1 /* -*- c-basic-offset: 8 -*-
2 rdesktop: A Remote Desktop Protocol client.
3 Protocol services - RDP encryption and licensing
4 Copyright (C) Matthew Chapman <matthewc.unsw.edu.au> 1999-2008
5 Copyright 2005-2011 Peter Astrand <astrand@cendio.se> for Cendio AB
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 ssl_sha1_info_create(void);
26 ssl_sha1_info_delete(void * sha1_info
);
28 ssl_sha1_clear(void * sha1_info
);
30 ssl_sha1_transform(void * sha1_info
, char * data
, int len
);
32 ssl_sha1_complete(void * sha1_info
, char * data
);
34 ssl_md5_info_create(void);
36 ssl_md5_info_delete(void * md5_info
);
38 ssl_md5_info_create(void);
40 ssl_md5_info_delete(void * md5_info
);
42 ssl_md5_clear(void * md5_info
);
44 ssl_md5_transform(void * md5_info
, char * data
, int len
);
46 ssl_md5_complete(void * md5_info
, char * data
);
48 ssl_rc4_info_create(void);
50 ssl_rc4_info_delete(void * rc4_info
);
52 ssl_rc4_set_key(void * rc4_info
, char * key
, int len
);
54 ssl_rc4_crypt(void * rc4_info
, char * in_data
, char * out_data
, int len
);
56 ssl_mod_exp(char* out
, int out_len
, char* in
, int in_len
,
57 char* mod
, int mod_len
, char* exp
, int exp_len
);
59 //ssl_sig_ok(char * exp, int exp_size, char * mod, int mod_len,
60 // char * sig, int sig_len);
62 extern char g_hostname
[16];
65 extern unsigned int g_keylayout
;
66 extern int g_keyboard_type
;
67 extern int g_keyboard_subtype
;
68 extern int g_keyboard_functionkeys
;
69 extern RD_BOOL g_encryption
;
70 extern RD_BOOL g_licence_issued
;
71 extern RD_BOOL g_licence_error_result
;
72 extern RDP_VERSION g_rdp_version
;
73 extern RD_BOOL g_console_session
;
74 extern uint32 g_redirect_session_id
;
75 extern int g_server_depth
;
76 extern VCHANNEL g_channels
[];
77 extern unsigned int g_num_channels
;
78 extern uint8 g_client_random
[SEC_RANDOM_SIZE
];
80 static int g_rc4_key_len
;
81 static void * g_rc4_decrypt_key
;
82 static void * g_rc4_encrypt_key
;
83 static uint32 g_server_public_key_len
;
85 static uint8 g_sec_sign_key
[16];
86 static uint8 g_sec_decrypt_key
[16];
87 static uint8 g_sec_encrypt_key
[16];
88 static uint8 g_sec_decrypt_update_key
[16];
89 static uint8 g_sec_encrypt_update_key
[16];
90 static uint8 g_sec_crypted_random
[SEC_MAX_MODULUS_SIZE
];
92 uint16 g_server_rdp_version
= 0;
94 /* These values must be available to reset state - Session Directory */
95 static int g_sec_encrypt_use_count
= 0;
96 static int g_sec_decrypt_use_count
= 0;
98 #define SEC_MODULUS_SIZE 64
100 static uint8 g_ppk_n
[72] =
102 0x3D, 0x3A, 0x5E, 0xBD, 0x72, 0x43, 0x3E, 0xC9,
103 0x4D, 0xBB, 0xC1, 0x1E, 0x4A, 0xBA, 0x5F, 0xCB,
104 0x3E, 0x88, 0x20, 0x87, 0xEF, 0xF5, 0xC1, 0xE2,
105 0xD7, 0xB7, 0x6B, 0x9A, 0xF2, 0x52, 0x45, 0x95,
106 0xCE, 0x63, 0x65, 0x6B, 0x58, 0x3A, 0xFE, 0xEF,
107 0x7C, 0xE7, 0xBF, 0xFE, 0x3D, 0xF6, 0x5C, 0x7D,
108 0x6C, 0x5E, 0x06, 0x09, 0x1A, 0xF5, 0x61, 0xBB,
109 0x20, 0x93, 0x09, 0x5F, 0x05, 0x6D, 0xEA, 0x87,
110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
113 static uint8 g_ppk_d
[108] =
115 0x87, 0xA7, 0x19, 0x32, 0xDA, 0x11, 0x87, 0x55,
