X-Git-Url: https://git.sesse.net/?p=rdpsrv;a=blobdiff_plain;f=secure.c;h=cf9867664a9a155e32c07bfa5d331757dd881133;hp=9147cbc21ba3b8903adc967866da4fa977af69e9;hb=HEAD;hpb=63fa9a9043d4a58ee7994e669bcc566f09bc9e9b diff --git a/secure.c b/secure.c index 9147cbc..cf98676 100644 --- a/secure.c +++ b/secure.c @@ -31,7 +31,7 @@ extern int g_width; extern int g_height; extern int keylayout; extern BOOL g_encryption; -extern BOOL g_licence_issued; +BOOL g_licence_issued; extern BOOL g_use_rdp5; extern BOOL g_console_session; extern int g_server_bpp; @@ -39,18 +39,20 @@ extern uint16 mcs_userid; extern VCHANNEL g_channels[]; extern unsigned int g_num_channels; -static int rc4_key_len; +int rc4_key_len; static RC4_KEY rc4_decrypt_key; static RC4_KEY rc4_encrypt_key; static RSA *server_public_key; -static uint8 sec_sign_key[16]; +uint8 sec_sign_key[16]; static uint8 sec_decrypt_key[16]; static uint8 sec_encrypt_key[16]; static uint8 sec_decrypt_update_key[16]; static uint8 sec_encrypt_update_key[16]; static uint8 sec_crypted_random[SEC_MODULUS_SIZE]; +RSA *privkey; + uint16 g_server_rdp_version = 0; /* @@ -154,6 +156,21 @@ sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size) /* Initialise RC4 state arrays */ RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); + + { + int i; + printf("sec_decrypt_key: "); + for (i = 0; i < 16; ++i) + printf("0x%02x ", sec_decrypt_key[i]); + printf("\n"); + + printf("sec_encrypt_key: "); + for (i = 0; i < 16; ++i) + printf("0x%02x ", sec_encrypt_key[i]); + printf("\n"); + } + + g_encryption = 1; } static uint8 pad_54[40] = { @@ -237,19 +254,19 @@ sec_update(uint8 * key, uint8 * update_key) } /* Encrypt data using RC4 */ -static void +void sec_encrypt(uint8 * data, int length) { static int use_count; if (use_count == 4096) { - sec_update(sec_encrypt_key, sec_encrypt_update_key); - RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); + sec_update(sec_decrypt_key, sec_decrypt_update_key); + RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); use_count = 0; } - RC4(&rc4_encrypt_key, length, data, data); + RC4(&rc4_decrypt_key, length, data, data); use_count++; } @@ -261,12 +278,12 @@ sec_decrypt(uint8 * data, int length) if (use_count == 4096) { - sec_update(sec_decrypt_key, sec_decrypt_update_key); - RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); + sec_update(sec_encrypt_key, sec_encrypt_update_key); + RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); use_count = 0; } - RC4(&rc4_decrypt_key, length, data, data); + RC4(&rc4_encrypt_key, length, data, data); use_count++; } @@ -327,10 +344,11 @@ sec_init(uint32 flags, int maxlen) int hdrlen; STREAM s; - /*if (!g_licence_issued) */ + if (!g_licence_issued) hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4; -/* else - hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; */ + else + hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; + printf("HDRLEN is %u\n", hdrlen); s = mcs_init(maxlen + hdrlen); s_push_layer(s, sec_hdr, hdrlen); @@ -343,21 +361,25 @@ sec_send_to_channel(STREAM s, uint32 flags, uint16 channel) { int datalen; +// DEBUG(("sending packet to channel %u\n", channel)); + s_pop_layer(s, sec_hdr); -// if (!g_licence_issued || (flags & SEC_ENCRYPT)) + if (!g_licence_issued || (flags & SEC_ENCRYPT)) { out_uint32_le(s, flags); + } if (flags & SEC_ENCRYPT) { flags &= ~SEC_ENCRYPT; datalen = s->end - s->p - 8; -#if WITH_DEBUG +#if WITH_DEBUG && 0 DEBUG(("Sending encrypted packet:\n")); hexdump(s->p + 8, datalen); #endif sec_sign(s->p, 8, sec_sign_key, rc4_key_len, s->p + 8, datalen); + printf("First byte of signature is 0x%x, at %p\n", (s->p)[0], s->p); sec_encrypt(s->p + 8, datalen); } @@ -711,6 +733,39 @@ sec_process_mcs_data(STREAM s) } } +extern unsigned char cacert[]; +extern BOOL g_licence_issued; + +unsigned char result_license[] = { + 0xff, 0x03, 0x10, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xa0, 0x5f, 0x00, 0x00 +}; +unsigned char demand_active[] = { + 0x24, 0x01, 0x11, 0x00, 0xea, 0x03, 0xea, 0x03, 0x01, 0x00, 0x04, 0x00, 0x0e, 0x01, 0x52, 0x44, + 0x50, 