Coverage Report

Created: 2026-06-09 06:17

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/libfreerdp/core/fastpath.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * Fast Path
4
 *
5
 * Copyright 2011 Vic Lee
6
 * Copyright 2014 Norbert Federa <norbert.federa@thincast.com>
7
 * Copyright 2017 Armin Novak <armin.novak@thincast.com>
8
 * Copyright 2017 Thincast Technologies GmbH
9
 *
10
 * Licensed under the Apache License, Version 2.0 (the "License");
11
 * you may not use this file except in compliance with the License.
12
 * You may obtain a copy of the License at
13
 *
14
 *     http://www.apache.org/licenses/LICENSE-2.0
15
 *
16
 * Unless required by applicable law or agreed to in writing, software
17
 * distributed under the License is distributed on an "AS IS" BASIS,
18
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19
 * See the License for the specific language governing permissions and
20
 * limitations under the License.
21
 */
22
23
#include <freerdp/config.h>
24
25
#include "settings.h"
26
27
#include <stdio.h>
28
#include <stdlib.h>
29
#include <string.h>
30
31
#include <winpr/crt.h>
32
#include <winpr/assert.h>
33
#include <winpr/stream.h>
34
35
#include <freerdp/api.h>
36
#include <freerdp/log.h>
37
#include <freerdp/crypto/per.h>
38
39
#include "orders.h"
40
#include "update.h"
41
#include "surface.h"
42
#include "fastpath.h"
43
#include "rdp.h"
44
45
#include "../cache/pointer.h"
46
#include "../cache/palette.h"
47
#include "../cache/bitmap.h"
48
49
#define TAG FREERDP_TAG("core.fastpath")
50
51
enum FASTPATH_INPUT_ENCRYPTION_FLAGS
52
{
53
  FASTPATH_INPUT_SECURE_CHECKSUM = 0x1,
54
  FASTPATH_INPUT_ENCRYPTED = 0x2
55
};
56
57
enum FASTPATH_OUTPUT_ENCRYPTION_FLAGS
58
{
59
  FASTPATH_OUTPUT_SECURE_CHECKSUM = 0x1,
60
  FASTPATH_OUTPUT_ENCRYPTED = 0x2
61
};
62
63
struct rdp_fastpath
64
{
65
  rdpRdp* rdp;
66
  wStream* fs;
67
  BYTE encryptionFlags;
68
  BYTE numberEvents;
69
  wStream* updateData;
70
  int fragmentation;
71
};
72
73
/**
74
 * Fast-Path packet format is defined in [MS-RDPBCGR] 2.2.9.1.2, which revises
75
 * server output packets from the first byte with the goal of improving
76
 * bandwidth.
77
 *
78
 * Slow-Path packet always starts with TPKT header, which has the first
79
 * byte 0x03, while Fast-Path packet starts with 2 zero bits in the first
80
 * two less significant bits of the first byte.
81
 */
82
83
static const char* const FASTPATH_UPDATETYPE_STRINGS[] = {
84
  "Orders",                 /* 0x0 */
85
  "Bitmap",                 /* 0x1 */
86
  "Palette",                /* 0x2 */
87
  "Synchronize",            /* 0x3 */
88
  "Surface Commands",       /* 0x4 */
89
  "System Pointer Hidden",  /* 0x5 */
90
  "System Pointer Default", /* 0x6 */
91
  "???",                    /* 0x7 */
92
  "Pointer Position",       /* 0x8 */
93
  "Color Pointer",          /* 0x9 */
94
  "Cached Pointer",         /* 0xA */
95
  "New Pointer",            /* 0xB */
96
};
97
98
static const char* fastpath_update_to_string(UINT8 update)
99
8.55k
{
100
8.55k
  if (update >= ARRAYSIZE(FASTPATH_UPDATETYPE_STRINGS))
101
436
    return "UNKNOWN";
102
103
8.12k
  return FASTPATH_UPDATETYPE_STRINGS[update];
104
8.55k
}
105
106
static BOOL fastpath_read_update_header(wStream* s, BYTE* updateCode, BYTE* fragmentation,
107
                                        BYTE* compression)
108
44.1k
{
109
44.1k
  BYTE updateHeader = 0;
110
111
44.1k
  if (!s || !updateCode || !fragmentation || !compression)
112
0
    return FALSE;
113
114
44.1k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
115
0
    return FALSE;
116
117
44.1k
  Stream_Read_UINT8(s, updateHeader);
118
44.1k
  *updateCode = updateHeader & 0x0F;
119
44.1k
  *fragmentation = (updateHeader >> 4) & 0x03;
120
44.1k
  *compression = (updateHeader >> 6) & 0x03;
121
44.1k
  return TRUE;
122
44.1k
}
123
124
static BOOL fastpath_write_update_header(wStream* s, const FASTPATH_UPDATE_HEADER* fpUpdateHeader)
125
115
{
126
115
  BYTE updateHeader = 0;
127
115
  WINPR_ASSERT(fpUpdateHeader);
128
129
115
  updateHeader |= fpUpdateHeader->updateCode & 0x0F;
130
115
  updateHeader |= (fpUpdateHeader->fragmentation & 0x03) << 4;
131
115
  updateHeader |= (fpUpdateHeader->compression & 0x03) << 6;
132
133
115
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
134
0
    return FALSE;
135
115
  Stream_Write_UINT8(s, updateHeader);
136
137
115
  if (fpUpdateHeader->compression)
138
0
  {
139
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
140
0
      return FALSE;
141
142
0
    Stream_Write_UINT8(s, fpUpdateHeader->compressionFlags);
143
0
  }
144
145
115
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 2))
146
0
    return FALSE;
147
148
115
  Stream_Write_UINT16(s, fpUpdateHeader->size);
149
115
  return TRUE;
150
115
}
151
152
static UINT32 fastpath_get_update_header_size(FASTPATH_UPDATE_HEADER* fpUpdateHeader)
153
115
{
154
115
  WINPR_ASSERT(fpUpdateHeader);
155
115
  return (fpUpdateHeader->compression) ? 4 : 3;
156
115
}
157
158
static BOOL fastpath_write_update_pdu_header(wStream* s,
159
                                             const FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
160
                                             rdpRdp* rdp)
161
115
{
162
115
  BYTE fpOutputHeader = 0;
163
115
  WINPR_ASSERT(fpUpdatePduHeader);
164
115
  WINPR_ASSERT(rdp);
165
166
115
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 3))
167
0
    return FALSE;
168
169
115
  fpOutputHeader |= (fpUpdatePduHeader->action & 0x03);
170
115
  fpOutputHeader |= (fpUpdatePduHeader->secFlags & 0x03) << 6;
171
115
  Stream_Write_UINT8(s, fpOutputHeader);                          /* fpOutputHeader (1 byte) */
172
115
  Stream_Write_UINT8(s, 0x80 | (fpUpdatePduHeader->length >> 8)); /* length1 */
173
115
  Stream_Write_UINT8(s, fpUpdatePduHeader->length & 0xFF);        /* length2 */
174
175
115
  if (fpUpdatePduHeader->secFlags)
176
0
  {
177
0
    WINPR_ASSERT(rdp->settings);
178
0
    if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
179
0
        ENCRYPTION_METHOD_FIPS)
180
0
    {
181
0
      if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 4))
182
0
        return FALSE;
183
184
0
      Stream_Write(s, fpUpdatePduHeader->fipsInformation, 4);
