Coverage Report

Created: 2026-03-04 06:17

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/libfreerdp/core/fastpath.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * Fast Path
4
 *
5
 * Copyright 2011 Vic Lee
6
 * Copyright 2014 Norbert Federa <norbert.federa@thincast.com>
7
 * Copyright 2017 Armin Novak <armin.novak@thincast.com>
8
 * Copyright 2017 Thincast Technologies GmbH
9
 *
10
 * Licensed under the Apache License, Version 2.0 (the "License");
11
 * you may not use this file except in compliance with the License.
12
 * You may obtain a copy of the License at
13
 *
14
 *     http://www.apache.org/licenses/LICENSE-2.0
15
 *
16
 * Unless required by applicable law or agreed to in writing, software
17
 * distributed under the License is distributed on an "AS IS" BASIS,
18
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19
 * See the License for the specific language governing permissions and
20
 * limitations under the License.
21
 */
22
23
#include <freerdp/config.h>
24
25
#include "settings.h"
26
27
#include <stdio.h>
28
#include <stdlib.h>
29
#include <string.h>
30
31
#include <winpr/crt.h>
32
#include <winpr/assert.h>
33
#include <winpr/stream.h>
34
35
#include <freerdp/api.h>
36
#include <freerdp/log.h>
37
#include <freerdp/crypto/per.h>
38
39
#include "orders.h"
40
#include "update.h"
41
#include "surface.h"
42
#include "fastpath.h"
43
#include "rdp.h"
44
45
#include "../cache/pointer.h"
46
#include "../cache/palette.h"
47
#include "../cache/bitmap.h"
48
49
#define TAG FREERDP_TAG("core.fastpath")
50
51
enum FASTPATH_INPUT_ENCRYPTION_FLAGS
52
{
53
  FASTPATH_INPUT_SECURE_CHECKSUM = 0x1,
54
  FASTPATH_INPUT_ENCRYPTED = 0x2
55
};
56
57
enum FASTPATH_OUTPUT_ENCRYPTION_FLAGS
58
{
59
  FASTPATH_OUTPUT_SECURE_CHECKSUM = 0x1,
60
  FASTPATH_OUTPUT_ENCRYPTED = 0x2
61
};
62
63
struct rdp_fastpath
64
{
65
  rdpRdp* rdp;
66
  wStream* fs;
67
  BYTE encryptionFlags;
68
  BYTE numberEvents;
69
  wStream* updateData;
70
  int fragmentation;
71
};
72
73
/**
74
 * Fast-Path packet format is defined in [MS-RDPBCGR] 2.2.9.1.2, which revises
75
 * server output packets from the first byte with the goal of improving
76
 * bandwidth.
77
 *
78
 * Slow-Path packet always starts with TPKT header, which has the first
79
 * byte 0x03, while Fast-Path packet starts with 2 zero bits in the first
80
 * two less significant bits of the first byte.
81
 */
82
83
static const char* const FASTPATH_UPDATETYPE_STRINGS[] = {
84
  "Orders",                 /* 0x0 */
85
  "Bitmap",                 /* 0x1 */
86
  "Palette",                /* 0x2 */
87
  "Synchronize",            /* 0x3 */
88
  "Surface Commands",       /* 0x4 */
89
  "System Pointer Hidden",  /* 0x5 */
90
  "System Pointer Default", /* 0x6 */
91
  "???",                    /* 0x7 */
92
  "Pointer Position",       /* 0x8 */
93
  "Color Pointer",          /* 0x9 */
94
  "Cached Pointer",         /* 0xA */
95
  "New Pointer",            /* 0xB */
96
};
97
98
static const char* fastpath_update_to_string(UINT8 update)
99
7.99k
{
100
7.99k
  if (update >= ARRAYSIZE(FASTPATH_UPDATETYPE_STRINGS))
101
425
    return "UNKNOWN";
102
103
7.56k
  return FASTPATH_UPDATETYPE_STRINGS[update];
104
7.99k
}
105
106
static BOOL fastpath_read_update_header(wStream* s, BYTE* updateCode, BYTE* fragmentation,
107
                                        BYTE* compression)
108
27.5k
{
109
27.5k
  BYTE updateHeader = 0;
110
111
27.5k
  if (!s || !updateCode || !fragmentation || !compression)
112
0
    return FALSE;
113
114
27.5k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
115
0
    return FALSE;
116
117
27.5k
  Stream_Read_UINT8(s, updateHeader);
118
27.5k
  *updateCode = updateHeader & 0x0F;
119
27.5k
  *fragmentation = (updateHeader >> 4) & 0x03;
120
27.5k
  *compression = (updateHeader >> 6) & 0x03;
121
27.5k
  return TRUE;
122
27.5k
}
123
124
static BOOL fastpath_write_update_header(wStream* s, const FASTPATH_UPDATE_HEADER* fpUpdateHeader)
125
123
{
126
123
  BYTE updateHeader = 0;
127
123
  WINPR_ASSERT(fpUpdateHeader);
128
129
123
  updateHeader |= fpUpdateHeader->updateCode & 0x0F;
130
123
  updateHeader |= (fpUpdateHeader->fragmentation & 0x03) << 4;
131
123
  updateHeader |= (fpUpdateHeader->compression & 0x03) << 6;
132
133
123
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
134
0
    return FALSE;
135
123
  Stream_Write_UINT8(s, updateHeader);
136
137
123
  if (fpUpdateHeader->compression)
138
0
  {
139
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
140
0
      return FALSE;
141
142
0
    Stream_Write_UINT8(s, fpUpdateHeader->compressionFlags);
143
0
  }
144
145
123
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 2))
146
0
    return FALSE;
147
148
123
  Stream_Write_UINT16(s, fpUpdateHeader->size);
149
123
  return TRUE;
150
123
}
151
152
static UINT32 fastpath_get_update_header_size(FASTPATH_UPDATE_HEADER* fpUpdateHeader)
153
123
{
154
123
  WINPR_ASSERT(fpUpdateHeader);
155
123
  return (fpUpdateHeader->compression) ? 4 : 3;
156
123
}
157
158
static BOOL fastpath_write_update_pdu_header(wStream* s,
159
                                             const FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
160
                                             rdpRdp* rdp)
161
123
{
162
123
  BYTE fpOutputHeader = 0;
163
123
  WINPR_ASSERT(fpUpdatePduHeader);
164
123
  WINPR_ASSERT(rdp);
165
166
123
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 3))
167
0
    return FALSE;
168
169
123
  fpOutputHeader |= (fpUpdatePduHeader->action & 0x03);
170
123
  fpOutputHeader |= (fpUpdatePduHeader->secFlags & 0x03) << 6;
171
123
  Stream_Write_UINT8(s, fpOutputHeader);                          /* fpOutputHeader (1 byte) */
172
123
  Stream_Write_UINT8(s, 0x80 | (fpUpdatePduHeader->length >> 8)); /* length1 */
173
123
  Stream_Write_UINT8(s, fpUpdatePduHeader->length & 0xFF);        /* length2 */
174
175
123
  if (fpUpdatePduHeader->secFlags)
176
0
  {
177
0
    WINPR_ASSERT(rdp->settings);
178
0
    if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
179
0
    {
180
0
      if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 4))
181
0
        return FALSE;
182
183
0
      Stream_Write(s, fpUpdatePduHeader->fipsInformation, 4);
184
0
    }
185
