vmconnect mode: support all security modes when used in Hyper-V environment

gpotter2 · gpotter2 · commit f0bae0050c15 · 2025-05-06T21:49:56.000+02:00
diff --git a/common/ms-rdpbcgr.h b/common/ms-rdpbcgr.h
@@ -35,7 +35,12 @@
 #define PROTOCOL_RDSTLS                0x00000004
 #define PROTOCOL_HYBRID_EX             0x00000008
 
-/* Negotiation packet flags (2.2.1.2.1) */
+/* Negotiation request packet flags (2.2.1.1.1) */
+#define RESTRICTED_ADMIN_MODE_REQUIRED          0x00000001
+#define REDIRECTED_AUTHENTICATION_MODE_REQUIRED 0x00000002
+#define CORRELATION_INFO_PRESENT                0x00000008
+
+/* Negotiation response packet flags (2.2.1.2.1) */
 #define EXTENDED_CLIENT_DATA_SUPPORTED            0x01
 #define DYNVC_GFX_PROTOCOL_SUPPORTED              0x02
 #define NEGRSP_RESERVED                           0x04
diff --git a/common/xrdp_client_info.h b/common/xrdp_client_info.h
@@ -181,6 +181,8 @@ struct xrdp_client_info
     int require_credentials; /* when true, credentials *must* be passed on cmd line */
 
     int security_layer; /* SECURITY_LAYER_* */
+    int vmconnect; /* Used when used from inside Hyper-V */
+
     int multimon; /* 0 = deny , 1 = allow */
     struct display_size_description display_sizes;
 
diff --git a/libxrdp/xrdp_iso.c b/libxrdp/xrdp_iso.c
@@ -116,6 +116,11 @@ xrdp_iso_negotiate_security(struct xrdp_iso *self)
     {
         security_type_mask = PROTOCOL_SSL;
     }
+    /* But VMConnect mode supports everything. */
+    if (client_info->vmconnect)
+    {
+        security_type_mask |= PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX;
+    }
 
     /* Logically 'and' this value with the mask requested by the client, and
      * see what's left */
@@ -124,8 +129,36 @@ xrdp_iso_negotiate_security(struct xrdp_iso *self)
         protostr);
     security_type_mask &= self->requestedProtocol;
 
+    /* In VMConnect mode, we support everything. */
+    if (client_info->vmconnect && (self->requestedProtocol > PROTOCOL_RDP))
+    {
+        if (security_type_mask & PROTOCOL_HYBRID_EX)
+        {
+            LOG(LOG_LEVEL_INFO, "Selected HYBRID_EX security");
+            self->selectedProtocol = PROTOCOL_HYBRID_EX;
+            got_protocol = 1;
+        }
+        else if (security_type_mask & PROTOCOL_HYBRID)
+        {
+            LOG(LOG_LEVEL_INFO, "Selected HYBRID security");
+            self->selectedProtocol = PROTOCOL_HYBRID;
+            got_protocol = 1;
+        }
+        else if (security_type_mask & PROTOCOL_SSL)
+        {
+            LOG(LOG_LEVEL_INFO, "Selected TLS security");
+            self->selectedProtocol = PROTOCOL_SSL;
+            got_protocol = 1;
+        }
+        else
+        {
+            /* Impossible */
+            LOG(LOG_LEVEL_ERROR, "Impossible case.");
+            rv = 1;
+        }
+    }
     /* Is there a match on SSL/TLS? */
-    if ((security_type_mask & PROTOCOL_SSL) != 0)
+    else if ((security_type_mask & PROTOCOL_SSL) != 0)
     {
         /* Can we do TLS? (basic check) */
         if (g_file_readable(client_info->certificate) &&
@@ -205,13 +238,20 @@ xrdp_iso_process_rdp_neg_req(struct xrdp_iso *self, struct stream *s)
     /* The type field has already been read to determine that this function
        should be called */
     in_uint8(s, flags); /* flags */
-    if (flags != 0x0 && flags != 0x8 && flags != 0x1)
+    if ((flags & 0x0000000b) != flags)
     {
         LOG(LOG_LEVEL_ERROR,
             "Unsupported [MS-RDPBCGR] RDP_NEG_REQ flags: 0x%2.2x", flags);
         return 1;
     }
 
+    /* If both flags are set, it means 'OR', so fail only if only the one is set. */
+    if ((flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED) && !(flags & RESTRICTED_ADMIN_MODE_REQUIRED))
+    {
+        LOG(LOG_LEVEL_ERROR, "[MS-RDPBCGR] RDP_NEG_REQ: RemoteGuard isn't supported !");
+        return 1;
+    }
+
     in_uint16_le(s, len); /* length */
     if (len != 8)
     {
@@ -374,9 +414,12 @@ xrdp_iso_send_cc(struct xrdp_iso *self)
     char *holdp;
     char *len_ptr;
     char *len_indicator_ptr;
+    char flags;
     int len;
     int len_indicator;
 
