Coverage Report

Created: 2026-06-15 06:57

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/libfreerdp/core/fastpath.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * Fast Path
4
 *
5
 * Copyright 2011 Vic Lee
6
 * Copyright 2014 Norbert Federa <norbert.federa@thincast.com>
7
 * Copyright 2017 Armin Novak <armin.novak@thincast.com>
8
 * Copyright 2017 Thincast Technologies GmbH
9
 *
10
 * Licensed under the Apache License, Version 2.0 (the "License");
11
 * you may not use this file except in compliance with the License.
12
 * You may obtain a copy of the License at
13
 *
14
 *     http://www.apache.org/licenses/LICENSE-2.0
15
 *
16
 * Unless required by applicable law or agreed to in writing, software
17
 * distributed under the License is distributed on an "AS IS" BASIS,
18
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19
 * See the License for the specific language governing permissions and
20
 * limitations under the License.
21
 */
22
23
#include <freerdp/config.h>
24
25
#include "settings.h"
26
27
#include <stdio.h>
28
#include <stdlib.h>
29
#include <string.h>
30
31
#include <winpr/crt.h>
32
#include <winpr/assert.h>
33
#include <winpr/stream.h>
34
35
#include <freerdp/api.h>
36
#include <freerdp/log.h>
37
#include <freerdp/crypto/per.h>
38
39
#include "orders.h"
40
#include "update.h"
41
#include "surface.h"
42
#include "fastpath.h"
43
#include "rdp.h"
44
45
#include "../cache/pointer.h"
46
#include "../cache/palette.h"
47
#include "../cache/bitmap.h"
48
49
#define TAG FREERDP_TAG("core.fastpath")
50
51
enum FASTPATH_INPUT_ENCRYPTION_FLAGS
52
{
53
  FASTPATH_INPUT_SECURE_CHECKSUM = 0x1,
54
  FASTPATH_INPUT_ENCRYPTED = 0x2
55
};
56
57
enum FASTPATH_OUTPUT_ENCRYPTION_FLAGS
58
{
59
  FASTPATH_OUTPUT_SECURE_CHECKSUM = 0x1,
60
  FASTPATH_OUTPUT_ENCRYPTED = 0x2
61
};
62
63
struct rdp_fastpath
64
{
65
  rdpRdp* rdp;
66
  wStream* fs;
67
  BYTE encryptionFlags;
68
  BYTE numberEvents;
69
  wStream* updateData;
70
  int fragmentation;
71
};
72
73
/**
74
 * Fast-Path packet format is defined in [MS-RDPBCGR] 2.2.9.1.2, which revises
75
 * server output packets from the first byte with the goal of improving
76
 * bandwidth.
77
 *
78
 * Slow-Path packet always starts with TPKT header, which has the first
79
 * byte 0x03, while Fast-Path packet starts with 2 zero bits in the first
80
 * two less significant bits of the first byte.
81
 */
82
83
static const char* const FASTPATH_UPDATETYPE_STRINGS[] = {
84
  "Orders",                 /* 0x0 */
85
  "Bitmap",                 /* 0x1 */
86
  "Palette",                /* 0x2 */
87
  "Synchronize",            /* 0x3 */
88
  "Surface Commands",       /* 0x4 */
89
  "System Pointer Hidden",  /* 0x5 */
90
  "System Pointer Default", /* 0x6 */
91
  "???",                    /* 0x7 */
92
  "Pointer Position",       /* 0x8 */
93
  "Color Pointer",          /* 0x9 */
94
  "Cached Pointer",         /* 0xA */
95
  "New Pointer",            /* 0xB */
96
};
97
98
static const char* fastpath_update_to_string(UINT8 update)
99
7.96k
{
100
7.96k
  if (update >= ARRAYSIZE(FASTPATH_UPDATETYPE_STRINGS))
101
452
    return "UNKNOWN";
102
103
7.51k
  return FASTPATH_UPDATETYPE_STRINGS[update];
104
7.96k
}
105
106
static BOOL fastpath_read_update_header(wStream* s, BYTE* updateCode, BYTE* fragmentation,
107
                                        BYTE* compression)
108
38.8k
{
109
38.8k
  BYTE updateHeader = 0;
110
111
38.8k
  if (!s || !updateCode || !fragmentation || !compression)
112
0
    return FALSE;
113
114
38.8k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
115
0
    return FALSE;
116
117
38.8k
  Stream_Read_UINT8(s, updateHeader);
118
38.8k
  *updateCode = updateHeader & 0x0F;
119
38.8k
  *fragmentation = (updateHeader >> 4) & 0x03;
120
38.8k
  *compression = (updateHeader >> 6) & 0x03;
121
38.8k
  return TRUE;
122
38.8k
}
123
124
static BOOL fastpath_write_update_header(wStream* s, const FASTPATH_UPDATE_HEADER* fpUpdateHeader)
125
104
{
126
104
  BYTE updateHeader = 0;
127
104
  WINPR_ASSERT(fpUpdateHeader);
128
129
104
  updateHeader |= fpUpdateHeader->updateCode & 0x0F;
130
104
  updateHeader |= (fpUpdateHeader->fragmentation & 0x03) << 4;
131
104
  updateHeader |= (fpUpdateHeader->compression & 0x03) << 6;
132
133
104
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
134
0
    return FALSE;
135
104
  Stream_Write_UINT8(s, updateHeader);
136
137
104
  if (fpUpdateHeader->compression)
138
0
  {
139
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 1))
140
0
      return FALSE;
141
142
0
    Stream_Write_UINT8(s, fpUpdateHeader->compressionFlags);
143
0
  }
144
145
104
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 2))
146
0
    return FALSE;
147
148
104
  Stream_Write_UINT16(s, fpUpdateHeader->size);
149
104
  return TRUE;
150
104
}
151
152
static UINT32 fastpath_get_update_header_size(FASTPATH_UPDATE_HEADER* fpUpdateHeader)
153
104
{
154
104
  WINPR_ASSERT(fpUpdateHeader);
155
104
  return (fpUpdateHeader->compression) ? 4 : 3;
156
104
}
157
158
static BOOL fastpath_write_update_pdu_header(wStream* s,
159
                                             const FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
160
                                             rdpRdp* rdp)
161
104
{
162
104
  BYTE fpOutputHeader = 0;
163
104
  WINPR_ASSERT(fpUpdatePduHeader);
164
104
  WINPR_ASSERT(rdp);
165
166
104
  if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 3))
167
0
    return FALSE;
168
169
104
  fpOutputHeader |= (fpUpdatePduHeader->action & 0x03);
170
104
  fpOutputHeader |= (fpUpdatePduHeader->secFlags & 0x03) << 6;
171
104
  Stream_Write_UINT8(s, fpOutputHeader);                          /* fpOutputHeader (1 byte) */
172
104
  Stream_Write_UINT8(s, 0x80 | (fpUpdatePduHeader->length >> 8)); /* length1 */
173
104
  Stream_Write_UINT8(s, fpUpdatePduHeader->length & 0xFF);        /* length2 */
174
175
104
  if (fpUpdatePduHeader->secFlags)
176
0
  {
177
0
    WINPR_ASSERT(rdp->settings);
178
0
    if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
179
0
        ENCRYPTION_METHOD_FIPS)
180
0
    {
181
0
      if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 4))
182
0
        return FALSE;
183
184
0
      Stream_Write(s, fpUpdatePduHeader->fipsInformation, 4);
185
0
    }
186
187
0
    if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
188
0
      return FALSE;
189
190
0
    Stream_Write(s, fpUpdatePduHeader->dataSignature, 8);
