secure.c@ 86011

Last change on this file since 86011 was 76779, checked in by vboxsync, 6 years ago

RDP: add client-1.8.4.
bugref:9356: Update rdesktop-vrdp to 1.8.4
client-1.8.4 is a Subversion copy of 1.8.3 with the upstream 1.8.3 to 1.8.4
patch applied and a couple of fixes and changes after review, namely:

Stopped disabling the new pointer data format for our build, as this is no

longer needed.

Adjusted some snprintf buffers to make GCC happy.

Property svn:eol-style set to native
Property svn:keywords set to Author Date Id Revision

File size: 24.7 KB

Line
1	/* -- c-basic-offset: 8 --
2	rdesktop: A Remote Desktop Protocol client.
3	Protocol services - RDP encryption and licensing
4	Copyright (C) Matthew Chapman <matthewc.unsw.edu.au> 1999-2008
5	Copyright 2005-2011 Peter Astrand <astrand@cendio.se> for Cendio AB
6
7	This program is free software: you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation, either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20
21	/*
22	* Oracle GPL Disclaimer: For the avoidance of doubt, except that if any license choice
23	* other than GPL or LGPL is available it will apply instead, Oracle elects to use only
24	* the General Public License version 2 (GPLv2) at this time for any software where
25	* a choice of GPL license versions is made available with the language indicating
26	* that GPLv2 or any later version may be used, or where a choice of which version
27	* of the GPL is applied is otherwise unspecified.
28	*/
29
30	#include "rdesktop.h"
31	#include "ssl.h"
32
33	extern char g_hostname[16];
34	extern int g_width;
35	extern int g_height;
36	extern unsigned int g_keylayout;
37	extern int g_keyboard_type;
38	extern int g_keyboard_subtype;
39	extern int g_keyboard_functionkeys;
40	extern RD_BOOL g_encryption;
41	extern RD_BOOL g_licence_issued;
42	extern RD_BOOL g_licence_error_result;
43	extern RDP_VERSION g_rdp_version;
44	extern RD_BOOL g_console_session;
45	extern uint32 g_redirect_session_id;
46	extern int g_server_depth;
47	extern VCHANNEL g_channels[];
48	extern unsigned int g_num_channels;
49	extern uint8 g_client_random[SEC_RANDOM_SIZE];
50
51	static int g_rc4_key_len;
52	static RDSSL_RC4 g_rc4_decrypt_key;
53	static RDSSL_RC4 g_rc4_encrypt_key;
54	static uint32 g_server_public_key_len;
55
56	static uint8 g_sec_sign_key[16];
57	static uint8 g_sec_decrypt_key[16];
58	static uint8 g_sec_encrypt_key[16];
59	static uint8 g_sec_decrypt_update_key[16];
60	static uint8 g_sec_encrypt_update_key[16];
61	static uint8 g_sec_crypted_random[SEC_MAX_MODULUS_SIZE];
62
63	uint16 g_server_rdp_version = 0;
64
65	/* These values must be available to reset state - Session Directory */
66	static int g_sec_encrypt_use_count = 0;
67	static int g_sec_decrypt_use_count = 0;
68
69	/*
70	* I believe this is based on SSLv3 with the following differences:
71	* MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields
72	* MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other
73	* key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC'
74	* key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key)
75	* encryption/decryption keys updated every 4096 packets
76	* See http://wp.netscape.com/eng/ssl3/draft302.txt
77	*/
78
79	/*
80	* 48-byte transformation used to generate master secret (6.1) and key material (6.2.2).
81	* Both SHA1 and MD5 algorithms are used.
82	*/
83	void
84	sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt)
85	{
86	uint8 shasig[20];
87	uint8 pad[4];
88	RDSSL_SHA1 sha1;
89	RDSSL_MD5 md5;
90	int i;
91
92	for (i = 0; i < 3; i++)
93	{
94	memset(pad, salt + i, i + 1);
95
96	rdssl_sha1_init(&sha1);
97	rdssl_sha1_update(&sha1, pad, i + 1);
98	rdssl_sha1_update(&sha1, in, 48);
99	rdssl_sha1_update(&sha1, salt1, 32);
100	rdssl_sha1_update(&sha1, salt2, 32);
101	rdssl_sha1_final(&sha1, shasig);
102
103	rdssl_md5_init(&md5);
104	rdssl_md5_update(&md5, in, 48);
105	rdssl_md5_update(&md5, shasig, 20);
106	rdssl_md5_final(&md5, &out[i * 16]);
107	}
108	}
109
110	/*
111	* 16-byte transformation used to generate export keys (6.2.2).
