VirtualBox

source: vbox/trunk/src/VBox/RDP/client/secure.c@ 9176

Last change on this file since 9176 was 7826, checked in by vboxsync, 17 years ago

Export modified rdesktop version including USB support to OSE. It's GPL anyway.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 24.0 KB
Line 
1/* -*- c-basic-offset: 8 -*-
2 rdesktop: A Remote Desktop Protocol client.
3 Protocol services - RDP encryption and licensing
4 Copyright (C) Matthew Chapman 1999-2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19*/
20
21#include "rdesktop.h"
22
23#include <openssl/rc4.h>
24#include <openssl/md5.h>
25#include <openssl/sha.h>
26#include <openssl/bn.h>
27#include <openssl/x509v3.h>
28
29extern char g_hostname[16];
30extern int g_width;
31extern int g_height;
32extern unsigned int g_keylayout;
33extern int g_keyboard_type;
34extern int g_keyboard_subtype;
35extern int g_keyboard_functionkeys;
36extern BOOL g_encryption;
37extern BOOL g_licence_issued;
38extern BOOL g_use_rdp5;
39extern BOOL g_console_session;
40extern int g_server_depth;
41extern uint16 mcs_userid;
42extern VCHANNEL g_channels[];
43extern unsigned int g_num_channels;
44
45static int rc4_key_len;
46static RC4_KEY rc4_decrypt_key;
47static RC4_KEY rc4_encrypt_key;
48static RSA *server_public_key;
49static uint32 server_public_key_len;
50
51static uint8 sec_sign_key[16];
52static uint8 sec_decrypt_key[16];
53static uint8 sec_encrypt_key[16];
54static uint8 sec_decrypt_update_key[16];
55static uint8 sec_encrypt_update_key[16];
56static uint8 sec_crypted_random[SEC_MAX_MODULUS_SIZE];
57
58uint16 g_server_rdp_version = 0;
59
60/* These values must be available to reset state - Session Directory */
61static int sec_encrypt_use_count = 0;
62static int sec_decrypt_use_count = 0;
63
64/*
65 * I believe this is based on SSLv3 with the following differences:
66 * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields
67 * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other
68 * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC'
69 * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key)
70 * encryption/decryption keys updated every 4096 packets
71 * See http://wp.netscape.com/eng/ssl3/draft302.txt
72 */
73
74/*
75 * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2).
76 * Both SHA1 and MD5 algorithms are used.
77 */
78void
79sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt)
80{
81 uint8 shasig[20];
82 uint8 pad[4];
83 SHA_CTX sha;
84 MD5_CTX md5;
85 int i;
86
87 for (i = 0; i < 3; i++)
88 {
89 memset(pad, salt + i, i + 1);
90
91 SHA1_Init(&sha);
92 SHA1_Update(&sha, pad, i + 1);
93 SHA1_Update(&sha, in, 48);
94 SHA1_Update(&sha, salt1, 32);
95 SHA1_Update(&sha, salt2, 32);
96 SHA1_Final(shasig, &sha);
97
98 MD5_Init(&md5);
99 MD5_Update(&md5, in, 48);
100 MD5_Update(&md5, shasig, 20);
101 MD5_Final(&out[i * 16], &md5);
102 }
103}
104
105/*
106 * 16-byte transformation used to generate export keys (6.2.2).