185
0
    }
186
187
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
188
0
      return FALSE;
189
190
0
    Stream_Write(s, fpUpdatePduHeader->dataSignature, 8);
191
0
  }
192
193
115
  return TRUE;
194
115
}
195
196
static UINT32 fastpath_get_update_pdu_header_size(FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
197
                                                  rdpRdp* rdp)
198
115
{
199
115
  UINT32 size = 3; /* fpUpdatePduHeader + length1 + length2 */
200
201
115
  if (!fpUpdatePduHeader || !rdp)
202
0
    return 0;
203
204
115
  if (fpUpdatePduHeader->secFlags)
205
0
  {
206
0
    size += 8; /* dataSignature */
207
208
0
    WINPR_ASSERT(rdp->settings);
209
0
    if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
210
0
        ENCRYPTION_METHOD_FIPS)
211
0
      size += 4; /* fipsInformation */
212
0
  }
213
214
115
  return size;
215
115
}
216
217
BOOL fastpath_read_header_rdp(rdpFastPath* fastpath, wStream* s, UINT16* length)
218
17.5k
{
219
17.5k
  BYTE header = 0;
220
221
17.5k
  if (!s || !length)
222
0
    return FALSE;
223
224
17.5k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
225
5.61k
    return FALSE;
226
227
11.9k
  Stream_Read_UINT8(s, header);
228
229
11.9k
  if (fastpath)
230
11.9k
  {
231
11.9k
    fastpath->encryptionFlags = (header & 0xC0) >> 6;
232
11.9k
    fastpath->numberEvents = (header & 0x3C) >> 2;
233
11.9k
  }
234
235
11.9k
  if (!per_read_length(s, length))
236
173
    return FALSE;
237
238
11.7k
  const size_t pos = Stream_GetPosition(s);
239
11.7k
  if (pos > *length)
240
8.12k
    return FALSE;
241
242
3.62k
  *length = *length - (UINT16)pos;
243
3.62k
  return TRUE;
244
11.7k
}
245
246
static BOOL fastpath_recv_orders(rdpUpdate* update, wStream* s)
247
8.56k
{
248
8.56k
  UINT16 numberOrders = 0;
249
250
8.56k
  if (!s)
251
0
  {
252
0
    WLog_ERR(TAG, "Invalid arguments");
253
0
    return FALSE;
254
0
  }
255
256
8.56k
  if (!update)
257
0
  {
258
0
    WLog_ERR(TAG, "Invalid configuration");
259
0
    return FALSE;
260
0
  }
261
262
8.56k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
263
1.81k
    return FALSE;
264
265
6.75k
  Stream_Read_UINT16(s, numberOrders); /* numberOrders (2 bytes) */
266
267
207k
  while (numberOrders > 0)
268
203k
  {
269
203k
    if (!update_recv_order(update, s))
270
2.45k
      return FALSE;
271
272
200k
    numberOrders--;
273
200k
  }
274
275
4.30k
  return TRUE;
276
6.75k
}
277
278
static BOOL fastpath_recv_update_common(rdpUpdate* update, wStream* s)
279
1.25k
{
280
1.25k
  BOOL rc = FALSE;
281
1.25k
  UINT16 updateType = 0;
282
1.25k
  BOOL defaultReturn = 0;
283
284
1.25k
  if (!s)
285
0
    return FALSE;
286
287
1.25k
  if (!update || !update->context)
288
0
    return FALSE;
289
290
1.25k
  rdpContext* context = update->context;
291
292
1.25k
  defaultReturn = freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
293
294
1.25k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
295
625
    return FALSE;
296
297
632
  Stream_Read_UINT16(s, updateType); /* updateType (2 bytes) */
298
632
  switch (updateType)
299
632
  {
300
273
    case UPDATE_TYPE_BITMAP:
301
273
    {
302
273
      BITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);
303
304
273
      if (!bitmap_update)
305
154
        return FALSE;
306
307
119
      rc = IFCALLRESULT(defaultReturn, update->BitmapUpdate, context, bitmap_update);
308
119
      free_bitmap_update(context, bitmap_update);
309
119
    }
310
0
    break;
311
312
211
    case UPDATE_TYPE_PALETTE:
313
211
    {
314
211
      PALETTE_UPDATE* palette_update = update_read_palette(update, s);
315
316
211
      if (!palette_update)
317
157
        return FALSE;
318
319
54
      rc = IFCALLRESULT(defaultReturn, update->Palette, context, palette_update);
320
54
      free_palette_update(context, palette_update);
321
54
    }
322
0
    break;
323
324
148
    default:
325
148
      break;
326
632
  }
327
328
321
  return rc;
329
632
}
330
331
static BOOL fastpath_recv_update_synchronize(WINPR_ATTR_UNUSED rdpFastPath* fastpath, wStream* s)
332
4.39k
{
333
  /* server 2008 can send invalid synchronize packet with missing padding,
334
    so don't return FALSE even if the packet is invalid */
335
4.39k
  WINPR_ASSERT(fastpath);
336
4.39k
  WINPR_ASSERT(s);
337
338
4.39k
  const size_t len = Stream_GetRemainingLength(s);
339
4.39k
  const size_t skip = MIN(2, len);
340
4.39k
  return Stream_SafeSeek(s, skip); /* size (2 bytes), MUST be set to zero */
341
4.39k
}
342
343
static BOOL fastpath_recv_update_paint_block(rdpUpdate* update, wStream* s,
344
                                             BOOL (*fkt)(rdpUpdate*, wStream*))
345
27.1k
{
346
27.1k
  WINPR_ASSERT(fkt);
347
27.1k
  if (!update_begin_paint(update))
348
0
    return FALSE;
349
350
27.1k
  BOOL res = fkt(update, s);
351
27.1k
  if (!update_end_paint(update))
352
583
    return FALSE;
353
26.5k
  return res;
354
27.1k
}
355
356
static int fastpath_recv_update(rdpFastPath* fastpath, BYTE updateCode, wStream* s)
357
32.8k
{
358
32.8k
  BOOL rc = FALSE;
359
32.8k
  int status = 0;
360
361
32.8k
  if (!fastpath || !fastpath->rdp || !s)
362
0
    return -1;
363
364
32.8k
  Stream_SealLength(s);
365
32.8k
  Stream_ResetPosition(s);
366
367
32.8k
  rdpUpdate* update = fastpath->rdp->update;
368
369
32.8k
  if (!update || !update->pointer || !update->context)
370
0
    return -1;
371
372
32.8k
  rdpContext* context = update->context;
373
32.8k
  WINPR_ASSERT(context);
374
375
32.8k
  rdpPointerUpdate* pointer = update->pointer;
376
32.8k
  WINPR_ASSERT(pointer);
377
378
#ifdef WITH_DEBUG_RDP
379
  DEBUG_RDP(fastpath->rdp, "recv Fast-Path %s Update (0x%02" PRIX8 "), length:%" PRIuz "",
380
            fastpath_update_to_string(updateCode), updateCode, Stream_GetRemainingLength(s));
381
#endif
382
383
32.8k
  const BOOL defaultReturn =
384
32.8k
      freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
385
32.8k
  switch (updateCode)
386
32.8k
  {
387
8.56k
    case FASTPATH_UPDATETYPE_ORDERS:
388
8.56k
      rc = fastpath_recv_update_paint_block(update, s, fastpath_recv_orders);
389
8.56k
      break;
390
391
973
    case FASTPATH_UPDATETYPE_BITMAP:
392
1.25k
    case FASTPATH_UPDATETYPE_PALETTE:
393
