projects / reactos.git / blob
? search:


1e5c0efd287e349763a1cd131156a23d4c740204
[reactos.git] / reactos / base / applications / mstsc / secure.c
1 /* -*- c-basic-offset: 8 -*-
2 rdesktop: A Remote Desktop Protocol client.
3 Protocol services - RDP encryption and licensing
4 Copyright (C) Matthew Chapman <matthewc.unsw.edu.au> 1999-2008
5 Copyright 2005-2011 Peter Astrand <astrand@cendio.se> for Cendio AB
6
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "precomp.h"
22
23 void *
24 ssl_sha1_info_create(void);
25 void
26 ssl_sha1_info_delete(void * sha1_info);
27 void
28 ssl_sha1_clear(void * sha1_info);
29 void
30 ssl_sha1_transform(void * sha1_info, char * data, int len);
31 void
32 ssl_sha1_complete(void * sha1_info, char * data);
33 void *
34 ssl_md5_info_create(void);
35 void
36 ssl_md5_info_delete(void * md5_info);
37 void *
38 ssl_md5_info_create(void);
39 void
40 ssl_md5_info_delete(void * md5_info);
41 void
42 ssl_md5_clear(void * md5_info);
43 void
44 ssl_md5_transform(void * md5_info, char * data, int len);
45 void
46 ssl_md5_complete(void * md5_info, char * data);
47 void *
48 ssl_rc4_info_create(void);
49 void
50 ssl_rc4_info_delete(void * rc4_info);
51 void
52 ssl_rc4_set_key(void * rc4_info, char * key, int len);
53 void
54 ssl_rc4_crypt(void * rc4_info, char * in_data, char * out_data, int len);
55 int
56 ssl_mod_exp(char* out, int out_len, char* in, int in_len,
57 char* mod, int mod_len, char* exp, int exp_len);
58 //int
59 //ssl_sig_ok(char * exp, int exp_size, char * mod, int mod_len,
60 // char * sig, int sig_len);
61
62 extern char g_hostname[16];
63 extern int g_width;
64 extern int g_height;
65 extern unsigned int g_keylayout;
66 extern int g_keyboard_type;
67 extern int g_keyboard_subtype;
68 extern int g_keyboard_functionkeys;
69 extern RD_BOOL g_encryption;
70 extern RD_BOOL g_licence_issued;
71 extern RD_BOOL g_licence_error_result;
72 extern RDP_VERSION g_rdp_version;
73 extern RD_BOOL g_console_session;
74 extern uint32 g_redirect_session_id;
75 extern int g_server_depth;
76 extern VCHANNEL g_channels[];
77 extern unsigned int g_num_channels;
78 extern uint8 g_client_random[SEC_RANDOM_SIZE];
79
80 static int g_rc4_key_len;
81 static void * g_rc4_decrypt_key;
82 static void * g_rc4_encrypt_key;
83 static uint32 g_server_public_key_len;
84
85 static uint8 g_sec_sign_key[16];
86 static uint8 g_sec_decrypt_key[16];
87 static uint8 g_sec_encrypt_key[16];
88 static uint8 g_sec_decrypt_update_key[16];
89 static uint8 g_sec_encrypt_update_key[16];
90 static uint8 g_sec_crypted_random[SEC_MAX_MODULUS_SIZE];
91
92 uint16 g_server_rdp_version = 0;
93
94 /* These values must be available to reset state - Session Directory */
95 static int g_sec_encrypt_use_count = 0;
96 static int g_sec_decrypt_use_count = 0;
97
98 #define SEC_MODULUS_SIZE 64
99
100 static uint8 g_ppk_n[72] =
101 {
102 0x3D, 0x3A, 0x5E, 0xBD, 0x72, 0x43, 0x3E, 0xC9,
103 0x4D, 0xBB, 0xC1, 0x1E, 0x4A, 0xBA, 0x5F, 0xCB,
104 0x3E, 0x88, 0x20, 0x87, 0xEF, 0xF5, 0xC1, 0xE2,
105 0xD7, 0xB7, 0x6B, 0x9A, 0xF2, 0x52, 0x45, 0x95,
106 0xCE, 0x63, 0x65, 0x6B, 0x58, 0x3A, 0xFE, 0xEF,
107 0x7C, 0xE7, 0xBF, 0xFE, 0x3D, 0xF6, 0x5C, 0x7D,
108 0x6C, 0x5E, 0x06, 0x09, 0x1A, 0xF5, 0x61, 0xBB,
109 0x20, 0x93, 0x09, 0x5F, 0x05, 0x6D, 0xEA, 0x87,
110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
111 };
112
