Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2021/04/02 00:41:00 UTC

[jira] [Commented] (GUACAMOLE-1283) Legacy RDP encryption may fail with "ERRINFO_DECRYPT_FAILED"

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17313486#comment-17313486 ] 

Mike Jumper commented on GUACAMOLE-1283:
----------------------------------------

I've been looking into this and found the following FreeRDP issue:

https://github.com/FreeRDP/FreeRDP/issues/6156 ("Possible race in security_encrypt")

The nature of the issue is that legacy RDP encryption uses a key that rotates every 4096 packets, but a lack of synchronization around the parts of the library that might update that key can result in data being sent with the wrong key, causing connection failures.

Based on commit history and [the corresponding pull request|https://github.com/FreeRDP/FreeRDP/pull/6242], this was expected to be resolved with [commit d2c653b|https://github.com/FreeRDP/FreeRDP/commit/d2c653baf3b8eb2f737adc9f71ac0267418657a2], which is present from FreeRDP 2.1.2 onward.

BUT, I can confirm this behavior when connecting with RDP and with audio input enabled, even with a FreeRDP version later than 2.1.2. Adding locking around absolutely every place in Guacamole's RDP support that might result in FreeRDP sending further data over the network, the problem disappears, so it looks like additional locking is needed within FreeRDP if the intent is that the library is threadsafe.

Ideally, this should be fixed in the library, but the guaranteed solution is to add locking independently of FreeRDP. Given that most people will be using older versions of FreeRDP 2.x, I think this is something we need to work around, even if it will one day be fixed upstream.
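The failure mode described above, as an added example that is not code from Guacamole or FreeRDP: a sender whose key rotates every 4096 packets is driven from several goroutines (standing in for the display, clipboard and audio-input threads that can all cause FreeRDP to send), and the receiver, rotating on its own packet count, rejects any packet whose MAC does not verify under the key it expects, which is the situation the server reports as ERRINFO_DECRYPT_FAILED. The cipher (XOR with a hash-derived pad), the HMAC, the key-update step and the names `Sender`, `Receiver` and `Simulate` are constructed stand-ins for the Standard RDP Security mechanisms, not the MS-RDPBCGR algorithms. With `Locked` set, the whole check-rotate-encrypt-count step runs under one mutex and every packet verifies; without it, the outcome depends on scheduling, which is exactly why the bug is intermittent.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"sync"
)

// KeyRotationInterval mirrors the 4096-packet key update of legacy RDP security.
const KeyRotationInterval = 4096

// ErrDecryptFailed stands in for the server-side ERRINFO_DECRYPT_FAILED.
var ErrDecryptFailed = errors.New("decrypt failed: MAC mismatch (wrong session key)")

// Packet is a constructed stand-in for an encrypted PDU: its position in the
// stream (what TCP ordering gives the real protocol), ciphertext and a keyed MAC.
type Packet struct {
	Seq        int
	Ciphertext []byte
	MAC        []byte
}

// cryptoState is one direction's key state; sender and receiver each hold one.
type cryptoState struct {
	key      [32]byte
	useCount int
}

// rotateIfDue performs the toy key update once the key has been used 4096 times.
func (c *cryptoState) rotateIfDue() {
	if c.useCount >= KeyRotationInterval {
		c.key = sha256.Sum256(c.key[:]) // constructed derivation, not the RDP one
		c.useCount = 0
	}
}

// apply is a toy stream cipher (XOR with a key-derived pad); encrypt == decrypt.
func (c *cryptoState) apply(data []byte) []byte {
	pad := sha256.Sum256(append([]byte("pad:"), c.key[:]...))
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ pad[i%len(pad)]
	}
	return out
}

func (c *cryptoState) mac(data []byte) []byte {
	h := hmac.New(sha256.New, c.key[:])
	h.Write(data)
	return h.Sum(nil)
}

// Sender is the encrypting side. Locked decides whether the whole
// rotate+encrypt+count step is serialised by a mutex.
type Sender struct {
	mu     sync.Mutex
	Locked bool
	state  cryptoState
	sent   int
}

func (s *Sender) Encrypt(plain []byte) Packet {
	if s.Locked {
		s.mu.Lock()
		defer s.mu.Unlock()
	}
	s.state.rotateIfDue()
	ct := s.state.apply(plain)
	p := Packet{Seq: s.sent, Ciphertext: ct, MAC: s.state.mac(ct)}
	s.sent++
	s.state.useCount++
	return p
}

// Receiver is the decrypting side; it rotates on its own packet count and has
// no way to recover if the sender's count and key drift out of step.
type Receiver struct{ state cryptoState }

func (r *Receiver) Decrypt(p Packet) ([]byte, error) {
	r.state.rotateIfDue()
	r.state.useCount++
	if !hmac.Equal(p.MAC, r.state.mac(p.Ciphertext)) {
		return nil, ErrDecryptFailed
	}
	return r.state.apply(p.Ciphertext), nil
}

// Simulate drives one Sender from `workers` goroutines, delivers the packets in
// sequence order, and returns how many arrived and how many the receiver rejected.
func Simulate(workers, perWorker int, locked bool) (received, failures int) {
	key := sha256.Sum256([]byte("constructed-session-key"))
	s := &Sender{Locked: locked, state: cryptoState{key: key}}
	r := &Receiver{state: cryptoState{key: key}}
	packets := make(chan Packet, workers*perWorker)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				packets <- s.Encrypt([]byte(fmt.Sprintf("worker %d packet %d", id, i)))
			}
		}(w)
	}
	wg.Wait()
	close(packets)
	var ordered []Packet
	for p := range packets {
		ordered = append(ordered, p)
	}
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Seq < ordered[j].Seq })
	for _, p := range ordered {
		if _, err := r.Decrypt(p); err != nil {
			failures++
		}
		received++
	}
	return received, failures
}

func main() {
	n, f := Simulate(8, 2048, true)
	fmt.Printf("locked, 8 senders:   %d packets, %d rejected\n", n, f)
	n, f = Simulate(1, 5000, false)
	fmt.Printf("unlocked, 1 sender:  %d packets, %d rejected\n", n, f)
	n, f = Simulate(8, 2048, false)
	fmt.Printf("unlocked, 8 senders: %d packets, %d rejected (scheduling dependent)\n", n, f)
}
```

The single-sender unlocked run never fails, which matches the observation that the problem only appears once more than one thread (here, audio input alongside the main connection) can trigger sends; running the program with `go run -race` flags the unlocked multi-sender case as a data race on the counter and key even on an execution where no packet happened to be rejected.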

> Legacy RDP encryption may fail with "ERRINFO_DECRYPT_FAILED"
> ------------------------------------------------------------
>
>                 Key: GUACAMOLE-1283
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1283
>             Project: Guacamole
>          Issue Type: Bug
>          Components: RDP
>    Affects Versions: 1.2.0
>         Environment: guacd 1.2 running in Docker on RHEL 7 deployed in AWS
>            Reporter: Shaun Tarves
>            Assignee: Mike Jumper
>            Priority: Minor
>         Attachments: RemoteDesktop.txt, TerminalServices.txt
>
>
> We are experiencing semi-regular disconnects of the guacamole-server (guacd) while a user is interacting with a remote machine. Attached are the DEBUG-level logs, which we see every time we experience the disconnects. I'm not sure how to further debug this issue.
> {code}
> Feb  8 14:46:21 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:46:24 ip-172-16-10-253 journal: guacd[84]: DEBUG:#011Clipboard data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:46:41 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:47:13 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011ERRINFO_DECRYPT_FAILED (0x00001192):(a) Decryption using Standard RDP Security mechanisms (section 5.3.6) failed.
> Feb  8 14:47:22 ip-172-16-10-253 journal: (b) Session key creation using Standard RDP Security mechanisms (section 5.3.5) failed.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011BIO_read returned a system error 104: Connection reset by peer
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: ERROR:#011Connection closed.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Unloading device 0 (Remote Access Filesystem)
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011SVC "rdpdr" disconnected.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011SVC "rdpsnd" disconnected.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: INFO:#011Internal RDP client disconnected
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: INFO:#011User "@5dd34373-1e17-4091-9670-c00fc2d68684" disconnected (0 users remain)
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: INFO:#011Last user of connection "$60bea827-60a1-403b-84b8-3c7358f490ee" disconnected
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Requesting termination of client...
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Client terminated successfully.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[8]: INFO:#011Connection "$60bea827-60a1-403b-84b8-3c7358f490ee" removed.
> {code}
> Attached are the MS Event Logs for the `RemoteDesktop*` and `TerminalServices*` log sources.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)