/* connect to selected security layer */
BOOL nego_security_connect(rdpNego* nego)
{
if (!nego->tcp_connected)
{
nego->security_connected = FALSE;
}
else if (!nego->security_connected)
{
if (nego->selected_protocol == PROTOCOL_NLA)
{
DEBUG_NEGO("nego_security_connect with PROTOCOL_NLA");
nego->security_connected = transport_connect_nla(nego->transport);
}
else if (nego->selected_protocol == PROTOCOL_TLS)
{
DEBUG_NEGO("nego_security_connect with PROTOCOL_TLS");
nego->security_connected = transport_connect_tls(nego->transport);
}
else if (nego->selected_protocol == PROTOCOL_RDP)
{
DEBUG_NEGO("nego_security_connect with PROTOCOL_RDP");
nego->security_connected = transport_connect_rdp(nego->transport);
}
else
{
DEBUG_NEGO("cannot connect security layer because no protocol has been selected yet.");
}
}
return nego->security_connected;
}
void nego_process_negotiation_request(rdpNego* nego, STREAM* s)
{
BYTE flags;
UINT16 length;
DEBUG_NEGO("RDP_NEG_REQ");
stream_read_BYTE(s, flags);
stream_read_UINT16(s, length);
stream_read_UINT32(s, nego->requested_protocols);
DEBUG_NEGO("requested_protocols: %d", nego->requested_protocols);
nego->state = NEGO_STATE_FINAL;
}
void nego_attempt_tls(rdpNego* nego)
{
nego->requested_protocols = PROTOCOL_TLS;
DEBUG_NEGO("Attempting TLS security");
if (!nego_tcp_connect(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_send_negotiation_request(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_recv_response(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (nego->state != NEGO_STATE_FINAL)
{
nego_tcp_disconnect(nego);
if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
nego->state = NEGO_STATE_RDP;
else
nego->state = NEGO_STATE_FAIL;
}
}
void nego_attempt_rdp(rdpNego* nego)
{
nego->requested_protocols = PROTOCOL_RDP;
DEBUG_NEGO("Attempting RDP security");
if (!nego_transport_connect(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_send_negotiation_request(nego))
{
freerdp_log(nego->transport->settings->instance, "Error: RDP Negotiation failure\n");
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_recv_response(nego))
{
freerdp_log(nego->transport->settings->instance, "Error: RDP Negotiation failure\n");
nego->state = NEGO_STATE_FAIL;
return;
}
}
boolean nego_connect(rdpNego* nego)
{
if (nego->state == NEGO_STATE_INITIAL)
{
if (nego->enabled_protocols[PROTOCOL_NLA] > 0)
nego->state = NEGO_STATE_NLA;
else if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
nego->state = NEGO_STATE_TLS;
else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
nego->state = NEGO_STATE_RDP;
else
nego->state = NEGO_STATE_FAIL;
}
do
{
DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
nego_send(nego);
if (nego->state == NEGO_STATE_FAIL)
{
DEBUG_NEGO("Protocol Security Negotiation Failure");
nego->state = NEGO_STATE_FINAL;
return false;
}
}
while (nego->state != NEGO_STATE_FINAL);
DEBUG_NEGO("Negotiated %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
/* update settings with negotiated protocol security */
nego->transport->settings->requested_protocols = nego->requested_protocols;
nego->transport->settings->selected_protocol = nego->selected_protocol;
nego->transport->settings->negotiationFlags = nego->flags;
if(nego->selected_protocol == PROTOCOL_RDP)
{
nego->transport->settings->encryption = true;
nego->transport->settings->encryption_method = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