112	*/
113	void
114	sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2)
115	{
116	RDSSL_MD5 md5;
117
118	rdssl_md5_init(&md5);
119	rdssl_md5_update(&md5, in, 16);
120	rdssl_md5_update(&md5, salt1, 32);
121	rdssl_md5_update(&md5, salt2, 32);
122	rdssl_md5_final(&md5, out);
123	}
124
125	/*
126	* 16-byte sha1 hash
127	*/
128	void
129	sec_hash_sha1_16(uint8 * out, uint8 * in, uint8 * salt1)
130	{
131	RDSSL_SHA1 sha1;
132	rdssl_sha1_init(&sha1);
133	rdssl_sha1_update(&sha1, in, 16);
134	rdssl_sha1_update(&sha1, salt1, 16);
135	rdssl_sha1_final(&sha1, out);
136	}
137
138	/* create string from hash */
139	void
140	sec_hash_to_string(char out, int out_size, uint8 in, int in_size)
141	{
142	int k;
143	memset(out, 0, out_size);
144	for (k = 0; k < in_size; k++, out += 2)
145	{
146	sprintf(out, "%.2x", in[k]);
147	}
148	}
149
150	/* Reduce key entropy from 64 to 40 bits */
151	static void
152	sec_make_40bit(uint8 * key)
153	{
154	key[0] = 0xd1;
155	key[1] = 0x26;
156	key[2] = 0x9e;
157	}
158
159	/* Generate encryption keys given client and server randoms */
160	static void
161	sec_generate_keys(uint8 * client_random, uint8 * server_random, int rc4_key_size)
162	{
163	uint8 pre_master_secret[48];
164	uint8 master_secret[48];
165	uint8 key_block[48];
166
167	/* Construct pre-master secret */
168	memcpy(pre_master_secret, client_random, 24);
169	memcpy(pre_master_secret + 24, server_random, 24);
170
171	/* Generate master secret and then key material */
172	sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A');
173	sec_hash_48(key_block, master_secret, client_random, server_random, 'X');
174
175	/* First 16 bytes of key material is MAC secret */
176	memcpy(g_sec_sign_key, key_block, 16);
177
178	/* Generate export keys from next two blocks of 16 bytes */
179	sec_hash_16(g_sec_decrypt_key, &key_block[16], client_random, server_random);
180	sec_hash_16(g_sec_encrypt_key, &key_block[32], client_random, server_random);
181
182	if (rc4_key_size == 1)
183	{
184	DEBUG(("40-bit encryption enabled\n"));
185	sec_make_40bit(g_sec_sign_key);
186	sec_make_40bit(g_sec_decrypt_key);
187	sec_make_40bit(g_sec_encrypt_key);
188	g_rc4_key_len = 8;
189	}
190	else
191	{
192	DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
193	g_rc4_key_len = 16;
194	}
195
196	/* Save initial RC4 keys as update keys */
197	memcpy(g_sec_decrypt_update_key, g_sec_decrypt_key, 16);
198	memcpy(g_sec_encrypt_update_key, g_sec_encrypt_key, 16);
199
200	/* Initialise RC4 state arrays */
201	rdssl_rc4_set_key(&g_rc4_decrypt_key, g_sec_decrypt_key, g_rc4_key_len);
202	rdssl_rc4_set_key(&g_rc4_encrypt_key, g_sec_encrypt_key, g_rc4_key_len);
203	}
204
205	static uint8 pad_54[40] = {
206	54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
207	54, 54, 54,
208	54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
209	54, 54, 54
210	};
211
212	static uint8 pad_92[48] = {
213	92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
214	92, 92, 92, 92, 92, 92, 92,
215	92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
216	92, 92, 92, 92, 92, 92, 92
217	};
218
219	/* Output a uint32 into a buffer (little-endian) */
220	void
221	buf_out_uint32(uint8 * buffer, uint32 value)
222	{
223	buffer[0] = (value) & 0xff;
224	buffer[1] = (value >> 8) & 0xff;
225	buffer[2] = (value >> 16) & 0xff;
226	buffer[3] = (value >> 24) & 0xff;
