FreeRDP
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Modules Pages
redirection.c
1
22#include <freerdp/config.h>
23
24#include "settings.h"
25
26#include <winpr/crt.h>
27#include <winpr/string.h>
28#include <freerdp/log.h>
29#include <freerdp/crypto/certificate.h>
30#include <freerdp/redirection.h>
31#include <freerdp/utils/string.h>
32
33#include "../crypto/certificate.h"
34#include "redirection.h"
35#include "utils.h"
36
37#define TAG FREERDP_TAG("core.redirection")
38
39struct rdp_redirection
40{
41 UINT32 flags;
42 UINT32 sessionID;
43 BYTE* TsvUrl;
44 UINT32 TsvUrlLength;
45 char* Username;
46 char* Domain;
47 BYTE* Password;
48 UINT32 PasswordLength;
49 char* TargetFQDN;
50 BYTE* LoadBalanceInfo;
51 UINT32 LoadBalanceInfoLength;
52 char* TargetNetBiosName;
53 char* TargetNetAddress;
54 UINT32 TargetNetAddressesCount;
55 char** TargetNetAddresses;
56 UINT32 RedirectionGuidLength;
57 BYTE* RedirectionGuid;
58
59 rdpCertificate* TargetCertificate;
60};
61
62static void redirection_free_array(char*** what, UINT32* count)
63{
64 WINPR_ASSERT(what);
65 WINPR_ASSERT(count);
66
67 if (*what)
68 {
69 for (UINT32 x = 0; x < *count; x++)
70 free((*what)[x]);
71 free((void*)*what);
72 }
73
74 *what = NULL;
75 *count = 0;
76}
77
78static void redirection_free_string(char** str)
79{
80 WINPR_ASSERT(str);
81 free(*str);
82 *str = NULL;
83}
84
85static void redirection_free_data(BYTE** str, UINT32* length)
86{
87 WINPR_ASSERT(str);
88 free(*str);
89 if (length)
90 *length = 0;
91 *str = NULL;
92}
93
94static BOOL redirection_copy_string(char** dst, const char* str)
95{
96 redirection_free_string(dst);
97 if (!str)
98 return TRUE;
99
100 *dst = _strdup(str);
101 return *dst != NULL;
102}
103
104static BOOL redirection_copy_data(BYTE** dst, UINT32* plen, const BYTE* str, size_t len)
105{
106 redirection_free_data(dst, plen);
107
108 if (!str || (len == 0))
109 return TRUE;
110 if (len > UINT32_MAX)
111 return FALSE;
112
113 *dst = malloc(len);
114 if (!*dst)
115 return FALSE;
116 memcpy(*dst, str, len);
117 *plen = (UINT32)len;
118 return *dst != NULL;
119}
120
121static BOOL redirection_copy_array(char*** dst, UINT32* plen, const char** str, size_t len)
122{
123 redirection_free_array(dst, plen);
124
125 if (len > UINT32_MAX)
126 return FALSE;
127 if (!str || (len == 0))
128 return TRUE;
129
130 *dst = (char**)calloc(len, sizeof(char*));
131 if (!*dst)
132 return FALSE;
133 *plen = (UINT32)len;
134
135 for (size_t x = 0; x < len; x++)
136 {
137 if (str[x])
138 (*dst)[x] = _strdup(str[x]);
139
140 if (!((*dst)[x]))
141 {
142 redirection_free_array(dst, plen);
143 return FALSE;
144 }
145 }
146
147 return *dst != NULL;
148}
149
150static BOOL rdp_redirection_get_data(wStream* s, UINT32* pLength, const BYTE** pData)
151{
152 WINPR_ASSERT(pLength);
153 WINPR_ASSERT(pData);
154
155 if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
156 return FALSE;
157
158 Stream_Read_UINT32(s, *pLength);
159
160 if (!Stream_CheckAndLogRequiredLength(TAG, s, *pLength))
161 return FALSE;
162
163 *pData = Stream_ConstPointer(s);
164 Stream_Seek(s, *pLength);
165 return TRUE;
166}
167
168static BOOL rdp_redirection_read_unicode_string(wStream* s, char** str, size_t maxLength)
169{
170 UINT32 length = 0;
171 const BYTE* data = NULL;
172
173 if (!rdp_redirection_get_data(s, &length, &data))
174 return FALSE;
175
176 const WCHAR* wstr = (const WCHAR*)data;
177
178 if ((length % 2) || length < 2 || length > maxLength)
179 {
180 WLog_ERR(TAG, "failure: invalid unicode string length: %" PRIu32 "", length);
181 return FALSE;
182 }
183
184 if (wstr[length / 2 - 1])
185 {
186 WLog_ERR(TAG, "failure: unterminated unicode string");
187 return FALSE;
188 }
189
190 redirection_free_string(str);
191 *str = ConvertWCharNToUtf8Alloc(wstr, length / sizeof(WCHAR), NULL);
192 if (!*str)
193 {
194 WLog_ERR(TAG, "failure: string conversion failed");
195 return FALSE;
196 }
197
198 return TRUE;
199}
200
201static BOOL rdp_redirection_write_data(wStream* s, size_t length, const void* data)
202{
203 WINPR_ASSERT(data || (length == 0));
204 WINPR_ASSERT(length <= UINT32_MAX);
205
206 if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 4))
207 return FALSE;
208
209 Stream_Write_UINT32(s, (UINT32)length);
210
211 if (!Stream_CheckAndLogRequiredCapacity(TAG, s, length))
212 return FALSE;
213
214 Stream_Write(s, data, length);
215 return TRUE;
216}
217
218static BOOL rdp_redirection_write_base64_wchar(WINPR_ATTR_UNUSED UINT32 flag, wStream* s,
219 size_t length, const void* data)
220{
221 BOOL rc = FALSE;
222
223 char* base64 = crypto_base64_encode(data, length);
224 if (!base64)
225 return FALSE;
226
227 size_t wbase64len = 0;
228 WCHAR* wbase64 = ConvertUtf8ToWCharAlloc(base64, &wbase64len);
229 free(base64);
230 if (!wbase64)
231 return FALSE;
232
233 rc = rdp_redirection_write_data(s, wbase64len * sizeof(WCHAR), wbase64);
234 free(wbase64);
235 return rc;
236}
237
238static BOOL rdp_redirection_read_base64_wchar(UINT32 flag, wStream* s, UINT32* pLength,
239 BYTE** pData)
240{
241 BOOL rc = FALSE;
242 char buffer[64] = { 0 };
243 const BYTE* ptr = NULL;
244
245 if (!rdp_redirection_get_data(s, pLength, &ptr))
246 return FALSE;
247 const WCHAR* wchar = (const WCHAR*)ptr;
248
249 size_t utf8_len = 0;
250 char* utf8 = ConvertWCharNToUtf8Alloc(wchar, *pLength / sizeof(WCHAR), &utf8_len);
251 if (!utf8)
252 goto fail;
253
254 redirection_free_data(pData, NULL);
255
256 utf8_len = strnlen(utf8, utf8_len);
257 *pData = NULL;
258 if (utf8_len > 0)
259 *pData = calloc(utf8_len, sizeof(BYTE));
260 if (!*pData)
261 goto fail;
262
263 size_t rlen = utf8_len;
264 size_t wpos = 0;
265 char* saveptr = NULL;
266 char* tok = strtok_s(utf8, "\r\n", &saveptr);
267 while (tok)
268 {
269 const size_t len = strnlen(tok, rlen);
270 rlen -= len;
271
272 size_t bplen = 0;
273 BYTE* bptr = NULL;
274 crypto_base64_decode(tok, len, &bptr, &bplen);
275 if (!bptr)
276 goto fail;
277 memcpy(&(*pData)[wpos], bptr, bplen);
278 wpos += bplen;
279 free(bptr);
280
281 tok = strtok_s(NULL, "\r\n", &saveptr);
282 }
283 if (wpos > UINT32_MAX)
284 goto fail;
285
286 *pLength = (UINT32)wpos;
287
288 WLog_DBG(TAG, "%s:", rdp_redirection_flags_to_string(flag, buffer, sizeof(buffer)));
289
290 rc = TRUE;
291fail:
292 if (!rc)
293 WLog_ERR(TAG, "failed to read base64 data");
294 free(utf8);
295 return rc;
296}
297
298static BOOL rdp_target_cert_get_element(wStream* s, UINT32* pType, UINT32* pEncoding,
299 const BYTE** ptr, size_t* pLength)
300{
301 WINPR_ASSERT(pType);
302 WINPR_ASSERT(pEncoding);
303 WINPR_ASSERT(ptr);
304 WINPR_ASSERT(pLength);
305
306 if (!Stream_CheckAndLogRequiredLength(TAG, s, 12))
307 return FALSE;
308
309 UINT32 type = 0;
310 UINT32 encoding = 0;
311 UINT32 elementSize = 0;
312
313 Stream_Read_UINT32(s, type);
314 Stream_Read_UINT32(s, encoding);
315 Stream_Read_UINT32(s, elementSize);
316
317 if (!Stream_CheckAndLogRequiredLength(TAG, s, elementSize))
318 return FALSE;
319
320 *ptr = Stream_ConstPointer(s);
321 *pLength = elementSize;
322 Stream_Seek(s, elementSize);
323
324 *pType = type;
325 *pEncoding = encoding;
326 return TRUE;
327}
328
329static BOOL rdp_target_cert_write_element(wStream* s, UINT32 Type, UINT32 Encoding,
330 const BYTE* data, size_t length)
331{
332 WINPR_ASSERT(data || (length == 0));
333 WINPR_ASSERT(length <= UINT32_MAX);
334
335 if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 12))
336 return FALSE;
337
338 Stream_Write_UINT32(s, Type);
339 Stream_Write_UINT32(s, Encoding);
340 Stream_Write_UINT32(s, (UINT32)length);
341
342 if (!Stream_CheckAndLogRequiredCapacity(TAG, s, length))
343 return FALSE;
344
345 Stream_Write(s, data, length);
346 return TRUE;
347}
348
349BOOL rdp_redirection_read_target_cert(rdpCertificate** ptargetCertificate, const BYTE* data,
350 size_t length)
351{
352 WINPR_ASSERT(ptargetCertificate);
353
354 wStream sbuffer = { 0 };
355 wStream* s = Stream_StaticConstInit(&sbuffer, data, length);
356
357 freerdp_certificate_free(*ptargetCertificate);
358 *ptargetCertificate = NULL;
359
360 size_t plength = 0;
361 const BYTE* ptr = NULL;
362 while (Stream_GetRemainingLength(s) > 0)
363 {
364 UINT32 type = 0;
365 UINT32 encoding = 0;
366 if (!rdp_target_cert_get_element(s, &type, &encoding, &ptr, &plength))
367 return FALSE;
368
369 switch (type)
370 {
371 case CERT_cert_file_element:
372 if (encoding == ENCODING_TYPE_ASN1_DER)
373 {
374 if (*ptargetCertificate)
375 WLog_WARN(TAG, "Duplicate TargetCertificate in data detected!");
376 else
377 {
378 *ptargetCertificate = freerdp_certificate_new_from_der(ptr, plength);
379 if (!*ptargetCertificate)
380 WLog_ERR(TAG, "TargetCertificate parsing DER data failed");
381 }
382 }
383 else
384 {
385 WLog_ERR(TAG,
386 "TargetCertificate data in unknown encoding %" PRIu32 " detected!");
387 }
388 break;
389 default: /* ignore unknown fields */
390 WLog_VRB(TAG,
391 "Unknown TargetCertificate field type %" PRIu32 ", encoding %" PRIu32
392 " of length %" PRIu32,
393 type, encoding, plength);
394 break;
395 }
396 }
397
398 return *ptargetCertificate != NULL;
399}
400
401static BOOL rdp_redirection_write_target_cert(wStream* s, const rdpRedirection* redirection)
402{
403 BOOL rc = FALSE;
404 WINPR_ASSERT(redirection);
405
406 const rdpCertificate* cert = redirection->TargetCertificate;
407 if (!cert)
408 return FALSE;
409
410 size_t derlen = 0;
411
412 BYTE* der = freerdp_certificate_get_der(cert, &derlen);
413 if (!rdp_target_cert_write_element(s, CERT_cert_file_element, ENCODING_TYPE_ASN1_DER, der,
414 derlen))
415 goto fail;
416
417 rc = TRUE;
418
419fail:
420 free(der);
421 return rc;
422}
423
424static BOOL rdp_redireciton_write_target_cert_stream(wStream* s, const rdpRedirection* redirection)
425{
426 BOOL rc = FALSE;
427 wStream* serialized = Stream_New(NULL, 2048);
428 if (!serialized)
429 goto fail;
430
431 if (!rdp_redirection_write_target_cert(serialized, redirection))
432 goto fail;
433
434 rc = rdp_redirection_write_base64_wchar(
435 LB_TARGET_CERTIFICATE, s, Stream_GetPosition(serialized), Stream_Buffer(serialized));
436
437fail:
438 Stream_Free(serialized, TRUE);
439 return rc;
440}
441
442static BOOL rdp_redirection_read_target_cert_stream(wStream* s, rdpRedirection* redirection)
443{
444 UINT32 length = 0;
445 BYTE* ptr = NULL;
446
447 WINPR_ASSERT(redirection);
448
449 BOOL rc = FALSE;
450 if (rdp_redirection_read_base64_wchar(LB_TARGET_CERTIFICATE, s, &length, &ptr))
451 rc = rdp_redirection_read_target_cert(&redirection->TargetCertificate, ptr, length);
452 free(ptr);
453 return rc;
454}
455
456int rdp_redirection_apply_settings(rdpRdp* rdp)
457{
458 rdpSettings* settings = NULL;
459 rdpRedirection* redirection = NULL;
460
461 if (!rdp_reset_runtime_settings(rdp))
462 return -1;
463
464 settings = rdp->settings;
465 WINPR_ASSERT(settings);
466
467 redirection = rdp->redirection;
468 WINPR_ASSERT(redirection);
469
470 settings->RedirectionFlags = redirection->flags;
471 settings->RedirectedSessionId = redirection->sessionID;
472
473 if (settings->RedirectionFlags & LB_TARGET_NET_ADDRESS)
474 {
475 if (!freerdp_settings_set_string(settings, FreeRDP_TargetNetAddress,
476 redirection->TargetNetAddress))
477 return -1;
478 }
479
480 if (settings->RedirectionFlags & LB_USERNAME)
481 {
482 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionUsername,
483 redirection->Username))
484 return -1;
485 }
486
487 if (settings->RedirectionFlags & LB_DOMAIN)
488 {
489 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionDomain, redirection->Domain))
490 return -1;
491 }
492
493 if (settings->RedirectionFlags & LB_PASSWORD)
494 {
495 /* Password may be a cookie without a null terminator */
496 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionPassword,
497 redirection->Password, redirection->PasswordLength))
498 return -1;
499 }
500
501 if (settings->RedirectionFlags & LB_DONTSTOREUSERNAME)
502 {
503 // TODO
504 }
505
506 if (settings->RedirectionFlags & LB_SMARTCARD_LOGON)
507 {
508 // TODO
509 }
510
511 if (settings->RedirectionFlags & LB_NOREDIRECT)
512 {
513 // TODO
514 }
515
516 if (settings->RedirectionFlags & LB_TARGET_FQDN)
517 {
518 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionTargetFQDN,
519 redirection->TargetFQDN))
520 return -1;
521 }
522
523 if (settings->RedirectionFlags & LB_TARGET_NETBIOS_NAME)
524 {
525 if (!freerdp_settings_set_string(settings, FreeRDP_RedirectionTargetNetBiosName,
526 redirection->TargetNetBiosName))
527 return -1;
528 }
529
530 if (settings->RedirectionFlags & LB_TARGET_NET_ADDRESSES)
531 {
532 if (!freerdp_target_net_addresses_copy(settings, redirection->TargetNetAddresses,
533 redirection->TargetNetAddressesCount))
534 return -1;
535 }
536
537 if (settings->RedirectionFlags & LB_CLIENT_TSV_URL)
538 {
539 /* TsvUrl may not contain a null terminator */
540 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionTsvUrl,
541 redirection->TsvUrl, redirection->TsvUrlLength))
542 return -1;
543
544 const size_t lblen = freerdp_settings_get_uint32(settings, FreeRDP_LoadBalanceInfoLength);
545 const char* lb = freerdp_settings_get_pointer(settings, FreeRDP_LoadBalanceInfo);
546 if (lblen > 0)
547 {
548 BOOL valid = TRUE;
549 size_t tsvlen = 0;
550
551 char* tsv =
552 ConvertWCharNToUtf8Alloc((const WCHAR*)redirection->TsvUrl,
553 redirection->TsvUrlLength / sizeof(WCHAR), &tsvlen);
554 if (!tsv || !lb)
555 valid = FALSE;
556 else if (tsvlen != lblen)
557 valid = FALSE;
558 else if (memcmp(tsv, lb, lblen) != 0)
559 valid = FALSE;
560
561 if (!valid)
562 {
563 WLog_ERR(TAG,
564 "[redirection] Expected TsvUrl '%s' [%" PRIuz "], but got '%s' [%" PRIuz
565 "]",
566 lb, lblen, tsv, tsvlen);
567 }
568 free(tsv);
569
570 if (!valid)
571 return -2;
572 }
573 }
574
575 if (settings->RedirectionFlags & LB_SERVER_TSV_CAPABLE)
576 {
577 // TODO
578 }
579
580 if (settings->RedirectionFlags & LB_LOAD_BALANCE_INFO)
581 {
582 /* LoadBalanceInfo may not contain a null terminator */
583 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_LoadBalanceInfo,
584 redirection->LoadBalanceInfo,
585 redirection->LoadBalanceInfoLength))
586 return -1;
587 }
588 else
589 {
594 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_LoadBalanceInfo, NULL, 0))
595 return -1;
596 }
597
598 if (settings->RedirectionFlags & LB_PASSWORD_IS_PK_ENCRYPTED)
599 {
600 // TODO
601 }
602
603 if (settings->RedirectionFlags & LB_REDIRECTION_GUID)
604 {
605 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RedirectionGuid,
606 redirection->RedirectionGuid,
607 redirection->RedirectionGuidLength))
608 return -1;
609 }
610
611 if (settings->RedirectionFlags & LB_TARGET_CERTIFICATE)
612 {
613 rdpCertificate* cert = freerdp_certificate_clone(redirection->TargetCertificate);
614 if (!freerdp_settings_set_pointer(settings, FreeRDP_RedirectionTargetCertificate, cert))
615 return -1;
616
617 BOOL pres = FALSE;
618 size_t length = 0;
619 char* pem = freerdp_certificate_get_pem(cert, &length);
620 if (pem && (length <= UINT32_MAX))
621 {
622 pres = freerdp_settings_set_string_len(settings, FreeRDP_RedirectionAcceptedCert, pem,
623 length);
624 if (pres)
625 pres = freerdp_settings_set_uint32(settings, FreeRDP_RedirectionAcceptedCertLength,
626 (UINT32)length);
627 }
628 free(pem);
629 if (!pres)
630 return -1;
631 }
632
633 return 0;
634}
635
636static BOOL rdp_redirection_read_data(UINT32 flag, wStream* s, UINT32* pLength, BYTE** pData)
637{
638 char buffer[64] = { 0 };
639 const BYTE* ptr = NULL;
640
641 if (!rdp_redirection_get_data(s, pLength, &ptr))
642 return FALSE;
643
644 redirection_free_data(pData, NULL);
645 *pData = (BYTE*)malloc(*pLength);
646
647 if (!*pData)
648 return FALSE;
649 memcpy(*pData, ptr, *pLength);
650
651 WLog_DBG(TAG, "%s:", rdp_redirection_flags_to_string(flag, buffer, sizeof(buffer)));
652
653 return TRUE;
654}
655
656static state_run_t rdp_recv_server_redirection_pdu(rdpRdp* rdp, wStream* s)
657{
658 char buffer[256] = { 0 };
659 UINT16 flags = 0;
660 UINT16 length = 0;
661 rdpRedirection* redirection = rdp->redirection;
662
663 if (!Stream_CheckAndLogRequiredLength(TAG, s, 12))
664 return STATE_RUN_FAILED;
665
666 Stream_Read_UINT16(s, flags); /* flags (2 bytes) */
667 if (flags != SEC_REDIRECTION_PKT)
668 {
669 char buffer1[1024] = { 0 };
670 char buffer2[1024] = { 0 };
671 WLog_ERR(TAG, "received invalid flags=%s, expected %s",
672 rdp_security_flag_string(flags, buffer1, sizeof(buffer1)),
673 rdp_security_flag_string(SEC_REDIRECTION_PKT, buffer2, sizeof(buffer2)));
674 return STATE_RUN_FAILED;
675 }
676 Stream_Read_UINT16(s, length); /* length (2 bytes) */
677 Stream_Read_UINT32(s, redirection->sessionID); /* sessionID (4 bytes) */
678 Stream_Read_UINT32(s, redirection->flags); /* redirFlags (4 bytes) */
679 WLog_INFO(TAG,
680 "flags: 0x%04" PRIX16 ", length: %" PRIu16 ", sessionID: 0x%08" PRIX32
681 ", redirFlags: %s [0x%08" PRIX32 "]",
682 flags, length, redirection->sessionID,
683 rdp_redirection_flags_to_string(redirection->flags, buffer, sizeof(buffer)),
684 redirection->flags);
685
686 /* Although MS-RDPBCGR does not mention any length constraints limits for the
687 * variable length null-terminated unicode strings in the RDP_SERVER_REDIRECTION_PACKET
688 * structure we will use the following limits in bytes including the null terminator:
689 *
690 * TargetNetAddress: 80 bytes
691 * UserName: 512 bytes
692 * Domain: 52 bytes
693 * Password(Cookie): 512 bytes
694 * TargetFQDN: 512 bytes
695 * TargetNetBiosName: 32 bytes
696 */
697
698 if (redirection->flags & LB_TARGET_NET_ADDRESS)
699 {
700 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetNetAddress), 80))
701 return STATE_RUN_FAILED;
702 }
703
704 if (redirection->flags & LB_LOAD_BALANCE_INFO)
705 {
706 /* See [MSFT-SDLBTS] (a.k.a. TS_Session_Directory.doc)
707 * load balance info example data:
708 * 0000 43 6f 6f 6b 69 65 3a 20 6d 73 74 73 3d 32 31 33 Cookie: msts=213
709 * 0010 34 30 32 36 34 33 32 2e 31 35 36 32 39 2e 30 30 4026432.15629.00
710 * 0020 30 30 0d 0a 00..
711 */
712 if (!rdp_redirection_read_data(LB_LOAD_BALANCE_INFO, s, &redirection->LoadBalanceInfoLength,
713 &redirection->LoadBalanceInfo))
714 return STATE_RUN_FAILED;
715 }
716
717 if (redirection->flags & LB_USERNAME)
718 {
719 if (!rdp_redirection_read_unicode_string(s, &(redirection->Username), 512))
720 return STATE_RUN_FAILED;
721
722 WLog_DBG(TAG, "Username: %s", redirection->Username);
723 }
724
725 if (redirection->flags & LB_DOMAIN)
726 {
727 if (!rdp_redirection_read_unicode_string(s, &(redirection->Domain), 52))
728 return STATE_RUN_FAILED;
729
730 WLog_DBG(TAG, "Domain: %s", redirection->Domain);
731 }
732
733 if (redirection->flags & LB_PASSWORD)
734 {
735 /* Note: Password is a variable-length array of bytes containing the
736 * password used by the user in Unicode format, including a null-terminator
737 * or (!) or a cookie value that MUST be passed to the target server on
738 * successful connection.
739 * Since the format of the password cookie (probably some salted hash) is
740 * currently unknown we'll treat it as opaque data. All cookies seen so far
741 * are 120 bytes including \0\0 termination.
742 * Here is an observed example of a redirection password cookie:
743 *
744 * 0000 02 00 00 80 44 53 48 4c 60 ab 69 2f 07 d6 9e 2d ....DSHL`.i/...-
745 * 0010 f0 3a 97 3b a9 c5 ec 7e 66 bd b3 84 6c b1 ef b9 .:.;...~f...l...
746 * 0020 b6 82 4e cc 3a df 64 b7 7b 25 04 54 c2 58 98 f8 ..N.:.d.{%.T.X..
747 * 0030 97 87 d4 93 c7 c1 e1 5b c2 85 f8 22 49 1f 81 88 .......[..."I...
748 * 0040 43 44 83 f6 9a 72 40 24 dc 4d 43 cb d9 92 3c 8f CD...r@$.MC...<.
749 * 0050 3a 37 5c 77 13 a0 72 3c 72 08 64 2a 29 fb dc eb :7\w..r<r.d*)...
750 * 0060 0d 2b 06 b4 c6 08 b4 73 34 16 93 62 6d 24 e9 93 .+.....s4..bm$..
751 * 0070 97 27 7b dd 9a 72 00 00 .'{..r..
752 *
753 * Notwithstanding the above, we'll allocated an additional zero WCHAR at the
754 * end of the buffer which won't get counted in PasswordLength.
755 */
756 if (!rdp_redirection_read_data(LB_PASSWORD, s, &redirection->PasswordLength,
757 &redirection->Password))
758 return STATE_RUN_FAILED;
759
760 /* [MS-RDPBCGR] specifies 512 bytes as the upper limit for the password length
761 * including the null terminatior(s). This should also be enough for the unknown
762 * password cookie format (see previous comment).
763 */
764 if ((redirection->flags & LB_PASSWORD_IS_PK_ENCRYPTED) == 0)
765 {
766 const size_t charLen = redirection->PasswordLength / sizeof(WCHAR);
767 if (redirection->PasswordLength > LB_PASSWORD_MAX_LENGTH)
768 {
769 WLog_ERR(TAG, "LB_PASSWORD: %" PRIuz " exceeds limit of %d", charLen,
770 LB_PASSWORD_MAX_LENGTH);
771 return STATE_RUN_FAILED;
772 }
773
774 /* Ensure the text password is '\0' terminated */
775 if (_wcsnlen((const WCHAR*)redirection->Password, charLen) == charLen)
776 {
777 WLog_ERR(TAG, "LB_PASSWORD: missing '\0' termination");
778 return STATE_RUN_FAILED;
779 }
780 }
781 }
782
783 if (redirection->flags & LB_TARGET_FQDN)
784 {
785 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetFQDN), 512))
786 return STATE_RUN_FAILED;
787
788 WLog_DBG(TAG, "TargetFQDN: %s", redirection->TargetFQDN);
789 }
790
791 if (redirection->flags & LB_TARGET_NETBIOS_NAME)
792 {
793 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetNetBiosName), 32))
794 return STATE_RUN_FAILED;
795
796 WLog_DBG(TAG, "TargetNetBiosName: %s", redirection->TargetNetBiosName);
797 }
798
799 if (redirection->flags & LB_CLIENT_TSV_URL)
800 {
801 if (!rdp_redirection_read_data(LB_CLIENT_TSV_URL, s, &redirection->TsvUrlLength,
802 &redirection->TsvUrl))
803 return STATE_RUN_FAILED;
804 }
805
806 if (redirection->flags & LB_REDIRECTION_GUID)
807 {
808 if (!rdp_redirection_read_data(LB_REDIRECTION_GUID, s, &redirection->RedirectionGuidLength,
809 &redirection->RedirectionGuid))
810 return STATE_RUN_FAILED;
811 }
812
813 if (redirection->flags & LB_TARGET_CERTIFICATE)
814 {
815 if (!rdp_redirection_read_target_cert_stream(s, redirection))
816 return STATE_RUN_FAILED;
817 }
818
819 if (redirection->flags & LB_TARGET_NET_ADDRESSES)
820 {
821 UINT32 targetNetAddressesLength = 0;
822 UINT32 TargetNetAddressesCount = 0;
823
824 if (!Stream_CheckAndLogRequiredLength(TAG, s, 8))
825 return STATE_RUN_FAILED;
826
827 Stream_Read_UINT32(s, targetNetAddressesLength);
828 Stream_Read_UINT32(s, TargetNetAddressesCount);
829
830 /* sanity check: the whole packet has a length limit of UINT16_MAX
831 * each TargetNetAddress is a WCHAR string, so minimum length 2 bytes
832 */
833 const size_t size = TargetNetAddressesCount * sizeof(WCHAR);
834 if ((size > Stream_GetRemainingLength(s)) || (size > targetNetAddressesLength))
835 {
836 WLog_ERR(TAG,
837 "Invalid RDP_SERVER_REDIRECTION_PACKET::TargetNetAddressLength %" PRIuz
838 ", sanity limit is %" PRIuz,
839 TargetNetAddressesCount * sizeof(WCHAR), Stream_GetRemainingLength(s));
840 return STATE_RUN_FAILED;
841 }
842
843 redirection_free_array(&redirection->TargetNetAddresses,
844 &redirection->TargetNetAddressesCount);
845 if (TargetNetAddressesCount > 0)
846 {
847 redirection->TargetNetAddresses =
848 (char**)calloc(TargetNetAddressesCount, sizeof(char*));
849
850 if (!redirection->TargetNetAddresses)
851 {
852 WLog_ERR(TAG, "TargetNetAddresses %" PRIu32 " failed to allocate",
853 TargetNetAddressesCount);
854 return STATE_RUN_FAILED;
855 }
856 }
857 redirection->TargetNetAddressesCount = TargetNetAddressesCount;
858
859 WLog_DBG(TAG, "TargetNetAddressesCount: %" PRIu32 "", TargetNetAddressesCount);
860
861 for (UINT32 i = 0; i < TargetNetAddressesCount; i++)
862 {
863 if (!rdp_redirection_read_unicode_string(s, &(redirection->TargetNetAddresses[i]), 80))
864 return STATE_RUN_FAILED;
865
866 WLog_DBG(TAG, "TargetNetAddresses[%" PRIu32 "]: %s", i,
867 redirection->TargetNetAddresses[i]);
868 }
869 }
870
871 if (Stream_GetRemainingLength(s) >= 8)
872 {
873 /* some versions of windows don't included this padding before closing the connection */
874 Stream_Seek(s, 8); /* pad (8 bytes) */
875 }
876
877 if (redirection->flags & LB_NOREDIRECT)
878 return STATE_RUN_SUCCESS;
879
880 return STATE_RUN_REDIRECT;
881}
882
883state_run_t rdp_recv_enhanced_security_redirection_packet(rdpRdp* rdp, wStream* s)
884{
885 state_run_t status = STATE_RUN_SUCCESS;
886
887 if (!Stream_SafeSeek(s, 2)) /* pad2Octets (2 bytes) */
888 return STATE_RUN_FAILED;
889
890 status = rdp_recv_server_redirection_pdu(rdp, s);
891
892 if (state_run_failed(status))
893 return status;
894
895 if (Stream_GetRemainingLength(s) >= 1)
896 {
897 /* this field is optional, and its absence is not an error */
898 Stream_Seek(s, 1); /* pad2Octets (1 byte) */
899 }
900
901 return status;
902}
903
904rdpRedirection* redirection_new(void)
905{
906 rdpRedirection* redirection = (rdpRedirection*)calloc(1, sizeof(rdpRedirection));
907
908 if (redirection)
909 {
910 }
911
912 return redirection;
913}
914
915void redirection_free(rdpRedirection* redirection)
916{
917 if (redirection)
918 {
919 redirection_free_data(&redirection->TsvUrl, &redirection->TsvUrlLength);
920 redirection_free_string(&redirection->Username);
921 redirection_free_string(&redirection->Domain);
922 redirection_free_string(&redirection->TargetFQDN);
923 redirection_free_string(&redirection->TargetNetBiosName);
924 redirection_free_string(&redirection->TargetNetAddress);
925 redirection_free_data(&redirection->LoadBalanceInfo, &redirection->LoadBalanceInfoLength);
926 redirection_free_data(&redirection->Password, &redirection->PasswordLength);
927 redirection_free_data(&redirection->RedirectionGuid, &redirection->RedirectionGuidLength);
928 freerdp_certificate_free(redirection->TargetCertificate);
929 redirection_free_array(&redirection->TargetNetAddresses,
930 &redirection->TargetNetAddressesCount);
931
932 free(redirection);
933 }
934}
935
936static SSIZE_T redir_write_string(WINPR_ATTR_UNUSED UINT32 flag, wStream* s, const char* str)
937{
938 const size_t length = (strlen(str) + 1);
939 if (!Stream_EnsureRemainingCapacity(s, 4ull + length * sizeof(WCHAR)))
940 return -1;
941
942 const size_t pos = Stream_GetPosition(s);
943 Stream_Write_UINT32(s, (UINT32)length * sizeof(WCHAR));
944 if (Stream_Write_UTF16_String_From_UTF8(s, length, str, length, TRUE) < 0)
945 return -1;
946 return (SSIZE_T)(Stream_GetPosition(s) - pos);
947}
948
949static BOOL redir_write_data(WINPR_ATTR_UNUSED UINT32 flag, wStream* s, UINT32 length,
950 const BYTE* data)
951{
952 if (!Stream_EnsureRemainingCapacity(s, 4ull + length))
953 return FALSE;
954
955 Stream_Write_UINT32(s, length);
956 Stream_Write(s, data, length);
957 return TRUE;
958}
959
960BOOL rdp_write_enhanced_security_redirection_packet(wStream* s, const rdpRedirection* redirection)
961{
962 BOOL rc = FALSE;
963
964 WINPR_ASSERT(s);
965 WINPR_ASSERT(redirection);
966
967 if (!Stream_EnsureRemainingCapacity(s, 14))
968 goto fail;
969
970 Stream_Write_UINT16(s, 0);
971
972 const size_t start = Stream_GetPosition(s);
973 Stream_Write_UINT16(s, SEC_REDIRECTION_PKT);
974 const size_t lengthOffset = Stream_GetPosition(s);
975 Stream_Seek_UINT16(s); /* placeholder for length */
976
977 if (redirection->sessionID)
978 Stream_Write_UINT32(s, redirection->sessionID);
979 else
980 Stream_Write_UINT32(s, 0);
981
982 Stream_Write_UINT32(s, redirection->flags);
983
984 if (redirection->flags & LB_TARGET_NET_ADDRESS)
985 {
986 if (redir_write_string(LB_TARGET_NET_ADDRESS, s, redirection->TargetNetAddress) < 0)
987 goto fail;
988 }
989
990 if (redirection->flags & LB_LOAD_BALANCE_INFO)
991 {
992 const UINT32 length = 13 + redirection->LoadBalanceInfoLength + 2;
993 if (!Stream_EnsureRemainingCapacity(s, length))
994 goto fail;
995 Stream_Write_UINT32(s, length);
996 Stream_Write(s, "Cookie: msts=", 13);
997 Stream_Write(s, redirection->LoadBalanceInfo, redirection->LoadBalanceInfoLength);
998 Stream_Write_UINT8(s, 0x0d);
999 Stream_Write_UINT8(s, 0x0a);
1000 }
1001
1002 if (redirection->flags & LB_USERNAME)
1003 {
1004 if (redir_write_string(LB_USERNAME, s, redirection->Username) < 0)
1005 goto fail;
1006 }
1007
1008 if (redirection->flags & LB_DOMAIN)
1009 {
1010 if (redir_write_string(LB_DOMAIN, s, redirection->Domain) < 0)
1011 goto fail;
1012 }
1013
1014 if (redirection->flags & LB_PASSWORD)
1015 {
1016 /* Password is either UNICODE or opaque data */
1017 if (!redir_write_data(LB_PASSWORD, s, redirection->PasswordLength, redirection->Password))
1018 goto fail;
1019 }
1020
1021 if (redirection->flags & LB_TARGET_FQDN)
1022 {
1023 if (redir_write_string(LB_TARGET_FQDN, s, redirection->TargetFQDN) < 0)
1024 goto fail;
1025 }
1026
1027 if (redirection->flags & LB_TARGET_NETBIOS_NAME)
1028 {
1029 if (redir_write_string(LB_TARGET_NETBIOS_NAME, s, redirection->TargetNetBiosName) < 0)
1030 goto fail;
1031 }
1032
1033 if (redirection->flags & LB_CLIENT_TSV_URL)
1034 {
1035 if (!redir_write_data(LB_CLIENT_TSV_URL, s, redirection->TsvUrlLength, redirection->TsvUrl))
1036 goto fail;
1037 }
1038
1039 if (redirection->flags & LB_REDIRECTION_GUID)
1040 {
1041 if (!redir_write_data(LB_REDIRECTION_GUID, s, redirection->RedirectionGuidLength,
1042 redirection->RedirectionGuid))
1043 goto fail;
1044 }
1045
1046 if (redirection->flags & LB_TARGET_CERTIFICATE)
1047 {
1048 if (!rdp_redireciton_write_target_cert_stream(s, redirection))
1049 goto fail;
1050 }
1051
1052 if (redirection->flags & LB_TARGET_NET_ADDRESSES)
1053 {
1054 UINT32 length = sizeof(UINT32);
1055
1056 if (!Stream_EnsureRemainingCapacity(s, 2 * sizeof(UINT32)))
1057 goto fail;
1058
1059 const size_t lstart = Stream_GetPosition(s);
1060 Stream_Seek_UINT32(s); /* length of field */
1061 Stream_Write_UINT32(s, redirection->TargetNetAddressesCount);
1062 for (UINT32 i = 0; i < redirection->TargetNetAddressesCount; i++)
1063 {
1064 const SSIZE_T rcc =
1065 redir_write_string(LB_TARGET_NET_ADDRESSES, s, redirection->TargetNetAddresses[i]);
1066 if (rcc < 0)
1067 goto fail;
1068 length += (UINT32)rcc;
1069 }
1070
1071 /* Write length field */
1072 const size_t lend = Stream_GetPosition(s);
1073 Stream_SetPosition(s, lstart);
1074 Stream_Write_UINT32(s, length);
1075 Stream_SetPosition(s, lend);
1076 }
1077
1078 /* Padding 8 bytes */
1079 if (!Stream_EnsureRemainingCapacity(s, 8))
1080 goto fail;
1081 Stream_Zero(s, 8);
1082
1083 const size_t end = Stream_GetPosition(s);
1084 Stream_SetPosition(s, lengthOffset);
1085 Stream_Write_UINT16(s, (UINT16)(end - start));
1086 Stream_SetPosition(s, end);
1087
1088 rc = TRUE;
1089fail:
1090 return rc;
1091}
1092
1093BOOL redirection_settings_are_valid(rdpRedirection* redirection, UINT32* pFlags)
1094{
1095 UINT32 flags = 0;
1096
1097 WINPR_ASSERT(redirection);
1098
1099 if (redirection->flags & LB_CLIENT_TSV_URL)
1100 {
1101 if (!redirection->TsvUrl || (redirection->TsvUrlLength == 0))
1102 flags |= LB_CLIENT_TSV_URL;
1103 }
1104
1105 if (redirection->flags & LB_SERVER_TSV_CAPABLE)
1106 {
1107 if ((redirection->flags & LB_CLIENT_TSV_URL) == 0)
1108 flags |= LB_SERVER_TSV_CAPABLE;
1109 }
1110
1111 if (redirection->flags & LB_USERNAME)
1112 {
1113 if (utils_str_is_empty(redirection->Username))
1114 flags |= LB_USERNAME;
1115 }
1116
1117 if (redirection->flags & LB_DOMAIN)
1118 {
1119 if (utils_str_is_empty(redirection->Domain))
1120 flags |= LB_DOMAIN;
1121 }
1122
1123 if (redirection->flags & LB_PASSWORD)
1124 {
1125 if (!redirection->Password || (redirection->PasswordLength == 0))
1126 flags |= LB_PASSWORD;
1127 }
1128
1129 if (redirection->flags & LB_TARGET_FQDN)
1130 {
1131 if (utils_str_is_empty(redirection->TargetFQDN))
1132 flags |= LB_TARGET_FQDN;
1133 }
1134
1135 if (redirection->flags & LB_LOAD_BALANCE_INFO)
1136 {
1137 if (!redirection->LoadBalanceInfo || (redirection->LoadBalanceInfoLength == 0))
1138 flags |= LB_LOAD_BALANCE_INFO;
1139 }
1140
1141 if (redirection->flags & LB_TARGET_NETBIOS_NAME)
1142 {
1143 if (utils_str_is_empty(redirection->TargetNetBiosName))
1144 flags |= LB_TARGET_NETBIOS_NAME;
1145 }
1146
1147 if (redirection->flags & LB_TARGET_NET_ADDRESS)
1148 {
1149 if (utils_str_is_empty(redirection->TargetNetAddress))
1150 flags |= LB_TARGET_NET_ADDRESS;
1151 }
1152
1153 if (redirection->flags & LB_TARGET_NET_ADDRESSES)
1154 {
1155 if (!redirection->TargetNetAddresses || (redirection->TargetNetAddressesCount == 0))
1156 flags |= LB_TARGET_NET_ADDRESSES;
1157 else
1158 {
1159 for (UINT32 x = 0; x < redirection->TargetNetAddressesCount; x++)
1160 {
1161 if (!redirection->TargetNetAddresses[x])
1162 flags |= LB_TARGET_NET_ADDRESSES;
1163 }
1164 }
1165 }
1166
1167 if (redirection->flags & LB_REDIRECTION_GUID)
1168 {
1169 if (!redirection->RedirectionGuid || (redirection->RedirectionGuidLength == 0))
1170 flags |= LB_REDIRECTION_GUID;
1171 }
1172
1173 if (redirection->flags & LB_TARGET_CERTIFICATE)
1174 {
1175 if (!redirection->TargetCertificate)
1176 flags |= LB_TARGET_CERTIFICATE;
1177 }
1178
1179 if (pFlags)
1180 *pFlags = flags;
1181 return flags == 0;
1182}
1183
1184BOOL redirection_set_flags(rdpRedirection* redirection, UINT32 flags)
1185{
1186 WINPR_ASSERT(redirection);
1187 redirection->flags = flags;
1188 return TRUE;
1189}
1190
1191BOOL redirection_set_session_id(rdpRedirection* redirection, UINT32 session_id)
1192{
1193 WINPR_ASSERT(redirection);
1194 redirection->sessionID = session_id;
1195 return TRUE;
1196}
1197
1198static BOOL redirection_unsupported(const char* fkt, UINT32 flag, UINT32 mask)
1199{
1200 char buffer[1024] = { 0 };
1201 char buffer2[1024] = { 0 };
1202 WLog_WARN(TAG, "[%s] supported flags are {%s}, have {%s}", fkt,
1203 rdp_redirection_flags_to_string(mask, buffer, sizeof(buffer)),
1204 rdp_redirection_flags_to_string(flag, buffer2, sizeof(buffer2)));
1205 return FALSE;
1206}
1207
1208BOOL redirection_set_byte_option(rdpRedirection* redirection, UINT32 flag, const BYTE* data,
1209 size_t length)
1210{
1211 WINPR_ASSERT(redirection);
1212 switch (flag)
1213 {
1214 case LB_CLIENT_TSV_URL:
1215 return redirection_copy_data(&redirection->TsvUrl, &redirection->TsvUrlLength, data,
1216 length);
1217 case LB_PASSWORD:
1218 return redirection_copy_data(&redirection->Password, &redirection->PasswordLength, data,
1219 length);
1220 case LB_LOAD_BALANCE_INFO:
1221 return redirection_copy_data(&redirection->LoadBalanceInfo,
1222 &redirection->LoadBalanceInfoLength, data, length);
1223 case LB_REDIRECTION_GUID:
1224 return redirection_copy_data(&redirection->RedirectionGuid,
1225 &redirection->RedirectionGuidLength, data, length);
1226 case LB_TARGET_CERTIFICATE:
1227 return rdp_redirection_read_target_cert(&redirection->TargetCertificate, data, length);
1228 default:
1229 return redirection_unsupported(__func__, flag,
1230 LB_CLIENT_TSV_URL | LB_PASSWORD | LB_LOAD_BALANCE_INFO |
1231 LB_REDIRECTION_GUID | LB_TARGET_CERTIFICATE);
1232 }
1233}
1234
1235BOOL redirection_set_string_option(rdpRedirection* redirection, UINT32 flag, const char* str)
1236{
1237 WINPR_ASSERT(redirection);
1238 switch (flag)
1239 {
1240 case LB_USERNAME:
1241 return redirection_copy_string(&redirection->Username, str);
1242 case LB_DOMAIN:
1243 return redirection_copy_string(&redirection->Domain, str);
1244 case LB_TARGET_FQDN:
1245 return redirection_copy_string(&redirection->TargetFQDN, str);
1246 case LB_TARGET_NETBIOS_NAME:
1247 return redirection_copy_string(&redirection->TargetNetBiosName, str);
1248 case LB_TARGET_NET_ADDRESS:
1249 return redirection_copy_string(&redirection->TargetNetAddress, str);
1250 default:
1251 return redirection_unsupported(__func__, flag,
1252 LB_USERNAME | LB_DOMAIN | LB_TARGET_FQDN |
1253 LB_TARGET_NETBIOS_NAME | LB_TARGET_NET_ADDRESS);
1254 }
1255}
1256
1257BOOL redirection_set_array_option(rdpRedirection* redirection, UINT32 flag, const char** str,
1258 size_t count)
1259{
1260 WINPR_ASSERT(redirection);
1261 switch (flag)
1262 {
1263 case LB_TARGET_NET_ADDRESSES:
1264 return redirection_copy_array(&redirection->TargetNetAddresses,
1265 &redirection->TargetNetAddressesCount, str, count);
1266 default:
1267 return redirection_unsupported(__func__, flag, LB_TARGET_NET_ADDRESSES);
1268 }
1269}
freerdp_settings_get_uint32
FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
freerdp_settings_set_string
FREERDP_API BOOL freerdp_settings_set_string(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3685
freerdp_settings_set_pointer_len
FREERDP_API BOOL freerdp_settings_set_pointer_len(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data, size_t len)
Set a pointer to value data.
Definition common/settings.c:1344
freerdp_settings_set_pointer
FREERDP_API BOOL freerdp_settings_set_pointer(rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id, const void *data)
Set a pointer to value data.
freerdp_settings_get_pointer
FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition common/settings.c:1332
freerdp_settings_set_string_len
FREERDP_API BOOL freerdp_settings_set_string_len(rdpSettings *settings, FreeRDP_Settings_Keys_String id, const char *param, size_t len)
Sets a string settings value. The param is copied.
Definition settings_getters.c:3679
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 param)
Sets a UINT32 settings value.