2011-07-01 02:48:48 +04:00
|
|
|
/**
|
2012-10-09 07:02:04 +04:00
|
|
|
* FreeRDP: A Remote Desktop Protocol Implementation
|
2011-07-01 02:48:48 +04:00
|
|
|
* RDP Protocol Security Negotiation
|
|
|
|
|
*
|
|
|
|
|
* Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2012-08-15 01:09:01 +04:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
#include "config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include <freerdp/constants.h>
|
2011-07-01 02:48:48 +04:00
|
|
|
#include <freerdp/utils/memory.h>
|
2012-09-24 02:41:07 +04:00
|
|
|
#include <freerdp/utils/unicode.h>
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
#include "tpkt.h"
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
#include "nego.h"
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
#include "transport.h"
|
|
|
|
|
|
2011-12-01 02:40:36 +04:00
|
|
|
static const char* const NEGO_STATE_STRINGS[] =
|
2011-07-10 09:48:10 +04:00
|
|
|
{
|
|
|
|
|
"NEGO_STATE_INITIAL",
|
|
|
|
|
"NEGO_STATE_NLA",
|
|
|
|
|
"NEGO_STATE_TLS",
|
|
|
|
|
"NEGO_STATE_RDP",
|
|
|
|
|
"NEGO_STATE_FAIL",
|
|
|
|
|
"NEGO_STATE_FINAL"
|
|
|
|
|
};
|
|
|
|
|
|
2011-12-01 02:40:36 +04:00
|
|
|
static const char PROTOCOL_SECURITY_STRINGS[3][4] =
|
2011-07-10 09:48:10 +04:00
|
|
|
{
|
|
|
|
|
"RDP",
|
|
|
|
|
"TLS",
|
|
|
|
|
"NLA"
|
|
|
|
|
};
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_security_connect(rdpNego* nego);
|
2012-07-25 20:50:19 +04:00
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
/**
|
|
|
|
|
* Negotiate protocol security and connect.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_connect(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
|
|
|
|
if (nego->state == NEGO_STATE_INITIAL)
|
|
|
|
|
{
|
|
|
|
|
if (nego->enabled_protocols[PROTOCOL_NLA] > 0)
|
|
|
|
|
nego->state = NEGO_STATE_NLA;
|
|
|
|
|
else if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
|
|
|
|
|
nego->state = NEGO_STATE_TLS;
|
|
|
|
|
else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
|
|
|
|
|
nego->state = NEGO_STATE_RDP;
|
|
|
|
|
else
|
2012-07-25 14:29:49 +04:00
|
|
|
{
|
|
|
|
|
DEBUG_NEGO("No security protocol is enabled");
|
2011-07-01 02:48:48 +04:00
|
|
|
nego->state = NEGO_STATE_FAIL;
|
2012-07-25 14:29:49 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!nego->security_layer_negotiation_enabled)
|
|
|
|
|
{
|
|
|
|
|
DEBUG_NEGO("Security Layer Negotiation is disabled");
|
2012-08-01 00:58:41 +04:00
|
|
|
/* attempt only the highest enabled protocol (see nego_attempt_*) */
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_NLA] = 0;
|
|
|
|
|
nego->enabled_protocols[PROTOCOL_TLS] = 0;
|
|
|
|
|
nego->enabled_protocols[PROTOCOL_RDP] = 0;
|
|
|
|
|
if(nego->state == NEGO_STATE_NLA)
|
2012-08-01 00:58:41 +04:00
|
|
|
{
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_NLA] = 1;
|
2012-08-01 00:58:41 +04:00
|
|
|
nego->selected_protocol = PROTOCOL_NLA;
|
|
|
|
|
}
|
2012-07-25 14:29:49 +04:00
|
|
|
else if (nego->state == NEGO_STATE_TLS)
|
2012-08-01 00:58:41 +04:00
|
|
|
{
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_TLS] = 1;
|
2012-08-01 00:58:41 +04:00
|
|
|
nego->selected_protocol = PROTOCOL_TLS;
|
|
|
|
|
}
|
2012-07-25 14:29:49 +04:00
|
|
|
else if (nego->state == NEGO_STATE_RDP)
|
2012-08-01 00:58:41 +04:00
|
|
|
{
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_RDP] = 1;
|
2012-08-01 00:58:41 +04:00
|
|
|
nego->selected_protocol = PROTOCOL_RDP;
|
|
|
|
|
}
|
2012-07-25 14:29:49 +04:00
|
|
|
}
|
2012-07-25 20:46:43 +04:00
|
|
|
|
|
|
|
|
if(!nego_send_preconnection_pdu(nego))
|
|
|
|
|
{
|
|
|
|
|
DEBUG_NEGO("Failed to send preconnection information");
|
|
|
|
|
nego->state = NEGO_STATE_FINAL;
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2012-07-25 20:46:43 +04:00
|
|
|
}
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
do
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
|
|
|
|
|
|
2011-07-03 23:34:15 +04:00
|
|
|
nego_send(nego);
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
if (nego->state == NEGO_STATE_FAIL)
|
|
|
|
|
{
|
2011-07-07 21:37:48 +04:00
|
|
|
DEBUG_NEGO("Protocol Security Negotiation Failure");
|
2011-07-01 02:48:48 +04:00
|
|
|
nego->state = NEGO_STATE_FINAL;
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
}
|
2011-07-07 21:37:48 +04:00
|
|
|
while (nego->state != NEGO_STATE_FINAL);
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2011-07-03 23:34:15 +04:00
|
|
|
DEBUG_NEGO("Negotiated %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
/* update settings with negotiated protocol security */
