| 29 |
extern char g_hostname[16]; |
extern char g_hostname[16]; |
| 30 |
extern int g_width; |
extern int g_width; |
| 31 |
extern int g_height; |
extern int g_height; |
| 32 |
extern int g_keylayout; |
extern unsigned int g_keylayout; |
| 33 |
extern int g_keyboard_type; |
extern int g_keyboard_type; |
| 34 |
extern int g_keyboard_subtype; |
extern int g_keyboard_subtype; |
| 35 |
extern int g_keyboard_functionkeys; |
extern int g_keyboard_functionkeys; |
| 37 |
extern BOOL g_licence_issued; |
extern BOOL g_licence_issued; |
| 38 |
extern BOOL g_use_rdp5; |
extern BOOL g_use_rdp5; |
| 39 |
extern BOOL g_console_session; |
extern BOOL g_console_session; |
| 40 |
extern int g_server_bpp; |
extern int g_server_depth; |
| 41 |
extern uint16 mcs_userid; |
extern uint16 mcs_userid; |
| 42 |
extern VCHANNEL g_channels[]; |
extern VCHANNEL g_channels[]; |
| 43 |
extern unsigned int g_num_channels; |
extern unsigned int g_num_channels; |
| 56 |
|
|
| 57 |
uint16 g_server_rdp_version = 0; |
uint16 g_server_rdp_version = 0; |
| 58 |
|
|
| 59 |
|
/* These values must be available to reset state - Session Directory */ |
| 60 |
|
static int sec_encrypt_use_count = 0; |
| 61 |
|
static int sec_decrypt_use_count = 0; |
| 62 |
|
|
| 63 |
/* |
/* |
| 64 |
* I believe this is based on SSLv3 with the following differences: |
* I believe this is based on SSLv3 with the following differences: |
| 65 |
* MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields |
* MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields |
| 255 |
static void |
static void |
| 256 |
sec_encrypt(uint8 * data, int length) |
sec_encrypt(uint8 * data, int length) |
| 257 |
{ |
{ |
| 258 |
static int use_count; |
if (sec_encrypt_use_count == 4096) |
|
|
|
|
if (use_count == 4096) |
|
| 259 |
{ |
{ |
| 260 |
sec_update(sec_encrypt_key, sec_encrypt_update_key); |
sec_update(sec_encrypt_key, sec_encrypt_update_key); |
| 261 |
RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); |
RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); |
| 262 |
use_count = 0; |
sec_encrypt_use_count = 0; |
| 263 |
} |
} |
| 264 |
|
|
| 265 |
RC4(&rc4_encrypt_key, length, data, data); |
RC4(&rc4_encrypt_key, length, data, data); |
| 266 |
use_count++; |
sec_encrypt_use_count++; |
| 267 |
} |
} |
| 268 |
|
|
| 269 |
/* Decrypt data using RC4 */ |
/* Decrypt data using RC4 */ |
| 270 |
void |
void |
| 271 |
sec_decrypt(uint8 * data, int length) |
sec_decrypt(uint8 * data, int length) |
| 272 |
{ |
{ |
| 273 |
static int use_count; |
if (sec_decrypt_use_count == 4096) |
|
|
|
|
if (use_count == 4096) |
|
| 274 |
{ |
{ |
| 275 |
sec_update(sec_decrypt_key, sec_decrypt_update_key); |
sec_update(sec_decrypt_key, sec_decrypt_update_key); |
| 276 |
RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); |
RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); |
| 277 |
use_count = 0; |
