FreeRDP/libfreerdp/core/gateway/wst.c
2023-07-20 14:20:28 +02:00

868 lines
19 KiB
C

/**
* FreeRDP: A Remote Desktop Protocol Implementation
* Websocket Transport
*
* Copyright 2023 Michael Saxl <mike@mwsys.mine.bz>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <freerdp/config.h>
#include <winpr/assert.h>
#include <winpr/crt.h>
#include <winpr/synch.h>
#include <winpr/print.h>
#include <winpr/stream.h>
#include <winpr/winsock.h>
#include <winpr/cred.h>
#include <freerdp/log.h>
#include <freerdp/error.h>
#include <freerdp/utils/ringbuffer.h>
#include <freerdp/utils/smartcardlogon.h>
#include "wst.h"
#include "websocket.h"
#include "http.h"
#include "../credssp_auth.h"
#include "../proxy.h"
#include "../rdp.h"
#include "../../crypto/opensslcompat.h"
#include "rpc_fault.h"
#include "../utils.h"
#include "../settings.h"
#define TAG FREERDP_TAG("core.gateway.wst")
#define AUTH_PKG NEGO_SSP_NAME
struct rdp_wst
{
rdpContext* context;
rdpSettings* settings;
BOOL attached;
BIO* frontBio;
rdpTls* tls;
rdpCredsspAuth* auth;
BOOL auth_required;
HttpContext* http;
CRITICAL_SECTION writeSection;
char* gwhostname;
uint16_t gwport;
char* gwpath;
websocket_context wscontext;
};
static const char arm_query_param[] = "%s%cClmTk=Bearer%%20%s&X-MS-User-Agent=FreeRDP%%2F3.0";
static BOOL wst_get_gateway_credentials(rdpContext* context, rdp_auth_reason reason)
{
WINPR_ASSERT(context);
freerdp* instance = context->instance;
auth_status rc = utils_authenticate_gateway(instance, reason);
switch (rc)
{
case AUTH_SUCCESS:
case AUTH_SKIP:
return TRUE;
case AUTH_CANCELLED:
freerdp_set_last_error_log(instance->context, FREERDP_ERROR_CONNECT_CANCELLED);
return FALSE;
case AUTH_NO_CREDENTIALS:
freerdp_set_last_error_log(instance->context,
FREERDP_ERROR_CONNECT_NO_OR_MISSING_CREDENTIALS);
return FALSE;
case AUTH_FAILED:
default:
return FALSE;
}
}
static BOOL wst_auth_init(rdpWst* wst, rdpTls* tls, TCHAR* authPkg)
{
WINPR_ASSERT(wst);
WINPR_ASSERT(tls);
WINPR_ASSERT(authPkg);
rdpContext* context = wst->context;
rdpSettings* settings = context->settings;
SEC_WINNT_AUTH_IDENTITY identity = { 0 };
int rc;
wst->auth_required = TRUE;
if (!credssp_auth_init(wst->auth, authPkg, tls->Bindings))
return FALSE;
if (!wst_get_gateway_credentials(context, GW_AUTH_RDG))
return FALSE;
if (!identity_set_from_settings(&identity, settings, FreeRDP_GatewayUsername,
FreeRDP_GatewayDomain, FreeRDP_GatewayPassword))
return FALSE;
if (!credssp_auth_setup_client(wst->auth, "HTTP", wst->gwhostname, &identity, NULL))
{
sspi_FreeAuthIdentity(&identity);
return FALSE;
}
sspi_FreeAuthIdentity(&identity);
credssp_auth_set_flags(wst->auth, ISC_REQ_CONFIDENTIALITY | ISC_REQ_MUTUAL_AUTH);
rc = credssp_auth_authenticate(wst->auth);
if (rc < 0)
return FALSE;
return TRUE;
}
static BOOL wst_set_auth_header(rdpCredsspAuth* auth, HttpRequest* request)
{
WINPR_ASSERT(auth);
WINPR_ASSERT(request);
const SecBuffer* authToken = credssp_auth_get_output_buffer(auth);
char* base64AuthToken = NULL;
if (authToken)
{
if (authToken->cbBuffer > INT_MAX)
return FALSE;
base64AuthToken = crypto_base64_encode(authToken->pvBuffer, (int)authToken->cbBuffer);
}
if (base64AuthToken)
{
BOOL rc = http_request_set_auth_scheme(request, credssp_auth_pkg_name(auth)) &&
http_request_set_auth_param(request, base64AuthToken);
free(base64AuthToken);
if (!rc)
return FALSE;
}
return TRUE;
}
static BOOL wst_recv_auth_token(rdpCredsspAuth* auth, HttpResponse* response)
{
char buffer[64] = { 0 };
size_t len;
const char* token64 = NULL;
size_t authTokenLength = 0;
BYTE* authTokenData = NULL;
SecBuffer authToken = { 0 };
long StatusCode;
int rc;
if (!auth || !response)
return FALSE;
StatusCode = http_response_get_status_code(response);
switch (StatusCode)
{
case HTTP_STATUS_DENIED:
case HTTP_STATUS_OK:
break;
default:
WLog_WARN(TAG, "Unexpected HTTP status: %s",
http_status_string_format(StatusCode, buffer, ARRAYSIZE(buffer)));
return FALSE;
}
token64 = http_response_get_auth_token(response, credssp_auth_pkg_name(auth));
if (!token64)
return FALSE;
len = strlen(token64);
crypto_base64_decode(token64, len, &authTokenData, &authTokenLength);
if (authTokenLength && authTokenData)
{
authToken.pvBuffer = authTokenData;
authToken.cbBuffer = authTokenLength;
credssp_auth_take_input_buffer(auth, &authToken);
}
rc = credssp_auth_authenticate(auth);
if (rc < 0)
return FALSE;
return TRUE;
}
static BOOL wst_tls_connect(rdpWst* wst, rdpTls* tls, int timeout)
{
WINPR_ASSERT(wst);
WINPR_ASSERT(tls);
int sockfd = 0;
long status = 0;
BIO* socketBio = NULL;
BIO* bufferedBio = NULL;
rdpSettings* settings = wst->settings;
const char* peerHostname = wst->gwhostname;
UINT16 peerPort = wst->gwport;
const char *proxyUsername, *proxyPassword;
BOOL isProxyConnection =
proxy_prepare(settings, &peerHostname, &peerPort, &proxyUsername, &proxyPassword);
sockfd = freerdp_tcp_connect(wst->context, peerHostname, peerPort, timeout);
WLog_DBG(TAG, "connecting to %s %d", peerHostname, peerPort);
if (sockfd < 0)
{
return FALSE;
}
socketBio = BIO_new(BIO_s_simple_socket());
if (!socketBio)
{
closesocket((SOCKET)sockfd);
return FALSE;
}
BIO_set_fd(socketBio, sockfd, BIO_CLOSE);
bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!bufferedBio)
{
BIO_free_all(socketBio);
return FALSE;
}
bufferedBio = BIO_push(bufferedBio, socketBio);
status = BIO_set_nonblock(bufferedBio, TRUE);
if (isProxyConnection)
{
if (!proxy_connect(settings, bufferedBio, proxyUsername, proxyPassword, wst->gwhostname,
wst->gwport))
{
BIO_free_all(bufferedBio);
return FALSE;
}
}
if (!status)
{
BIO_free_all(bufferedBio);
return FALSE;
}
tls->hostname = wst->gwhostname;
tls->port = wst->gwport;
tls->isGatewayTransport = TRUE;
status = freerdp_tls_connect(tls, bufferedBio);
if (status < 1)
{
rdpContext* context = wst->context;
if (status < 0)
{
freerdp_set_last_error_if_not(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
}
else
{
freerdp_set_last_error_if_not(context, FREERDP_ERROR_CONNECT_CANCELLED);
}
return FALSE;
}
return (status >= 1);
}
static wStream* wst_build_http_request(rdpWst* wst)
{
wStream* s = NULL;
HttpRequest* request = NULL;
const char* uri;
if (!wst)
return NULL;
uri = http_context_get_uri(wst->http);
request = http_request_new();
if (!request)
return NULL;
if (!http_request_set_method(request, "GET") || !http_request_set_uri(request, uri))
goto out;
if (wst->auth_required)
{
if (!wst_set_auth_header(wst->auth, request))
goto out;
}
else if (freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer))
{
http_request_set_auth_scheme(request, "Bearer");
http_request_set_auth_param(
request, freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer));
}
s = http_request_write(wst->http, request);
out:
http_request_free(request);
if (s)
Stream_SealLength(s);
return s;
}
static BOOL wst_send_http_request(rdpWst* wst, rdpTls* tls)
{
size_t sz;
wStream* s = NULL;
int status = -1;
WINPR_ASSERT(wst);
WINPR_ASSERT(tls);
s = wst_build_http_request(wst);
if (!s)
return FALSE;
sz = Stream_Length(s);
if (sz <= INT_MAX)
status = freerdp_tls_write_all(tls, Stream_Buffer(s), (int)sz);
Stream_Free(s, TRUE);
return (status >= 0);
}
static BOOL wst_handle_ok_or_forbidden(rdpWst* wst, HttpResponse** ppresponse, DWORD timeout,
long* pStatusCode)
{
WINPR_ASSERT(wst);
WINPR_ASSERT(ppresponse);
WINPR_ASSERT(*ppresponse);
WINPR_ASSERT(pStatusCode);
/* AVD returns a 403 response with a ARRAffinity cookie set. retry with that cookie */
const char* affinity = http_response_get_setcookie(*ppresponse, "ARRAffinity");
if (affinity && freerdp_settings_get_bool(wst->settings, FreeRDP_GatewayArmTransport))
{
WLog_DBG(TAG, "Got Affinity cookie %s", affinity);
http_context_set_cookie(wst->http, "ARRAffinity", affinity);
http_response_free(*ppresponse);
*ppresponse = NULL;
/* Terminate this connection and make a new one with the Loadbalancing Cookie */
int fd = BIO_get_fd(wst->tls->bio, NULL);
if (fd >= 0)
closesocket((SOCKET)fd);
freerdp_tls_free(wst->tls);
wst->tls = freerdp_tls_new(wst->settings);
if (!wst_tls_connect(wst, wst->tls, timeout))
return FALSE;
if (freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer) &&
freerdp_settings_get_bool(wst->settings, FreeRDP_GatewayArmTransport))
{
char* urlWithAuth = NULL;
size_t urlLen = 0;
char firstParam = (strchr(wst->gwpath, '?') > 0 ? '&' : '?');
winpr_asprintf(
&urlWithAuth, &urlLen, arm_query_param, wst->gwpath, firstParam,
freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer));
if (!urlWithAuth)
return FALSE;
free(wst->gwpath);
wst->gwpath = urlWithAuth;
http_context_set_uri(wst->http, wst->gwpath);
http_context_enable_websocket_upgrade(wst->http, TRUE);
}
if (!wst_send_http_request(wst, wst->tls))
return FALSE;
*ppresponse = http_response_recv(wst->tls, TRUE);
if (!*ppresponse)
return FALSE;
*pStatusCode = http_response_get_status_code(*ppresponse);
}
return TRUE;
}
static BOOL wst_handle_denied(rdpWst* wst, HttpResponse** ppresponse, long* pStatusCode)
{
WINPR_ASSERT(wst);
WINPR_ASSERT(ppresponse);
WINPR_ASSERT(*ppresponse);
WINPR_ASSERT(pStatusCode);
if (freerdp_settings_get_string(wst->settings, FreeRDP_GatewayHttpExtAuthBearer))
return FALSE;
if (!wst_auth_init(wst, wst->tls, AUTH_PKG))
return FALSE;
if (!wst_send_http_request(wst, wst->tls))
return FALSE;
http_response_free(*ppresponse);
*ppresponse = http_response_recv(wst->tls, TRUE);
if (!*ppresponse)
return FALSE;
while (!credssp_auth_is_complete(wst->auth))
{
if (!wst_recv_auth_token(wst->auth, *ppresponse))
return FALSE;
if (credssp_auth_have_output_token(wst->auth))
{
if (!wst_send_http_request(wst, wst->tls))
return FALSE;
http_response_free(*ppresponse);
*ppresponse = http_response_recv(wst->tls, TRUE);
if (!*ppresponse)
return FALSE;
}
}
*pStatusCode = http_response_get_status_code(*ppresponse);
return TRUE;
}
BOOL wst_connect(rdpWst* wst, DWORD timeout)
{
HttpResponse* response = NULL;
long StatusCode;
WINPR_ASSERT(wst);
if (!wst_tls_connect(wst, wst->tls, timeout))
return FALSE;
if (freerdp_settings_get_bool(wst->settings, FreeRDP_GatewayArmTransport))
{
/*
* If we are directed here from a ARM Gateway first
* we need to get a Loadbalancing Cookie (ARRAffinity)
* This is done by a plain GET request on the websocket URL
*/
http_context_enable_websocket_upgrade(wst->http, FALSE);
}
if (!wst_send_http_request(wst, wst->tls))
return FALSE;
response = http_response_recv(wst->tls, TRUE);
if (!response)
{
return FALSE;
}
StatusCode = http_response_get_status_code(response);
BOOL success = TRUE;
switch (StatusCode)
{
case HTTP_STATUS_FORBIDDEN:
case HTTP_STATUS_OK:
success = wst_handle_ok_or_forbidden(wst, &response, timeout, &StatusCode);
break;
case HTTP_STATUS_DENIED:
success = wst_handle_denied(wst, &response, &StatusCode);
default:
break;
}
const BOOL isWebsocket = http_response_is_websocket(wst->http, response);
http_response_free(response);
if (!success)
return FALSE;
if (isWebsocket)
{
wst->wscontext.state = WebsocketStateOpcodeAndFin;
wst->wscontext.responseStreamBuffer = NULL;
return TRUE;
}
else
{
char buffer[64] = { 0 };
WLog_ERR(TAG, "Unexpected HTTP status: %s",
http_status_string_format(StatusCode, buffer, ARRAYSIZE(buffer)));
}
return FALSE;
}
DWORD wst_get_event_handles(rdpWst* wst, HANDLE* events, DWORD count)
{
DWORD nCount = 0;
WINPR_ASSERT(wst != NULL);
if (wst->tls)
{
if (events && (nCount < count))
{
BIO_get_event(wst->tls->bio, &events[nCount]);
nCount++;
}
else
return 0;
}
return nCount;
}
static int wst_bio_write(BIO* bio, const char* buf, int num)
{
int status;
WINPR_ASSERT(bio);
WINPR_ASSERT(buf);
rdpWst* wst = (rdpWst*)BIO_get_data(bio);
WINPR_ASSERT(wst);
BIO_clear_flags(bio, BIO_FLAGS_WRITE);
EnterCriticalSection(&wst->writeSection);
status = websocket_write(wst->tls->bio, (const BYTE*)buf, num, WebsocketBinaryOpcode);
LeaveCriticalSection(&wst->writeSection);
if (status < 0)
{
BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
return -1;
}
else if (status < num)
{
BIO_set_flags(bio, BIO_FLAGS_WRITE);
WSASetLastError(WSAEWOULDBLOCK);
}
else
{
BIO_set_flags(bio, BIO_FLAGS_WRITE);
}
return status;
}
static int wst_bio_read(BIO* bio, char* buf, int size)
{
int status = 0;
WINPR_ASSERT(bio);
WINPR_ASSERT(buf);
rdpWst* wst = (rdpWst*)BIO_get_data(bio);
WINPR_ASSERT(wst);
while (status <= 0)
{
status = websocket_read(wst->tls->bio, (BYTE*)buf, size, &wst->wscontext);
if (status <= 0)
{
if (!BIO_should_retry(wst->tls->bio))
return -1;
return 0;
}
}
if (status < 0)
{
BIO_clear_retry_flags(bio);
return -1;
}
else if (status == 0)
{
BIO_set_retry_read(bio);
WSASetLastError(WSAEWOULDBLOCK);
return -1;
}
else
{
BIO_set_flags(bio, BIO_FLAGS_READ);
}
return status;
}
static int wst_bio_puts(BIO* bio, const char* str)
{
WINPR_UNUSED(bio);
WINPR_UNUSED(str);
return -2;
}
static int wst_bio_gets(BIO* bio, char* str, int size)
{
WINPR_UNUSED(bio);
WINPR_UNUSED(str);
WINPR_UNUSED(size);
return -2;
}
static long wst_bio_ctrl(BIO* bio, int cmd, long arg1, void* arg2)
{
long status = -1;
WINPR_ASSERT(bio);
rdpWst* wst = (rdpWst*)BIO_get_data(bio);
WINPR_ASSERT(wst);
rdpTls* tls = wst->tls;
if (cmd == BIO_CTRL_FLUSH)
{
(void)BIO_flush(tls->bio);
status = 1;
}
else if (cmd == BIO_C_SET_NONBLOCK)
{
status = 1;
}
else if (cmd == BIO_C_READ_BLOCKED)
{
status = BIO_read_blocked(tls->bio);
}
else if (cmd == BIO_C_WRITE_BLOCKED)
{
status = BIO_write_blocked(tls->bio);
}
else if (cmd == BIO_C_WAIT_READ)
{
int timeout = (int)arg1;
if (BIO_read_blocked(tls->bio))
return BIO_wait_read(tls->bio, timeout);
status = 1;
}
else if (cmd == BIO_C_WAIT_WRITE)
{
int timeout = (int)arg1;
if (BIO_write_blocked(tls->bio))
status = BIO_wait_write(tls->bio, timeout);
else
status = 1;
}
else if (cmd == BIO_C_GET_EVENT || cmd == BIO_C_GET_FD)
{
status = BIO_ctrl(tls->bio, cmd, arg1, arg2);
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
else if (cmd == BIO_CTRL_GET_KTLS_SEND)
{
/* Even though BIO_get_ktls_send says that returning negative values is valid
* openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
* nasty sideeffects. return 0 as proper no KTLS offloading flag
*/
status = 0;
}
else if (cmd == BIO_CTRL_GET_KTLS_RECV)
{
/* Even though BIO_get_ktls_recv says that returning negative values is valid
* there is no reason to trust trust negative values are implemented right everywhere
*/
status = 0;
}
#endif
return status;
}
static int wst_bio_new(BIO* bio)
{
BIO_set_init(bio, 1);
BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY);
return 1;
}
static int wst_bio_free(BIO* bio)
{
WINPR_UNUSED(bio);
return 1;
}
static BIO_METHOD* BIO_s_wst(void)
{
static BIO_METHOD* bio_methods = NULL;
if (bio_methods == NULL)
{
if (!(bio_methods = BIO_meth_new(BIO_TYPE_TSG, "WSTransport")))
return NULL;
BIO_meth_set_write(bio_methods, wst_bio_write);
BIO_meth_set_read(bio_methods, wst_bio_read);
BIO_meth_set_puts(bio_methods, wst_bio_puts);
BIO_meth_set_gets(bio_methods, wst_bio_gets);
BIO_meth_set_ctrl(bio_methods, wst_bio_ctrl);
BIO_meth_set_create(bio_methods, wst_bio_new);
BIO_meth_set_destroy(bio_methods, wst_bio_free);
}
return bio_methods;
}
static BOOL wst_parse_url(rdpWst* wst, const char* url)
{
const char* hostStart;
const char* pos;
WINPR_ASSERT(wst);
WINPR_ASSERT(url);
free(wst->gwhostname);
wst->gwhostname = NULL;
free(wst->gwpath);
wst->gwpath = NULL;
if (strncmp("wss://", url, 6) != 0)
{
if (strncmp("https://", url, 8) != 0)
{
WLog_ERR(TAG, "Websocket URL is invalid. Only wss:// or https:// URLs are supported");
return FALSE;
}
else
hostStart = url + 8;
}
else
hostStart = url + 6;
pos = hostStart;
while (*pos != '\0' && *pos != ':' && *pos != '/')
pos++;
free(wst->gwhostname);
wst->gwhostname = NULL;
if (pos - hostStart == 0)
return FALSE;
wst->gwhostname = malloc(sizeof(char) * (pos - hostStart + 1));
if (!wst->gwhostname)
return FALSE;
strncpy(wst->gwhostname, hostStart, (pos - hostStart));
wst->gwhostname[pos - hostStart] = '\0';
if (*pos == ':')
{
char port[6];
char* portNumberEnd;
pos++;
const char* portStart = pos;
while (*pos != '\0' && *pos != '/')
pos++;
if (pos - portStart > 5 || pos - portStart == 0)
return FALSE;
strncpy(port, portStart, (pos - portStart));
port[pos - portStart] = '\0';
int _p = strtol(port, &portNumberEnd, 10);
if (portNumberEnd && *portNumberEnd == '\0' && _p > 0 && _p <= UINT16_MAX)
wst->gwport = _p;
else
return FALSE;
}
else
wst->gwport = 443;
wst->gwpath = _strdup(pos);
if (!wst->gwpath)
return FALSE;
return TRUE;
}
rdpWst* wst_new(rdpContext* context)
{
rdpWst* wst;
if (!context)
return NULL;
wst = (rdpWst*)calloc(1, sizeof(rdpWst));
if (wst)
{
wst->context = context;
wst->settings = wst->context->settings;
wst->gwhostname = NULL;
wst->gwport = 443;
wst->gwpath = NULL;
if (!wst_parse_url(wst, context->settings->GatewayUrl))
goto wst_alloc_error;
wst->tls = freerdp_tls_new(wst->settings);
if (!wst->tls)
goto wst_alloc_error;
wst->http = http_context_new();
if (!wst->http)
goto wst_alloc_error;
if (!http_context_set_uri(wst->http, wst->gwpath) ||
!http_context_set_accept(wst->http, "*/*") ||
!http_context_set_cache_control(wst->http, "no-cache") ||
!http_context_set_pragma(wst->http, "no-cache") ||
!http_context_set_connection(wst->http, "Keep-Alive") ||
!http_context_set_user_agent(wst->http, "FreeRDP/3.0") ||
!http_context_set_x_ms_user_agent(wst->http, "FreeRDP/3.0") ||
!http_context_set_host(wst->http, wst->gwhostname) ||
!http_context_enable_websocket_upgrade(wst->http, TRUE))
{
goto wst_alloc_error;
}
wst->frontBio = BIO_new(BIO_s_wst());
if (!wst->frontBio)
goto wst_alloc_error;
BIO_set_data(wst->frontBio, wst);
InitializeCriticalSection(&wst->writeSection);
wst->auth = credssp_auth_new(context);
if (!wst->auth)
goto wst_alloc_error;
}
return wst;
wst_alloc_error:
wst_free(wst);
return NULL;
}
void wst_free(rdpWst* wst)
{
if (!wst)
return;
freerdp_tls_free(wst->tls);
http_context_free(wst->http);
credssp_auth_free(wst->auth);
free(wst->gwhostname);
free(wst->gwpath);
if (!wst->attached)
BIO_free_all(wst->frontBio);
DeleteCriticalSection(&wst->writeSection);
if (wst->wscontext.responseStreamBuffer != NULL)
Stream_Free(wst->wscontext.responseStreamBuffer, TRUE);
free(wst);
}
BIO* wst_get_front_bio_and_take_ownership(rdpWst* wst)
{
if (!wst)
return NULL;
wst->attached = TRUE;
return wst->frontBio;
}