186
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
187
0
      return FALSE;
188
189
0
    Stream_Write(s, fpUpdatePduHeader->dataSignature, 8);
190
0
  }
191
192
123
  return TRUE;
193
123
}
194
195
static UINT32 fastpath_get_update_pdu_header_size(FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
196
                                                  rdpRdp* rdp)
197
123
{
198
123
  UINT32 size = 3; /* fpUpdatePduHeader + length1 + length2 */
199
200
123
  if (!fpUpdatePduHeader || !rdp)
201
0
    return 0;
202
203
123
  if (fpUpdatePduHeader->secFlags)
204
0
  {
205
0
    size += 8; /* dataSignature */
206
207
0
    WINPR_ASSERT(rdp->settings);
208
0
    if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
209
0
      size += 4; /* fipsInformation */
210
0
  }
211
212
123
  return size;
213
123
}
214
215
BOOL fastpath_read_header_rdp(rdpFastPath* fastpath, wStream* s, UINT16* length)
216
15.4k
{
217
15.4k
  BYTE header = 0;
218
219
15.4k
  if (!s || !length)
220
0
    return FALSE;
221
222
15.4k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
223
4.60k
    return FALSE;
224
225
10.8k
  Stream_Read_UINT8(s, header);
226
227
10.8k
  if (fastpath)
228
10.8k
  {
229
10.8k
    fastpath->encryptionFlags = (header & 0xC0) >> 6;
230
10.8k
    fastpath->numberEvents = (header & 0x3C) >> 2;
231
10.8k
  }
232
233
10.8k
  if (!per_read_length(s, length))
234
163
    return FALSE;
235
236
10.6k
  const size_t pos = Stream_GetPosition(s);
237
10.6k
  if (pos > *length)
238
7.48k
    return FALSE;
239
240
3.17k
  *length = *length - (UINT16)pos;
241
3.17k
  return TRUE;
242
10.6k
}
243
244
static BOOL fastpath_recv_orders(rdpFastPath* fastpath, wStream* s)
245
8.25k
{
246
8.25k
  rdpUpdate* update = nullptr;
247
8.25k
  UINT16 numberOrders = 0;
248
249
8.25k
  if (!fastpath || !fastpath->rdp || !s)
250
0
  {
251
0
    WLog_ERR(TAG, "Invalid arguments");
252
0
    return FALSE;
253
0
  }
254
255
8.25k
  update = fastpath->rdp->update;
256
257
8.25k
  if (!update)
258
0
  {
259
0
    WLog_ERR(TAG, "Invalid configuration");
260
0
    return FALSE;
261
0
  }
262
263
8.25k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
264
1.56k
    return FALSE;
265
266
6.68k
  Stream_Read_UINT16(s, numberOrders); /* numberOrders (2 bytes) */
267
268
179k
  while (numberOrders > 0)
269
174k
  {
270
174k
    if (!update_recv_order(update, s))
271
2.28k
      return FALSE;
272
273
172k
    numberOrders--;
274
172k
  }
275
276
4.40k
  return TRUE;
277
6.68k
}
278
279
static BOOL fastpath_recv_update_common(rdpFastPath* fastpath, wStream* s)
280
1.07k
{
281
1.07k
  BOOL rc = FALSE;
282
1.07k
  UINT16 updateType = 0;
283
1.07k
  rdpUpdate* update = nullptr;
284
1.07k
  rdpContext* context = nullptr;
285
1.07k
  BOOL defaultReturn = 0;
286
287
1.07k
  if (!fastpath || !s || !fastpath->rdp)
288
0
    return FALSE;
289
290
1.07k
  update = fastpath->rdp->update;
291
292
1.07k
  if (!update || !update->context)
293
0
    return FALSE;
294
295
1.07k
  context = update->context;
296
297
1.07k
  defaultReturn = freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
298
299
1.07k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
300
520
    return FALSE;
301
302
551
  Stream_Read_UINT16(s, updateType); /* updateType (2 bytes) */
303
551
  switch (updateType)
304
551
  {
305
253
    case UPDATE_TYPE_BITMAP:
306
253
    {
307
253
      BITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);
308
309
253
      if (!bitmap_update)
310
139
        return FALSE;
311
312
114
      rc = IFCALLRESULT(defaultReturn, update->BitmapUpdate, context, bitmap_update);
313
114
      free_bitmap_update(context, bitmap_update);
314
114
    }
315
0
    break;
316
317
182
    case UPDATE_TYPE_PALETTE:
318
182
    {
319
182
      PALETTE_UPDATE* palette_update = update_read_palette(update, s);
320
321
182
      if (!palette_update)
322
142
        return FALSE;
323
324
40
      rc = IFCALLRESULT(defaultReturn, update->Palette, context, palette_update);
325
40
      free_palette_update(context, palette_update);
326
40
    }
327
0
    break;
328
329
116
    default:
330
116
      break;
331
551
  }
332
333
270
  return rc;
334
551
}
335
336
static BOOL fastpath_recv_update_synchronize(WINPR_ATTR_UNUSED rdpFastPath* fastpath, wStream* s)
337
3.70k
{
338
  /* server 2008 can send invalid synchronize packet with missing padding,
339
    so don't return FALSE even if the packet is invalid */
340
3.70k
  WINPR_ASSERT(fastpath);
341
3.70k
  WINPR_ASSERT(s);
342
343
3.70k
  const size_t len = Stream_GetRemainingLength(s);
344
3.70k
  const size_t skip = MIN(2, len);
345
3.70k
  return Stream_SafeSeek(s, skip); /* size (2 bytes), MUST be set to zero */
346
3.70k
}
347
348
static int fastpath_recv_update(rdpFastPath* fastpath, BYTE updateCode, wStream* s)
349
17.8k
{
350
17.8k
  BOOL rc = FALSE;
351
17.8k
  int status = 0;
352
353
17.8k
  if (!fastpath || !fastpath->rdp || !s)
354
0
    return -1;
355
356
17.8k
  Stream_SealLength(s);
357
17.8k
  Stream_ResetPosition(s);
358
359
17.8k
  rdpUpdate* update = fastpath->rdp->update;
360
361
17.8k
  if (!update || !update->pointer || !update->context)
362
0
    return -1;
363
364
17.8k
  rdpContext* context = update->context;
365
17.8k
  WINPR_ASSERT(context);
366
367
17.8k
  rdpPointerUpdate* pointer = update->pointer;
368
17.8k
  WINPR_ASSERT(pointer);
369
370
#ifdef WITH_DEBUG_RDP
371
  DEBUG_RDP(fastpath->rdp, "recv Fast-Path %s Update (0x%02" PRIX8 "), length:%" PRIuz "",
372
            fastpath_update_to_string(updateCode), updateCode, Stream_GetRemainingLength(s));
373
#endif
374
375
17.8k
  const BOOL defaultReturn =
376
17.8k
      freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
377
17.8k
  switch (updateCode)
378
17.8k
  {
379
8.25k
    case FASTPATH_UPDATETYPE_ORDERS:
380
8.25k
      rc = fastpath_recv_orders(fastpath, s);
381
8.25k
      break;
382
383
832
    case FASTPATH_UPDATETYPE_BITMAP:
384
1.07k
    case FASTPATH_UPDATETYPE_PALETTE:
385
1.07k
      rc = fastpath_recv_update_common(fastpath, s);
386
1.07k
      break;
387
388
3.70k
    case FASTPATH_UPDATETYPE_SYNCHRONIZE:
389
3.70k
      if (!fastpath_recv_update_synchronize(fastpath, s))
390
0
