(rdpRdp* rdp, wStream* s)
1214 {
1215  state_run_t status = STATE_RUN_FAILED;
1216  LICENSE_STATE state = LICENSE_STATE_ABORTED;
1217  UINT16 length = 0;
1218  UINT16 channelId = 0;
1219  UINT16 securityFlags = 0;
1220 
1221  WINPR_ASSERT(rdp);
1222  if (!rdp_read_header(rdp, s, &length, &channelId))
1223  return STATE_RUN_FAILED;
1224 
1225  /* there might be autodetect messages mixed in between licensing messages.
1226  * that has been observed with 2k12 R2 and 2k19
1227  */
1228  const UINT16 messageChannelId = rdp->mcs->messageChannelId;
1229  if (rdp->mcs->messageChannelJoined && (channelId == messageChannelId))
1230  {
1231  if (!rdp_handle_message_channel(rdp, s, channelId, length))
1232  return STATE_RUN_FAILED;
1233  return STATE_RUN_SUCCESS;
1234  }
1235 
1236  if (!rdp_read_security_header(rdp, s, &securityFlags, &length))
1237  return STATE_RUN_FAILED;
1238 
1239  if (securityFlags & SEC_ENCRYPT)
1240  {
1241  if (!rdp_decrypt(rdp, s, &length, securityFlags))
1242  return STATE_RUN_FAILED;
1243  }
1244 
1245  if (channelId != MCS_GLOBAL_CHANNEL_ID)
1246  WLog_WARN(TAG, "unexpected message for channel %u, expected %u", channelId,
1247  MCS_GLOBAL_CHANNEL_ID);
1248 
1249  if ((securityFlags & SEC_LICENSE_PKT) == 0)
1250  {
1251  char buffer[512] = { 0 };
1252  char lbuffer[32] = { 0 };
1253  WLog_ERR(TAG, "securityFlags=%s, missing required flag %s",
1254  rdp_security_flag_string(securityFlags, buffer, sizeof(buffer)),
1255  rdp_security_flag_string(SEC_LICENSE_PKT, lbuffer, sizeof(lbuffer)));
1256  return STATE_RUN_FAILED;
1257  }
1258 
1259  status = license_recv(rdp->license, s);
1260 
1261  if (state_run_failed(status))
1262  return status;
1263 
1264  state = license_get_state(rdp->license);
1265  switch (state)
1266  {
1267  case LICENSE_STATE_ABORTED:
1268  WLog_ERR(TAG, "license connection sequence aborted.");
1269  return STATE_RUN_FAILED;
1270  case LICENSE_STATE_COMPLETED:
1271  if (rdp->settings->MultitransportFlags)
1272  {
1273  if (!rdp_client_transition_to_state(
1274  rdp, CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_REQUEST))
1275  return STATE_RUN_FAILED;
1276  }
1277  else
1278  {
1279  if (!rdp_client_transition_to_state(
1280  rdp, CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE))
1281  return STATE_RUN_FAILED;
1282  }
1283  return STATE_RUN_SUCCESS;
1284  default:
1285  return STATE_RUN_SUCCESS;
1286  }
1287 }
1288 
1289 state_run_t rdp_client_connect_demand_active(rdpRdp* rdp, wStream* s)
1290 {
1291  UINT16 length = 0;
1292  UINT16 channelId = 0;
1293  UINT16 pduType = 0;
1294  UINT16 pduSource = 0;
1295 
1296  WINPR_ASSERT(rdp);
1297  WINPR_ASSERT(s);
1298  WINPR_ASSERT(rdp->settings);
1299 
1300  if (!rdp_recv_get_active_header(rdp, s, &channelId, &length))
1301  return STATE_RUN_FAILED;
1302 
1303  if (freerdp_shall_disconnect_context(rdp->context))
1304  return STATE_RUN_QUIT_SESSION;
1305 
1306  if (rdp->mcs->messageChannelId && (channelId == rdp->mcs->messageChannelId))
1307  {
1308  rdp->inPackets++;
1309  if (!rdp_handle_message_channel(rdp, s, channelId, length))
1310  return STATE_RUN_FAILED;
1311  return STATE_RUN_SUCCESS;
1312  }
1313 
1314  if (!rdp_handle_optional_rdp_decryption(rdp, s, &length, NULL))
1315  return STATE_RUN_FAILED;
1316 
1317  if (!rdp_read_share_control_header(rdp, s, NULL, NULL, &pduType, &pduSource))
1318  return STATE_RUN_FAILED;
1319 
1320  switch (pduType)
1321  {
1322  case PDU_TYPE_DEMAND_ACTIVE:
1323  if (!rdp_recv_demand_active(rdp, s, pduSource, length))
1324  return STATE_RUN_FAILED;
1325  return STATE_RUN_ACTIVE;
1326  default:
1327  return rdp_recv_out_of_sequence_pdu(rdp, s, pduType, length);
1328  }
1329 }
1330 
1331 state_run_t rdp_client_connect_finalize(rdpRdp* rdp)
1332 {
1333  WINPR_ASSERT(rdp);
1340  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_SYNC))
1341  return STATE_RUN_FAILED;
1342 
1343  if (!rdp_send_client_synchronize_pdu(rdp))
1344  return STATE_RUN_FAILED;
1345 
1346  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_COOPERATE))
1347  return STATE_RUN_FAILED;
1348  if (!rdp_send_client_control_pdu(rdp, CTRLACTION_COOPERATE))
1349  return STATE_RUN_FAILED;
1350 
1351  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL))
1352  return STATE_RUN_FAILED;