191
0
  }
192
193
104
  return TRUE;
194
104
}
195
196
static UINT32 fastpath_get_update_pdu_header_size(FASTPATH_UPDATE_PDU_HEADER* fpUpdatePduHeader,
197
                                                  rdpRdp* rdp)
198
104
{
199
104
  UINT32 size = 3; /* fpUpdatePduHeader + length1 + length2 */
200
201
104
  if (!fpUpdatePduHeader || !rdp)
202
0
    return 0;
203
204
104
  if (fpUpdatePduHeader->secFlags)
205
0
  {
206
0
    size += 8; /* dataSignature */
207
208
0
    WINPR_ASSERT(rdp->settings);
209
0
    if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
210
0
        ENCRYPTION_METHOD_FIPS)
211
0
      size += 4; /* fipsInformation */
212
0
  }
213
214
104
  return size;
215
104
}
216
217
BOOL fastpath_read_header_rdp(rdpFastPath* fastpath, wStream* s, UINT16* length)
218
16.0k
{
219
16.0k
  BYTE header = 0;
220
221
16.0k
  if (!s || !length)
222
0
    return FALSE;
223
224
16.0k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
225
5.04k
    return FALSE;
226
227
11.0k
  Stream_Read_UINT8(s, header);
228
229
11.0k
  if (fastpath)
230
11.0k
  {
231
11.0k
    fastpath->encryptionFlags = (header & 0xC0) >> 6;
232
11.0k
    fastpath->numberEvents = (header & 0x3C) >> 2;
233
11.0k
  }
234
235
11.0k
  if (!per_read_length(s, length))
236
173
    return FALSE;
237
238
10.8k
  const size_t pos = Stream_GetPosition(s);
239
10.8k
  if (pos > *length)
240
7.40k
    return FALSE;
241
242
3.43k
  *length = *length - (UINT16)pos;
243
3.43k
  return TRUE;
244
10.8k
}
245
246
static BOOL fastpath_recv_orders(rdpUpdate* update, wStream* s)
247
8.74k
{
248
8.74k
  UINT16 numberOrders = 0;
249
250
8.74k
  if (!s)
251
0
  {
252
0
    WLog_ERR(TAG, "Invalid arguments");
253
0
    return FALSE;
254
0
  }
255
256
8.74k
  if (!update)
257
0
  {
258
0
    WLog_ERR(TAG, "Invalid configuration");
259
0
    return FALSE;
260
0
  }
261
262
8.74k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
263
1.59k
    return FALSE;
264
265
7.15k
  Stream_Read_UINT16(s, numberOrders); /* numberOrders (2 bytes) */
266
267
201k
  while (numberOrders > 0)
268
196k
  {
269
196k
    if (!update_recv_order(update, s))
270
2.25k
      return FALSE;
271
272
194k
    numberOrders--;
273
194k
  }
274
275
4.90k
  return TRUE;
276
7.15k
}
277
278
static BOOL fastpath_recv_update_common(rdpUpdate* update, wStream* s)
279
1.18k
{
280
1.18k
  BOOL rc = FALSE;
281
1.18k
  UINT16 updateType = 0;
282
1.18k
  BOOL defaultReturn = 0;
283
284
1.18k
  rdp_update_internal* up = update_cast(update);
285
1.18k
  if (!s)
286
0
    return FALSE;
287
288
1.18k
  if (!update || !update->context)
289
0
    return FALSE;
290
291
1.18k
  rdpContext* context = update->context;
292
293
1.18k
  defaultReturn = freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
294
295
1.18k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
296
594
    return FALSE;
297
298
587
  Stream_Read_UINT16(s, updateType); /* updateType (2 bytes) */
299
587
  switch (updateType)
300
587
  {
301
262
    case UPDATE_TYPE_BITMAP:
302
262
    {
303
262
      BITMAP_UPDATE* bitmap_update = update_read_bitmap_update(update, s);
304
305
262
      if (!bitmap_update)
306
140
        return FALSE;
307
308
122
      up->stats.base[RDP_STATS_BITMAP_UPDATE]++;
309
122
      rc = IFCALLRESULT(defaultReturn, update->BitmapUpdate, context, bitmap_update);
310
122
      free_bitmap_update(context, bitmap_update);
311
122
    }
312
0
    break;
313
314
182
    case UPDATE_TYPE_PALETTE:
315
182
    {
316
182
      PALETTE_UPDATE* palette_update = update_read_palette(update, s);
317
318
182
      if (!palette_update)
319
133
        return FALSE;
320
321
49
      up->stats.base[RDP_STATS_PALETTE]++;
322
49
      rc = IFCALLRESULT(defaultReturn, update->Palette, context, palette_update);
323
49
      free_palette_update(context, palette_update);
324
49
    }
325
0
    break;
326
327
143
    default:
328
143
      break;
329
587
  }
330
331
314
  return rc;
332
587
}
333
334
static BOOL fastpath_recv_update_synchronize(WINPR_ATTR_UNUSED rdpFastPath* fastpath, wStream* s)
335
3.87k
{
336
  /* server 2008 can send invalid synchronize packet with missing padding,
337
    so don't return FALSE even if the packet is invalid */
338
3.87k
  WINPR_ASSERT(fastpath);
339
3.87k
  WINPR_ASSERT(s);
340
341
3.87k
  const size_t len = Stream_GetRemainingLength(s);
342
3.87k
  const size_t skip = MIN(2, len);
343
3.87k
  return Stream_SafeSeek(s, skip); /* size (2 bytes), MUST be set to zero */
344
3.87k
}
345
346
static BOOL fastpath_recv_update_paint_block(rdpUpdate* update, wStream* s,
347
                                             BOOL (*fkt)(rdpUpdate*, wStream*))
348
23.4k
{
349
23.4k
  WINPR_ASSERT(fkt);
350
23.4k
  if (!update_begin_paint(update))
351
0
    return FALSE;
352
353
23.4k
  BOOL res = fkt(update, s);
354
23.4k
  if (!update_end_paint(update))
355
561
    return FALSE;
356
22.9k
  return res;
357
23.4k
}
358
359
static int fastpath_recv_update(rdpFastPath* fastpath, BYTE updateCode, wStream* s)
360
28.6k
{
361
28.6k
  BOOL rc = FALSE;
362
28.6k
  int status = 0;
363
364
28.6k
  if (!fastpath || !fastpath->rdp || !s)
365
0
    return -1;
366
367
28.6k
  Stream_SealLength(s);
368
28.6k
  Stream_ResetPosition(s);
369
370
28.6k
  rdpUpdate* update = fastpath->rdp->update;
371
372
28.6k
  if (!update || !update->pointer || !update->context)
373
0
    return -1;
374
375
28.6k
  rdp_update_internal* up = update_cast(update);
376
377
28.6k
  rdpContext* context = update->context;
378
28.6k
  WINPR_ASSERT(context);
379
380
28.6k
  rdpPointerUpdate* pointer = update->pointer;
381
28.6k
  WINPR_ASSERT(pointer);
382
383
#ifdef WITH_DEBUG_RDP
384
  DEBUG_RDP(fastpath->rdp, "recv Fast-Path %s Update (0x%02" PRIX8 "), length:%" PRIuz "",
385
            fastpath_update_to_string(updateCode), updateCode, Stream_GetRemainingLength(s));
386
#endif
387
388
28.6k
  const BOOL defaultReturn =
389
28.6k
      freerdp_settings_get_bool(context->settings, FreeRDP_DeactivateClientDecoding);
390
28.6k
  switch (updateCode)
391
28.6k
  {
392
8.74k
    case FASTPATH_UPDATETYPE_ORDERS:
393
8.74k
      rc = fastpath_recv_update_paint_block(update, s, fastpath_recv_orders);
394
8.74k
      break;
395
396
913
    case FASTPATH_UPDATETYPE_BITMAP:
397
1.18k
    case FASTPATH_UPDATETYPE_PALETTE:
398
1.18k
      rc = fastpath_recv_update_paint_block(update, s, fastpath_recv_update_common);