|
2011-08-19 19:56:47 +04:00
|
|
|
nego->transport->settings->requested_protocols = nego->requested_protocols;
|
2011-07-07 21:37:48 +04:00
|
|
|
nego->transport->settings->selected_protocol = nego->selected_protocol;
|
2011-12-18 21:10:56 +04:00
|
|
|
nego->transport->settings->negotiationFlags = nego->flags;
|
2011-07-07 21:37:48 +04:00
|
|
|
|
2011-10-05 02:54:38 +04:00
|
|
|
if(nego->selected_protocol == PROTOCOL_RDP)
|
|
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
nego->transport->settings->encryption = TRUE;
|
2011-10-05 02:54:38 +04:00
|
|
|
nego->transport->settings->encryption_method = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
|
|
|
|
|
nego->transport->settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-25 20:50:19 +04:00
|
|
|
/* finally connect security layer (if not already done) */
|
|
|
|
|
if(!nego_security_connect(nego))
|
|
|
|
|
{
|
|
|
|
|
DEBUG_NEGO("Failed to connect with %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2012-07-25 20:50:19 +04:00
|
|
|
}
|
|
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
return TRUE;
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
/* connect to selected security layer */
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_security_connect(rdpNego* nego)
|
2012-07-25 14:29:49 +04:00
|
|
|
{
|
|
|
|
|
if(!nego->tcp_connected)
|
|
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
nego->security_connected = FALSE;
|
2012-07-25 14:29:49 +04:00
|
|
|
}
|
|
|
|
|
else if (!nego->security_connected)
|
|
|
|
|
{
|
2012-08-01 00:58:41 +04:00
|
|
|
if (nego->selected_protocol == PROTOCOL_NLA)
|
2012-07-27 16:43:57 +04:00
|
|
|
{
|
2012-08-01 00:58:41 +04:00
|
|
|
DEBUG_NEGO("nego_security_connect with PROTOCOL_NLA");
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->security_connected = transport_connect_nla(nego->transport);
|
2012-07-27 16:43:57 +04:00
|
|
|
}
|
2012-08-01 00:58:41 +04:00
|
|
|
else if (nego->selected_protocol == PROTOCOL_TLS )
|
2012-07-27 16:43:57 +04:00
|
|
|
{
|
2012-08-01 00:58:41 +04:00
|
|
|
DEBUG_NEGO("nego_security_connect with PROTOCOL_TLS");
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->security_connected = transport_connect_tls(nego->transport);
|
2012-07-27 16:43:57 +04:00
|
|
|
}
|
2012-08-01 00:58:41 +04:00
|
|
|
else if (nego->selected_protocol == PROTOCOL_RDP)
|
2012-07-27 16:43:57 +04:00
|
|
|
{
|
2012-08-01 00:58:41 +04:00
|
|
|
DEBUG_NEGO("nego_security_connect with PROTOCOL_RDP");
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->security_connected = transport_connect_rdp(nego->transport);
|
2012-07-27 16:43:57 +04:00
|
|
|
}
|
2012-08-01 01:07:48 +04:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
DEBUG_NEGO("cannot connect security layer because no protocol has been selected yet.");
|
|
|
|
|
}
|
2012-07-25 14:29:49 +04:00
|
|
|
}
|
|
|
|
|
return nego->security_connected;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
/**
|
|
|
|
|
* Connect TCP layer.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_tcp_connect(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2012-07-25 14:29:49 +04:00
|
|
|
if (!nego->tcp_connected)
|
|
|
|
|
nego->tcp_connected = transport_connect(nego->transport, nego->hostname, nego->port);
|
2012-09-09 01:49:37 +04:00
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
return nego->tcp_connected;
|
|
|
|
|
}
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
/**
|
|
|
|
|
* Connect TCP layer. For direct approach, connect security layer as well.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_transport_connect(rdpNego* nego)
|
2012-07-25 14:29:49 +04:00
|
|
|
{
|
|
|
|
|
nego_tcp_connect(nego);
|
|
|
|
|
|
|
|
|
|
if (nego->tcp_connected && !nego->security_layer_negotiation_enabled)
|
2012-07-25 20:46:43 +04:00
|
|
|
return nego_security_connect(nego);
|
2012-07-25 14:29:49 +04:00
|
|
|
|
|
|
|
|
return nego->tcp_connected;
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Disconnect TCP layer.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
int nego_transport_disconnect(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
|
|
|
|
if (nego->tcp_connected)
|
2011-07-03 20:42:35 +04:00
|
|
|
transport_disconnect(nego->transport);
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
nego->tcp_connected = 0;
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->security_connected = 0;
|
2012-09-09 01:49:37 +04:00
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-25 20:46:43 +04:00
|
|
|
/**
|
|
|
|