227	}
228
229	/* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */
230	void
231	sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen)
232	{
233	uint8 shasig[20];
234	uint8 md5sig[16];
235	uint8 lenhdr[4];
236	RDSSL_SHA1 sha1;
237	RDSSL_MD5 md5;
238
239	buf_out_uint32(lenhdr, datalen);
240
241	rdssl_sha1_init(&sha1);
242	rdssl_sha1_update(&sha1, session_key, keylen);
243	rdssl_sha1_update(&sha1, pad_54, 40);
244	rdssl_sha1_update(&sha1, lenhdr, 4);
245	rdssl_sha1_update(&sha1, data, datalen);
246	rdssl_sha1_final(&sha1, shasig);
247
248	rdssl_md5_init(&md5);
249	rdssl_md5_update(&md5, session_key, keylen);
250	rdssl_md5_update(&md5, pad_92, 48);
251	rdssl_md5_update(&md5, shasig, 20);
252	rdssl_md5_final(&md5, md5sig);
253
254	memcpy(signature, md5sig, siglen);
255	}
256
257	/* Update an encryption key */
258	static void
259	sec_update(uint8 * key, uint8 * update_key)
260	{
261	uint8 shasig[20];
262	RDSSL_SHA1 sha1;
263	RDSSL_MD5 md5;
264	RDSSL_RC4 update;
265
266	rdssl_sha1_init(&sha1);
267	rdssl_sha1_update(&sha1, update_key, g_rc4_key_len);
268	rdssl_sha1_update(&sha1, pad_54, 40);
269	rdssl_sha1_update(&sha1, key, g_rc4_key_len);
270	rdssl_sha1_final(&sha1, shasig);
271
272	rdssl_md5_init(&md5);
273	rdssl_md5_update(&md5, update_key, g_rc4_key_len);
274	rdssl_md5_update(&md5, pad_92, 48);
275	rdssl_md5_update(&md5, shasig, 20);
276	rdssl_md5_final(&md5, key);
277
278	rdssl_rc4_set_key(&update, key, g_rc4_key_len);
279	rdssl_rc4_crypt(&update, key, key, g_rc4_key_len);
280
281	if (g_rc4_key_len == 8)
282	sec_make_40bit(key);
283	}
284
285	/* Encrypt data using RC4 */
286	static void
287	sec_encrypt(uint8 * data, int length)
288	{
289	if (g_sec_encrypt_use_count == 4096)
290	{
291	sec_update(g_sec_encrypt_key, g_sec_encrypt_update_key);
292	rdssl_rc4_set_key(&g_rc4_encrypt_key, g_sec_encrypt_key, g_rc4_key_len);
293	g_sec_encrypt_use_count = 0;
294	}
295
296	rdssl_rc4_crypt(&g_rc4_encrypt_key, data, data, length);
297	g_sec_encrypt_use_count++;
298	}
299
300	/* Decrypt data using RC4 */
301	void
302	sec_decrypt(uint8 * data, int length)
303	{
304	if (length <= 0)
305	return;
306
307	if (g_sec_decrypt_use_count == 4096)
308	{
309	sec_update(g_sec_decrypt_key, g_sec_decrypt_update_key);
310	rdssl_rc4_set_key(&g_rc4_decrypt_key, g_sec_decrypt_key, g_rc4_key_len);
311	g_sec_decrypt_use_count = 0;
312	}
313
314	rdssl_rc4_crypt(&g_rc4_decrypt_key, data, data, length);
315	g_sec_decrypt_use_count++;
316	}
317
318	/* Perform an RSA public key encryption operation */
319	static void
320	sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus,
321	uint8 * exponent)
322	{
323	rdssl_rsa_encrypt(out, in, len, modulus_size, modulus, exponent);
324	}
325
326	/* Initialise secure transport packet */
327	STREAM
328	sec_init(uint32 flags, int maxlen)
329	{
330	int hdrlen;
331	STREAM s;
332
333	if (!g_licence_issued && !g_licence_error_result)
334	hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4;
335	else
336	hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0;
337	s = mcs_init(maxlen + hdrlen);
338	s_push_layer(s, sec_hdr, hdrlen);
339
340	return s;
341	}
342
343	/* Transmit secure transport packet over specified channel */
344	void
345	sec_send_to_channel(STREAM s, uint32 flags, uint16 channel)
346	{
347	int datalen;
348
349	#ifdef WITH_SCARD