399
1.18k
      break;
400
401
3.87k
    case FASTPATH_UPDATETYPE_SYNCHRONIZE:
402
3.87k
      if (!fastpath_recv_update_synchronize(fastpath, s))
403
0
        WLog_ERR(TAG, "fastpath_recv_update_synchronize failure but we continue");
404
3.87k
      else
405
3.87k
      {
406
3.87k
        up->stats.base[RDP_STATS_SYNC]++;
407
3.87k
        rc = IFCALLRESULT(TRUE, update->Synchronize, context);
408
3.87k
      }
409
410
3.87k
      break;
411
412
13.5k
    case FASTPATH_UPDATETYPE_SURFCMDS:
413
13.5k
      status = fastpath_recv_update_paint_block(update, s, update_recv_surfcmds);
414
13.5k
      rc = (status >= 0);
415
13.5k
      break;
416
417
50
    case FASTPATH_UPDATETYPE_PTR_NULL:
418
50
    {
419
50
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
420
50
      pointer_system.type = SYSPTR_NULL;
421
50
      up->stats.base[RDP_STATS_POINTER_SYSTEM]++;
422
50
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
423
50
    }
424
50
    break;
425
426
98
    case FASTPATH_UPDATETYPE_PTR_DEFAULT:
427
98
    {
428
98
      POINTER_SYSTEM_UPDATE pointer_system = WINPR_C_ARRAY_INIT;
429
98
      pointer_system.type = SYSPTR_DEFAULT;
430
98
      up->stats.base[RDP_STATS_POINTER_DEFAULT]++;
431
98
      rc = IFCALLRESULT(defaultReturn, pointer->PointerSystem, context, &pointer_system);
432
98
    }
433
98
    break;
434
435
157
    case FASTPATH_UPDATETYPE_PTR_POSITION:
436
157
    {
437
157
      POINTER_POSITION_UPDATE* pointer_position = update_read_pointer_position(update, s);
438
439
157
      if (pointer_position)
440
72
      {
441
72
        up->stats.base[RDP_STATS_POINTER_POSITION]++;
442
72
        rc = IFCALLRESULT(defaultReturn, pointer->PointerPosition, context,
443
72
                          pointer_position);
444
72
        free_pointer_position_update(context, pointer_position);
445
72
      }
446
157
    }
447
157
    break;
448
449
241
    case FASTPATH_UPDATETYPE_COLOR:
450
241
    {
451
241
      POINTER_COLOR_UPDATE* pointer_color = update_read_pointer_color(update, s, 24);
452
453
241
      if (pointer_color)
454
105
      {
455
105
        up->stats.base[RDP_STATS_POINTER_COLOR]++;
456
105
        rc = IFCALLRESULT(defaultReturn, pointer->PointerColor, context, pointer_color);
457
105
        free_pointer_color_update(context, pointer_color);
458
105
      }
459
241
    }
460
241
    break;
461
462
130
    case FASTPATH_UPDATETYPE_CACHED:
463
130
    {
464
130
      POINTER_CACHED_UPDATE* pointer_cached = update_read_pointer_cached(update, s);
465
466
130
      if (pointer_cached)
467
40
      {
468
40
        up->stats.base[RDP_STATS_POINTER_CACHED]++;
469
40
        rc = IFCALLRESULT(defaultReturn, pointer->PointerCached, context, pointer_cached);
470
40
        free_pointer_cached_update(context, pointer_cached);
471
40
      }
472
130
    }
473
130
    break;
474
475
79
    case FASTPATH_UPDATETYPE_POINTER:
476
79
    {
477
79
      POINTER_NEW_UPDATE* pointer_new = update_read_pointer_new(update, s);
478
479
79
      if (pointer_new)
480
16
      {
481
16
        up->stats.base[RDP_STATS_POINTER_NEW]++;
482
16
        rc = IFCALLRESULT(defaultReturn, pointer->PointerNew, context, pointer_new);
483
16
        free_pointer_new_update(context, pointer_new);
484
16
      }
485
79
    }
486
79
    break;
487
488
433
    case FASTPATH_UPDATETYPE_LARGE_POINTER:
489
433
    {
490
433
      POINTER_LARGE_UPDATE* pointer_large = update_read_pointer_large(update, s);
491
492
433
      if (pointer_large)
493
122
      {
494
122
        up->stats.base[RDP_STATS_POINTER_LARGE]++;
495
122
        rc = IFCALLRESULT(defaultReturn, pointer->PointerLarge, context, pointer_large);
496
122
        free_pointer_large_update(context, pointer_large);
497
122
      }
498
433
    }
499
433
    break;
500
49
    default:
501
49
      break;
502
28.6k
  }
503
504
28.6k
  Stream_ResetPosition(s);
505
28.6k
  if (!rc)
506
7.96k
  {
507
7.96k
    WLog_ERR(TAG, "Fastpath update %s [%" PRIx8 "] failed, status %d",
508
7.96k
             fastpath_update_to_string(updateCode), updateCode, status);
509
7.96k
    return -1;
510
7.96k
  }
511
512
20.6k
  return status;
513
28.6k
}
514
515
static int fastpath_recv_update_data(rdpFastPath* fastpath, wStream* s)
516
38.8k
{
517
38.8k
  int status = 0;
518
38.8k
  UINT16 size = 0;
519
38.8k
  BYTE updateCode = 0;
520
38.8k
  BYTE fragmentation = 0;
521
38.8k
  BYTE compression = 0;
522
38.8k
  BYTE compressionFlags = 0;
523
38.8k
  UINT32 DstSize = 0;
524
38.8k
  const BYTE* pDstData = nullptr;
525
526
38.8k
  if (!fastpath || !s)
527
0
    return -1;
528
529
38.8k
  rdpRdp* rdp = fastpath->rdp;
530
531
38.8k
  if (!rdp)
532
0
    return -1;
533
534
38.8k
  rdpTransport* transport = rdp->transport;
535
536
38.8k
  if (!transport)
537
0
    return -1;
538
539
38.8k
  if (!fastpath_read_update_header(s, &updateCode, &fragmentation, &compression))
540
0
    return -1;
541
542
38.8k
  if (compression == FASTPATH_OUTPUT_COMPRESSION_USED)
543
15.7k
  {
544
15.7k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
545
0
      return -1;
546
547
15.7k
    Stream_Read_UINT8(s, compressionFlags);
548
15.7k
  }
549
23.1k
  else
550
23.1k
    compressionFlags = 0;
551
552
38.8k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
553
22
    return -1;
554
555
38.8k
  Stream_Read_UINT16(s, size);
556
557
38.8k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, size))
558
5.37k
    return -1;
559
560
33.4k
  const int bulkStatus =
561
33.4k
      bulk_decompress(rdp->bulk, Stream_Pointer(s), size, &pDstData, &DstSize, compressionFlags);
562
33.4k
  Stream_Seek(s, size);
563
564
33.4k
  if (bulkStatus < 0)
565
1.30k
  {
566
1.30k
    WLog_ERR(TAG, "bulk_decompress() failed");
567
1.30k
    return -1;
568
1.30k
  }
569
570
32.1k
  if (!Stream_EnsureRemainingCapacity(fastpath->updateData, DstSize))
571
0
    return -1;
572
573
32.1k
  Stream_Write(fastpath->updateData, pDstData, DstSize);
574
575
32.1k
  if (fragmentation == FASTPATH_FRAGMENT_SINGLE)
576
27.5k
  {
577
27.5k
    if (fastpath->fragmentation != -1)
578
31
    {
579
31
      WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_SINGLE");
580
31
      goto out_fail;
581
31
    }
582
583
27.4k
    status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
584
585
27.4k
    if (status < 0)
586
7.95k
    {
587
7.95k
      WLog_ERR(TAG, "fastpath_recv_update() - %i", status);
588
7.95k
      goto out_fail;