113 static uint8 g_ppk_d[108] =
114 {
115 0x87, 0xA7, 0x19, 0x32, 0xDA, 0x11, 0x87, 0x55,
116 0x58, 0x00, 0x16, 0x16, 0x25, 0x65, 0x68, 0xF8,
117 0x24, 0x3E, 0xE6, 0xFA, 0xE9, 0x67, 0x49, 0x94,
118 0xCF, 0x92, 0xCC, 0x33, 0x99, 0xE8, 0x08, 0x60,
119 0x17, 0x9A, 0x12, 0x9F, 0x24, 0xDD, 0xB1, 0x24,
120 0x99, 0xC7, 0x3A, 0xB8, 0x0A, 0x7B, 0x0D, 0xDD,
121 0x35, 0x07, 0x79, 0x17, 0x0B, 0x51, 0x9B, 0xB3,
122 0xC7, 0x10, 0x01, 0x13, 0xE7, 0x3F, 0xF3, 0x5F,
123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
124 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
125 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
128 0x00, 0x00, 0x00, 0x00
129 };
130
131 static uint8 g_testkey[176] =
132 {
133 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
134 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x5c, 0x00,
135 0x52, 0x53, 0x41, 0x31, 0x48, 0x00, 0x00, 0x00,
136 0x00, 0x02, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00,
137 0x01, 0x00, 0x01, 0x00, 0x79, 0x6f, 0xb4, 0xdf,
138 0xa6, 0x95, 0xb9, 0xa9, 0x61, 0xe3, 0xc4, 0x5e,
139 0xff, 0x6b, 0xd8, 0x81, 0x8a, 0x12, 0x4a, 0x93,
140 0x42, 0x97, 0x18, 0x93, 0xac, 0xd1, 0x3a, 0x38,
141 0x3c, 0x68, 0x50, 0x19, 0x31, 0xb6, 0x84, 0x51,
142 0x79, 0xfb, 0x1c, 0xe7, 0xe3, 0x99, 0x20, 0xc7,
143 0x84, 0xdf, 0xd1, 0xaa, 0xb5, 0x15, 0xef, 0x47,
144 0x7e, 0xfc, 0x88, 0xeb, 0x29, 0xc3, 0x27, 0x5a,
145 0x35, 0xf8, 0xfd, 0xaa, 0x00, 0x00, 0x00, 0x00,
146 0x00, 0x00, 0x00, 0x00,
147 0x08, 0x00, 0x48, 0x00,
148 0x32, 0x3b, 0xde, 0x6f, 0x18, 0x97, 0x1e, 0xc3,
149 0x6b, 0x2b, 0x2d, 0xe4, 0xfc, 0x2d, 0xa2, 0x8e,
150 0x32, 0x3c, 0xf3, 0x1b, 0x24, 0x90, 0x57, 0x4d,
151 0x8e, 0xe4, 0x69, 0xfc, 0x16, 0x8d, 0x41, 0x92,
152 0x78, 0xc7, 0x9c, 0xb4, 0x26, 0xff, 0xe8, 0x3e,
153 0xa1, 0x8a, 0xf5, 0x57, 0xc0, 0x7f, 0x3e, 0x21,
154 0x17, 0x32, 0x30, 0x6f, 0x79, 0xe1, 0x36, 0xcd,
155 0xb6, 0x8e, 0xbe, 0x57, 0x57, 0xd2, 0xa9, 0x36
156 };
157
158 /*
159 * I believe this is based on SSLv3 with the following differences:
160 * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields
161 * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other
162 * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC'
163 * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key)
164 * encryption/decryption keys updated every 4096 packets
165 * See http://wp.netscape.com/eng/ssl3/draft302.txt
166 */
167
168 /*
169 * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2).
170 * Both SHA1 and MD5 algorithms are used.
171 */
172 void
173 sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt)
174 {
175 uint8 shasig[20];
176 uint8 pad[4];
177 void * sha;
178 void * md5;
179 int i;
180
181 for (i = 0; i < 3; i++)
182 {
183 memset(pad, salt + i, i + 1);
184 sha = ssl_sha1_info_create();
185 ssl_sha1_clear(sha);
186 ssl_sha1_transform(sha, (char *)pad, i + 1);
187 ssl_sha1_transform(sha, (char *)in, 48);
188 ssl_sha1_transform(sha, (char *)salt1, 32);
189 ssl_sha1_transform(sha, (char *)salt2, 32);
190 ssl_sha1_complete(sha, (char *)shasig);
191 ssl_sha1_info_delete(sha);
192 md5 = ssl_md5_info_create();
193 ssl_md5_clear(md5);
194 ssl_md5_transform(md5, (char *)in, 48);
195 ssl_md5_transform(md5, (char *)shasig, 20);
196 ssl_md5_complete(md5, (char *)out + i * 16);
197 ssl_md5_info_delete(md5);
198 }
199 }
200
201 /*
202 * 16-byte transformation used to generate export keys (6.2.2).
203 */
204 void
205 sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2)
206 {
207 void * md5;
208
209 md5 = ssl_md5_info_create();
210 ssl_md5_clear(md5);
211 ssl_md5_transform(md5, (char *)in, 16);
212 ssl_md5_transform(md5, (char *)salt1, 32);
213 ssl_md5_transform(md5, (char *)salt2, 32);
214 ssl_md5_complete(md5, (char *)out);
215 ssl_md5_info_delete(md5);
216 }
217
218 /*
219 * 16-byte sha1 hash
220 */
221 void
222 sec_hash_sha1_16(uint8 * out, uint8 * in, uint8 * salt1)
223 {
224 void * sha;
225 sha = ssl_sha1_info_create();
226 ssl_sha1_clear(sha);
227 ssl_sha1_transform(&sha, (char *)in, 16);
228 ssl_sha1_transform(&sha, (char *)salt1, 16);
229 ssl_sha1_complete(&sha, (char *)out);
230 ssl_sha1_info_delete(sha);
231 }
232
233 /* create string from hash */
234 void
235 sec_hash_to_string(char *out, int out_size, uint8 * in, int in_size)
236 {
237 int k;
238 memset(out, 0, out_size);
239 for (k = 0; k < in_size; k++, out += 2)
240 {
241 sprintf(out, "%.2x", in[k]);
242 }
243 }
244
245 /* Reduce key entropy from 64 to 40 bits */
246 static void
247 sec_make_40bit(uint8 * key)
248 {
249 key[0] = 0xd1;
250 key[1] = 0x26;
251 key[2] = 0x9e;
252 }
253
254 /* Generate encryption keys given client and server randoms */
255 static void
256 sec_generate_keys(uint8 * client_random, uint8 * server_random, int rc4_key_size)
257 {
258 uint8 pre_master_secret[48];
259 uint8 master_secret[48];
260 uint8 key_block[48];
261
262 /* Construct pre-master secret */
263 memcpy(pre_master_secret, client_random, 24);
264 memcpy(pre_master_secret + 24, server_random, 24);
265
266 /* Generate master secret and then key material */
267 sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A');
268 sec_hash_48(key_block, master_secret, client_random, server_random, 'X');
269
270 /* First 16 bytes of key material is MAC secret */
271 memcpy(g_sec_sign_key, key_block, 16);
272
273 /* Generate export keys from next two blocks of 16 bytes */
274 sec_hash_16(g_sec_decrypt_key, &key_block[16], client_random, server_random);
275 sec_hash_16(g_sec_encrypt_key, &key_block[32], client_random, server_random);
276
277 if (rc4_key_size == 1)
278 {
279 DEBUG(("40-bit encryption enabled\n"));
280 sec_make_40bit(g_sec_sign_key);
281 sec_make_40bit(g_sec_decrypt_key);
282 sec_make_40bit(g_sec_encrypt_key);
283 g_rc4_key_len = 8;
284 }
285 else
286 {
287 DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
288 g_rc4_key_len = 16;
289 }
290
291 /* Save initial RC4 keys as update keys */
292 memcpy(g_sec_decrypt_update_key, g_sec_decrypt_key, 16);
293 memcpy(g_sec_encrypt_update_key, g_sec_encrypt_key, 16);
294
295 /* Initialise RC4 state arrays */
296
297 ssl_rc4_info_delete(g_rc4_decrypt_key);
298 g_rc4_decrypt_key = ssl_rc4_info_create();
299 ssl_rc4_set_key(g_rc4_decrypt_key, (char *)g_sec_decrypt_key, g_rc4_key_len);
300
301 ssl_rc4_info_delete(g_rc4_encrypt_key);
302 g_rc4_encrypt_key = ssl_rc4_info_create();
303 ssl_rc4_set_key(g_rc4_encrypt_key, (char *)g_sec_encrypt_key, g_rc4_key_len);
304 }
305
306 static uint8 pad_54[40] = {
307 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
308 54, 54, 54,
309 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
310 54, 54, 54
311 };
312
313 static uint8 pad_92[48] = {
314 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
315 92, 92, 92, 92, 92, 92, 92,
316 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
317 92, 92, 92, 92, 92, 92, 92
318 };
319
320 /* Output a uint32 into a buffer (little-endian) */
321 void
322 buf_out_uint32(uint8 * buffer, uint32 value)
323 {
324 buffer[0] = (value) & 0xff;
325 buffer[1] = (value >> 8) & 0xff;
326 buffer[2] = (value >> 16) & 0xff;
327 buffer[3] = (value >> 24) & 0xff;
328 }
329
330 /* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */
331 void
332 sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen)
333 {
334 uint8 shasig[20];
335 uint8 md5sig[16];
336 uint8 lenhdr[4];
337 void * sha;
338 void * md5;
339
340 buf_out_uint32(lenhdr, datalen);
341
342 sha = ssl_sha1_info_create();
343 ssl_sha1_clear(sha);
344 ssl_sha1_transform(sha, (char *)session_key, keylen);
345 ssl_sha1_transform(sha, (char *)pad_54, 40);
