nego.c

 
#include <freerdp/config.h>
 
#include <winpr/crt.h>
#include <winpr/assert.h>
#include <winpr/stream.h>
 
#include <freerdp/log.h>
 
#include "tpkt.h"
 
#include "nego.h"
#include "aad.h"
 
#include "transport.h"
 
#define TAG FREERDP_TAG("core.nego")
 
struct rdp_nego
{
  UINT16 port;
  UINT32 flags;
  const char* hostname;
  char* cookie;
  BYTE* RoutingToken;
  DWORD RoutingTokenLength;
  BOOL SendPreconnectionPdu;
  UINT32 PreconnectionId;
  const char* PreconnectionBlob;
 
  NEGO_STATE state;
  BOOL TcpConnected;
  BOOL SecurityConnected;
  UINT32 CookieMaxLength;
 
  BOOL sendNegoData;
  UINT32 SelectedProtocol;
  UINT32 RequestedProtocols;
  BOOL NegotiateSecurityLayer;
  BOOL EnabledProtocols[32];
  BOOL RestrictedAdminModeRequired;
  BOOL RemoteCredsGuardRequired;
  BOOL RemoteCredsGuardActive;
  BOOL RemoteCredsGuardSupported;
  BOOL GatewayEnabled;
  BOOL GatewayBypassLocal;
  BOOL ConnectChildSession;
 
  rdpTransport* transport;
};
 
static const char* nego_state_string(NEGO_STATE state)
{
  static const char* const NEGO_STATE_STRINGS[] = { "NEGO_STATE_INITIAL", "NEGO_STATE_RDSTLS",
                                                  "NEGO_STATE_AAD",     "NEGO_STATE_EXT",
                                                  "NEGO_STATE_NLA",     "NEGO_STATE_TLS",
                                                  "NEGO_STATE_RDP",     "NEGO_STATE_FAIL",
                                                  "NEGO_STATE_FINAL",   "NEGO_STATE_INVALID" };
  if (state >= ARRAYSIZE(NEGO_STATE_STRINGS))
    return NEGO_STATE_STRINGS[ARRAYSIZE(NEGO_STATE_STRINGS) - 1];
  return NEGO_STATE_STRINGS[state];
}
 
static BOOL nego_tcp_connect(rdpNego* nego);
static BOOL nego_transport_connect(rdpNego* nego);
static BOOL nego_transport_disconnect(rdpNego* nego);
static BOOL nego_security_connect(rdpNego* nego);
static BOOL nego_send_preconnection_pdu(rdpNego* nego);
static BOOL nego_recv_response(rdpNego* nego);
static void nego_send(rdpNego* nego);
static BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s);
static BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s);
static BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s);
 
BOOL nego_update_settings_from_state(rdpNego* nego, rdpSettings* settings)
{
  WINPR_ASSERT(nego);
 
  /* update settings with negotiated protocol security */
  return freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
                                     nego->RequestedProtocols) &&
         freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
                                     nego->SelectedProtocol) &&
         freerdp_settings_set_uint32(settings, FreeRDP_NegotiationFlags, nego->flags);
}
 
BOOL nego_connect(rdpNego* nego)
{
  rdpContext* context = NULL;
  rdpSettings* settings = NULL;
  WINPR_ASSERT(nego);
  context = transport_get_context(nego->transport);
  WINPR_ASSERT(context);
  settings = context->settings;
  WINPR_ASSERT(settings);
 
  if (nego_get_state(nego) == NEGO_STATE_INITIAL)
  {
    if (nego->EnabledProtocols[PROTOCOL_RDSAAD])
    {
      nego_set_state(nego, NEGO_STATE_AAD);
    }
    else if (nego->EnabledProtocols[PROTOCOL_RDSTLS])
    {
      nego_set_state(nego, NEGO_STATE_RDSTLS);
    }
    else if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
    {
      nego_set_state(nego, NEGO_STATE_EXT);
    }
    else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
    {
      nego_set_state(nego, NEGO_STATE_NLA);
    }
    else if (nego->EnabledProtocols[PROTOCOL_SSL])
    {
      nego_set_state(nego, NEGO_STATE_TLS);
    }
    else if (nego->EnabledProtocols[PROTOCOL_RDP])
    {
      nego_set_state(nego, NEGO_STATE_RDP);
    }
    else
    {
      WLog_ERR(TAG, "No security protocol is enabled");
      nego_set_state(nego, NEGO_STATE_FAIL);
      return FALSE;
    }
 
    if (!nego->NegotiateSecurityLayer)
    {
      WLog_DBG(TAG, "Security Layer Negotiation is disabled");
      /* attempt only the highest enabled protocol (see nego_attempt_*) */
      nego->EnabledProtocols[PROTOCOL_RDSAAD] = FALSE;
      nego->EnabledProtocols[PROTOCOL_HYBRID] = FALSE;
      nego->EnabledProtocols[PROTOCOL_SSL] = FALSE;
      nego->EnabledProtocols[PROTOCOL_RDP] = FALSE;
      nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = FALSE;
      nego->EnabledProtocols[PROTOCOL_RDSTLS] = FALSE;
 
      UINT32 SelectedProtocol = 0;
      switch (nego_get_state(nego))
      {
        case NEGO_STATE_AAD:
          nego->EnabledProtocols[PROTOCOL_RDSAAD] = TRUE;
          SelectedProtocol = PROTOCOL_RDSAAD;
          break;
        case NEGO_STATE_RDSTLS:
          nego->EnabledProtocols[PROTOCOL_RDSTLS] = TRUE;
          SelectedProtocol = PROTOCOL_RDSTLS;
          break;
        case NEGO_STATE_EXT:
          nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = TRUE;
          nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
          SelectedProtocol = PROTOCOL_HYBRID_EX;
          break;
        case NEGO_STATE_NLA:
          nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
          SelectedProtocol = PROTOCOL_HYBRID;
          break;
        case NEGO_STATE_TLS:
          nego->EnabledProtocols[PROTOCOL_SSL] = TRUE;
          SelectedProtocol = PROTOCOL_SSL;
          break;
        case NEGO_STATE_RDP:
          nego->EnabledProtocols[PROTOCOL_RDP] = TRUE;
          SelectedProtocol = PROTOCOL_RDP;
          break;
        default:
          WLog_ERR(TAG, "Invalid NEGO state 0x%08" PRIx32, nego_get_state(nego));
          return FALSE;
      }
      if (!nego_set_selected_protocol(nego, SelectedProtocol))
        return FALSE;
    }
 
    if (!nego_tcp_connect(nego))
    {
      WLog_ERR(TAG, "Failed to connect");
      return FALSE;
    }
 
