From 32a1406dc4f64542eff4606b7aa51719b70bd12a Mon Sep 17 00:00:00 2001 From: bjcollins Date: Tue, 4 Aug 2015 16:52:44 -0500 Subject: [PATCH] Return FREERDP_ERROR_AUTHENTICATION_FAILED on an authentication failure when using NLA with xfreerdp. --- client/X11/xf_client.c | 7 +++++-- client/X11/xfreerdp.h | 1 + include/freerdp/freerdp.h | 2 ++ libfreerdp/core/connection.c | 13 ++++++++++--- libfreerdp/core/freerdp.c | 12 ++++++++++++ libfreerdp/core/transport.c | 29 +++++++++++++++++++++++++++++ libfreerdp/core/transport.h | 2 ++ 7 files changed, 61 insertions(+), 5 deletions(-) diff --git a/client/X11/xf_client.c b/client/X11/xf_client.c index a788ab2b1..31efca8b7 100644 --- a/client/X11/xf_client.c +++ b/client/X11/xf_client.c @@ -1530,7 +1530,10 @@ void* xf_client_thread(void* param) if (instance->settings->AuthenticationOnly || !status) { WLog_ERR(TAG, "Authentication only, exit status %d", !status); - exit_code = XF_EXIT_CONN_FAILED; + if (freerdp_get_nla_failure(instance)) + exit_code = XF_EXIT_NLA_AUTH_FAILURE; + else + exit_code = XF_EXIT_CONN_FAILED; goto disconnect; } @@ -1641,7 +1644,7 @@ disconnect: DWORD xf_exit_code_from_disconnect_reason(DWORD reason) { - if (reason == 0 || (reason >= XF_EXIT_PARSE_ARGUMENTS && reason <= XF_EXIT_CONN_FAILED)) + if (reason == 0 || (reason >= XF_EXIT_PARSE_ARGUMENTS && reason <= XF_EXIT_NLA_AUTH_FAILURE)) return reason; /* License error set */ else if (reason >= 0x100 && reason <= 0x10A) diff --git a/client/X11/xfreerdp.h b/client/X11/xfreerdp.h index 5e1bdfab1..ec02fd00b 100644 --- a/client/X11/xfreerdp.h +++ b/client/X11/xfreerdp.h @@ -268,6 +268,7 @@ enum XF_EXIT_CODE XF_EXIT_MEMORY = 129, XF_EXIT_PROTOCOL = 130, XF_EXIT_CONN_FAILED = 131, + XF_EXIT_NLA_AUTH_FAILURE = 132, XF_EXIT_UNKNOWN = 255, }; diff --git a/include/freerdp/freerdp.h b/include/freerdp/freerdp.h index d2db002fa..b4c42547a 100644 --- a/include/freerdp/freerdp.h +++ b/include/freerdp/freerdp.h @@ -293,6 +293,8 @@ FREERDP_API const char* getChannelErrorDescription(rdpContext* context); FREERDP_API void setChannelError(rdpContext* context, UINT errorNum, char* description); FREERDP_API BOOL checkChannelErrorEvent(rdpContext* context); +FREERDP_API BOOL freerdp_get_nla_failure(freerdp* instance); + #ifdef __cplusplus } #endif diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c index 295ed9907..c84e0a2e0 100644 --- a/libfreerdp/core/connection.c +++ b/libfreerdp/core/connection.c @@ -299,9 +299,16 @@ BOOL rdp_client_connect(rdpRdp* rdp) { if (rdp_check_fds(rdp) < 0) { - if (!freerdp_get_last_error(rdp->context)) - freerdp_set_last_error(rdp->context, FREERDP_ERROR_CONNECT_TRANSPORT_FAILED); - + if (rdp->transport->nlaFailure == TRUE) + { + if (!freerdp_get_last_error(rdp->context)) + freerdp_set_last_error(rdp->context, FREERDP_ERROR_AUTHENTICATION_FAILED); + } + else + { + if (!freerdp_get_last_error(rdp->context)) + freerdp_set_last_error(rdp->context, FREERDP_ERROR_CONNECT_TRANSPORT_FAILED); + } return FALSE; } } diff --git a/libfreerdp/core/freerdp.c b/libfreerdp/core/freerdp.c index cce07fe3b..00a37b332 100644 --- a/libfreerdp/core/freerdp.c +++ b/libfreerdp/core/freerdp.c @@ -815,3 +815,15 @@ FREERDP_API void setChannelError(rdpContext* context, UINT errorNum, char* descr strncpy(context->errorDescription, description, 499); SetEvent(context->channelErrorEvent); } + +BOOL freerdp_get_nla_failure(freerdp* instance) +{ + rdpRdp* rdp; + + rdp = instance->context->rdp; + + if (transport_get_nla_failure(rdp->transport)) + return TRUE; + + return FALSE; +} diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c index f20a5aa03..18b0b0d61 100644 --- a/libfreerdp/core/transport.c +++ b/libfreerdp/core/transport.c @@ -58,6 +58,17 @@ static void* transport_client_thread(void* arg); + +static void test_function(SSL* ssl, int where, int ret) +{ + rdpTransport *transport; + if ((where | SSL_CB_ALERT) && (ret == 561)) + { + transport = (rdpTransport *) SSL_get_app_data(ssl); + transport->nlaFailure = TRUE; + } +} + wStream* transport_send_stream_init(rdpTransport* transport, int size) { wStream* s; @@ -146,6 +157,9 @@ BOOL transport_connect_tls(rdpTransport* transport) transport->frontBio = tls->bio; + BIO_callback_ctrl(tls->bio, BIO_CTRL_SET_CALLBACK, (bio_info_cb*) test_function); + SSL_set_app_data(tls->ssl, transport); + if (!transport->frontBio) { WLog_ERR(TAG, "unable to prepend a filtering TLS bio"); @@ -186,6 +200,7 @@ BOOL transport_connect_nla(rdpTransport* transport) if (nla_client_begin(rdp->nla) < 0) { + transport->nlaFailure = TRUE; if (!freerdp_get_last_error(context)) freerdp_set_last_error(context, FREERDP_ERROR_AUTHENTICATION_FAILED); @@ -343,6 +358,7 @@ BOOL transport_accept_nla(rdpTransport* transport) if (nla_authenticate(transport->nla) < 0) { + transport->nlaFailure = TRUE; WLog_ERR(TAG, "client authentication failure"); transport_set_nla_mode(transport, FALSE); nla_free(transport->nla); @@ -989,6 +1005,7 @@ rdpTransport* transport_new(rdpContext* context) transport->blocking = TRUE; transport->GatewayEnabled = FALSE; transport->layer = TRANSPORT_LAYER_TCP; + transport->nlaFailure = FALSE; if (!InitializeCriticalSectionAndSpinCount(&(transport->ReadLock), 4000)) goto out_free_connectedEvent; @@ -1027,3 +1044,15 @@ void transport_free(rdpTransport* transport) free(transport); } + +BOOL transport_get_nla_failure(rdpTransport* transport) +{ + if (transport != NULL) + { + if (transport->nlaFailure == TRUE) + return TRUE; + } + + return FALSE; +} + diff --git a/libfreerdp/core/transport.h b/libfreerdp/core/transport.h index 1c6c9dcc0..43eabbee4 100644 --- a/libfreerdp/core/transport.h +++ b/libfreerdp/core/transport.h @@ -77,6 +77,7 @@ struct rdp_transport CRITICAL_SECTION ReadLock; CRITICAL_SECTION WriteLock; ULONG written; + BOOL nlaFailure; }; wStream* transport_send_stream_init(rdpTransport* transport, int size); @@ -109,5 +110,6 @@ int transport_receive_pool_return(rdpTransport* transport, wStream* pdu); rdpTransport* transport_new(rdpContext* context); void transport_free(rdpTransport* transport); +BOOL transport_get_nla_failure(rdpTransport* transport); #endif