|
* Send preconnection information if enabled.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_send_preconnection_pdu(rdpNego* nego)
|
2012-07-25 20:46:43 +04:00
|
|
|
{
|
|
|
|
|
STREAM* s;
|
|
|
|
|
uint32 cbSize;
|
2012-10-09 11:01:37 +04:00
|
|
|
UINT16 cchPCB = 0;
|
2012-09-24 03:49:13 +04:00
|
|
|
WCHAR* wszPCB = NULL;
|
2012-07-25 20:46:43 +04:00
|
|
|
|
2012-07-29 03:30:21 +04:00
|
|
|
if (!nego->send_preconnection_pdu)
|
2012-10-09 10:31:28 +04:00
|
|
|
return TRUE;
|
2012-07-25 20:46:43 +04:00
|
|
|
|
|
|
|
|
DEBUG_NEGO("Sending preconnection PDU");
|
2012-07-29 03:30:21 +04:00
|
|
|
|
|
|
|
|
if (!nego_tcp_connect(nego))
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2012-07-25 20:46:43 +04:00
|
|
|
|
|
|
|
|
/* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
|
|
|
|
|
cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
|
2012-07-29 03:30:21 +04:00
|
|
|
|
|
|
|
|
if (nego->preconnection_blob)
|
|
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
cchPCB = (UINT16) freerdp_AsciiToUnicodeAlloc(nego->preconnection_blob, &wszPCB, 0);
|
2012-09-24 03:49:13 +04:00
|
|
|
cchPCB += 1; /* zero-termination */
|
|
|
|
|
cbSize += cchPCB * 2;
|
2012-07-25 20:46:43 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s = transport_send_stream_init(nego->transport, cbSize);
|
|
|
|
|
stream_write_uint32(s, cbSize); /* cbSize */
|
|
|
|
|
stream_write_uint32(s, 0); /* Flags */
|
|
|
|
|
stream_write_uint32(s, PRECONNECTION_PDU_V2); /* Version */
|
|
|
|
|
stream_write_uint32(s, nego->preconnection_id); /* Id */
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_write_UINT16(s, cchPCB); /* cchPCB */
|
2012-07-29 03:30:21 +04:00
|
|
|
|
|
|
|
|
if (wszPCB)
|
2012-07-25 20:46:43 +04:00
|
|
|
{
|
2012-09-24 03:49:13 +04:00
|
|
|
stream_write(s, wszPCB, cchPCB * 2); /* wszPCB */
|
2012-10-09 07:21:26 +04:00
|
|
|
free(wszPCB);
|
2012-07-25 20:46:43 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (transport_write(nego->transport, s) < 0)
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2012-07-25 20:46:43 +04:00
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
return TRUE;
|
2012-07-25 20:46:43 +04:00
|
|
|
}
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
/**
|
|
|
|
|
* Attempt negotiating NLA + TLS security.
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_attempt_nla(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
|
|
|
|
nego->requested_protocols = PROTOCOL_NLA | PROTOCOL_TLS;
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Attempting NLA security");
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
if (!nego_transport_connect(nego))
|
2011-08-13 08:40:14 +04:00
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (!nego_send_negotiation_request(nego))
|
|
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-07-03 20:42:35 +04:00
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (!nego_recv_response(nego))
|
|
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2012-03-29 22:06:17 +04:00
|
|
|
DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
|
2011-07-01 02:48:48 +04:00
|
|
|
if (nego->state != NEGO_STATE_FINAL)
|
|
|
|
|
{
|
2012-07-25 14:29:49 +04:00
|
|
|
nego_transport_disconnect(nego);
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
|
|
|
|
|
nego->state = NEGO_STATE_TLS;
|
|
|
|
|
else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
|
|
|
|
|
nego->state = NEGO_STATE_RDP;
|
|
|
|
|
else
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Attempt negotiating TLS security.
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_attempt_tls(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
|
|
|
|
nego->requested_protocols = PROTOCOL_TLS;
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Attempting TLS security");
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
if (!nego_transport_connect(nego))
|
2011-08-13 08:40:14 +04:00
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (!nego_send_negotiation_request(nego))
|
|
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-07-03 20:42:35 +04:00
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (!nego_recv_response(nego))
|
|
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
if (nego->state != NEGO_STATE_FINAL)
|
|
|
|
|
{
|
2012-07-25 14:29:49 +04:00
|
|
|
nego_transport_disconnect(nego);
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
|
|
|
|
|
nego->state = NEGO_STATE_RDP;
|
|
|
|
|
else
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Attempt negotiating standard RDP security.
