Devolutions · irvingoujAtDevolution · May 15, 2025 · May 28, 2025 · May 26, 2025 · May 28, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/ironrdp-async/src/connector.rs b/crates/ironrdp-async/src/connector.rs
@@ -132,6 +132,7 @@ where
         server_name,
         server_public_key,
         kerberos_config,
+        connector.config.vmconnect.is_some(),
     )?;
 
     loop {

diff --git a/crates/ironrdp-blocking/src/connector.rs b/crates/ironrdp-blocking/src/connector.rs
@@ -137,6 +137,7 @@ where
         server_name,
         server_public_key,
         kerberos_config,
+        connector.config.vmconnect.is_some(),
     )?;
 
     loop {

diff --git a/crates/ironrdp-client/src/config.rs b/crates/ironrdp-client/src/config.rs
@@ -238,6 +238,10 @@ struct Args {
     /// The bitmap codecs to use (remotefx:on, ...)
     #[clap(long, value_parser, num_args = 1.., value_delimiter = ',')]
     codecs: Vec<String>,
+
+    /// The Virtual Machine ID for Hyper-V, used as Pre Connection Blob
+    #[clap(long)]
+    vmconnect: Option<String>,
 }
 
 impl Config {
@@ -253,21 +257,6 @@ impl Config {
                 .pipe(Destination::new)?
         };
 
-        let username = if let Some(username) = args.username {
-            username
-        } else {
-            inquire::Text::new("Username:").prompt().context("Username prompt")?
-        };
-
-        let password = if let Some(password) = args.password {
-            password
-        } else {
-            inquire::Password::new("Password:")
-                .without_confirmation()
-                .prompt()
-                .context("Password prompt")?
-        };
-
         let codecs: Vec<_> = args.codecs.iter().map(|s| s.as_str()).collect();
         let codecs = match client_codecs_capabilities(&codecs) {
             Ok(codecs) => codecs,
@@ -302,8 +291,24 @@ impl Config {
             args.clipboard_type
         };
 
+        let username = args.username.unwrap_or_else(|| {
+            inquire::Text::new("Username:")
+                .prompt()
+                .context("Username prompt")
+                .unwrap_or_else(|_| "Administrator".to_owned())
+        });
+
+        let password = args.password.unwrap_or_else(|| {
+            inquire::Password::new("Password:")
+                .prompt()
+                .context("Password prompt")
+                .unwrap_or_else(|_| "password".to_owned())
+        });
+
+        let credentials = Credentials::UsernamePassword { username, password };
+
         let connector = connector::Config {
-            credentials: Credentials::UsernamePassword { username, password },
+            credentials,
             domain: args.domain,
             enable_tls: !args.no_tls,
             enable_credssp: !args.no_credssp,
@@ -344,6 +349,7 @@ impl Config {
             request_data: None,
             pointer_software_rendering: true,
             performance_flags: PerformanceFlags::default(),
+            vmconnect: args.vmconnect,
         };
 
         let rdcleanpath = args

diff --git a/crates/ironrdp-client/src/rdp.rs b/crates/ironrdp-client/src/rdp.rs
@@ -148,7 +148,7 @@ async fn connect(
 
     let should_upgrade = ironrdp_tokio::connect_begin(&mut framed, &mut connector).await?;
 
-    debug!("TLS upgrade");
+    debug!(destination = ?config.destination,"TLS upgrade");
 
     // Ensure there is no leftover
     let (initial_stream, leftover_bytes) = framed.into_inner();
@@ -292,25 +292,30 @@ where
     {
         // RDCleanPath request
 
-        let connector::ClientConnectorState::ConnectionInitiationSendRequest = connector.state else {
-            return Err(connector::general_err!("invalid connector state (send request)"));
-        };
+        match connector.state {
+            connector::ClientConnectorState::ConnectionInitiationSendRequest { .. } => {
+                let written = connector.step_no_input(&mut buf)?;
+                let x224_pdu_len = written.size().expect("written size");
+                debug_assert_eq!(x224_pdu_len, buf.filled_len());
+                let x224_pdu = buf.filled().to_vec();
+
+                let rdcleanpath_req =
+                    ironrdp_rdcleanpath::RDCleanPathPdu::new_x224_request(x224_pdu, destination, proxy_auth_token)
+                        .map_err(|e| connector::custom_err!("new RDCleanPath request", e))?;
+                debug!(message = ?rdcleanpath_req, "Send RDCleanPath request");
+                let rdcleanpath_req = rdcleanpath_req
+                    .to_der()
+                    .map_err(|e| connector::custom_err!("RDCleanPath request encode", e))?;
+                rdcleanpath_req
+            }
+            connector::ClientConnectorState::PreconnectionBlob { .. } => {}
+            _ => {
+                return Err(connector::general_err!("invalid connector state (send request)"));
+            }
+        }
 
         debug_assert!(connector.next_pdu_hint().is_none());
 
