FreeRDP/libfreerdp/core/peer.c

879 lines
22 KiB
C
Raw Normal View History

2011-08-18 12:06:32 +04:00
/**
2012-10-09 07:02:04 +04:00
* FreeRDP: A Remote Desktop Protocol Implementation
2011-08-18 12:06:32 +04:00
* RDP Server Peer
*
* Copyright 2011 Vic Lee
* Copyright 2014 DI (FH) Martin Haimberger <martin.haimberger@thincast.com>
2011-08-18 12:06:32 +04:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <winpr/crt.h>
2014-11-12 22:06:34 +03:00
#include <winpr/winsock.h>
#include "info.h"
#include "certificate.h"
#include <freerdp/log.h>
#include "rdp.h"
2011-08-18 12:06:32 +04:00
#include "peer.h"
#define TAG FREERDP_TAG("core.peer")
2016-10-13 23:02:25 +03:00
static HANDLE freerdp_peer_virtual_channel_open(freerdp_peer* client, const char* name,
UINT32 flags)
{
int length;
UINT32 index;
BOOL joined = FALSE;
rdpMcsChannel* mcsChannel = NULL;
rdpPeerChannel* peerChannel = NULL;
rdpMcs* mcs = client->context->rdp->mcs;
if (flags & WTS_CHANNEL_OPTION_DYNAMIC)
return NULL; /* not yet supported */
length = strnlen(name, 9);
if (length > 8)
return NULL; /* SVC maximum name length is 8 */
for (index = 0; index < mcs->channelCount; index++)
{
mcsChannel = &(mcs->channels[index]);
if (!mcsChannel->joined)
continue;
if (_strnicmp(name, mcsChannel->Name, length) == 0)
{
joined = TRUE;
break;
}
}
if (!joined)
return NULL; /* channel is not joined */
peerChannel = (rdpPeerChannel*) mcsChannel->handle;
if (peerChannel)
{
/* channel is already open */
return (HANDLE) peerChannel;
}
peerChannel = (rdpPeerChannel*) calloc(1, sizeof(rdpPeerChannel));
if (peerChannel)
{
peerChannel->index = index;
peerChannel->client = client;
peerChannel->channelFlags = flags;
peerChannel->channelId = mcsChannel->ChannelId;
peerChannel->mcsChannel = mcsChannel;
mcsChannel->handle = (void*) peerChannel;
}
return (HANDLE) peerChannel;
}
static BOOL freerdp_peer_virtual_channel_close(freerdp_peer* client, HANDLE hChannel)
{
rdpMcsChannel* mcsChannel = NULL;
rdpPeerChannel* peerChannel = NULL;
if (!hChannel)
return FALSE;
peerChannel = (rdpPeerChannel*) hChannel;
mcsChannel = peerChannel->mcsChannel;
mcsChannel->handle = NULL;
free(peerChannel);
return TRUE;
}
2016-10-13 23:02:25 +03:00
int freerdp_peer_virtual_channel_read(freerdp_peer* client, HANDLE hChannel, BYTE* buffer,
UINT32 length)
{
return 0; /* this needs to be implemented by the server application */
}
2016-10-13 23:02:25 +03:00
static int freerdp_peer_virtual_channel_write(freerdp_peer* client, HANDLE hChannel, BYTE* buffer,
UINT32 length)
{
wStream* s;
UINT32 flags;
UINT32 chunkSize;
UINT32 maxChunkSize;
UINT32 totalLength;
rdpPeerChannel* peerChannel;
rdpMcsChannel* mcsChannel;
rdpRdp* rdp = client->context->rdp;
if (!hChannel)
return -1;
peerChannel = (rdpPeerChannel*) hChannel;
mcsChannel = peerChannel->mcsChannel;
if (peerChannel->channelFlags & WTS_CHANNEL_OPTION_DYNAMIC)
return -1; /* not yet supported */
maxChunkSize = rdp->settings->VirtualChannelChunkSize;
totalLength = length;
flags = CHANNEL_FLAG_FIRST;
while (length > 0)
{
s = rdp_send_stream_init(rdp);
2016-10-13 23:02:25 +03:00
if (!s)
return -1;
if (length > maxChunkSize)
{
chunkSize = rdp->settings->VirtualChannelChunkSize;
}
else
{
chunkSize = length;
flags |= CHANNEL_FLAG_LAST;
}
if (mcsChannel->options & CHANNEL_OPTION_SHOW_PROTOCOL)
flags |= CHANNEL_FLAG_SHOW_PROTOCOL;
Stream_Write_UINT32(s, totalLength);
Stream_Write_UINT32(s, flags);
2016-10-13 23:02:25 +03:00
if (!Stream_EnsureRemainingCapacity(s, chunkSize))
{
Stream_Release(s);
return -1;
}
2016-10-13 23:02:25 +03:00
Stream_Write(s, buffer, chunkSize);
if (!rdp_send(rdp, s, peerChannel->channelId))
return -1;
buffer += chunkSize;
length -= chunkSize;
flags = 0;
}
return 1;
}
void* freerdp_peer_virtual_channel_get_data(freerdp_peer* client, HANDLE hChannel)
{
rdpPeerChannel* peerChannel = (rdpPeerChannel*) hChannel;
if (!hChannel)
return NULL;
return peerChannel->extra;
}
int freerdp_peer_virtual_channel_set_data(freerdp_peer* client, HANDLE hChannel, void* data)
{
rdpPeerChannel* peerChannel = (rdpPeerChannel*) hChannel;
if (!hChannel)
return -1;
peerChannel->extra = data;
return 1;
}
static BOOL freerdp_peer_initialize(freerdp_peer* client)
2011-08-18 12:06:32 +04:00
{
rdpRdp* rdp = client->context->rdp;
rdpSettings* settings = rdp->settings;
settings->ServerMode = TRUE;
settings->FrameAcknowledge = 0;
settings->LocalConnection = client->local;
rdp->state = CONNECTION_STATE_INITIAL;
if (settings->RdpKeyFile)
2012-03-18 21:13:34 +04:00
{
settings->RdpServerRsaKey = key_new(settings->RdpKeyFile);
2016-10-13 23:02:25 +03:00
if (!settings->RdpServerRsaKey)
{
2015-05-27 16:13:43 +03:00
WLog_ERR(TAG, "invalid RDP key file %s", settings->RdpKeyFile);
return FALSE;
}
}
else if (settings->RdpKeyContent)
{
settings->RdpServerRsaKey = key_new_from_content(settings->RdpKeyContent, NULL);
2016-10-13 23:02:25 +03:00
if (!settings->RdpServerRsaKey)
{
WLog_ERR(TAG, "invalid RDP key content");
return FALSE;
}
}
return TRUE;
2011-08-18 12:06:32 +04:00
}
static BOOL freerdp_peer_get_fds(freerdp_peer* client, void** rfds, int* rcount)
2011-08-18 12:06:32 +04:00
{
rdpTransport* transport = client->context->rdp->transport;
transport_get_fds(transport, rfds, rcount);
return TRUE;
2011-08-18 12:06:32 +04:00
}
static HANDLE freerdp_peer_get_event_handle(freerdp_peer* client)
{
HANDLE hEvent = NULL;
rdpTransport* transport = client->context->rdp->transport;
BIO_get_event(transport->frontBio, &hEvent);
return hEvent;
}
static DWORD freerdp_peer_get_event_handles(freerdp_peer* client, HANDLE* events, DWORD count)
{
2016-10-29 08:18:17 +03:00
return transport_get_event_handles(client->context->rdp->transport, events, count);
}
static BOOL freerdp_peer_check_fds(freerdp_peer* peer)
2011-08-18 12:06:32 +04:00
{
int status;
2012-03-18 21:13:34 +04:00
rdpRdp* rdp;
rdp = peer->context->rdp;
status = rdp_check_fds(rdp);
2012-03-18 21:13:34 +04:00
if (status < 0)
return FALSE;
return TRUE;
2011-08-18 12:06:32 +04:00
}
static BOOL peer_recv_data_pdu(freerdp_peer* client, wStream* s)
2011-08-21 18:52:37 +04:00
{
BYTE type;
UINT16 length;
2012-10-09 11:26:39 +04:00
UINT32 share_id;
BYTE compressed_type;
UINT16 compressed_len;
2011-08-21 18:52:37 +04:00
if (!rdp_read_share_data_header(s, &length, &type, &share_id, &compressed_type, &compressed_len))
return FALSE;
2011-08-21 18:52:37 +04:00
#ifdef WITH_DEBUG_RDP
WLog_DBG(TAG, "recv %s Data PDU (0x%02"PRIX8"), length: %"PRIu16"",
2016-10-13 23:02:25 +03:00
type < ARRAYSIZE(DATA_PDU_TYPE_STRINGS) ? DATA_PDU_TYPE_STRINGS[type] : "???", type, length);
#endif
2011-08-21 18:52:37 +04:00
switch (type)
{
case DATA_PDU_TYPE_SYNCHRONIZE:
if (!rdp_recv_client_synchronize_pdu(client->context->rdp, s))
return FALSE;
2016-10-13 23:02:25 +03:00
2011-08-21 18:52:37 +04:00
break;
case DATA_PDU_TYPE_CONTROL:
if (!rdp_server_accept_client_control_pdu(client->context->rdp, s))
return FALSE;
2016-10-13 23:02:25 +03:00
break;
case DATA_PDU_TYPE_INPUT:
if (!input_recv(client->context->rdp->input, s))
return FALSE;
2016-10-13 23:02:25 +03:00
break;
case DATA_PDU_TYPE_BITMAP_CACHE_PERSISTENT_LIST:
/* TODO: notify server bitmap cache data */
break;
case DATA_PDU_TYPE_FONT_LIST:
if (!rdp_server_accept_client_font_list_pdu(client->context->rdp, s))
return FALSE;
2012-03-18 21:13:34 +04:00
2011-08-21 18:52:37 +04:00
break;
case DATA_PDU_TYPE_SHUTDOWN_REQUEST:
mcs_send_disconnect_provider_ultimatum(client->context->rdp->mcs);
return FALSE;
case DATA_PDU_TYPE_FRAME_ACKNOWLEDGE:
if (Stream_GetRemainingLength(s) < 4)
return FALSE;
2016-10-13 23:02:25 +03:00
2013-05-09 00:09:16 +04:00
Stream_Read_UINT32(s, client->ack_frame_id);
2013-06-02 00:57:34 +04:00
IFCALL(client->update->SurfaceFrameAcknowledge, client->update->context, client->ack_frame_id);
break;
case DATA_PDU_TYPE_REFRESH_RECT:
if (!update_read_refresh_rect(client->update, s))
return FALSE;
2016-10-13 23:02:25 +03:00
break;
case DATA_PDU_TYPE_SUPPRESS_OUTPUT:
if (!update_read_suppress_output(client->update, s))
return FALSE;
2016-10-13 23:02:25 +03:00
break;
2011-08-21 18:52:37 +04:00
default:
WLog_ERR(TAG, "Data PDU type %"PRIu8"", type);
2011-08-21 18:52:37 +04:00
break;
}
return TRUE;
2011-08-21 18:52:37 +04:00
}
static int peer_recv_tpkt_pdu(freerdp_peer* client, wStream* s)
2011-08-21 18:52:37 +04:00
{
2012-03-18 21:13:34 +04:00
rdpRdp* rdp;
UINT16 length;
UINT16 pduType;
UINT16 pduLength;
UINT16 pduSource;
UINT16 channelId;
UINT16 securityFlags = 0;
2012-01-25 19:30:54 +04:00
rdp = client->context->rdp;
if (!rdp_read_header(rdp, s, &length, &channelId))
2011-08-21 18:52:37 +04:00
{
WLog_ERR(TAG, "Incorrect RDP header.");
return -1;
2011-08-21 18:52:37 +04:00
}
if (freerdp_shall_disconnect(rdp->instance))
return 0;
2016-10-13 23:02:25 +03:00
Standard RDP Security Layer Levels/Method Overhaul [MS-RDPBCGR] Section 5.3 describes the encryption level and method values for standard RDP security. Looking at the current usage of these values in the FreeRDP code gives me reason to believe that there is a certain lack of understanding of how these values should be handled. The encryption level is only configured on the server side in the "Encryption Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp properties dialog and this value is never transferred from the client to the server over the wire. The possible options are "None", "Low", "Client Compatible", "High" and "FIPS Compliant". The client receices this value in the Server Security Data block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to give the client the possibility to verify if the server's decision for the encryption method confirms to the server's encryption level. The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and "FIPS" and the RDP client advertises the ones it supports to the server in the Client Security Data block (TS_UD_CS_SEC). The server's configured encryption level value restricts the possible final encryption method. Something that I was not able to find in the documentation is the priority level of the individual encryption methods based on which the server makes its final method decision if there are several options. My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS. The server only chooses FIPS if the level is "FIPS Comliant" or if it is the only method advertised by the client. Bottom line: * FreeRDP's client side does not need to set settings->EncryptionLevel (which was done quite frequently). * FreeRDP's server side does not have to set the supported encryption methods list in settings->EncryptionMethods Changes in this commit: Removed unnecessary/confusing changes of EncryptionLevel/Methods settings Refactor settings->DisableEncryption * This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used" * The old name caused lots of confusion among developers * Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched) Any client's setting of settings->EncryptionMethods were annihilated * All clients "want" to set all supported methods * Some clients forgot 56bit because 56bit was not supported at the time the code was written * settings->EncryptionMethods was overwritten anyways in nego_connect() * Removed all client side settings of settings->EncryptionMethods The default is "None" (0) * Changed nego_connect() to advertise all supported methods if settings->EncryptionMethods is 0 (None) * Added a commandline option /encryption-methods:comma separated list of the values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128 * Print warning if server chooses non-advertised method Verify received level and method in client's gcc_read_server_security_data * Only accept valid/known encryption methods * Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2 Server implementations can now set settings->EncryptionLevel * The default for settings->EncryptionLevel is 0 (None) * nego_send_negotiation_response() changes it to ClientCompatible in that case * default to ClientCompatible if the server implementation set an invalid level Fix server's gcc_write_server_security_data * Verify server encryption level value set by server implementations * Choose rdp encryption method based on level and supported client methods * Moved FIPS to the lowest priority (only used if other methods are possible) Updated sample server * Support RDP Security (RdpKeyFile was not set) * Added commented sample code for setting the security level
2014-12-12 04:17:12 +03:00
if (rdp->settings->UseRdpSecurityLayer)
2012-01-25 19:30:54 +04:00
{
if (!rdp_read_security_header(s, &securityFlags, &length))
return -1;
2012-03-18 21:13:34 +04:00
2012-01-25 19:30:54 +04:00
if (securityFlags & SEC_ENCRYPT)
{
if (!rdp_decrypt(rdp, s, length, securityFlags))
2012-01-25 19:30:54 +04:00
{
WLog_ERR(TAG, "rdp_decrypt failed");
return -1;
2012-01-25 19:30:54 +04:00
}
}
}
if (channelId == MCS_GLOBAL_CHANNEL_ID)
2011-08-21 18:52:37 +04:00
{
if (!rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource))
return -1;
2011-08-21 18:52:37 +04:00
client->settings->PduSource = pduSource;
2011-08-21 18:52:37 +04:00
switch (pduType)
{
case PDU_TYPE_DATA:
if (!peer_recv_data_pdu(client, s))
return -1;
2016-10-13 23:02:25 +03:00
2011-08-21 18:52:37 +04:00
break;
case PDU_TYPE_CONFIRM_ACTIVE:
if (!rdp_server_accept_confirm_active(rdp, s))
return -1;
2016-10-13 23:02:25 +03:00
break;
case PDU_TYPE_FLOW_RESPONSE:
case PDU_TYPE_FLOW_STOP:
case PDU_TYPE_FLOW_TEST:
break;
2011-08-21 18:52:37 +04:00
default:
WLog_ERR(TAG, "Client sent pduType %"PRIu16"", pduType);
return -1;
2011-08-21 18:52:37 +04:00
}
}
else if (rdp->mcs->messageChannelId && channelId == rdp->mcs->messageChannelId)
{
if (!rdp->settings->UseRdpSecurityLayer)
if (!rdp_read_security_header(s, &securityFlags, NULL))
return -1;
return rdp_recv_message_channel_pdu(rdp, s, securityFlags);
}
else
{
if (!freerdp_channel_peer_process(client, s, channelId))
return -1;
}
2011-08-21 18:52:37 +04:00
return 0;
2011-08-21 18:52:37 +04:00
}
static int peer_recv_fastpath_pdu(freerdp_peer* client, wStream* s)
2011-08-21 18:52:37 +04:00
{
2011-09-27 09:30:58 +04:00
rdpRdp* rdp;
UINT16 length;
2011-09-27 09:30:58 +04:00
rdpFastPath* fastpath;
rdp = client->context->rdp;
2011-09-27 09:30:58 +04:00
fastpath = rdp->fastpath;
fastpath_read_header_rdp(fastpath, s, &length);
2011-08-23 11:51:51 +04:00
if ((length == 0) || (length > Stream_GetRemainingLength(s)))
2011-08-23 11:51:51 +04:00
{
WLog_ERR(TAG, "incorrect FastPath PDU header length %"PRIu16"", length);
return -1;
2011-08-23 11:51:51 +04:00
}
2011-09-27 09:30:58 +04:00
if (fastpath->encryptionFlags & FASTPATH_OUTPUT_ENCRYPTED)
2011-09-15 01:14:50 +04:00
{
2016-10-13 23:02:25 +03:00
if (!rdp_decrypt(rdp, s, length,
(fastpath->encryptionFlags & FASTPATH_OUTPUT_SECURE_CHECKSUM) ? SEC_SECURE_CHECKSUM : 0))
return -1;
2011-09-15 01:14:50 +04:00
}
2011-09-27 09:30:58 +04:00
return fastpath_recv_inputs(fastpath, s);
2011-08-21 18:52:37 +04:00
}
static int peer_recv_pdu(freerdp_peer* client, wStream* s)
2011-08-21 18:52:37 +04:00
{
if (tpkt_verify_header(s))
return peer_recv_tpkt_pdu(client, s);
2011-08-21 18:52:37 +04:00
else
return peer_recv_fastpath_pdu(client, s);
2011-08-21 18:52:37 +04:00
}
static int peer_recv_callback(rdpTransport* transport, wStream* s, void* extra)
{
2018-11-20 18:38:06 +03:00
UINT32 SelectedProtocol;
freerdp_peer* client = (freerdp_peer*) extra;
rdpRdp* rdp = client->context->rdp;
switch (rdp->state)
{
case CONNECTION_STATE_INITIAL:
if (!rdp_server_accept_nego(rdp, s))
2015-05-02 06:26:08 +03:00
{
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_INITIAL - rdp_server_accept_nego() fail");
return -1;
}
2018-11-20 18:38:06 +03:00
SelectedProtocol = nego_get_selected_protocol(rdp->nego);
client->settings->NlaSecurity = (SelectedProtocol & PROTOCOL_HYBRID) ? TRUE : FALSE;
client->settings->TlsSecurity = (SelectedProtocol & PROTOCOL_SSL) ? TRUE : FALSE;
2018-11-20 18:38:06 +03:00
client->settings->RdpSecurity = (SelectedProtocol == PROTOCOL_RDP) ? TRUE : FALSE;
if (SelectedProtocol & PROTOCOL_HYBRID)
{
2018-11-20 18:38:06 +03:00
SEC_WINNT_AUTH_IDENTITY* identity = nego_get_identity(rdp->nego);
sspi_CopyAuthIdentity(&client->identity, identity);
IFCALLRET(client->Logon, client->authenticated, client, &client->identity, TRUE);
2018-11-20 18:38:06 +03:00
nego_free_nla(rdp->nego);
}
else
{
IFCALLRET(client->Logon, client->authenticated, client, &client->identity, FALSE);
}
break;
case CONNECTION_STATE_NEGO:
if (!rdp_server_accept_mcs_connect_initial(rdp, s))
2015-05-02 06:26:08 +03:00
{
2018-11-20 18:38:06 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_NEGO - rdp_server_accept_mcs_connect_initial() fail");
return -1;
}
2016-10-13 23:02:25 +03:00
break;
case CONNECTION_STATE_MCS_CONNECT:
if (!rdp_server_accept_mcs_erect_domain_request(rdp, s))
2015-05-02 06:26:08 +03:00
{
2016-10-13 23:02:25 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_MCS_CONNECT - rdp_server_accept_mcs_erect_domain_request() fail");
return -1;
}
2016-10-13 23:02:25 +03:00
break;
case CONNECTION_STATE_MCS_ERECT_DOMAIN:
if (!rdp_server_accept_mcs_attach_user_request(rdp, s))
2015-05-02 06:26:08 +03:00
{
2016-10-13 23:02:25 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_MCS_ERECT_DOMAIN - rdp_server_accept_mcs_attach_user_request() fail");
return -1;
}
2016-10-13 23:02:25 +03:00
break;
case CONNECTION_STATE_MCS_ATTACH_USER:
if (!rdp_server_accept_mcs_channel_join_request(rdp, s))
2015-05-02 06:26:08 +03:00
{
2016-10-13 23:02:25 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_MCS_ATTACH_USER - rdp_server_accept_mcs_channel_join_request() fail");
return -1;
}
2016-10-13 23:02:25 +03:00
2011-08-20 14:22:14 +04:00
break;
case CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT:
Standard RDP Security Layer Levels/Method Overhaul [MS-RDPBCGR] Section 5.3 describes the encryption level and method values for standard RDP security. Looking at the current usage of these values in the FreeRDP code gives me reason to believe that there is a certain lack of understanding of how these values should be handled. The encryption level is only configured on the server side in the "Encryption Level" setting found in the Remote Desktop Session Host Configuration RDP-Tcp properties dialog and this value is never transferred from the client to the server over the wire. The possible options are "None", "Low", "Client Compatible", "High" and "FIPS Compliant". The client receices this value in the Server Security Data block (TS_UD_SC_SEC1), probably only for informational purposes and maybe to give the client the possibility to verify if the server's decision for the encryption method confirms to the server's encryption level. The possible encryption methods are "NONE", "40BIT", "56BIT", "128BIT" and "FIPS" and the RDP client advertises the ones it supports to the server in the Client Security Data block (TS_UD_CS_SEC). The server's configured encryption level value restricts the possible final encryption method. Something that I was not able to find in the documentation is the priority level of the individual encryption methods based on which the server makes its final method decision if there are several options. My analysis with Windows Servers reveiled that the order is 128, 56, 40, FIPS. The server only chooses FIPS if the level is "FIPS Comliant" or if it is the only method advertised by the client. Bottom line: * FreeRDP's client side does not need to set settings->EncryptionLevel (which was done quite frequently). * FreeRDP's server side does not have to set the supported encryption methods list in settings->EncryptionMethods Changes in this commit: Removed unnecessary/confusing changes of EncryptionLevel/Methods settings Refactor settings->DisableEncryption * This value actually means "Advanced RDP Encryption (NLA/TLS) is NOT used" * The old name caused lots of confusion among developers * Renamed it to "UseRdpSecurityLayer" (the compare logic stays untouched) Any client's setting of settings->EncryptionMethods were annihilated * All clients "want" to set all supported methods * Some clients forgot 56bit because 56bit was not supported at the time the code was written * settings->EncryptionMethods was overwritten anyways in nego_connect() * Removed all client side settings of settings->EncryptionMethods The default is "None" (0) * Changed nego_connect() to advertise all supported methods if settings->EncryptionMethods is 0 (None) * Added a commandline option /encryption-methods:comma separated list of the values "40", "56", "128", "FIPS". E.g. /encryption-methods:56,128 * Print warning if server chooses non-advertised method Verify received level and method in client's gcc_read_server_security_data * Only accept valid/known encryption methods * Verify encryption level/method combinations according to MS-RDPBCGR 5.3.2 Server implementations can now set settings->EncryptionLevel * The default for settings->EncryptionLevel is 0 (None) * nego_send_negotiation_response() changes it to ClientCompatible in that case * default to ClientCompatible if the server implementation set an invalid level Fix server's gcc_write_server_security_data * Verify server encryption level value set by server implementations * Choose rdp encryption method based on level and supported client methods * Moved FIPS to the lowest priority (only used if other methods are possible) Updated sample server * Support RDP Security (RdpKeyFile was not set) * Added commented sample code for setting the security level
2014-12-12 04:17:12 +03:00
if (rdp->settings->UseRdpSecurityLayer)
{
if (!rdp_server_establish_keys(rdp, s))
2015-05-02 06:26:08 +03:00
{
2016-10-13 23:02:25 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_RDP_SECURITY_COMMENCEMENT - rdp_server_establish_keys() fail");
return -1;
}
}
rdp_server_transition_to_state(rdp, CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE);
2016-10-13 23:02:25 +03:00
if (Stream_GetRemainingLength(s) > 0)
return peer_recv_callback(transport, s, extra);
2016-10-13 23:02:25 +03:00
break;
2012-03-18 21:13:34 +04:00
case CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE:
if (!rdp_recv_client_info(rdp, s))
2015-05-02 06:26:08 +03:00
{
2016-10-13 23:02:25 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE - rdp_recv_client_info() fail");
return -1;
}
rdp_server_transition_to_state(rdp, CONNECTION_STATE_LICENSING);
return peer_recv_callback(transport, NULL, extra);
2011-08-21 11:52:44 +04:00
break;
case CONNECTION_STATE_LICENSING:
2015-05-02 06:26:08 +03:00
{
LicenseCallbackResult res;
if (!client->LicenseCallback)
{
WLog_ERR(TAG,
"peer_recv_callback: LicenseCallback has been removed, assuming licensing is ok (please fix your app)");
res = LICENSE_CB_COMPLETED;
}
else
res = client->LicenseCallback(client, s);
switch (res)
{
case LICENSE_CB_INTERNAL_ERROR:
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_LICENSING - callback internal error, aborting");
return -1;
case LICENSE_CB_ABORT:
return -1;
case LICENSE_CB_IN_PROGRESS:
break;
case LICENSE_CB_COMPLETED:
rdp_server_transition_to_state(rdp, CONNECTION_STATE_CAPABILITIES_EXCHANGE);
return peer_recv_callback(transport, NULL, extra);
default:
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_LICENSING - unknown license callback result %d",
(int)res);
break;
}
break;
}
case CONNECTION_STATE_CAPABILITIES_EXCHANGE:
if (!rdp->AwaitCapabilities)
{
if (client->Capabilities && !client->Capabilities(client))
return -1;
if (!rdp_send_demand_active(rdp))
2015-05-02 06:26:08 +03:00
{
2016-10-13 23:02:25 +03:00
WLog_ERR(TAG,
"peer_recv_callback: CONNECTION_STATE_CAPABILITIES_EXCHANGE - rdp_send_demand_active() fail");
return -1;
}
rdp->AwaitCapabilities = TRUE;
if (s)
{
if (peer_recv_pdu(client, s) < 0)
2015-05-02 06:26:08 +03:00
{
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_CAPABILITIES_EXCHANGE - peer_recv_pdu() fail");
return -1;
}
}
}
else
{
/**
* During reactivation sequence the client might sent some input or channel data
* before receiving the Deactivate All PDU. We need to process them as usual.