589
7.95k
    }
590
27.4k
  }
591
4.64k
  else
592
4.64k
  {
593
4.64k
    rdpContext* context = nullptr;
594
4.64k
    const size_t totalSize = Stream_GetPosition(fastpath->updateData);
595
596
4.64k
    context = transport_get_context(transport);
597
4.64k
    WINPR_ASSERT(context);
598
4.64k
    WINPR_ASSERT(context->settings);
599
600
4.64k
    if (totalSize >
601
4.64k
        freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize))
602
89
    {
603
89
      WLog_ERR(
604
89
          TAG, "Total size (%" PRIuz ") exceeds MultifragMaxRequestSize (%" PRIu32 ")",
605
89
          totalSize,
606
89
          freerdp_settings_get_uint32(context->settings, FreeRDP_MultifragMaxRequestSize));
607
89
      goto out_fail;
608
89
    }
609
610
4.55k
    if (fragmentation == FASTPATH_FRAGMENT_FIRST)
611
1.33k
    {
612
1.33k
      if (fastpath->fragmentation != -1)
613
25
      {
614
25
        WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_FIRST");
615
25
        goto out_fail;
616
25
      }
617
618
1.31k
      fastpath->fragmentation = FASTPATH_FRAGMENT_FIRST;
619
1.31k
    }
620
3.21k
    else if (fragmentation == FASTPATH_FRAGMENT_NEXT)
621
1.93k
    {
622
1.93k
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
623
1.53k
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
624
245
      {
625
245
        WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_NEXT");
626
245
        goto out_fail;
627
245
      }
628
629
1.69k
      fastpath->fragmentation = FASTPATH_FRAGMENT_NEXT;
630
1.69k
    }
631
1.27k
    else if (fragmentation == FASTPATH_FRAGMENT_LAST)
632
1.27k
    {
633
1.27k
      if ((fastpath->fragmentation != FASTPATH_FRAGMENT_FIRST) &&
634
457
          (fastpath->fragmentation != FASTPATH_FRAGMENT_NEXT))
635
140
      {
636
140
        WLog_ERR(TAG, "Unexpected FASTPATH_FRAGMENT_LAST");
637
140
        goto out_fail;
638
140
      }
639
640
1.13k
      fastpath->fragmentation = -1;
641
1.13k
      status = fastpath_recv_update(fastpath, updateCode, fastpath->updateData);
642
643
1.13k
      if (status < 0)
644
4
      {
645
4
        WLog_ERR(TAG, "fastpath_recv_update() - %i", status);
646
4
        goto out_fail;
647
4
      }
648
1.13k
    }
649
4.55k
  }
650
651
23.6k
  return status;
652
8.49k
out_fail:
653
8.49k
  return -1;
654
32.1k
}
655
656
state_run_t fastpath_recv_updates(rdpFastPath* fastpath, wStream* s)
657
16.0k
{
658
16.0k
  state_run_t rc = STATE_RUN_FAILED;
659
660
16.0k
  WINPR_ASSERT(s);
661
16.0k
  WINPR_ASSERT(fastpath);
662
16.0k
  WINPR_ASSERT(fastpath->rdp);
663
664
39.7k
  while (Stream_GetRemainingLength(s) >= 3)
665
38.8k
  {
666
38.8k
    if (fastpath_recv_update_data(fastpath, s) < 0)
667
15.1k
    {
668
15.1k
      WLog_ERR(TAG, "fastpath_recv_update_data() fail");
669
15.1k
      rc = STATE_RUN_FAILED;
670
15.1k
      goto fail;
671
15.1k
    }
672
38.8k
  }
673
674
853
  rc = STATE_RUN_SUCCESS;
675
16.0k
fail:
676
677
16.0k
  return rc;
678
853
}
679
680
static BOOL fastpath_read_input_event_header(wStream* s, BYTE* eventFlags, BYTE* eventCode)
681
99.8k
{
682
99.8k
  BYTE eventHeader = 0;
683
684
99.8k
  WINPR_ASSERT(s);
685
99.8k
  WINPR_ASSERT(eventFlags);
686
99.8k
  WINPR_ASSERT(eventCode);
687
688
99.8k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
689
668
    return FALSE;
690
691
99.1k
  Stream_Read_UINT8(s, eventHeader); /* eventHeader (1 byte) */
692
99.1k
  *eventFlags = (eventHeader & 0x1F);
693
99.1k
  *eventCode = (eventHeader >> 5);
694
99.1k
  return TRUE;
695
99.8k
}
696
697
static BOOL fastpath_recv_input_event_scancode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
698
55.8k
{
699
55.8k
  WINPR_ASSERT(fastpath);
700
55.8k
  WINPR_ASSERT(fastpath->rdp);
701
55.8k
  WINPR_ASSERT(fastpath->rdp->input);
702
55.8k
  WINPR_ASSERT(s);
703
704
55.8k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
705
155
    return FALSE;
706
707
55.7k
  rdpInput* input = fastpath->rdp->input;
708
709
55.7k
  const UINT8 code = Stream_Get_UINT8(s); /* keyCode (1 byte) */
710
711
55.7k
  UINT16 flags = 0;
712
55.7k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
713
7.87k
    flags |= KBD_FLAGS_RELEASE;
714
715
55.7k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_EXTENDED))
716
29.0k
    flags |= KBD_FLAGS_EXTENDED;
717
718
55.7k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_PREFIX_E1))
719
7.25k
    flags |= KBD_FLAGS_EXTENDED1;
720
721
55.7k
  return IFCALLRESULT(TRUE, input->KeyboardEvent, input, flags, code);
722
55.8k
}
723
724
static BOOL fastpath_recv_input_event_mouse(rdpFastPath* fastpath, wStream* s,
725
                                            WINPR_ATTR_UNUSED BYTE eventFlags)
726
6.11k
{
727
6.11k
  rdpInput* input = nullptr;
728
6.11k
  UINT16 pointerFlags = 0;
729
6.11k
  UINT16 xPos = 0;
730
6.11k
  UINT16 yPos = 0;
731
6.11k
  WINPR_ASSERT(fastpath);
732
6.11k
  WINPR_ASSERT(fastpath->rdp);
733
6.11k
  WINPR_ASSERT(fastpath->rdp->input);
734
6.11k
  WINPR_ASSERT(s);
735
736
6.11k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
737
139
    return FALSE;
738
739
5.97k
  input = fastpath->rdp->input;
740
741
5.97k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
742
5.97k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
743
5.97k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
744
5.97k
  return IFCALLRESULT(TRUE, input->MouseEvent, input, pointerFlags, xPos, yPos);
745
6.11k
}
746
747
static BOOL fastpath_recv_input_event_relmouse(rdpFastPath* fastpath, wStream* s,
748
                                               WINPR_ATTR_UNUSED BYTE eventFlags)
749
4.05k
{
750
4.05k
  rdpInput* input = nullptr;
751
4.05k
  UINT16 pointerFlags = 0;
752
4.05k
  INT16 xDelta = 0;
753
4.05k
  INT16 yDelta = 0;
754
4.05k
  WINPR_ASSERT(fastpath);
755
4.05k
  WINPR_ASSERT(fastpath->rdp);
756
4.05k
  WINPR_ASSERT(fastpath->rdp->context);
757
4.05k
  WINPR_ASSERT(fastpath->rdp->input);
758
4.05k
  WINPR_ASSERT(s);
759
760
4.05k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
761
66
    return FALSE;
762
763
3.98k
  input = fastpath->rdp->input;
764
765
3.98k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
766
3.98k
  Stream_Read_INT16(s, xDelta);        /* xDelta (2 bytes) */
767
3.98k
  Stream_Read_INT16(s, yDelta);        /* yDelta (2 bytes) */
768
769
3.98k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasRelativeMouseEvent))
770
0
  {
771
0
    WLog_ERR(TAG,
