Backport of pre-connect Hyper-V code
[freerdp-ubuntu-pcb-backport.git] / libfreerdp-core / connection.c
1 /**
2  * FreeRDP: A Remote Desktop Protocol Client
3  * Connection Sequence
4  *
5  * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *     http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19
20 #include "per.h"
21 #include "info.h"
22 #include "input.h"
23
24 #include "connection.h"
25 #include "transport.h"
26
27 /**
28  *                                      Connection Sequence
29  *     client                                                                    server
30  *        |                                                                         |
31  *        |-----------------------X.224 Connection Request PDU--------------------->|
32  *        |<----------------------X.224 Connection Confirm PDU----------------------|
33  *        |-------MCS Connect-Initial PDU with GCC Conference Create Request------->|
34  *        |<-----MCS Connect-Response PDU with GCC Conference Create Response-------|
35  *        |------------------------MCS Erect Domain Request PDU-------------------->|
36  *        |------------------------MCS Attach User Request PDU--------------------->|
37  *        |<-----------------------MCS Attach User Confirm PDU----------------------|
38  *        |------------------------MCS Channel Join Request PDU-------------------->|
39  *        |<-----------------------MCS Channel Join Confirm PDU---------------------|
40  *        |----------------------------Security Exchange PDU----------------------->|
41  *        |-------------------------------Client Info PDU-------------------------->|
42  *        |<---------------------License Error PDU - Valid Client-------------------|
43  *        |<-----------------------------Demand Active PDU--------------------------|
44  *        |------------------------------Confirm Active PDU------------------------>|
45  *        |-------------------------------Synchronize PDU-------------------------->|
46  *        |---------------------------Control PDU - Cooperate---------------------->|
47  *        |------------------------Control PDU - Request Control------------------->|
48  *        |--------------------------Persistent Key List PDU(s)-------------------->|
49  *        |--------------------------------Font List PDU--------------------------->|
50  *        |<------------------------------Synchronize PDU---------------------------|
51  *        |<--------------------------Control PDU - Cooperate-----------------------|
52  *        |<-----------------------Control PDU - Granted Control--------------------|
53  *        |<-------------------------------Font Map PDU-----------------------------|
54  *
55  */
56
57 /**
58  * Establish RDP Connection.\n
59  * @msdn{cc240452}
60  * @param rdp RDP module
61  */
62
63 boolean rdp_client_connect(rdpRdp* rdp)
64 {
65         rdpSettings* settings = rdp->settings;
66
67         nego_init(rdp->nego);
68         nego_set_target(rdp->nego, settings->hostname, settings->port);
69         nego_set_cookie(rdp->nego, settings->username);
70         nego_set_send_preconnection_pdu(rdp->nego, settings->send_preconnection_pdu);
71         nego_set_preconnection_id(rdp->nego, settings->preconnection_id);
72         nego_set_preconnection_blob(rdp->nego, settings->preconnection_blob);
73
74         nego_set_negotiation_enabled(rdp->nego, settings->security_layer_negotiation);
75         nego_enable_rdp(rdp->nego, settings->rdp_security);
76         nego_enable_nla(rdp->nego, settings->nla_security);
77         nego_enable_tls(rdp->nego, settings->tls_security);
78
79         if (!nego_connect(rdp->nego))
80         {
81                 printf("Error: protocol security negotiation or connection failure\n");
82                 return false;
83         }
84
85         if ((rdp->nego->selected_protocol & PROTOCOL_TLS) || (rdp->nego->selected_protocol == PROTOCOL_RDP))
86         {
87                 if ((settings->username != NULL) && ((settings->password != NULL) || (settings->password_cookie != NULL && settings->password_cookie->length > 0)))
88                         settings->autologon = true;
89         }
90
91         rdp_set_blocking_mode(rdp, false);
92         rdp->state = CONNECTION_STATE_NEGO;
93         rdp->finalize_sc_pdus = 0;
94
95         if (!mcs_send_connect_initial(rdp->mcs))
96         {
97                 printf("Error: unable to send MCS Connect Initial\n");
98                 return false;
99         }
100
101         while (rdp->state != CONNECTION_STATE_ACTIVE)
102         {
103                 if (rdp_check_fds(rdp) < 0)
104                         return false;
105         }
106
107         return true;
108 }
109
110 boolean rdp_client_disconnect(rdpRdp* rdp)
111 {
112         return transport_disconnect(rdp->transport);
113 }
114
115 boolean rdp_client_redirect(rdpRdp* rdp)
116 {
117         rdpSettings* settings = rdp->settings;
118         rdpRedirection* redirection = rdp->redirection;
119
120         rdp_client_disconnect(rdp);
121
122         mcs_free(rdp->mcs);
123         nego_free(rdp->nego);
124         license_free(rdp->license);
125         transport_free(rdp->transport);
126         rdp->transport = transport_new(settings);
127         rdp->license = license_new(rdp);
128         rdp->nego = nego_new(rdp->transport);
129         rdp->mcs = mcs_new(rdp->transport);
130
131         rdp->transport->layer = TRANSPORT_LAYER_TCP;
132         settings->redirected_session_id = redirection->sessionID;
133
134         if (redirection->flags & LB_LOAD_BALANCE_INFO)
135         {
136                 nego_set_routing_token(rdp->nego, &redirection->loadBalanceInfo);
137         }
138         else
139         {
140                 if (redirection->flags & LB_TARGET_NET_ADDRESS)
141                 {
142                         xfree(settings->hostname);
143                         settings->hostname = xstrdup(redirection->targetNetAddress.ascii);
144                 }
145                 else if (redirection->flags & LB_TARGET_FQDN)
146                 {
147                         xfree(settings->hostname);
148                         settings->hostname = xstrdup(redirection->targetFQDN.ascii);
149                 }
150                 else if (redirection->flags & LB_TARGET_NETBIOS_NAME)
151                 {
152                         xfree(settings->hostname);
153                         settings->hostname = xstrdup(redirection->targetNetBiosName.ascii);
154                 }
155         }
156
157         if (redirection->flags & LB_USERNAME)
158         {
159                 xfree(settings->username);
160                 settings->username = xstrdup(redirection->username.ascii);
161         }
162
163         if (redirection->flags & LB_DOMAIN)
164         {
165                 xfree(settings->domain);
166                 settings->domain = xstrdup(redirection->domain.ascii);
167         }
168
169         if (redirection->flags & LB_PASSWORD)
170         {
171                 settings->password_cookie = &redirection->password_cookie;
172         }
173
174         return rdp_client_connect(rdp);
175 }
176
177 static boolean rdp_client_establish_keys(rdpRdp* rdp)
178 {
179         uint8 client_random[CLIENT_RANDOM_LENGTH];
180         uint8 crypt_client_random[256 + 8];
181         uint32 key_len;
182         uint8* mod;
183         uint8* exp;
184         uint32 length;
185         STREAM* s;
186
187         if (rdp->settings->encryption == false)
188         {
189                 /* no RDP encryption */
190                 return true;
191         }
192
193         /* encrypt client random */
194         memset(crypt_client_random, 0, sizeof(crypt_client_random));
195         crypto_nonce(client_random, sizeof(client_random));
196         key_len = rdp->settings->server_cert->cert_info.modulus.length;
197         mod = rdp->settings->server_cert->cert_info.modulus.data;
198         exp = rdp->settings->server_cert->cert_info.exponent;
199         crypto_rsa_public_encrypt(client_random, sizeof(client_random), key_len, mod, exp, crypt_client_random);
200
201         /* send crypt client random to server */
202         length = RDP_PACKET_HEADER_MAX_LENGTH + RDP_SECURITY_HEADER_LENGTH + 4 + key_len + 8;
203         s = transport_send_stream_init(rdp->mcs->transport, length);
204         rdp_write_header(rdp, s, length, MCS_GLOBAL_CHANNEL_ID);
205         rdp_write_security_header(s, SEC_EXCHANGE_PKT);
206         length = key_len + 8;
207         stream_write_uint32(s, length);
208         stream_write(s, crypt_client_random, length);
209         if (transport_write(rdp->mcs->transport, s) < 0)
210         {
211                 return false;
212         }
213
214         /* now calculate encrypt / decrypt and update keys */