    if (nego->SendPreconnectionPdu)
    {
      if (!nego_send_preconnection_pdu(nego))
      {
        WLog_ERR(TAG, "Failed to send preconnection pdu");
        nego_set_state(nego, NEGO_STATE_FINAL);
        return FALSE;
      }
    }
  }
 
  if (!nego->NegotiateSecurityLayer)
  {
    nego_set_state(nego, NEGO_STATE_FINAL);
  }
  else
  {
    do
    {
      WLog_DBG(TAG, "state: %s", nego_state_string(nego_get_state(nego)));
      nego_send(nego);
 
      if (nego_get_state(nego) == NEGO_STATE_FAIL)
      {
        if (freerdp_get_last_error(transport_get_context(nego->transport)) ==
            FREERDP_ERROR_SUCCESS)
          WLog_ERR(TAG, "Protocol Security Negotiation Failure");
 
        nego_set_state(nego, NEGO_STATE_FINAL);
        return FALSE;
      }
    } while (nego_get_state(nego) != NEGO_STATE_FINAL);
  }
 
  {
    char buffer[64] = { 0 };
    WLog_DBG(TAG, "Negotiated %s security",
             nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
  }
 
  /* update settings with negotiated protocol security */
  if (!nego_update_settings_from_state(nego, settings))
    return FALSE;
 
  if (nego->SelectedProtocol == PROTOCOL_RDP)
  {
    if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
      return FALSE;
 
    if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionMethods) == 0)
    {
      if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionMethods,
                                       ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT |
                                           ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS))
        return FALSE;
    }
  }
 
  /* finally connect security layer (if not already done) */
  if (!nego_security_connect(nego))
  {
    char buffer[64] = { 0 };
    WLog_DBG(TAG, "Failed to connect with %s security",
             nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
    return FALSE;
  }
 
  return TRUE;
}
 
BOOL nego_disconnect(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego_set_state(nego, NEGO_STATE_INITIAL);
  return nego_transport_disconnect(nego);
}
 
static BOOL nego_try_connect(rdpNego* nego)
{
  WINPR_ASSERT(nego);
 
  switch (nego->SelectedProtocol)
  {
    case PROTOCOL_RDSAAD:
      WLog_DBG(TAG, "nego_security_connect with PROTOCOL_RDSAAD");
      nego->SecurityConnected = transport_connect_aad(nego->transport);
      break;
    case PROTOCOL_RDSTLS:
      WLog_DBG(TAG, "nego_security_connect with PROTOCOL_RDSTLS");
      nego->SecurityConnected = transport_connect_rdstls(nego->transport);
      break;
    case PROTOCOL_HYBRID:
      WLog_DBG(TAG, "nego_security_connect with PROTOCOL_HYBRID");
      nego->SecurityConnected = transport_connect_nla(nego->transport, FALSE);
      break;
    case PROTOCOL_HYBRID_EX:
      WLog_DBG(TAG, "nego_security_connect with PROTOCOL_HYBRID_EX");
      nego->SecurityConnected = transport_connect_nla(nego->transport, TRUE);
      break;
    case PROTOCOL_SSL:
      WLog_DBG(TAG, "nego_security_connect with PROTOCOL_SSL");
      nego->SecurityConnected = transport_connect_tls(nego->transport);
      break;
    case PROTOCOL_RDP:
      WLog_DBG(TAG, "nego_security_connect with PROTOCOL_RDP");
      nego->SecurityConnected = transport_connect_rdp(nego->transport);
      break;
    default:
      WLog_ERR(TAG,
               "cannot connect security layer because no protocol has been selected yet.");
      return FALSE;
  }
  return nego->SecurityConnected;
}
 
/* connect to selected security layer */
BOOL nego_security_connect(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  if (!nego->TcpConnected)
  {
    nego->SecurityConnected = FALSE;
  }
  else if (!nego->SecurityConnected)
  {
    if (!nego_try_connect(nego))
      return FALSE;
  }
 
  return nego->SecurityConnected;
}
 
static BOOL nego_tcp_connect(rdpNego* nego)
{
  rdpContext* context = NULL;
  WINPR_ASSERT(nego);
  if (!nego->TcpConnected)
  {
    UINT32 TcpConnectTimeout = 0;
 
    context = transport_get_context(nego->transport);
    WINPR_ASSERT(context);
 
    TcpConnectTimeout =
        freerdp_settings_get_uint32(context->settings, FreeRDP_TcpConnectTimeout);
 
    if (nego->GatewayEnabled)
    {
      if (nego->GatewayBypassLocal)
      {
        /* Attempt a direct connection first, and then fallback to using the gateway */
        WLog_INFO(TAG,
                  "Detecting if host can be reached locally. - This might take some time.");
        WLog_INFO(TAG, "To disable auto detection use /gateway-usage-method:direct");
        transport_set_gateway_enabled(nego->transport, FALSE);
        nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
                                               TcpConnectTimeout);
      }
 
      if (!nego->TcpConnected)
      {
        transport_set_gateway_enabled(nego->transport, TRUE);
        nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
                                               TcpConnectTimeout);
      }
    }
    else if (nego->ConnectChildSession)
    {
      nego->TcpConnected = transport_connect_childsession(nego->transport);
    }
    else
    {
      nego->TcpConnected =
          transport_connect(nego->transport, nego->hostname, nego->port, TcpConnectTimeout);
    }
  }
 
  return nego->TcpConnected;
}
 
BOOL nego_transport_connect(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  if (!nego_tcp_connect(nego))
    return FALSE;
 
  if (nego->TcpConnected && !nego->NegotiateSecurityLayer)
    return nego_security_connect(nego);
 
  return nego->TcpConnected;
}
 
BOOL nego_transport_disconnect(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  if (nego->TcpConnected)
    transport_disconnect(nego->transport);
 
  nego->TcpConnected = FALSE;
  nego->SecurityConnected = FALSE;
  return TRUE;
}
 
BOOL nego_send_preconnection_pdu(rdpNego* nego)
{
  wStream* s = NULL;
  UINT32 cbSize = 0;
  UINT16 cchPCB = 0;
  WCHAR* wszPCB = NULL;
 
  WINPR_ASSERT(nego);
 
  WLog_DBG(TAG, "Sending preconnection PDU");
 
  if (!nego_tcp_connect(nego))
    return FALSE;
 
  /* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
  cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
 
  if (nego->PreconnectionBlob)
  {
    size_t len = 0;
    wszPCB = ConvertUtf8ToWCharAlloc(nego->PreconnectionBlob, &len);
    if (len > UINT16_MAX - 1)
    {
      free(wszPCB);
      return FALSE;
    }
    cchPCB = (UINT16)len;
    cchPCB += 1; /* zero-termination */
    cbSize += cchPCB * sizeof(WCHAR);
  }
 
  s = Stream_New(NULL, cbSize);
 
  if (!s)
  {
    free(wszPCB);
    WLog_ERR(TAG, "Stream_New failed!");
    return FALSE;
  }
 
