2 * FreeRDP: A Remote Desktop Protocol Client
5 * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
24 #include "redirection.h"
/*
 * Display names for Share Data PDU types (pduType2), indexed by the numeric
 * type code; codes without a name map to "". Used by the WITH_DEBUG_RDP
 * trace in rdp_recv_data_pdu().
 *
 * NOTE(review): the "Monitor Layout" entry has no trailing comma, so the
 * compiler concatenates it with the following "" literal. The table is one
 * element shorter than the layout suggests.
 * NOTE(review): the index used by rdp_recv_data_pdu() is a uint8 taken from
 * the received header; no visible line bounds it to the table size, so a
 * type code past the last entry reads outside this array in debug builds.
 */
26 static const char* const DATA_PDU_TYPE_STRINGS[] =
28 "", "", /* 0x00 - 0x01 */
30 "", "", "", "", "", "", "", "", /* 0x03 - 0x0A */
31 "", "", "", "", "", "", "", "", "", /* 0x0B - 0x13 */
33 "", "", "", "", "", "", /* 0x15 - 0x1A */
36 "", "", /* 0x1D - 0x1E */
37 "Synchronize", /* 0x1F */
39 "Refresh Rect", /* 0x21 */
40 "Play Sound", /* 0x22 */
41 "Suppress Output", /* 0x23 */
42 "Shutdown Request", /* 0x24 */
43 "Shutdown Denied", /* 0x25 */
44 "Save Session Info", /* 0x26 */
45 "Font List", /* 0x27 */
46 "Font Map", /* 0x28 */
47 "Set Keyboard Indicators", /* 0x29 */
49 "Bitmap Cache Persistent List", /* 0x2B */
50 "Bitmap Cache Error", /* 0x2C */
51 "Set Keyboard IME Status", /* 0x2D */
52 "Offscreen Cache Error", /* 0x2E */
53 "Set Error Info", /* 0x2F */
54 "Draw Nine Grid Error", /* 0x30 */
55 "Draw GDI+ Error", /* 0x31 */
56 "ARC Status", /* 0x32 */
57 "", "", "", /* 0x33 - 0x35 */
58 "Status Info", /* 0x36 */
59 "Monitor Layout" /* 0x37 */
60 "", "", "", /* 0x38 - 0x40 */
61 "", "", "", "", "", "" /* 0x41 - 0x46 */
/**
 * Read RDP Security Header.\n
 * Consumes four bytes: the 16-bit flags field, then the unused flagsHi.
 * NOTE(review): no remaining-length check is made here; the caller has to
 * guarantee that four bytes are available in the stream.
 * @param s stream
 * @param flags security flags
 */
void rdp_read_security_header(STREAM* s, uint16* flags)
{
	uint16 sec_flags;

	/* Basic Security Header */
	stream_read_uint16(s, sec_flags); /* flags */
	stream_seek(s, 2); /* flagsHi (unused) */

	*flags = sec_flags;
}
/**
 * Write RDP Security Header.\n
 * Emits the 16-bit flags field followed by a zeroed 16-bit flagsHi.
 * @param s stream
 * @param flags security flags
 */
void rdp_write_security_header(STREAM* s, uint16 flags)
{
	const uint16 flags_hi = 0; /* flagsHi (unused) */

	/* Basic Security Header */
	stream_write_uint16(s, flags); /* flags */
	stream_write_uint16(s, flags_hi);
}
/*
 * Parse a Share Control Header from a received stream: totalLength, pduType
 * (only the low 4 bits are kept) and, on one branch, pduSource.
 * All three values come from the peer.
 */
92 boolean rdp_read_share_control_header(STREAM* s, uint16* length, uint16* type, uint16* channel_id)
94 /* Share Control Header */
/* NOTE(review): no visible check that two bytes remain before this read. */
95 stream_read_uint16(s, *length); /* totalLength */
/*
 * NOTE(review): *length is promoted to int, so for totalLength below 2 the
 * left side is negative (or wraps, if stream_get_left() yields an unsigned
 * type -- its definition is not visible here). In neither case does the
 * comparison prove that the two pduType bytes read next are inside the
 * buffer. Suggested guard: reject `*length < 4` before subtracting; confirm
 * that minimum against the short DEACTIVATE_ALL case noted below.
 */
97 if (*length - 2 > stream_get_left(s))
100 stream_read_uint16(s, *type); /* pduType */
101 *type &= 0x0F; /* type is in the 4 least significant bits */
104 stream_read_uint16(s, *channel_id); /* pduSource */
105 else /* Windows XP can send such short DEACTIVATE_ALL PDUs. */
/**
 * Write a Share Control Header.