        WLog_ERR(TAG, "fastpath_recv_update_synchronize failure but we continue");
391
3.70k
      else
392
3.70k
        rc = IFCALLRESULT(TRUE, update->Synchronize, context);
393
394
3.70k
      break;
395
396
3.64k
    case FASTPATH_UPDATETYPE_SURFCMDS:
397
3.64k
      status = update_recv_surfcmds(update, s);
398
3.64k
      rc = (status >= 0);
399
3.64k
      break;
400
401
64
    case FASTPATH_UPDATETYPE_PTR_NULL:
402
64
    {
403
64
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
404
64
      pointer_system.type = SYSPTR_NULL;
405
64
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
406
64
    }
407
64
    break;
408
409
77
    case FASTPATH_UPDATETYPE_PTR_DEFAULT:
410
77
    {
411
77
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
412
77
      pointer_system.type = SYSPTR_DEFAULT;
413
77
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
414
77
    }
415
77
    break;
416
417
162
    case FASTPATH_UPDATETYPE_PTR_POSITION:
418
162
    {
419
162
      POINTER_POSITION_UPDATE* pointer_position = update_read_pointer_position(update, s);
420
421
162
      if (pointer_position)
422
78
      {
423
78
        rc = IFCALLRESULT(defaultReturn, pointer->PointerPosition, context,
424
78
                          pointer_position);
425
78
        free_pointer_position_update(context, pointer_position);
426
78
      }
427
162
    }
428
162
    break;
429
430
213
    case FASTPATH_UPDATETYPE_COLOR:
431
213
    {
432
213
      POINTER_COLOR_UPDATE* pointer_color = update_read_pointer_color(update, s, 24);
433
434
213
      if (pointer_color)
435
94
      {
436
94
        rc = IFCALLRESULT(defaultReturn, pointer->PointerColor, context, pointer_color);
437
94
        free_pointer_color_update(context, pointer_color);
438
94
      }
439
213
    }
440
213
    break;
441
442
147
    case FASTPATH_UPDATETYPE_CACHED:
443
147
    {
444
147
      POINTER_CACHED_UPDATE* pointer_cached = update_read_pointer_cached(update, s);
445
446
147
      if (pointer_cached)
447
44
      {
448
44
        rc = IFCALLRESULT(defaultReturn, pointer->PointerCached, context, pointer_cached);
449
44
        free_pointer_cached_update(context, pointer_cached);
450
44
      }
451
147
    }
452
147
    break;
453
454
92
    case FASTPATH_UPDATETYPE_POINTER:
455
92
    {
456
92
      POINTER_NEW_UPDATE* pointer_new = update_read_pointer_new(update, s);
457
458
92
      if (pointer_new)
459
16
      {
460
16
        rc = IFCALLRESULT(defaultReturn, pointer->PointerNew, context, pointer_new);
461
16
        free_pointer_new_update(context, pointer_new);
462
16
      }
463
92
    }
464
92
    break;
465
466
407
    case FASTPATH_UPDATETYPE_LARGE_POINTER:
467
407
    {
468
407
      POINTER_LARGE_UPDATE* pointer_large = update_read_pointer_large(update, s);
469
470
407
      if (pointer_large)
471
104
      {
472
104
        rc = IFCALLRESULT(defaultReturn, pointer->PointerLarge, context, pointer_large);
473
104
        free_pointer_large_update(context, pointer_large);
474
104
      }
475
407
    }
476
407
    break;
477
33
    default:
478
33
      break;
479
17.8k
  }
480
481
17.8k
  Stream_ResetPosition(s);
482
17.8k
  if (!rc)
483
7.99k
  {
484
7.99k
    WLog_ERR(TAG, "Fastpath update %s [%" PRIx8 "] failed, status %d",
485
7.99k
             fastpath_update_to_string(updateCode), updateCode, status);
486
7.99k
    return -1;
487
7.99k
  }
488
489
9.87k
  return status;
490
17.8k
}
491
492
static int fastpath_recv_update_data(rdpFastPath* fastpath, wStream* s)
493
27.5k
{
494
27.5k
  int status = 0;
495
27.5k
  UINT16 size = 0;
496
27.5k
  BYTE updateCode = 0;
497
27.5k
  BYTE fragmentation = 0;
498
27.5k
  BYTE compression = 0;
499
27.5k
  BYTE compressionFlags = 0;
500
27.5k
  UINT32 DstSize = 0;
501
27.5k
  const BYTE* pDstData = nullptr;
502
503
27.5k
  if (!fastpath || !s)
504
0
    return -1;
505
506
27.5k
  rdpRdp* rdp = fastpath->rdp;
507
508
27.5k
  if (!rdp)
509
0
    return -1;
510
511
27.5k
  rdpTransport* transport = rdp->transport;
512
513
27.5k
  if (!transport)
514
0
    return -1;
515
516
27.5k
  if (!fastpath_read_update_header(s, &updateCode, &fragmentation, &compression))
517
0
    return -1;
518
519
27.5k
  if (compression == FASTPATH_OUTPUT_COMPRESSION_USED)
520
10.4k
  {
521
10.4k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
522
0
      return -1;
523
524
10.4k
    Stream_Read_UINT8(s, compressionFlags);
525
10.4k
  }
526
17.0k
  else
527
17.0k
    compressionFlags = 0;
528
529
27.5k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
530
19
    return -1;
531
532
27.5k
  Stream_Read_UINT16(s, size);
533
534
27.5k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, size))
535
5.10k
    return -1;
536
537
22.4k
  const int bulkStatus =
538
22.4k
      bulk_decompress(rdp->bulk, Stream_Pointer(s), size, &pDstData, &DstSize, compressionFlags);
539
22.4k
  Stream_Seek(s, size);
540
541
22.4k
  if (bulkStatus < 0)
542
1.25k
  {
543
1.25k
    WLog_ERR(TAG, "bulk_decompress() failed");
544
1.25k
    return -1;
545
1.25k
  }
546
547
21.1k
  if (!Stream_EnsureRemainingCapacity(fastpath->updateData, DstSize))
548
0
    return -1;
549
550
21.1k
  Stream_Write(fastpath->updateData, pDstData, DstSize);
551
552
21.1k
  if (fragmentation == FASTPATH_FRAGMENT_SINGLE)
553
17.1k
  {
554
17.1k
    if (fastpath->fragmentation != -1)
555
53
    {
556
53
      WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_SINGLE");
557
53
      goto out_fail;
558
53
    }
559
560
17.1k
    status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
561
562
17.1k
    if (status < 0)
563
7.98k
    {
564
7.98k
      WLog_ERR(TAG, "fastpath_recv_update() - %i", status);
565
7.98k
      goto out_fail;
566
7.98k
    }
567
17.1k
  }
568
4.00k
  else
569
4.00k
  {
570
4.00k
    rdpContext* context = nullptr;
571
4.00k
    const size_t totalSize = Stream_GetPosition(fastpath->updateData);
572
573
4.00k
    context = transport_get_context(transport);
574
4.00k
    WINPR_ASSERT(context);
575
4.00k
    WINPR_ASSERT(context->settings);
576
577
4.00k
    if (totalSize >
578
4.00k
        freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize))
579
137
    {
580
137
      WLog_ERR(
581
137
          TAG, "Total size (%" PRIuz ") exceeds MultifragMaxRequestSize (%" PRIu32 ")",