107 */
108void
109sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2)
110{
111 MD5_CTX md5;
112
113 MD5_Init(&md5);
114 MD5_Update(&md5, in, 16);
115 MD5_Update(&md5, salt1, 32);
116 MD5_Update(&md5, salt2, 32);
117 MD5_Final(out, &md5);
118}
119
120/* Reduce key entropy from 64 to 40 bits */
121static void
122sec_make_40bit(uint8 * key)
123{
124 key[0] = 0xd1;
125 key[1] = 0x26;
126 key[2] = 0x9e;
127}
128
129/* Generate encryption keys given client and server randoms */
130static void
131sec_generate_keys(uint8 * client_random, uint8 * server_random, int rc4_key_size)
132{
133 uint8 pre_master_secret[48];
134 uint8 master_secret[48];
135 uint8 key_block[48];
136
137 /* Construct pre-master secret */
138 memcpy(pre_master_secret, client_random, 24);
139 memcpy(pre_master_secret + 24, server_random, 24);
140
141 /* Generate master secret and then key material */
142 sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A');
143 sec_hash_48(key_block, master_secret, client_random, server_random, 'X');
144
145 /* First 16 bytes of key material is MAC secret */
146 memcpy(sec_sign_key, key_block, 16);
147
148 /* Generate export keys from next two blocks of 16 bytes */
149 sec_hash_16(sec_decrypt_key, &key_block[16], client_random, server_random);
150 sec_hash_16(sec_encrypt_key, &key_block[32], client_random, server_random);
151
152 if (rc4_key_size == 1)
153 {
154 DEBUG(("40-bit encryption enabled\n"));
155 sec_make_40bit(sec_sign_key);
156 sec_make_40bit(sec_decrypt_key);
157 sec_make_40bit(sec_encrypt_key);
158 rc4_key_len = 8;
159 }
160 else
161 {
162 DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
163 rc4_key_len = 16;
164 }
165
166 /* Save initial RC4 keys as update keys */
167 memcpy(sec_decrypt_update_key, sec_decrypt_key, 16);
168 memcpy(sec_encrypt_update_key, sec_encrypt_key, 16);
169
170 /* Initialise RC4 state arrays */
171 RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
172 RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
173}
174
175static uint8 pad_54[40] = {
176 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
177 54, 54, 54,
178 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
179 54, 54, 54
180};
181
182static uint8 pad_92[48] = {
183 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
184 92, 92, 92, 92, 92, 92, 92,
185 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
186 92, 92, 92, 92, 92, 92, 92
187};
188
189/* Output a uint32 into a buffer (little-endian) */
190void
191buf_out_uint32(uint8 * buffer, uint32 value)
192{
193 buffer[0] = (value) & 0xff;
194 buffer[1] = (value >> 8) & 0xff;
195 buffer[2] = (value >> 16) & 0xff;
196 buffer[3] = (value >> 24) & 0xff;
197}
198
199/* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */
200void
201sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen)
202{
203 uint8 shasig[20];
204 uint8 md5sig[16];
205 uint8 lenhdr[4];
206 SHA_CTX sha;
207 MD5_CTX md5;
208
209 buf_out_uint32(lenhdr, datalen);
210
211 SHA1_Init(&sha);
212 SHA1_Update(&sha, session_key, keylen);
213 SHA1_Update(&sha, pad_54, 40);
214 SHA1_Update(&sha, lenhdr, 4);
215 SHA1_Update(&sha, data, datalen);
216 SHA1_Final(shasig, &sha);
217
218 MD5_Init(&md5);
219 MD5_Update(&md5, session_key, keylen);
220 MD5_Update(&md5, pad_92, 48);
221 MD5_Update(&md5, shasig, 20);
222 MD5_Final(md5sig, &md5);
223
224 memcpy(signature, md5sig, siglen);
225}
226
227/* Update an encryption key */
228static void
229sec_update(uint8 * key, uint8 * update_key)
230{
231 uint8 shasig[20];
232 SHA_CTX sha;
233 MD5_CTX md5;
234 RC4_KEY update;
235
236 SHA1_Init(&sha);
237 SHA1_Update(&sha, update_key, rc4_key_len);
238 SHA1_Update(&sha, pad_54, 40);
239 SHA1_Update(&sha, key, rc4_key_len);
240 SHA1_Final(shasig, &sha);
241