772
0
             "Received relative mouse event(flags=0x%04" PRIx16 ", xPos=%" PRId16
773
0
             ", yPos=%" PRId16 "), but we did not announce support for that",
774
0
             pointerFlags, xDelta, yDelta);
775
0
    return FALSE;
776
0
  }
777
778
3.98k
  return IFCALLRESULT(TRUE, input->RelMouseEvent, input, pointerFlags, xDelta, yDelta);
779
3.98k
}
780
781
static BOOL fastpath_recv_input_event_qoe(rdpFastPath* fastpath, wStream* s,
782
                                          WINPR_ATTR_UNUSED BYTE eventFlags)
783
2.89k
{
784
2.89k
  WINPR_ASSERT(fastpath);
785
2.89k
  WINPR_ASSERT(fastpath->rdp);
786
2.89k
  WINPR_ASSERT(fastpath->rdp->context);
787
2.89k
  WINPR_ASSERT(fastpath->rdp->input);
788
2.89k
  WINPR_ASSERT(s);
789
790
2.89k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 4))
791
57
    return FALSE;
792
793
2.84k
  rdpInput* input = fastpath->rdp->input;
794
795
2.84k
  UINT32 timestampMS = 0;
796
2.84k
  Stream_Read_UINT32(s, timestampMS); /* timestamp (4 bytes) */
797
798
2.84k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasQoeEvent))
799
0
  {
800
0
    WLog_ERR(TAG,
801
0
             "Received qoe event(timestamp=%" PRIu32
802
0
             "ms), but we did not announce support for that",
803
0
             timestampMS);
804
0
    return FALSE;
805
0
  }
806
807
2.84k
  return IFCALLRESULT(TRUE, input->QoEEvent, input, timestampMS);
808
2.84k
}
809
810
static BOOL fastpath_recv_input_event_mousex(rdpFastPath* fastpath, wStream* s,
811
                                             WINPR_ATTR_UNUSED BYTE eventFlags)
812
3.77k
{
813
3.77k
  rdpInput* input = nullptr;
814
3.77k
  UINT16 pointerFlags = 0;
815
3.77k
  UINT16 xPos = 0;
816
3.77k
  UINT16 yPos = 0;
817
818
3.77k
  WINPR_ASSERT(fastpath);
819
3.77k
  WINPR_ASSERT(fastpath->rdp);
820
3.77k
  WINPR_ASSERT(fastpath->rdp->context);
821
3.77k
  WINPR_ASSERT(fastpath->rdp->input);
822
3.77k
  WINPR_ASSERT(s);
823
824
3.77k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 6))
825
67
    return FALSE;
826
827
3.71k
  input = fastpath->rdp->input;
828
829
3.71k
  Stream_Read_UINT16(s, pointerFlags); /* pointerFlags (2 bytes) */
830
3.71k
  Stream_Read_UINT16(s, xPos);         /* xPos (2 bytes) */
831
3.71k
  Stream_Read_UINT16(s, yPos);         /* yPos (2 bytes) */
832
833
3.71k
  if (!freerdp_settings_get_bool(input->context->settings, FreeRDP_HasExtendedMouseEvent))
834
0
  {
835
0
    WLog_ERR(TAG,
836
0
             "Received extended mouse event(flags=0x%04" PRIx16 ", xPos=%" PRIu16
837
0
             ", yPos=%" PRIu16 "), but we did not announce support for that",
838
0
             pointerFlags, xPos, yPos);
839
0
    return FALSE;
840
0
  }
841
842
3.71k
  return IFCALLRESULT(TRUE, input->ExtendedMouseEvent, input, pointerFlags, xPos, yPos);
843
3.71k
}
844
845
static BOOL fastpath_recv_input_event_sync(rdpFastPath* fastpath, WINPR_ATTR_UNUSED wStream* s,
846
                                           BYTE eventFlags)
847
7.22k
{
848
7.22k
  rdpInput* input = nullptr;
849
850
7.22k
  WINPR_ASSERT(fastpath);
851
7.22k
  WINPR_ASSERT(fastpath->rdp);
852
7.22k
  WINPR_ASSERT(fastpath->rdp->input);
853
7.22k
  WINPR_ASSERT(s);
854
855
7.22k
  input = fastpath->rdp->input;
856
7.22k
  return IFCALLRESULT(TRUE, input->SynchronizeEvent, input, eventFlags);
857
7.22k
}
858
859
static BOOL fastpath_recv_input_event_unicode(rdpFastPath* fastpath, wStream* s, BYTE eventFlags)
860
1.73k
{
861
1.73k
  UINT16 unicodeCode = 0;
862
1.73k
  UINT16 flags = 0;
863
864
1.73k
  WINPR_ASSERT(fastpath);
865
1.73k
  WINPR_ASSERT(s);
866
867
1.73k
  if (!Stream_CheckAndLogRequiredLength(TAG, s, 2))
868
34
    return FALSE;
869
870
1.70k
  Stream_Read_UINT16(s, unicodeCode); /* unicodeCode (2 bytes) */
871
1.70k
  flags = 0;
872
873
1.70k
  if ((eventFlags & FASTPATH_INPUT_KBDFLAGS_RELEASE))
874
1.10k
    flags |= KBD_FLAGS_RELEASE;
875
876
1.70k
  WINPR_ASSERT(fastpath->rdp);
877
1.70k
  WINPR_ASSERT(fastpath->rdp);
878
1.70k
  WINPR_ASSERT(fastpath->rdp->input);
879
1.70k
  return IFCALLRESULT(FALSE, fastpath->rdp->input->UnicodeKeyboardEvent, fastpath->rdp->input,
880
1.73k
                      flags, unicodeCode);
881
1.73k
}
882
883
static BOOL fastpath_recv_input_event(rdpFastPath* fastpath, wStream* s)
884
99.8k
{
885
99.8k
  BYTE eventFlags = 0;
886
99.8k
  BYTE eventCode = 0;
887
888
99.8k
  WINPR_ASSERT(fastpath);
889
99.8k
  WINPR_ASSERT(s);
890
891
99.8k
  if (!fastpath_read_input_event_header(s, &eventFlags, &eventCode))
892
668
    return FALSE;
893
894
99.1k
  switch (eventCode)
895
99.1k
  {
896
55.8k
    case FASTPATH_INPUT_EVENT_SCANCODE:
897
55.8k
      if (!fastpath_recv_input_event_scancode(fastpath, s, eventFlags))
898
155
        return FALSE;
899
900
55.7k
      break;
901
902
55.7k
    case FASTPATH_INPUT_EVENT_MOUSE:
903
6.11k
      if (!fastpath_recv_input_event_mouse(fastpath, s, eventFlags))
904
139
        return FALSE;
905
906
5.97k
      break;
907
908
5.97k
    case FASTPATH_INPUT_EVENT_MOUSEX:
909
3.77k
      if (!fastpath_recv_input_event_mousex(fastpath, s, eventFlags))
910
67
        return FALSE;
911
912
3.71k
      break;
913
914
7.22k
    case FASTPATH_INPUT_EVENT_SYNC:
915
7.22k
      if (!fastpath_recv_input_event_sync(fastpath, s, eventFlags))
916
0
        return FALSE;
917
918
7.22k
      break;
919
920
7.22k
    case FASTPATH_INPUT_EVENT_UNICODE:
921
1.73k
      if (!fastpath_recv_input_event_unicode(fastpath, s, eventFlags))
922
1.73k
        return FALSE;
923
924
0
      break;
925
926
4.05k
    case TS_FP_RELPOINTER_EVENT:
927
4.05k
      if (!fastpath_recv_input_event_relmouse(fastpath, s, eventFlags))
928
66
        return FALSE;
929
930
3.98k
      break;
931
932
3.98k
    case TS_FP_QOETIMESTAMP_EVENT:
933
2.89k
      if (!fastpath_recv_input_event_qoe(fastpath, s, eventFlags))
934
57
        return FALSE;
935
2.84k
      break;
936
937
17.4k
    default:
938
17.4k
      WLog_ERR(TAG, "Unknown eventCode %" PRIu8 "", eventCode);
939
17.4k
      break;
940
99.1k
  }
941
942
96.9k
  return TRUE;
943
99.1k
}
944
945
state_run_t fastpath_recv_inputs(rdpFastPath* fastpath, wStream* s)
946
16.0k
{
947
16.0k
  WINPR_ASSERT(fastpath);
948
16.0k
  WINPR_ASSERT(s);
949
950
16.0k
  if (fastpath->numberEvents == 0)
951
16.0k
  {
952
    /**
953
     * If numberEvents is not provided in fpInputHeader, it will be provided
954
     * as one additional byte here.
955
     */
956
16.0k
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 1))
957
3.96k
      return STATE_RUN_FAILED;
958
959
12.0k
    Stream_Read_UINT8(s, fastpath->numberEvents); /* eventHeader (1 byte) */
960
12.0k
  }
961
962
109k
  for (BYTE i = 0; i < fastpath->numberEvents; i++)
963
99.8k
  {
964
99.8k
    if (!fastpath_recv_input_event(fastpath, s))
965
2.89k
      return STATE_RUN_FAILED;
966
99.8k
  }
967
968
9.19k
  return STATE_RUN_SUCCESS;
969
12.0k
}
970
971
static UINT32 fastpath_get_sec_bytes(rdpRdp* rdp)
972
0
{
973
0
  UINT32 sec_bytes = 0;
974
975
0
  if (!rdp)
976
0
    return 0;
977
978
0
  if (rdp->do_crypt)
979
0
  {
980
0
    sec_bytes = 8;
981
982
0
    if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
983
0
        ENCRYPTION_METHOD_FIPS)
984
0
      sec_bytes += 4;
985
0
  }
986
987
0
  return sec_bytes;
988
0
}
989
990
wStream* fastpath_input_pdu_init_header(rdpFastPath* fastpath, UINT16* sec_flags)
991
0
{
992
0
  if (!fastpath || !fastpath->rdp)
993
0
    return nullptr;
994
995
0
  rdpRdp* rdp = fastpath->rdp;
996
0
  wStream* s = transport_send_stream_init(rdp->transport, 256);
997
998
0
  if (!s)
999
0
    return nullptr;
1000
1001
0
  Stream_Seek(s, 3); /* fpInputHeader, length1 and length2 */
1002
1003
0
  if (rdp->do_crypt)
1004
0
  {
1005
0
    *sec_flags |= SEC_ENCRYPT;
1006
1007
0
    if (rdp->do_secure_checksum)
1008
0
      *sec_flags |= SEC_SECURE_CHECKSUM;
1009
0
  }
1010
1011
0
  Stream_Seek(s, fastpath_get_sec_bytes(rdp));
1012
0
  return s;
1013
0
}
1014
1015
wStream* fastpath_input_pdu_init(rdpFastPath* fastpath, BYTE eventFlags, BYTE eventCode,
1016
                                 UINT16* sec_flags)
1017
0
{
1018
0
  wStream* s = nullptr;
1019
0
  s = fastpath_input_pdu_init_header(fastpath, sec_flags);
1020
1021
0
  if (!s)
1022
0
    return nullptr;
1023
1024
0
  WINPR_ASSERT(eventCode < 8);
1025
0
  WINPR_ASSERT(eventFlags < 0x20);
1026
0
  Stream_Write_UINT8(s, (UINT8)(eventFlags | (eventCode << 5))); /* eventHeader (1 byte) */
1027
0
  return s;
1028
0
}
1029
1030
BOOL fastpath_send_multiple_input_pdu(rdpFastPath* fastpath, wStream* s, size_t iNumEvents,
1031
                                      UINT16 sec_flags)
1032
0
{
1033
0
  BOOL rc = FALSE;
1034
0
  BYTE eventHeader = 0;
1035
0
  BOOL should_unlock = FALSE;
1036
0
  rdpRdp* rdp = nullptr;
1037
1038
0
  WINPR_ASSERT(iNumEvents > 0);
1039
0
  if (!s)
1040
0
    return FALSE;
1041
1042
0
  if (!fastpath)
1043
0
    goto fail;
1044
1045
0
  rdp = fastpath->rdp;
1046
0
  WINPR_ASSERT(rdp);
1047
1048
0
  {
1049
0
    const CONNECTION_STATE state = rdp_get_state(rdp);
1050
0
    if (!rdp_is_active_state(rdp))
1051
0
    {
1052
0
      WLog_WARN(TAG, "called before activation [%s]", rdp_state_string(state));
1053
0
      goto fail;
1054
0
    }
1055
0
  }
1056
1057
  /*
1058
   *  A maximum of 15 events are allowed per request
1059
   *  if the optional numEvents field isn't used
1060
   *  see MS-RDPBCGR 2.2.8.1.2 for details
1061
   */
1062
0
  if (iNumEvents > 15)
1063
0
    goto fail;
1064
1065
0
  {
1066
0
    size_t length = Stream_GetPosition(s);
1067
1068
0
    if (length >= (2u << 14))
1069
0
    {
1070
0
      WLog_ERR(TAG, "Maximum FastPath PDU length is 32767");
1071
0
      goto fail;
1072
0
    }
1073
1074
0
    eventHeader = FASTPATH_INPUT_ACTION_FASTPATH;
1075
0
    eventHeader |= (iNumEvents << 2); /* numberEvents */
1076
1077
0
    if (sec_flags & SEC_ENCRYPT)
1078
0
      eventHeader |= (FASTPATH_INPUT_ENCRYPTED << 6);
1079
1080
0
    if (sec_flags & SEC_SECURE_CHECKSUM)
1081
0
      eventHeader |= (FASTPATH_INPUT_SECURE_CHECKSUM << 6);
1082
1083
0
    Stream_ResetPosition(s);
1084
0
    Stream_Write_UINT8(s, eventHeader);
1085
    /* Write length later, RDP encryption might add a padding */
1086
0
    Stream_Seek(s, 2);
1087
1088
0
    if (sec_flags & SEC_ENCRYPT)
1089
0
    {
1090
0
      security_lock(rdp);
1091
0
      should_unlock = TRUE;
1092
1093
0
      const size_t sec_bytes = fastpath_get_sec_bytes(fastpath->rdp);
1094
0
      if (sec_bytes + 3ULL > length)
1095
0
        goto fail;
1096
1097
0
      BYTE* fpInputEvents = Stream_PointerAs(s, BYTE) + sec_bytes;
1098
0
      const UINT16 fpInputEvents_length = (UINT16)(length - 3 - sec_bytes);
1099
1100
0
      WINPR_ASSERT(rdp->settings);
1101
0
      if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
1102
0
          ENCRYPTION_METHOD_FIPS)
1103
0
      {
1104
0
        BYTE pad = 0;
1105
1106
0
        if ((pad = 8 - (fpInputEvents_length % 8)) == 8)
1107
0
          pad = 0;
1108
1109
0
        Stream_Write_UINT16(s, 0x10); /* length */
1110
0
        Stream_Write_UINT8(s, 0x1);   /* TSFIPS_VERSION 1*/
1111
0
        Stream_Write_UINT8(s, pad);   /* padding */
1112
1113
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1114
0
          goto fail;
1115
1116
0
        if (!security_hmac_signature(fpInputEvents, fpInputEvents_length, Stream_Pointer(s),
1117
0
                                     8, rdp))
1118
0
          goto fail;
1119
1120
0
        if (pad)
1121
0
          memset(fpInputEvents + fpInputEvents_length, 0, pad);
1122
1123
0
        if (!security_fips_encrypt(fpInputEvents, fpInputEvents_length + pad, rdp))
1124
0
          goto fail;
1125
1126
0
        length += pad;
1127
0
      }
1128
0
      else
1129
0
      {
1130
0
        BOOL res = 0;
1131
0
        if (!Stream_CheckAndLogRequiredCapacity(TAG, s, 8))
1132
0
          goto fail;
1133
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1134
0
          res = security_salted_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1135
0
                                              TRUE, Stream_Pointer(s), 8);
1136
0
        else
1137
0
          res = security_mac_signature(rdp, fpInputEvents, fpInputEvents_length,
1138
0
                                       Stream_Pointer(s), 8);
1139
1140
0
        if (!res || !security_encrypt(fpInputEvents, fpInputEvents_length, rdp))
1141
0
          goto fail;
1142
0
      }
1143
0
    }
1144
1145
    /*
1146
     * We always encode length in two bytes, even though we could use
1147
     * only one byte if length <= 0x7F. It is just easier that way,
1148
     * because we can leave room for fixed-length header, store all
1149
     * the data first and then store the header.