582
137
          totalSize,
583
137
          freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize));
584
137
      goto out_fail;
585
137
    }
586
587
3.86k
    if (fragmentation == FASTPATH_FRAGMENT_FIRST)
588
977
    {
589
977
      if (fastpath->fragmentation != -1)
590
22
      {
591
22
        WLog_ERR(TAG, "fastpath_recv_update_data: Unexpected FASTPATH_FRAGMENT_FIRST");
592
22
        goto out_fail;
593
22
      }
594
595
955
      fastpath->fragmentation = FASTPATH_FRAGMENT_FIRST;
596
955
    }
597
2.89k
    else if (fragmentation == FASTPATH_FRAGMENT_NEXT)
598
1.99k
    {
599
1.99k
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
600
1.70k
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
601
265
      {
602
265
        WLog_ERR(TAG, "fastpath_recv_update_data: Unexpected FASTPATH_FRAGMENT_NEXT");
603
265
        goto out_fail;
604
265
      }
605
606
1.72k
      fastpath->fragmentation = FASTPATH_FRAGMENT_NEXT;
607
1.72k
    }
608
900
    else if (fragmentation == FASTPATH_FRAGMENT_LAST)
609
900
    {
610
900
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
611
340
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
612
151
      {
613
151
        WLog_ERR(TAG, "fastpath_recv_update_data: Unexpected FASTPATH_FRAGMENT_LAST");
614
151
        goto out_fail;
615
151
      }
616
617
749
      fastpath->fragmentation = -1;
618
749
      status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
619
620
749
      if (status < 0)
621
5
      {
622
5
        WLog_ERR(TAG, "fastpath_recv_update_data: fastpath_recv_update() - %i", status);
623
5
        goto out_fail;
624
5
      }
625
749
    }
626
3.86k
  }
627
628
12.5k
  return status;
629
8.62k
out_fail:
630
8.62k
  return -1;
631
21.1k
}
632
633
state_run_t fastpath_recv_updates(rdpFastPath* fastpath, wStream* s)
634
15.4k
{
635
15.4k
  state_run_t rc = STATE_RUN_FAILED;
636
637
15.4k
  WINPR_ASSERT(s);
638
15.4k
  WINPR_ASSERT(fastpath);
639
15.4k
  WINPR_ASSERT(fastpath->rdp);
640
641
15.4k
  rdpUpdate* update = fastpath->rdp->update;
642
15.4k
  WINPR_ASSERT(update);
643
644
15.4k
  if (!update_begin_paint(update))
645
0
    goto fail;
646
647
27.9k
  while (Stream_GetRemainingLength(s) >= 3)
648
27.5k
  {
649
27.5k
    if (fastpath_recv_update_data(fastpath, s) < 0)
650
14.9k
    {
651
14.9k
      WLog_ERR(TAG, "fastpath_recv_update_data() fail");
652
14.9k
      rc = STATE_RUN_FAILED;
653
14.9k
      goto fail;
654
14.9k
    }
655
27.5k
  }
656
657
432
  rc = STATE_RUN_SUCCESS;
658
15.4k
fail:
659
660
15.4k
  if (!update_end_paint(update))
661
551
    return STATE_RUN_FAILED;
662
663
14.8k
  return rc;
664
15.4k
}
665
666
static BOOL fastpath_read_input_event_header(wStream* s, BYTE* eventFlags, BYTE* eventCode)
667
92.2k
{
668
92.2k
  BYTE eventHeader = 0;
669
670
92.2k
  WINPR_ASSERT(s);
671
92.2k
  WINPR_ASSERT(eventFlags);
672
92.2k
  WINPR_ASSERT(eventCode);
673
674
92.2k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
675
779
    return FALSE;
676
677
91.4k
  Stream_Read_UINT8(s, eventHeader); /* eventHeader (1 byte) */
678
91.4k
  *eventFlags = (eventHeader & 0x1F);
679
91.4k
  *eventCode = (eventHeader >> 5);
680
91.4k
  return TRUE;
681
92.2k
}
682
683
static BOOL fastpath_recv_input_event_scancode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
684
53.1k
{
685
53.1k
  WINPR_ASSERT(fastpath);
686
53.1k
  WINPR_ASSERT(fastpath->rdp);
687
53.1k
  WINPR_ASSERT(fastpath->rdp->input);
688
53.1k
  WINPR_ASSERT(s);
689
690
53.1k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
691
174
    return FALSE;
692
693
52.9k
  rdpInput* input = fastpath->rdp->input;
694
695
52.9k
  const UINT8 code = Stream_Get_UINT8(s); /* keyCode (1 byte) */
696
697
52.9k
  UINT16 flags = 0;
698
52.9k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
699
7.99k
    flags |= KBD_FLAGS_RELEASE;
700
701
52.9k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_EXTENDED))
702
27.4k
    flags |= KBD_FLAGS_EXTENDED;
703
704
52.9k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_PREFIX_E1))
705
7.12k
    flags |= KBD_FLAGS_EXTENDED1;
706
707
52.9k
  return IFCALLRESULT(TRUE, input->KeyboardEvent, input, flags, code);
708
53.1k
}
709
710
static BOOL fastpath_recv_input_event_mouse(rdpFastPath* fastpath, wStream* s,
711
                                            WINPR_ATTR_UNUSED BYTE eventFlags)
712
5.95k
{
713
5.95k
  rdpInput* input = nullptr;
714
5.95k
  UINT16 pointerFlags = 0;
715
5.95k
  UINT16 xPos = 0;
716
5.95k
  UINT16 yPos = 0;
717
5.95k
  WINPR_ASSERT(fastpath);
718
5.95k
  WINPR_ASSERT(fastpath->rdp);
719
5.95k
  WINPR_ASSERT(fastpath->rdp->input);
720
5.95k
  WINPR_ASSERT(s);
721
722
5.95k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
723
141
    return FALSE;
724
725
5.80k
  input = fastpath->rdp->input;
726
727
5.80k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
728
5.80k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
729
5.80k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
730
5.80k
  return IFCALLRESULT(TRUE, input->MouseEvent, input, pointerFlags, xPos, yPos);
731
5.95k
}
732
733
static BOOL fastpath_recv_input_event_relmouse(rdpFastPath* fastpath, wStream* s,
734
                                               WINPR_ATTR_UNUSED BYTE eventFlags)
735
4.53k
{
736
4.53k
  rdpInput* input = nullptr;
737
4.53k
  UINT16 pointerFlags = 0;
738
4.53k
  INT16 xDelta = 0;
739
4.53k
  INT16 yDelta = 0;
740
4.53k
  WINPR_ASSERT(fastpath);
741
4.53k
  WINPR_ASSERT(fastpath->rdp);
742
4.53k
  WINPR_ASSERT(fastpath->rdp->context);
743
4.53k
  WINPR_ASSERT(fastpath->rdp->input);
744
4.53k
  WINPR_ASSERT(s);
745
746
4.53k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
747
69
    return FALSE;
748
749
4.46k
  input = fastpath->rdp->input;
750
751
4.46k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
752
4.46k
  Stream_Read_INT16(s, xDelta);        /* xDelta (2 bytes) */
753
4.46k
  Stream_Read_INT16(s, yDelta);        /* yDelta (2 bytes) */
754
755
4.46k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasRelativeMouseEvent))
756
0
  {
757
0
    WLog_ERR(TAG,
758
0
             "Received relative mouse event(flags=0x%04" PRIx16 ", xPos=%" PRId16
759
0