  Stream_Write_UINT32(s, cbSize);                /* cbSize */
  Stream_Write_UINT32(s, 0);                     /* Flags */
  Stream_Write_UINT32(s, PRECONNECTION_PDU_V2);  /* Version */
  Stream_Write_UINT32(s, nego->PreconnectionId); /* Id */
  Stream_Write_UINT16(s, cchPCB);                /* cchPCB */
 
  if (wszPCB)
  {
    Stream_Write(s, wszPCB, cchPCB * sizeof(WCHAR)); /* wszPCB */
    free(wszPCB);
  }
 
  Stream_SealLength(s);
 
  if (transport_write(nego->transport, s) < 0)
  {
    Stream_Free(s, TRUE);
    return FALSE;
  }
 
  Stream_Free(s, TRUE);
  return TRUE;
}
 
static void nego_attempt_rdstls(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego->RequestedProtocols = PROTOCOL_RDSTLS | PROTOCOL_SSL;
  WLog_DBG(TAG, "Attempting RDSTLS security");
 
  if (!nego_transport_connect(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_send_negotiation_request(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_recv_response(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  WLog_DBG(TAG, "state: %s", nego_state_string(nego_get_state(nego)));
 
  if (nego_get_state(nego) != NEGO_STATE_FINAL)
  {
    nego_transport_disconnect(nego);
 
    if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
      nego_set_state(nego, NEGO_STATE_EXT);
    else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
      nego_set_state(nego, NEGO_STATE_NLA);
    else if (nego->EnabledProtocols[PROTOCOL_SSL])
      nego_set_state(nego, NEGO_STATE_TLS);
    else if (nego->EnabledProtocols[PROTOCOL_RDP])
      nego_set_state(nego, NEGO_STATE_RDP);
    else
      nego_set_state(nego, NEGO_STATE_FAIL);
  }
}
 
static void nego_attempt_rdsaad(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego->RequestedProtocols = PROTOCOL_RDSAAD;
  WLog_DBG(TAG, "Attempting RDS AAD Auth security");
 
  if (!nego_transport_connect(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_send_negotiation_request(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_recv_response(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  WLog_DBG(TAG, "state: %s", nego_state_string(nego_get_state(nego)));
 
  if (nego_get_state(nego) != NEGO_STATE_FINAL)
  {
    nego_transport_disconnect(nego);
 
    if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
      nego_set_state(nego, NEGO_STATE_EXT);
    else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
      nego_set_state(nego, NEGO_STATE_NLA);
    else if (nego->EnabledProtocols[PROTOCOL_SSL])
      nego_set_state(nego, NEGO_STATE_TLS);
    else if (nego->EnabledProtocols[PROTOCOL_RDP])
      nego_set_state(nego, NEGO_STATE_RDP);
    else
      nego_set_state(nego, NEGO_STATE_FAIL);
  }
}
 
static void nego_attempt_ext(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL | PROTOCOL_HYBRID_EX;
  WLog_DBG(TAG, "Attempting NLA extended security");
 
  if (!nego_transport_connect(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_send_negotiation_request(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_recv_response(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  WLog_DBG(TAG, "state: %s", nego_state_string(nego_get_state(nego)));
 
  if (nego_get_state(nego) != NEGO_STATE_FINAL)
  {
    nego_transport_disconnect(nego);
 
    if (nego->EnabledProtocols[PROTOCOL_HYBRID])
      nego_set_state(nego, NEGO_STATE_NLA);
    else if (nego->EnabledProtocols[PROTOCOL_SSL])
      nego_set_state(nego, NEGO_STATE_TLS);
    else if (nego->EnabledProtocols[PROTOCOL_RDP])
      nego_set_state(nego, NEGO_STATE_RDP);
    else
      nego_set_state(nego, NEGO_STATE_FAIL);
  }
}
 
static void nego_attempt_nla(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL;
  WLog_DBG(TAG, "Attempting NLA security");
 
  if (!nego_transport_connect(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_send_negotiation_request(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_recv_response(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  WLog_DBG(TAG, "state: %s", nego_state_string(nego_get_state(nego)));
 
  if (nego_get_state(nego) != NEGO_STATE_FINAL)
  {
    nego_transport_disconnect(nego);
 
    if (nego->EnabledProtocols[PROTOCOL_SSL])
      nego_set_state(nego, NEGO_STATE_TLS);
    else if (nego->EnabledProtocols[PROTOCOL_RDP])
      nego_set_state(nego, NEGO_STATE_RDP);
    else
      nego_set_state(nego, NEGO_STATE_FAIL);
  }
}
 
static void nego_attempt_tls(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego->RequestedProtocols = PROTOCOL_SSL;
  WLog_DBG(TAG, "Attempting TLS security");
 
  if (!nego_transport_connect(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_send_negotiation_request(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_recv_response(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (nego_get_state(nego) != NEGO_STATE_FINAL)
  {
    nego_transport_disconnect(nego);
 
    if (nego->EnabledProtocols[PROTOCOL_RDP])
      nego_set_state(nego, NEGO_STATE_RDP);
    else
      nego_set_state(nego, NEGO_STATE_FAIL);
  }
}
 
static void nego_attempt_rdp(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego->RequestedProtocols = PROTOCOL_RDP;
  WLog_DBG(TAG, "Attempting RDP security");
 
  if (!nego_transport_connect(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_send_negotiation_request(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
 
  if (!nego_recv_response(nego))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return;
  }
}
 
BOOL nego_recv_response(rdpNego* nego)
{
  int status = 0;
  wStream* s = NULL;
 
  WINPR_ASSERT(nego);
  s = Stream_New(NULL, 1024);
 
  if (!s)
  {
    WLog_ERR(TAG, "Stream_New failed!");
    return FALSE;
  }
 
  status = transport_read_pdu(nego->transport, s);
 
  if (status < 0)
  {
    Stream_Free(s, TRUE);
    return FALSE;
  }
 
  status = nego_recv(nego->transport, s, nego);
  Stream_Free(s, TRUE);
 
  if (status < 0)
    return FALSE;
 
  return TRUE;
}
 
int nego_recv(rdpTransport* transport, wStream* s, void* extra)
{
  BYTE li = 0;
  BYTE type = 0;
  UINT16 length = 0;
  rdpNego* nego = (rdpNego*)extra;
 
