Return FREERDP_ERROR_AUTHENTICATION_FAILED on an authentication failure

when using NLA with xfreerdp.
2026-04-15 00:44:19 +09:00 · 2015-08-04 16:52:44 -05:00
parent 912cd96321
commit 32a1406dc4
7 changed files with 61 additions and 5 deletions
--- a/client/X11/xf_client.c
+++ b/client/X11/xf_client.c
@@ -1530,7 +1530,10 @@ void* xf_client_thread(void* param)
 	if (instance->settings->AuthenticationOnly || !status)
 	{
 		WLog_ERR(TAG, "Authentication only, exit status %d", !status);
-		exit_code = XF_EXIT_CONN_FAILED;
+		if (freerdp_get_nla_failure(instance))
+			exit_code = XF_EXIT_NLA_AUTH_FAILURE;
+		else
+			exit_code = XF_EXIT_CONN_FAILED;
 		goto disconnect;
 	}

@@ -1641,7 +1644,7 @@ disconnect:

 DWORD xf_exit_code_from_disconnect_reason(DWORD reason)
 {
-	if (reason == 0 || (reason >= XF_EXIT_PARSE_ARGUMENTS && reason <= XF_EXIT_CONN_FAILED))
+	if (reason == 0 || (reason >= XF_EXIT_PARSE_ARGUMENTS && reason <= XF_EXIT_NLA_AUTH_FAILURE))
 		return reason;
 	/* License error set */
 	else if (reason >= 0x100 && reason <= 0x10A)
--- a/client/X11/xfreerdp.h
+++ b/client/X11/xfreerdp.h
@@ -268,6 +268,7 @@ enum XF_EXIT_CODE
 	XF_EXIT_MEMORY = 129,
 	XF_EXIT_PROTOCOL = 130,
 	XF_EXIT_CONN_FAILED = 131,
+	XF_EXIT_NLA_AUTH_FAILURE = 132,

 	XF_EXIT_UNKNOWN = 255,
 };
--- a/include/freerdp/freerdp.h
+++ b/include/freerdp/freerdp.h
@@ -293,6 +293,8 @@ FREERDP_API const char* getChannelErrorDescription(rdpContext* context);
 FREERDP_API void setChannelError(rdpContext* context, UINT errorNum, char* description);
 FREERDP_API BOOL checkChannelErrorEvent(rdpContext* context);

+FREERDP_API BOOL freerdp_get_nla_failure(freerdp* instance);
+
 #ifdef __cplusplus
 }
 #endif
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -299,9 +299,16 @@ BOOL rdp_client_connect(rdpRdp* rdp)
 	{
 		if (rdp_check_fds(rdp) < 0)
 		{
-			if (!freerdp_get_last_error(rdp->context))
-				freerdp_set_last_error(rdp->context, FREERDP_ERROR_CONNECT_TRANSPORT_FAILED);
-
+			if (rdp->transport->nlaFailure == TRUE)
+			{
+				if (!freerdp_get_last_error(rdp->context))
+                                        freerdp_set_last_error(rdp->context, FREERDP_ERROR_AUTHENTICATION_FAILED);
+			}
+			else
+			{
+				if (!freerdp_get_last_error(rdp->context))
+					freerdp_set_last_error(rdp->context, FREERDP_ERROR_CONNECT_TRANSPORT_FAILED);
+			}
 			return FALSE;
 		}
 	}
--- a/libfreerdp/core/freerdp.c
+++ b/libfreerdp/core/freerdp.c
@@ -815,3 +815,15 @@ FREERDP_API void setChannelError(rdpContext* context, UINT errorNum, char* descr
 	strncpy(context->errorDescription, description, 499);
 	SetEvent(context->channelErrorEvent);
 }
+
+BOOL freerdp_get_nla_failure(freerdp* instance)
+{
+	rdpRdp* rdp;
+
+	rdp = instance->context->rdp;
+
+	if (transport_get_nla_failure(rdp->transport))
+		return TRUE;
+
+	return FALSE;
+}
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -58,6 +58,17 @@

 static void* transport_client_thread(void* arg);

+
+static void test_function(SSL* ssl, int where, int ret)
+{
+	rdpTransport *transport;
+	if ((where | SSL_CB_ALERT) && (ret == 561))
+	{
+		transport = (rdpTransport *) SSL_get_app_data(ssl);
+		transport->nlaFailure = TRUE;
+	}
+}
+
 wStream* transport_send_stream_init(rdpTransport* transport, int size)
 {
 	wStream* s;
@@ -146,6 +157,9 @@ BOOL transport_connect_tls(rdpTransport* transport)

 	transport->frontBio = tls->bio;

+	BIO_callback_ctrl(tls->bio, BIO_CTRL_SET_CALLBACK, (bio_info_cb*) test_function);
+	SSL_set_app_data(tls->ssl, transport);
+
 	if (!transport->frontBio)
 	{
 		WLog_ERR(TAG, "unable to prepend a filtering TLS bio");
@@ -186,6 +200,7 @@ BOOL transport_connect_nla(rdpTransport* transport)

 	if (nla_client_begin(rdp->nla) < 0)
 	{
+		transport->nlaFailure = TRUE;
 		if (!freerdp_get_last_error(context))
 			freerdp_set_last_error(context, FREERDP_ERROR_AUTHENTICATION_FAILED);

@@ -343,6 +358,7 @@ BOOL transport_accept_nla(rdpTransport* transport)

 	if (nla_authenticate(transport->nla) < 0)
 	{
+		transport->nlaFailure = TRUE;
 		WLog_ERR(TAG, "client authentication failure");
 		transport_set_nla_mode(transport, FALSE);
 		nla_free(transport->nla);
@@ -989,6 +1005,7 @@ rdpTransport* transport_new(rdpContext* context)
 	transport->blocking = TRUE;
 	transport->GatewayEnabled = FALSE;
 	transport->layer = TRANSPORT_LAYER_TCP;
+	transport->nlaFailure = FALSE;

 	if (!InitializeCriticalSectionAndSpinCount(&(transport->ReadLock), 4000))
 		goto out_free_connectedEvent;
@@ -1027,3 +1044,15 @@ void transport_free(rdpTransport* transport)

 	free(transport);
 }
+
+BOOL transport_get_nla_failure(rdpTransport* transport)
+{
+	if (transport != NULL)
+	{
+		if (transport->nlaFailure == TRUE)
+			return TRUE;
+	}
+
+	return FALSE;
+}
+
--- a/libfreerdp/core/transport.h
+++ b/libfreerdp/core/transport.h
@@ -77,6 +77,7 @@ struct rdp_transport
 	CRITICAL_SECTION ReadLock;
 	CRITICAL_SECTION WriteLock;
 	ULONG written;
+	BOOL nlaFailure;
 };

 wStream* transport_send_stream_init(rdpTransport* transport, int size);
@@ -109,5 +110,6 @@ int transport_receive_pool_return(rdpTransport* transport, wStream* pdu);

 rdpTransport* transport_new(rdpContext* context);
 void transport_free(rdpTransport* transport);
+BOOL transport_get_nla_failure(rdpTransport* transport);

 #endif