Devolutions · irvingoujAtDevolution · Dec 22, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/ironrdp-async/Cargo.toml b/crates/ironrdp-async/Cargo.toml
@@ -17,6 +17,7 @@ test = false
 
 [dependencies]
 ironrdp-connector = { path = "../ironrdp-connector", version = "0.8" } # public
+ironrdp-vmconnect = { path = "../ironrdp-vmconnect", version = "0.1" } # public
 ironrdp-core = { path = "../ironrdp-core", version = "0.1", features = ["alloc"] } # public
 ironrdp-pdu = { path = "../ironrdp-pdu", version = "0.6" } # public
 tracing = { version = "0.1", features = ["log"] }

diff --git a/crates/ironrdp-async/src/connector.rs b/crates/ironrdp-async/src/connector.rs
@@ -1,9 +1,9 @@
-use ironrdp_connector::credssp::{CredsspProcessGenerator, CredsspSequence, KerberosConfig};
+use ironrdp_connector::credssp::{CredsspProcessGenerator, KerberosConfig};
 use ironrdp_connector::sspi::credssp::ClientState;
 use ironrdp_connector::sspi::generator::GeneratorState;
 use ironrdp_connector::{
-    general_err, ClientConnector, ClientConnectorState, ConnectionResult, ConnectorError, ConnectorResult, ServerName,
-    State as _,
+    custom_err, general_err, ClientConnector, ClientConnectorState, ConnectionResult, ConnectorCore, ConnectorError,
+    ConnectorResult, SecurityConnector, ServerName,
 };
 use ironrdp_core::WriteBuf;
 use tracing::{debug, info, instrument, trace};
@@ -15,7 +15,10 @@ use crate::{single_sequence_step, NetworkClient};
 pub struct ShouldUpgrade;
 
 #[instrument(skip_all)]
-pub async fn connect_begin<S>(framed: &mut Framed<S>, connector: &mut ClientConnector) -> ConnectorResult<ShouldUpgrade>
+pub async fn connect_begin<S>(
+    framed: &mut Framed<S>,
+    connector: &mut dyn ConnectorCore,
+) -> ConnectorResult<ShouldUpgrade>
 where
     S: Sync + FramedRead + FramedWrite,
 {
@@ -33,7 +36,7 @@ where
 /// # Panics
 ///
 /// Panics if connector state is not [ClientConnectorState::EnhancedSecurityUpgrade].
-pub fn skip_connect_begin(connector: &mut ClientConnector) -> ShouldUpgrade {
+pub fn skip_connect_begin(connector: &mut dyn SecurityConnector) -> ShouldUpgrade {
     assert!(connector.should_perform_security_upgrade());
     ShouldUpgrade
 }
@@ -42,22 +45,27 @@ pub fn skip_connect_begin(connector: &mut ClientConnector) -> ShouldUpgrade {
 pub struct Upgraded;
 
 #[instrument(skip_all)]
-pub fn mark_as_upgraded(_: ShouldUpgrade, connector: &mut ClientConnector) -> Upgraded {
+pub fn mark_as_upgraded(_: ShouldUpgrade, connector: &mut dyn SecurityConnector) -> Upgraded {
     trace!("Marked as upgraded");
     connector.mark_security_upgrade_as_done();
     Upgraded
 }
 
+#[non_exhaustive]
+pub struct CredSSPFinished {
+    pub(crate) write_buf: WriteBuf,
+}
+
 #[instrument(skip_all)]
-pub async fn connect_finalize<S, N>(
+pub async fn perform_credssp<S, N>(
     _: Upgraded,
-    mut connector: ClientConnector,
+    connector: &mut dyn ConnectorCore,
     framed: &mut Framed<S>,
-    network_client: &mut N,
     server_name: ServerName,
     server_public_key: Vec<u8>,
+    network_client: Option<&mut N>,
     kerberos_config: Option<KerberosConfig>,
-) -> ConnectorResult<ConnectionResult>
+) -> ConnectorResult<CredSSPFinished>
 where
     S: FramedRead + FramedWrite,
     N: NetworkClient,
@@ -66,7 +74,7 @@ where
 
     if connector.should_perform_credssp() {
         perform_credssp_step(
-            &mut connector,
+            connector,
             framed,
             network_client,
             &mut buf,
@@ -77,6 +85,19 @@ where
         .await?;
     }
 
+    Ok(CredSSPFinished { write_buf: buf })
+}
+
+#[instrument(skip_all)]
+pub async fn connect_finalize<S>(
+    CredSSPFinished { write_buf: mut buf }: CredSSPFinished,
+    framed: &mut Framed<S>,
+    mut connector: ClientConnector,
+) -> ConnectorResult<ConnectionResult>
+where
+    S: FramedRead + FramedWrite,
+{
+    buf.clear();
     let result = loop {
         single_sequence_step(framed, &mut connector, &mut buf).await?;
 
@@ -90,9 +111,9 @@ where
     Ok(result)
 }
 
-async fn resolve_generator(
+async fn resolve_generator<N: NetworkClient>(
     generator: &mut CredsspProcessGenerator<'_>,
-    network_client: &mut impl NetworkClient,
+    network_client: &mut N,
 ) -> ConnectorResult<ClientState> {
     let mut state = generator.start();
 