350	scard_lock(SCARD_LOCK_SEC);
351	#endif
352
353	s_pop_layer(s, sec_hdr);
354	if ((!g_licence_issued && !g_licence_error_result) \|\| (flags & SEC_ENCRYPT))
355	out_uint32_le(s, flags);
356
357	if (flags & SEC_ENCRYPT)
358	{
359	flags &= ~SEC_ENCRYPT;
360	datalen = s->end - s->p - 8;
361
362	#if WITH_DEBUG
363	DEBUG(("Sending encrypted packet:\n"));
364	hexdump(s->p + 8, datalen);
365	#endif
366
367	sec_sign(s->p, 8, g_sec_sign_key, g_rc4_key_len, s->p + 8, datalen);
368	sec_encrypt(s->p + 8, datalen);
369	}
370
371	mcs_send_to_channel(s, channel);
372
373	#ifdef WITH_SCARD
374	scard_unlock(SCARD_LOCK_SEC);
375	#endif
376	}
377
378	/* Transmit secure transport packet */
379
380	void
381	sec_send(STREAM s, uint32 flags)
382	{
383	sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL);
384	}
385
386
387	/* Transfer the client random to the server */
388	static void
389	sec_establish_key(void)
390	{
391	uint32 length = g_server_public_key_len + SEC_PADDING_SIZE;
392	uint32 flags = SEC_CLIENT_RANDOM;
393	STREAM s;
394
395	s = sec_init(flags, length + 4);
396
397	out_uint32_le(s, length);
398	out_uint8p(s, g_sec_crypted_random, g_server_public_key_len);
399	out_uint8s(s, SEC_PADDING_SIZE);
400
401	s_mark_end(s);
402	sec_send(s, flags);
403	}
404
405	/* Output connect initial data blob */
406	static void
407	sec_out_mcs_data(STREAM s, uint32 selected_protocol)
408	{
409	int hostlen = 2 * strlen(g_hostname);
410	int length = 162 + 76 + 12 + 4;
411	unsigned int i;
412
413	if (g_num_channels > 0)
414	length += g_num_channels * 12 + 8;
415
416	if (hostlen > 30)
417	hostlen = 30;
418
419	/* Generic Conference Control (T.124) ConferenceCreateRequest */
420	out_uint16_be(s, 5);
421	out_uint16_be(s, 0x14);
422	out_uint8(s, 0x7c);
423	out_uint16_be(s, 1);
424
425	out_uint16_be(s, (length \| 0x8000)); /* remaining length */
426
427	out_uint16_be(s, 8); /* length? */
428	out_uint16_be(s, 16);
429	out_uint8(s, 0);
430	out_uint16_le(s, 0xc001);
431	out_uint8(s, 0);
432
433	out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */
434	out_uint16_be(s, ((length - 14) \| 0x8000)); /* remaining length */
435
436	/* Client information */
437	out_uint16_le(s, SEC_TAG_CLI_INFO);
438	out_uint16_le(s, 216); /* length */
439	out_uint16_le(s, (g_rdp_version >= RDP_V5) ? 4 : 1); /* RDP version. 1 == RDP4, 4 >= RDP5 to RDP8 */
440	out_uint16_le(s, 8);
441	out_uint16_le(s, g_width);
442	out_uint16_le(s, g_height);
443	out_uint16_le(s, 0xca01);
444	out_uint16_le(s, 0xaa03);
445	out_uint32_le(s, g_keylayout);
446	out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */
447
448	/* Unicode name of client, padded to 32 bytes */
449	rdp_out_unistr(s, g_hostname, hostlen);
450	out_uint8s(s, 30 - hostlen);
451
452	/* See
453	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */
454	out_uint32_le(s, g_keyboard_type);
455	out_uint32_le(s, g_keyboard_subtype);
456	out_uint32_le(s, g_keyboard_functionkeys);
457	out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */
458	out_uint16_le(s, 0xca01); /* colour depth? */
459	out_uint16_le(s, 1);
460
461	out_uint32(s, 0);
462	out_uint8(s, g_server_depth);
463	out_uint16_le(s, 0x0700);
464	out_uint8(s, 0);
465	out_uint32_le(s, 1);
466	out_uint8s(s, 64);
467	out_uint32_le(s, selected_protocol); /* End of client info */
468