 * The caller passes the full packet length; the space reserved for the
 * outer packet header is subtracted to obtain totalLength.
 * @param s stream
 * @param length packet length including RDP_PACKET_HEADER_MAX_LENGTH
 * @param type PDU type, written with bit 0x10 set
 * @param channel_id value written as pduSource
 */
void rdp_write_share_control_header(STREAM* s, uint16 length, uint16 type, uint16 channel_id)
{
	/* same 16-bit wrap-around as the in-place subtraction it replaces */
	uint16 total_length = (uint16) (length - RDP_PACKET_HEADER_MAX_LENGTH);

	/* Share Control Header */
	stream_write_uint16(s, total_length); /* totalLength */
	stream_write_uint16(s, type | 0x10); /* pduType */
	stream_write_uint16(s, channel_id); /* pduSource */
}
/*
 * Parse a Share Data Header into the caller's out-parameters.
 * NOTE(review): uncompressedLength and compressedLength are peer-supplied
 * and are not compared with the remaining stream on any visible line;
 * consumers must not trust them as buffer sizes.
 */
121 boolean rdp_read_share_data_header(STREAM* s, uint16* length, uint8* type, uint32* share_id,
122 uint8 *compressed_type, uint16 *compressed_len)
/*
 * The fixed fields read below add up to 12 bytes (4 + 1 + 1 + 2 + 1 + 1 + 2),
 * so this is the bound for all of them. The branch body is not shown in this
 * listing; presumably it reports failure before any out-parameter is
 * written -- confirm.
 */
124 if (stream_get_left(s) < 12)
127 /* Share Data Header */
128 stream_read_uint32(s, *share_id); /* shareId (4 bytes) */
129 stream_seek_uint8(s); /* pad1 (1 byte) */
130 stream_seek_uint8(s); /* streamId (1 byte) */
131 stream_read_uint16(s, *length); /* uncompressedLength (2 bytes) */
132 stream_read_uint8(s, *type); /* pduType2, Data PDU Type (1 byte) */
/* The condition selecting between the reads below and the zeroing further down is not shown. */
136 stream_read_uint8(s, *compressed_type); /* compressedType (1 byte) */
137 stream_read_uint16(s, *compressed_len); /* compressedLength (2 bytes) */
142 *compressed_type = 0;
/**
 * Write a Share Data Header for an uncompressed PDU.
 * The caller passes the full packet length; the three enclosing header
 * sizes are removed to obtain uncompressedLength. compressedType and
 * compressedLength are always written as zero.
 * @param s stream
 * @param length full packet length
 * @param type Data PDU type (pduType2)
 * @param share_id share id
 */
void rdp_write_share_data_header(STREAM* s, uint16 length, uint8 type, uint32 share_id)
{
	/* one combined subtraction; truncation to 16 bits matches three successive ones */
	uint16 uncompressed_length = (uint16) (length
			- RDP_PACKET_HEADER_MAX_LENGTH
			- RDP_SHARE_CONTROL_HEADER_LENGTH
			- RDP_SHARE_DATA_HEADER_LENGTH);

	/* Share Data Header */
	stream_write_uint32(s, share_id); /* shareId (4 bytes) */
	stream_write_uint8(s, 0); /* pad1 (1 byte) */
	stream_write_uint8(s, STREAM_LOW); /* streamId (1 byte) */
	stream_write_uint16(s, uncompressed_length); /* uncompressedLength (2 bytes) */
	stream_write_uint8(s, type); /* pduType2, Data PDU Type (1 byte) */
	stream_write_uint8(s, 0); /* compressedType (1 byte) */
	stream_write_uint16(s, 0); /* compressedLength (2 bytes) */
}
/*
 * Prepare an outgoing stream for the security header.
 * The visible lines set SEC_ENCRYPT and, when rdp->do_secure_checksum is
 * set, SEC_SECURE_CHECKSUM in rdp->sec_flags. How these conditions nest and
 * how far the stream is advanced cannot be recovered from this listing.
 */
165 static int rdp_security_stream_init(rdpRdp* rdp, STREAM* s)
170 if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
172 rdp->sec_flags |= SEC_ENCRYPT;
173 if (rdp->do_secure_checksum)
174 rdp->sec_flags |= SEC_SECURE_CHECKSUM;
176 else if (rdp->sec_flags != 0)
184 * Initialize an RDP packet stream.\n
185 * @param rdp rdp module
/*
 * Obtain a send stream from the transport and position it past the space
 * reserved for the packet header and the security header.
 */
189 STREAM* rdp_send_stream_init(rdpRdp* rdp)
/* 2048 is the size requested from the transport; no visible line checks s before use. */
193 s = transport_send_stream_init(rdp->transport, 2048);
194 stream_seek(s, RDP_PACKET_HEADER_MAX_LENGTH);
/* The int result of rdp_security_stream_init() is not used. */
195 rdp_security_stream_init(rdp, s);
/*
 * Same setup as rdp_send_stream_init(), additionally skipping the space for
 * a Share Control Header so the caller can write the PDU body first.
 */
200 STREAM* rdp_pdu_init(rdpRdp* rdp)
/* 2048 is the size requested from the transport; no visible line checks s before use. */
203 s = transport_send_stream_init(rdp->transport, 2048);
204 stream_seek(s, RDP_PACKET_HEADER_MAX_LENGTH);
205 rdp_security_stream_init(rdp, s);
206 stream_seek(s, RDP_SHARE_CONTROL_HEADER_LENGTH);
/*
 * Same setup as rdp_pdu_init(), additionally skipping the space for a Share
 * Data Header.
 */
210 STREAM* rdp_data_pdu_init(rdpRdp* rdp)
/* 2048 is the size requested from the transport; no visible line checks s before use. */
213 s = transport_send_stream_init(rdp->transport, 2048);
214 stream_seek(s, RDP_PACKET_HEADER_MAX_LENGTH);
215 rdp_security_stream_init(rdp, s);
216 stream_seek(s, RDP_SHARE_CONTROL_HEADER_LENGTH);
217 stream_seek(s, RDP_SHARE_DATA_HEADER_LENGTH);
222 * Read an RDP packet header.\n
223 * @param rdp rdp module
225 * @param length RDP packet length
226 * @param channel_id channel id
/*
 * Parse the MCS header that wraps a received RDP packet and return the
 * userData length and channel id through the out-parameters.
 * Every field parsed here is supplied by the peer.
 */
229 boolean rdp_read_header(rdpRdp* rdp, STREAM* s, uint16* length, uint16* channel_id)
232 enum DomainMCSPDU MCSPDU;
/* The expected PDU kind depends on the role: server mode expects requests, client mode indications. */
234 MCSPDU = (rdp->settings->server_mode) ? DomainMCSPDU_SendDataRequest : DomainMCSPDU_SendDataIndication;
/* NOTE(review): any status returned by this call is discarded on this line. */
235 mcs_read_domain_mcspdu_header(s, &MCSPDU, length);
/*
 * NOTE(review): *length is promoted to int; for a declared length below 8
 * the left side is negative (or wraps if stream_get_left() is unsigned --
 * not visible here), so short values are not rejected by this comparison.
 * Suggested guard: test `*length < 8` first.
 */
237 if (*length - 8 > stream_get_left(s))
240 if (MCSPDU == DomainMCSPDU_DisconnectProviderUltimatum)
/* The disconnect reason is parsed and deliberately discarded. */
244 (void) per_read_enumerated(s, &reason, 0);
246 rdp->disconnect = true;
/* NOTE(review): results of the per_read_*() calls below are not checked on the visible lines. */
251 per_read_integer16(s, &initiator, MCS_BASE_CHANNEL_ID); /* initiator (UserId) */
252 per_read_integer16(s, channel_id, 0); /* channelId */
253 stream_seek(s, 1); /* dataPriority + Segmentation (0x70) */
254 per_read_length(s, length); /* userData (OCTET_STRING) */
/* Second bound: the declared userData length must fit in what is left of the stream. */
256 if (*length > stream_get_left(s))
263 * Write an RDP packet header.\n
264 * @param rdp rdp module
266 * @param length RDP packet length
267 * @param channel_id channel id
/*
 * Write the MCS Send Data header in front of an outgoing packet.
 * The stream is expected to be positioned at the start of the space that
 * was reserved for this header.