nego->transport->settings->encryption_level = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
}
return true;
}
void nego_process_negotiation_response(rdpNego* nego, wStream* s)
{
UINT16 length;
DEBUG_NEGO("RDP_NEG_RSP");
if (Stream_GetRemainingLength(s) < 7)
{
DEBUG_NEGO("RDP_INVALID_NEG_RSP");
nego->state = NEGO_STATE_FAIL;
return;
}
Stream_Read_UINT8(s, nego->flags);
Stream_Read_UINT16(s, length);
Stream_Read_UINT32(s, nego->selected_protocol);
nego->state = NEGO_STATE_FINAL;
}
void nego_attempt_nla(rdpNego* nego)
{
nego->requested_protocols = PROTOCOL_NLA | PROTOCOL_TLS;
DEBUG_NEGO("Attempting NLA security");
if (!nego_transport_connect(nego))
{
freerdp_log(nego->transport->settings->instance, "Error: connection failure\n");
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_send_negotiation_request(nego))
{
freerdp_log(nego->transport->settings->instance, "Error: NLA Negotiation failure\n");
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_recv_response(nego))
{
freerdp_log(nego->transport->settings->instance, "Error: NLA Negotiation failure\n");
nego->state = NEGO_STATE_FAIL;
return;
}
DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
if (nego->state != NEGO_STATE_FINAL)
{
nego_transport_disconnect(nego);
if (nego->enabled_protocols[PROTOCOL_TLS] > 0)
nego->state = NEGO_STATE_TLS;
else if (nego->enabled_protocols[PROTOCOL_RDP] > 0)
nego->state = NEGO_STATE_RDP;
else {
nego->state = NEGO_STATE_FAIL;
freerdp_log(nego->transport->settings->instance, "Error: NLA Negotiation failure\n");
}
}
}
void nego_send(rdpNego* nego)
{
if (nego->state == NEGO_STATE_NLA)
nego_attempt_nla(nego);
else if (nego->state == NEGO_STATE_TLS)
nego_attempt_tls(nego);
else if (nego->state == NEGO_STATE_RDP)
nego_attempt_rdp(nego);
else
DEBUG_NEGO("invalid negotiation state for sending");
}
BOOL nego_send_negotiation_request(rdpNego* nego)
{
STREAM* s;
int length;
BYTE *bm, *em;
int cookie_length;
s = transport_send_stream_init(nego->transport, 256);
length = TPDU_CONNECTION_REQUEST_LENGTH;
stream_get_mark(s, bm);
stream_seek(s, length);
if (nego->RoutingToken != NULL)
{
stream_write(s, nego->RoutingToken, nego->RoutingTokenLength);
length += nego->RoutingTokenLength;
}
else if (nego->cookie != NULL)
{
cookie_length = strlen(nego->cookie);
if (cookie_length > (int) nego->cookie_max_length)
cookie_length = nego->cookie_max_length;
stream_write(s, "Cookie: mstshash=", 17);
stream_write(s, (BYTE*) nego->cookie, cookie_length);
stream_write_BYTE(s, 0x0D); /* CR */
stream_write_BYTE(s, 0x0A); /* LF */
length += cookie_length + 19;
}
DEBUG_NEGO("requested_protocols: %d", nego->requested_protocols);
if (nego->requested_protocols > PROTOCOL_RDP)
{
/* RDP_NEG_DATA must be present for TLS and NLA */
stream_write_BYTE(s, TYPE_RDP_NEG_REQ);
stream_write_BYTE(s, 0); /* flags, must be set to zero */
stream_write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
stream_write_UINT32(s, nego->requested_protocols); /* requestedProtocols */
length += 8;
}
stream_get_mark(s, em);
stream_set_mark(s, bm);
tpkt_write_header(s, length);
tpdu_write_connection_request(s, length - 5);
stream_set_mark(s, em);
if (transport_write(nego->transport, s) < 0)
return FALSE;
return TRUE;
}
void nego_process_negotiation_response(rdpNego* nego, STREAM* s)
{
UINT16 length;
DEBUG_NEGO("RDP_NEG_RSP");
stream_read_BYTE(s, nego->flags);
