2 * FreeRDP: A Remote Desktop Protocol Client
3 * RDP Protocol Security Negotiation
5 * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
23 #include <freerdp/constants.h>
24 #include <freerdp/utils/memory.h>
30 #include "transport.h"
32 static const char* const NEGO_STATE_STRINGS[] =
42 static const char PROTOCOL_SECURITY_STRINGS[3][4] =
49 boolean nego_security_connect(rdpNego* nego);
52 * Negotiate protocol security and connect.
57 boolean nego_connect(rdpNego* nego)
59 if (nego->state == NEGO_STATE_INITIAL)
61 if (nego->enabled_protocols[PROTOCOL_NLA] > 0)
62 nego->state = NEGO_STATE_NLA;
63 else if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
64 nego->state = NEGO_STATE_TLS;
65 else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
66 nego->state = NEGO_STATE_RDP;
69 DEBUG_NEGO("No security protocol is enabled");
70 nego->state = NEGO_STATE_FAIL;
73 if (!nego->security_layer_negotiation_enabled)
75 DEBUG_NEGO("Security Layer Negotiation is disabled");
76 nego->enabled_protocols[PROTOCOL_NLA] = 0;
77 nego->enabled_protocols[PROTOCOL_TLS] = 0;
78 nego->enabled_protocols[PROTOCOL_RDP] = 0;
79 if(nego->state == NEGO_STATE_NLA)
80 nego->enabled_protocols[PROTOCOL_NLA] = 1;
81 else if (nego->state == NEGO_STATE_TLS)
82 nego->enabled_protocols[PROTOCOL_TLS] = 1;
83 else if (nego->state == NEGO_STATE_RDP)
84 nego->enabled_protocols[PROTOCOL_RDP] = 1;
87 if(!nego_send_preconnection_pdu(nego))
89 DEBUG_NEGO("Failed to send preconnection information");
90 nego->state = NEGO_STATE_FINAL;
97 DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
101 if (nego->state == NEGO_STATE_FAIL)
103 DEBUG_NEGO("Protocol Security Negotiation Failure");
104 nego->state = NEGO_STATE_FINAL;
108 while (nego->state != NEGO_STATE_FINAL);
110 DEBUG_NEGO("Negotiated %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
112 /* update settings with negotiated protocol security */
113 nego->transport->settings->requested_protocols = nego->requested_protocols;
114 nego->transport->settings->selected_protocol = nego->selected_protocol;
115 nego->transport->settings->negotiationFlags = nego->flags;
117 if(nego->selected_protocol == PROTOCOL_RDP)
119 nego->transport->settings->encryption = true;
120 nego->transport->settings->encryption_method = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
121 nego->transport->settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
124 /* finally connect security layer (if not already done) */
125 if(!nego_security_connect(nego))
127 DEBUG_NEGO("Failed to connect with %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
134 /* connect to selected security layer */
135 boolean nego_security_connect(rdpNego* nego)
137 if(!nego->tcp_connected)
139 nego->security_connected = false;
141 else if (!nego->security_connected)
143 if (nego->enabled_protocols[PROTOCOL_NLA] > 0)
144 nego->security_connected = transport_connect_nla(nego->transport);
145 else if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
146 nego->security_connected = transport_connect_tls(nego->transport);
147 else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
148 nego->security_connected = transport_connect_rdp(nego->transport);
150 return nego->security_connected;
159 boolean nego_tcp_connect(rdpNego* nego)
161 if (!nego->tcp_connected)
162 nego->tcp_connected = transport_connect(nego->transport, nego->hostname, nego->port);
163 return nego->tcp_connected;
167 * Connect TCP layer. For direct approach, connect security layer as well.
172 boolean nego_transport_connect(rdpNego* nego)
174 nego_tcp_connect(nego);
176 if (nego->tcp_connected && !nego->security_layer_negotiation_enabled)
177 return nego_security_connect(nego);
179 return nego->tcp_connected;
183 * Disconnect TCP layer.
188 int nego_transport_disconnect(rdpNego* nego)
190 if (nego->tcp_connected)
191 transport_disconnect(nego->transport);
193 nego->tcp_connected = 0;
194 nego->security_connected = 0;
199 * Send preconnection information if enabled.
204 boolean nego_send_preconnection_pdu(rdpNego* nego)
209 size_t cchPCB_times2 = 0;
212 if(!nego->send_preconnection_pdu)
215 DEBUG_NEGO("Sending preconnection PDU");
216 if(!nego_tcp_connect(nego))
219 /* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
220 cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
221 if(nego->preconnection_blob) {
222 uniconv = freerdp_uniconv_new();
223 wszPCB = freerdp_uniconv_out(uniconv, nego->preconnection_blob, &cchPCB_times2);
224 freerdp_uniconv_free(uniconv);
225 cchPCB_times2 += 2; /* zero-termination */
226 cbSize += cchPCB_times2;
229 s = transport_send_stream_init(nego->transport, cbSize);
230 stream_write_uint32(s, cbSize); /* cbSize */
231 stream_write_uint32(s, 0); /* Flags */
232 stream_write_uint32(s, PRECONNECTION_PDU_V2); /* Version */
233 stream_write_uint32(s, nego->preconnection_id); /* Id */
234 stream_write_uint16(s, cchPCB_times2 / 2); /* cchPCB */
237 stream_write(s, wszPCB, cchPCB_times2); /* wszPCB */
241 if (transport_write(nego->transport, s) < 0)
248 * Attempt negotiating NLA + TLS security.
252 void nego_attempt_nla(rdpNego* nego)
254 nego->requested_protocols = PROTOCOL_NLA | PROTOCOL_TLS;
256 DEBUG_NEGO("Attempting NLA security");
258 if (!nego_transport_connect(nego))
260 nego->state = NEGO_STATE_FAIL;
264 if (!nego_send_negotiation_request(nego))
266 nego->state = NEGO_STATE_FAIL;
270 if (!nego_recv_response(nego))
272 nego->state = NEGO_STATE_FAIL;
276 if (nego->state != NEGO_STATE_FINAL)
278 nego_transport_disconnect(nego);
280 if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
281 nego->state = NEGO_STATE_TLS;
282 else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
283 nego->state = NEGO_STATE_RDP;
285 nego->state = NEGO_STATE_FAIL;
290 * Attempt negotiating TLS security.
294 void nego_attempt_tls(rdpNego* nego)
296 nego->requested_protocols = PROTOCOL_TLS;
298 DEBUG_NEGO("Attempting TLS security");
300 if (!nego_transport_connect(nego))
302 nego->state = NEGO_STATE_FAIL;
306 if (!nego_send_negotiation_request(nego))
308 nego->state = NEGO_STATE_FAIL;
312 if (!nego_recv_response(nego))
314 nego->state = NEGO_STATE_FAIL;
318 if (nego->state != NEGO_STATE_FINAL)
320 nego_transport_disconnect(nego);
322 if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
323 nego->state = NEGO_STATE_RDP;
325 nego->state = NEGO_STATE_FAIL;
330 * Attempt negotiating standard RDP security.