@@ -112,9 +133,9 @@ async fn resolve_generator(
 
 #[instrument(level = "trace", skip_all)]
 async fn perform_credssp_step<S, N>(
-    connector: &mut ClientConnector,
+    connector: &mut dyn ConnectorCore,
     framed: &mut Framed<S>,
-    network_client: &mut N,
+    mut network_client: Option<&mut N>,
     buf: &mut WriteBuf,
     server_name: ServerName,
     server_public_key: Vec<u8>,
@@ -126,14 +147,13 @@ where
 {
     assert!(connector.should_perform_credssp());
 
-    let selected_protocol = match connector.state {
-        ClientConnectorState::Credssp { selected_protocol, .. } => selected_protocol,
-        _ => return Err(general_err!("invalid connector state for CredSSP sequence")),
-    };
+    let selected_protocol = connector
+        .selected_protocol()
+        .ok_or_else(|| general_err!("CredSSP protocol not selected, cannot perform CredSSP step"))?;
 
-    let (mut sequence, mut ts_request) = CredsspSequence::init(
-        connector.config.credentials.clone(),
-        connector.config.domain.as_deref(),
+    let (mut sequence, mut ts_request) = connector.init_credssp(
+        connector.config().credentials.clone(),
+        connector.config().domain.as_deref(),
         selected_protocol,
         server_name,
         server_public_key,
@@ -143,8 +163,15 @@ where
     loop {
         let client_state = {
             let mut generator = sequence.process_ts_request(ts_request);
-            trace!("resolving network");
-            resolve_generator(&mut generator, network_client).await?
+
+            if let Some(network_client_ref) = network_client.as_deref_mut() {
+                trace!("resolving network");
+                resolve_generator(&mut generator, network_client_ref).await?
+            } else {
+                generator
+                    .resolve_to_result()
+                    .map_err(|e| custom_err!("resolve without network client", e))?
+            }
         }; // drop generator
 
         buf.clear();
@@ -164,7 +191,7 @@ where
         };
 
         debug!(
-            connector.state = connector.state.name(),
+            connector.state = connector.state().name(),
             hint = ?next_pdu_hint,
             "Wait for PDU"
         );

diff --git a/crates/ironrdp-async/src/lib.rs b/crates/ironrdp-async/src/lib.rs
@@ -8,13 +8,14 @@ pub use bytes;
 mod connector;
 mod framed;
 mod session;
+mod vmconnector;
 
 use ironrdp_connector::sspi::generator::NetworkRequest;
 use ironrdp_connector::ConnectorResult;
 
 pub use self::connector::*;
 pub use self::framed::*;
-// pub use self::session::*;
+pub use self::vmconnector::*;
 
 pub trait NetworkClient {
     fn send(&mut self, network_request: &NetworkRequest) -> impl Future<Output = ConnectorResult<Vec<u8>>>;

diff --git a/crates/ironrdp-async/src/vmconnector.rs b/crates/ironrdp-async/src/vmconnector.rs
@@ -0,0 +1,57 @@
+use ironrdp_connector::{ClientConnector, ConnectorResult};
+use ironrdp_pdu::pcb::PcbVersion;
+use ironrdp_vmconnect::VmClientConnector;
+use tracing::info;
+
+use crate::{single_sequence_step, CredSSPFinished, Framed, FramedRead, FramedWrite};
+
+#[non_exhaustive]
+pub struct PcbSent;
+
+pub async fn send_pcb<S>(framed: &mut Framed<S>, payload: String) -> ConnectorResult<PcbSent>
+where
+    S: Sync + FramedRead + FramedWrite,
+{
+    let pcb_pdu = ironrdp_pdu::pcb::PreconnectionBlob {
+        id: 0,
+        version: PcbVersion::V2,
+        v2_payload: Some(payload),
+    };
+
+    let buf = ironrdp_core::encode_vec(&pcb_pdu)
+        .map_err(|e| ironrdp_connector::custom_err!("encode PreconnectionBlob PDU", e))?;
+
+    framed
+        .write_all(&buf)
+        .await
+        .map_err(|e| ironrdp_connector::custom_err!("write PCB PDU", e))?;
+
+    Ok(PcbSent)
+}
+
+pub fn mark_pcb_sent_by_rdclean_path() -> PcbSent {
+    PcbSent
+}
+
+pub fn vm_connector_take_over(_: PcbSent, connector: ClientConnector) -> ConnectorResult<VmClientConnector> {
+    VmClientConnector::take_over(connector)
+}
+
+pub async fn run_until_handover(
+    credssp_finished: &mut CredSSPFinished,
+    framed: &mut Framed<impl FramedRead + FramedWrite>,
+    mut connector: VmClientConnector,
+) -> ConnectorResult<ClientConnector> {
+    let result = loop {
+        single_sequence_step(framed, &mut connector, &mut credssp_finished.write_buf).await?;
+
+        if connector.should_hand_over() {
+            break connector.hand_over()?;
+        }
+    };
+
+    info!("Handover to client connector");
+    credssp_finished.write_buf.clear();
+
+    Ok(result)
+}
diff --git a/crates/ironrdp-blocking/src/connector.rs b/crates/ironrdp-blocking/src/connector.rs
@@ -1,12 +1,12 @@
 use std::io::{Read, Write};
 
