/* -*- c-basic-offset: 8 -*- rdesktop: A Remote Desktop Protocol client. Protocol services - ISO layer Copyright (C) Matthew Chapman 1999-2008 Copyright 2005-2011 Peter Astrand for Cendio AB Copyright 2012 Henrik Andersson for Cendio AB This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "precomp.h" extern RD_BOOL g_encryption; extern RD_BOOL g_encryption_initial; extern RDP_VERSION g_rdp_version; extern RD_BOOL g_use_password_as_pin; static RD_BOOL g_negotiate_rdp_protocol = True; extern char *g_sc_csp_name; extern char *g_sc_reader_name; extern char *g_sc_card_name; extern char *g_sc_container_name; /* Send a self-contained ISO PDU */ static void iso_send_msg(uint8 code) { STREAM s; s = tcp_init(11); out_uint8(s, 3); /* version */ out_uint8(s, 0); /* reserved */ out_uint16_be(s, 11); /* length */ out_uint8(s, 6); /* hdrlen */ out_uint8(s, code); out_uint16(s, 0); /* dst_ref */ out_uint16(s, 0); /* src_ref */ out_uint8(s, 0); /* class */ s_mark_end(s); tcp_send(s); } static void iso_send_connection_request(char *username, uint32 neg_proto) { STREAM s; int length = 30 + strlen(username); if (g_rdp_version >= RDP_V5 && g_negotiate_rdp_protocol) length += 8; s = tcp_init(length); out_uint8(s, 3); /* version */ out_uint8(s, 0); /* reserved */ out_uint16_be(s, length); /* length */ out_uint8(s, length - 5); /* hdrlen */ out_uint8(s, ISO_PDU_CR); out_uint16(s, 0); /* dst_ref */ out_uint16(s, 0); /* src_ref */ out_uint8(s, 0); /* class */ out_uint8p(s, "Cookie: mstshash=", strlen("Cookie: mstshash=")); out_uint8p(s, username, strlen(username)); out_uint8(s, 0x0d); /* cookie termination string: CR+LF */ out_uint8(s, 0x0a); if (g_rdp_version >= RDP_V5 && g_negotiate_rdp_protocol) { /* optional rdp protocol negotiation request for RDPv5 */ out_uint8(s, RDP_NEG_REQ); out_uint8(s, 0); out_uint16(s, 8); out_uint32(s, neg_proto); } s_mark_end(s); tcp_send(s); } /* Receive a message on the ISO layer, return code */ static STREAM iso_recv_msg(uint8 * code, uint8 * rdpver) { STREAM s; uint16 length; uint8 version; s = tcp_recv(NULL, 4); if (s == NULL) return NULL; in_uint8(s, version); if (rdpver != NULL) *rdpver = version; if (version == 3) { in_uint8s(s, 1); /* pad */ in_uint16_be(s, length); } else { in_uint8(s, length); if (length & 0x80) { length &= ~0x80; next_be(s, length); } } if (length < 4) { error("Bad packet header\n"); return NULL; } s = tcp_recv(s, length - 4); if (s == NULL) return NULL; if (version != 3) return s; in_uint8s(s, 1); /* hdrlen */ in_uint8(s, *code); if (*code == ISO_PDU_DT) { in_uint8s(s, 1); /* eot */ return s; } in_uint8s(s, 5); /* dst_ref, src_ref, class */ return s; } /* Initialise ISO transport data packet */ STREAM iso_init(int length) { STREAM s; s = tcp_init(length + 7); s_push_layer(s, iso_hdr, 7); return s; } /* Send an ISO data PDU */ void iso_send(STREAM s) { uint16 length; s_pop_layer(s, iso_hdr); length = s->end - s->p; out_uint8(s, 3); /* version */ out_uint8(s, 0); /* reserved */ out_uint16_be(s, length); out_uint8(s, 2); /* hdrlen */ out_uint8(s, ISO_PDU_DT); /* code */ out_uint8(s, 0x80); /* eot */ tcp_send(s); } /* Receive ISO transport data packet */ STREAM iso_recv(uint8 * rdpver) { STREAM s; uint8 code = 0; s = iso_recv_msg(&code, rdpver); if (s == NULL) return NULL; if (rdpver != NULL) if (*rdpver != 3) return s; if (code != ISO_PDU_DT) { error("expected DT, got 0x%x\n", code); return NULL; } return s; } /* Establish a connection up to the ISO layer */ RD_BOOL iso_connect(char *server, char *username, char *domain, char *password, RD_BOOL reconnect, uint32 * selected_protocol) { STREAM s; uint8 code; uint32 neg_proto; g_negotiate_rdp_protocol = True; neg_proto = PROTOCOL_SSL; #ifdef WITH_CREDSSP if (!g_use_password_as_pin) neg_proto |= PROTOCOL_HYBRID; else if (g_sc_csp_name || g_sc_reader_name || g_sc_card_name || g_sc_container_name) neg_proto |= PROTOCOL_HYBRID; else warning("Disables CredSSP due to missing smartcard information for SSO.\n"); #endif retry: *selected_protocol = PROTOCOL_RDP; code = 0; if (!tcp_connect(server)) return False; iso_send_connection_request(username, neg_proto); s = iso_recv_msg(&code, NULL); if (s == NULL) return False; if (code != ISO_PDU_CC) { error("expected CC, got 0x%x\n", code); tcp_disconnect(); return False; } if (g_rdp_version >= RDP_V5 && s_check_rem(s, 8)) { /* handle RDP_NEG_REQ response */ const char *reason = NULL; uint8 type = 0, flags = 0; uint16 length = 0; uint32 data = 0; in_uint8(s, type); in_uint8(s, flags); in_uint16(s, length); in_uint32(s, data); if (type == RDP_NEG_FAILURE) { RD_BOOL retry_without_neg = False; switch (data) { case SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER: reason = "SSL with user authentication required by server"; break; case SSL_NOT_ALLOWED_BY_SERVER: reason = "SSL not allowed by server"; retry_without_neg = True; break; case SSL_CERT_NOT_ON_SERVER: reason = "no valid authentication certificate on server"; retry_without_neg = True; break; case INCONSISTENT_FLAGS: reason = "inconsistent negotiation flags"; break; case SSL_REQUIRED_BY_SERVER: reason = "SSL required by server"; break; case HYBRID_REQUIRED_BY_SERVER: reason = "CredSSP required by server"; break; default: reason = "unknown reason"; } tcp_disconnect(); if (retry_without_neg) { fprintf(stderr, "Failed to negotiate protocol, retrying with plain RDP.\n"); g_negotiate_rdp_protocol = False; goto retry; } fprintf(stderr, "Failed to connect, %s.\n", reason); return False; } if (type != RDP_NEG_RSP) { tcp_disconnect(); error("Expected RDP_NEG_RSP, got type = 0x%x\n", type); return False; } /* handle negotiation response */ if (data == PROTOCOL_SSL) { #ifdef WITH_SSL if (!tcp_tls_connect()) { /* failed to connect using cssp, let retry with plain TLS */ tcp_disconnect(); neg_proto = PROTOCOL_RDP; goto retry; } /* do not use encryption when using TLS */ g_encryption = False; fprintf(stderr, "Connection established using SSL.\n"); #else /* WITH_SSL */ fprintf(stderr, "SSL not compiled in.\n"); #endif /* WITH_SSL */ } #ifdef WITH_CREDSSP else if (data == PROTOCOL_HYBRID) { if (!cssp_connect(server, username, domain, password, s)) { /* failed to connect using cssp, let retry with plain TLS */ tcp_disconnect(); neg_proto = PROTOCOL_SSL; goto retry; } /* do not use encryption when using TLS */ fprintf(stderr, "Connection established using CredSSP.\n"); g_encryption = False; } #endif else if (data == PROTOCOL_RDP) { fprintf(stderr, "Connection established using plain RDP.\n"); } else if (data != PROTOCOL_RDP) { tcp_disconnect(); error("Unexpected protocol in negotiation response, got data = 0x%x.\n", data); return False; } if (length || flags) {} *selected_protocol = data; } return True; } /* Disconnect from the ISO layer */ void iso_disconnect(void) { iso_send_msg(ISO_PDU_DR); tcp_disconnect(); } /* reset the state to support reconnecting */ void iso_reset_state(void) { g_encryption = g_encryption_initial; tcp_reset_state(); }