/** * FreeRDP: A Remote Desktop Protocol Implementation * Terminal Server Gateway (TSG) * * Copyright 2012 Fujitsu Technology Solutions GmbH * Copyright 2012 Dmitrij Jasnov * Copyright 2015 Thincast Technologies GmbH * Copyright 2015 DI (FH) Martin Haimberger * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include #include #include #include #include #include #include "rpc_bind.h" #include "rpc_client.h" #include "tsg.h" #include "../../crypto/opensslcompat.h" #define TAG FREERDP_TAG("core.gateway.tsg") #define TSG_CAPABILITY_TYPE_NAP 0x00000001 #define TSG_PACKET_TYPE_HEADER 0x00004844 #define TSG_PACKET_TYPE_VERSIONCAPS 0x00005643 #define TSG_PACKET_TYPE_QUARCONFIGREQUEST 0x00005143 #define TSG_PACKET_TYPE_QUARREQUEST 0x00005152 #define TSG_PACKET_TYPE_RESPONSE 0x00005052 #define TSG_PACKET_TYPE_QUARENC_RESPONSE 0x00004552 #define TSG_PACKET_TYPE_CAPS_RESPONSE 0x00004350 #define TSG_PACKET_TYPE_MSGREQUEST_PACKET 0x00004752 #define TSG_PACKET_TYPE_MESSAGE_PACKET 0x00004750 #define TSG_PACKET_TYPE_AUTH 0x00004054 #define TSG_PACKET_TYPE_REAUTH 0x00005250 typedef WCHAR* RESOURCENAME; typedef struct _tsendpointinfo { RESOURCENAME* resourceName; UINT32 numResourceNames; RESOURCENAME* alternateResourceNames; UINT16 numAlternateResourceNames; UINT32 Port; } TSENDPOINTINFO, *PTSENDPOINTINFO; typedef struct _TSG_PACKET_HEADER { UINT16 ComponentId; UINT16 PacketId; } TSG_PACKET_HEADER, *PTSG_PACKET_HEADER; typedef struct _TSG_CAPABILITY_NAP { UINT32 capabilities; } TSG_CAPABILITY_NAP, *PTSG_CAPABILITY_NAP; typedef union { TSG_CAPABILITY_NAP tsgCapNap; } TSG_CAPABILITIES_UNION, *PTSG_CAPABILITIES_UNION; typedef struct _TSG_PACKET_CAPABILITIES { UINT32 capabilityType; TSG_CAPABILITIES_UNION tsgPacket; } TSG_PACKET_CAPABILITIES, *PTSG_PACKET_CAPABILITIES; typedef struct _TSG_PACKET_VERSIONCAPS { TSG_PACKET_HEADER tsgHeader; PTSG_PACKET_CAPABILITIES tsgCaps; UINT32 numCapabilities; UINT16 majorVersion; UINT16 minorVersion; UINT16 quarantineCapabilities; } TSG_PACKET_VERSIONCAPS, *PTSG_PACKET_VERSIONCAPS; typedef struct _TSG_PACKET_QUARCONFIGREQUEST { UINT32 flags; } TSG_PACKET_QUARCONFIGREQUEST, *PTSG_PACKET_QUARCONFIGREQUEST; typedef struct _TSG_PACKET_QUARREQUEST { UINT32 flags; WCHAR* machineName; UINT32 nameLength; BYTE* data; UINT32 dataLen; } TSG_PACKET_QUARREQUEST, *PTSG_PACKET_QUARREQUEST; typedef struct _TSG_REDIRECTION_FLAGS { BOOL enableAllRedirections; BOOL disableAllRedirections; BOOL driveRedirectionDisabled; BOOL printerRedirectionDisabled; BOOL portRedirectionDisabled; BOOL reserved; BOOL clipboardRedirectionDisabled; BOOL pnpRedirectionDisabled; } TSG_REDIRECTION_FLAGS, *PTSG_REDIRECTION_FLAGS; typedef struct _TSG_PACKET_RESPONSE { UINT32 flags; UINT32 reserved; BYTE* responseData; UINT32 responseDataLen; TSG_REDIRECTION_FLAGS redirectionFlags; } TSG_PACKET_RESPONSE, *PTSG_PACKET_RESPONSE; typedef struct _TSG_PACKET_QUARENC_RESPONSE { UINT32 flags; UINT32 certChainLen; WCHAR* certChainData; GUID nonce; PTSG_PACKET_VERSIONCAPS versionCaps; } TSG_PACKET_QUARENC_RESPONSE, *PTSG_PACKET_QUARENC_RESPONSE; typedef struct TSG_PACKET_STRING_MESSAGE { INT32 isDisplayMandatory; INT32 isConsentMandatory; UINT32 msgBytes; WCHAR* msgBuffer; } TSG_PACKET_STRING_MESSAGE; typedef struct TSG_PACKET_REAUTH_MESSAGE { UINT64 tunnelContext; } TSG_PACKET_REAUTH_MESSAGE, *PTSG_PACKET_REAUTH_MESSAGE; typedef struct _TSG_PACKET_MSG_RESPONSE { UINT32 msgID; UINT32 msgType; INT32 isMsgPresent; } TSG_PACKET_MSG_RESPONSE, *PTSG_PACKET_MSG_RESPONSE; typedef struct TSG_PACKET_CAPS_RESPONSE { TSG_PACKET_QUARENC_RESPONSE pktQuarEncResponse; TSG_PACKET_MSG_RESPONSE pktConsentMessage; } TSG_PACKET_CAPS_RESPONSE, *PTSG_PACKET_CAPS_RESPONSE; typedef struct TSG_PACKET_MSG_REQUEST { UINT32 maxMessagesPerBatch; } TSG_PACKET_MSG_REQUEST, *PTSG_PACKET_MSG_REQUEST; typedef struct _TSG_PACKET_AUTH { TSG_PACKET_VERSIONCAPS tsgVersionCaps; UINT32 cookieLen; BYTE* cookie; } TSG_PACKET_AUTH, *PTSG_PACKET_AUTH; typedef union { PTSG_PACKET_VERSIONCAPS packetVersionCaps; PTSG_PACKET_AUTH packetAuth; } TSG_INITIAL_PACKET_TYPE_UNION, *PTSG_INITIAL_PACKET_TYPE_UNION; typedef struct TSG_PACKET_REAUTH { UINT64 tunnelContext; UINT32 packetId; TSG_INITIAL_PACKET_TYPE_UNION tsgInitialPacket; } TSG_PACKET_REAUTH, *PTSG_PACKET_REAUTH; typedef union { PTSG_PACKET_HEADER packetHeader; PTSG_PACKET_VERSIONCAPS packetVersionCaps; PTSG_PACKET_QUARCONFIGREQUEST packetQuarConfigRequest; PTSG_PACKET_QUARREQUEST packetQuarRequest; PTSG_PACKET_RESPONSE packetResponse; PTSG_PACKET_QUARENC_RESPONSE packetQuarEncResponse; PTSG_PACKET_CAPS_RESPONSE packetCapsResponse; PTSG_PACKET_MSG_REQUEST packetMsgRequest; PTSG_PACKET_MSG_RESPONSE packetMsgResponse; PTSG_PACKET_AUTH packetAuth; PTSG_PACKET_REAUTH packetReauth; } TSG_PACKET_TYPE_UNION; typedef struct _TSG_PACKET { UINT32 packetId; TSG_PACKET_TYPE_UNION tsgPacket; } TSG_PACKET, *PTSG_PACKET; struct rdp_tsg { BIO* bio; rdpRpc* rpc; UINT16 Port; LPWSTR Hostname; LPWSTR MachineName; TSG_STATE state; UINT32 TunnelId; UINT32 ChannelId; BOOL reauthSequence; rdpTransport* transport; UINT64 ReauthTunnelContext; CONTEXT_HANDLE TunnelContext; CONTEXT_HANDLE ChannelContext; CONTEXT_HANDLE NewTunnelContext; CONTEXT_HANDLE NewChannelContext; TSG_PACKET_REAUTH packetReauth; TSG_PACKET_CAPABILITIES tsgCaps; TSG_PACKET_VERSIONCAPS packetVersionCaps; }; static const char* tsg_packet_id_to_string(UINT32 packetId) { switch (packetId) { case TSG_PACKET_TYPE_HEADER: return "TSG_PACKET_TYPE_HEADER"; case TSG_PACKET_TYPE_VERSIONCAPS: return "TSG_PACKET_TYPE_VERSIONCAPS"; case TSG_PACKET_TYPE_QUARCONFIGREQUEST: return "TSG_PACKET_TYPE_QUARCONFIGREQUEST"; case TSG_PACKET_TYPE_QUARREQUEST: return "TSG_PACKET_TYPE_QUARREQUEST"; case TSG_PACKET_TYPE_RESPONSE: return "TSG_PACKET_TYPE_RESPONSE"; case TSG_PACKET_TYPE_QUARENC_RESPONSE: return "TSG_PACKET_TYPE_QUARENC_RESPONSE"; case TSG_CAPABILITY_TYPE_NAP: return "TSG_CAPABILITY_TYPE_NAP"; case TSG_PACKET_TYPE_CAPS_RESPONSE: return "TSG_PACKET_TYPE_CAPS_RESPONSE"; case TSG_PACKET_TYPE_MSGREQUEST_PACKET: return "TSG_PACKET_TYPE_MSGREQUEST_PACKET"; case TSG_PACKET_TYPE_MESSAGE_PACKET: return "TSG_PACKET_TYPE_MESSAGE_PACKET"; case TSG_PACKET_TYPE_AUTH: return "TSG_PACKET_TYPE_AUTH"; case TSG_PACKET_TYPE_REAUTH: return "TSG_PACKET_TYPE_REAUTH"; default: return "UNKNOWN"; } } static const char* tsg_state_to_string(TSG_STATE state) { switch (state) { case TSG_STATE_INITIAL: return "TSG_STATE_INITIAL"; case TSG_STATE_CONNECTED: return "TSG_STATE_CONNECTED"; case TSG_STATE_AUTHORIZED: return "TSG_STATE_AUTHORIZED"; case TSG_STATE_CHANNEL_CREATED: return "TSG_STATE_CHANNEL_CREATED"; case TSG_STATE_PIPE_CREATED: return "TSG_STATE_PIPE_CREATED"; case TSG_STATE_TUNNEL_CLOSE_PENDING: return "TSG_STATE_TUNNEL_CLOSE_PENDING"; case TSG_STATE_CHANNEL_CLOSE_PENDING: return "TSG_STATE_CHANNEL_CLOSE_PENDING"; case TSG_STATE_FINAL: return "TSG_STATE_FINAL"; default: return "TSG_STATE_UNKNOWN"; } } static BOOL tsg_print(char** buffer, size_t* len, const char* fmt, ...) { int rc; va_list ap; if (!buffer || !len || !fmt) return FALSE; va_start(ap, fmt); rc = vsnprintf(*buffer, *len, fmt, ap); va_end(ap); if ((rc < 0) || ((size_t)rc > *len)) return FALSE; *len -= (size_t)rc; *buffer += (size_t)rc; return TRUE; } static BOOL tsg_packet_header_to_string(char** buffer, size_t* length, const TSG_PACKET_HEADER* header) { assert(buffer); assert(length); assert(header); return tsg_print(buffer, length, "header { ComponentId=0x%04" PRIx16 ", PacketId=0x%04" PRIx16 " }", header->ComponentId, header->PacketId); } static BOOL tsg_type_capability_nap_to_string(char** buffer, size_t* length, const TSG_CAPABILITY_NAP* cur) { assert(buffer); assert(length); assert(cur); return tsg_print(buffer, length, "%s { capabilities=0x%08" PRIx32 " }", tsg_packet_id_to_string(TSG_CAPABILITY_TYPE_NAP), cur->capabilities); } static BOOL tsg_packet_capabilities_to_string(char** buffer, size_t* length, const TSG_PACKET_CAPABILITIES* caps, UINT32 numCaps) { UINT32 x; assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "capabilities { ")) return FALSE; for (x = 0; x < numCaps; x++) { const TSG_PACKET_CAPABILITIES* cur = &caps[x]; switch (cur->capabilityType) { case TSG_CAPABILITY_TYPE_NAP: if (!tsg_type_capability_nap_to_string(buffer, length, &cur->tsgPacket.tsgCapNap)) return FALSE; break; default: if (!tsg_print(buffer, length, "TSG_UNKNOWN_CAPABILITY")) return FALSE; break; } } return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_versioncaps_to_string(char** buffer, size_t* length, const TSG_PACKET_VERSIONCAPS* caps) { assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "versioncaps { ")) return FALSE; if (!tsg_packet_header_to_string(buffer, length, &caps->tsgHeader)) return FALSE; if (!tsg_print(buffer, length, " ")) return FALSE; if (!tsg_packet_capabilities_to_string(buffer, length, caps->tsgCaps, caps->numCapabilities)) return