0x00, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x08, 0x00, 0xea, 0x03, 0x40, 0xe4, 0x01, 0x00, + 0x18, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x0e, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1c, 0x00, 0x08, 0x00, + 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x20, 0x03, 0x58, 0x02, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x42, 0x0f, 0x00, 0x01, 0x00, + 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x22, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, + 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0xa1, 0x06, 0x00, 0x00, 0x40, 0x42, + 0x0f, 0x00, 0x40, 0x42, 0x0f, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x06, 0x00, 0x00, 0x00, 0x12, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, + 0x0a, 0x00, 0x01, 0x00, 0x19, 0x00, 0x19, 0x00, 0x0d, 0x00, 0x58, 0x00, 0x35, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0xed, 0xbf, 0xa5, 0xcd, 0xb1, 0xae, 0xbe, + 0x88, 0x35, 0x56, 0xe5, 0xc2, 0x01, 0xaf, 0xbe, 0xc8, 0xed, 0xbf, 0xa5, 0x8c, 0x33, 0x40, 0xe4, + 0x08, 0x30, 0x40, 0xe4, 0x01, 0x00, 0x00, 0x00, 0x08, 0x30, 0x40, 0xe4, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0xed, 0xbf, 0xa5, 0x34, 0xf5, 0xae, 0xbe, 0x08, 0x30, 0x40, 0xe4, 0xb4, 0xed, 0xbf, 0xa5, + 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x19, 0x00, 0x19, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 +}; + +#define EXPECT8(value) { in_uint8(s, unknown); if (unknown != (value)) printf("Unknown value on code line %u; expected 0x%x, got 0x%x\n", __LINE__, (value), unknown); } +#define EXPECT16(value) { in_uint16_le(s, unknown); if (unknown != (value)) printf("Unknown value on code line %u; expected 0x%x, got 0x%x\n", __LINE__, (value), unknown); } +#define EXPECT32(value) { in_uint32_le(s, unknown); if (unknown != (value)) printf("Unknown value on code line %u; expected 0x%x, got 0x%x\n", __LINE__, (value), unknown); } + + /* Receive secure transport packet */ STREAM sec_recv(void) @@ -719,31 +774,83 @@ sec_recv(void) uint16 channel; STREAM s; - while ((s = mcs_recv(&channel)) != NULL) + if ((s = mcs_recv(&channel)) != NULL) { if (/*g_encryption || !g_licence_issued*/ 1) { in_uint32_le(s, sec_flags); - printf("sec_flags=%x\n", sec_flags); if (sec_flags & SEC_ENCRYPT) { - printf("encrypt\n"); in_uint8s(s, 8); /* signature */ sec_decrypt(s->p, s->end - s->p); } if (sec_flags & SEC_LICENCE_NEG) { - printf("SEC_LICENSE_NEG unknown\n"); - //licence_process(s); - continue; + uint8 tag; + in_uint8(s, tag); + + printf("License tag %x, unimplemented\n", tag); + + return NULL; } if (sec_flags & SEC_LOGON_INFO) { - printf("Received logon packet!\n"); + rdp_get_logon_info(s); + + // say "licensing is OK", then demand + // activity + { + STREAM s; + s = sec_init(SEC_LICENCE_NEG, sizeof(result_license)); + out_uint8p(s, result_license, sizeof(result_license)); + s_mark_end(s); + sec_send(s, SEC_LICENCE_NEG); + } + + { + STREAM s; + s = sec_init(SEC_ENCRYPT, sizeof(demand_active)); + out_uint8p(s, demand_active, sizeof(demand_active)); + s_mark_end(s); + sec_send(s, SEC_ENCRYPT); + } + + return NULL; + } + if (sec_flags & SEC_CLIENT_RANDOM) { + uint32 length; + uint8 inr[SEC_MODULUS_SIZE]; + int i; + + in_uint32_le(s, length); + if (length != SEC_MODULUS_SIZE + SEC_PADDING_SIZE) { + error("Client random was wrong size, %u bytes\n", length); + } + in_uint8a(s, sec_crypted_random, SEC_MODULUS_SIZE); + in_uint8s(s, SEC_PADDING_SIZE); + if (!s_check_end(s)) { + error("Junk after client random\n"); + } + + reverse(sec_crypted_random, SEC_MODULUS_SIZE); + + RSA_private_decrypt(SEC_MODULUS_SIZE, sec_crypted_random, inr, privkey, RSA_NO_PADDING); + + reverse(inr + SEC_RANDOM_SIZE, SEC_RANDOM_SIZE); + + printf("Unencrypted client random: "); + for (i = 0; i < SEC_RANDOM_SIZE; ++i) { + printf("0x%x ", inr[i + SEC_RANDOM_SIZE]); + } + printf("\n"); + + // now we can generate the keys + sec_generate_keys(inr + SEC_RANDOM_SIZE, cacert, 1); + return NULL; } } @@ -751,7 +858,7 @@ sec_recv(void) if (channel != MCS_GLOBAL_CHANNEL) { channel_process(s, channel); - continue; + return NULL; } return s;