-        let written = connector.step_no_input(&mut buf)?;
-        let x224_pdu_len = written.size().expect("written size");
-        debug_assert_eq!(x224_pdu_len, buf.filled_len());
-        let x224_pdu = buf.filled().to_vec();
-
-        let rdcleanpath_req =
-            ironrdp_rdcleanpath::RDCleanPathPdu::new_request(x224_pdu, destination, proxy_auth_token, pcb)
-                .map_err(|e| connector::custom_err!("new RDCleanPath request", e))?;
-        debug!(message = ?rdcleanpath_req, "Send RDCleanPath request");
-        let rdcleanpath_req = rdcleanpath_req
-            .to_der()
-            .map_err(|e| connector::custom_err!("RDCleanPath request encode", e))?;
-
         framed
             .write_all(&rdcleanpath_req)
             .await

diff --git a/crates/ironrdp-connector/src/connection.rs b/crates/ironrdp-connector/src/connection.rs
@@ -36,7 +36,10 @@ pub enum ClientConnectorState {
     #[default]
     Consumed,
 
-    ConnectionInitiationSendRequest,
+    PreconnectionBlob,
+    ConnectionInitiationSendRequest {
+        selected_protocol: Option<nego::SecurityProtocol>,
+    },
     ConnectionInitiationWaitConfirm {
         requested_protocol: nego::SecurityProtocol,
     },
@@ -88,7 +91,8 @@ impl State for ClientConnectorState {
     fn name(&self) -> &'static str {
         match self {
             Self::Consumed => "Consumed",
-            Self::ConnectionInitiationSendRequest => "ConnectionInitiationSendRequest",
+            Self::PreconnectionBlob => "PreconnectionBlob",
+            Self::ConnectionInitiationSendRequest { .. } => "ConnectionInitiationSendRequest",
             Self::ConnectionInitiationWaitConfirm { .. } => "ConnectionInitiationWaitResponse",
             Self::EnhancedSecurityUpgrade { .. } => "EnhancedSecurityUpgrade",
             Self::Credssp { .. } => "Credssp",
@@ -132,7 +136,7 @@ impl ClientConnector {
     pub fn new(config: Config, client_addr: SocketAddr) -> Self {
         Self {
             config,
-            state: ClientConnectorState::ConnectionInitiationSendRequest,
+            state: ClientConnectorState::PreconnectionBlob,
             client_addr,
             static_channels: StaticChannelSet::new(),
         }
@@ -180,7 +184,8 @@ impl Sequence for ClientConnector {
     fn next_pdu_hint(&self) -> Option<&dyn PduHint> {
         match &self.state {
             ClientConnectorState::Consumed => None,
-            ClientConnectorState::ConnectionInitiationSendRequest => None,
+            ClientConnectorState::PreconnectionBlob => None,
+            ClientConnectorState::ConnectionInitiationSendRequest { .. } => None,
             ClientConnectorState::ConnectionInitiationWaitConfirm { .. } => Some(&ironrdp_pdu::X224_HINT),
             ClientConnectorState::EnhancedSecurityUpgrade { .. } => None,
             ClientConnectorState::Credssp { .. } => None,
@@ -211,12 +216,86 @@ impl Sequence for ClientConnector {
             ClientConnectorState::Consumed => {
                 return Err(general_err!("connector sequence state is consumed (this is a bug)",))
             }
+            ClientConnectorState::PreconnectionBlob => 'state: {
+                let Some(connection_id) = self.config.vmconnect.as_ref() else {
+                    break 'state (
+                        Written::Nothing,
+                        ClientConnectorState::ConnectionInitiationSendRequest {
+                            selected_protocol: None,
+                        },
+                    );
+                };
+
+                let pcb = ironrdp_pdu::pcb::PreconnectionBlob {
+                    version: ironrdp_pdu::pcb::PcbVersion::V2,
+                    id: 0,
+                    // v2_payload: Some(connection_id.to_owned()),
+                    v2_payload: Some(format!("{connection_id};EnhancedMode=1").into()),
+                };
+
+                debug!(message = ?pcb, "Send");
+
+                let written = ironrdp_core::encode_buf(&pcb, output).map_err(ConnectorError::encode)?;
+
+                let mut security_protocol = nego::SecurityProtocol::empty();
+                if self.config.enable_tls {
+                    security_protocol.insert(nego::SecurityProtocol::SSL);
+                }
+
+                if self.config.enable_credssp {
+                    // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/902b090b-9cb3-4efc-92bf-ee13373371e3
+                    // The spec is stating that `PROTOCOL_SSL` "SHOULD" also be set when using `PROTOCOL_HYBRID`.
+                    // > PROTOCOL_HYBRID (0x00000002)
+                    // > Credential Security Support Provider protocol (CredSSP) (section 5.4.5.2).
+                    // > If this flag is set, then the PROTOCOL_SSL (0x00000001) flag SHOULD also be set
+                    // > because Transport Layer Security (TLS) is a subset of CredSSP.
+                    // However, crucially, it’s not strictly required (not "MUST").
+                    // In fact, we purposefully choose to not set `PROTOCOL_SSL` unless `enable_winlogon` is `true`.
+                    // This tells the server that we are not going to accept downgrading NLA to TLS security.
+                    security_protocol.insert(nego::SecurityProtocol::HYBRID | nego::SecurityProtocol::HYBRID_EX);
+                }
 
+                if security_protocol.is_standard_rdp_security() {
+                    return Err(reason_err!("Initiation", "standard RDP security is not supported",));
+                }
+
+                break 'state (
+                    Written::from_size(written)?,
+                    ClientConnectorState::EnhancedSecurityUpgrade {
+                        selected_protocol: security_protocol,
+                    },
+                );
+            }
             //== Connection Initiation ==//
             // Exchange supported security protocols and a few other connection flags.
-            ClientConnectorState::ConnectionInitiationSendRequest => {
+            ClientConnectorState::ConnectionInitiationSendRequest { selected_protocol } => 'state: {
                 debug!("Connection Initiation");
 
+                if self.config.vmconnect.is_some() {
+                    let selected_protocol = selected_protocol.ok_or(reason_err!(
+                        "Initiation",
+                        "VMConnect requires a selected protocol at ConnectionInitiationSendRequest state",
+                    ))?;
+
+                    let connection_request = nego::ConnectionRequest {
+                        nego_data: None,
+                        flags: nego::RequestFlags::empty(),
+                        protocol: selected_protocol,
+                    };
+
+                    debug!(message = ?connection_request, "Send");
+
+                    let written =
+                        ironrdp_core::encode_buf(&X224(connection_request), output).map_err(ConnectorError::encode)?;
+
+                    break 'state (
+                        Written::from_size(written)?,
+                        ClientConnectorState::ConnectionInitiationWaitConfirm {
+                            requested_protocol: selected_protocol,
+                        },
+                    );
+                }
+
                 let mut security_protocol = nego::SecurityProtocol::empty();
 
                 if self.config.enable_tls {
@@ -289,7 +368,10 @@ impl Sequence for ClientConnector {
 
                 (
                     Written::Nothing,
-                    ClientConnectorState::EnhancedSecurityUpgrade { selected_protocol },
+                    match self.config.vmconnect.is_some() {
+                        false => ClientConnectorState::EnhancedSecurityUpgrade { selected_protocol },
+                        true => ClientConnectorState::BasicSettingsExchangeSendInitial { selected_protocol },
+                    },
                 )
             }
 
@@ -311,10 +393,20 @@ impl Sequence for ClientConnector {
             }
 
             //== CredSSP ==//
-            ClientConnectorState::Credssp { selected_protocol } => (
-                Written::Nothing,
-                ClientConnectorState::BasicSettingsExchangeSendInitial { selected_protocol },
-            ),
+            ClientConnectorState::Credssp { selected_protocol } => 'state: {
+                if self.config.vmconnect.is_some() {
+                    break 'state (
+                        Written::Nothing,
+                        ClientConnectorState::ConnectionInitiationSendRequest {
+                            selected_protocol: Some(selected_protocol),
+                        },
+                    );
+                }
+                (
+                    Written::Nothing,
+                    ClientConnectorState::BasicSettingsExchangeSendInitial { selected_protocol },
+                )
+            }
 
             //== Basic Settings Exchange ==//
             // Exchange basic settings including Core Data, Security Data and Network Data.

diff --git a/crates/ironrdp-connector/src/lib.rs b/crates/ironrdp-connector/src/lib.rs
@@ -187,6 +187,8 @@ pub struct Config {
     pub no_server_pointer: bool,
     pub pointer_software_rendering: bool,
     pub performance_flags: PerformanceFlags,
+
+    pub vmconnect: Option<String>,
 }
 
 ironrdp_core::assert_impl!(Config: Send, Sync);

diff --git a/crates/ironrdp-core/src/cursor.rs b/crates/ironrdp-core/src/cursor.rs
@@ -578,6 +578,12 @@ impl<'a> WriteCursor<'a> {
         self.pos
     }
 
+    /// Returns the number of bytes written.
+    #[inline]
+    pub const fn bytes_written(&self) -> usize {
+        self.pos
+    }
+
     /// Write an array of bytes to the buffer.
     #[inline]
     #[track_caller]

diff --git a/crates/ironrdp-pdu/src/rdp/client_info.rs b/crates/ironrdp-pdu/src/rdp/client_info.rs
@@ -313,6 +313,9 @@ impl Encode for ExtendedClientOptionalInfo {
             dst.write_array(reconnect_cookie);
         }
 
+        dst.write_u16(0); // reserved1
+        dst.write_u16(0); // reserved2
+
         Ok(())
     }
 
@@ -336,6 +339,8 @@ impl Encode for ExtendedClientOptionalInfo {
             size += RECONNECT_COOKIE_LENGTH_SIZE + RECONNECT_COOKIE_LEN;
         }
 
+        size += 2 * 2; // reserved1 and reserved2
+
         size
     }
 }