sec_decrypt_use_count = 0; |
| 278 |
} |
} |
| 279 |
|
|
| 280 |
RC4(&rc4_decrypt_key, length, data, data); |
RC4(&rc4_decrypt_key, length, data, data); |
| 281 |
use_count++; |
sec_decrypt_use_count++; |
| 282 |
} |
} |
| 283 |
|
|
| 284 |
static void |
static void |
| 459 |
out_uint16_le(s, 1); |
out_uint16_le(s, 1); |
| 460 |
|
|
| 461 |
out_uint32(s, 0); |
out_uint32(s, 0); |
| 462 |
out_uint8(s, g_server_bpp); |
out_uint8(s, g_server_depth); |
| 463 |
out_uint16_le(s, 0x0700); |
out_uint16_le(s, 0x0700); |
| 464 |
out_uint8(s, 0); |
out_uint8(s, 0); |
| 465 |
out_uint32_le(s, 1); |
out_uint32_le(s, 1); |
| 533 |
if (OBJ_obj2nid(cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption) |
if (OBJ_obj2nid(cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption) |
| 534 |
{ |
{ |
| 535 |
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); |
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); |
| 536 |
|
ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm); |
| 537 |
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); |
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); |
| 538 |
} |
} |
| 539 |
epk = X509_get_pubkey(cert); |
epk = X509_get_pubkey(cert); |
| 543 |
return False; |
return False; |
| 544 |
} |
} |
| 545 |
|
|
| 546 |
server_public_key = (RSA *) epk->pkey.ptr; |
server_public_key = RSAPublicKey_dup((RSA *) epk->pkey.ptr); |
| 547 |
|
|
| 548 |
|
EVP_PKEY_free(epk); |
| 549 |
|
|
| 550 |
return True; |
return True; |
| 551 |
} |
} |
| 683 |
MITM-attacks. |
MITM-attacks. |
| 684 |
*/ |
*/ |
| 685 |
|
|
| 686 |
|
X509_free(cacert); |
| 687 |
|
|
| 688 |
in_uint32_le(s, cert_len); |
in_uint32_le(s, cert_len); |
| 689 |
DEBUG_RDP5(("Certificate length is %d\n", cert_len)); |
DEBUG_RDP5(("Certificate length is %d\n", cert_len)); |
| 690 |
server_cert = d2i_X509(NULL, &(s->p), cert_len); |
server_cert = d2i_X509(NULL, &(s->p), cert_len); |
| 703 |
if (!sec_parse_x509_key(server_cert)) |
if (!sec_parse_x509_key(server_cert)) |
| 704 |
{ |
{ |
| 705 |
DEBUG_RDP5(("Didn't parse X509 correctly\n")); |
DEBUG_RDP5(("Didn't parse X509 correctly\n")); |
| 706 |
|
X509_free(server_cert); |
| 707 |
return False; |
return False; |
| 708 |
} |
} |
| 709 |
|
X509_free(server_cert); |
| 710 |
return True; /* There's some garbage here we don't care about */ |
return True; /* There's some garbage here we don't care about */ |
| 711 |
} |
} |
| 712 |
return s_check_end(s); |
return s_check_end(s); |
| 752 |
|
|
| 753 |
reverse(sec_crypted_random, SEC_MODULUS_SIZE); |
reverse(sec_crypted_random, SEC_MODULUS_SIZE); |
| 754 |
|
|
| 755 |
|
RSA_free(server_public_key); |
| 756 |
|
server_public_key = NULL; |
| 757 |
} |
} |
| 758 |
else |
else |
| 759 |
{ /* RDP4-style encryption */ |
{ /* RDP4-style encryption */ |
| 773 |
if (1 == g_server_rdp_version) |
if (1 == g_server_rdp_version) |
| 774 |
{ |
{ |
| 775 |
g_use_rdp5 = 0; |