242 MD5_Init(&md5);
243 MD5_Update(&md5, update_key, rc4_key_len);
244 MD5_Update(&md5, pad_92, 48);
245 MD5_Update(&md5, shasig, 20);
246 MD5_Final(key, &md5);
247
248 RC4_set_key(&update, rc4_key_len, key);
249 RC4(&update, rc4_key_len, key, key);
250
251 if (rc4_key_len == 8)
252 sec_make_40bit(key);
253}
254
255/* Encrypt data using RC4 */
256static void
257sec_encrypt(uint8 * data, int length)
258{
259 if (sec_encrypt_use_count == 4096)
260 {
261 sec_update(sec_encrypt_key, sec_encrypt_update_key);
262 RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
263 sec_encrypt_use_count = 0;
264 }
265
266 RC4(&rc4_encrypt_key, length, data, data);
267 sec_encrypt_use_count++;
268}
269
270/* Decrypt data using RC4 */
271void
272sec_decrypt(uint8 * data, int length)
273{
274 if (sec_decrypt_use_count == 4096)
275 {
276 sec_update(sec_decrypt_key, sec_decrypt_update_key);
277 RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
278 sec_decrypt_use_count = 0;
279 }
280
281 RC4(&rc4_decrypt_key, length, data, data);
282 sec_decrypt_use_count++;
283}
284
285static void
286reverse(uint8 * p, int len)
287{
288 int i, j;
289 uint8 temp;
290
291 for (i = 0, j = len - 1; i < j; i++, j--)
292 {
293 temp = p[i];
294 p[i] = p[j];
295 p[j] = temp;
296 }
297}
298
299/* Perform an RSA public key encryption operation */
300static void
301sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus,
302 uint8 * exponent)
303{
304 BN_CTX *ctx;
305 BIGNUM mod, exp, x, y;
306 uint8 inr[SEC_MAX_MODULUS_SIZE];
307 int outlen;
308
309 reverse(modulus, modulus_size);
310 reverse(exponent, SEC_EXPONENT_SIZE);
311 memcpy(inr, in, len);
312 reverse(inr, len);
313
314 ctx = BN_CTX_new();
315 BN_init(&mod);
316 BN_init(&exp);
317 BN_init(&x);
318 BN_init(&y);
319
320 BN_bin2bn(modulus, modulus_size, &mod);
321 BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp);
322 BN_bin2bn(inr, len, &x);
323 BN_mod_exp(&y, &x, &exp, &mod, ctx);
324 outlen = BN_bn2bin(&y, out);
325 reverse(out, outlen);
326 if (outlen < modulus_size)
327 memset(out + outlen, 0, modulus_size - outlen);
328
329 BN_free(&y);
330 BN_clear_free(&x);
331 BN_free(&exp);
332 BN_free(&mod);
333 BN_CTX_free(ctx);
334}
335
336/* Initialise secure transport packet */
337STREAM
338sec_init(uint32 flags, int maxlen)
339{
340 int hdrlen;
341 STREAM s;
342
343 if (!g_licence_issued)
344 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4;
345 else
346 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0;
347 s = mcs_init(maxlen + hdrlen);
348 s_push_layer(s, sec_hdr, hdrlen);
349
350 return s;
351}
352
353/* Transmit secure transport packet over specified channel */
354void
355sec_send_to_channel(STREAM s, uint32 flags, uint16 channel)
356{
357 int datalen;
358
359 s_pop_layer(s, sec_hdr);
360 if (!g_licence_issued || (flags & SEC_ENCRYPT))
361 out_uint32_le(s, flags);
362
363 if (flags & SEC_ENCRYPT)
364 {
365 flags &= ~SEC_ENCRYPT;
366 datalen = s->end - s->p - 8;
367
368#if WITH_DEBUG
369 DEBUG(("Sending encrypted packet:\n"));
370 hexdump(s->p + 8, datalen);
371#endif
372
373 sec_sign(s->p, 8, sec_sign_key, rc4_key_len, s->p + 8, datalen);
374 sec_encrypt(s->p + 8, datalen);
375 }
376
377 mcs_send_to_channel(s, channel);
378}
379
380/* Transmit secure transport packet */
381
382void
383sec_send(STREAM s, uint32 flags)
384{
385 sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL);
386}
387
388
389/* Transfer the client random to the server */
390static void
391sec_establish_key(void)
392{
393 uint32 length = server_public_key_len + SEC_PADDING_SIZE;
394 uint32 flags = SEC_CLIENT_RANDOM;
395 STREAM s;
396
397 s = sec_init(flags, length + 4);
398
399 out_uint32_le(s, length);
400 out_uint8p(s, sec_crypted_random, server_public_key_len);