1.25k
      rc = fastpath_recv_update_paint_block(update, s, fastpath_recv_update_common);
394
1.25k
      break;
395
396
4.39k
    case FASTPATH_UPDATETYPE_SYNCHRONIZE:
397
4.39k
      if (!fastpath_recv_update_synchronize(fastpath, s))
398
0
        WLog_ERR(TAG, "fastpath_recv_update_synchronize failure but we continue");
399
4.39k
      else
400
4.39k
        rc = IFCALLRESULT(TRUE, update->Synchronize, context);
401
402
4.39k
      break;
403
404
17.2k
    case FASTPATH_UPDATETYPE_SURFCMDS:
405
17.2k
      status = fastpath_recv_update_paint_block(update, s, update_recv_surfcmds);
406
17.2k
      rc = (status >= 0);
407
17.2k
      break;
408
409
49
    case FASTPATH_UPDATETYPE_PTR_NULL:
410
49
    {
411
49
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
412
49
      pointer_system.type = SYSPTR_NULL;
413
49
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
414
49
    }
415
49
    break;
416
417
128
    case FASTPATH_UPDATETYPE_PTR_DEFAULT:
418
128
    {
419
128
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
420
128
      pointer_system.type = SYSPTR_DEFAULT;
421
128
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
422
128
    }
423
128
    break;
424
425
159
    case FASTPATH_UPDATETYPE_PTR_POSITION:
426
159
    {
427
159
      POINTER_POSITION_UPDATE* pointer_position = update_read_pointer_position(update, s);
428
429
159
      if (pointer_position)
430
76
      {
431
76
        rc = IFCALLRESULT(defaultReturn, pointer->PointerPosition, context,
432
76
                          pointer_position);
433
76
        free_pointer_position_update(context, pointer_position);
434
76
      }
435
159
    }
436
159
    break;
437
438
268
    case FASTPATH_UPDATETYPE_COLOR:
439
268
    {
440
268
      POINTER_COLOR_UPDATE* pointer_color = update_read_pointer_color(update, s, 24);
441
442
268
      if (pointer_color)
443
119
      {
444
119
        rc = IFCALLRESULT(defaultReturn, pointer->PointerColor, context, pointer_color);
445
119
        free_pointer_color_update(context, pointer_color);
446
119
      }
447
268
    }
448
268
    break;
449
450
157
    case FASTPATH_UPDATETYPE_CACHED:
451
157
    {
452
157
      POINTER_CACHED_UPDATE* pointer_cached = update_read_pointer_cached(update, s);
453
454
157
      if (pointer_cached)
455
51
      {
456
51
        rc = IFCALLRESULT(defaultReturn, pointer->PointerCached, context, pointer_cached);
457
51
        free_pointer_cached_update(context, pointer_cached);
458
51
      }
459
157
    }
460
157
    break;
461
462
89
    case FASTPATH_UPDATETYPE_POINTER:
463
89
    {
464
89
      POINTER_NEW_UPDATE* pointer_new = update_read_pointer_new(update, s);
465
466
89
      if (pointer_new)
467
18
      {
468
18
        rc = IFCALLRESULT(defaultReturn, pointer->PointerNew, context, pointer_new);
469
18
        free_pointer_new_update(context, pointer_new);
470
18
      }
471
89
    }
472
89
    break;
473
474
420
    case FASTPATH_UPDATETYPE_LARGE_POINTER:
475
420
    {
476
420
      POINTER_LARGE_UPDATE* pointer_large = update_read_pointer_large(update, s);
477
478
420
      if (pointer_large)
479
126
      {
480
126
        rc = IFCALLRESULT(defaultReturn, pointer->PointerLarge, context, pointer_large);
481
126
        free_pointer_large_update(context, pointer_large);
482
126
      }
483
420
    }
484
420
    break;
485
40
    default:
486
40
      break;
487
32.8k
  }
488
489
32.8k
  Stream_ResetPosition(s);
490
32.8k
  if (!rc)
491
8.55k
  {
492
8.55k
    WLog_ERR(TAG, "Fastpath update %s [%" PRIx8 "] failed, status %d",
493
8.55k
             fastpath_update_to_string(updateCode), updateCode, status);
494
8.55k
    return -1;
495
8.55k
  }
496
497
24.2k
  return status;
498
32.8k
}
499
500
static int fastpath_recv_update_data(rdpFastPath* fastpath, wStream* s)
501
44.1k
{
502
44.1k
  int status = 0;
503
44.1k
  UINT16 size = 0;
504
44.1k
  BYTE updateCode = 0;
505
44.1k
  BYTE fragmentation = 0;
506
44.1k
  BYTE compression = 0;
507
44.1k
  BYTE compressionFlags = 0;
508
44.1k
  UINT32 DstSize = 0;
509
44.1k
  const BYTE* pDstData = nullptr;
510
511
44.1k
  if (!fastpath || !s)
512
0
    return -1;
513
514
44.1k
  rdpRdp* rdp = fastpath->rdp;
515
516
44.1k
  if (!rdp)
517
0
    return -1;
518
519
44.1k
  rdpTransport* transport = rdp->transport;
520
521
44.1k
  if (!transport)
522
0
    return -1;
523
524
44.1k
  if (!fastpath_read_update_header(s, &updateCode, &fragmentation, &compression))
525
0
    return -1;
526
527
44.1k
  if (compression == FASTPATH_OUTPUT_COMPRESSION_USED)
528
15.2k
  {
529
15.2k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
530
0
      return -1;
531
532
15.2k
    Stream_Read_UINT8(s, compressionFlags);
533
15.2k
  }
534
28.9k
  else
535
28.9k
    compressionFlags = 0;
536
537
44.1k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
538
24
    return -1;
539
540
44.1k
  Stream_Read_UINT16(s, size);
541
542
44.1k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, size))
543
5.99k
    return -1;
544
545
38.1k
  const int bulkStatus =
546
38.1k
      bulk_decompress(rdp->bulk, Stream_Pointer(s), size, &pDstData, &DstSize, compressionFlags);
547
38.1k
  Stream_Seek(s, size);
548
549
38.1k
  if (bulkStatus < 0)
550
1.40k
  {
551
1.40k
    WLog_ERR(TAG, "bulk_decompress() failed");
552
1.40k
    return -1;
553
1.40k
  }
554
555
36.7k
  if (!Stream_EnsureRemainingCapacity(fastpath->updateData, DstSize))
556
0
    return -1;
557
558
36.7k
  Stream_Write(fastpath->updateData, pDstData, DstSize);
559
560
36.7k
  if (fragmentation == FASTPATH_FRAGMENT_SINGLE)
561
31.6k
  {
562
31.6k
    if (fastpath->fragmentation != -1)
563
39
    {
564
39
      WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_SINGLE");
565
39
      goto out_fail;
566
39
    }
567
568
31.6k
    status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
569
570
31.6k
    if (status < 0)
571
8.54k
    {
572
8.54k
      WLog_ERR(TAG, "fastpath_recv_update() - %i", status);
573
8.54k
      goto out_fail;
574
8.54k
    }
575
31.6k
  }
576
5.02k
  else
577
5.02k
  {
578
5.02k
    rdpContext* context = nullptr;
579
5.02k
    const size_t totalSize = Stream_GetPosition(fastpath->updateData);
580
581
5.02k
    context = transport_get_context(transport);
582
5.02k
    WINPR_ASSERT(context);
583
5.02k
    WINPR_ASSERT(context->settings);
584
585
5.02k
    if (totalSize >
586
5.02k
        freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize))
587
89
    {
588
89
      WLog_ERR(
589
89
          TAG, "Total size (%" PRIuz ") exceeds MultifragMaxRequestSize (%" PRIu32 ")",
590
89
          totalSize,
591
89
          freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize));
592
89
      goto out_fail;
593
89
    }
594
595
4.93k
    if (fragmentation == FASTPATH_FRAGMENT_FIRST)
596
1.40k
    {
597
1.40k
      if (fastpath->fragmentation != -1)
598
28
      {
599
28
        WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_FIRST");
600
28
        goto out_fail;
601
28
      }
602
603
1.37k
      fastpath->fragmentation = FASTPATH_FRAGMENT_FIRST;
604
1.37k
    }
605
3.52k
    else if (fragmentation == FASTPATH_FRAGMENT_NEXT)
606
2.17k
    {
607
2.17k
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
608
1.78k
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
609
295
      {
610
295
        WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_NEXT");
611
295
        goto out_fail;
612
295
      }
613
614
1.88k
      fastpath->fragmentation = FASTPATH_FRAGMENT_NEXT;
615
1.88k
    }
616
1.35k
    else if (fragmentation == FASTPATH_FRAGMENT_LAST)
617
1.35k
    {
618
1.35k
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
619
474
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
620
178
      {
621
178
        WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_LAST");
622
178
        goto out_fail;
623
178
      }
624
625
1.17k
      fastpath->fragmentation = -1;
626
1.17k
      status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
627
628
1.17k
      if (status < 0)
629
8
      {
630
8
        WLog_ERR(TAG, "fastpath_recv_update() - %i", status);
631
8
        goto out_fail;
632
8
      }
633
1.17k
    }
634
4.93k
  }
635
636
27.5k
  return status;
637
9.18k
out_fail:
638
9.18k
  return -1;
639
36.7k
}
640
641
state_run_t fastpath_recv_updates(rdpFastPath* fastpath, wStream* s)
642
17.5k
{
643
17.5k
  state_run_t rc = STATE_RUN_FAILED;
644
645
17.5k
  WINPR_ASSERT(s);
646
17.5k
  WINPR_ASSERT(fastpath);
647
17.5k
  WINPR_ASSERT(fastpath->rdp);
648
649
45.0k
  while (Stream_GetRemainingLength(s) >= 3)
650
44.1k
  {
651
44.1k
    if (fastpath_recv_update_data(fastpath, s) < 0)
652
16.6k
    {
653
16.6k
      WLog_ERR(TAG, "fastpath_recv_update_data() fail");
654
16.6k
      rc = STATE_RUN_FAILED;
655
16.6k
      goto fail;
656
16.6k
    }
657
44.1k
  }
658
659
927
  rc = STATE_RUN_SUCCESS;
660
17.5k
fail:
661
662
17.5k
  return rc;
663
927
}
664
665
static BOOL fastpath_read_input_event_header(wStream* s, BYTE* eventFlags, BYTE* eventCode)
666
97.0k
{
667
97.0k
  BYTE eventHeader = 0;
668
669
97.0k
  WINPR_ASSERT(s);
670
97.0k
  WINPR_ASSERT(eventFlags);
671
97.0k
  WINPR_ASSERT(eventCode);
672
673
97.0k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
674
772
    return FALSE;
675
676
96.2k
  Stream_Read_UINT8(s, eventHeader); /* eventHeader (1 byte) */
677
96.2k
  *eventFlags = (eventHeader & 0x1F);
678
96.2k
  *eventCode = (eventHeader >> 5);
679
96.2k
  return TRUE;
680
97.0k
}
681
682
static BOOL fastpath_recv_input_event_scancode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
683
58.5k
{
684
58.5k
  WINPR_ASSERT(fastpath);
685
58.5k
  WINPR_ASSERT(fastpath->rdp);
686
58.5k
  WINPR_ASSERT(fastpath->rdp->input);
687
58.5k
  WINPR_ASSERT(s);
688
689
58.5k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
690
161
    return FALSE;
691
692
58.4k
  rdpInput* input = fastpath->rdp->input;
693
694
58.4k
  const UINT8 code = Stream_Get_UINT8(s); /* keyCode (1 byte) */
695
696
58.4k
  UINT16 flags = 0;
697
58.4k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
698
8.12k
    flags |= KBD_FLAGS_RELEASE;
699
700
58.4k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_EXTENDED))
701
31.7k
    flags |= KBD_FLAGS_EXTENDED;
702
703
58.4k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_PREFIX_E1))
704
7.45k
    flags |= KBD_FLAGS_EXTENDED1;
705
706
58.4k
  return IFCALLRESULT(TRUE, input->KeyboardEvent, input, flags, code);
707
58.5k
}
708
709
static BOOL fastpath_recv_input_event_mouse(rdpFastPath* fastpath, wStream* s,
710
                                            WINPR_ATTR_UNUSED BYTE eventFlags)
711
5.85k
{
712
5.85k
  rdpInput* input = nullptr;
713
5.85k
  UINT16 pointerFlags = 0;
714
5.85k
  UINT16 xPos = 0;
715
5.85k
  UINT16 yPos = 0;
716
5.85k
  WINPR_ASSERT(fastpath);
717
5.85k
  WINPR_ASSERT(fastpath->rdp);
718
5.85k
  WINPR_ASSERT(fastpath->rdp->input);
719
5.85k
  WINPR_ASSERT(s);
720
721
5.85k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
722
155
    return FALSE;
723
724
5.69k
  input = fastpath->rdp->input;
725
726
5.69k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
727
5.69k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
728
5.69k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
729
5.69k
  return IFCALLRESULT(TRUE, input->MouseEvent, input, pointerFlags, xPos, yPos);
730
5.85k
}
731
732
static BOOL fastpath_recv_input_event_relmouse(rdpFastPath* fastpath, wStream* s,
733
                                               WINPR_ATTR_UNUSED BYTE eventFlags)
734
3.93k
{
735
3.93k
  rdpInput* input = nullptr;
736
3.93k
  UINT16 pointerFlags = 0;
737
3.93k
  INT16 xDelta = 0;
738
3.93k
  INT16 yDelta = 0;
739
3.93k
  WINPR_ASSERT(fastpath);
740
3.93k
  WINPR_ASSERT(fastpath->rdp);
741
3.93k
  WINPR_ASSERT(fastpath->rdp->context);
742
3.93k
  WINPR_ASSERT(fastpath->rdp->input);
743
3.93k
  WINPR_ASSERT(s);
744
745
3.93k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
746
67
    return FALSE;
747
748
3.87k
  input = fastpath->rdp->input;
749
750
3.87k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
751
3.87k
  Stream_Read_INT16(s, xDelta);        /* xDelta (2 bytes) */
752
3.87k
  Stream_Read_INT16(s, yDelta);        /* yDelta (2 bytes) */
753
754
3.87k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasRelativeMouseEvent))
755
0
  {
756
0
    WLog_ERR(TAG,
757
0
             "Received relative mouse event(flags=0x%04" PRIx16 ", xPos=%" PRId16
758
0