 */
270 void rdp_write_header(rdpRdp* rdp, STREAM* s, uint16 length, uint16 channel_id)
273 enum DomainMCSPDU MCSPDU;
/* Mirror of rdp_read_header(): a server sends indications, a client sends requests. */
275 MCSPDU = (rdp->settings->server_mode) ? DomainMCSPDU_SendDataIndication : DomainMCSPDU_SendDataRequest;
277 if ((rdp->sec_flags & SEC_ENCRYPT) && (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS))
/* FIPS pads the body to an 8-byte multiple; how pad is applied to length is not shown in this listing. */
281 body_length = length - RDP_PACKET_HEADER_MAX_LENGTH - 16;
282 pad = 8 - (body_length % 8);
287 mcs_write_domain_mcspdu_header(s, MCSPDU, length, 0);
288 per_write_integer16(s, rdp->mcs->user_id, MCS_BASE_CHANNEL_ID); /* initiator */
289 per_write_integer16(s, channel_id, 0); /* channelId */
290 stream_write_uint8(s, 0x70); /* dataPriority + segmentation */
292 * We always encode length in two bytes, eventhough we could use
293 * only one byte if length <= 0x7F. It is just easier that way,
294 * because we can leave room for fixed-length header, store all
295 * the data first and then store the header.
/*
 * NOTE(review): bit 0x8000 marks the two-byte form, which leaves 15 bits for
 * the value. A payload of 0x8000 bytes or more would be encoded wrongly;
 * nothing on the visible lines enforces that limit.
 */
297 length = (length - RDP_PACKET_HEADER_MAX_LENGTH) | 0x8000;
298 stream_write_uint16_be(s, length); /* userData (OCTET_STRING) */
/*
 * Write the security header for an outgoing packet and, when SEC_ENCRYPT is
 * set, sign and encrypt the payload in place.
 * Callers add the uint32 result to the packet length. The return statements
 * are not shown in this listing.
 */
301 static uint32 rdp_security_stream_out(rdpRdp* rdp, STREAM* s, int length)
307 sec_flags = rdp->sec_flags;
311 rdp_write_security_header(s, sec_flags);
313 if (sec_flags & SEC_ENCRYPT)
315 if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
/* length becomes the number of payload bytes that follow `data` (its assignment is not shown). */
319 length = length - (data - s->data);
320 stream_write_uint16(s, 0x10); /* length */
321 stream_write_uint8(s, 0x1); /* TSFIPS_VERSION 1*/
324 pad = 8 - (length % 8);
/*
 * NOTE(review): this zero-fills `pad` bytes past the end of the payload.
 * Whether the stream has that much spare capacity is not established on any
 * visible line; it depends on the allocation made by the *_init() helpers.
 */
329 memset(data+length, 0, pad);
331 stream_write_uint8(s, pad);
/* The signature covers the unpadded plaintext and is computed before encryption. */
333 security_hmac_signature(data, length, s->p, rdp);
335 security_fips_encrypt(data, length + pad, rdp);
/* Non-FIPS path: same order, MAC over the plaintext first, then encrypt. */
340 length = length - (data - s->data);
341 if (sec_flags & SEC_SECURE_CHECKSUM)
342 security_salted_mac_signature(rdp, data, length, true, s->p);
344 security_mac_signature(rdp, data, length, s->p);
346 security_encrypt(s->p, length, rdp);
/*
 * Return the number of bytes the security header occupies for the current
 * rdp->sec_flags and encryption method. The send functions use the result
 * as a seek offset. The values themselves are not shown in this listing.
 */
356 static uint32 rdp_get_sec_bytes(rdpRdp* rdp)
360 if (rdp->sec_flags & SEC_ENCRYPT)
364 if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
367 else if (rdp->sec_flags != 0)
380 * Send an RDP packet.\n
381 * @param rdp RDP module
383 * @param channel_id channel id
/*
 * Finish and transmit a packet whose body was already written into s:
 * rewind, write the header, skip the security area, apply security, send.
 */
386 boolean rdp_send(rdpRdp* rdp, STREAM* s, uint16 channel_id)
/* The body was written first; its end position is the total length. */
392 length = stream_get_length(s);
393 stream_set_pos(s, 0);
395 rdp_write_header(rdp, s, length, channel_id);
397 sec_bytes = rdp_get_sec_bytes(rdp);
399 stream_seek(s, sec_bytes);
/* Security processing may grow the packet; its result is added to length. */
402 length += rdp_security_stream_out(rdp, s, length);
404 stream_set_pos(s, length);
/* A negative transport_write() result is the only failure signal tested here. */
405 if (transport_write(rdp->transport, s) < 0)
/*
 * Like rdp_send(), but also writes a Share Control Header of the given type.
 * The packet always goes out on MCS_GLOBAL_CHANNEL_ID; the channel_id
 * argument is written as pduSource in the Share Control Header.