             ", yPos=%" PRId16 "), but we did not announce support for that",
760
0
             pointerFlags, xDelta, yDelta);
761
0
    return FALSE;
762
0
  }
763
764
4.46k
  return IFCALLRESULT(TRUE, input->RelMouseEvent, input, pointerFlags, xDelta, yDelta);
765
4.46k
}
766
767
static BOOL fastpath_recv_input_event_qoe(rdpFastPath* fastpath, wStream* s,
768
                                          WINPR_ATTR_UNUSED BYTE eventFlags)
769
2.36k
{
770
2.36k
  WINPR_ASSERT(fastpath);
771
2.36k
  WINPR_ASSERT(fastpath->rdp);
772
2.36k
  WINPR_ASSERT(fastpath->rdp->context);
773
2.36k
  WINPR_ASSERT(fastpath->rdp->input);
774
2.36k
  WINPR_ASSERT(s);
775
776
2.36k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
777
53
    return FALSE;
778
779
2.31k
  rdpInput* input = fastpath->rdp->input;
780
781
2.31k
  UINT32 timestampMS = 0;
782
2.31k
  Stream_Read_UINT32(s, timestampMS); /* timestamp (4 bytes) */
783
784
2.31k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasQoeEvent))
785
0
  {
786
0
    WLog_ERR(TAG,
787
0
             "Received qoe event(timestamp=%" PRIu32
788
0
             "ms), but we did not announce support for that",
789
0
             timestampMS);
790
0
    return FALSE;
791
0
  }
792
793
2.31k
  return IFCALLRESULT(TRUE, input->QoEEvent, input, timestampMS);
794
2.31k
}
795
796
static BOOL fastpath_recv_input_event_mousex(rdpFastPath* fastpath, wStream* s,
797
                                             WINPR_ATTR_UNUSED BYTE eventFlags)
798
3.22k
{
799
3.22k
  rdpInput* input = nullptr;
800
3.22k
  UINT16 pointerFlags = 0;
801
3.22k
  UINT16 xPos = 0;
802
3.22k
  UINT16 yPos = 0;
803
804
3.22k
  WINPR_ASSERT(fastpath);
805
3.22k
  WINPR_ASSERT(fastpath->rdp);
806
3.22k
  WINPR_ASSERT(fastpath->rdp->context);
807
3.22k
  WINPR_ASSERT(fastpath->rdp->input);
808
3.22k
  WINPR_ASSERT(s);
809
810
3.22k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
811
73
    return FALSE;
812
813
3.15k
  input = fastpath->rdp->input;
814
815
3.15k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
816
3.15k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
817
3.15k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
818
819
3.15k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasExtendedMouseEvent))
820
0
  {
821
0
    WLog_ERR(TAG,
822
0
             "Received extended mouse event(flags=0x%04" PRIx16 ", xPos=%" PRIu16
823
0
             ", yPos=%" PRIu16 "), but we did not announce support for that",
824
0
             pointerFlags, xPos, yPos);
825
0
    return FALSE;
826
0
  }
827
828
3.15k
  return IFCALLRESULT(TRUE, input->ExtendedMouseEvent, input, pointerFlags, xPos, yPos);
829
3.15k
}
830
831
static BOOL fastpath_recv_input_event_sync(rdpFastPath* fastpath, WINPR_ATTR_UNUSED wStream* s,
832
                                           BYTE eventFlags)
833
6.84k
{
834
6.84k
  rdpInput* input = nullptr;
835
836
6.84k
  WINPR_ASSERT(fastpath);
837
6.84k
  WINPR_ASSERT(fastpath->rdp);
838
6.84k
  WINPR_ASSERT(fastpath->rdp->input);
839
6.84k
  WINPR_ASSERT(s);
840
841
6.84k
  input = fastpath->rdp->input;
842
6.84k
  return IFCALLRESULT(TRUE, input->SynchronizeEvent, input, eventFlags);
843
6.84k
}
844
845
static BOOL fastpath_recv_input_event_unicode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
846
1.88k
{
847
1.88k
  UINT16 unicodeCode = 0;
848
1.88k
  UINT16 flags = 0;
849
850
1.88k
  WINPR_ASSERT(fastpath);
851
1.88k
  WINPR_ASSERT(s);
852
853
1.88k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
854
49
    return FALSE;
855
856
1.83k
  Stream_Read_UINT16(s, unicodeCode); /* unicodeCode (2 bytes) */
857
1.83k
  flags = 0;
858
859
1.83k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
860
1.34k
    flags |= KBD_FLAGS_RELEASE;
861
862
1.83k
  WINPR_ASSERT(fastpath->rdp);
863
1.83k
  WINPR_ASSERT(fastpath->rdp);
864
1.83k
  WINPR_ASSERT(fastpath->rdp->input);
865
1.83k
  return IFCALLRESULT(FALSE, fastpath->rdp->input->UnicodeKeyboardEvent, fastpath->rdp->input,
866
1.88k
                      flags, unicodeCode);
867
1.88k
}
868
869
static BOOL fastpath_recv_input_event(rdpFastPath* fastpath, wStream* s)
870
92.2k
{
871
92.2k
  BYTE eventFlags = 0;
872
92.2k
  BYTE eventCode = 0;
873
874
92.2k
  WINPR_ASSERT(fastpath);
875
92.2k
  WINPR_ASSERT(s);
876
877
92.2k
  if (!fastpath_read_input_event_header(s, &eventFlags, &eventCode))
878
779
    return FALSE;
879
880
91.4k
  switch (eventCode)
881
91.4k
  {
882
53.1k
    case FASTPATH_INPUT_EVENT_SCANCODE:
883
53.1k
      if (!fastpath_recv_input_event_scancode(fastpath, s, eventFlags))
884
174
        return FALSE;
885
886
52.9k
      break;
887
888
52.9k
    case FASTPATH_INPUT_EVENT_MOUSE:
889
5.95k
      if (!fastpath_recv_input_event_mouse(fastpath, s, eventFlags))
890
141
        return FALSE;
891
892
5.80k
      break;
893
894
5.80k
    case FASTPATH_INPUT_EVENT_MOUSEX:
895
3.22k
      if (!fastpath_recv_input_event_mousex(fastpath, s, eventFlags))
896
73
        return FALSE;
897
898
3.15k
      break;
899
900
6.84k
    case FASTPATH_INPUT_EVENT_SYNC:
901
6.84k
      if (!fastpath_recv_input_event_sync(fastpath, s, eventFlags))
902
0
        return FALSE;
903
904
6.84k
      break;
905
906
6.84k
    case FASTPATH_INPUT_EVENT_UNICODE:
907
1.88k
      if (!fastpath_recv_input_event_unicode(fastpath, s, eventFlags))
908
1.88k
        return FALSE;
909
910
0
      break;
911
912
4.53k
    case TS_FP_RELPOINTER_EVENT:
913
4.53k
      if (!fastpath_recv_input_event_relmouse(fastpath, s, eventFlags))
914
69
        return FALSE;
915
916
4.46k
      break;
917
918
4.46k
    case TS_FP_QOETIMESTAMP_EVENT:
919
2.36k
      if (!fastpath_recv_input_event_qoe(fastpath, s, eventFlags))
920
53
        return FALSE;
921
2.31k
      break;
922
923
13.5k
    default:
924
13.5k
      WLog_ERR(TAG, "Unknown eventCode %" PRIu8 "", eventCode);
925
13.5k
      break;
926
91.4k
  }
927
928
89.0k
  return TRUE;
929
91.4k
}
930
931
state_run_t fastpath_recv_inputs(rdpFastPath* fastpath, wStream* s)
932
15.4k
{
933
15.4k
  WINPR_ASSERT(fastpath);
934
15.4k
  WINPR_ASSERT(s);
935
936
15.4k
  if (fastpath->numberEvents == 0)
937
15.4k
  {
938
    /**
939
     * If numberEvents is not provided in fpInputHeader, it will be provided
940
     * as one additional byte here.
