/** * FreeRDP: A Remote Desktop Protocol Implementation * RDP Core * * Copyright 2011 Marc-Andre Moreau * Copyright 2014 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include "rdp.h" #include "info.h" #include "redirection.h" #include #include #define TAG FREERDP_TAG("core.rdp") #ifdef WITH_DEBUG_RDP const char* DATA_PDU_TYPE_STRINGS[80] = { "?", "?", /* 0x00 - 0x01 */ "Update", /* 0x02 */ "?", "?", "?", "?", "?", "?", "?", "?", /* 0x03 - 0x0A */ "?", "?", "?", "?", "?", "?", "?", "?", "?", /* 0x0B - 0x13 */ "Control", /* 0x14 */ "?", "?", "?", "?", "?", "?", /* 0x15 - 0x1A */ "Pointer", /* 0x1B */ "Input", /* 0x1C */ "?", "?", /* 0x1D - 0x1E */ "Synchronize", /* 0x1F */ "?", /* 0x20 */ "Refresh Rect", /* 0x21 */ "Play Sound", /* 0x22 */ "Suppress Output", /* 0x23 */ "Shutdown Request", /* 0x24 */ "Shutdown Denied", /* 0x25 */ "Save Session Info", /* 0x26 */ "Font List", /* 0x27 */ "Font Map", /* 0x28 */ "Set Keyboard Indicators", /* 0x29 */ "?", /* 0x2A */ "Bitmap Cache Persistent List", /* 0x2B */ "Bitmap Cache Error", /* 0x2C */ "Set Keyboard IME Status", /* 0x2D */ "Offscreen Cache Error", /* 0x2E */ "Set Error Info", /* 0x2F */ "Draw Nine Grid Error", /* 0x30 */ "Draw GDI+ Error", /* 0x31 */ "ARC Status", /* 0x32 */ "?", "?", "?", /* 0x33 - 0x35 */ "Status Info", /* 0x36 */ "Monitor Layout" /* 0x37 */ "FrameAcknowledge", "?", "?", /* 0x38 - 0x40 */ "?", "?", "?", "?", "?", "?" /* 0x41 - 0x46 */ }; #endif /** * Read RDP Security Header.\n * @msdn{cc240579} * @param s stream * @param flags security flags */ BOOL rdp_read_security_header(wStream* s, UINT16* flags) { /* Basic Security Header */ if (Stream_GetRemainingLength(s) < 4) return FALSE; Stream_Read_UINT16(s, *flags); /* flags */ Stream_Seek(s, 2); /* flagsHi (unused) */ return TRUE; } /** * Write RDP Security Header.\n * @msdn{cc240579} * @param s stream * @param flags security flags */ void rdp_write_security_header(wStream* s, UINT16 flags) { /* Basic Security Header */ Stream_Write_UINT16(s, flags); /* flags */ Stream_Write_UINT16(s, 0); /* flagsHi (unused) */ } BOOL rdp_read_share_control_header(wStream* s, UINT16* length, UINT16* type, UINT16* channel_id) { if (Stream_GetRemainingLength(s) < 2) return FALSE; /* Share Control Header */ Stream_Read_UINT16(s, *length); /* totalLength */ /* If length is 0x8000 then we actually got a flow control PDU that we should ignore http://msdn.microsoft.com/en-us/library/cc240576.aspx */ if (*length == 0x8000) { rdp_read_flow_control_pdu(s, type); *channel_id = 0; *length = 8; /* Flow control PDU is 8 bytes */ return TRUE; } if (((size_t) *length - 2) > Stream_GetRemainingLength(s)) return FALSE; Stream_Read_UINT16(s, *type); /* pduType */ *type &= 0x0F; /* type is in the 4 least significant bits */ if (*length > 4) Stream_Read_UINT16(s, *channel_id); /* pduSource */ else *channel_id = 0; /* Windows XP can send such short DEACTIVATE_ALL PDUs. */ return TRUE; } void rdp_write_share_control_header(wStream* s, UINT16 length, UINT16 type, UINT16 channel_id) { length -= RDP_PACKET_HEADER_MAX_LENGTH; /* Share Control Header */ Stream_Write_UINT16(s, length); /* totalLength */ Stream_Write_UINT16(s, type | 0x10); /* pduType */ Stream_Write_UINT16(s, channel_id); /* pduSource */ } BOOL rdp_read_share_data_header(wStream* s, UINT16* length, BYTE* type, UINT32* shareId, BYTE* compressedType, UINT16* compressedLength) { if (Stream_GetRemainingLength(s) < 12) return FALSE; /* Share Data Header */ Stream_Read_UINT32(s, *shareId); /* shareId (4 bytes) */ Stream_Seek_UINT8(s); /* pad1 (1 byte) */ Stream_Seek_UINT8(s); /* streamId (1 byte) */ Stream_Read_UINT16(s, *length); /* uncompressedLength (2 bytes) */ Stream_Read_UINT8(s, *type); /* pduType2, Data PDU Type (1 byte) */ Stream_Read_UINT8(s, *compressedType); /* compressedType (1 byte) */ Stream_Read_UINT16(s, *compressedLength); /* compressedLength (2 bytes) */ return TRUE; } void rdp_write_share_data_header(wStream* s, UINT16 length, BYTE type, UINT32 share_id) { length -= RDP_PACKET_HEADER_MAX_LENGTH; length -= RDP_SHARE_CONTROL_HEADER_LENGTH; length -= RDP_SHARE_DATA_HEADER_LENGTH; /* Share Data Header */ Stream_Write_UINT32(s, share_id); /* shareId (4 bytes) */ Stream_Write_UINT8(s, 0); /* pad1 (1 byte) */ Stream_Write_UINT8(s, STREAM_LOW); /* streamId (1 byte) */ Stream_Write_UINT16(s, length); /* uncompressedLength (2 bytes) */ Stream_Write_UINT8(s, type); /* pduType2, Data PDU Type (1 byte) */ Stream_Write_UINT8(s, 0); /* compressedType (1 byte) */ Stream_Write_UINT16(s, 0); /* compressedLength (2 bytes) */ } static int rdp_security_stream_init(rdpRdp* rdp, wStream* s, BOOL sec_header) { if (rdp->do_crypt) { Stream_Seek(s, 12); if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS) Stream_Seek(s, 4); rdp->sec_flags |= SEC_ENCRYPT; if (rdp->do_secure_checksum) rdp->sec_flags |= SEC_SECURE_CHECKSUM; } else if (rdp->sec_flags != 0 || sec_header) { Stream_Seek(s, 4); } return 0; } int rdp_init_stream(rdpRdp* rdp, wStream* s) { Stream_Seek(s, RDP_PACKET_HEADER_MAX_LENGTH); rdp_security_stream_init(rdp, s, FALSE); return 0; } wStream* rdp_send_stream_init(rdpRdp* rdp) { wStream* s; s = transport_send_stream_init(rdp->transport, 2048); rdp_init_stream(rdp, s); return s; } int rdp_init_stream_pdu(rdpRdp* rdp, wStream* s) { Stream_Seek(s, RDP_PACKET_HEADER_MAX_LENGTH); rdp_security_stream_init(rdp, s, FALSE); Stream_Seek(s, RDP_SHARE_CONTROL_HEADER_LENGTH); return 0; } int rdp_init_stream_data_pdu(rdpRdp* rdp, wStream* s) { Stream_Seek(s, RDP_PACKET_HEADER_MAX_LENGTH); rdp_security_stream_init(rdp, s, FALSE); Stream_Seek(s, RDP_SHARE_CONTROL_HEADER_LENGTH); Stream_Seek(s, RDP_SHARE_DATA_HEADER_LENGTH); return 0; } wStream* rdp_data_pdu_init(rdpRdp* rdp) { wStream* s; s = transport_send_stream_init(rdp->transport, 2048); rdp_init_stream_data_pdu(rdp, s); return s; } BOOL rdp_set_error_info(rdpRdp* rdp, UINT32 errorInfo) { rdp->errorInfo = errorInfo; if (rdp->errorInfo != ERRINFO_SUCCESS) { ErrorInfoEventArgs e; rdpContext* context = rdp->instance->context; rdp->context->LastError = MAKE_FREERDP_ERROR(ERRINFO, errorInfo); rdp_print_errinfo(rdp->errorInfo); EventArgsInit(&e, "freerdp"); e.code = rdp->errorInfo; PubSub_OnErrorInfo(context->pubSub, context, &e); } else { rdp->context->LastError = FREERDP_ERROR_SUCCESS; } return TRUE; } wStream* rdp_message_channel_pdu_init(rdpRdp* rdp) { wStream* s; s = transport_send_stream_init(rdp->transport, 2048); if (!s) return NULL; Stream_Seek(s, RDP_PACKET_HEADER_MAX_LENGTH); rdp_security_stream_init(rdp, s, TRUE); return s; } /** * Read an RDP packet header.\n * @param rdp rdp module * @param s stream * @param length RDP packet length * @param channel_id channel id */ BOOL rdp_read_header(rdpRdp* rdp, wStream* s, UINT16* length, UINT16* channelId) { BYTE li; BYTE byte; BYTE code; BYTE choice; UINT16 initiator; enum DomainMCSPDU MCSPDU; enum DomainMCSPDU domainMCSPDU; MCSPDU = (rdp->settings->ServerMode) ? DomainMCSPDU_SendDataRequest : DomainMCSPDU_SendDataIndication; *length = tpkt_read_header(s); if (!tpdu_read_header(s, &code, &li)) return FALSE; if (code != X224_TPDU_DATA) { if (code == X224_TPDU_DISCONNECT_REQUEST) { rdp->disconnect = TRUE; return TRUE; } return FALSE; } if (!per_read_choice(s, &choice)) return FALSE; domainMCSPDU = (enum DomainMCSPDU) (choice >> 2); if (domainMCSPDU != MCSPDU) { if (domainMCSPDU != DomainMCSPDU_DisconnectProviderUltimatum) return FALSE; } MCSPDU = domainMCSPDU; if ((size_t) (*length - 8) > Stream_GetRemainingLength(s)) return FALSE; if (MCSPDU == DomainMCSPDU_DisconnectProviderUltimatum) { int reason = 0; TerminateEventArgs e; rdpContext* context; if (!mcs_recv_disconnect_provider_ultimatum(rdp->mcs, s, &reason)) return FALSE; if (!rdp->instance) { rdp->disconnect = TRUE; return FALSE; } context = rdp->instance->context; if (rdp->errorInfo == ERRINFO_SUCCESS) { /** * Some servers like Windows Server 2008 R2 do not send the error info pdu * when the user logs off like they should. Map DisconnectProviderUltimatum * to a ERRINFO_LOGOFF_BY_USER when the errinfo code is ERRINFO_SUCCESS. */ if (reason == MCS_Reason_provider_initiated) rdp_set_error_info(rdp, ERRINFO_RPC_INITIATED_DISCONNECT); else if (reason == MCS_Reason_user_requested) rdp_set_error_info(rdp, ERRINFO_LOGOFF_BY_USER); else rdp_set_error_info(rdp, ERRINFO_RPC_INITIATED_DISCONNECT); } WLog_ERR(TAG, "DisconnectProviderUltimatum: reason: %d", reason); rdp->disconnect = TRUE; EventArgsInit(&e, "freerdp"); e.code = 0; PubSub_OnTerminate(context->pubSub, context, &e); return TRUE; } if (Stream_GetRemainingLength(s) < 5) return FALSE; per_read_integer16(s, &initiator, MCS_BASE_CHANNEL_ID); /* initiator (UserId) */ per_read_integer16(s, channelId, 0); /* channelId */ Stream_Read_UINT8(s, byte); /* dataPriority + Segmentation (0x70) */ if (!per_read_length(s, length)) /* userData (OCTET_STRING) */ return FALSE; if (*length > Stream_GetRemainingLength(s)) return FALSE; return TRUE; } /** * Write an RDP packet header.\n * @param rdp rdp module * @param s stream * @param length RDP packet length * @param channel_id channel id */ void rdp_write_header(rdpRdp* rdp, wStream* s, UINT16 length, UINT16 channelId) { int body_length; enum DomainMCSPDU MCSPDU; MCSPDU = (rdp->settings->ServerMode) ? DomainMCSPDU_SendDataIndication : DomainMCSPDU_SendDataRequest; if ((rdp->sec_flags & SEC_ENCRYPT) && (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)) { int pad; body_length = length - RDP_PACKET_HEADER_MAX_LENGTH - 16; pad = 8 - (body_length % 8); if (pad != 8) length += pad; } mcs_write_domain_mcspdu_header(s, MCSPDU, length, 0); per_write_integer16(s, rdp->mcs->userId, MCS_BASE_CHANNEL_ID); /* initiator */ per_write_integer16(s, channelId, 0); /* channelId */ Stream_Write_UINT8(s, 0x70); /* dataPriority + segmentation */ /* * We always encode length in two bytes, even though we could use * only one byte if length <= 0x7F. It is just easier that way, * because we can leave room for fixed-length header, store all * the data first and then store the header. */ length = (length - RDP_PACKET_HEADER_MAX_LENGTH) | 0x8000; Stream_Write_UINT16_BE(s, length); /* userData (OCTET_STRING) */ } static BOOL rdp_security_stream_out(rdpRdp* rdp, wStream* s, int length, UINT32 sec_flags, UINT32 *pad) { BYTE* data; BOOL status; sec_flags |= rdp->sec_flags; *pad = 0; if (sec_flags != 0) { rdp_write_security_header(s, sec_flags); if (sec_flags & SEC_ENCRYPT) { if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS) { data = Stream_Pointer(s) + 12; length = length - (data - Stream_Buffer(s)); Stream_Write_UINT16(s, 0x10); /* length */ Stream_Write_UINT8(s, 0x1); /* TSFIPS_VERSION 1*/ /* handle padding */ *pad = 8 - (length % 8); if (*pad == 8) *pad = 0; if (*pad) memset(data+length, 0, *pad); Stream_Write_UINT8(s, *pad); if (!security_hmac_signature(data, length, Stream_Pointer(s), rdp)) return FALSE; Stream_Seek(s, 8); security_fips_encrypt(data, length + *pad, rdp); } else { data = Stream_Pointer(s) + 8; length = length - (data - Stream_Buffer(s)); if (sec_flags & SEC_SECURE_CHECKSUM) status = security_salted_mac_signature(rdp, data, length, TRUE, Stream_Pointer(s)); else status = security_mac_signature(rdp, data, length, Stream_Pointer(s)); if (!status) return FALSE; Stream_Seek(s, 8); if (!security_encrypt(Stream_Pointer(s), length, rdp)) return FALSE; } } rdp->sec_flags = 0; } return TRUE; } static UINT32 rdp_get_sec_bytes(rdpRdp* rdp, UINT16 sec_flags) { UINT32 sec_bytes; if (rdp->sec_flags & SEC_ENCRYPT) { sec_bytes = 12; if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS) sec_bytes += 4; } else if (rdp->sec_flags != 0 || sec_flags != 0) { sec_bytes = 4; } else { sec_bytes = 0; } return sec_bytes; } /** * Send an RDP packet. * @param rdp RDP module * @param s stream * @param channel_id channel id */ BOOL rdp_send(rdpRdp* rdp, wStream* s, UINT16 channel_id) { UINT32 pad; UINT16 length; length = Stream_GetPosition(s); Stream_SetPosition(s, 0); rdp_write_header(rdp, s, length, channel_id); if (!rdp_security_stream_out(rdp, s, length, 0, &pad)) return FALSE; length += pad; Stream_SetPosition(s, length); Stream_SealLength(s); if (transport_write(rdp->transport, s) < 0) return FALSE; return TRUE; } BOOL rdp_send_pdu(rdpRdp* rdp, wStream* s, UINT16 type, UINT16 channel_id) { UINT16 length; UINT32 sec_bytes; int sec_hold; UINT32 pad; length = Stream_GetPosition(s); Stream_SetPosition(s, 0); rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID); sec_bytes = rdp_get_sec_bytes(rdp, 0); sec_hold = Stream_GetPosition(s); Stream_Seek(s, sec_bytes); rdp_write_share_control_header(s, length - sec_bytes, type, channel_id); Stream_SetPosition(s, sec_hold); if (!rdp_security_stream_out(rdp, s, length, 0, &pad)) return FALSE; length += pad; Stream_SetPosition(s, length); Stream_SealLength(s); if (transport_write(rdp->transport, s) < 0) return FALSE; return TRUE; } BOOL rdp_send_data_pdu(rdpRdp* rdp, wStream* s, BYTE type, UINT16 channel_id) { UINT16 length; UINT32 sec_bytes; int sec_hold; UINT32 pad; length = Stream_GetPosition(s); Stream_SetPosition(s, 0); rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID); sec_bytes = rdp_get_sec_bytes(rdp, 0); sec_hold = Stream_GetPosition(s); Stream_Seek(s, sec_bytes); rdp_write_share_control_header(s, length - sec_bytes, PDU_TYPE_DATA, channel_id); rdp_write_share_data_header(s, length - sec_bytes, type, rdp->settings->ShareId); Stream_SetPosition(s, sec_hold); if (!rdp_security_stream_out(rdp, s, length, 0, &pad)) return FALSE; length += pad; Stream_SetPosition(s, length); Stream_SealLength(s); if (transport_write(rdp->transport, s) < 0) return FALSE; return TRUE; } BOOL rdp_send_message_channel_pdu(rdpRdp* rdp, wStream* s, UINT16 sec_flags) { UINT16 length; UINT32 sec_bytes; int sec_hold; UINT32 pad; length = Stream_GetPosition(s); Stream_SetPosition(s, 0); rdp_write_header(rdp, s, length, rdp->mcs->messageChannelId); sec_bytes = rdp_get_sec_bytes(rdp, sec_flags); sec_hold = Stream_GetPosition(s); Stream_Seek(s, sec_bytes); Stream_SetPosition(s, sec_hold); if (!rdp_security_stream_out(rdp, s, length, sec_flags, &pad)) return FALSE; length += pad; Stream_SetPosition(s, length); Stream_SealLength(s); if (transport_write(rdp->transport, s) < 0) return FALSE; return TRUE; } BOOL rdp_recv_server_shutdown_denied_pdu(rdpRdp* rdp, wStream* s) { return TRUE; } BOOL rdp_recv_server_set_keyboard_indicators_pdu(rdpRdp* rdp, wStream* s) { UINT16 unitId; UINT16 ledFlags; rdpContext* context = rdp->instance->context; if (Stream_GetRemainingLength(s) < 4) return FALSE; Stream_Read_UINT16(s, unitId); /* unitId (2 bytes) */ Stream_Read_UINT16(s, ledFlags); /* ledFlags (2 bytes) */ IFCALL(context->update->SetKeyboardIndicators, context, ledFlags); return TRUE; } BOOL rdp_recv_server_set_keyboard_ime_status_pdu(rdpRdp* rdp, wStream* s) { UINT16 unitId; UINT32 imeState; UINT32 imeConvMode; if (Stream_GetRemainingLength(s) < 10) return FALSE; Stream_Read_UINT16(s, unitId); /* unitId (2 bytes) */ Stream_Read_UINT32(s, imeState); /* imeState (4 bytes) */ Stream_Read_UINT32(s, imeConvMode); /* imeConvMode (4 bytes) */ return TRUE; } BOOL rdp_recv_set_error_info_data_pdu(rdpRdp* rdp, wStream* s) { UINT32 errorInfo; if (Stream_GetRemainingLength(s) < 4) return FALSE; Stream_Read_UINT32(s, errorInfo); /* errorInfo (4 bytes) */ rdp_set_error_info(rdp, errorInfo); return TRUE; } BOOL rdp_recv_server_auto_reconnect_status_pdu(rdpRdp* rdp, wStream* s) { UINT32 arcStatus; if (Stream_GetRemainingLength(s) < 4) return FALSE; Stream_Read_UINT32(s, arcStatus); /* arcStatus (4 bytes) */ WLog_WARN(TAG, "AutoReconnectStatus: 0x%04X", arcStatus); return TRUE; } BOOL rdp_recv_server_status_info_pdu(rdpRdp* rdp, wStream* s) { UINT32 statusCode; if (Stream_GetRemainingLength(s) < 4) return FALSE; Stream_Read_UINT32(s, statusCode); /* statusCode (4 bytes) */ return TRUE; } BOOL rdp_recv_monitor_layout_pdu(rdpRdp* rdp, wStream* s) { UINT32 index; UINT32 monitorCount; MONITOR_DEF* monitor; MONITOR_DEF* monitorDefArray; if (Stream_GetRemainingLength(s) < 4) return FALSE; Stream_Read_UINT32(s, monitorCount); /* monitorCount (4 bytes) */ if (Stream_GetRemainingLength(s) < (monitorCount * 20)) return FALSE; monitorDefArray = (MONITOR_DEF*) calloc(monitorCount, sizeof(MONITOR_DEF)); if (!monitorDefArray) return FALSE; for (index = 0; index < monitorCount; index++) { monitor = &(monitorDefArray[index]); Stream_Read_UINT32(s, monitor->left); /* left (4 bytes) */ Stream_Read_UINT32(s, monitor->top); /* top (4 bytes) */ Stream_Read_UINT32(s, monitor->right); /* right (4 bytes) */ Stream_Read_UINT32(s, monitor->bottom); /* bottom (4 bytes) */ Stream_Read_UINT32(s, monitor->flags); /* flags (4 bytes) */ } free(monitorDefArray); return TRUE; } BOOL rdp_write_monitor_layout_pdu(wStream* s, UINT32 monitorCount, MONITOR_DEF* monitorDefArray) { UINT32 index; MONITOR_DEF* monitor; if (!Stream_EnsureRemainingCapacity(s, 4 + (monitorCount * 20))) return FALSE; Stream_Write_UINT32(s, monitorCount); /* monitorCount (4 bytes) */ for (index = 0; index < monitorCount; index++) { monitor = &(monitorDefArray[index]); Stream_Write_UINT32(s, monitor->left); /* left (4 bytes) */ Stream_Write_UINT32(s, monitor->top); /* top (4 bytes) */ Stream_Write_UINT32(s, monitor->right); /* right (4 bytes) */ Stream_Write_UINT32(s, monitor->bottom); /* bottom (4 bytes) */ Stream_Write_UINT32(s, monitor->flags); /* flags (4 bytes) */ } return TRUE; } int rdp_recv_data_pdu(rdpRdp* rdp, wStream* s) { BYTE type; wStream* cs; UINT16 length; UINT32 shareId; BYTE compressedType; UINT16 compressedLength; if (!rdp_read_share_data_header(s, &length, &type, &shareId, &compressedType, &compressedLength)) return -1; cs = s; if (compressedType & PACKET_COMPRESSED) { UINT32 DstSize = 0; BYTE* pDstData = NULL; UINT32 SrcSize = compressedLength - 18; if (Stream_GetRemainingLength(s) < (size_t) SrcSize) { WLog_ERR(TAG, "bulk_decompress: not enough bytes for compressedLength %d", compressedLength); return -1; } if (bulk_decompress(rdp->bulk, Stream_Pointer(s), SrcSize, &pDstData, &DstSize, compressedType)) { if (!(cs = StreamPool_Take(rdp->transport->ReceivePool, DstSize))) { WLog_ERR(TAG, "Coudn't take stream from pool"); return -1; } Stream_SetPosition(cs, 0); Stream_Write(cs, pDstData, DstSize); Stream_SealLength(cs); Stream_SetPosition(cs, 0); } else { WLog_ERR(TAG, "bulk_decompress() failed"); return -1; } Stream_Seek(s, SrcSize); } #ifdef WITH_DEBUG_RDP WLog_DBG(TAG, "recv %s Data PDU (0x%02X), length: %d", type < ARRAYSIZE(DATA_PDU_TYPE_STRINGS) ? DATA_PDU_TYPE_STRINGS[type] : "???", type, length); #endif switch (type) { case DATA_PDU_TYPE_UPDATE: if (!update_recv(rdp->update, cs)) return -1; break; case DATA_PDU_TYPE_CONTROL: if (!rdp_recv_server_control_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_POINTER: if (!update_recv_pointer(rdp->update, cs)) return -1; break; case DATA_PDU_TYPE_SYNCHRONIZE: if (!rdp_recv_synchronize_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_PLAY_SOUND: if (!update_recv_play_sound(rdp->update, cs)) return -1; break; case DATA_PDU_TYPE_SHUTDOWN_DENIED: if (!rdp_recv_server_shutdown_denied_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_SAVE_SESSION_INFO: if (!rdp_recv_save_session_info(rdp, cs)) return -1; break; case DATA_PDU_TYPE_FONT_MAP: if (!rdp_recv_font_map_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_SET_KEYBOARD_INDICATORS: if (!rdp_recv_server_set_keyboard_indicators_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_SET_KEYBOARD_IME_STATUS: if (!rdp_recv_server_set_keyboard_ime_status_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_SET_ERROR_INFO: if (!rdp_recv_set_error_info_data_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_ARC_STATUS: if (!rdp_recv_server_auto_reconnect_status_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_STATUS_INFO: if (!rdp_recv_server_status_info_pdu(rdp, cs)) return -1; break; case DATA_PDU_TYPE_MONITOR_LAYOUT: if (!rdp_recv_monitor_layout_pdu(rdp, cs)) return -1; break; default: break; } if (cs != s) Stream_Release(cs); return 0; } int rdp_recv_message_channel_pdu(rdpRdp* rdp, wStream* s) { UINT16 securityFlags; if (!rdp_read_security_header(s, &securityFlags)) return -1; if (securityFlags & SEC_AUTODETECT_REQ) { /* Server Auto-Detect Request PDU */ return rdp_recv_autodetect_request_packet(rdp, s); } if (securityFlags & SEC_AUTODETECT_RSP) { /* Client Auto-Detect Response PDU */ return rdp_recv_autodetect_response_packet(rdp, s); } if (securityFlags & SEC_HEARTBEAT) { /* Heartbeat PDU */ return rdp_recv_heartbeat_packet(rdp, s); } if (securityFlags & SEC_TRANSPORT_REQ) { /* Initiate Multitransport Request PDU */ return rdp_recv_multitransport_packet(rdp, s); } return -1; } int rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, wStream* s) { UINT16 type; UINT16 length; UINT16 channelId; if (!rdp_read_share_control_header(s, &length, &type, &channelId)) return -1; if (type == PDU_TYPE_DATA) { return rdp_recv_data_pdu(rdp, s); } else if (type == PDU_TYPE_SERVER_REDIRECTION) { return rdp_recv_enhanced_security_redirection_packet(rdp, s); } else if (type == PDU_TYPE_FLOW_RESPONSE || type == PDU_TYPE_FLOW_STOP || type == PDU_TYPE_FLOW_TEST) { return 0; } else { return -1; } } void rdp_read_flow_control_pdu(wStream* s, UINT16* type) { /* * Read flow control PDU - documented in FlowPDU section in T.128 * http://www.itu.int/rec/T-REC-T.128-199802-S/en * The specification for the PDU has pad8bits listed BEFORE pduTypeFlow. * However, so far pad8bits has always been observed to arrive AFTER pduTypeFlow. * Switched the order of these two fields to match this observation. */ UINT8 pduType; Stream_Read_UINT8(s, pduType); /* pduTypeFlow */ *type = pduType; Stream_Seek_UINT8(s); /* pad8bits */ Stream_Seek_UINT8(s); /* flowIdentifier */ Stream_Seek_UINT8(s); /* flowNumber */ Stream_Seek_UINT16(s); /* pduSource */ } /** * Decrypt an RDP packet.\n * @param rdp RDP module * @param s stream * @param length int */ BOOL rdp_decrypt(rdpRdp* rdp, wStream* s, int length, UINT16 securityFlags) { BYTE cmac[8]; BYTE wmac[8]; BOOL status; if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS) { UINT16 len; BYTE version, pad; BYTE* sig; if (Stream_GetRemainingLength(s) < 12) return FALSE; Stream_Read_UINT16(s, len); /* 0x10 */ Stream_Read_UINT8(s, version); /* 0x1 */ Stream_Read_UINT8(s, pad); sig = Stream_Pointer(s); Stream_Seek(s, 8); /* signature */ length -= 12; if (!security_fips_decrypt(Stream_Pointer(s), length, rdp)) { WLog_ERR(TAG, "FATAL: cannot decrypt"); return FALSE; /* TODO */ } if (!security_fips_check_signature(Stream_Pointer(s), length - pad, sig, rdp)) { WLog_ERR(TAG, "FATAL: invalid packet signature"); return FALSE; /* TODO */ } Stream_Length(s) -= pad; return TRUE; } if (Stream_GetRemainingLength(s) < 8) return FALSE; Stream_Read(s, wmac, sizeof(wmac)); length -= sizeof(wmac); if (!security_decrypt(Stream_Pointer(s), length, rdp)) return FALSE; if (securityFlags & SEC_SECURE_CHECKSUM) status = security_salted_mac_signature(rdp, Stream_Pointer(s), length, FALSE, cmac); else status = security_mac_signature(rdp, Stream_Pointer(s), length, cmac); if (!status) return FALSE; if (memcmp(wmac, cmac, sizeof(wmac)) != 0) { WLog_ERR(TAG, "WARNING: invalid packet signature"); /* * Because Standard RDP Security is totally broken, * and cannot protect against MITM, don't treat signature * verification failure as critical. This at least enables * us to work with broken RDP clients and servers that * generate invalid signatures. */ //return FALSE; } return TRUE; } /** * Process an RDP packet.\n * @param rdp RDP module * @param s stream */ static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s) { UINT16 length; UINT16 pduType; UINT16 pduLength; UINT16 pduSource; UINT16 channelId = 0; UINT16 securityFlags; int nextPosition; if (!rdp_read_header(rdp, s, &length, &channelId)) { WLog_ERR(TAG, "Incorrect RDP header."); return -1; } if (rdp->disconnect) return 0; if (rdp->autodetect->bandwidthMeasureStarted) { rdp->autodetect->bandwidthMeasureByteCount += length; } if (rdp->settings->UseRdpSecurityLayer) { if (!rdp_read_security_header(s, &securityFlags)) return -1; if (securityFlags & (SEC_ENCRYPT | SEC_REDIRECTION_PKT)) { if (!rdp_decrypt(rdp, s, length - 4, securityFlags)) { WLog_ERR(TAG, "rdp_decrypt failed"); return -1; } } if (securityFlags & SEC_REDIRECTION_PKT) { /* * [MS-RDPBCGR] 2.2.13.2.1 * - no share control header, nor the 2 byte pad */ Stream_Rewind(s, 2); return rdp_recv_enhanced_security_redirection_packet(rdp, s); } } if (channelId == MCS_GLOBAL_CHANNEL_ID) { while (Stream_GetRemainingLength(s) > 3) { nextPosition = Stream_GetPosition(s); if (!rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource)) return -1; nextPosition += pduLength; rdp->settings->PduSource = pduSource; switch (pduType) { case PDU_TYPE_DATA: if (rdp_recv_data_pdu(rdp, s) < 0) { WLog_ERR(TAG, "rdp_recv_data_pdu failed"); return -1; } break; case PDU_TYPE_DEACTIVATE_ALL: if (!rdp_recv_deactivate_all(rdp, s)) return -1; break; case PDU_TYPE_SERVER_REDIRECTION: return rdp_recv_enhanced_security_redirection_packet(rdp, s); break; case PDU_TYPE_FLOW_RESPONSE: case PDU_TYPE_FLOW_STOP: case PDU_TYPE_FLOW_TEST: break; default: WLog_ERR(TAG, "incorrect PDU type: 0x%04X", pduType); break; } Stream_SetPosition(s, nextPosition); } } else if (rdp->mcs->messageChannelId && channelId == rdp->mcs->messageChannelId) { return rdp_recv_message_channel_pdu(rdp, s); } else { if (!freerdp_channel_process(rdp->instance, s, channelId)) return -1; } return 0; } static int rdp_recv_fastpath_pdu(rdpRdp* rdp, wStream* s) { UINT16 length; rdpFastPath* fastpath; fastpath = rdp->fastpath; if (!fastpath_read_header_rdp(fastpath, s, &length)) return -1; if ((length == 0) || (length > Stream_GetRemainingLength(s))) { WLog_ERR(TAG, "incorrect FastPath PDU header length %d", length); return -1; } if (rdp->autodetect->bandwidthMeasureStarted) { rdp->autodetect->bandwidthMeasureByteCount += length; } if (fastpath->encryptionFlags & FASTPATH_OUTPUT_ENCRYPTED) { UINT16 flags = (fastpath->encryptionFlags & FASTPATH_OUTPUT_SECURE_CHECKSUM) ? SEC_SECURE_CHECKSUM : 0; if (!rdp_decrypt(rdp, s, length, flags)) return -1; } return fastpath_recv_updates(rdp->fastpath, s); } static int rdp_recv_pdu(rdpRdp* rdp, wStream* s) { if (tpkt_verify_header(s)) return rdp_recv_tpkt_pdu(rdp, s); else return rdp_recv_fastpath_pdu(rdp, s); } int rdp_recv_callback(rdpTransport* transport, wStream* s, void* extra) { int status = 0; rdpRdp* rdp = (rdpRdp*) extra; /* * At any point in the connection sequence between when all * MCS channels have been joined and when the RDP connection * enters the active state, an auto-detect PDU can be received * on the MCS message channel. */ if ((rdp->state > CONNECTION_STATE_MCS_CHANNEL_JOIN) && (rdp->state < CONNECTION_STATE_ACTIVE)) { if (rdp_client_connect_auto_detect(rdp, s)) return 0; } switch (rdp->state) { case CONNECTION_STATE_NLA: if (nla_recv_pdu(rdp->nla, s) < 1) return -1; if (rdp->nla->state == NLA_STATE_AUTH_INFO) { transport_set_nla_mode(rdp->transport, FALSE); nla_free(rdp->nla); rdp->nla = NULL; if (!mcs_client_begin(rdp->mcs)) return -1; } break; case CONNECTION_STATE_MCS_CONNECT: if (!mcs_recv_connect_response(rdp->mcs, s)) { WLog_ERR(TAG, "mcs_recv_connect_response failure"); return -1; } if (!mcs_send_erect_domain_request(rdp->mcs)) { WLog_ERR(TAG, "mcs_send_erect_domain_request failure"); return -1; } if (!mcs_send_attach_user_request(rdp->mcs)) { WLog_ERR(TAG, "mcs_send_attach_user_request failure"); return -1; } rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_ATTACH_USER); break; case CONNECTION_STATE_MCS_ATTACH_USER: if (!mcs_recv_attach_user_confirm(rdp->mcs, s)) { WLog_ERR(TAG, "mcs_recv_attach_user_confirm failure"); return -1; } if (!mcs_send_channel_join_request(rdp->mcs, rdp->mcs->userId)) { WLog_ERR(TAG, "mcs_send_channel_join_request failure"); return -1; } rdp_client_transition_to_state(rdp, CONNECTION_STATE_MCS_CHANNEL_JOIN); break; case CONNECTION_STATE_MCS_CHANNEL_JOIN: if (!rdp_client_connect_mcs_channel_join_confirm(rdp, s)) status = -1; break; case CONNECTION_STATE_LICENSING: status = rdp_client_connect_license(rdp, s); break; case CONNECTION_STATE_CAPABILITIES_EXCHANGE: status = rdp_client_connect_demand_active(rdp, s); break; case CONNECTION_STATE_FINALIZATION: status = rdp_recv_pdu(rdp, s); if ((status >= 0) && (rdp->finalize_sc_pdus == FINALIZE_SC_COMPLETE)) { rdp_client_transition_to_state(rdp, CONNECTION_STATE_ACTIVE); return 2; } break; case CONNECTION_STATE_ACTIVE: status = rdp_recv_pdu(rdp, s); break; default: WLog_ERR(TAG, "Invalid state %d", rdp->state); status = -1; break; } return status; } int rdp_send_channel_data(rdpRdp* rdp, UINT16 channelId, BYTE* data, int size) { return freerdp_channel_send(rdp, channelId, data, size); } BOOL rdp_send_error_info(rdpRdp* rdp) { wStream* s; BOOL status; if (rdp->errorInfo == ERRINFO_SUCCESS) return TRUE; s = rdp_data_pdu_init(rdp); Stream_Write_UINT32(s, rdp->errorInfo); /* error id (4 bytes) */ status = rdp_send_data_pdu(rdp, s, DATA_PDU_TYPE_SET_ERROR_INFO, 0); return status; } int rdp_check_fds(rdpRdp* rdp) { int status; rdpTransport* transport = rdp->transport; if (transport->tsg) { rdpTsg* tsg = transport->tsg; status = tsg_check_event_handles(tsg); if (status < 0) return -1; if (tsg->state != TSG_STATE_PIPE_CREATED) return status; } status = transport_check_fds(transport); if (status == 1) { status = rdp_client_redirect(rdp); /* session redirection */ } return status; } /** * Instantiate new RDP module. * @return new RDP module */ rdpRdp* rdp_new(rdpContext* context) { rdpRdp* rdp; DWORD