  WINPR_ASSERT(nego);
  if (!tpkt_read_header(s, &length))
    return -1;
 
  if (!tpdu_read_connection_confirm(s, &li, length))
    return -1;
 
  if (li > 6)
  {
    /* rdpNegData (optional) */
    Stream_Read_UINT8(s, type); /* Type */
 
    switch (type)
    {
      case TYPE_RDP_NEG_RSP:
        if (!nego_process_negotiation_response(nego, s))
          return -1;
        {
          char buffer[64] = { 0 };
          WLog_DBG(TAG, "selected_protocol: %s",
                   nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
        }
 
        /* enhanced security selected ? */
 
        if (nego->SelectedProtocol)
        {
          if ((nego->SelectedProtocol == PROTOCOL_RDSAAD) &&
              (!nego->EnabledProtocols[PROTOCOL_RDSAAD]))
          {
            nego_set_state(nego, NEGO_STATE_FAIL);
          }
          if ((nego->SelectedProtocol == PROTOCOL_HYBRID) &&
              (!nego->EnabledProtocols[PROTOCOL_HYBRID]))
          {
            nego_set_state(nego, NEGO_STATE_FAIL);
          }
 
          if ((nego->SelectedProtocol == PROTOCOL_SSL) &&
              (!nego->EnabledProtocols[PROTOCOL_SSL]))
          {
            nego_set_state(nego, NEGO_STATE_FAIL);
          }
        }
        else if (!nego->EnabledProtocols[PROTOCOL_RDP])
        {
          nego_set_state(nego, NEGO_STATE_FAIL);
        }
 
        break;
 
      case TYPE_RDP_NEG_FAILURE:
        if (!nego_process_negotiation_failure(nego, s))
          return -1;
        break;
      default:
        return -1;
    }
  }
  else if (li == 6)
  {
    WLog_DBG(TAG, "no rdpNegData");
 
    if (!nego->EnabledProtocols[PROTOCOL_RDP])
      nego_set_state(nego, NEGO_STATE_FAIL);
    else
      nego_set_state(nego, NEGO_STATE_FINAL);
  }
  else
  {
    WLog_ERR(TAG, "invalid negotiation response");
    nego_set_state(nego, NEGO_STATE_FAIL);
  }
 
  if (!tpkt_ensure_stream_consumed(s, length))
    return -1;
  return 0;
}
 
static BOOL nego_read_request_token_or_cookie(rdpNego* nego, wStream* s)
{
  /* routingToken and cookie are optional and mutually exclusive!
   *
   * routingToken (variable): An optional and variable-length routing
   * token (used for load balancing) terminated by a 0x0D0A two-byte
   * sequence: (check [MSFT-SDLBTS] for details!)
   * Cookie:[space]msts=[ip address].[port].[reserved][\x0D\x0A]
   * tsv://MS Terminal Services Plugin.1.[\x0D\x0A]
   *
   * cookie (variable): An optional and variable-length ANSI character
   * string terminated by a 0x0D0A two-byte sequence:
   * Cookie:[space]mstshash=[ANSISTRING][\x0D\x0A]
   */
  UINT16 crlf = 0;
  BOOL result = FALSE;
  BOOL isToken = FALSE;
  size_t remain = Stream_GetRemainingLength(s);
 
  WINPR_ASSERT(nego);
 
  const char* str = Stream_ConstPointer(s);
  const size_t pos = Stream_GetPosition(s);
 
  /* minimum length for token is 15 */
  if (remain < 15)
    return TRUE;
 
  if (memcmp(Stream_ConstPointer(s), "Cookie: mstshash=", 17) != 0)
  {
    if (memcmp(Stream_ConstPointer(s), "Cookie: msts=", 13) != 0)
    {
      if (memcmp(Stream_ConstPointer(s), "tsv:", 4) != 0)
      {
        if (memcmp(Stream_ConstPointer(s), "mth://", 6) != 0)
        {
          /* remaining bytes are neither a token nor a cookie */
          return TRUE;
        }
      }
    }
    isToken = TRUE;
  }
  else
  {
    /* not a token, minimum length for cookie is 19 */
    if (remain < 19)
      return TRUE;
 
    Stream_Seek(s, 17);
  }
 
  while (Stream_GetRemainingLength(s) >= 2)
  {
    Stream_Read_UINT16(s, crlf);
 
    if (crlf == 0x0A0D)
      break;
 
    Stream_Rewind(s, 1);
  }
 
  if (crlf == 0x0A0D)
  {
    Stream_Rewind(s, 2);
    const size_t len = Stream_GetPosition(s) - pos;
    Stream_Write_UINT16(s, 0);
 
    if (len > UINT32_MAX)
      return FALSE;
 
    if (strnlen(str, len) == len)
    {
      if (isToken)
        result = nego_set_routing_token(nego, str, (UINT32)len);
      else
        result = nego_set_cookie(nego, str);
    }
  }
 
  if (!result)
  {
    Stream_SetPosition(s, pos);
    WLog_ERR(TAG, "invalid %s received", isToken ? "routing token" : "cookie");
  }
  else
  {
    WLog_DBG(TAG, "received %s [%s]", isToken ? "routing token" : "cookie", str);
  }
 
  return result;
}
 
BOOL nego_read_request(rdpNego* nego, wStream* s)
{
  BYTE li = 0;
  BYTE type = 0;
  UINT16 length = 0;
 
  WINPR_ASSERT(nego);
  WINPR_ASSERT(s);
 
  if (!tpkt_read_header(s, &length))
    return FALSE;
 
  if (!tpdu_read_connection_request(s, &li, length))
    return FALSE;
 
  if (li != Stream_GetRemainingLength(s) + 6)
  {
    WLog_ERR(TAG, "Incorrect TPDU length indicator.");
    return FALSE;
  }
 
  if (!nego_read_request_token_or_cookie(nego, s))
  {
    WLog_ERR(TAG, "Failed to parse routing token or cookie.");
    return FALSE;
  }
 
  if (Stream_GetRemainingLength(s) >= 8)
  {
    /* rdpNegData (optional) */
    Stream_Read_UINT8(s, type); /* Type */
 
    if (type != TYPE_RDP_NEG_REQ)
    {
      WLog_ERR(TAG, "Incorrect negotiation request type %" PRIu8 "", type);
      return FALSE;
    }
 
    if (!nego_process_negotiation_request(nego, s))
      return FALSE;
  }
 
  return tpkt_ensure_stream_consumed(s, length);
}
 
void nego_send(rdpNego* nego)
{
  WINPR_ASSERT(nego);
 
  switch (nego_get_state(nego))
  {
    case NEGO_STATE_AAD:
      nego_attempt_rdsaad(nego);
      break;
    case NEGO_STATE_RDSTLS:
      nego_attempt_rdstls(nego);
      break;
    case NEGO_STATE_EXT:
      nego_attempt_ext(nego);
      break;
    case NEGO_STATE_NLA:
      nego_attempt_nla(nego);
      break;
    case NEGO_STATE_TLS:
      nego_attempt_tls(nego);
      break;
    case NEGO_STATE_RDP:
      nego_attempt_rdp(nego);
      break;
    default:
      WLog_ERR(TAG, "invalid negotiation state for sending");
      break;
  }
}
 
BOOL nego_send_negotiation_request(rdpNego* nego)
{
  BOOL rc = FALSE;
  wStream* s = NULL;
  size_t length = 0;
  size_t bm = 0;
  size_t em = 0;
  BYTE flags = 0;
  size_t cookie_length = 0;
  s = Stream_New(NULL, 512);
 
  WINPR_ASSERT(nego);
  if (!s)
  {
    WLog_ERR(TAG, "Stream_New failed!");
    return FALSE;
  }
 
  length = TPDU_CONNECTION_REQUEST_LENGTH;
  bm = Stream_GetPosition(s);
  Stream_Seek(s, length);
 
  if (nego->RoutingToken)
  {
    Stream_Write(s, nego->RoutingToken, nego->RoutingTokenLength);
 
    /* Ensure Routing Token is correctly terminated - may already be present in string */
 
    if ((nego->RoutingTokenLength > 2) &&
        (nego->RoutingToken[nego->RoutingTokenLength - 2] == 0x0D) &&
        (nego->RoutingToken[nego->RoutingTokenLength - 1] == 0x0A))
    {
      WLog_DBG(TAG, "Routing token looks correctly terminated - use verbatim");
      length += nego->RoutingTokenLength;
    }
    else
    {
      WLog_DBG(TAG, "Adding terminating CRLF to routing token");
      Stream_Write_UINT8(s, 0x0D); /* CR */
      Stream_Write_UINT8(s, 0x0A); /* LF */
      length += nego->RoutingTokenLength + 2;
    }
  }
  else if (nego->cookie)
  {
    cookie_length = strlen(nego->cookie);
 
    if (cookie_length > nego->CookieMaxLength)
      cookie_length = nego->CookieMaxLength;
 
    Stream_Write(s, "Cookie: mstshash=", 17);
    Stream_Write(s, (BYTE*)nego->cookie, cookie_length);
    Stream_Write_UINT8(s, 0x0D); /* CR */
    Stream_Write_UINT8(s, 0x0A); /* LF */
    length += cookie_length + 19;
  }
 
  {
    char buffer[64] = { 0 };
    WLog_DBG(TAG, "RequestedProtocols: %s",
             nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
  }
 
  if ((nego->RequestedProtocols > PROTOCOL_RDP) || (nego->sendNegoData))
  {
    /* RDP_NEG_DATA must be present for TLS and NLA */
    if (nego->RestrictedAdminModeRequired)
      flags |= RESTRICTED_ADMIN_MODE_REQUIRED;
 
    if (nego->RemoteCredsGuardRequired)
      flags |= REDIRECTED_AUTHENTICATION_MODE_REQUIRED;
 
    Stream_Write_UINT8(s, TYPE_RDP_NEG_REQ);
    Stream_Write_UINT8(s, flags);
    Stream_Write_UINT16(s, 8);                        /* RDP_NEG_DATA length (8) */
    Stream_Write_UINT32(s, nego->RequestedProtocols); /* requestedProtocols */
    length += 8;
  }
 
  if (length > UINT16_MAX)
    goto fail;
 
  em = Stream_GetPosition(s);
  Stream_SetPosition(s, bm);
  if (!tpkt_write_header(s, (UINT16)length))
    goto fail;
  if (!tpdu_write_connection_request(s, (UINT16)length - 5))
    goto fail;
  Stream_SetPosition(s, em);
  Stream_SealLength(s);
  rc = (transport_write(nego->transport, s) >= 0);
fail:
  Stream_Free(s, TRUE);
  return rc;
}
 
static BOOL nego_process_correlation_info(rdpNego* nego, wStream* s)
{
  UINT8 type = 0;
  UINT8 flags = 0;
  UINT16 length = 0;
  BYTE correlationId[16] = { 0 };
 
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 36))
  {
    WLog_ERR(TAG, "RDP_NEG_REQ::flags CORRELATION_INFO_PRESENT but data is missing");
    return FALSE;
  }
 
  Stream_Read_UINT8(s, type);
  if (type != TYPE_RDP_CORRELATION_INFO)
  {
    WLog_ERR(TAG, "(RDP_NEG_CORRELATION_INFO::type != TYPE_RDP_CORRELATION_INFO");
    return FALSE;
  }
  Stream_Read_UINT8(s, flags);
  if (flags != 0)
  {
    WLog_ERR(TAG, "(RDP_NEG_CORRELATION_INFO::flags != 0");
    return FALSE;
  }
  Stream_Read_UINT16(s, length);
  if (length != 36)
  {
    WLog_ERR(TAG, "(RDP_NEG_CORRELATION_INFO::length != 36");
    return FALSE;
  }
 
  Stream_Read(s, correlationId, sizeof(correlationId));
  if ((correlationId[0] == 0x00) || (correlationId[0] == 0xF4))
  {
    WLog_ERR(TAG, "(RDP_NEG_CORRELATION_INFO::correlationId[0] has invalid value 0x%02" PRIx8,
             correlationId[0]);
    return FALSE;
  }
  for (size_t x = 0; x < ARRAYSIZE(correlationId); x++)
  {
    if (correlationId[x] == 0x0D)
    {
      WLog_ERR(TAG,
               "(RDP_NEG_CORRELATION_INFO::correlationId[%" PRIuz
               "] has invalid value 0x%02" PRIx8,
               x, correlationId[x]);
      return FALSE;
    }
  }
  Stream_Seek(s, 16); /* skip reserved bytes */
 
  WLog_INFO(TAG,
            "RDP_NEG_CORRELATION_INFO::correlationId = { %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
            ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
            ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
            ", %02" PRIx8 " }",
            correlationId[0], correlationId[1], correlationId[2], correlationId[3],
            correlationId[4], correlationId[5], correlationId[6], correlationId[7],
            correlationId[8], correlationId[9], correlationId[10], correlationId[11],
            correlationId[12], correlationId[13], correlationId[14], correlationId[15]);
  return TRUE;
}
 
BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
{
  BYTE flags = 0;
  UINT16 length = 0;
 
  WINPR_ASSERT(nego);
  WINPR_ASSERT(s);
 
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 7))
    return FALSE;
  Stream_Read_UINT8(s, flags);
  if ((flags & ~(RESTRICTED_ADMIN_MODE_REQUIRED | REDIRECTED_AUTHENTICATION_MODE_REQUIRED |
                 CORRELATION_INFO_PRESENT)) != 0)
  {
    WLog_ERR(TAG, "RDP_NEG_REQ::flags invalid value 0x%02" PRIx8, flags);
    return FALSE;
  }
  if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
    WLog_INFO(TAG, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
 
  if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
  {
    if (!nego->RemoteCredsGuardSupported)
    {
      WLog_ERR(TAG,
               "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED but disabled");
      return FALSE;
    }
    else
    {
      WLog_INFO(TAG, "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED");
    }
    nego->RemoteCredsGuardActive = TRUE;
  }
 
  Stream_Read_UINT16(s, length);
  if (length != 8)
  {
    WLog_ERR(TAG, "RDP_NEG_REQ::length != 8");
    return FALSE;
  }
  Stream_Read_UINT32(s, nego->RequestedProtocols);
 
  if (flags & CORRELATION_INFO_PRESENT)
  {
    if (!nego_process_correlation_info(nego, s))
      return FALSE;
  }
 
  {
    char buffer[64] = { 0 };
    WLog_DBG(TAG, "RDP_NEG_REQ: RequestedProtocol: %s",
             nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
  }
  nego_set_state(nego, NEGO_STATE_FINAL);
  return TRUE;
}
 
static const char* nego_rdp_neg_rsp_flags_str(UINT32 flags)
{
  static char buffer[1024] = { 0 };
 
  (void)_snprintf(buffer, ARRAYSIZE(buffer), "[0x%02" PRIx32 "] ", flags);
  if (flags & EXTENDED_CLIENT_DATA_SUPPORTED)
    winpr_str_append("EXTENDED_CLIENT_DATA_SUPPORTED", buffer, sizeof(buffer), "|");
  if (flags & DYNVC_GFX_PROTOCOL_SUPPORTED)
    winpr_str_append("DYNVC_GFX_PROTOCOL_SUPPORTED", buffer, sizeof(buffer), "|");
  if (flags & RDP_NEGRSP_RESERVED)
    winpr_str_append("RDP_NEGRSP_RESERVED", buffer, sizeof(buffer), "|");
  if (flags & RESTRICTED_ADMIN_MODE_SUPPORTED)
    winpr_str_append("RESTRICTED_ADMIN_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
  if (flags & REDIRECTED_AUTHENTICATION_MODE_SUPPORTED)
    winpr_str_append("REDIRECTED_AUTHENTICATION_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
  if ((flags &
       ~(EXTENDED_CLIENT_DATA_SUPPORTED | DYNVC_GFX_PROTOCOL_SUPPORTED | RDP_NEGRSP_RESERVED |
         RESTRICTED_ADMIN_MODE_SUPPORTED | REDIRECTED_AUTHENTICATION_MODE_SUPPORTED)))
    winpr_str_append("UNKNOWN", buffer, sizeof(buffer), "|");
 
  return buffer;
}
 
BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s)
{
  UINT16 length = 0;
 
  WINPR_ASSERT(nego);
  WINPR_ASSERT(s);
 
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 7))
  {
    nego_set_state(nego, NEGO_STATE_FAIL);
    return FALSE;
  }
 
  Stream_Read_UINT8(s, nego->flags);
  WLog_DBG(TAG, "RDP_NEG_RSP::flags = { %s }", nego_rdp_neg_rsp_flags_str(nego->flags));
 
  Stream_Read_UINT16(s, length);
  if (length != 8)
  {
    WLog_ERR(TAG, "RDP_NEG_RSP::length != 8");
    nego_set_state(nego, NEGO_STATE_FAIL);
    return FALSE;
  }
  UINT32 SelectedProtocol = 0;
  Stream_Read_UINT32(s, SelectedProtocol);
 
  if (!nego_set_selected_protocol(nego, SelectedProtocol))
    return FALSE;
  return nego_set_state(nego, NEGO_STATE_FINAL);
}
 
BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s)
{
  BYTE flags = 0;
  UINT16 length = 0;
  UINT32 failureCode = 0;
 
  WINPR_ASSERT(nego);
  WINPR_ASSERT(s);
 
  WLog_DBG(TAG, "RDP_NEG_FAILURE");
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 7))
    return FALSE;
 
  Stream_Read_UINT8(s, flags);
  if (flags != 0)
  {
    WLog_WARN(TAG, "RDP_NEG_FAILURE::flags = 0x%02" PRIx8, flags);
    return FALSE;
  }
  Stream_Read_UINT16(s, length);
  if (length != 8)
  {
    WLog_ERR(TAG, "RDP_NEG_FAILURE::length != 8");
    return FALSE;
  }
  Stream_Read_UINT32(s, failureCode);
 
  switch (failureCode)
  {
    case SSL_REQUIRED_BY_SERVER:
      WLog_WARN(TAG, "Error: SSL_REQUIRED_BY_SERVER");
      break;
 
    case SSL_NOT_ALLOWED_BY_SERVER:
      WLog_WARN(TAG, "Error: SSL_NOT_ALLOWED_BY_SERVER");
      nego->sendNegoData = TRUE;
      break;
 
    case SSL_CERT_NOT_ON_SERVER:
      WLog_ERR(TAG, "Error: SSL_CERT_NOT_ON_SERVER");
      nego->sendNegoData = TRUE;
      break;
 
    case INCONSISTENT_FLAGS:
      WLog_ERR(TAG, "Error: INCONSISTENT_FLAGS");
      break;
 
    case HYBRID_REQUIRED_BY_SERVER:
      WLog_WARN(TAG, "Error: HYBRID_REQUIRED_BY_SERVER");
      break;
 
    default:
      WLog_ERR(TAG, "Error: Unknown protocol security error %" PRIu32 "", failureCode);
      break;
  }
 
  nego_set_state(nego, NEGO_STATE_FAIL);
  return TRUE;
}
 
BOOL nego_send_negotiation_response(rdpNego* nego)
{
  UINT16 length = 0;
  size_t bm = 0;
  size_t em = 0;
  BOOL status = 0;
  wStream* s = NULL;
  BYTE flags = 0;
  rdpContext* context = NULL;
  rdpSettings* settings = NULL;
 
  WINPR_ASSERT(nego);
  context = transport_get_context(nego->transport);
  WINPR_ASSERT(context);
 
  settings = context->settings;
  WINPR_ASSERT(settings);
 
  s = Stream_New(NULL, 512);
 
  if (!s)
  {
    WLog_ERR(TAG, "Stream_New failed!");
    return FALSE;
  }
 
  length = TPDU_CONNECTION_CONFIRM_LENGTH;
  bm = Stream_GetPosition(s);
  Stream_Seek(s, length);
 
  if (nego->SelectedProtocol & PROTOCOL_FAILED_NEGO)
  {
    UINT32 errorCode = (nego->SelectedProtocol & ~PROTOCOL_FAILED_NEGO);
    flags = 0;
    Stream_Write_UINT8(s, TYPE_RDP_NEG_FAILURE);
    Stream_Write_UINT8(s, flags); /* flags */
    Stream_Write_UINT16(s, 8);    /* RDP_NEG_DATA length (8) */
    Stream_Write_UINT32(s, errorCode);
    length += 8;
  }
  else
  {
    flags = EXTENDED_CLIENT_DATA_SUPPORTED;
 
    if (freerdp_settings_get_bool(settings, FreeRDP_SupportGraphicsPipeline))
      flags |= DYNVC_GFX_PROTOCOL_SUPPORTED;
 
    if (freerdp_settings_get_bool(settings, FreeRDP_RestrictedAdminModeRequired))
      flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
 
    if (nego->RemoteCredsGuardSupported)
      flags |= REDIRECTED_AUTHENTICATION_MODE_SUPPORTED;
 
    /* RDP_NEG_DATA must be present for TLS, NLA, RDP and RDSTLS */
    Stream_Write_UINT8(s, TYPE_RDP_NEG_RSP);
    Stream_Write_UINT8(s, flags);                   /* flags */
    Stream_Write_UINT16(s, 8);                      /* RDP_NEG_DATA length (8) */
    Stream_Write_UINT32(s, nego->SelectedProtocol); /* selectedProtocol */
    length += 8;
  }
 
  em = Stream_GetPosition(s);
  Stream_SetPosition(s, bm);
  status = tpkt_write_header(s, length);
  if (status)
  {
    tpdu_write_connection_confirm(s, length - 5);
    Stream_SetPosition(s, em);
    Stream_SealLength(s);
 
    status = (transport_write(nego->transport, s) >= 0);
  }
  Stream_Free(s, TRUE);
 
  if (status)
  {
    /* update settings with negotiated protocol security */
    if (!freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
                                     nego->RequestedProtocols))
      return FALSE;
    if (!freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
                                     nego->SelectedProtocol))
      return FALSE;
 
    switch (nego->SelectedProtocol)
    {
      case PROTOCOL_RDP:
        if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, TRUE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
          return FALSE;
 
        if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionLevel) ==
            ENCRYPTION_LEVEL_NONE)
        {
          if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
                                           ENCRYPTION_LEVEL_CLIENT_COMPATIBLE))
            return FALSE;
        }
 
        if (freerdp_settings_get_bool(settings, FreeRDP_LocalConnection))
        {
          WLog_INFO(TAG,
                    "Turning off encryption for local peer with standard rdp security");
          if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
            return FALSE;
          if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
                                           ENCRYPTION_LEVEL_NONE))
            return FALSE;
        }
        else if (!freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey))
        {
          WLog_ERR(TAG, "Missing server certificate");
          return FALSE;
        }
        break;
      case PROTOCOL_SSL:
        if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
          return FALSE;
 
        if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
                                         ENCRYPTION_LEVEL_NONE))
          return FALSE;
        break;
      case PROTOCOL_HYBRID:
        if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
          return FALSE;
 
        if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
                                         ENCRYPTION_LEVEL_NONE))
          return FALSE;
        break;
      case PROTOCOL_RDSTLS:
        if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, TRUE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
          return FALSE;
        if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
          return FALSE;
 
        if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
                                         ENCRYPTION_LEVEL_NONE))
          return FALSE;
        break;
      default:
        break;
    }
  }
 
  return status;
}
 
void nego_init(rdpNego* nego)
{
  WINPR_ASSERT(nego);
  nego_set_state(nego, NEGO_STATE_INITIAL);
  nego->RequestedProtocols = PROTOCOL_RDP;
  nego->CookieMaxLength = DEFAULT_COOKIE_MAX_LENGTH;
  nego->sendNegoData = FALSE;
  nego->flags = 0;
}
 
rdpNego* nego_new(rdpTransport* transport)
{
  rdpNego* nego = (rdpNego*)calloc(1, sizeof(rdpNego));
 
  if (!nego)
    return NULL;
 
  nego->transport = transport;
  nego_init(nego);
  return nego;
}
 
void nego_free(rdpNego* nego)
{
  if (nego)
  {
    free(nego->RoutingToken);
    free(nego->cookie);
    free(nego);
  }
}
 
BOOL nego_set_target(rdpNego* nego, const char* hostname, UINT16 port)
{
  if (!nego || !hostname)
    return FALSE;
 
  nego->hostname = hostname;
  nego->port = port;
  return TRUE;
}
 
void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer)
{
  WLog_DBG(TAG, "Enabling security layer negotiation: %s",
           NegotiateSecurityLayer ? "TRUE" : "FALSE");
  nego->NegotiateSecurityLayer = NegotiateSecurityLayer;
}
 
void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdminModeRequired)
{
  WLog_DBG(TAG, "Enabling restricted admin mode: %s",
           RestrictedAdminModeRequired ? "TRUE" : "FALSE");
  nego->RestrictedAdminModeRequired = RestrictedAdminModeRequired;
}
 
void nego_set_RCG_required(rdpNego* nego, BOOL enabled)
{
  WINPR_ASSERT(nego);
 
  WLog_DBG(TAG, "Enabling remoteCredentialGuards: %s", enabled ? "TRUE" : "FALSE");
  nego->RemoteCredsGuardRequired = enabled;
}
 
void nego_set_RCG_supported(rdpNego* nego, BOOL enabled)
{
  WINPR_ASSERT(nego);
 
  nego->RemoteCredsGuardSupported = enabled;
}
 
BOOL nego_get_remoteCredentialGuard(rdpNego* nego)
{
  WINPR_ASSERT(nego);
 
  return nego->RemoteCredsGuardActive;
}
 
void nego_set_childsession_enabled(rdpNego* nego, BOOL ChildSessionEnabled)
{
  WINPR_ASSERT(nego);
  nego->ConnectChildSession = ChildSessionEnabled;
}
 
void nego_set_gateway_enabled(rdpNego* nego, BOOL GatewayEnabled)
{
  nego->GatewayEnabled = GatewayEnabled;
}
 
void nego_set_gateway_bypass_local(rdpNego* nego, BOOL GatewayBypassLocal)
{
  nego->GatewayBypassLocal = GatewayBypassLocal;
}
 
void nego_enable_rdp(rdpNego* nego, BOOL enable_rdp)
{
  WLog_DBG(TAG, "Enabling RDP security: %s", enable_rdp ? "TRUE" : "FALSE");
  nego->EnabledProtocols[PROTOCOL_RDP] = enable_rdp;
}
 
void nego_enable_tls(rdpNego* nego, BOOL enable_tls)
{
  WLog_DBG(TAG, "Enabling TLS security: %s", enable_tls ? "TRUE" : "FALSE");
  nego->EnabledProtocols[PROTOCOL_SSL] = enable_tls;
}
 
void nego_enable_nla(rdpNego* nego, BOOL enable_nla)
{
  WLog_DBG(TAG, "Enabling NLA security: %s", enable_nla ? "TRUE" : "FALSE");
  nego->EnabledProtocols[PROTOCOL_HYBRID] = enable_nla;
}
 
void nego_enable_rdstls(rdpNego* nego, BOOL enable_rdstls)
{
  WLog_DBG(TAG, "Enabling RDSTLS security: %s", enable_rdstls ? "TRUE" : "FALSE");
  nego->EnabledProtocols[PROTOCOL_RDSTLS] = enable_rdstls;
}
 
void nego_enable_ext(rdpNego* nego, BOOL enable_ext)
{
  WLog_DBG(TAG, "Enabling NLA extended security: %s", enable_ext ? "TRUE" : "FALSE");
  nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = enable_ext;
}
 
void nego_enable_aad(rdpNego* nego, BOOL enable_aad)
{
  if (aad_is_supported())
  {
    WLog_DBG(TAG, "Enabling RDS AAD security: %s", enable_aad ? "TRUE" : "FALSE");
    nego->EnabledProtocols[PROTOCOL_RDSAAD] = enable_aad;
  }
  else
  {
    WLog_WARN(TAG, "This build does not support AAD security, disabling.");
  }
}
 
BOOL nego_set_routing_token(rdpNego* nego, const void* RoutingToken, DWORD RoutingTokenLength)
{
  if (RoutingTokenLength == 0)
    return FALSE;
 
  free(nego->RoutingToken);
  nego->RoutingTokenLength = RoutingTokenLength;
  nego->RoutingToken = (BYTE*)malloc(nego->RoutingTokenLength);
 
  if (!nego->RoutingToken)
    return FALSE;
 
  CopyMemory(nego->RoutingToken, RoutingToken, nego->RoutingTokenLength);
  return TRUE;
}
 
BOOL nego_set_cookie(rdpNego* nego, const char* cookie)
{
  if (nego->cookie)
  {
    free(nego->cookie);
    nego->cookie = NULL;
  }
 
  if (!cookie)
    return TRUE;
 
  nego->cookie = _strdup(cookie);
 
  if (!nego->cookie)
    return FALSE;
 
  return TRUE;
}
 
void nego_set_cookie_max_length(rdpNego* nego, UINT32 CookieMaxLength)
{
  nego->CookieMaxLength = CookieMaxLength;
}
 
void nego_set_send_preconnection_pdu(rdpNego* nego, BOOL SendPreconnectionPdu)
{
  nego->SendPreconnectionPdu = SendPreconnectionPdu;
}
 
void nego_set_preconnection_id(rdpNego* nego, UINT32 PreconnectionId)
{
  nego->PreconnectionId = PreconnectionId;
}
 
void nego_set_preconnection_blob(rdpNego* nego, const char* PreconnectionBlob)
{
  nego->PreconnectionBlob = PreconnectionBlob;
}
 
UINT32 nego_get_selected_protocol(rdpNego* nego)
{
  if (!nego)
    return 0;
 
  return nego->SelectedProtocol;
}
 
BOOL nego_set_selected_protocol(rdpNego* nego, UINT32 SelectedProtocol)
{
  WINPR_ASSERT(nego);
  nego->SelectedProtocol = SelectedProtocol;
  return TRUE;
}
 
UINT32 nego_get_requested_protocols(rdpNego* nego)
{
  if (!nego)
    return 0;
 
  return nego->RequestedProtocols;
}
 
BOOL nego_set_requested_protocols(rdpNego* nego, UINT32 RequestedProtocols)
{
  if (!nego)
    return FALSE;
 
  nego->RequestedProtocols = RequestedProtocols;
  return TRUE;
}
 
NEGO_STATE nego_get_state(rdpNego* nego)
{
  if (!nego)
    return NEGO_STATE_FAIL;
 
  return nego->state;
}
 
BOOL nego_set_state(rdpNego* nego, NEGO_STATE state)
{
  if (!nego)
    return FALSE;
 
  nego->state = state;
  return TRUE;
}
 
SEC_WINNT_AUTH_IDENTITY* nego_get_identity(rdpNego* nego)
{
  rdpNla* nla = NULL;
  if (!nego)
    return NULL;
 
  nla = transport_get_nla(nego->transport);
  return nla_get_identity(nla);
}
 
void nego_free_nla(rdpNego* nego)
{
  if (!nego || !nego->transport)
    return;
 
  transport_set_nla(nego->transport, NULL);
}
 
const BYTE* nego_get_routing_token(rdpNego* nego, DWORD* RoutingTokenLength)
{
  if (!nego)
    return NULL;
  if (RoutingTokenLength)
    *RoutingTokenLength = nego->RoutingTokenLength;
  return nego->RoutingToken;
}
 
const char* nego_protocol_to_str(UINT32 protocol, char* buffer, size_t size)
{
  const UINT32 mask = ~(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS | PROTOCOL_HYBRID_EX |
                        PROTOCOL_RDSAAD | PROTOCOL_FAILED_NEGO);
  char str[48] = { 0 };
 
  if (protocol & PROTOCOL_SSL)
    (void)winpr_str_append("SSL", str, sizeof(str), "|");
  if (protocol & PROTOCOL_HYBRID)
    (void)winpr_str_append("HYBRID", str, sizeof(str), "|");
  if (protocol & PROTOCOL_RDSTLS)
    (void)winpr_str_append("RDSTLS", str, sizeof(str), "|");
  if (protocol & PROTOCOL_HYBRID_EX)
    (void)winpr_str_append("HYBRID_EX", str, sizeof(str), "|");
  if (protocol & PROTOCOL_RDSAAD)
    (void)winpr_str_append("RDSAAD", str, sizeof(str), "|");
  if (protocol & PROTOCOL_FAILED_NEGO)
    (void)winpr_str_append("NEGO FAILED", str, sizeof(str), "|");
 
  if (protocol == PROTOCOL_RDP)
    (void)winpr_str_append("RDP", str, sizeof(str), "");
  else if ((protocol & mask) != 0)
    (void)winpr_str_append("UNKNOWN", str, sizeof(str), "|");
 
  (void)_snprintf(buffer, size, "[%s][0x%08" PRIx32 "]", str, protocol);
  return buffer;
}