FreeRDP
connection.c
1 /*
2  * FreeRDP: A Remote Desktop Protocol Implementation
3  * Connection Sequence
4  *
5  * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
6  * Copyright 2015 Thincast Technologies GmbH
7  * Copyright 2015 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
8  * Copyright 2023 Armin Novak <anovak@thincast.com>
9  * Copyright 2023 Thincast Technologies GmbH
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 
24 #include <freerdp/config.h>
25 
26 #include "settings.h"
27 
28 #include "info.h"
29 #include "input.h"
30 #include "rdp.h"
31 #include "peer.h"
32 
33 #include "connection.h"
34 #include "transport.h"
35 
36 #include <winpr/crt.h>
37 #include <winpr/crypto.h>
38 #include <winpr/ssl.h>
39 
40 #include <freerdp/log.h>
41 #include <freerdp/error.h>
42 #include <freerdp/listener.h>
43 
44 #include "../cache/pointer.h"
45 #include "../crypto/crypto.h"
46 #include "../crypto/privatekey.h"
47 #include "../crypto/certificate.h"
48 #include "gateway/arm.h"
49 
50 #include "utils.h"
51 
52 #define TAG FREERDP_TAG("core.connection")
53 
197 static BOOL rdp_set_state(rdpRdp* rdp, CONNECTION_STATE state);
198 
199 static BOOL rdp_client_reset_codecs(rdpContext* context)
200 {
201  rdpSettings* settings = NULL;
202 
203  if (!context || !context->settings)
204  return FALSE;
205 
206  settings = context->settings;
207 
208  if (!freerdp_settings_get_bool(settings, FreeRDP_DeactivateClientDecoding))
209  {
210  const UINT32 flags = freerdp_settings_get_uint32(settings, FreeRDP_ThreadingFlags);
211  freerdp_client_codecs_free(context->codecs);
212  context->codecs = freerdp_client_codecs_new(flags);
213 
214  if (!context->codecs)
215  return FALSE;
216 
217  if (!freerdp_client_codecs_prepare(context->codecs,
218  freerdp_settings_get_codecs_flags(settings),
219  settings->DesktopWidth, settings->DesktopHeight))
220  return FALSE;
221 
222 /* Runtime H264 detection. (only available if dynamic backend loading is defined)
223  * If no backend is available disable it before the channel is loaded.
224  */
225 #if defined(WITH_GFX_H264) && defined(WITH_OPENH264_LOADING)
226  if (!context->codecs->h264)
227  {
228  settings->GfxH264 = FALSE;
229  settings->GfxAVC444 = FALSE;
230  settings->GfxAVC444v2 = FALSE;
231  }
232 #endif
233  }
234 
235  return TRUE;
236 }
237 
238 static BOOL rdp_client_wait_for_activation(rdpRdp* rdp)
239 {
240  BOOL timedout = FALSE;
241  WINPR_ASSERT(rdp);
242 
243  const rdpSettings* settings = rdp->settings;
244  WINPR_ASSERT(settings);
245 
246  UINT64 now = GetTickCount64();
247  UINT64 dueDate = now + freerdp_settings_get_uint32(settings, FreeRDP_TcpAckTimeout);
248 
249  for (; (now < dueDate) && !timedout; now = GetTickCount64())
250  {
251  HANDLE events[MAXIMUM_WAIT_OBJECTS] = { 0 };
252  DWORD wstatus = 0;
253  DWORD nevents = freerdp_get_event_handles(rdp->context, events, ARRAYSIZE(events));
254  if (!nevents)
255  {
256  WLog_ERR(TAG, "error retrieving connection events");
257  return FALSE;
258  }
259 
260  const UINT64 timeout = (dueDate - now);
261  WINPR_ASSERT(timeout <= UINT32_MAX);
262  wstatus = WaitForMultipleObjectsEx(nevents, events, FALSE, (UINT32)timeout, TRUE);
263  switch (wstatus)
264  {
265  case WAIT_TIMEOUT:
266  /* will make us quit with a timeout */
267  timedout = TRUE;
268  break;
269  case WAIT_ABANDONED:
270  case WAIT_FAILED:
271  return FALSE;
272  case WAIT_IO_COMPLETION:
273  break;
274  case WAIT_OBJECT_0:
275  default:
276  /* handles all WAIT_OBJECT_0 + [0 .. MAXIMUM_WAIT_OBJECTS-1] cases */
277  if (rdp_check_fds(rdp) < 0)
278  {
279  freerdp_set_last_error_if_not(rdp->context,
280  FREERDP_ERROR_CONNECT_TRANSPORT_FAILED);
281  return FALSE;
282  }
283  break;
284  }
285 
286  if (rdp_is_active_state(rdp))
287  return TRUE;
288  }
289 
290  WLog_ERR(TAG, "Timeout waiting for activation");
291  freerdp_set_last_error_if_not(rdp->context, FREERDP_ERROR_CONNECT_ACTIVATION_TIMEOUT);
292  return FALSE;
293 }
301 BOOL rdp_client_connect(rdpRdp* rdp)
302 {
303  UINT32 SelectedProtocol = 0;
304  BOOL status = 0;
305  rdpSettings* settings = NULL;
306  /* make sure SSL is initialize for earlier enough for crypto, by taking advantage of winpr SSL
307  * FIPS flag for openssl initialization */
308  DWORD flags = WINPR_SSL_INIT_DEFAULT;
309 
310  WINPR_ASSERT(rdp);
311 
312  settings = rdp->settings;
313  WINPR_ASSERT(settings);
314 
315  if (!rdp_client_reset_codecs(rdp->context))
316  return FALSE;
317 
318  if (settings->FIPSMode)
319  flags |= WINPR_SSL_INIT_ENABLE_FIPS;
320 
321  winpr_InitializeSSL(flags);
322 
323  /* FIPS Mode forces the following and overrides the following(by happening later */
324  /* in the command line processing): */
325  /* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses
326  * algorithms */
327  /* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
328  /* 2. Forces the only supported RDP encryption method to be FIPS. */
329  if (settings->FIPSMode || winpr_FIPSMode())
330  {
331  settings->NlaSecurity = FALSE;
332  settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
333  }
334 
335  UINT32 TcpConnectTimeout = freerdp_settings_get_uint32(settings, FreeRDP_TcpConnectTimeout);
336  if (settings->GatewayArmTransport)
337  {
338  if (!arm_resolve_endpoint(rdp->context, TcpConnectTimeout))
339  {
340  WLog_ERR(TAG, "error retrieving ARM configuration");
341  return FALSE;
342  }
343  }
344 
345  const char* hostname = settings->ServerHostname;
346  if (!hostname)
347  {
348  WLog_ERR(TAG, "Missing hostname, can not connect to NULL target");
349  return FALSE;
350  }
351 
352  const UINT32 port = settings->ServerPort;
353  WINPR_ASSERT(port <= UINT32_MAX);
354 
355  nego_init(rdp->nego);
356  nego_set_target(rdp->nego, hostname, (UINT16)port);
357 
358  if (settings->GatewayEnabled)
359  {
360  char* user = NULL;
361  char* domain = NULL;
362  size_t user_length = 0;
363 
364  if (settings->Username)
365  {
366  user = settings->Username;
367  user_length = strlen(settings->Username);
368  }
369 
370  if (settings->Domain)
371  domain = settings->Domain;
372  else
373  domain = settings->ComputerName;
374 
375  const size_t domain_length = strlen(domain);
376  const size_t cookie_length = domain_length + 1 + user_length;
377  char* cookie = malloc(cookie_length + 1);
378 
379  if (!cookie)
380  return FALSE;
381 
382  CopyMemory(cookie, domain, domain_length);
383  WINPR_ASSERT(domain_length <= UINT32_MAX);
384  CharUpperBuffA(cookie, (UINT32)domain_length);
385  cookie[domain_length] = '\\';
386 
387  if (settings->Username)
388  CopyMemory(&cookie[domain_length + 1], user, user_length);
389 
390  cookie[cookie_length] = '\0';
391  status = nego_set_cookie(rdp->nego, cookie);
392  free(cookie);
393  }
394  else
395  {
396  status = nego_set_cookie(rdp->nego, settings->Username);
397  }
398 
399  if (!status)
400  return FALSE;
401 
402  nego_set_childsession_enabled(rdp->nego, settings->ConnectChildSession);
403  nego_set_send_preconnection_pdu(rdp->nego, settings->SendPreconnectionPdu);
404  nego_set_preconnection_id(rdp->nego, settings->PreconnectionId);
405  nego_set_preconnection_blob(rdp->nego, settings->PreconnectionBlob);
406  nego_set_negotiation_enabled(rdp->nego, settings->NegotiateSecurityLayer);
407  nego_set_restricted_admin_mode_required(rdp->nego, settings->RestrictedAdminModeRequired);
408  nego_set_RCG_required(rdp->nego, settings->RemoteCredentialGuard);
409  nego_set_gateway_enabled(rdp->nego, settings->GatewayEnabled);
410  nego_set_gateway_bypass_local(rdp->nego, settings->GatewayBypassLocal);