215         if (!security_establish_keys(client_random, rdp))
216         {
217                 return false;
218         }
219
220         rdp->do_crypt = true;
221         if (rdp->settings->secure_checksum)
222                 rdp->do_secure_checksum = true;
223
224         if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
225         {
226                 uint8 fips_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
227                 rdp->fips_encrypt = crypto_des3_encrypt_init(rdp->fips_encrypt_key, fips_ivec);
228                 rdp->fips_decrypt = crypto_des3_decrypt_init(rdp->fips_decrypt_key, fips_ivec);
229
230                 rdp->fips_hmac = crypto_hmac_new();
231                 return true;
232         }
233
234         rdp->rc4_decrypt_key = crypto_rc4_init(rdp->decrypt_key, rdp->rc4_key_len);
235         rdp->rc4_encrypt_key = crypto_rc4_init(rdp->encrypt_key, rdp->rc4_key_len);
236
237         return true;
238 }
239
240 static boolean rdp_server_establish_keys(rdpRdp* rdp, STREAM* s)
241 {
242         uint8 client_random[64]; /* Should be only 32 after successfull decryption, but on failure might take up to 64 bytes. */
243         uint8 crypt_client_random[256 + 8];
244         uint32 rand_len, key_len;
245         uint16 channel_id, length, sec_flags;
246         uint8* mod;
247         uint8* priv_exp;
248
249         if (rdp->settings->encryption == false)
250         {
251                 /* No RDP Security. */
252                 return true;
253         }
254
255         if (!rdp_read_header(rdp, s, &length, &channel_id))
256         {
257                 printf("rdp_server_establish_keys: invalid RDP header\n");
258                 return false;
259         }
260         rdp_read_security_header(s, &sec_flags);
261         if ((sec_flags & SEC_EXCHANGE_PKT) == 0)
262         {
263                 printf("rdp_server_establish_keys: missing SEC_EXCHANGE_PKT in security header\n");
264                 return false;
265         }
266         stream_read_uint32(s, rand_len);
267         key_len = rdp->settings->server_key->modulus.length;
268         if (rand_len != key_len + 8)
269         {
270                 printf("rdp_server_establish_keys: invalid encrypted client random length\n");
271                 return false;
272         }
273         memset(crypt_client_random, 0, sizeof(crypt_client_random));
274         stream_read(s, crypt_client_random, rand_len);
275         /* 8 zero bytes of padding */
276         stream_seek(s, 8);
277         mod = rdp->settings->server_key->modulus.data;
278         priv_exp = rdp->settings->server_key->private_exponent.data;
279         crypto_rsa_private_decrypt(crypt_client_random, rand_len - 8, key_len, mod, priv_exp, client_random);
280
281         /* now calculate encrypt / decrypt and update keys */
282         if (!security_establish_keys(client_random, rdp))
283         {
284                 return false;
285         }
286
287         rdp->do_crypt = true;
288         if (rdp->settings->secure_checksum)
289                 rdp->do_secure_checksum = true;
290
291         if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
292         {
293                 uint8 fips_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
294                 rdp->fips_encrypt = crypto_des3_encrypt_init(rdp->fips_encrypt_key, fips_ivec);
295                 rdp->fips_decrypt = crypto_des3_decrypt_init(rdp->fips_decrypt_key, fips_ivec);
296
297                 rdp->fips_hmac = crypto_hmac_new();
298                 return true;
299         }
300
301         rdp->rc4_decrypt_key = crypto_rc4_init(rdp->decrypt_key, rdp->rc4_key_len);
302         rdp->rc4_encrypt_key = crypto_rc4_init(rdp->encrypt_key, rdp->rc4_key_len);
303
304         return true;
305 }
306
307 boolean rdp_client_connect_mcs_connect_response(rdpRdp* rdp, STREAM* s)
308 {
309         if (!mcs_recv_connect_response(rdp->mcs, s))
310         {
311                 printf("rdp_client_connect_mcs_connect_response: mcs_recv_connect_response failed\n");
312                 return false;
313         }
314         if (!mcs_send_erect_domain_request(rdp->mcs))
315                 return false;
316         if (!mcs_send_attach_user_request(rdp->mcs))
317                 return false;
318
319         rdp->state = CONNECTION_STATE_MCS_ATTACH_USER;
320
321         return true;
322 }
323
