FreeRDP
Loading...
Searching...
No Matches
rdpear_main.c
1
19#include <krb5.h>
20#include <errno.h>
21
22#include <winpr/assert.h>
23#include <winpr/wtypes.h>
24
25#include <winpr/crt.h>
26#include <winpr/wlog.h>
27#include <winpr/print.h>
28#include <winpr/asn1.h>
29#include <winpr/sspi.h>
30#include <winpr/collections.h>
31
32#include <rdpear-common/ndr.h>
33#include <rdpear-common/rdpear_common.h>
34#include <rdpear-common/rdpear_asn1.h>
35
36#include <freerdp/config.h>
37#include <freerdp/freerdp.h>
38#include <freerdp/addin.h>
39#include <freerdp/client/channels.h>
40#include <freerdp/channels/log.h>
41#include <freerdp/channels/rdpear.h>
42
43#define TAG CHANNELS_TAG("rdpear.client")
44
45#ifndef MAX_KEYTAB_NAME_LEN
46#define MAX_KEYTAB_NAME_LEN 1100 /* Defined in MIT krb5.h */
47#endif
48
49/* defined in libkrb5 */
50krb5_error_code encode_krb5_authenticator(const krb5_authenticator* rep, krb5_data** code_out);
51krb5_error_code encode_krb5_ap_rep(const krb5_ap_rep* rep, krb5_data** code_out);
52
53typedef struct
54{
55 GENERIC_DYNVC_PLUGIN base;
56 rdpContext* rdp_context;
57 krb5_context krbContext;
58} RDPEAR_PLUGIN;
59
60static const BYTE payloadHeader[16] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
62
63static krb5_error_code RPC_ENCRYPTION_KEY_to_keyblock(krb5_context ctx,
64 const KERB_RPC_ENCRYPTION_KEY* key,
65 krb5_keyblock** pkeyblock)
66{
67 WINPR_ASSERT(ctx);
68 WINPR_ASSERT(key);
69 WINPR_ASSERT(pkeyblock);
70
71 if (!key->reserved3.length)
72 return KRB5KDC_ERR_NULL_KEY;
73
74 krb5_error_code rv =
75 krb5_init_keyblock(ctx, (krb5_enctype)key->reserved2, key->reserved3.length, pkeyblock);
76 if (rv)
77 return rv;
78
79 krb5_keyblock* keyblock = *pkeyblock;
80 memcpy(keyblock->contents, key->reserved3.value, key->reserved3.length);
81 return rv;
82}
83
84static krb5_error_code kerb_do_checksum(krb5_context ctx, const KERB_RPC_ENCRYPTION_KEY* key,
85 krb5_keyusage kusage, krb5_cksumtype cksumtype,
86 const KERB_ASN1_DATA* plain, krb5_checksum* out)
87{
88 WINPR_ASSERT(ctx);
89 WINPR_ASSERT(key);
90 WINPR_ASSERT(plain);
91 WINPR_ASSERT(out);
92
93 krb5_keyblock* keyblock = NULL;
94 krb5_data data = { 0 };
95
96 krb5_error_code rv = RPC_ENCRYPTION_KEY_to_keyblock(ctx, key, &keyblock);
97 if (rv)
98 return rv;
99
100 data.data = (char*)plain->Asn1Buffer;
101 data.length = plain->Asn1BufferHints.count;
102
103 rv = krb5_c_make_checksum(ctx, cksumtype, keyblock, kusage, &data, out);
104
105 krb5_free_keyblock(ctx, keyblock);
106 return rv;
107}
108
109static krb5_error_code kerb_do_encrypt(krb5_context ctx, const KERB_RPC_ENCRYPTION_KEY* key,
110 krb5_keyusage kusage, const KERB_ASN1_DATA* plain,
111 krb5_data* out)
112{
113 WINPR_ASSERT(ctx);
114 WINPR_ASSERT(key);
115 WINPR_ASSERT(plain);
116 WINPR_ASSERT(out);
117
118 krb5_keyblock* keyblock = NULL;
119 krb5_data data = { 0 };
120 krb5_enc_data enc = { 0 };
121 size_t elen = 0;
122
123 krb5_error_code rv = RPC_ENCRYPTION_KEY_to_keyblock(ctx, key, &keyblock);
124 if (rv)
125 return rv;
126
127 data.data = (char*)plain->Asn1Buffer;
128 data.length = plain->Asn1BufferHints.count;
129
130 rv = krb5_c_encrypt_length(ctx, keyblock->enctype, data.length, &elen);
131 if (rv)
132 goto out;
133 if (!elen || (elen > UINT32_MAX))
134 {
135 rv = KRB5_PARSE_MALFORMED;
136 goto out;
137 }
138 enc.ciphertext.length = (unsigned int)elen;
139 enc.ciphertext.data = malloc(elen);
140 if (!enc.ciphertext.data)
141 {
142 rv = ENOMEM;
143 goto out;
144 }
145
146 rv = krb5_c_encrypt(ctx, keyblock, kusage, NULL, &data, &enc);
147
148 out->data = enc.ciphertext.data;
149 out->length = enc.ciphertext.length;
150out:
151 krb5_free_keyblock(ctx, keyblock);
152 return rv;
153}
154
155static krb5_error_code kerb_do_decrypt(krb5_context ctx, const KERB_RPC_ENCRYPTION_KEY* key,
156 krb5_keyusage kusage, const krb5_data* cipher,
157 KERB_ASN1_DATA* plain)
158{
159 WINPR_ASSERT(ctx);
160 WINPR_ASSERT(key);
161 WINPR_ASSERT(cipher);
162 WINPR_ASSERT(cipher->length);
163 WINPR_ASSERT(plain);
164
165 krb5_keyblock* keyblock = NULL;
166 krb5_data data = { 0 };