346 ssl_sha1_transform(sha, (char *)lenhdr, 4);
347 ssl_sha1_transform(sha, (char *)data, datalen);
348 ssl_sha1_complete(sha, (char *)shasig);
349 ssl_sha1_info_delete(sha);
350
351 md5 = ssl_md5_info_create();
352 ssl_md5_clear(md5);
353 ssl_md5_transform(md5, (char *)session_key, keylen);
354 ssl_md5_transform(md5, (char *)pad_92, 48);
355 ssl_md5_transform(md5, (char *)shasig, 20);
356 ssl_md5_complete(md5, (char *)md5sig);
357 ssl_md5_info_delete(md5);
358
359 memcpy(signature, md5sig, siglen);
360 }
361
362 /* Update an encryption key */
363 static void
364 sec_update(uint8 * key, uint8 * update_key)
365 {
366 uint8 shasig[20];
367 void * sha;
368 void * md5;
369 void * update;
370
371 sha = ssl_sha1_info_create();
372 ssl_sha1_clear(sha);
373 ssl_sha1_transform(sha, (char *)update_key, g_rc4_key_len);
374 ssl_sha1_transform(sha, (char *)pad_54, 40);
375 ssl_sha1_transform(sha, (char *)key, g_rc4_key_len);
376 ssl_sha1_complete(sha, (char *)shasig);
377 ssl_sha1_info_delete(sha);
378
379 md5 = ssl_md5_info_create();
380 ssl_md5_clear(md5);
381 ssl_md5_transform(md5, (char *)update_key, g_rc4_key_len);
382 ssl_md5_transform(md5, (char *)pad_92, 48);
383 ssl_md5_transform(md5, (char *)shasig, 20);
384 ssl_md5_complete(md5, (char *)key);
385 ssl_md5_info_delete(md5);
386
387
388 update = ssl_rc4_info_create();
389 ssl_rc4_set_key(update, (char *)key, g_rc4_key_len);
390 ssl_rc4_crypt(update, (char *)key, (char *)key, g_rc4_key_len);
391 ssl_rc4_info_delete(update);
392
393 if (g_rc4_key_len == 8)
394 sec_make_40bit(key);
395 }
396
397 /* Encrypt data using RC4 */
398 static void
399 sec_encrypt(uint8 * data, int length)
400 {
401 if (g_sec_encrypt_use_count == 4096)
402 {
403 sec_update(g_sec_encrypt_key, g_sec_encrypt_update_key);
404 ssl_rc4_set_key(g_rc4_encrypt_key, (char *)g_sec_encrypt_key, g_rc4_key_len);
405 g_sec_encrypt_use_count = 0;
406 }
407
408 ssl_rc4_crypt(g_rc4_encrypt_key, (char *)data, (char *)data, length);
409 g_sec_encrypt_use_count++;
410 }
411
412 /* Decrypt data using RC4 */
413 void
414 sec_decrypt(uint8 * data, int length)
415 {
416 if (g_sec_decrypt_use_count == 4096)
417 {
418 sec_update(g_sec_decrypt_key, g_sec_decrypt_update_key);
419 ssl_rc4_set_key(g_rc4_decrypt_key, (char *)g_sec_decrypt_key, g_rc4_key_len);
420 g_sec_decrypt_use_count = 0;
421 }
422
423 ssl_rc4_crypt(g_rc4_decrypt_key,(char *)data, (char *)data, length);
424 g_sec_decrypt_use_count++;
425 }
426
427 /* Perform an RSA public key encryption operation */
428 static void
429 sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus,
430 uint8 * exponent)
431 {
432 ssl_mod_exp((char *)out, 64, (char *)in, 32, (char *)modulus, 64, (char *)exponent, 4);
433 }
434
435 static int
436 sec_sign_ok(char* e_data, int e_len, char* n_data, int n_len,
437 char* sign_data, int sign_len, char* sign_data2, int sign_len2, char* testkey)
438 {
439 char* key;
440 char* md5_final;
441 void* md5;
442
443 if ((e_len != 4) || (n_len != 64) || (sign_len != 64) || (sign_len2 != 64))
444 {
445 return 1;
446 }
447 key = (char*)xmalloc(176);
448 md5_final = (char*)xmalloc(64);
449 md5 = ssl_md5_info_create();
450 // copy the test key
451 memcpy(key, testkey, 176);
452 // replace e and n
453 memcpy(key + 32, e_data, 4);
454 memcpy(key + 36, n_data, 64);
455 ssl_md5_clear(md5);
456 // the first 108 bytes
457 ssl_md5_transform(md5, key, 108);
458 // set the whole thing with 0xff
459 memset(md5_final, 0xff, 64);
460 // digest 16 bytes
461 ssl_md5_complete(md5, md5_final);
462 // set non 0xff array items
463 md5_final[16] = 0;
464 md5_final[62] = 1;
465 md5_final[63] = 0;
466 // encrypt
467 ssl_mod_exp(sign_data, 64, md5_final, 64, (char*)g_ppk_n, 64,
468 (char*)g_ppk_d, 64);
469 // cleanup
470 ssl_md5_info_delete(md5);
471 xfree(key);
472 xfree(md5_final);
473 return memcmp(sign_data, sign_data2, sign_len2);
474 }
475
476 /* Initialise secure transport packet */
477 STREAM
478 sec_init(uint32 flags, int maxlen)
479 {
480 int hdrlen;
481 STREAM s;
482
483 if (!g_licence_issued && !g_licence_error_result)
484 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4;
485 else
486 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0;
487 s = mcs_init(maxlen + hdrlen);
488 s_push_layer(s, sec_hdr, hdrlen);
489
490 return s;
491 }
492
493 /* Transmit secure transport packet over specified channel */
494 void
495 sec_send_to_channel(STREAM s, uint32 flags, uint16 channel)
496 {
497 int datalen;
498
499 #ifdef WITH_SCARD
500 scard_lock(SCARD_LOCK_SEC);
501 #endif
502
503 s_pop_layer(s, sec_hdr);
504 if ((!g_licence_issued && !g_licence_error_result) || (flags & SEC_ENCRYPT))
505 out_uint32_le(s, flags);
506
507 if (flags & SEC_ENCRYPT)
508 {
509 flags &= ~SEC_ENCRYPT;
510 datalen = s->end - s->p - 8;
511
512 #ifdef WITH_DEBUG
513 DEBUG(("Sending encrypted packet:\n"));
514 hexdump(s->p + 8, datalen);
515 #endif
516
517 sec_sign(s->p, 8, g_sec_sign_key, g_rc4_key_len, s->p + 8, datalen);
518 sec_encrypt(s->p + 8, datalen);
519 }
520
521 mcs_send_to_channel(s, channel);
522
523 #ifdef WITH_SCARD
524 scard_unlock(SCARD_LOCK_SEC);
525 #endif
526 }
527
528 /* Transmit secure transport packet */
529
530 void
531 sec_send(STREAM s, uint32 flags)
532 {
533 sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL);
534 }
535
536
537 /* Transfer the client random to the server */
538 static void
539 sec_establish_key(void)
540 {
541 uint32 length = g_server_public_key_len + SEC_PADDING_SIZE;
542 uint32 flags = SEC_CLIENT_RANDOM;
543 STREAM s;
544
545 s = sec_init(flags, length + 4);
546
547 out_uint32_le(s, length);
548 out_uint8p(s, g_sec_crypted_random, g_server_public_key_len);
549 out_uint8s(s, SEC_PADDING_SIZE);
550
551 s_mark_end(s);
552 sec_send(s, flags);
553 }
554
555 /* Output connect initial data blob */
556 static void
557 sec_out_mcs_data(STREAM s, uint32 selected_protocol)
558 {
559 int hostlen = 2 * strlen(g_hostname);
560 int length = 162 + 76 + 12 + 4;
561 unsigned int i;
562 uint32 cluster_flags = 0;
563
564 if (g_num_channels > 0)
565 length += g_num_channels * 12 + 8;
566
567 if (hostlen > 30)
568 hostlen = 30;
569
570 /* Generic Conference Control (T.124) ConferenceCreateRequest */
571 out_uint16_be(s, 5);
572 out_uint16_be(s, 0x14);
573 out_uint8(s, 0x7c);
574 out_uint16_be(s, 1);
575
576 out_uint16_be(s, (length | 0x8000)); /* remaining length */
577
578 out_uint16_be(s, 8); /* length? */
579 out_uint16_be(s, 16);
580 out_uint8(s, 0);
581 out_uint16_le(s, 0xc001);
582 out_uint8(s, 0);
583
584 out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */
585 out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */
586
587 /* Client information */
588 out_uint16_le(s, SEC_TAG_CLI_INFO);
589 out_uint16_le(s, 216); /* length */
590 out_uint16_le(s, (g_rdp_version >= RDP_V5) ? 4 : 1); /* RDP version. 1 == RDP4, 4 >= RDP5 to RDP8 */
591 out_uint16_le(s, 8);
592 out_uint16_le(s, g_width);
593 out_uint16_le(s, g_height);
594 out_uint16_le(s, 0xca01);
595 out_uint16_le(s, 0xaa03);
596 out_uint32_le(s, g_keylayout);
597 out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */
598
599 /* Unicode name of client, padded to 32 bytes */
600 rdp_out_unistr(s, g_hostname, hostlen);
601 out_uint8s(s, 30 - hostlen);
602
603 /* See
604 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */
605 out_uint32_le(s, g_keyboard_type);
606 out_uint32_le(s, g_keyboard_subtype);
607 out_uint32_le(s, g_keyboard_functionkeys);
608 out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */
609 out_uint16_le(s, 0xca01); /* colour depth? */
610 out_uint16_le(s, 1);
611
612 out_uint32(s, 0);
613 out_uint8(s, g_server_depth);
614 out_uint16_le(s, 0x0700);
615 out_uint8(s, 0);
616 out_uint32_le(s, 1);
617 out_uint8s(s, 64);
618 out_uint32_le(s, selected_protocol); /* End of client info */
619
620 /* Write a Client Cluster Data (TS_UD_CS_CLUSTER) */
621 out_uint16_le(s, SEC_TAG_CLI_CLUSTER); /* header.type */
622 out_uint16_le(s, 12); /* length */
623
624 cluster_flags |= SEC_CC_REDIRECTION_SUPPORTED;
625 cluster_flags |= (SEC_CC_REDIRECT_VERSION_3 << 2);
626
627 if (g_console_session || g_redirect_session_id != 0)
628 cluster_flags |= SEC_CC_REDIRECT_SESSIONID_FIELD_VALID;
629
630 out_uint32_le(s, cluster_flags);
631 out_uint32(s, g_redirect_session_id);
632