324 boolean rdp_client_connect_mcs_attach_user_confirm(rdpRdp* rdp, STREAM* s)
325 {
326         if (!mcs_recv_attach_user_confirm(rdp->mcs, s))
327                 return false;
328
329         if (!mcs_send_channel_join_request(rdp->mcs, rdp->mcs->user_id))
330                 return false;
331
332         rdp->state = CONNECTION_STATE_MCS_CHANNEL_JOIN;
333
334         return true;
335 }
336
337 boolean rdp_client_connect_mcs_channel_join_confirm(rdpRdp* rdp, STREAM* s)
338 {
339         int i;
340         uint16 channel_id;
341         boolean all_joined = true;
342
343         if (!mcs_recv_channel_join_confirm(rdp->mcs, s, &channel_id))
344                 return false;
345
346         if (!rdp->mcs->user_channel_joined)
347         {
348                 if (channel_id != rdp->mcs->user_id)
349                         return false;
350                 rdp->mcs->user_channel_joined = true;
351
352                 if (!mcs_send_channel_join_request(rdp->mcs, MCS_GLOBAL_CHANNEL_ID))
353                         return false;
354         }
355         else if (!rdp->mcs->global_channel_joined)
356         {
357                 if (channel_id != MCS_GLOBAL_CHANNEL_ID)
358                         return false;
359                 rdp->mcs->global_channel_joined = true;
360
361                 if (rdp->settings->num_channels > 0)
362                 {
363                         if (!mcs_send_channel_join_request(rdp->mcs, rdp->settings->channels[0].channel_id))
364                                 return false;
365
366                         all_joined = false;
367                 }
368         }
369         else
370         {
371                 for (i = 0; i < rdp->settings->num_channels; i++)
372                 {
373                         if (rdp->settings->channels[i].joined)
374                                 continue;
375
376                         if (rdp->settings->channels[i].channel_id != channel_id)
377                                 return false;
378
379                         rdp->settings->channels[i].joined = true;
380                         break;
381                 }
382                 if (i + 1 < rdp->settings->num_channels)
383                 {
384                         if (!mcs_send_channel_join_request(rdp->mcs, rdp->settings->channels[i + 1].channel_id))
385                                 return false;
386
387                         all_joined = false;
388                 }
389         }
390
391         if (rdp->mcs->user_channel_joined && rdp->mcs->global_channel_joined && all_joined)
392         {
393                 if (!rdp_client_establish_keys(rdp))
394                         return false;
395                 if (!rdp_send_client_info(rdp))
396                         return false;
397                 rdp->state = CONNECTION_STATE_LICENSE;
398         }
399
400         return true;
401 }
402
403 boolean rdp_client_connect_license(rdpRdp* rdp, STREAM* s)
404 {
405         if (!license_recv(rdp->license, s))
406                 return false;
407
408         if (rdp->license->state == LICENSE_STATE_ABORTED)
409         {
410                 printf("license connection sequence aborted.\n");
411                 return false;
412         }
413
414         if (rdp->license->state == LICENSE_STATE_COMPLETED)
415         {
416                 rdp->state = CONNECTION_STATE_CAPABILITY;
417         }
418
419         return true;
420 }
421
422 boolean rdp_client_connect_demand_active(rdpRdp* rdp, STREAM* s)
423 {
424         uint8* mark;
425         uint16 width;
426         uint16 height;
427
428         width = rdp->settings->width;
429         height = rdp->settings->height;
430
431         stream_get_mark(s, mark);
432
433         if (!rdp_recv_demand_active(rdp, s))
434         {
435                 stream_set_mark(s, mark);
436                 stream_seek(s, RDP_PACKET_HEADER_MAX_LENGTH);
437
438                 if (rdp_recv_out_of_sequence_pdu(rdp, s) != true)
439                         return false;
440
441                 return true;
442         }
443
444         if (rdp->disconnect)
445                 return true;
446
447         if (!rdp_send_confirm_active(rdp))
448                 return false;
449
450         input_register_client_callbacks(rdp->input);
451
452         /**
453          * The server may request a different desktop size during Deactivation-Reactivation sequence.