flags; BOOL newSettings = FALSE; rdp = (rdpRdp*) calloc(1, sizeof(rdpRdp)); if (!rdp) return NULL; rdp->context = context; rdp->instance = context->instance; flags = 0; if (context->ServerMode) flags |= FREERDP_SETTINGS_SERVER_MODE; if (!context->settings) { context->settings = freerdp_settings_new(flags); if (!context->settings) goto out_free; newSettings = TRUE; } rdp->settings = context->settings; rdp->settings->instance = context->instance; if (context->instance) context->instance->settings = rdp->settings; rdp->transport = transport_new(context); if (!rdp->transport) goto out_free_settings; rdp->license = license_new(rdp); if (!rdp->license) goto out_free_transport; rdp->input = input_new(rdp); if (!rdp->input) goto out_free_license; rdp->update = update_new(rdp); if (!rdp->update) goto out_free_input; rdp->fastpath = fastpath_new(rdp); if (!rdp->fastpath) goto out_free_update; rdp->nego = nego_new(rdp->transport); if (!rdp->nego) goto out_free_fastpath; rdp->mcs = mcs_new(rdp->transport); if (!rdp->mcs) goto out_free_nego; rdp->redirection = redirection_new(); if (!rdp->redirection) goto out_free_mcs; rdp->autodetect = autodetect_new(); if (!rdp->autodetect) goto out_free_redirection; rdp->heartbeat = heartbeat_new(); if (!rdp->heartbeat) goto out_free_autodetect; rdp->multitransport = multitransport_new(); if (!rdp->multitransport) goto out_free_heartbeat; rdp->bulk = bulk_new(context); if (!rdp->bulk) goto out_free_multitransport; return rdp; out_free_multitransport: multitransport_free(rdp->multitransport); out_free_heartbeat: heartbeat_free(rdp->heartbeat); out_free_autodetect: autodetect_free(rdp->autodetect); out_free_redirection: redirection_free(rdp->redirection); out_free_mcs: mcs_free(rdp->mcs); out_free_nego: nego_free(rdp->nego); out_free_fastpath: fastpath_free(rdp->fastpath); out_free_update: update_free(rdp->update); out_free_input: input_free(rdp->input); out_free_license: license_free(rdp->license); out_free_transport: transport_free(rdp->transport); out_free_settings: if (newSettings) freerdp_settings_free(rdp->settings); out_free: free(rdp); return NULL; } void rdp_reset(rdpRdp* rdp) { rdpContext* context; rdpSettings* settings; context = rdp->context; settings = rdp->settings; bulk_reset(rdp->bulk); if (rdp->rc4_decrypt_key) { crypto_rc4_free(rdp->rc4_decrypt_key); rdp->rc4_decrypt_key = NULL; } if (rdp->rc4_encrypt_key) { crypto_rc4_free(rdp->rc4_encrypt_key); rdp->rc4_encrypt_key = NULL; } if (rdp->fips_encrypt) { crypto_des3_free(rdp->fips_encrypt); rdp->fips_encrypt = NULL; } if (rdp->fips_decrypt) { crypto_des3_free(rdp->fips_decrypt); rdp->fips_decrypt = NULL; } if (rdp->fips_hmac) { crypto_hmac_free(rdp->fips_hmac); rdp->fips_hmac = NULL; } if (settings->ServerRandom) { free(settings->ServerRandom); settings->ServerRandom = NULL; settings->ServerRandomLength = 0; } if (settings->ServerCertificate) { free(settings->ServerCertificate); settings->ServerCertificate = NULL; } if (settings->ClientAddress) { free(settings->ClientAddress); settings->ClientAddress = NULL; } mcs_free(rdp->mcs); nego_free(rdp->nego); license_free(rdp->license); transport_free(rdp->transport); rdp->transport = transport_new(context); rdp->license = license_new(rdp); rdp->nego = nego_new(rdp->transport); rdp->mcs = mcs_new(rdp->transport); rdp->transport->layer = TRANSPORT_LAYER_TCP; rdp->disconnect = FALSE; rdp->errorInfo = 0; rdp->deactivation_reactivation = 0; rdp->finalize_sc_pdus = 0; } /** * Free RDP module. * @param rdp RDP module to be freed */ void rdp_free(rdpRdp* rdp) { if (rdp) { crypto_rc4_free(rdp->rc4_decrypt_key); crypto_rc4_free(rdp->rc4_encrypt_key); crypto_des3_free(rdp->fips_encrypt); crypto_des3_free(rdp->fips_decrypt); crypto_hmac_free(rdp->fips_hmac); freerdp_settings_free(rdp->settings); freerdp_settings_free(rdp->settingsCopy); transport_free(rdp->transport); license_free(rdp->license); input_free(rdp->input); update_free(rdp->update); fastpath_free(rdp->fastpath); nego_free(rdp->nego); mcs_free(rdp->mcs); nla_free(rdp->nla); redirection_free(rdp->redirection); autodetect_free(rdp->autodetect); heartbeat_free(rdp->heartbeat); multitransport_free(rdp->multitransport); bulk_free(rdp->bulk); free(rdp); } }