116 0x58, 0x00, 0x16, 0x16, 0x25, 0x65, 0x68, 0xF8,
117 0x24, 0x3E, 0xE6, 0xFA, 0xE9, 0x67, 0x49, 0x94,
118 0xCF, 0x92, 0xCC, 0x33, 0x99, 0xE8, 0x08, 0x60,
119 0x17, 0x9A, 0x12, 0x9F, 0x24, 0xDD, 0xB1, 0x24,
120 0x99, 0xC7, 0x3A, 0xB8, 0x0A, 0x7B, 0x0D, 0xDD,
121 0x35, 0x07, 0x79, 0x17, 0x0B, 0x51, 0x9B, 0xB3,
122 0xC7, 0x10, 0x01, 0x13, 0xE7, 0x3F, 0xF3, 0x5F,
123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
124 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
125 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
128 0x00, 0x00, 0x00, 0x00
131 static uint8 g_testkey
[176] =
133 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
134 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x5c, 0x00,
135 0x52, 0x53, 0x41, 0x31, 0x48, 0x00, 0x00, 0x00,
136 0x00, 0x02, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00,
137 0x01, 0x00, 0x01, 0x00, 0x79, 0x6f, 0xb4, 0xdf,
138 0xa6, 0x95, 0xb9, 0xa9, 0x61, 0xe3, 0xc4, 0x5e,
139 0xff, 0x6b, 0xd8, 0x81, 0x8a, 0x12, 0x4a, 0x93,
140 0x42, 0x97, 0x18, 0x93, 0xac, 0xd1, 0x3a, 0x38,
141 0x3c, 0x68, 0x50, 0x19, 0x31, 0xb6, 0x84, 0x51,
142 0x79, 0xfb, 0x1c, 0xe7, 0xe3, 0x99, 0x20, 0xc7,
143 0x84, 0xdf, 0xd1, 0xaa, 0xb5, 0x15, 0xef, 0x47,
144 0x7e, 0xfc, 0x88, 0xeb, 0x29, 0xc3, 0x27, 0x5a,
145 0x35, 0xf8, 0xfd, 0xaa, 0x00, 0x00, 0x00, 0x00,
146 0x00, 0x00, 0x00, 0x00,
147 0x08, 0x00, 0x48, 0x00,
148 0x32, 0x3b, 0xde, 0x6f, 0x18, 0x97, 0x1e, 0xc3,
149 0x6b, 0x2b, 0x2d, 0xe4, 0xfc, 0x2d, 0xa2, 0x8e,
150 0x32, 0x3c, 0xf3, 0x1b, 0x24, 0x90, 0x57, 0x4d,
151 0x8e, 0xe4, 0x69, 0xfc, 0x16, 0x8d, 0x41, 0x92,
152 0x78, 0xc7, 0x9c, 0xb4, 0x26, 0xff, 0xe8, 0x3e,
153 0xa1, 0x8a, 0xf5, 0x57, 0xc0, 0x7f, 0x3e, 0x21,
154 0x17, 0x32, 0x30, 0x6f, 0x79, 0xe1, 0x36, 0xcd,
155 0xb6, 0x8e, 0xbe, 0x57, 0x57, 0xd2, 0xa9, 0x36
159 * I believe this is based on SSLv3 with the following differences:
160 * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields
161 * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other
162 * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC'
163 * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key)
164 * encryption/decryption keys updated every 4096 packets
165 * See http://wp.netscape.com/eng/ssl3/draft302.txt
169 * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2).
170 * Both SHA1 and MD5 algorithms are used.
173 sec_hash_48(uint8
* out
, uint8
* in
, uint8
* salt1
, uint8
* salt2
, uint8 salt
)
181 for (i
= 0; i
< 3; i
++)
183 memset(pad
, salt
+ i
, i
+ 1);
184 sha
= ssl_sha1_info_create();
186 ssl_sha1_transform(sha
, (char *)pad
, i
+ 1);
187 ssl_sha1_transform(sha
, (char *)in
, 48);
188 ssl_sha1_transform(sha
, (char *)salt1
, 32);
189 ssl_sha1_transform(sha
, (char *)salt2
, 32);
190 ssl_sha1_complete(sha
, (char *)shasig
);
191 ssl_sha1_info_delete(sha
);
192 md5
= ssl_md5_info_create();
194 ssl_md5_transform(md5
, (char *)in
, 48);
195 ssl_md5_transform(md5
, (char *)shasig
, 20);
196 ssl_md5_complete(md5
, (char *)out
+ i
* 16);
197 ssl_md5_info_delete(md5
);
202 * 16-byte transformation used to generate export keys (6.2.2).
205 sec_hash_16(uint8
* out
, uint8
* in
, uint8
* salt1
, uint8
* salt2
)
209 md5
= ssl_md5_info_create();
211 ssl_md5_transform(md5
, (char *)in
, 16);
212 ssl_md5_transform(md5
, (char *)salt1
, 32);
213 ssl_md5_transform(md5
, (char *)salt2
, 32);
214 ssl_md5_complete(md5
, (char *)out
);
215 ssl_md5_info_delete(md5
);
222 sec_hash_sha1_16(uint8
* out
, uint8
* in
, uint8
* salt1
)
225 sha
= ssl_sha1_info_create();
227 ssl_sha1_transform(&sha
, (char *)in
, 16);
228 ssl_sha1_transform(&sha
, (char *)salt1
, 16);
229 ssl_sha1_complete(&sha
, (char *)out
);
230 ssl_sha1_info_delete(sha
);
233 /* create string from hash */
235 sec_hash_to_string(char *out
, int out_size
, uint8
* in
, int in_size
)
238 memset(out
, 0, out_size
);
239 for (k
= 0; k
< in_size
; k
++, out
+= 2)
241 sprintf(out
, "%.2x", in
[k
]);
245 /* Reduce key entropy from 64 to 40 bits */
247 sec_make_40bit(uint8
* key
)
254 /* Generate encryption keys given client and server randoms */
256 sec_generate_keys(uint8
* client_random
, uint8
* server_random
, int rc4_key_size
)
258 uint8 pre_master_secret
[48];
259 uint8 master_secret
[48];
262 /* Construct pre-master secret */
263 memcpy(pre_master_secret
, client_random
, 24);
264 memcpy(pre_master_secret
+ 24, server_random
, 24);
266 /* Generate master secret and then key material */
267 sec_hash_48(master_secret
, pre_master_secret
, client_random
, server_random
, 'A');
268 sec_hash_48(key_block
, master_secret
, client_random
, server_random
, 'X');
270 /* First 16 bytes of key material is MAC secret */
271 memcpy(g_sec_sign_key
, key_block
, 16);
273 /* Generate export keys from next two blocks of 16 bytes */
274 sec_hash_16(g_sec_decrypt_key
, &key_block
[16], client_random
, server_random
);
275 sec_hash_16(g_sec_encrypt_key
, &key_block
[32], client_random
, server_random
);
277 if (rc4_key_size
== 1)
279 DEBUG(("40-bit encryption enabled\n"));
280 sec_make_40bit(g_sec_sign_key
);
281 sec_make_40bit(g_sec_decrypt_key
);
282 sec_make_40bit(g_sec_encrypt_key
);
287 DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size
));
291 /* Save initial RC4 keys as update keys */
292 memcpy(g_sec_decrypt_update_key
, g_sec_decrypt_key
, 16);
293 memcpy(g_sec_encrypt_update_key
, g_sec_encrypt_key
, 16);
295 /* Initialise RC4 state arrays */
297 ssl_rc4_info_delete(g_rc4_decrypt_key
);
298 g_rc4_decrypt_key
= ssl_rc4_info_create();
299 ssl_rc4_set_key(g_rc4_decrypt_key
, (char *)g_sec_decrypt_key
, g_rc4_key_len
);
301 ssl_rc4_info_delete(g_rc4_encrypt_key
);
302 g_rc4_encrypt_key
= ssl_rc4_info_create();
303 ssl_rc4_set_key(g_rc4_encrypt_key
, (char *)g_sec_encrypt_key
, g_rc4_key_len
);
306 static uint8 pad_54
[40] = {
307 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
309 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
313 static uint8 pad_92
[48] = {
314 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
315 92, 92, 92, 92, 92, 92, 92,
316 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
317 92, 92, 92, 92, 92, 92, 92
320 /* Output a uint32 into a buffer (little-endian) */
322 buf_out_uint32(uint8
* buffer
, uint32 value
)
324 buffer
[0] = (value
) & 0xff;
325 buffer
[1] = (value
>> 8) & 0xff;
326 buffer
[2] = (value
>> 16) & 0xff;
327 buffer
[3] = (value
>> 24) & 0xff;
330 /* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */
332 sec_sign(uint8
* signature
, int siglen
, uint8
* session_key
