Merge pull request #10312 from akallabeth/http_timeout

[gateway,http] implement proper timeouts
2024-06-27 10:17:40 +02:00 · 2024-06-27 10:17:40 +02:00 · c9aa349c52
parent 9b7fe9183a 431a96fe85
commit c9aa349c52
7 changed files with 228 additions and 189 deletions
--- a/libfreerdp/core/gateway/http.c
+++ b/libfreerdp/core/gateway/http.c
@ -26,6 +26,7 @@
 #include <winpr/stream.h>
 #include <winpr/string.h>
 #include <winpr/rpc.h>
+#include <winpr/sysinfo.h>

 #include <freerdp/log.h>
 #include <freerdp/crypto/crypto.h>
@ -1107,9 +1108,11 @@ static BOOL http_use_content_length(const char* cur)

 static int print_bio_error(const char* str, size_t len, void* bp)
 {
+	wLog* log = bp;
+
 	WINPR_UNUSED(len);
 	WINPR_UNUSED(bp);
-	WLog_ERR(TAG, "%s", str);
+	WLog_Print(log, WLOG_ERROR, "%s", str);
 	return len;
 }

@ -1219,56 +1222,65 @@ int http_chuncked_read(BIO* bio, BYTE* pBuffer, size_t size,
 	}
 }

-HttpResponse* http_response_recv(rdpTls* tls, BOOL readContentLength)
+#define sleep_or_timeout(tls, startMS, timeoutMS) \
+	sleep_or_timeout_((tls), (startMS), (timeoutMS), __FILE__, __func__, __LINE__)
+static BOOL sleep_or_timeout_(rdpTls* tls, UINT64 startMS, UINT32 timeoutMS, const char* file,
+                              const char* fkt, size_t line)
 {
-	size_t position = 0;
-	size_t bodyLength = 0;
-	size_t payloadOffset = 0;
-	HttpResponse* response = http_response_new();
+	WINPR_ASSERT(tls);

-	if (!response)
-		return NULL;
-
-	response->ContentLength = 0;
-
-	const UINT32 timeout = freerdp_settings_get_uint32(tls->settings, FreeRDP_TcpConnectTimeout);
-	while (payloadOffset == 0)
+	USleep(100);
+	const UINT64 nowMS = GetTickCount64();
+	if (nowMS - startMS > timeoutMS)
 	{
+		DWORD level = WLOG_ERROR;
+		wLog* log = WLog_Get(TAG);
+		if (WLog_IsLevelActive(log, level))
+			WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt,
+			                  "timeout [%" PRIu32 "ms] exceeded", timeoutMS);
+		return TRUE;
+	}
+	if (!BIO_should_retry(tls->bio))
+	{
+		DWORD level = WLOG_ERROR;
+		wLog* log = WLog_Get(TAG);
+		if (WLog_IsLevelActive(log, level))
+		{
+			WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt, "Retries exceeded");
+			ERR_print_errors_cb(print_bio_error, log);
+		}
+		return TRUE;
+	}
+	if (freerdp_shall_disconnect_context(tls->context))
+		return TRUE;
+
+	return FALSE;
+}
+
+static SSIZE_T http_response_recv_line(rdpTls* tls, HttpResponse* response)
+{
+	WINPR_ASSERT(tls);
+	WINPR_ASSERT(response);
+
+	SSIZE_T payloadOffset = -1;
+	const UINT32 timeoutMS =
+	    freerdp_settings_get_uint32(tls->context->settings, FreeRDP_TcpConnectTimeout);
+	const UINT64 startMS = GetTickCount64();
+	while (payloadOffset <= 0)
+	{
+		size_t bodyLength = 0;
+		size_t position = 0;
 		int status = -1;
 		size_t s = 0;
 		char* end = NULL;
 		/* Read until we encounter \r\n\r\n */
 		ERR_clear_error();
-		const long wstatus = BIO_wait_read(tls->bio, timeout);
-		if (wstatus < 0)
-		{
-			if (!BIO_should_retry(tls->bio))
-			{
-				WLog_ERR(TAG, "[BIO_wait_read] Retries exceeded");
-				ERR_print_errors_cb(print_bio_error, NULL);
-				goto out_error;
-			}
-			USleep(100);
-			continue;
-		}
-		else if (wstatus == 0)
-		{
-			WLog_ERR(TAG, "[BIO_wait] timeout exceeded");
-			ERR_print_errors_cb(print_bio_error, NULL);
-			goto out_error;
-		}

 		status = BIO_read(tls->bio, Stream_Pointer(response->data), 1);
 		if (status <= 0)
 		{
-			if (!BIO_should_retry(tls->bio))
-			{
-				WLog_ERR(TAG, "Retries exceeded");
-				ERR_print_errors_cb(print_bio_error, NULL);
+			if (sleep_or_timeout(tls, startMS, timeoutMS))
 				goto out_error;
-			}
-
-			USleep(100);
 			continue;
 		}

@ -1299,6 +1311,119 @@ HttpResponse* http_response_recv(rdpTls* tls, BOOL readContentLength)
 			payloadOffset = Stream_GetPosition(response->data);
 	}

+out_error:
+	return payloadOffset;
+}
+
+static BOOL http_response_recv_body(rdpTls* tls, HttpResponse* response, BOOL readContentLength,
+                                    size_t payloadOffset, size_t bodyLength)
+{
+	BOOL rc = FALSE;
+
+	WINPR_ASSERT(tls);
+	WINPR_ASSERT(response);
+
+	const UINT64 startMS = GetTickCount64();
+	const UINT32 timeoutMS =
+	    freerdp_settings_get_uint32(tls->context->settings, FreeRDP_TcpConnectTimeout);
+
+	if ((response->TransferEncoding == TransferEncodingChunked) && readContentLength)
+	{
+		http_encoding_chunked_context ctx = { 0 };
+		ctx.state = ChunkStateLenghHeader;
+		ctx.nextOffset = 0;
+		ctx.headerFooterPos = 0;
+		int full_len = 0;
+		do
+		{
+			if (!Stream_EnsureRemainingCapacity(response->data, 2048))
+				goto out_error;
+
+			int status = http_chuncked_read(tls->bio, Stream_Pointer(response->data),
+			                                Stream_GetRemainingCapacity(response->data), &ctx);
+			if (status <= 0)
+			{
+				if (sleep_or_timeout(tls, startMS, timeoutMS))
+					goto out_error;
+			}
+			else
+			{
+				Stream_Seek(response->data, (size_t)status);
+				full_len += status;
+			}
+		} while (ctx.state != ChunkStateEnd);
+		response->BodyLength = full_len;
+		if (response->BodyLength > 0)
+			response->BodyContent = &(Stream_Buffer(response->data))[payloadOffset];
+	}
+	else
+	{
+		while (response->BodyLength < bodyLength)
+		{
+			int status = 0;
+
+			if (!Stream_EnsureRemainingCapacity(response->data, bodyLength - response->BodyLength))
+				goto out_error;
+
+			ERR_clear_error();
+			status = BIO_read(tls->bio, Stream_Pointer(response->data),
+			                  bodyLength - response->BodyLength);
+
+			if (status <= 0)
+			{
+				if (sleep_or_timeout(tls, startMS, timeoutMS))
+					goto out_error;
+				continue;
+			}
+
+			Stream_Seek(response->data, (size_t)status);
+			response->BodyLength += (unsigned long)status;
+
+			if (response->BodyLength > RESPONSE_SIZE_LIMIT)
+			{
+				WLog_ERR(TAG, "Request body too large! (%" PRIdz " bytes) Aborting!",
+				         response->BodyLength);
+				goto out_error;
+			}
+		}
+
+		if (response->BodyLength > 0)
+			response->BodyContent = &(Stream_Buffer(response->data))[payloadOffset];
+
+		if (bodyLength != response->BodyLength)
+		{
+			WLog_WARN(TAG, "%s unexpected body length: actual: %" PRIuz ", expected: %" PRIuz,
+			          response->ContentType, response->BodyLength, bodyLength);
+
+			if (bodyLength > 0)
+				response->BodyLength = MIN(bodyLength, response->BodyLength);
+		}
+
+		/* '\0' terminate the http body */
+		if (!Stream_EnsureRemainingCapacity(response->data, sizeof(UINT16)))
+			goto out_error;
+		Stream_Write_UINT16(response->data, 0);
+	}
+
+	rc = TRUE;
+out_error:
+	return rc;
+}
+
+HttpResponse* http_response_recv(rdpTls* tls, BOOL readContentLength)
+{
+	size_t bodyLength = 0;
+	HttpResponse* response = http_response_new();
+
+	if (!response)
+		return NULL;
+
+	response->ContentLength = 0;
+
+	const SSIZE_T payloadOffset = http_response_recv_line(tls, response);
+	if (payloadOffset < 0)
+		goto out_error;
+
 	if (payloadOffset)
 	{
 		size_t count = 0;
@ -1370,96 +1495,8 @@ HttpResponse* http_response_recv(rdpTls* tls, BOOL readContentLength)
 		}

 		/* Fetch remaining body! */
-		if ((response->TransferEncoding == TransferEncodingChunked) && readContentLength)
-		{
-			http_encoding_chunked_context ctx = { 0 };
-			ctx.state = ChunkStateLenghHeader;
-			ctx.nextOffset = 0;
-			ctx.headerFooterPos = 0;
-			int full_len = 0;
-			do
-			{
-				if (!Stream_EnsureRemainingCapacity(response->data, 2048))
-					goto out_error;
-
-				int status = http_chuncked_read(tls->bio, Stream_Pointer(response->data),
-				                                Stream_GetRemainingCapacity(response->data), &ctx);
-				if (status <= 0)
-				{
-					if (!BIO_should_retry(tls->bio))
-					{
-						WLog_ERR(TAG, "Retries exceeded");
-						ERR_print_errors_cb(print_bio_error, NULL);
-						goto out_error;
-					}
-
-					USleep(100);
-				}
-				else
-				{
-					Stream_Seek(response->data, (size_t)status);
-					full_len += status;
-				}
-			} while (ctx.state != ChunkStateEnd);
-			response->BodyLength = full_len;
-			if (response->BodyLength > 0)
-				response->BodyContent = &(Stream_Buffer(response->data))[payloadOffset];
-		}
-		else
-		{
-			while (response->BodyLength < bodyLength)
-			{
-				int status = 0;
-
-				if (!Stream_EnsureRemainingCapacity(response->data,
-				                                    bodyLength - response->BodyLength))
-					goto out_error;
-
-				ERR_clear_error();
-				status = BIO_read(tls->bio, Stream_Pointer(response->data),
-				                  bodyLength - response->BodyLength);
-
-				if (status <= 0)
-				{
-					if (!BIO_should_retry(tls->bio))
-					{
-						WLog_ERR(TAG, "Retries exceeded");
-						ERR_print_errors_cb(print_bio_error, NULL);
-						goto out_error;
-					}
-
-					USleep(100);
-					continue;
-				}
-
-				Stream_Seek(response->data, (size_t)status);
-				response->BodyLength += (unsigned long)status;
-
-				if (response->BodyLength > RESPONSE_SIZE_LIMIT)
-				{
-					WLog_ERR(TAG, "Request body too large! (%" PRIdz " bytes) Aborting!",
-					         response->BodyLength);
-					goto out_error;
-				}
-			}
-
-			if (response->BodyLength > 0)
-				response->BodyContent = &(Stream_Buffer(response->data))[payloadOffset];
-
-			if (bodyLength != response->BodyLength)
-			{
-				WLog_WARN(TAG, "%s unexpected body length: actual: %" PRIuz ", expected: %" PRIuz,
-				          response->ContentType, response->BodyLength, bodyLength);
-
-				if (bodyLength > 0)
-					response->BodyLength = MIN(bodyLength, response->BodyLength);
-			}
-
-			/* '\0' terminate the http body */
-			if (!Stream_EnsureRemainingCapacity(response->data, sizeof(UINT16)))
-				goto out_error;
-			Stream_Write_UINT16(response->data, 0);
-		}
+		if (!http_response_recv_body(tls, response, readContentLength, payloadOffset, bodyLength))
+			goto out_error;
 	}
 	Stream_SealLength(response->data);

--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@ -117,7 +117,6 @@ typedef struct
 struct rdp_rdg
 {
 	rdpContext* context;
-	rdpSettings* settings;
 	BOOL attached;
 	BIO* frontBio;
 	rdpTls* tlsIn;
@ -500,7 +499,8 @@ static BOOL rdg_send_tunnel_request(rdpRdg* rdg)

 	if (rdg->extAuth == HTTP_EXTENDED_AUTH_PAA)
 	{
-		PAACookie = ConvertUtf8ToWCharAlloc(rdg->settings->GatewayAccessToken, &PAACookieLen);
+		PAACookie =
+		    ConvertUtf8ToWCharAlloc(rdg->context->settings->GatewayAccessToken, &PAACookieLen);

 		if (!PAACookie || (PAACookieLen > UINT16_MAX / sizeof(WCHAR)))
 		{
@ -553,8 +553,8 @@ static BOOL rdg_send_tunnel_authorization(rdpRdg* rdg)
 	BOOL status = 0;
 	WINPR_ASSERT(rdg);
 	size_t clientNameLen = 0;
-	WCHAR* clientName =
-	    freerdp_settings_get_string_as_utf16(rdg->settings, FreeRDP_ClientHostname, &clientNameLen);
+	WCHAR* clientName = freerdp_settings_get_string_as_utf16(
+	    rdg->context->settings, FreeRDP_ClientHostname, &clientNameLen);

 	if (!clientName || (clientNameLen >= UINT16_MAX / sizeof(WCHAR)))
 	{
@ -600,8 +600,8 @@ static BOOL rdg_send_channel_create(rdpRdg* rdg)
 	size_t serverNameLen = 0;

 	WINPR_ASSERT(rdg);
-	serverName =
-	    freerdp_settings_get_string_as_utf16(rdg->settings, FreeRDP_ServerHostname, &serverNameLen);
+	serverName = freerdp_settings_get_string_as_utf16(rdg->context->settings,
+	                                                  FreeRDP_ServerHostname, &serverNameLen);

 	if (!serverName || (serverNameLen >= UINT16_MAX / sizeof(WCHAR)))
 		goto fail;
@ -618,7 +618,8 @@ static BOOL rdg_send_channel_create(rdpRdg* rdg)
 	Stream_Write_UINT32(s, packetSize);              /* PacketLength (4 bytes) */
 	Stream_Write_UINT8(s, 1);                        /* Number of resources. (1 byte) */
 	Stream_Write_UINT8(s, 0);                        /* Number of alternative resources (1 byte) */
-	Stream_Write_UINT16(s, (UINT16)rdg->settings->ServerPort); /* Resource port (2 bytes) */
+	Stream_Write_UINT16(s,
+	                    (UINT16)rdg->context->settings->ServerPort); /* Resource port (2 bytes) */
 	Stream_Write_UINT16(s, 3);                                 /* Protocol number (2 bytes) */
 	Stream_Write_UINT16(s, (UINT16)serverNameLen * sizeof(WCHAR));
 	Stream_Write_UTF16_String(s, serverName, (size_t)serverNameLen);
@ -688,7 +689,7 @@ static wStream* rdg_build_http_request(rdpRdg* rdg, const char* method,
 	else if (rdg->extAuth == HTTP_EXTENDED_AUTH_BEARER)
 	{
 		http_request_set_auth_scheme(request, "Bearer");
-		http_request_set_auth_param(request, rdg->settings->GatewayHttpExtAuthBearer);
+		http_request_set_auth_param(request, rdg->context->settings->GatewayHttpExtAuthBearer);
 	}

 	http_request_set_transfer_encoding(request, transferEncoding);
@ -1269,7 +1270,7 @@ static BOOL rdg_tls_connect(rdpRdg* rdg, rdpTls* tls, const char* peerAddress, i
 	long status = 0;
 	BIO* socketBio = NULL;
 	BIO* bufferedBio = NULL;
-	rdpSettings* settings = rdg->settings;
+	rdpSettings* settings = rdg->context->settings;
 	const char* peerHostname = settings->GatewayHostname;
 	UINT16 peerPort = (UINT16)settings->GatewayPort;
 	const char* proxyUsername = NULL;
@ -1355,7 +1356,7 @@ static BOOL rdg_establish_data_connection(rdpRdg* rdg, rdpTls* tls, const char*
 		return FALSE;