941
     */
942
15.4k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
943
3.37k
      return STATE_RUN_FAILED;
944
945
12.0k
    Stream_Read_UINT8(s, fastpath->numberEvents); /* eventHeader (1 byte) */
946
12.0k
  }
947
948
101k
  for (BYTE i = 0; i < fastpath->numberEvents; i++)
949
92.2k
  {
950
92.2k
    if (!fastpath_recv_input_event(fastpath, s))
951
3.17k
      return STATE_RUN_FAILED;
952
92.2k
  }
953
954
8.88k
  return STATE_RUN_SUCCESS;
955
12.0k
}
956
957
static UINT32 fastpath_get_sec_bytes(rdpRdp* rdp)
958
0
{
959
0
  UINT32 sec_bytes = 0;
960
0
  sec_bytes = 0;
961
962
0
  if (!rdp)
963
0
    return 0;
964
965
0
  if (rdp->do_crypt)
966
0
  {
967
0
    sec_bytes = 8;
968
969
0
    if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
970
0
      sec_bytes += 4;
971
0
  }
972
973
0
  return sec_bytes;
974
0
}
975
976
wStream* fastpath_input_pdu_init_header(rdpFastPath* fastpath, UINT16* sec_flags)
977
0
{
978
0
  if (!fastpath || !fastpath->rdp)
979
0
    return nullptr;
980
981
0
  rdpRdp* rdp = fastpath->rdp;
982
0
  wStream* s = transport_send_stream_init(rdp->transport, 256);
983
984
0
  if (!s)
985
0
    return nullptr;
986
987
0
  Stream_Seek(s, 3); /* fpInputHeader, length1 and length2 */
988
989
0
  if (rdp->do_crypt)
990
0
  {
991
0
    *sec_flags |= SEC_ENCRYPT;
992
993
0
    if (rdp->do_secure_checksum)
994
0
      *sec_flags |= SEC_SECURE_CHECKSUM;
995
0
  }
996
997
0
  Stream_Seek(s, fastpath_get_sec_bytes(rdp));
998
0
  return s;
999
0
}
1000
1001
wStream* fastpath_input_pdu_init(rdpFastPath* fastpath, BYTE eventFlags, BYTE eventCode,
1002
                                 UINT16* sec_flags)
1003
0
{
1004
0
  wStream* s = nullptr;
1005
0
  s = fastpath_input_pdu_init_header(fastpath, sec_flags);
1006
1007
0
  if (!s)
1008
0
    return nullptr;
1009
1010
0
  WINPR_ASSERT(eventCode < 8);
1011
0
  WINPR_ASSERT(eventFlags < 0x20);
1012
0
  Stream_Write_UINT8(s, (UINT8)(eventFlags | (eventCode << 5))); /* eventHeader (1 byte) */
1013
0
  return s;
1014
0
}
1015
1016
BOOL fastpath_send_multiple_input_pdu(rdpFastPath* fastpath, wStream* s, size_t iNumEvents,
1017
                                      UINT16 sec_flags)
1018
0
{
1019
0
  BOOL rc = FALSE;
1020
0
  BYTE eventHeader = 0;
1021
0
  BOOL should_unlock = FALSE;
1022
0
  rdpRdp* rdp = nullptr;
1023
1024
0
  WINPR_ASSERT(iNumEvents > 0);
1025
0
  if (!s)
1026
0
    return FALSE;
1027
1028
0
  if (!fastpath)
1029
0
    goto fail;
1030
1031
0
  rdp = fastpath->rdp;
1032
0
  WINPR_ASSERT(rdp);
1033
1034
0
  {
1035
0
    const CONNECTION_STATE state = rdp_get_state(rdp);
1036
0
    if (!rdp_is_active_state(rdp))
1037
0
    {
1038
0
      WLog_WARN(TAG, "called before activation [%s]", rdp_state_string(state));
1039
0
      goto fail;
1040
0
    }
1041
0
  }
1042
1043
  /*
1044
   *  A maximum of 15 events are allowed per request
1045
   *  if the optional numEvents field isn't used
1046
   *  see MS-RDPBCGR 2.2.8.1.2 for details
1047
   */
1048
0
  if (iNumEvents > 15)
1049
0
    goto fail;
1050
1051
0
  {
1052
0
    size_t length = Stream_GetPosition(s);
1053
1054
0
    if (length >= (2 << 14))
1055
0
    {
1056
0
      WLog_ERR(TAG, "Maximum FastPath PDU length is 32767");
1057
0
      goto fail;
1058
0
    }
1059
1060
0
    eventHeader = FASTPATH_INPUT_ACTION_FASTPATH;
1061
0
    eventHeader |= (iNumEvents << 2); /* numberEvents */
1062
1063
0
    if (sec_flags & SEC_ENCRYPT)
1064
0
      eventHeader |= (FASTPATH_INPUT_ENCRYPTED << 6);
1065
1066
0
    if (sec_flags & SEC_SECURE_CHECKSUM)
1067
0
      eventHeader |= (FASTPATH_INPUT_SECURE_CHECKSUM << 6);
1068
1069
0
    Stream_ResetPosition(s);
1070
0
    Stream_Write_UINT8(s, eventHeader);
1071
    /* Write length later, RDP encryption might add a padding */
1072
0
    Stream_Seek(s, 2);
1073
1074
0
    if (sec_flags & SEC_ENCRYPT)
1075
0
    {
1076
0
      security_lock(rdp);
1077
0
      should_unlock = TRUE;
1078
1079
0
      const size_t sec_bytes = fastpath_get_sec_bytes(fastpath->rdp);
1080
0
      if (sec_bytes + 3ULL > length)
1081
0
        goto fail;
1082
1083
0
      BYTE* fpInputEvents = Stream_PointerAs(s, BYTE) + sec_bytes;
1084
0
      const UINT16 fpInputEvents_length = (UINT16)(length - 3 - sec_bytes);
1085
1086
0
      WINPR_ASSERT(rdp->settings);
1087
0
      if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1088
0
      {
1089
0
        BYTE pad = 0;
1090
1091
0
        if ((pad = 8 - (fpInputEvents_length % 8)) == 8)
1092
0
          pad = 0;
1093
1094
0
        Stream_Write_UINT16(s, 0x10); /* length */
1095
0
        Stream_Write_UINT8(s, 0x1);   /* TSFIPS_VERSION 1*/
1096
0
        Stream_Write_UINT8(s, pad);   /* padding */
1097
1098
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1099
0
          goto fail;
1100
1101
0
        if (!security_hmac_signature(fpInputEvents, fpInputEvents_length, Stream_Pointer(s),
1102
0
                                     8, rdp))
1103
0
          goto fail;
1104
1105
0
        if (pad)
1106
0
          memset(fpInputEvents + fpInputEvents_length, 0, pad);
1107
1108
0
        if (!security_fips_encrypt(fpInputEvents, fpInputEvents_length + pad, rdp))
1109
0
          goto fail;
1110
1111
0
        length += pad;
1112
0
      }
1113
0
      else
1114
0
      {
1115
0
        BOOL res = 0;
1116
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1117
0
          goto fail;
1118
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1119
0
          res = security_salted_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1120
0
                                              TRUE, Stream_Pointer(s), 8);
1121
0
        else
1122
0
          res = security_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1123
0
                                       Stream_Pointer(s), 8);
1124
1125
0
        if (!res || !security_encrypt(fpInputEvents, fpInputEvents_length, rdp))
1126
0
          goto fail;
1127
0
      }
1128
0
    }
1129
1130
    /*
1131
     * We always encode length in two bytes, even though we could use
1132
     * only one byte if length <= 0x7F. It is just easier that way,
1133
     * because we can leave room for fixed-length header, store all
1134
     * the data first and then store the header.