FALSE; if (!tsg_print(buffer, length, " numCapabilities=0x%08" PRIx32 ", majorVersion=0x%04" PRIx16 ", minorVersion=0x%04" PRIx16 ", quarantineCapabilities=0x%04" PRIx16, caps->numCapabilities, caps->majorVersion, caps->minorVersion, caps->quarantineCapabilities)) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_quarconfigrequest_to_string(char** buffer, size_t* length, const TSG_PACKET_QUARCONFIGREQUEST* caps) { assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "quarconfigrequest { ")) return FALSE; if (!tsg_print(buffer, length, " ")) return FALSE; if (!tsg_print(buffer, length, " flags=0x%08" PRIx32, caps->flags)) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_quarrequest_to_string(char** buffer, size_t* length, const TSG_PACKET_QUARREQUEST* caps) { BOOL rc = FALSE; char* name = NULL; char* strdata = NULL; assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "quarrequest { ")) return FALSE; if (!tsg_print(buffer, length, " ")) return FALSE; if (caps->nameLength > 0) { if (caps->nameLength > INT_MAX) return FALSE; if (ConvertFromUnicode(CP_UTF8, 0, caps->machineName, (int)caps->nameLength, &name, 0, NULL, NULL) < 0) return FALSE; } strdata = winpr_BinToHexString(caps->data, caps->dataLen, TRUE); if (strdata || (caps->dataLen == 0)) rc = tsg_print(buffer, length, " flags=0x%08" PRIx32 ", machineName=%s [%" PRIu32 "], data[%" PRIu32 "]=%s", caps->flags, name, caps->nameLength, caps->dataLen, strdata); free(name); free(strdata); if (!rc) return FALSE; return tsg_print(buffer, length, " }"); } static const char* tsg_bool_to_string(BOOL val) { if (val) return "true"; return "false"; } static const char* tsg_redirection_flags_to_string(char* buffer, size_t size, const TSG_REDIRECTION_FLAGS* flags) { assert(buffer || (size == 0)); assert(flags); _snprintf(buffer, size, "enableAllRedirections=%s, disableAllRedirections=%s, driveRedirectionDisabled=%s, " "printerRedirectionDisabled=%s, portRedirectionDisabled=%s, reserved=%s, " "clipboardRedirectionDisabled=%s, pnpRedirectionDisabled=%s", tsg_bool_to_string(flags->enableAllRedirections), tsg_bool_to_string(flags->disableAllRedirections), tsg_bool_to_string(flags->driveRedirectionDisabled), tsg_bool_to_string(flags->printerRedirectionDisabled), tsg_bool_to_string(flags->portRedirectionDisabled), tsg_bool_to_string(flags->reserved), tsg_bool_to_string(flags->clipboardRedirectionDisabled), tsg_bool_to_string(flags->pnpRedirectionDisabled)); return buffer; } static BOOL tsg_packet_response_to_string(char** buffer, size_t* length, const TSG_PACKET_RESPONSE* caps) { BOOL rc = FALSE; char* strdata = NULL; char tbuffer[8192] = { 0 }; assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "response { ")) return FALSE; if (!tsg_print(buffer, length, " ")) return FALSE; strdata = winpr_BinToHexString(caps->responseData, caps->responseDataLen, TRUE); if (strdata || (caps->responseDataLen == 0)) rc = tsg_print( buffer, length, " flags=0x%08" PRIx32 ", reserved=0x%08" PRIx32 ", responseData[%" PRIu32 "]=%s, redirectionFlags={ %s }", caps->flags, caps->reserved, caps->responseDataLen, strdata, tsg_redirection_flags_to_string(tbuffer, ARRAYSIZE(tbuffer), &caps->redirectionFlags)); free(strdata); if (!rc) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_quarenc_response_to_string(char** buffer, size_t* length, const TSG_PACKET_QUARENC_RESPONSE* caps) { BOOL rc = FALSE; char* strdata = NULL; RPC_CSTR uuid; char tbuffer[8192] = { 0 }; size_t size = ARRAYSIZE(tbuffer); char* ptbuffer = tbuffer; assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "quarenc_response { ")) return FALSE; if (!tsg_print(buffer, length, " ")) return FALSE; if (caps->certChainLen > 0) { if (caps->certChainLen > INT_MAX) return FALSE; if (ConvertFromUnicode(CP_UTF8, 0, caps->certChainData, (int)caps->certChainLen, &strdata, 0, NULL, NULL) <= 0) return FALSE; } tsg_packet_versioncaps_to_string(&ptbuffer, &size, caps->versionCaps); UuidToStringA(&caps->nonce, &uuid); if (strdata || (caps->certChainLen == 0)) rc = tsg_print(buffer, length, " flags=0x%08" PRIx32 ", certChain[%" PRIu32 "]=%s, nonce=%s, versionCaps=%s", caps->flags, caps->certChainLen, strdata, uuid, tbuffer); free(strdata); free(uuid); if (!rc) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_message_response_to_string(char** buffer, size_t* length, const TSG_PACKET_MSG_RESPONSE* caps) { assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "msg_response { ")) return FALSE; if (!tsg_print(buffer, length, " msgID=0x%08" PRIx32 ", msgType=0x%08" PRIx32 ", isMsgPresent=%" PRId32, caps->msgID, caps->msgType, caps->isMsgPresent)) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_caps_response_to_string(char** buffer, size_t* length, const TSG_PACKET_CAPS_RESPONSE* caps) { assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "caps_response { ")) return FALSE; if (!tsg_packet_quarenc_response_to_string(buffer, length, &caps->pktQuarEncResponse)) return FALSE; if (!tsg_packet_message_response_to_string(buffer, length, &caps->pktConsentMessage)) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_message_request_to_string(char** buffer, size_t* length, const TSG_PACKET_MSG_REQUEST* caps) { assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "caps_message_request { ")) return FALSE; if (!tsg_print(buffer, length, " maxMessagesPerBatch=%" PRIu32, caps->maxMessagesPerBatch)) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_auth_to_string(char** buffer, size_t* length, const TSG_PACKET_AUTH* caps) { BOOL rc = FALSE; char* strdata = NULL; assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "caps_message_request { ")) return FALSE; if (!tsg_packet_versioncaps_to_string(buffer, length, &caps->tsgVersionCaps)) return FALSE; strdata = winpr_BinToHexString(caps->cookie, caps->cookieLen, TRUE); if (strdata || (caps->cookieLen == 0)) rc = tsg_print(buffer, length, " cookie[%" PRIu32 "]=%s", caps->cookieLen, strdata); free(strdata); if (!rc) return FALSE; return tsg_print(buffer, length, " }"); } static BOOL tsg_packet_reauth_to_string(char** buffer, size_t* length, const TSG_PACKET_REAUTH* caps) { BOOL rc = FALSE; assert(buffer); assert(length); assert(caps); if (!tsg_print(buffer, length, "caps_message_request { ")) return FALSE; if (!tsg_print(buffer, length, " tunnelContext=0x%016" PRIx64 ", packetId=%s [0x%08" PRIx32 "]", caps->tunnelContext, tsg_packet_id_to_string(caps->packetId), caps->packetId)) return FALSE; switch (caps->packetId) { case TSG_PACKET_TYPE_VERSIONCAPS: rc = tsg_packet_versioncaps_to_string(buffer, length, caps->tsgInitialPacket.packetVersionCaps); break; case TSG_PACKET_TYPE_AUTH: rc = tsg_packet_auth_to_string(buffer, length, caps->tsgInitialPacket.packetAuth); break; default: rc = tsg_print(buffer, length, "TODO: Unhandled packet type %s [0x%08" PRIx32 "]", tsg_packet_id_to_string(caps->packetId), caps->packetId); break; } if (!rc) return FALSE; return tsg_print(buffer, length, " }"); } static const char* tsg_packet_to_string(const TSG_PACKET* packet) { size_t len = 8192; static char sbuffer[8193] = { 0 }; char* buffer = sbuffer; if (!tsg_print(&buffer, &len, "TSG_PACKET { packetId=%s [0x%08" PRIx32 "], ", tsg_packet_id_to_string(packet->packetId), packet->packetId)) goto fail; switch (packet->packetId) { case TSG_PACKET_TYPE_HEADER: if (!tsg_packet_header_to_string(&buffer, &len, packet->tsgPacket.packetHeader)) goto fail; break; case TSG_PACKET_TYPE_VERSIONCAPS: if (!tsg_packet_versioncaps_to_string(&buffer, &len, packet->tsgPacket.packetVersionCaps)) goto fail; break; case TSG_PACKET_TYPE_QUARCONFIGREQUEST: if (!tsg_packet_quarconfigrequest_to_string(&buffer, &len, packet->tsgPacket.packetQuarConfigRequest)) goto fail; break; case TSG_PACKET_TYPE_QUARREQUEST: if (!tsg_packet_quarrequest_to_string(&buffer, &len, packet->tsgPacket.packetQuarRequest)) goto fail; break; case TSG_PACKET_TYPE_RESPONSE: if (!tsg_packet_response_to_string(&buffer, &len, packet->tsgPacket.packetResponse)) goto fail; break; case TSG_PACKET_TYPE_QUARENC_RESPONSE: if (!tsg_packet_quarenc_response_to_string(&buffer, &len, packet->tsgPacket.packetQuarEncResponse)) goto fail; break; case TSG_PACKET_TYPE_CAPS_RESPONSE: if (!tsg_packet_caps_response_to_string(&buffer, &len, packet->tsgPacket.packetCapsResponse)) goto fail; break; case TSG_PACKET_TYPE_MSGREQUEST_PACKET: if (!tsg_packet_message_request_to_string(&buffer, &len, packet->tsgPacket.packetMsgRequest)) goto fail; break; case TSG_PACKET_TYPE_MESSAGE_PACKET: if (!tsg_packet_message_response_to_string(&buffer, &len, packet->tsgPacket.packetMsgResponse)) goto fail; break; case TSG_PACKET_TYPE_AUTH: if (!tsg_packet_auth_to_string(&buffer, &len, packet->tsgPacket.packetAuth)) goto fail; break; case TSG_PACKET_TYPE_REAUTH: if (!tsg_packet_reauth_to_string(&buffer, &len, packet->tsgPacket.packetReauth)) goto