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_attempt_rdp(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
|
|
|
|
nego->requested_protocols = PROTOCOL_RDP;
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Attempting RDP security");
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
if (!nego_transport_connect(nego))
|
2011-08-13 08:40:14 +04:00
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (!nego_send_negotiation_request(nego))
|
|
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (!nego_recv_response(nego))
|
|
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-07-07 21:37:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Wait to receive a negotiation response
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_recv_response(rdpNego* nego)
|
2011-07-07 21:37:48 +04:00
|
|
|
{
|
2011-07-10 23:34:43 +04:00
|
|
|
STREAM* s = transport_recv_stream_init(nego->transport, 1024);
|
2012-02-12 21:46:53 +04:00
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (transport_read(nego->transport, s) < 0)
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2012-02-12 21:46:53 +04:00
|
|
|
|
2012-06-02 23:35:34 +04:00
|
|
|
return nego_recv(nego->transport, s, nego);
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2011-07-05 05:35:32 +04:00
|
|
|
* Receive protocol security negotiation message.\n
|
|
|
|
|
* @msdn{cc240501}
|
|
|
|
|
* @param transport transport
|
|
|
|
|
* @param s stream
|
|
|
|
|
* @param extra nego pointer
|
2011-07-01 02:48:48 +04:00
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_recv(rdpTransport* transport, STREAM* s, void* extra)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE li;
|
|
|
|
|
BYTE type;
|
2011-07-07 21:37:48 +04:00
|
|
|
rdpNego* nego = (rdpNego*) extra;
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (tpkt_read_header(s) == 0)
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2011-09-25 22:54:07 +04:00
|
|
|
|
2011-07-03 21:49:06 +04:00
|
|
|
li = tpdu_read_connection_confirm(s);
|
|
|
|
|
|
|
|
|
|
if (li > 6)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2011-07-03 21:49:06 +04:00
|
|
|
/* rdpNegData (optional) */
|
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_read_BYTE(s, type); /* Type */
|
2011-07-03 21:49:06 +04:00
|
|
|
|
|
|
|
|
switch (type)
|
|
|
|
|
{
|
|
|
|
|
case TYPE_RDP_NEG_RSP:
|
|
|
|
|
nego_process_negotiation_response(nego, s);
|
2012-03-29 22:06:17 +04:00
|
|
|
|
|
|
|
|
DEBUG_NEGO("selected_protocol: %d", nego->selected_protocol);
|
2012-03-31 18:09:19 +04:00
|
|
|
|
|
|
|
|
/* enhanced security selected ? */
|
2012-06-20 04:10:49 +04:00
|
|
|
|
|
|
|
|
if (nego->selected_protocol)
|
|
|
|
|
{
|
|
|
|
|
if ((nego->selected_protocol == PROTOCOL_NLA) &&
|
|
|
|
|
(!nego->enabled_protocols[PROTOCOL_NLA]))
|
|
|
|
|
{
|
2012-03-31 18:09:19 +04:00
|
|
|
nego->state = NEGO_STATE_FAIL;
|
2012-06-20 04:10:49 +04:00
|
|
|
}
|
|
|
|
|
if ((nego->selected_protocol == PROTOCOL_TLS) &&
|
|
|
|
|
(!nego->enabled_protocols[PROTOCOL_TLS]))
|
|
|
|
|
{
|
2012-03-31 18:09:19 +04:00
|
|
|
nego->state = NEGO_STATE_FAIL;
|
2012-06-20 04:10:49 +04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else if (!nego->enabled_protocols[PROTOCOL_RDP])
|
|
|
|
|
{
|
2012-03-29 22:06:17 +04:00
|
|
|
nego->state = NEGO_STATE_FAIL;
|
2012-06-20 04:10:49 +04:00
|
|
|
}
|
2011-07-03 21:49:06 +04:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case TYPE_RDP_NEG_FAILURE:
|
|
|
|
|
nego_process_negotiation_failure(nego, s);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
2011-07-07 21:37:48 +04:00
|
|
|
else
|
|
|
|
|
{
|
2012-03-31 18:09:19 +04:00
|
|
|
DEBUG_NEGO("no rdpNegData");
|
2012-06-20 04:10:49 +04:00
|
|
|
|
2012-03-31 18:09:19 +04:00
|
|
|
if (!nego->enabled_protocols[PROTOCOL_RDP])
|
2012-03-29 22:06:17 +04:00
|
|
|
nego->state = NEGO_STATE_FAIL;
|
|
|
|
|
else
|
|
|
|
|
nego->state = NEGO_STATE_FINAL;
|
2011-07-07 21:37:48 +04:00
|
|
|
}
|
2011-07-03 21:49:06 +04:00
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
return TRUE;
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
/**
|
2011-08-22 11:03:58 +04:00
|
|
|
* Read protocol security negotiation request message.\n
|
2011-08-18 19:15:28 +04:00
|
|
|
* @param nego
|
|
|
|
|
* @param s stream
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_read_request(rdpNego* nego, STREAM* s)
|
2011-08-18 19:15:28 +04:00
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE li;
|
|
|
|
|
BYTE c;
|
|
|
|
|
BYTE type;
|
2011-08-18 19:15:28 +04:00
|
|
|
|
|
|
|
|
tpkt_read_header(s);
|
|
|
|
|
li = tpdu_read_connection_request(s);
|
2012-02-12 21:46:53 +04:00
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
if (li != stream_get_left(s) + 6)
|
|
|
|
|
{
|
|
|
|
|
printf("Incorrect TPDU length indicator.\n");
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2011-08-18 19:15:28 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (stream_get_left(s) > 8)
|
|
|
|
|
{
|
|
|
|
|
/* Optional routingToken or cookie, ending with CR+LF */
|
|
|
|
|
while (stream_get_left(s) > 0)
|
|
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_read_BYTE(s, c);
|
2012-09-09 01:49:37 +04:00
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
if (c != '\x0D')
|
|
|
|
|
continue;
|
2012-09-09 01:49:37 +04:00
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_peek_BYTE(s, c);
|
2012-09-09 01:49:37 +04:00
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
if (c != '\x0A')
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_seek_BYTE(s);
|
2011-08-18 19:15:28 +04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (stream_get_left(s) >= 8)
|
|
|
|
|
{
|
|
|
|
|
/* rdpNegData (optional) */
|
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_read_BYTE(s, type); /* Type */
|
2012-06-20 04:10:49 +04:00
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
if (type != TYPE_RDP_NEG_REQ)
|
|
|
|
|
{
|
|
|
|
|
printf("Incorrect negotiation request type %d\n", type);
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2011-08-18 19:15:28 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nego_process_negotiation_request(nego, s);
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
return TRUE;
|
2011-08-18 19:15:28 +04:00
|
|
|
}
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
/**
|
|
|
|
|
* Send protocol security negotiation message.
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_send(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
|
|
|
|
if (nego->state == NEGO_STATE_NLA)
|
|
|
|
|
nego_attempt_nla(nego);
|
|
|
|
|
else if (nego->state == NEGO_STATE_TLS)
|
|
|
|
|
nego_attempt_tls(nego);
|
|
|
|
|
else if (nego->state == NEGO_STATE_RDP)
|
|
|
|
|
nego_attempt_rdp(nego);
|
2011-07-07 21:37:48 +04:00
|
|
|
else
|
|
|
|
|
DEBUG_NEGO("invalid negotiation state for sending");
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
2011-07-05 05:35:32 +04:00
|
|
|
/**
|
|
|
|
|
* Send RDP Negotiation Request (RDP_NEG_REQ).\n
|
|
|
|
|
* @msdn{cc240500}\n
|
|
|
|
|
* @msdn{cc240470}
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_send_negotiation_request(rdpNego* nego)
|
2011-07-03 20:42:35 +04:00
|
|
|
{
|
|
|
|
|
STREAM* s;
|
|
|
|
|
int length;
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE *bm, *em;
|
2011-07-03 20:42:35 +04:00
|
|
|
|
2011-08-25 09:45:43 +04:00
|
|
|
s = transport_send_stream_init(nego->transport, 256);
|
2011-07-12 02:46:36 +04:00
|
|
|
length = TPDU_CONNECTION_REQUEST_LENGTH;
|
2011-07-03 20:42:35 +04:00
|
|
|
stream_get_mark(s, bm);
|
|
|
|
|
stream_seek(s, length);
|
|
|
|
|
|
2012-09-24 12:40:32 +04:00
|
|
|
if (nego->RoutingToken != NULL)
|
2011-09-04 02:21:21 +04:00
|
|
|
{
|
2012-09-24 12:40:32 +04:00
|
|
|
stream_write(s, nego->RoutingToken, nego->RoutingTokenLength);
|
|
|
|
|
length += nego->RoutingTokenLength;
|
2011-09-04 02:21:21 +04:00
|
|
|
}
|
2011-09-10 10:23:32 +04:00
|
|
|
else if (nego->cookie != NULL)
|
2011-07-03 20:42:35 +04:00
|
|
|
{
|
|
|
|
|
int cookie_length = strlen(nego->cookie);
|
2011-07-06 02:26:12 +04:00
|
|
|
stream_write(s, "Cookie: mstshash=", 17);
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_write(s, (BYTE*) nego->cookie, cookie_length);
|
|
|
|
|
stream_write_BYTE(s, 0x0D); /* CR */
|
|
|
|
|
stream_write_BYTE(s, 0x0A); /* LF */
|
2011-07-03 20:42:35 +04:00
|
|
|
length += cookie_length + 19;
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-29 22:06:17 +04:00
|
|
|
DEBUG_NEGO("requested_protocols: %d", nego->requested_protocols);
|
2012-09-09 01:49:37 +04:00
|
|
|
|
2011-07-03 21:49:06 +04:00
|
|
|
if (nego->requested_protocols > PROTOCOL_RDP)
|
|
|
|
|
{
|
|
|
|
|
/* RDP_NEG_DATA must be present for TLS and NLA */
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_write_BYTE(s, TYPE_RDP_NEG_REQ);
|
|
|
|
|
stream_write_BYTE(s, 0); /* flags, must be set to zero */
|
|
|
|
|
stream_write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
|
2011-07-03 21:49:06 +04:00
|
|
|
stream_write_uint32(s, nego->requested_protocols); /* requestedProtocols */
|
|
|
|
|
length += 8;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
stream_get_mark(s, em);
|
2011-07-03 20:42:35 +04:00
|
|
|
stream_set_mark(s, bm);
|
|
|
|
|
tpkt_write_header(s, length);
|
|
|
|
|
tpdu_write_connection_request(s, length - 5);
|
|
|
|
|
stream_set_mark(s, em);
|
|
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (transport_write(nego->transport, s) < 0)
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2011-09-16 19:16:16 +04:00
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
return TRUE;
|
2011-07-03 20:42:35 +04:00
|
|
|
}
|
|
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
/**
|
|
|
|
|
* Process Negotiation Request from Connection Request message.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param s
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
void nego_process_negotiation_request(rdpNego* nego, STREAM* s)
|
|
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE flags;
|
|
|
|
|
UINT16 length;
|
2011-08-18 19:15:28 +04:00
|
|
|
|
|
|
|
|
DEBUG_NEGO("RDP_NEG_REQ");
|
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_read_BYTE(s, flags);
|
|
|
|
|
stream_read_UINT16(s, length);
|
2011-08-18 19:15:28 +04:00
|
|
|
stream_read_uint32(s, nego->requested_protocols);
|
|
|
|
|
|
2012-06-20 04:10:49 +04:00
|
|
|
DEBUG_NEGO("requested_protocols: %d", nego->requested_protocols);
|
|
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
nego->state = NEGO_STATE_FINAL;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
/**
|
|
|
|
|
* Process Negotiation Response from Connection Confirm message.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param s
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_process_negotiation_response(rdpNego* nego, STREAM* s)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
UINT16 length;
|
2011-07-01 02:48:48 +04:00
|
|
|
|
2011-07-03 21:49:06 +04:00
|
|
|
DEBUG_NEGO("RDP_NEG_RSP");
|
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_read_BYTE(s, nego->flags);
|
|
|
|
|
stream_read_UINT16(s, length);
|
2011-07-07 21:37:48 +04:00
|
|
|
stream_read_uint32(s, nego->selected_protocol);
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
nego->state = NEGO_STATE_FINAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Process Negotiation Failure from Connection Confirm message.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param s
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_process_negotiation_failure(rdpNego* nego, STREAM* s)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE flags;
|
|
|
|
|
UINT16 length;
|
2011-07-01 02:48:48 +04:00
|
|
|
uint32 failureCode;
|
|
|
|
|
|
2011-07-03 21:49:06 +04:00
|
|
|
DEBUG_NEGO("RDP_NEG_FAILURE");
|
|
|
|
|
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_read_BYTE(s, flags);
|
|
|
|
|
stream_read_UINT16(s, length);
|
2011-07-03 20:42:35 +04:00
|
|
|
stream_read_uint32(s, failureCode);
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
switch (failureCode)
|
|
|
|
|
{
|
|
|
|
|
case SSL_REQUIRED_BY_SERVER:
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Error: SSL_REQUIRED_BY_SERVER");
|
2011-07-01 02:48:48 +04:00
|
|
|
break;
|
|
|
|
|
case SSL_NOT_ALLOWED_BY_SERVER:
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Error: SSL_NOT_ALLOWED_BY_SERVER");
|
2011-07-01 02:48:48 +04:00
|
|
|
break;
|
|
|
|
|
case SSL_CERT_NOT_ON_SERVER:
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Error: SSL_CERT_NOT_ON_SERVER");
|
2011-07-01 02:48:48 +04:00
|
|
|
break;
|
|
|
|
|
case INCONSISTENT_FLAGS:
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Error: INCONSISTENT_FLAGS");
|
2011-07-01 02:48:48 +04:00
|
|
|
break;
|
|
|
|
|
case HYBRID_REQUIRED_BY_SERVER:
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Error: HYBRID_REQUIRED_BY_SERVER");
|
2011-07-01 02:48:48 +04:00
|
|
|
break;
|
|
|
|
|
default:
|
2011-07-03 20:42:35 +04:00
|
|
|
DEBUG_NEGO("Error: Unknown protocol security error %d", failureCode);
|
2011-07-01 02:48:48 +04:00
|
|
|
break;
|
|
|
|
|
}
|
2011-07-03 21:49:06 +04:00
|
|
|
|
|
|
|
|
nego->state = NEGO_STATE_FAIL;
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
2011-08-18 19:15:28 +04:00
|
|
|
/**
|
|
|
|
|
* Send RDP Negotiation Response (RDP_NEG_RSP).\n
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL nego_send_negotiation_response(rdpNego* nego)
|
2011-08-18 19:15:28 +04:00
|
|
|
{
|
|
|
|
|
STREAM* s;
|
2012-10-09 11:01:37 +04:00
|
|
|
BYTE* bm;
|
|
|
|
|
BYTE* em;
|
2011-08-18 19:15:28 +04:00
|
|
|
int length;
|
2012-10-09 10:38:39 +04:00
|
|
|
BOOL status;
|
2012-06-20 04:10:49 +04:00
|
|
|
rdpSettings* settings;
|
2012-01-25 20:08:10 +04:00
|
|
|
|
2012-10-09 10:31:28 +04:00
|
|
|
status = TRUE;
|
2012-01-25 20:08:10 +04:00
|
|
|
settings = nego->transport->settings;
|
2011-08-18 19:15:28 +04:00
|
|
|
|
2011-08-25 09:45:43 +04:00
|
|
|
s = transport_send_stream_init(nego->transport, 256);
|
2011-08-18 19:15:28 +04:00
|
|
|
length = TPDU_CONNECTION_CONFIRM_LENGTH;
|
|
|
|
|
stream_get_mark(s, bm);
|
|
|
|
|
stream_seek(s, length);
|
|
|
|
|
|
|
|
|
|
if (nego->selected_protocol > PROTOCOL_RDP)
|
|
|
|
|
{
|
|
|
|
|
/* RDP_NEG_DATA must be present for TLS and NLA */
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_write_BYTE(s, TYPE_RDP_NEG_RSP);
|
|
|
|
|
stream_write_BYTE(s, EXTENDED_CLIENT_DATA_SUPPORTED); /* flags */
|
|
|
|
|
stream_write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
|
2011-08-18 19:15:28 +04:00
|
|
|
stream_write_uint32(s, nego->selected_protocol); /* selectedProtocol */
|
|
|
|
|
length += 8;
|
|
|
|
|
}
|
2012-01-25 20:08:10 +04:00
|
|
|
else if (!settings->rdp_security)
|
|
|
|
|
{
|
2012-10-09 11:01:37 +04:00
|
|
|
stream_write_BYTE(s, TYPE_RDP_NEG_FAILURE);
|
|
|
|
|
stream_write_BYTE(s, 0); /* flags */
|
|
|
|
|
stream_write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
|
2012-01-25 20:08:10 +04:00
|
|
|
/*
|
|
|
|
|
* TODO: Check for other possibilities,
|
|
|
|
|
* like SSL_NOT_ALLOWED_BY_SERVER.
|
|
|
|
|
*/
|
|
|
|
|
printf("nego_send_negotiation_response: client supports only Standard RDP Security\n");
|
|
|
|
|
stream_write_uint32(s, SSL_REQUIRED_BY_SERVER);
|
|
|
|
|
length += 8;
|
2012-10-09 10:31:28 +04:00
|
|
|
status = FALSE;
|
2012-01-25 20:08:10 +04:00
|
|
|
}
|
2011-08-18 19:15:28 +04:00
|
|
|
|
|
|
|
|
stream_get_mark(s, em);
|
|
|
|
|
stream_set_mark(s, bm);
|
|
|
|
|
tpkt_write_header(s, length);
|
|
|
|
|
tpdu_write_connection_confirm(s, length - 5);
|
|
|
|
|
stream_set_mark(s, em);
|
|
|
|
|
|
2011-09-16 19:16:16 +04:00
|
|
|
if (transport_write(nego->transport, s) < 0)
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2011-08-19 13:39:37 +04:00
|
|
|
|
2012-06-20 04:10:49 +04:00
|
|
|
if (status)
|
2012-01-25 20:08:10 +04:00
|
|
|
{
|
|
|
|
|
/* update settings with negotiated protocol security */
|
|
|
|
|
settings->requested_protocols = nego->requested_protocols;
|
|
|
|
|
settings->selected_protocol = nego->selected_protocol;
|
2011-09-16 19:16:16 +04:00
|
|
|
|
2012-01-25 20:08:10 +04:00
|
|
|
if (settings->selected_protocol == PROTOCOL_RDP)
|
|
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
settings->tls_security = FALSE;
|
|
|
|
|
settings->nla_security = FALSE;
|
|
|
|
|
settings->rdp_security = TRUE;
|
2012-06-20 04:10:49 +04:00
|
|
|
|
2012-05-22 19:21:09 +04:00
|
|
|
if (!settings->local)
|
|
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
settings->encryption = TRUE;
|
2012-05-22 19:21:09 +04:00
|
|
|
settings->encryption_method = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
|
|
|
|
|
settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
|
|
|
|
|
}
|
2012-06-20 04:10:49 +04:00
|
|
|
|
2012-05-30 07:24:39 +04:00
|
|
|
if (settings->encryption && settings->server_key == NULL && settings->rdp_key_file == NULL)
|
2012-10-09 10:31:28 +04:00
|
|
|
return FALSE;
|
2012-01-25 20:08:10 +04:00
|
|
|
}
|
|
|
|
|
else if (settings->selected_protocol == PROTOCOL_TLS)
|
|
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
settings->tls_security = TRUE;
|
|
|
|
|
settings->nla_security = FALSE;
|
|
|
|
|
settings->rdp_security = FALSE;
|
|
|
|
|
settings->encryption = FALSE;
|
2012-01-25 20:08:10 +04:00
|
|
|
settings->encryption_method = ENCRYPTION_METHOD_NONE;
|
|
|
|
|
settings->encryption_level = ENCRYPTION_LEVEL_NONE;
|
|
|
|
|
}
|
|
|
|
|
else if (settings->selected_protocol == PROTOCOL_NLA)
|
|
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
settings->tls_security = TRUE;
|
|
|
|
|
settings->nla_security = TRUE;
|
|
|
|
|
settings->rdp_security = FALSE;
|
|
|
|
|
settings->encryption = FALSE;
|
2012-01-25 20:08:10 +04:00
|
|
|
settings->encryption_method = ENCRYPTION_METHOD_NONE;
|
|
|
|
|
settings->encryption_level = ENCRYPTION_LEVEL_NONE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-20 04:10:49 +04:00
|
|
|
return status;
|
2011-08-18 19:15:28 +04:00
|
|
|
}
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
/**
|
|
|
|
|
* Initialize NEGO state machine.
|
|
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_init(rdpNego* nego)
|
2011-07-03 20:42:35 +04:00
|
|
|
{
|
|
|
|
|
nego->state = NEGO_STATE_INITIAL;
|
|
|
|
|
nego->requested_protocols = PROTOCOL_RDP;
|
2011-07-03 21:49:06 +04:00
|
|
|
nego->transport->recv_callback = nego_recv;
|
|
|
|
|
nego->transport->recv_extra = (void*) nego;
|
2011-12-18 21:10:56 +04:00
|
|
|
nego->flags = 0;
|
2011-07-03 20:42:35 +04:00
|
|
|
}
|
|
|
|
|
|
2011-07-01 02:48:48 +04:00
|
|
|
/**
|
|
|
|
|
* Create a new NEGO state machine instance.
|
2011-07-03 20:42:35 +04:00
|
|
|
* @param transport
|
2011-07-01 02:48:48 +04:00
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
rdpNego* nego_new(struct rdp_transport * transport)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2011-07-07 21:37:48 +04:00
|
|
|
rdpNego* nego = (rdpNego*) xzalloc(sizeof(rdpNego));
|
2011-07-01 02:48:48 +04:00
|
|
|
|
|
|
|
|
if (nego != NULL)
|
|
|
|
|
{
|
2011-07-03 20:42:35 +04:00
|
|
|
nego->transport = transport;
|
2011-07-01 02:48:48 +04:00
|
|
|
nego_init(nego);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nego;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2011-07-03 20:42:35 +04:00
|
|
|
* Free NEGO state machine.
|
2011-07-01 02:48:48 +04:00
|
|
|
* @param nego
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_free(rdpNego* nego)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2012-10-09 07:21:26 +04:00
|
|
|
free(nego);
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2011-07-03 20:42:35 +04:00
|
|
|
* Set target hostname and port.
|
2011-07-01 02:48:48 +04:00
|
|
|
* @param nego
|
2011-07-03 20:42:35 +04:00
|
|
|
* @param hostname
|
|
|
|
|
* @param port
|
2011-07-01 02:48:48 +04:00
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_set_target(rdpNego* nego, char* hostname, int port)
|
2011-07-01 02:48:48 +04:00
|
|
|
{
|
2011-07-03 20:42:35 +04:00
|
|
|
nego->hostname = hostname;
|
|
|
|
|
nego->port = port;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-25 14:29:49 +04:00
|
|
|
/**
|
|
|
|
|
* Enable security layer negotiation.
|
|
|
|
|
* @param nego pointer to the negotiation structure
|
2012-10-09 10:31:28 +04:00
|
|
|
* @param enable_rdp whether to enable security layer negotiation (TRUE for enabled, FALSE for disabled)
|
2012-07-25 14:29:49 +04:00
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
void nego_set_negotiation_enabled(rdpNego* nego, BOOL security_layer_negotiation_enabled)
|
2012-07-25 14:29:49 +04:00
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
DEBUG_NEGO("Enabling security layer negotiation: %s", security_layer_negotiation_enabled ? "TRUE" : "FALSE");
|
2012-07-25 14:29:49 +04:00
|
|
|
nego->security_layer_negotiation_enabled = security_layer_negotiation_enabled;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-03 20:42:35 +04:00
|
|
|
/**
|
2011-07-31 07:51:26 +04:00
|
|
|
* Enable RDP security protocol.
|
|
|
|
|
* @param nego pointer to the negotiation structure
|
2012-10-09 10:31:28 +04:00
|
|
|
* @param enable_rdp whether to enable normal RDP protocol (TRUE for enabled, FALSE for disabled)
|
2011-07-31 07:51:26 +04:00
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
void nego_enable_rdp(rdpNego* nego, BOOL enable_rdp)
|
2011-07-31 07:51:26 +04:00
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
DEBUG_NEGO("Enabling RDP security: %s", enable_rdp ? "TRUE" : "FALSE");
|
2011-07-31 07:51:26 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_RDP] = enable_rdp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Enable TLS security protocol.
|
|
|
|
|
* @param nego pointer to the negotiation structure
|
2012-10-09 10:31:28 +04:00
|
|
|
* @param enable_tls whether to enable TLS + RDP protocol (TRUE for enabled, FALSE for disabled)
|
2011-07-31 07:51:26 +04:00
|
|
|
*/
|
2012-10-09 10:38:39 +04:00
|
|
|
void nego_enable_tls(rdpNego* nego, BOOL enable_tls)
|
2011-07-31 07:51:26 +04:00
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
DEBUG_NEGO("Enabling TLS security: %s", enable_tls ? "TRUE" : "FALSE");
|
2011-07-31 07:51:26 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_TLS] = enable_tls;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Enable NLA security protocol.
|
|
|
|
|
* @param nego pointer to the negotiation structure
|
2012-10-09 10:31:28 +04:00
|
|
|
* @param enable_nla whether to enable network level authentication protocol (TRUE for enabled, FALSE for disabled)
|
2011-07-03 20:42:35 +04:00
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
void nego_enable_nla(rdpNego* nego, BOOL enable_nla)
|
2011-07-03 20:42:35 +04:00
|
|
|
{
|
2012-10-09 10:31:28 +04:00
|
|
|
DEBUG_NEGO("Enabling NLA security: %s", enable_nla ? "TRUE" : "FALSE");
|
2011-07-31 07:51:26 +04:00
|
|
|
nego->enabled_protocols[PROTOCOL_NLA] = enable_nla;
|
2011-07-03 20:42:35 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Set routing token.
|
|
|
|
|
* @param nego
|
2012-09-24 12:40:32 +04:00
|
|
|
* @param RoutingToken
|
|
|
|
|
* @param RoutingTokenLength
|
2011-07-03 20:42:35 +04:00
|
|
|
*/
|
|
|
|
|
|
2012-09-24 12:40:32 +04:00
|
|
|
void nego_set_routing_token(rdpNego* nego, BYTE* RoutingToken, DWORD RoutingTokenLength)
|
2011-07-03 20:42:35 +04:00
|
|
|
{
|
2012-09-24 12:40:32 +04:00
|
|
|
nego->RoutingToken = RoutingToken;
|
|
|
|
|
nego->RoutingTokenLength = RoutingTokenLength;
|
2011-07-03 20:42:35 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Set cookie.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param cookie
|
|
|
|
|
*/
|
|
|
|
|
|
2011-07-07 21:37:48 +04:00
|
|
|
void nego_set_cookie(rdpNego* nego, char* cookie)
|
2011-07-03 20:42:35 +04:00
|
|
|
{
|
|
|
|
|
nego->cookie = cookie;
|
2011-07-01 02:48:48 +04:00
|
|
|
}
|
2012-07-25 20:46:43 +04:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Enable / disable preconnection PDU.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param send_pcpdu
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-09 10:38:39 +04:00
|
|
|
void nego_set_send_preconnection_pdu(rdpNego* nego, BOOL send_pcpdu)
|
2012-07-25 20:46:43 +04:00
|
|
|
{
|
|
|
|
|
nego->send_preconnection_pdu = send_pcpdu;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Set preconnection id.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param id
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
void nego_set_preconnection_id(rdpNego* nego, uint32 id)
|
|
|
|
|
{
|
|
|
|
|
nego->preconnection_id = id;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Set preconnection blob.
|
|
|
|
|
* @param nego
|
|
|
|
|
* @param blob
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
void nego_set_preconnection_blob(rdpNego* nego, char* blob)
|
|
|
|
|
{
|
|
|
|
|
nego->preconnection_blob = blob;
|
|
|
|
|
}
|