stream_read_UINT16(s, length);
stream_read_UINT32(s, nego->selected_protocol);
nego->state = NEGO_STATE_FINAL;
}
void nego_attempt_ext(rdpNego* nego)
{
nego->requested_protocols = PROTOCOL_NLA | PROTOCOL_TLS | PROTOCOL_EXT;
DEBUG_NEGO("Attempting NLA extended security");
if (!nego_transport_connect(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_send_negotiation_request(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_recv_response(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
if (nego->state != NEGO_STATE_FINAL)
{
nego_transport_disconnect(nego);
if (nego->enabled_protocols[PROTOCOL_NLA])
nego->state = NEGO_STATE_NLA;
else if (nego->enabled_protocols[PROTOCOL_TLS])
nego->state = NEGO_STATE_TLS;
else if (nego->enabled_protocols[PROTOCOL_RDP])
nego->state = NEGO_STATE_RDP;
else
nego->state = NEGO_STATE_FAIL;
}
}
void nego_process_negotiation_request(rdpNego* nego, STREAM* s)
{
uint8 flags;
uint16 length;
DEBUG_NEGO("RDP_NEG_REQ");
stream_read_uint8(s, flags);
stream_read_uint16(s, length);
stream_read_uint32(s, nego->requested_protocols);
nego->state = NEGO_STATE_FINAL;
}
BOOL nego_send_preconnection_pdu(rdpNego* nego)
{
wStream* s;
UINT32 cbSize;
UINT16 cchPCB = 0;
WCHAR* wszPCB = NULL;
if (!nego->send_preconnection_pdu)
return TRUE;
DEBUG_NEGO("Sending preconnection PDU");
if (!nego_tcp_connect(nego))
return FALSE;
/* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
if (nego->preconnection_blob)
{
cchPCB = (UINT16) ConvertToUnicode(CP_UTF8, 0, nego->preconnection_blob, -1, &wszPCB, 0);
cchPCB += 1; /* zero-termination */
cbSize += cchPCB * 2;
}
s = Stream_New(NULL, cbSize);
Stream_Write_UINT32(s, cbSize); /* cbSize */
Stream_Write_UINT32(s, 0); /* Flags */
Stream_Write_UINT32(s, PRECONNECTION_PDU_V2); /* Version */
Stream_Write_UINT32(s, nego->preconnection_id); /* Id */
Stream_Write_UINT16(s, cchPCB); /* cchPCB */
if (wszPCB)
{
Stream_Write(s, wszPCB, cchPCB * 2); /* wszPCB */
free(wszPCB);
}
Stream_SealLength(s);
if (transport_write(nego->transport, s) < 0)
{
Stream_Free(s, TRUE);
return FALSE;
}
Stream_Free(s, TRUE);
return TRUE;
}
boolean nego_send_negotiation_request(rdpNego* nego)
{
STREAM* s;
int length;
uint8 *bm, *em;
s = transport_send_stream_init(nego->transport, 256);
length = TPDU_CONNECTION_REQUEST_LENGTH;
stream_get_mark(s, bm);
stream_seek(s, length);
if (nego->routing_token != NULL)
{
stream_write(s, nego->routing_token->data, nego->routing_token->length);
length += nego->routing_token->length;
}
else if (nego->cookie != NULL)
{
int cookie_length = strlen(nego->cookie);
stream_write(s, "Cookie: mstshash=", 17);
stream_write(s, (uint8*) nego->cookie, cookie_length);
stream_write_uint8(s, 0x0D); /* CR */
stream_write_uint8(s, 0x0A); /* LF */
length += cookie_length + 19;
}
DEBUG_NEGO("requested_protocols: %d", nego->requested_protocols);
if (nego->requested_protocols > PROTOCOL_RDP)
{
/* RDP_NEG_DATA must be present for TLS and NLA */
stream_write_uint8(s, TYPE_RDP_NEG_REQ);
stream_write_uint8(s, 0); /* flags, must be set to zero */
stream_write_uint16(s, 8); /* RDP_NEG_DATA length (8) */
stream_write_uint32(s, nego->requested_protocols); /* requestedProtocols */
length += 8;
}
stream_get_mark(s, em);
stream_set_mark(s, bm);
tpkt_write_header(s, length);
tpdu_write_connection_request(s, length - 5);
stream_set_mark(s, em);
if (transport_write(nego->transport, s) < 0)
return false;
return true;
}
boolean nego_send_preconnection_pdu(rdpNego* nego)
{
STREAM* s;
uint32 cbSize;
UNICONV* uniconv;
uint16 cchPCB_times2 = 0;
char* wszPCB = NULL;
if (!nego->send_preconnection_pdu)
return true;
DEBUG_NEGO("Sending preconnection PDU");
if (!nego_tcp_connect(nego))
return false;
/* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
if (nego->preconnection_blob)
{
size_t size;
uniconv = freerdp_uniconv_new();
wszPCB = freerdp_uniconv_out(uniconv, nego->preconnection_blob, &size);
cchPCB_times2 = (uint16) size;
freerdp_uniconv_free(uniconv);
cchPCB_times2 += 2; /* zero-termination */
cbSize += cchPCB_times2;
}
s = transport_send_stream_init(nego->transport, cbSize);
stream_write_uint32(s, cbSize); /* cbSize */
stream_write_uint32(s, 0); /* Flags */
stream_write_uint32(s, PRECONNECTION_PDU_V2); /* Version */
stream_write_uint32(s, nego->preconnection_id); /* Id */
stream_write_uint16(s, cchPCB_times2 / 2); /* cchPCB */
if (wszPCB)
{
stream_write(s, wszPCB, cchPCB_times2); /* wszPCB */
xfree(wszPCB);
}
if (transport_write(nego->transport, s) < 0)
return false;
return true;
}
BOOL nego_send_preconnection_pdu(rdpNego* nego)
{
STREAM* s;
UINT32 cbSize;
UINT16 cchPCB = 0;
WCHAR* wszPCB = NULL;
if (!nego->send_preconnection_pdu)
return TRUE;
DEBUG_NEGO("Sending preconnection PDU");
if (!nego_tcp_connect(nego))
return FALSE;
/* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
if (nego->preconnection_blob)
{
cchPCB = (UINT16) freerdp_AsciiToUnicodeAlloc(nego->preconnection_blob, &wszPCB, 0);
cchPCB += 1; /* zero-termination */
cbSize += cchPCB * 2;
}
s = transport_send_stream_init(nego->transport, cbSize);
stream_write_UINT32(s, cbSize); /* cbSize */
stream_write_UINT32(s, 0); /* Flags */
stream_write_UINT32(s, PRECONNECTION_PDU_V2); /* Version */
stream_write_UINT32(s, nego->preconnection_id); /* Id */
stream_write_UINT16(s, cchPCB); /* cchPCB */
if (wszPCB)
{
stream_write(s, wszPCB, cchPCB * 2); /* wszPCB */
free(wszPCB);
}
if (transport_write(nego->transport, s) < 0)
return FALSE;
return TRUE;
}
void nego_process_negotiation_failure(rdpNego* nego, wStream* s)
{
BYTE flags;
UINT16 length;
UINT32 failureCode;
DEBUG_NEGO("RDP_NEG_FAILURE");
Stream_Read_UINT8(s, flags);
Stream_Read_UINT16(s, length);
Stream_Read_UINT32(s, failureCode);
switch (failureCode)
{
case SSL_REQUIRED_BY_SERVER:
DEBUG_NEGO("Error: SSL_REQUIRED_BY_SERVER");
break;
case SSL_NOT_ALLOWED_BY_SERVER:
DEBUG_NEGO("Error: SSL_NOT_ALLOWED_BY_SERVER");
nego->sendNegoData = TRUE;
break;
case SSL_CERT_NOT_ON_SERVER:
DEBUG_NEGO("Error: SSL_CERT_NOT_ON_SERVER");
nego->sendNegoData = TRUE;
break;
case INCONSISTENT_FLAGS:
DEBUG_NEGO("Error: INCONSISTENT_FLAGS");
break;
case HYBRID_REQUIRED_BY_SERVER:
DEBUG_NEGO("Error: HYBRID_REQUIRED_BY_SERVER");
break;
default:
DEBUG_NEGO("Error: Unknown protocol security error %d", failureCode);
break;
}
nego->state = NEGO_STATE_FAIL;
}
void nego_attempt_rdp(rdpNego* nego)
{
nego->requested_protocols = PROTOCOL_RDP;
DEBUG_NEGO("Attempting RDP security");
if (!nego_tcp_connect(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_send_negotiation_request(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
if (!nego_recv_response(nego))
{
nego->state = NEGO_STATE_FAIL;
return;
}
}
void nego_process_negotiation_failure(rdpNego* nego, STREAM* s)
{
uint8 flags;
uint16 length;
uint32 failureCode;
DEBUG_NEGO("RDP_NEG_FAILURE");
stream_read_uint8(s, flags);
stream_read_uint16(s, length);
stream_read_uint32(s, failureCode);
switch (failureCode)
{
case SSL_REQUIRED_BY_SERVER:
DEBUG_NEGO("Error: SSL_REQUIRED_BY_SERVER");
break;
case SSL_NOT_ALLOWED_BY_SERVER:
DEBUG_NEGO("Error: SSL_NOT_ALLOWED_BY_SERVER");
break;
case SSL_CERT_NOT_ON_SERVER:
DEBUG_NEGO("Error: SSL_CERT_NOT_ON_SERVER");
break;
case INCONSISTENT_FLAGS:
DEBUG_NEGO("Error: INCONSISTENT_FLAGS");
break;
case HYBRID_REQUIRED_BY_SERVER:
DEBUG_NEGO("Error: HYBRID_REQUIRED_BY_SERVER");
break;
default:
DEBUG_NEGO("Error: Unknown protocol security error %d", failureCode);
break;
}
nego->state = NEGO_STATE_FAIL;
}
void nego_enable_rdp(rdpNego* nego, boolean enable_rdp)
{
DEBUG_NEGO("Enabling RDP security: %s", enable_rdp ? "true" : "false");
nego->enabled_protocols[PROTOCOL_RDP] = enable_rdp;
}
void nego_set_negotiation_enabled(rdpNego* nego, boolean security_layer_negotiation_enabled)
{
DEBUG_NEGO("Enabling security layer negotiation: %s", security_layer_negotiation_enabled ? "true" : "false");
nego->security_layer_negotiation_enabled = security_layer_negotiation_enabled;
}
void nego_enable_ext(rdpNego* nego, BOOL enable_ext)
{
DEBUG_NEGO("Enabling NLA extended security: %s", enable_ext ? "TRUE" : "FALSE");
nego->enabled_protocols[PROTOCOL_EXT] = enable_ext;
}
void nego_enable_nla(rdpNego* nego, BOOL enable_nla)
{
DEBUG_NEGO("Enabling NLA security: %s", enable_nla ? "TRUE" : "FALSE");
nego->enabled_protocols[PROTOCOL_NLA] = enable_nla;
}
/**
* Enable TLS security protocol.
* @param nego pointer to the negotiation structure
* @param enable_tls whether to enable TLS + RDP protocol (TRUE for enabled, FALSE for disabled)
*/
void nego_enable_tls(rdpNego* nego, BOOL enable_tls)
{
DEBUG_NEGO("Enabling TLS security: %s", enable_tls ? "TRUE" : "FALSE");
nego->enabled_protocols[PROTOCOL_TLS] = enable_tls;
}
void nego_enable_rdp(rdpNego* nego, BOOL enable_rdp)
{
DEBUG_NEGO("Enabling RDP security: %s", enable_rdp ? "TRUE" : "FALSE");
nego->enabled_protocols[PROTOCOL_RDP] = enable_rdp;
}
/**
* Enable TLS security protocol.
* @param nego pointer to the negotiation structure
* @param enable_tls whether to enable TLS + RDP protocol (true for enabled, false for disabled)
*/
void nego_enable_tls(rdpNego* nego, boolean enable_tls)
{
DEBUG_NEGO("Enabling TLS security: %s", enable_tls ? "true" : "false");
nego->enabled_protocols[PROTOCOL_TLS] = enable_tls;
}
BOOL nego_recv(rdpTransport* transport, STREAM* s, void* extra)
{
BYTE li;
BYTE type;
UINT16 length;
rdpNego* nego = (rdpNego*) extra;
length = tpkt_read_header(s);
if (length == 0)
return FALSE;
if(!tpdu_read_connection_confirm(s, &li))
return FALSE;
if (li > 6)
{
/* rdpNegData (optional) */
stream_read_BYTE(s, type); /* Type */
switch (type)
{
case TYPE_RDP_NEG_RSP:
nego_process_negotiation_response(nego, s);
DEBUG_NEGO("selected_protocol: %d", nego->selected_protocol);
/* enhanced security selected ? */
if (nego->selected_protocol)
{
if ((nego->selected_protocol == PROTOCOL_NLA) &&
(!nego->enabled_protocols[PROTOCOL_NLA]))
{
nego->state = NEGO_STATE_FAIL;
}
if ((nego->selected_protocol == PROTOCOL_TLS) &&
(!nego->enabled_protocols[PROTOCOL_TLS]))
{
nego->state = NEGO_STATE_FAIL;
}
}
else if (!nego->enabled_protocols[PROTOCOL_RDP])
{
nego->state = NEGO_STATE_FAIL;
}
break;
case TYPE_RDP_NEG_FAILURE:
nego_process_negotiation_failure(nego, s);
break;
}
}
else if (li == 6)
{
DEBUG_NEGO("no rdpNegData");
if (!nego->enabled_protocols[PROTOCOL_RDP])
nego->state = NEGO_STATE_FAIL;
else
nego->state = NEGO_STATE_FINAL;
}
else
{
printf("invalid negotiation response\n");
nego->state = NEGO_STATE_FAIL;
}
return TRUE;
}
BOOL nego_connect(rdpNego* nego)
{
if (nego->state == NEGO_STATE_INITIAL)
{
if (nego->enabled_protocols[PROTOCOL_EXT])
{
nego->state = NEGO_STATE_EXT;
}
else if (nego->enabled_protocols[PROTOCOL_NLA])
{
nego->state = NEGO_STATE_NLA;
}
else if (nego->enabled_protocols[PROTOCOL_TLS])
{
nego->state = NEGO_STATE_TLS;
}
else if (nego->enabled_protocols[PROTOCOL_RDP])
{
nego->state = NEGO_STATE_RDP;
}
else
{
DEBUG_NEGO("No security protocol is enabled");
nego->state = NEGO_STATE_FAIL;
}
if (!nego->NegotiateSecurityLayer_enabled)
{
DEBUG_NEGO("Security Layer Negotiation is disabled");
/* attempt only the highest enabled protocol (see nego_attempt_*) */
nego->enabled_protocols[PROTOCOL_NLA] = FALSE;
nego->enabled_protocols[PROTOCOL_TLS] = FALSE;
nego->enabled_protocols[PROTOCOL_RDP] = FALSE;
nego->enabled_protocols[PROTOCOL_EXT] = FALSE;
if (nego->state == NEGO_STATE_EXT)
{
nego->enabled_protocols[PROTOCOL_EXT] = TRUE;
nego->enabled_protocols[PROTOCOL_NLA] = TRUE;
nego->selected_protocol = PROTOCOL_EXT;
}
else if (nego->state == NEGO_STATE_NLA)
{
nego->enabled_protocols[PROTOCOL_NLA] = TRUE;
nego->selected_protocol = PROTOCOL_NLA;
}
else if (nego->state == NEGO_STATE_TLS)
{
nego->enabled_protocols[PROTOCOL_TLS] = TRUE;
nego->selected_protocol = PROTOCOL_TLS;
}
else if (nego->state == NEGO_STATE_RDP)
{
nego->enabled_protocols[PROTOCOL_RDP] = TRUE;
nego->selected_protocol = PROTOCOL_RDP;
}
}
if (!nego_send_preconnection_pdu(nego))
{
DEBUG_NEGO("Failed to send preconnection pdu");
nego->state = NEGO_STATE_FINAL;
return FALSE;
}
}
do
{
DEBUG_NEGO("state: %s", NEGO_STATE_STRINGS[nego->state]);
nego_send(nego);
if (nego->state == NEGO_STATE_FAIL)
{
DEBUG_NEGO("Protocol Security Negotiation Failure");
nego->state = NEGO_STATE_FINAL;
return FALSE;
}
}
while (nego->state != NEGO_STATE_FINAL);
DEBUG_NEGO("Negotiated %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
/* update settings with negotiated protocol security */
nego->transport->settings->RequestedProtocols = nego->requested_protocols;
nego->transport->settings->SelectedProtocol = nego->selected_protocol;
nego->transport->settings->NegotiationFlags = nego->flags;
if (nego->selected_protocol == PROTOCOL_RDP)
{
nego->transport->settings->DisableEncryption = TRUE;
nego->transport->settings->EncryptionMethods = ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS;
nego->transport->settings->EncryptionLevel = ENCRYPTION_LEVEL_CLIENT_COMPATIBLE;
}
/* finally connect security layer (if not already done) */
if (!nego_security_connect(nego))
{
DEBUG_NEGO("Failed to connect with %s security", PROTOCOL_SECURITY_STRINGS[nego->selected_protocol]);
return FALSE;
}
return TRUE;
}
void nego_enable_nla(rdpNego* nego, boolean enable_nla)
{
DEBUG_NEGO("Enabling NLA security: %s", enable_nla ? "true" : "false");
nego->enabled_protocols[PROTOCOL_NLA] = enable_nla;
}
void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer_enabled)
{
DEBUG_NEGO("Enabling security layer negotiation: %s", NegotiateSecurityLayer_enabled ? "TRUE" : "FALSE");
nego->NegotiateSecurityLayer_enabled = NegotiateSecurityLayer_enabled;
}