454          * In this case, the UI should be informed and do actual window resizing at this point.
455          */
456         if (width != rdp->settings->width || height != rdp->settings->height)
457         {
458                 IFCALL(rdp->update->DesktopResize, rdp->update->context);
459         }
460
461         rdp->state = CONNECTION_STATE_FINALIZATION;
462         update_reset_state(rdp->update);
463
464         rdp_client_connect_finalize(rdp);
465
466         return true;
467 }
468
469 boolean rdp_client_connect_finalize(rdpRdp* rdp)
470 {
471         /**
472          * [MS-RDPBCGR] 1.3.1.1 - 8.
473          * The client-to-server PDUs sent during this phase have no dependencies on any of the server-to-
474          * client PDUs; they may be sent as a single batch, provided that sequencing is maintained.
475          */
476
477         if (!rdp_send_client_synchronize_pdu(rdp))
478                 return false;
479         if (!rdp_send_client_control_pdu(rdp, CTRLACTION_COOPERATE))
480                 return false;
481         if (!rdp_send_client_control_pdu(rdp, CTRLACTION_REQUEST_CONTROL))
482                 return false;
483
484         rdp->input->SynchronizeEvent(rdp->input, 0);
485
486         if (!rdp_send_client_persistent_key_list_pdu(rdp))
487                 return false;
488         if (!rdp_send_client_font_list_pdu(rdp, FONTLIST_FIRST | FONTLIST_LAST))
489                 return false;
490
491         return true;
492 }
493
494 boolean rdp_server_accept_nego(rdpRdp* rdp, STREAM* s)
495 {
496         boolean ret;
497
498         transport_set_blocking_mode(rdp->transport, true);
499
500         if (!nego_read_request(rdp->nego, s))
501                 return false;
502
503         rdp->nego->selected_protocol = 0;
504
505         printf("Requested protocols:");
506         if ((rdp->nego->requested_protocols & PROTOCOL_TLS))
507         {
508                 printf(" TLS");
509                 if (rdp->settings->tls_security)
510                 {
511                         printf("(Y)");
512                         rdp->nego->selected_protocol |= PROTOCOL_TLS;
513                 }
514                 else
515                         printf("(n)");
516         }
517         if ((rdp->nego->requested_protocols & PROTOCOL_NLA))
518         {
519                 printf(" NLA");
520                 if (rdp->settings->nla_security)
521                 {
522                         printf("(Y)");
523                         rdp->nego->selected_protocol |= PROTOCOL_NLA;
524                 }
525                 else
526                         printf("(n)");
527         }
528         printf(" RDP");
529         if (rdp->settings->rdp_security && rdp->nego->selected_protocol == 0)
530         {
531                 printf("(Y)");
532                 rdp->nego->selected_protocol = PROTOCOL_RDP;
533         }
534         else
535                 printf("(n)");
536         printf("\n");
537
538         if (!nego_send_negotiation_response(rdp->nego))
539                 return false;
540
541         ret = false;
542         if (rdp->nego->selected_protocol & PROTOCOL_NLA)
543                 ret = transport_accept_nla(rdp->transport);
544         else if (rdp->nego->selected_protocol & PROTOCOL_TLS)
545                 ret = transport_accept_tls(rdp->transport);
546         else if (rdp->nego->selected_protocol == PROTOCOL_RDP) /* 0 */
547                 ret = transport_accept_rdp(rdp->transport);
548
549         if (!ret)
550                 return false;
551
552         transport_set_blocking_mode(rdp->transport, false);
553
554         rdp->state = CONNECTION_STATE_NEGO;
555
556         return true;
557 }
558
559 boolean rdp_server_accept_mcs_connect_initial(rdpRdp* rdp, STREAM* s)
560 {
561         int i;
562
