Coverage Report

Created: 2026-03-07 07:07

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/libfreerdp/core/fastpath.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * Fast Path
4
 *
5
 * Copyright 2011 Vic Lee
6
 * Copyright 2014 Norbert Federa <norbert.federa@thincast.com>
7
 * Copyright 2017 Armin Novak <armin.novak@thincast.com>
8
 * Copyright 2017 Thincast Technologies GmbH
9
 *
10
 * Licensed under the Apache License, Version 2.0 (the "License");
11
 * you may not use this file except in compliance with the License.
12
 * You may obtain a copy of the License at
13
 *
14
 *     http://www.apache.org/licenses/LICENSE-2.0
15
 *
16
 * Unless required by applicable law or agreed to in writing, software
17
 * distributed under the License is distributed on an "AS IS" BASIS,
18
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19
 * See the License for the specific language governing permissions and
20
 * limitations under the License.
21
 */
22
23
#include <freerdp/config.h>
24
25
#include "settings.h"
26
27
#include <stdio.h>
28
#include <stdlib.h>
29
#include <string.h>
30
31
#include <winpr/crt.h>
32
#include <winpr/assert.h>
33
#include <winpr/stream.h>
34
35
#include <freerdp/api.h>
36
#include <freerdp/log.h>
37
#include <freerdp/crypto/per.h>
38
39
#include "orders.h"
40
#include "update.h"
41
#include "surface.h"
42
#include "fastpath.h"
43
#include "rdp.h"
44
45
#include "../cache/pointer.h"
46
#include "../cache/palette.h"
47
#include "../cache/bitmap.h"
48
49
#define TAG FREERDP_TAG("core.fastpath")
50
51
enum FASTPATH_INPUT_ENCRYPTION_FLAGS
52
{
53
  FASTPATH_INPUT_SECURE_CHECKSUM = 0x1,
54
  FASTPATH_INPUT_ENCRYPTED = 0x2
55
};
56
57
enum FASTPATH_OUTPUT_ENCRYPTION_FLAGS
58
{
59
  FASTPATH_OUTPUT_SECURE_CHECKSUM = 0x1,
60
  FASTPATH_OUTPUT_ENCRYPTED = 0x2
61
};
62
63
struct rdp_fastpath
64
{
65
  rdpRdp* rdp;
66
  wStream* fs;
67
  BYTE encryptionFlags;
68
  BYTE numberEvents;
69
  wStream* updateData;
70
  int fragmentation;
71
};
72
73
/**
74
 * Fast-Path packet format is defined in [MS-RDPBCGR] 2.2.9.1.2, which revises
75
 * server output packets from the first byte with the goal of improving
76
 * bandwidth.
77
 *
78
 * Slow-Path packet always starts with TPKT header, which has the first
79
 * byte 0x03, while Fast-Path packet starts with 2 zero bits in the first
80
 * two less significant bits of the first byte.
81
 */
82
83
static const char* const FASTPATH_UPDATETYPE_STRINGS[] = {
84
  "Orders",                 /* 0x0 */
85
  "Bitmap",                 /* 0x1 */
86
  "Palette",                /* 0x2 */
87
  "Synchronize",            /* 0x3 */
88
  "Surface Commands",       /* 0x4 */
89
  "System Pointer Hidden",  /* 0x5 */
90
  "System Pointer Default", /* 0x6 */
91
  "???",                    /* 0x7 */
92
  "Pointer Position",       /* 0x8 */
93
  "Color Pointer",          /* 0x9 */
94
  "Cached Pointer",         /* 0xA */
95
  "New Pointer",            /* 0xB */
96
};
97
98
static const char* fastpath_update_to_string(UINT8 update)
99
8.23k
{
100
8.23k
  if (update >= ARRAYSIZE(FASTPATH_UPDATETYPE_STRINGS))
101
421
    return "UNKNOWN";
102
103
7.81k
  return FASTPATH_UPDATETYPE_STRINGS[update];
104
8.23k
}
105
106
static BOOL fastpath_read_update_header(wStream* s, BYTE* updateCode, BYTE* fragmentation,
107
                                        BYTE* compression)
108
28.3k
{
109
28.3k
  BYTE updateHeader = 0;
110
111
28.3k
  if (!s || !updateCode || !fragmentation || !compression)
112
0
    return FALSE;
113
114
28.3k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
115
0
    return FALSE;
116
117
28.3k
  Stream_Read_UINT8(s, updateHeader);
118
28.3k
  *updateCode = updateHeader & 0x0F;
119
28.3k
  *fragmentation = (updateHeader >> 4) & 0x03;
120
28.3k
  *compression = (updateHeader >> 6) & 0x03;
121
28.3k
  return TRUE;
122
28.3k
}
123
124
static BOOL fastpath_write_update_header(wStream* s, const FASTPATH_UPDATE_HEADER* fpUpdateHeader)
125
126
{
126
126
  BYTE updateHeader = 0;
127
126
  WINPR_ASSERT(fpUpdateHeader);
128
129
126
  updateHeader |= fpUpdateHeader->updateCode & 0x0F;
130
126
  updateHeader |= (fpUpdateHeader->fragmentation & 0x03) << 4;
131
126
  updateHeader |= (fpUpdateHeader->compression & 0x03) << 6;
132
133
126
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
134
0
    return FALSE;
135
126
  Stream_Write_UINT8(s, updateHeader);
136
137
126
  if (fpUpdateHeader->compression)
138
0
  {
139
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
140
0
      return FALSE;
141
142
0
    Stream_Write_UINT8(s, fpUpdateHeader->compressionFlags);
143
0
  }
144
145
126
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 2))
146
0
    return FALSE;
147
148
126
  Stream_Write_UINT16(s, fpUpdateHeader->size);
149
126
  return TRUE;
150
126
}
151
152
static UINT32 fastpath_get_update_header_size(FASTPATH_UPDATE_HEADER* fpUpdateHeader)
153
126
{
154
126
  WINPR_ASSERT(fpUpdateHeader);
155
126
  return (fpUpdateHeader->compression) ? 4 : 3;
156
126
}
157
158
static BOOL fastpath_write_update_pdu_header(wStream* s,
159
                                             const FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
160
                                             rdpRdp* rdp)
161
126
{
162
126
  BYTE fpOutputHeader = 0;
163
126
  WINPR_ASSERT(fpUpdatePduHeader);
164
126
  WINPR_ASSERT(rdp);
165
166
126
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 3))
167
0
    return FALSE;
168
169
126
  fpOutputHeader |= (fpUpdatePduHeader->action & 0x03);
170
126
  fpOutputHeader |= (fpUpdatePduHeader->secFlags & 0x03) << 6;
171
126
  Stream_Write_UINT8(s, fpOutputHeader);                          /* fpOutputHeader (1 byte) */
172
126
  Stream_Write_UINT8(s, 0x80 | (fpUpdatePduHeader->length >> 8)); /* length1 */
173
126
  Stream_Write_UINT8(s, fpUpdatePduHeader->length & 0xFF);        /* length2 */
174
175
126
  if (fpUpdatePduHeader->secFlags)
176
0
  {
177
0
    WINPR_ASSERT(rdp->settings);
178
0
    if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
179
0
    {
180
0
      if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 4))
181
0
        return FALSE;
182
183
0
      Stream_Write(s, fpUpdatePduHeader->fipsInformation, 4);
184
0
    }
185
186