1353  if (!rdp_send_client_control_pdu(rdp, CTRLACTION_REQUEST_CONTROL))
1354  return STATE_RUN_FAILED;
1355 
1363  if (!rdp_finalize_is_flag_set(rdp, FINALIZE_DEACTIVATE_REACTIVATE) &&
1364  freerdp_settings_get_bool(rdp->settings, FreeRDP_BitmapCachePersistEnabled))
1365  {
1366  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST))
1367  return STATE_RUN_FAILED;
1368  if (!rdp_send_client_persistent_key_list_pdu(rdp))
1369  return STATE_RUN_FAILED;
1370  }
1371 
1372  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_FONT_LIST))
1373  return STATE_RUN_FAILED;
1374  if (!rdp_send_client_font_list_pdu(rdp, FONTLIST_FIRST | FONTLIST_LAST))
1375  return STATE_RUN_FAILED;
1376 
1377  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_CLIENT_SYNC))
1378  return STATE_RUN_FAILED;
1379  return STATE_RUN_SUCCESS;
1380 }
1381 
1382 BOOL rdp_client_transition_to_state(rdpRdp* rdp, CONNECTION_STATE state)
1383 {
1384  const char* name = rdp_state_string(state);
1385 
1386  WINPR_ASSERT(rdp);
1387  WLog_Print(rdp->log, WLOG_DEBUG, "%s --> %s", rdp_get_state_string(rdp), name);
1388 
1389  if (!rdp_set_state(rdp, state))
1390  return FALSE;
1391 
1392  switch (state)
1393  {
1394  case CONNECTION_STATE_FINALIZATION_SYNC:
1395  case CONNECTION_STATE_FINALIZATION_COOPERATE:
1396  case CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL:
1397  case CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST:
1398  case CONNECTION_STATE_FINALIZATION_FONT_LIST:
1399  update_reset_state(rdp->update);
1400  break;
1401 
1402  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE:
1403  {
1404  ActivatedEventArgs activatedEvent = { 0 };
1405  rdpContext* context = rdp->context;
1406  EventArgsInit(&activatedEvent, "libfreerdp");
1407  activatedEvent.firstActivation =
1408  !rdp_finalize_is_flag_set(rdp, FINALIZE_DEACTIVATE_REACTIVATE);
1409  PubSub_OnActivated(rdp->pubSub, context, &activatedEvent);
1410  }
1411 
1412  break;
1413 
1414  default:
1415  break;
1416  }
1417 
1418  {
1419  ConnectionStateChangeEventArgs stateEvent = { 0 };
1420  rdpContext* context = rdp->context;
1421  EventArgsInit(&stateEvent, "libfreerdp");
1422  stateEvent.state = WINPR_ASSERTING_INT_CAST(int32_t, rdp_get_state(rdp));
1423  stateEvent.active = rdp_is_active_state(rdp);
1424  PubSub_OnConnectionStateChange(rdp->pubSub, context, &stateEvent);
1425  }
1426 
1427  return TRUE;
1428 }
1429 
1430 BOOL rdp_server_accept_nego(rdpRdp* rdp, wStream* s)
1431 {
1432  UINT32 SelectedProtocol = 0;
1433  UINT32 RequestedProtocols = 0;
1434  BOOL status = 0;
1435  rdpSettings* settings = NULL;
1436  rdpNego* nego = NULL;
1437 
1438  WINPR_ASSERT(rdp);
1439  WINPR_ASSERT(s);
1440 
1441  settings = rdp->settings;
1442  WINPR_ASSERT(settings);
1443 
1444  nego = rdp->nego;
1445  WINPR_ASSERT(nego);
1446 
1447  transport_set_blocking_mode(rdp->transport, TRUE);
1448 
1449  if (!nego_read_request(nego, s))
1450  return FALSE;
1451 
1452  RequestedProtocols = nego_get_requested_protocols(nego);
1453  WLog_DBG(TAG, "Client Security: RDSTLS:%d NLA:%d TLS:%d RDP:%d",
1454  (RequestedProtocols & PROTOCOL_RDSTLS) ? 1 : 0,
1455  (RequestedProtocols & PROTOCOL_HYBRID) ? 1 : 0,
1456  (RequestedProtocols & PROTOCOL_SSL) ? 1 : 0,
1457  (RequestedProtocols == PROTOCOL_RDP) ? 1 : 0);
1458  WLog_DBG(TAG,
1459  "Server Security: RDSTLS:%" PRId32 " NLA:%" PRId32 " TLS:%" PRId32 " RDP:%" PRId32 "",
1460  settings->RdstlsSecurity, settings->NlaSecurity, settings->TlsSecurity,
1461  settings->RdpSecurity);
1462 
1463  if ((settings->RdstlsSecurity) && (RequestedProtocols & PROTOCOL_RDSTLS))
1464  {
1465  SelectedProtocol = PROTOCOL_RDSTLS;
1466  }
1467  else if ((settings->NlaSecurity) && (RequestedProtocols & PROTOCOL_HYBRID))
1468  {
1469  SelectedProtocol = PROTOCOL_HYBRID;
1470  }
1471  else if ((settings->TlsSecurity) && (RequestedProtocols & PROTOCOL_SSL))
1472  {
1473  SelectedProtocol = PROTOCOL_SSL;
1474  }
1475  else if ((settings->RdpSecurity) && (RequestedProtocols == PROTOCOL_RDP))
1476  {
1477  SelectedProtocol = PROTOCOL_RDP;
1478  }
1479  else
1480  {
1481  /*
1482  * when here client and server aren't compatible, we select the right
1483  * error message to return to the client in the nego failure packet
1484  */
1485  SelectedProtocol = PROTOCOL_FAILED_NEGO;
1486 