1150
     */
1151
0
    WINPR_ASSERT(length < UINT16_MAX);
1152
0
    if (!Stream_SetPosition(s, 1))
1153
0
      goto fail;
1154
0
    Stream_Write_UINT16_BE(s, 0x8000 | (UINT16)length);
1155
0
    if (!Stream_SetPosition(s, length))
1156
0
      goto fail;
1157
0
    Stream_SealLength(s);
1158
0
  }
1159
1160
0
  if (transport_write(rdp->transport, s) < 0)
1161
0
    goto fail;
1162
1163
0
  rc = TRUE;
1164
0
fail:
1165
0
  if (should_unlock)
1166
0
    security_unlock(rdp);
1167
0
  Stream_Release(s);
1168
0
  return rc;
1169
0
}
1170
1171
BOOL fastpath_send_input_pdu(rdpFastPath* fastpath, wStream* s, UINT16 sec_flags)
1172
0
{
1173
0
  return fastpath_send_multiple_input_pdu(fastpath, s, 1, sec_flags);
1174
0
}
1175
1176
wStream* fastpath_update_pdu_init(rdpFastPath* fastpath)
1177
3.42k
{
1178
3.42k
  return transport_send_stream_init(fastpath->rdp->transport, FASTPATH_MAX_PACKET_SIZE);
1179
3.42k
}
1180
1181
wStream* fastpath_update_pdu_init_new(WINPR_ATTR_UNUSED rdpFastPath* fastpath)
1182
14.3k
{
1183
14.3k
  wStream* s = nullptr;
1184
14.3k
  s = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1185
14.3k
  return s;
1186
14.3k
}
1187
1188
BOOL fastpath_send_update_pdu(rdpFastPath* fastpath, BYTE updateCode, wStream* s,
1189
                              BOOL skipCompression)
1190
3.99k
{
1191
3.99k
  BOOL status = TRUE;
1192
3.99k
  wStream* fs = nullptr;
1193
3.99k
  rdpSettings* settings = nullptr;
1194
3.99k
  rdpRdp* rdp = nullptr;
1195
3.99k
  UINT32 fpHeaderSize = 6;
1196
3.99k
  UINT32 fpUpdatePduHeaderSize = 0;
1197
3.99k
  UINT32 fpUpdateHeaderSize = 0;
1198
3.99k
  FASTPATH_UPDATE_PDU_HEADER fpUpdatePduHeader = WINPR_C_ARRAY_INIT;
1199
3.99k
  FASTPATH_UPDATE_HEADER fpUpdateHeader = WINPR_C_ARRAY_INIT;
1200
3.99k
  UINT16 sec_flags = 0;
1201
1202
3.99k
  if (!fastpath || !fastpath->rdp || !fastpath->fs || !s)
1203
0
    return FALSE;
1204
1205
3.99k
  rdp = fastpath->rdp;
1206
3.99k
  fs = fastpath->fs;
1207
3.99k
  settings = rdp->settings;
1208
1209
3.99k
  if (!settings)
1210
0
    return FALSE;
1211
1212
3.99k
  UINT16 maxLength = FASTPATH_MAX_PACKET_SIZE - 20;
1213
1214
3.99k
  if (freerdp_settings_get_bool(rdp->settings, FreeRDP_CompressionEnabled) && !skipCompression)
1215
3.99k
  {
1216
3.99k
    const UINT16 CompressionMaxSize = bulk_compression_max_size(rdp->bulk);
1217
3.99k
    maxLength = (maxLength < CompressionMaxSize) ? maxLength : CompressionMaxSize;
1218
3.99k
    maxLength -= 20;
1219
3.99k
  }
1220
1221
3.99k
  size_t totalLength = Stream_GetPosition(s);
1222
3.99k
  Stream_ResetPosition(s);
1223
1224
  /* check if fast path output is possible */
1225
3.99k
  if (!freerdp_settings_get_bool(rdp->settings, FreeRDP_FastPathOutput))
1226
0
  {
1227
0
    WLog_ERR(TAG, "client does not support fast path output");
1228
0
    return FALSE;
1229
0
  }
1230
1231
  /* check if the client's fast path pdu buffer is large enough */
1232
3.99k
  if (totalLength > freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize))
1233
3.88k
  {
1234
3.88k
    WLog_ERR(TAG,
1235
3.88k
             "fast path update size (%" PRIuz
1236
3.88k
             ") exceeds the client's maximum request size (%" PRIu32 ")",
1237
3.88k
             totalLength,
1238
3.88k
             freerdp_settings_get_uint32(settings, FreeRDP_MultifragMaxRequestSize));
1239
3.88k
    return FALSE;
1240
3.88k
  }
1241
1242
104
  if (rdp->do_crypt)
1243
0
  {
1244
0
    sec_flags |= SEC_ENCRYPT;
1245
1246
0
    if (rdp->do_secure_checksum)
1247
0
      sec_flags |= SEC_SECURE_CHECKSUM;
1248
0
  }
1249
1250
104
  for (int fragment = 0; (totalLength > 0) || (fragment == 0); fragment++)
1251
104
  {
1252
104
    UINT32 DstSize = 0;
1253
104
    const BYTE* pDstData = nullptr;
1254
104
    UINT32 compressionFlags = 0;
1255
104
    BYTE pad = 0;
1256
104
    BYTE* pSignature = nullptr;
1257
104
    fpUpdatePduHeader.action = 0;
1258
104
    fpUpdatePduHeader.secFlags = 0;
1259
104
    fpUpdateHeader.compression = 0;
1260
104
    fpUpdateHeader.compressionFlags = 0;
1261
104
    fpUpdateHeader.updateCode = updateCode;
1262
104
    fpUpdateHeader.size = (UINT16)(totalLength > maxLength) ? maxLength : (UINT16)totalLength;
1263
104
    const BYTE* pSrcData = Stream_Pointer(s);
1264
104
    UINT32 SrcSize = DstSize = fpUpdateHeader.size;
1265
104
    BOOL should_unlock = FALSE;
1266
1267
104
    if (sec_flags & SEC_ENCRYPT)
1268
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_ENCRYPTED;
1269
1270
104
    if (sec_flags & SEC_SECURE_CHECKSUM)
1271
0
      fpUpdatePduHeader.secFlags |= FASTPATH_OUTPUT_SECURE_CHECKSUM;
1272
1273
104
    if (freerdp_settings_get_bool(settings, FreeRDP_CompressionEnabled) && !skipCompression)
1274
104
    {
1275
104
      if (bulk_compress(rdp->bulk, pSrcData, SrcSize, &pDstData, &DstSize,
1276
104
                        &compressionFlags) >= 0)
1277
104
      {
1278
104
        if (compressionFlags)
1279
0
        {
1280
0
          WINPR_ASSERT(compressionFlags <= UINT8_MAX);
1281
0
          fpUpdateHeader.compressionFlags = (UINT8)compressionFlags;
1282
0
          fpUpdateHeader.compression = FASTPATH_OUTPUT_COMPRESSION_USED;
1283
0
        }
1284
104
      }
1285
104
    }
1286
1287
104
    if (!fpUpdateHeader.compression)
1288
104
    {
1289
104
      pDstData = Stream_Pointer(s);
1290
104
      DstSize = fpUpdateHeader.size;
1291
104
    }
1292
1293
104
    if (DstSize > UINT16_MAX)
1294
0