411  nego_enable_rdp(rdp->nego, settings->RdpSecurity);
412  nego_enable_tls(rdp->nego, settings->TlsSecurity);
413  nego_enable_nla(rdp->nego, settings->NlaSecurity);
414  nego_enable_ext(rdp->nego, settings->ExtSecurity);
415  nego_enable_rdstls(rdp->nego, settings->RdstlsSecurity);
416  nego_enable_aad(rdp->nego, settings->AadSecurity);
417 
418  if (settings->MstscCookieMode)
419  settings->CookieMaxLength = MSTSC_COOKIE_MAX_LENGTH;
420 
421  nego_set_cookie_max_length(rdp->nego, settings->CookieMaxLength);
422 
423  if (settings->LoadBalanceInfo && (settings->LoadBalanceInfoLength > 0))
424  {
425  if (!nego_set_routing_token(rdp->nego, settings->LoadBalanceInfo,
426  settings->LoadBalanceInfoLength))
427  return FALSE;
428  }
429 
430  if (!freerdp_settings_get_bool(settings, FreeRDP_TransportDumpReplay))
431  {
432  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_NEGO))
433  return FALSE;
434 
435  if (!nego_connect(rdp->nego))
436  {
437  if (!freerdp_get_last_error(rdp->context))
438  {
439  freerdp_set_last_error_log(rdp->context,
440  FREERDP_ERROR_SECURITY_NEGO_CONNECT_FAILED);
441  WLog_ERR(TAG, "Error: protocol security negotiation or connection failure");
442  }
443 
444  return FALSE;
445  }
446 
447  SelectedProtocol = nego_get_selected_protocol(rdp->nego);
448 
449  if ((SelectedProtocol & PROTOCOL_SSL) || (SelectedProtocol == PROTOCOL_RDP) ||
450  (SelectedProtocol == PROTOCOL_RDSTLS))
451  {
452  wStream s = { 0 };
453 
454  if ((settings->Username != NULL) &&
455  ((freerdp_settings_get_string(settings, FreeRDP_Password) != NULL) ||
456  (settings->RedirectionPassword != NULL &&
457  settings->RedirectionPasswordLength > 0)))
458  settings->AutoLogonEnabled = TRUE;
459 
460  if (rdp_recv_callback(rdp->transport, &s, rdp) < 0)
461  return FALSE;
462  }
463 
464  transport_set_blocking_mode(rdp->transport, FALSE);
465  }
466  else
467  {
468  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CREATE_REQUEST))
469  return FALSE;
470  }
471 
472  /* everything beyond this point is event-driven and non blocking */
473  if (!transport_set_recv_callbacks(rdp->transport, rdp_recv_callback, rdp))
474  return FALSE;
475 
476  return rdp_client_wait_for_activation(rdp);
477 }
478 
479 BOOL rdp_client_disconnect(rdpRdp* rdp)
480 {
481  rdpContext* context = NULL;
482 
483  if (!rdp || !rdp->settings || !rdp->context)
484  return FALSE;
485 
486  context = rdp->context;
487 
488  if (rdp->nego)
489  {
490  if (!nego_disconnect(rdp->nego))
491  return FALSE;
492  }
493 
494  if (!rdp_reset(rdp))
495  return FALSE;
496 
497  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_INITIAL))
498  return FALSE;
499 
500  if (freerdp_channels_disconnect(context->channels, context->instance) != CHANNEL_RC_OK)
501  return FALSE;
502 
503  freerdp_client_codecs_free(context->codecs);
504  context->codecs = NULL;
505  return TRUE;
506 }
507 
508 BOOL rdp_client_disconnect_and_clear(rdpRdp* rdp)
509 {
510  rdpContext* context = NULL;
511 
512  if (!rdp_client_disconnect(rdp))
513  return FALSE;
514 
515  WINPR_ASSERT(rdp);
516 
517  context = rdp->context;
518  WINPR_ASSERT(context);
519 
520  if (freerdp_get_last_error(context) == FREERDP_ERROR_CONNECT_CANCELLED)
521  return FALSE;
522 
523  context->LastError = FREERDP_ERROR_SUCCESS;
524  clearChannelError(context);
525  return utils_reset_abort(rdp);
526 }
527 
528 static BOOL rdp_client_reconnect_channels(rdpRdp* rdp, BOOL redirect)
529 {
530  BOOL status = FALSE;
531  rdpContext* context = NULL;
532 
533  if (!rdp || !rdp->context || !rdp->context->channels)
534  return FALSE;
535 
536  context = rdp->context;
537 
538  if (context->instance->ConnectionCallbackState == CLIENT_STATE_INITIAL)
539  return FALSE;
540 
541  if (context->instance->ConnectionCallbackState == CLIENT_STATE_PRECONNECT_PASSED)
542  {
543  if (redirect)
544  return TRUE;
545 
546  pointer_cache_register_callbacks(context->update);
547 
548  if (!IFCALLRESULT(FALSE, context->instance->PostConnect, context->instance))
549  return FALSE;
550 
551  context->instance->ConnectionCallbackState = CLIENT_STATE_POSTCONNECT_PASSED;
552  }
553 
554  if (context->instance->ConnectionCallbackState == CLIENT_STATE_POSTCONNECT_PASSED)
555  status =
556  (freerdp_channels_post_connect(context->channels, context->instance) == CHANNEL_RC_OK);
557 
558  return status;
559 }
560 
561 static BOOL rdp_client_redirect_resolvable(const char* host)
562 {
563  struct addrinfo* result = freerdp_tcp_resolve_host(host, -1, 0);
564 
565  if (!result)
566  return FALSE;
567 
568  freeaddrinfo(result);
569  return TRUE;
570 }
571 
572 static BOOL rdp_client_redirect_try_fqdn(rdpSettings* settings)
573 {
574  if (settings->RedirectionFlags & LB_TARGET_FQDN)
575  {
576  if (settings->GatewayEnabled ||
577  rdp_client_redirect_resolvable(settings->RedirectionTargetFQDN))
578  {
579  if (!freerdp_settings_set_string(settings, FreeRDP_ServerHostname,
580  settings->RedirectionTargetFQDN))
581  return FALSE;
582 
583  return TRUE;
584  }
585  }
586 
587  return FALSE;
588 }
589 
590 static BOOL rdp_client_redirect_try_ip(rdpSettings* settings)
591 {
592  if (settings->RedirectionFlags & LB_TARGET_NET_ADDRESS)
593  {
594  if (!freerdp_settings_set_string(settings, FreeRDP_ServerHostname,
595  settings->TargetNetAddress))
596  return FALSE;
597 
598  return TRUE;
599  }
600 
601  return FALSE;
602 }
603 
604 static BOOL rdp_client_redirect_try_netbios(rdpSettings* settings)
605 {
606  if (settings->RedirectionFlags & LB_TARGET_NETBIOS_NAME)
607  {
608  if (settings->GatewayEnabled ||
609  rdp_client_redirect_resolvable(settings->RedirectionTargetNetBiosName))
610  {
611  if (!freerdp_settings_set_string(settings, FreeRDP_ServerHostname,
612  settings->RedirectionTargetNetBiosName))
613  return FALSE;
614 
615  return TRUE;
616  }
617  }
618 
619  return FALSE;
620 }
621 
622 BOOL rdp_client_redirect(rdpRdp* rdp)
623 {
624  BOOL status = 0;
625  rdpSettings* settings = NULL;
626 
627  if (!rdp_client_disconnect_and_clear(rdp))
628  return FALSE;
629 
630  /* Only disconnect & close the channels here.
631  * they will be discarded and recreated after the new settings have been applied. */
632  freerdp_channels_disconnect(rdp->context->channels, rdp->context->instance);
633  freerdp_channels_close(rdp->context->channels, rdp->context->instance);
634 
635  if (rdp_redirection_apply_settings(rdp) != 0)
636  return FALSE;
637 
638  WINPR_ASSERT(rdp);
639 
640  settings = rdp->settings;
641  WINPR_ASSERT(settings);
642 
643  if ((settings->RedirectionFlags & LB_LOAD_BALANCE_INFO) == 0)
644  {
645  BOOL haveRedirectAddress = FALSE;
646  UINT32 redirectionMask = settings->RedirectionPreferType;
647 
648  do
649  {
650  const BOOL tryFQDN = (redirectionMask & 0x01) == 0;
651  const BOOL tryNetAddress = (redirectionMask & 0x02) == 0;
652  const BOOL tryNetbios = (redirectionMask & 0x04) == 0;
653 
654  if (tryFQDN && !haveRedirectAddress)
655  haveRedirectAddress = rdp_client_redirect_try_fqdn(settings);
656 
657  if (tryNetAddress && !haveRedirectAddress)
658  haveRedirectAddress = rdp_client_redirect_try_ip(settings);
659 
660  if (tryNetbios && !haveRedirectAddress)
661  haveRedirectAddress = rdp_client_redirect_try_netbios(settings);
662 
663  redirectionMask >>= 3;
664  } while (!haveRedirectAddress && (redirectionMask != 0));
665  }
666 
667  if (settings->RedirectionFlags & LB_USERNAME)
668  {
669  if (!freerdp_settings_set_string(
670  settings, FreeRDP_Username,
671  freerdp_settings_get_string(settings, FreeRDP_RedirectionUsername)))