1135
     */
1136
0
    WINPR_ASSERT(length < UINT16_MAX);
1137
0
    if (!Stream_SetPosition(s, 1))
1138
0
      goto fail;
1139
0
    Stream_Write_UINT16_BE(s, 0x8000 | (UINT16)length);
1140
0
    if (!Stream_SetPosition(s, length))
1141
0
      goto fail;
1142
0
    Stream_SealLength(s);
1143
0
  }
1144
1145
0
  if (transport_write(rdp->transport, s) < 0)
1146
0
    goto fail;
1147
1148
0
  rc = TRUE;
1149
0
fail:
1150
0
  if (should_unlock)
1151
0
    security_unlock(rdp);
1152
0
  Stream_Release(s);
1153
0
  return rc;
1154
0
}
1155
1156
BOOL fastpath_send_input_pdu(rdpFastPath* fastpath, wStream* s, UINT16 sec_flags)
1157
0
{
1158
0
  return fastpath_send_multiple_input_pdu(fastpath, s, 1, sec_flags);
1159
0
}
1160
1161
wStream* fastpath_update_pdu_init(rdpFastPath* fastpath)
1162
2.23k
{
1163
2.23k
  return transport_send_stream_init(fastpath->rdp->transport, FASTPATH_MAX_PACKET_SIZE);
1164
2.23k
}
1165
1166
wStream* fastpath_update_pdu_init_new(WINPR_ATTR_UNUSED rdpFastPath* fastpath)
1167
7.90k
{
1168
7.90k
  wStream* s = nullptr;
1169
7.90k
  s = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1170
7.90k
  return s;
1171
7.90k
}
1172
1173
BOOL fastpath_send_update_pdu(rdpFastPath* fastpath, BYTE updateCode, wStream* s,
1174
                              BOOL skipCompression)
1175
2.79k
{
1176
2.79k
  BOOL status = TRUE;
1177
2.79k
  wStream* fs = nullptr;
1178
2.79k
  rdpSettings* settings = nullptr;
1179
2.79k
  rdpRdp* rdp = nullptr;
1180
2.79k
  UINT32 fpHeaderSize = 6;
1181
2.79k
  UINT32 fpUpdatePduHeaderSize = 0;
1182
2.79k
  UINT32 fpUpdateHeaderSize = 0;
1183
2.79k
  FASTPATH_UPDATE_PDU_HEADER fpUpdatePduHeader = WINPR_C_ARRAY_INIT;
1184
2.79k
  FASTPATH_UPDATE_HEADER fpUpdateHeader = WINPR_C_ARRAY_INIT;
1185
2.79k
  UINT16 sec_flags = 0;
1186
1187
2.79k
  if (!fastpath || !fastpath->rdp || !fastpath->fs || !s)
1188
0
    return FALSE;
1189
1190
2.79k
  rdp = fastpath->rdp;
1191
2.79k
  fs = fastpath->fs;
1192
2.79k
  settings = rdp->settings;
1193
1194
2.79k
  if (!settings)
1195
0
    return FALSE;
1196
1197
2.79k
  UINT16 maxLength = FASTPATH_MAX_PACKET_SIZE - 20;
1198
1199
2.79k
  if (settings->CompressionEnabled && !skipCompression)
1200
2.79k
  {
1201
2.79k
    const UINT16 CompressionMaxSize = bulk_compression_max_size(rdp->bulk);
1202
2.79k
    maxLength = (maxLength < CompressionMaxSize) ? maxLength : CompressionMaxSize;
1203
2.79k
    maxLength -= 20;
1204
2.79k
  }
1205
1206
2.79k
  size_t totalLength = Stream_GetPosition(s);
1207
2.79k
  Stream_ResetPosition(s);
1208
1209
  /* check if fast path output is possible */
1210
2.79k
  if (!settings->FastPathOutput)
1211
0
  {
1212
0
    WLog_ERR(TAG, "client does not support fast path output");
1213
0
    return FALSE;
1214
0
  }
1215
1216
  /* check if the client's fast path pdu buffer is large enough */
1217
2.79k
  if (totalLength > freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize))
1218
2.67k
  {
1219
2.67k
    WLog_ERR(TAG,
1220
2.67k
             "fast path update size (%" PRIuz
1221
2.67k
             ") exceeds the client's maximum request size (%" PRIu32 ")",
1222
2.67k
             totalLength,
1223
2.67k
             freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize));
1224
2.67k
    return FALSE;
1225
2.67k
  }
1226
1227
123
  if (rdp->do_crypt)
1228
0
  {
1229
0
    sec_flags |= SEC_ENCRYPT;
1230
1231
0
    if (rdp->do_secure_checksum)
1232
0
      sec_flags |= SEC_SECURE_CHECKSUM;
1233
0
  }
1234
1235
123
  for (int fragment = 0; (totalLength > 0) || (fragment == 0); fragment++)
1236
123
  {
1237
123
    UINT32 DstSize = 0;
1238
123
    const BYTE* pDstData = nullptr;
1239
123
    UINT32 compressionFlags = 0;
1240
123
    BYTE pad = 0;
1241
123
    BYTE* pSignature = nullptr;
1242
123
    fpUpdatePduHeader.action = 0;
1243
123
    fpUpdatePduHeader.secFlags = 0;
1244
123
    fpUpdateHeader.compression = 0;
1245
123
    fpUpdateHeader.compressionFlags = 0;
1246
123
    fpUpdateHeader.updateCode = updateCode;
1247
123
    fpUpdateHeader.size = (UINT16)(totalLength > maxLength) ? maxLength : (UINT16)totalLength;
1248
123
    const BYTE* pSrcData = Stream_Pointer(s);
1249
123
    UINT32 SrcSize = DstSize = fpUpdateHeader.size;
1250
123
    BOOL should_unlock = FALSE;
1251
1252
123
    if (sec_flags & SEC_ENCRYPT)
1253
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_ENCRYPTED;
1254
1255
123
    if (sec_flags & SEC_SECURE_CHECKSUM)
1256
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_SECURE_CHECKSUM;
1257
1258
123
    if (settings->CompressionEnabled && !skipCompression)
1259
123
    {
1260
123
      if (bulk_compress(rdp->bulk, pSrcData, SrcSize, &pDstData, &DstSize,
1261
123
                        &compressionFlags) >= 0)
1262
123
      {
1263
123
        if (compressionFlags)
1264
0
        {
1265
0
          WINPR_ASSERT(compressionFlags <= UINT8_MAX);
1266
0
          fpUpdateHeader.compressionFlags = (UINT8)compressionFlags;
1267
0
          fpUpdateHeader.compression = FASTPATH_OUTPUT_COMPRESSION_USED;
1268
0
        }
1269
123
      }
1270
123
    }
1271
1272
123
    if (!fpUpdateHeader.compression)
1273
123
    {
1274
123
      pDstData = Stream_Pointer(s);
1275
123
      DstSize = fpUpdateHeader.size;
1276
123
    }
1277
1278
123
    if (DstSize > UINT16_MAX)
1279
0
      return FALSE;
