1 /**
2 * FreeRDP: A Remote Desktop Protocol Implementation
3 * RDP Core
4 *
5 * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
6 * Copyright 2014 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #ifdef HAVE_CONFIG_H
22 #include "config.h"
23 #endif
24
25 #include <winpr/crt.h>
26
27 #include "rdp.h"
28
29 #include "info.h"
30 #include "redirection.h"
31
32 #include <freerdp/crypto/per.h>
33 #include <freerdp/log.h>
34
35 #define TAG FREERDP_TAG("core.rdp")
36
37 static const char* DATA_PDU_TYPE_STRINGS[80] = {
38 "?",
39 "?", /* 0x00 - 0x01 */
40 "Update", /* 0x02 */
41 "?",
42 "?",
43 "?",
44 "?",
45 "?",
46 "?",
47 "?",
48 "?", /* 0x03 - 0x0A */
49 "?",
50 "?",
51 "?",
52 "?",
53 "?",
54 "?",
55 "?",
56 "?",
57 "?", /* 0x0B - 0x13 */
58 "Control", /* 0x14 */
59 "?",
60 "?",
61 "?",
62 "?",
63 "?",
64 "?", /* 0x15 - 0x1A */
65 "Pointer", /* 0x1B */
66 "Input", /* 0x1C */
67 "?",
68 "?", /* 0x1D - 0x1E */
69 "Synchronize", /* 0x1F */
70 "?", /* 0x20 */
71 "Refresh Rect", /* 0x21 */
72 "Play Sound", /* 0x22 */
73 "Suppress Output", /* 0x23 */
74 "Shutdown Request", /* 0x24 */
75 "Shutdown Denied", /* 0x25 */
76 "Save Session Info", /* 0x26 */
77 "Font List", /* 0x27 */
78 "Font Map", /* 0x28 */
79 "Set Keyboard Indicators", /* 0x29 */
80 "?", /* 0x2A */
81 "Bitmap Cache Persistent List", /* 0x2B */
82 "Bitmap Cache Error", /* 0x2C */
83 "Set Keyboard IME Status", /* 0x2D */
84 "Offscreen Cache Error", /* 0x2E */
85 "Set Error Info", /* 0x2F */
86 "Draw Nine Grid Error", /* 0x30 */
87 "Draw GDI+ Error", /* 0x31 */
88 "ARC Status", /* 0x32 */
89 "?",
90 "?",
91 "?", /* 0x33 - 0x35 */
92 "Status Info", /* 0x36 */
93 "Monitor Layout", /* 0x37 */
94 "FrameAcknowledge",
95 "?",
96 "?", /* 0x38 - 0x40 */
97 "?",
98 "?",
99 "?",
100 "?",
101 "?",
102 "?" /* 0x41 - 0x46 */
103 };
104
data_pdu_type_to_string(UINT8 type)105 const char* data_pdu_type_to_string(UINT8 type)
106 {
107 if (type > ARRAYSIZE(DATA_PDU_TYPE_STRINGS))
108 return "???";
109 return DATA_PDU_TYPE_STRINGS[type];
110 }
111
112 static BOOL rdp_read_flow_control_pdu(wStream* s, UINT16* type, UINT16* channel_id);
113 static BOOL rdp_write_share_control_header(wStream* s, UINT16 length, UINT16 type,
114 UINT16 channel_id);
115 static BOOL rdp_write_share_data_header(wStream* s, UINT16 length, BYTE type, UINT32 share_id);
116
117 /**
118 * Read RDP Security Header.\n
119 * @msdn{cc240579}
120 * @param s stream
121 * @param flags security flags
122 */
123
rdp_read_security_header(wStream * s,UINT16 * flags,UINT16 * length)124 BOOL rdp_read_security_header(wStream* s, UINT16* flags, UINT16* length)
125 {
126 /* Basic Security Header */
127 if ((Stream_GetRemainingLength(s) < 4) || (length && (*length < 4)))
128 return FALSE;
129
130 Stream_Read_UINT16(s, *flags); /* flags */
131 Stream_Seek(s, 2); /* flagsHi (unused) */
132
133 if (length)
134 *length -= 4;
135
136 return TRUE;
137 }
138
139 /**
140 * Write RDP Security Header.\n
141 * @msdn{cc240579}
142 * @param s stream
143 * @param flags security flags
144 */
145
rdp_write_security_header(wStream * s,UINT16 flags)146 void rdp_write_security_header(wStream* s, UINT16 flags)
147 {
148 /* Basic Security Header */
149 Stream_Write_UINT16(s, flags); /* flags */
150 Stream_Write_UINT16(s, 0); /* flagsHi (unused) */
151 }
152
rdp_read_share_control_header(wStream * s,UINT16 * tpktLength,UINT16 * remainingLength,UINT16 * type,UINT16 * channel_id)153 BOOL rdp_read_share_control_header(wStream* s, UINT16* tpktLength, UINT16* remainingLength,
154 UINT16* type, UINT16* channel_id)
155 {
156 UINT16 len;
157 if (Stream_GetRemainingLength(s) < 2)
158 return FALSE;
159
160 /* Share Control Header */
161 Stream_Read_UINT16(s, len); /* totalLength */
162
163 /* If length is 0x8000 then we actually got a flow control PDU that we should ignore
164 http://msdn.microsoft.com/en-us/library/cc240576.aspx */
165 if (len == 0x8000)
166 {
167 if (!rdp_read_flow_control_pdu(s, type, channel_id))
168 return FALSE;
169 *channel_id = 0;
170 if (tpktLength)
171 *tpktLength = 8; /* Flow control PDU is 8 bytes */
172 if (remainingLength)
173 *remainingLength = 0;
174 return TRUE;
175 }
176
177 if ((len < 4U) || ((len - 2U) > Stream_GetRemainingLength(s)))
178 return FALSE;
179
180 if (tpktLength)
181 *tpktLength = len;
182
183 Stream_Read_UINT16(s, *type); /* pduType */
184 *type &= 0x0F; /* type is in the 4 least significant bits */
185
186 if (len > 5)
187 {
188 Stream_Read_UINT16(s, *channel_id); /* pduSource */
189 if (remainingLength)
190 *remainingLength = len - 6;
191 }
192 else
193 {
194 *channel_id = 0; /* Windows XP can send such short DEACTIVATE_ALL PDUs. */
195 if (remainingLength)
196 *remainingLength = len - 4;
197 }
198
199 return TRUE;
200 }
201
rdp_write_share_control_header(wStream * s,UINT16 length,UINT16 type,UINT16 channel_id)202 BOOL rdp_write_share_control_header(wStream* s, UINT16 length, UINT16 type, UINT16 channel_id)
203 {
204 if (length < RDP_PACKET_HEADER_MAX_LENGTH)
205 return FALSE;
206 if (Stream_GetRemainingCapacity(s) < 6)
207 return FALSE;
208 length -= RDP_PACKET_HEADER_MAX_LENGTH;
209 /* Share Control Header */
210 Stream_Write_UINT16(s, length); /* totalLength */
211 Stream_Write_UINT16(s, type | 0x10); /* pduType */
212 Stream_Write_UINT16(s, channel_id); /* pduSource */
213 return TRUE;
214 }
215
rdp_read_share_data_header(wStream * s,UINT16 * length,BYTE * type,UINT32 * shareId,BYTE * compressedType,UINT16 * compressedLength)216 BOOL rdp_read_share_data_header(wStream* s, UINT16* length, BYTE* type, UINT32* shareId,
217 BYTE* compressedType, UINT16* compressedLength)
218 {
219 if (Stream_GetRemainingLength(s) < 12)
220 return FALSE;
221
222 /* Share Data Header */
223 Stream_Read_UINT32(s, *shareId); /* shareId (4 bytes) */
224 Stream_Seek_UINT8(s); /* pad1 (1 byte) */
225 Stream_Seek_UINT8(s); /* streamId (1 byte) */
226 Stream_Read_UINT16(s, *length); /* uncompressedLength (2 bytes) */
227 Stream_Read_UINT8(s, *type); /* pduType2, Data PDU Type (1 byte) */
228 Stream_Read_UINT8(s, *compressedType); /* compressedType (1 byte) */