             ", yPos=%" PRId16 "), but we did not announce support for that",
759
0
             pointerFlags, xDelta, yDelta);
760
0
    return FALSE;
761
0
  }
762
763
3.87k
  return IFCALLRESULT(TRUE, input->RelMouseEvent, input, pointerFlags, xDelta, yDelta);
764
3.87k
}
765
766
static BOOL fastpath_recv_input_event_qoe(rdpFastPath* fastpath, wStream* s,
767
                                          WINPR_ATTR_UNUSED BYTE eventFlags)
768
2.88k
{
769
2.88k
  WINPR_ASSERT(fastpath);
770
2.88k
  WINPR_ASSERT(fastpath->rdp);
771
2.88k
  WINPR_ASSERT(fastpath->rdp->context);
772
2.88k
  WINPR_ASSERT(fastpath->rdp->input);
773
2.88k
  WINPR_ASSERT(s);
774
775
2.88k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
776
51
    return FALSE;
777
778
2.83k
  rdpInput* input = fastpath->rdp->input;
779
780
2.83k
  UINT32 timestampMS = 0;
781
2.83k
  Stream_Read_UINT32(s, timestampMS); /* timestamp (4 bytes) */
782
783
2.83k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasQoeEvent))
784
0
  {
785
0
    WLog_ERR(TAG,
786
0
             "Received qoe event(timestamp=%" PRIu32
787
0
             "ms), but we did not announce support for that",
788
0
             timestampMS);
789
0
    return FALSE;
790
0
  }
791
792
2.83k
  return IFCALLRESULT(TRUE, input->QoEEvent, input, timestampMS);
793
2.83k
}
794
795
static BOOL fastpath_recv_input_event_mousex(rdpFastPath* fastpath, wStream* s,
796
                                             WINPR_ATTR_UNUSED BYTE eventFlags)
797
3.53k
{
798
3.53k
  rdpInput* input = nullptr;
799
3.53k
  UINT16 pointerFlags = 0;
800
3.53k
  UINT16 xPos = 0;
801
3.53k
  UINT16 yPos = 0;
802
803
3.53k
  WINPR_ASSERT(fastpath);
804
3.53k
  WINPR_ASSERT(fastpath->rdp);
805
3.53k
  WINPR_ASSERT(fastpath->rdp->context);
806
3.53k
  WINPR_ASSERT(fastpath->rdp->input);
807
3.53k
  WINPR_ASSERT(s);
808
809
3.53k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
810
70
    return FALSE;
811
812
3.46k
  input = fastpath->rdp->input;
813
814
3.46k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
815
3.46k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
816
3.46k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
817
818
3.46k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasExtendedMouseEvent))
819
0
  {
820
0
    WLog_ERR(TAG,
821
0
             "Received extended mouse event(flags=0x%04" PRIx16 ", xPos=%" PRIu16
822
0
             ", yPos=%" PRIu16 "), but we did not announce support for that",
823
0
             pointerFlags, xPos, yPos);
824
0
    return FALSE;
825
0
  }
826
827
3.46k
  return IFCALLRESULT(TRUE, input->ExtendedMouseEvent, input, pointerFlags, xPos, yPos);
828
3.46k
}
829
830
static BOOL fastpath_recv_input_event_sync(rdpFastPath* fastpath, WINPR_ATTR_UNUSED wStream* s,
831
                                           BYTE eventFlags)
832
6.90k
{
833
6.90k
  rdpInput* input = nullptr;
834
835
6.90k
  WINPR_ASSERT(fastpath);
836
6.90k
  WINPR_ASSERT(fastpath->rdp);
837
6.90k
  WINPR_ASSERT(fastpath->rdp->input);
838
6.90k
  WINPR_ASSERT(s);
839
840
6.90k
  input = fastpath->rdp->input;
841
6.90k
  return IFCALLRESULT(TRUE, input->SynchronizeEvent, input, eventFlags);
842
6.90k
}
843
844
static BOOL fastpath_recv_input_event_unicode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
845
1.88k
{
846
1.88k
  UINT16 unicodeCode = 0;
847
1.88k
  UINT16 flags = 0;
848
849
1.88k
  WINPR_ASSERT(fastpath);
850
1.88k
  WINPR_ASSERT(s);
851
852
1.88k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
853
47
    return FALSE;
854
855
1.83k
  Stream_Read_UINT16(s, unicodeCode); /* unicodeCode (2 bytes) */
856
1.83k
  flags = 0;
857
858
1.83k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
859
1.19k
    flags |= KBD_FLAGS_RELEASE;
860
861
1.83k
  WINPR_ASSERT(fastpath->rdp);
862
1.83k
  WINPR_ASSERT(fastpath->rdp);
863
1.83k
  WINPR_ASSERT(fastpath->rdp->input);
864
1.83k
  return IFCALLRESULT(FALSE, fastpath->rdp->input->UnicodeKeyboardEvent, fastpath->rdp->input,
865
1.88k
                      flags, unicodeCode);
866
1.88k
}
867
868
static BOOL fastpath_recv_input_event(rdpFastPath* fastpath, wStream* s)
869
97.0k
{
870
97.0k
  BYTE eventFlags = 0;
871
97.0k
  BYTE eventCode = 0;
872
873
97.0k
  WINPR_ASSERT(fastpath);
874
97.0k
  WINPR_ASSERT(s);
875
876
97.0k
  if (!fastpath_read_input_event_header(s, &eventFlags, &eventCode))
877
772
    return FALSE;
878
879
96.2k
  switch (eventCode)
880
96.2k
  {
881
58.5k
    case FASTPATH_INPUT_EVENT_SCANCODE:
882
58.5k
      if (!fastpath_recv_input_event_scancode(fastpath, s, eventFlags))
883
161
        return FALSE;
884
885
58.4k
      break;
886
887
58.4k
    case FASTPATH_INPUT_EVENT_MOUSE:
888
5.85k
      if (!fastpath_recv_input_event_mouse(fastpath, s, eventFlags))
889
155
        return FALSE;
890
891
5.69k
      break;
892
893
5.69k
    case FASTPATH_INPUT_EVENT_MOUSEX:
894
3.53k
      if (!fastpath_recv_input_event_mousex(fastpath, s, eventFlags))
895
70
        return FALSE;
896
897
3.46k
      break;
898
899
6.90k
    case FASTPATH_INPUT_EVENT_SYNC:
900
6.90k
      if (!fastpath_recv_input_event_sync(fastpath, s, eventFlags))
901
0
        return FALSE;
902
903
6.90k
      break;
904
905
6.90k
    case FASTPATH_INPUT_EVENT_UNICODE:
906
1.88k
      if (!fastpath_recv_input_event_unicode(fastpath, s, eventFlags))
907
1.88k
        return FALSE;
908
909
0
      break;
910
911
3.93k
    case TS_FP_RELPOINTER_EVENT:
912
3.93k
      if (!fastpath_recv_input_event_relmouse(fastpath, s, eventFlags))
913
67
        return FALSE;
914
915
3.87k
      break;
916
917
3.87k
    case TS_FP_QOETIMESTAMP_EVENT:
918
2.88k
      if (!fastpath_recv_input_event_qoe(fastpath, s, eventFlags))
919
51
        return FALSE;
920
2.83k
      break;
921
922
12.6k
    default:
923
12.6k
      WLog_ERR(TAG, "Unknown eventCode %" PRIu8 "", eventCode);
924
12.6k
      break;
925
96.2k
  }
926
927
93.8k
  return TRUE;
928
96.2k
}
929
930
state_run_t fastpath_recv_inputs(rdpFastPath* fastpath, wStream* s)
931
17.5k
{
932
17.5k
  WINPR_ASSERT(fastpath);
933
17.5k
  WINPR_ASSERT(s);
934
935
17.5k
  if (fastpath->numberEvents == 0)
936
17.5k
  {
937
    /**
938
     * If numberEvents is not provided in fpInputHeader, it will be provided
939
     * as one additional byte here.