 */
411 boolean rdp_send_pdu(rdpRdp* rdp, STREAM* s, uint16 type, uint16 channel_id)
417 length = stream_get_length(s);
418 stream_set_pos(s, 0);
420 rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID);
422 sec_bytes = rdp_get_sec_bytes(rdp);
424 stream_seek(s, sec_bytes);
/* The security header is not part of the share-control totalLength. */
426 rdp_write_share_control_header(s, length - sec_bytes, type, channel_id);
429 length += rdp_security_stream_out(rdp, s, length);
431 stream_set_pos(s, length);
432 if (transport_write(rdp->transport, s) < 0)
/*
 * Like rdp_send_pdu() with PDU_TYPE_DATA, additionally writing a Share Data
 * Header that carries the data PDU type and the session's share id.
 */
438 boolean rdp_send_data_pdu(rdpRdp* rdp, STREAM* s, uint8 type, uint16 channel_id)
444 length = stream_get_length(s);
445 stream_set_pos(s, 0);
447 rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID);
449 sec_bytes = rdp_get_sec_bytes(rdp);
451 stream_seek(s, sec_bytes);
/* Both header writers subtract their own enclosing header sizes from the length passed in. */
453 rdp_write_share_control_header(s, length - sec_bytes, PDU_TYPE_DATA, channel_id);
454 rdp_write_share_data_header(s, length - sec_bytes, type, rdp->settings->share_id);
457 length += rdp_security_stream_out(rdp, s, length);
459 stream_set_pos(s, length);
460 if (transport_write(rdp->transport, s) < 0)
/**
 * Handle a Set Error Info data PDU: store the 32-bit errorInfo code from the
 * stream in rdp->errorInfo and print it unless it is ERRINFO_SUCCESS.
 * NOTE(review): the four bytes are read without a remaining-length check in
 * this function; the caller has to guarantee they are present.
 * @param rdp RDP module
 * @param s stream
 */
void rdp_recv_set_error_info_data_pdu(rdpRdp* rdp, STREAM* s)
{
	stream_read_uint32(s, rdp->errorInfo); /* errorInfo (4 bytes) */

	/* nothing to report on success */
	if (rdp->errorInfo == ERRINFO_SUCCESS)
		return;

	rdp_print_errinfo(rdp->errorInfo);
}
/*
 * Dispatch a received Share Data PDU to its handler according to pduType2.
 * Several case labels have no handler call on the visible lines.
 */
474 void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
479 uint8 compressed_type;
480 uint16 compressed_len;
/*
 * NOTE(review): the boolean result is discarded. If the header parser
 * rejects a short stream (its 12-byte check), `type` and the other
 * out-parameters presumably keep whatever they held before the call, and
 * the dispatch below would act on that value. Check the result and stop.
 */
482 rdp_read_share_data_header(s, &length, &type, &share_id, &compressed_type, &compressed_len);
484 #ifdef WITH_DEBUG_RDP
485 if (type != DATA_PDU_TYPE_UPDATE)
/*
 * NOTE(review): `type` is an 8-bit value from the wire and the name table is
 * shorter than 256 entries, so this lookup needs a bounds check against the
 * table's element count before indexing.
 */
486 printf("recv %s Data PDU (0x%02X), length:%d\n", DATA_PDU_TYPE_STRINGS[type], type, length);
491 case DATA_PDU_TYPE_UPDATE:
492 update_recv(rdp->update, s);
495 case DATA_PDU_TYPE_CONTROL:
496 rdp_recv_server_control_pdu(rdp, s);
499 case DATA_PDU_TYPE_POINTER:
500 update_recv_pointer(rdp->update, s);
503 case DATA_PDU_TYPE_INPUT:
506 case DATA_PDU_TYPE_SYNCHRONIZE:
507 rdp_recv_synchronize_pdu(rdp, s);
510 case DATA_PDU_TYPE_REFRESH_RECT:
513 case DATA_PDU_TYPE_PLAY_SOUND:
514 update_recv_play_sound(rdp->update, s);
517 case DATA_PDU_TYPE_SUPPRESS_OUTPUT:
520 case DATA_PDU_TYPE_SHUTDOWN_REQUEST:
523 case DATA_PDU_TYPE_SHUTDOWN_DENIED:
526 case DATA_PDU_TYPE_SAVE_SESSION_INFO:
527 rdp_recv_save_session_info(rdp, s);
530 case DATA_PDU_TYPE_FONT_LIST:
533 case DATA_PDU_TYPE_FONT_MAP:
534 rdp_recv_font_map_pdu(rdp, s);
537 case DATA_PDU_TYPE_SET_KEYBOARD_INDICATORS:
540 case DATA_PDU_TYPE_BITMAP_CACHE_PERSISTENT_LIST:
543 case DATA_PDU_TYPE_BITMAP_CACHE_ERROR:
546 case DATA_PDU_TYPE_SET_KEYBOARD_IME_STATUS:
549 case DATA_PDU_TYPE_OFFSCREEN_CACHE_ERROR:
552 case DATA_PDU_TYPE_SET_ERROR_INFO:
553 rdp_recv_set_error_info_data_pdu(rdp, s);
556 case DATA_PDU_TYPE_DRAW_NINEGRID_ERROR:
559 case DATA_PDU_TYPE_DRAW_GDIPLUS_ERROR:
562 case DATA_PDU_TYPE_ARC_STATUS:
565 case DATA_PDU_TYPE_STATUS_INFO:
568 case DATA_PDU_TYPE_MONITOR_LAYOUT:
/*
 * Handle a PDU that arrives outside the expected connection sequence: data
 * PDUs and server redirection packets are passed to their handlers.