633 /* Client encryption settings */
634 out_uint16_le(s, SEC_TAG_CLI_CRYPT);
635 out_uint16_le(s, 12); /* length */
636 out_uint32_le(s, g_encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */
637 out_uint32(s, 0); /* Unknown */
638
639 DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels));
640 if (g_num_channels > 0)
641 {
642 out_uint16_le(s, SEC_TAG_CLI_CHANNELS);
643 out_uint16_le(s, g_num_channels * 12 + 8); /* length */
644 out_uint32_le(s, g_num_channels); /* number of virtual channels */
645 for (i = 0; i < g_num_channels; i++)
646 {
647 DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name));
648 out_uint8a(s, g_channels[i].name, 8);
649 out_uint32_be(s, g_channels[i].flags);
650 }
651 }
652
653 s_mark_end(s);
654 }
655
656 /* Parse a public key structure */
657 static RD_BOOL
658 sec_parse_public_key(STREAM s, uint8 * modulus, uint8 * exponent)
659 {
660 uint32 magic, modulus_len;
661
662 in_uint32_le(s, magic);
663 if (magic != SEC_RSA_MAGIC)
664 {
665 error("RSA magic 0x%x\n", magic);
666 return False;
667 }
668
669 in_uint32_le(s, modulus_len);
670 modulus_len -= SEC_PADDING_SIZE;
671 if ((modulus_len < SEC_MODULUS_SIZE) || (modulus_len > SEC_MAX_MODULUS_SIZE))
672 {
673 error("Bad server public key size (%u bits)\n", modulus_len * 8);
674 return False;
675 }
676
677 in_uint8s(s, 8); /* modulus_bits, unknown */
678 in_uint8a(s, exponent, SEC_EXPONENT_SIZE);
679 in_uint8a(s, modulus, modulus_len);
680 in_uint8s(s, SEC_PADDING_SIZE);
681 g_server_public_key_len = modulus_len;
682
683 return s_check(s);
684 }
685
686 /* Parse a public signature structure */
687 static RD_BOOL
688 sec_parse_public_sig(STREAM s, uint32 len, uint8 * modulus, uint8 * exponent)
689 {
690 uint8 signature[SEC_MAX_MODULUS_SIZE];
691 uint8 signature_[SEC_MAX_MODULUS_SIZE];
692 uint32 sig_len;
693
694 if (len != 72)
695 {
696 return True;
697 }
698 memset(signature, 0, sizeof(signature));
699 sig_len = len - 8;
700 in_uint8a(s, signature, sig_len);
701 if(sec_sign_ok((char *)exponent, SEC_EXPONENT_SIZE, (char *)modulus, g_server_public_key_len,
702 (char *)signature_, SEC_MODULUS_SIZE, (char *)signature, sig_len, (char *)g_testkey))
703 {
704 DEBUG_RDP5(("key signature doesn't match test key\n"));
705 }
706 return s_check(s);
707 }
708
709 /* Parse a crypto information structure */
710 static RD_BOOL
711 sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size,
712 uint8 ** server_random, uint8 * modulus, uint8 * exponent)
713 {
714 uint32 crypt_level, random_len, rsa_info_len;
715 uint32 /*cacert_len, cert_len,*/ flags;
716 //RDSSL_CERT *cacert, *server_cert;
717 //RDSSL_RKEY *server_public_key;
718 uint16 tag, length;
719 uint8 *next_tag, *end;
720
721 in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */
722 in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
723 if (crypt_level == 0)
724 {
725 /* no encryption */
726 return False;
727 }
728
729 in_uint32_le(s, random_len);
730 in_uint32_le(s, rsa_info_len);
731
732 if (random_len != SEC_RANDOM_SIZE)
733 {
734 error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
735 return False;
736 }
737
738 in_uint8p(s, *server_random, random_len);
739
740 /* RSA info */
741 end = s->p + rsa_info_len;
742 if (end > s->end)
743 return False;
744
745 in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
746 if (flags & 1)
747 {
748 DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
749 in_uint8s(s, 8); /* unknown */
750
751 while (s->p < end)
752 {
753 in_uint16_le(s, tag);
754 in_uint16_le(s, length);
755
756 next_tag = s->p + length;
757
758 switch (tag)
759 {
760 case SEC_TAG_PUBKEY:
761 if (!sec_parse_public_key(s, modulus, exponent))
762 return False;
763 DEBUG_RDP5(("Got Public key, RDP4-style\n"));
764
765 break;
766
767 case SEC_TAG_KEYSIG:
768 if (!sec_parse_public_sig(s, length, modulus, exponent))
769 return False;
770 break;
771
772 default:
773 unimpl("crypt tag 0x%x\n", tag);
774 }
775
776 s->p = next_tag;
777 }
778 }
779 else
780 {
781 #if 0
782 uint32 certcount;
783
784 DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
785 in_uint32_le(s, certcount); /* Number of certificates */