 	WINPR_ASSERT(rpcFallback);
-	if (rdg->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
+	if (rdg->context->settings->GatewayHttpExtAuthBearer && rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
 		rdg->extAuth = HTTP_EXTENDED_AUTH_BEARER;
 	if (rdg->extAuth == HTTP_EXTENDED_AUTH_NONE)
 	{
@ -2216,21 +2217,22 @@ rdpRdg* rdg_new(rdpContext* context)
 		rdg->log = WLog_Get(TAG);
 		rdg->state = RDG_CLIENT_STATE_INITIAL;
 		rdg->context = context;
-		rdg->settings = rdg->context->settings;
-		rdg->extAuth = (rdg->settings->GatewayHttpExtAuthSspiNtlm ? HTTP_EXTENDED_AUTH_SSPI_NTLM
-		                                                          : HTTP_EXTENDED_AUTH_NONE);
+		rdg->context->settings = rdg->context->settings;
+		rdg->extAuth =
+		    (rdg->context->settings->GatewayHttpExtAuthSspiNtlm ? HTTP_EXTENDED_AUTH_SSPI_NTLM
+		                                                        : HTTP_EXTENDED_AUTH_NONE);

-		if (rdg->settings->GatewayAccessToken)
+		if (rdg->context->settings->GatewayAccessToken)
 			rdg->extAuth = HTTP_EXTENDED_AUTH_PAA;

 		UuidCreate(&rdg->guid);

-		rdg->tlsOut = freerdp_tls_new(rdg->settings);
+		rdg->tlsOut = freerdp_tls_new(rdg->context);

 		if (!rdg->tlsOut)
 			goto rdg_alloc_error;

-		rdg->tlsIn = freerdp_tls_new(rdg->settings);
+		rdg->tlsIn = freerdp_tls_new(rdg->context);

 		if (!rdg->tlsIn)
 			goto rdg_alloc_error;
@ -2246,12 +2248,12 @@ rdpRdg* rdg_new(rdpContext* context)
 		    !http_context_set_pragma(rdg->http, "no-cache") ||
 		    !http_context_set_connection(rdg->http, "Keep-Alive") ||
 		    !http_context_set_user_agent(rdg->http, "MS-RDGateway/1.0") ||
-		    !http_context_set_host(rdg->http, rdg->settings->GatewayHostname) ||
+		    !http_context_set_host(rdg->http, rdg->context->settings->GatewayHostname) ||
 		    !http_context_set_rdg_connection_id(rdg->http, &rdg->guid) ||
 		    !http_context_set_rdg_correlation_id(rdg->http, &rdg->guid) ||
 		    !http_context_enable_websocket_upgrade(
-		        rdg->http,
-		        freerdp_settings_get_bool(rdg->settings, FreeRDP_GatewayHttpUseWebsockets)))
+		        rdg->http, freerdp_settings_get_bool(rdg->context->settings,
+		                                             FreeRDP_GatewayHttpUseWebsockets)))
 		{
 			goto rdg_alloc_error;
 		}
--- a/libfreerdp/core/gateway/rpc.c
+++ b/libfreerdp/core/gateway/rpc.c
@ -762,7 +762,7 @@ static BOOL rpc_channel_tls_connect(RpcChannel* channel, UINT32 timeout)
 	}

 	channel->bio = bufferedBio;
-	tls = channel->tls = freerdp_tls_new(settings);
+	tls = channel->tls = freerdp_tls_new(context);

 	if (!tls)
 		return FALSE;
--- a/libfreerdp/core/gateway/wst.c
+++ b/libfreerdp/core/gateway/wst.c
@ -53,7 +53,6 @@
 struct rdp_wst
 {
 	rdpContext* context;
-	rdpSettings* settings;
 	BOOL attached;
 	BIO* frontBio;
 	rdpTls* tls;
@ -217,7 +216,7 @@ static BOOL wst_tls_connect(rdpWst* wst, rdpTls* tls, int timeout)
 	long status = 0;
 	BIO* socketBio = NULL;
 	BIO* bufferedBio = NULL;
-	rdpSettings* settings = wst->settings;
+	rdpSettings* settings = wst->context->settings;
 	const char* peerHostname = wst->gwhostname;
 	UINT16 peerPort = wst->gwport;
 	const char* proxyUsername = NULL;
@ -313,11 +312,12 @@ static wStream* wst_build_http_request(rdpWst* wst)
 		if (!wst_set_auth_header(wst->auth, request))
 			goto out;
 	}
-	else if (freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer))
+	else if (freerdp_settings_get_string(wst->context->settings, FreeRDP_GatewayHttpExtAuthBearer))
 	{
 		http_request_set_auth_scheme(request, "Bearer");
 		http_request_set_auth_param(
-		    request, freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer));
+		    request,
+		    freerdp_settings_get_string(wst->context->settings, FreeRDP_GatewayHttpExtAuthBearer));
 	}

 	s = http_request_write(wst->http, request);
@ -362,7 +362,7 @@ static BOOL wst_handle_ok_or_forbidden(rdpWst* wst, HttpResponse** ppresponse, D

 	/* AVD returns a 403 response with a ARRAffinity cookie set. retry with that cookie */
 	const char* affinity = http_response_get_setcookie(*ppresponse, "ARRAffinity");
-	if (affinity && freerdp_settings_get_bool(wst->settings, FreeRDP_GatewayArmTransport))
+	if (affinity && freerdp_settings_get_bool(wst->context->settings, FreeRDP_GatewayArmTransport))
 	{
 		WLog_DBG(TAG, "Got Affinity cookie %s", affinity);
 		http_context_set_cookie(wst->http, "ARRAffinity", affinity);
@ -374,19 +374,19 @@ static BOOL wst_handle_ok_or_forbidden(rdpWst* wst, HttpResponse** ppresponse, D
 			closesocket((SOCKET)fd);
 		freerdp_tls_free(wst->tls);

-		wst->tls = freerdp_tls_new(wst->settings);
+		wst->tls = freerdp_tls_new(wst->context);
 		if (!wst_tls_connect(wst, wst->tls, timeout))
 			return FALSE;

-		if (freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer) &&
-		    freerdp_settings_get_bool(wst->settings, FreeRDP_GatewayArmTransport))
+		if (freerdp_settings_get_string(wst->context->settings, FreeRDP_GatewayHttpExtAuthBearer) &&
+		    freerdp_settings_get_bool(wst->context->settings, FreeRDP_GatewayArmTransport))
 		{
 			char* urlWithAuth = NULL;
 			size_t urlLen = 0;
 			char firstParam = (strchr(wst->gwpath, '?') != NULL) ? '&' : '?';
-			winpr_asprintf(
-			    &urlWithAuth, &urlLen, arm_query_param, wst->gwpath, firstParam,
-			    freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer));
+			winpr_asprintf(&urlWithAuth, &urlLen, arm_query_param, wst->gwpath, firstParam,
+			               freerdp_settings_get_string(wst->context->settings,
+			                                           FreeRDP_GatewayHttpExtAuthBearer));
 			if (!urlWithAuth)
 				return FALSE;
 			free(wst->gwpath);
@ -416,7 +416,7 @@ static BOOL wst_handle_denied(rdpWst* wst, HttpResponse** ppresponse, long* pSta
 	WINPR_ASSERT(*ppresponse);
 	WINPR_ASSERT(pStatusCode);

-	if (freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer))
+	if (freerdp_settings_get_string(wst->context->settings, FreeRDP_GatewayHttpExtAuthBearer))
 		return FALSE;

 	if (!wst_auth_init(wst, wst->tls, AUTH_PKG))
@ -457,7 +457,7 @@ BOOL wst_connect(rdpWst* wst, DWORD timeout)
 	WINPR_ASSERT(wst);
 	if (!wst_tls_connect(wst, wst->tls, timeout))
 		return FALSE;
-	if (freerdp_settings_get_bool(wst->settings, FreeRDP_GatewayArmTransport))
+	if (freerdp_settings_get_bool(wst->context->settings, FreeRDP_GatewayArmTransport))
 	{
 		/*
 		 * If we are directed here from a ARM Gateway first
@ -793,7 +793,6 @@ rdpWst* wst_new(rdpContext* context)
 	if (wst)
 	{
 		wst->context = context;
-		wst->settings = wst->context->settings;

 		wst->gwhostname = NULL;
 		wst->gwport = 443;
@ -802,7 +801,7 @@ rdpWst* wst_new(rdpContext* context)
 		if (!wst_parse_url(wst, context->settings->GatewayUrl))
 			goto wst_alloc_error;

-		wst->tls = freerdp_tls_new(wst->settings);
+		wst->tls = freerdp_tls_new(wst->context);
 		if (!wst->tls)
 			goto wst_alloc_error;

--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@ -291,7 +291,7 @@ static BOOL transport_default_connect_tls(rdpTransport* transport)
 	settings = context->settings;
 	WINPR_ASSERT(settings);

-	if (!(tls = freerdp_tls_new(settings)))
+	if (!(tls = freerdp_tls_new(context)))
 		return FALSE;

 	transport->tls = tls;
@ -629,7 +629,7 @@ static BOOL transport_default_accept_tls(rdpTransport* transport)
 	WINPR_ASSERT(settings);

 	if (!transport->tls)
-		transport->tls = freerdp_tls_new(settings);
+		transport->tls = freerdp_tls_new(context);

 	transport->layer = TRANSPORT_LAYER_TLS;

--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@ -750,7 +750,7 @@ static BOOL tls_prepare(rdpTls* tls, BIO* underlying, SSL_METHOD* method, int op
 {
 	WINPR_ASSERT(tls);

-	rdpSettings* settings = tls->settings;
+	rdpSettings* settings = tls->context->settings;
 	WINPR_ASSERT(settings);

 	tls_reset(tls);
@ -1295,7 +1295,7 @@ static BOOL tls_match_hostname(const char* pattern, const size_t pattern_length,

 static BOOL is_redirected(rdpTls* tls)
 {
-	rdpSettings* settings = tls->settings;
+	rdpSettings* settings = tls->context->settings;

 	if (LB_NOREDIRECT & settings->RedirectionFlags)
 		return FALSE;
@ -1305,7 +1305,7 @@ static BOOL is_redirected(rdpTls* tls)

 static BOOL is_accepted(rdpTls* tls, const BYTE* pem, size_t length)
 {
-	rdpSettings* settings = tls->settings;
+	rdpSettings* settings = tls->context->settings;
 	char* AccpetedKey = NULL;
 	UINT32 AcceptedKeyLength = 0;

@ -1431,7 +1431,7 @@ static BOOL accept_cert(rdpTls* tls, const BYTE* pem, UINT32 length)
 	FreeRDP_Settings_Keys_String id = FreeRDP_AcceptedCert;
 	FreeRDP_Settings_Keys_UInt32 lid = FreeRDP_AcceptedCertLength;

-	rdpSettings* settings = tls->settings;
+	rdpSettings* settings = tls->context->settings;

 	if (tls->isGatewayTransport)
 	{
@ -1477,9 +1477,9 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 	freerdp* instance = NULL;

 	WINPR_ASSERT(tls);
-	WINPR_ASSERT(tls->settings);
+	WINPR_ASSERT(tls->context->settings);

-	instance = (freerdp*)tls->settings->instance;
+	instance = (freerdp*)tls->context->settings->instance;
 	WINPR_ASSERT(instance);

 	if (freerdp_shall_disconnect_context(instance->context))
@ -1495,7 +1495,7 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 		goto end;
 	}

-	if (is_accepted_fingerprint(cert, tls->settings->CertificateAcceptedFingerprints))
+	if (is_accepted_fingerprint(cert, tls->context->settings->CertificateAcceptedFingerprints))
 	{
 		verification_status = 1;
 		goto end;
@ -1511,7 +1511,7 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 		flags |= VERIFY_CERT_FLAG_REDIRECT;

 	/* Certificate management is done by the application */
-	if (tls->settings->ExternalCertificateManagement)
+	if (tls->context->settings->ExternalCertificateManagement)
 	{
 		if (instance->VerifyX509Certificate)
 			verification_status =
@ -1529,15 +1529,15 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 		}
 	}
 	/* ignore certificate verification if user explicitly required it (discouraged) */
-	else if (tls->settings->IgnoreCertificate)
+	else if (tls->context->settings->IgnoreCertificate)
 		verification_status = 1; /* success! */
-	else if (!tls->isGatewayTransport && (tls->settings->AuthenticationLevel == 0))
+	else if (!tls->isGatewayTransport && (tls->context->settings->AuthenticationLevel == 0))
 		verification_status = 1; /* success! */
 	else
 	{
 		/* if user explicitly specified a certificate name, use it instead of the hostname */
-		if (!tls->isGatewayTransport && tls->settings->CertificateName)
-			hostname = tls->settings->CertificateName;
+		if (!tls->isGatewayTransport && tls->context->settings->CertificateName)
+			hostname = tls->context->settings->CertificateName;