, int keylen
, uint8
* data
, int datalen
)
340 buf_out_uint32(lenhdr
, datalen
);
342 sha
= ssl_sha1_info_create();
344 ssl_sha1_transform(sha
, (char *)session_key
, keylen
);
345 ssl_sha1_transform(sha
, (char *)pad_54
, 40);
346 ssl_sha1_transform(sha
, (char *)lenhdr
, 4);
347 ssl_sha1_transform(sha
, (char *)data
, datalen
);
348 ssl_sha1_complete(sha
, (char *)shasig
);
349 ssl_sha1_info_delete(sha
);
351 md5
= ssl_md5_info_create();
353 ssl_md5_transform(md5
, (char *)session_key
, keylen
);
354 ssl_md5_transform(md5
, (char *)pad_92
, 48);
355 ssl_md5_transform(md5
, (char *)shasig
, 20);
356 ssl_md5_complete(md5
, (char *)md5sig
);
357 ssl_md5_info_delete(md5
);
359 memcpy(signature
, md5sig
, siglen
);
362 /* Update an encryption key */
364 sec_update(uint8
* key
, uint8
* update_key
)
371 sha
= ssl_sha1_info_create();
373 ssl_sha1_transform(sha
, (char *)update_key
, g_rc4_key_len
);
374 ssl_sha1_transform(sha
, (char *)pad_54
, 40);
375 ssl_sha1_transform(sha
, (char *)key
, g_rc4_key_len
);
376 ssl_sha1_complete(sha
, (char *)shasig
);
377 ssl_sha1_info_delete(sha
);
379 md5
= ssl_md5_info_create();
381 ssl_md5_transform(md5
, (char *)update_key
, g_rc4_key_len
);
382 ssl_md5_transform(md5
, (char *)pad_92
, 48);
383 ssl_md5_transform(md5
, (char *)shasig
, 20);
384 ssl_md5_complete(md5
, (char *)key
);
385 ssl_md5_info_delete(md5
);
388 update
= ssl_rc4_info_create();
389 ssl_rc4_set_key(update
, (char *)key
, g_rc4_key_len
);
390 ssl_rc4_crypt(update
, (char *)key
, (char *)key
, g_rc4_key_len
);
391 ssl_rc4_info_delete(update
);
393 if (g_rc4_key_len
== 8)
397 /* Encrypt data using RC4 */
399 sec_encrypt(uint8
* data
, int length
)
401 if (g_sec_encrypt_use_count
== 4096)
403 sec_update(g_sec_encrypt_key
, g_sec_encrypt_update_key
);
404 ssl_rc4_set_key(g_rc4_encrypt_key
, (char *)g_sec_encrypt_key
, g_rc4_key_len
);
405 g_sec_encrypt_use_count
= 0;
408 ssl_rc4_crypt(g_rc4_encrypt_key
, (char *)data
, (char *)data
, length
);
409 g_sec_encrypt_use_count
++;
412 /* Decrypt data using RC4 */
414 sec_decrypt(uint8
* data
, int length
)
416 if (g_sec_decrypt_use_count
== 4096)
418 sec_update(g_sec_decrypt_key
, g_sec_decrypt_update_key
);
419 ssl_rc4_set_key(g_rc4_decrypt_key
, (char *)g_sec_decrypt_key
, g_rc4_key_len
);
420 g_sec_decrypt_use_count
= 0;
423 ssl_rc4_crypt(g_rc4_decrypt_key
,(char *)data
, (char *)data
, length
);
424 g_sec_decrypt_use_count
++;
427 /* Perform an RSA public key encryption operation */
429 sec_rsa_encrypt(uint8
* out
, uint8
* in
, int len
, uint32 modulus_size
, uint8
* modulus
,
432 ssl_mod_exp((char *)out
, 64, (char *)in
, 32, (char *)modulus
, 64, (char *)exponent
, 4);
436 sec_sign_ok(char* e_data
, int e_len
, char* n_data
, int n_len
,
437 char* sign_data
, int sign_len
, char* sign_data2
, int sign_len2
, char* testkey
)
443 if ((e_len
!= 4) || (n_len
!= 64) || (sign_len
!= 64) || (sign_len2
!= 64))
447 key
= (char*)xmalloc(176);
448 md5_final
= (char*)xmalloc(64);
449 md5
= ssl_md5_info_create();
451 memcpy(key
, testkey
, 176);
453 memcpy(key
+ 32, e_data
, 4);
454 memcpy(key
+ 36, n_data
, 64);
456 // the first 108 bytes
457 ssl_md5_transform(md5
, key
, 108);
458 // set the whole thing with 0xff
459 memset(md5_final
, 0xff, 64);
461 ssl_md5_complete(md5
, md5_final
);
462 // set non 0xff array items
467 ssl_mod_exp(sign_data
, 64, md5_final
, 64, (char*)g_ppk_n
, 64,