401 out_uint8s(s, SEC_PADDING_SIZE);
402
403 s_mark_end(s);
404 sec_send(s, flags);
405}
406
407/* Output connect initial data blob */
408static void
409sec_out_mcs_data(STREAM s)
410{
411 int hostlen = 2 * strlen(g_hostname);
412 int length = 158 + 76 + 12 + 4;
413 unsigned int i;
414
415 if (g_num_channels > 0)
416 length += g_num_channels * 12 + 8;
417
418 if (hostlen > 30)
419 hostlen = 30;
420
421 /* Generic Conference Control (T.124) ConferenceCreateRequest */
422 out_uint16_be(s, 5);
423 out_uint16_be(s, 0x14);
424 out_uint8(s, 0x7c);
425 out_uint16_be(s, 1);
426
427 out_uint16_be(s, (length | 0x8000)); /* remaining length */
428
429 out_uint16_be(s, 8); /* length? */
430 out_uint16_be(s, 16);
431 out_uint8(s, 0);
432 out_uint16_le(s, 0xc001);
433 out_uint8(s, 0);
434
435 out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */
436 out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */
437
438 /* Client information */
439 out_uint16_le(s, SEC_TAG_CLI_INFO);
440 out_uint16_le(s, 212); /* length */
441 out_uint16_le(s, g_use_rdp5 ? 4 : 1); /* RDP version. 1 == RDP4, 4 == RDP5. */
442 out_uint16_le(s, 8);
443 out_uint16_le(s, g_width);
444 out_uint16_le(s, g_height);
445 out_uint16_le(s, 0xca01);
446 out_uint16_le(s, 0xaa03);
447 out_uint32_le(s, g_keylayout);
448 out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */
449
450 /* Unicode name of client, padded to 32 bytes */
451 rdp_out_unistr(s, g_hostname, hostlen);
452 out_uint8s(s, 30 - hostlen);
453
454 /* See
455 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */
456 out_uint32_le(s, g_keyboard_type);
457 out_uint32_le(s, g_keyboard_subtype);
458 out_uint32_le(s, g_keyboard_functionkeys);
459 out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */
460 out_uint16_le(s, 0xca01); /* colour depth? */
461 out_uint16_le(s, 1);
462
463 out_uint32(s, 0);
464 out_uint8(s, g_server_depth);
465 out_uint16_le(s, 0x0700);
466 out_uint8(s, 0);
467 out_uint32_le(s, 1);
468 out_uint8s(s, 64); /* End of client info */
469
470 out_uint16_le(s, SEC_TAG_CLI_4);
471 out_uint16_le(s, 12);
472 out_uint32_le(s, g_console_session ? 0xb : 9);
473 out_uint32(s, 0);
474
475 /* Client encryption settings */
476 out_uint16_le(s, SEC_TAG_CLI_CRYPT);
477 out_uint16_le(s, 12); /* length */
478 out_uint32_le(s, g_encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */
479 out_uint32(s, 0); /* Unknown */
480
481 DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels));
482 if (g_num_channels > 0)
483 {
484 out_uint16_le(s, SEC_TAG_CLI_CHANNELS);
485 out_uint16_le(s, g_num_channels * 12 + 8); /* length */
486 out_uint32_le(s, g_num_channels); /* number of virtual channels */
487 for (i = 0; i < g_num_channels; i++)
488 {
489 DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name));
490 out_uint8a(s, g_channels[i].name, 8);
491 out_uint32_be(s, g_channels[i].flags);
492 }
493 }
494
495 s_mark_end(s);
496}
497
498/* Parse a public key structure */
499static BOOL
500sec_parse_public_key(STREAM s, uint8 ** modulus, uint8 ** exponent)
501{
502 uint32 magic, modulus_len;
503
504 in_uint32_le(s, magic);
505 if (magic != SEC_RSA_MAGIC)
506 {
507 error("RSA magic 0x%x\n", magic);
508 return False;
509 }
510
511 in_uint32_le(s, modulus_len);
512 modulus_len -= SEC_PADDING_SIZE;
513 if ((modulus_len < 64) || (modulus_len > SEC_MAX_MODULUS_SIZE))
514 {
515 error("Bad server public key size (%u bits)\n", modulus_len * 8);
516 return False;
517 }
518
519 in_uint8s(s, 8); /* modulus_bits, unknown */
520 in_uint8p(s, *exponent, SEC_EXPONENT_SIZE);
521 in_uint8p(s, *modulus, modulus_len);
522 in_uint8s(s, SEC_PADDING_SIZE);
523 server_public_key_len = modulus_len;
524
525 return s_check(s);
526}
527
528static BOOL
529sec_parse_x509_key(X509 * cert)