1280
123
    fpUpdateHeader.size = (UINT16)DstSize;
1281
123
    totalLength -= SrcSize;
1282
1283
123
    if (totalLength == 0)
1284
123
      fpUpdateHeader.fragmentation =
1285
123
          (fragment == 0) ? FASTPATH_FRAGMENT_SINGLE : FASTPATH_FRAGMENT_LAST;
1286
0
    else
1287
0
      fpUpdateHeader.fragmentation =
1288
0
          (fragment == 0) ? FASTPATH_FRAGMENT_FIRST : FASTPATH_FRAGMENT_NEXT;
1289
1290
123
    fpUpdateHeaderSize = fastpath_get_update_header_size(&fpUpdateHeader);
1291
123
    fpUpdatePduHeaderSize = fastpath_get_update_pdu_header_size(&fpUpdatePduHeader, rdp);
1292
123
    fpHeaderSize = fpUpdateHeaderSize + fpUpdatePduHeaderSize;
1293
1294
123
    if (sec_flags & SEC_ENCRYPT)
1295
0
    {
1296
0
      pSignature = Stream_Buffer(fs) + 3;
1297
1298
0
      if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1299
0
      {
1300
0
        pSignature += 4;
1301
1302
0
        if ((pad = 8 - ((DstSize + fpUpdateHeaderSize) % 8)) == 8)
1303
0
          pad = 0;
1304
1305
0
        fpUpdatePduHeader.fipsInformation[0] = 0x10;
1306
0
        fpUpdatePduHeader.fipsInformation[1] = 0x00;
1307
0
        fpUpdatePduHeader.fipsInformation[2] = 0x01;
1308
0
        fpUpdatePduHeader.fipsInformation[3] = pad;
1309
0
      }
1310
0
    }
1311
1312
123
    const size_t len = fpUpdateHeader.size + fpHeaderSize + pad;
1313
123
    if (len > UINT16_MAX)
1314
0
      return FALSE;
1315
1316
123
    fpUpdatePduHeader.length = (UINT16)len;
1317
123
    Stream_ResetPosition(fs);
1318
123
    if (!fastpath_write_update_pdu_header(fs, &fpUpdatePduHeader, rdp))
1319
0
      return FALSE;
1320
123
    if (!fastpath_write_update_header(fs, &fpUpdateHeader))
1321
0
      return FALSE;
1322
1323
123
    if (!Stream_CheckAndLogRequiredCapacity(TAG, (fs), (size_t)DstSize + pad))
1324
0
      return FALSE;
1325
123
    Stream_Write(fs, pDstData, DstSize);
1326
1327
123
    if (pad)
1328
0
      Stream_Zero(fs, pad);
1329
1330
123
    BOOL res = FALSE;
1331
123
    if (sec_flags & SEC_ENCRYPT)
1332
0
    {
1333
0
      security_lock(rdp);
1334
1335
0
      should_unlock = TRUE;
1336
0
      UINT32 dataSize = fpUpdateHeaderSize + DstSize + pad;
1337
0
      BYTE* data = Stream_PointerAs(fs, BYTE) - dataSize;
1338
1339
0
      if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1340
0
      {
1341
        // TODO: Ensure stream capacity
1342
0
        if (!security_hmac_signature(data, dataSize - pad, pSignature, 8, rdp))
1343
0
          goto unlock;
1344
1345
0
        if (!security_fips_encrypt(data, dataSize, rdp))
1346
0
          goto unlock;
1347
0
      }
1348
0
      else
1349
0
      {
1350
        // TODO: Ensure stream capacity
1351
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1352
0
          status =
1353
0
              security_salted_mac_signature(rdp, data, dataSize, TRUE, pSignature, 8);
1354
0
        else
1355
0
          status = security_mac_signature(rdp, data, dataSize, pSignature, 8);
1356
1357
0
        if (!status || !security_encrypt(data, dataSize, rdp))
1358
0
          goto unlock;
1359
0
      }
1360
0
    }
1361
123
    res = TRUE;
1362
1363
123
    Stream_SealLength(fs);
1364
1365
123
    if (transport_write(rdp->transport, fs) < 0)
1366
123
    {
1367
123
      status = FALSE;
1368
123
    }
1369
1370
123
  unlock:
1371
123
    if (should_unlock)
1372
0
      security_unlock(rdp);
1373
1374
123
    if (!res || !status)
1375
123
      return FALSE;
1376
1377
0
    Stream_Seek(s, SrcSize);
1378
0
  }
1379
1380
0
  return status;
1381
123
}
1382
1383
rdpFastPath* fastpath_new(rdpRdp* rdp)
1384
15.4k
{
1385
15.4k
  rdpFastPath* fastpath = nullptr;
1386
1387
15.4k
  WINPR_ASSERT(rdp);
1388
1389
15.4k
  fastpath = (rdpFastPath*)calloc(1, sizeof(rdpFastPath));
1390
1391
15.4k
  if (!fastpath)
1392
0
    return nullptr;
1393
1394
15.4k
  fastpath->rdp = rdp;
1395
15.4k
  fastpath->fragmentation = -1;
1396
15.4k
  fastpath->fs = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1397
15.4k
  fastpath->updateData = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1398
1399
15.4k
  if (!fastpath->fs || !fastpath->updateData)
1400
0
    goto out_free;
1401
1402
15.4k
  return fastpath;
1403
0
out_free:
1404
0
  fastpath_free(fastpath);
1405
0
  return nullptr;
1406
15.4k
}
1407
1408
void fastpath_free(rdpFastPath* fastpath)
1409
15.4k
{
1410
15.4k
  if (fastpath)
1411
15.4k
  {
1412
15.4k
    Stream_Free(fastpath->updateData, TRUE);
1413
15.4k
    Stream_Free(fastpath->fs, TRUE);
1414
15.4k
    free(fastpath);
1415
15.4k
  }
1416
15.4k
}
1417
1418
BYTE fastpath_get_encryption_flags(rdpFastPath* fastpath)
1419
17.4k
{
1420
17.4k
  WINPR_ASSERT(fastpath);
1421
17.4k
  return fastpath->encryptionFlags;
1422
17.4k
}
1423
1424
BOOL fastpath_decrypt(rdpFastPath* fastpath, wStream* s, UINT16* length)
1425
15.4k
{
1426
15.4k
  WINPR_ASSERT(fastpath);
1427
15.4k
  if (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_ENCRYPTED)
1428
1.97k
  {
1429
1.97k
    const UINT16 flags =
1430
1.97k
        (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_SECURE_CHECKSUM)
1431
1.97k
            ? SEC_SECURE_CHECKSUM
1432
1.97k
            : 0;
1433
1434
1.97k
    if (!rdp_decrypt(fastpath->rdp, s, length, flags))
1435
0
      return FALSE;
1436
1.97k
  }
1437
1438
15.4k
  return TRUE;
1439
15.4k
}