469	/* Write a Client Cluster Data (TS_UD_CS_CLUSTER) */
470	uint32 cluster_flags = 0;
471	out_uint16_le(s, SEC_TAG_CLI_CLUSTER); /* header.type */
472	out_uint16_le(s, 12); /* length */
473
474	cluster_flags \|= SEC_CC_REDIRECTION_SUPPORTED;
475	cluster_flags \|= (SEC_CC_REDIRECT_VERSION_3 << 2);
476
477	if (g_console_session \|\| g_redirect_session_id != 0)
478	cluster_flags \|= SEC_CC_REDIRECT_SESSIONID_FIELD_VALID;
479
480	out_uint32_le(s, cluster_flags);
481	out_uint32(s, g_redirect_session_id);
482
483	/* Client encryption settings */
484	out_uint16_le(s, SEC_TAG_CLI_CRYPT);
485	out_uint16_le(s, 12); /* length */
486	out_uint32_le(s, g_encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */
487	out_uint32(s, 0); /* Unknown */
488
489	DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels));
490	if (g_num_channels > 0)
491	{
492	out_uint16_le(s, SEC_TAG_CLI_CHANNELS);
493	out_uint16_le(s, g_num_channels * 12 + 8); /* length */
494	out_uint32_le(s, g_num_channels); /* number of virtual channels */
495	for (i = 0; i < g_num_channels; i++)
496	{
497	DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name));
498	out_uint8a(s, g_channels[i].name, 8);
499	out_uint32_be(s, g_channels[i].flags);
500	}
501	}
502
503	s_mark_end(s);
504	}
505
506	/* Parse a public key structure */
507	static RD_BOOL
508	sec_parse_public_key(STREAM s, uint8 * modulus, uint8 * exponent)
509	{
510	uint32 magic, modulus_len;
511
512	in_uint32_le(s, magic);
513	if (magic != SEC_RSA_MAGIC)
514	{
515	error("RSA magic 0x%x\n", magic);
516	return False;
517	}
518
519	in_uint32_le(s, modulus_len);
520	modulus_len -= SEC_PADDING_SIZE;
521	if ((modulus_len < SEC_MODULUS_SIZE) \|\| (modulus_len > SEC_MAX_MODULUS_SIZE))
522	{
523	error("Bad server public key size (%u bits)\n", modulus_len * 8);
524	return False;
525	}
526
527	in_uint8s(s, 8); /* modulus_bits, unknown */
528	in_uint8a(s, exponent, SEC_EXPONENT_SIZE);
529	in_uint8a(s, modulus, modulus_len);
530	in_uint8s(s, SEC_PADDING_SIZE);
531	g_server_public_key_len = modulus_len;
532
533	return s_check(s);
534	}
535
536	/* Parse a public signature structure */
537	static RD_BOOL
538	sec_parse_public_sig(STREAM s, uint32 len, uint8 * modulus, uint8 * exponent)
539	{
540	uint8 signature[SEC_MAX_MODULUS_SIZE];
541	uint32 sig_len;
542
543	if (len != 72)
544	{
545	return True;
546	}
547	memset(signature, 0, sizeof(signature));
548	sig_len = len - 8;
549	in_uint8a(s, signature, sig_len);
550	return rdssl_sig_ok(exponent, SEC_EXPONENT_SIZE, modulus, g_server_public_key_len,
551	signature, sig_len);
552	}
553
554	/* Parse a crypto information structure */
555	static RD_BOOL
556	sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size,
557	uint8 ** server_random, uint8 * modulus, uint8 * exponent)
558	{
559	uint32 crypt_level, random_len, rsa_info_len;
560	uint32 cacert_len, cert_len, flags;
561	RDSSL_CERT cacert, server_cert;
562	RDSSL_RKEY *server_public_key;
563	uint16 tag, length;
564	uint8 next_tag, end;
565	struct stream packet = *s;
566
567	in_uint32_le(s, rc4_key_size); / 1 = 40-bit, 2 = 128-bit */
568	in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
569	if (crypt_level == 0)
570	{
571	/* no encryption */
572	return False;
573	}
574
575	in_uint32_le(s, random_len);
576	in_uint32_le(s, rsa_info_len);
577
578	if (random_len != SEC_RANDOM_SIZE)
579	{