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
187
0
      return FALSE;
188
189
0
    Stream_Write(s, fpUpdatePduHeader->dataSignature, 8);
190
0
  }
191
192
126
  return TRUE;
193
126
}
194
195
static UINT32 fastpath_get_update_pdu_header_size(FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
196
                                                  rdpRdp* rdp)
197
126
{
198
126
  UINT32 size = 3; /* fpUpdatePduHeader + length1 + length2 */
199
200
126
  if (!fpUpdatePduHeader || !rdp)
201
0
    return 0;
202
203
126
  if (fpUpdatePduHeader->secFlags)
204
0
  {
205
0
    size += 8; /* dataSignature */
206
207
0
    WINPR_ASSERT(rdp->settings);
208
0
    if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
209
0
      size += 4; /* fipsInformation */
210
0
  }
211
212
126
  return size;
213
126
}
214
215
BOOL fastpath_read_header_rdp(rdpFastPath* fastpath, wStream* s, UINT16* length)
216
15.9k
{
217
15.9k
  BYTE header = 0;
218
219
15.9k
  if (!s || !length)
220
0
    return FALSE;
221
222
15.9k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
223
4.79k
    return FALSE;
224
225
11.1k
  Stream_Read_UINT8(s, header);
226
227
11.1k
  if (fastpath)
228
11.1k
  {
229
11.1k
    fastpath->encryptionFlags = (header & 0xC0) >> 6;
230
11.1k
    fastpath->numberEvents = (header & 0x3C) >> 2;
231
11.1k
  }
232
233
11.1k
  if (!per_read_length(s, length))
234
177
    return FALSE;
235
236
10.9k
  const size_t pos = Stream_GetPosition(s);
237
10.9k
  if (pos > *length)
238
7.61k
    return FALSE;
239
240
3.32k
  *length = *length - (UINT16)pos;
241
3.32k
  return TRUE;
242
10.9k
}
243
244
static BOOL fastpath_recv_orders(rdpFastPath* fastpath, wStream* s)
245
8.30k
{
246
8.30k
  rdpUpdate* update = nullptr;
247
8.30k
  UINT16 numberOrders = 0;
248
249
8.30k
  if (!fastpath || !fastpath->rdp || !s)
250
0
  {
251
0
    WLog_ERR(TAG, "Invalid arguments");
252
0
    return FALSE;
253
0
  }
254
255
8.30k
  update = fastpath->rdp->update;
256
257
8.30k
  if (!update)
258
0
  {
259
0
    WLog_ERR(TAG, "Invalid configuration");
260
0
    return FALSE;
261
0
  }
262
263
8.30k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
264
1.60k
    return FALSE;
265
266
6.69k
  Stream_Read_UINT16(s, numberOrders); /* numberOrders (2 bytes) */
267
268
187k
  while (numberOrders > 0)
269
182k
  {
270
182k
    if (!update_recv_order(update, s))
271
2.30k
      return FALSE;
272
273
180k
    numberOrders--;
274
180k
  }
275
276
4.39k
  return TRUE;
277
6.69k
}
278
279
static BOOL fastpath_recv_update_common(rdpFastPath* fastpath, wStream* s)
280
1.12k
{
281
1.12k
  BOOL rc = FALSE;
282
1.12k
  UINT16 updateType = 0;
283
1.12k
  rdpUpdate* update = nullptr;
284
1.12k
  rdpContext* context = nullptr;
285
1.12k
  BOOL defaultReturn = 0;
286
287
1.12k
  if (!fastpath || !s || !fastpath->rdp)
288
0
    return FALSE;
289
290
1.12k
  update = fastpath->rdp->update;
291
292
1.12k
  if (!update || !update->context)
293
0
    return FALSE;
294
295
1.12k
  context = update->context;
296
297
1.12k
  defaultReturn = freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
298
299
1.12k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
300
551
    return FALSE;
301
302
575
  Stream_Read_UINT16(s, updateType); /* updateType (2 bytes) */
303
575
  switch (updateType)
304
575
  {
305
263
    case UPDATE_TYPE_BITMAP:
306
263
    {
307
263
      BITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);
308
309
263
      if (!bitmap_update)
310
150
        return FALSE;
311
312
113
      rc = IFCALLRESULT(defaultReturn, update->BitmapUpdate, context, bitmap_update);
313
113
      free_bitmap_update(context, bitmap_update);
314
113
    }
315
0
    break;
316
317
206
    case UPDATE_TYPE_PALETTE:
318
206
    {
319
206
      PALETTE_UPDATE* palette_update = update_read_palette(update, s);
320
321
206
      if (!palette_update)
322
162
        return FALSE;
323
324
44
      rc = IFCALLRESULT(defaultReturn, update->Palette, context, palette_update);
325
44
      free_palette_update(context, palette_update);
326
44
    }
327
0
    break;
328
329
106
    default:
330
106
      break;
331
575
  }
332
333
263
  return rc;
334
575
}
335
336
static BOOL fastpath_recv_update_synchronize(WINPR_ATTR_UNUSED rdpFastPath* fastpath, wStream* s)
337
3.79k
{
338
  /* server 2008 can send invalid synchronize packet with missing padding,
339
    so don't return FALSE even if the packet is invalid */
340
3.79k
  WINPR_ASSERT(fastpath);
341
3.79k
  WINPR_ASSERT(s);
342
343
3.79k
  const size_t len = Stream_GetRemainingLength(s);
344
3.79k
  const size_t skip = MIN(2, len);
345
3.79k
  return Stream_SafeSeek(s, skip); /* size (2 bytes), MUST be set to zero */
346
3.79k
}
347
348
static int fastpath_recv_update(rdpFastPath* fastpath, BYTE updateCode, wStream* s)
349
18.2k
{
350
18.2k
  BOOL rc = FALSE;
351
18.2k
  int status = 0;
352
353
18.2k
  if (!fastpath || !fastpath->rdp || !s)
354
0
    return -1;
355
356
18.2k
  Stream_SealLength(s);
357
18.2k
  Stream_ResetPosition(s);
358
359
18.2k
  rdpUpdate* update = fastpath->rdp->update;
360
361
18.2k
  if (!update || !update->pointer || !update->context)
362
0
    return -1;
363
364
18.2k
  rdpContext* context = update->context;
365
18.2k
  WINPR_ASSERT(context);
366
367
18.2k
  rdpPointerUpdate* pointer = update->pointer;
368
18.2k
  WINPR_ASSERT(pointer);
369
370
#ifdef WITH_DEBUG_RDP
371
  DEBUG_RDP(fastpath->rdp, "recv Fast-Path %s Update (0x%02" PRIX8 "), length:%" PRIuz "",
372
            fastpath_update_to_string(updateCode), updateCode, Stream_GetRemainingLength(s));
373
#endif
374
375
18.2k
  const BOOL defaultReturn =
376
18.2k
      freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
377
18.2k
  switch (updateCode)
378
18.2k
  {
379
8.30k
    case FASTPATH_UPDATETYPE_ORDERS:
380
8.30k
      rc = fastpath_recv_orders(fastpath, s);
381
8.30k
      break;
382
383
886
    case FASTPATH_UPDATETYPE_BITMAP:
384
1.12k
    case FASTPATH_UPDATETYPE_PALETTE:
385
1.12k
      rc = fastpath_recv_update_common(fastpath, s);
386
1.12k
      break;
387
388
3.79k
    case FASTPATH_UPDATETYPE_SYNCHRONIZE:
389
3.79k
      if (!fastpath_recv_update_synchronize(fastpath, s))
390
0
        WLog_ERR(TAG, "fastpath_recv_update_synchronize failure but we continue");
391
3.79k
      else
392
3.79k
        rc = IFCALLRESULT(TRUE, update->Synchronize, context);
393
394
3.79k
      break;
395
396
3.76k
    case FASTPATH_UPDATETYPE_SURFCMDS:
397
3.76k
      status = update_recv_surfcmds(update, s);
398
3.76k
      rc = (status >= 0);
399
3.76k
      break;
400
401
65
    case FASTPATH_UPDATETYPE_PTR_NULL:
402
65
    {
403
65
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
404
65
      pointer_system.type = SYSPTR_NULL;
405
65
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
406
65
    }
407
65
    break;
408
409
78
    case FASTPATH_UPDATETYPE_PTR_DEFAULT:
410
78
    {
411
78
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
412
78
      pointer_system.type = SYSPTR_DEFAULT;
413
78
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
414
78
    }
415
78
    break;
416
417
165
    case FASTPATH_UPDATETYPE_PTR_POSITION:
418
165
    {
419
165
      POINTER_POSITION_UPDATE* pointer_position = update_read_pointer_position(update, s);
420
421
165
      if (pointer_position)
422
81
      {
423
81
        rc = IFCALLRESULT(defaultReturn, pointer->PointerPosition, context,
424
81
                          pointer_position);
425
81
        free_pointer_position_update(context, pointer_position);
426
81
      }
427
165
    }
428
165
    break;
429
430
238
    case FASTPATH_UPDATETYPE_COLOR:
431
238
    {
432
238
      POINTER_COLOR_UPDATE* pointer_color = update_read_pointer_color(update, s, 24);
433
434
238
      if (pointer_color)
435
101
      {
436
101
        rc = IFCALLRESULT(defaultReturn, pointer->PointerColor, context, pointer_color);
437
101
        free_pointer_color_update(context, pointer_color);
438
101
      }
439
238
    }
440
238
    break;
441
442
142
    case FASTPATH_UPDATETYPE_CACHED:
443
142
    {
444
142
      POINTER_CACHED_UPDATE* pointer_cached = update_read_pointer_cached(update, s);
445
446
142
      if (pointer_cached)
447
43
      {
448
43
        rc = IFCALLRESULT(defaultReturn, pointer->PointerCached, context, pointer_cached);
449
43
        free_pointer_cached_update(context, pointer_cached);
450
43
      }
451
142
    }
452
142
    break;
453
454
95
    case FASTPATH_UPDATETYPE_POINTER:
455
95
    {
456
95
      POINTER_NEW_UPDATE* pointer_new = update_read_pointer_new(update, s);
457
458
95
      if (pointer_new)
459
15
      {
460
15
        rc = IFCALLRESULT(defaultReturn, pointer->PointerNew, context, pointer_new);
461
15
        free_pointer_new_update(context, pointer_new);
462
15
      }
463
95
    }
464
95
    break;
465
466
405
    case FASTPATH_UPDATETYPE_LARGE_POINTER:
467
405
    {
468
405
      POINTER_LARGE_UPDATE* pointer_large = update_read_pointer_large(update, s);
469
470
405
      if (pointer_large)
471
114
      {
472
114
        rc = IFCALLRESULT(defaultReturn, pointer->PointerLarge, context, pointer_large);
473
114
        free_pointer_large_update(context, pointer_large);
474
114
      }
475
405
    }
476
405
    break;
477
41
    default:
478
41
      break;
479
18.2k
  }
480
481
18.2k
  Stream_ResetPosition(s);
482
18.2k
  if (!rc)
483
8.23k
  {
484
8.23k
    WLog_ERR(TAG, "Fastpath update %s [%" PRIx8 "] failed, status %d",
485
8.23k
             fastpath_update_to_string(updateCode), updateCode, status);
486
8.23k
    return -1;
487
8.23k
  }
488
489
9.98k
  return status;
490
18.2k
}
491
492
static int fastpath_recv_update_data(rdpFastPath* fastpath, wStream* s)
493
28.3k
{
494
28.3k
  int status = 0;
495
28.3k
  UINT16 size = 0;
496
28.3k
  BYTE updateCode = 0;
497
28.3k
  BYTE fragmentation = 0;
498
28.3k
  BYTE compression = 0;
499
28.3k
  BYTE compressionFlags = 0;
500
28.3k
  UINT32 DstSize = 0;
501
28.3k
  const BYTE* pDstData = nullptr;
502
503
28.3k
  if (!fastpath || !s)
504
0
    return -1;
505
506
28.3k
  rdpRdp* rdp = fastpath->rdp;
507
508
28.3k
  if (!rdp)
509
0
    return -1;
510
511
28.3k
  rdpTransport* transport = rdp->transport;
512
513
28.3k
  if (!transport)
514
0
    return -1;
515
516
28.3k
  if (!fastpath_read_update_header(s, &updateCode, &fragmentation, &compression))
517
0
    return -1;
518
519
28.3k
  if (compression == FASTPATH_OUTPUT_COMPRESSION_USED)
520
10.6k
  {
521
10.6k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
522
0
      return -1;
523
524
10.6k
    Stream_Read_UINT8(s, compressionFlags);
525
10.6k
  }
526
17.6k
  else
527
17.6k
    compressionFlags = 0;
528
529
28.3k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
530
18
    return -1;
531
532
28.3k
  Stream_Read_UINT16(s, size);
533
534
28.3k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, size))
535
5.25k
    return -1;
536
537
23.0k
  const int bulkStatus =
538
23.0k
      bulk_decompress(rdp->bulk, Stream_Pointer(s), size, &pDstData, &DstSize, compressionFlags);
539
23.0k
  Stream_Seek(s, size);
540
541
23.0k
  if (bulkStatus < 0)
542
1.31k
  {
543
1.31k
    WLog_ERR(TAG, "bulk_decompress() failed");
544
1.31k
    return -1;
545
1.31k
  }
546
547
21.7k
  if (!Stream_EnsureRemainingCapacity(fastpath->updateData, DstSize))
548
0
    return -1;
549
550
21.7k
  Stream_Write(fastpath->updateData, pDstData, DstSize);
551
552
21.7k
  if (fragmentation == FASTPATH_FRAGMENT_SINGLE)
553
17.5k
  {
554
17.5k
    if (fastpath->fragmentation != -1)
555
66
    {
556
66
      WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_SINGLE");
557
66
      goto out_fail;
558
66
    }
559
560
17.4k
    status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
561
562
17.4k
    if (status < 0)
563
8.23k
    {
564
8.23k
      WLog_ERR(TAG, "fastpath_recv_update() - %i", status);
565
8.23k
      goto out_fail;
566
8.23k
    }
567
17.4k
  }
568
4.24k
  else
569
4.24k
  {
570
4.24k
    rdpContext* context = nullptr;
571
4.24k
    const size_t totalSize = Stream_GetPosition(fastpath->updateData);
572
573
4.24k
    context = transport_get_context(transport);
574
4.24k
    WINPR_ASSERT(context);
575
4.24k
    WINPR_ASSERT(context->settings);
576
577
4.24k
    if (totalSize >
578
4.24k
        freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize))
579
140
    {
580
140
      WLog_ERR(
581
140
          TAG, "Total size (%" PRIuz ") exceeds MultifragMaxRequestSize (%" PRIu32 ")",
582
140
          totalSize,
583
140
          freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize));
584
140
      goto out_fail;
585
140
    }
586
587
4.10k
    if (fragmentation == FASTPATH_FRAGMENT_FIRST)
588
1.03k
    {
589
1.03k
      if (fastpath->fragmentation != -1)
590
22
      {
591
22
        WLog_ERR(TAG, "fastpath_recv_update_data: Unexpected FASTPATH_FRAGMENT_FIRST");
592
22
        goto out_fail;
593
22
      }
594
595
1.00k
      fastpath->fragmentation = FASTPATH_FRAGMENT_FIRST;
596
1.00k
    }
597
3.07k
    else if (fragmentation == FASTPATH_FRAGMENT_NEXT)
598
2.13k
    {
599
2.13k
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
600
1.81k
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
601
261
      {
602
261
        WLog_ERR(TAG, "fastpath_recv_update_data: Unexpected FASTPATH_FRAGMENT_NEXT");
603
261
        goto out_fail;
604
261
      }
605
606
1.87k
      fastpath->fragmentation = FASTPATH_FRAGMENT_NEXT;
607
1.87k
    }
608
934
    else if (fragmentation == FASTPATH_FRAGMENT_LAST)
609
934
    {
610
934
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
611
381
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
612
153
      {
613
153
        WLog_ERR(TAG, "fastpath_recv_update_data: Unexpected FASTPATH_FRAGMENT_LAST");
614
153
        goto out_fail;
615
153
      }
616
617
781
      fastpath->fragmentation = -1;
618
781
      status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
619
620
781
      if (status < 0)
621
5
      {
622
5
        WLog_ERR(TAG, "fastpath_recv_update_data: fastpath_recv_update() - %i", status);
623
5
        goto out_fail;
624
5
      }
625
781
    }
626
4.10k
  }
627
628
12.8k
  return status;
629
8.87k
out_fail:
630
8.87k
  return -1;
631
21.7k
}
632
633
state_run_t fastpath_recv_updates(rdpFastPath* fastpath, wStream* s)
634
15.9k
{
635
15.9k
  state_run_t rc = STATE_RUN_FAILED;
636
637
15.9k
  WINPR_ASSERT(s);
638
15.9k
  WINPR_ASSERT(fastpath);
639
15.9k
  WINPR_ASSERT(fastpath->rdp);
640
641
15.9k
  rdpUpdate* update = fastpath->rdp->update;
642
15.9k
  WINPR_ASSERT(update);
643
644
15.9k
  if (!update_begin_paint(update))
645
0
    goto fail;
646
647
28.7k
  while (Stream_GetRemainingLength(s) >= 3)
648
28.3k
  {
649
28.3k
    if (fastpath_recv_update_data(fastpath, s) < 0)
650
15.4k
    {
651
15.4k
      WLog_ERR(TAG, "fastpath_recv_update_data() fail");
652
15.4k
      rc = STATE_RUN_FAILED;
653
15.4k
      goto fail;
654
15.4k
    }
655
28.3k
  }
656
657
444
  rc = STATE_RUN_SUCCESS;
658
15.9k
fail:
659
660
15.9k
  if (!update_end_paint(update))
661
533
    return STATE_RUN_FAILED;
662
663
15.3k
  return rc;
664
15.9k
}
665
666
static BOOL fastpath_read_input_event_header(wStream* s, BYTE* eventFlags, BYTE* eventCode)
667
95.2k
{
668
95.2k
  BYTE eventHeader = 0;
669
670
95.2k
  WINPR_ASSERT(s);
671
95.2k
  WINPR_ASSERT(eventFlags);
672
95.2k
  WINPR_ASSERT(eventCode);
673
674
95.2k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
675
783
    return FALSE;
676
677
94.4k
  Stream_Read_UINT8(s, eventHeader); /* eventHeader (1 byte) */
678
94.4k
  *eventFlags = (eventHeader & 0x1F);
679
94.4k
  *eventCode = (eventHeader >> 5);
680
94.4k
  return TRUE;
681
95.2k
}
682
683
static BOOL fastpath_recv_input_event_scancode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
684
53.4k
{
685
53.4k
  WINPR_ASSERT(fastpath);
686
53.4k
  WINPR_ASSERT(fastpath->rdp);
687
53.4k
  WINPR_ASSERT(fastpath->rdp->input);
688
53.4k
  WINPR_ASSERT(s);
689
690
53.4k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
691
177
    return FALSE;
692
693
53.3k
  rdpInput* input = fastpath->rdp->input;
694
695
53.3k
  const UINT8 code = Stream_Get_UINT8(s); /* keyCode (1 byte) */
696
697
53.3k
  UINT16 flags = 0;
698
53.3k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
699
7.88k
    flags |= KBD_FLAGS_RELEASE;
700
701
53.3k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_EXTENDED))
702
28.1k
    flags |= KBD_FLAGS_EXTENDED;
703
704
53.3k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_PREFIX_E1))
705
7.09k
    flags |= KBD_FLAGS_EXTENDED1;
706
707
53.3k
  return IFCALLRESULT(TRUE, input->KeyboardEvent, input, flags, code);
708
53.4k
}
709
710
static BOOL fastpath_recv_input_event_mouse(rdpFastPath* fastpath, wStream* s,
711
                                            WINPR_ATTR_UNUSED BYTE eventFlags)
712
6.24k
{
713
6.24k
  rdpInput* input = nullptr;
714
6.24k
  UINT16 pointerFlags = 0;
715
6.24k
  UINT16 xPos = 0;
716
6.24k
  UINT16 yPos = 0;
717
6.24k
  WINPR_ASSERT(fastpath);
718
6.24k
  WINPR_ASSERT(fastpath->rdp);
719
6.24k
  WINPR_ASSERT(fastpath->rdp->input);
720
6.24k
  WINPR_ASSERT(s);
721
722
6.24k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
723
152
    return FALSE;
724
725
6.09k
  input = fastpath->rdp->input;
726
727
6.09k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
728
6.09k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
729
6.09k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
730
6.09k
  return IFCALLRESULT(TRUE, input->MouseEvent, input, pointerFlags, xPos, yPos);
731
6.24k
}
732
733
static BOOL fastpath_recv_input_event_relmouse(rdpFastPath* fastpath, wStream* s,
734
                                               WINPR_ATTR_UNUSED BYTE eventFlags)
735
4.41k
{
736
4.41k
  rdpInput* input = nullptr;
737
4.41k
  UINT16 pointerFlags = 0;
738
4.41k
  INT16 xDelta = 0;
739
4.41k
  INT16 yDelta = 0;
740
4.41k
  WINPR_ASSERT(fastpath);
741
4.41k
  WINPR_ASSERT(fastpath->rdp);
742
4.41k
  WINPR_ASSERT(fastpath->rdp->context);
743
4.41k
  WINPR_ASSERT(fastpath->rdp->input);
744
4.41k
  WINPR_ASSERT(s);
745
746
4.41k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
747
74
    return FALSE;
748
749
4.33k
  input = fastpath->rdp->input;
750
751
4.33k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
752
4.33k
  Stream_Read_INT16(s, xDelta);        /* xDelta (2 bytes) */
753
4.33k
  Stream_Read_INT16(s, yDelta);        /* yDelta (2 bytes) */
754
755
4.33k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasRelativeMouseEvent))
756
0
  {
757
0
    WLog_ERR(TAG,
758
0
             "Received relative mouse event(flags=0x%04" PRIx16 ", xPos=%" PRId16
759
0
