FreeRDP
Loading...
Searching...
No Matches
rdg.c
1
20#include <stdint.h>
21
22#include <freerdp/config.h>
23
24#include "../settings.h"
25
26#include <winpr/assert.h>
27#include <winpr/cast.h>
28
29#include <winpr/crt.h>
30#include <winpr/synch.h>
31#include <winpr/print.h>
32#include <winpr/stream.h>
33#include <winpr/winsock.h>
34#include <winpr/cred.h>
35
36#include <freerdp/log.h>
37#include <freerdp/error.h>
38#include <freerdp/utils/ringbuffer.h>
39#include <freerdp/utils/smartcardlogon.h>
40
41#include "rdg.h"
42#include "websocket.h"
43#include "../credssp_auth.h"
44#include "../proxy.h"
45#include "../rdp.h"
46#include "../../crypto/opensslcompat.h"
47#include "rpc_fault.h"
48#include "../utils.h"
49
50#define TAG FREERDP_TAG("core.gateway.rdg")
51
52#define AUTH_PKG NEGO_SSP_NAME
53
54/* HTTP channel response fields present flags. */
55#define HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID 0x1
56#define HTTP_CHANNEL_RESPONSE_OPTIONAL 0x2
57#define HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT 0x4
58
59/* HTTP extended auth. */
60#define HTTP_EXTENDED_AUTH_NONE 0x0
61#define HTTP_EXTENDED_AUTH_SC 0x1 /* Smart card authentication. */
62#define HTTP_EXTENDED_AUTH_PAA 0x02 /* Pluggable authentication. */
63#define HTTP_EXTENDED_AUTH_SSPI_NTLM 0x04 /* NTLM extended authentication. */
64#define HTTP_EXTENDED_AUTH_BEARER 0x08 /* HTTP Bearer authentication. */
65
66/* HTTP packet types. */
67#define PKT_TYPE_HANDSHAKE_REQUEST 0x1
68#define PKT_TYPE_HANDSHAKE_RESPONSE 0x2
69#define PKT_TYPE_EXTENDED_AUTH_MSG 0x3
70#define PKT_TYPE_TUNNEL_CREATE 0x4
71#define PKT_TYPE_TUNNEL_RESPONSE 0x5
72#define PKT_TYPE_TUNNEL_AUTH 0x6
73#define PKT_TYPE_TUNNEL_AUTH_RESPONSE 0x7
74#define PKT_TYPE_CHANNEL_CREATE 0x8
75#define PKT_TYPE_CHANNEL_RESPONSE 0x9
76#define PKT_TYPE_DATA 0xA
77#define PKT_TYPE_SERVICE_MESSAGE 0xB
78#define PKT_TYPE_REAUTH_MESSAGE 0xC
79#define PKT_TYPE_KEEPALIVE 0xD
80#define PKT_TYPE_CLOSE_CHANNEL 0x10
81#define PKT_TYPE_CLOSE_CHANNEL_RESPONSE 0x11
82
83/* HTTP tunnel auth fields present flags. */
84// #define HTTP_TUNNEL_AUTH_FIELD_SOH 0x1
85
86/* HTTP tunnel auth response fields present flags. */
87#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS 0x1
88#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT 0x2
89#define HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE 0x4
90
91/* HTTP tunnel packet fields present flags. */
92#define HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE 0x1
93// #define HTTP_TUNNEL_PACKET_FIELD_REAUTH 0x2
94
95/* HTTP tunnel response fields present flags. */
96#define HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID 0x1
97#define HTTP_TUNNEL_RESPONSE_FIELD_CAPS 0x2
98#define HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ 0x4
99#define HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG 0x10
100
101/* HTTP capability type enumeration. */
102#define HTTP_CAPABILITY_TYPE_QUAR_SOH 0x1
103#define HTTP_CAPABILITY_IDLE_TIMEOUT 0x2
104#define HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN 0x4
105#define HTTP_CAPABILITY_MESSAGING_SERVICE_MSG 0x8
106#define HTTP_CAPABILITY_REAUTH 0x10
107#define HTTP_CAPABILITY_UDP_TRANSPORT 0x20
108
109typedef struct
110{
111 TRANSFER_ENCODING httpTransferEncoding;
112 BOOL isWebsocketTransport;
113 union context
114 {
115 http_encoding_chunked_context chunked;
116 websocket_context* websocket;
117 } context;
118} rdg_http_encoding_context;
119
120struct rdp_rdg
121{
122 rdpContext* context;
123 BOOL attached;
124 BIO* frontBio;
125 rdpTls* tlsIn;
126 rdpTls* tlsOut;
127 rdpCredsspAuth* auth;
128 HttpContext* http;
129 CRITICAL_SECTION writeSection;
130
131 UUID guid;
132
133 int state;
134 UINT16 packetRemainingCount;
135 UINT16 reserved1;
136 int timeout;
137 UINT16 extAuth;
138 UINT16 reserved2;
139 rdg_http_encoding_context transferEncoding;
140
141 SmartcardCertInfo* smartcard;
142 wLog* log;
143};
144
145enum
146{
147 RDG_CLIENT_STATE_INITIAL,
148 RDG_CLIENT_STATE_HANDSHAKE,
149 RDG_CLIENT_STATE_TUNNEL_CREATE,
150 RDG_CLIENT_STATE_TUNNEL_AUTHORIZE,
151 RDG_CLIENT_STATE_CHANNEL_CREATE,
152 RDG_CLIENT_STATE_OPENED,
153};
154
155#pragma pack(push, 1)
156
157typedef struct rdg_packet_header
158{
159 UINT16 type;
160 UINT16 reserved;
161 UINT32 packetLength;
162} RdgPacketHeader;
163
164#pragma pack(pop)
165
166typedef struct
167{
168 UINT32 code;
169 const char* name;
170} t_flag_mapping;
171
172static const t_flag_mapping tunnel_response_fields_present[] = {
173 { HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID, "HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID" },
174 { HTTP_TUNNEL_RESPONSE_FIELD_CAPS, "HTTP_TUNNEL_RESPONSE_FIELD_CAPS" },
175 { HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ, "HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ" },
176 { HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG, "HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG" }
177};
178
179static const t_flag_mapping channel_response_fields_present[] = {
180 { HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID, "HTTP_CHANNEL_RESPONSE_FIELD_CHANNELID" },
181 { HTTP_CHANNEL_RESPONSE_OPTIONAL, "HTTP_CHANNEL_RESPONSE_OPTIONAL" },
182 { HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT, "HTTP_CHANNEL_RESPONSE_FIELD_UDPPORT" }
183};
184
185static const t_flag_mapping tunnel_authorization_response_fields_present[] = {
186 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS, "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS" },
187 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT,
188 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT" },
189 { HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE,
190 "HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE" }
191};
192
193static const t_flag_mapping extended_auth[] = {
194 { HTTP_EXTENDED_AUTH_NONE, "HTTP_EXTENDED_AUTH_NONE" },
195 { HTTP_EXTENDED_AUTH_SC, "HTTP_EXTENDED_AUTH_SC" },
196 { HTTP_EXTENDED_AUTH_PAA, "HTTP_EXTENDED_AUTH_PAA" },
197 { HTTP_EXTENDED_AUTH_SSPI_NTLM, "HTTP_EXTENDED_AUTH_SSPI_NTLM" }
198};
199
200static const t_flag_mapping capabilities_enum[] = {
201 { HTTP_CAPABILITY_TYPE_QUAR_SOH, "HTTP_CAPABILITY_TYPE_QUAR_SOH" },
202 { HTTP_CAPABILITY_IDLE_TIMEOUT, "HTTP_CAPABILITY_IDLE_TIMEOUT" },
203 { HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN, "HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN" },
204 { HTTP_CAPABILITY_MESSAGING_SERVICE_MSG, "HTTP_CAPABILITY_MESSAGING_SERVICE_MSG" },
205 { HTTP_CAPABILITY_REAUTH, "HTTP_CAPABILITY_REAUTH" },
206 { HTTP_CAPABILITY_UDP_TRANSPORT, "HTTP_CAPABILITY_UDP_TRANSPORT" }
207};
208
209static const char* flags_to_string(UINT32 flags, const t_flag_mapping* map, size_t elements)
210{
211 static char buffer[1024] = { 0 };
212 char fields[12] = { 0 };
213
214 for (size_t x = 0; x < elements; x++)
215 {
216 const t_flag_mapping* cur = &map[x];
217
218 if ((cur->code & flags) != 0)
219 winpr_str_append(cur->name, buffer, sizeof(buffer), "|");
220 }
221
222 (void)sprintf_s(fields, ARRAYSIZE(fields), " [%04" PRIx32 "]", flags);
223 winpr_str_append(fields, buffer, sizeof(buffer), NULL);
224 return buffer;
225}
226
227static const char* channel_response_fields_present_to_string(UINT16 fieldsPresent)
228{
229 return flags_to_string(fieldsPresent, channel_response_fields_present,
230 ARRAYSIZE(channel_response_fields_present));
231}
232
233static const char* tunnel_response_fields_present_to_string(UINT16 fieldsPresent)
234{
235 return flags_to_string(fieldsPresent, tunnel_response_fields_present,
236 ARRAYSIZE(tunnel_response_fields_present));
237}
238
239static const char* tunnel_authorization_response_fields_present_to_string(UINT16 fieldsPresent)
240{
241 return flags_to_string(fieldsPresent, tunnel_authorization_response_fields_present,
242 ARRAYSIZE(tunnel_authorization_response_fields_present));
243}
244
245static const char* extended_auth_to_string(UINT16 auth)
246{
247 if (auth == HTTP_EXTENDED_AUTH_NONE)
248 return "HTTP_EXTENDED_AUTH_NONE [0x0000]";
249
250 return flags_to_string(auth, extended_auth, ARRAYSIZE(extended_auth));
251}
252
253static const char* capabilities_enum_to_string(UINT32 capabilities)
254{
255 return flags_to_string(capabilities, capabilities_enum, ARRAYSIZE(capabilities_enum));
256}
257
258static BOOL rdg_read_http_unicode_string(wLog* log, wStream* s, const WCHAR** string,
259 UINT16* lengthInBytes)
260{
261 UINT16 strLenBytes = 0;
262 size_t rem = Stream_GetRemainingLength(s);
263
264 /* Read length of the string */
265 if (!Stream_CheckAndLogRequiredLengthWLog(log, s, 4))
266 {
267 WLog_Print(log, WLOG_ERROR, "Could not read stream length, only have %" PRIuz " bytes",
268 rem);
269 return FALSE;
270 }
271 Stream_Read_UINT16(s, strLenBytes);
272
273 /* Remember position of our string */
274 const WCHAR* str = Stream_ConstPointer(s);
275
276 /* seek past the string - if this fails something is wrong */
277 if (!Stream_SafeSeek(s, strLenBytes))
278 {
279 WLog_Print(log, WLOG_ERROR,
280 "Could not read stream data, only have %" PRIuz " bytes, expected %" PRIu16,
281 rem - 4, strLenBytes);
282 return FALSE;
283 }
284
285 /* return the string data (if wanted) */
286 if (string)
287 *string = str;
288 if (lengthInBytes)
289 *lengthInBytes = strLenBytes;
290
291 return TRUE;
292}
293
294static BOOL rdg_write_chunked(BIO* bio, wStream* sPacket)
295{
296 size_t len = 0;
297 int status = 0;
298 wStream* sChunk = NULL;
299 char chunkSize[11];
300 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIXz "\r\n", Stream_Length(sPacket));
301 sChunk = Stream_New(NULL, strnlen(chunkSize, sizeof(chunkSize)) + Stream_Length(sPacket) + 2);
302
303 if (!sChunk)
304 return FALSE;
305
306 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
307 Stream_Write(sChunk, Stream_Buffer(sPacket), Stream_Length(sPacket));
308 Stream_Write(sChunk, "\r\n", 2);
309 Stream_SealLength(sChunk);
310 len = Stream_Length(sChunk);
311
312 if (len > INT_MAX)
313 {
314 Stream_Free(sChunk, TRUE);
315 return FALSE;
316 }
317
318 ERR_clear_error();
319 status = BIO_write(bio, Stream_Buffer(sChunk), (int)len);
320 Stream_Free(sChunk, TRUE);
321
322 if (status != (SSIZE_T)len)
323 return FALSE;
324
325 return TRUE;
326}
327
328static BOOL rdg_write_packet(rdpRdg* rdg, wStream* sPacket)
329{
330 if (rdg->transferEncoding.isWebsocketTransport)
331 return websocket_context_write_wstream(rdg->transferEncoding.context.websocket,
332 rdg->tlsOut->bio, sPacket, WebsocketBinaryOpcode);
333
334 return rdg_write_chunked(rdg->tlsIn->bio, sPacket);
335}
336
337static int rdg_socket_read(BIO* bio, BYTE* pBuffer, size_t size,
338 rdg_http_encoding_context* encodingContext)
339{
340 WINPR_ASSERT(encodingContext != NULL);
341 if (size > INT32_MAX)
342 return -1;
343
344 if (encodingContext->isWebsocketTransport)
345 return websocket_context_read(encodingContext->context.websocket, bio, pBuffer, size);
346
347 switch (encodingContext->httpTransferEncoding)
348 {
349 case TransferEncodingIdentity:
350 ERR_clear_error();
351 return BIO_read(bio, pBuffer, (int)size);
352 case TransferEncodingChunked:
353 return http_chuncked_read(bio, pBuffer, size, &encodingContext->context.chunked);
354 default:
355 return -1;
356 }
357}
358
359static BOOL rdg_shall_abort(rdpRdg* rdg)
360{
361 WINPR_ASSERT(rdg);
362 return freerdp_shall_disconnect_context(rdg->context);
363}
364
365static BOOL rdg_read_all(rdpContext* context, rdpTls* tls, BYTE* buffer, size_t size,
366 rdg_http_encoding_context* transferEncoding)
367{
368 size_t readCount = 0;
369 BYTE* pBuffer = buffer;
370
371 while (readCount < size)
372 {
373 if (freerdp_shall_disconnect_context(context))
374 return FALSE;
375
376 int status = rdg_socket_read(tls->bio, pBuffer, size - readCount, transferEncoding);
377 if (status <= 0)
378 {
379 if (!BIO_should_retry(tls->bio))
380 return FALSE;
381
382 Sleep(10);
383 continue;
384 }
385
386 readCount += WINPR_ASSERTING_INT_CAST(uint32_t, status);
387 pBuffer += WINPR_ASSERTING_INT_CAST(uint32_t, status);
388 }
389
390 return TRUE;
391}
392
393static wStream* rdg_receive_packet(rdpRdg* rdg)
394{
395 const size_t header = sizeof(RdgPacketHeader);
396 size_t packetLength = 0;
397 wStream* s = Stream_New(NULL, 1024);
398
399 if (!s)
400 return NULL;
401
402 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s), header, &rdg->transferEncoding))
403 {
404 Stream_Free(s, TRUE);
405 return NULL;
406 }
407
408 Stream_Seek(s, 4);
409 Stream_Read_UINT32(s, packetLength);
410
411 if ((packetLength > INT_MAX) || !Stream_EnsureCapacity(s, packetLength) ||
412 (packetLength < header))
413 {
414 Stream_Free(s, TRUE);
415 return NULL;
416 }
417
418 if (!rdg_read_all(rdg->context, rdg->tlsOut, Stream_Buffer(s) + header, packetLength - header,
419 &rdg->transferEncoding))
420 {
421 Stream_Free(s, TRUE);
422 return NULL;
423 }
424
425 Stream_SetLength(s, packetLength);
426 return s;
427}
428
429static BOOL rdg_send_handshake(rdpRdg* rdg)
430{
431 BOOL status = FALSE;
432 wStream* s = Stream_New(NULL, 14);
433
434 if (!s)
435 return FALSE;
436
437 Stream_Write_UINT16(s, PKT_TYPE_HANDSHAKE_REQUEST); /* Type (2 bytes) */
438 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
439 Stream_Write_UINT32(s, 14); /* PacketLength (4 bytes) */
440 Stream_Write_UINT8(s, 1); /* VersionMajor (1 byte) */
441 Stream_Write_UINT8(s, 0); /* VersionMinor (1 byte) */
442 Stream_Write_UINT16(s, 0); /* ClientVersion (2 bytes), must be 0 */
443 Stream_Write_UINT16(s, rdg->extAuth); /* ExtendedAuthentication (2 bytes) */
444 Stream_SealLength(s);
445 status = rdg_write_packet(rdg, s);
446 Stream_Free(s, TRUE);
447
448 if (status)
449 {
450 rdg->state = RDG_CLIENT_STATE_HANDSHAKE;
451 }
452
453 return status;
454}
455
456static BOOL rdg_send_extauth_sspi(rdpRdg* rdg)
457{
458 wStream* s = NULL;
459 BOOL status = 0;
460 UINT32 packetSize = 8 + 4 + 2;
461
462 WINPR_ASSERT(rdg);
463
464 const SecBuffer* authToken = credssp_auth_get_output_buffer(rdg->auth);
465 if (!authToken)
466 return FALSE;
467 packetSize += authToken->cbBuffer;
468
469 s = Stream_New(NULL, packetSize);
470
471 if (!s)
472 return FALSE;
473
474 Stream_Write_UINT16(s, PKT_TYPE_EXTENDED_AUTH_MSG); /* Type (2 bytes) */
475 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
476 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
477 Stream_Write_UINT32(s, ERROR_SUCCESS); /* Error code */
478 Stream_Write_UINT16(s, (UINT16)authToken->cbBuffer);
479 Stream_Write(s, authToken->pvBuffer, authToken->cbBuffer);
480
481 Stream_SealLength(s);
482 status = rdg_write_packet(rdg, s);
483 Stream_Free(s, TRUE);
484
485 return status;
486}
487
488static BOOL rdg_send_tunnel_request(rdpRdg* rdg)
489{
490 wStream* s = NULL;
491 BOOL status = 0;
492 UINT32 packetSize = 16;
493 UINT16 fieldsPresent = 0;
494 WCHAR* PAACookie = NULL;
495 size_t PAACookieLen = 0;
496 const UINT32 capabilities = HTTP_CAPABILITY_TYPE_QUAR_SOH |
497 HTTP_CAPABILITY_MESSAGING_CONSENT_SIGN |
498 HTTP_CAPABILITY_MESSAGING_SERVICE_MSG;
499
500 if (rdg->extAuth == HTTP_EXTENDED_AUTH_PAA)
501 {
502 PAACookie =
503 ConvertUtf8ToWCharAlloc(rdg->context->settings->GatewayAccessToken, &PAACookieLen);
504
505 if (!PAACookie || (PAACookieLen > UINT16_MAX / sizeof(WCHAR)))
506 {
507 free(PAACookie);
508 return FALSE;
509 }
510
511 PAACookieLen += 1; /* include \0 */
512 packetSize += 2 + (UINT32)(PAACookieLen) * sizeof(WCHAR);
513 fieldsPresent = HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE;
514 }
515
516 s = Stream_New(NULL, packetSize);
517
518 if (!s)
519 {
520 free(PAACookie);
521 return FALSE;
522 }
523
524 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_CREATE); /* Type (2 bytes) */
525 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
526 Stream_Write_UINT32(s, packetSize); /* PacketLength (4 bytes) */
527 Stream_Write_UINT32(s, capabilities); /* CapabilityFlags (4 bytes) */
528 Stream_Write_UINT16(s, fieldsPresent); /* FieldsPresent (2 bytes) */
529 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes), must be 0 */
530
531 if (PAACookie)
532 {
533 Stream_Write_UINT16(s, (UINT16)PAACookieLen * sizeof(WCHAR)); /* PAA cookie string length */
534 Stream_Write_UTF16_String(s, PAACookie, PAACookieLen);
535 }
536
537 Stream_SealLength(s);
538 status = rdg_write_packet(rdg, s);
539 Stream_Free(s, TRUE);
540 free(PAACookie);
541
542 if (status)
543 {
544 rdg->state = RDG_CLIENT_STATE_TUNNEL_CREATE;
545 }
546
547 return status;
548}
549
550static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
551{
552 wStream* s = NULL;
553 BOOL status = 0;
554 WINPR_ASSERT(rdg);
555 size_t clientNameLen = 0;
556 WCHAR* clientName = freerdp_settings_get_string_as_utf16(
557 rdg->context->settings, FreeRDP_ClientHostname, &clientNameLen);
558
559 clientNameLen++; // length including terminating '\0'
560
561 const size_t packetSize = 12ull + clientNameLen * sizeof(WCHAR);
562 if (!clientName || (clientNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
563 {
564 free(clientName);
565 return FALSE;
566 }
567
568 s = Stream_New(NULL, packetSize);
569
570 if (!s)
571 {
572 free(clientName);
573 return FALSE;
574 }
575
576 Stream_Write_UINT16(s, PKT_TYPE_TUNNEL_AUTH); /* Type (2 bytes) */
577 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
578 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
579 Stream_Write_UINT16(s, 0); /* FieldsPresent (2 bytes) */
580 Stream_Write_UINT16(s, (UINT16)clientNameLen * sizeof(WCHAR)); /* Client name string length */
581 Stream_Write_UTF16_String(s, clientName, clientNameLen);
582 Stream_SealLength(s);
583 status = rdg_write_packet(rdg, s);
584 Stream_Free(s, TRUE);
585 free(clientName);
586
587 if (status)
588 {
589 rdg->state = RDG_CLIENT_STATE_TUNNEL_AUTHORIZE;
590 }
591
592 return status;
593}
594
595static BOOL rdg_send_channel_create(rdpRdg* rdg)
596{
597 wStream* s = NULL;
598 BOOL status = FALSE;
599 WCHAR* serverName = NULL;
600 size_t serverNameLen = 0;
601
602 WINPR_ASSERT(rdg);
603 serverName = freerdp_settings_get_string_as_utf16(rdg->context->settings,
604 FreeRDP_ServerHostname, &serverNameLen);
605
606 serverNameLen++; // length including terminating '\0'
607 const size_t packetSize = 16ull + serverNameLen * sizeof(WCHAR);
608 if (!serverName || (serverNameLen >= UINT16_MAX / sizeof(WCHAR)) || (packetSize > UINT32_MAX))
609 goto fail;
610
611 s = Stream_New(NULL, packetSize);
612
613 if (!s)
614 goto fail;
615
616 Stream_Write_UINT16(s, PKT_TYPE_CHANNEL_CREATE); /* Type (2 bytes) */
617 Stream_Write_UINT16(s, 0); /* Reserved (2 bytes) */
618 Stream_Write_UINT32(s, (UINT32)packetSize); /* PacketLength (4 bytes) */
619 Stream_Write_UINT8(s, 1); /* Number of resources. (1 byte) */
620 Stream_Write_UINT8(s, 0); /* Number of alternative resources (1 byte) */
621 Stream_Write_UINT16(s,
622 (UINT16)rdg->context->settings->ServerPort); /* Resource port (2 bytes) */
623 Stream_Write_UINT16(s, 3); /* Protocol number (2 bytes) */
624 Stream_Write_UINT16(s, (UINT16)serverNameLen * sizeof(WCHAR));
625 Stream_Write_UTF16_String(s, serverName, serverNameLen);
626 Stream_SealLength(s);
627 status = rdg_write_packet(rdg, s);
628fail:
629 free(serverName);
630 Stream_Free(s, TRUE);
631
632 if (status)
633 rdg->state = RDG_CLIENT_STATE_CHANNEL_CREATE;
634
635 return status;
636}
637
638static BOOL rdg_set_auth_header(rdpCredsspAuth* auth, HttpRequest* request)
639{
640 const SecBuffer* authToken = credssp_auth_get_output_buffer(auth);
641 char* base64AuthToken = NULL;
642
643 if (authToken)
644 {
645 if (authToken->cbBuffer > INT_MAX)
646 return FALSE;
647
648 base64AuthToken = crypto_base64_encode(authToken->pvBuffer, authToken->cbBuffer);
649 }
650
651 if (base64AuthToken)
652 {
653 BOOL rc = http_request_set_auth_scheme(request, credssp_auth_pkg_name(auth)) &&
654 http_request_set_auth_param(request, base64AuthToken);
655 free(base64AuthToken);
656
657 if (!rc)
658 return FALSE;
659 }
660
661 return TRUE;
662}
663
664static wStream* rdg_build_http_request(rdpRdg* rdg, const char* method,
665 TRANSFER_ENCODING transferEncoding)
666{
667 wStream* s = NULL;
668 HttpRequest* request = NULL;
669 const char* uri = NULL;
670
671 if (!rdg || !method)
672 return NULL;
673
674 uri = http_context_get_uri(rdg->http);
675 request = http_request_new();
676
677 if (!request)
678 return NULL;
679
680 if (!http_request_set_method(request, method) || !http_request_set_uri(request, uri))
681 goto out;
682
683 if (rdg->auth)
684 {
685 if (!rdg_set_auth_header(rdg->auth, request))
686 goto out;
687 }
688
689 else if (rdg->extAuth == HTTP_EXTENDED_AUTH_BEARER)
690 {
691 http_request_set_auth_scheme(request, "Bearer");
692 http_request_set_auth_param(request, rdg->context->settings->GatewayHttpExtAuthBearer);
693 }
694
695 http_request_set_transfer_encoding(request, transferEncoding);
696
697 s = http_request_write(rdg->http, request);
698out:
699 http_request_free(request);
700
701 if (s)
702 Stream_SealLength(s);
703
704 return s;
705}
706
707static BOOL rdg_recv_auth_token(wLog* log, rdpCredsspAuth* auth, HttpResponse* response)
708{
709 size_t len = 0;
710 size_t authTokenLength = 0;
711 BYTE* authTokenData = NULL;
712 SecBuffer authToken = { 0 };
713 int rc = 0;
714
715 if (!auth || !response)
716 return FALSE;
717
718 const UINT16 StatusCode = http_response_get_status_code(response);
719 switch (StatusCode)
720 {
721 case HTTP_STATUS_DENIED:
722 case HTTP_STATUS_OK:
723 case HTTP_STATUS_SWITCH_PROTOCOLS:
724 break;
725 default:
726 http_response_log_error_status(log, WLOG_WARN, response);
727 return FALSE;
728 }
729
730 const char* token64 = http_response_get_auth_token(response, credssp_auth_pkg_name(auth));
731 if (!token64)
732 return FALSE;
733
734 len = strlen(token64);
735
736 crypto_base64_decode(token64, len, &authTokenData, &authTokenLength);
737
738 if (authTokenLength && authTokenData && (authTokenLength <= UINT32_MAX))
739 {
740 authToken.pvBuffer = authTokenData;
741 authToken.cbBuffer = (UINT32)authTokenLength;
742 credssp_auth_take_input_buffer(auth, &authToken);
743 }
744 else
745 free(authTokenData);
746
747 rc = credssp_auth_authenticate(auth);
748 if (rc < 0)
749 return FALSE;
750
751 return TRUE;
752}
753
754static BOOL rdg_skip_seed_payload(rdpContext* context, rdpTls* tls, size_t lastResponseLength,
755 rdg_http_encoding_context* transferEncoding)
756{
757 BYTE seed_payload[10] = { 0 };
758 const size_t size = sizeof(seed_payload);
759
760 /* Per [MS-TSGU] 3.3.5.1 step 4, after final OK response RDG server sends
761 * random "seed" payload of limited size. In practice it's 10 bytes.
762 */
763 if (lastResponseLength < size)
764 {
765 if (!rdg_read_all(context, tls, seed_payload, size - lastResponseLength, transferEncoding))
766 {
767 return FALSE;
768 }
769 }
770
771 return TRUE;
772}
773
774static BOOL rdg_process_handshake_response(rdpRdg* rdg, wStream* s)
775{
776 UINT32 errorCode = 0;
777 UINT16 serverVersion = 0;
778 UINT16 extendedAuth = 0;
779 BYTE verMajor = 0;
780 BYTE verMinor = 0;
781 const char* error = NULL;
782 WLog_Print(rdg->log, WLOG_DEBUG, "Handshake response received");
783
784 if (rdg->state != RDG_CLIENT_STATE_HANDSHAKE)
785 {
786 return FALSE;
787 }
788
789 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
790 return FALSE;
791
792 Stream_Read_UINT32(s, errorCode);
793 Stream_Read_UINT8(s, verMajor);
794 Stream_Read_UINT8(s, verMinor);
795 Stream_Read_UINT16(s, serverVersion);
796 Stream_Read_UINT16(s, extendedAuth);
797 error = rpc_error_to_string(errorCode);
798 WLog_Print(rdg->log, WLOG_DEBUG,
799 "errorCode=%s, verMajor=%" PRId8 ", verMinor=%" PRId8 ", serverVersion=%" PRId16
800 ", extendedAuth=%s",
801 error, verMajor, verMinor, serverVersion, extended_auth_to_string(extendedAuth));
802
803 if (FAILED((HRESULT)errorCode))
804 {
805 WLog_Print(rdg->log, WLOG_ERROR, "Handshake error %s", error);
806 freerdp_set_last_error_log(rdg->context, errorCode);
807 return FALSE;
808 }
809
810 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
811 return rdg_send_extauth_sspi(rdg);
812
813 return rdg_send_tunnel_request(rdg);
814}
815
816static BOOL rdg_process_tunnel_response_optional(rdpRdg* rdg, wStream* s, UINT16 fieldsPresent)
817{
818 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_TUNNEL_ID)
819 {
820 /* Seek over tunnelId (4 bytes) */
821 if (!Stream_SafeSeek(s, 4))
822 {
823 WLog_Print(rdg->log, WLOG_ERROR, "Short tunnelId, got %" PRIuz ", expected 4",
824 Stream_GetRemainingLength(s));
825 return FALSE;
826 }
827 }
828
829 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CAPS)
830 {
831 UINT32 caps = 0;
832 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
833 return FALSE;
834
835 Stream_Read_UINT32(s, caps);
836 WLog_Print(rdg->log, WLOG_DEBUG, "capabilities=%s", capabilities_enum_to_string(caps));
837 }
838
839 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_SOH_REQ)
840 {
841 /* Seek over nonce (20 bytes) */
842 if (!Stream_SafeSeek(s, 20))
843 {
844 WLog_Print(rdg->log, WLOG_ERROR, "Short nonce, got %" PRIuz ", expected 20",
845 Stream_GetRemainingLength(s));
846 return FALSE;
847 }
848
849 /* Read serverCert */
850 if (!rdg_read_http_unicode_string(rdg->log, s, NULL, NULL))
851 {
852 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read server certificate");
853 return FALSE;
854 }
855 }
856
857 if (fieldsPresent & HTTP_TUNNEL_RESPONSE_FIELD_CONSENT_MSG)
858 {
859 const WCHAR* msg = NULL;
860 UINT16 msgLenBytes = 0;
861 rdpContext* context = rdg->context;
862
863 WINPR_ASSERT(context);
864 WINPR_ASSERT(context->instance);
865
866 /* Read message string and invoke callback */
867 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
868 {
869 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read consent message");
870 return FALSE;
871 }
872
873 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
874 GATEWAY_MESSAGE_CONSENT, TRUE, TRUE, msgLenBytes, msg);
875 }
876
877 return TRUE;
878}
879
880static BOOL rdg_process_tunnel_response(rdpRdg* rdg, wStream* s)
881{
882 UINT16 serverVersion = 0;
883 UINT16 fieldsPresent = 0;
884 UINT32 errorCode = 0;
885 const char* error = NULL;
886 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel response received");
887
888 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_CREATE)
889 {
890 return FALSE;
891 }
892
893 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 10))
894 return FALSE;
895
896 Stream_Read_UINT16(s, serverVersion);
897 Stream_Read_UINT32(s, errorCode);
898 Stream_Read_UINT16(s, fieldsPresent);
899 Stream_Seek_UINT16(s); /* reserved */
900 error = rpc_error_to_string(errorCode);
901 WLog_Print(rdg->log, WLOG_DEBUG, "serverVersion=%" PRId16 ", errorCode=%s, fieldsPresent=%s",
902 serverVersion, error, tunnel_response_fields_present_to_string(fieldsPresent));
903
904 if (FAILED((HRESULT)errorCode))
905 {
906 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel creation error %s", error);
907 freerdp_set_last_error_log(rdg->context, errorCode);
908 return FALSE;
909 }
910
911 if (!rdg_process_tunnel_response_optional(rdg, s, fieldsPresent))
912 return FALSE;
913
914 return rdg_send_tunnel_authorization(rdg);
915}
916
917static BOOL rdg_process_tunnel_authorization_response(rdpRdg* rdg, wStream* s)
918{
919 UINT32 errorCode = 0;
920 UINT16 fieldsPresent = 0;
921 const char* error = NULL;
922 WLog_Print(rdg->log, WLOG_DEBUG, "Tunnel authorization received");
923
924 if (rdg->state != RDG_CLIENT_STATE_TUNNEL_AUTHORIZE)
925 {
926 return FALSE;
927 }
928
929 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
930 return FALSE;
931
932 Stream_Read_UINT32(s, errorCode);
933 Stream_Read_UINT16(s, fieldsPresent);
934 Stream_Seek_UINT16(s); /* reserved */
935 error = rpc_error_to_string(errorCode);
936 WLog_Print(rdg->log, WLOG_DEBUG, "errorCode=%s, fieldsPresent=%s", error,
937 tunnel_authorization_response_fields_present_to_string(fieldsPresent));
938
939 /* [MS-TSGU] 3.7.5.2.7 */
940 if (errorCode != S_OK && errorCode != E_PROXY_QUARANTINE_ACCESSDENIED)
941 {
942 WLog_Print(rdg->log, WLOG_ERROR, "Tunnel authorization error %s", error);
943 freerdp_set_last_error_log(rdg->context, errorCode);
944 return FALSE;
945 }
946
947 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_REDIR_FLAGS)
948 {
949 UINT32 redirFlags = 0;
950 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
951 return FALSE;
952 Stream_Read_UINT32(s, redirFlags);
953
954 rdpContext* context = rdg->context;
955 if (!utils_apply_gateway_policy(rdg->log, context, redirFlags, "RDG"))
956 return FALSE;
957 }
958
959 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_IDLE_TIMEOUT)
960 {
961 UINT32 idleTimeout = 0;
962 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 4))
963 return FALSE;
964 Stream_Read_UINT32(s, idleTimeout);
965 WLog_Print(rdg->log, WLOG_DEBUG, "[IDLE_TIMEOUT] idleTimeout=%" PRIu32 ": TODO: unused",
966 idleTimeout);
967 }
968
969 if (fieldsPresent & HTTP_TUNNEL_AUTH_RESPONSE_FIELD_SOH_RESPONSE)
970 {
971 UINT16 cbLen = 0;
972 if (!Stream_CheckAndLogRequiredCapacityWLog(rdg->log, s, 2))
973 return FALSE;
974 Stream_Read_UINT16(s, cbLen);
975
976 WLog_Print(rdg->log, WLOG_DEBUG, "[SOH_RESPONSE] cbLen=%" PRIu16 ": TODO: unused", cbLen);
977 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, cbLen))
978 return FALSE;
979 Stream_Seek(s, cbLen);
980 }
981
982 return rdg_send_channel_create(rdg);
983}
984
985static BOOL rdg_process_extauth_sspi(rdpRdg* rdg, wStream* s)
986{
987 INT32 errorCode = 0;
988 UINT16 authBlobLen = 0;
989 SecBuffer authToken = { 0 };
990 BYTE* authTokenData = NULL;
991
992 WINPR_ASSERT(rdg);
993
994 Stream_Read_INT32(s, errorCode);
995 Stream_Read_UINT16(s, authBlobLen);
996
997 if (errorCode != ERROR_SUCCESS)
998 {
999 WLog_Print(rdg->log, WLOG_ERROR, "EXTAUTH_SSPI_NTLM failed with error %s [0x%08X]",
1000 GetSecurityStatusString(errorCode), WINPR_CXX_COMPAT_CAST(UINT32, errorCode));
1001 return FALSE;
1002 }
1003
1004 if (authBlobLen == 0)
1005 {
1006 if (credssp_auth_is_complete(rdg->auth))
1007 {
1008 credssp_auth_free(rdg->auth);
1009 rdg->auth = NULL;
1010 return rdg_send_tunnel_request(rdg);
1011 }
1012 return FALSE;
1013 }
1014
1015 authTokenData = malloc(authBlobLen);
1016 if (authTokenData == NULL)
1017 return FALSE;
1018 Stream_Read(s, authTokenData, authBlobLen);
1019
1020 authToken.pvBuffer = authTokenData;
1021 authToken.cbBuffer = authBlobLen;
1022
1023 credssp_auth_take_input_buffer(rdg->auth, &authToken);
1024
1025 if (credssp_auth_authenticate(rdg->auth) < 0)
1026 return FALSE;
1027
1028 if (credssp_auth_have_output_token(rdg->auth))
1029 return rdg_send_extauth_sspi(rdg);
1030
1031 return FALSE;
1032}
1033
1034static BOOL rdg_process_channel_response(rdpRdg* rdg, wStream* s)
1035{
1036 UINT16 fieldsPresent = 0;
1037 UINT32 errorCode = 0;
1038 const char* error = NULL;
1039 WLog_Print(rdg->log, WLOG_DEBUG, "Channel response received");
1040
1041 if (rdg->state != RDG_CLIENT_STATE_CHANNEL_CREATE)
1042 {
1043 return FALSE;
1044 }
1045
1046 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1047 return FALSE;
1048
1049 Stream_Read_UINT32(s, errorCode);
1050 Stream_Read_UINT16(s, fieldsPresent);
1051 Stream_Seek_UINT16(s); /* reserved */
1052 error = rpc_error_to_string(errorCode);
1053 WLog_Print(rdg->log, WLOG_DEBUG, "channel response errorCode=%s, fieldsPresent=%s", error,
1054 channel_response_fields_present_to_string(fieldsPresent));
1055
1056 if (FAILED((HRESULT)errorCode))
1057 {
1058 WLog_Print(rdg->log, WLOG_ERROR, "channel response errorCode=%s, fieldsPresent=%s", error,
1059 channel_response_fields_present_to_string(fieldsPresent));
1060 freerdp_set_last_error_log(rdg->context, errorCode);
1061 return FALSE;
1062 }
1063
1064 rdg->state = RDG_CLIENT_STATE_OPENED;
1065 return TRUE;
1066}
1067
1068static BOOL rdg_process_packet(rdpRdg* rdg, wStream* s)
1069{
1070 BOOL status = TRUE;
1071 UINT16 type = 0;
1072 UINT32 packetLength = 0;
1073 Stream_SetPosition(s, 0);
1074
1075 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 8))
1076 return FALSE;
1077
1078 Stream_Read_UINT16(s, type);
1079 Stream_Seek_UINT16(s); /* reserved */
1080 Stream_Read_UINT32(s, packetLength);
1081
1082 if (Stream_Length(s) < packetLength)
1083 {
1084 WLog_Print(rdg->log, WLOG_ERROR, "Short packet %" PRIuz ", expected %" PRIu32,
1085 Stream_Length(s), packetLength);
1086 return FALSE;
1087 }
1088
1089 switch (type)
1090 {
1091 case PKT_TYPE_HANDSHAKE_RESPONSE:
1092 status = rdg_process_handshake_response(rdg, s);
1093 break;
1094
1095 case PKT_TYPE_TUNNEL_RESPONSE:
1096 status = rdg_process_tunnel_response(rdg, s);
1097 break;
1098
1099 case PKT_TYPE_TUNNEL_AUTH_RESPONSE:
1100 status = rdg_process_tunnel_authorization_response(rdg, s);
1101 break;
1102
1103 case PKT_TYPE_CHANNEL_RESPONSE:
1104 status = rdg_process_channel_response(rdg, s);
1105 break;
1106
1107 case PKT_TYPE_DATA:
1108 WLog_Print(rdg->log, WLOG_ERROR, "Unexpected packet type DATA");
1109 return FALSE;
1110
1111 case PKT_TYPE_EXTENDED_AUTH_MSG:
1112 status = rdg_process_extauth_sspi(rdg, s);
1113 break;
1114
1115 default:
1116 WLog_Print(rdg->log, WLOG_ERROR, "PKG TYPE 0x%x not implemented", type);
1117 return FALSE;
1118 }
1119
1120 return status;
1121}
1122
1123DWORD rdg_get_event_handles(rdpRdg* rdg, HANDLE* events, DWORD count)
1124{
1125 DWORD nCount = 0;
1126 WINPR_ASSERT(rdg != NULL);
1127
1128 if (rdg->tlsOut && rdg->tlsOut->bio)
1129 {
1130 if (events && (nCount < count))
1131 {
1132 BIO_get_event(rdg->tlsOut->bio, &events[nCount]);
1133 nCount++;
1134 }
1135 else
1136 return 0;
1137 }
1138
1139 /* We just need the read event handle even in non-websocket mode. */
1140
1141 return nCount;
1142}
1143
1144static BOOL rdg_get_gateway_credentials(rdpContext* context, rdp_auth_reason reason)
1145{
1146 freerdp* instance = context->instance;
1147
1148 auth_status rc = utils_authenticate_gateway(instance, reason);
1149 switch (rc)
1150 {
1151 case AUTH_SUCCESS:
1152 case AUTH_SKIP:
1153 return TRUE;
1154 case AUTH_CANCELLED:
1155 freerdp_set_last_error_log(instance->context, FREERDP_ERROR_CONNECT_CANCELLED);
1156 return FALSE;
1157 case AUTH_NO_CREDENTIALS:
1158 WLog_INFO(TAG, "No credentials provided - using NULL identity");
1159 return TRUE;
1160 case AUTH_FAILED:
1161 default:
1162 return FALSE;
1163 }
1164}
1165
1166static BOOL rdg_auth_init(rdpRdg* rdg, rdpTls* tls, TCHAR* authPkg)
1167{
1168 rdpContext* context = rdg->context;
1169 rdpSettings* settings = context->settings;
1170 SEC_WINNT_AUTH_IDENTITY identity = { 0 };
1171 int rc = 0;
1172
1173 rdg->auth = credssp_auth_new(context);
1174 if (!rdg->auth)
1175 return FALSE;
1176
1177 if (!credssp_auth_init(rdg->auth, authPkg, tls->Bindings))
1178 return FALSE;
1179
1180 BOOL doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1181 if (doSCLogon)
1182 {
1183 if (!smartcard_getCert(context, &rdg->smartcard, TRUE))
1184 return FALSE;
1185
1186 if (!rdg_get_gateway_credentials(context, AUTH_SMARTCARD_PIN))
1187 return FALSE;
1188 }
1189 else
1190 {
1191 if (!rdg_get_gateway_credentials(context, GW_AUTH_RDG))
1192 return FALSE;
1193
1194 /* Auth callback might changed logon to smartcard so check again */
1195 doSCLogon = freerdp_settings_get_bool(settings, FreeRDP_SmartcardLogon);
1196 if (doSCLogon && !smartcard_getCert(context, &rdg->smartcard, TRUE))
1197 return FALSE;
1198 }
1199
1200 SEC_WINNT_AUTH_IDENTITY* identityArg = &identity;
1201 if (doSCLogon)
1202 {
1203 if (!identity_set_from_smartcard_hash(&identity, settings, FreeRDP_GatewayUsername,
1204 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword,
1205 rdg->smartcard->sha1Hash,
1206 sizeof(rdg->smartcard->sha1Hash)))
1207 return FALSE;
1208 }
1209 else
1210 {
1211 if (!identity_set_from_settings(&identity, settings, FreeRDP_GatewayUsername,
1212 FreeRDP_GatewayDomain, FreeRDP_GatewayPassword))
1213 return FALSE;
1214
1215 if (!settings->GatewayUsername)
1216 identityArg = NULL;
1217 }
1218
1219 if (!credssp_auth_setup_client(rdg->auth, "HTTP", settings->GatewayHostname, identityArg,
1220 rdg->smartcard ? rdg->smartcard->pkinitArgs : NULL))
1221 {
1222 sspi_FreeAuthIdentity(&identity);
1223 return FALSE;
1224 }
1225 sspi_FreeAuthIdentity(&identity);
1226
1227 credssp_auth_set_flags(rdg->auth, ISC_REQ_CONFIDENTIALITY | ISC_REQ_MUTUAL_AUTH);
1228
1229 rc = credssp_auth_authenticate(rdg->auth);
1230 if (rc < 0)
1231 return FALSE;
1232
1233 return TRUE;
1234}
1235
1236static BOOL rdg_send_http_request(rdpRdg* rdg, rdpTls* tls, const char* method,
1237 TRANSFER_ENCODING transferEncoding)
1238{
1239 int status = -1;
1240 wStream* s = rdg_build_http_request(rdg, method, transferEncoding);
1241
1242 if (!s)
1243 return FALSE;
1244
1245 const size_t sz = Stream_Length(s);
1246 status = freerdp_tls_write_all(tls, Stream_Buffer(s), sz);
1247
1248 Stream_Free(s, TRUE);
1249 return (status >= 0);
1250}
1251
1252static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, UINT32 timeout)
1253{
1254 long status = 0;
1255 BIO* layerBio = NULL;
1256 BIO* bufferedBio = NULL;
1257 rdpTransportLayer* layer = NULL;
1258 rdpSettings* settings = rdg->context->settings;
1259 rdpTransport* transport = freerdp_get_transport(rdg->context);
1260 const char* peerHostname = settings->GatewayHostname;
1261 UINT16 peerPort = (UINT16)settings->GatewayPort;
1262 const char* proxyUsername = NULL;
1263 const char* proxyPassword = NULL;
1264 BOOL isProxyConnection =
1265 proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername, &proxyPassword);
1266
1267 if (settings->GatewayPort > UINT16_MAX)
1268 return FALSE;
1269
1270 layer = transport_connect_layer(transport, peerAddress ? peerAddress : peerHostname, peerPort,
1271 timeout);
1272
1273 if (!layer)
1274 {
1275 return FALSE;
1276 }
1277
1278 layerBio = BIO_new(BIO_s_transport_layer());
1279 if (!layerBio)
1280 {
1281 transport_layer_free(layer);
1282 return FALSE;
1283 }
1284 BIO_set_data(layerBio, layer);
1285
1286 bufferedBio = BIO_new(BIO_s_buffered_socket());
1287 if (!bufferedBio)
1288 {
1289 BIO_free_all(layerBio);
1290 return FALSE;
1291 }
1292
1293 bufferedBio = BIO_push(bufferedBio, layerBio);
1294 status = BIO_set_nonblock(bufferedBio, TRUE);
1295
1296 if (isProxyConnection)
1297 {
1298 if (!proxy_connect(rdg->context, bufferedBio, proxyUsername, proxyPassword,
1299 settings->GatewayHostname, (UINT16)settings->GatewayPort))
1300 {
1301 BIO_free_all(bufferedBio);
1302 return FALSE;
1303 }
1304 }
1305
1306 if (!status)
1307 {
1308 BIO_free_all(bufferedBio);
1309 return FALSE;
1310 }
1311
1312 tls->hostname = settings->GatewayHostname;
1313 tls->port = WINPR_ASSERTING_INT_CAST(int32_t, MIN(UINT16_MAX, settings->GatewayPort));
1314 tls->isGatewayTransport = TRUE;
1315 status = freerdp_tls_connect(tls, bufferedBio);
1316 if (status < 1)
1317 {
1318 rdpContext* context = rdg->context;
1319 if (status < 0)
1320 {
1321 freerdp_set_last_error_if_not(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
1322 }
1323 else
1324 {
1325 freerdp_set_last_error_if_not(context, FREERDP_ERROR_CONNECT_CANCELLED);
1326 }
1327
1328 return FALSE;
1329 }
1330 return (status >= 1);
1331}
1332
1333static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char* method,
1334 const char* peerAddress, UINT32 timeout,
1335 BOOL* rpcFallback)
1336{
1337 char buffer[64] = { 0 };
1338 HttpResponse* response = NULL;
1339
1340 if (!rdg_tls_connect(rdg, tls, peerAddress, timeout))
1341 return FALSE;
1342
1343 WINPR_ASSERT(rpcFallback);
1344 if (rdg->context->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1345 rdg->extAuth = HTTP_EXTENDED_AUTH_BEARER;
1346 if (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
1347 {
1348 if (!rdg_auth_init(rdg, tls, AUTH_PKG))
1349 return FALSE;
1350
1351 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1352 return FALSE;
1353
1354 response = http_response_recv(tls, TRUE);
1355 /* MS RD Gateway seems to just terminate the tls connection without
1356 * sending an answer if it is not happy with the http request */
1357 if (!response)
1358 {
1359 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1360 *rpcFallback = TRUE;
1361 return FALSE;
1362 }
1363
1364 (void)http_response_extract_cookies(response, rdg->http);
1365
1366 const UINT16 StatusCode = http_response_get_status_code(response);
1367 switch (StatusCode)
1368 {
1369 case HTTP_STATUS_GONE:
1370 case HTTP_STATUS_FORBIDDEN:
1371 case HTTP_STATUS_NOT_FOUND:
1372 {
1373 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway does not support HTTP transport.");
1374 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1375 *rpcFallback = TRUE;
1376
1377 http_response_free(response);
1378 return FALSE;
1379 }
1380 case HTTP_STATUS_OK:
1381 break;
1382
1383 case HTTP_STATUS_DENIED:
1384 http_response_log_error_status(rdg->log, WLOG_DEBUG, response);
1385 break;
1386
1387 default:
1388 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1389 break;
1390 }
1391
1392 while (!credssp_auth_is_complete(rdg->auth))
1393 {
1394 if (!rdg_recv_auth_token(rdg->log, rdg->auth, response))
1395 {
1396 http_response_free(response);
1397 return FALSE;
1398 }
1399
1400 if (credssp_auth_have_output_token(rdg->auth))
1401 {
1402 http_response_free(response);
1403
1404 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1405 return FALSE;
1406
1407 response = http_response_recv(tls, TRUE);
1408 if (!response)
1409 {
1410 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1411 *rpcFallback = TRUE;
1412 return FALSE;
1413 }
1414 (void)http_response_extract_cookies(response, rdg->http);
1415 }
1416 }
1417 credssp_auth_free(rdg->auth);
1418 rdg->auth = NULL;
1419 }
1420 else
1421 {
1422 credssp_auth_free(rdg->auth);
1423 rdg->auth = NULL;
1424
1425 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingIdentity))
1426 return FALSE;
1427
1428 response = http_response_recv(tls, TRUE);
1429
1430 if (!response)
1431 {
1432 WLog_Print(rdg->log, WLOG_INFO, "RD Gateway HTTP transport broken.");
1433 *rpcFallback = TRUE;
1434 return FALSE;
1435 }
1436 (void)http_response_extract_cookies(response, rdg->http);
1437 }
1438
1439 const UINT16 statusCode = http_response_get_status_code(response);
1440 const size_t bodyLength = http_response_get_body_length(response);
1441 const TRANSFER_ENCODING encoding = http_response_get_transfer_encoding(response);
1442 const BOOL isWebsocket = http_response_is_websocket(rdg->http, response);
1443
1444 WLog_Print(rdg->log, WLOG_DEBUG, "%s authorization result: %s", method,
1445 freerdp_http_status_string_format(statusCode, buffer, ARRAYSIZE(buffer)));
1446
1447 switch (statusCode)
1448 {
1449 case HTTP_STATUS_OK:
1450 /* old rdg endpoint without websocket support, don't request websocket for RDG_IN_DATA
1451 */
1452 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1453 http_response_free(response);
1454 break;
1455 case HTTP_STATUS_DENIED:
1456 freerdp_set_last_error_log(rdg->context, FREERDP_ERROR_CONNECT_ACCESS_DENIED);
1457 http_response_free(response);
1458 return FALSE;
1459 case HTTP_STATUS_SWITCH_PROTOCOLS:
1460 http_response_free(response);
1461 if (!isWebsocket)
1462 {
1463 /*
1464 * webserver is broken, a fallback may be possible here
1465 * but only if already tested with oppurtonistic upgrade
1466 */
1467 if (http_context_is_websocket_upgrade_enabled(rdg->http))
1468 {
1469 long fd = BIO_get_fd(tls->bio, NULL);
1470 if (fd >= 0)
1471 closesocket((SOCKET)fd);
1472 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1473 return rdg_establish_data_connection(rdg, tls, method, peerAddress, timeout,
1474 rpcFallback);
1475 }
1476 return FALSE;
1477 }
1478
1479 rdg->transferEncoding.isWebsocketTransport = TRUE;
1480 if (!websocket_context_reset(rdg->transferEncoding.context.websocket))
1481 return FALSE;
1482
1483 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1484 {
1485 /* create a new auth context for SSPI_NTLM. This must be done after the last
1486 * rdg_send_http_request */
1487 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1488 return FALSE;
1489 }
1490 return TRUE;
1491 default:
1492 http_response_log_error_status(rdg->log, WLOG_WARN, response);
1493 http_response_free(response);
1494 return FALSE;
1495 }
1496
1497 if (strcmp(method, "RDG_OUT_DATA") == 0)
1498 {
1499 if (encoding == TransferEncodingChunked)
1500 {
1501 rdg->transferEncoding.httpTransferEncoding = TransferEncodingChunked;
1502 rdg->transferEncoding.context.chunked.nextOffset = 0;
1503 rdg->transferEncoding.context.chunked.headerFooterPos = 0;
1504 rdg->transferEncoding.context.chunked.state = ChunkStateLenghHeader;
1505 }
1506 if (!rdg_skip_seed_payload(rdg->context, tls, bodyLength, &rdg->transferEncoding))
1507 {
1508 return FALSE;
1509 }
1510 }
1511 else
1512 {
1513 if (!rdg_send_http_request(rdg, tls, method, TransferEncodingChunked))
1514 return FALSE;
1515
1516 if (rdg->extAuth == HTTP_EXTENDED_AUTH_SSPI_NTLM)
1517 {
1518 /* create a new auth context for SSPI_NTLM. This must be done after the last
1519 * rdg_send_http_request (RDG_IN_DATA is always after RDG_OUT_DATA) */
1520 if (!rdg_auth_init(rdg, tls, NTLM_SSP_NAME))
1521 return FALSE;
1522 }
1523 }
1524
1525 return TRUE;
1526}
1527
1528static BOOL rdg_tunnel_connect(rdpRdg* rdg)
1529{
1530 BOOL status = 0;
1531 wStream* s = NULL;
1532 rdg_send_handshake(rdg);
1533
1534 while (rdg->state < RDG_CLIENT_STATE_OPENED)
1535 {
1536 status = FALSE;
1537 s = rdg_receive_packet(rdg);
1538
1539 if (s)
1540 {
1541 status = rdg_process_packet(rdg, s);
1542 Stream_Free(s, TRUE);
1543 }
1544
1545 if (!status)
1546 {
1547 WINPR_ASSERT(rdg);
1548 WINPR_ASSERT(rdg->context);
1549 WINPR_ASSERT(rdg->context->rdp);
1550 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1551 return FALSE;
1552 }
1553 }
1554
1555 return TRUE;
1556}
1557
1558BOOL rdg_connect(rdpRdg* rdg, DWORD timeout, BOOL* rpcFallback)
1559{
1560 BOOL status = 0;
1561 SOCKET outConnSocket = 0;
1562 char* peerAddress = NULL;
1563 BOOL rpcFallbackLocal = FALSE;
1564
1565 WINPR_ASSERT(rdg != NULL);
1566 freerdp_set_last_error(rdg->context, ERROR_SUCCESS);
1567 status = rdg_establish_data_connection(rdg, rdg->tlsOut, "RDG_OUT_DATA", NULL, timeout,
1568 &rpcFallbackLocal);
1569
1570 if (status)
1571 {
1572 if (rdg->transferEncoding.isWebsocketTransport)
1573 {
1574 WLog_Print(rdg->log, WLOG_DEBUG, "Upgraded to websocket. RDG_IN_DATA not required");
1575 }
1576 else
1577 {
1578 /* Establish IN connection with the same peer/server as OUT connection,
1579 * even when server hostname resolves to different IP addresses.
1580 */
1581 BIO_get_socket(rdg->tlsOut->underlying, &outConnSocket);
1582 peerAddress = freerdp_tcp_get_peer_address(outConnSocket);
1583 status = rdg_establish_data_connection(rdg, rdg->tlsIn, "RDG_IN_DATA", peerAddress,
1584 timeout, &rpcFallbackLocal);
1585 free(peerAddress);
1586 }
1587 }
1588
1589 if (rpcFallback)
1590 *rpcFallback = rpcFallbackLocal;
1591
1592 if (!status)
1593 {
1594 WINPR_ASSERT(rdg);
1595 WINPR_ASSERT(rdg->context);
1596 WINPR_ASSERT(rdg->context->rdp);
1597 if (rpcFallbackLocal)
1598 {
1599 http_context_enable_websocket_upgrade(rdg->http, FALSE);
1600 credssp_auth_free(rdg->auth);
1601 rdg->auth = NULL;
1602 }
1603
1604 transport_set_layer(rdg->context->rdp->transport, TRANSPORT_LAYER_CLOSED);
1605 return FALSE;
1606 }
1607
1608 status = rdg_tunnel_connect(rdg);
1609
1610 if (!status)
1611 return FALSE;
1612
1613 return TRUE;
1614}
1615
1616static int rdg_write_websocket_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1617{
1618 WINPR_ASSERT(rdg);
1619 if (isize < 0)
1620 return -1;
1621
1622 const size_t payloadSize = (size_t)isize + 10;
1623 union
1624 {
1625 UINT32 u32;
1626 UINT8 u8[4];
1627 } maskingKey;
1628
1629 wStream* sWS =
1630 websocket_context_packet_new(payloadSize, WebsocketBinaryOpcode, &maskingKey.u32);
1631 if (!sWS)
1632 return FALSE;
1633
1634 Stream_Write_UINT16(
1635 sWS, WINPR_ASSERTING_INT_CAST(
1636 uint16_t, PKT_TYPE_DATA ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Type */
1637 Stream_Write_UINT16(
1638 sWS, WINPR_ASSERTING_INT_CAST(
1639 uint16_t, 0 ^ (maskingKey.u8[2] | maskingKey.u8[3] << 8))); /* Reserved */
1640 Stream_Write_UINT32(
1641 sWS, WINPR_ASSERTING_INT_CAST(uint32_t, payloadSize ^ maskingKey.u32)); /* Packet length */
1642 Stream_Write_UINT16(
1643 sWS, WINPR_ASSERTING_INT_CAST(
1644 uint16_t, isize ^ (maskingKey.u8[0] | maskingKey.u8[1] << 8))); /* Data size */
1645
1646 /* masking key is now off by 2 bytes. fix that */
1647 maskingKey.u32 = (maskingKey.u32 & 0xffff) << 16 | (maskingKey.u32 >> 16);
1648
1649 WINPR_ASSERT(rdg->tlsOut);
1650 wStream sPacket = { 0 };
1651 Stream_StaticConstInit(&sPacket, buf, (size_t)isize);
1652 if (!websocket_context_mask_and_send(rdg->tlsOut->bio, sWS, &sPacket, maskingKey.u32))
1653 return -1;
1654
1655 return isize;
1656}
1657
1658static int rdg_write_chunked_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1659{
1660 int status = 0;
1661 size_t len = 0;
1662 wStream* sChunk = NULL;
1663
1664 if (isize > UINT16_MAX)
1665 return -1;
1666
1667 const size_t size = (size_t)isize;
1668 if (size < 1)
1669 return 0;
1670
1671 const size_t packetSize = size + 10;
1672 char chunkSize[11] = { 0 };
1673 (void)sprintf_s(chunkSize, sizeof(chunkSize), "%" PRIxz "\r\n", packetSize);
1674 sChunk = Stream_New(NULL, strnlen(chunkSize, sizeof(chunkSize)) + packetSize + 2);
1675
1676 if (!sChunk)
1677 return -1;
1678
1679 Stream_Write(sChunk, chunkSize, strnlen(chunkSize, sizeof(chunkSize)));
1680 Stream_Write_UINT16(sChunk, PKT_TYPE_DATA); /* Type */
1681 Stream_Write_UINT16(sChunk, 0); /* Reserved */
1682 Stream_Write_UINT32(sChunk, (UINT32)packetSize); /* Packet length */
1683 Stream_Write_UINT16(sChunk, (UINT16)size); /* Data size */
1684 Stream_Write(sChunk, buf, size); /* Data */
1685 Stream_Write(sChunk, "\r\n", 2);
1686 Stream_SealLength(sChunk);
1687 len = Stream_Length(sChunk);
1688
1689 status = freerdp_tls_write_all(rdg->tlsIn, Stream_Buffer(sChunk), len);
1690 Stream_Free(sChunk, TRUE);
1691
1692 if (status < 0)
1693 return -1;
1694
1695 return (int)size;
1696}
1697
1698static int rdg_write_data_packet(rdpRdg* rdg, const BYTE* buf, int isize)
1699{
1700 WINPR_ASSERT(rdg);
1701 if (rdg->transferEncoding.isWebsocketTransport)
1702 return rdg_write_websocket_data_packet(rdg, buf, isize);
1703 else
1704 return rdg_write_chunked_data_packet(rdg, buf, isize);
1705}
1706
1707static BOOL rdg_process_close_packet(rdpRdg* rdg, wStream* s)
1708{
1709 int status = -1;
1710 wStream* sClose = NULL;
1711 UINT32 errorCode = 0;
1712 UINT32 packetSize = 12;
1713
1714 /* Read error code */
1715 if (!Stream_CheckAndLogRequiredLengthWLog(rdg->log, s, 4))
1716 return FALSE;
1717 Stream_Read_UINT32(s, errorCode);
1718
1719 if (errorCode != 0)
1720 freerdp_set_last_error_log(rdg->context, errorCode);
1721
1722 sClose = Stream_New(NULL, packetSize);
1723 if (!sClose)
1724 return FALSE;
1725
1726 Stream_Write_UINT16(sClose, PKT_TYPE_CLOSE_CHANNEL_RESPONSE); /* Type */
1727 Stream_Write_UINT16(sClose, 0); /* Reserved */
1728 Stream_Write_UINT32(sClose, packetSize); /* Packet length */
1729 Stream_Write_UINT32(sClose, 0); /* Status code */
1730 Stream_SealLength(sClose);
1731 status = rdg_write_packet(rdg, sClose);
1732 Stream_Free(sClose, TRUE);
1733
1734 return (status < 0 ? FALSE : TRUE);
1735}
1736
1737static BOOL rdg_process_keep_alive_packet(rdpRdg* rdg)
1738{
1739 int status = -1;
1740 wStream* sKeepAlive = NULL;
1741 size_t packetSize = 8;
1742
1743 sKeepAlive = Stream_New(NULL, packetSize);
1744
1745 if (!sKeepAlive)
1746 return FALSE;
1747
1748 Stream_Write_UINT16(sKeepAlive, PKT_TYPE_KEEPALIVE); /* Type */
1749 Stream_Write_UINT16(sKeepAlive, 0); /* Reserved */
1750 Stream_Write_UINT32(sKeepAlive, (UINT32)packetSize); /* Packet length */
1751 Stream_SealLength(sKeepAlive);
1752 status = rdg_write_packet(rdg, sKeepAlive);
1753 Stream_Free(sKeepAlive, TRUE);
1754
1755 return (status < 0 ? FALSE : TRUE);
1756}
1757
1758static BOOL rdg_process_service_message(rdpRdg* rdg, wStream* s)
1759{
1760 const WCHAR* msg = NULL;
1761 UINT16 msgLenBytes = 0;
1762 rdpContext* context = rdg->context;
1763 WINPR_ASSERT(context);
1764 WINPR_ASSERT(context->instance);
1765
1766 /* Read message string */
1767 if (!rdg_read_http_unicode_string(rdg->log, s, &msg, &msgLenBytes))
1768 {
1769 WLog_Print(rdg->log, WLOG_ERROR, "Failed to read string");
1770 return FALSE;
1771 }
1772
1773 return IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance,
1774 GATEWAY_MESSAGE_SERVICE, TRUE, FALSE, msgLenBytes, msg);
1775}
1776
1777static BOOL rdg_process_unknown_packet(rdpRdg* rdg, int type)
1778{
1779 WINPR_UNUSED(rdg);
1780 WINPR_UNUSED(type);
1781 WLog_Print(rdg->log, WLOG_WARN, "Unknown Control Packet received: %" PRIX32,
1782 WINPR_CXX_COMPAT_CAST(UINT32, type));
1783 return TRUE;
1784}
1785
1786static BOOL rdg_process_control_packet(rdpRdg* rdg, int type, size_t packetLength)
1787{
1788 wStream* s = NULL;
1789 size_t readCount = 0;
1790 int status = 0;
1791 size_t payloadSize = packetLength - sizeof(RdgPacketHeader);
1792
1793 if (packetLength < sizeof(RdgPacketHeader))
1794 return FALSE;
1795
1796 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1797 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1798
1799 if (payloadSize)
1800 {
1801 s = Stream_New(NULL, payloadSize);
1802
1803 if (!s)
1804 return FALSE;
1805
1806 while (readCount < payloadSize)
1807 {
1808 if (rdg_shall_abort(rdg))
1809 {
1810 Stream_Free(s, TRUE);
1811 return FALSE;
1812 }
1813 status = rdg_socket_read(rdg->tlsOut->bio, Stream_Pointer(s), payloadSize - readCount,
1814 &rdg->transferEncoding);
1815
1816 if (status <= 0)
1817 {
1818 if (!BIO_should_retry(rdg->tlsOut->bio))
1819 {
1820 Stream_Free(s, TRUE);
1821 return FALSE;
1822 }
1823
1824 continue;
1825 }
1826
1827 Stream_Seek(s, (size_t)status);
1828 readCount += (size_t)status;
1829
1830 if (readCount > INT_MAX)
1831 {
1832 Stream_Free(s, TRUE);
1833 return FALSE;
1834 }
1835 }
1836
1837 Stream_SetPosition(s, 0);
1838 }
1839
1840 switch (type)
1841 {
1842 case PKT_TYPE_CLOSE_CHANNEL:
1843 EnterCriticalSection(&rdg->writeSection);
1844 status = rdg_process_close_packet(rdg, s);
1845 LeaveCriticalSection(&rdg->writeSection);
1846 break;
1847
1848 case PKT_TYPE_KEEPALIVE:
1849 EnterCriticalSection(&rdg->writeSection);
1850 status = rdg_process_keep_alive_packet(rdg);
1851 LeaveCriticalSection(&rdg->writeSection);
1852 break;
1853
1854 case PKT_TYPE_SERVICE_MESSAGE:
1855 if (!s)
1856 {
1857 WLog_Print(rdg->log, WLOG_ERROR,
1858 "PKT_TYPE_SERVICE_MESSAGE requires payload but none was sent");
1859 return FALSE;
1860 }
1861 status = rdg_process_service_message(rdg, s);
1862 break;
1863
1864 case PKT_TYPE_REAUTH_MESSAGE:
1865 default:
1866 status = rdg_process_unknown_packet(rdg, type);
1867 break;
1868 }
1869
1870 Stream_Free(s, TRUE);
1871 return status;
1872}
1873
1874static int rdg_read_data_packet(rdpRdg* rdg, BYTE* buffer, size_t size)
1875{
1876 RdgPacketHeader header = { 0 };
1877 size_t readCount = 0;
1878 size_t readSize = 0;
1879 int status = 0;
1880
1881 if (!rdg->packetRemainingCount)
1882 {
1883 // NOLINTNEXTLINE(bugprone-sizeof-expression)
1884 WINPR_ASSERT(sizeof(RdgPacketHeader) < INT_MAX);
1885
1886 while (readCount < sizeof(RdgPacketHeader))
1887 {
1888 if (rdg_shall_abort(rdg))
1889 return -1;
1890
1891 status = rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&header) + readCount,
1892 sizeof(RdgPacketHeader) - readCount, &rdg->transferEncoding);
1893
1894 if (status <= 0)
1895 {
1896 if (!BIO_should_retry(rdg->tlsOut->bio))
1897 return -1;
1898
1899 if (!readCount)
1900 return 0;
1901
1902 BIO_wait_read(rdg->tlsOut->bio, 50);
1903 continue;
1904 }
1905
1906 readCount += (size_t)status;
1907
1908 if (readCount > INT_MAX)
1909 return -1;
1910 }
1911
1912 if (header.type != PKT_TYPE_DATA)
1913 {
1914 status = rdg_process_control_packet(rdg, header.type, header.packetLength);
1915
1916 if (!status)
1917 return -1;
1918
1919 return 0;
1920 }
1921
1922 readCount = 0;
1923
1924 while (readCount < 2)
1925 {
1926 if (rdg_shall_abort(rdg))
1927 return -1;
1928 status =
1929 rdg_socket_read(rdg->tlsOut->bio, (BYTE*)(&rdg->packetRemainingCount) + readCount,
1930 2 - readCount, &rdg->transferEncoding);
1931
1932 if (status < 0)
1933 {
1934 if (!BIO_should_retry(rdg->tlsOut->bio))
1935 return -1;
1936
1937 BIO_wait_read(rdg->tlsOut->bio, 50);
1938 continue;
1939 }
1940
1941 readCount += (size_t)status;
1942 }
1943 }
1944
1945 readSize = (rdg->packetRemainingCount < size) ? rdg->packetRemainingCount : size;
1946 status = rdg_socket_read(rdg->tlsOut->bio, buffer, readSize, &rdg->transferEncoding);
1947
1948 if (status <= 0)
1949 {
1950 if (!BIO_should_retry(rdg->tlsOut->bio))
1951 {
1952 return -1;
1953 }
1954
1955 return 0;
1956 }
1957
1958 rdg->packetRemainingCount -= status;
1959 return status;
1960}
1961
1962static int rdg_bio_write(BIO* bio, const char* buf, int num)
1963{
1964 int status = 0;
1965 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
1966 if (num < 0)
1967 return num;
1968
1969 BIO_clear_flags(bio, BIO_FLAGS_WRITE);
1970 EnterCriticalSection(&rdg->writeSection);
1971 status = rdg_write_data_packet(rdg, (const BYTE*)buf, num);
1972 LeaveCriticalSection(&rdg->writeSection);
1973
1974 if (status < 0)
1975 {
1976 BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
1977 return -1;
1978 }
1979 else if (status < num)
1980 {
1981 BIO_set_flags(bio, BIO_FLAGS_WRITE);
1982 WSASetLastError(WSAEWOULDBLOCK);
1983 }
1984 else
1985 {
1986 BIO_set_flags(bio, BIO_FLAGS_WRITE);
1987 }
1988
1989 return status;
1990}
1991
1992static int rdg_bio_read(BIO* bio, char* buf, int size)
1993{
1994 int status = 0;
1995 rdpRdg* rdg = (rdpRdg*)BIO_get_data(bio);
1996 if (size < 0)
1997 return size;
1998 status = rdg_read_data_packet(rdg, (BYTE*)buf, (size_t)size);
1999
2000 if (status < 0)
2001 {
2002 BIO_clear_retry_flags(bio);
2003 return -1;
2004 }
2005 else if (status == 0)
2006 {
2007 BIO_set_retry_read(bio);
2008 WSASetLastError(WSAEWOULDBLOCK);
2009 return -1;
2010 }
2011 else
2012 {
2013 BIO_set_flags(bio, BIO_FLAGS_READ);
2014 }
2015
2016 return status;
2017}
2018
2019static int rdg_bio_puts(BIO* bio, const char* str)
2020{
2021 WINPR_UNUSED(bio);
2022 WINPR_UNUSED(str);
2023 return -2;
2024}
2025
2026// NOLINTNEXTLINE(readability-non-const-parameter)
2027static int rdg_bio_gets(BIO* bio, char* str, int size)
2028{
2029 WINPR_UNUSED(bio);
2030 WINPR_UNUSED(str);
2031 WINPR_UNUSED(size);
2032 return -2;
2033}
2034
2035static long rdg_bio_ctrl(BIO* in_bio, int cmd, long arg1, void* arg2)
2036{
2037 long status = -1;
2038 rdpRdg* rdg = (rdpRdg*)BIO_get_data(in_bio);
2039 rdpTls* tlsOut = rdg->tlsOut;
2040 rdpTls* tlsIn = rdg->tlsIn;
2041
2042 if (cmd == BIO_CTRL_FLUSH)
2043 {
2044 (void)BIO_flush(tlsOut->bio);
2045 if (!rdg->transferEncoding.isWebsocketTransport)
2046 (void)BIO_flush(tlsIn->bio);
2047 status = 1;
2048 }
2049 else if (cmd == BIO_C_SET_NONBLOCK)
2050 {
2051 status = 1;
2052 }
2053 else if (cmd == BIO_C_READ_BLOCKED)
2054 {
2055 BIO* cbio = tlsOut->bio;
2056 status = BIO_read_blocked(cbio);
2057 }
2058 else if (cmd == BIO_C_WRITE_BLOCKED)
2059 {
2060 BIO* cbio = tlsIn->bio;
2061
2062 if (rdg->transferEncoding.isWebsocketTransport)
2063 cbio = tlsOut->bio;
2064
2065 status = BIO_write_blocked(cbio);
2066 }
2067 else if (cmd == BIO_C_WAIT_READ)
2068 {
2069 int timeout = (int)arg1;
2070 BIO* cbio = tlsOut->bio;
2071
2072 if (BIO_read_blocked(cbio))
2073 return BIO_wait_read(cbio, timeout);
2074 else if (BIO_write_blocked(cbio))
2075 return BIO_wait_write(cbio, timeout);
2076 else
2077 status = 1;
2078 }
2079 else if (cmd == BIO_C_WAIT_WRITE)
2080 {
2081 int timeout = (int)arg1;
2082 BIO* cbio = tlsIn->bio;
2083
2084 if (rdg->transferEncoding.isWebsocketTransport)
2085 cbio = tlsOut->bio;
2086
2087 if (BIO_write_blocked(cbio))
2088 status = BIO_wait_write(cbio, timeout);
2089 else if (BIO_read_blocked(cbio))
2090 status = BIO_wait_read(cbio, timeout);
2091 else
2092 status = 1;
2093 }
2094 else if (cmd == BIO_C_GET_EVENT || cmd == BIO_C_GET_FD)
2095 {
2096 /*
2097 * A note about BIO_C_GET_FD:
2098 * Even if two FDs are part of RDG, only one FD can be returned here.
2099 *
2100 * In FreeRDP, BIO FDs are only used for polling, so it is safe to use the outgoing FD only
2101 *
2102 * See issue #3602
2103 */
2104 status = BIO_ctrl(tlsOut->bio, cmd, arg1, arg2);
2105 }
2106#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2107 else if (cmd == BIO_CTRL_GET_KTLS_SEND)
2108 {
2109 /* Even though BIO_get_ktls_send says that returning negative values is valid
2110 * openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
2111 * nasty sideeffects. return 0 as proper no KTLS offloading flag
2112 */
2113 status = 0;
2114 }
2115 else if (cmd == BIO_CTRL_GET_KTLS_RECV)
2116 {
2117 /* Even though BIO_get_ktls_recv says that returning negative values is valid
2118 * there is no reason to trust trust negative values are implemented right everywhere
2119 */
2120 status = 0;
2121 }
2122#endif
2123 return status;
2124}
2125
2126static int rdg_bio_new(BIO* bio)
2127{
2128 BIO_set_init(bio, 1);
2129 BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
2130 return 1;
2131}
2132
2133static int rdg_bio_free(BIO* bio)
2134{
2135 WINPR_UNUSED(bio);
2136 return 1;
2137}
2138
2139static BIO_METHOD* BIO_s_rdg(void)
2140{
2141 static BIO_METHOD* bio_methods = NULL;
2142
2143 if (bio_methods == NULL)
2144 {
2145 if (!(bio_methods = BIO_meth_new(BIO_TYPE_TSG, "RDGateway")))
2146 return NULL;
2147
2148 BIO_meth_set_write(bio_methods, rdg_bio_write);
2149 BIO_meth_set_read(bio_methods, rdg_bio_read);
2150 BIO_meth_set_puts(bio_methods, rdg_bio_puts);
2151 BIO_meth_set_gets(bio_methods, rdg_bio_gets);
2152 BIO_meth_set_ctrl(bio_methods, rdg_bio_ctrl);
2153 BIO_meth_set_create(bio_methods, rdg_bio_new);
2154 BIO_meth_set_destroy(bio_methods, rdg_bio_free);
2155 }
2156
2157 return bio_methods;
2158}
2159
2160rdpRdg* rdg_new(rdpContext* context)
2161{
2162 if (!context)
2163 return NULL;
2164
2165 rdpRdg* rdg = (rdpRdg*)calloc(1, sizeof(rdpRdg));
2166 if (!rdg)
2167 return NULL;
2168
2169 rdg->log = WLog_Get(TAG);
2170 rdg->state = RDG_CLIENT_STATE_INITIAL;
2171 rdg->context = context;
2172 rdg->extAuth =
2173 (rdg->context->settings->GatewayHttpExtAuthSspiNtlm ? HTTP_EXTENDED_AUTH_SSPI_NTLM
2174 : HTTP_EXTENDED_AUTH_NONE);
2175
2176 if (rdg->context->settings->GatewayAccessToken)
2177 rdg->extAuth = HTTP_EXTENDED_AUTH_PAA;
2178
2179 UuidCreate(&rdg->guid);
2180
2181 rdg->tlsOut = freerdp_tls_new(rdg->context);
2182
2183 if (!rdg->tlsOut)
2184 goto rdg_alloc_error;
2185
2186 rdg->tlsIn = freerdp_tls_new(rdg->context);
2187
2188 if (!rdg->tlsIn)
2189 goto rdg_alloc_error;
2190
2191 rdg->http = http_context_new();
2192
2193 if (!rdg->http)
2194 goto rdg_alloc_error;
2195
2196 if (!http_context_set_uri(rdg->http, "/remoteDesktopGateway/") ||
2197 !http_context_set_accept(rdg->http, "*/*") ||
2198 !http_context_set_cache_control(rdg->http, "no-cache") ||
2199 !http_context_set_pragma(rdg->http, "no-cache") ||
2200 !http_context_set_connection(rdg->http, "Keep-Alive") ||
2201 !http_context_set_user_agent(rdg->http, "MS-RDGateway/1.0") ||
2202 !http_context_set_host(rdg->http, rdg->context->settings->GatewayHostname) ||
2203 !http_context_set_rdg_connection_id(rdg->http, &rdg->guid) ||
2204 !http_context_set_rdg_correlation_id(rdg->http, &rdg->guid) ||
2205 !http_context_enable_websocket_upgrade(
2206 rdg->http,
2207 freerdp_settings_get_bool(rdg->context->settings, FreeRDP_GatewayHttpUseWebsockets)))
2208 {
2209 goto rdg_alloc_error;
2210 }
2211
2212 if (rdg->extAuth != HTTP_EXTENDED_AUTH_NONE)
2213 {
2214 switch (rdg->extAuth)
2215 {
2216 case HTTP_EXTENDED_AUTH_PAA:
2217 if (!http_context_set_rdg_auth_scheme(rdg->http, "PAA"))
2218 goto rdg_alloc_error;
2219
2220 break;
2221
2222 case HTTP_EXTENDED_AUTH_SSPI_NTLM:
2223 if (!http_context_set_rdg_auth_scheme(rdg->http, "SSPI_NTLM"))
2224 goto rdg_alloc_error;
2225
2226 break;
2227
2228 default:
2229 WLog_Print(rdg->log, WLOG_DEBUG,
2230 "RDG extended authentication method %d not supported", rdg->extAuth);
2231 }
2232 }
2233
2234 rdg->frontBio = BIO_new(BIO_s_rdg());
2235
2236 if (!rdg->frontBio)
2237 goto rdg_alloc_error;
2238
2239 BIO_set_data(rdg->frontBio, rdg);
2240 InitializeCriticalSection(&rdg->writeSection);
2241
2242 rdg->transferEncoding.httpTransferEncoding = TransferEncodingIdentity;
2243 rdg->transferEncoding.isWebsocketTransport = FALSE;
2244
2245 rdg->transferEncoding.context.websocket = websocket_context_new();
2246 if (!rdg->transferEncoding.context.websocket)
2247 goto rdg_alloc_error;
2248
2249 return rdg;
2250rdg_alloc_error:
2251 WINPR_PRAGMA_DIAG_PUSH
2252 WINPR_PRAGMA_DIAG_IGNORED_MISMATCHED_DEALLOC
2253 rdg_free(rdg);
2254 WINPR_PRAGMA_DIAG_POP
2255 return NULL;
2256}
2257
2258void rdg_free(rdpRdg* rdg)
2259{
2260 if (!rdg)
2261 return;
2262
2263 freerdp_tls_free(rdg->tlsOut);
2264 freerdp_tls_free(rdg->tlsIn);
2265 http_context_free(rdg->http);
2266 credssp_auth_free(rdg->auth);
2267
2268 if (!rdg->attached)
2269 BIO_free_all(rdg->frontBio);
2270
2271 DeleteCriticalSection(&rdg->writeSection);
2272
2273 smartcardCertInfo_Free(rdg->smartcard);
2274
2275 websocket_context_free(rdg->transferEncoding.context.websocket);
2276
2277 free(rdg);
2278}
2279
2280BIO* rdg_get_front_bio_and_take_ownership(rdpRdg* rdg)
2281{
2282 if (!rdg)
2283 return NULL;
2284
2285 rdg->attached = TRUE;
2286 return rdg->frontBio;
2287}
freerdp_settings_get_bool
FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.
freerdp_settings_get_string_as_utf16
FREERDP_API WCHAR * freerdp_settings_get_string_as_utf16(const rdpSettings *settings, FreeRDP_Settings_Keys_String id, size_t *pCharLen)
Return an allocated UTF16 string.
Definition common/settings.c:2298
RTL_CRITICAL_SECTION
Definition include/winpr/synch.h:158
UUID
Definition wtypes.h:254
http_encoding_chunked_context
Definition libfreerdp/core/gateway/http.h:46