+    struct xrdp_client_info *client_info = &(self->mcs_layer->sec_layer->rdp_layer->client_info);
+
     make_stream(s);
     init_stream(s, 8192);
 
@@ -410,10 +453,17 @@ xrdp_iso_send_cc(struct xrdp_iso *self)
         }
         else
         {
+            flags = EXTENDED_CLIENT_DATA_SUPPORTED;
+
+            if (client_info->vmconnect)
+            {
+                /* NLA is handled by the host and not us. */
+                flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
+            }
+
             /* [MS-RDPBCGR] RDP_NEG_RSP */
             out_uint8(s, RDP_NEG_RSP);                    /* type*/
-            //TODO: hardcoded flags
-            out_uint8(s, EXTENDED_CLIENT_DATA_SUPPORTED); /* flags */
+            out_uint8(s, flags);                          /* flags */
             out_uint16_le(s, 8);                          /* length (must be 8) */
             out_uint32_le(s, self->selectedProtocol);     /* selectedProtocol */
             LOG_DEVEL(LOG_LEVEL_TRACE, "Adding structure [MS-RDPBCGR] RDP_NEG_RSP "
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
@@ -211,6 +211,10 @@ xrdp_rdp_read_config(const char *xrdp_ini, struct xrdp_client_info *client_info)
                 client_info->security_layer = SECURITY_LAYER_NEGOTIATE;
             }
         }
+        else if (g_strcasecmp(item, "vmconnect") == 0)
+        {
+            client_info->vmconnect = g_text2bool(value);
+        }
         else if (g_strcasecmp(item, "certificate") == 0)
         {
             g_memset(client_info->certificate, 0, sizeof(char) * 1024);
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
@@ -2252,7 +2252,11 @@ xrdp_sec_incoming(struct xrdp_sec *self)
     }
 
     /* initialize selected security layer */
-    if (iso->selectedProtocol > PROTOCOL_RDP)
+    if (self->rdp_layer->client_info.vmconnect && iso->selectedProtocol > PROTOCOL_RDP)
+    {
+        /* Security handled by host: do nothing. */
+    }
+    else if (iso->selectedProtocol > PROTOCOL_RDP)
     {
         /* init tls security */
 
diff --git a/xrdp/xrdp.ini.in b/xrdp/xrdp.ini.in
@@ -27,6 +27,10 @@ port=3389
 ; prefer use vsock://<cid>:<port> above
 use_vsock=false
 
+; if used inside a Hyper-V VM with vmconnect, turn this on to enable
+; wider protocol support.
+#vmconnect=true
+
 ; Unprivileged User name and group to run the xrdp daemon.
 ; It is HIGHLY RECOMMENDED you set these values. See the xrdp.ini(5)
 ; manpage for more information on setting and checking these.

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,10 @@ xrdp_rdp_read_config(const char xrdp_ini, struct xrdp_client_info client_info)`
`211`	`211`	`client_info->security_layer = SECURITY_LAYER_NEGOTIATE;`
`212`	`212`	`}`
`213`	`213`	`}`
	`214`	`+ else if (g_strcasecmp(item, "vmconnect") == 0)`
	`215`	`+ {`
	`216`	`+ client_info->vmconnect = g_text2bool(value);`
	`217`	`+ }`
`214`	`218`	`else if (g_strcasecmp(item, "certificate") == 0)`
`215`	`219`	`{`
`216`	`220`	`g_memset(client_info->certificate, 0, sizeof(char) * 1024);`
Original file line number	Diff line number	Diff line change
`@@ -2252,7 +2252,11 @@ xrdp_sec_incoming(struct xrdp_sec *self)`
`2252`	`2252`	`}`
`2253`	`2253`
`2254`	`2254`	`/* initialize selected security layer */`
`2255`		`- if (iso->selectedProtocol > PROTOCOL_RDP)`
	`2255`	`+ if (self->rdp_layer->client_info.vmconnect && iso->selectedProtocol > PROTOCOL_RDP)`
	`2256`	`+ {`
	`2257`	`+ /* Security handled by host: do nothing. */`
	`2258`	`+ }`
	`2259`	`+ else if (iso->selectedProtocol > PROTOCOL_RDP)`
`2256`	`2260`	`{`
`2257`	`2261`	`/* init tls security */`
`2258`	`2262`