334 void nego_attempt_rdp(rdpNego* nego)
336 nego->requested_protocols = PROTOCOL_RDP;
338 DEBUG_NEGO("Attempting RDP security");
340 if (!nego_transport_connect(nego))
342 nego->state = NEGO_STATE_FAIL;
346 if (!nego_send_negotiation_request(nego))
348 nego->state = NEGO_STATE_FAIL;
352 if (!nego_recv_response(nego))
354 nego->state = NEGO_STATE_FAIL;
360 * Wait to receive a negotiation response
364 boolean nego_recv_response(rdpNego* nego)
366 STREAM* s = transport_recv_stream_init(nego->transport, 1024);
367 if (transport_read(nego->transport, s) < 0)
369 return nego_recv(nego->transport, s, nego);
373 * Receive protocol security negotiation message.\n
375 * @param transport transport
377 * @param extra nego pointer
380 boolean nego_recv(rdpTransport* transport, STREAM* s, void* extra)
384 rdpNego* nego = (rdpNego*) extra;
386 if (tpkt_read_header(s) == 0)
389 li = tpdu_read_connection_confirm(s);
393 /* rdpNegData (optional) */
395 stream_read_uint8(s, type); /* Type */
399 case TYPE_RDP_NEG_RSP:
400 nego_process_negotiation_response(nego, s);
403 case TYPE_RDP_NEG_FAILURE:
404 nego_process_negotiation_failure(nego, s);
410 nego->state = NEGO_STATE_FINAL;
417 * Read protocol security negotiation request message.\n
422 boolean nego_read_request(rdpNego* nego, STREAM* s)
429 li = tpdu_read_connection_request(s);
430 if (li != stream_get_left(s) + 6)
432 printf("Incorrect TPDU length indicator.\n");
436 if (stream_get_left(s) > 8)
438 /* Optional routingToken or cookie, ending with CR+LF */
439 while (stream_get_left(s) > 0)
441 stream_read_uint8(s, c);
444 stream_peek_uint8(s, c);
448 stream_seek_uint8(s);
453 if (stream_get_left(s) >= 8)
455 /* rdpNegData (optional) */
457 stream_read_uint8(s, type); /* Type */
458 if (type != TYPE_RDP_NEG_REQ)
460 printf("Incorrect negotiation request type %d\n", type);
464 nego_process_negotiation_request(nego, s);
471 * Send protocol security negotiation message.
475 void nego_send(rdpNego* nego)
477 if (nego->state == NEGO_STATE_NLA)
478 nego_attempt_nla(nego);
479 else if (nego->state == NEGO_STATE_TLS)
480 nego_attempt_tls(nego);
481 else if (nego->state == NEGO_STATE_RDP)
482 nego_attempt_rdp(nego);
484 DEBUG_NEGO("invalid negotiation state for sending");
488 * Send RDP Negotiation Request (RDP_NEG_REQ).\n
494 boolean nego_send_negotiation_request(rdpNego* nego)
500 s = transport_send_stream_init(nego->transport, 256);
501 length = TPDU_CONNECTION_REQUEST_LENGTH;
502 stream_get_mark(s, bm);
503 stream_seek(s, length);
505 if (nego->routing_token != NULL)
507 stream_write(s, nego->routing_token->data, nego->routing_token->length);
508 length += nego->routing_token->length;
510 else if (nego->cookie != NULL)
512 int cookie_length = strlen(nego->cookie);
513 stream_write(s, "Cookie: mstshash=", 17);
514 stream_write(s, (uint8*)nego->cookie, cookie_length);
515 stream_write_uint8(s, 0x0D); /* CR */
516 stream_write_uint8(s, 0x0A); /* LF */
517 length += cookie_length + 19;
520 if (nego->requested_protocols > PROTOCOL_RDP)
522 /* RDP_NEG_DATA must be present for TLS and NLA */
523 stream_write_uint8(s, TYPE_RDP_NEG_REQ);
524 stream_write_uint8(s, 0); /* flags, must be set to zero */
525 stream_write_uint16(s, 8); /* RDP_NEG_DATA length (8) */
526 stream_write_uint32(s, nego->requested_protocols); /* requestedProtocols */
530 stream_get_mark(s, em);
531 stream_set_mark(s, bm);
532 tpkt_write_header(s, length);
533 tpdu_write_connection_request(s, length - 5);
534 stream_set_mark(s, em);
536 if (transport_write(nego->transport, s) < 0)
543 * Process Negotiation Request from Connection Request message.
548 void nego_process_negotiation_request(rdpNego* nego, STREAM* s)
553 DEBUG_NEGO("RDP_NEG_REQ");
555 stream_read_uint8(s, flags);
556 stream_read_uint16(s, length);
557 stream_read_uint32(s, nego->requested_protocols);
559 nego->state = NEGO_STATE_FINAL;
563 * Process Negotiation Response from Connection Confirm message.
568 void nego_process_negotiation_response(rdpNego* nego, STREAM* s)
572 DEBUG_NEGO("RDP_NEG_RSP");
574 stream_read_uint8(s, nego->flags);
575 stream_read_uint16(s, length);
576 stream_read_uint32(s, nego->selected_protocol);
578 nego->state = NEGO_STATE_FINAL;
582 * Process Negotiation Failure from Connection Confirm message.
587 void nego_process_negotiation_failure(rdpNego* nego, STREAM* s)
593 DEBUG_NEGO("RDP_NEG_FAILURE");
595 stream_read_uint8(s, flags);
596 stream_read_uint16(s, length);
597 stream_read_uint32(s, failureCode);
601 case SSL_REQUIRED_BY_SERVER:
602 DEBUG_NEGO("Error: SSL_REQUIRED_BY_SERVER");
604 case SSL_NOT_ALLOWED_BY_SERVER:
605 DEBUG_NEGO("Error: SSL_NOT_ALLOWED_BY_SERVER");
607 case SSL_CERT_NOT_ON_SERVER:
608 DEBUG_NEGO("Error: SSL_CERT_NOT_ON_SERVER");
610 case INCONSISTENT_FLAGS:
611 DEBUG_NEGO("Error: INCONSISTENT_FLAGS");
613 case HYBRID_REQUIRED_BY_SERVER:
614 DEBUG_NEGO("Error: HYBRID_REQUIRED_BY_SERVER");
617 DEBUG_NEGO("Error: Unknown protocol security error %d", failureCode);
621 nego->state = NEGO_STATE_FAIL;
625 * Send RDP Negotiation Response (RDP_NEG_RSP).\n
629 boolean nego_send_negotiation_response(rdpNego* nego)
632 rdpSettings* settings;
638 settings = nego->transport->settings;
640 s = transport_send_stream_init(nego->transport, 256);
641 length = TPDU_CONNECTION_CONFIRM_LENGTH;
642 stream_get_mark(s, bm);
643 stream_seek(s, length);
645 if (nego->selected_protocol > PROTOCOL_RDP)
647 /* RDP_NEG_DATA must be present for TLS and NLA */
648 stream_write_uint8(s, TYPE_RDP_NEG_RSP);
649 stream_write_uint8(s, EXTENDED_CLIENT_DATA_SUPPORTED); /* flags */
650 stream_write_uint16(s, 8); /* RDP_NEG_DATA length (8) */
651 stream_write_uint32(s, nego->selected_protocol); /* selectedProtocol */
654 else if (!settings->rdp_security)
656 stream_write_uint8(s, TYPE_RDP_NEG_FAILURE);
657 stream_write_uint8(s, 0); /* flags */
658 stream_write_uint16(s, 8); /* RDP_NEG_DATA length (8) */
660 * TODO: Check for other possibilities,
661 * like SSL_NOT_ALLOWED_BY_SERVER.
663 printf("nego_send_negotiation_response: client supports only Standard RDP Security\n");
664 stream_write_uint32(s, SSL_REQUIRED_BY_SERVER);
669 stream_get_mark(s, em);
670 stream_set_mark(s, bm);
671 tpkt_write_header(s, length);
672 tpdu_write_connection_confirm(s, length - 5);
673 stream_set_mark(s, em);
675 if (transport_write(nego->transport, s) < 0)
680 /* update settings with negotiated protocol security */
681 settings->requested_protocols = nego->requested_protocols;
682 settings->selected_protocol = nego->selected_protocol;
684 if (settings->selected_protocol == PROTOCOL_RDP)
686 settings->tls_security = false;
687 settings->nla_security = false;
688 settings->rdp_security = true;
689 settings->encryption = true;
690 settings->encryption_method = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
691 settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
693 else if (settings->selected_protocol == PROTOCOL_TLS)
695 settings->tls_security = true;
696 settings->nla_security = false;
697 settings->rdp_security = false;
698 settings->encryption = false;
699 settings->encryption_method = ENCRYPTION_METHOD_NONE;
700 settings->encryption_level = ENCRYPTION_LEVEL_NONE;
702 else if (settings->selected_protocol == PROTOCOL_NLA)
704 settings->tls_security = true;
705 settings->nla_security = true;
706 settings->rdp_security = false;
707 settings->encryption = false;
708 settings->encryption_method = ENCRYPTION_METHOD_NONE;
709 settings->encryption_level = ENCRYPTION_LEVEL_NONE;
717 * Initialize NEGO state machine.
721 void nego_init(rdpNego* nego)
723 nego->state = NEGO_STATE_INITIAL;
724 nego->requested_protocols = PROTOCOL_RDP;
725 nego->transport->recv_callback = nego_recv;
726 nego->transport->recv_extra = (void*) nego;
731 * Create a new NEGO state machine instance.
736 rdpNego* nego_new(struct rdp_transport * transport)
738 rdpNego* nego = (rdpNego*) xzalloc(sizeof(rdpNego));
742 nego->transport = transport;
750 * Free NEGO state machine.
754 void nego_free(rdpNego* nego)
760 * Set target hostname and port.
766 void nego_set_target(rdpNego* nego, char* hostname, int port)
768 nego->hostname = hostname;
773 * Enable security layer negotiation.
774 * @param nego pointer to the negotiation structure
775 * @param enable_rdp whether to enable security layer negotiation (true for enabled, false for disabled)
778 void nego_set_negotiation_enabled(rdpNego* nego, boolean security_layer_negotiation_enabled)
780 DEBUG_NEGO("Enabling security layer negotiation: %s", security_layer_negotiation_enabled ? "true" : "false");
781 nego->security_layer_negotiation_enabled = security_layer_negotiation_enabled;
785 * Enable RDP security protocol.
786 * @param nego pointer to the negotiation structure
787 * @param enable_rdp whether to enable normal RDP protocol (true for enabled, false for disabled)
790 void nego_enable_rdp(rdpNego* nego, boolean enable_rdp)
792 DEBUG_NEGO("Enabling RDP security: %s", enable_rdp ? "true" : "false");
793 nego->enabled_protocols[PROTOCOL_RDP] = enable_rdp;
797 * Enable TLS security protocol.
798 * @param nego pointer to the negotiation structure
799 * @param enable_tls whether to enable TLS + RDP protocol (true for enabled, false for disabled)
801 void nego_enable_tls(rdpNego* nego, boolean enable_tls)
803 DEBUG_NEGO("Enabling TLS security: %s", enable_tls ? "true" : "false");
804 nego->enabled_protocols[PROTOCOL_TLS] = enable_tls;
809 * Enable NLA security protocol.
810 * @param nego pointer to the negotiation structure
811 * @param enable_nla whether to enable network level authentication protocol (true for enabled, false for disabled)
814 void nego_enable_nla(rdpNego* nego, boolean enable_nla)
816 DEBUG_NEGO("Enabling NLA security: %s", enable_nla ? "true" : "false");
817 nego->enabled_protocols[PROTOCOL_NLA] = enable_nla;
823 * @param routing_token
826 void nego_set_routing_token(rdpNego* nego, rdpBlob* routing_token)
828 nego->routing_token = routing_token;
837 void nego_set_cookie(rdpNego* nego, char* cookie)
839 nego->cookie = cookie;
843 * Enable / disable preconnection PDU.
848 void nego_set_send_preconnection_pdu(rdpNego* nego, boolean send_pcpdu)
850 nego->send_preconnection_pdu = send_pcpdu;
854 * Set preconnection id.
859 void nego_set_preconnection_id(rdpNego* nego, uint32 id)
861 nego->preconnection_id = id;
865 * Set preconnection blob.
870 void nego_set_preconnection_blob(rdpNego* nego, char* blob)
872 nego->preconnection_blob = blob;