FreeRDP
Loading...
Searching...
No Matches
rdg.c
1
20#include <stdint.h>
21
22#include <freerdp/config.h>
23
24#include "../settings.h"
25
26#include <winpr/assert.h>
27#include <winpr/cast.h>
28
29#include <winpr/crt.h>
30#include <winpr/synch.h>
31#include <winpr/print.h>
32#include <winpr/stream.h>
33#include <winpr/winsock.h>
34#include <winpr/cred.h>
35
36#include <freerdp/log.h>
37#include <freerdp/error.h>
38#include <freerdp/utils/ringbuffer.h>
39#include <freerdp/utils/smartcardlogon.h>
40
41#include "rdg.h"
42#include "websocket.h"
43#include "../credssp_auth.h"
44#include "../proxy.h"
45#include "../rdp.h"
46#include "../../crypto/opensslcompat.h"
47#include "rpc_fault.h"
48#include "../utils.h"
49
50#define TAG FREERDP_TAG("core.gateway.rdg")
51
52#define AUTH_PKG NEGO_SSP_NAME
53
54/* HTTP channel response fields present flags. */
55#define HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID 0x1
56#define HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE 0x2
57#define HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT 0x4
58
59/* HTTP extended auth. */
60#define HTTP_EXTENDED_AUTH_NONE 0x0
61#define HTTP_EXTENDED_AUTH_SC 0x1 /* Smart card authentication. */
62#define HTTP_EXTENDED_AUTH_PAA 0x02 /* Pluggable authentication. */
63#define HTTP_EXTENDED_AUTH_SSPI_NTLM 0x04 /* NTLM extended authentication. */
64#define HTTP_EXTENDED_AUTH_BEARER 0x08 /* HTTP Bearer authentication. */
65
66/* HTTP packet types. */
67typedef enum
68{
69 PKT_TYPE_HANDSHAKE_REQUEST = 0x1,
70 PKT_TYPE_HANDSHAKE_RESPONSE = 0x2,
71 PKT_TYPE_EXTENDED_AUTH_MSG = 0x3,
72 PKT_TYPE_TUNNEL_CREATE = 0x4,
73 PKT_TYPE_TUNNEL_RESPONSE = 0x5,
74 PKT_TYPE_TUNNEL_AUTH = 0x6,
75 PKT_TYPE_TUNNEL_AUTH_RESPONSE = 0x7,
76 PKT_TYPE_CHANNEL_CREATE = 0x8,
77 PKT_TYPE_CHANNEL_RESPONSE = 0x9,
78 PKT_TYPE_DATA = 0xA,
79 PKT_TYPE_SERVICE_MESSAGE = 0xB,
80 PKT_TYPE_REAUTH_MESSAGE = 0xC,
81 PKT_TYPE_KEEPALIVE = 0xD,
82 PKT_TYPE_CLOSE_CHANNEL = 0x10,
83 PKT_TYPE_CLOSE_CHANNEL_RESPONSE = 0x11
84} RdgPktType;
85
86/* HTTP tunnel auth fields present flags. */
87// #define HTTP_TUNNEL_AUTH_FIELD_SOH 0x1
88
89/* HTTP tunnel auth response fields present flags. */
90#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS 0x1
91#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT 0x2
92#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE 0x4
93
94/* HTTP tunnel packet fields present flags. */
95#define HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE 0x1
96// #define HTTP_TUNNEL_PACKET_FIELD_REAUTH 0x2
97
98/* HTTP tunnel response fields present flags. */
99#define HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID 0x1
100#define HTTP_TUNNEL_RESPONSE_FIELD_CAPS 0x2
101#define HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ 0x4
102#define HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG 0x10
103
104/* HTTP capability type enumeration. */
105#define HTTP_CAPABILITY_TYPE_QUAR_SOH 0x1
106#define HTTP_CAPABILITY_IDLE_TIMEOUT 0x2
107#define HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN 0x4
108#define HTTP_CAPABILITY_MESSAGING_SERVICE_MSG 0x8
109#define HTTP_CAPABILITY_REAUTH 0x10
110#define HTTP_CAPABILITY_UDP_TRANSPORT 0x20
111
112typedef struct
113{
114 TRANSFER_ENCODING httpTransferEncoding;
115 BOOL isWebsocketTransport;
116 union context
117 {
118 http_encoding_chunked_context chunked;
119 websocket_context* websocket;
120 } context;
121} rdg_http_encoding_context;
122
123struct rdp_rdg
124{
125 rdpContext* context;
126 BOOL attached;
127 BIO* frontBio;
128 rdpTls* tlsIn;
129 rdpTls* tlsOut;
130 rdpCredsspAuth* auth;
131 HttpContext* http;
132 CRITICAL_SECTION writeSection;
133
134 UUID guid;
135
136 int state;
137 UINT16 packetRemainingCount;
138 UINT16 reserved1;
139 int timeout;
140 UINT16 extAuth;
141 UINT16 reserved2;
142 rdg_http_encoding_context transferEncoding;
143
144 SmartcardCertInfo* smartcard;
145 wLog* log;
146};
147
148enum
149{
150 RDG_CLIENT_STATE_INITIAL,
151 RDG_CLIENT_STATE_HANDSHAKE,
152 RDG_CLIENT_STATE_TUNNEL_CREATE,
153 RDG_CLIENT_STATE_TUNNEL_AUTHORIZE,
154 RDG_CLIENT_STATE_CHANNEL_CREATE,
155 RDG_CLIENT_STATE_OPENED,
156};
157
158#pragma pack(push, 1)
159
160typedef struct rdg_packet_header
161{
162 UINT16 type;
163 UINT16 reserved;
164 UINT32 packetLength;
165} RdgPacketHeader;
166
167#pragma pack(pop)
168
169typedef struct
170{
171 UINT32 code;
172 const char* name;
173} t_flag_mapping;
174
175static const t_flag_mapping tunnel_response_fields_present[] = {
176 { HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID, "HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID" },
177 { HTTP_TUNNEL_RESPONSE_FIELD_CAPS, "HTTP_TUNNEL_RESPONSE_FIELD_CAPS" },
178 { HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ, "HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ" },
179 { HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG, "HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG" }
180};
181
182static const t_flag_mapping channel_response_fields_present[] = {
183 { HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID, "HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID" },
184 { HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE, "HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE" },
185 { HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT, "HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT" }
186};
187
188static const t_flag_mapping tunnel_authorization_response_fields_present[] = {
189 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS, "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS" },
190 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT,
191 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT" },
192 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE,
193 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE" }
194};
195
196static const t_flag_mapping extended_auth[] = {
197 { HTTP_EXTENDED_AUTH_NONE, "HTTP_EXTENDED_AUTH_NONE" },
198 { HTTP_EXTENDED_AUTH_SC, "HTTP_EXTENDED_AUTH_SC" },
199 { HTTP_EXTENDED_AUTH_PAA, "HTTP_EXTENDED_AUTH_PAA" },
200 { HTTP_EXTENDED_AUTH_SSPI_NTLM, "HTTP_EXTENDED_AUTH_SSPI_NTLM" }
201};
202
203static const t_flag_mapping capabilities_enum[] = {
204 { HTTP_CAPABILITY_TYPE_QUAR_SOH, "HTTP_CAPABILITY_TYPE_QUAR_SOH" },
205 { HTTP_CAPABILITY_IDLE_TIMEOUT, "HTTP_CAPABILITY_IDLE_TIMEOUT" },
206 { HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN, "HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN" },
207 { HTTP_CAPABILITY_MESSAGING_SERVICE_MSG, "HTTP_CAPABILITY_MESSAGING_SERVICE_MSG" },
208 { HTTP_CAPABILITY_REAUTH, "HTTP_CAPABILITY_REAUTH" },
209 { HTTP_CAPABILITY_UDP_TRANSPORT, "HTTP_CAPABILITY_UDP_TRANSPORT" }
210};
211
212static const char* rdg_pkt_type_to_string(int type)
213{
214#define ENTRY(x) \
215 case x: \
216 return #x
217
218 switch (type)
219 {
220 ENTRY(PKT_TYPE_HANDSHAKE_REQUEST);
221 ENTRY(PKT_TYPE_HANDSHAKE_RESPONSE);
222 ENTRY(PKT_TYPE_EXTENDED_AUTH_MSG);
223 ENTRY(PKT_TYPE_TUNNEL_CREATE);
224 ENTRY(PKT_TYPE_TUNNEL_RESPONSE);
225 ENTRY(PKT_TYPE_TUNNEL_AUTH);
226 ENTRY(PKT_TYPE_TUNNEL_AUTH_RESPONSE);
227 ENTRY(PKT_TYPE_CHANNEL_CREATE);
228 ENTRY(PKT_TYPE_CHANNEL_RESPONSE);
229 ENTRY(PKT_TYPE_DATA);
230 ENTRY(PKT_TYPE_SERVICE_MESSAGE);
231 ENTRY(PKT_TYPE_REAUTH_MESSAGE);
232 ENTRY(PKT_TYPE_KEEPALIVE);
233 ENTRY(PKT_TYPE_CLOSE_CHANNEL);
234 ENTRY(PKT_TYPE_CLOSE_CHANNEL_RESPONSE);
235 default:
236 return "PKT_TYPE_UNKNOWN";
237 }
238#undef ENTRY
239}
240
241static const char* flags_to_string(UINT32 flags, const t_flag_mapping* map, size_t elements)
242{
243 static char buffer[1024] = WINPR_C_ARRAY_INIT;
244 char fields[12] = WINPR_C_ARRAY_INIT;
245
246 for (size_t x = 0; x < elements; x++)
247 {
248 const t_flag_mapping* cur = &map[x];
249
250 if ((cur->code & flags) != 0)