470 ssl_md5_info_delete(md5
);
473 return memcmp(sign_data
, sign_data2
, sign_len2
);
476 /* Initialise secure transport packet */
478 sec_init(uint32 flags
, int maxlen
)
483 if (!g_licence_issued
&& !g_licence_error_result
)
484 hdrlen
= (flags
& SEC_ENCRYPT
) ? 12 : 4;
486 hdrlen
= (flags
& SEC_ENCRYPT
) ? 12 : 0;
487 s
= mcs_init(maxlen
+ hdrlen
);
488 s_push_layer(s
, sec_hdr
, hdrlen
);
493 /* Transmit secure transport packet over specified channel */
495 sec_send_to_channel(STREAM s
, uint32 flags
, uint16 channel
)
500 scard_lock(SCARD_LOCK_SEC
);
503 s_pop_layer(s
, sec_hdr
);
504 if ((!g_licence_issued
&& !g_licence_error_result
) || (flags
& SEC_ENCRYPT
))
505 out_uint32_le(s
, flags
);
507 if (flags
& SEC_ENCRYPT
)
509 flags
&= ~SEC_ENCRYPT
;
510 datalen
= s
->end
- s
->p
- 8;
513 DEBUG(("Sending encrypted packet:\n"));
514 hexdump(s
->p
+ 8, datalen
);
517 sec_sign(s
->p
, 8, g_sec_sign_key
, g_rc4_key_len
, s
->p
+ 8, datalen
);
518 sec_encrypt(s
->p
+ 8, datalen
);
521 mcs_send_to_channel(s
, channel
);
524 scard_unlock(SCARD_LOCK_SEC
);
528 /* Transmit secure transport packet */
531 sec_send(STREAM s
, uint32 flags
)
533 sec_send_to_channel(s
, flags
, MCS_GLOBAL_CHANNEL
);
537 /* Transfer the client random to the server */
539 sec_establish_key(void)
541 uint32 length
= g_server_public_key_len
+ SEC_PADDING_SIZE
;
542 uint32 flags
= SEC_CLIENT_RANDOM
;
545 s
= sec_init(flags
, length
+ 4);
547 out_uint32_le(s
, length
);
548 out_uint8p(s
, g_sec_crypted_random
, g_server_public_key_len
);
549 out_uint8s(s
, SEC_PADDING_SIZE
);
555 /* Output connect initial data blob */
557 sec_out_mcs_data(STREAM s
, uint32 selected_protocol
)
559 int hostlen
= 2 * strlen(g_hostname
);
560 int length
= 162 + 76 + 12 + 4;
562 uint32 cluster_flags
= 0;
564 if (g_num_channels
> 0)
565 length
+= g_num_channels
* 12 + 8;
570 /* Generic Conference Control (T.124) ConferenceCreateRequest */
572 out_uint16_be(s
, 0x14);
576 out_uint16_be(s
, (length
| 0x8000)); /* remaining length */
578 out_uint16_be(s
, 8); /* length? */
579 out_uint16_be(s
, 16);
581 out_uint16_le(s
, 0xc001);
584 out_uint32_le(s
, 0x61637544); /* OEM ID: "Duca", as in Ducati. */
585 out_uint16_be(s
, ((length
- 14) | 0x8000)); /* remaining length */
587 /* Client information */
588 out_uint16_le(s
, SEC_TAG_CLI_INFO
);
589 out_uint16_le(s
, 216); /* length */
590 out_uint16_le(s
, (g_rdp_version
>= RDP_V5
) ? 4 : 1); /* RDP version. 1 == RDP4, 4 >= RDP5 to RDP8 */
592 out_uint16_le(s
, g_width
);
593 out_uint16_le(s
, g_height
);
594 out_uint16_le(s
, 0xca01);
595 out_uint16_le(s
, 0xaa03);
596 out_uint32_le(s
, g_keylayout
);
597 out_uint32_le(s
, 2600); /* Client build. We are now 2600 compatible :-) */
599 /* Unicode name of client, padded to 32 bytes */
600 rdp_out_unistr(s
, g_hostname
, hostlen
);
601 out_uint8s(s
, 30 - hostlen
);
604 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */
605 out_uint32_le(s
, g_keyboard_type
);
606 out_uint32_le(s
, g_keyboard_subtype
);
607 out_uint32_le(s
, g_keyboard_functionkeys
);
608 out_uint8s(s
, 64); /* reserved? 4 + 12 doublewords */
609 out_uint16_le(s
, 0xca01); /* colour depth? */
613 out_uint8(s
, g_server_depth
);
614 out_uint16_le(s
, 0x0700);
618 out_uint32_le(s
, selected_protocol
); /* End of client info */
620 /* Write a Client Cluster Data (TS_UD_CS_CLUSTER) */
621 out_uint16_le(s
, SEC_TAG_CLI_CLUSTER
); /* header.type */