      return FALSE;
1295
104
    fpUpdateHeader.size = (UINT16)DstSize;
1296
104
    totalLength -= SrcSize;
1297
1298
104
    if (totalLength == 0)
1299
104
      fpUpdateHeader.fragmentation =
1300
104
          (fragment == 0) ? FASTPATH_FRAGMENT_SINGLE : FASTPATH_FRAGMENT_LAST;
1301
0
    else
1302
0
      fpUpdateHeader.fragmentation =
1303
0
          (fragment == 0) ? FASTPATH_FRAGMENT_FIRST : FASTPATH_FRAGMENT_NEXT;
1304
1305
104
    fpUpdateHeaderSize = fastpath_get_update_header_size(&fpUpdateHeader);
1306
104
    fpUpdatePduHeaderSize = fastpath_get_update_pdu_header_size(&fpUpdatePduHeader, rdp);
1307
104
    fpHeaderSize = fpUpdateHeaderSize + fpUpdatePduHeaderSize;
1308
1309
104
    if (sec_flags & SEC_ENCRYPT)
1310
0
    {
1311
0
      pSignature = Stream_Buffer(fs) + 3;
1312
1313
0
      if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
1314
0
          ENCRYPTION_METHOD_FIPS)
1315
0
      {
1316
0
        pSignature += 4;
1317
1318
0
        if ((pad = 8 - ((DstSize + fpUpdateHeaderSize) % 8)) == 8)
1319
0
          pad = 0;
1320
1321
0
        fpUpdatePduHeader.fipsInformation[0] = 0x10;
1322
0
        fpUpdatePduHeader.fipsInformation[1] = 0x00;
1323
0
        fpUpdatePduHeader.fipsInformation[2] = 0x01;
1324
0
        fpUpdatePduHeader.fipsInformation[3] = pad;
1325
0
      }
1326
0
    }
1327
1328
104
    const size_t len = fpUpdateHeader.size + fpHeaderSize + pad;
1329
104
    if (len > UINT16_MAX)
1330
0
      return FALSE;
1331
1332
104
    fpUpdatePduHeader.length = (UINT16)len;
1333
104
    Stream_ResetPosition(fs);
1334
104
    if (!fastpath_write_update_pdu_header(fs, &fpUpdatePduHeader, rdp))
1335
0
      return FALSE;
1336
104
    if (!fastpath_write_update_header(fs, &fpUpdateHeader))
1337
0
      return FALSE;
1338
1339
104
    if (!Stream_CheckAndLogRequiredCapacity(TAG, (fs), (size_t)DstSize + pad))
1340
0
      return FALSE;
1341
104
    Stream_Write(fs, pDstData, DstSize);
1342
1343
104
    if (pad)
1344
0
      Stream_Zero(fs, pad);
1345
1346
104
    BOOL res = FALSE;
1347
104
    if (sec_flags & SEC_ENCRYPT)
1348
0
    {
1349
0
      security_lock(rdp);
1350
1351
0
      should_unlock = TRUE;
1352
0
      UINT32 dataSize = fpUpdateHeaderSize + DstSize + pad;
1353
0
      BYTE* data = Stream_PointerAs(fs, BYTE) - dataSize;
1354
1355
0
      if (freerdp_settings_get_uint32(rdp->settings, FreeRDP_EncryptionMethods) ==
1356
0
          ENCRYPTION_METHOD_FIPS)
1357
0
      {
1358
        // TODO: Ensure stream capacity
1359
0
        if (!security_hmac_signature(data, dataSize - pad, pSignature, 8, rdp))
1360
0
          goto unlock;
1361
1362
0
        if (!security_fips_encrypt(data, dataSize, rdp))
1363
0
          goto unlock;
1364
0
      }
1365
0
      else
1366
0
      {
1367
        // TODO: Ensure stream capacity
1368
0
        if (sec_flags & SEC_SECURE_CHECKSUM)
1369
0
          status =
1370
0
              security_salted_mac_signature(rdp, data, dataSize, TRUE, pSignature, 8);
1371
0
        else
1372
0
          status = security_mac_signature(rdp, data, dataSize, pSignature, 8);
1373
1374
0
        if (!status || !security_encrypt(data, dataSize, rdp))
1375
0
          goto unlock;
1376
0
      }
1377
0
    }
1378
104
    res = TRUE;
1379
1380
104
    Stream_SealLength(fs);
1381
1382
104
    if (transport_write(rdp->transport, fs) < 0)
1383
104
    {
1384
104
      status = FALSE;
1385
104
    }
1386
1387
104
  unlock:
1388
104
    if (should_unlock)
1389
0
      security_unlock(rdp);
1390
1391
104
    if (!res || !status)
1392
104
      return FALSE;
1393
1394
0
    Stream_Seek(s, SrcSize);
1395
0
  }
1396
1397
0
  return status;
1398
104
}
1399
1400
rdpFastPath* fastpath_new(rdpRdp* rdp)
1401
16.0k
{
1402
16.0k
  rdpFastPath* fastpath = nullptr;
1403
1404
16.0k
  WINPR_ASSERT(rdp);
1405
1406
16.0k
  fastpath = (rdpFastPath*)calloc(1, sizeof(rdpFastPath));
1407
1408
16.0k
  if (!fastpath)
1409
0
    return nullptr;
1410
1411
16.0k
  fastpath->rdp = rdp;
1412
16.0k
  fastpath->fragmentation = -1;
1413
16.0k
  fastpath->fs = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1414
16.0k
  fastpath->updateData = Stream_New(nullptr, FASTPATH_MAX_PACKET_SIZE);
1415
1416
16.0k
  if (!fastpath->fs || !fastpath->updateData)
1417
0
    goto out_free;
1418
1419
16.0k
  return fastpath;
1420
0
out_free:
1421
0
  fastpath_free(fastpath);
1422
0
  return nullptr;
1423
16.0k
}
1424
1425
void fastpath_free(rdpFastPath* fastpath)
1426
16.0k
{
1427
16.0k
  if (fastpath)
1428
16.0k
  {
1429
16.0k
    Stream_Free(fastpath->updateData, TRUE);
1430
16.0k
    Stream_Free(fastpath->fs, TRUE);
1431
16.0k
    free(fastpath);
1432
16.0k
  }
1433
16.0k
}
1434
1435
BYTE fastpath_get_encryption_flags(rdpFastPath* fastpath)
1436
18.1k
{
1437
18.1k
  WINPR_ASSERT(fastpath);
1438
18.1k
  return fastpath->encryptionFlags;
1439
18.1k
}
1440
1441
BOOL fastpath_decrypt(rdpFastPath* fastpath, wStream* s, UINT16* length)
1442
16.0k
{
1443
16.0k
  WINPR_ASSERT(fastpath);
1444
16.0k
  if (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_ENCRYPTED)
1445
2.08k
  {
1446
2.08k
    const UINT16 flags =
1447
2.08k
        (fastpath_get_encryption_flags(fastpath) & FASTPATH_OUTPUT_SECURE_CHECKSUM)
1448
2.08k
            ? SEC_SECURE_CHECKSUM
1449
2.08k
            : 0;
1450
1451
2.08k
    if (!rdp_decrypt(fastpath->rdp, s, length, flags))
1452
0
      return FALSE;
1453
2.08k
  }
1454
1455
16.0k
  return TRUE;
1456
16.0k
}