g_use_rdp5 = 0; |
| 776 |
g_server_bpp = 8; |
g_server_depth = 8; |
| 777 |
} |
} |
| 778 |
} |
} |
| 779 |
|
|
| 862 |
licence_process(s); |
licence_process(s); |
| 863 |
continue; |
continue; |
| 864 |
} |
} |
| 865 |
|
|
| 866 |
|
if (sec_flags & 0x0400) /* SEC_REDIRECT_ENCRYPT */ |
| 867 |
|
{ |
| 868 |
|
uint8 swapbyte; |
| 869 |
|
|
| 870 |
|
in_uint8s(s, 8); /* signature */ |
| 871 |
|
sec_decrypt(s->p, s->end - s->p); |
| 872 |
|
|
| 873 |
|
/* Check for a redirect packet, starts with 00 04 */ |
| 874 |
|
if (s->p[0] == 0 && s->p[1] == 4) |
| 875 |
|
{ |
| 876 |
|
/* for some reason the PDU and the length seem to be swapped. |
| 877 |
|
This isn't good, but we're going to do a byte for byte |
| 878 |
|
swap. So the first foure value appear as: 00 04 XX YY, |
| 879 |
|
where XX YY is the little endian length. We're going to |
| 880 |
|
use 04 00 as the PDU type, so after our swap this will look |
| 881 |
|
like: XX YY 04 00 */ |
| 882 |
|
swapbyte = s->p[0]; |
| 883 |
|
s->p[0] = s->p[2]; |
| 884 |
|
s->p[2] = swapbyte; |
| 885 |
|
|
| 886 |
|
swapbyte = s->p[1]; |
| 887 |
|
s->p[1] = s->p[3]; |
| 888 |
|
s->p[3] = swapbyte; |
| 889 |
|
|
| 890 |
|
swapbyte = s->p[2]; |
| 891 |
|
s->p[2] = s->p[3]; |
| 892 |
|
s->p[3] = swapbyte; |
| 893 |
|
} |
| 894 |
|
#ifdef WITH_DEBUG |
| 895 |
|
/* warning! this debug statement will show passwords in the clear! */ |
| 896 |
|
hexdump(s->p, s->end - s->p); |
| 897 |
|
#endif |
| 898 |
|
} |
| 899 |
|
|
| 900 |
} |
} |
| 901 |
|
|
| 902 |
if (channel != MCS_GLOBAL_CHANNEL) |
if (channel != MCS_GLOBAL_CHANNEL) |
| 933 |
return True; |
return True; |
| 934 |
} |
} |
| 935 |
|
|
| 936 |
|
/* Establish a secure connection */ |
| 937 |
|
BOOL |
| 938 |
|
sec_reconnect(char *server) |
| 939 |
|
{ |
| 940 |
|
struct stream mcs_data; |
| 941 |
|
|
| 942 |
|
/* We exchange some RDP data during the MCS-Connect */ |
| 943 |
|
mcs_data.size = 512; |
| 944 |
|
mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size); |
| 945 |
|
sec_out_mcs_data(&mcs_data); |
| 946 |
|
|
| 947 |
|
if (!mcs_reconnect(server, &mcs_data)) |
| 948 |
|
return False; |
| 949 |
|
|
| 950 |
|
/* sec_process_mcs_data(&mcs_data); */ |
| 951 |
|
if (g_encryption) |
| 952 |
|
sec_establish_key(); |
| 953 |
|
xfree(mcs_data.data); |
| 954 |
|
return True; |
| 955 |
|
} |
| 956 |
|
|
| 957 |
/* Disconnect a connection */ |
/* Disconnect a connection */ |
| 958 |
void |
void |
| 959 |
sec_disconnect(void) |
sec_disconnect(void) |
| 960 |
{ |
{ |
| 961 |
mcs_disconnect(); |
mcs_disconnect(); |
| 962 |
} |
} |
| 963 |
|
|
| 964 |
|
/* reset the state of the sec layer */ |
| 965 |
|
void |
| 966 |
|
sec_reset_state(void) |
| 967 |
|
{ |
| 968 |
|
g_server_rdp_version = 0; |
| 969 |
|
sec_encrypt_use_count = 0; |
| 970 |
|
sec_decrypt_use_count = 0; |
| 971 |
|
mcs_reset_state(); |
| 972 |
|
} |
Parent Directory
| 
Revision Log
| 
Patch