530{
531 EVP_PKEY *epk = NULL;
532 /* By some reason, Microsoft sets the OID of the Public RSA key to
533 the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
534
535 Kudos to Richard Levitte for the following (. intiutive .)
536 lines of code that resets the OID and let's us extract the key. */
537 if (OBJ_obj2nid(cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption)
538 {
539 DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
540 ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
541 cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
542 }
543 epk = X509_get_pubkey(cert);
544 if (NULL == epk)
545 {
546 error("Failed to extract public key from certificate\n");
547 return False;
548 }
549
550 server_public_key = RSAPublicKey_dup((RSA *) epk->pkey.ptr);
551 EVP_PKEY_free(epk);
552
553 server_public_key_len = RSA_size(server_public_key);
554 if ((server_public_key_len < 64) || (server_public_key_len > SEC_MAX_MODULUS_SIZE))
555 {
556 error("Bad server public key size (%u bits)\n", server_public_key_len * 8);
557 return False;
558 }
559
560 return True;
561}
562
563
564/* Parse a crypto information structure */
565static BOOL
566sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size,
567 uint8 ** server_random, uint8 ** modulus, uint8 ** exponent)
568{
569 uint32 crypt_level, random_len, rsa_info_len;
570 uint32 cacert_len, cert_len, flags;
571 X509 *cacert, *server_cert;
572 uint16 tag, length;
573 uint8 *next_tag, *end;
574
575 in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */
576 in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
577 if (crypt_level == 0) /* no encryption */
578 return False;
579 in_uint32_le(s, random_len);
580 in_uint32_le(s, rsa_info_len);
581
582 if (random_len != SEC_RANDOM_SIZE)
583 {
584 error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
585 return False;
586 }
587
588 in_uint8p(s, *server_random, random_len);
589
590 /* RSA info */
591 end = s->p + rsa_info_len;
592 if (end > s->end)
593 return False;
594
595 in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
596 if (flags & 1)
597 {
598 DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
599 in_uint8s(s, 8); /* unknown */
600
601 while (s->p < end)
602 {
603 in_uint16_le(s, tag);
604 in_uint16_le(s, length);
605
606 next_tag = s->p + length;
607
608 switch (tag)
609 {
610 case SEC_TAG_PUBKEY:
611 if (!sec_parse_public_key(s, modulus, exponent))
612 return False;
613 DEBUG_RDP5(("Got Public key, RDP4-style\n"));
614
615 break;
616
617 case SEC_TAG_KEYSIG:
618 /* Is this a Microsoft key that we just got? */
619 /* Care factor: zero! */
620 /* Actually, it would probably be a good idea to check if the public key is signed with this key, and then store this
621 key as a known key of the hostname. This would prevent some MITM-attacks. */
622 break;
623
624 default:
625 unimpl("crypt tag 0x%x\n", tag);
626 }
627
628 s->p = next_tag;
629 }
630 }
631 else
632 {
633 uint32 certcount;
634
635 DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
636 in_uint32_le(s, certcount); /* Number of certificates */
637
638 if (certcount < 2)
639 {
640 error("Server didn't send enough X509 certificates\n");
641 return False;
642 }
643
644 for (; certcount > 2; certcount--)
645 { /* ignore all the certificates between the root and the signing CA */
646 uint32 ignorelen;
647 X509 *ignorecert;
648
649 DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
650
651 in_uint32_le(s, ignorelen);
652 DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
653 ignorecert = d2i_X509(NULL, &(s->p), ignorelen);
654
655 if (ignorecert == NULL)
656 { /* XXX: error out? */
657 DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
658 }
659
660#ifdef WITH_DEBUG_RDP5
661 DEBUG_RDP5(("cert #%d (ignored):\n", certcount));
662 X509_print_fp(stdout, ignorecert);
663#endif
664 }
665
666 /* Do da funky X.509 stuffy
667
668 "How did I find out about this? I looked up and saw a
669 bright light and when I came to I had a scar on my forehead
670 and knew about X.500"
671 - Peter Gutman in a early version of
672 http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
673 */
674
675 in_uint32_le(s, cacert_len);
676 DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len));
677 cacert = d2i_X509(NULL, &(s->p), cacert_len);
678 /* Note: We don't need to move s->p here - d2i_X509 is
679 "kind" enough to do it for us */
680 if (NULL == cacert)
681 {
682 error("Couldn't load CA Certificate from server\n");
683 return False;
684 }
685
686 /* Currently, we don't use the CA Certificate.