 */
576 boolean rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, STREAM* s)
/*
 * NOTE(review): the boolean result is discarded, so a header the parser
 * rejected still drives the type comparison below.
 */
582 rdp_read_share_control_header(s, &length, &type, &channelId);
584 if (type == PDU_TYPE_DATA)
586 rdp_recv_data_pdu(rdp, s);
589 else if (type == PDU_TYPE_SERVER_REDIRECTION)
591 rdp_recv_enhanced_security_redirection_packet(rdp, s);
601 * Decrypt an RDP packet.\n
602 * @param rdp RDP module
/*
 * Decrypt a received packet in place and verify its signature.
 * The FIPS path fails hard on a decrypt or signature error. The standard
 * path only prints a warning when the MAC does not match.
 * `length` is derived by the callers from peer-supplied header fields.
 */
607 boolean rdp_decrypt(rdpRdp* rdp, STREAM* s, int length, uint16 securityFlags)
/* cmac: MAC computed locally; wmac: MAC received on the wire. */
609 uint8 cmac[8], wmac[8];
611 if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
/*
 * NOTE(review): len and version are read but no visible line compares them
 * with the expected 0x10 / 0x1. `pad` is peer-controlled.
 */
617 stream_read_uint16(s, len); /* 0x10 */
618 stream_read_uint8(s, version); /* 0x1 */
619 stream_read_uint8(s, pad);
622 stream_seek(s, 8); /* signature */
626 if (!security_fips_decrypt(s->p, length, rdp))
628 printf("FATAL: cannot decrypt\n");
629 return false; /* TODO */
/*
 * NOTE(review): no visible check that pad <= length before the subtraction;
 * a larger pad makes the length passed to the signature check negative.
 */
632 if (!security_fips_check_signature(s->p, length - pad, sig, rdp))
634 printf("FATAL: invalid packet signature\n");
635 return false; /* TODO */
638 /* is this what needs adjusting? */
/*
 * Standard RDP security path.
 * NOTE(review): no visible check that length >= sizeof(wmac) before the MAC
 * is read and subtracted; a shorter packet leaves a negative length for
 * security_decrypt() and the MAC routines.
 */
643 stream_read(s, wmac, sizeof(wmac));
644 length -= sizeof(wmac);
645 security_decrypt(s->p, length, rdp);
646 if (securityFlags & SEC_SECURE_CHECKSUM)
647 security_salted_mac_signature(rdp, s->p, length, false, cmac);
649 security_mac_signature(rdp, s->p, length, cmac);
/*
 * NOTE(review): a mismatch is reported but, per the rationale below, not
 * treated as fatal, so a modified packet is still handed to the parsers.
 * memcmp() is also not a constant-time comparison.
 */
650 if (memcmp(wmac, cmac, sizeof(wmac)) != 0)
652 printf("WARNING: invalid packet signature\n");
654 * Because Standard RDP Security is totally broken,
655 * and cannot protect against MITM, don't treat signature
656 * verification failure as critical. This at least enables
657 * us to work with broken RDP clients and servers that
658 * generate invalid signatures.
666 * Process an RDP packet.\n
667 * @param rdp RDP module
/*
 * Process one received slow-path (TPKT-framed) packet: parse the header,
 * decrypt when flagged, then route to redirection handling, a virtual
 * channel, or the share-control PDU dispatcher.