622 out_uint16_le(s
, 12); /* length */
624 cluster_flags
|= SEC_CC_REDIRECTION_SUPPORTED
;
625 cluster_flags
|= (SEC_CC_REDIRECT_VERSION_3
<< 2);
627 if (g_console_session
|| g_redirect_session_id
!= 0)
628 cluster_flags
|= SEC_CC_REDIRECT_SESSIONID_FIELD_VALID
;
630 out_uint32_le(s
, cluster_flags
);
631 out_uint32(s
, g_redirect_session_id
);
633 /* Client encryption settings */
634 out_uint16_le(s
, SEC_TAG_CLI_CRYPT
);
635 out_uint16_le(s
, 12); /* length */
636 out_uint32_le(s
, g_encryption
? 0x3 : 0); /* encryption supported, 128-bit supported */
637 out_uint32(s
, 0); /* Unknown */
639 DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels
));
640 if (g_num_channels
> 0)
642 out_uint16_le(s
, SEC_TAG_CLI_CHANNELS
);
643 out_uint16_le(s
, g_num_channels
* 12 + 8); /* length */
644 out_uint32_le(s
, g_num_channels
); /* number of virtual channels */
645 for (i
= 0; i
< g_num_channels
; i
++)
647 DEBUG_RDP5(("Requesting channel %s\n", g_channels
[i
].name
));
648 out_uint8a(s
, g_channels
[i
].name
, 8);
649 out_uint32_be(s
, g_channels
[i
].flags
);
656 /* Parse a public key structure */
658 sec_parse_public_key(STREAM s
, uint8
* modulus
, uint8
* exponent
)
660 uint32 magic
, modulus_len
;
662 in_uint32_le(s
, magic
);
663 if (magic
!= SEC_RSA_MAGIC
)
665 error("RSA magic 0x%x\n", magic
);
669 in_uint32_le(s
, modulus_len
);
670 modulus_len
-= SEC_PADDING_SIZE
;
671 if ((modulus_len
< SEC_MODULUS_SIZE
) || (modulus_len
> SEC_MAX_MODULUS_SIZE
))
673 error("Bad server public key size (%u bits)\n", modulus_len
* 8);
677 in_uint8s(s
, 8); /* modulus_bits, unknown */
678 in_uint8a(s
, exponent
, SEC_EXPONENT_SIZE
);
679 in_uint8a(s
, modulus
, modulus_len
);
680 in_uint8s(s
, SEC_PADDING_SIZE
);
681 g_server_public_key_len
= modulus_len
;
686 /* Parse a public signature structure */
688 sec_parse_public_sig(STREAM s
, uint32 len
, uint8
* modulus
, uint8
* exponent
)
690 uint8 signature
[SEC_MAX_MODULUS_SIZE
];
691 uint8 signature_
[SEC_MAX_MODULUS_SIZE
];
698 memset(signature
, 0, sizeof(signature
));
700 in_uint8a(s
, signature
, sig_len
);
701 if(sec_sign_ok((char *)exponent
, SEC_EXPONENT_SIZE
, (char *)modulus
, g_server_public_key_len
,
702 (char *)signature_
, SEC_MODULUS_SIZE
, (char *)signature
, sig_len
, (char *)g_testkey
))
704 DEBUG_RDP5(("key signature doesn't match test key\n"));
709 /* Parse a crypto information structure */
711 sec_parse_crypt_info(STREAM s
, uint32
* rc4_key_size
,
712 uint8
** server_random
, uint8
* modulus
, uint8
* exponent
)
714 uint32 crypt_level
, random_len
, rsa_info_len
;
715 uint32
/*cacert_len, cert_len,*/ flags
;
716 //RDSSL_CERT *cacert, *server_cert;
717 //RDSSL_RKEY *server_public_key;
719 uint8
*next_tag
, *end
;
721 in_uint32_le(s
, *rc4_key_size
); /* 1 = 40-bit, 2 = 128-bit */
722 in_uint32_le(s
, crypt_level
); /* 1 = low, 2 = medium, 3 = high */
723 if (crypt_level
== 0)
729 in_uint32_le(s
, random_len
);
730 in_uint32_le(s
, rsa_info_len
);
732 if (random_len
!= SEC_RANDOM_SIZE
)
734 error("random len %d, expected %d\n", random_len
, SEC_RANDOM_SIZE
);
738 in_uint8p(s
, *server_random
, random_len
);
741 end
= s
->p
+ rsa_info_len
;
745 in_uint32_le(s
, flags
); /* 1 = RDP4-style, 0x80000002 = X.509 */
748 DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
749 in_uint8s(s
, 8); /* unknown */
753 in_uint16_le(s
, tag
);
754 in_uint16_le(s
, length
);
756 next_tag