fail; break; default: if (!tsg_print(&buffer, &len, "INVALID")) goto fail; break; } if (!tsg_print(&buffer, &len, " }")) goto fail; fail: return sbuffer; } static BOOL tsg_stream_align(wStream* s, size_t align) { size_t pos; size_t offset = 0; if (!s) return FALSE; pos = Stream_GetPosition(s); if ((pos % align) != 0) offset = align - pos % align; return Stream_SafeSeek(s, offset); } static BIO_METHOD* BIO_s_tsg(void); /** * RPC Functions: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378623/ * Remote Procedure Call: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378651/ * RPC NDR Interface Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/hh802752/ */ /** * call sequence with silent reauth: * * TsProxyCreateTunnelRequest() * TsProxyCreateTunnelResponse(TunnelContext) * TsProxyAuthorizeTunnelRequest(TunnelContext) * TsProxyAuthorizeTunnelResponse() * TsProxyMakeTunnelCallRequest(TunnelContext) * TsProxyCreateChannelRequest(TunnelContext) * TsProxyCreateChannelResponse(ChannelContext) * TsProxySetupReceivePipeRequest(ChannelContext) * TsProxySendToServerRequest(ChannelContext) * * ... * * TsProxyMakeTunnelCallResponse(reauth) * TsProxyCreateTunnelRequest() * TsProxyMakeTunnelCallRequest(TunnelContext) * TsProxyCreateTunnelResponse(NewTunnelContext) * TsProxyAuthorizeTunnelRequest(NewTunnelContext) * TsProxyAuthorizeTunnelResponse() * TsProxyCreateChannelRequest(NewTunnelContext) * TsProxyCreateChannelResponse(NewChannelContext) * TsProxyCloseChannelRequest(NewChannelContext) * TsProxyCloseTunnelRequest(NewTunnelContext) * TsProxyCloseChannelResponse(NullChannelContext) * TsProxyCloseTunnelResponse(NullTunnelContext) * TsProxySendToServerRequest(ChannelContext) */ static int TsProxySendToServer(handle_t IDL_handle, const byte pRpcMessage[], UINT32 count, UINT32* lengths) { wStream* s; rdpTsg* tsg; size_t length; const byte* buffer1 = NULL; const byte* buffer2 = NULL; const byte* buffer3 = NULL; UINT32 buffer1Length; UINT32 buffer2Length; UINT32 buffer3Length; UINT32 numBuffers = 0; UINT32 totalDataBytes = 0; tsg = (rdpTsg*)IDL_handle; buffer1Length = buffer2Length = buffer3Length = 0; if (count > 0) { numBuffers++; buffer1 = &pRpcMessage[0]; buffer1Length = lengths[0]; totalDataBytes += lengths[0] + 4; } if (count > 1) { numBuffers++; buffer2 = &pRpcMessage[1]; buffer2Length = lengths[1]; totalDataBytes += lengths[1] + 4; } if (count > 2) { numBuffers++; buffer3 = &pRpcMessage[2]; buffer3Length = lengths[2]; totalDataBytes += lengths[2] + 4; } length = 28ull + totalDataBytes; if (length > INT_MAX) return -1; s = Stream_New(NULL, length); if (!s) { WLog_ERR(TAG, "Stream_New failed!"); return -1; } /* PCHANNEL_CONTEXT_HANDLE_NOSERIALIZE_NR (20 bytes) */ Stream_Write(s, &tsg->ChannelContext.ContextType, 4); /* ContextType (4 bytes) */ Stream_Write(s, tsg->ChannelContext.ContextUuid, 16); /* ContextUuid (16 bytes) */ Stream_Write_UINT32_BE(s, totalDataBytes); /* totalDataBytes (4 bytes) */ Stream_Write_UINT32_BE(s, numBuffers); /* numBuffers (4 bytes) */ if (buffer1Length > 0) Stream_Write_UINT32_BE(s, buffer1Length); /* buffer1Length (4 bytes) */ if (buffer2Length > 0) Stream_Write_UINT32_BE(s, buffer2Length); /* buffer2Length (4 bytes) */ if (buffer3Length > 0) Stream_Write_UINT32_BE(s, buffer3Length); /* buffer3Length (4 bytes) */ if (buffer1Length > 0) Stream_Write(s, buffer1, buffer1Length); /* buffer1 (variable) */ if (buffer2Length > 0) Stream_Write(s, buffer2, buffer2Length); /* buffer2 (variable) */ if (buffer3Length > 0) Stream_Write(s, buffer3, buffer3Length); /* buffer3 (variable) */ if (!rpc_client_write_call(tsg->rpc, s, TsProxySendToServerOpnum)) return -1; return (int)length; } /** * OpNum = 1 * * HRESULT TsProxyCreateTunnel( * [in, ref] PTSG_PACKET tsgPacket, * [out, ref] PTSG_PACKET* tsgPacketResponse, * [out] PTUNNEL_CONTEXT_HANDLE_SERIALIZE* tunnelContext, * [out] unsigned long* tunnelId * ); */ static BOOL TsProxyCreateTunnelWriteRequest(rdpTsg* tsg, const PTSG_PACKET tsgPacket) { BOOL rc = FALSE; BOOL write = TRUE; UINT16 opnum = 0; wStream* s; rdpRpc* rpc; if (!tsg || !tsg->rpc) return FALSE; rpc = tsg->rpc; WLog_DBG(TAG, "%s: %s", __FUNCTION__, tsg_packet_to_string(tsgPacket)); s = Stream_New(NULL, 108); if (!s) return FALSE; switch (tsgPacket->packetId) { case TSG_PACKET_TYPE_VERSIONCAPS: { PTSG_PACKET_VERSIONCAPS packetVersionCaps = tsgPacket->tsgPacket.packetVersionCaps; PTSG_CAPABILITY_NAP tsgCapNap = &packetVersionCaps->tsgCaps->tsgPacket.tsgCapNap; Stream_Write_UINT32(s, tsgPacket->packetId); /* PacketId (4 bytes) */ Stream_Write_UINT32(s, tsgPacket->packetId); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, 0x00020000); /* PacketVersionCapsPtr (4 bytes) */ Stream_Write_UINT16( s, packetVersionCaps->tsgHeader.ComponentId); /* ComponentId (2 bytes) */ Stream_Write_UINT16(s, packetVersionCaps->tsgHeader.PacketId); /* PacketId (2 bytes) */ Stream_Write_UINT32(s, 0x00020004); /* TsgCapsPtr (4 bytes) */ Stream_Write_UINT32(s, packetVersionCaps->numCapabilities); /* NumCapabilities (4 bytes) */ Stream_Write_UINT16(s, packetVersionCaps->majorVersion); /* MajorVersion (2 bytes) */ Stream_Write_UINT16(s, packetVersionCaps->minorVersion); /* MinorVersion (2 bytes) */ Stream_Write_UINT16( s, packetVersionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */ /* 4-byte alignment (30 + 2) */ Stream_Write_UINT16(s, 0x0000); /* pad (2 bytes) */ Stream_Write_UINT32(s, packetVersionCaps->numCapabilities); /* MaxCount (4 bytes) */ Stream_Write_UINT32( s, packetVersionCaps->tsgCaps->capabilityType); /* CapabilityType (4 bytes) */ Stream_Write_UINT32( s, packetVersionCaps->tsgCaps->capabilityType); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, tsgCapNap->capabilities); /* capabilities (4 bytes) */ /** * The following 60-byte structure is apparently undocumented, * but parts of it can be matched to known C706 data structures. */ /* * 8-byte constant (8A E3 13 71 02 F4 36 71) also observed here: * http://lists.samba.org/archive/cifs-protocol/2010-July/001543.html */ Stream_Write_UINT8(s, 0x8A); Stream_Write_UINT8(s, 0xE3); Stream_Write_UINT8(s, 0x13); Stream_Write_UINT8(s, 0x71); Stream_Write_UINT8(s, 0x02); Stream_Write_UINT8(s, 0xF4); Stream_Write_UINT8(s, 0x36); Stream_Write_UINT8(s, 0x71); Stream_Write_UINT32(s, 0x00040001); /* 1.4 (version?) */ Stream_Write_UINT32(s, 0x00000001); /* 1 (element count?) */ /* p_cont_list_t */ Stream_Write_UINT8(s, 2); /* ncontext_elem */ Stream_Write_UINT8(s, 0x40); /* reserved1 */ Stream_Write_UINT16(s, 0x0028); /* reserved2 */ /* p_syntax_id_t */ Stream_Write(s, &TSGU_UUID, sizeof(p_uuid_t)); Stream_Write_UINT32(s, TSGU_SYNTAX_IF_VERSION); /* p_syntax_id_t */ Stream_Write(s, &NDR_UUID, sizeof(p_uuid_t)); Stream_Write_UINT32(s, NDR_SYNTAX_IF_VERSION); opnum = TsProxyCreateTunnelOpnum; } break; case TSG_PACKET_TYPE_REAUTH: { PTSG_PACKET_REAUTH packetReauth = tsgPacket->tsgPacket.packetReauth; PTSG_PACKET_VERSIONCAPS packetVersionCaps = packetReauth->tsgInitialPacket.packetVersionCaps; PTSG_CAPABILITY_NAP tsgCapNap = &packetVersionCaps->tsgCaps->tsgPacket.tsgCapNap; Stream_Write_UINT32(s, tsgPacket->packetId); /* PacketId (4 bytes) */ Stream_Write_UINT32(s, tsgPacket->packetId); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, 0x00020000); /* PacketReauthPtr (4 bytes) */ Stream_Write_UINT32(s, 0); /* ??? (4 bytes) */ Stream_Write_UINT64(s, packetReauth->tunnelContext); /* TunnelContext (8 bytes) */ Stream_Write_UINT32(s, TSG_PACKET_TYPE_VERSIONCAPS); /* PacketId (4 bytes) */ Stream_Write_UINT32(s, TSG_PACKET_TYPE_VERSIONCAPS); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, 0x00020004); /* PacketVersionCapsPtr (4 bytes) */ Stream_Write_UINT16( s, packetVersionCaps->tsgHeader.ComponentId); /* ComponentId (2 bytes) */ Stream_Write_UINT16(s, packetVersionCaps->tsgHeader.PacketId); /* PacketId (2 bytes) */ Stream_Write_UINT32(s, 0x00020008); /* TsgCapsPtr (4 bytes) */ Stream_Write_UINT32(s, packetVersionCaps->numCapabilities); /* NumCapabilities (4 bytes) */ Stream_Write_UINT16(s, packetVersionCaps->majorVersion); /* MajorVersion (2 bytes) */ Stream_Write_UINT16(s, packetVersionCaps->minorVersion); /* MinorVersion (2 bytes) */ Stream_Write_UINT16( s, packetVersionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */ /* 4-byte alignment (30 + 2) */ Stream_Write_UINT16(s, 0x0000); /* pad (2 bytes) */ Stream_Write_UINT32(s, packetVersionCaps->numCapabilities); /* MaxCount (4 bytes) */ Stream_Write_UINT32( s, packetVersionCaps->tsgCaps->capabilityType); /* CapabilityType (4 bytes) */ Stream_Write_UINT32( s, packetVersionCaps->tsgCaps->capabilityType); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, tsgCapNap->capabilities); /* capabilities (4 bytes) */ opnum = TsProxyCreateTunnelOpnum; } break; default: write = FALSE; break; } rc = TRUE; if (write) return rpc_client_write_call(rpc, s, opnum); Stream_Free(s, TRUE); return rc; } static BOOL TsProxyCreateTunnelReadResponse(rdpTsg* tsg, RPC_PDU* pdu, CONTEXT_HANDLE* tunnelContext, UINT32* tunnelId) { BOOL rc = FALSE; UINT32 count; UINT32 Pointer; PTSG_PACKET packet; UINT32 SwitchValue; UINT32 MessageSwitchValue = 0; UINT32 IsMessagePresent; rdpContext* context; PTSG_PACKET_CAPABILITIES tsgCaps = NULL; PTSG_PACKET_VERSIONCAPS versionCaps = NULL; TSG_PACKET_STRING_MESSAGE packetStringMessage; PTSG_PACKET_CAPS_RESPONSE packetCapsResponse = NULL; PTSG_PACKET_QUARENC_RESPONSE packetQuarEncResponse = NULL; assert(tsg); assert(tsg->rpc); context = tsg->rpc->context; assert(context); if (!pdu) return FALSE; packet = (PTSG_PACKET)calloc(1, sizeof(TSG_PACKET)); if (!packet) return FALSE; if (Stream_GetRemainingLength(pdu->s) < 12) goto fail; Stream_Seek_UINT32(pdu->s); /* PacketPtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packet->packetId); /* PacketId (4 bytes) */ Stream_Read_UINT32(pdu->s, SwitchValue); /* SwitchValue (4 bytes) */ WLog_DBG(TAG, "%s: %s", __FUNCTION__, tsg_packet_id_to_string(packet->packetId)); if ((packet->packetId == TSG_PACKET_TYPE_CAPS_RESPONSE) && (SwitchValue == TSG_PACKET_TYPE_CAPS_RESPONSE)) { packetCapsResponse = (PTSG_PACKET_CAPS_RESPONSE)calloc(1, sizeof(TSG_PACKET_CAPS_RESPONSE)); if (!packetCapsResponse) goto fail; packet->tsgPacket.packetCapsResponse = packetCapsResponse; if (Stream_GetRemainingLength(pdu->s) < 32) goto fail; Stream_Seek_UINT32(pdu->s); /* PacketQuarResponsePtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packetCapsResponse->pktQuarEncResponse.flags); /* Flags (4 bytes) */ Stream_Read_UINT32( pdu->s, packetCapsResponse->pktQuarEncResponse.certChainLen); /* CertChainLength (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* CertChainDataPtr (4 bytes) */ Stream_Read(pdu->s, &packetCapsResponse->pktQuarEncResponse.nonce, 16); /* Nonce (16 bytes) */ Stream_Read_UINT32(pdu->s, Pointer); /* VersionCapsPtr (4 bytes) */ if ((Pointer == 0x0002000C) || (Pointer == 0x00020008)) { if (Stream_GetRemainingLength(pdu->s) < 16) goto fail; Stream_Seek_UINT32(pdu->s); /* MsgId (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* MsgType (4 bytes) */ Stream_Read_UINT32(pdu->s, IsMessagePresent); /* IsMessagePresent (4 bytes) */ Stream_Read_UINT32(pdu->s, MessageSwitchValue); /* MessageSwitchValue (4 bytes) */ } if (packetCapsResponse->pktQuarEncResponse.certChainLen > 0) { if (Stream_GetRemainingLength(pdu->s) < 16) goto fail; Stream_Read_UINT32(pdu->s, Pointer); /* MsgPtr (4 bytes): 0x00020014 */ Stream_Seek_UINT32(pdu->s); /* MaxCount (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* Offset (4 bytes) */ Stream_Read_UINT32(pdu->s, count); /* ActualCount (4 bytes) */ /* * CertChainData is a wide character string, and the count is * given in characters excluding the null terminator, therefore: * size = (count * 2) */ if (!Stream_SafeSeek(pdu->s, count * 2)) /* CertChainData */ goto fail; /* 4-byte alignment */ if (!tsg_stream_align(pdu->s, 4)) goto fail; } else { if (Stream_GetRemainingLength(pdu->s) < 4) goto fail; Stream_Read_UINT32(pdu->s, Pointer); /* Ptr (4 bytes) */ } versionCaps = (PTSG_PACKET_VERSIONCAPS)calloc(1, sizeof(TSG_PACKET_VERSIONCAPS)); if (!versionCaps) goto fail; packetCapsResponse->pktQuarEncResponse.versionCaps = versionCaps; if (Stream_GetRemainingLength(pdu->s) < 18) goto fail; Stream_Read_UINT16(pdu->s, versionCaps->tsgHeader.ComponentId); /* ComponentId (2 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->tsgHeader.PacketId); /* PacketId (2 bytes) */ if (versionCaps->tsgHeader.ComponentId != TS_GATEWAY_TRANSPORT) { WLog_ERR(TAG, "Unexpected ComponentId: 0x%04" PRIX16 ", Expected TS_GATEWAY_TRANSPORT", versionCaps->tsgHeader.ComponentId); goto fail; } Stream_Read_UINT32(pdu->s, Pointer); /* TsgCapsPtr (4 bytes) */ Stream_Read_UINT32(pdu->s, versionCaps->numCapabilities); /* NumCapabilities (4 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->majorVersion); /* MajorVersion (2 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->minorVersion); /* MinorVersion (2 bytes) */ Stream_Read_UINT16( pdu->s, versionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */ /* 4-byte alignment */ if (!tsg_stream_align(pdu->s, 4)) goto fail; tsgCaps = (PTSG_PACKET_CAPABILITIES)calloc(1, sizeof(TSG_PACKET_CAPABILITIES)); if (!tsgCaps) goto fail; versionCaps->tsgCaps = tsgCaps; if (Stream_GetRemainingLength(pdu->s) < 16) goto fail; Stream_Seek_UINT32(pdu->s); /* MaxCount (4 bytes) */ Stream_Read_UINT32(pdu->s, tsgCaps->capabilityType); /* CapabilityType (4 bytes) */ Stream_Read_UINT32(pdu->s, SwitchValue); /* SwitchValue (4 bytes) */ if ((SwitchValue != TSG_CAPABILITY_TYPE_NAP) || (tsgCaps->capabilityType != TSG_CAPABILITY_TYPE_NAP)) { WLog_ERR(TAG, "Unexpected CapabilityType: 0x%08" PRIX32 ", Expected TSG_CAPABILITY_TYPE_NAP", tsgCaps->capabilityType); goto fail; } Stream_Read_UINT32(pdu->s, tsgCaps->tsgPacket.tsgCapNap.capabilities); /* Capabilities (4 bytes) */ switch (MessageSwitchValue) { case TSG_ASYNC_MESSAGE_CONSENT_MESSAGE: case TSG_ASYNC_MESSAGE_SERVICE_MESSAGE: if (Stream_GetRemainingLength(pdu->s) < 16) goto fail; Stream_Read_INT32(pdu->s, packetStringMessage.isDisplayMandatory); Stream_Read_INT32(pdu->s, packetStringMessage.isConsentMandatory); Stream_Read_UINT32(pdu->s, packetStringMessage.msgBytes); Stream_Read_UINT32(pdu->s, Pointer); if (Pointer) { if (Stream_GetRemainingLength(pdu->s) < 12) goto fail; Stream_Seek_UINT32(pdu->s); /* MaxCount (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* Offset (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* Length (4 bytes) */ } if (packetStringMessage.msgBytes > TSG_MESSAGING_MAX_MESSAGE_LENGTH) { WLog_ERR(TAG, "Out of Spec Message Length %" PRIu32 "", packetStringMessage.msgBytes); goto fail; } packetStringMessage.msgBuffer = (WCHAR*)Stream_Pointer(pdu->s); if (Stream_GetRemainingLength(pdu->s) < packetStringMessage.msgBytes) { WLog_ERR(TAG, "Unable to read message (%" PRIu32 " remaining %" PRId32 ")", packetStringMessage.msgBytes, Stream_GetRemainingLength(pdu->s)); goto fail; } if (context->instance) { rc = IFCALLRESULT( TRUE, context->instance->PresentGatewayMessage, context->instance, TSG_ASYNC_MESSAGE_CONSENT_MESSAGE ? GATEWAY_MESSAGE_CONSENT : TSG_ASYNC_MESSAGE_SERVICE_MESSAGE, packetStringMessage.isDisplayMandatory != 0, packetStringMessage.isConsentMandatory != 0, packetStringMessage.msgBytes, packetStringMessage.msgBuffer); if (!rc) goto fail; } Stream_Seek(pdu->s, packetStringMessage.msgBytes); break; case TSG_ASYNC_MESSAGE_REAUTH: { if (!tsg_stream_align(pdu->s, 8)) goto fail; if (Stream_GetRemainingLength(pdu->s) < 8) goto fail; Stream_Seek_UINT64(pdu->s); /* TunnelContext (8 bytes) */ } break; default: WLog_ERR(TAG, "Unexpected Message Type: 0x%" PRIX32 "", MessageSwitchValue); goto fail; } if (!tsg_stream_align(pdu->s, 4)) goto fail; /* TunnelContext (20 bytes) */ if (Stream_GetRemainingLength(pdu->s) < 24) goto fail; Stream_Read_UINT32(pdu->s, tunnelContext->ContextType); /* ContextType (4 bytes) */ Stream_Read(pdu->s, tunnelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ Stream_Read_UINT32(pdu->s, *tunnelId); /* TunnelId (4 bytes) */ /* ReturnValue (4 bytes) */ } else if ((packet->packetId == TSG_PACKET_TYPE_QUARENC_RESPONSE) && (SwitchValue == TSG_PACKET_TYPE_QUARENC_RESPONSE)) { packetQuarEncResponse = (PTSG_PACKET_QUARENC_RESPONSE)calloc(1, sizeof(TSG_PACKET_QUARENC_RESPONSE)); if (!packetQuarEncResponse) goto fail; packet->tsgPacket.packetQuarEncResponse = packetQuarEncResponse; if (Stream_GetRemainingLength(pdu->s) < 32) goto fail; Stream_Seek_UINT32(pdu->s); /* PacketQuarResponsePtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packetQuarEncResponse->flags); /* Flags (4 bytes) */ Stream_Read_UINT32(pdu->s, packetQuarEncResponse->certChainLen); /* CertChainLength (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* CertChainDataPtr (4 bytes) */ Stream_Read(pdu->s, &packetQuarEncResponse->nonce, 16); /* Nonce (16 bytes) */ if (packetQuarEncResponse->certChainLen > 0) { if (Stream_GetRemainingLength(pdu->s) < 16) goto fail; Stream_Read_UINT32(pdu->s, Pointer); /* Ptr (4 bytes): 0x0002000C */ Stream_Seek_UINT32(pdu->s); /* MaxCount (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* Offset (4 bytes) */ Stream_Read_UINT32(pdu->s, count); /* ActualCount (4 bytes) */ /* * CertChainData is a wide character string, and the count is * given in characters excluding the null terminator, therefore: * size = (count * 2) */ if (!Stream_SafeSeek(pdu->s, count * 2)) /* CertChainData */ goto fail; /* 4-byte alignment */ if (!tsg_stream_align(pdu->s, 4)) goto fail; } else { if (Stream_GetRemainingLength(pdu->s) < 4) goto fail; Stream_Read_UINT32(pdu->s, Pointer); /* Ptr (4 bytes): 