 		/* attempt verification using OpenSSL and the ~/.freerdp/certs certificate store */
 		certificate_status = freerdp_certificate_verify(
@ -1612,12 +1612,12 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 				}

 				/* Automatically accept certificate on first use */
-				if (tls->settings->AutoAcceptCertificate)
+				if (tls->context->settings->AutoAcceptCertificate)
 				{
 					WLog_INFO(TAG, "No certificate stored, automatically accepting.");
 					accept_certificate = 1;
 				}
-				else if (tls->settings->AutoDenyCertificate)
+				else if (tls->context->settings->AutoDenyCertificate)
 				{
 					WLog_INFO(TAG, "No certificate stored, automatically denying.");
 					accept_certificate = 0;
@ -1637,7 +1637,7 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 				else if (instance->VerifyCertificateEx)
 				{
 					const BOOL use_pem = freerdp_settings_get_bool(
-					    tls->settings, FreeRDP_CertificateCallbackPreferPEM);
+					    tls->context->settings, FreeRDP_CertificateCallbackPreferPEM);
 					char* fp = NULL;
 					DWORD cflags = flags;
 					if (use_pem)
@ -1682,7 +1682,7 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 					WLog_WARN(TAG, "Failed to get certificate entry for %s:%" PRIu16 "", hostname,
 					          port);

-				if (tls->settings->AutoDenyCertificate)
+				if (tls->context->settings->AutoDenyCertificate)
 				{
 					WLog_INFO(TAG, "No certificate stored, automatically denying.");
 					accept_certificate = 0;
@ -1708,8 +1708,9 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 					const char* old_fp = freerdp_certificate_data_get_fingerprint(stored_data);
 					const char* old_pem = freerdp_certificate_data_get_pem(stored_data);
 					const BOOL fpIsAllocated =
-					    !old_pem || !freerdp_settings_get_bool(
-					                    tls->settings, FreeRDP_CertificateCallbackPreferPEM);
+					    !old_pem ||
+					    !freerdp_settings_get_bool(tls->context->settings,
+					                               FreeRDP_CertificateCallbackPreferPEM);
 					char* fp = NULL;
 					if (!fpIsAllocated)
 					{
@ -1857,7 +1858,7 @@ void tls_print_certificate_name_mismatch_error(const char* hostname, UINT16 port
 	WLog_ERR(TAG, "A valid certificate for the wrong name should NOT be trusted!");
 }

-rdpTls* freerdp_tls_new(rdpSettings* settings)
+rdpTls* freerdp_tls_new(rdpContext* context)
 {
 	rdpTls* tls = NULL;
 	tls = (rdpTls*)calloc(1, sizeof(rdpTls));
@ -1865,11 +1866,11 @@ rdpTls* freerdp_tls_new(rdpSettings* settings)
 	if (!tls)
 		return NULL;

-	tls->settings = settings;
+	tls->context = context;

-	if (!settings->ServerMode)
+	if (!freerdp_settings_get_bool(tls->context->settings, FreeRDP_ServerMode))
 	{
-		tls->certificate_store = freerdp_certificate_store_new(settings);
+		tls->certificate_store = freerdp_certificate_store_new(tls->context->settings);

 		if (!tls->certificate_store)
 			goto out_free;
--- a/libfreerdp/crypto/tls.h
+++ b/libfreerdp/crypto/tls.h
@ -71,7 +71,7 @@ struct rdp_tls
 	SSL_CTX* ctx;
 	BYTE* PublicKey;
 	DWORD PublicKeyLength;
-	rdpSettings* settings;
+	rdpContext* context;
 	SecPkgContext_Bindings* Bindings;
 	rdpCertificateStore* certificate_store;
 	BIO* underlying;
@ -122,7 +122,7 @@ extern "C"
 	FREERDP_LOCAL void freerdp_tls_free(rdpTls* tls);

 	WINPR_ATTR_MALLOC(freerdp_tls_free, 1)
-	FREERDP_LOCAL rdpTls* freerdp_tls_new(rdpSettings* settings);
+	FREERDP_LOCAL rdpTls* freerdp_tls_new(rdpContext* context);

 #ifdef __cplusplus
 }