940
     */
941
17.5k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
942
4.41k
      return STATE_RUN_FAILED;
943
944
13.1k
    Stream_Read_UINT8(s, fastpath->numberEvents); /* eventHeader (1 byte) */
945
13.1k
  }
946
947
106k
  for (BYTE i = 0; i < fastpath->numberEvents; i++)
948
97.0k
  {
949
97.0k
    if (!fastpath_recv_input_event(fastpath, s))
950
3.15k
      return STATE_RUN_FAILED;
951
97.0k
  }
952
953
9.95k
  return STATE_RUN_SUCCESS;
954
13.1k
}
955
956
static UINT32 fastpath_get_sec_bytes(rdpRdp* rdp)
957
0
{
958
0
  UINT32 sec_bytes = 0;
959
960
0
  if (!rdp)
961
0
    return 0;
962
963
0
  if (rdp->do_crypt)
964
0
  {
965
0
    sec_bytes = 8;
966
967
0
    if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
968
0
        ENCRYPTION_METHOD_FIPS)
969
0
      sec_bytes += 4;
970
0
  }
971
972
0
  return sec_bytes;
973
0
}
974
975
wStream* fastpath_input_pdu_init_header(rdpFastPath* fastpath, UINT16* sec_flags)
976
0
{
977
0
  if (!fastpath || !fastpath->rdp)
978
0
    return nullptr;
979
980
0
  rdpRdp* rdp = fastpath->rdp;
981
0
  wStream* s = transport_send_stream_init(rdp->transport, 256);
982
983
0
  if (!s)
984
0
    return nullptr;
985
986
0
  Stream_Seek(s, 3); /* fpInputHeader, length1 and length2 */
987
988
0
  if (rdp->do_crypt)
989
0
  {
990
0
    *sec_flags |= SEC_ENCRYPT;
991
992
0
    if (rdp->do_secure_checksum)
993
0
      *sec_flags |= SEC_SECURE_CHECKSUM;
994
0
  }
995
996
0
  Stream_Seek(s, fastpath_get_sec_bytes(rdp));
997
0
  return s;
998
0
}
999
1000
wStream* fastpath_input_pdu_init(rdpFastPath* fastpath, BYTE eventFlags, BYTE eventCode,
1001
                                 UINT16* sec_flags)
1002
0
{
1003
0
  wStream* s = nullptr;
1004
0
  s = fastpath_input_pdu_init_header(fastpath, sec_flags);
1005
1006
0
  if (!s)
1007
0
    return nullptr;
1008
1009
0
  WINPR_ASSERT(eventCode < 8);
1010
0
  WINPR_ASSERT(eventFlags < 0x20);
1011
0
  Stream_Write_UINT8(s, (UINT8)(eventFlags | (eventCode << 5))); /* eventHeader (1 byte) */
1012
0
  return s;
1013
0
}
1014
1015
BOOL fastpath_send_multiple_input_pdu(rdpFastPath* fastpath, wStream* s, size_t iNumEvents,
1016
                                      UINT16 sec_flags)
1017
0
{
1018
0
  BOOL rc = FALSE;
1019
0
  BYTE eventHeader = 0;
1020
0
  BOOL should_unlock = FALSE;
1021
0
  rdpRdp* rdp = nullptr;
1022
1023
0
  WINPR_ASSERT(iNumEvents > 0);
1024
0
  if (!s)
1025
0
    return FALSE;
1026
1027
0
  if (!fastpath)
1028
0
    goto fail;
1029
1030
0
  rdp = fastpath->rdp;
1031
0
  WINPR_ASSERT(rdp);
1032
1033
0
  {
1034
0
    const CONNECTION_STATE state = rdp_get_state(rdp);
1035
0
    if (!rdp_is_active_state(rdp))
1036
0
    {
1037
0
      WLog_WARN(TAG, "called before activation [%s]", rdp_state_string(state));
1038
0
      goto fail;
1039
0
    }
1040
0
  }
1041
1042
  /*
1043
   *  A maximum of 15 events are allowed per request
1044
   *  if the optional numEvents field isn't used
1045
   *  see MS-RDPBCGR 2.2.8.1.2 for details
1046
   */
1047
0
  if (iNumEvents > 15)
1048
0
    goto fail;
1049
1050
0
  {
1051
0
    size_t length = Stream_GetPosition(s);
1052
1053
0
    if (length >= (2u << 14))
1054
0
    {
1055
0
      WLog_ERR(TAG, "Maximum FastPath PDU length is 32767");
1056
0
      goto fail;
1057
0
    }
1058
1059
0
    eventHeader = FASTPATH_INPUT_ACTION_FASTPATH;
1060
0
    eventHeader |= (iNumEvents << 2); /* numberEvents */
1061
1062
0
    if (sec_flags & SEC_ENCRYPT)
1063
0
      eventHeader |= (FASTPATH_INPUT_ENCRYPTED << 6);
1064
1065
0
    if (sec_flags & SEC_SECURE_CHECKSUM)
1066
0
      eventHeader |= (FASTPATH_INPUT_SECURE_CHECKSUM << 6);
1067
1068
0
    Stream_ResetPosition(s);
1069
0
    Stream_Write_UINT8(s, eventHeader);
1070
    /* Write length later, RDP encryption might add a padding */
1071
0
    Stream_Seek(s, 2);
1072
1073
0
    if (sec_flags & SEC_ENCRYPT)
1074
0
    {
1075
0
      security_lock(rdp);
1076
0
      should_unlock = TRUE;
1077
1078
0
      const size_t sec_bytes = fastpath_get_sec_bytes(fastpath->rdp);
1079
0
      if (sec_bytes + 3ULL > length)
1080
0
        goto fail;
1081
1082
0
      BYTE* fpInputEvents = Stream_PointerAs(s, BYTE) + sec_bytes;
1083
0
      const UINT16 fpInputEvents_length = (UINT16)(length - 3 - sec_bytes);
1084
1085
0
      WINPR_ASSERT(rdp->settings);
1086
0
      if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
1087
0
          ENCRYPTION_METHOD_FIPS)
1088
0
      {
1089
0
        BYTE pad = 0;
1090
1091
0
        if ((pad = 8 - (fpInputEvents_length % 8)) == 8)
1092
0
          pad = 0;
1093
1094
0
        Stream_Write_UINT16(s, 0x10); /* length */
1095
0
        Stream_Write_UINT8(s, 0x1);   /* TSFIPS_VERSION 1*/
1096
0
        Stream_Write_UINT8(s, pad);   /* padding */
1097
1098
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1099
0
          goto fail;
1100
1101
0
        if (!security_hmac_signature(fpInputEvents, fpInputEvents_length, Stream_Pointer(s),
1102
0
                                     8, rdp))
1103
0
          goto fail;
1104
1105
0
        if (pad)
1106
0
          memset(fpInputEvents + fpInputEvents_length, 0, pad);
1107
1108
0
        if (!security_fips_encrypt(fpInputEvents, fpInputEvents_length + pad, rdp))
1109
0
          goto fail;
1110
1111
0
        length += pad;
1112
0
      }
1113
0
      else
1114
0
      {
1115
0
        BOOL res = 0;
1116
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1117
0
          goto fail;
1118
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1119
0
          res = security_salted_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1120
0
                                              TRUE, Stream_Pointer(s), 8);
1121
0
        else
1122
0
          res = security_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1123
0
                                       Stream_Pointer(s), 8);
1124
1125
0
        if (!res || !security_encrypt(fpInputEvents, fpInputEvents_length, rdp))
1126
0
          goto fail;
1127
0
      }
1128
0
    }
1129
1130
    /*
1131
     * We always encode length in two bytes, even though we could use
1132
     * only one byte if length <= 0x7F. It is just easier that way,
1133
     * because we can leave room for fixed-length header, store all
1134
     * the data first and then store the header.