0x00020008 */ } versionCaps = (PTSG_PACKET_VERSIONCAPS)calloc(1, sizeof(TSG_PACKET_VERSIONCAPS)); if (!versionCaps) goto fail; packetQuarEncResponse->versionCaps = versionCaps; if (Stream_GetRemainingLength(pdu->s) < 18) goto fail; Stream_Read_UINT16(pdu->s, versionCaps->tsgHeader.ComponentId); /* ComponentId (2 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->tsgHeader.PacketId); /* PacketId (2 bytes) */ if (versionCaps->tsgHeader.ComponentId != TS_GATEWAY_TRANSPORT) { WLog_ERR(TAG, "Unexpected ComponentId: 0x%04" PRIX16 ", Expected TS_GATEWAY_TRANSPORT", versionCaps->tsgHeader.ComponentId); goto fail; } Stream_Read_UINT32(pdu->s, Pointer); /* TsgCapsPtr (4 bytes) */ Stream_Read_UINT32(pdu->s, versionCaps->numCapabilities); /* NumCapabilities (4 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->majorVersion); /* MajorVersion (2 bytes) */ Stream_Read_UINT16(pdu->s, versionCaps->minorVersion); /* MinorVersion (2 bytes) */ Stream_Read_UINT16( pdu->s, versionCaps->quarantineCapabilities); /* QuarantineCapabilities (2 bytes) */ /* 4-byte alignment */ if (!tsg_stream_align(pdu->s, 4)) goto fail; if (Stream_GetRemainingLength(pdu->s) < 36) goto fail; /* Not sure exactly what this is */ Stream_Seek_UINT32(pdu->s); /* 0x00000001 (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* 0x00000001 (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* 0x00000001 (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* 0x00000002 (4 bytes) */ /* TunnelContext (20 bytes) */ Stream_Read_UINT32(pdu->s, tunnelContext->ContextType); /* ContextType (4 bytes) */ Stream_Read(pdu->s, tunnelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ } else { WLog_ERR(TAG, "Unexpected PacketId: 0x%08" PRIX32 ", Expected TSG_PACKET_TYPE_CAPS_RESPONSE " "or TSG_PACKET_TYPE_QUARENC_RESPONSE", packet->packetId); goto fail; } rc = TRUE; fail: free(packetQuarEncResponse); free(packetCapsResponse); free(versionCaps); free(tsgCaps); free(packet); return rc; } /** * OpNum = 2 * * HRESULT TsProxyAuthorizeTunnel( * [in] PTUNNEL_CONTEXT_HANDLE_NOSERIALIZE tunnelContext, * [in, ref] PTSG_PACKET tsgPacket, * [out, ref] PTSG_PACKET* tsgPacketResponse * ); * */ static BOOL TsProxyAuthorizeTunnelWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* tunnelContext) { size_t pad; wStream* s; size_t count; size_t offset; rdpRpc* rpc; if (!tsg || !tsg->rpc || !tunnelContext || !tsg->MachineName) return FALSE; count = _wcslen(tsg->MachineName) + 1; if (count > UINT32_MAX) return FALSE; rpc = tsg->rpc; WLog_DBG(TAG, "TsProxyAuthorizeTunnelWriteRequest"); s = Stream_New(NULL, 1024 + count * 2); if (!s) return FALSE; /* TunnelContext (20 bytes) */ Stream_Write_UINT32(s, tunnelContext->ContextType); /* ContextType (4 bytes) */ Stream_Write(s, &tunnelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ /* 4-byte alignment */ Stream_Write_UINT32(s, TSG_PACKET_TYPE_QUARREQUEST); /* PacketId (4 bytes) */ Stream_Write_UINT32(s, TSG_PACKET_TYPE_QUARREQUEST); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, 0x00020000); /* PacketQuarRequestPtr (4 bytes) */ Stream_Write_UINT32(s, 0x00000000); /* Flags (4 bytes) */ Stream_Write_UINT32(s, 0x00020004); /* MachineNamePtr (4 bytes) */ Stream_Write_UINT32(s, (UINT32)count); /* NameLength (4 bytes) */ Stream_Write_UINT32(s, 0x00020008); /* DataPtr (4 bytes) */ Stream_Write_UINT32(s, 0); /* DataLength (4 bytes) */ /* MachineName */ Stream_Write_UINT32(s, (UINT32)count); /* MaxCount (4 bytes) */ Stream_Write_UINT32(s, 0); /* Offset (4 bytes) */ Stream_Write_UINT32(s, (UINT32)count); /* ActualCount (4 bytes) */ Stream_Write_UTF16_String(s, tsg->MachineName, count); /* Array */ /* 4-byte alignment */ offset = Stream_GetPosition(s); pad = rpc_offset_align(&offset, 4); Stream_Zero(s, pad); Stream_Write_UINT32(s, 0x00000000); /* MaxCount (4 bytes) */ Stream_SealLength(s); return rpc_client_write_call(rpc, s, TsProxyAuthorizeTunnelOpnum); } static BOOL TsProxyAuthorizeTunnelReadResponse(RPC_PDU* pdu) { BOOL rc = FALSE; UINT32 Pointer; UINT32 SizeValue; UINT32 SwitchValue; UINT32 idleTimeout; PTSG_PACKET packet = NULL; PTSG_PACKET_RESPONSE packetResponse = NULL; if (!pdu) return FALSE; packet = (PTSG_PACKET)calloc(1, sizeof(TSG_PACKET)); if (!packet) return FALSE; if (Stream_GetRemainingLength(pdu->s) < 68) goto fail; Stream_Seek_UINT32(pdu->s); /* PacketPtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packet->packetId); /* PacketId (4 bytes) */ Stream_Read_UINT32(pdu->s, SwitchValue); /* SwitchValue (4 bytes) */ WLog_DBG(TAG, "%s: %s", __FUNCTION__, tsg_packet_id_to_string(packet->packetId)); if (packet->packetId == E_PROXY_NAP_ACCESSDENIED) { WLog_ERR(TAG, "status: E_PROXY_NAP_ACCESSDENIED (0x%08X)", E_PROXY_NAP_ACCESSDENIED); WLog_ERR(TAG, "Ensure that the Gateway Connection Authorization Policy is correct"); goto fail; } if ((packet->packetId != TSG_PACKET_TYPE_RESPONSE) || (SwitchValue != TSG_PACKET_TYPE_RESPONSE)) { WLog_ERR(TAG, "Unexpected PacketId: 0x%08" PRIX32 ", Expected TSG_PACKET_TYPE_RESPONSE", packet->packetId); goto fail; } packetResponse = (PTSG_PACKET_RESPONSE)calloc(1, sizeof(TSG_PACKET_RESPONSE)); if (!packetResponse) goto fail; packet->tsgPacket.packetResponse = packetResponse; Stream_Read_UINT32(pdu->s, Pointer); /* PacketResponsePtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packetResponse->flags); /* Flags (4 bytes) */ if (packetResponse->flags != TSG_PACKET_TYPE_QUARREQUEST) { WLog_ERR(TAG, "Unexpected Packet Response Flags: 0x%08" PRIX32 ", Expected TSG_PACKET_TYPE_QUARREQUEST", packetResponse->flags); goto fail; } Stream_Seek_UINT32(pdu->s); /* Reserved (4 bytes) */ Stream_Read_UINT32(pdu->s, Pointer); /* ResponseDataPtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packetResponse->responseDataLen); /* ResponseDataLength (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags .enableAllRedirections); /* EnableAllRedirections (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags .disableAllRedirections); /* DisableAllRedirections (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags .driveRedirectionDisabled); /* DriveRedirectionDisabled (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags .printerRedirectionDisabled); /* PrinterRedirectionDisabled (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags .portRedirectionDisabled); /* PortRedirectionDisabled (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags.reserved); /* Reserved (4 bytes) */ Stream_Read_INT32( pdu->s, packetResponse->redirectionFlags .clipboardRedirectionDisabled); /* ClipboardRedirectionDisabled (4 bytes) */ Stream_Read_INT32(pdu->s, packetResponse->redirectionFlags .pnpRedirectionDisabled); /* PnpRedirectionDisabled (4 bytes) */ Stream_Read_UINT32(pdu->s, SizeValue); /* (4 bytes) */ if (SizeValue != packetResponse->responseDataLen) { WLog_ERR(TAG, "Unexpected size value: %" PRIu32 ", expected: %" PRIu32 "", SizeValue, packetResponse->responseDataLen); goto fail; } if (Stream_GetRemainingLength(pdu->s) < SizeValue) goto fail; if (SizeValue == 4) Stream_Read_UINT32(pdu->s, idleTimeout); else Stream_Seek(pdu->s, SizeValue); /* ResponseData */ rc = TRUE; fail: free(packetResponse); free(packet); return rc; } /** * OpNum = 3 * * HRESULT TsProxyMakeTunnelCall( * [in] PTUNNEL_CONTEXT_HANDLE_NOSERIALIZE tunnelContext, * [in] unsigned long procId, * [in, ref] PTSG_PACKET tsgPacket, * [out, ref] PTSG_PACKET* tsgPacketResponse * ); */ static BOOL TsProxyMakeTunnelCallWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* tunnelContext, UINT32 procId) { wStream* s; rdpRpc* rpc; if (!tsg || !tsg->rpc || !tunnelContext) return FALSE; rpc = tsg->rpc; WLog_DBG(TAG, "TsProxyMakeTunnelCallWriteRequest"); s = Stream_New(NULL, 40); if (!s) return FALSE; /* TunnelContext (20 bytes) */ Stream_Write_UINT32(s, tunnelContext->ContextType); /* ContextType (4 bytes) */ Stream_Write(s, tunnelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ Stream_Write_UINT32(s, procId); /* ProcId (4 bytes) */ /* 4-byte alignment */ Stream_Write_UINT32(s, TSG_PACKET_TYPE_MSGREQUEST_PACKET); /* PacketId (4 bytes) */ Stream_Write_UINT32(s, TSG_PACKET_TYPE_MSGREQUEST_PACKET); /* SwitchValue (4 bytes) */ Stream_Write_UINT32(s, 0x00020000); /* PacketMsgRequestPtr (4 bytes) */ Stream_Write_UINT32(s, 0x00000001); /* MaxMessagesPerBatch (4 bytes) */ return rpc_client_write_call(rpc, s, TsProxyMakeTunnelCallOpnum); } static BOOL TsProxyReadPacketSTringMessage(rdpTsg* tsg, wStream* s, TSG_PACKET_STRING_MESSAGE* msg) { UINT32 Pointer, ActualCount, MaxCount; if (!tsg || !s || !msg) return FALSE; if (Stream_GetRemainingLength(s) < 32) return FALSE; Stream_Read_UINT32(s, Pointer); /* ConsentMessagePtr (4 bytes) */ Stream_Read_INT32(s, msg->isDisplayMandatory); /* IsDisplayMandatory (4 bytes) */ Stream_Read_INT32(s, msg->isConsentMandatory); /* IsConsentMandatory (4 bytes) */ Stream_Read_UINT32(s, msg->msgBytes); /* MsgBytes (4 bytes) */ Stream_Read_UINT32(s, Pointer); /* MsgPtr (4 bytes) */ Stream_Read_UINT32(s, MaxCount); /* MaxCount (4 bytes) */ Stream_Seek_UINT32(s); /* Offset (4 bytes) */ Stream_Read_UINT32(s, ActualCount); /* ActualCount (4 bytes) */ if (msg->msgBytes < ActualCount * 2) return FALSE; if (Stream_GetRemainingLength(s) < msg->msgBytes) return FALSE; msg->msgBuffer = (WCHAR*)Stream_Pointer(s); Stream_Seek(s, msg->msgBytes); return TRUE; } static BOOL TsProxyMakeTunnelCallReadResponse(rdpTsg* tsg, RPC_PDU* pdu) { BOOL rc = FALSE; UINT32 Pointer; UINT32 SwitchValue; TSG_PACKET packet; rdpContext* context; char* messageText = NULL; TSG_PACKET_MSG_RESPONSE packetMsgResponse = { 0 }; TSG_PACKET_STRING_MESSAGE packetStringMessage = { 0 }; TSG_PACKET_REAUTH_MESSAGE packetReauthMessage = { 0 }; assert(tsg); assert(tsg->rpc); context = tsg->rpc->context; assert(context); /* This is an asynchronous response */ if (!pdu) return FALSE; if (Stream_GetRemainingLength(pdu->s) < 28) goto fail; Stream_Seek_UINT32(pdu->s); /* PacketPtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packet.packetId); /* PacketId (4 bytes) */ Stream_Read_UINT32(pdu->s, SwitchValue); /* SwitchValue (4 bytes) */ WLog_DBG(TAG, "%s: %s", __FUNCTION__, tsg_packet_id_to_string(packet.packetId)); if ((packet.packetId != TSG_PACKET_TYPE_MESSAGE_PACKET) || (SwitchValue != TSG_PACKET_TYPE_MESSAGE_PACKET)) { WLog_ERR(TAG, "Unexpected PacketId: 0x%08" PRIX32 ", Expected TSG_PACKET_TYPE_MESSAGE_PACKET", packet.packetId); goto fail; } Stream_Read_UINT32(pdu->s, Pointer); /* PacketMsgResponsePtr (4 bytes) */ Stream_Read_UINT32(pdu->s, packetMsgResponse.msgID); /* MsgId (4 bytes) */ Stream_Read_UINT32(pdu->s, packetMsgResponse.msgType); /* MsgType (4 bytes) */ Stream_Read_INT32(pdu->s, packetMsgResponse.isMsgPresent); /* IsMsgPresent (4 bytes) */ /* 2.2.9.2.1.9 TSG_PACKET_MSG_RESPONSE: Ignore empty message body. */ if (!packetMsgResponse.isMsgPresent) { rc = TRUE; goto fail; } Stream_Read_UINT32(pdu->s, SwitchValue); /* SwitchValue (4 bytes) */ switch (SwitchValue) { case TSG_ASYNC_MESSAGE_CONSENT_MESSAGE: if (!TsProxyReadPacketSTringMessage(tsg, pdu->s, &packetStringMessage)) goto fail; ConvertFromUnicode(CP_UTF8, 0, packetStringMessage.msgBuffer, packetStringMessage.msgBytes / 2, &messageText, 0, NULL, NULL); WLog_INFO(TAG, "Consent Message: %s", messageText); free(messageText); if (context->instance) { rc = IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance, GATEWAY_MESSAGE_CONSENT, packetStringMessage.isDisplayMandatory != 0, packetStringMessage.isConsentMandatory != 0, packetStringMessage.msgBytes, packetStringMessage.msgBuffer); } break; case TSG_ASYNC_MESSAGE_SERVICE_MESSAGE: if (!TsProxyReadPacketSTringMessage(tsg, pdu->s, &packetStringMessage)) goto fail; ConvertFromUnicode(CP_UTF8, 0, packetStringMessage.msgBuffer, packetStringMessage.msgBytes / 2, &messageText, 0, NULL, NULL); WLog_INFO(TAG, "Service Message: %s", messageText); free(messageText); if (context->instance) { rc = IFCALLRESULT(TRUE, context->instance->PresentGatewayMessage, context->instance, GATEWAY_MESSAGE_SERVICE, packetStringMessage.isDisplayMandatory != 0, packetStringMessage.isConsentMandatory != 0, packetStringMessage.msgBytes, packetStringMessage.msgBuffer); } break; case TSG_ASYNC_MESSAGE_REAUTH: if (Stream_GetRemainingLength(pdu->s) < 20) goto fail; Stream_Read_UINT32(pdu->s, Pointer); /* ReauthMessagePtr (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* alignment pad (4 bytes) */ Stream_Read_UINT64(pdu->s, packetReauthMessage.tunnelContext); /* TunnelContext (8 bytes) */ Stream_Seek_UINT32(pdu->s); /* ReturnValue (4 bytes) */ tsg->ReauthTunnelContext = packetReauthMessage.tunnelContext; break; default: WLog_ERR(TAG, "unexpected message type: %" PRIu32 "", SwitchValue); goto fail; } rc = TRUE; fail: return rc; } /** * OpNum = 4 * * HRESULT TsProxyCreateChannel( * [in] PTUNNEL_CONTEXT_HANDLE_NOSERIALIZE tunnelContext, * [in, ref] PTSENDPOINTINFO tsEndPointInfo, * [out] PCHANNEL_CONTEXT_HANDLE_SERIALIZE* channelContext, * [out] unsigned long* channelId * ); */ static BOOL TsProxyCreateChannelWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* tunnelContext) { size_t count; wStream* s; rdpRpc* rpc; WLog_DBG(TAG, "TsProxyCreateChannelWriteRequest"); if (!tsg || !tsg->rpc || !tunnelContext || !tsg->Hostname) return FALSE; rpc = tsg->rpc; count = _wcslen(tsg->Hostname) + 1; if (count > UINT32_MAX) return FALSE; s = Stream_New(NULL, 60 + count * 2); if (!s) return FALSE; /* TunnelContext (20 bytes) */ Stream_Write_UINT32(s, tunnelContext->ContextType); /* ContextType (4 bytes) */ Stream_Write(s, tunnelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ /* TSENDPOINTINFO */ Stream_Write_UINT32(s, 0x00020000); /* ResourceNamePtr (4 bytes) */ Stream_Write_UINT32(s, 0x00000001); /* NumResourceNames (4 bytes) */ Stream_Write_UINT32(s, 0x00000000); /* AlternateResourceNamesPtr (4 bytes) */ Stream_Write_UINT16(s, 0x0000); /* NumAlternateResourceNames (2 bytes) */ Stream_Write_UINT16(s, 0x0000); /* Pad (2 bytes) */ /* Port (4 bytes) */ Stream_Write_UINT16(s, 0x0003); /* ProtocolId (RDP = 3) (2 bytes) */ Stream_Write_UINT16(s, tsg->Port); /* PortNumber (0xD3D = 3389) (2 bytes) */ Stream_Write_UINT32(s, 0x00000001); /* NumResourceNames (4 bytes) */ Stream_Write_UINT32(s, 0x00020004); /* ResourceNamePtr (4 bytes) */ Stream_Write_UINT32(s, (UINT32)count); /* MaxCount (4 bytes) */ Stream_Write_UINT32(s, 0); /* Offset (4 bytes) */ Stream_Write_UINT32(s, (UINT32)count); /* ActualCount (4 bytes) */ Stream_Write_UTF16_String(s, tsg->Hostname, count); /* Array */ return rpc_client_write_call(rpc, s, TsProxyCreateChannelOpnum); } static BOOL TsProxyCreateChannelReadResponse(RPC_PDU* pdu, CONTEXT_HANDLE* channelContext, UINT32* channelId) { BOOL rc = FALSE; WLog_DBG(TAG, "TsProxyCreateChannelReadResponse"); if (!pdu) return FALSE; if (Stream_GetRemainingLength(pdu->s) < 28) goto fail; /* ChannelContext (20 bytes) */ Stream_Read_UINT32(pdu->s, channelContext->ContextType); /* ContextType (4 bytes) */ Stream_Read(pdu->s, channelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ Stream_Read_UINT32(pdu->s, *channelId); /* ChannelId (4 bytes) */ Stream_Seek_UINT32(pdu->s); /* ReturnValue (4 bytes) */ rc = TRUE; fail: return rc; } /** * HRESULT TsProxyCloseChannel( * [in, out] PCHANNEL_CONTEXT_HANDLE_NOSERIALIZE* context * ); */ static BOOL TsProxyCloseChannelWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* context) { wStream* s; rdpRpc* rpc; WLog_DBG(TAG, "TsProxyCloseChannelWriteRequest"); if (!tsg || !tsg->rpc || !context) return FALSE; rpc = tsg->rpc; s = Stream_New(NULL, 20); if (!s) return FALSE; /* ChannelContext (20 bytes) */ Stream_Write_UINT32(s, context->ContextType); /* ContextType (4 bytes) */ Stream_Write(s, context->ContextUuid, 16); /* ContextUuid (16 bytes) */ return rpc_client_write_call(rpc, s, TsProxyCloseChannelOpnum); } static BOOL TsProxyCloseChannelReadResponse(RPC_PDU* pdu, CONTEXT_HANDLE* context) { BOOL rc = FALSE; WLog_DBG(TAG, "TsProxyCloseChannelReadResponse"); if (!pdu) return FALSE; if (Stream_GetRemainingLength(pdu->s) < 24) goto fail; /* ChannelContext (20 bytes) */ Stream_Read_UINT32(pdu->s, context->ContextType); /* ContextType (4 bytes) */ Stream_Read(pdu->s, context->ContextUuid, 16); /* ContextUuid (16 bytes) */ Stream_Seek_UINT32(pdu->s); /* ReturnValue (4 bytes) */ rc = TRUE; fail: return rc; } /** * HRESULT TsProxyCloseTunnel( * [in, out] PTUNNEL_CONTEXT_HANDLE_SERIALIZE* context * ); */ static BOOL TsProxyCloseTunnelWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* context) { wStream* s; rdpRpc* rpc; WLog_DBG(TAG, "TsProxyCloseTunnelWriteRequest"); if (!tsg || !tsg->rpc || !context) return FALSE; rpc = tsg->rpc; s = Stream_New(NULL, 20); if (!s) return FALSE; /* TunnelContext (20 bytes) */ Stream_Write_UINT32(s, context->ContextType); /* ContextType (4 bytes) */ Stream_Write(s, context->ContextUuid, 16); /* ContextUuid (16 bytes) */ return rpc_client_write_call(rpc, s, TsProxyCloseTunnelOpnum); } static BOOL TsProxyCloseTunnelReadResponse(RPC_PDU* pdu, CONTEXT_HANDLE* context) { BOOL rc = FALSE; WLog_DBG(TAG, "TsProxyCloseTunnelReadResponse"); if (!pdu || !context) return FALSE; if (Stream_GetRemainingLength(pdu->s) < 24) goto fail; /* TunnelContext (20 bytes) */ Stream_Read_UINT32(pdu->s, context->ContextType); /* ContextType (4 bytes) */ Stream_Read(pdu->s, context->ContextUuid, 16); /* ContextUuid (16 bytes) */ Stream_Seek_UINT32(pdu->s); /* ReturnValue (4 bytes) */ rc = TRUE; fail: return rc; } /** * OpNum = 8 * * DWORD TsProxySetupReceivePipe( * [in, max_is(32767)] byte pRpcMessage[] * ); */ static BOOL TsProxySetupReceivePipeWriteRequest(rdpTsg* tsg, CONTEXT_HANDLE* channelContext) { wStream* s; rdpRpc* rpc; WLog_DBG(TAG, "TsProxySetupReceivePipeWriteRequest"); if (!tsg || !tsg->rpc || !channelContext) return FALSE; rpc = tsg->rpc; s = Stream_New(NULL, 20); if (!s) return FALSE; /* ChannelContext (20 bytes) */ Stream_Write_UINT32(s, channelContext->ContextType); /* ContextType (4 bytes) */ Stream_Write(s, channelContext->ContextUuid, 16); /* ContextUuid (16 bytes) */ return rpc_client_write_call(rpc, s, TsProxySetupReceivePipeOpnum); } static BOOL tsg_transition_to_state(rdpTsg* tsg, TSG_STATE state) { const char* oldState = tsg_state_to_string(tsg->state); const char* newState = tsg_state_to_string(state); WLog_DBG(TAG, "%s -> %s", oldState, newState); return tsg_set_state(tsg, state); } BOOL tsg_proxy_begin(rdpTsg* tsg) { TSG_PACKET tsgPacket = { 0 }; PTSG_CAPABILITY_NAP tsgCapNap; PTSG_PACKET_VERSIONCAPS packetVersionCaps; if (!tsg) return FALSE; packetVersionCaps = &tsg->packetVersionCaps; packetVersionCaps->tsgCaps = &tsg->tsgCaps; tsgCapNap = &tsg->tsgCaps.tsgPacket.tsgCapNap; tsgPacket.packetId = TSG_PACKET_TYPE_VERSIONCAPS; tsgPacket.tsgPacket.packetVersionCaps = packetVersionCaps; packetVersionCaps->tsgHeader.ComponentId = TS_GATEWAY_TRANSPORT; packetVersionCaps->tsgHeader.PacketId = TSG_PACKET_TYPE_VERSIONCAPS; packetVersionCaps->numCapabilities = 1; packetVersionCaps->majorVersion = 1; packetVersionCaps->minorVersion = 1; packetVersionCaps->quarantineCapabilities = 0; packetVersionCaps->tsgCaps->capabilityType = TSG_CAPABILITY_TYPE_NAP; /* * Using reduced capabilities appears to trigger * TSG_PACKET_TYPE_QUARENC_RESPONSE instead of TSG_PACKET_TYPE_CAPS_RESPONSE * * However, reduced capabilities may break connectivity with servers enforcing features, such as * "Only allow connections from Remote Desktop Services clients that support RD Gateway * messaging" */ tsgCapNap->capabilities = TSG_NAP_CAPABILITY_QUAR_SOH | TSG_NAP_CAPABILITY_IDLE_TIMEOUT | TSG_MESSAGING_CAP_CONSENT_SIGN | TSG_MESSAGING_CAP_SERVICE_MSG | TSG_MESSAGING_CAP_REAUTH; if (!TsProxyCreateTunnelWriteRequest(tsg, &tsgPacket)) { WLog_ERR(TAG, "TsProxyCreateTunnel failure"); tsg_transition_to_state(tsg, TSG_STATE_FINAL); return FALSE; } return tsg_transition_to_state(tsg, TSG_STATE_INITIAL); } static BOOL tsg_proxy_reauth(rdpTsg* tsg) { TSG_PACKET tsgPacket = { 0 }; PTSG_PACKET_REAUTH packetReauth; PTSG_PACKET_VERSIONCAPS packetVersionCaps; if (!tsg) return FALSE; tsg->reauthSequence = TRUE; packetReauth = &tsg->packetReauth; packetVersionCaps = &tsg->packetVersionCaps; if (!packetReauth || !packetVersionCaps) return FALSE; tsgPacket.packetId = TSG_PACKET_TYPE_REAUTH; tsgPacket.tsgPacket.packetReauth = &tsg->packetReauth; packetReauth->tunnelContext = tsg->ReauthTunnelContext; packetReauth->packetId = TSG_PACKET_TYPE_VERSIONCAPS; packetReauth->tsgInitialPacket.packetVersionCaps = packetVersionCaps; if (!TsProxyCreateTunnelWriteRequest(tsg, &tsgPacket)) { WLog_ERR(TAG, "TsProxyCreateTunnel failure"); tsg_transition_to_state(tsg, TSG_STATE_FINAL); return FALSE; } if (!TsProxyMakeTunnelCallWriteRequest(tsg, &tsg->TunnelContext, TSG_TUNNEL_CALL_ASYNC_MSG_REQUEST)) { WLog_ERR(TAG, "TsProxyMakeTunnelCall failure"); tsg_transition_to_state(tsg, TSG_STATE_FINAL); return FALSE; } return tsg_transition_to_state(tsg, TSG_STATE_INITIAL); } BOOL tsg_recv_pdu(rdpTsg* tsg, RPC_PDU* pdu) { BOOL rc = FALSE; RpcClientCall* call; rdpRpc* rpc; if (!tsg || !tsg->rpc || !pdu) return FALSE; rpc = tsg->rpc; if (!(pdu->Flags & RPC_PDU_FLAG_STUB)) { if (!Stream_SafeSeek(pdu->s, 24)) return FALSE; } switch (tsg->state) { case TSG_STATE_INITIAL: { CONTEXT_HANDLE* TunnelContext; TunnelContext = (tsg->reauthSequence) ? &tsg->NewTunnelContext : &tsg->TunnelContext; if (!TsProxyCreateTunnelReadResponse(tsg, pdu, TunnelContext, &tsg->TunnelId)) { WLog_ERR(TAG, "TsProxyCreateTunnelReadResponse failure"); return FALSE; } if (!tsg_transition_to_state(tsg, TSG_STATE_CONNECTED)) return FALSE; if (!TsProxyAuthorizeTunnelWriteRequest(tsg, TunnelContext)) { WLog_ERR(TAG, "TsProxyAuthorizeTunnel failure"); return FALSE; } rc = TRUE; } break; case TSG_STATE_CONNECTED: { CONTEXT_HANDLE* TunnelContext; TunnelContext = (tsg->reauthSequence) ? &tsg->NewTunnelContext : &tsg->TunnelContext; if (!TsProxyAuthorizeTunnelReadResponse(pdu)) { WLog_ERR(TAG, "TsProxyAuthorizeTunnelReadResponse failure"); return FALSE; } if (!tsg_transition_to_state(tsg, TSG_STATE_AUTHORIZED)) return FALSE; if (!tsg->reauthSequence) { if (!TsProxyMakeTunnelCallWriteRequest(tsg, TunnelContext, TSG_TUNNEL_CALL_ASYNC_MSG_REQUEST)) { WLog_ERR(TAG, "TsProxyMakeTunnelCall failure"); return FALSE; } } if (!TsProxyCreateChannelWriteRequest(tsg, TunnelContext)) { WLog_ERR(TAG, "TsProxyCreateChannel failure"); return FALSE; } rc = TRUE; } break; case TSG_STATE_AUTHORIZED: call = rpc_client_call_find_by_id(rpc->client, pdu->CallId); if (!call) return FALSE; if (call->OpNum == TsProxyMakeTunnelCallOpnum) { if (!TsProxyMakeTunnelCallReadResponse(tsg, pdu)) { WLog_ERR(TAG, "TsProxyMakeTunnelCallReadResponse failure"); return FALSE; } rc = TRUE; } else if (call->OpNum == TsProxyCreateChannelOpnum) { CONTEXT_HANDLE ChannelContext; if (!TsProxyCreateChannelReadResponse(pdu, &ChannelContext, &tsg->ChannelId)) { WLog_ERR(TAG, "TsProxyCreateChannelReadResponse failure"); return FALSE; } if (!tsg->reauthSequence) CopyMemory(&tsg->ChannelContext, &ChannelContext, sizeof(CONTEXT_HANDLE)); else CopyMemory(&tsg->NewChannelContext, &ChannelContext, sizeof(CONTEXT_HANDLE)); if (!tsg_transition_to_state(tsg, TSG_STATE_CHANNEL_CREATED)) return FALSE; if (!tsg->reauthSequence) { if (!TsProxySetupReceivePipeWriteRequest(tsg, &tsg->ChannelContext)) { WLog_ERR(TAG, "TsProxySetupReceivePipe failure"); return FALSE; } } else { if (!TsProxyCloseChannelWriteRequest(tsg, &tsg->NewChannelContext)) { WLog_ERR(TAG, "TsProxyCloseChannelWriteRequest failure"); return FALSE; } if (!TsProxyCloseTunnelWriteRequest(tsg, &tsg->NewTunnelContext)) { WLog_ERR(TAG, "TsProxyCloseTunnelWriteRequest failure"); return FALSE; } } rc = tsg_transition_to_state(tsg, TSG_STATE_PIPE_CREATED); tsg->reauthSequence = FALSE; } else { WLog_ERR(TAG, "TSG_STATE_AUTHORIZED unexpected OpNum: %" PRIu32 "\n", call->OpNum); } break; case TSG_STATE_CHANNEL_CREATED: break; case TSG_STATE_PIPE_CREATED: call = rpc_client_call_find_by_id(rpc->client, pdu->CallId); if (!call) return FALSE; if (call->OpNum == TsProxyMakeTunnelCallOpnum) { if (!TsProxyMakeTunnelCallReadResponse(tsg, pdu)) { WLog_ERR(TAG, "TsProxyMakeTunnelCallReadResponse failure"); return FALSE; } rc = TRUE; if (tsg->ReauthTunnelContext) rc = tsg_proxy_reauth(tsg); } else if (call->OpNum == TsProxyCloseChannelOpnum) { CONTEXT_HANDLE ChannelContext; if (!TsProxyCloseChannelReadResponse(pdu, &ChannelContext)) { WLog_ERR(TAG, "TsProxyCloseChannelReadResponse failure"); return FALSE; } rc = TRUE; } else if (call->OpNum == TsProxyCloseTunnelOpnum) { CONTEXT_HANDLE TunnelContext; if (!TsProxyCloseTunnelReadResponse(pdu, &TunnelContext)) { WLog_ERR(TAG, "TsProxyCloseTunnelReadResponse failure"); return FALSE; } rc = TRUE; } break; case TSG_STATE_TUNNEL_CLOSE_PENDING: { CONTEXT_HANDLE ChannelContext; if (!TsProxyCloseChannelReadResponse(pdu, &ChannelContext)) { WLog_ERR(TAG, "TsProxyCloseChannelReadResponse failure"); return FALSE; } if (!tsg_transition_to_state(tsg, TSG_STATE_CHANNEL_CLOSE_PENDING)) return FALSE; if (!TsProxyCloseChannelWriteRequest(tsg, NULL)) { WLog_ERR(TAG, "TsProxyCloseChannelWriteRequest failure"); return FALSE; } if (!TsProxyMakeTunnelCallWriteRequest(tsg, &tsg->TunnelContext, TSG_TUNNEL_CANCEL_ASYNC_MSG_REQUEST)) { WLog_ERR(TAG, "TsProxyMakeTunnelCall failure"); return FALSE; } rc = TRUE; } break; case TSG_STATE_CHANNEL_CLOSE_PENDING: { CONTEXT_HANDLE TunnelContext; if (!TsProxyCloseTunnelReadResponse(pdu, &TunnelContext)) { WLog_ERR(TAG, "TsProxyCloseTunnelReadResponse failure"); return FALSE; } rc = tsg_transition_to_state(tsg, TSG_STATE_FINAL); } break; case TSG_STATE_FINAL: break; } return rc; } BOOL tsg_check_event_handles(rdpTsg* tsg) { if (rpc_client_in_channel_recv(tsg->rpc) < 0) return FALSE; if (rpc_client_out_channel_recv(tsg->rpc) < 0) return FALSE; return TRUE; } DWORD tsg_get_event_handles(rdpTsg* tsg, HANDLE* events, DWORD count) { UINT32 nCount = 0; rdpRpc* rpc = tsg->rpc; RpcVirtualConnection* connection = rpc->VirtualConnection; if (events && (nCount < count)) { events[nCount] = rpc->client->PipeEvent; nCount++; } else return 0; if (connection->DefaultInChannel && connection->DefaultInChannel->common.tls) { if (events && (nCount < count)) { BIO_get_event(connection->DefaultInChannel->common.tls->bio, &events[nCount]); nCount++; } else return 0; } if (connection->NonDefaultInChannel && connection->NonDefaultInChannel->common.tls) { if (events && (nCount < count)) { BIO_get_event(connection->NonDefaultInChannel->common.tls->bio, &events[nCount]); nCount++; } else return 0; } if (connection->DefaultOutChannel && connection->DefaultOutChannel->common.tls) { if (events && (nCount < count)) { BIO_get_event(connection->DefaultOutChannel->common.tls->bio, &events[nCount]); nCount++; } else return 0; } if (connection->NonDefaultOutChannel && connection->NonDefaultOutChannel->common.tls) { if (events && (nCount < count)) { BIO_get_event(connection->NonDefaultOutChannel->common.tls->bio, &events[nCount]); nCount++; } else return 0; } return nCount; } static BOOL tsg_set_hostname(rdpTsg* tsg, const char* hostname) { free(tsg->Hostname); tsg->Hostname = NULL; ConvertToUnicode(CP_UTF8, 0, hostname, -1, &tsg->Hostname, 0); return TRUE; } static BOOL tsg_set_machine_name(rdpTsg* tsg, const char* machineName) { free(tsg->MachineName); tsg->MachineName = NULL; ConvertToUnicode(CP_UTF8, 0, machineName, -1, &tsg->MachineName, 0); return TRUE; } BOOL tsg_connect(rdpTsg* tsg, const char* hostname, UINT16 port, DWORD timeout) { UINT64 looptimeout = timeout * 1000ULL; DWORD nCount; HANDLE events[MAXIMUM_WAIT_OBJECTS] = { 0 }; rdpRpc* rpc; rdpContext* context; rdpSettings* settings; rdpTransport* transport; assert(tsg); rpc = tsg->rpc; assert(rpc); transport = rpc->transport; assert(transport); context = tsg->rpc->context; assert(context); settings = context->settings; tsg->Port = port; tsg->transport = transport; if (!settings->GatewayPort) settings->GatewayPort = 443; if (!tsg_set_hostname(tsg, hostname)) return FALSE; if (!tsg_set_machine_name(tsg, settings->ComputerName)) return FALSE; if (!rpc_connect(rpc, timeout)) { WLog_ERR(TAG, "rpc_connect error!"); return FALSE; } nCount = tsg_get_event_handles(tsg, events, ARRAYSIZE(events)); if (nCount == 0) return FALSE; while (tsg->state != TSG_STATE_PIPE_CREATED) { const DWORD polltimeout = 250; DWORD status = WaitForMultipleObjects(nCount, events, FALSE, polltimeout); if (status == WAIT_TIMEOUT) { if (timeout > 0) { if (looptimeout < polltimeout) return FALSE; looptimeout -= polltimeout; } } else looptimeout = timeout * 1000ULL; if (!tsg_check_event_handles(tsg)) { WLog_ERR(TAG, "tsg_check failure"); transport->layer = TRANSPORT_LAYER_CLOSED; return FALSE; } } WLog_INFO(TAG, "TS Gateway Connection Success"); tsg->bio = BIO_new(BIO_s_tsg()); if (!tsg->bio) return FALSE; BIO_set_data(tsg->bio, (void*)tsg); return TRUE; } BOOL tsg_disconnect(rdpTsg* tsg) { /** * Gateway Shutdown Phase * * Client Server * | | * |-------------TsProxyCloseChannel Request---------->| * | | * |<-------TsProxySetupReceivePipe Final Response-----| * |<-----------TsProxyCloseChannel Response-----------| * | | * |----TsProxyMakeTunnelCall Request (cancel async)-->| * | | * |<---TsProxyMakeTunnelCall Response (call async)----| * |<---TsProxyMakeTunnelCall Response (cancel async)--| * | | * |--------------TsProxyCloseTunnel Request---------->| * |<-------------TsProxyCloseTunnel Response----------| * | | */ if (!tsg) return FALSE; if (tsg->state != TSG_STATE_TUNNEL_CLOSE_PENDING) { if (!TsProxyCloseChannelWriteRequest(tsg, &tsg->ChannelContext)) return FALSE; return tsg_transition_to_state(tsg, TSG_STATE_CHANNEL_CLOSE_PENDING); } return TRUE; } /** * @brief * * @param[in] tsg * @param[in] data * @param[in] length * @return < 0 on error; 0 if not enough data is available (non blocking mode); > 0 bytes to read */ static int tsg_read(rdpTsg* tsg, BYTE* data, size_t length) { rdpRpc* rpc; int status = 0; if (!tsg || !data) return -1; rpc = tsg->rpc; if (rpc->transport->layer == TRANSPORT_LAYER_CLOSED) { WLog_ERR(TAG, "tsg_read error: connection lost"); return -1; } do { status = rpc_client_receive_pipe_read(rpc->client, data, length); if (status < 0) return -1; if (!status && !rpc->transport->blocking) return 0; if (rpc->transport->layer == TRANSPORT_LAYER_CLOSED) { WLog_ERR(TAG, "tsg_read error: connection lost"); return -1; } if (status > 0) break; if (rpc->transport->blocking) { while (WaitForSingleObject(rpc->client->PipeEvent, 0) != WAIT_OBJECT_0) { if (!tsg_check_event_handles(tsg)) return -1; WaitForSingleObject(rpc->client->PipeEvent, 100); } } } while (rpc->transport->blocking); return status; } static int tsg_write(rdpTsg* tsg, const BYTE* data, UINT32 length) { int status; if (!tsg || !data || !tsg->rpc || !tsg->rpc->transport) return -1; if (tsg->rpc->transport->layer == TRANSPORT_LAYER_CLOSED) { WLog_ERR(TAG, "error, connection lost"); return -1; } status = TsProxySendToServer((handle_t)tsg, data, 1, &length); if (status < 0) return -1; return (int)length; } rdpTsg* tsg_new(rdpTransport* transport) { rdpTsg* tsg; tsg = (rdpTsg*)calloc(1, sizeof(rdpTsg)); if (!tsg) return NULL; tsg->transport = transport; tsg->rpc = rpc_new(tsg->transport); if (!tsg->rpc) goto out_free; return tsg; out_free: free(tsg); return NULL; } void tsg_free(rdpTsg* tsg) { if (tsg) { rpc_free(tsg->rpc); free(tsg->Hostname); free(tsg->MachineName); free(tsg); } } static int transport_bio_tsg_write(BIO* bio, const char* buf, int num) { int status; rdpTsg* tsg = (rdpTsg*)BIO_get_data(bio); BIO_clear_flags(bio, BIO_FLAGS_WRITE); if (num < 0) return -1; status = tsg_write(tsg, (const BYTE*)buf, (UINT32)num); if (status < 0) { BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY); return -1; } else if (status == 0) { BIO_set_flags(bio, BIO_FLAGS_WRITE); WSASetLastError(WSAEWOULDBLOCK); } else { BIO_set_flags(bio, BIO_FLAGS_WRITE); } return status >= 0 ? status : -1; } static int transport_bio_tsg_read(BIO* bio, char* buf, int size) { int status; rdpTsg* tsg = (rdpTsg*)BIO_get_data(bio); if (!tsg || (size < 0)) { BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY); return -1; } BIO_clear_flags(bio, BIO_FLAGS_READ); status = tsg_read(tsg, (BYTE*)buf, (size_t)size); if (status < 0) { BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY); return -1; } else if (status == 0) { BIO_set_flags(bio, BIO_FLAGS_READ); WSASetLastError(WSAEWOULDBLOCK); } else { BIO_set_flags(bio, BIO_FLAGS_READ); } return status > 0 ? status : -1; } static int transport_bio_tsg_puts(BIO* bio, const char* str) { WINPR_UNUSED(bio); WINPR_UNUSED(str); return 1; } static int transport_bio_tsg_gets(BIO* bio, char* str, int size) { WINPR_UNUSED(bio); WINPR_UNUSED(str); WINPR_UNUSED(size); return 1; } static long transport_bio_tsg_ctrl(BIO* bio, int cmd, long arg1, void* arg2) { long status = -1; rdpTsg* tsg = (rdpTsg*)BIO_get_data(bio); RpcVirtualConnection* connection = tsg->rpc->VirtualConnection; RpcInChannel* inChannel = connection->DefaultInChannel; RpcOutChannel* outChannel = connection->DefaultOutChannel; switch (cmd) { case BIO_CTRL_FLUSH: (void)BIO_flush(inChannel->common.tls->bio); (void)BIO_flush(outChannel->common.tls->bio); status = 1; break; case BIO_C_GET_EVENT: if (arg2) { *((HANDLE*)arg2) = tsg->rpc->client->PipeEvent; status = 1; } break; case BIO_C_SET_NONBLOCK: status = 1; break; case BIO_C_READ_BLOCKED: { BIO* cbio = outChannel->common.bio; status = BIO_read_blocked(cbio); } break; case BIO_C_WRITE_BLOCKED: { BIO* cbio = inChannel->common.bio; status = BIO_write_blocked(cbio); } break; case BIO_C_WAIT_READ: { int timeout = (int)arg1; BIO* cbio = outChannel->common.bio; if (BIO_read_blocked(cbio)) return BIO_wait_read(cbio, timeout); else if (BIO_write_blocked(cbio)) return BIO_wait_write(cbio, timeout); else status = 1; } break; case BIO_C_WAIT_WRITE: { int timeout = (int)arg1; BIO* cbio = inChannel->common.bio; if (BIO_write_blocked(cbio)) status = BIO_wait_write(cbio, timeout); else if (BIO_read_blocked(cbio)) status = BIO_wait_read(cbio, timeout); else status = 1; } break; #if OPENSSL_VERSION_NUMBER >= 0x30000000L case BIO_CTRL_GET_KTLS_SEND: status = 0; break; case BIO_CTRL_GET_KTLS_RECV: status = 0; break; #endif default: break; } return status; } static int transport_bio_tsg_new(BIO* bio) { assert(bio); BIO_set_init(bio, 1); BIO_set_flags(bio, BIO_FLAGS_SHOULD_RETRY); return 1; } static int transport_bio_tsg_free(BIO* bio) { assert(bio); WINPR_UNUSED(bio); return 1; } BIO_METHOD* BIO_s_tsg(void) { static BIO_METHOD* bio_methods = NULL; if (bio_methods == NULL) { if (!(bio_methods = BIO_meth_new(BIO_TYPE_TSG, "TSGateway"))) return NULL; BIO_meth_set_write(bio_methods, transport_bio_tsg_write); BIO_meth_set_read(bio_methods, transport_bio_tsg_read); BIO_meth_set_puts(bio_methods, transport_bio_tsg_puts); BIO_meth_set_gets(bio_methods, transport_bio_tsg_gets); BIO_meth_set_ctrl(bio_methods, transport_bio_tsg_ctrl); BIO_meth_set_create(bio_methods, transport_bio_tsg_new); BIO_meth_set_destroy(bio_methods, transport_bio_tsg_free); } return bio_methods; } TSG_STATE tsg_get_state(rdpTsg* tsg) { if (!tsg) return TSG_STATE_INITIAL; return tsg->state; } BIO* tsg_get_bio(rdpTsg* tsg) { if (!tsg) return NULL; return tsg->bio; } BOOL tsg_set_state(rdpTsg* tsg, TSG_STATE state) { if (!tsg) return FALSE; tsg->state = state; return TRUE; }