             ", yPos=%" PRId16 "), but we did not announce support for that",
760
0
             pointerFlags, xDelta, yDelta);
761
0
    return FALSE;
762
0
  }
763
764
4.33k
  return IFCALLRESULT(TRUE, input->RelMouseEvent, input, pointerFlags, xDelta, yDelta);
765
4.33k
}
766
767
static BOOL fastpath_recv_input_event_qoe(rdpFastPath* fastpath, wStream* s,
768
                                          WINPR_ATTR_UNUSED BYTE eventFlags)
769
2.55k
{
770
2.55k
  WINPR_ASSERT(fastpath);
771
2.55k
  WINPR_ASSERT(fastpath->rdp);
772
2.55k
  WINPR_ASSERT(fastpath->rdp->context);
773
2.55k
  WINPR_ASSERT(fastpath->rdp->input);
774
2.55k
  WINPR_ASSERT(s);
775
776
2.55k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
777
57
    return FALSE;
778
779
2.49k
  rdpInput* input = fastpath->rdp->input;
780
781
2.49k
  UINT32 timestampMS = 0;
782
2.49k
  Stream_Read_UINT32(s, timestampMS); /* timestamp (4 bytes) */
783
784
2.49k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasQoeEvent))
785
0
  {
786
0
    WLog_ERR(TAG,
787
0
             "Received qoe event(timestamp=%" PRIu32
788
0
             "ms), but we did not announce support for that",
789
0
             timestampMS);
790
0
    return FALSE;
791
0
  }
792
793
2.49k
  return IFCALLRESULT(TRUE, input->QoEEvent, input, timestampMS);
794
2.49k
}
795
796
static BOOL fastpath_recv_input_event_mousex(rdpFastPath* fastpath, wStream* s,
797
                                             WINPR_ATTR_UNUSED BYTE eventFlags)
798
3.20k
{
799
3.20k
  rdpInput* input = nullptr;
800
3.20k
  UINT16 pointerFlags = 0;
801
3.20k
  UINT16 xPos = 0;
802
3.20k
  UINT16 yPos = 0;
803
804
3.20k
  WINPR_ASSERT(fastpath);
805
3.20k
  WINPR_ASSERT(fastpath->rdp);
806
3.20k
  WINPR_ASSERT(fastpath->rdp->context);
807
3.20k
  WINPR_ASSERT(fastpath->rdp->input);
808
3.20k
  WINPR_ASSERT(s);
809
810
3.20k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
811
68
    return FALSE;
812
813
3.13k
  input = fastpath->rdp->input;
814
815
3.13k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
816
3.13k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
817
3.13k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
818
819
3.13k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasExtendedMouseEvent))
820
0
  {
821
0
    WLog_ERR(TAG,
822
0
             "Received extended mouse event(flags=0x%04" PRIx16 ", xPos=%" PRIu16
823
0
             ", yPos=%" PRIu16 "), but we did not announce support for that",
824
0
             pointerFlags, xPos, yPos);
825
0
    return FALSE;
826
0
  }
827
828
3.13k
  return IFCALLRESULT(TRUE, input->ExtendedMouseEvent, input, pointerFlags, xPos, yPos);
829
3.13k
}
830
831
static BOOL fastpath_recv_input_event_sync(rdpFastPath* fastpath, WINPR_ATTR_UNUSED wStream* s,
832
                                           BYTE eventFlags)
833
7.21k
{
834
7.21k
  rdpInput* input = nullptr;
835
836
7.21k
  WINPR_ASSERT(fastpath);
837
7.21k
  WINPR_ASSERT(fastpath->rdp);
838
7.21k
  WINPR_ASSERT(fastpath->rdp->input);
839
7.21k
  WINPR_ASSERT(s);
840
841
7.21k
  input = fastpath->rdp->input;
842
7.21k
  return IFCALLRESULT(TRUE, input->SynchronizeEvent, input, eventFlags);
843
7.21k
}
844
845
static BOOL fastpath_recv_input_event_unicode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
846
1.95k
{
847
1.95k
  UINT16 unicodeCode = 0;
848
1.95k
  UINT16 flags = 0;
849
850
1.95k
  WINPR_ASSERT(fastpath);
851
1.95k
  WINPR_ASSERT(s);
852
853
1.95k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
854
47
    return FALSE;
855
856
1.90k
  Stream_Read_UINT16(s, unicodeCode); /* unicodeCode (2 bytes) */
857
1.90k
  flags = 0;
858
859
1.90k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
860
1.38k
    flags |= KBD_FLAGS_RELEASE;
861
862
1.90k
  WINPR_ASSERT(fastpath->rdp);
863
1.90k
  WINPR_ASSERT(fastpath->rdp);
864
1.90k
  WINPR_ASSERT(fastpath->rdp->input);
865
1.90k
  return IFCALLRESULT(FALSE, fastpath->rdp->input->UnicodeKeyboardEvent, fastpath->rdp->input,
866
1.95k
                      flags, unicodeCode);
867
1.95k
}
868
869
static BOOL fastpath_recv_input_event(rdpFastPath* fastpath, wStream* s)
870
95.2k
{
871
95.2k
  BYTE eventFlags = 0;
872
95.2k
  BYTE eventCode = 0;
873
874
95.2k
  WINPR_ASSERT(fastpath);
875
95.2k
  WINPR_ASSERT(s);
876
877
95.2k
  if (!fastpath_read_input_event_header(s, &eventFlags, &eventCode))
878
783
    return FALSE;
879
880
94.4k
  switch (eventCode)
881
94.4k
  {
882
53.4k
    case FASTPATH_INPUT_EVENT_SCANCODE:
883
53.4k
      if (!fastpath_recv_input_event_scancode(fastpath, s, eventFlags))
884
177
        return FALSE;
885
886
53.3k
      break;
887
888
53.3k
    case FASTPATH_INPUT_EVENT_MOUSE:
889
6.24k
      if (!fastpath_recv_input_event_mouse(fastpath, s, eventFlags))
890
152
        return FALSE;
891
892
6.09k
      break;
893
894
6.09k
    case FASTPATH_INPUT_EVENT_MOUSEX:
895
3.20k
      if (!fastpath_recv_input_event_mousex(fastpath, s, eventFlags))
896
68
        return FALSE;
897
898
3.13k
      break;
899
900
7.21k
    case FASTPATH_INPUT_EVENT_SYNC:
901
7.21k
      if (!fastpath_recv_input_event_sync(fastpath, s, eventFlags))
902
0
        return FALSE;
903
904
7.21k
      break;
905
906
7.21k
    case FASTPATH_INPUT_EVENT_UNICODE:
907
1.95k
      if (!fastpath_recv_input_event_unicode(fastpath, s, eventFlags))
908
1.95k
        return FALSE;
909
910
0
      break;
911
912
4.41k
    case TS_FP_RELPOINTER_EVENT:
913
4.41k
      if (!fastpath_recv_input_event_relmouse(fastpath, s, eventFlags))
914
74
        return FALSE;
915
916
4.33k
      break;
917
918
4.33k
    case TS_FP_QOETIMESTAMP_EVENT:
919
2.55k
      if (!fastpath_recv_input_event_qoe(fastpath, s, eventFlags))
920
57
        return FALSE;
921
2.49k
      break;
922
923
15.4k
    default:
924
15.4k
      WLog_ERR(TAG, "Unknown eventCode %" PRIu8 "", eventCode);
925
15.4k
      break;
926
94.4k
  }
927
928
92.0k
  return TRUE;
929
94.4k
}
930
931
state_run_t fastpath_recv_inputs(rdpFastPath* fastpath, wStream* s)
932
15.9k
{
933
15.9k
  WINPR_ASSERT(fastpath);
934
15.9k
  WINPR_ASSERT(s);
935
936
15.9k
  if (fastpath->numberEvents == 0)
937
15.9k
  {
938
    /**
939
     * If numberEvents is not provided in fpInputHeader, it will be provided
940
     * as one additional byte here.
941
     */
942
15.9k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
943
3.54k
      return STATE_RUN_FAILED;
944
945
12.3k
    Stream_Read_UINT8(s, fastpath->numberEvents); /* eventHeader (1 byte) */
946
12.3k
  }
947
948
104k
  for (BYTE i = 0; i < fastpath->numberEvents; i++)
949
95.2k
  {
950
95.2k
    if (!fastpath_recv_input_event(fastpath, s))
951
3.26k
      return STATE_RUN_FAILED;
952
95.2k
  }
953
954
9.10k
  return STATE_RUN_SUCCESS;
955
12.3k
}
956
957
static UINT32 fastpath_get_sec_bytes(rdpRdp* rdp)
958
0
{
959
0
  UINT32 sec_bytes = 0;
960
0
  sec_bytes = 0;
961
962
0
  if (!rdp)
963
0
    return 0;
964
965
0
  if (rdp->do_crypt)
966
0
  {
967
0
    sec_bytes = 8;
968
969
0
    if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
970
0
      sec_bytes += 4;
971
0
  }
972
973
0
  return sec_bytes;
974
0
}
975
976
wStream* fastpath_input_pdu_init_header(rdpFastPath* fastpath, UINT16* sec_flags)
977
0
{
978
0
  if (!fastpath || !fastpath->rdp)
979
0
    return nullptr;
980
981
0
  rdpRdp* rdp = fastpath->rdp;
982
0
  wStream* s = transport_send_stream_init(rdp->transport, 256);
983
984
0
  if (!s)
985
0
    return nullptr;
986
987
0
  Stream_Seek(s, 3); /* fpInputHeader, length1 and length2 */
988
989
0
  if (rdp->do_crypt)
990
0
  {
991
0
    *sec_flags |= SEC_ENCRYPT;
992
993
0
    if (rdp->do_secure_checksum)
994
0
      *sec_flags |= SEC_SECURE_CHECKSUM;
995
0
  }
996
997
0
  Stream_Seek(s, fastpath_get_sec_bytes(rdp));
998
0
  return s;
999
0
}
1000
1001
wStream* fastpath_input_pdu_init(rdpFastPath* fastpath, BYTE eventFlags, BYTE eventCode,
1002
                                 UINT16* sec_flags)
1003
0
{
1004
0
  wStream* s = nullptr;
1005
0
  s = fastpath_input_pdu_init_header(fastpath, sec_flags);
1006
1007
0
  if (!s)
1008
0
    return nullptr;
1009
1010
0
  WINPR_ASSERT(eventCode < 8);
1011
0
  WINPR_ASSERT(eventFlags < 0x20);
1012
0
  Stream_Write_UINT8(s, (UINT8)(eventFlags | (eventCode << 5))); /* eventHeader (1 byte) */
1013
0
  return s;
1014
0
}
1015
1016
BOOL fastpath_send_multiple_input_pdu(rdpFastPath* fastpath, wStream* s, size_t iNumEvents,
1017
                                      UINT16 sec_flags)
1018
0
{
1019
0
  BOOL rc = FALSE;
1020
0
  BYTE eventHeader = 0;
1021
0
  BOOL should_unlock = FALSE;
1022
0
  rdpRdp* rdp = nullptr;
1023
1024
0
  WINPR_ASSERT(iNumEvents > 0);
1025
0
  if (!s)
1026
0
    return FALSE;
1027
1028
0
  if (!fastpath)
1029
0
    goto fail;
1030
1031
0
  rdp = fastpath->rdp;
1032
0
  WINPR_ASSERT(rdp);
1033
1034
0
  {
1035
0
    const CONNECTION_STATE state = rdp_get_state(rdp);
1036
0
    if (!rdp_is_active_state(rdp))
1037
0
    {
1038
0
      WLog_WARN(TAG, "called before activation [%s]", rdp_state_string(state));
1039
0
      goto fail;
1040
0
    }
1041
0
  }
1042
1043
  /*
1044
   *  A maximum of 15 events are allowed per request
1045
   *  if the optional numEvents field isn't used
1046
   *  see MS-RDPBCGR 2.2.8.1.2 for details
1047
   */
1048
0
  if (iNumEvents > 15)
1049
0
    goto fail;
1050
1051
0
  {
1052
0
    size_t length = Stream_GetPosition(s);
1053
1054
0
    if (length >= (2u << 14))
1055
0
    {
1056
0
      WLog_ERR(TAG, "Maximum FastPath PDU length is 32767");
1057
0
      goto fail;
1058
0
    }
1059
1060
0
    eventHeader = FASTPATH_INPUT_ACTION_FASTPATH;
1061
0
    eventHeader |= (iNumEvents << 2); /* numberEvents */
1062
1063
0
    if (sec_flags & SEC_ENCRYPT)
1064
0
      eventHeader |= (FASTPATH_INPUT_ENCRYPTED << 6);
1065
1066
0
    if (sec_flags & SEC_SECURE_CHECKSUM)
1067
0
      eventHeader |= (FASTPATH_INPUT_SECURE_CHECKSUM << 6);
1068
1069
0
    Stream_ResetPosition(s);
1070
0
    Stream_Write_UINT8(s, eventHeader);
1071
    /* Write length later, RDP encryption might add a padding */
1072
0
    Stream_Seek(s, 2);
1073
1074
0
    if (sec_flags & SEC_ENCRYPT)
1075
0
    {
1076
0
      security_lock(rdp);
1077
0
      should_unlock = TRUE;
1078
1079
0
      const size_t sec_bytes = fastpath_get_sec_bytes(fastpath->rdp);
1080
0
      if (sec_bytes + 3ULL > length)
1081
0
        goto fail;
1082
1083
0
      BYTE* fpInputEvents = Stream_PointerAs(s, BYTE) + sec_bytes;
1084
0
      const UINT16 fpInputEvents_length = (UINT16)(length - 3 - sec_bytes);
1085
1086
0
      WINPR_ASSERT(rdp->settings);
1087
0
      if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1088
0
      {
1089
0
        BYTE pad = 0;
1090
1091
0
        if ((pad = 8 - (fpInputEvents_length % 8)) == 8)
1092
0
          pad = 0;
1093
1094
0
        Stream_Write_UINT16(s, 0x10); /* length */
1095
0
        Stream_Write_UINT8(s, 0x1);   /* TSFIPS_VERSION 1*/
1096
0
        Stream_Write_UINT8(s, pad);   /* padding */
1097
1098
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1099
0
          goto fail;
1100
1101
0
        if (!security_hmac_signature(fpInputEvents, fpInputEvents_length, Stream_Pointer(s),
1102
0
                                     8, rdp))
1103
0
          goto fail;
1104
1105
0
        if (pad)
1106
0
          memset(fpInputEvents + fpInputEvents_length, 0, pad);
1107
1108
0
        if (!security_fips_encrypt(fpInputEvents, fpInputEvents_length + pad, rdp))
1109
0
          goto fail;
1110
1111
0
        length += pad;
1112
0
      }
1113
0
      else
1114
0
      {
1115
0
        BOOL res = 0;
1116
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1117
0
          goto fail;
1118
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1119
0
          res = security_salted_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1120
0
                                              TRUE, Stream_Pointer(s), 8);
1121
0
        else
1122
0
          res = security_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1123
0
                                       Stream_Pointer(s), 8);
1124
1125
0
        if (!res || !security_encrypt(fpInputEvents, fpInputEvents_length, rdp))
1126
0
          goto fail;
1127
0
      }
1128
0
    }
1129
1130
    /*
1131
     * We always encode length in two bytes, even though we could use
1132
     * only one byte if length <= 0x7F. It is just easier that way,
1133
     * because we can leave room for fixed-length header, store all
1134
     * the data first and then store the header.
1135
     */
1136
0
    WINPR_ASSERT(length < UINT16_MAX);
1137
0
    if (!Stream_SetPosition(s, 1))
1138
0
      goto fail;
1139
0
    Stream_Write_UINT16_BE(s, 0x8000 | (UINT16)length);
1140
0
    if (!Stream_SetPosition(s, length))
1141
0
      goto fail;
1142
0
    Stream_SealLength(s);
1143
0
  }
1144
1145
0
  if (transport_write(rdp->transport, s) < 0)
1146
0
    goto fail;
1147
1148
0
  rc = TRUE;
1149
0
fail:
1150
0
  if (should_unlock)
1151
0
    security_unlock(rdp);
1152
0
  Stream_Release(s);
1153
0
  return rc;
1154
0
}
1155
1156
BOOL fastpath_send_input_pdu(rdpFastPath* fastpath, wStream* s, UINT16 sec_flags)
1157
0
{
1158
0
  return fastpath_send_multiple_input_pdu(fastpath, s, 1, sec_flags);
1159
0
}
1160
1161
wStream* fastpath_update_pdu_init(rdpFastPath* fastpath)
1162
2.32k
{
1163
2.32k
  return transport_send_stream_init(fastpath->rdp->transport, FASTPATH_MAX_PACKET_SIZE);
1164
2.32k
}
1165
1166
wStream* fastpath_update_pdu_init_new(WINPR_ATTR_UNUSED rdpFastPath* fastpath)
1167
8.04k
{
1168
8.04k
  wStream* s = nullptr;
1169
8.04k
  s = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1170
8.04k
  return s;
1171
8.04k
}
1172
1173
BOOL fastpath_send_update_pdu(rdpFastPath* fastpath, BYTE updateCode, wStream* s,
1174
                              BOOL skipCompression)
1175
2.86k
{
1176
2.86k
  BOOL status = TRUE;
1177
2.86k
  wStream* fs = nullptr;
1178
2.86k
  rdpSettings* settings = nullptr;
1179
2.86k
  rdpRdp* rdp = nullptr;
1180
2.86k
  UINT32 fpHeaderSize = 6;
1181
2.86k
  UINT32 fpUpdatePduHeaderSize = 0;
1182
2.86k
  UINT32 fpUpdateHeaderSize = 0;
1183
2.86k
  FASTPATH_UPDATE_PDU_HEADER fpUpdatePduHeader = WINPR_C_ARRAY_INIT;
1184
2.86k
  FASTPATH_UPDATE_HEADER fpUpdateHeader = WINPR_C_ARRAY_INIT;
1185
2.86k
  UINT16 sec_flags = 0;
1186
1187
2.86k
  if (!fastpath || !fastpath->rdp || !fastpath->fs || !s)
1188
0
    return FALSE;
1189
1190
2.86k
  rdp = fastpath->rdp;
1191
2.86k
  fs = fastpath->fs;
1192
2.86k
  settings = rdp->settings;
1193
1194
2.86k
  if (!settings)
1195
0
    return FALSE;
1196
1197
2.86k
  UINT16 maxLength = FASTPATH_MAX_PACKET_SIZE - 20;
1198
1199
2.86k
  if (settings->CompressionEnabled && !skipCompression)
1200
2.86k
  {
1201
2.86k
    const UINT16 CompressionMaxSize = bulk_compression_max_size(rdp->bulk);
1202
2.86k
    maxLength = (maxLength < CompressionMaxSize) ? maxLength : CompressionMaxSize;
1203
2.86k
    maxLength -= 20;
1204
2.86k
  }
1205
1206
2.86k
  size_t totalLength = Stream_GetPosition(s);
1207
2.86k
  Stream_ResetPosition(s);
1208
1209
  /* check if fast path output is possible */
1210
2.86k
  if (!settings->FastPathOutput)
1211
0
  {
1212
0
    WLog_ERR(TAG, "client does not support fast path output");
1213
0
    return FALSE;
1214
0
  }
1215
1216
  /* check if the client's fast path pdu buffer is large enough */
1217
2.86k
  if (totalLength > freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize))
1218
2.73k
  {
1219
2.73k
    WLog_ERR(TAG,
1220
2.73k
             "fast path update size (%" PRIuz
1221
2.73k
             ") exceeds the client's maximum request size (%" PRIu32 ")",
1222
2.73k
             totalLength,
1223
2.73k
             freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize));
1224
2.73k
    return FALSE;
1225
2.73k
  }
1226
1227
126
  if (rdp->do_crypt)
1228
0
  {
1229
0
    sec_flags |= SEC_ENCRYPT;
1230
1231
0
    if (rdp->do_secure_checksum)
1232
0
      sec_flags |= SEC_SECURE_CHECKSUM;
1233
0
  }
1234
1235
126
  for (int fragment = 0; (totalLength > 0) || (fragment == 0); fragment++)
1236
126
  {
1237
126
    UINT32 DstSize = 0;
1238
126
    const BYTE* pDstData = nullptr;
1239
126
    UINT32 compressionFlags = 0;
1240
126
    BYTE pad = 0;
1241
126
    BYTE* pSignature = nullptr;
1242
126
    fpUpdatePduHeader.action = 0;
1243
126
    fpUpdatePduHeader.secFlags = 0;
1244
126
    fpUpdateHeader.compression = 0;
1245
126
    fpUpdateHeader.compressionFlags = 0;
1246
126
    fpUpdateHeader.updateCode = updateCode;
1247
126
    fpUpdateHeader.size = (UINT16)(totalLength > maxLength) ? maxLength : (UINT16)totalLength;
1248
126
    const BYTE* pSrcData = Stream_Pointer(s);
1249
126
    UINT32 SrcSize = DstSize = fpUpdateHeader.size;
1250
126
    BOOL should_unlock = FALSE;
1251
1252
126
    if (sec_flags & SEC_ENCRYPT)
1253
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_ENCRYPTED;
1254
1255
126
    if (sec_flags & SEC_SECURE_CHECKSUM)
1256
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_SECURE_CHECKSUM;
1257
1258
126
    if (settings->CompressionEnabled && !skipCompression)
1259
126
    {
1260
126
      if (bulk_compress(rdp->bulk, pSrcData, SrcSize, &pDstData, &DstSize,
1261
126
                        &compressionFlags) >= 0)
1262
126
      {
1263
126
        if (compressionFlags)
1264
0
        {
1265
0
          WINPR_ASSERT(compressionFlags <= UINT8_MAX);
1266
0
          fpUpdateHeader.compressionFlags = (UINT8)compressionFlags;
1267
0
          fpUpdateHeader.compression = FASTPATH_OUTPUT_COMPRESSION_USED;
1268
0
        }
1269
126
      }
1270
126
    }
1271
1272
126
    if (!fpUpdateHeader.compression)
1273
126
    {
1274
126
      pDstData = Stream_Pointer(s);
1275
126
      DstSize = fpUpdateHeader.size;
1276
126
    }
1277
1278
126
    if (DstSize > UINT16_MAX)
1279
0
      return FALSE;
1280
126
    fpUpdateHeader.size = (UINT16)DstSize;
1281
126
    totalLength -= SrcSize;
1282
1283
126
    if (totalLength == 0)
1284
126
      fpUpdateHeader.fragmentation =
1285
126
          (fragment == 0) ? FASTPATH_FRAGMENT_SINGLE : FASTPATH_FRAGMENT_LAST;
1286
0
    else
1287
0
      fpUpdateHeader.fragmentation =
1288
0
          (fragment == 0) ? FASTPATH_FRAGMENT_FIRST : FASTPATH_FRAGMENT_NEXT;
1289
1290
126
    fpUpdateHeaderSize = fastpath_get_update_header_size(&fpUpdateHeader);
1291
126
    fpUpdatePduHeaderSize = fastpath_get_update_pdu_header_size(&fpUpdatePduHeader, rdp);
1292
126
    fpHeaderSize = fpUpdateHeaderSize + fpUpdatePduHeaderSize;
1293
1294
126
    if (sec_flags & SEC_ENCRYPT)
1295
0
    {
1296
0
      pSignature = Stream_Buffer(fs) + 3;
1297
1298
0
      if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1299
0
      {
1300
0
        pSignature += 4;
1301
1302
0
        if ((pad = 8 - ((DstSize + fpUpdateHeaderSize) % 8)) == 8)
1303
0
          pad = 0;
1304
1305
0
        fpUpdatePduHeader.fipsInformation[0] = 0x10;
1306
0
        fpUpdatePduHeader.fipsInformation[1] = 0x00;
1307
0
        fpUpdatePduHeader.fipsInformation[2] = 0x01;
1308
0
        fpUpdatePduHeader.fipsInformation[3] = pad;
1309
0
      }
1310
0
    }
1311
1312
126
    const size_t len = fpUpdateHeader.size + fpHeaderSize + pad;
1313
126
    if (len > UINT16_MAX)
1314
0
      return FALSE;
1315
1316
126
    fpUpdatePduHeader.length = (UINT16)len;
1317
126
    Stream_ResetPosition(fs);
1318
126
    if (!fastpath_write_update_pdu_header(fs, &fpUpdatePduHeader, rdp))
1319
0
      return FALSE;
1320
126
    if (!fastpath_write_update_header(fs, &fpUpdateHeader))
1321
0
      return FALSE;
1322
1323
126
    if (!Stream_CheckAndLogRequiredCapacity(TAG, (fs), (size_t)DstSize + pad))
1324
0
      return FALSE;
1325
126
    Stream_Write(fs, pDstData, DstSize);
1326
1327
126
    if (pad)
1328
0
      Stream_Zero(fs, pad);
1329
1330
126
    BOOL res = FALSE;
1331
126
    if (sec_flags & SEC_ENCRYPT)
1332
0
    {
1333
0
      security_lock(rdp);
1334
1335
0
      should_unlock = TRUE;
1336
0
      UINT32 dataSize = fpUpdateHeaderSize + DstSize + pad;
1337
0
      BYTE* data = Stream_PointerAs(fs, BYTE) - dataSize;
1338
1339
0
      if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
1340
0
      {
1341
        // TODO: Ensure stream capacity
1342
0
        if (!security_hmac_signature(data, dataSize - pad, pSignature, 8, rdp))
1343
0
          goto unlock;
1344
1345
0
        if (!security_fips_encrypt(data, dataSize, rdp))
1346
0
          goto unlock;
1347
0
      }
1348
0
      else
1349
0
      {
1350
        // TODO: Ensure stream capacity
1351
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1352
0
          status =
1353
0
              security_salted_mac_signature(rdp, data, dataSize, TRUE, pSignature, 8);
1354
0
        else
1355
0
          status = security_mac_signature(rdp, data, dataSize, pSignature, 8);
1356
1357
0
        if (!status || !security_encrypt(data, dataSize, rdp))
1358
0
          goto unlock;
1359
0
      }
1360
0
    }
1361
126
    res = TRUE;
1362
1363
126
    Stream_SealLength(fs);
1364
1365
126
    if (transport_write(rdp->transport, fs) < 0)
1366
126
    {
1367
126
      status = FALSE;
1368
126
    }
1369
1370
126
  unlock:
1371
126
    if (should_unlock)
1372
0
      security_unlock(rdp);
1373
1374
126
    if (!res || !status)
1375
126
      return FALSE;
1376
1377
0
    Stream_Seek(s, SrcSize);
1378
0
  }
1379
1380
0
  return status;
1381
126
}
1382
1383
rdpFastPath* fastpath_new(rdpRdp* rdp)
1384
15.9k
{
1385
15.9k
  rdpFastPath* fastpath = nullptr;
1386
1387
15.9k
  WINPR_ASSERT(rdp);
1388
1389
15.9k
  fastpath = (rdpFastPath*)calloc(1, sizeof(rdpFastPath));
1390
1391
15.9k
  if (!fastpath)
1392
0
    return nullptr;
1393
1394
15.9k
  fastpath->rdp = rdp;
1395
15.9k
  fastpath->fragmentation = -1;
1396
15.9k
  fastpath->fs = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1397
15.9k
  fastpath->updateData = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1398
1399
15.9k
  if (!fastpath->fs || !fastpath->updateData)
1400
0
    goto out_free;
1401
1402
15.9k
  return fastpath;
1403
0
out_free:
1404
0
  fastpath_free(fastpath);
1405
0
  return nullptr;
1406
15.9k
}
1407
1408
void fastpath_free(rdpFastPath* fastpath)
1409
15.9k
{
1410
15.9k
  if (fastpath)
1411
15.9k
  {
1412
15.9k
    Stream_Free(fastpath->updateData, TRUE);
1413
15.9k
    Stream_Free(fastpath->fs, TRUE);
1414
15.9k
    free(fastpath);
1415
15.9k
  }
1416
15.9k
}
1417
1418
BYTE fastpath_get_encryption_flags(rdpFastPath* fastpath)
1419
18.0k
{
1420
18.0k
  WINPR_ASSERT(fastpath);
1421
18.0k
  return fastpath->encryptionFlags;
1422
18.0k
}
1423
1424
BOOL fastpath_decrypt(rdpFastPath* fastpath, wStream* s, UINT16* length)
1425
15.9k
{
1426
15.9k
  WINPR_ASSERT(fastpath);
1427
15.9k
  if (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_ENCRYPTED)
1428
2.10k
  {
1429
2.10k
    const UINT16 flags =
1430
2.10k
        (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_SECURE_CHECKSUM)
1431
2.10k
            ? SEC_SECURE_CHECKSUM
1432
2.10k
            : 0;
1433
1434
2.10k
    if (!rdp_decrypt(fastpath->rdp, s, length, flags))
1435
0
      return FALSE;
1436
2.10k
  }
1437
1438
15.9k
  return TRUE;
1439
15.9k
}