= s
->p
+ length
;
761 if (!sec_parse_public_key(s
, modulus
, exponent
))
763 DEBUG_RDP5(("Got Public key, RDP4-style\n"));
768 if (!sec_parse_public_sig(s
, length
, modulus
, exponent
))
773 unimpl("crypt tag 0x%x\n", tag
);
784 DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
785 in_uint32_le(s
, certcount
); /* Number of certificates */
788 error("Server didn't send enough X509 certificates\n");
791 for (; certcount
> 2; certcount
--)
792 { /* ignore all the certificates between the root and the signing CA */
794 RDSSL_CERT
*ignorecert
;
796 DEBUG_RDP5(("Ignored certs left: %d\n", certcount
));
797 in_uint32_le(s
, ignorelen
);
798 DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen
));
799 ignorecert
= rdssl_cert_read(s
->p
, ignorelen
);
800 in_uint8s(s
, ignorelen
);
801 if (ignorecert
== NULL
)
802 { /* XXX: error out? */
803 DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
806 #ifdef WITH_DEBUG_RDP5
807 DEBUG_RDP5(("cert #%d (ignored):\n", certcount
));
808 rdssl_cert_print_fp(stdout
, ignorecert
);
811 /* Do da funky X.509 stuffy
813 "How did I find out about this? I looked up and saw a
814 bright light and when I came to I had a scar on my forehead
815 and knew about X.500"
816 - Peter Gutman in a early version of
817 http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
819 in_uint32_le(s
, cacert_len
);
820 DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len
));
821 cacert
= rdssl_cert_read(s
->p
, cacert_len
);
822 in_uint8s(s
, cacert_len
);
825 error("Couldn't load CA Certificate from server\n");
828 in_uint32_le(s
, cert_len
);
829 DEBUG_RDP5(("Certificate length is %d\n", cert_len
));
830 server_cert
= rdssl_cert_read(s
->p
, cert_len
);
831 in_uint8s(s
, cert_len
);
832 if (NULL
== server_cert
)
834 rdssl_cert_free(cacert
);
835 error("Couldn't load Certificate from server\n");
838 if (!rdssl_certs_ok(server_cert
, cacert
))
840 rdssl_cert_free(server_cert
);
841 rdssl_cert_free(cacert
);
842 error("Security error CA Certificate invalid\n");
845 rdssl_cert_free(cacert
);
846 in_uint8s(s
, 16); /* Padding */
847 server_public_key
= rdssl_cert_to_rkey(server_cert
, &g_server_public_key_len
);
848 if (NULL
== server_public_key
)
850 DEBUG_RDP5(("Didn't parse X509 correctly\n"));
851 rdssl_cert_free(server_cert
);
854 rdssl_cert_free(server_cert
);
855 if ((g_server_public_key_len
< SEC_MODULUS_SIZE
) ||
856 (g_server_public_key_len
> SEC_MAX_MODULUS_SIZE
))
858 error("Bad server public key size (%u bits)\n",
859 g_server_public_key_len
* 8);
860 rdssl_rkey_free(server_public_key
);
863 if (rdssl_rkey_get_exp_mod(server_public_key
, exponent
, SEC_EXPONENT_SIZE
,
864 modulus
, SEC_MAX_MODULUS_SIZE
) != 0)
866 error("Problem extracting RSA exponent, modulus");
867 rdssl_rkey_free(server_public_key
);
870 rdssl_rkey_free(server_public_key
);
871 return True
; /* There's some garbage here we don't care about */
874 return s_check_end(s
);
877 /* Process crypto information blob */
879 sec_process_crypt_info(STREAM s
)
881 uint8
*server_random
= NULL
;
882 uint8 modulus
[SEC_MAX_MODULUS_SIZE
];
883 uint8 exponent
[SEC_EXPONENT_SIZE
];
886 memset(modulus
, 0, sizeof(modulus
));
887 memset(exponent
, 0, sizeof(exponent
));
888 if (!sec_parse_crypt_info(s
, &rc4_key_size
, &server_random
, modulus
, exponent
))
890 DEBUG(("Failed to parse crypt info\n"));
893 DEBUG(("Generating client random\n"));