1487  if (settings->RdpSecurity)
1488  {
1489  WLog_ERR(TAG, "server supports only Standard RDP Security");
1490  SelectedProtocol |= SSL_NOT_ALLOWED_BY_SERVER;
1491  }
1492  else
1493  {
1494  if (settings->NlaSecurity && !settings->TlsSecurity)
1495  {
1496  WLog_WARN(TAG, "server supports only NLA Security");
1497  SelectedProtocol |= HYBRID_REQUIRED_BY_SERVER;
1498  }
1499  else
1500  {
1501  WLog_WARN(TAG, "server supports only a SSL based Security (TLS or NLA)");
1502  SelectedProtocol |= SSL_REQUIRED_BY_SERVER;
1503  }
1504  }
1505 
1506  WLog_ERR(TAG, "Protocol security negotiation failure");
1507  }
1508 
1509  if (!(SelectedProtocol & PROTOCOL_FAILED_NEGO))
1510  {
1511  WLog_DBG(TAG, "Negotiated Security: RDSTLS:%d NLA:%d TLS:%d RDP:%d",
1512  (SelectedProtocol & PROTOCOL_RDSTLS) ? 1 : 0,
1513  (SelectedProtocol & PROTOCOL_HYBRID) ? 1 : 0,
1514  (SelectedProtocol & PROTOCOL_SSL) ? 1 : 0,
1515  (SelectedProtocol == PROTOCOL_RDP) ? 1 : 0);
1516  }
1517 
1518  if (!nego_set_selected_protocol(nego, SelectedProtocol))
1519  return FALSE;
1520 
1521  if (!nego_send_negotiation_response(nego))
1522  return FALSE;
1523 
1524  SelectedProtocol = nego_get_selected_protocol(nego);
1525  status = FALSE;
1526 
1527  if (SelectedProtocol & PROTOCOL_RDSTLS)
1528  status = transport_accept_rdstls(rdp->transport);
1529  else if (SelectedProtocol & PROTOCOL_HYBRID)
1530  status = transport_accept_nla(rdp->transport);
1531  else if (SelectedProtocol & PROTOCOL_SSL)
1532  status = transport_accept_tls(rdp->transport);
1533  else if (SelectedProtocol == PROTOCOL_RDP) /* 0 */
1534  status = transport_accept_rdp(rdp->transport);
1535 
1536  if (!status)
1537  return FALSE;
1538 
1539  transport_set_blocking_mode(rdp->transport, FALSE);
1540 
1541  return TRUE;
1542 }
1543 
1544 static BOOL rdp_update_encryption_level(rdpSettings* settings)
1545 {
1546  WINPR_ASSERT(settings);
1547 
1548  UINT32 EncryptionLevel = freerdp_settings_get_uint32(settings, FreeRDP_EncryptionLevel);
1549  UINT32 EncryptionMethods = freerdp_settings_get_uint32(settings, FreeRDP_EncryptionMethods);
1550 
1561  if (!settings->UseRdpSecurityLayer)
1562  {
1563  /* TLS/NLA is used: disable rdp style encryption */
1564  EncryptionLevel = ENCRYPTION_LEVEL_NONE;
1565  }
1566  else
1567  {
1568  /* verify server encryption level value */
1569  switch (EncryptionLevel)
1570  {
1571  case ENCRYPTION_LEVEL_NONE:
1572  WLog_INFO(TAG, "Active rdp encryption level: NONE");
1573  break;
1574 
1575  case ENCRYPTION_LEVEL_FIPS:
1576  WLog_INFO(TAG, "Active rdp encryption level: FIPS Compliant");
1577  break;
1578 
1579  case ENCRYPTION_LEVEL_HIGH:
1580  WLog_INFO(TAG, "Active rdp encryption level: HIGH");
1581  break;
1582 
1583  case ENCRYPTION_LEVEL_LOW:
1584  WLog_INFO(TAG, "Active rdp encryption level: LOW");
1585  break;
1586 
1587  case ENCRYPTION_LEVEL_CLIENT_COMPATIBLE:
1588  WLog_INFO(TAG, "Active rdp encryption level: CLIENT-COMPATIBLE");
1589  break;
1590 
1591  default:
1592  WLog_ERR(TAG, "Invalid server encryption level 0x%08" PRIX32 "", EncryptionLevel);
1593  WLog_ERR(TAG, "Switching to encryption level CLIENT-COMPATIBLE");
1594  EncryptionLevel = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
1595  }
1596  }
1597 
1598  /* choose rdp encryption method based on server level and client methods */
1599  switch (EncryptionLevel)
1600  {
1601  case ENCRYPTION_LEVEL_NONE:
1602  /* The only valid method is NONE in this case */
1603  EncryptionMethods = ENCRYPTION_METHOD_NONE;
1604  break;
1605 
1606  case ENCRYPTION_LEVEL_FIPS:
1607 
1608  /* The only valid method is FIPS in this case */
1609  if (!(EncryptionMethods & ENCRYPTION_METHOD_FIPS))
1610  {
1611  WLog_WARN(TAG, "client does not support FIPS as required by server configuration");
1612  }
1613 
1614  EncryptionMethods = ENCRYPTION_METHOD_FIPS;
1615  break;
1616 
1617  case ENCRYPTION_LEVEL_HIGH:
1618 
1619  /* Maximum key strength supported by the server must be used (128 bit)*/
1620  if (!(EncryptionMethods & ENCRYPTION_METHOD_128BIT))
1621  {
1622  WLog_WARN(TAG, "client does not support 128 bit encryption method as required by "
1623  "server configuration");
1624  }
1625 
1626  EncryptionMethods = ENCRYPTION_METHOD_128BIT;
1627  break;
1628 
1629  case ENCRYPTION_LEVEL_LOW:
1630  case ENCRYPTION_LEVEL_CLIENT_COMPATIBLE:
1631 
1632  /* Maximum key strength supported by the client must be used */
1633  if (EncryptionMethods & ENCRYPTION_METHOD_128BIT)
1634  EncryptionMethods = ENCRYPTION_METHOD_128BIT;
1635  else if (EncryptionMethods & ENCRYPTION_METHOD_56BIT)
1636  EncryptionMethods = ENCRYPTION_METHOD_56BIT;
1637  else if (EncryptionMethods & ENCRYPTION_METHOD_40BIT)
1638  EncryptionMethods = ENCRYPTION_METHOD_40BIT;
1639  else if (EncryptionMethods & ENCRYPTION_METHOD_FIPS)
1640  EncryptionMethods = ENCRYPTION_METHOD_FIPS;
1641  else
1642  {
1643  WLog_WARN(TAG, "client has not announced any supported encryption methods");
1644  EncryptionMethods = ENCRYPTION_METHOD_128BIT;
1645  }
1646 
1647  break;
1648 
1649  default:
1650  WLog_ERR(TAG, "internal error: unknown encryption level");
1651  return FALSE;
1652  }
1653 
1654  /* log selected encryption method */
1655  if (settings->UseRdpSecurityLayer)
1656  {
1657  switch (EncryptionMethods)
1658  {
1659  case ENCRYPTION_METHOD_NONE:
1660  WLog_INFO(TAG, "Selected rdp encryption method: NONE");
1661  break;
1662 
1663  case ENCRYPTION_METHOD_40BIT:
1664  WLog_INFO(TAG, "Selected rdp encryption method: 40BIT");
1665  break;
1666 
1667  case ENCRYPTION_METHOD_56BIT:
1668  WLog_INFO(TAG, "Selected rdp encryption method: 56BIT");
1669  break;
1670 
1671  case ENCRYPTION_METHOD_128BIT:
1672  WLog_INFO(TAG, "Selected rdp encryption method: 128BIT");
1673  break;
1674 
1675  case ENCRYPTION_METHOD_FIPS:
1676  WLog_INFO(TAG, "Selected rdp encryption method: FIPS");
1677  break;
1678 
1679  default:
1680  WLog_ERR(TAG, "internal error: unknown encryption method");
1681  return FALSE;
1682  }
1683  }
1684 
1685  if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel, EncryptionLevel))
1686  return FALSE;
1687  if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionMethods, EncryptionMethods))
1688  return FALSE;
1689  return TRUE;
1690 }
1691 
1692 BOOL rdp_server_accept_mcs_connect_initial(rdpRdp* rdp, wStream* s)
1693 {
1694  WINPR_ASSERT(rdp);
1695  WINPR_ASSERT(s);
1696 
1697  rdpMcs* mcs = rdp->mcs;
1698  WINPR_ASSERT(mcs);
1699 
1700  WINPR_ASSERT(rdp_get_state(rdp) == CONNECTION_STATE_MCS_CREATE_REQUEST);
1701  if (!mcs_recv_connect_initial(mcs, s))
1702  return FALSE;
1703  WINPR_ASSERT(rdp->settings);
1704 
1705  if (!mcs_server_apply_to_settings(mcs, rdp->settings))
1706  return FALSE;
1707 
1708  WLog_DBG(TAG, "Accepted client: %s", rdp->settings->ClientHostname);
1709  WLog_DBG(TAG, "Accepted channels:");
1710 
1711  WINPR_ASSERT(mcs->channels || (mcs->channelCount == 0));
1712  for (UINT32 i = 0; i < mcs->channelCount; i++)
1713  {
1714  ADDIN_ARGV* arg = NULL;
1715  rdpMcsChannel* cur = &mcs->channels[i];
1716  const char* params[1] = { cur->Name };
1717  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1718  arg = freerdp_addin_argv_new(ARRAYSIZE(params), params);
1719  if (!arg)
1720  return FALSE;
1721 
1722  if (!freerdp_static_channel_collection_add(rdp->settings, arg))
1723  {
1724  freerdp_addin_argv_free(arg);
1725  return FALSE;
1726  }
1727  }
1728 
1729  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_CREATE_RESPONSE))
1730  return FALSE;
1731  if (!rdp_update_encryption_level(rdp->settings))
1732  return FALSE;
1733  if (!mcs_send_connect_response(mcs))
1734  return FALSE;
1735  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_ERECT_DOMAIN))
1736  return FALSE;
1737 
1738  return TRUE;
1739 }
1740 
1741 BOOL rdp_server_accept_mcs_erect_domain_request(rdpRdp* rdp, wStream* s)
1742 {
1743  WINPR_ASSERT(rdp);
1744  WINPR_ASSERT(s);
1745  WINPR_ASSERT(rdp_get_state(rdp) == CONNECTION_STATE_MCS_ERECT_DOMAIN);
1746 
1747  if (!mcs_recv_erect_domain_request(rdp->mcs, s))
1748  return FALSE;
1749 
1750  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_ATTACH_USER);
1751 }
1752 
1753 static BOOL rdp_server_skip_mcs_channel_join(rdpRdp* rdp)
1754 {
1755  WINPR_ASSERT(rdp);
1756 
1757  rdpMcs* mcs = rdp->mcs;
1758  WINPR_ASSERT(mcs);
1759 
1760  mcs->userChannelJoined = TRUE;
1761  mcs->globalChannelJoined = TRUE;
1762  mcs->messageChannelJoined = TRUE;
1763 
1764  for (UINT32 i = 0; i < mcs->channelCount; i++)
1765  {
1766  rdpMcsChannel* cur = &mcs->channels[i];
1767  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1768  cur->joined = TRUE;
1769  }
1770  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT);
1771 }
1772 
1773 BOOL rdp_server_accept_mcs_attach_user_request(rdpRdp* rdp, wStream* s)
1774 {
1775  if (!mcs_recv_attach_user_request(rdp->mcs, s))
1776  return FALSE;
1777 
1778  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_ATTACH_USER_CONFIRM))
1779  return FALSE;
1780 
1781  if (!mcs_send_attach_user_confirm(rdp->mcs))
1782  return FALSE;
1783 
1784  if (freerdp_settings_get_bool(rdp->settings, FreeRDP_SupportSkipChannelJoin))
1785  return rdp_server_skip_mcs_channel_join(rdp);
1786  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST);
1787 }
1788 
1789 BOOL rdp_server_accept_mcs_channel_join_request(rdpRdp* rdp, wStream* s)
1790 {
1791  UINT16 channelId = 0;
1792  BOOL allJoined = TRUE;
1793  rdpMcs* mcs = NULL;
1794 
1795  WINPR_ASSERT(rdp);
1796  WINPR_ASSERT(rdp->context);
1797 
1798  mcs = rdp->mcs;
1799  WINPR_ASSERT(mcs);
1800 
1801  WINPR_ASSERT(rdp_get_state(rdp) == CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST);
1802 
1803  if (!mcs_recv_channel_join_request(mcs, rdp->settings, s, &channelId))
1804  return FALSE;
1805 
1806  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE))
1807  return FALSE;
1808 
1809  if (!mcs_send_channel_join_confirm(mcs, channelId))
1810  return FALSE;
1811 
1812  if (channelId == mcs->userId)
1813  mcs->userChannelJoined = TRUE;
1814  if (channelId == MCS_GLOBAL_CHANNEL_ID)
1815  mcs->globalChannelJoined = TRUE;
1816  if (channelId == mcs->messageChannelId)
1817  mcs->messageChannelJoined = TRUE;
1818 
1819  for (UINT32 i = 0; i < mcs->channelCount; i++)
1820  {
1821  rdpMcsChannel* cur = &mcs->channels[i];
1822  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1823  if (cur->ChannelId == channelId)
1824  cur->joined = TRUE;
1825 
1826  if (!cur->joined)
1827  allJoined = FALSE;
1828  }
1829 
1830  CONNECTION_STATE rc = CONNECTION_STATE_INITIAL;
1831  if ((mcs->userChannelJoined) && (mcs->globalChannelJoined) &&
1832  (mcs->messageChannelId == 0 || mcs->messageChannelJoined) && allJoined)
1833  rc = CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT;
1834  else
1835  rc = CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST;
1836 
1837  return rdp_server_transition_to_state(rdp, rc);
1838 }
1839 
1840 static BOOL rdp_server_send_sync(rdpRdp* rdp)
1841 {
1842  WINPR_ASSERT(rdp);
1843 
1844  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_CLIENT_SYNC))
1845  return FALSE;
1846  if (!rdp_send_server_synchronize_pdu(rdp))
1847  return FALSE;
1848  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE))
1849  return FALSE;
1850  if (!rdp_send_server_control_cooperate_pdu(rdp))
1851  return FALSE;
1852  if (!rdp_finalize_reset_flags(rdp, FALSE))
1853  return FALSE;
1854  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_SYNC);
1855 }
1856 
1857 BOOL rdp_server_accept_confirm_active(rdpRdp* rdp, wStream* s, UINT16 pduLength)
1858 {
1859  WINPR_ASSERT(rdp);
1860  WINPR_ASSERT(rdp->context);
1861  WINPR_ASSERT(rdp->settings);
1862  WINPR_ASSERT(s);
1863 
1864  freerdp_peer* peer = rdp->context->peer;
1865  WINPR_ASSERT(peer);
1866 
1867  if (rdp_get_state(rdp) != CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE)
1868  {
1869  if (freerdp_settings_get_bool(rdp->settings, FreeRDP_TransportDumpReplay))
1870  rdp_finalize_set_flag(rdp, FINALIZE_DEACTIVATE_REACTIVATE);
1871  else
1872  {
1873  WLog_WARN(TAG, "Invalid state, got %s, expected %s", rdp_get_state_string(rdp),
1874  rdp_state_string(CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE));
1875  return FALSE;
1876  }
1877  }
1878 
1879  if (!rdp_recv_confirm_active(rdp, s, pduLength))
1880  return FALSE;
1881 
1882  if (peer->ClientCapabilities && !peer->ClientCapabilities(peer))
1883  {
1884  WLog_WARN(TAG, "peer->ClientCapabilities failed");
1885  return FALSE;
1886  }
1887 
1888  if (rdp->settings->SaltedChecksum)
1889  rdp->do_secure_checksum = TRUE;
1890 
1891  return rdp_server_send_sync(rdp);
1892 }
1893 
1894 BOOL rdp_server_reactivate(rdpRdp* rdp)
1895 {
1896  freerdp_peer* client = NULL;
1897 
1898  if (rdp->context && rdp->context->peer)
1899  client = rdp->context->peer;
1900 
1901  if (client)
1902  client->activated = FALSE;
1903 
1904  if (!rdp_send_deactivate_all(rdp))
1905  return FALSE;
1906 
1907  rdp_finalize_set_flag(rdp, FINALIZE_DEACTIVATE_REACTIVATE);
1908  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE))
1909  return FALSE;
1910 
1911  state_run_t rc = rdp_peer_handle_state_demand_active(client);
1912  return state_run_success(rc);
1913 }
1914 
1915 static BOOL rdp_is_active_peer_state(CONNECTION_STATE state)
1916 {
1917  /* [MS-RDPBCGR] 1.3.1.1 Connection Sequence states:
1918  * 'upon receipt of the Font List PDU the server can start sending graphics
1919  * output to the client'
1920  */
1921  switch (state)
1922  {
1923  case CONNECTION_STATE_FINALIZATION_CLIENT_SYNC:
1924  case CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE:
1925  case CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL:
1926  case CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP:
1927  case CONNECTION_STATE_ACTIVE:
1928  return TRUE;
1929  default:
1930  return FALSE;
1931  }
1932 }
1933 
1934 static BOOL rdp_is_active_client_state(CONNECTION_STATE state)
1935 {
1936  /* [MS-RDPBCGR] 1.3.1.1 Connection Sequence states:
1937  * 'Once the client has sent the Confirm Active PDU, it can start sending
1938  * mouse and keyboard input to the server'
1939  */
1940  switch (state)
1941  {
1942  case CONNECTION_STATE_FINALIZATION_SYNC:
1943  case CONNECTION_STATE_FINALIZATION_COOPERATE:
1944  case CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL:
1945  case CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST:
1946  case CONNECTION_STATE_FINALIZATION_FONT_LIST:
1947  case CONNECTION_STATE_FINALIZATION_CLIENT_SYNC:
1948  case CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE:
1949  case CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL:
1950  case CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP:
1951  case CONNECTION_STATE_ACTIVE:
1952  return TRUE;
1953  default:
1954  return FALSE;
1955  }
1956 }
1957 
1958 BOOL rdp_is_active_state(const rdpRdp* rdp)
1959 {
1960  WINPR_ASSERT(rdp);
1961  WINPR_ASSERT(rdp->context);
1962 
1963  const CONNECTION_STATE state = rdp_get_state(rdp);
1964  if (freerdp_settings_get_bool(rdp->context->settings, FreeRDP_ServerMode))
1965  return rdp_is_active_peer_state(state);
1966  else
1967  return rdp_is_active_client_state(state);
1968 }
1969 
1970 BOOL rdp_server_transition_to_state(rdpRdp* rdp, CONNECTION_STATE state)
1971 {
1972  BOOL status = FALSE;
1973  freerdp_peer* client = NULL;
1974  const CONNECTION_STATE cstate = rdp_get_state(rdp);
1975 
1976  if (cstate >= CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT)
1977  {
1978  WINPR_ASSERT(rdp->context);
1979  client = rdp->context->peer;
1980  }
1981 
1982  if (!rdp_is_active_peer_state(cstate))
1983  {
1984  if (client)
1985  client->activated = FALSE;
1986  }
1987 
1988  WLog_Print(rdp->log, WLOG_DEBUG, "%s --> %s", rdp_get_state_string(rdp),
1989  rdp_state_string(state));
1990  if (!rdp_set_state(rdp, state))
1991  goto fail;
1992 
1993  status = TRUE;
1994 fail:
1995  return status;
1996 }
1997 
1998 const char* rdp_client_connection_state_string(UINT state)
1999 {
2000  switch (state)
2001  {
2002  case CLIENT_STATE_INITIAL:
2003  return "CLIENT_STATE_INITIAL";
2004  case CLIENT_STATE_PRECONNECT_PASSED:
2005  return "CLIENT_STATE_PRECONNECT_PASSED";
2006  case CLIENT_STATE_POSTCONNECT_PASSED:
2007  return "CLIENT_STATE_POSTCONNECT_PASSED";
2008  default:
2009  return "UNKNOWN";
2010  }
2011 }
2012 
2013 const char* rdp_state_string(CONNECTION_STATE state)
2014 {
2015  switch (state)
2016  {
2017  case CONNECTION_STATE_INITIAL:
2018  return "CONNECTION_STATE_INITIAL";
2019  case CONNECTION_STATE_NEGO:
2020  return "CONNECTION_STATE_NEGO";
2021  case CONNECTION_STATE_NLA:
2022  return "CONNECTION_STATE_NLA";
2023  case CONNECTION_STATE_AAD:
2024  return "CONNECTION_STATE_AAD";
2025  case CONNECTION_STATE_MCS_CREATE_REQUEST:
2026  return "CONNECTION_STATE_MCS_CREATE_REQUEST";
2027  case CONNECTION_STATE_MCS_CREATE_RESPONSE:
2028  return "CONNECTION_STATE_MCS_CREATE_RESPONSE";
2029  case CONNECTION_STATE_MCS_ERECT_DOMAIN:
2030  return "CONNECTION_STATE_MCS_ERECT_DOMAIN";
2031  case CONNECTION_STATE_MCS_ATTACH_USER:
2032  return "CONNECTION_STATE_MCS_ATTACH_USER";
2033  case CONNECTION_STATE_MCS_ATTACH_USER_CONFIRM:
2034  return "CONNECTION_STATE_MCS_ATTACH_USER_CONFIRM";
2035  case CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST:
2036  return "CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST";
2037  case CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE:
2038  return "CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE";
2039  case CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT:
2040  return "CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT";
2041  case CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE:
2042  return "CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE";
2043  case CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_REQUEST:
2044  return "CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_REQUEST";
2045  case CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_RESPONSE:
2046  return "CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_RESPONSE";
2047  case CONNECTION_STATE_LICENSING:
2048  return "CONNECTION_STATE_LICENSING";
2049  case CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_REQUEST:
2050  return "CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_REQUEST";
2051  case CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_RESPONSE:
2052  return "CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_RESPONSE";
2053  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE:
2054  return "CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE";
2055  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT:
2056  return "CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT";
2057  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE:
2058  return "CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE";
2059  case CONNECTION_STATE_FINALIZATION_SYNC:
2060  return "CONNECTION_STATE_FINALIZATION_SYNC";
2061  case CONNECTION_STATE_FINALIZATION_COOPERATE:
2062  return "CONNECTION_STATE_FINALIZATION_COOPERATE";
2063  case CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL:
2064  return "CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL";
2065  case CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST:
2066  return "CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST";
2067  case CONNECTION_STATE_FINALIZATION_FONT_LIST:
2068  return "CONNECTION_STATE_FINALIZATION_FONT_LIST";
2069  case CONNECTION_STATE_FINALIZATION_CLIENT_SYNC:
2070  return "CONNECTION_STATE_FINALIZATION_CLIENT_SYNC";
2071  case CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE:
2072  return "CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE";
2073  case CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL:
2074  return "CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL";
2075  case CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP:
2076  return "CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP";
2077  case CONNECTION_STATE_ACTIVE:
2078  return "CONNECTION_STATE_ACTIVE";
2079  default:
2080  return "UNKNOWN";
2081  }
2082 }
2083 
2084 CONNECTION_STATE rdp_get_state(const rdpRdp* rdp)
2085 {
2086  WINPR_ASSERT(rdp);
2087  return rdp->state;
2088 }
2089 
2090 BOOL rdp_set_state(rdpRdp* rdp, CONNECTION_STATE state)
2091 {
2092  WINPR_ASSERT(rdp);
2093  rdp->state = state;
2094  return TRUE;
2095 }
2096 
2097 const char* rdp_get_state_string(const rdpRdp* rdp)
2098 {
2099  CONNECTION_STATE state = rdp_get_state(rdp);
2100  return rdp_state_string(state);
2101 }
2102 
2103 BOOL rdp_channels_from_mcs(rdpSettings* settings, const rdpRdp* rdp)
2104 {
2105  const rdpMcs* mcs = NULL;
2106 
2107  WINPR_ASSERT(rdp);
2108 
2109  mcs = rdp->mcs;
2110  WINPR_ASSERT(mcs);
2111 
2112  if (!freerdp_settings_set_pointer_len(settings, FreeRDP_ChannelDefArray, NULL,
2113  CHANNEL_MAX_COUNT))
2114  return FALSE;
2115 
2116  for (UINT32 x = 0; x < mcs->channelCount; x++)
2117  {
2118  const rdpMcsChannel* mchannel = &mcs->channels[x];
2119  CHANNEL_DEF cur = { 0 };
2120 
2121  memcpy(cur.name, mchannel->Name, sizeof(cur.name));
2122  cur.options = mchannel->options;
2123  if (!freerdp_settings_set_pointer_array(settings, FreeRDP_ChannelDefArray, x, &cur))
2124  return FALSE;
2125  }
2126 
2127  return freerdp_settings_set_uint32(settings, FreeRDP_ChannelCount, mcs->channelCount);
2128 }
2129 
2130 /* Here we are in client state CONFIRM_ACTIVE.
2131  *
2132  * This means:
2133  * 1. send the CONFIRM_ACTIVE PDU to the server
2134  * 2. register callbacks, the server can now start sending stuff
2135  */
2136 state_run_t rdp_client_connect_confirm_active(rdpRdp* rdp, wStream* s)
2137 {
2138  WINPR_ASSERT(rdp);
2139  WINPR_ASSERT(rdp->settings);
2140  WINPR_ASSERT(s);
2141 
2142  const UINT32 width = rdp->settings->DesktopWidth;
2143  const UINT32 height = rdp->settings->DesktopHeight;
2144 
2145  if (!rdp_send_confirm_active(rdp))
2146  return STATE_RUN_FAILED;
2147 
2148  if (!input_register_client_callbacks(rdp->input))
2149  {
2150  WLog_ERR(TAG, "error registering client callbacks");
2151  return STATE_RUN_FAILED;
2152  }
2153 
2158  const BOOL deactivate_reactivate =
2159  rdp->was_deactivated && ((rdp->deactivated_width != rdp->settings->DesktopWidth) ||
2160  (rdp->deactivated_height != rdp->settings->DesktopHeight));
2161  const BOOL resolution_change =
2162  ((width != rdp->settings->DesktopWidth) || (height != rdp->settings->DesktopHeight));
2163  if (deactivate_reactivate || resolution_change)
2164  {
2165  BOOL status = TRUE;
2166  IFCALLRET(rdp->update->DesktopResize, status, rdp->update->context);
2167 
2168  if (!status)
2169  {
2170  WLog_ERR(TAG, "client desktop resize callback failed");
2171  return STATE_RUN_FAILED;
2172  }
2173  }
2174 
2175  WINPR_ASSERT(rdp->context);
2176  if (freerdp_shall_disconnect_context(rdp->context))
2177  return STATE_RUN_SUCCESS;
2178 
2179  state_run_t status = STATE_RUN_SUCCESS;
2180  if (!rdp->settings->SupportMonitorLayoutPdu)
2181  status = rdp_client_connect_finalize(rdp);
2182  else
2183  {
2184  if (!rdp_client_transition_to_state(rdp,
2185  CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT))
2186  status = STATE_RUN_FAILED;
2187  }
2188  if (!rdp_finalize_reset_flags(rdp, FALSE))
2189  status = STATE_RUN_FAILED;
2190  return status;
2191 }
2192 
2193 BOOL rdp_handle_optional_rdp_decryption(rdpRdp* rdp, wStream* s, UINT16* length,
2194  UINT16* pSecurityFlags)
2195 {
2196  BOOL rc = FALSE;
2197  WINPR_ASSERT(rdp);
2198  WINPR_ASSERT(rdp->settings);
2199 
2200  UINT16 securityFlags = 0;
2201  if (rdp->settings->UseRdpSecurityLayer)
2202  {
2203  if (!rdp_read_security_header(rdp, s, &securityFlags, length))
2204  goto fail;
2205 
2206  if (securityFlags & SEC_ENCRYPT)
2207  {
2208  if (!rdp_decrypt(rdp, s, length, securityFlags))
2209  goto fail;
2210  }
2211  }
2212 
2213  rc = TRUE;
2214 
2215 fail:
2216  if (pSecurityFlags)
2217  *pSecurityFlags = securityFlags;
2218  return rc;
2219 }
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
Definition: settings_getters.c:1620
freerdp_settings_set_string
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
Definition: settings_getters.c:3641
freerdp_settings_get_bool
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
Definition: settings_getters.c:54
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition: common/settings.c:1332
freerdp_settings_get_string
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.
Definition: settings_getters.c:2679
freerdp_settings_set_pointer_len
FREERDP_API BOOL freerdp_settings_set_pointer_len(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data, size_t len)
Set a pointer to value data.
Definition: common/settings.c:1344
freerdp_settings_get_codecs_flags
FREERDP_API UINT32 freerdp_settings_get_codecs_flags(const rdpSettings *settings)
helper function to get a mask of supported codec flags.
Definition: common/settings.c:1849
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
Definition: settings_getters.c:2013
freerdp_settings_get_pointer_writable
FREERDP_API void * freerdp_settings_get_pointer_writable(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a mutable pointer settings value.
Definition: settings_getters.c:3981
ADDIN_ARGV
Definition: settings_types.h:362
CHANNEL_DEF
Definition: wtsapi.h:78