786 if (certcount < 2)
787 {
788 error("Server didn't send enough X509 certificates\n");
789 return False;
790 }
791 for (; certcount > 2; certcount--)
792 { /* ignore all the certificates between the root and the signing CA */
793 uint32 ignorelen;
794 RDSSL_CERT *ignorecert;
795
796 DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
797 in_uint32_le(s, ignorelen);
798 DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
799 ignorecert = rdssl_cert_read(s->p, ignorelen);
800 in_uint8s(s, ignorelen);
801 if (ignorecert == NULL)
802 { /* XXX: error out? */
803 DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
804 }
805
806 #ifdef WITH_DEBUG_RDP5
807 DEBUG_RDP5(("cert #%d (ignored):\n", certcount));
808 rdssl_cert_print_fp(stdout, ignorecert);
809 #endif
810 }
811 /* Do da funky X.509 stuffy
812
813 "How did I find out about this? I looked up and saw a
814 bright light and when I came to I had a scar on my forehead
815 and knew about X.500"
816 - Peter Gutman in a early version of
817 http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
818 */
819 in_uint32_le(s, cacert_len);
820 DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len));
821 cacert = rdssl_cert_read(s->p, cacert_len);
822 in_uint8s(s, cacert_len);
823 if (NULL == cacert)
824 {
825 error("Couldn't load CA Certificate from server\n");
826 return False;
827 }
828 in_uint32_le(s, cert_len);
829 DEBUG_RDP5(("Certificate length is %d\n", cert_len));
830 server_cert = rdssl_cert_read(s->p, cert_len);
831 in_uint8s(s, cert_len);
832 if (NULL == server_cert)
833 {
834 rdssl_cert_free(cacert);
835 error("Couldn't load Certificate from server\n");
836 return False;
837 }
838 if (!rdssl_certs_ok(server_cert, cacert))
839 {
840 rdssl_cert_free(server_cert);
841 rdssl_cert_free(cacert);
842 error("Security error CA Certificate invalid\n");
843 return False;
844 }
845 rdssl_cert_free(cacert);
846 in_uint8s(s, 16); /* Padding */
847 server_public_key = rdssl_cert_to_rkey(server_cert, &g_server_public_key_len);
848 if (NULL == server_public_key)
849 {
850 DEBUG_RDP5(("Didn't parse X509 correctly\n"));
851 rdssl_cert_free(server_cert);
852 return False;
853 }
854 rdssl_cert_free(server_cert);
855 if ((g_server_public_key_len < SEC_MODULUS_SIZE) ||
856 (g_server_public_key_len > SEC_MAX_MODULUS_SIZE))
857 {
858 error("Bad server public key size (%u bits)\n",
859 g_server_public_key_len * 8);
860 rdssl_rkey_free(server_public_key);
861 return False;
862 }
863 if (rdssl_rkey_get_exp_mod(server_public_key, exponent, SEC_EXPONENT_SIZE,
864 modulus, SEC_MAX_MODULUS_SIZE) != 0)
865 {
866 error("Problem extracting RSA exponent, modulus");
867 rdssl_rkey_free(server_public_key);
868 return False;
869 }
870 rdssl_rkey_free(server_public_key);
871 return True; /* There's some garbage here we don't care about */
872 #endif
873 }
874 return s_check_end(s);
875 }
876
877 /* Process crypto information blob */
878 static void
879 sec_process_crypt_info(STREAM s)
880 {
881 uint8 *server_random = NULL;
882 uint8 modulus[SEC_MAX_MODULUS_SIZE];
883 uint8 exponent[SEC_EXPONENT_SIZE];
884 uint32 rc4_key_size;
885
886 memset(modulus, 0, sizeof(modulus));
887 memset(exponent, 0, sizeof(exponent));
888 if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, modulus, exponent))
889 {
890 DEBUG(("Failed to parse crypt info\n"));
891 return;
892 }
893 DEBUG(("Generating client random\n"));
894 generate_random(g_client_random);
895 sec_rsa_encrypt(g_sec_crypted_random, g_client_random, SEC_RANDOM_SIZE,
896 g_server_public_key_len, modulus, exponent);
897 sec_generate_keys(g_client_random, server_random, rc4_key_size);
898 }
899
900
901 /* Process SRV_INFO, find RDP version supported by server */
902 static void
903 sec_process_srv_info(STREAM s)
904 {
905 in_uint16_le(s, g_server_rdp_version);
906 DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version));
907 if (1 == g_server_rdp_version)
908 {
909 g_rdp_version = RDP_V4;
910 g_server_depth = 8;
911 }
912 }
913
914
915 /* Process connect response data blob */
916 void
917 sec_process_mcs_data(STREAM s)
918 {
919 uint16 tag, length;
920 uint8 *next_tag;
921 uint8 len;