167 krb5_enc_data enc = { 0 };
168
169 krb5_error_code rv = RPC_ENCRYPTION_KEY_to_keyblock(ctx, key, &keyblock);
170 if (rv)
171 return rv;
172
173 enc.kvno = KRB5_PVNO;
174 enc.enctype = (krb5_enctype)key->reserved2;
175 enc.ciphertext.length = cipher->length;
176 enc.ciphertext.data = cipher->data;
177
178 data.length = cipher->length;
179 data.data = (char*)malloc(cipher->length);
180 if (!data.data)
181 {
182 rv = ENOMEM;
183 goto out;
184 }
185
186 rv = krb5_c_decrypt(ctx, keyblock, kusage, NULL, &enc, &data);
187
188 plain->Asn1Buffer = (BYTE*)data.data;
189 plain->Asn1BufferHints.count = data.length;
190out:
191 krb5_free_keyblock(ctx, keyblock);
192 return rv;
193}
194
195static BOOL rdpear_send_payload(RDPEAR_PLUGIN* rdpear, IWTSVirtualChannelCallback* pChannelCallback,
196 BOOL isKerb, wStream* payload)
197{
198 GENERIC_CHANNEL_CALLBACK* callback = (GENERIC_CHANNEL_CALLBACK*)pChannelCallback;
199 BOOL ret = FALSE;
200 wStream* finalStream = NULL;
201 SecBuffer cryptedBuffer = { 0 };
202 wStream* unencodedContent = rdpear_encodePayload(isKerb, payload);
203 if (!unencodedContent)
204 goto out;
205
206 const size_t unencodedLen = Stream_GetPosition(unencodedContent);
207
208#if UINT32_MAX < SIZE_MAX
209 if (unencodedLen > UINT32_MAX)
210 goto out;
211#endif
212
213 SecBuffer inBuffer = { (ULONG)unencodedLen, SECBUFFER_DATA, Stream_Buffer(unencodedContent) };
214
215 if (!freerdp_nla_encrypt(rdpear->rdp_context, &inBuffer, &cryptedBuffer))
216 goto out;
217
218 finalStream = Stream_New(NULL, 200);
219 if (!finalStream)
220 goto out;
221 Stream_Write_UINT32(finalStream, 0x4EACC3C8); /* ProtocolMagic (4 bytes) */
222 Stream_Write_UINT32(finalStream, cryptedBuffer.cbBuffer); /* Length (4 bytes) */
223 Stream_Write_UINT32(finalStream, 0x00000000); /* Version (4 bytes) */
224 Stream_Write_UINT32(finalStream, 0x00000000); /* Reserved (4 bytes) */
225 Stream_Write_UINT64(finalStream, 0); /* TsPkgContext (8 bytes) */
226
227 /* payload */
228 if (!Stream_EnsureRemainingCapacity(finalStream, cryptedBuffer.cbBuffer))
229 goto out;
230
231 Stream_Write(finalStream, cryptedBuffer.pvBuffer, cryptedBuffer.cbBuffer);
232
233 const size_t pos = Stream_GetPosition(finalStream);
234#if UINT32_MAX < SIZE_MAX
235 if (pos > UINT32_MAX)
236 goto out;
237#endif
238
239 UINT status =
240 callback->channel->Write(callback->channel, (ULONG)pos, Stream_Buffer(finalStream), NULL);
241 ret = (status == CHANNEL_RC_OK);
242 if (!ret)
243 WLog_DBG(TAG, "rdpear_send_payload=0x%x", status);
244out:
245 sspi_SecBufferFree(&cryptedBuffer);
246 Stream_Free(unencodedContent, TRUE);
247 Stream_Free(finalStream, TRUE);
248 return ret;
249}
250
251static BOOL rdpear_prepare_response(NdrContext* rcontext, BOOL isKerb, UINT16 callId, UINT32 status,
252 NdrContext** pwcontext, wStream* retStream)
253{
254 WINPR_ASSERT(rcontext);
255 WINPR_ASSERT(pwcontext);
256
257 BOOL ret = FALSE;
258 *pwcontext = NULL;
259 NdrContext* wcontext = ndr_context_copy(rcontext);
260 if (!wcontext)
261 return FALSE;
262
263 if (!Stream_EnsureRemainingCapacity(retStream, sizeof(payloadHeader)))
264 goto out;
265
266 Stream_Write(retStream, payloadHeader, sizeof(payloadHeader));
267
268 if (!ndr_write_header(wcontext, retStream) || !ndr_start_constructed(wcontext, retStream) ||
269 !ndr_write_pickle(wcontext, retStream)) /* pickle header */
270 goto out;
271 if (isKerb)
272 {
273 /* for some reason there's 4 zero undocumented bytes here after the pickle record
274 * in the kerberos package packets */
275 UINT32 v = 0;
276 if (!ndr_write_uint32(wcontext, retStream, v))
277 goto out;
278 }
279 if (!ndr_write_uint16(wcontext, retStream, callId) || /* callId */
280 !ndr_write_uint16(wcontext, retStream, 0x0000) || /* align padding */
281 !ndr_write_uint32(wcontext, retStream, status) || /* status */
282 !ndr_write_uint16(wcontext, retStream, callId) || /* callId */
283 !ndr_write_uint16(wcontext, retStream, 0x0000)) /* align padding */
284 goto out;
285
286 *pwcontext = wcontext;
287 ret = TRUE;
288out:
289 if (!ret)
290 ndr_context_destroy(&wcontext);
291 return ret;
292}
293
294static BOOL rdpear_kerb_version(NdrContext* rcontext, wStream* s, UINT32* pstatus, UINT32* pversion)
295{
296 *pstatus = ERROR_INVALID_DATA;
297
298 if (!ndr_read_uint32(rcontext, s, pversion))
299 return TRUE;
300
301 WLog_DBG(TAG, "-> KerbNegotiateVersion(v=0x%x)", *pversion);
302 *pstatus = 0;
303
304 return TRUE;
305}
306
307static BOOL rdpear_kerb_ComputeTgsChecksum(RDPEAR_PLUGIN* rdpear, NdrContext* rcontext, wStream* s,
308 UINT32* pstatus, KERB_ASN1_DATA* resp)
309{
310 ComputeTgsChecksumReq req = { 0 };
311 krb5_checksum checksum = { 0 };
312 wStream* asn1Payload = NULL;
313
314 *pstatus = ERROR_INVALID_DATA;
315 WLog_DBG(TAG, "-> ComputeTgsChecksum");
316
317 if (!ndr_read_ComputeTgsChecksumReq(rcontext, s, NULL, &req) ||
318 !ndr_treat_deferred_read(rcontext, s))
319 goto out;
320 // ComputeTgsChecksumReq_dump(WLog_Get(""), WLOG_DEBUG, &req);
321
322 krb5_error_code rv =
323 kerb_do_checksum(rdpear->krbContext, req.Key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
324 (krb5_cksumtype)req.ChecksumType, req.requestBody, &checksum);
325 if (rv)
326 goto out;
327
328 asn1Payload = rdpear_enc_Checksum(req.ChecksumType, &checksum);
329 if (!asn1Payload)
330 goto out;
331
332 resp->Pdu = 8;
333 resp->Asn1Buffer = Stream_Buffer(asn1Payload);
334 const size_t pos = Stream_GetPosition(asn1Payload);
335 if (pos > UINT32_MAX)
336 goto out;
337 resp->Asn1BufferHints.count = (UINT32)pos;
338 *pstatus = 0;
339
340out:
341 ndr_destroy_ComputeTgsChecksumReq(rcontext, NULL, &req);
342 krb5_free_checksum_contents(rdpear->krbContext, &checksum);
343 Stream_Free(asn1Payload, FALSE);
344 return TRUE;
345}
346
347static BOOL rdpear_kerb_BuildEncryptedAuthData(RDPEAR_PLUGIN* rdpear, NdrContext* rcontext,
348 wStream* s, UINT32* pstatus, KERB_ASN1_DATA* asn1)
349{
350 BuildEncryptedAuthDataReq req = { 0 };
351 krb5_data encrypted = { 0 };
352 wStream* asn1Payload = NULL;
353 krb5_error_code rv = 0;
354
355 *pstatus = ERROR_INVALID_DATA;
356 WLog_DBG(TAG, "-> BuildEncryptedAuthData");
357
358 if (!ndr_read_BuildEncryptedAuthDataReq(rcontext, s, NULL, &req) ||
359 !ndr_treat_deferred_read(rcontext, s))
360 goto out;
361
362 rv = kerb_do_encrypt(rdpear->krbContext, req.Key, (krb5_keyusage)req.KeyUsage,
363 req.PlainAuthData, &encrypted);
364 if (rv)
365 goto out;
366
367 /* do the encoding */
368 asn1Payload = rdpear_enc_EncryptedData(req.Key->reserved2, &encrypted);
369 if (!asn1Payload)
370 goto out;
371
372 // WLog_DBG(TAG, "rdpear_kerb_BuildEncryptedAuthData resp=");
373 // winpr_HexDump(TAG, WLOG_DEBUG, Stream_Buffer(asn1Payload), Stream_GetPosition(asn1Payload));
374 asn1->Pdu = 6;
375 asn1->Asn1Buffer = Stream_Buffer(asn1Payload);
376 const size_t pos = Stream_GetPosition(asn1Payload);
377 if (pos > UINT32_MAX)
378 goto out;
379 asn1->Asn1BufferHints.count = (UINT32)pos;
380 *pstatus = 0;
381
382out:
383 krb5_free_data_contents(rdpear->krbContext, &encrypted);
384 ndr_destroy_BuildEncryptedAuthDataReq(rcontext, NULL, &req);
385 Stream_Free(asn1Payload, FALSE);
386 return TRUE;
387}
388
389static char* KERB_RPC_UNICODESTR_to_charptr(const RPC_UNICODE_STRING* src)
390{
391 WINPR_ASSERT(src);
392 return ConvertWCharNToUtf8Alloc(src->Buffer, src->strLength, NULL);
393}
394
395static BOOL extractAuthData(const KERB_ASN1_DATA* src, krb5_authdata* authData, BOOL* haveData)
396{
397 WinPrAsn1Decoder dec = { 0 };
398 WinPrAsn1Decoder dec2 = { 0 };
399 WinPrAsn1Decoder dec3 = { 0 };
400 WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, src->Asn1Buffer, src->Asn1BufferHints.count);
401 BOOL error = FALSE;
402 WinPrAsn1_INTEGER adType = 0;
403 WinPrAsn1_OctetString os = { 0 };
404
405 *haveData = FALSE;
406 if (!WinPrAsn1DecReadSequence(&dec, &dec2))
407 return FALSE;
408
409 wStream subStream = WinPrAsn1DecGetStream(&dec2);
410 if (!Stream_GetRemainingLength(&subStream))
411 return TRUE;
412
413 if (!WinPrAsn1DecReadSequence(&dec2, &dec3))
414 return FALSE;
415
416 if (!WinPrAsn1DecReadContextualInteger(&dec3, 0, &error, &adType) ||
417 !WinPrAsn1DecReadContextualOctetString(&dec3, 1, &error, &os, FALSE))
418 return FALSE;
419
420 if (os.len > UINT32_MAX)
421 return FALSE;
422
423 authData->ad_type = adType;
424 authData->length = (unsigned int)os.len;
425 authData->contents = os.data;
426 *haveData = TRUE;
427 return TRUE;
428}
429
430static BOOL extractChecksum(const KERB_ASN1_DATA* src, krb5_checksum* dst)
431{
432 WinPrAsn1Decoder dec = { 0 };
433 WinPrAsn1Decoder dec2 = { 0 };
434 WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, src->Asn1Buffer, src->Asn1BufferHints.count);
435 BOOL error = FALSE;
436 WinPrAsn1_OctetString os;
437
438 if (!WinPrAsn1DecReadSequence(&dec, &dec2))
439 return FALSE;
440
441 WinPrAsn1_INTEGER cksumtype = 0;
442 if (!WinPrAsn1DecReadContextualInteger(&dec2, 0, &error, &cksumtype) ||
443 !WinPrAsn1DecReadContextualOctetString(&dec2, 1, &error, &os, FALSE))
444 return FALSE;
445
446 if (os.len > UINT32_MAX)
447 return FALSE;
448 dst->checksum_type = cksumtype;
449 dst->length = (unsigned int)os.len;
450 dst->contents = os.data;
451 return TRUE;
452}
453
454#define FILETIME_TO_UNIX_OFFSET_S 11644473600LL
455
456static LONGLONG krb5_time_to_FILETIME(const krb5_timestamp* ts, krb5_int32 usec)
457{
458 WINPR_ASSERT(ts);
459 return (((*ts + FILETIME_TO_UNIX_OFFSET_S) * (1000LL * 1000LL) + usec) * 10LL);
460}
461
462static void krb5_free_principal_contents(krb5_context ctx, krb5_principal principal)
463{
464 WINPR_ASSERT(principal);
465 krb5_free_data_contents(ctx, &principal->realm);
466 krb5_free_data(ctx, principal->data);
467}
468
469static BOOL rdpear_kerb_CreateApReqAuthenticator(RDPEAR_PLUGIN* rdpear, NdrContext* rcontext,
470 wStream* s, UINT32* pstatus,
471 CreateApReqAuthenticatorResp* resp)
472{
473 krb5_error_code rv = 0;
474 wStream* asn1EncodedAuth = NULL;
475 CreateApReqAuthenticatorReq req = { 0 };
476 krb5_data authenticator = { 0 };
477 krb5_data* der = NULL;
478 krb5_keyblock* subkey = NULL;
479 krb5_principal_data client = { 0 };
480
481 *pstatus = ERROR_INVALID_DATA;
482 WLog_DBG(TAG, "-> CreateApReqAuthenticator");
483
484 if (!ndr_read_CreateApReqAuthenticatorReq(rcontext, s, NULL, &req) ||
485 !ndr_treat_deferred_read(rcontext, s))
486 goto out;
487
488 krb5_authdata authdata = { 0 };
489 krb5_authdata* authDataPtr[2] = { &authdata, NULL };
490 BOOL haveData = 0;
491
492 if (!extractAuthData(req.AuthData, &authdata, &haveData))
493 {
494 WLog_ERR(TAG, "error retrieving auth data");
495 winpr_HexDump(TAG, WLOG_DEBUG, req.AuthData->Asn1Buffer,
496 req.AuthData->Asn1BufferHints.count);
497 goto out;
498 }
499
500 if (req.SkewTime->QuadPart)
501 {
502 WLog_ERR(TAG, "!!!!! should handle SkewTime !!!!!");
503 }
504
505 if (req.SubKey)
506 {
507 rv = RPC_ENCRYPTION_KEY_to_keyblock(rdpear->krbContext, req.SubKey, &subkey);
508 if (rv)
509 {
510 WLog_ERR(TAG, "error importing subkey");
511 goto out;
512 }
513 }
514
515 krb5_authenticator authent = { .checksum = NULL,
516 .subkey = NULL,
517 .seq_number = req.SequenceNumber,
518 .authorization_data = haveData ? authDataPtr : NULL };
519
520 client.type = req.ClientName->NameType;
521 if (req.ClientName->nameHints.count > INT32_MAX)
522 goto out;
523
524 client.length = (krb5_int32)req.ClientName->nameHints.count;
525 client.data = calloc(req.ClientName->nameHints.count, sizeof(krb5_data));
526 if (!client.data)
527 goto out;
528
529 for (int i = 0; i < client.length; i++)
530 {
531 krb5_data* cur = &client.data[i];
532 cur->data = KERB_RPC_UNICODESTR_to_charptr(&req.ClientName->Names[i]);
533 if (!cur->data)
534 goto out;
535 const size_t len = strnlen(cur->data, MAX_KEYTAB_NAME_LEN + 1);
536 if (len > MAX_KEYTAB_NAME_LEN)
537 {
538 WLog_ERR(TAG,
539 "Invalid ClientName length %" PRIuz
540 ", limited to %u characters. ClientName: (%s)",
541 MAX_KEYTAB_NAME_LEN, len, cur->data);
542 goto out;
543 }
544 cur->length = (unsigned int)len;
545 }
546 client.realm.data = KERB_RPC_UNICODESTR_to_charptr(req.ClientRealm);
547 if (!client.realm.data)
548 goto out;
549
550 const size_t len = strnlen(client.realm.data, MAX_KEYTAB_NAME_LEN + 1);
551 if (len > MAX_KEYTAB_NAME_LEN)
552 {
553 WLog_ERR(TAG, "Invalid realm length %" PRIuz ", limited to %u characters. Realm: (%s)",
554 MAX_KEYTAB_NAME_LEN, len, client.realm.data);
555 goto out;
556 }
557 client.realm.length = (unsigned int)len;
558 authent.client = &client;
559
560 krb5_checksum checksum;
561 krb5_checksum* pchecksum = NULL;
562 if (req.GssChecksum)
563 {
564 if (!extractChecksum(req.GssChecksum, &checksum))
565 {
566 WLog_ERR(TAG, "Error getting the checksum");
567 goto out;
568 }
569 pchecksum = &checksum;
570 }
571 authent.checksum = pchecksum;
572
573 krb5_us_timeofday(rdpear->krbContext, &authent.ctime, &authent.cusec);
574
575 rv = encode_krb5_authenticator(&authent, &der);
576 if (rv)
577 {
578 WLog_ERR(TAG, "error encoding authenticator");
579 goto out;
580 }
581
582 KERB_ASN1_DATA plain_authent = { .Pdu = 0,
583 .Asn1Buffer = (BYTE*)der->data,
584 .Asn1BufferHints = { .count = der->length } };
585
586 rv = kerb_do_encrypt(rdpear->krbContext, req.EncryptionKey, (krb5_keyusage)req.KeyUsage,
587 &plain_authent, &authenticator);
588 if (rv)
589 {
590 WLog_ERR(TAG, "error encrypting authenticator");
591 goto out;
592 }
593
594 asn1EncodedAuth = rdpear_enc_EncryptedData(req.EncryptionKey->reserved2, &authenticator);
595 if (!asn1EncodedAuth)
596 {
597 WLog_ERR(TAG, "error encoding to ASN1");
598 rv = ENOMEM;
599 goto out;
600 }
601
602 // WLog_DBG(TAG, "authenticator=");
603 // winpr_HexDump(TAG, WLOG_DEBUG, Stream_Buffer(asn1EncodedAuth),
604 // Stream_GetPosition(asn1EncodedAuth));
605
606 const size_t size = Stream_GetPosition(asn1EncodedAuth);
607 if (size > UINT32_MAX)
608 goto out;
609 resp->Authenticator.Asn1BufferHints.count = (UINT32)size;
610 resp->Authenticator.Asn1Buffer = Stream_Buffer(asn1EncodedAuth);
611 resp->AuthenticatorTime.QuadPart = krb5_time_to_FILETIME(&authent.ctime, authent.cusec);
612 *pstatus = 0;
613
614out:
615 resp->Authenticator.Pdu = 6;
616 resp->KerbProtocolError = rv;
617 krb5_free_principal_contents(rdpear->krbContext, &client);
618 krb5_free_data(rdpear->krbContext, der);
619 krb5_free_data_contents(rdpear->krbContext, &authenticator);
620 if (subkey)
621 krb5_free_keyblock(rdpear->krbContext, subkey);
622 ndr_destroy_CreateApReqAuthenticatorReq(rcontext, NULL, &req);
623 Stream_Free(asn1EncodedAuth, FALSE);
624 return TRUE;
625}
626
627static BOOL rdpear_findEncryptedData(const KERB_ASN1_DATA* src, int* penctype, krb5_data* data)
628{
629 WinPrAsn1Decoder dec = { 0 };
630 WinPrAsn1Decoder dec2 = { 0 };
631 WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, src->Asn1Buffer, src->Asn1BufferHints.count);
632 BOOL error = FALSE;
633 WinPrAsn1_INTEGER encType = 0;
634 WinPrAsn1_OctetString os = { 0 };
635
636 if (!WinPrAsn1DecReadSequence(&dec, &dec2) ||
637 !WinPrAsn1DecReadContextualInteger(&dec2, 0, &error, &encType) ||
638 !WinPrAsn1DecReadContextualOctetString(&dec2, 2, &error, &os, FALSE))
639 return FALSE;
640
641 if (os.len > UINT32_MAX)
642 return FALSE;
643 data->data = (char*)os.data;
644 data->length = (unsigned int)os.len;
645 *penctype = encType;
646 return TRUE;
647}
648
649static BOOL rdpear_kerb_UnpackKdcReplyBody(RDPEAR_PLUGIN* rdpear, NdrContext* rcontext, wStream* s,
650 UINT32* pstatus, UnpackKdcReplyBodyResp* resp)
651{
652 UnpackKdcReplyBodyReq req = { 0 };
653
654 *pstatus = ERROR_INVALID_DATA;
655
656 if (!ndr_read_UnpackKdcReplyBodyReq(rcontext, s, NULL, &req) ||
657 !ndr_treat_deferred_read(rcontext, s))
658 goto out;
659
660 if (req.StrengthenKey)
661 {
662 WLog_ERR(TAG, "StrengthenKey not supported yet");
663 goto out;
664 }
665
666 WLog_DBG(TAG, "-> UnpackKdcReplyBody: KeyUsage=0x%x PDU=0x%x", req.KeyUsage, req.Pdu);
667 // WLog_DBG(TAG, "encryptedPayload=");
668 // winpr_HexDump(TAG, WLOG_DEBUG, req.EncryptedData->Asn1Buffer,
669 // req.EncryptedData->Asn1BufferHints.count);
670
671 krb5_data asn1Data = { 0 };
672 int encType = 0;
673 if (!rdpear_findEncryptedData(req.EncryptedData, &encType, &asn1Data) || !asn1Data.length)
674 goto out;
675
676 resp->KerbProtocolError = kerb_do_decrypt(
677 rdpear->krbContext, req.Key, (krb5_keyusage)req.KeyUsage, &asn1Data, &resp->ReplyBody);
678 resp->ReplyBody.Pdu = req.Pdu;
679
680 *pstatus = 0;
681
682out:
683 ndr_destroy_UnpackKdcReplyBodyReq(rcontext, NULL, &req);
684 return TRUE;
685}
686
687static BOOL rdpear_kerb_DecryptApReply(RDPEAR_PLUGIN* rdpear, NdrContext* rcontext, wStream* s,
688 UINT32* pstatus, KERB_ASN1_DATA* resp)
689{
690 DecryptApReplyReq req = { 0 };
691
692 *pstatus = ERROR_INVALID_DATA;
693 if (!ndr_read_DecryptApReplyReq(rcontext, s, NULL, &req) ||
694 !ndr_treat_deferred_read(rcontext, s))
695 goto out;
696
697 WLog_DBG(TAG, "-> DecryptApReply");
698 // winpr_HexDump(TAG, WLOG_DEBUG, req.EncryptedReply->Asn1Buffer,
699 // req.EncryptedReply->Asn1BufferHints.count);
700
701 krb5_data asn1Data = { 0 };
702 int encType = 0;
703 if (!rdpear_findEncryptedData(req.EncryptedReply, &encType, &asn1Data) || !asn1Data.length)
704 goto out;
705
706 resp->Pdu = 0x31;
707 krb5_error_code rv =
708 kerb_do_decrypt(rdpear->krbContext, req.Key, KRB5_KEYUSAGE_AP_REP_ENCPART, &asn1Data, resp);
709 if (rv != 0)
710 {
711 WLog_ERR(TAG, "error decrypting");
712 goto out;
713 }
714
715 // WLog_DBG(TAG, "response=");
716 // winpr_HexDump(TAG, WLOG_DEBUG, resp->Asn1Buffer, resp->Asn1BufferHints.count);
717 *pstatus = 0;
718out:
719 ndr_destroy_DecryptApReplyReq(rcontext, NULL, &req);
720 return TRUE;
721}
722
723static BOOL rdpear_kerb_PackApReply(RDPEAR_PLUGIN* rdpear, NdrContext* rcontext, wStream* s,
724 UINT32* pstatus, PackApReplyResp* resp)
725{
726 PackApReplyReq req = { 0 };
727 krb5_data asn1Data = { 0 };
728 krb5_data* out = NULL;
729
730 WLog_DBG(TAG, "-> PackApReply");
731 *pstatus = ERROR_INVALID_DATA;
732 if (!ndr_read_PackApReplyReq(rcontext, s, NULL, &req) || !ndr_treat_deferred_read(rcontext, s))
733 goto out;
734
735 krb5_error_code rv = kerb_do_encrypt(rdpear->krbContext, req.SessionKey,
736 KRB5_KEYUSAGE_AP_REP_ENCPART, req.ReplyBody, &asn1Data);
737 if (rv)
738 goto out;
739
740 krb5_ap_rep reply;
741 reply.enc_part.kvno = KRB5_PVNO;
742 reply.enc_part.enctype = (krb5_enctype)req.SessionKey->reserved2;
743 reply.enc_part.ciphertext.length = asn1Data.length;
744 reply.enc_part.ciphertext.data = asn1Data.data;
745
746 rv = encode_krb5_ap_rep(&reply, &out);
747 if (rv)
748 goto out;
749
750 resp->PackedReply = (BYTE*)out->data;
751 resp->PackedReplyHints.count = out->length;
752 *pstatus = 0;
753out:
754 free(out);
755 krb5_free_data_contents(rdpear->krbContext, &asn1Data);
756 ndr_destroy_PackApReplyReq(rcontext, NULL, &req);
757 return TRUE;
758}
759
760static BOOL rdpear_ntlm_version(NdrContext* rcontext, wStream* s, UINT32* pstatus, UINT32* pversion)
761{
762 *pstatus = ERROR_INVALID_DATA;
763
764 if (!ndr_read_uint32(rcontext, s, pversion))
765 return TRUE;
766
767 WLog_DBG(TAG, "-> NtlmNegotiateVersion(v=0x%x)", *pversion);
768 *pstatus = 0;
769
770 return TRUE;
771}
772
773static UINT rdpear_decode_payload(RDPEAR_PLUGIN* rdpear,
774 IWTSVirtualChannelCallback* pChannelCallback,
775 const WinPrAsn1_OctetString* packageName, wStream* s)
776{
777 UINT ret = ERROR_INVALID_DATA;
778 NdrContext* context = NULL;
779 NdrContext* wcontext = NULL;
780 UINT32 status = 0;
781
782 UINT32 uint32Resp = 0;
783 KERB_ASN1_DATA asn1Data = { 0 };
784 CreateApReqAuthenticatorResp createApReqAuthenticatorResp = { 0 };
785 UnpackKdcReplyBodyResp unpackKdcReplyBodyResp = { 0 };
786 PackApReplyResp packApReplyResp = { 0 };
787 void* resp = NULL;
788 NdrMessageType respDescr = NULL;
789
790 wStream* respStream = Stream_New(NULL, 500);
791 if (!respStream)
792 goto out;
793
794 BOOL isKerb = FALSE;
795 switch (rdpear_packageType_from_name(packageName))
796 {
797 case RDPEAR_PACKAGE_KERBEROS:
798 isKerb = TRUE;
799 break;
800 case RDPEAR_PACKAGE_NTLM:
801 isKerb = FALSE;
802 break;
803 default:
804 WLog_ERR(TAG, "unknown package type");
805 goto out;
806 }
807
808 Stream_Seek(s, 16); /* skip first 16 bytes */
809 wStream commandStream = { 0 };
810 UINT16 callId = 0;
811 UINT16 callId2 = 0;
812
813 context = ndr_read_header(s);
814 if (!context || !ndr_read_constructed(context, s, &commandStream) ||
815 !ndr_read_pickle(context, &commandStream))
816 goto out;
817
818 if (isKerb)