*/
if (peer_recv_pdu(client, s) < 0)
2015-05-02 06:26:08 +03:00
{
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_CAPABILITIES_EXCHANGE - peer_recv_pdu() fail");
return -1;
}
}
break;
case CONNECTION_STATE_FINALIZATION:
if (peer_recv_pdu(client, s) < 0)
2015-05-02 06:26:08 +03:00
{
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_FINALIZATION - peer_recv_pdu() fail");
return -1;
}
2016-10-13 23:02:25 +03:00
2011-08-21 18:52:37 +04:00
break;
case CONNECTION_STATE_ACTIVE:
if (peer_recv_pdu(client, s) < 0)
2015-05-02 06:26:08 +03:00
{
WLog_ERR(TAG, "peer_recv_callback: CONNECTION_STATE_ACTIVE - peer_recv_pdu() fail");
return -1;
}
2016-10-13 23:02:25 +03:00
break;
default:
WLog_ERR(TAG, "Invalid state %d", rdp->state);
return -1;
}
return 0;
}
static BOOL freerdp_peer_close(freerdp_peer* client)
{
2018-11-20 18:38:06 +03:00
UINT32 SelectedProtocol;
/** if negotiation has failed, we're not MCS connected. So don't
* send anything else, or some mstsc will consider that as an error
*/
2018-11-20 18:38:06 +03:00
SelectedProtocol = nego_get_selected_protocol(client->context->rdp->nego);
if (SelectedProtocol & PROTOCOL_FAILED_NEGO)
return TRUE;
/**
* [MS-RDPBCGR] 1.3.1.4.2 User-Initiated Disconnection Sequence on Server
* The server first sends the client a Deactivate All PDU followed by an
* optional MCS Disconnect Provider Ultimatum PDU.
*/
if (!rdp_send_deactivate_all(client->context->rdp))
return FALSE;
if (freerdp_settings_get_bool(client->settings, FreeRDP_SupportErrorInfoPdu))
2016-10-13 23:02:25 +03:00
{
rdp_send_error_info(client->context->rdp);
}
return mcs_send_disconnect_provider_ultimatum(client->context->rdp->mcs);
}
2011-08-18 12:06:32 +04:00
static void freerdp_peer_disconnect(freerdp_peer* client)
{
rdpTransport* transport = client->context->rdp->transport;
transport_disconnect(transport);
}
static int freerdp_peer_send_channel_data(freerdp_peer* client, UINT16 channelId, const BYTE* data,
2016-10-13 23:02:25 +03:00
int size)
{
return rdp_send_channel_data(client->context->rdp, channelId, data, size);
}
static BOOL freerdp_peer_is_write_blocked(freerdp_peer* peer)
{
rdpTransport* transport = peer->context->rdp->transport;
return transport_is_write_blocked(transport);
}
static int freerdp_peer_drain_output_buffer(freerdp_peer* peer)
{
rdpTransport* transport = peer->context->rdp->transport;
return transport_drain_output_buffer(transport);
}
2016-10-13 23:02:25 +03:00
static BOOL freerdp_peer_has_more_to_read(freerdp_peer* peer)
{
return peer->context->rdp->transport->haveMoreBytesToRead;
}
static LicenseCallbackResult freerdp_peer_nolicense(freerdp_peer* peer, wStream* s)
{
rdpRdp* rdp = peer->context->rdp;
if (!license_send_valid_client_error_packet(rdp))
{
WLog_ERR(TAG, "freerdp_peer_nolicense: license_send_valid_client_error_packet() failed");
return LICENSE_CB_ABORT;
}
return LICENSE_CB_COMPLETED;
}
BOOL freerdp_peer_context_new(freerdp_peer* client)
{
rdpRdp* rdp;
rdpContext* context;
BOOL ret = TRUE;
if (!client)
return FALSE;
if (!(context = (rdpContext*) calloc(1, client->ContextSize)))
goto fail_context;
client->context = context;
context->peer = client;
context->ServerMode = TRUE;
context->settings = client->settings;
if (!(context->metrics = metrics_new(context)))
goto fail_metrics;
if (!(rdp = rdp_new(context)))
goto fail_rdp;
client->input = rdp->input;
client->update = rdp->update;
client->settings = rdp->settings;
client->autodetect = rdp->autodetect;
context->rdp = rdp;
context->input = client->input;
context->update = client->update;
context->settings = client->settings;
context->autodetect = client->autodetect;