 */
671 static boolean rdp_recv_tpkt_pdu(rdpRdp* rdp, STREAM* s)
678 uint16 securityFlags;
680 if (!rdp_read_header(rdp, s, &length, &channelId))
682 printf("Incorrect RDP header.\n");
686 if (rdp->settings->encryption)
/*
 * NOTE(review): the security header takes 4 bytes. No visible line checks
 * that length >= 4 before it is read, nor before `length - 4` is passed to
 * rdp_decrypt() below.
 */
688 rdp_read_security_header(s, &securityFlags);
689 if (securityFlags & (SEC_ENCRYPT|SEC_REDIRECTION_PKT))
691 if (!rdp_decrypt(rdp, s, length - 4, securityFlags))
693 printf("rdp_decrypt failed\n");
697 if (securityFlags & SEC_REDIRECTION_PKT)
700 * [MS-RDPBCGR] 2.2.13.2.1
701 * - no share control header, nor the 2 byte pad
704 rdp_recv_enhanced_security_redirection_packet(rdp, s);
/* Anything not on the global channel is virtual-channel data. */
709 if (channelId != MCS_GLOBAL_CHANNEL_ID)
711 freerdp_channel_process(rdp->instance, s, channelId);
/*
 * NOTE(review): the boolean result is discarded. pduSource is stored into
 * the settings and pduType is dispatched on even when the parser rejected
 * the header.
 */
715 rdp_read_share_control_header(s, &pduLength, &pduType, &pduSource);
717 rdp->settings->pdu_source = pduSource;
722 rdp_recv_data_pdu(rdp, s);
725 case PDU_TYPE_DEACTIVATE_ALL:
726 if (!rdp_recv_deactivate_all(rdp, s))
730 case PDU_TYPE_SERVER_REDIRECTION:
731 rdp_recv_enhanced_security_redirection_packet(rdp, s);
735 printf("incorrect PDU type: 0x%04X\n", pduType);
/*
 * Process one received fast-path packet: read the header, decrypt when
 * flagged, then hand the updates to the fast-path parser.
 */
743 static boolean rdp_recv_fastpath_pdu(rdpRdp* rdp, STREAM* s)
746 rdpFastPath* fastpath;
748 fastpath = rdp->fastpath;
749 length = fastpath_read_header_rdp(fastpath, s);
/* The declared length must be non-zero and fit in the remaining stream. */
751 if (length == 0 || length > stream_get_left(s))
753 printf("incorrect FastPath PDU header length %d\n", length);
757 if (fastpath->encryptionFlags & FASTPATH_OUTPUT_ENCRYPTED)
/*
 * NOTE(review): rdp_decrypt()'s result is discarded here, unlike in
 * rdp_recv_tpkt_pdu(). A FIPS decrypt or signature failure therefore does
 * not stop the updates from being parsed. Suggested fix: return false when
 * the call fails.
 */
759 rdp_decrypt(rdp, s, length, (fastpath->encryptionFlags & FASTPATH_OUTPUT_SECURE_CHECKSUM) ? SEC_SECURE_CHECKSUM : 0);
762 return fastpath_recv_updates(rdp->fastpath, s);
/**
 * Route a received packet by framing: packets that pass
 * tpkt_verify_header() take the slow path, everything else is treated as
 * fast-path.
 * @param rdp RDP module
 * @param s stream
 * @return result of the selected receive routine
 */
static boolean rdp_recv_pdu(rdpRdp* rdp, STREAM* s)
{
	return tpkt_verify_header(s) ? rdp_recv_tpkt_pdu(rdp, s) : rdp_recv_fastpath_pdu(rdp, s);
}
774 * Receive an RDP packet.\n
775 * @param rdp RDP module
/*
 * Read one packet from the transport and process it.
 * NOTE(review): the results of transport_read() and rdp_recv_pdu() are not
 * used on the visible lines, so a failed or short read is still passed to
 * the parser and parse failures are not reported to the caller.
 */
778 void rdp_recv(rdpRdp* rdp)
/* 4096 is the size requested for the receive stream. */
782 s = transport_recv_stream_init(rdp->transport, 4096);
783 transport_read(rdp->transport, s);
785 rdp_recv_pdu(rdp, s);
/*
 * Transport receive callback: feed the incoming stream to the handler that
 * matches the current connection state. The rdpRdp instance arrives through
 * `extra`; rdp_set_blocking_mode() registers it as recv_extra.