922
923 in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */
924 in_uint8(s, len);
925 if (len & 0x80)
926 in_uint8(s, len);
927
928 while (s->p < s->end)
929 {
930 in_uint16_le(s, tag);
931 in_uint16_le(s, length);
932
933 if (length <= 4)
934 return;
935
936 next_tag = s->p + length - 4;
937
938 switch (tag)
939 {
940 case SEC_TAG_SRV_INFO:
941 sec_process_srv_info(s);
942 break;
943
944 case SEC_TAG_SRV_CRYPT:
945 sec_process_crypt_info(s);
946 break;
947
948 case SEC_TAG_SRV_CHANNELS:
949 /* FIXME: We should parse this information and
950 use it to map RDP5 channels to MCS
951 channels */
952 break;
953
954 default:
955 unimpl("response tag 0x%x\n", tag);
956 }
957
958 s->p = next_tag;
959 }
960 }
961
962 /* Receive secure transport packet */
963 STREAM
964 sec_recv(uint8 * rdpver)
965 {
966 uint32 sec_flags;
967 uint16 channel;
968 STREAM s;
969
970 while ((s = mcs_recv(&channel, rdpver)) != NULL)
971 {
972 if (rdpver != NULL)
973 {
974 if (*rdpver != 3)
975 {
976 if (*rdpver & 0x80)
977 {
978 in_uint8s(s, 8); /* signature */
979 sec_decrypt(s->p, s->end - s->p);
980 }
981 return s;
982 }
983 }
984 if (g_encryption || (!g_licence_issued && !g_licence_error_result))
985 {
986 in_uint32_le(s, sec_flags);
987
988 if (g_encryption)
989 {
990 if (sec_flags & SEC_ENCRYPT)
991 {
992 in_uint8s(s, 8); /* signature */
993 sec_decrypt(s->p, s->end - s->p);
994 }
995
996 if (sec_flags & SEC_LICENCE_NEG)
997 {
998 licence_process(s);
999 continue;
1000 }
1001
1002 if (sec_flags & 0x0400) /* SEC_REDIRECT_ENCRYPT */
1003 {
1004 uint8 swapbyte;
1005
1006 in_uint8s(s, 8); /* signature */
1007 sec_decrypt(s->p, s->end - s->p);
1008
1009 /* Check for a redirect packet, starts with 00 04 */
1010 if (s->p[0] == 0 && s->p[1] == 4)
1011 {
1012 /* for some reason the PDU and the length seem to be swapped.
1013 This isn't good, but we're going to do a byte for byte
1014 swap. So the first four values appear as: 00 04 XX YY,
1015 where XX YY is the little endian length. We're going to
1016 use 04 00 as the PDU type, so after our swap this will look
1017 like: XX YY 04 00 */
1018 swapbyte = s->p[0];
1019 s->p[0] = s->p[2];
1020 s->p[2] = swapbyte;
1021
1022 swapbyte = s->p[1];
1023 s->p[1] = s->p[3];
1024 s->p[3] = swapbyte;
1025
1026 swapbyte = s->p[2];
1027 s->p[2] = s->p[3];
1028 s->p[3] = swapbyte;
1029 }
1030 #ifdef WITH_DEBUG
1031 /* warning! this debug statement will show passwords in the clear! */
1032 hexdump(s->p, s->end - s->p);
1033 #endif
1034 }
1035 }
1036 else
1037 {
1038 if ((sec_flags & 0xffff) == SEC_LICENCE_NEG)
1039 {
1040 licence_process(s);
1041 continue;
1042 }
1043 s->p -= 4;
1044 }
1045 }
1046
1047 if (channel != MCS_GLOBAL_CHANNEL)
1048 {
1049 channel_process(s, channel);
1050 if (rdpver != NULL)
1051 *rdpver = 0xff;
1052 return s;
1053 }
1054
1055 return s;
1056 }
1057
1058 return NULL;
1059 }
1060
1061 /* Establish a secure connection */
1062 RD_BOOL
1063 sec_connect(char *server, char *username, char *domain, char *password, RD_BOOL reconnect)
1064 {
1065 uint32 selected_proto;
1066 struct stream mcs_data;
1067
1068 /* Start a MCS connect sequence */
1069 if (!mcs_connect_start(server, username, domain, password, reconnect, &selected_proto))
1070 return False;
1071
1072 /* We exchange some RDP data during the MCS-Connect */
1073 mcs_data.size = 512;
1074 mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size);
1075 sec_out_mcs_data(&mcs_data, selected_proto);
1076
1077 /* finalize the MCS connect sequence */
1078 if (!mcs_connect_finalize(&mcs_data))
1079 return False;
1080
1081 /* sec_process_mcs_data(&mcs_data); */
1082 if (g_encryption)
1083 sec_establish_key();
1084 xfree(mcs_data.data);
1085 return True;
1086 }
1087
1088 /* Disconnect a connection */
1089 void
1090 sec_disconnect(void)
1091 {
1092 mcs_disconnect();
1093 }
1094
1095 /* reset the state of the sec layer */
1096 void
1097 sec_reset_state(void)
1098 {
1099 g_server_rdp_version = 0;
1100 g_sec_encrypt_use_count = 0;
1101 g_sec_decrypt_use_count = 0;
1102 g_licence_issued = 0;
1103 g_licence_error_result = 0;
1104 mcs_reset_state();
1105 }
A free Windows-compatible Operating System