1135
     */
1136
0
    WINPR_ASSERT(length < UINT16_MAX);
1137
0
    if (!Stream_SetPosition(s, 1))
1138
0
      goto fail;
1139
0
    Stream_Write_UINT16_BE(s, 0x8000 | (UINT16)length);
1140
0
    if (!Stream_SetPosition(s, length))
1141
0
      goto fail;
1142
0
    Stream_SealLength(s);
1143
0
  }
1144
1145
0
  if (transport_write(rdp->transport, s) < 0)
1146
0
    goto fail;
1147
1148
0
  rc = TRUE;
1149
0
fail:
1150
0
  if (should_unlock)
1151
0
    security_unlock(rdp);
1152
0
  Stream_Release(s);
1153
0
  return rc;
1154
0
}
1155
1156
BOOL fastpath_send_input_pdu(rdpFastPath* fastpath, wStream* s, UINT16 sec_flags)
1157
0
{
1158
0
  return fastpath_send_multiple_input_pdu(fastpath, s, 1, sec_flags);
1159
0
}
1160
1161
wStream* fastpath_update_pdu_init(rdpFastPath* fastpath)
1162
3.79k
{
1163
3.79k
  return transport_send_stream_init(fastpath->rdp->transport, FASTPATH_MAX_PACKET_SIZE);
1164
3.79k
}
1165
1166
wStream* fastpath_update_pdu_init_new(WINPR_ATTR_UNUSED rdpFastPath* fastpath)
1167
17.9k
{
1168
17.9k
  wStream* s = nullptr;
1169
17.9k
  s = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1170
17.9k
  return s;
1171
17.9k
}
1172
1173
BOOL fastpath_send_update_pdu(rdpFastPath* fastpath, BYTE updateCode, wStream* s,
1174
                              BOOL skipCompression)
1175
4.38k
{
1176
4.38k
  BOOL status = TRUE;
1177
4.38k
  wStream* fs = nullptr;
1178
4.38k
  rdpSettings* settings = nullptr;
1179
4.38k
  rdpRdp* rdp = nullptr;
1180
4.38k
  UINT32 fpHeaderSize = 6;
1181
4.38k
  UINT32 fpUpdatePduHeaderSize = 0;
1182
4.38k
  UINT32 fpUpdateHeaderSize = 0;
1183
4.38k
  FASTPATH_UPDATE_PDU_HEADER fpUpdatePduHeader = WINPR_C_ARRAY_INIT;
1184
4.38k
  FASTPATH_UPDATE_HEADER fpUpdateHeader = WINPR_C_ARRAY_INIT;
1185
4.38k
  UINT16 sec_flags = 0;
1186
1187
4.38k
  if (!fastpath || !fastpath->rdp || !fastpath->fs || !s)
1188
0
    return FALSE;
1189
1190
4.38k
  rdp = fastpath->rdp;
1191
4.38k
  fs = fastpath->fs;
1192
4.38k
  settings = rdp->settings;
1193
1194
4.38k
  if (!settings)
1195
0
    return FALSE;
1196
1197
4.38k
  UINT16 maxLength = FASTPATH_MAX_PACKET_SIZE - 20;
1198
1199
4.38k
  if (freerdp_settings_get_bool(rdp->settings, FreeRDP_CompressionEnabled) && !skipCompression)
1200
4.38k
  {
1201
4.38k
    const UINT16 CompressionMaxSize = bulk_compression_max_size(rdp->bulk);
1202
4.38k
    maxLength = (maxLength < CompressionMaxSize) ? maxLength : CompressionMaxSize;
1203
4.38k
    maxLength -= 20;
1204
4.38k
  }
1205
1206
4.38k
  size_t totalLength = Stream_GetPosition(s);
1207
4.38k
  Stream_ResetPosition(s);
1208
1209
  /* check if fast path output is possible */
1210
4.38k
  if (!freerdp_settings_get_bool(rdp->settings, FreeRDP_FastPathOutput))
1211
0
  {
1212
0
    WLog_ERR(TAG, "client does not support fast path output");
1213
0
    return FALSE;
1214
0
  }
1215
1216
  /* check if the client's fast path pdu buffer is large enough */
1217
4.38k
  if (totalLength > freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize))
1218
4.26k
  {
1219
4.26k
    WLog_ERR(TAG,
1220
4.26k
             "fast path update size (%" PRIuz
1221
4.26k
             ") exceeds the client's maximum request size (%" PRIu32 ")",
1222
4.26k
             totalLength,
1223
4.26k
             freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize));
1224
4.26k
    return FALSE;
1225
4.26k
  }
1226
1227
115
  if (rdp->do_crypt)
1228
0
  {
1229
0
    sec_flags |= SEC_ENCRYPT;
1230
1231
0
    if (rdp->do_secure_checksum)
1232
0
      sec_flags |= SEC_SECURE_CHECKSUM;
1233
0
  }
1234
1235
115
  for (int fragment = 0; (totalLength > 0) || (fragment == 0); fragment++)
1236
115
  {
1237
115
    UINT32 DstSize = 0;
1238
115
    const BYTE* pDstData = nullptr;
1239
115
    UINT32 compressionFlags = 0;
1240
115
    BYTE pad = 0;
1241
115
    BYTE* pSignature = nullptr;
1242
115
    fpUpdatePduHeader.action = 0;
1243
115
    fpUpdatePduHeader.secFlags = 0;
1244
115
    fpUpdateHeader.compression = 0;
1245
115
    fpUpdateHeader.compressionFlags = 0;
1246
115
    fpUpdateHeader.updateCode = updateCode;
1247
115
    fpUpdateHeader.size = (UINT16)(totalLength > maxLength) ? maxLength : (UINT16)totalLength;
1248
115
    const BYTE* pSrcData = Stream_Pointer(s);
1249
115
    UINT32 SrcSize = DstSize = fpUpdateHeader.size;
1250
115
    BOOL should_unlock = FALSE;
1251
1252
115
    if (sec_flags & SEC_ENCRYPT)
1253
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_ENCRYPTED;
1254
1255
115
    if (sec_flags & SEC_SECURE_CHECKSUM)
1256
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_SECURE_CHECKSUM;
1257
1258
115
    if (freerdp_settings_get_bool(settings, FreeRDP_CompressionEnabled) && !skipCompression)
1259
115
    {
1260
115
      if (bulk_compress(rdp->bulk, pSrcData, SrcSize, &pDstData, &DstSize,
1261
115
                        &compressionFlags) >= 0)
1262
115
      {
1263
115
        if (compressionFlags)
1264
0
        {
1265
0
          WINPR_ASSERT(compressionFlags <= UINT8_MAX);
1266
0
          fpUpdateHeader.compressionFlags = (UINT8)compressionFlags;
1267
0
          fpUpdateHeader.compression = FASTPATH_OUTPUT_COMPRESSION_USED;
1268
0
        }
1269
115
      }
1270
115
    }
1271
1272
115
    if (!fpUpdateHeader.compression)
1273
115
    {
1274
115
      pDstData = Stream_Pointer(s);
1275
115
      DstSize = fpUpdateHeader.size;
1276
115
    }
1277
1278
115
    if (DstSize > UINT16_MAX)
1279
0