251 winpr_str_append(cur->name, buffer, sizeof(buffer), "|");
252 }
253
254 (void)sprintf_s(fields, ARRAYSIZE(fields), " [%04" PRIx32 "]", flags);
255 winpr_str_append(fields, buffer, sizeof(buffer), nullptr);
256 return buffer;
257}
258
259static const char* channel_response_fields_present_to_string(UINT16 fieldsPresent)
260{
261 return flags_to_string(fieldsPresent, channel_response_fields_present,
262 ARRAYSIZE(channel_response_fields_present));
263}
264
265static const char* tunnel_response_fields_present_to_string(UINT16 fieldsPresent)
266{
267 return flags_to_string(fieldsPresent, tunnel_response_fields_present,
268 ARRAYSIZE(tunnel_response_fields_present));
269}
270
271static const char* tunnel_authorization_response_fields_present_to_string(UINT16 fieldsPresent)
272{
273 return flags_to_string(fieldsPresent, tunnel_authorization_response_fields_present,
274 ARRAYSIZE(tunnel_authorization_response_fields_present));
275}
276
277static const char* extended_auth_to_string(UINT16 auth)
278{
279 if (auth == HTTP_EXTENDED_AUTH_NONE)
280 return "HTTP_EXTENDED_AUTH_NONE [0x0000]";
281
282 return flags_to_string(auth, extended_auth, ARRAYSIZE(extended_auth));
283}
284
285static const char* capabilities_enum_to_string(UINT32 capabilities)
286{
287 return flags_to_string(capabilities, capabilities_enum, ARRAYSIZE(capabilities_enum));
288}
289
290static BOOL rdg_read_http_unicode_string(wLog* log, wStream* s, const WCHAR** string,
291 UINT16* lengthInBytes)
292{
293 UINT16 strLenBytes = 0;
294 size_t rem = Stream_GetRemainingLength(s);
295
296 /* Read length of the string */
297 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 4))
298 {
299 WLog_Print(log, WLOG_ERROR, "Could not read stream length, only have %" PRIuz " bytes",
300 rem);
301 return FALSE;
302 }
303 Stream_Read_UINT16(s, strLenBytes);
304
305 /* Remember position of our string */
306 const WCHAR* str = Stream_ConstPointer(s);
307
308 /* seek past the string - if this fails something is wrong */
309 if (!Stream_SafeSeek(s, strLenBytes))
310 {
311 WLog_Print(log, WLOG_ERROR,
312 "Could not read stream data, only have %" PRIuz " bytes, expected %" PRIu16,
313 rem - 4, strLenBytes);
314 return FALSE;
315 }
316
317 /* return the string data (if wanted) */
318 if (string)
319 *string = str;
320 if (lengthInBytes)
321 *lengthInBytes = strLenBytes;
322
323 return TRUE;
324}
325
326static BOOL rdg_write_chunked(BIO* bio, wStream* sPacket)
327{
328 size_t len = 0;
329 int status = 0;
330 wStream* sChunk = nullptr;
331 char chunkSize[11];
332 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIXz "\r\n", Stream_Length(sPacket));
333 sChunk =
334 Stream_New(nullptr, strnlen(chunkSize, sizeof(chunkSize)) + Stream_Length(sPacket) + 2);
335
336 if (!sChunk)
337 return FALSE;
338
339 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
340 Stream_Write(sChunk, Stream_Buffer(sPacket), Stream_Length(sPacket));
341 Stream_Write(sChunk, "\r\n", 2);
342 Stream_SealLength(sChunk);
343 len = Stream_Length(sChunk);
344
345 if (len > INT_MAX)
346 {
347 Stream_Free(sChunk, TRUE);
348 return FALSE;
349 }
350
351 ERR_clear_error();
352 status = BIO_write(bio, Stream_Buffer(sChunk), (int)len);
353 Stream_Free(sChunk, TRUE);
354
355 return (status == (SSIZE_T)len);
356}
357
358static BOOL rdg_write_packet(rdpRdg* rdg, wStream* sPacket)
359{
360 if (rdg->transferEncoding.isWebsocketTransport)
361 return websocket_context_write_wstream(rdg->transferEncoding.context.websocket,
362 rdg->tlsOut->bio, sPacket, WebsocketBinaryOpcode);
363
364 return rdg_write_chunked(rdg->tlsIn->bio, sPacket);
365}
366
367static int rdg_socket_read(BIO* bio, BYTE* pBuffer, size_t size,
368 rdg_http_encoding_context* encodingContext)
369{
370 WINPR_ASSERT(encodingContext != nullptr);
371 if (size > INT32_MAX)
372 return -1;
373
374 if (encodingContext->isWebsocketTransport)
375 return websocket_context_read(encodingContext->context.websocket, bio, pBuffer, size);
376
377 switch (encodingContext->httpTransferEncoding)
378 {
379 case TransferEncodingIdentity:
380 ERR_clear_error();
381 return BIO_read(bio, pBuffer, (int)size);
382 case TransferEncodingChunked:
383 return http_chuncked_read(bio, pBuffer, size, &encodingContext->context.chunked);
384 default:
385 return -1;
386 }
387}
388
389static BOOL rdg_shall_abort(rdpRdg* rdg)
390{
391 WINPR_ASSERT(rdg);
392 return freerdp_shall_disconnect_context(rdg->context);
393}
394
395static BOOL rdg_read_all(rdpContext* context, rdpTls* tls, BYTE* buffer, size_t size,
396 rdg_http_encoding_context* transferEncoding)
397{
398 size_t readCount = 0;
399 BYTE* pBuffer = buffer;
400
401 while (readCount < size)
402 {
403 if (freerdp_shall_disconnect_context(context))
404 return FALSE;
405
406 int status = rdg_socket_read(tls->bio, pBuffer, size - readCount, transferEncoding);
407 if (status <= 0)
408 {
409 if (!BIO_should_retry(tls->bio))
410 return FALSE;
411
412 Sleep(10);
413 continue;
414 }
415
416 readCount += WINPR_ASSERTING_INT_CAST(uint32_t, status);
417 pBuffer += WINPR_ASSERTING_INT_CAST(uint32_t, status);
418 }
419
420 return TRUE;
421}
422
423static wStream* rdg_receive_packet(rdpRdg* rdg)
424{
425 const size_t header = sizeof(RdgPacketHeader);
426 size_t packetLength = 0;
427 wStream* s = Stream_New(nullptr, 1024);
428
429 if (!s)
430 return nullptr;
431
432 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s), header, &rdg->transferEncoding))
433 goto fail;
434
435 Stream_Seek(s, 4);
436 Stream_Read_UINT32(s, packetLength);
437
438 if ((packetLength > INT_MAX) || !Stream_EnsureCapacity(s, packetLength) ||
439 (packetLength < header))
440 goto fail;
441
442 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s) + header, packetLength - header,
443 &rdg->transferEncoding))
444 goto fail;
445
446 if (!Stream_SetLength(s, packetLength))
447 goto fail;
448 return s;
449
450fail:
451 Stream_Free(s, TRUE);
452 return nullptr;
453}
454
455static BOOL rdg_send_handshake(rdpRdg* rdg)
456{
457 BOOL status = FALSE;
458 wStream* s = Stream_New(nullptr, 14);
459
460 if (!s)
461 return FALSE;
462
463 Stream_Write_UINT16(s, PKT_TYPE_HANDSHAKE_REQUEST); /* Type (2 bytes) */
464 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
465 Stream_Write_UINT32(s, 14); /* PacketLength (4 bytes) */
466 Stream_Write_UINT8(s, 1); /* VersionMajor (1 byte) */
467 Stream_Write_UINT8(s, 0); /* VersionMinor (1 byte) */
468 Stream_Write_UINT16(s, 0); /* ClientVersion (2 bytes), must be 0 */
469 Stream_Write_UINT16(s, rdg->extAuth); /* ExtendedAuthentication (2 bytes) */
470 Stream_SealLength(s);
471 status = rdg_write_packet(rdg, s);
472 Stream_Free(s, TRUE);
473
474 if (status)
475 {
476 rdg->state = RDG_CLIENT_STATE_HANDSHAKE;
477 }
478
479 return status;
480}
481
482static BOOL rdg_send_extauth_sspi(rdpRdg* rdg)
483{
484 wStream* s = nullptr;
485 BOOL status = 0;
486 UINT32 packetSize = 8 + 4 + 2;
487
488 WINPR_ASSERT(rdg);
489
490 const SecBuffer* authToken = credssp_auth_get_output_buffer(rdg->auth);
491 if (!authToken)
492 return FALSE;
493 packetSize += authToken->cbBuffer;
494
495 s = Stream_New(nullptr, packetSize);
496
497 if (!s)
498 return FALSE;
499
500 Stream_Write_UINT16(s, PKT_TYPE_EXTENDED_AUTH_MSG); /* Type (2 bytes) */
501 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
502 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
503 Stream_Write_UINT32(s, ERROR_SUCCESS); /* Error code */
504 Stream_Write_UINT16(s, (UINT16)authToken->cbBuffer);
505 Stream_Write(s, authToken->pvBuffer, authToken->cbBuffer);
506
507 Stream_SealLength(s);
508 status = rdg_write_packet(rdg, s);
509 Stream_Free(s, TRUE);
510
511 return status;
512}
513
514static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
515{
516 wStream* s = nullptr;
517 BOOL status = FALSE;
518 UINT32 packetSize = 16;