687 FIXME:
688 *) Verify the server certificate (server_cert) with the
689 CA certificate.
690 *) Store the CA Certificate with the hostname of the
691 server we are connecting to as key, and compare it
692 when we connect the next time, in order to prevent
693 MITM-attacks.
694 */
695
696 X509_free(cacert);
697
698 in_uint32_le(s, cert_len);
699 DEBUG_RDP5(("Certificate length is %d\n", cert_len));
700 server_cert = d2i_X509(NULL, &(s->p), cert_len);
701 if (NULL == server_cert)
702 {
703 error("Couldn't load Certificate from server\n");
704 return False;
705 }
706
707 in_uint8s(s, 16); /* Padding */
708
709 /* Note: Verifying the server certificate must be done here,
710 before sec_parse_public_key since we'll have to apply
711 serious violence to the key after this */
712
713 if (!sec_parse_x509_key(server_cert))
714 {
715 DEBUG_RDP5(("Didn't parse X509 correctly\n"));
716 X509_free(server_cert);
717 return False;
718 }
719 X509_free(server_cert);
720 return True; /* There's some garbage here we don't care about */
721 }
722 return s_check_end(s);
723}
724
725/* Process crypto information blob */
726static void
727sec_process_crypt_info(STREAM s)
728{
729 uint8 *server_random, *modulus = NULL, *exponent = NULL;
730 uint8 client_random[SEC_RANDOM_SIZE];
731 uint32 rc4_key_size;
732
733 if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, &modulus, &exponent))
734 {
735 DEBUG(("Failed to parse crypt info\n"));
736 return;
737 }
738
739 DEBUG(("Generating client random\n"));
740 generate_random(client_random);
741
742 if (NULL != server_public_key)
743 { /* Which means we should use
744 RDP5-style encryption */
745 uint8 inr[SEC_MAX_MODULUS_SIZE];
746 uint32 padding_len = server_public_key_len - SEC_RANDOM_SIZE;
747
748 /* This is what the MS client do: */
749 memset(inr, 0, padding_len);
750 /* *ARIGL!* Plaintext attack, anyone?
751 I tried doing:
752 generate_random(inr);
753 ..but that generates connection errors now and then (yes,
754 "now and then". Something like 0 to 3 attempts needed before a
755 successful connection. Nice. Not!
756 */
757 memcpy(inr + padding_len, client_random, SEC_RANDOM_SIZE);
758 reverse(inr + padding_len, SEC_RANDOM_SIZE);
759
760 RSA_public_encrypt(server_public_key_len,
761 inr, sec_crypted_random, server_public_key, RSA_NO_PADDING);
762
763 reverse(sec_crypted_random, server_public_key_len);
764
765 RSA_free(server_public_key);
766 server_public_key = NULL;
767 }
768 else
769 { /* RDP4-style encryption */
770 sec_rsa_encrypt(sec_crypted_random,
771 client_random, SEC_RANDOM_SIZE, server_public_key_len, modulus,
772 exponent);
773 }
774 sec_generate_keys(client_random, server_random, rc4_key_size);
775}
776
777
778/* Process SRV_INFO, find RDP version supported by server */
779static void
780sec_process_srv_info(STREAM s)
781{
782 in_uint16_le(s, g_server_rdp_version);
783 DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version));
784 if (1 == g_server_rdp_version)
785 {
786 g_use_rdp5 = 0;
787 g_server_depth = 8;
788 }
789}
790
791
792/* Process connect response data blob */
793void
794sec_process_mcs_data(STREAM s)
795{
796 uint16 tag, length;
797 uint8 *next_tag;
798 uint8 len;
799
800 in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */
801 in_uint8(s, len);
802 if (len & 0x80)
803 in_uint8(s, len);
804
805 while (s->p < s->end)
806 {
807 in_uint16_le(s, tag);
808 in_uint16_le(s, length);
809
810 if (length <= 4)
811 return;
812
813 next_tag = s->p + length - 4;
814
815 switch (tag)
816 {
817 case SEC_TAG_SRV_INFO:
818 sec_process_srv_info(s);
819 break;
820
821 case SEC_TAG_SRV_CRYPT:
822 sec_process_crypt_info(s);
823 break;
824
825 case SEC_TAG_SRV_CHANNELS:
826 /* FIXME: We should parse this information and
827 use it to map RDP5 channels to MCS
828 channels */
829 break;
830
831 default:
832 unimpl("response tag 0x%x\n", tag);
833 }
834
835 s->p = next_tag;
836 }
837}
838
839/* Receive secure transport packet */
840STREAM
841sec_recv(uint8 * rdpver)
842{
843 uint32 sec_flags;
844 uint16 channel;
845 STREAM s;
846
847 while ((s = mcs_recv(&channel, rdpver)) != NULL)
848 {
849 if (rdpver != NULL)
850 {
851 if (*rdpver != 3)
852 {
853 if (*rdpver & 0x80)
854 {
855 in_uint8s(s, 8); /* signature */
856 sec_decrypt(s->p, s->end - s->p);
857 }
858 return s;
859 }
860 }
861 if (g_encryption || !g_licence_issued)
862 {
863 in_uint32_le(s, sec_flags);
864
865 if (sec_flags & SEC_ENCRYPT)
866 {
867 in_uint8s(s, 8); /* signature */
868 sec_decrypt(s->p, s->end - s->p);
869 }
870
871 if (sec_flags & SEC_LICENCE_NEG)
872 {
873 licence_process(s);
874 continue;
875 }
876
877 if (sec_flags & 0x0400) /* SEC_REDIRECT_ENCRYPT */
878 {
879 uint8 swapbyte;
880
881 in_uint8s(s, 8); /* signature */
882 sec_decrypt(s->p, s->end - s->p);
883
884 /* Check for a redirect packet, starts with 00 04 */
885 if (s->p[0] == 0 && s->p[1] == 4)
886 {
887 /* for some reason the PDU and the length seem to be swapped.
888 This isn't good, but we're going to do a byte for byte
889 swap. So the first foure value appear as: 00 04 XX YY,
890 where XX YY is the little endian length. We're going to
891 use 04 00 as the PDU type, so after our swap this will look
892 like: XX YY 04 00 */
893 swapbyte = s->p[0];
894 s->p[0] = s->p[2];
895 s->p[2] = swapbyte;
896
897 swapbyte = s->p[1];
898 s->p[1] = s->p[3];
899 s->p[3] = swapbyte;
900
901 swapbyte = s->p[2];
902 s->p[2] = s->p[3];
903 s->p[3] = swapbyte;
904 }
905#ifdef WITH_DEBUG
906 /* warning! this debug statement will show passwords in the clear! */
907 hexdump(s->p, s->end - s->p);
908#endif
909 }
910
911 }
912
913 if (channel != MCS_GLOBAL_CHANNEL)
914 {
915 channel_process(s, channel);
916 *rdpver = 0xff;
917 return s;
918 }
919
920 return s;
921 }
922
923 return NULL;
924}
925
926/* Establish a secure connection */
927BOOL
928sec_connect(char *server, char *username)
929{
930 struct stream mcs_data;
931
932 /* We exchange some RDP data during the MCS-Connect */
933 mcs_data.size = 512;
934 mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size);
935 sec_out_mcs_data(&mcs_data);
936
937 if (!mcs_connect(server, &mcs_data, username))
938 return False;
939
940 /* sec_process_mcs_data(&mcs_data); */
941 if (g_encryption)
942 sec_establish_key();
943 xfree(mcs_data.data);
944 return True;
945}
946
947/* Establish a secure connection */
948BOOL
949sec_reconnect(char *server)
950{
951 struct stream mcs_data;
952
953 /* We exchange some RDP data during the MCS-Connect */
954 mcs_data.size = 512;
955 mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size);
956 sec_out_mcs_data(&mcs_data);
957
958 if (!mcs_reconnect(server, &mcs_data))
959 return False;
960
961 /* sec_process_mcs_data(&mcs_data); */
962 if (g_encryption)
963 sec_establish_key();
964 xfree(mcs_data.data);
965 return True;
966}
967
968/* Disconnect a connection */
969void
970sec_disconnect(void)
971{
972 mcs_disconnect();
973}
974
975/* reset the state of the sec layer */
976void
977sec_reset_state(void)
978{
979 g_server_rdp_version = 0;
980 sec_encrypt_use_count = 0;
981 sec_decrypt_use_count = 0;
982 mcs_reset_state();
983}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette