--- sourceforge.net/trunk/rdesktop/secure.c 2003/12/10 08:02:59 557 +++ sourceforge.net/trunk/rdesktop/secure.c 2004/10/04 03:21:58 779 @@ -20,23 +20,16 @@ #include "rdesktop.h" -#ifdef WITH_OPENSSL #include #include #include #include #include -#else -#include "crypto/rc4.h" -#include "crypto/md5.h" -#include "crypto/sha.h" -#include "crypto/bn.h" -#endif -extern char hostname[16]; +extern char g_hostname[16]; extern int g_width; extern int g_height; -extern int keylayout; +extern int g_keylayout; extern BOOL g_encryption; extern BOOL g_licence_issued; extern BOOL g_use_rdp5; @@ -61,8 +54,17 @@ uint16 g_server_rdp_version = 0; /* - * General purpose 48-byte transformation, using two 32-byte salts (generally, - * a client and server salt) and a global salt value used for padding. + * I believe this is based on SSLv3 with the following differences: + * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields + * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other + * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC' + * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key) + * encryption/decryption keys updated every 4096 packets + * See http://wp.netscape.com/eng/ssl3/draft302.txt + */ + +/* + * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2). * Both SHA1 and MD5 algorithms are used. */ void @@ -93,8 +95,7 @@ } /* - * Weaker 16-byte transformation, also using two 32-byte salts, but - * only using a single round of MD5. + * 16-byte transformation used to generate export keys (6.2.2). */ void sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2) 
@@ -117,28 +118,28 @@ key[2] = 0x9e; } -/* Generate a session key and RC4 keys, given client and server randoms */ +/* Generate encryption keys given client and server randoms */ static void -sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size) +sec_generate_keys(uint8 * client_random, uint8 * server_random, int rc4_key_size) { - uint8 session_key[48]; - uint8 temp_hash[48]; - uint8 input[48]; - - /* Construct input data to hash */ - memcpy(input, client_key, 24); - memcpy(input + 24, server_key, 24); - - /* Generate session key - two rounds of sec_hash_48 */ - sec_hash_48(temp_hash, input, client_key, server_key, 65); - sec_hash_48(session_key, temp_hash, client_key, server_key, 88); - - /* Store first 16 bytes of session key, for generating signatures */ - memcpy(sec_sign_key, session_key, 16); - - /* Generate RC4 keys */ - sec_hash_16(sec_decrypt_key, &session_key[16], client_key, server_key); - sec_hash_16(sec_encrypt_key, &session_key[32], client_key, server_key); + uint8 pre_master_secret[48]; + uint8 master_secret[48]; + uint8 key_block[48]; + + /* Construct pre-master secret */ + memcpy(pre_master_secret, client_random, 24); + memcpy(pre_master_secret + 24, server_random, 24); + + /* Generate master secret and then key material */ + sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A'); + sec_hash_48(key_block, master_secret, client_random, server_random, 'X'); + + /* First 16 bytes of key material is MAC secret */ + memcpy(sec_sign_key, key_block, 16); + + /* Generate export keys from next two blocks of 16 bytes */ + sec_hash_16(sec_decrypt_key, &key_block[16], client_random, server_random); + sec_hash_16(sec_encrypt_key, &key_block[32], client_random, server_random); if (rc4_key_size == 1) { 
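Review bot: In sec_generate_keys the three 48-byte stack buffers `pre_master_secret`, `master_secret` and `key_block` hold the whole key hierarchy, and nothing visible in this hunk clears them once the MAC secret and the RC4 keys have been derived. The function continues past the hunk (the `if (rc4_key_size == 1)` branch), so confirm whether they are wiped before return. If they are not, wipe each one with a call the compiler cannot elide, e.g. `OPENSSL_cleanse(master_secret, sizeof(master_secret));`, since a plain `memset` just before return may be optimized away. A short comment noting that the pre-master secret is simply the first 24 bytes of each random would also help readers see that key secrecy rests on how `client_random` is protected in transit.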
@@ -187,7 +188,7 @@ buffer[3] = (value >> 24) & 0xff; } -/* Generate a signature hash, using a combination of SHA1 and MD5 */ +/* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */ void sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen) { @@ -215,7 +216,7 @@ memcpy(signature, md5sig, siglen); } -/* Update an encryption key - similar to the signing process */ +/* Update an encryption key */ static void sec_update(uint8 * key, uint8 * update_key) { @@ -402,7 +403,7 @@ static void sec_out_mcs_data(STREAM s) { - int hostlen = 2 * strlen(hostname); + int hostlen = 2 * strlen(g_hostname); int length = 158 + 76 + 12 + 4; unsigned int i; @@ -412,7 +413,8 @@ if (hostlen > 30) hostlen = 30; - out_uint16_be(s, 5); /* unknown */ + /* Generic Conference Control (T.124) ConferenceCreateRequest */ + out_uint16_be(s, 5); out_uint16_be(s, 0x14); out_uint8(s, 0x7c); out_uint16_be(s, 1); @@ -425,7 +427,7 @@ out_uint16_le(s, 0xc001); out_uint8(s, 0); - out_uint32_le(s, 0x61637544); /* "Duca" ?! */ + out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */ out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */ /* Client information */ 
@@ -437,33 +439,18 @@ out_uint16_le(s, g_height); out_uint16_le(s, 0xca01); out_uint16_le(s, 0xaa03); - out_uint32_le(s, keylayout); + out_uint32_le(s, g_keylayout); out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */ /* Unicode name of client, padded to 32 bytes */ - rdp_out_unistr(s, hostname, hostlen); + rdp_out_unistr(s, g_hostname, hostlen); out_uint8s(s, 30 - hostlen); out_uint32_le(s, 4); out_uint32(s, 0); out_uint32_le(s, 12); out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */ - - switch (g_server_bpp) - { - case 8: - out_uint16_le(s, 0xca01); - break; - case 15: - out_uint16_le(s, 0xca02); - break; - case 16: - out_uint16_le(s, 0xca03); - break; - case 24: - out_uint16_le(s, 0xca04); - break; - } + out_uint16_le(s, 0xca01); /* colour depth? */ out_uint16_le(s, 1); out_uint32(s, 0); @@ -628,16 +615,16 @@ uint32 certcount; DEBUG_RDP5(("We're going for the RDP5-style encryption\n")); - in_uint32_le(s, certcount); /* Number of certificates */ + in_uint32_le(s, certcount); /* Number of certificates */ - if(certcount < 2) + if (certcount < 2) { error("Server didn't send enough X509 certificates\n"); return False; } - for(; certcount > 2; certcount--) - { /* ignore all the certificates between the root and the signing CA */ + for (; certcount > 2; certcount--) + { /* ignore all the certificates between the root and the signing CA */ uint32 ignorelen; X509 *ignorecert; @@ -647,13 +634,13 @@ DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen)); ignorecert = d2i_X509(NULL, &(s->p), ignorelen); - if(ignorecert == NULL) - { /* XXX: error out? */ + if (ignorecert == NULL) + { /* XXX: error out? */ DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n")); } #ifdef WITH_DEBUG_RDP5 - DEBUG_RDP5(("cert #%d (ignored):\n",certcount)); + DEBUG_RDP5(("cert #%d (ignored):\n", certcount)); X509_print_fp(stdout, ignorecert); #endif } 
@@ -770,7 +757,10 @@ in_uint16_le(s, g_server_rdp_version); DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version)); if (1 == g_server_rdp_version) + { g_use_rdp5 = 0; + g_server_bpp = 8; + } } @@ -782,7 +772,7 @@ uint8 *next_tag; uint8 len; - in_uint8s(s, 21); /* header (T.124 stuff, probably) */ + in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */ in_uint8(s, len); if (len & 0x80) in_uint8(s, len); @@ -823,14 +813,26 @@ /* Receive secure transport packet */ STREAM -sec_recv(void) +sec_recv(uint8 * rdpver) { uint32 sec_flags; uint16 channel; STREAM s; - while ((s = mcs_recv(&channel)) != NULL) + while ((s = mcs_recv(&channel, rdpver)) != NULL) { + if (rdpver != NULL) + { + if (*rdpver != 3) + { + if (*rdpver & 0x80) + { + in_uint8s(s, 8); /* signature */ + sec_decrypt(s->p, s->end - s->p); + } + return s; + } + } if (g_encryption || !g_licence_issued) { in_uint32_le(s, sec_flags); @@ -851,7 +853,8 @@ if (channel != MCS_GLOBAL_CHANNEL) { channel_process(s, channel); - continue; + *rdpver = 0xff; + return s; } return s;
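Review bot: On the new fast path in sec_recv (`*rdpver != 3` with bit 0x80 set) the 8-byte signature is skipped by `in_uint8s(s, 8)` without confirming that eight bytes remain. A short packet would presumably leave `s->end - s->p` negative when it is passed to `sec_decrypt` as the length. Check before the skip, e.g. `if (s->end - s->p < 8) { error("short fast-path packet\n"); return NULL; }`, assuming callers treat NULL as a failed receive, as the loop condition suggests. The signature is also discarded rather than verified, so the payload is decrypted and returned with no integrity check; if that is deliberate, the `/* signature */` comment should say so. The function continues past this hunk.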
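Review bot: `*rdpver = 0xff;` dereferences `rdpver` unconditionally, while the code added at the top of the same loop treats NULL as a legal argument (`if (rdpver != NULL)`). A caller passing NULL would crash as soon as a packet arrives on a channel other than `MCS_GLOBAL_CHANNEL`; guard the store with `if (rdpver != NULL) *rdpver = 0xff;`. The value 0xff also acts as an in-band marker in the same byte that otherwise carries a version value, so it deserves a comment or a named constant stating what callers should do when they see it. sec_recv begins in the previous hunk and its closing lines are outside this one.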