672  return FALSE;
673  }
674 
675  if (settings->RedirectionFlags & LB_DOMAIN)
676  {
677  if (!freerdp_settings_set_string(
678  settings, FreeRDP_Domain,
679  freerdp_settings_get_string(settings, FreeRDP_RedirectionDomain)))
680  return FALSE;
681  }
682 
683  settings->RdstlsSecurity =
684  (settings->RedirectionFlags & LB_PASSWORD_IS_PK_ENCRYPTED) != 0 ? TRUE : FALSE;
685 
686  WINPR_ASSERT(rdp->context);
687  WINPR_ASSERT(rdp->context->instance);
688  if (!IFCALLRESULT(TRUE, rdp->context->instance->Redirect, rdp->context->instance))
689  return FALSE;
690 
691  BOOL ok = utils_reload_channels(rdp->context);
692  if (!ok)
693  return FALSE;
694 
695  status = rdp_client_connect(rdp);
696 
697  if (status)
698  status = rdp_client_reconnect_channels(rdp, TRUE);
699 
700  return status;
701 }
702 
703 BOOL rdp_client_reconnect(rdpRdp* rdp)
704 {
705  BOOL status = 0;
706 
707  if (!rdp_client_disconnect_and_clear(rdp))
708  return FALSE;
709 
710  status = rdp_client_connect(rdp);
711 
712  if (status)
713  status = rdp_client_reconnect_channels(rdp, FALSE);
714 
715  return status;
716 }
717 
718 static const BYTE fips_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
719 
720 static BOOL rdp_client_establish_keys(rdpRdp* rdp)
721 {
722  wStream* s = NULL;
723  int status = 0;
724  BOOL ret = FALSE;
725 
726  WINPR_ASSERT(rdp);
727  rdpSettings* settings = rdp->settings;
728  BYTE* crypt_client_random = NULL;
729 
730  WINPR_ASSERT(settings);
731  if (!settings->UseRdpSecurityLayer)
732  {
733  /* no RDP encryption */
734  return TRUE;
735  }
736 
737  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT))
738  return FALSE;
739 
740  /* encrypt client random */
741  if (!freerdp_settings_set_pointer_len(settings, FreeRDP_ClientRandom, NULL,
742  CLIENT_RANDOM_LENGTH))
743  return FALSE;
744  winpr_RAND(settings->ClientRandom, settings->ClientRandomLength);
745 
746  const rdpCertInfo* info = freerdp_certificate_get_info(settings->RdpServerCertificate);
747  if (!info)
748  {
749  WLog_ERR(TAG, "Failed to get rdpCertInfo from RdpServerCertificate");
750  return FALSE;
751  }
752 
753  /*
754  * client random must be (bitlen / 8) + 8 - see [MS-RDPBCGR] 5.3.4.1
755  * for details
756  */
757  crypt_client_random = calloc(info->ModulusLength, 1);
758 
759  if (!crypt_client_random)
760  return FALSE;
761 
762  crypto_rsa_public_encrypt(settings->ClientRandom, settings->ClientRandomLength, info,
763  crypt_client_random, info->ModulusLength);
764  /* send crypt client random to server */
765  const size_t length = RDP_PACKET_HEADER_MAX_LENGTH + RDP_SECURITY_HEADER_LENGTH + 4ULL +
766  info->ModulusLength + 8ULL;
767  if (length > UINT16_MAX)
768  return FALSE;
769 
770  s = Stream_New(NULL, length);
771 
772  if (!s)
773  {
774  WLog_ERR(TAG, "Stream_New failed!");
775  goto end;
776  }
777 
778  if (!rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID))
779  goto end;
780  if (!rdp_write_security_header(rdp, s, SEC_EXCHANGE_PKT | SEC_LICENSE_ENCRYPT_SC))
781  goto end;
782 
783  Stream_Write_UINT32(s, info->ModulusLength + 8);
784  Stream_Write(s, crypt_client_random, info->ModulusLength);
785  Stream_Zero(s, 8);
786  Stream_SealLength(s);
787  status = transport_write(rdp->mcs->transport, s);
788 
789  if (status < 0)
790  goto end;
791 
792  rdp->do_crypt_license = TRUE;
793 
794  /* now calculate encrypt / decrypt and update keys */
795  if (!security_establish_keys(rdp))
796  goto end;
797 
798  rdp->do_crypt = TRUE;
799 
800  if (settings->SaltedChecksum)
801  rdp->do_secure_checksum = TRUE;
802 
803  if (settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
804  {
805  rdp->fips_encrypt =
806  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_ENCRYPT, rdp->fips_encrypt_key,
807  sizeof(rdp->fips_encrypt_key), fips_ivec, sizeof(fips_ivec));
808 
809  if (!rdp->fips_encrypt)
810  {
811  WLog_ERR(TAG, "unable to allocate des3 encrypt key");
812  goto end;
813  }
814 
815  rdp->fips_decrypt =
816  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_DECRYPT, rdp->fips_decrypt_key,
817  sizeof(rdp->fips_decrypt_key), fips_ivec, sizeof(fips_ivec));
818 
819  if (!rdp->fips_decrypt)
820  {
821  WLog_ERR(TAG, "unable to allocate des3 decrypt key");
822  goto end;
823  }
824 
825  ret = TRUE;
826  goto end;
827  }
828 
829  if (!rdp_reset_rc4_encrypt_keys(rdp))
830  goto end;
831  if (!rdp_reset_rc4_decrypt_keys(rdp))
832  goto end;
833 
834  ret = TRUE;
835 end:
836  Stream_Free(s, TRUE);
837  free(crypt_client_random);
838 
839  if (!ret)
840  {
841  winpr_Cipher_Free(rdp->fips_decrypt);
842  winpr_Cipher_Free(rdp->fips_encrypt);
843  rdp->fips_decrypt = NULL;
844  rdp->fips_encrypt = NULL;
845 
846  rdp_free_rc4_decrypt_keys(rdp);
847  rdp_free_rc4_encrypt_keys(rdp);
848  }
849 
850  return ret;
851 }
852 
853 static BOOL rdp_update_client_random(rdpSettings* settings, const BYTE* crypt_random,
854  size_t crypt_random_len)
855 {
856  const size_t length = 32;
857  WINPR_ASSERT(settings);
858 
859  const rdpPrivateKey* rsa = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey);
860  WINPR_ASSERT(rsa);
861 
862  const rdpCertInfo* cinfo = freerdp_key_get_info(rsa);
863  WINPR_ASSERT(cinfo);
864 
865  if (crypt_random_len != cinfo->ModulusLength + 8)
866  {
867  WLog_ERR(TAG, "invalid encrypted client random length");
868  return FALSE;
869  }
870  if (!freerdp_settings_set_pointer_len(settings, FreeRDP_ClientRandom, NULL, length))
871  return FALSE;
872 
873  BYTE* client_random = freerdp_settings_get_pointer_writable(settings, FreeRDP_ClientRandom);
874  WINPR_ASSERT(client_random);
875  return crypto_rsa_private_decrypt(crypt_random, crypt_random_len - 8, rsa, client_random,
876  length) > 0;
877 }
878 
879 BOOL rdp_server_establish_keys(rdpRdp* rdp, wStream* s)
880 {
881  UINT32 rand_len = 0;
882  UINT16 channel_id = 0;
883  UINT16 length = 0;
884  UINT16 sec_flags = 0;
885  BOOL ret = FALSE;
886 
887  WINPR_ASSERT(rdp);
888 
889  if (!rdp->settings->UseRdpSecurityLayer)
890  {
891  /* No RDP Security. */
892  return TRUE;
893  }
894 
895  if (!rdp_read_header(rdp, s, &length, &channel_id))
896  return FALSE;
897 
898  if (!rdp_read_security_header(rdp, s, &sec_flags, NULL))
899  {
900  WLog_ERR(TAG, "invalid security header");
901  return FALSE;
902  }
903 
904  if ((sec_flags & SEC_EXCHANGE_PKT) == 0)
905  {
906  WLog_ERR(TAG, "missing SEC_EXCHANGE_PKT in security header");
907  return FALSE;
908  }
909 
910  rdp->do_crypt_license = (sec_flags & SEC_LICENSE_ENCRYPT_SC) != 0 ? TRUE : FALSE;
911 
912  if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
913  return FALSE;
914 
915  Stream_Read_UINT32(s, rand_len);
916 
917  /* rand_len already includes 8 bytes of padding */
918  if (!Stream_CheckAndLogRequiredLength(TAG, s, rand_len))
919  return FALSE;
920 
921  const BYTE* crypt_random = Stream_ConstPointer(s);
922  if (!Stream_SafeSeek(s, rand_len))
923  goto end;
924  if (!rdp_update_client_random(rdp->settings, crypt_random, rand_len))
925  goto end;
926 
927  /* now calculate encrypt / decrypt and update keys */
928  if (!security_establish_keys(rdp))
929  goto end;
930 
931  rdp->do_crypt = TRUE;
932 
933  if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
934  {
935  rdp->fips_encrypt =
936  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_ENCRYPT, rdp->fips_encrypt_key,
937  sizeof(rdp->fips_encrypt_key), fips_ivec, sizeof(fips_ivec));
938 
939  if (!rdp->fips_encrypt)
940  {
941  WLog_ERR(TAG, "unable to allocate des3 encrypt key");
942  goto end;
943  }
944 
945  rdp->fips_decrypt =
946  winpr_Cipher_NewEx(WINPR_CIPHER_DES_EDE3_CBC, WINPR_DECRYPT, rdp->fips_decrypt_key,
947  sizeof(rdp->fips_decrypt_key), fips_ivec, sizeof(fips_ivec));
948 
949  if (!rdp->fips_decrypt)
950  {
951  WLog_ERR(TAG, "unable to allocate des3 decrypt key");
952  goto end;
953  }
954 
955  ret = TRUE;
956  goto end;
957  }
958 
959  if (!rdp_reset_rc4_encrypt_keys(rdp))
960  goto end;
961 
962  if (!rdp_reset_rc4_decrypt_keys(rdp))
963  goto end;
964 
965  ret = tpkt_ensure_stream_consumed(s, length);
966 end:
967 
968  if (!ret)
969  {
970  winpr_Cipher_Free(rdp->fips_encrypt);
971  winpr_Cipher_Free(rdp->fips_decrypt);
972  rdp->fips_encrypt = NULL;
973  rdp->fips_decrypt = NULL;
974 
975  rdp_free_rc4_encrypt_keys(rdp);
976  rdp_free_rc4_decrypt_keys(rdp);
977  }
978 
979  return ret;
980 }
981 
982 static BOOL rdp_client_send_client_info_and_change_state(rdpRdp* rdp)
983 {
984  WINPR_ASSERT(rdp);
985  if (!rdp_client_establish_keys(rdp))
986  return FALSE;
987  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE))
988  return FALSE;
989  if (!rdp_send_client_info(rdp))
990  return FALSE;
991  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_REQUEST))
992  return FALSE;
993  return TRUE;
994 }
995 
996 BOOL rdp_client_skip_mcs_channel_join(rdpRdp* rdp)
997 {
998  WINPR_ASSERT(rdp);
999 
1000  rdpMcs* mcs = rdp->mcs;
1001  WINPR_ASSERT(mcs);
1002 
1003  mcs->userChannelJoined = TRUE;
1004  mcs->globalChannelJoined = TRUE;
1005  mcs->messageChannelJoined = TRUE;
1006 
1007  for (UINT32 i = 0; i < mcs->channelCount; i++)
1008  {
1009  rdpMcsChannel* cur = &mcs->channels[i];
1010  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1011  cur->joined = TRUE;
1012  }
1013 
1014  return rdp_client_send_client_info_and_change_state(rdp);
1015 }
1016 
1017 static BOOL rdp_client_join_channel(rdpRdp* rdp, UINT16 ChannelId)
1018 {
1019  WINPR_ASSERT(rdp);
1020 
1021  rdpMcs* mcs = rdp->mcs;
1022  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST))
1023  return FALSE;
1024  if (!mcs_send_channel_join_request(mcs, ChannelId))
1025  return FALSE;
1026  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE))
1027  return FALSE;
1028  return TRUE;
1029 }
1030 
1031 BOOL rdp_client_connect_mcs_channel_join_confirm(rdpRdp* rdp, wStream* s)
1032 {
1033  UINT16 channelId = 0;
1034  BOOL allJoined = TRUE;
1035 
1036  WINPR_ASSERT(rdp);
1037  rdpMcs* mcs = rdp->mcs;
1038 
1039  if (!mcs_recv_channel_join_confirm(mcs, s, &channelId))
1040  return FALSE;
1041 
1042  if (!mcs->userChannelJoined)
1043  {
1044  if (channelId != mcs->userId)
1045  {
1046  WLog_ERR(TAG, "expected user channel id %" PRIu16 ", but received %" PRIu16,
1047  mcs->userId, channelId);
1048  return FALSE;
1049  }
1050 
1051  mcs->userChannelJoined = TRUE;
1052  if (!rdp_client_join_channel(rdp, MCS_GLOBAL_CHANNEL_ID))
1053  return FALSE;
1054  }
1055  else if (!mcs->globalChannelJoined)
1056  {
1057  if (channelId != MCS_GLOBAL_CHANNEL_ID)
1058  {
1059  WLog_ERR(TAG, "expected uglobalser channel id %" PRIu16 ", but received %" PRIu16,
1060  MCS_GLOBAL_CHANNEL_ID, channelId);
1061  return FALSE;
1062  }
1063  mcs->globalChannelJoined = TRUE;
1064 
1065  if (mcs->messageChannelId != 0)
1066  {
1067  if (!rdp_client_join_channel(rdp, mcs->messageChannelId))
1068  return FALSE;
1069  allJoined = FALSE;
1070  }
1071  else
1072  {
1073  if (mcs->channelCount > 0)
1074  {
1075  const rdpMcsChannel* cur = &mcs->channels[0];
1076  if (!rdp_client_join_channel(rdp, cur->ChannelId))
1077  return FALSE;
1078  allJoined = FALSE;
1079  }
1080  }
1081  }
1082  else if ((mcs->messageChannelId != 0) && !mcs->messageChannelJoined)
1083  {
1084  if (channelId != mcs->messageChannelId)
1085  {
1086  WLog_ERR(TAG, "expected messageChannelId=%" PRIu16 ", got %" PRIu16,
1087  mcs->messageChannelId, channelId);
1088  return FALSE;
1089  }
1090 
1091  mcs->messageChannelJoined = TRUE;
1092 
1093  if (mcs->channelCount > 0)
1094  {
1095  const rdpMcsChannel* cur = &mcs->channels[0];
1096  if (!rdp_client_join_channel(rdp, cur->ChannelId))
1097  return FALSE;
1098  allJoined = FALSE;
1099  }
1100  }
1101  else
1102  {
1103  UINT32 i = 0;
1104  for (; i < mcs->channelCount; i++)
1105  {
1106  rdpMcsChannel* cur = &mcs->channels[i];
1107  if (cur->joined)
1108  continue;
1109 
1110  if (cur->ChannelId != channelId)
1111  {
1112  WLog_ERR(TAG, "expected channel id %" PRIu16 ", but received %" PRIu16,
1113  MCS_GLOBAL_CHANNEL_ID, channelId);
1114  return FALSE;
1115  }
1116  cur->joined = TRUE;
1117  break;
1118  }
1119 
1120  if (i + 1 < mcs->channelCount)
1121  {
1122  const rdpMcsChannel* cur = &mcs->channels[i + 1];
1123  if (!rdp_client_join_channel(rdp, cur->ChannelId))
1124  return FALSE;
1125  allJoined = FALSE;
1126  }
1127  }
1128 
1129  if (mcs->userChannelJoined && mcs->globalChannelJoined && allJoined)
1130  {
1131  if (!rdp_client_send_client_info_and_change_state(rdp))
1132  return FALSE;
1133  }
1134 
1135  return TRUE;
1136 }
1137 
1138 BOOL rdp_handle_message_channel(rdpRdp* rdp, wStream* s, UINT16 channelId, UINT16 length)
1139 {
1140  WINPR_ASSERT(rdp);
1141  WINPR_ASSERT(rdp->mcs);
1142 
1143  if (!rdp->mcs->messageChannelJoined)
1144  {
1145  WLog_Print(rdp->log, WLOG_WARN, "MCS message channel not joined!");
1146  return FALSE;
1147  }
1148  const UINT16 messageChannelId = rdp->mcs->messageChannelId;
1149  if (messageChannelId == 0)
1150  {
1151  WLog_Print(rdp->log, WLOG_WARN, "MCS message channel id == 0");
1152  return FALSE;
1153  }
1154 
1155  if (channelId != messageChannelId)
1156  {
1157  WLog_Print(rdp->log, WLOG_WARN, "MCS message channel expected id=%" PRIu16 ", got %" PRIu16,
1158  messageChannelId, channelId);
1159  return FALSE;
1160  }
1161 
1162  UINT16 securityFlags = 0;
1163  if (!rdp_read_security_header(rdp, s, &securityFlags, &length))
1164  return FALSE;
1165 
1166  if (securityFlags & SEC_ENCRYPT)
1167  {
1168  if (!rdp_decrypt(rdp, s, &length, securityFlags))
1169  return FALSE;
1170  }
1171 
1172  if (rdp_recv_message_channel_pdu(rdp, s, securityFlags) != STATE_RUN_SUCCESS)
1173  return FALSE;
1174 
1175  return tpkt_ensure_stream_consumed(s, length);
1176 }
1177 
1178 BOOL rdp_client_connect_auto_detect(rdpRdp* rdp, wStream* s)
1179 {
1180  WINPR_ASSERT(rdp);
1181  WINPR_ASSERT(rdp->mcs);
1182 
1183  const size_t pos = Stream_GetPosition(s);
1184  UINT16 length = 0;
1185  UINT16 channelId = 0;
1186 
1187  if (rdp_read_header(rdp, s, &length, &channelId))
1188  {
1189  const UINT16 messageChannelId = rdp->mcs->messageChannelId;
1190  /* If the MCS message channel has been joined... */
1191 
1192  /* Process any MCS message channel PDUs. */
1193  if (rdp->mcs->messageChannelJoined && (channelId == messageChannelId))
1194  {
1195  if (rdp_handle_message_channel(rdp, s, channelId, length))
1196  return TRUE;
1197  }
1198  else
1199  {
1200  WLog_WARN(TAG, "expected messageChannelId=%" PRIu16 ", got %" PRIu16, messageChannelId,
1201  channelId);
1202  }
1203  }
1204 
1205  Stream_SetPosition(s, pos);
1206  return FALSE;
1207 }
1208 
1209 state_run_t rdp_client_connect_license(rdpRdp* rdp, wStream* s)
1210 {
1211  state_run_t status = STATE_RUN_FAILED;
1212  LICENSE_STATE state = LICENSE_STATE_ABORTED;
1213  UINT16 length = 0;
1214  UINT16 channelId = 0;
1215  UINT16 securityFlags = 0;
1216 
1217  WINPR_ASSERT(rdp);
1218  if (!rdp_read_header(rdp, s, &length, &channelId))
1219  return STATE_RUN_FAILED;
1220 
1221  /* there might be autodetect messages mixed in between licensing messages.
1222  * that has been observed with 2k12 R2 and 2k19
1223  */
1224  const UINT16 messageChannelId = rdp->mcs->messageChannelId;
1225  if (rdp->mcs->messageChannelJoined && (channelId == messageChannelId))
1226  {
1227  if (!rdp_handle_message_channel(rdp, s, channelId, length))
1228  return STATE_RUN_FAILED;
1229  return STATE_RUN_SUCCESS;
1230  }
1231 
1232  if (!rdp_read_security_header(rdp, s, &securityFlags, &length))
1233  return STATE_RUN_FAILED;
1234 
1235  if (securityFlags & SEC_ENCRYPT)
1236  {
1237  if (!rdp_decrypt(rdp, s, &length, securityFlags))
1238  return STATE_RUN_FAILED;
1239  }
1240 
1241  if (channelId != MCS_GLOBAL_CHANNEL_ID)
1242  WLog_WARN(TAG, "unexpected message for channel %u, expected %u", channelId,
1243  MCS_GLOBAL_CHANNEL_ID);
1244 
1245  if ((securityFlags & SEC_LICENSE_PKT) == 0)
1246  {
1247  char buffer[512] = { 0 };
1248  char lbuffer[32] = { 0 };
1249  WLog_ERR(TAG, "securityFlags=%s, missing required flag %s",
1250  rdp_security_flag_string(securityFlags, buffer, sizeof(buffer)),
1251  rdp_security_flag_string(SEC_LICENSE_PKT, lbuffer, sizeof(lbuffer)));
1252  return STATE_RUN_FAILED;
1253  }
1254 
1255  status = license_recv(rdp->license, s);
1256 
1257  if (state_run_failed(status))
1258  return status;
1259 
1260  state = license_get_state(rdp->license);
1261  switch (state)
1262  {
1263  case LICENSE_STATE_ABORTED:
1264  WLog_ERR(TAG, "license connection sequence aborted.");
1265  return STATE_RUN_FAILED;
1266  case LICENSE_STATE_COMPLETED:
1267  if (rdp->settings->MultitransportFlags)
1268  {
1269  if (!rdp_client_transition_to_state(
1270  rdp, CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_REQUEST))
1271  return STATE_RUN_FAILED;
1272  }
1273  else
1274  {
1275  if (!rdp_client_transition_to_state(
1276  rdp, CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE))
1277  return STATE_RUN_FAILED;
1278  }
1279  return STATE_RUN_SUCCESS;
1280  default:
1281  return STATE_RUN_SUCCESS;
1282  }
1283 }
1284 
1285 state_run_t rdp_client_connect_demand_active(rdpRdp* rdp, wStream* s)
1286 {
1287  UINT16 length = 0;
1288  UINT16 channelId = 0;
1289  UINT16 pduType = 0;
1290  UINT16 pduSource = 0;
1291 
1292  WINPR_ASSERT(rdp);
1293  WINPR_ASSERT(s);
1294  WINPR_ASSERT(rdp->settings);
1295 
1296  if (!rdp_recv_get_active_header(rdp, s, &channelId, &length))
1297  return STATE_RUN_FAILED;
1298 
1299  if (freerdp_shall_disconnect_context(rdp->context))
1300  return STATE_RUN_QUIT_SESSION;
1301 
1302  if (rdp->mcs->messageChannelId && (channelId == rdp->mcs->messageChannelId))
1303  {
1304  rdp->inPackets++;
1305  if (!rdp_handle_message_channel(rdp, s, channelId, length))
1306  return STATE_RUN_FAILED;
1307  return STATE_RUN_SUCCESS;
1308  }
1309 
1310  if (!rdp_handle_optional_rdp_decryption(rdp, s, &length, NULL))
1311  return STATE_RUN_FAILED;
1312 
1313  if (!rdp_read_share_control_header(rdp, s, NULL, NULL, &pduType, &pduSource))
1314  return STATE_RUN_FAILED;
1315 
1316  switch (pduType)
1317  {
1318  case PDU_TYPE_DEMAND_ACTIVE:
1319  if (!rdp_recv_demand_active(rdp, s, pduSource, length))
1320  return STATE_RUN_FAILED;
1321  return STATE_RUN_ACTIVE;
1322  default:
1323  return rdp_recv_out_of_sequence_pdu(rdp, s, pduType, length);
1324  }
1325 }
1326 
1327 state_run_t rdp_client_connect_finalize(rdpRdp* rdp)
1328 {
1329  WINPR_ASSERT(rdp);
1336  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_SYNC))
1337  return STATE_RUN_FAILED;
1338 
1339  if (!rdp_send_client_synchronize_pdu(rdp))
1340  return STATE_RUN_FAILED;
1341 
1342  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_COOPERATE))
1343  return STATE_RUN_FAILED;
1344  if (!rdp_send_client_control_pdu(rdp, CTRLACTION_COOPERATE))
1345  return STATE_RUN_FAILED;
1346 
1347  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL))
1348  return STATE_RUN_FAILED;
1349  if (!rdp_send_client_control_pdu(rdp, CTRLACTION_REQUEST_CONTROL))
1350  return STATE_RUN_FAILED;
1351 
1359  if (!rdp_finalize_is_flag_set(rdp, FINALIZE_DEACTIVATE_REACTIVATE) &&
1360  freerdp_settings_get_bool(rdp->settings, FreeRDP_BitmapCachePersistEnabled))
1361  {
1362  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST))
1363  return STATE_RUN_FAILED;
1364  if (!rdp_send_client_persistent_key_list_pdu(rdp))
1365  return STATE_RUN_FAILED;
1366  }
1367 
1368  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_FONT_LIST))
1369  return STATE_RUN_FAILED;
1370  if (!rdp_send_client_font_list_pdu(rdp, FONTLIST_FIRST | FONTLIST_LAST))
1371  return STATE_RUN_FAILED;
1372 
1373  if (!rdp_client_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_CLIENT_SYNC))
1374  return STATE_RUN_FAILED;
1375  return STATE_RUN_SUCCESS;
1376 }
1377 
1378 BOOL rdp_client_transition_to_state(rdpRdp* rdp, CONNECTION_STATE state)
1379 {
1380  const char* name = rdp_state_string(state);
1381 
1382  WINPR_ASSERT(rdp);
1383  WLog_Print(rdp->log, WLOG_DEBUG, "%s --> %s", rdp_get_state_string(rdp), name);
1384 
1385  if (!rdp_set_state(rdp, state))
1386  return FALSE;
1387 
1388  switch (state)
1389  {
1390  case CONNECTION_STATE_FINALIZATION_SYNC:
1391  case CONNECTION_STATE_FINALIZATION_COOPERATE:
1392  case CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL:
1393  case CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST:
1394  case CONNECTION_STATE_FINALIZATION_FONT_LIST:
1395  update_reset_state(rdp->update);
1396  break;
1397 
1398  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE:
1399  {
1400  ActivatedEventArgs activatedEvent = { 0 };
1401  rdpContext* context = rdp->context;
1402  EventArgsInit(&activatedEvent, "libfreerdp");
1403  activatedEvent.firstActivation =
1404  !rdp_finalize_is_flag_set(rdp, FINALIZE_DEACTIVATE_REACTIVATE);
1405  PubSub_OnActivated(rdp->pubSub, context, &activatedEvent);
1406  }
1407 
1408  break;
1409 
1410  default:
1411  break;
1412  }
1413 
1414  {
1415  ConnectionStateChangeEventArgs stateEvent = { 0 };
1416  rdpContext* context = rdp->context;
1417  EventArgsInit(&stateEvent, "libfreerdp");
1418  stateEvent.state = rdp_get_state(rdp);
1419  stateEvent.active = rdp_is_active_state(rdp);
1420  PubSub_OnConnectionStateChange(rdp->pubSub, context, &stateEvent);
1421  }
1422 
1423  return TRUE;
1424 }
1425 
1426 BOOL rdp_server_accept_nego(rdpRdp* rdp, wStream* s)
1427 {
1428  UINT32 SelectedProtocol = 0;
1429  UINT32 RequestedProtocols = 0;
1430  BOOL status = 0;
1431  rdpSettings* settings = NULL;
1432  rdpNego* nego = NULL;
1433 
1434  WINPR_ASSERT(rdp);
1435  WINPR_ASSERT(s);
1436 
1437  settings = rdp->settings;
1438  WINPR_ASSERT(settings);
1439 
1440  nego = rdp->nego;
1441  WINPR_ASSERT(nego);
1442 
1443  transport_set_blocking_mode(rdp->transport, TRUE);
1444 
1445  if (!nego_read_request(nego, s))
1446  return FALSE;
1447 
1448  RequestedProtocols = nego_get_requested_protocols(nego);
1449  WLog_DBG(TAG, "Client Security: RDSTLS:%d NLA:%d TLS:%d RDP:%d",
1450  (RequestedProtocols & PROTOCOL_RDSTLS) ? 1 : 0,
1451  (RequestedProtocols & PROTOCOL_HYBRID) ? 1 : 0,
1452  (RequestedProtocols & PROTOCOL_SSL) ? 1 : 0,
1453  (RequestedProtocols == PROTOCOL_RDP) ? 1 : 0);
1454  WLog_DBG(TAG,
1455  "Server Security: RDSTLS:%" PRId32 " NLA:%" PRId32 " TLS:%" PRId32 " RDP:%" PRId32 "",
1456  settings->RdstlsSecurity, settings->NlaSecurity, settings->TlsSecurity,
1457  settings->RdpSecurity);
1458 
1459  if ((settings->RdstlsSecurity) && (RequestedProtocols & PROTOCOL_RDSTLS))
1460  {
1461  SelectedProtocol = PROTOCOL_RDSTLS;
1462  }
1463  else if ((settings->NlaSecurity) && (RequestedProtocols & PROTOCOL_HYBRID))
1464  {
1465  SelectedProtocol = PROTOCOL_HYBRID;
1466  }
1467  else if ((settings->TlsSecurity) && (RequestedProtocols & PROTOCOL_SSL))
1468  {
1469  SelectedProtocol = PROTOCOL_SSL;
1470  }
1471  else if ((settings->RdpSecurity) && (RequestedProtocols == PROTOCOL_RDP))
1472  {
1473  SelectedProtocol = PROTOCOL_RDP;
1474  }
1475  else
1476  {
1477  /*
1478  * when here client and server aren't compatible, we select the right
1479  * error message to return to the client in the nego failure packet
1480  */
1481  SelectedProtocol = PROTOCOL_FAILED_NEGO;
1482 
1483  if (settings->RdpSecurity)
1484  {
1485  WLog_ERR(TAG, "server supports only Standard RDP Security");
1486  SelectedProtocol |= SSL_NOT_ALLOWED_BY_SERVER;
1487  }
1488  else
1489  {
1490  if (settings->NlaSecurity && !settings->TlsSecurity)
1491  {
1492  WLog_WARN(TAG, "server supports only NLA Security");
1493  SelectedProtocol |= HYBRID_REQUIRED_BY_SERVER;
1494  }
1495  else
1496  {
1497  WLog_WARN(TAG, "server supports only a SSL based Security (TLS or NLA)");
1498  SelectedProtocol |= SSL_REQUIRED_BY_SERVER;
1499  }
1500  }
1501 
1502  WLog_ERR(TAG, "Protocol security negotiation failure");
1503  }
1504 
1505  if (!(SelectedProtocol & PROTOCOL_FAILED_NEGO))
1506  {
1507  WLog_DBG(TAG, "Negotiated Security: RDSTLS:%d NLA:%d TLS:%d RDP:%d",
1508  (SelectedProtocol & PROTOCOL_RDSTLS) ? 1 : 0,
1509  (SelectedProtocol & PROTOCOL_HYBRID) ? 1 : 0,
1510  (SelectedProtocol & PROTOCOL_SSL) ? 1 : 0,
1511  (SelectedProtocol == PROTOCOL_RDP) ? 1 : 0);
1512  }
1513 
1514  if (!nego_set_selected_protocol(nego, SelectedProtocol))
1515  return FALSE;
1516 
1517  if (!nego_send_negotiation_response(nego))
1518  return FALSE;
1519 
1520  SelectedProtocol = nego_get_selected_protocol(nego);
1521  status = FALSE;
1522 
1523  if (SelectedProtocol & PROTOCOL_RDSTLS)
1524  status = transport_accept_rdstls(rdp->transport);
1525  else if (SelectedProtocol & PROTOCOL_HYBRID)
1526  status = transport_accept_nla(rdp->transport);
1527  else if (SelectedProtocol & PROTOCOL_SSL)
1528  status = transport_accept_tls(rdp->transport);
1529  else if (SelectedProtocol == PROTOCOL_RDP) /* 0 */
1530  status = transport_accept_rdp(rdp->transport);
1531 
1532  if (!status)
1533  return FALSE;
1534 
1535  transport_set_blocking_mode(rdp->transport, FALSE);
1536 
1537  return TRUE;
1538 }
1539 
1540 static BOOL rdp_update_encryption_level(rdpSettings* settings)
1541 {
1542  WINPR_ASSERT(settings);
1543 
1544  UINT32 EncryptionLevel = freerdp_settings_get_uint32(settings, FreeRDP_EncryptionLevel);
1545  UINT32 EncryptionMethods = freerdp_settings_get_uint32(settings, FreeRDP_EncryptionMethods);
1546 
1557  if (!settings->UseRdpSecurityLayer)
1558  {
1559  /* TLS/NLA is used: disable rdp style encryption */
1560  EncryptionLevel = ENCRYPTION_LEVEL_NONE;
1561  }
1562  else
1563  {
1564  /* verify server encryption level value */
1565  switch (EncryptionLevel)
1566  {
1567  case ENCRYPTION_LEVEL_NONE:
1568  WLog_INFO(TAG, "Active rdp encryption level: NONE");
1569  break;
1570 
1571  case ENCRYPTION_LEVEL_FIPS:
1572  WLog_INFO(TAG, "Active rdp encryption level: FIPS Compliant");
1573  break;
1574 
1575  case ENCRYPTION_LEVEL_HIGH:
1576  WLog_INFO(TAG, "Active rdp encryption level: HIGH");
1577  break;
1578 
1579  case ENCRYPTION_LEVEL_LOW:
1580  WLog_INFO(TAG, "Active rdp encryption level: LOW");
1581  break;
1582 
1583  case ENCRYPTION_LEVEL_CLIENT_COMPATIBLE:
1584  WLog_INFO(TAG, "Active rdp encryption level: CLIENT-COMPATIBLE");
1585  break;
1586 
1587  default:
1588  WLog_ERR(TAG, "Invalid server encryption level 0x%08" PRIX32 "", EncryptionLevel);
1589  WLog_ERR(TAG, "Switching to encryption level CLIENT-COMPATIBLE");
1590  EncryptionLevel = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
1591  }
1592  }
1593 
1594  /* choose rdp encryption method based on server level and client methods */
1595  switch (EncryptionLevel)
1596  {
1597  case ENCRYPTION_LEVEL_NONE:
1598  /* The only valid method is NONE in this case */
1599  EncryptionMethods = ENCRYPTION_METHOD_NONE;
1600  break;
1601 
1602  case ENCRYPTION_LEVEL_FIPS:
1603 
1604  /* The only valid method is FIPS in this case */
1605  if (!(EncryptionMethods & ENCRYPTION_METHOD_FIPS))
1606  {
1607  WLog_WARN(TAG, "client does not support FIPS as required by server configuration");
1608  }
1609 
1610  EncryptionMethods = ENCRYPTION_METHOD_FIPS;
1611  break;
1612 
1613  case ENCRYPTION_LEVEL_HIGH:
1614 
1615  /* Maximum key strength supported by the server must be used (128 bit)*/
1616  if (!(EncryptionMethods & ENCRYPTION_METHOD_128BIT))
1617  {
1618  WLog_WARN(TAG, "client does not support 128 bit encryption method as required by "
1619  "server configuration");
1620  }
1621 
1622  EncryptionMethods = ENCRYPTION_METHOD_128BIT;
1623  break;
1624 
1625  case ENCRYPTION_LEVEL_LOW:
1626  case ENCRYPTION_LEVEL_CLIENT_COMPATIBLE:
1627 
1628  /* Maximum key strength supported by the client must be used */
1629  if (EncryptionMethods & ENCRYPTION_METHOD_128BIT)
1630  EncryptionMethods = ENCRYPTION_METHOD_128BIT;
1631  else if (EncryptionMethods & ENCRYPTION_METHOD_56BIT)
1632  EncryptionMethods = ENCRYPTION_METHOD_56BIT;
1633  else if (EncryptionMethods & ENCRYPTION_METHOD_40BIT)
1634  EncryptionMethods = ENCRYPTION_METHOD_40BIT;
1635  else if (EncryptionMethods & ENCRYPTION_METHOD_FIPS)
1636  EncryptionMethods = ENCRYPTION_METHOD_FIPS;
1637  else
1638  {
1639  WLog_WARN(TAG, "client has not announced any supported encryption methods");
1640  EncryptionMethods = ENCRYPTION_METHOD_128BIT;
1641  }
1642 
1643  break;
1644 
1645  default:
1646  WLog_ERR(TAG, "internal error: unknown encryption level");
1647  return FALSE;
1648  }
1649 
1650  /* log selected encryption method */
1651  if (settings->UseRdpSecurityLayer)
1652  {
1653  switch (EncryptionMethods)
1654  {
1655  case ENCRYPTION_METHOD_NONE:
1656  WLog_INFO(TAG, "Selected rdp encryption method: NONE");
1657  break;
1658 
1659  case ENCRYPTION_METHOD_40BIT:
1660  WLog_INFO(TAG, "Selected rdp encryption method: 40BIT");
1661  break;
1662 
1663  case ENCRYPTION_METHOD_56BIT:
1664  WLog_INFO(TAG, "Selected rdp encryption method: 56BIT");
1665  break;
1666 
1667  case ENCRYPTION_METHOD_128BIT:
1668  WLog_INFO(TAG, "Selected rdp encryption method: 128BIT");
1669  break;
1670 
1671  case ENCRYPTION_METHOD_FIPS:
1672  WLog_INFO(TAG, "Selected rdp encryption method: FIPS");
1673  break;
1674 
1675  default:
1676  WLog_ERR(TAG, "internal error: unknown encryption method");
1677  return FALSE;
1678  }
1679  }
1680 
1681  if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel, EncryptionLevel))
1682  return FALSE;
1683  if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionMethods, EncryptionMethods))
1684  return FALSE;
1685  return TRUE;
1686 }
1687 
1688 BOOL rdp_server_accept_mcs_connect_initial(rdpRdp* rdp, wStream* s)
1689 {
1690  WINPR_ASSERT(rdp);
1691  WINPR_ASSERT(s);
1692 
1693  rdpMcs* mcs = rdp->mcs;
1694  WINPR_ASSERT(mcs);
1695 
1696  WINPR_ASSERT(rdp_get_state(rdp) == CONNECTION_STATE_MCS_CREATE_REQUEST);
1697  if (!mcs_recv_connect_initial(mcs, s))
1698  return FALSE;
1699  WINPR_ASSERT(rdp->settings);
1700 
1701  if (!mcs_server_apply_to_settings(mcs, rdp->settings))
1702  return FALSE;
1703 
1704  WLog_DBG(TAG, "Accepted client: %s", rdp->settings->ClientHostname);
1705  WLog_DBG(TAG, "Accepted channels:");
1706 
1707  WINPR_ASSERT(mcs->channels || (mcs->channelCount == 0));
1708  for (UINT32 i = 0; i < mcs->channelCount; i++)
1709  {
1710  ADDIN_ARGV* arg = NULL;
1711  rdpMcsChannel* cur = &mcs->channels[i];
1712  const char* params[1] = { cur->Name };
1713  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1714  arg = freerdp_addin_argv_new(ARRAYSIZE(params), params);
1715  if (!arg)
1716  return FALSE;
1717 
1718  if (!freerdp_static_channel_collection_add(rdp->settings, arg))
1719  {
1720  freerdp_addin_argv_free(arg);
1721  return FALSE;
1722  }
1723  }
1724 
1725  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_CREATE_RESPONSE))
1726  return FALSE;
1727  if (!rdp_update_encryption_level(rdp->settings))
1728  return FALSE;
1729  if (!mcs_send_connect_response(mcs))
1730  return FALSE;
1731  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_ERECT_DOMAIN))
1732  return FALSE;
1733 
1734  return TRUE;
1735 }
1736 
1737 BOOL rdp_server_accept_mcs_erect_domain_request(rdpRdp* rdp, wStream* s)
1738 {
1739  WINPR_ASSERT(rdp);
1740  WINPR_ASSERT(s);
1741  WINPR_ASSERT(rdp_get_state(rdp) == CONNECTION_STATE_MCS_ERECT_DOMAIN);
1742 
1743  if (!mcs_recv_erect_domain_request(rdp->mcs, s))
1744  return FALSE;
1745 
1746  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_ATTACH_USER);
1747 }
1748 
1749 static BOOL rdp_server_skip_mcs_channel_join(rdpRdp* rdp)
1750 {
1751  WINPR_ASSERT(rdp);
1752 
1753  rdpMcs* mcs = rdp->mcs;
1754  WINPR_ASSERT(mcs);
1755 
1756  mcs->userChannelJoined = TRUE;
1757  mcs->globalChannelJoined = TRUE;
1758  mcs->messageChannelJoined = TRUE;
1759 
1760  for (UINT32 i = 0; i < mcs->channelCount; i++)
1761  {
1762  rdpMcsChannel* cur = &mcs->channels[i];
1763  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1764  cur->joined = TRUE;
1765  }
1766  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT);
1767 }
1768 
1769 BOOL rdp_server_accept_mcs_attach_user_request(rdpRdp* rdp, wStream* s)
1770 {
1771  if (!mcs_recv_attach_user_request(rdp->mcs, s))
1772  return FALSE;
1773 
1774  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_ATTACH_USER_CONFIRM))
1775  return FALSE;
1776 
1777  if (!mcs_send_attach_user_confirm(rdp->mcs))
1778  return FALSE;
1779 
1780  if (freerdp_settings_get_bool(rdp->settings, FreeRDP_SupportSkipChannelJoin))
1781  return rdp_server_skip_mcs_channel_join(rdp);
1782  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST);
1783 }
1784 
1785 BOOL rdp_server_accept_mcs_channel_join_request(rdpRdp* rdp, wStream* s)
1786 {
1787  UINT16 channelId = 0;
1788  BOOL allJoined = TRUE;
1789  rdpMcs* mcs = NULL;
1790 
1791  WINPR_ASSERT(rdp);
1792  WINPR_ASSERT(rdp->context);
1793 
1794  mcs = rdp->mcs;
1795  WINPR_ASSERT(mcs);
1796 
1797  WINPR_ASSERT(rdp_get_state(rdp) == CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST);
1798 
1799  if (!mcs_recv_channel_join_request(mcs, rdp->settings, s, &channelId))
1800  return FALSE;
1801 
1802  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE))
1803  return FALSE;
1804 
1805  if (!mcs_send_channel_join_confirm(mcs, channelId))
1806  return FALSE;
1807 
1808  if (channelId == mcs->userId)
1809  mcs->userChannelJoined = TRUE;
1810  if (channelId == MCS_GLOBAL_CHANNEL_ID)
1811  mcs->globalChannelJoined = TRUE;
1812  if (channelId == mcs->messageChannelId)
1813  mcs->messageChannelJoined = TRUE;
1814 
1815  for (UINT32 i = 0; i < mcs->channelCount; i++)
1816  {
1817  rdpMcsChannel* cur = &mcs->channels[i];
1818  WLog_DBG(TAG, " %s [%" PRIu16 "]", cur->Name, cur->ChannelId);
1819  if (cur->ChannelId == channelId)
1820  cur->joined = TRUE;
1821 
1822  if (!cur->joined)
1823  allJoined = FALSE;
1824  }
1825 
1826  CONNECTION_STATE rc = CONNECTION_STATE_INITIAL;
1827  if ((mcs->userChannelJoined) && (mcs->globalChannelJoined) &&
1828  (mcs->messageChannelId == 0 || mcs->messageChannelJoined) && allJoined)
1829  rc = CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT;
1830  else
1831  rc = CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST;
1832 
1833  return rdp_server_transition_to_state(rdp, rc);
1834 }
1835 
1836 static BOOL rdp_server_send_sync(rdpRdp* rdp)
1837 {
1838  WINPR_ASSERT(rdp);
1839 
1840  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_CLIENT_SYNC))
1841  return FALSE;
1842  if (!rdp_send_server_synchronize_pdu(rdp))
1843  return FALSE;
1844  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE))
1845  return FALSE;
1846  if (!rdp_send_server_control_cooperate_pdu(rdp))
1847  return FALSE;
1848  if (!rdp_finalize_reset_flags(rdp, FALSE))
1849  return FALSE;
1850  return rdp_server_transition_to_state(rdp, CONNECTION_STATE_FINALIZATION_SYNC);
1851 }
1852 
1853 BOOL rdp_server_accept_confirm_active(rdpRdp* rdp, wStream* s, UINT16 pduLength)
1854 {
1855  WINPR_ASSERT(rdp);
1856  WINPR_ASSERT(rdp->context);
1857  WINPR_ASSERT(rdp->settings);
1858  WINPR_ASSERT(s);
1859 
1860  freerdp_peer* peer = rdp->context->peer;
1861  WINPR_ASSERT(peer);
1862 
1863  if (rdp_get_state(rdp) != CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE)
1864  {
1865  if (freerdp_settings_get_bool(rdp->settings, FreeRDP_TransportDumpReplay))
1866  rdp_finalize_set_flag(rdp, FINALIZE_DEACTIVATE_REACTIVATE);
1867  else
1868  {
1869  WLog_WARN(TAG, "Invalid state, got %s, expected %s", rdp_get_state_string(rdp),
1870  rdp_state_string(CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE));
1871  return FALSE;
1872  }
1873  }
1874 
1875  if (!rdp_recv_confirm_active(rdp, s, pduLength))
1876  return FALSE;
1877 
1878  if (peer->ClientCapabilities && !peer->ClientCapabilities(peer))
1879  {
1880  WLog_WARN(TAG, "peer->ClientCapabilities failed");
1881  return FALSE;
1882  }
1883 
1884  if (rdp->settings->SaltedChecksum)
1885  rdp->do_secure_checksum = TRUE;
1886 
1887  return rdp_server_send_sync(rdp);
1888 }
1889 
1890 BOOL rdp_server_reactivate(rdpRdp* rdp)
1891 {
1892  freerdp_peer* client = NULL;
1893 
1894  if (rdp->context && rdp->context->peer)
1895  client = rdp->context->peer;
1896 
1897  if (client)
1898  client->activated = FALSE;
1899 
1900  if (!rdp_send_deactivate_all(rdp))
1901  return FALSE;
1902 
1903  rdp_finalize_set_flag(rdp, FINALIZE_DEACTIVATE_REACTIVATE);
1904  if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE))
1905  return FALSE;
1906 
1907  state_run_t rc = rdp_peer_handle_state_demand_active(client);
1908  return state_run_success(rc);
1909 }
1910 
1911 static BOOL rdp_is_active_peer_state(CONNECTION_STATE state)
1912 {
1913  /* [MS-RDPBCGR] 1.3.1.1 Connection Sequence states:
1914  * 'upon receipt of the Font List PDU the server can start sending graphics
1915  * output to the client'
1916  */
1917  switch (state)
1918  {
1919  case CONNECTION_STATE_FINALIZATION_CLIENT_SYNC:
1920  case CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE:
1921  case CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL:
1922  case CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP:
1923  case CONNECTION_STATE_ACTIVE:
1924  return TRUE;
1925  default:
1926  return FALSE;
1927  }
1928 }
1929 
1930 static BOOL rdp_is_active_client_state(CONNECTION_STATE state)
1931 {
1932  /* [MS-RDPBCGR] 1.3.1.1 Connection Sequence states:
1933  * 'Once the client has sent the Confirm Active PDU, it can start sending
1934  * mouse and keyboard input to the server'
1935  */
1936  switch (state)
1937  {
1938  case CONNECTION_STATE_FINALIZATION_SYNC:
1939  case CONNECTION_STATE_FINALIZATION_COOPERATE:
1940  case CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL:
1941  case CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST:
1942  case CONNECTION_STATE_FINALIZATION_FONT_LIST:
1943  case CONNECTION_STATE_FINALIZATION_CLIENT_SYNC:
1944  case CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE:
1945  case CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL:
1946  case CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP:
1947  case CONNECTION_STATE_ACTIVE:
1948  return TRUE;
1949  default:
1950  return FALSE;
1951  }
1952 }
1953 
1954 BOOL rdp_is_active_state(const rdpRdp* rdp)
1955 {
1956  WINPR_ASSERT(rdp);
1957  WINPR_ASSERT(rdp->context);
1958 
1959  const CONNECTION_STATE state = rdp_get_state(rdp);
1960  if (freerdp_settings_get_bool(rdp->context->settings, FreeRDP_ServerMode))
1961  return rdp_is_active_peer_state(state);
1962  else
1963  return rdp_is_active_client_state(state);
1964 }
1965 
1966 BOOL rdp_server_transition_to_state(rdpRdp* rdp, CONNECTION_STATE state)
1967 {
1968  BOOL status = FALSE;
1969  freerdp_peer* client = NULL;
1970  const CONNECTION_STATE cstate = rdp_get_state(rdp);
1971 
1972  if (cstate >= CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT)
1973  {
1974  WINPR_ASSERT(rdp->context);
1975  client = rdp->context->peer;
1976  }
1977 
1978  if (!rdp_is_active_peer_state(cstate))
1979  {
1980  if (client)
1981  client->activated = FALSE;
1982  }
1983 
1984  WLog_Print(rdp->log, WLOG_DEBUG, "%s --> %s", rdp_get_state_string(rdp),
1985  rdp_state_string(state));
1986  if (!rdp_set_state(rdp, state))
1987  goto fail;
1988 
1989  status = TRUE;
1990 fail:
1991  return status;
1992 }
1993 
1994 const char* rdp_client_connection_state_string(int state)
1995 {
1996  switch (state)
1997  {
1998  case CLIENT_STATE_INITIAL:
1999  return "CLIENT_STATE_INITIAL";
2000  case CLIENT_STATE_PRECONNECT_PASSED:
2001  return "CLIENT_STATE_PRECONNECT_PASSED";
2002  case CLIENT_STATE_POSTCONNECT_PASSED:
2003  return "CLIENT_STATE_POSTCONNECT_PASSED";
2004  default:
2005  return "UNKNOWN";
2006  }
2007 }
2008 
2009 const char* rdp_state_string(CONNECTION_STATE state)
2010 {
2011  switch (state)
2012  {
2013  case CONNECTION_STATE_INITIAL:
2014  return "CONNECTION_STATE_INITIAL";
2015  case CONNECTION_STATE_NEGO:
2016  return "CONNECTION_STATE_NEGO";
2017  case CONNECTION_STATE_NLA:
2018  return "CONNECTION_STATE_NLA";
2019  case CONNECTION_STATE_AAD:
2020  return "CONNECTION_STATE_AAD";
2021  case CONNECTION_STATE_MCS_CREATE_REQUEST:
2022  return "CONNECTION_STATE_MCS_CREATE_REQUEST";
2023  case CONNECTION_STATE_MCS_CREATE_RESPONSE:
2024  return "CONNECTION_STATE_MCS_CREATE_RESPONSE";