894 generate_random(g_client_random
);
895 sec_rsa_encrypt(g_sec_crypted_random
, g_client_random
, SEC_RANDOM_SIZE
,
896 g_server_public_key_len
, modulus
, exponent
);
897 sec_generate_keys(g_client_random
, server_random
, rc4_key_size
);
901 /* Process SRV_INFO, find RDP version supported by server */
903 sec_process_srv_info(STREAM s
)
905 in_uint16_le(s
, g_server_rdp_version
);
906 DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version
));
907 if (1 == g_server_rdp_version
)
909 g_rdp_version
= RDP_V4
;
915 /* Process connect response data blob */
917 sec_process_mcs_data(STREAM s
)
923 in_uint8s(s
, 21); /* header (T.124 ConferenceCreateResponse) */
928 while (s
->p
< s
->end
)
930 in_uint16_le(s
, tag
);
931 in_uint16_le(s
, length
);
936 next_tag
= s
->p
+ length
- 4;
940 case SEC_TAG_SRV_INFO
:
941 sec_process_srv_info(s
);
944 case SEC_TAG_SRV_CRYPT
:
945 sec_process_crypt_info(s
);
948 case SEC_TAG_SRV_CHANNELS
:
949 /* FIXME: We should parse this information and
950 use it to map RDP5 channels to MCS
955 unimpl("response tag 0x%x\n", tag
);
962 /* Receive secure transport packet */
964 sec_recv(uint8
* rdpver
)
970 while ((s
= mcs_recv(&channel
, rdpver
)) != NULL
)
978 in_uint8s(s
, 8); /* signature */
979 sec_decrypt(s
->p
, s
->end
- s
->p
);
984 if (g_encryption
|| (!g_licence_issued
&& !g_licence_error_result
))
986 in_uint32_le(s
, sec_flags
);
990 if (sec_flags
& SEC_ENCRYPT
)
992 in_uint8s(s
, 8); /* signature */
993 sec_decrypt(s
->p
, s
->end
- s
->p
);
996 if (sec_flags
& SEC_LICENCE_NEG
)
1002 if (sec_flags
& 0x0400) /* SEC_REDIRECT_ENCRYPT */
1006 in_uint8s(s
, 8); /* signature */
1007 sec_decrypt(s
->p
, s
->end
- s
->p
);
1009 /* Check for a redirect packet, starts with 00 04 */
1010 if (s
->p
[0] == 0 && s
->p
[1] == 4)
1012 /* for some reason the PDU and the length seem to be swapped.
1013 This isn't good, but we're going to do a byte for byte
1014 swap. So the first four values appear as: 00 04 XX YY,
1015 where XX YY is the little endian length. We're going to
1016 use 04 00 as the PDU type, so after our swap this will look
1017 like: XX YY 04 00 */
1031 /* warning! this debug statement will show passwords in the clear! */
1032 hexdump(s
->p
, s
->end
- s
->p
);
1038 if ((sec_flags
& 0xffff) == SEC_LICENCE_NEG
)
1047 if (channel
!= MCS_GLOBAL_CHANNEL
)
1049 channel_process(s
, channel
);
1061 /* Establish a secure connection */
1063 sec_connect(char *server
, char *username
, char *domain
, char *password
, RD_BOOL reconnect
)
1065 uint32 selected_proto
;
1066 struct stream mcs_data
;
1068 /* Start a MCS connect sequence */
1069 if (!mcs_connect_start(server
, username
, domain
, password
, reconnect
, &selected_proto
))
1072 /* We exchange some RDP data during the MCS-Connect */
1073 mcs_data
.size
= 512;
1074 mcs_data
.p
= mcs_data
.data
= (uint8
*) xmalloc(mcs_data
.size
);
1075 sec_out_mcs_data(&mcs_data
, selected_proto
);
1077 /* finalize the MCS connect sequence */
1078 if (!mcs_connect_finalize(&mcs_data
))
1081 /* sec_process_mcs_data(&mcs_data); */
1083 sec_establish_key();
1084 xfree(mcs_data
.data
);
1088 /* Disconnect a connection */
1090 sec_disconnect(void)
1095 /* reset the state of the sec layer */
1097 sec_reset_state(void)
1099 g_server_rdp_version
= 0;
1100 g_sec_encrypt_use_count
= 0;
1101 g_sec_decrypt_use_count
= 0;
1102 g_licence_issued
= 0;
1103 g_licence_error_result
= 0;