229 Stream_Read_UINT16(s, *compressedLength); /* compressedLength (2 bytes) */
230 return TRUE;
231 }
232
rdp_write_share_data_header(wStream * s,UINT16 length,BYTE type,UINT32 share_id)233 BOOL rdp_write_share_data_header(wStream* s, UINT16 length, BYTE type, UINT32 share_id)
234 {
235 const size_t headerLen = RDP_PACKET_HEADER_MAX_LENGTH + RDP_SHARE_CONTROL_HEADER_LENGTH +
236 RDP_SHARE_DATA_HEADER_LENGTH;
237 if (length < headerLen)
238 return FALSE;
239 length -= headerLen;
240 if (Stream_GetRemainingCapacity(s) < 12)
241 return FALSE;
242
243 /* Share Data Header */
244 Stream_Write_UINT32(s, share_id); /* shareId (4 bytes) */
245 Stream_Write_UINT8(s, 0); /* pad1 (1 byte) */
246 Stream_Write_UINT8(s, STREAM_LOW); /* streamId (1 byte) */
247 Stream_Write_UINT16(s, length); /* uncompressedLength (2 bytes) */
248 Stream_Write_UINT8(s, type); /* pduType2, Data PDU Type (1 byte) */
249 Stream_Write_UINT8(s, 0); /* compressedType (1 byte) */
250 Stream_Write_UINT16(s, 0); /* compressedLength (2 bytes) */
251 return TRUE;
252 }
253
rdp_security_stream_init(rdpRdp * rdp,wStream * s,BOOL sec_header)254 static BOOL rdp_security_stream_init(rdpRdp* rdp, wStream* s, BOOL sec_header)
255 {
256 if (!rdp || !s)
257 return FALSE;
258
259 if (rdp->do_crypt)
260 {
261 if (!Stream_SafeSeek(s, 12))
262 return FALSE;
263
264 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
265 {
266 if (!Stream_SafeSeek(s, 4))
267 return FALSE;
268 }
269
270 rdp->sec_flags |= SEC_ENCRYPT;
271
272 if (rdp->do_secure_checksum)
273 rdp->sec_flags |= SEC_SECURE_CHECKSUM;
274 }
275 else if (rdp->sec_flags != 0 || sec_header)
276 {
277 if (!Stream_SafeSeek(s, 4))
278 return FALSE;
279 }
280
281 return TRUE;
282 }
283
rdp_send_stream_init(rdpRdp * rdp)284 wStream* rdp_send_stream_init(rdpRdp* rdp)
285 {
286 wStream* s = transport_send_stream_init(rdp->transport, 4096);
287
288 if (!s)
289 return NULL;
290
291 if (!Stream_SafeSeek(s, RDP_PACKET_HEADER_MAX_LENGTH))
292 goto fail;
293
294 if (!rdp_security_stream_init(rdp, s, FALSE))
295 goto fail;
296
297 return s;
298 fail:
299 Stream_Release(s);
300 return NULL;
301 }
302
rdp_send_stream_pdu_init(rdpRdp * rdp)303 wStream* rdp_send_stream_pdu_init(rdpRdp* rdp)
304 {
305 wStream* s = rdp_send_stream_init(rdp);
306
307 if (!s)
308 return NULL;
309
310 if (!Stream_SafeSeek(s, RDP_SHARE_CONTROL_HEADER_LENGTH))
311 goto fail;
312
313 return s;
314 fail:
315 Stream_Release(s);
316 return NULL;
317 }
318
rdp_data_pdu_init(rdpRdp * rdp)319 wStream* rdp_data_pdu_init(rdpRdp* rdp)
320 {
321 wStream* s = rdp_send_stream_pdu_init(rdp);
322
323 if (!s)
324 return NULL;
325
326 if (!Stream_SafeSeek(s, RDP_SHARE_DATA_HEADER_LENGTH))
327 goto fail;
328
329 return s;
330 fail:
331 Stream_Release(s);
332 return NULL;
333 }
334
rdp_set_error_info(rdpRdp * rdp,UINT32 errorInfo)335 BOOL rdp_set_error_info(rdpRdp* rdp, UINT32 errorInfo)
336 {
337 rdp->errorInfo = errorInfo;
338
339 if (rdp->errorInfo != ERRINFO_SUCCESS)
340 {
341 rdpContext* context = rdp->context;
342 rdp_print_errinfo(rdp->errorInfo);
343
344 if (context)
345 {
346 freerdp_set_last_error_log(context, MAKE_FREERDP_ERROR(ERRINFO, errorInfo));
347
348 if (context->pubSub)
349 {
350 ErrorInfoEventArgs e;
351 EventArgsInit(&e, "freerdp");
352 e.code = rdp->errorInfo;
353 PubSub_OnErrorInfo(context->pubSub, context, &e);
354 }
355 }
356 else
357 WLog_ERR(TAG, "%s missing context=%p", __FUNCTION__, context);
358 }
359 else
360 {
361 freerdp_set_last_error_log(rdp->context, FREERDP_ERROR_SUCCESS);
362 }
363
364 return TRUE;
365 }
366
rdp_message_channel_pdu_init(rdpRdp * rdp)367 wStream* rdp_message_channel_pdu_init(rdpRdp* rdp)
368 {
369 wStream* s = transport_send_stream_init(rdp->transport, 4096);
370
371 if (!s)
372 return NULL;
373
374 if (!Stream_SafeSeek(s, RDP_PACKET_HEADER_MAX_LENGTH))
375 goto fail;
376
377 if (!rdp_security_stream_init(rdp, s, TRUE))
378 goto fail;
379
380 return s;
381 fail:
382 Stream_Release(s);
383 return NULL;
384 }
385
386 /**
387 * Read an RDP packet header.\n
388 * @param rdp rdp module
389 * @param s stream
390 * @param length RDP packet length
391 * @param channel_id channel id
392 */
393
rdp_read_header(rdpRdp * rdp,wStream * s,UINT16 * length,UINT16 * channelId)394 BOOL rdp_read_header(rdpRdp* rdp, wStream* s, UINT16* length, UINT16* channelId)
395 {
396 BYTE li;
397 BYTE byte;
398 BYTE code;
399 BYTE choice;
400 UINT16 initiator;
401 enum DomainMCSPDU MCSPDU;
402 enum DomainMCSPDU domainMCSPDU;
403 MCSPDU = (rdp->settings->ServerMode) ? DomainMCSPDU_SendDataRequest
404 : DomainMCSPDU_SendDataIndication;
405
406 *channelId = 0; /* Initialize in case of early abort */
407 if (!tpkt_read_header(s, length))
408 return FALSE;
409
410 if (!tpdu_read_header(s, &code, &li, *length))
411 return FALSE;
412
413 if (code != X224_TPDU_DATA)
414 {
415 if (code == X224_TPDU_DISCONNECT_REQUEST)
416 {
417 freerdp_abort_connect(rdp->instance);
418 return TRUE;
419 }
420
421 return FALSE;
422 }
423
424 if (!per_read_choice(s, &choice))
425 return FALSE;
426
427 domainMCSPDU = (enum DomainMCSPDU)(choice >> 2);
428
429 if (domainMCSPDU != MCSPDU)
430 {
431 if (domainMCSPDU != DomainMCSPDU_DisconnectProviderUltimatum)
432 return FALSE;
433 }
434
435 MCSPDU = domainMCSPDU;
436
437 if (*length < 8U)
438 return FALSE;
439
440 if ((*length - 8U) > Stream_GetRemainingLength(s))
441 return FALSE;
442
443 if (MCSPDU == DomainMCSPDU_DisconnectProviderUltimatum)
444 {
445 int reason = 0;
446 TerminateEventArgs e;
447 rdpContext* context;
448
449 if (!mcs_recv_disconnect_provider_ultimatum(rdp->mcs, s, &reason))
450 return FALSE;
451
452 if (!rdp->instance)
453 return FALSE;
454
455 context = rdp->instance->context;
456 context->disconnectUltimatum = reason;
457
458 if (rdp->errorInfo == ERRINFO_SUCCESS)
459 {
460 /**
461 * Some servers like Windows Server 2008 R2 do not send the error info pdu
462 * when the user logs off like they should. Map DisconnectProviderUltimatum
463 * to a ERRINFO_LOGOFF_BY_USER when the errinfo code is ERRINFO_SUCCESS.
464 */
465 if (reason == Disconnect_Ultimatum_provider_initiated)
466 rdp_set_error_info(rdp, ERRINFO_RPC_INITIATED_DISCONNECT);
467 else if (reason == Disconnect_Ultimatum_user_requested)
468 rdp_set_error_info(rdp, ERRINFO_LOGOFF_BY_USER);
469 else
470 rdp_set_error_info(rdp, ERRINFO_RPC_INITIATED_DISCONNECT);
471 }
472
473 WLog_DBG(TAG, "DisconnectProviderUltimatum: reason: %d", reason);
474 freerdp_abort_connect(rdp->instance);
475 EventArgsInit(&e, "freerdp");
476 e.code = 0;
477 PubSub_OnTerminate(context->pubSub, context, &e);
478 return TRUE;
479 }
480
481 if (Stream_GetRemainingLength(s) < 5)
482 return FALSE;
483
484 if (!per_read_integer16(s, &initiator, MCS_BASE_CHANNEL_ID)) /* initiator (UserId) */
485 return FALSE;
486
487 if (!per_read_integer16(s, channelId, 0)) /* channelId */
488 return FALSE;
489
490 Stream_Read_UINT8(s, byte); /* dataPriority + Segmentation (0x70) */
491
492 if (!per_read_length(s, length)) /* userData (OCTET_STRING) */
493 return FALSE;
494
495 if (*length > Stream_GetRemainingLength(s))
496 return FALSE;
497
498 return TRUE;
499 }
500
501 /**
502 * Write an RDP packet header.\n
503 * @param rdp rdp module
504 * @param s stream
505 * @param length RDP packet length
506 * @param channel_id channel id
507 */
508
rdp_write_header(rdpRdp * rdp,wStream * s,UINT16 length,UINT16 channelId)509 void rdp_write_header(rdpRdp* rdp, wStream* s, UINT16 length, UINT16 channelId)
510 {
511 int body_length;
512 enum DomainMCSPDU MCSPDU;
513 MCSPDU = (rdp->settings->ServerMode) ? DomainMCSPDU_SendDataIndication
514 : DomainMCSPDU_SendDataRequest;
515
516 if ((rdp->sec_flags & SEC_ENCRYPT) &&
517 (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS))
518 {
519 int pad;
520 body_length = length - RDP_PACKET_HEADER_MAX_LENGTH - 16;
521 pad = 8 - (body_length % 8);
522
523 if (pad != 8)
524 length += pad;
525 }
526
527 mcs_write_domain_mcspdu_header(s, MCSPDU, length, 0);
528 per_write_integer16(s, rdp->mcs->userId, MCS_BASE_CHANNEL_ID); /* initiator */
529 per_write_integer16(s, channelId, 0); /* channelId */
530 Stream_Write_UINT8(s, 0x70); /* dataPriority + segmentation */
531 /*
532 * We always encode length in two bytes, even though we could use
533 * only one byte if length <= 0x7F. It is just easier that way,
534 * because we can leave room for fixed-length header, store all
535 * the data first and then store the header.
536 */
537 length = (length - RDP_PACKET_HEADER_MAX_LENGTH) | 0x8000;
538 Stream_Write_UINT16_BE(s, length); /* userData (OCTET_STRING) */
539 }
540
rdp_security_stream_out(rdpRdp * rdp,wStream * s,int length,UINT32 sec_flags,UINT32 * pad)541 static BOOL rdp_security_stream_out(rdpRdp* rdp, wStream* s, int length, UINT32 sec_flags,
542 UINT32* pad)
543 {
544 BYTE* data;
545 BOOL status;
546 sec_flags |= rdp->sec_flags;
547 *pad = 0;
548
549 if (sec_flags != 0)
550 {
551 rdp_write_security_header(s, sec_flags);
552
553 if (sec_flags & SEC_ENCRYPT)
554 {
555 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
556 {
557 data = Stream_Pointer(s) + 12;
558 length = length - (data - Stream_Buffer(s));
559 Stream_Write_UINT16(s, 0x10); /* length */
560 Stream_Write_UINT8(s, 0x1); /* TSFIPS_VERSION 1*/
561 /* handle padding */
562 *pad = 8 - (length % 8);
563
564 if (*pad == 8)
565 *pad = 0;
566
567 if (*pad)
568 memset(data + length, 0, *pad);
569
570 Stream_Write_UINT8(s, *pad);
571
572 if (!security_hmac_signature(data, length, Stream_Pointer(s), rdp))
573 return FALSE;
574
575 Stream_Seek(s, 8);
576 security_fips_encrypt(data, length + *pad, rdp);
577 }
578 else
579 {
580 data = Stream_Pointer(s) + 8;
581 length = length - (data - Stream_Buffer(s));
582
583 if (sec_flags & SEC_SECURE_CHECKSUM)
584 status =
585 security_salted_mac_signature(rdp, data, length, TRUE, Stream_Pointer(s));
586 else
587 status = security_mac_signature(rdp, data, length, Stream_Pointer(s));
588
589 if (!status)
590 return FALSE;
591
592 Stream_Seek(s, 8);
593
594 if (!security_encrypt(Stream_Pointer(s), length, rdp))
595 return FALSE;
596 }
597 }
598
599 rdp->sec_flags = 0;
600 }
601
602 return TRUE;
603 }
604
rdp_get_sec_bytes(rdpRdp * rdp,UINT16 sec_flags)605 static UINT32 rdp_get_sec_bytes(rdpRdp* rdp, UINT16 sec_flags)
606 {
607 UINT32 sec_bytes;
608
609 if (rdp->sec_flags & SEC_ENCRYPT)
610 {
611 sec_bytes = 12;
612
613 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
614 sec_bytes += 4;
615 }
616 else if (rdp->sec_flags != 0 || sec_flags != 0)
617 {
618 sec_bytes = 4;
619 }
620 else
621 {
622 sec_bytes = 0;
623 }
624
625 return sec_bytes;
626 }
627
628 /**
629 * Send an RDP packet.
630 * @param rdp RDP module
631 * @param s stream
632 * @param channel_id channel id
633 */
634
rdp_send(rdpRdp * rdp,wStream * s,UINT16 channel_id)635 BOOL rdp_send(rdpRdp* rdp, wStream* s, UINT16 channel_id)
636 {
637 BOOL rc = FALSE;
638 UINT32 pad;
639 UINT16 length;
640
641 if (!s)
642 return FALSE;
643
644 if (!rdp)
645 goto fail;
646
647 length = Stream_GetPosition(s);
648 Stream_SetPosition(s, 0);
649 rdp_write_header(rdp, s, length, channel_id);
650
651 if (!rdp_security_stream_out(rdp, s, length, 0, &pad))
652 goto fail;
653
654 length += pad;
655 Stream_SetPosition(s, length);
656 Stream_SealLength(s);
657
658 if (transport_write(rdp->transport, s) < 0)
659 goto fail;
660
661 rc = TRUE;
662 fail:
663 Stream_Release(s);
664 return rc;
665 }
666
rdp_send_pdu(rdpRdp * rdp,wStream * s,UINT16 type,UINT16 channel_id)667 BOOL rdp_send_pdu(rdpRdp* rdp, wStream* s, UINT16 type, UINT16 channel_id)
668 {
669 UINT16 length;
670 UINT32 sec_bytes;
671 size_t sec_hold;
672 UINT32 pad;
673
674 if (!rdp || !s)
675 return FALSE;
676
677 length = Stream_GetPosition(s);
678 Stream_SetPosition(s, 0);
679 rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID);
680 sec_bytes = rdp_get_sec_bytes(rdp, 0);
681 sec_hold = Stream_GetPosition(s);
682 Stream_Seek(s, sec_bytes);
683 if (!rdp_write_share_control_header(s, length - sec_bytes, type, channel_id))
684 return FALSE;
685 Stream_SetPosition(s, sec_hold);
686
687 if (!rdp_security_stream_out(rdp, s, length, 0, &pad))
688 return FALSE;
689
690 length += pad;
691 Stream_SetPosition(s, length);
692 Stream_SealLength(s);
693
694 if (transport_write(rdp->transport, s) < 0)
695 return FALSE;
696
697 return TRUE;
698 }
699
rdp_send_data_pdu(rdpRdp * rdp,wStream * s,BYTE type,UINT16 channel_id)700 BOOL rdp_send_data_pdu(rdpRdp* rdp, wStream* s, BYTE type, UINT16 channel_id)
701 {
702 BOOL rc = FALSE;
703 size_t length;
704 UINT32 sec_bytes;
705 size_t sec_hold;
706 UINT32 pad;
707
708 if (!s)
709 return FALSE;
710
711 if (!rdp)
712 goto fail;
713
714 length = Stream_GetPosition(s);
715 Stream_SetPosition(s, 0);
716 rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID);
717 sec_bytes = rdp_get_sec_bytes(rdp, 0);
718 sec_hold = Stream_GetPosition(s);
719 Stream_Seek(s, sec_bytes);
720 if (!rdp_write_share_control_header(s, length - sec_bytes, PDU_TYPE_DATA, channel_id))
721 goto fail;
722 if (!rdp_write_share_data_header(s, length - sec_bytes, type, rdp->settings->ShareId))
723 goto fail;
724 Stream_SetPosition(s, sec_hold);
725
726 if (!rdp_security_stream_out(rdp, s, length, 0, &pad))
727 goto fail;
728
729 length += pad;
730 Stream_SetPosition(s, length);
731 Stream_SealLength(s);
732 WLog_DBG(TAG, "%s: sending data (type=0x%x size=%" PRIuz " channelId=%" PRIu16 ")",
733 __FUNCTION__, type, Stream_Length(s), channel_id);
734
735 rdp->outPackets++;
736 if (transport_write(rdp->transport, s) < 0)
737 goto fail;
738
739 rc = TRUE;
740 fail:
741 Stream_Release(s);
742 return rc;
743 }
744
rdp_send_message_channel_pdu(rdpRdp * rdp,wStream * s,UINT16 sec_flags)745 BOOL rdp_send_message_channel_pdu(rdpRdp* rdp, wStream* s, UINT16 sec_flags)
746 {
747 BOOL rc = FALSE;
748 UINT16 length;
749 UINT32 pad;
750
751 if (!s)
752 return FALSE;
753
754 if (!rdp)
755 goto fail;
756
757 length = Stream_GetPosition(s);
758 Stream_SetPosition(s, 0);
759 rdp_write_header(rdp, s, length, rdp->mcs->messageChannelId);
760
761 if (!rdp_security_stream_out(rdp, s, length, sec_flags, &pad))
762 goto fail;
763
764 length += pad;
765 Stream_SetPosition(s, length);
766 Stream_SealLength(s);
767
768 if (transport_write(rdp->transport, s) < 0)
769 goto fail;
770
771 rc = TRUE;
772 fail:
773 Stream_Release(s);
774 return rc;
775 }
776
rdp_recv_server_shutdown_denied_pdu(rdpRdp * rdp,wStream * s)777 static BOOL rdp_recv_server_shutdown_denied_pdu(rdpRdp* rdp, wStream* s)
778 {
779 return TRUE;
780 }
781
rdp_recv_server_set_keyboard_indicators_pdu(rdpRdp * rdp,wStream * s)782 static BOOL rdp_recv_server_set_keyboard_indicators_pdu(rdpRdp* rdp, wStream* s)
783 {
784 UINT16 unitId;
785 UINT16 ledFlags;
786 rdpContext* context = rdp->instance->context;
787
788 if (Stream_GetRemainingLength(s) < 4)
789 return FALSE;
790
791 Stream_Read_UINT16(s, unitId); /* unitId (2 bytes) */
792 Stream_Read_UINT16(s, ledFlags); /* ledFlags (2 bytes) */
793 IFCALL(context->update->SetKeyboardIndicators, context, ledFlags);
794 return TRUE;
795 }
796
rdp_recv_server_set_keyboard_ime_status_pdu(rdpRdp * rdp,wStream * s)797 static BOOL rdp_recv_server_set_keyboard_ime_status_pdu(rdpRdp* rdp, wStream* s)
798 {
799 UINT16 unitId;
800 UINT32 imeState;
801 UINT32 imeConvMode;
802
803 if (!rdp || !rdp->input)
804 return FALSE;
805
806 if (Stream_GetRemainingLength(s) < 10)
807 return FALSE;
808
809 Stream_Read_UINT16(s, unitId); /* unitId (2 bytes) */
810 Stream_Read_UINT32(s, imeState); /* imeState (4 bytes) */
811 Stream_Read_UINT32(s, imeConvMode); /* imeConvMode (4 bytes) */
812 IFCALL(rdp->update->SetKeyboardImeStatus, rdp->context, unitId, imeState, imeConvMode);
813 return TRUE;
814 }
815
rdp_recv_set_error_info_data_pdu(rdpRdp * rdp,wStream * s)816 static BOOL rdp_recv_set_error_info_data_pdu(rdpRdp* rdp, wStream* s)
817 {
818 UINT32 errorInfo;
819
820 if (Stream_GetRemainingLength(s) < 4)
821 return FALSE;
822
823 Stream_Read_UINT32(s, errorInfo); /* errorInfo (4 bytes) */
824 return rdp_set_error_info(rdp, errorInfo);
825 }
826
rdp_recv_server_auto_reconnect_status_pdu(rdpRdp * rdp,wStream * s)827 static BOOL rdp_recv_server_auto_reconnect_status_pdu(rdpRdp* rdp, wStream* s)
828 {
829 UINT32 arcStatus;
830
831 if (Stream_GetRemainingLength(s) < 4)
832 return FALSE;
833
834 Stream_Read_UINT32(s, arcStatus); /* arcStatus (4 bytes) */
835 WLog_WARN(TAG, "AutoReconnectStatus: 0x%08" PRIX32 "", arcStatus);
836 return TRUE;
837 }
838
rdp_recv_server_status_info_pdu(rdpRdp * rdp,wStream * s)839 static BOOL rdp_recv_server_status_info_pdu(rdpRdp* rdp, wStream* s)
840 {
841 UINT32 statusCode;
842
843 if (Stream_GetRemainingLength(s) < 4)
844 return FALSE;
845
846 Stream_Read_UINT32(s, statusCode); /* statusCode (4 bytes) */
847
848 if (rdp->update->ServerStatusInfo)
849 return rdp->update->ServerStatusInfo(rdp->context, statusCode);
850
851 return TRUE;
852 }
853
rdp_recv_monitor_layout_pdu(rdpRdp * rdp,wStream * s)854 static BOOL rdp_recv_monitor_layout_pdu(rdpRdp* rdp, wStream* s)
855 {
856 UINT32 index;
857 UINT32 monitorCount;
858 MONITOR_DEF* monitor;
859 MONITOR_DEF* monitorDefArray;
860 BOOL ret = TRUE;
861
862 if (Stream_GetRemainingLength(s) < 4)
863 return FALSE;
864
865 Stream_Read_UINT32(s, monitorCount); /* monitorCount (4 bytes) */
866
867 if ((Stream_GetRemainingLength(s) / 20) < monitorCount)
868 return FALSE;
869
870 monitorDefArray = (MONITOR_DEF*)calloc(monitorCount, sizeof(MONITOR_DEF));
871
872 if (!monitorDefArray)
873 return FALSE;
874
875 for (monitor = monitorDefArray, index = 0; index < monitorCount; index++, monitor++)
876 {
877 Stream_Read_UINT32(s, monitor->left); /* left (4 bytes) */
878 Stream_Read_UINT32(s, monitor->top); /* top (4 bytes) */
879 Stream_Read_UINT32(s, monitor->right); /* right (4 bytes) */
880 Stream_Read_UINT32(s, monitor->bottom); /* bottom (4 bytes) */
881 Stream_Read_UINT32(s, monitor->flags); /* flags (4 bytes) */
882 }
883
884 IFCALLRET(rdp->update->RemoteMonitors, ret, rdp->context, monitorCount, monitorDefArray);
885 free(monitorDefArray);
886 return ret;
887 }
888
rdp_recv_data_pdu(rdpRdp * rdp,wStream * s)889 int rdp_recv_data_pdu(rdpRdp* rdp, wStream* s)
890 {
891 BYTE type;
892 wStream* cs;
893 UINT16 length;
894 UINT32 shareId;
895 BYTE compressedType;
896 UINT16 compressedLength;
897
898 if (!rdp_read_share_data_header(s, &length, &type, &shareId, &compressedType,
899 &compressedLength))
900 {
901 WLog_ERR(TAG, "rdp_read_share_data_header() failed");
902 return -1;
903 }
904
905 cs = s;
906
907 if (compressedType & PACKET_COMPRESSED)
908 {
909 UINT32 DstSize = 0;
910 BYTE* pDstData = NULL;
911 UINT16 SrcSize = compressedLength - 18;
912
913 if ((compressedLength < 18) || (Stream_GetRemainingLength(s) < SrcSize))
914 {
915 WLog_ERR(TAG, "bulk_decompress: not enough bytes for compressedLength %" PRIu16 "",
916 compressedLength);
917 return -1;
918 }
919
920 if (bulk_decompress(rdp->bulk, Stream_Pointer(s), SrcSize, &pDstData, &DstSize,
921 compressedType))
922 {
923 if (!(cs = StreamPool_Take(rdp->transport->ReceivePool, DstSize)))
924 {
925 WLog_ERR(TAG, "Couldn't take stream from pool");
926 return -1;
927 }
928
929 Stream_SetPosition(cs, 0);
930 Stream_Write(cs, pDstData, DstSize);
931 Stream_SealLength(cs);
932 Stream_SetPosition(cs, 0);
933 }
934 else
935 {
936 WLog_ERR(TAG, "bulk_decompress() failed");
937 return -1;
938 }
939
940 Stream_Seek(s, SrcSize);
941 }
942
943 WLog_DBG(TAG, "recv %s Data PDU (0x%02" PRIX8 "), length: %" PRIu16 "",
944 data_pdu_type_to_string(type), type, length);
945
946 switch (type)
947 {
948 case DATA_PDU_TYPE_UPDATE:
949 if (!update_recv(rdp->update, cs))
950 {
951 WLog_ERR(TAG, "DATA_PDU_TYPE_UPDATE - update_recv() failed");
952 goto out_fail;
953 }
954
955 break;
956
957 case DATA_PDU_TYPE_CONTROL:
958 if (!rdp_recv_server_control_pdu(rdp, cs))
959 {
960 WLog_ERR(TAG, "DATA_PDU_TYPE_CONTROL - rdp_recv_server_control_pdu() failed");
961 goto out_fail;
962 }
963
964 break;
965
966 case DATA_PDU_TYPE_POINTER:
967 if (!update_recv_pointer(rdp->update, cs))
968 {
969 WLog_ERR(TAG, "DATA_PDU_TYPE_POINTER - update_recv_pointer() failed");
970 goto out_fail;
971 }
972
973 break;
974
975 case DATA_PDU_TYPE_SYNCHRONIZE:
976 if (!rdp_recv_synchronize_pdu(rdp, cs))
977 {
978 WLog_ERR(TAG, "DATA_PDU_TYPE_SYNCHRONIZE - rdp_recv_synchronize_pdu() failed");
979 goto out_fail;
980 }
981
982 break;
983
984 case DATA_PDU_TYPE_PLAY_SOUND:
985 if (!update_recv_play_sound(rdp->update, cs))
986 {
987 WLog_ERR(TAG, "DATA_PDU_TYPE_PLAY_SOUND - update_recv_play_sound() failed");
988 goto out_fail;
989 }
990
991 break;
992
993 case DATA_PDU_TYPE_SHUTDOWN_DENIED:
994 if (!rdp_recv_server_shutdown_denied_pdu(rdp, cs))
995 {
996 WLog_ERR(
997 TAG,
998 "DATA_PDU_TYPE_SHUTDOWN_DENIED - rdp_recv_server_shutdown_denied_pdu() failed");
999 goto out_fail;
1000 }
1001
1002 break;
1003
1004 case DATA_PDU_TYPE_SAVE_SESSION_INFO:
1005 if (!rdp_recv_save_session_info(rdp, cs))
1006 {
1007 WLog_ERR(TAG,
1008 "DATA_PDU_TYPE_SAVE_SESSION_INFO - rdp_recv_save_session_info() failed");
1009 goto out_fail;
1010 }
1011
1012 break;
1013
1014 case DATA_PDU_TYPE_FONT_MAP:
1015 if (!rdp_recv_font_map_pdu(rdp, cs))
1016 {
1017 WLog_ERR(TAG, "DATA_PDU_TYPE_FONT_MAP - rdp_recv_font_map_pdu() failed");
1018 goto out_fail;
1019 }
1020
1021 break;
1022
1023 case DATA_PDU_TYPE_SET_KEYBOARD_INDICATORS:
1024 if (!rdp_recv_server_set_keyboard_indicators_pdu(rdp, cs))
1025 {
1026 WLog_ERR(TAG, "DATA_PDU_TYPE_SET_KEYBOARD_INDICATORS - "
1027 "rdp_recv_server_set_keyboard_indicators_pdu() failed");
1028 goto out_fail;
1029 }
1030
1031 break;
1032
1033 case DATA_PDU_TYPE_SET_KEYBOARD_IME_STATUS:
1034 if (!rdp_recv_server_set_keyboard_ime_status_pdu(rdp, cs))
1035 {
1036 WLog_ERR(TAG, "DATA_PDU_TYPE_SET_KEYBOARD_IME_STATUS - "
1037 "rdp_recv_server_set_keyboard_ime_status_pdu() failed");
1038 goto out_fail;
1039 }
1040
1041 break;
1042
1043 case DATA_PDU_TYPE_SET_ERROR_INFO:
1044 if (!rdp_recv_set_error_info_data_pdu(rdp, cs))
1045 {
1046 WLog_ERR(
1047 TAG,
1048 "DATA_PDU_TYPE_SET_ERROR_INFO - rdp_recv_set_error_info_data_pdu() failed");
1049 goto out_fail;
1050 }
1051
1052 break;
1053
1054 case DATA_PDU_TYPE_ARC_STATUS:
1055 if (!rdp_recv_server_auto_reconnect_status_pdu(rdp, cs))
1056 {
1057 WLog_ERR(TAG, "DATA_PDU_TYPE_ARC_STATUS - "
1058 "rdp_recv_server_auto_reconnect_status_pdu() failed");
1059 goto out_fail;
1060 }
1061
1062 break;
1063
1064 case DATA_PDU_TYPE_STATUS_INFO:
1065 if (!rdp_recv_server_status_info_pdu(rdp, cs))
1066 {
1067 WLog_ERR(TAG,
1068 "DATA_PDU_TYPE_STATUS_INFO - rdp_recv_server_status_info_pdu() failed");
1069 goto out_fail;
1070 }
1071
1072 break;
1073
1074 case DATA_PDU_TYPE_MONITOR_LAYOUT:
1075 if (!rdp_recv_monitor_layout_pdu(rdp, cs))
1076 {
1077 WLog_ERR(TAG,
1078 "DATA_PDU_TYPE_MONITOR_LAYOUT - rdp_recv_monitor_layout_pdu() failed");
1079 goto out_fail;
1080 }
1081
1082 break;
1083
1084 default:
1085 break;
1086 }
1087
1088 if (cs != s)
1089 Stream_Release(cs);
1090
1091 return 0;
1092 out_fail:
1093
1094 if (cs != s)
1095 Stream_Release(cs);
1096
1097 return -1;
1098 }
1099
rdp_recv_message_channel_pdu(rdpRdp * rdp,wStream * s,UINT16 securityFlags)1100 int rdp_recv_message_channel_pdu(rdpRdp* rdp, wStream* s, UINT16 securityFlags)
1101 {
1102 if (securityFlags & SEC_AUTODETECT_REQ)
1103 {
1104 /* Server Auto-Detect Request PDU */
1105 return rdp_recv_autodetect_request_packet(rdp, s);
1106 }
1107
1108 if (securityFlags & SEC_AUTODETECT_RSP)
1109 {
1110 /* Client Auto-Detect Response PDU */
1111 return rdp_recv_autodetect_response_packet(rdp, s);
1112 }
1113
1114 if (securityFlags & SEC_HEARTBEAT)
1115 {
1116 /* Heartbeat PDU */
1117 return rdp_recv_heartbeat_packet(rdp, s);
1118 }
1119
1120 if (securityFlags & SEC_TRANSPORT_REQ)
1121 {
1122 /* Initiate Multitransport Request PDU */
1123 return rdp_recv_multitransport_packet(rdp, s);
1124 }
1125
1126 return -1;
1127 }
1128
rdp_recv_out_of_sequence_pdu(rdpRdp * rdp,wStream * s)1129 int rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, wStream* s)
1130 {
1131 UINT16 type;
1132 UINT16 length;
1133 UINT16 channelId;
1134
1135 if (!rdp_read_share_control_header(s, &length, NULL, &type, &channelId))
1136 return -1;
1137
1138 if (type == PDU_TYPE_DATA)
1139 {
1140 return rdp_recv_data_pdu(rdp, s);
1141 }
1142 else if (type == PDU_TYPE_SERVER_REDIRECTION)
1143 {
1144 return rdp_recv_enhanced_security_redirection_packet(rdp, s);
1145 }
1146 else if (type == PDU_TYPE_FLOW_RESPONSE || type == PDU_TYPE_FLOW_STOP ||
1147 type == PDU_TYPE_FLOW_TEST)
1148 {
1149 return 0;
1150 }
1151 else
1152 {
1153 return -1;
1154 }
1155 }
1156
rdp_read_flow_control_pdu(wStream * s,UINT16 * type,UINT16 * channel_id)1157 BOOL rdp_read_flow_control_pdu(wStream* s, UINT16* type, UINT16* channel_id)
1158 {
1159 /*
1160 * Read flow control PDU - documented in FlowPDU section in T.128
1161 * http://www.itu.int/rec/T-REC-T.128-199802-S/en
1162 * The specification for the PDU has pad8bits listed BEFORE pduTypeFlow.
1163 * However, so far pad8bits has always been observed to arrive AFTER pduTypeFlow.
1164 * Switched the order of these two fields to match this observation.
1165 */
1166 UINT8 pduType;
1167 if (!type)
1168 return FALSE;
1169 if (Stream_GetRemainingLength(s) < 6)
1170 return FALSE;
1171 Stream_Read_UINT8(s, pduType); /* pduTypeFlow */
1172 *type = pduType;
1173 Stream_Seek_UINT8(s); /* pad8bits */
1174 Stream_Seek_UINT8(s); /* flowIdentifier */
1175 Stream_Seek_UINT8(s); /* flowNumber */
1176 Stream_Read_UINT16(s, *channel_id); /* pduSource */
1177 return TRUE;
1178 }
1179
1180 /**
1181 * Decrypt an RDP packet.\n
1182 * @param rdp RDP module
1183 * @param s stream
1184 * @param length int
1185 */
1186
rdp_decrypt(rdpRdp * rdp,wStream * s,UINT16 * pLength,UINT16 securityFlags)1187 BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, UINT16* pLength, UINT16 securityFlags)
1188 {
1189 BYTE cmac[8];
1190 BYTE wmac[8];
1191 BOOL status;
1192 INT32 length;
1193
1194 if (!rdp || !s || !pLength)
1195 return FALSE;
1196
1197 length = *pLength;
1198 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1199 {
1200 UINT16 len;
1201 BYTE version, pad;
1202 BYTE* sig;
1203 INT64 padLength;
1204
1205 if (Stream_GetRemainingLength(s) < 12)
1206 return FALSE;
1207
1208 Stream_Read_UINT16(s, len); /* 0x10 */
1209 Stream_Read_UINT8(s, version); /* 0x1 */
1210 Stream_Read_UINT8(s, pad);
1211 sig = Stream_Pointer(s);
1212 Stream_Seek(s, 8); /* signature */
1213 length -= 12;
1214 padLength = length - pad;
1215
1216 if ((length <= 0) || (padLength <= 0))
1217 return FALSE;
1218
1219 if (!security_fips_decrypt(Stream_Pointer(s), length, rdp))
1220 {
1221 WLog_ERR(TAG, "FATAL: cannot decrypt");
1222 return FALSE; /* TODO */
1223 }
1224
1225 if (!security_fips_check_signature(Stream_Pointer(s), length - pad, sig, rdp))
1226 {
1227 WLog_ERR(TAG, "FATAL: invalid packet signature");
1228 return FALSE; /* TODO */
1229 }
1230
1231 Stream_SetLength(s, Stream_Length(s) - pad);
1232 *pLength = padLength;
1233 return TRUE;
1234 }
1235
1236 if (Stream_GetRemainingLength(s) < sizeof(wmac))
1237 return FALSE;
1238
1239 Stream_Read(s, wmac, sizeof(wmac));
1240 length -= sizeof(wmac);
1241
1242 if (length <= 0)
1243 return FALSE;
1244
1245 if (!security_decrypt(Stream_Pointer(s), length, rdp))
1246 return FALSE;
1247
1248 if (securityFlags & SEC_SECURE_CHECKSUM)
1249 status = security_salted_mac_signature(rdp, Stream_Pointer(s), length, FALSE, cmac);
1250 else
1251 status = security_mac_signature(rdp, Stream_Pointer(s), length, cmac);
1252
1253 if (!status)
1254 return FALSE;
1255
1256 if (memcmp(wmac, cmac, sizeof(wmac)) != 0)
1257 {
1258 WLog_ERR(TAG, "WARNING: invalid packet signature");
1259 /*
1260 * Because Standard RDP Security is totally broken,
1261 * and cannot protect against MITM, don't treat signature
1262 * verification failure as critical. This at least enables
1263 * us to work with broken RDP clients and servers that
1264 * generate invalid signatures.
1265 */
1266 // return FALSE;
1267 }
1268
1269 *pLength = length;
1270 return TRUE;
1271 }
1272
pdu_type_to_str(UINT16 pduType)1273 const char* pdu_type_to_str(UINT16 pduType)
1274 {
1275 static char buffer[1024] = { 0 };
1276 switch (pduType)
1277 {
1278 case PDU_TYPE_DEMAND_ACTIVE:
1279 return "PDU_TYPE_DEMAND_ACTIVE";
1280 case PDU_TYPE_CONFIRM_ACTIVE:
1281 return "PDU_TYPE_CONFIRM_ACTIVE";
1282 case PDU_TYPE_DEACTIVATE_ALL:
1283 return "PDU_TYPE_DEACTIVATE_ALL";
1284 case PDU_TYPE_DATA:
1285 return "PDU_TYPE_DATA";
1286 case PDU_TYPE_SERVER_REDIRECTION:
1287 return "PDU_TYPE_SERVER_REDIRECTION";
1288 case PDU_TYPE_FLOW_TEST:
1289 return "PDU_TYPE_FLOW_TEST";
1290 case PDU_TYPE_FLOW_RESPONSE:
1291 return "PDU_TYPE_FLOW_RESPONSE";
1292 case PDU_TYPE_FLOW_STOP:
1293 return "PDU_TYPE_FLOW_STOP";
1294 default:
1295 _snprintf(buffer, sizeof(buffer), "UNKNOWN %04" PRIx16, pduType);
1296 return buffer;
1297 }
1298 }
1299
1300 /**
1301 * Process an RDP packet.\n
1302 * @param rdp RDP module
1303 * @param s stream
1304 */
1305
rdp_recv_tpkt_pdu(rdpRdp * rdp,wStream * s)1306 static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)
1307 {
1308 int rc = 0;
1309 UINT16 length;
1310 UINT16 pduType;
1311 UINT16 pduSource;
1312 UINT16 channelId = 0;
1313 UINT16 securityFlags = 0;
1314
1315 if (!rdp_read_header(rdp, s, &length, &channelId))
1316 {
1317 WLog_ERR(TAG, "Incorrect RDP header.");
1318 return -1;
1319 }
1320
1321 if (freerdp_shall_disconnect(rdp->instance))
1322 return 0;
1323
1324 if (rdp->autodetect->bandwidthMeasureStarted)
1325 {
1326 rdp->autodetect->bandwidthMeasureByteCount += length;
1327 }
1328
1329 if (rdp->settings->UseRdpSecurityLayer)
1330 {
1331 if (!rdp_read_security_header(s, &securityFlags, &length))
1332 {
1333 WLog_ERR(TAG, "rdp_recv_tpkt_pdu: rdp_read_security_header() fail");
1334 return -1;
1335 }
1336
1337 if (securityFlags & (SEC_ENCRYPT | SEC_REDIRECTION_PKT))
1338 {
1339 if (!rdp_decrypt(rdp, s, &length, securityFlags))
1340 {
1341 WLog_ERR(TAG, "rdp_decrypt failed");
1342 return -1;
1343 }
1344 }
1345
1346 if (securityFlags & SEC_REDIRECTION_PKT)
1347 {
1348 /*
1349 * [MS-RDPBCGR] 2.2.13.2.1
1350 * - no share control header, nor the 2 byte pad
1351 */
1352 Stream_Rewind(s, 2);
1353 rdp->inPackets++;
1354
1355 rc = rdp_recv_enhanced_security_redirection_packet(rdp, s);
1356 goto out;
1357 }
1358 }
1359
1360 if (channelId == MCS_GLOBAL_CHANNEL_ID)
1361 {
1362 while (Stream_GetRemainingLength(s) > 3)
1363 {
1364 wStream sub;
1365 size_t diff;
1366 UINT16 remain;
1367
1368 if (!rdp_read_share_control_header(s, NULL, &remain, &pduType, &pduSource))
1369 {
1370 WLog_ERR(TAG, "rdp_recv_tpkt_pdu: rdp_read_share_control_header() fail");
1371 return -1;
1372 }
1373
1374 Stream_StaticInit(&sub, Stream_Pointer(s), remain);
1375 if (!Stream_SafeSeek(s, remain))
1376 return -1;
1377
1378 rdp->settings->PduSource = pduSource;
1379 rdp->inPackets++;
1380
1381 switch (pduType)
1382 {
1383 case PDU_TYPE_DATA:
1384 rc = rdp_recv_data_pdu(rdp, &sub);
1385 if (rc < 0)
1386 return rc;
1387 break;
1388
1389 case PDU_TYPE_DEACTIVATE_ALL:
1390 if (!rdp_recv_deactivate_all(rdp, &sub))
1391 {
1392 WLog_ERR(TAG, "rdp_recv_tpkt_pdu: rdp_recv_deactivate_all() fail");
1393 return -1;
1394 }
1395
1396 break;
1397
1398 case PDU_TYPE_SERVER_REDIRECTION:
1399 return rdp_recv_enhanced_security_redirection_packet(rdp, &sub);
1400
1401 case PDU_TYPE_FLOW_RESPONSE:
1402 case PDU_TYPE_FLOW_STOP:
1403 case PDU_TYPE_FLOW_TEST:
1404 WLog_DBG(TAG, "flow message 0x%04" PRIX16 "", pduType);
1405 /* http://msdn.microsoft.com/en-us/library/cc240576.aspx */
1406 if (!Stream_SafeSeek(&sub, remain))
1407 return -1;
1408 break;
1409
1410 default:
1411 WLog_ERR(TAG, "incorrect PDU type: 0x%04" PRIX16 "", pduType);
1412 break;
1413 }
1414
1415 diff = Stream_GetRemainingLength(&sub);
1416 if (diff > 0)
1417 {
1418 WLog_WARN(TAG,
1419 "pduType %s not properly parsed, %" PRIdz
1420 " bytes remaining unhandled. Skipping.",
1421 pdu_type_to_str(pduType), diff);
1422 }
1423 }
1424 }
1425 else if (rdp->mcs->messageChannelId && (channelId == rdp->mcs->messageChannelId))
1426 {
1427 if (!rdp->settings->UseRdpSecurityLayer)
1428 if (!rdp_read_security_header(s, &securityFlags, NULL))
1429 return -1;
1430 rdp->inPackets++;
1431 rc = rdp_recv_message_channel_pdu(rdp, s, securityFlags);
1432 }
1433 else
1434 {
1435 rdp->inPackets++;
1436
1437 if (!freerdp_channel_process(rdp->instance, s, channelId, length))
1438 return -1;
1439 }
1440
1441 out:
1442 if (!tpkt_ensure_stream_consumed(s, length))
1443 return -1;
1444 return rc;
1445 }
1446
rdp_recv_fastpath_pdu(rdpRdp * rdp,wStream * s)1447 static int rdp_recv_fastpath_pdu(rdpRdp* rdp, wStream* s)
1448 {
1449 UINT16 length;
1450 rdpFastPath* fastpath;
1451 fastpath = rdp->fastpath;
1452
1453 if (!fastpath_read_header_rdp(fastpath, s, &length))
1454 {
1455 WLog_ERR(TAG, "rdp_recv_fastpath_pdu: fastpath_read_header_rdp() fail");
1456 return -1;
1457 }
1458
1459 if ((length == 0) || (length > Stream_GetRemainingLength(s)))
1460 {
1461 WLog_ERR(TAG, "incorrect FastPath PDU header length %" PRIu16 "", length);
1462 return -1;
1463 }
1464
1465 if (rdp->autodetect->bandwidthMeasureStarted)
1466 {
1467 rdp->autodetect->bandwidthMeasureByteCount += length;
1468 }
1469
1470 if (fastpath->encryptionFlags & FASTPATH_OUTPUT_ENCRYPTED)
1471 {
1472 UINT16 flags =
1473 (fastpath->encryptionFlags & FASTPATH_OUTPUT_SECURE_CHECKSUM) ? SEC_SECURE_CHECKSUM : 0;
1474
1475 if (!rdp_decrypt(rdp, s, &length, flags))
1476 {
1477 WLog_ERR(TAG, "rdp_recv_fastpath_pdu: rdp_decrypt() fail");
1478 return -1;
1479 }
1480 }
1481
1482 return fastpath_recv_updates(rdp->fastpath, s);
1483 }
1484
rdp_recv_pdu(rdpRdp * rdp,wStream * s)1485 static int rdp_recv_pdu(rdpRdp* rdp, wStream* s)
1486 {
1487 if (tpkt_verify_header(s))
1488 return rdp_recv_tpkt_pdu(rdp, s);
1489 else
1490 return rdp_recv_fastpath_pdu(rdp, s);
1491 }
1492
rdp_recv_callback(rdpTransport * transport,wStream * s,void * extra)1493 int rdp_recv_callback(rdpTransport* transport, wStream* s, void* extra)
1494 {
1495 int status = 0;
1496 rdpRdp* rdp = (rdpRdp*)extra;
1497
1498 /*
1499 * At any point in the connection sequence between when all
1500 * MCS channels have been joined and when the RDP connection
1501 * enters the active state, an auto-detect PDU can be received
1502 * on the MCS message channel.
1503 */
1504 if ((rdp->state > CONNECTION_STATE_MCS_CHANNEL_JOIN) && (rdp->state < CONNECTION_STATE_ACTIVE))
1505 {
1506 if (rdp_client_connect_auto_detect(rdp, s))
1507 return 0;
1508 }
1509
1510 switch (rdp->state)
1511 {
1512 case CONNECTION_STATE_NLA:
1513 if (nla_get_state(rdp->nla) < NLA_STATE_AUTH_INFO)
1514 {
1515 if (nla_recv_pdu(rdp->nla, s) < 1)
1516 {
1517 WLog_ERR(TAG, "%s: %s - nla_recv_pdu() fail", __FUNCTION__,
1518 rdp_server_connection_state_string(rdp->state));
1519 return -1;
1520 }
1521 }
1522 else if (nla_get_state(rdp->nla) == NLA_STATE_POST_NEGO)
1523 {
1524 nego_recv(rdp->transport, s, (void*)rdp->nego);
1525
1526 if (nego_get_state(rdp->nego) != NEGO_STATE_FINAL)
1527 {
1528 WLog_ERR(TAG, "%s: %s - nego_recv() fail", __FUNCTION__,
1529 rdp_server_connection_state_string(rdp->state));
1530 return -1;
1531 }
1532
1533 if (!nla_set_state(rdp->nla, NLA_STATE_FINAL))
1534 return -1;
1535 }
1536
1537 if (nla_get_state(rdp->nla) == NLA_STATE_AUTH_INFO)
1538 {
1539 transport_set_nla_mode(rdp->transport, FALSE);
1540
1541 if (rdp->settings->VmConnectMode)
1542 {
1543 if (!nego_set_state(rdp->nego, NEGO_STATE_NLA))
1544 return -1;
1545
1546 if (!nego_set_requested_protocols(rdp->nego, PROTOCOL_HYBRID | PROTOCOL_SSL))
1547 return -1;
1548
1549 nego_send_negotiation_request(rdp->nego);
1550
1551 if (!nla_set_state(rdp->nla, NLA_STATE_POST_NEGO))
1552 return -1;
1553 }
1554 else
1555 {
1556 if (!nla_set_state(rdp->nla, NLA_STATE_FINAL))
1557 return -1;
1558 }
1559 }
1560
1561 if (nla_get_state(rdp->nla) == NLA_STATE_FINAL)
1562 {
1563 nla_free(rdp->nla);
1564 rdp->nla = NULL;
1565
1566 if (!mcs_client_begin(rdp->mcs))
1567 {
1568 WLog_ERR(TAG, "%s: %s - mcs_client_begin() fail", __FUNCTION__,
1569 rdp_server_connection_state_string(rdp->state));
1570 return -1;
1571 }
1572 }
1573
1574 break;
1575
1576 case CONNECTION_STATE_MCS_CONNECT:
1577 if (!mcs_recv_connect_response(rdp->mcs, s))
1578 {
1579 WLog_ERR(TAG, "mcs_recv_connect_response failure");
1580 return -1;
1581 }
1582
1583 if (!mcs_send_erect_domain_request(rdp->mcs))
1584 {
1585 WLog_ERR(TAG, "mcs_send_erect_domain_request failure");
1586 return -1;
1587 }
1588
1589 if (!mcs_send_attach_user_request(rdp->mcs))
1590 {
1591 WLog_ERR(TAG, "mcs_send_attach_user_request failure");
1592 return -1;
1593 }
1594
1595 rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_ATTACH_USER);
1596 break;
1597
1598 case CONNECTION_STATE_MCS_ATTACH_USER:
1599 if (!mcs_recv_attach_user_confirm(rdp->mcs, s))
1600 {
1601 WLog_ERR(TAG, "mcs_recv_attach_user_confirm failure");
1602 return -1;
1603 }
1604
1605 if (!mcs_send_channel_join_request(rdp->mcs, rdp->mcs->userId))
1606 {
1607 WLog_ERR(TAG, "mcs_send_channel_join_request failure");
1608 return -1;
1609 }
1610
1611 rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN);
1612 break;
1613
1614 case CONNECTION_STATE_MCS_CHANNEL_JOIN:
1615 if (!rdp_client_connect_mcs_channel_join_confirm(rdp, s))
1616 {
1617 WLog_ERR(TAG,
1618 "%s: %s - "
1619 "rdp_client_connect_mcs_channel_join_confirm() fail",
1620 __FUNCTION__, rdp_server_connection_state_string(rdp->state));
1621 status = -1;
1622 }
1623
1624 break;
1625
1626 case CONNECTION_STATE_LICENSING:
1627 status = rdp_client_connect_license(rdp, s);
1628
1629 if (status < 0)
1630 WLog_DBG(TAG, "%s: %s - rdp_client_connect_license() - %i", __FUNCTION__,
1631 rdp_server_connection_state_string(rdp->state), status);
1632
1633 break;
1634
1635 case CONNECTION_STATE_CAPABILITIES_EXCHANGE:
1636 status = rdp_client_connect_demand_active(rdp, s);
1637
1638 if (status < 0)
1639 WLog_DBG(TAG,
1640 "%s: %s - "
1641 "rdp_client_connect_demand_active() - %i",
1642 __FUNCTION__, rdp_server_connection_state_string(rdp->state), status);
1643
1644 break;
1645
1646 case CONNECTION_STATE_FINALIZATION:
1647 status = rdp_recv_pdu(rdp, s);
1648
1649 if ((status >= 0) && (rdp->finalize_sc_pdus == FINALIZE_SC_COMPLETE))
1650 {
1651 rdp_client_transition_to_state(rdp, CONNECTION_STATE_ACTIVE);
1652 return 2;
1653 }
1654
1655 if (status < 0)
1656 WLog_DBG(TAG, "%s: %s - rdp_recv_pdu() - %i", __FUNCTION__,
1657 rdp_server_connection_state_string(rdp->state), status);
1658
1659 break;
1660
1661 case CONNECTION_STATE_ACTIVE:
1662 status = rdp_recv_pdu(rdp, s);
1663
1664 if (status < 0)
1665 WLog_DBG(TAG, "%s: %s - rdp_recv_pdu() - %i", __FUNCTION__,
1666 rdp_server_connection_state_string(rdp->state), status);
1667
1668 break;
1669
1670 default:
1671 WLog_ERR(TAG, "%s: %s state %d", __FUNCTION__,
1672 rdp_server_connection_state_string(rdp->state), rdp->state);
1673 status = -1;
1674 break;
1675 }
1676
1677 return status;
1678 }
1679
rdp_send_channel_data(rdpRdp * rdp,UINT16 channelId,const BYTE * data,size_t size)1680 BOOL rdp_send_channel_data(rdpRdp* rdp, UINT16 channelId, const BYTE* data, size_t size)
1681 {
1682 return freerdp_channel_send(rdp, channelId, data, size);
1683 }
1684
rdp_send_error_info(rdpRdp * rdp)1685 BOOL rdp_send_error_info(rdpRdp* rdp)
1686 {
1687 wStream* s;
1688 BOOL status;
1689
1690 if (rdp->errorInfo == ERRINFO_SUCCESS)
1691 return TRUE;
1692
1693 s = rdp_data_pdu_init(rdp);
1694
1695 if (!s)
1696 return FALSE;
1697
1698 Stream_Write_UINT32(s, rdp->errorInfo); /* error id (4 bytes) */
1699 status = rdp_send_data_pdu(rdp, s, DATA_PDU_TYPE_SET_ERROR_INFO, 0);
1700 return status;
1701 }
1702
rdp_check_fds(rdpRdp * rdp)1703 int rdp_check_fds(rdpRdp* rdp)
1704 {
1705 int status;
1706 rdpTransport* transport = rdp->transport;
1707
1708 if (transport->tsg)
1709 {
1710 rdpTsg* tsg = transport->tsg;
1711
1712 if (!tsg_check_event_handles(tsg))
1713 {
1714 WLog_ERR(TAG, "rdp_check_fds: tsg_check_event_handles()");
1715 return -1;
1716 }
1717
1718 if (tsg_get_state(tsg) != TSG_STATE_PIPE_CREATED)
1719 return 1;
1720 }
1721
1722 status = transport_check_fds(transport);
1723
1724 if (status == 1)
1725 {
1726 if (!rdp_client_redirect(rdp)) /* session redirection */
1727 return -1;
1728 }
1729
1730 if (status < 0)
1731 WLog_DBG(TAG, "transport_check_fds() - %i", status);
1732
1733 return status;
1734 }
1735
freerdp_get_stats(rdpRdp * rdp,UINT64 * inBytes,UINT64 * outBytes,UINT64 * inPackets,UINT64 * outPackets)1736 BOOL freerdp_get_stats(rdpRdp* rdp, UINT64* inBytes, UINT64* outBytes, UINT64* inPackets,
1737 UINT64* outPackets)
1738 {
1739 if (!rdp)
1740 return FALSE;
1741
1742 if (inBytes)
1743 *inBytes = rdp->inBytes;
1744 if (outBytes)
1745 *outBytes = rdp->outBytes;
1746 if (inPackets)
1747 *inPackets = rdp->inPackets;
1748 if (outPackets)
1749 *outPackets = rdp->outPackets;
1750
1751 return TRUE;
1752 }
1753
1754 /**
1755 * Instantiate new RDP module.
1756 * @return new RDP module
1757 */
1758
rdp_new(rdpContext * context)1759 rdpRdp* rdp_new(rdpContext* context)
1760 {
1761 rdpRdp* rdp;
1762 DWORD flags;
1763 BOOL newSettings = FALSE;
1764 rdp = (rdpRdp*)calloc(1, sizeof(rdpRdp));
1765
1766 if (!rdp)
1767 return NULL;
1768
1769 InitializeCriticalSection(&rdp->critical);
1770 rdp->context = context;
1771 rdp->instance = context->instance;
1772 flags = 0;
1773
1774 if (context->ServerMode)
1775 flags |= FREERDP_SETTINGS_SERVER_MODE;
1776
1777 if (!context->settings)
1778 {
1779 context->settings = freerdp_settings_new(flags);
1780
1781 if (!context->settings)
1782 goto fail;
1783
1784 newSettings = TRUE;
1785 }
1786
1787 rdp->settings = context->settings;
1788
1789 if (context->instance)
1790 {
1791 rdp->settings->instance = context->instance;
1792 context->instance->settings = rdp->settings;
1793 }
1794 else if (context->peer)
1795 {
1796 rdp->settings->instance = context->peer;
1797 context->peer->settings = rdp->settings;
1798 }
1799
1800 rdp->transport = transport_new(context);
1801
1802 if (!rdp->transport)
1803 goto fail;
1804
1805 rdp->license = license_new(rdp);
1806
1807 if (!rdp->license)
1808 goto fail;
1809
1810 rdp->input = input_new(rdp);
1811
1812 if (!rdp->input)
1813 goto fail;
1814
1815 rdp->update = update_new(rdp);
1816
1817 if (!rdp->update)
1818 goto fail;
1819
1820 rdp->fastpath = fastpath_new(rdp);
1821
1822 if (!rdp->fastpath)
1823 goto fail;
1824
1825 rdp->nego = nego_new(rdp->transport);
1826
1827 if (!rdp->nego)
1828 goto fail;
1829
1830 rdp->mcs = mcs_new(rdp->transport);
1831
1832 if (!rdp->mcs)
1833 goto fail;
1834
1835 rdp->redirection = redirection_new();
1836
1837 if (!rdp->redirection)
1838 goto fail;
1839
1840 rdp->autodetect = autodetect_new();
1841
1842 if (!rdp->autodetect)
1843 goto fail;
1844
1845 rdp->heartbeat = heartbeat_new();
1846
1847 if (!rdp->heartbeat)
1848 goto fail;
1849
1850 rdp->multitransport = multitransport_new();
1851
1852 if (!rdp->multitransport)
1853 goto fail;
1854
1855 rdp->bulk = bulk_new(context);
1856
1857 if (!rdp->bulk)
1858 goto fail;
1859
1860 return rdp;
1861
1862 fail:
1863 rdp_free(rdp);
1864 return NULL;
1865 }
1866
rdp_reset(rdpRdp * rdp)1867 void rdp_reset(rdpRdp* rdp)
1868 {
1869 rdpContext* context;
1870 rdpSettings* settings;
1871 context = rdp->context;
1872 settings = rdp->settings;
1873 bulk_reset(rdp->bulk);
1874
1875 if (rdp->rc4_decrypt_key)
1876 {
1877 winpr_RC4_Free(rdp->rc4_decrypt_key);
1878 rdp->rc4_decrypt_key = NULL;
1879 }
1880
1881 if (rdp->rc4_encrypt_key)
1882 {
1883 winpr_RC4_Free(rdp->rc4_encrypt_key);
1884 rdp->rc4_encrypt_key = NULL;
1885 }
1886
1887 if (rdp->fips_encrypt)
1888 {
1889 winpr_Cipher_Free(rdp->fips_encrypt);
1890 rdp->fips_encrypt = NULL;
1891 }
1892
1893 if (rdp->fips_decrypt)
1894 {
1895 winpr_Cipher_Free(rdp->fips_decrypt);
1896 rdp->fips_decrypt = NULL;
1897 }
1898
1899 if (settings->ServerRandom)
1900 {
1901 free(settings->ServerRandom);
1902 settings->ServerRandom = NULL;
1903 settings->ServerRandomLength = 0;
1904 }
1905
1906 if (settings->ServerCertificate)
1907 {
1908 free(settings->ServerCertificate);
1909 settings->ServerCertificate = NULL;
1910 }
1911
1912 if (settings->ClientAddress)
1913 {
1914 free(settings->ClientAddress);
1915 settings->ClientAddress = NULL;
1916 }
1917
1918 mcs_free(rdp->mcs);
1919 nego_free(rdp->nego);
1920 license_free(rdp->license);
1921 transport_free(rdp->transport);
1922 fastpath_free(rdp->fastpath);
1923 rdp->transport = transport_new(context);
1924 rdp->license = license_new(rdp);
1925 rdp->nego = nego_new(rdp->transport);
1926 rdp->mcs = mcs_new(rdp->transport);
1927 rdp->fastpath = fastpath_new(rdp);
1928 rdp->transport->layer = TRANSPORT_LAYER_TCP;
1929 rdp->errorInfo = 0;
1930 rdp->deactivation_reactivation = 0;
1931 rdp->finalize_sc_pdus = 0;
1932 }
1933
1934 /**
1935 * Free RDP module.
1936 * @param rdp RDP module to be freed
1937 */
1938
rdp_free(rdpRdp * rdp)1939 void rdp_free(rdpRdp* rdp)
1940 {
1941 if (rdp)
1942 {
1943 DeleteCriticalSection(&rdp->critical);
1944 winpr_RC4_Free(rdp->rc4_decrypt_key);
1945 winpr_RC4_Free(rdp->rc4_encrypt_key);
1946 winpr_Cipher_Free(rdp->fips_encrypt);
1947 winpr_Cipher_Free(rdp->fips_decrypt);
1948 freerdp_settings_free(rdp->settings);
1949 transport_free(rdp->transport);
1950 license_free(rdp->license);
1951 input_free(rdp->input);
1952 update_free(rdp->update);
1953 fastpath_free(rdp->fastpath);
1954 nego_free(rdp->nego);
1955 mcs_free(rdp->mcs);
1956 nla_free(rdp->nla);
1957 redirection_free(rdp->redirection);
1958 autodetect_free(rdp->autodetect);
1959 heartbeat_free(rdp->heartbeat);
1960 multitransport_free(rdp->multitransport);
1961 bulk_free(rdp->bulk);
1962 free(rdp);
1963 }
1964 }
1965