      return FALSE;
1280
115
    fpUpdateHeader.size = (UINT16)DstSize;
1281
115
    totalLength -= SrcSize;
1282
1283
115
    if (totalLength == 0)
1284
115
      fpUpdateHeader.fragmentation =
1285
115
          (fragment == 0) ? FASTPATH_FRAGMENT_SINGLE : FASTPATH_FRAGMENT_LAST;
1286
0
    else
1287
0
      fpUpdateHeader.fragmentation =
1288
0
          (fragment == 0) ? FASTPATH_FRAGMENT_FIRST : FASTPATH_FRAGMENT_NEXT;
1289
1290
115
    fpUpdateHeaderSize = fastpath_get_update_header_size(&fpUpdateHeader);
1291
115
    fpUpdatePduHeaderSize = fastpath_get_update_pdu_header_size(&fpUpdatePduHeader, rdp);
1292
115
    fpHeaderSize = fpUpdateHeaderSize + fpUpdatePduHeaderSize;
1293
1294
115
    if (sec_flags & SEC_ENCRYPT)
1295
0
    {
1296
0
      pSignature = Stream_Buffer(fs) + 3;
1297
1298
0
      if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
1299
0
          ENCRYPTION_METHOD_FIPS)
1300
0
      {
1301
0
        pSignature += 4;
1302
1303
0
        if ((pad = 8 - ((DstSize + fpUpdateHeaderSize) % 8)) == 8)
1304
0
          pad = 0;
1305
1306
0
        fpUpdatePduHeader.fipsInformation[0] = 0x10;
1307
0
        fpUpdatePduHeader.fipsInformation[1] = 0x00;
1308
0
        fpUpdatePduHeader.fipsInformation[2] = 0x01;
1309
0
        fpUpdatePduHeader.fipsInformation[3] = pad;
1310
0
      }
1311
0
    }
1312
1313
115
    const size_t len = fpUpdateHeader.size + fpHeaderSize + pad;
1314
115
    if (len > UINT16_MAX)
1315
0
      return FALSE;
1316
1317
115
    fpUpdatePduHeader.length = (UINT16)len;
1318
115
    Stream_ResetPosition(fs);
1319
115
    if (!fastpath_write_update_pdu_header(fs, &fpUpdatePduHeader, rdp))
1320
0
      return FALSE;
1321
115
    if (!fastpath_write_update_header(fs, &fpUpdateHeader))
1322
0
      return FALSE;
1323
1324
115
    if (!Stream_CheckAndLogRequiredCapacity(TAG, (fs), (size_t)DstSize + pad))
1325
0
      return FALSE;
1326
115
    Stream_Write(fs, pDstData, DstSize);
1327
1328
115
    if (pad)
1329
0
      Stream_Zero(fs, pad);
1330
1331
115
    BOOL res = FALSE;
1332
115
    if (sec_flags & SEC_ENCRYPT)
1333
0
    {
1334
0
      security_lock(rdp);
1335
1336
0
      should_unlock = TRUE;
1337
0
      UINT32 dataSize = fpUpdateHeaderSize + DstSize + pad;
1338
0
      BYTE* data = Stream_PointerAs(fs, BYTE) - dataSize;
1339
1340
0
      if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
1341
0
          ENCRYPTION_METHOD_FIPS)
1342
0
      {
1343
        // TODO: Ensure stream capacity
1344
0
        if (!security_hmac_signature(data, dataSize - pad, pSignature, 8, rdp))
1345
0
          goto unlock;
1346
1347
0
        if (!security_fips_encrypt(data, dataSize, rdp))
1348
0
          goto unlock;
1349
0
      }
1350
0
      else
1351
0
      {
1352
        // TODO: Ensure stream capacity
1353
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1354
0
          status =
1355
0
              security_salted_mac_signature(rdp, data, dataSize, TRUE, pSignature, 8);
1356
0
        else
1357
0
          status = security_mac_signature(rdp, data, dataSize, pSignature, 8);
1358
1359
0
        if (!status || !security_encrypt(data, dataSize, rdp))
1360
0
          goto unlock;
1361
0
      }
1362
0
    }
1363
115
    res = TRUE;
1364
1365
115
    Stream_SealLength(fs);
1366
1367
115
    if (transport_write(rdp->transport, fs) < 0)
1368
115
    {
1369
115
      status = FALSE;
1370
115
    }
1371
1372
115
  unlock:
1373
115
    if (should_unlock)
1374
0
      security_unlock(rdp);
1375
1376
115
    if (!res || !status)
1377
115
      return FALSE;
1378
1379
0
    Stream_Seek(s, SrcSize);
1380
0
  }
1381
1382
0
  return status;
1383
115
}
1384
1385
rdpFastPath* fastpath_new(rdpRdp* rdp)
1386
17.5k
{
1387
17.5k
  rdpFastPath* fastpath = nullptr;
1388
1389
17.5k
  WINPR_ASSERT(rdp);
1390
1391
17.5k
  fastpath = (rdpFastPath*)calloc(1, sizeof(rdpFastPath));
1392
1393
17.5k
  if (!fastpath)
1394
0
    return nullptr;
1395
1396
17.5k
  fastpath->rdp = rdp;
1397
17.5k
  fastpath->fragmentation = -1;
1398
17.5k
  fastpath->fs = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1399
17.5k
  fastpath->updateData = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1400
1401
17.5k
  if (!fastpath->fs || !fastpath->updateData)
1402
0
    goto out_free;
1403
1404
17.5k
  return fastpath;
1405
0
out_free:
1406
0
  fastpath_free(fastpath);
1407
0
  return nullptr;
1408
17.5k
}
1409
1410
void fastpath_free(rdpFastPath* fastpath)
1411
17.5k
{
1412
17.5k
  if (fastpath)
1413
17.5k
  {
1414
17.5k
    Stream_Free(fastpath->updateData, TRUE);
1415
17.5k
    Stream_Free(fastpath->fs, TRUE);
1416
17.5k
    free(fastpath);
1417
17.5k
  }
1418
17.5k
}
1419
1420
BYTE fastpath_get_encryption_flags(rdpFastPath* fastpath)
1421
19.6k
{
1422
19.6k
  WINPR_ASSERT(fastpath);
1423
19.6k
  return fastpath->encryptionFlags;
1424
19.6k
}
1425
1426
BOOL fastpath_decrypt(rdpFastPath* fastpath, wStream* s, UINT16* length)
1427
17.5k
{
1428
17.5k
  WINPR_ASSERT(fastpath);
1429
17.5k
  if (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_ENCRYPTED)
1430
2.10k
  {
1431
2.10k
    const UINT16 flags =
1432
2.10k
        (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_SECURE_CHECKSUM)
1433
2.10k
            ? SEC_SECURE_CHECKSUM
1434
2.10k
            : 0;
1435
1436
2.10k
    if (!rdp_decrypt(fastpath->rdp, s, length, flags))
1437
0
      return FALSE;
1438
2.10k
  }
1439
1440
17.5k
  return TRUE;
1441
17.5k
}