-use ironrdp_connector::credssp::{CredsspProcessGenerator, CredsspSequence, KerberosConfig};
+use ironrdp_connector::credssp::{CredsspProcessGenerator, KerberosConfig};
 use ironrdp_connector::sspi::credssp::ClientState;
 use ironrdp_connector::sspi::generator::GeneratorState;
 use ironrdp_connector::sspi::network_client::NetworkClient;
 use ironrdp_connector::{
-    general_err, ClientConnector, ClientConnectorState, ConnectionResult, ConnectorError, ConnectorResult,
-    Sequence as _, ServerName, State as _,
+    general_err, ClientConnector, ClientConnectorState, ConnectionResult, ConnectorCore, ConnectorError,
+    ConnectorResult, CredsspSequenceFactory as _, SecurityConnector, Sequence, ServerName,
 };
 use ironrdp_core::WriteBuf;
 use tracing::{debug, info, instrument, trace};
@@ -17,7 +17,7 @@ use crate::framed::Framed;
 pub struct ShouldUpgrade;
 
 #[instrument(skip_all)]
-pub fn connect_begin<S>(framed: &mut Framed<S>, connector: &mut ClientConnector) -> ConnectorResult<ShouldUpgrade>
+pub fn connect_begin<S>(framed: &mut Framed<S>, connector: &mut dyn ConnectorCore) -> ConnectorResult<ShouldUpgrade>
 where
     S: Sync + Read + Write,
 {
@@ -35,7 +35,7 @@ where
 /// # Panics
 ///
 /// Panics if connector state is not [ClientConnectorState::EnhancedSecurityUpgrade].
-pub fn skip_connect_begin(connector: &mut ClientConnector) -> ShouldUpgrade {
+pub fn skip_connect_begin(connector: &mut dyn SecurityConnector) -> ShouldUpgrade {
     assert!(connector.should_perform_security_upgrade());
     ShouldUpgrade
 }
@@ -44,7 +44,7 @@ pub fn skip_connect_begin(connector: &mut ClientConnector) -> ShouldUpgrade {
 pub struct Upgraded;
 
 #[instrument(skip_all)]
-pub fn mark_as_upgraded(_: ShouldUpgrade, connector: &mut ClientConnector) -> Upgraded {
+pub fn mark_as_upgraded(_: ShouldUpgrade, connector: &mut dyn SecurityConnector) -> Upgraded {
     trace!("Marked as upgraded");
     connector.mark_security_upgrade_as_done();
     Upgraded
@@ -131,14 +131,13 @@ where
 {
     assert!(connector.should_perform_credssp());
 
-    let selected_protocol = match connector.state {
-        ClientConnectorState::Credssp { selected_protocol, .. } => selected_protocol,
-        _ => return Err(general_err!("invalid connector state for CredSSP sequence")),
-    };
+    let selected_protocol = connector
+        .selected_protocol()
+        .ok_or_else(|| general_err!("CredSSP protocol not selected, cannot perform CredSSP step"))?;
 
-    let (mut sequence, mut ts_request) = CredsspSequence::init(
-        connector.config.credentials.clone(),
-        connector.config.domain.as_deref(),
+    let (mut sequence, mut ts_request) = connector.init_credssp(
+        connector.config().credentials.clone(),
+        connector.config().domain.as_deref(),
         selected_protocol,
         server_name,
         server_public_key,
@@ -167,7 +166,7 @@ where
         };
 
         debug!(
-            connector.state = connector.state.name(),
+            connector.state = connector.state().name(),
             hint = ?next_pdu_hint,
             "Wait for PDU"
         );
@@ -192,7 +191,7 @@ where
 
 pub fn single_sequence_step<S>(
     framed: &mut Framed<S>,
-    connector: &mut ClientConnector,
+    connector: &mut dyn Sequence,
     buf: &mut WriteBuf,
 ) -> ConnectorResult<()>
 where
@@ -202,7 +201,7 @@ where
 
     let written = if let Some(next_pdu_hint) = connector.next_pdu_hint() {
         debug!(
-            connector.state = connector.state.name(),
+            connector.state = connector.state().name(),
             hint = ?next_pdu_hint,
             "Wait for PDU"
         );

diff --git a/crates/ironrdp-client/Cargo.toml b/crates/ironrdp-client/Cargo.toml
@@ -55,6 +55,7 @@ ironrdp-dvc-pipe-proxy.path = "../ironrdp-dvc-pipe-proxy"
 ironrdp-propertyset.path = "../ironrdp-propertyset"
 ironrdp-rdpfile.path = "../ironrdp-rdpfile"
 ironrdp-cfg.path = "../ironrdp-cfg"
+ironrdp-vmconnect.path = "../ironrdp-vmconnect"
 
 # Windowing and rendering
 winit = { version = "0.30", features = ["rwh_06"] }