819 {
820 /* for some reason there's 4 zero undocumented bytes here after the pickle record
821 * in the kerberos package packets */
822 UINT32 v = 0;
823 if (!ndr_read_uint32(context, &commandStream, &v))
824 goto out;
825 }
826
827 if (!ndr_read_uint16(context, &commandStream, &callId) ||
828 !ndr_read_uint16(context, &commandStream, &callId2) || (callId != callId2))
829 goto out;
830
831 ret = CHANNEL_RC_NOT_OPEN;
832 switch (callId)
833 {
834 case RemoteCallKerbNegotiateVersion:
835 resp = &uint32Resp;
836 respDescr = ndr_uint32_descr();
837
838 if (rdpear_kerb_version(context, &commandStream, &status, &uint32Resp))
839 ret = CHANNEL_RC_OK;
840 break;
841 case RemoteCallKerbCreateApReqAuthenticator:
842 resp = &createApReqAuthenticatorResp;
843 respDescr = ndr_CreateApReqAuthenticatorResp_descr();
844
845 if (rdpear_kerb_CreateApReqAuthenticator(rdpear, context, &commandStream, &status,
846 &createApReqAuthenticatorResp))
847 ret = CHANNEL_RC_OK;
848 break;
849 case RemoteCallKerbDecryptApReply:
850 resp = &asn1Data;
851 respDescr = ndr_KERB_ASN1_DATA_descr();
852
853 if (rdpear_kerb_DecryptApReply(rdpear, context, &commandStream, &status, &asn1Data))
854 ret = CHANNEL_RC_OK;
855 break;
856 case RemoteCallKerbComputeTgsChecksum:
857 resp = &asn1Data;
858 respDescr = ndr_KERB_ASN1_DATA_descr();
859
860 if (rdpear_kerb_ComputeTgsChecksum(rdpear, context, &commandStream, &status, &asn1Data))
861 ret = CHANNEL_RC_OK;
862 break;
863 case RemoteCallKerbBuildEncryptedAuthData:
864 resp = &asn1Data;
865 respDescr = ndr_KERB_ASN1_DATA_descr();
866
867 if (rdpear_kerb_BuildEncryptedAuthData(rdpear, context, &commandStream, &status,
868 &asn1Data))
869 ret = CHANNEL_RC_OK;
870 break;
871 case RemoteCallKerbUnpackKdcReplyBody:
872 resp = &unpackKdcReplyBodyResp;
873 respDescr = ndr_UnpackKdcReplyBodyResp_descr();
874
875 if (rdpear_kerb_UnpackKdcReplyBody(rdpear, context, &commandStream, &status,
876 &unpackKdcReplyBodyResp))
877 ret = CHANNEL_RC_OK;
878 break;
879 case RemoteCallKerbPackApReply:
880 resp = &packApReplyResp;
881 respDescr = ndr_PackApReplyResp_descr();
882
883 if (rdpear_kerb_PackApReply(rdpear, context, &commandStream, &status, &packApReplyResp))
884 ret = CHANNEL_RC_OK;
885 break;
886 case RemoteCallNtlmNegotiateVersion:
887 resp = &uint32Resp;
888 respDescr = ndr_uint32_descr();
889
890 if (rdpear_ntlm_version(context, &commandStream, &status, &uint32Resp))
891 ret = CHANNEL_RC_OK;
892 break;
893
894 default:
895 WLog_DBG(TAG, "Unhandled callId=0x%x", callId);
896 winpr_HexDump(TAG, WLOG_DEBUG, Stream_PointerAs(&commandStream, BYTE),
897 Stream_GetRemainingLength(&commandStream));
898 break;
899 }
900
901 if (!rdpear_prepare_response(context, isKerb, callId, status, &wcontext, respStream))
902 goto out;
903
904 if (resp && respDescr)
905 {
906 WINPR_ASSERT(respDescr->writeFn);
907
908 BOOL r = respDescr->writeFn(wcontext, respStream, NULL, resp) &&
909 ndr_treat_deferred_write(wcontext, respStream);
910
911 if (respDescr->destroyFn)
912 respDescr->destroyFn(wcontext, NULL, resp);
913
914 if (!r)
915 {
916 WLog_DBG(TAG, "!writeFn || !ndr_treat_deferred_write");
917 goto out;
918 }
919 }
920
921 if (!ndr_end_constructed(wcontext, respStream) ||
922 !rdpear_send_payload(rdpear, pChannelCallback, isKerb, respStream))
923 {
924 WLog_DBG(TAG, "rdpear_send_payload !!!!!!!!");
925 goto out;
926 }
927out:
928 if (context)
929 ndr_context_destroy(&context);
930
931 if (wcontext)
932 ndr_context_destroy(&wcontext);
933
934 if (respStream)
935 Stream_Free(respStream, TRUE);
936 return ret;
937}
938
939static UINT rdpear_on_data_received(IWTSVirtualChannelCallback* pChannelCallback, wStream* s)
940{
941 GENERIC_CHANNEL_CALLBACK* callback = (GENERIC_CHANNEL_CALLBACK*)pChannelCallback;
942 WINPR_ASSERT(callback);
943 UINT ret = ERROR_INVALID_DATA;
944
945 // winpr_HexDump(TAG, WLOG_DEBUG, Stream_PointerAs(s, BYTE), Stream_GetRemainingLength(s));
946
947 if (!Stream_CheckAndLogRequiredLength(TAG, s, 24))
948 return ERROR_INVALID_DATA;
949
950 UINT32 protocolMagic = 0;
951 UINT32 Length = 0;
952 UINT32 Version = 0;
953 Stream_Read_UINT32(s, protocolMagic);
954 if (protocolMagic != 0x4EACC3C8)
955 return ERROR_INVALID_DATA;
956
957 Stream_Read_UINT32(s, Length);
958
959 Stream_Read_UINT32(s, Version);
960 if (Version != 0x00000000)
961 return ERROR_INVALID_DATA;
962
963 Stream_Seek(s, 4); /* Reserved (4 bytes) */
964 Stream_Seek(s, 8); /* TsPkgContext (8 bytes) */
965
966 if (!Stream_CheckAndLogRequiredLength(TAG, s, Length))
967 return ERROR_INVALID_DATA;
968
969 SecBuffer inBuffer = { Length, SECBUFFER_TOKEN, Stream_PointerAs(s, void) };
970 SecBuffer decrypted = { 0 };
971
972 RDPEAR_PLUGIN* rdpear = (RDPEAR_PLUGIN*)callback->plugin;
973 WINPR_ASSERT(rdpear);
974 if (!freerdp_nla_decrypt(rdpear->rdp_context, &inBuffer, &decrypted))
975 goto out;
976
977 WinPrAsn1Decoder dec = { 0 };
978 WinPrAsn1Decoder dec2 = { 0 };
979 wStream decodedStream = { 0 };
980 Stream_StaticInit(&decodedStream, decrypted.pvBuffer, decrypted.cbBuffer);
981 WinPrAsn1Decoder_Init(&dec, WINPR_ASN1_DER, &decodedStream);
982
983 if (!WinPrAsn1DecReadSequence(&dec, &dec2))
984 goto out;
985
986 WinPrAsn1_OctetString packageName = { 0 };
987 WinPrAsn1_OctetString payload = { 0 };
988 BOOL error = 0;
989 if (!WinPrAsn1DecReadContextualOctetString(&dec2, 1, &error, &packageName, FALSE))
990 goto out;
991
992 if (!WinPrAsn1DecReadContextualOctetString(&dec2, 2, &error, &payload, FALSE))
993 goto out;
994
995 wStream payloadStream = { 0 };
996 Stream_StaticInit(&payloadStream, payload.data, payload.len);
997
998 ret = rdpear_decode_payload(rdpear, pChannelCallback, &packageName, &payloadStream);
999out:
1000 sspi_SecBufferFree(&decrypted);
1001 return ret;
1002}
1003
1009static UINT rdpear_on_open(IWTSVirtualChannelCallback* pChannelCallback)
1010{
1011 WINPR_UNUSED(pChannelCallback);
1012 return CHANNEL_RC_OK;
1013}
1014
1020static UINT rdpear_on_close(IWTSVirtualChannelCallback* pChannelCallback)
1021{
1022 WINPR_UNUSED(pChannelCallback);
1023 return CHANNEL_RC_OK;
1024}
1025
1026static void terminate_plugin_cb(GENERIC_DYNVC_PLUGIN* base)
1027{
1028 WINPR_ASSERT(base);
1029
1030 RDPEAR_PLUGIN* rdpear = (RDPEAR_PLUGIN*)base;
1031 krb5_free_context(rdpear->krbContext);
1032}
1033
1034static UINT init_plugin_cb(GENERIC_DYNVC_PLUGIN* base, rdpContext* rcontext, rdpSettings* settings)
1035{
1036 WINPR_ASSERT(base);
1037 WINPR_UNUSED(settings);
1038
1039 RDPEAR_PLUGIN* rdpear = (RDPEAR_PLUGIN*)base;
1040 rdpear->rdp_context = rcontext;
1041 if (krb5_init_context(&rdpear->krbContext))
1042 return CHANNEL_RC_INITIALIZATION_ERROR;
1043 return CHANNEL_RC_OK;
1044}
1045
1046static const IWTSVirtualChannelCallback rdpear_callbacks = { rdpear_on_data_received,
1047 rdpear_on_open, rdpear_on_close,
1048 NULL };
1049
1055FREERDP_ENTRY_POINT(UINT rdpear_DVCPluginEntry(IDRDYNVC_ENTRY_POINTS* pEntryPoints))
1056{
1057 return freerdp_generic_DVCPluginEntry(pEntryPoints, TAG, RDPEAR_DVC_CHANNEL_NAME,
1058 sizeof(RDPEAR_PLUGIN), sizeof(GENERIC_CHANNEL_CALLBACK),
1059 &rdpear_callbacks, init_plugin_cb, terminate_plugin_cb);
1060}
BuildEncryptedAuthDataReq
2.2.2.1.8 BuildEncryptedAuthData
Definition rdpear_common.h:145
ComputeTgsChecksumReq
2.2.2.1.7 ComputeTgsChecksum
Definition rdpear_common.h:155
CreateApReqAuthenticatorReq
2.2.2.1.4 CreateApReqAuthenticator
Definition rdpear_common.h:165
CreateApReqAuthenticatorResp
2.2.2.1.4 CreateApReqAuthenticator
Definition rdpear_common.h:181
GENERIC_CHANNEL_CALLBACK
Definition include/freerdp/client/channels.h:35
GENERIC_DYNVC_PLUGIN
Definition include/freerdp/client/channels.h:57
KERB_ASN1_DATA
2.2.1.2.1 KERB_ASN1_DATA
Definition rdpear_common.h:105
KERB_RPC_ENCRYPTION_KEY
2.2.1.2.8 KERB_RPC_ENCRYPTION_KEY
Definition rdpear_common.h:135
NdrMessageDescr
message descriptor
Definition ndr.h:76
RPC_UNICODE_STRING
2.3.10 RPC_UNICODE_STRING (MS-DTYP)
Definition rdpear_common.h:115
UnpackKdcReplyBodyReq
2.2.2.1.6 UnpackKdcReplyBody
Definition rdpear_common.h:191
UnpackKdcReplyBodyResp
2.2.2.1.6 UnpackKdcReplyBody
Definition rdpear_common.h:203
WinPrAsn1_MemoryChunk
Definition asn1.h:79
rdp_context
Definition freerdp.h:335