519 UINT16 fieldsPresent = 0;
520 WCHAR* PAACookie = nullptr;
521 size_t PAACookieLen = 0;
522 const UINT32 capabilities = HTTP_CAPABILITY_TYPE_QUAR_SOH |
523 HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN |
524 HTTP_CAPABILITY_MESSAGING_SERVICE_MSG;
525
526 if (rdg->extAuth == HTTP_EXTENDED_AUTH_PAA)
527 {
528 PAACookie =
529 ConvertUtf8ToWCharAlloc(rdg->context->settings->GatewayAccessToken, &PAACookieLen);
530
531 if (!PAACookie || (PAACookieLen > UINT16_MAX / sizeof(WCHAR)))
532 goto fail;
533
534 PAACookieLen += 1; /* include \0 */
535 packetSize += 2 + (UINT32)(PAACookieLen) * sizeof(WCHAR);
536 fieldsPresent = HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE;
537 }
538
539 s = Stream_New(nullptr, packetSize);
540
541 if (!s)
542 goto fail;
543
544 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_CREATE); /* Type (2 bytes) */
545 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
546 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
547 Stream_Write_UINT32(s, capabilities); /* CapabilityFlags (4 bytes) */
548 Stream_Write_UINT16(s, fieldsPresent); /* FieldsPresent (2 bytes) */
549 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes), must be 0 */
550
551 if (PAACookie)
552 {
553 Stream_Write_UINT16(s, (UINT16)PAACookieLen * sizeof(WCHAR)); /* PAA cookie string length */
554 if (!Stream_Write_UTF16_String(s, PAACookie, PAACookieLen))
555 goto fail;
556 }
557
558 Stream_SealLength(s);
559 status = rdg_write_packet(rdg, s);
560
561fail:
562 Stream_Free(s, TRUE);
563 free(PAACookie);
564
565 if (status)
566 {
567 rdg->state = RDG_CLIENT_STATE_TUNNEL_CREATE;
568 }
569
570 return status;
571}
572
573static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
574{
575 wStream* s = nullptr;
576 BOOL status = FALSE;
577 WINPR_ASSERT(rdg);
578 size_t clientNameLen = 0;
579 WCHAR* clientName = freerdp_settings_get_string_as_utf16(
580 rdg->context->settings, FreeRDP_ClientHostname, &clientNameLen);
581
582 clientNameLen++; // length including terminating '\0'
583
584 const size_t packetSize = 12ull + clientNameLen * sizeof(WCHAR);
585 if (!clientName || (clientNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
586 goto fail;
587
588 s = Stream_New(nullptr, packetSize);
589
590 if (!s)
591 goto fail;
592
593 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_AUTH); /* Type (2 bytes) */
594 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
595 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
596 Stream_Write_UINT16(s, 0); /* FieldsPresent (2 bytes) */
597 Stream_Write_UINT16(s, (UINT16)clientNameLen * sizeof(WCHAR)); /* Client name string length */
598 if (!Stream_Write_UTF16_String(s, clientName, clientNameLen))
599 goto fail;
600 Stream_SealLength(s);
601 status = rdg_write_packet(rdg, s);
602
603fail:
604 Stream_Free(s, TRUE);
605 free(clientName);
606
607 if (status)
608 rdg->state = RDG_CLIENT_STATE_TUNNEL_AUTHORIZE;
609
610 return status;
611}
612
613static BOOL rdg_send_channel_create(rdpRdg* rdg)
614{
615 wStream* s = nullptr;
616 BOOL status = FALSE;
617 WCHAR* serverName = nullptr;
618 size_t serverNameLen = 0;
619
620 WINPR_ASSERT(rdg);
621 serverName = freerdp_settings_get_string_as_utf16(rdg->context->settings,
622 FreeRDP_ServerHostname, &serverNameLen);
623
624 serverNameLen++; // length including terminating '\0'
625 const size_t packetSize = 16ull + serverNameLen * sizeof(WCHAR);
626 if (!serverName || (serverNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
627 goto fail;
628
629 s = Stream_New(nullptr, packetSize);
630
631 if (!s)
632 goto fail;
633
634 Stream_Write_UINT16(s, PKT_TYPE_CHANNEL_CREATE); /* Type (2 bytes) */
635 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
636 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
637 Stream_Write_UINT8(s, 1); /* Number of resources. (1 byte) */
638 Stream_Write_UINT8(s, 0); /* Number of alternative resources (1 byte) */
639 Stream_Write_UINT16(s,
640 (UINT16)rdg->context->settings->ServerPort); /* Resource port (2 bytes) */
641 Stream_Write_UINT16(s, 3); /* Protocol number (2 bytes) */
642 Stream_Write_UINT16(s, (UINT16)serverNameLen * sizeof(WCHAR));
643 if (!Stream_Write_UTF16_String(s, serverName, serverNameLen))
644 goto fail;
645
646 Stream_SealLength(s);
647 status = rdg_write_packet(rdg, s);
648fail:
649 free(serverName);
650 Stream_Free(s, TRUE);
651
652 if (status)
653 rdg->state = RDG_CLIENT_STATE_CHANNEL_CREATE;
654
655 return status;
656}
657
658static BOOL rdg_set_auth_header(rdpCredsspAuth* auth, HttpRequest* request)
659{
660 const SecBuffer* authToken = credssp_auth_get_output_buffer(auth);
661 char* base64AuthToken = nullptr;
662
663 if (authToken)
664 {
665 if (authToken->cbBuffer > INT_MAX)
666 return FALSE;
667
668 base64AuthToken = crypto_base64_encode(authToken->pvBuffer, authToken->cbBuffer);
669 }
670
671 if (base64AuthToken)
672 {
673 BOOL rc = http_request_set_auth_scheme(request, credssp_auth_pkg_name(auth)) &&
674 http_request_set_auth_param(request, base64AuthToken);
675 free(base64AuthToken);
676
677 if (!rc)
678 return FALSE;
679 }
680
681 return TRUE;
682}
683
684static wStream* rdg_build_http_request(rdpRdg* rdg, const char* method,
685 TRANSFER_ENCODING transferEncoding)
686{
687 wStream* s = nullptr;
688 HttpRequest* request = nullptr;
689 const char* uri = nullptr;
690
691 if (!rdg || !method)
692 return nullptr;
693
694 uri = http_context_get_uri(rdg->http);
695 request = http_request_new();
696
697 if (!request)
698 return nullptr;
699
700 if (!http_request_set_method(request, method) || !http_request_set_uri(request, uri))
701 goto out;
702
703 if (rdg->auth)
704 {
705 if (!rdg_set_auth_header(rdg->auth, request))
706 goto out;
707 }
708
709 else if (rdg->extAuth == HTTP_EXTENDED_AUTH_BEARER)
710 {
711 if (!http_request_set_auth_scheme(request, "Bearer"))
712 goto out;
713 if (!http_request_set_auth_param(request, rdg->context->settings->GatewayHttpExtAuthBearer))
714 goto out;
715 }
716
717 if (!http_request_set_transfer_encoding(request, transferEncoding))
718 goto out;
719
720 s = http_request_write(rdg->http, request);
721out:
722 http_request_free(request);
723
724 if (s)
725 Stream_SealLength(s);
726
727 return s;
728}
729
730static BOOL rdg_recv_auth_token(wLog* log, rdpCredsspAuth* auth, HttpResponse* response)
731{
732 size_t len = 0;
733 size_t authTokenLength = 0;
734 BYTE* authTokenData = nullptr;
735 SecBuffer authToken = WINPR_C_ARRAY_INIT;
736 int rc = 0;
737
738 if (!auth || !response)
739 return FALSE;
740
741 const UINT16 StatusCode = http_response_get_status_code(response);
742 switch (StatusCode)
743 {
744 case HTTP_STATUS_DENIED:
745 case HTTP_STATUS_OK:
746 case HTTP_STATUS_SWITCH_PROTOCOLS:
747 break;
748 default:
749 http_response_log_error_status(log, WLOG_WARN, response);
750 return FALSE;
751 }
752
753 const char* token64 = http_response_get_auth_token(response, credssp_auth_pkg_name(auth));
754 if (!token64)
755 return FALSE;
756
757 len = strlen(token64);
758
759 crypto_base64_decode(token64, len, &authTokenData, &authTokenLength);
760
761 if (authTokenLength && authTokenData && (authTokenLength <= UINT32_MAX))
762 {
763 authToken.pvBuffer = authTokenData;
764 authToken.cbBuffer = (UINT32)authTokenLength;
765 credssp_auth_take_input_buffer(auth, &authToken);
766 }
767 else
768 free(authTokenData);
769
770 rc = credssp_auth_authenticate(auth);
771 return (rc >= 0);
772}
773
774static BOOL rdg_skip_seed_payload(rdpContext* context, rdpTls* tls, size_t lastResponseLength,
775 rdg_http_encoding_context* transferEncoding)
776{
777 BYTE seed_payload[10] = WINPR_C_ARRAY_INIT;
778 const size_t size = sizeof(seed_payload);
779
780 /* Per [MS-TSGU] 3.3.5.1 step 4, after final OK response RDG server sends
781 * random "seed" payload of limited size. In practice it's 10 bytes.
782 */
783 if (lastResponseLength < size)
784 {
785 if (!rdg_read_all(context, tls, seed_payload, size - lastResponseLength, transferEncoding))
786 {
787 return FALSE;
788 }
789 }
790
791 return TRUE;
792}
793
794static BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
795{
796 UINT32 errorCode = 0;
797 UINT16 serverVersion = 0;
798 UINT16 extendedAuth = 0;
799 BYTE verMajor = 0;
800 BYTE verMinor = 0;
801 const char* error = nullptr;
802 WLog_Print(rdg->log, WLOG_DEBUG, "Handshake response received");
803
804 if (rdg->state != RDG_CLIENT_STATE_HANDSHAKE)
805 {
806 return FALSE;
807 }
808
809 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
810 return FALSE;
811
812 Stream_Read_UINT32(s, errorCode);
813 Stream_Read_UINT8(s, verMajor);
814 Stream_Read_UINT8(s, verMinor);
815 Stream_Read_UINT16(s, serverVersion);
816 Stream_Read_UINT16(s, extendedAuth);
817 error = rpc_error_to_string(errorCode);
818 WLog_Print(rdg->log, WLOG_DEBUG,
819 "errorCode=%s, verMajor=%" PRId8 ", verMinor=%" PRId8 ", serverVersion=%" PRId16
820 ", extendedAuth=%s",
821 error, verMajor, verMinor, serverVersion, extended_auth_to_string(extendedAuth));
822
823 if (FAILED((HRESULT)errorCode))
824 {
825 WLog_Print(rdg->log, WLOG_ERROR, "Handshake error %s", error);
826 freerdp_set_last_error_log(rdg->context, errorCode);
827 return FALSE;
828 }
829
830 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
831 return rdg_send_extauth_sspi(rdg);
832
833 return rdg_send_tunnel_request(rdg);
834}
835
836static BOOL rdg_process_tunnel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
837{
838 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID)
839 {
840 /* Seek over tunnelId (4 bytes) */
841 if (!Stream_SafeSeek(s, 4))
842 {
843 WLog_Print(rdg->log, WLOG_ERROR, "Short tunnelId, got %" PRIuz ", expected 4",
844 Stream_GetRemainingLength(s));
845 return FALSE;
846 }
847 }
848
849 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CAPS)
850 {
851 UINT32 caps = 0;
852 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
853 return FALSE;
854
855 Stream_Read_UINT32(s, caps);
856 WLog_Print(rdg->log, WLOG_DEBUG, "capabilities=%s", capabilities_enum_to_string(caps));
857 }
858
859 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ)
860 {
861 /* Seek over nonce (20 bytes) */
862 if (!Stream_SafeSeek(s, 20))
863 {
864 WLog_Print(rdg->log, WLOG_ERROR, "Short nonce, got %" PRIuz ", expected 20",
865 Stream_GetRemainingLength(s));
866 return FALSE;
867 }
868
869 /* Read serverCert */
870 if (!rdg_read_http_unicode_string(rdg->log, s, nullptr, nullptr))
871 {
872 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read server certificate");
873 return FALSE;
874 }
875 }
876
877 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG)
878 {
879 const WCHAR* msg = nullptr;
880 UINT16 msgLenBytes = 0;
881 rdpContext* context = rdg->context;
882
883 WINPR_ASSERT(context);
884 WINPR_ASSERT(context->instance);
885
886 /* Read message string and invoke callback */
887 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
888 {
889 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read consent message");
890 return FALSE;
891 }
892
893 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
894 GATEWAY_MESSAGE_CONSENT, TRUE, TRUE, msgLenBytes, msg);
895 }
896
897 return TRUE;
898}
899
900static BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
901{
902 UINT16 serverVersion = 0;
903 UINT16 fieldsPresent = 0;
904 UINT32 errorCode = 0;
905 const char* error = nullptr;
906 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel response received");
907
908 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_CREATE)
909 {
910 return FALSE;
911 }
912
913 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
914 return FALSE;
915
916 Stream_Read_UINT16(s, serverVersion);
917 Stream_Read_UINT32(s, errorCode);
918 Stream_Read_UINT16(s, fieldsPresent);
919 Stream_Seek_UINT16(s); /* reserved */
920 error = rpc_error_to_string(errorCode);
921 WLog_Print(rdg->log, WLOG_DEBUG, "serverVersion=%" PRId16 ", errorCode=%s, fieldsPresent=%s",
922 serverVersion, error, tunnel_response_fields_present_to_string(fieldsPresent));
923
924 if (FAILED((HRESULT)errorCode))
925 {
926 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel creation error %s", error);
927 freerdp_set_last_error_log(rdg->context, errorCode);
928 return FALSE;
929 }
930
931 if (!rdg_process_tunnel_response_optional(rdg, s, fieldsPresent))
932 return FALSE;
933
934 return rdg_send_tunnel_authorization(rdg);
935}
936
937static BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
938{
939 UINT32 errorCode = 0;
940 UINT16 fieldsPresent = 0;
941 const char* error = nullptr;
942 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel authorization received");
943
944 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_AUTHORIZE)
945 {
946 return FALSE;
947 }
948
949 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
950 return FALSE;
951
952 Stream_Read_UINT32(s, errorCode);
953 Stream_Read_UINT16(s, fieldsPresent);
954 Stream_Seek_UINT16(s); /* reserved */
955 error = rpc_error_to_string(errorCode);
956 WLog_Print(rdg->log, WLOG_DEBUG, "errorCode=%s, fieldsPresent=%s", error,
957 tunnel_authorization_response_fields_present_to_string(fieldsPresent));
958
959 /* [MS-TSGU] 3.7.5.2.7 */
960 if (errorCode != S_OK && errorCode != E_PROXY_QUARANTINE_ACCESSDENIED)
961 {
962 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel authorization error %s", error);
963 freerdp_set_last_error_log(rdg->context, errorCode);
964 return FALSE;
965 }
966
967 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS)
968 {
969 UINT32 redirFlags = 0;
970 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
971 return FALSE;
972 Stream_Read_UINT32(s, redirFlags);
973
974 rdpContext* context = rdg->context;
975 if (!utils_apply_gateway_policy(rdg->log, context, redirFlags, "RDG"))
976 return FALSE;
977 }
978
979 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT)
980 {
981 UINT32 idleTimeout = 0;
982 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
983 return FALSE;
984 Stream_Read_UINT32(s, idleTimeout);
985 WLog_Print(rdg->log, WLOG_DEBUG, "[IDLE_TIMEOUT] idleTimeout=%" PRIu32 ": TODO: unused",
986 idleTimeout);
987 }
988
989 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE)
990 {
991 UINT16 cbLen = 0;
992 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
993 return FALSE;
994 Stream_Read_UINT16(s, cbLen);
995
996 WLog_Print(rdg->log, WLOG_DEBUG, "[SOH_RESPONSE] cbLen=%" PRIu16 ": TODO: unused", cbLen);
997 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, cbLen))
998 return FALSE;
999 Stream_Seek(s, cbLen);
1000 }
1001
1002 return rdg_send_channel_create(rdg);
1003}
1004
1005static BOOL rdg_process_extauth_sspi(rdpRdg* rdg, wStream* s)
1006{
1007 INT32 errorCode = 0;
1008 UINT16 authBlobLen = 0;
1009 SecBuffer authToken = WINPR_C_ARRAY_INIT;
1010 BYTE* authTokenData = nullptr;
1011
1012 WINPR_ASSERT(rdg);
1013
1014 Stream_Read_INT32(s, errorCode);
1015 Stream_Read_UINT16(s, authBlobLen);
1016
1017 if (errorCode != ERROR_SUCCESS)
1018 {
1019 WLog_Print(rdg->log, WLOG_ERROR, "EXTAUTH_SSPI_NTLM failed with error %s [0x%08X]",
1020 GetSecurityStatusString(errorCode), WINPR_CXX_COMPAT_CAST(UINT32, errorCode));
1021 return FALSE;
1022 }
1023
1024 if (authBlobLen == 0)
1025 {
1026 if (credssp_auth_is_complete(rdg->auth))
1027 {
1028 credssp_auth_free(rdg->auth);
1029 rdg->auth = nullptr;
1030 return rdg_send_tunnel_request(rdg);
1031 }
1032 return FALSE;
1033 }
1034
1035 authTokenData = malloc(authBlobLen);
1036 if (authTokenData == nullptr)
1037 return FALSE;
1038 Stream_Read(s, authTokenData, authBlobLen);
1039
1040 authToken.pvBuffer = authTokenData;
1041 authToken.cbBuffer = authBlobLen;
1042
1043 credssp_auth_take_input_buffer(rdg->auth, &authToken);
1044
1045 if (credssp_auth_authenticate(rdg->auth) < 0)
1046 return FALSE;
1047
1048 if (credssp_auth_have_output_token(rdg->auth))
1049 return rdg_send_extauth_sspi(rdg);
1050
1051 return FALSE;
1052}
1053
1054static BOOL rdg_process_channel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
1055{
1056 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID) != 0)
1057 {
1058 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
1059 return FALSE;
1060 const UINT32 channelId = Stream_Get_UINT32(s);
1061 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got channelId=%" PRIu32, channelId);
1062 }
1063 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT) != 0)
1064 {
1065 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1066 return FALSE;
1067 const UINT16 udpPort = Stream_Get_UINT16(s);
1068 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got udpPort=%" PRIu32, udpPort);
1069 }
1070 if ((fieldsPresent & HTTP_CHANNEL_RESPONSE_FIELD_AUTHNCOOKIE) != 0)
1071 {
1072 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
1073 return FALSE;
1074 const UINT16 blobLen = Stream_Get_UINT16(s);
1075 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, blobLen))
1076 return FALSE;
1077 WLog_Print(rdg->log, WLOG_DEBUG, "TODO: Got UDP auth blob=%" PRIu32, blobLen);
1078 if (!Stream_SafeSeek(s, blobLen))
1079 return FALSE;
1080 }
1081
1082 return TRUE;
1083}
1084
1085static BOOL rdg_process_channel_response(rdpRdg* rdg, wStream* s)
1086{
1087 UINT16 fieldsPresent = 0;
1088 UINT32 errorCode = 0;
1089 const char* error = nullptr;
1090 WLog_Print(rdg->log, WLOG_DEBUG, "Channel response received");
1091
1092 if (rdg->state != RDG_CLIENT_STATE_CHANNEL_CREATE)
1093 {
1094 return FALSE;
1095 }
1096
1097 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1098 return FALSE;
1099
1100 Stream_Read_UINT32(s, errorCode);
1101 Stream_Read_UINT16(s, fieldsPresent);
1102 Stream_Seek_UINT16(s); /* reserved */
1103 error = rpc_error_to_string(errorCode);
1104 WLog_Print(rdg->log, WLOG_DEBUG, "channel response errorCode=%s, fieldsPresent=%s", error,
1105 channel_response_fields_present_to_string(fieldsPresent));
1106
1107 if (FAILED((HRESULT)errorCode))
1108 {
1109 WLog_Print(rdg->log, WLOG_ERROR, "channel response errorCode=%s, fieldsPresent=%s", error,
1110 channel_response_fields_present_to_string(fieldsPresent));
1111 freerdp_set_last_error_log(rdg->context, errorCode);
1112 return FALSE;
1113 }
1114
1115 if (!rdg_process_channel_response_optional(rdg, s, fieldsPresent))
1116 return FALSE;
1117
1118 rdg->state = RDG_CLIENT_STATE_OPENED;
1119 return TRUE;
1120}
1121
1122static BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
1123{
1124 BOOL status = TRUE;
1125 UINT16 type = 0;
1126 UINT32 packetLength = 0;
1127 Stream_ResetPosition(s);
1128
1129 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1130 return FALSE;
1131
1132 Stream_Read_UINT16(s, type);
1133 Stream_Seek_UINT16(s); /* reserved */
1134 Stream_Read_UINT32(s, packetLength);
1135
1136 if (Stream_Length(s) < packetLength)
1137 {
1138 WLog_Print(rdg->log, WLOG_ERROR, "Short packet %" PRIuz ", expected %" PRIu32,
1139 Stream_Length(s), packetLength);
1140 return FALSE;
1141 }
1142
1143 switch (type)
1144 {
1145 case PKT_TYPE_HANDSHAKE_RESPONSE:
1146 status = rdg_process_handshake_response(rdg, s);
1147 break;
1148
1149 case PKT_TYPE_TUNNEL_RESPONSE:
1150 status = rdg_process_tunnel_response(rdg, s);
1151 break;
1152
1153 case PKT_TYPE_TUNNEL_AUTH_RESPONSE:
1154 status = rdg_process_tunnel_authorization_response(rdg, s);
1155 break;
1156
1157 case PKT_TYPE_CHANNEL_RESPONSE:
1158 status = rdg_process_channel_response(rdg, s);
1159 break;
1160
1161 case PKT_TYPE_DATA:
1162 WLog_Print(rdg->log, WLOG_ERROR, "Unexpected packet type DATA");
1163 status = FALSE;
1164 break;
1165
1166 case PKT_TYPE_EXTENDED_AUTH_MSG:
1167 status = rdg_process_extauth_sspi(rdg, s);
1168 break;
1169
1170 default:
1171 WLog_Print(rdg->log, WLOG_ERROR, "PKG TYPE 0x%x not implemented", type);
1172 status = FALSE;
1173 break;
1174 }
1175
1176 if (status)
1177 {
1178 const size_t rem = Stream_GetRemainingLength(s);
1179 if (rem > 0)
1180 WLog_Print(rdg->log, WLOG_WARN, "[%s] unparsed data detected: %" PRIuz " bytes",
1181 rdg_pkt_type_to_string(type), rem);
1182 }
1183 return status;
1184}
1185
1186DWORD rdg_get_event_handles(rdpRdg* rdg, HANDLE* events, DWORD count)
1187{
1188 DWORD nCount = 0;
1189 WINPR_ASSERT(rdg != nullptr);
1190
1191 if (rdg->tlsOut && rdg->tlsOut->bio)
1192 {
1193 if (events && (nCount < count))
1194 {
1195 BIO_get_event(rdg->tlsOut->bio, &events[nCount]);
1196 nCount++;
1197 }
1198 else
1199 return 0;
1200 }
1201
1202 /* We just need the read event handle even in non-websocket mode. */
1203
1204 return nCount;
1205}
1206
1207static BOOL rdg_get_gateway_credentials(rdpContext* context, rdp_auth_reason reason)
1208{
1209 freerdp* instance = context->instance;
1210
1211 auth_status rc = utils_authenticate_gateway(instance, reason);
1212 switch (rc)
1213 {
1214 case AUTH_SUCCESS:
1215 case AUTH_SKIP:
1216 return TRUE;
1217 case AUTH_CANCELLED:
1218 freerdp_set_last_error_log(instance->context, FREERDP_ERROR_CONNECT_CANCELLED);
1219 return FALSE;
1220 case AUTH_NO_CREDENTIALS:
1221 WLog_INFO(TAG, "No credentials provided - using nullptr identity");
1222 return TRUE;
1223 case AUTH_FAILED:
1224 default:
1225 return FALSE;
1226 }
1227}
1228
1229static BOOL rdg_auth_init(rdpRdg* rdg, rdpTls* tls, TCHAR* authPkg)
1230{
1231 rdpContext* context = rdg->context;
1232 rdpSettings* settings = context->settings;
1233 SEC_WINNT_AUTH_IDENTITY identity = WINPR_C_ARRAY_INIT;
1234 int rc = 0;
1235
1236 rdg->auth = credssp_auth_new(context);
1237 if (!rdg->auth)
1238 return FALSE;
1239
1240 if (!credssp_auth_init(rdg->auth, authPkg, tls->Bindings))
1241 return FALSE;
1242
1243 BOOL doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1244 if (doSCLogon)
1245 {
1246 if (!smartcard_getCert(context, &rdg->smartcard, TRUE))
1247 return FALSE;
1248
1249 if (!rdg_get_gateway_credentials(context, AUTH_SMARTCARD_PIN))
1250 return FALSE;
1251 }
1252 else
1253 {
1254 if (!rdg_get_gateway_credentials(context, GW_AUTH_RDG))
1255 return FALSE;
1256
1257 /* Auth callback might changed logon to smartcard so check again */
1258 doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1259 if (doSCLogon && !smartcard_getCert(context, &rdg->smartcard, TRUE))
1260 return FALSE;
1261 }
1262
1263 SEC_WINNT_AUTH_IDENTITY* identityArg = &identity;
1264 if (doSCLogon)
1265 {
1266 if (!identity_set_from_smartcard_hash(&identity, settings, FreeRDP_GatewayUsername,
1267 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword,
1268 rdg->smartcard->sha1Hash,
1269 sizeof(rdg->smartcard->sha1Hash)))
1270 return FALSE;
1271 }
1272 else
1273 {
1274 if (!identity_set_from_settings(&identity, settings, FreeRDP_GatewayUsername,
1275 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword))
1276 return FALSE;
1277
1278 if (!settings->GatewayUsername)
1279 identityArg = nullptr;
1280 }
1281
1282 if (!credssp_auth_setup_client(rdg->auth, "HTTP", settings->GatewayHostname, identityArg,
1283 rdg->smartcard ? rdg->smartcard->pkinitArgs : nullptr))
1284 {
1285 sspi_FreeAuthIdentity(&identity);
1286 return FALSE;
1287 }
1288 sspi_FreeAuthIdentity(&identity);
1289
1290 credssp_auth_set_flags(rdg->auth, ISC_REQ_CONFIDENTIALITY | ISC_REQ_MUTUAL_AUTH);
1291
1292 rc = credssp_auth_authenticate(rdg->auth);
1293 return (rc >= 0);
1294}
1295
1296static BOOL rdg_send_http_request(rdpRdg* rdg, rdpTls* tls, const char* method,
1297 TRANSFER_ENCODING transferEncoding)
1298{
1299 int status = -1;
1300 wStream* s = rdg_build_http_request(rdg, method, transferEncoding);
1301
1302 if (!s)
1303 return FALSE;
1304
1305 const size_t sz = Stream_Length(s);
1306 status = freerdp_tls_write_all(tls, Stream_Buffer(s), sz);
1307
1308 Stream_Free(s, TRUE);
1309 return (status >= 0);
1310}
1311
1312static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, UINT32 timeout)
1313{
1314 long status = 0;
1315 BIO* layerBio = nullptr;
1316 BIO* bufferedBio = nullptr;
1317 rdpTransportLayer* layer = nullptr;
1318 rdpSettings* settings = rdg->context->settings;
1319 rdpTransport* transport = freerdp_get_transport(rdg->context);
1320 const char* peerHostname = settings->GatewayHostname;
1321 UINT16 peerPort = (UINT16)settings->GatewayPort;
1322 const char* proxyUsername = nullptr;
1323 const char* proxyPassword = nullptr;
1324 BOOL isProxyConnection =
1325 proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername, &proxyPassword);
1326
1327 if (settings->GatewayPort > UINT16_MAX)
1328 return FALSE;
1329
1330 layer = transport_connect_layer(transport, peerAddress ? peerAddress : peerHostname, peerPort,
1331 timeout);
1332
1333 if (!layer)
1334 {
1335 return FALSE;
1336 }
1337
1338 layerBio = BIO_new(BIO_s_transport_layer());
1339 if (!layerBio)
1340 {
1341 transport_layer_free(layer);
1342 return FALSE;
1343 }
1344 BIO_set_data(layerBio, layer);
1345
1346 bufferedBio = BIO_new(BIO_s_buffered_socket());
1347 if (!bufferedBio)
1348 {
1349 BIO_free_all(layerBio);
1350 return FALSE;
1351 }
1352
1353 bufferedBio = BIO_push(bufferedBio, layerBio);
1354 status = BIO_set_nonblock(bufferedBio, TRUE);
1355
1356 if (isProxyConnection)
1357 {
1358 if (!proxy_connect(rdg->context, bufferedBio, proxyUsername, proxyPassword,
1359 settings->GatewayHostname, (UINT16)settings->GatewayPort))
1360 {
1361 BIO_free_all(bufferedBio);
1362 return FALSE;
1363 }
1364 }
1365
1366 if (!status)
1367 {
1368 BIO_free_all(bufferedBio);
1369 return FALSE;
1370 }
1371
1372 tls->hostname = settings->GatewayHostname;
1373 tls->port = WINPR_ASSERTING_INT_CAST(int32_t, MIN(UINT16_MAX, settings->GatewayPort));
1374 tls->isGatewayTransport = TRUE;
1375 status = freerdp_tls_connect(tls, bufferedBio);
1376 if (status < 1)
1377 {
1378 rdpContext* context = rdg->context;
1379 if (status < 0)
1380 {
1381 freerdp_set_last_error_if_not(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
1382 }
1383 else
1384 {
1385 freerdp_set_last_error_if_not(context, FREERDP_ERROR_CONNECT_CANCELLED);
1386 }
1387
1388 return FALSE;
1389 }
1390 return (status >= 1);
1391}
1392
1393static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char* method,
1394 const char* peerAddress, UINT32 timeout,
1395 BOOL* rpcFallback)
1396{
1397 char buffer[64] = WINPR_C_ARRAY_INIT;
1398 HttpResponse* response = nullptr;
1399
1400 if (!rdg_tls_connect(rdg, tls, peerAddress, timeout))
1401 return FALSE;
1402
1403 WINPR_ASSERT(rpcFallback);
1404 if (rdg->context->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1405 rdg->extAuth = HTTP_EXTENDED_AUTH_BEARER;
1406 if (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1407 {
1408 if (!rdg_auth_init(rdg, tls, AUTH_PKG))
1409 return FALSE;
1410
1411 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1412 return FALSE;
1413
1414 response = http_response_recv(tls, TRUE);
1415 /* MS RD Gateway seems to just terminate the tls connection without
1416 * sending an answer if it is not happy with the http request */
1417 if (!response)
1418 {
1419 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1420 *rpcFallback = TRUE;
1421 return FALSE;
1422 }
1423
1424 (void)http_response_extract_cookies(response, rdg->http);
1425
1426 const UINT16 StatusCode = http_response_get_status_code(response);
1427 switch (StatusCode)
1428 {
1429 case HTTP_STATUS_GONE:
1430 case HTTP_STATUS_FORBIDDEN:
1431 case HTTP_STATUS_NOT_FOUND:
1432 {
1433 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway does not support HTTP transport.");
1434 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1435 *rpcFallback = TRUE;
1436
1437 http_response_free(response);
1438 return FALSE;
1439 }
1440 case HTTP_STATUS_OK:
1441 break;
1442
1443 case HTTP_STATUS_DENIED:
1444 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1445 break;
1446
1447 default:
1448 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1449 break;
1450 }
1451
1452 while (!credssp_auth_is_complete(rdg->auth))
1453 {
1454 if (!rdg_recv_auth_token(rdg->log, rdg->auth, response))
1455 {
1456 http_response_free(response);
1457 return FALSE;
1458 }
1459
1460 if (credssp_auth_have_output_token(rdg->auth))
1461 {
1462 http_response_free(response);
1463
1464 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1465 return FALSE;
1466
1467 response = http_response_recv(tls, TRUE);
1468 if (!response)
1469 {
1470 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1471 *rpcFallback = TRUE;
1472 return FALSE;
1473 }
1474 (void)http_response_extract_cookies(response, rdg->http);
1475 }
1476 }
1477 credssp_auth_free(rdg->auth);
1478 rdg->auth = nullptr;
1479 }
1480 else
1481 {
1482 credssp_auth_free(rdg->auth);
1483 rdg->auth = nullptr;
1484
1485 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1486 return FALSE;
1487
1488 response = http_response_recv(tls, TRUE);
1489
1490 if (!response)
1491 {
1492 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1493 *rpcFallback = TRUE;
1494 return FALSE;
1495 }
1496 (void)http_response_extract_cookies(response, rdg->http);
1497 }
1498
1499 const UINT16 statusCode = http_response_get_status_code(response);
1500 const size_t bodyLength = http_response_get_body_length(response);
1501 const TRANSFER_ENCODING encoding = http_response_get_transfer_encoding(response);
1502 const BOOL isWebsocket = http_response_is_websocket(rdg->http, response);
1503
1504 WLog_Print(rdg->log, WLOG_DEBUG, "%s authorization result: %s", method,
1505 freerdp_http_status_string_format(statusCode, buffer, ARRAYSIZE(buffer)));
1506
1507 switch (statusCode)
1508 {
1509 case HTTP_STATUS_OK:
1510 /* old rdg endpoint without websocket support, don't request websocket for RDG_IN_DATA
1511 */
1512 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1513 http_response_free(response);
1514 break;
1515 case HTTP_STATUS_DENIED:
1516 freerdp_set_last_error_log(rdg->context, FREERDP_ERROR_CONNECT_ACCESS_DENIED);
1517 http_response_free(response);
1518 return FALSE;
1519 case HTTP_STATUS_SWITCH_PROTOCOLS:
1520 http_response_free(response);
1521 if (!isWebsocket)
1522 {
1523 /*
1524 * webserver is broken, a fallback may be possible here
1525 * but only if already tested with oppurtonistic upgrade
1526 */
1527 if (http_context_is_websocket_upgrade_enabled(rdg->http))
1528 {
1529 long fd = BIO_get_fd(tls->bio, nullptr);
1530 if (fd >= 0)
1531 closesocket((SOCKET)fd);
1532 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1533 return rdg_establish_data_connection(rdg, tls, method, peerAddress, timeout,
1534 rpcFallback);
1535 }
1536 return FALSE;
1537 }
1538
1539 rdg->transferEncoding.isWebsocketTransport = TRUE;
1540 if (!websocket_context_reset(rdg->transferEncoding.context.websocket))
1541 return FALSE;
1542
1543 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1544 {
1545 /* create a new auth context for SSPI_NTLM. This must be done after the last
1546 * rdg_send_http_request */
1547 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1548 return FALSE;
1549 }
1550 return TRUE;
1551 default:
1552 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1553 http_response_free(response);
1554 return FALSE;
1555 }
1556
1557 if (strcmp(method, "RDG_OUT_DATA") == 0)
1558 {
1559 if (encoding == TransferEncodingChunked)
1560 {
1561 rdg->transferEncoding.httpTransferEncoding = TransferEncodingChunked;
1562 rdg->transferEncoding.context.chunked.nextOffset = 0;
1563 rdg->transferEncoding.context.chunked.headerFooterPos = 0;
1564 rdg->transferEncoding.context.chunked.state = ChunkStateLenghHeader;
1565 }
1566 if (!rdg_skip_seed_payload(rdg->context, tls, bodyLength, &rdg->transferEncoding))
1567 {
1568 return FALSE;
1569 }
1570 }
1571 else
1572 {
1573 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingChunked))
1574 return FALSE;
1575
1576 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1577 {
1578 /* create a new auth context for SSPI_NTLM. This must be done after the last
1579 * rdg_send_http_request (RDG_IN_DATA is always after RDG_OUT_DATA) */
1580 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1581 return FALSE;
1582 }
1583 }
1584
1585 return TRUE;
1586}
1587
1588static BOOL rdg_tunnel_connect(rdpRdg* rdg)
1589{
1590 BOOL status = 0;
1591 wStream* s = nullptr;
1592 rdg_send_handshake(rdg);
1593
1594 while (rdg->state < RDG_CLIENT_STATE_OPENED)
1595 {
1596 status = FALSE;
1597 s = rdg_receive_packet(rdg);
1598
1599 if (s)
1600 {
1601 status = rdg_process_packet(rdg, s);
1602 Stream_Free(s, TRUE);
1603 }
1604
1605 if (!status)
1606 {
1607 WINPR_ASSERT(rdg);
1608 WINPR_ASSERT(rdg->context);
1609 WINPR_ASSERT(rdg->context->rdp);
1610 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1611 return FALSE;
1612 }
1613 }
1614
1615 return TRUE;
1616}
1617
1618BOOL rdg_connect(rdpRdg* rdg, DWORD timeout, BOOL* rpcFallback)
1619{
1620 BOOL status = 0;
1621 SOCKET outConnSocket = 0;
1622 char* peerAddress = nullptr;
1623 BOOL rpcFallbackLocal = FALSE;
1624
1625 WINPR_ASSERT(rdg != nullptr);
1626 freerdp_set_last_error(rdg->context, ERROR_SUCCESS);
1627 status = rdg_establish_data_connection(rdg, rdg->tlsOut, "RDG_OUT_DATA", nullptr, timeout,
1628 &rpcFallbackLocal);
1629
1630 if (status)
1631 {
1632 if (rdg->transferEncoding.isWebsocketTransport)
1633 {
1634 WLog_Print(rdg->log, WLOG_DEBUG, "Upgraded to websocket. RDG_IN_DATA not required");
1635 }
1636 else
1637 {
1638 /* Establish IN connection with the same peer/server as OUT connection,
1639 * even when server hostname resolves to different IP addresses.
1640 */
1641 BIO_get_socket(rdg->tlsOut->underlying, &outConnSocket);
1642 peerAddress = freerdp_tcp_get_peer_address(outConnSocket);
1643 status = rdg_establish_data_connection(rdg, rdg->tlsIn, "RDG_IN_DATA", peerAddress,
1644 timeout, &rpcFallbackLocal);
1645 free(peerAddress);
1646 }
1647 }
1648
1649 if (rpcFallback)
1650 *rpcFallback = rpcFallbackLocal;
1651
1652 if (!status)
1653 {
1654 WINPR_ASSERT(rdg);
1655 WINPR_ASSERT(rdg->context);
1656 WINPR_ASSERT(rdg->context->rdp);
1657 if (rpcFallbackLocal)
1658 {
1659 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1660 credssp_auth_free(rdg->auth);
1661 rdg->auth = nullptr;
1662 }
1663
1664 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1665 return FALSE;
1666 }
1667
1668 status = rdg_tunnel_connect(rdg);
1669
1670 return (status);
1671}
1672
1673static int rdg_write_websocket_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1674{
1675 WINPR_ASSERT(rdg);
1676 if (isize < 0)
1677 return -1;
1678
1679 const size_t payloadSize = (size_t)isize + 10;
1680 union
1681 {
1682 UINT32 u32;
1683 UINT8 u8[4];
1684 } maskingKey;
1685
1686 wStream* sWS =
1687 websocket_context_packet_new(payloadSize, WebsocketBinaryOpcode, &maskingKey.u32);
1688 if (!sWS)
1689 return FALSE;
1690
1691 Stream_Write_UINT16(
1692 sWS, WINPR_ASSERTING_INT_CAST(
1693 uint16_t, PKT_TYPE_DATA ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Type */
1694 Stream_Write_UINT16(
1695 sWS, WINPR_ASSERTING_INT_CAST(
1696 uint16_t, 0 ^ (maskingKey.u8[2] | maskingKey.u8[3] << 8))); /* Reserved */
1697 Stream_Write_UINT32(
1698 sWS, WINPR_ASSERTING_INT_CAST(uint32_t, payloadSize ^ maskingKey.u32)); /* Packet length */
1699 Stream_Write_UINT16(
1700 sWS, WINPR_ASSERTING_INT_CAST(
1701 uint16_t, isize ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Data size */
1702
1703 /* masking key is now off by 2 bytes. fix that */
1704 maskingKey.u32 = (maskingKey.u32 & 0xffff) << 16 | (maskingKey.u32 >> 16);
1705
1706 WINPR_ASSERT(rdg->tlsOut);
1707 wStream sPacket = WINPR_C_ARRAY_INIT;
1708 Stream_StaticConstInit(&sPacket, buf, (size_t)isize);
1709 if (!websocket_context_mask_and_send(rdg->tlsOut->bio, sWS, &sPacket, maskingKey.u32))
1710 return -1;
1711
1712 return isize;
1713}
1714
1715static int rdg_write_chunked_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1716{
1717 int status = 0;
1718 size_t len = 0;
1719 wStream* sChunk = nullptr;
1720
1721 if (isize > UINT16_MAX)
1722 return -1;
1723
1724 const size_t size = (size_t)isize;
1725 if (size < 1)
1726 return 0;
1727
1728 const size_t packetSize = size + 10;
1729 char chunkSize[11] = WINPR_C_ARRAY_INIT;
1730 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIxz "\r\n", packetSize);
1731 sChunk = Stream_New(nullptr, strnlen(chunkSize, sizeof(chunkSize)) + packetSize + 2);
1732
1733 if (!sChunk)
1734 return -1;
1735
1736 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
1737 Stream_Write_UINT16(sChunk, PKT_TYPE_DATA); /* Type */
1738 Stream_Write_UINT16(sChunk, 0); /* Reserved */
1739 Stream_Write_UINT32(sChunk, (UINT32)packetSize); /* Packet length */
1740 Stream_Write_UINT16(sChunk, (UINT16)size); /* Data size */
1741 Stream_Write(sChunk, buf, size); /* Data */
1742 Stream_Write(sChunk, "\r\n", 2);
1743 Stream_SealLength(sChunk);
1744 len = Stream_Length(sChunk);
1745
1746 status = freerdp_tls_write_all(rdg->tlsIn, Stream_Buffer(sChunk), len);
1747 Stream_Free(sChunk, TRUE);
1748
1749 if (status < 0)
1750 return -1;
1751
1752 return (int)size;
1753}
1754
1755static int rdg_write_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1756{
1757 WINPR_ASSERT(rdg);
1758 if (rdg->transferEncoding.isWebsocketTransport)
1759 return rdg_write_websocket_data_packet(rdg, buf, isize);
1760 else
1761 return rdg_write_chunked_data_packet(rdg, buf, isize);
1762}
1763
1764static BOOL rdg_process_close_packet(rdpRdg* rdg, wStream* s)
1765{
1766 int status = -1;
1767 wStream* sClose = nullptr;
1768 UINT32 errorCode = 0;
1769 UINT32 packetSize = 12;
1770
1771 /* Read error code */
1772 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
1773 return FALSE;
1774 Stream_Read_UINT32(s, errorCode);
1775
1776 if (errorCode != 0)
1777 freerdp_set_last_error_log(rdg->context, errorCode);
1778
1779 sClose = Stream_New(nullptr, packetSize);
1780 if (!sClose)
1781 return FALSE;
1782
1783 Stream_Write_UINT16(sClose, PKT_TYPE_CLOSE_CHANNEL_RESPONSE); /* Type */
1784 Stream_Write_UINT16(sClose, 0); /* Reserved */
1785 Stream_Write_UINT32(sClose, packetSize); /* Packet length */
1786 Stream_Write_UINT32(sClose, 0); /* Status code */
1787 Stream_SealLength(sClose);
1788 status = rdg_write_packet(rdg, sClose);
1789 Stream_Free(sClose, TRUE);
1790
1791 return ((status >= 0));
1792}
1793
1794static BOOL rdg_process_keep_alive_packet(rdpRdg* rdg)
1795{
1796 int status = -1;
1797 wStream* sKeepAlive = nullptr;
1798 size_t packetSize = 8;
1799
1800 sKeepAlive = Stream_New(nullptr, packetSize);
1801
1802 if (!sKeepAlive)
1803 return FALSE;
1804
1805 Stream_Write_UINT16(sKeepAlive, PKT_TYPE_KEEPALIVE); /* Type */
1806 Stream_Write_UINT16(sKeepAlive, 0); /* Reserved */
1807 Stream_Write_UINT32(sKeepAlive, (UINT32)packetSize); /* Packet length */
1808 Stream_SealLength(sKeepAlive);
1809 status = rdg_write_packet(rdg, sKeepAlive);
1810 Stream_Free(sKeepAlive, TRUE);
1811
1812 return ((status >= 0));
1813}
1814
1815static BOOL rdg_process_service_message(rdpRdg* rdg, wStream* s)
1816{
1817 const WCHAR* msg = nullptr;
1818 UINT16 msgLenBytes = 0;
1819 rdpContext* context = rdg->context;
1820 WINPR_ASSERT(context);
1821 WINPR_ASSERT(context->instance);
1822
1823 /* Read message string */
1824 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
1825 {
1826 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read string");
1827 return FALSE;
1828 }
1829
1830 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
1831 GATEWAY_MESSAGE_SERVICE, TRUE, FALSE, msgLenBytes, msg);
1832}
1833
1834static BOOL rdg_process_unknown_packet(rdpRdg* rdg, int type)
1835{
1836 WINPR_UNUSED(rdg);
1837 WINPR_UNUSED(type);
1838 WLog_Print(rdg->log, WLOG_WARN, "Unknown Control Packet received: %" PRIX32,
1839 WINPR_CXX_COMPAT_CAST(UINT32, type));
1840 return TRUE;
1841}
1842
1843static BOOL rdg_process_control_packet(rdpRdg* rdg, int type, size_t packetLength)
1844{
1845 wStream* s = nullptr;
1846 size_t readCount = 0;
1847 int status = 0;
1848 size_t payloadSize = packetLength - sizeof(RdgPacketHeader);
1849
1850 if (packetLength < sizeof(RdgPacketHeader))
1851 return FALSE;
1852
1853 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1854 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1855
1856 if (payloadSize)
1857 {
1858 s = Stream_New(nullptr, payloadSize);
1859
1860 if (!s)
1861 return FALSE;
1862
1863 while (readCount < payloadSize)
1864 {
1865 if (rdg_shall_abort(rdg))
1866 {
1867 Stream_Free(s, TRUE);
1868 return FALSE;
1869 }
1870 status = rdg_socket_read(rdg->tlsOut->bio, Stream_Pointer(s), payloadSize - readCount,
1871 &rdg->transferEncoding);
1872
1873 if (status <= 0)
1874 {
1875 if (!BIO_should_retry(rdg->tlsOut->bio))
1876 {
1877 Stream_Free(s, TRUE);
1878 return FALSE;
1879 }
1880
1881 continue;
1882 }
1883
1884 Stream_Seek(s, (size_t)status);
1885 readCount += (size_t)status;
1886
1887 if (readCount > INT_MAX)
1888 {
1889 Stream_Free(s, TRUE);
1890 return FALSE;
1891 }
1892 }
1893
1894 Stream_ResetPosition(s);
1895 }
1896
1897 switch (type)
1898 {
1899 case PKT_TYPE_CLOSE_CHANNEL:
1900 EnterCriticalSection(&rdg->writeSection);
1901 status = rdg_process_close_packet(rdg, s);
1902 LeaveCriticalSection(&rdg->writeSection);
1903 break;
1904
1905 case PKT_TYPE_KEEPALIVE:
1906 EnterCriticalSection(&rdg->writeSection);
1907 status = rdg_process_keep_alive_packet(rdg);
1908 LeaveCriticalSection(&rdg->writeSection);
1909 break;
1910
1911 case PKT_TYPE_SERVICE_MESSAGE:
1912 if (!s)
1913 {
1914 WLog_Print(rdg->log, WLOG_ERROR,
1915 "PKT_TYPE_SERVICE_MESSAGE requires payload but none was sent");
1916 return FALSE;
1917 }
1918 status = rdg_process_service_message(rdg, s);
1919 break;
1920
1921 case PKT_TYPE_REAUTH_MESSAGE:
1922 default:
1923 status = rdg_process_unknown_packet(rdg, type);
1924 break;
1925 }
1926
1927 Stream_Free(s, TRUE);
1928 return status;
1929}
1930
1931static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, size_t size)
1932{
1933 RdgPacketHeader header = WINPR_C_ARRAY_INIT;
1934 size_t readCount = 0;
1935 size_t readSize = 0;
1936 int status = 0;
1937
1938 if (!rdg->packetRemainingCount)
1939 {
1940 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1941 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1942
1943 while (readCount < sizeof(RdgPacketHeader))
1944 {
1945 if (rdg_shall_abort(rdg))
1946 return -1;
1947
1948 status = rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&header) + readCount,
1949 sizeof(RdgPacketHeader) - readCount, &rdg->transferEncoding);
1950
1951 if (status <= 0)
1952 {
1953 if (!BIO_should_retry(rdg->tlsOut->bio))
1954 return -1;
1955
1956 if (!readCount)
1957 return 0;
1958
1959 BIO_wait_read(rdg->tlsOut->bio, 50);
1960 continue;
1961 }
1962
1963 readCount += (size_t)status;
1964
1965 if (readCount > INT_MAX)
1966 return -1;
1967 }
1968
1969 if (header.type != PKT_TYPE_DATA)
1970 {
1971 status = rdg_process_control_packet(rdg, header.type, header.packetLength);
1972
1973 if (!status)
1974 return -1;
1975
1976 return 0;
1977 }
1978
1979 readCount = 0;
1980
1981 while (readCount < 2)
1982 {
1983 if (rdg_shall_abort(rdg))
1984 return -1;
1985 status =
1986 rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&rdg->packetRemainingCount) + readCount,
1987 2 - readCount, &rdg->transferEncoding);
1988
1989 if (status < 0)
1990 {
1991 if (!BIO_should_retry(rdg->tlsOut->bio))
1992 return -1;
1993
1994 BIO_wait_read(rdg->tlsOut->bio, 50);
1995 continue;
1996 }
1997
1998 readCount += (size_t)status;
1999 }
2000 }
2001
2002 readSize = (rdg->packetRemainingCount < size) ? rdg->packetRemainingCount : size;
2003 status = rdg_socket_read(rdg->tlsOut->bio, buffer, readSize, &rdg->transferEncoding);
2004
2005 if (status <= 0)
2006 {
2007 if (!BIO_should_retry(rdg->tlsOut->bio))
2008 {
2009 return -1;
2010 }
2011
2012 return 0;
2013 }
2014
2015 rdg->packetRemainingCount -= status;
2016 return status;
2017}
2018
2019static int rdg_bio_write(BIO* bio, const char* buf, int num)
2020{
2021 int status = 0;
2022 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
2023 if (num < 0)
2024 return num;
2025
2026 BIO_clear_flags(bio, BIO_FLAGS_WRITE);
2027 EnterCriticalSection(&rdg->writeSection);
2028 status = rdg_write_data_packet(rdg, (const BYTE*)buf, num);
2029 LeaveCriticalSection(&rdg->writeSection);
2030
2031 if (status < 0)
2032 {
2033 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2034 return -1;
2035 }
2036 else if (status < num)
2037 {
2038 BIO_set_flags(bio, BIO_FLAGS_WRITE);
2039 WSASetLastError(WSAEWOULDBLOCK);
2040 }
2041 else
2042 {
2043 BIO_set_flags(bio, BIO_FLAGS_WRITE);
2044 }
2045
2046 return status;
2047}
2048
2049static int rdg_bio_read(BIO* bio, char* buf, int size)
2050{
2051 int status = 0;
2052 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
2053 if (size < 0)
2054 return size;
2055 status = rdg_read_data_packet(rdg, (BYTE*)buf, (size_t)size);
2056
2057 if (status < 0)
2058 {
2059 BIO_clear_retry_flags(bio);
2060 return -1;
2061 }
2062 else if (status == 0)
2063 {
2064 BIO_set_retry_read(bio);
2065 WSASetLastError(WSAEWOULDBLOCK);
2066 return -1;
2067 }
2068 else
2069 {
2070 BIO_set_flags(bio, BIO_FLAGS_READ);
2071 }
2072
2073 return status;
2074}
2075
2076static int rdg_bio_puts(BIO* bio, const char* str)
2077{
2078 WINPR_UNUSED(bio);
2079 WINPR_UNUSED(str);
2080 return -2;
2081}
2082
2083// NOLINTNEXTLINE(readability-non-const-parameter)
2084static int rdg_bio_gets(BIO* bio, char* str, int size)
2085{
2086 WINPR_UNUSED(bio);
2087 WINPR_UNUSED(str);
2088 WINPR_UNUSED(size);
2089 return -2;
2090}
2091
2092static long rdg_bio_ctrl(BIO* in_bio, int cmd, long arg1, void* arg2)
2093{
2094 long status = -1;
2095 rdpRdg* rdg = (rdpRdg*)BIO_get_data(in_bio);
2096 rdpTls* tlsOut = rdg->tlsOut;
2097 rdpTls* tlsIn = rdg->tlsIn;
2098
2099 if (cmd == BIO_CTRL_FLUSH)
2100 {
2101 (void)BIO_flush(tlsOut->bio);
2102 if (!rdg->transferEncoding.isWebsocketTransport)
2103 (void)BIO_flush(tlsIn->bio);
2104 status = 1;
2105 }
2106 else if (cmd == BIO_C_SET_NONBLOCK)
2107 {
2108 status = 1;
2109 }
2110 else if (cmd == BIO_C_READ_BLOCKED)
2111 {
2112 BIO* cbio = tlsOut->bio;
2113 status = BIO_read_blocked(cbio);
2114 }
2115 else if (cmd == BIO_C_WRITE_BLOCKED)
2116 {
2117 BIO* cbio = tlsIn->bio;
2118
2119 if (rdg->transferEncoding.isWebsocketTransport)
2120 cbio = tlsOut->bio;
2121
2122 status = BIO_write_blocked(cbio);
2123 }
2124 else if (cmd == BIO_C_WAIT_READ)
2125 {
2126 int timeout = (int)arg1;
2127 BIO* cbio = tlsOut->bio;
2128
2129 if (BIO_read_blocked(cbio))
2130 return BIO_wait_read(cbio, timeout);
2131 else if (BIO_write_blocked(cbio))
2132 return BIO_wait_write(cbio, timeout);
2133 else
2134 status = 1;
2135 }
2136 else if (cmd == BIO_C_WAIT_WRITE)
2137 {
2138 int timeout = (int)arg1;
2139 BIO* cbio = tlsIn->bio;
2140
2141 if (rdg->transferEncoding.isWebsocketTransport)
2142 cbio = tlsOut->bio;
2143
2144 if (BIO_write_blocked(cbio))
2145 status = BIO_wait_write(cbio, timeout);
2146 else if (BIO_read_blocked(cbio))
2147 status = BIO_wait_read(cbio, timeout);
2148 else
2149 status = 1;
2150 }
2151 else if (cmd == BIO_C_GET_EVENT || cmd == BIO_C_GET_FD)
2152 {
2153 /*
2154 * A note about BIO_C_GET_FD:
2155 * Even if two FDs are part of RDG, only one FD can be returned here.
2156 *
2157 * In FreeRDP, BIO FDs are only used for polling, so it is safe to use the outgoing FD only
2158 *
2159 * See issue #3602
2160 */
2161 status = BIO_ctrl(tlsOut->bio, cmd, arg1, arg2);
2162 }
2163#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2164 else if (cmd == BIO_CTRL_GET_KTLS_SEND)
2165 {
2166 /* Even though BIO_get_ktls_send says that returning negative values is valid
2167 * openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
2168 * nasty sideeffects. return 0 as proper no KTLS offloading flag
2169 */
2170 status = 0;
2171 }
2172 else if (cmd == BIO_CTRL_GET_KTLS_RECV)
2173 {
2174 /* Even though BIO_get_ktls_recv says that returning negative values is valid
2175 * there is no reason to trust trust negative values are implemented right everywhere
2176 */
2177 status = 0;
2178 }
2179#endif
2180 return status;
2181}
2182
2183static int rdg_bio_new(BIO* bio)
2184{
2185 BIO_set_init(bio, 1);
2186 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2187 return 1;
2188}
2189
2190static int rdg_bio_free(BIO* bio)
2191{
2192 WINPR_UNUSED(bio);
2193 return 1;
2194}
2195
2196static BIO_METHOD* BIO_s_rdg(void)
2197{
2198 static BIO_METHOD* bio_methods = nullptr;
2199
2200 if (bio_methods == nullptr)
2201 {
2202 if (!(bio_methods = BIO_meth_new(BIO_TYPE_TSG, "RDGateway")))
2203 return nullptr;
2204
2205 BIO_meth_set_write(bio_methods, rdg_bio_write);
2206 BIO_meth_set_read(bio_methods, rdg_bio_read);
2207 BIO_meth_set_puts(bio_methods, rdg_bio_puts);
2208 BIO_meth_set_gets(bio_methods, rdg_bio_gets);
2209 BIO_meth_set_ctrl(bio_methods, rdg_bio_ctrl);
2210 BIO_meth_set_create(bio_methods, rdg_bio_new);
2211 BIO_meth_set_destroy(bio_methods, rdg_bio_free);
2212 }
2213
2214 return bio_methods;
2215}
2216
2217rdpRdg* rdg_new(rdpContext* context)
2218{
2219 if (!context)
2220 return nullptr;
2221
2222 rdpRdg* rdg = (rdpRdg*)calloc(1, sizeof(rdpRdg));
2223 if (!rdg)
2224 return nullptr;
2225
2226 rdg->log = WLog_Get(TAG);
2227 rdg->state = RDG_CLIENT_STATE_INITIAL;
2228 rdg->context = context;
2229 rdg->extAuth =
2230 (rdg->context->settings->GatewayHttpExtAuthSspiNtlm ? HTTP_EXTENDED_AUTH_SSPI_NTLM
2231 : HTTP_EXTENDED_AUTH_NONE);
2232
2233 if (rdg->context->settings->GatewayAccessToken)
2234 rdg->extAuth = HTTP_EXTENDED_AUTH_PAA;
2235
2236 if (UuidCreate(&rdg->guid) != RPC_S_OK)
2237 goto rdg_alloc_error;
2238
2239 rdg->tlsOut = freerdp_tls_new(rdg->context);
2240
2241 if (!rdg->tlsOut)
2242 goto rdg_alloc_error;
2243
2244 rdg->tlsIn = freerdp_tls_new(rdg->context);
2245
2246 if (!rdg->tlsIn)
2247 goto rdg_alloc_error;
2248
2249 rdg->http = http_context_new();
2250
2251 if (!rdg->http)
2252 goto rdg_alloc_error;
2253
2254 if (!http_context_set_uri(rdg->http, "/remoteDesktopGateway/") ||
2255 !http_context_set_accept(rdg->http, "*/*") ||
2256 !http_context_set_cache_control(rdg->http, "no-cache") ||
2257 !http_context_set_pragma(rdg->http, "no-cache") ||
2258 !http_context_set_connection(rdg->http, "Keep-Alive") ||
2259 !http_context_set_user_agent(rdg->http, "MS-RDGateway/1.0") ||
2260 !http_context_set_host(rdg->http, rdg->context->settings->GatewayHostname) ||
2261 !http_context_set_rdg_connection_id(rdg->http, &rdg->guid) ||
2262 !http_context_set_rdg_correlation_id(rdg->http, &rdg->guid) ||
2263 !http_context_enable_websocket_upgrade(
2264 rdg->http,
2265 freerdp_settings_get_bool(rdg->context->settings, FreeRDP_GatewayHttpUseWebsockets)))
2266 {
2267 goto rdg_alloc_error;
2268 }
2269
2270 if (rdg->extAuth != HTTP_EXTENDED_AUTH_NONE)
2271 {
2272 switch (rdg->extAuth)
2273 {
2274 case HTTP_EXTENDED_AUTH_PAA:
2275 if (!http_context_set_rdg_auth_scheme(rdg->http, "PAA"))
2276 goto rdg_alloc_error;
2277
2278 break;
2279
2280 case HTTP_EXTENDED_AUTH_SSPI_NTLM:
2281 if (!http_context_set_rdg_auth_scheme(rdg->http, "SSPI_NTLM"))
2282 goto rdg_alloc_error;
2283
2284 break;
2285
2286 default:
2287 WLog_Print(rdg->log, WLOG_DEBUG,
2288 "RDG extended authentication method %d not supported", rdg->extAuth);
2289 }
2290 }
2291
2292 rdg->frontBio = BIO_new(BIO_s_rdg());
2293
2294 if (!rdg->frontBio)
2295 goto rdg_alloc_error;
2296
2297 BIO_set_data(rdg->frontBio, rdg);
2298 InitializeCriticalSection(&rdg->writeSection);
2299
2300 rdg->transferEncoding.httpTransferEncoding = TransferEncodingIdentity;
2301 rdg->transferEncoding.isWebsocketTransport = FALSE;
2302
2303 rdg->transferEncoding.context.websocket = websocket_context_new();
2304 if (!rdg->transferEncoding.context.websocket)
2305 goto rdg_alloc_error;
2306
2307 return rdg;
2308rdg_alloc_error:
2309 WINPR_PRAGMA_DIAG_PUSH
2310 WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC
2311 rdg_free(rdg);
2312 WINPR_PRAGMA_DIAG_POP
2313 return nullptr;
2314}
2315
2316void rdg_free(rdpRdg* rdg)
2317{
2318 if (!rdg)
2319 return;
2320
2321 freerdp_tls_free(rdg->tlsOut);
2322 freerdp_tls_free(rdg->tlsIn);
2323 http_context_free(rdg->http);
2324 credssp_auth_free(rdg->auth);
2325
2326 if (!rdg->attached)
2327 BIO_free_all(rdg->frontBio);
2328
2329 DeleteCriticalSection(&rdg->writeSection);
2330
2331 smartcardCertInfo_Free(rdg->smartcard);
2332
2333 websocket_context_free(rdg->transferEncoding.context.websocket);
2334
2335 free(rdg);
2336}
2337
2338BIO* rdg_get_front_bio_and_take_ownership(rdpRdg* rdg)
2339{
2340 if (!rdg)
2341 return nullptr;
2342
2343 rdg->attached = TRUE;
2344 return rdg->frontBio;
2345}
freerdp_settings_get_string_as_utf16
WINPR_ATTR_NODISCARD FREERDP_API WCHAR * freerdp_settings_get_string_as_utf16(const rdpSettings *settings, FreeRDP_Settings_Keys_String id, size_t *pCharLen)
Return an allocated UTF16 string.
Definition common/settings.c:2286
freerdp_settings_get_bool
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
RTL_CRITICAL_SECTION
Definition include/winpr/synch.h:174
UUID
Definition wtypes.h:254
http_encoding_chunked_context
Definition libfreerdp/core/gateway/http.h:46