563         if (!mcs_recv_connect_initial(rdp->mcs, s))
564                 return false;
565
566         printf("Accepted client: %s\n", rdp->settings->client_hostname);
567         printf("Accepted channels:");
568         for (i = 0; i < rdp->settings->num_channels; i++)
569         {
570                 printf(" %s", rdp->settings->channels[i].name);
571         }
572         printf("\n");
573
574         if (!mcs_send_connect_response(rdp->mcs))
575                 return false;
576
577         rdp->state = CONNECTION_STATE_MCS_CONNECT;
578
579         return true;
580 }
581
582 boolean rdp_server_accept_mcs_erect_domain_request(rdpRdp* rdp, STREAM* s)
583 {
584         if (!mcs_recv_erect_domain_request(rdp->mcs, s))
585                 return false;
586
587         rdp->state = CONNECTION_STATE_MCS_ERECT_DOMAIN;
588
589         return true;
590 }
591
592 boolean rdp_server_accept_mcs_attach_user_request(rdpRdp* rdp, STREAM* s)
593 {
594         if (!mcs_recv_attach_user_request(rdp->mcs, s))
595                 return false;
596
597         if (!mcs_send_attach_user_confirm(rdp->mcs))
598                 return false;
599
600         rdp->state = CONNECTION_STATE_MCS_ATTACH_USER;
601
602         return true;
603 }
604
605 boolean rdp_server_accept_mcs_channel_join_request(rdpRdp* rdp, STREAM* s)
606 {
607         int i;
608         uint16 channel_id;
609         boolean all_joined = true;
610
611         if (!mcs_recv_channel_join_request(rdp->mcs, s, &channel_id))
612                 return false;
613
614         if (!mcs_send_channel_join_confirm(rdp->mcs, channel_id))
615                 return false;
616
617         if (channel_id == rdp->mcs->user_id)
618                 rdp->mcs->user_channel_joined = true;
619         else if (channel_id == MCS_GLOBAL_CHANNEL_ID)
620                 rdp->mcs->global_channel_joined = true;
621
622         for (i = 0; i < rdp->settings->num_channels; i++)
623         {
624                 if (rdp->settings->channels[i].channel_id == channel_id)
625                         rdp->settings->channels[i].joined = true;
626
627                 if (!rdp->settings->channels[i].joined)
628                         all_joined = false;
629         }
630
631         if (rdp->mcs->user_channel_joined && rdp->mcs->global_channel_joined && all_joined)
632                 rdp->state = CONNECTION_STATE_MCS_CHANNEL_JOIN;
633
634         return true;
635 }
636
637 boolean rdp_server_accept_client_keys(rdpRdp* rdp, STREAM* s)
638 {
639
640         if (!rdp_server_establish_keys(rdp, s))
641                 return false;
642
643         rdp->state = CONNECTION_STATE_ESTABLISH_KEYS;
644
645         return true;
646 }
647
648 boolean rdp_server_accept_client_info(rdpRdp* rdp, STREAM* s)
649 {
650
651         if (!rdp_recv_client_info(rdp, s))
652                 return false;
653
654         if (!license_send_valid_client_error_packet(rdp->license))
655                 return false;
656
657         rdp->state = CONNECTION_STATE_LICENSE;
658
659         return true;
660 }
661
662 boolean rdp_server_accept_confirm_active(rdpRdp* rdp, STREAM* s)
663 {
664         if (!rdp_recv_confirm_active(rdp, s))
665                 return false;
666
667         rdp->state = CONNECTION_STATE_ACTIVE;
668         update_reset_state(rdp->update);
669
670         if (!rdp_send_server_synchronize_pdu(rdp))
671                 return false;
672
673         if (!rdp_send_server_control_cooperate_pdu(rdp))
674                 return false;
675
676         return true;
677 }
678
679 boolean rdp_server_reactivate(rdpRdp* rdp)
680 {
681         if (!rdp_send_deactivate_all(rdp))
682                 return false;
683
684         rdp->state = CONNECTION_STATE_LICENSE;
685
686         if (!rdp_send_demand_active(rdp))
687                 return false;
688
689         return true;
690 }
691