2025  case CONNECTION_STATE_MCS_ERECT_DOMAIN:
2026  return "CONNECTION_STATE_MCS_ERECT_DOMAIN";
2027  case CONNECTION_STATE_MCS_ATTACH_USER:
2028  return "CONNECTION_STATE_MCS_ATTACH_USER";
2029  case CONNECTION_STATE_MCS_ATTACH_USER_CONFIRM:
2030  return "CONNECTION_STATE_MCS_ATTACH_USER_CONFIRM";
2031  case CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST:
2032  return "CONNECTION_STATE_MCS_CHANNEL_JOIN_REQUEST";
2033  case CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE:
2034  return "CONNECTION_STATE_MCS_CHANNEL_JOIN_RESPONSE";
2035  case CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT:
2036  return "CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT";
2037  case CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE:
2038  return "CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE";
2039  case CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_REQUEST:
2040  return "CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_REQUEST";
2041  case CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_RESPONSE:
2042  return "CONNECTION_STATE_CONNECT_TIME_AUTO_DETECT_RESPONSE";
2043  case CONNECTION_STATE_LICENSING:
2044  return "CONNECTION_STATE_LICENSING";
2045  case CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_REQUEST:
2046  return "CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_REQUEST";
2047  case CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_RESPONSE:
2048  return "CONNECTION_STATE_MULTITRANSPORT_BOOTSTRAPPING_RESPONSE";
2049  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE:
2050  return "CONNECTION_STATE_CAPABILITIES_EXCHANGE_DEMAND_ACTIVE";
2051  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT:
2052  return "CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT";
2053  case CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE:
2054  return "CONNECTION_STATE_CAPABILITIES_EXCHANGE_CONFIRM_ACTIVE";
2055  case CONNECTION_STATE_FINALIZATION_SYNC:
2056  return "CONNECTION_STATE_FINALIZATION_SYNC";
2057  case CONNECTION_STATE_FINALIZATION_COOPERATE:
2058  return "CONNECTION_STATE_FINALIZATION_COOPERATE";
2059  case CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL:
2060  return "CONNECTION_STATE_FINALIZATION_REQUEST_CONTROL";
2061  case CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST:
2062  return "CONNECTION_STATE_FINALIZATION_PERSISTENT_KEY_LIST";
2063  case CONNECTION_STATE_FINALIZATION_FONT_LIST:
2064  return "CONNECTION_STATE_FINALIZATION_FONT_LIST";
2065  case CONNECTION_STATE_FINALIZATION_CLIENT_SYNC:
2066  return "CONNECTION_STATE_FINALIZATION_CLIENT_SYNC";
2067  case CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE:
2068  return "CONNECTION_STATE_FINALIZATION_CLIENT_COOPERATE";
2069  case CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL:
2070  return "CONNECTION_STATE_FINALIZATION_CLIENT_GRANTED_CONTROL";
2071  case CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP:
2072  return "CONNECTION_STATE_FINALIZATION_CLIENT_FONT_MAP";
2073  case CONNECTION_STATE_ACTIVE:
2074  return "CONNECTION_STATE_ACTIVE";
2075  default:
2076  return "UNKNOWN";
2077  }
2078 }
2079 
2080 CONNECTION_STATE rdp_get_state(const rdpRdp* rdp)
2081 {
2082  WINPR_ASSERT(rdp);
2083  return rdp->state;
2084 }
2085 
2086 BOOL rdp_set_state(rdpRdp* rdp, CONNECTION_STATE state)
2087 {
2088  WINPR_ASSERT(rdp);
2089  rdp->state = state;
2090  return TRUE;
2091 }
2092 
2093 const char* rdp_get_state_string(const rdpRdp* rdp)
2094 {
2095  CONNECTION_STATE state = rdp_get_state(rdp);
2096  return rdp_state_string(state);
2097 }
2098 
2099 BOOL rdp_channels_from_mcs(rdpSettings* settings, const rdpRdp* rdp)
2100 {
2101  const rdpMcs* mcs = NULL;
2102 
2103  WINPR_ASSERT(rdp);
2104 
2105  mcs = rdp->mcs;
2106  WINPR_ASSERT(mcs);
2107 
2108  if (!freerdp_settings_set_pointer_len(settings, FreeRDP_ChannelDefArray, NULL,
2109  CHANNEL_MAX_COUNT))
2110  return FALSE;
2111 
2112  for (UINT32 x = 0; x < mcs->channelCount; x++)
2113  {
2114  const rdpMcsChannel* mchannel = &mcs->channels[x];
2115  CHANNEL_DEF cur = { 0 };
2116 
2117  memcpy(cur.name, mchannel->Name, sizeof(cur.name));
2118  cur.options = mchannel->options;
2119  if (!freerdp_settings_set_pointer_array(settings, FreeRDP_ChannelDefArray, x, &cur))
2120  return FALSE;
2121  }
2122 
2123  return freerdp_settings_set_uint32(settings, FreeRDP_ChannelCount, mcs->channelCount);
2124 }
2125 
2126 /* Here we are in client state CONFIRM_ACTIVE.
2127  *
2128  * This means:
2129  * 1. send the CONFIRM_ACTIVE PDU to the server
2130  * 2. register callbacks, the server can now start sending stuff
2131  */
2132 state_run_t rdp_client_connect_confirm_active(rdpRdp* rdp, wStream* s)
2133 {
2134  WINPR_ASSERT(rdp);
2135  WINPR_ASSERT(rdp->settings);
2136  WINPR_ASSERT(s);
2137 
2138  const UINT32 width = rdp->settings->DesktopWidth;
2139  const UINT32 height = rdp->settings->DesktopHeight;
2140 
2141  if (!rdp_send_confirm_active(rdp))
2142  return STATE_RUN_FAILED;
2143 
2144  if (!input_register_client_callbacks(rdp->input))
2145  {
2146  WLog_ERR(TAG, "error registering client callbacks");
2147  return STATE_RUN_FAILED;
2148  }
2149 
2154  const BOOL deactivate_reactivate =
2155  rdp->was_deactivated && ((rdp->deactivated_width != rdp->settings->DesktopWidth) ||
2156  (rdp->deactivated_height != rdp->settings->DesktopHeight));
2157  const BOOL resolution_change =
2158  ((width != rdp->settings->DesktopWidth) || (height != rdp->settings->DesktopHeight));
2159  if (deactivate_reactivate || resolution_change)
2160  {
2161  BOOL status = TRUE;
2162  IFCALLRET(rdp->update->DesktopResize, status, rdp->update->context);
2163 
2164  if (!status)
2165  {
2166  WLog_ERR(TAG, "client desktop resize callback failed");
2167  return STATE_RUN_FAILED;
2168  }
2169  }
2170 
2171  WINPR_ASSERT(rdp->context);
2172  if (freerdp_shall_disconnect_context(rdp->context))
2173  return STATE_RUN_SUCCESS;
2174 
2175  state_run_t status = STATE_RUN_SUCCESS;
2176  if (!rdp->settings->SupportMonitorLayoutPdu)
2177  status = rdp_client_connect_finalize(rdp);
2178  else
2179  {
2180  if (!rdp_client_transition_to_state(rdp,
2181  CONNECTION_STATE_CAPABILITIES_EXCHANGE_MONITOR_LAYOUT))
2182  status = STATE_RUN_FAILED;
2183  }
2184  if (!rdp_finalize_reset_flags(rdp, FALSE))
2185  status = STATE_RUN_FAILED;
2186  return status;
2187 }
2188 
2189 BOOL rdp_handle_optional_rdp_decryption(rdpRdp* rdp, wStream* s, UINT16* length,
2190  UINT16* pSecurityFlags)
2191 {
2192  BOOL rc = FALSE;
2193  WINPR_ASSERT(rdp);
2194  WINPR_ASSERT(rdp->settings);
2195 
2196  UINT16 securityFlags = 0;
2197  if (rdp->settings->UseRdpSecurityLayer)
2198  {
2199  if (!rdp_read_security_header(rdp, s, &securityFlags, length))
2200  goto fail;
2201 
2202  if (securityFlags & SEC_ENCRYPT)
2203  {
2204  if (!rdp_decrypt(rdp, s, length, securityFlags))
2205  goto fail;
2206  }
2207  }
2208 
2209  rc = TRUE;
2210 
2211 fail:
2212  if (pSecurityFlags)
2213  *pSecurityFlags = securityFlags;
2214  return rc;
2215 }
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
Definition: settings_getters.c:1613
freerdp_settings_set_string
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
Definition: settings_getters.c:3616
freerdp_settings_get_bool
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
Definition: settings_getters.c:54
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition: common/settings.c:1321
freerdp_settings_get_string
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.
Definition: settings_getters.c:2672
freerdp_settings_set_pointer_len
FREERDP_API BOOL freerdp_settings_set_pointer_len(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data, size_t len)
Set a pointer to value data.
Definition: common/settings.c:1333
freerdp_settings_get_codecs_flags
FREERDP_API UINT32 freerdp_settings_get_codecs_flags(const rdpSettings *settings)
helper function to get a mask of supported codec flags.
Definition: common/settings.c:1837
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.
Definition: settings_getters.c:2006
freerdp_settings_get_pointer_writable
FREERDP_API void * freerdp_settings_get_pointer_writable(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a mutable pointer settings value.
Definition: settings_getters.c:3949
ADDIN_ARGV
Definition: settings_types.h:362
CHANNEL_DEF
Definition: wtsapi.h:78