 */
788 static boolean rdp_recv_callback(rdpTransport* transport, STREAM* s, void* extra)
790 rdpRdp* rdp = (rdpRdp*) extra;
/* Connection-sequence states: each handler's failure is tested; the branch bodies are not shown. */
794 case CONNECTION_STATE_NEGO:
795 if (!rdp_client_connect_mcs_connect_response(rdp, s))
799 case CONNECTION_STATE_MCS_ATTACH_USER:
800 if (!rdp_client_connect_mcs_attach_user_confirm(rdp, s))
804 case CONNECTION_STATE_MCS_CHANNEL_JOIN:
805 if (!rdp_client_connect_mcs_channel_join_confirm(rdp, s))
809 case CONNECTION_STATE_LICENSE:
810 if (!rdp_client_connect_license(rdp, s))
814 case CONNECTION_STATE_CAPABILITY:
815 if (!rdp_client_connect_demand_active(rdp, s))
817 printf("rdp_client_connect_demand_active failed\n");
822 case CONNECTION_STATE_FINALIZATION:
823 if (!rdp_recv_pdu(rdp, s))
/* The session becomes active once the server-to-client finalization PDUs are complete. */
825 if (rdp->finalize_sc_pdus == FINALIZE_SC_COMPLETE)
826 rdp->state = CONNECTION_STATE_ACTIVE;
829 case CONNECTION_STATE_ACTIVE:
830 if (!rdp_recv_pdu(rdp, s))
835 printf("Invalid state %d\n", rdp->state);
/**
 * Send data on a virtual channel by forwarding to freerdp_channel_send().
 * @param rdp RDP module
 * @param channel_id channel id
 * @param data buffer to send
 * @param size number of bytes in data
 * @return the value returned by freerdp_channel_send()
 */
int rdp_send_channel_data(rdpRdp* rdp, int channel_id, uint8* data, int size)
{
	int status;

	status = freerdp_channel_send(rdp, channel_id, data, size);

	return status;
}
/**
 * Set non-blocking mode information.
 * Also registers rdp_recv_callback, with the RDP module as its context, as
 * the transport's receive callback.
 * @param rdp RDP module
 * @param blocking blocking mode
 */
void rdp_set_blocking_mode(rdpRdp* rdp, boolean blocking)
{
	rdpTransport* transport = rdp->transport;

	/* context first, then the callback that receives it */
	transport->recv_extra = rdp;
	transport->recv_callback = rdp_recv_callback;

	transport_set_blocking_mode(transport, blocking);
}
/**
 * Poll the transport's descriptors by forwarding to transport_check_fds().
 * @param rdp RDP module
 * @return the value returned by transport_check_fds()
 */
int rdp_check_fds(rdpRdp* rdp)
{
	int status;

	status = transport_check_fds(rdp->transport);

	return status;
}
865 * Instantiate new RDP module.
866 * @return new RDP module
/*
 * Allocate an RDP module and create its sub-modules (settings, transport,
 * license, input, update, fastpath, nego, mcs, redirection, mppc).
 * NOTE(review): none of the *_new() results is checked on the visible lines.
 * A failed sub-module allocation would leave a NULL member that later code
 * dereferences, e.g. rdp->transport passed to nego_new() and mcs_new().
 */
869 rdpRdp* rdp_new(freerdp* instance)
/* Zero-initialised allocation; any NULL handling is not shown in this listing. */
873 rdp = (rdpRdp*) xzalloc(sizeof(rdpRdp));
877 rdp->instance = instance;
878 rdp->settings = settings_new((void*) instance);
/* instance may be NULL; the settings are shared with it only when present. */
879 if (instance != NULL)
880 instance->settings = rdp->settings;
881 rdp->extension = extension_new(instance);
/* The transport must exist before nego and mcs, which are built on top of it. */
882 rdp->transport = transport_new(rdp->settings);
883 rdp->license = license_new(rdp);
884 rdp->input = input_new(rdp);
885 rdp->update = update_new(rdp);
886 rdp->fastpath = fastpath_new(rdp);
887 rdp->nego = nego_new(rdp->transport);
888 rdp->mcs = mcs_new(rdp->transport);
889 rdp->redirection = redirection_new();
890 rdp->mppc = mppc_new(rdp);
898 * @param rdp RDP module to be freed
901 void rdp_free(rdpRdp* rdp)
905 extension_free(rdp->extension);
906 settings_free(rdp->settings);
907 transport_free(rdp->transport);
908 license_free(rdp->license);
909 input_free(rdp->input);
910 update_free(rdp->update);
911 fastpath_free(rdp->fastpath);
912 nego_free(rdp->nego);
914 redirection_free(rdp->redirection);