580	error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
581	return False;
582	}
583
584	in_uint8p(s, *server_random, random_len);
585
586	/* RSA info */
587	end = s->p + rsa_info_len;
588	if (end > s->end)
589	return False;
590
591	in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
592	if (flags & 1)
593	{
594	DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
595	in_uint8s(s, 8); /* unknown */
596
597	while (s->p < end)
598	{
599	in_uint16_le(s, tag);
600	in_uint16_le(s, length);
601
602	next_tag = s->p + length;
603
604	switch (tag)
605	{
606	case SEC_TAG_PUBKEY:
607	if (!sec_parse_public_key(s, modulus, exponent))
608	return False;
609	DEBUG_RDP5(("Got Public key, RDP4-style\n"));
610
611	break;
612
613	case SEC_TAG_KEYSIG:
614	if (!sec_parse_public_sig(s, length, modulus, exponent))
615	return False;
616	break;
617
618	default:
619	unimpl("crypt tag 0x%x\n", tag);
620	}
621
622	s->p = next_tag;
623	}
624	}
625	else
626	{
627	uint32 certcount;
628
629	DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
630	in_uint32_le(s, certcount); /* Number of certificates */
631	if (certcount < 2)
632	{
633	error("Server didn't send enough X509 certificates\n");
634	return False;
635	}
636	for (; certcount > 2; certcount--)
637	{ /* ignore all the certificates between the root and the signing CA */
638	uint32 ignorelen;
639	RDSSL_CERT *ignorecert;
640
641	DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
642	in_uint32_le(s, ignorelen);
643	DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
644
645	if (!s_check_rem(s, ignorelen))
646	{
647	rdp_protocol_error("sec_parse_crypt_info(), consume ignored certificate from stream would overrun",
648	&packet);
649	}
650
651	ignorecert = rdssl_cert_read(s->p, ignorelen);
652	in_uint8s(s, ignorelen);
653	if (ignorecert == NULL)
654	{ /* XXX: error out? */
655	DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
656	}
657
658	#ifdef WITH_DEBUG_RDP5
659	DEBUG_RDP5(("cert #%d (ignored):\n", certcount));
660	rdssl_cert_print_fp(stdout, ignorecert);
661	#endif
662	}
663	/* Do da funky X.509 stuffy
664
665	"How did I find out about this? I looked up and saw a
666	bright light and when I came to I had a scar on my forehead
667	and knew about X.500"
668	- Peter Gutman in a early version of
669	http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
670	*/
671	in_uint32_le(s, cacert_len);
672	DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len));
673	cacert = rdssl_cert_read(s->p, cacert_len);
674	in_uint8s(s, cacert_len);
675	if (NULL == cacert)
676	{
677	error("Couldn't load CA Certificate from server\n");
678	return False;
679	}
680	in_uint32_le(s, cert_len);
681	DEBUG_RDP5(("Certificate length is %d\n", cert_len));
682	server_cert = rdssl_cert_read(s->p, cert_len);
683	in_uint8s(s, cert_len);
684	if (NULL == server_cert)
685	{
686	rdssl_cert_free(cacert);
687	error("Couldn't load Certificate from server\n");
688	return False;
689	}
690	if (!rdssl_certs_ok(server_cert, cacert))
691	{
692	rdssl_cert_free(server_cert);
693	rdssl_cert_free(cacert);
694	error("Security error CA Certificate invalid\n");
695	return False;
696	}
697	rdssl_cert_free(cacert);
698	in_uint8s(s, 16); /* Padding */
699	server_public_key = rdssl_cert_to_rkey(server_cert, &g_server_public_key_len);
700	if (NULL == server_public_key)
701	{
702	DEBUG_RDP5(("Didn't parse X509 correctly\n"));
703	rdssl_cert_free(server_cert);
704	return False;
705	}
706	rdssl_cert_free(server_cert);
707	if ((g_server_public_key_len < SEC_MODULUS_SIZE) \|\|
708	(g_server_public_key_len > SEC_MAX_MODULUS_SIZE))
709	{
710	error("Bad server public key size (%u bits)\n",
711	g_server_public_key_len * 8);
712	rdssl_rkey_free(server_public_key);
713	return False;
714	}
715	if (rdssl_rkey_get_exp_mod(server_public_key, exponent, SEC_EXPONENT_SIZE,
716	modulus, SEC_MAX_MODULUS_SIZE) != 0)
717	{
718	error("Problem extracting RSA exponent, modulus");
719	rdssl_rkey_free(server_public_key);
720	return False;
721	}
722	rdssl_rkey_free(server_public_key);
723	return True; /* There's some garbage here we don't care about */
724	}
725	return s_check_end(s);
726	}
727
728	/* Process crypto information blob */
729	static void
730	sec_process_crypt_info(STREAM s)
731	{
732	uint8 *server_random = NULL;
733	uint8 modulus[SEC_MAX_MODULUS_SIZE];
734	uint8 exponent[SEC_EXPONENT_SIZE];
735	uint32 rc4_key_size;
736
737	memset(modulus, 0, sizeof(modulus));
738	memset(exponent, 0, sizeof(exponent));
739	if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, modulus, exponent))
740	{
741	DEBUG(("Failed to parse crypt info\n"));
742	return;
743	}
744	DEBUG(("Generating client random\n"));
745	generate_random(g_client_random);
746	sec_rsa_encrypt(g_sec_crypted_random, g_client_random, SEC_RANDOM_SIZE,
747	g_server_public_key_len, modulus, exponent);
748	sec_generate_keys(g_client_random, server_random, rc4_key_size);
749	}
750
751
752	/* Process SRV_INFO, find RDP version supported by server */
753	static void
754	sec_process_srv_info(STREAM s)
755	{
756	in_uint16_le(s, g_server_rdp_version);
757	DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version));
758	if (1 == g_server_rdp_version)
759	{
760	g_rdp_version = RDP_V4;
761	g_server_depth = 8;
762	}
763	}
764
765
766	/* Process connect response data blob */
767	void
768	sec_process_mcs_data(STREAM s)
769	{
770	uint16 tag, length;
771	uint8 *next_tag;
772	uint8 len;
773
774	in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */
775	in_uint8(s, len);
776	if (len & 0x80)
777	in_uint8(s, len);
778
779	while (s->p < s->end)
780	{
781	in_uint16_le(s, tag);
782	in_uint16_le(s, length);
783
784	if (length <= 4)
785	return;
786
787	next_tag = s->p + length - 4;
788
789	switch (tag)
790	{
791	case SEC_TAG_SRV_INFO:
792	sec_process_srv_info(s);
793	break;
794
795	case SEC_TAG_SRV_CRYPT:
796	sec_process_crypt_info(s);
797	break;
798
799	case SEC_TAG_SRV_CHANNELS:
800	/* FIXME: We should parse this information and
801	use it to map RDP5 channels to MCS
802	channels */
803	break;
804
805	default:
806	unimpl("response tag 0x%x\n", tag);
807	}
808
809	s->p = next_tag;
810	}
811	}
812
813	/* Receive secure transport packet */
814	STREAM
815	sec_recv(uint8 * rdpver)
816	{
817	uint32 sec_flags;
818	uint16 channel;
819	STREAM s;
820	struct stream packet;
821
822	while ((s = mcs_recv(&channel, rdpver)) != NULL)
823	{
824	packet = *s;
825	if (rdpver != NULL)
826	{
827	if (*rdpver != 3)
828	{
829	if (*rdpver & 0x80)
830	{
831	if (!s_check_rem(s, 8)) {
832	rdp_protocol_error("sec_recv(), consume fastpath signature from stream would overrun", &packet);
833	}
834
835	in_uint8s(s, 8); /* signature */