client->update->context = context;
client->input->context = context;
client->autodetect->context = context;
update_register_server_callbacks(client->update);
autodetect_register_server_callbacks(client->autodetect);
if (!(context->errorDescription = calloc(1, 500)))
{
WLog_ERR(TAG, "calloc failed!");
goto fail_error_description;
}
if (!transport_attach(rdp->transport, client->sockfd))
goto fail_transport_attach;
2011-08-23 12:14:32 +04:00
2012-12-22 00:49:02 +04:00
rdp->transport->ReceiveCallback = peer_recv_callback;
rdp->transport->ReceiveExtra = client;
transport_set_blocking_mode(rdp->transport, FALSE);
client->IsWriteBlocked = freerdp_peer_is_write_blocked;
client->DrainOutputBuffer = freerdp_peer_drain_output_buffer;
client->HasMoreToRead = freerdp_peer_has_more_to_read;
client->LicenseCallback = freerdp_peer_nolicense;
IFCALLRET(client->ContextNew, ret, client, client->context);
if (ret)
return TRUE;
WLog_ERR(TAG, "ContextNew callback failed");
fail_transport_attach:
free(context->errorDescription);
fail_error_description:
rdp_free(client->context->rdp);
fail_rdp:
metrics_free(context->metrics);
fail_metrics:
free(client->context);
fail_context:
client->context = NULL;
WLog_ERR(TAG, "Failed to create new peer context");
return FALSE;
}
void freerdp_peer_context_free(freerdp_peer* client)
{
IFCALL(client->ContextFree, client, client->context);
2014-06-03 16:54:56 +04:00
if (client->context)
{
free(client->context->errorDescription);
client->context->errorDescription = NULL;
rdp_free(client->context->rdp);
client->context->rdp = NULL;
metrics_free(client->context->metrics);
client->context->metrics = NULL;
free(client->context);
client->context = NULL;
}
2011-08-18 12:06:32 +04:00
}
freerdp_peer* freerdp_peer_new(int sockfd)
{
2014-11-12 22:06:34 +03:00
UINT32 option_value;
socklen_t option_len;
2011-08-18 12:06:32 +04:00
freerdp_peer* client;
client = (freerdp_peer*) calloc(1, sizeof(freerdp_peer));
2011-08-18 12:06:32 +04:00
2014-11-12 22:06:34 +03:00
if (!client)
return NULL;
option_value = TRUE;
option_len = sizeof(option_value);
setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, (void*) &option_value, option_len);
2012-03-18 21:13:34 +04:00
if (client)
2011-10-30 09:43:04 +04:00
{
client->sockfd = sockfd;
2013-06-14 05:34:46 +04:00
client->ContextSize = sizeof(rdpContext);
2011-10-30 09:43:04 +04:00
client->Initialize = freerdp_peer_initialize;
client->GetFileDescriptor = freerdp_peer_get_fds;
client->GetEventHandle = freerdp_peer_get_event_handle;
client->GetEventHandles = freerdp_peer_get_event_handles;
2011-10-30 09:43:04 +04:00
client->CheckFileDescriptor = freerdp_peer_check_fds;
client->Close = freerdp_peer_close;
2011-10-30 09:43:04 +04:00
client->Disconnect = freerdp_peer_disconnect;
client->SendChannelData = freerdp_peer_send_channel_data;
client->IsWriteBlocked = freerdp_peer_is_write_blocked;
client->DrainOutputBuffer = freerdp_peer_drain_output_buffer;
client->HasMoreToRead = freerdp_peer_has_more_to_read;
client->VirtualChannelOpen = freerdp_peer_virtual_channel_open;
client->VirtualChannelClose = freerdp_peer_virtual_channel_close;
client->VirtualChannelWrite = freerdp_peer_virtual_channel_write;
client->VirtualChannelRead = NULL; /* must be defined by server application */
client->VirtualChannelGetData = freerdp_peer_virtual_channel_get_data;
client->VirtualChannelSetData = freerdp_peer_virtual_channel_set_data;
2011-10-30 09:43:04 +04:00
}
2011-08-18 12:06:32 +04:00
return client;
}
void freerdp_peer_free(freerdp_peer* client)
{
if (!client)
return;
free(client);
2011-08-18 12:06:32 +04:00
}