836	sec_decrypt(s->p, s->end - s->p);
837	}
838	return s;
839	}
840	}
841	if (g_encryption \|\| (!g_licence_issued && !g_licence_error_result))
842	{
843	in_uint32_le(s, sec_flags);
844
845	if (g_encryption)
846	{
847	if (sec_flags & SEC_ENCRYPT)
848	{
849	if (!s_check_rem(s, 8)) {
850	rdp_protocol_error("sec_recv(), consume encrypt signature from stream would overrun", &packet);
851	}
852
853	in_uint8s(s, 8); /* signature */
854	sec_decrypt(s->p, s->end - s->p);
855	}
856
857	if (sec_flags & SEC_LICENCE_NEG)
858	{
859	licence_process(s);
860	continue;
861	}
862
863	if (sec_flags & 0x0400) /* SEC_REDIRECT_ENCRYPT */
864	{
865	uint8 swapbyte;
866
867	if (!s_check_rem(s, 8)) {
868	rdp_protocol_error("sec_recv(), consume redirect signature from stream would overrun", &packet);
869	}
870
871	in_uint8s(s, 8); /* signature */
872	sec_decrypt(s->p, s->end - s->p);
873
874	/* Check for a redirect packet, starts with 00 04 */
875	if (s->p[0] == 0 && s->p[1] == 4)
876	{
877	/* for some reason the PDU and the length seem to be swapped.
878	This isn't good, but we're going to do a byte for byte
879	swap. So the first foure value appear as: 00 04 XX YY,
880	where XX YY is the little endian length. We're going to
881	use 04 00 as the PDU type, so after our swap this will look
882	like: XX YY 04 00 */
883	swapbyte = s->p[0];
884	s->p[0] = s->p[2];
885	s->p[2] = swapbyte;
886
887	swapbyte = s->p[1];
888	s->p[1] = s->p[3];
889	s->p[3] = swapbyte;
890
891	swapbyte = s->p[2];
892	s->p[2] = s->p[3];
893	s->p[3] = swapbyte;
894	}
895	#ifdef WITH_DEBUG
896	/* warning! this debug statement will show passwords in the clear! */
897	hexdump(s->p, s->end - s->p);
898	#endif
899	}
900	}
901	else
902	{
903	if ((sec_flags & 0xffff) == SEC_LICENCE_NEG)
904	{
905	licence_process(s);
906	continue;
907	}
908	s->p -= 4;
909	}
910	}
911
912	if (channel != MCS_GLOBAL_CHANNEL)
913	{
914	channel_process(s, channel);
915	if (rdpver != NULL)
916	*rdpver = 0xff;
917	return s;
918	}
919
920	return s;
921	}
922
923	return NULL;
924	}
925
926	/* Establish a secure connection */
927	RD_BOOL
928	sec_connect(char server, char username, char domain, char password, RD_BOOL reconnect)
929	{
930	uint32 selected_proto;
931	struct stream mcs_data;
932
933	/* Start a MCS connect sequence */
934	if (!mcs_connect_start(server, username, domain, password, reconnect, &selected_proto))
935	return False;
936
937	/* We exchange some RDP data during the MCS-Connect */
938	mcs_data.size = 512;
939	mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size);
940	sec_out_mcs_data(&mcs_data, selected_proto);
941
942	/* finialize the MCS connect sequence */
943	if (!mcs_connect_finalize(&mcs_data))
944	return False;
945
946	/* sec_process_mcs_data(&mcs_data); */
947	if (g_encryption)
948	sec_establish_key();
949	xfree(mcs_data.data);
950	return True;
951	}
952
953	/* Disconnect a connection */
954	void
955	sec_disconnect(void)
956	{
957	mcs_disconnect();
958	}
959
960	/* reset the state of the sec layer */
961	void
962	sec_reset_state(void)
963	{
964	g_server_rdp_version = 0;
965	g_sec_encrypt_use_count = 0;
966	g_sec_decrypt_use_count = 0;
967	g_licence_issued = 0;
968	g_licence_error_result = 0;
969	mcs_reset_state();
970	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/RDP/client-1.8.4/secure.c@ 86011

Download in other formats: