Replace binary blob with specified data

This commit changes the license response PDU to be constructed rather than simply being contained as a binary blob. Some constants in common/ms-rdpbcgr.h are renamed with the values from the specification.
neutrinolabs · Jul 2, 2024 · 48e6fee · 48e6fee
1 parent 21d79f0
commit 48e6fee
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 50 deletions.
diff --git a/common/ms-rdpbcgr.h b/common/ms-rdpbcgr.h
@@ -58,6 +58,10 @@
 #define SEC_TAG_CLI_4          0xc004 /* CS_CLUSTER? */
 #define SEC_TAG_CLI_MONITOR    0xc005 /* CS_MONITOR */
 #define SEC_TAG_CLI_MONITOR_EX 0xc008 /* CS_MONITOR_EX */
+#define SEC_TAG_SRV_INFO       0x0c01 /* SC_CORE */
+#define SEC_TAG_SRV_CRYPT      0x0c02 /* SC_SECURITY */
+#define SEC_TAG_SRV_CHANNELS   0x0c03 /* SC_NET? */
+
 
 /* Client Core Data: colorDepth, postBeta2ColorDepth (2.2.1.3.2) */
 #define RNS_UD_COLOR_4BPP      0xCA00
@@ -159,9 +163,16 @@
 #define RDP5_NO_CURSOR_SHADOW          0x20
 #define RDP5_NO_CURSORSETTINGS         0x40 /* disables cursor blinking */
 
+/* LICENSE_PREAMBLE (2.2.1.12.1.1) */
+#define ERROR_ALERT                    0xff
+#define PREAMBLE_VERSION_3_0           0x03
+
 /* LICENSE_BINARY_BLOB (2.2.1.12.1.2) */
-#define LICENCE_TAG_USER               0x000f /* BB_CLIENT_USER_NAME_BLOB */
-#define LICENCE_TAG_HOST               0x0010 /* BB_CLIENT_MACHINE_NAME_BLOB */
+#define BB_ERROR_BLOB                  0x0004
+
+/* LICENSE_ERROR_MESSAGE (2.2.1.12.1.3) */
+#define STATUS_VALID_CLIENT            0x00000007
+#define ST_NO_TRANSITION               0x00000002
 
 /* Maps to generalCapabilitySet in T.128 page 138 */
 
@@ -452,15 +463,11 @@
 #define PDUTYPE2_MONITOR_LAYOUT_PDU    55
 
 /* TS_SECURITY_HEADER: flags (2.2.8.1.1.2.1) */
-/* TODO: to be renamed */
-#define SEC_CLIENT_RANDOM              0x0001 /* SEC_EXCHANGE_PKT? */
+#define SEC_EXCHANGE_PKT               0x0001
 #define SEC_ENCRYPT                    0x0008
-#define SEC_LOGON_INFO                 0x0040 /* SEC_INFO_PKT */
-#define SEC_LICENCE_NEG                0x0080 /* SEC_LICENSE_PKT */
-
-#define SEC_TAG_SRV_INFO               0x0c01 /* SC_CORE */
-#define SEC_TAG_SRV_CRYPT              0x0c02 /* SC_SECURITY */
-#define SEC_TAG_SRV_CHANNELS           0x0c03 /* SC_NET? */
+#define SEC_INFO_PKT                   0x0040
+#define SEC_LICENSE_PKT                0x0080
+#define SEC_LICENSE_ENCRYPT_CS         0x0280
 
 /* Slow-Path Input Event: messageType (2.2.8.1.1.3.1.1) */
 /* TODO: to be renamed */

diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
@@ -43,43 +43,6 @@ static tui8 g_pad_92[48] =
     92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92
 };
 
-
-/*****************************************************************************/
-/* Licensing success response v3 PDU
- *
- * [MS-RDPBCGR] TS_SECURITY_HEADER - Basic
- * [MS-RDPELE] LICENSE_ERROR_MESSAGE with STATUS_VALID_CLIENT
- *
- * used for Media Center Edition
- */
-/* some compilers need unsigned char to avoid warnings */
-static tui8 g_lic3[20] =
-{
-    /* S */
-    /* [MS-RDPBCGR] TS_SECURITY_HEADER - Basic
-     * flags (2) = 0x0280 (SEC_LICENSE_PKT | SEC_LICENSE_ENCRYPT_CS)
-     * flagsHi (2) = unused (arbitrary data)
-     * [MS-RDPBCGR] LICENSE_PREAMBLE
-     * bMsgType (1) = 0xff (ERROR_ALERT)
-     * flags (1) = 0x03 (PREAMBLE_VERSION_3_0)
-     * wMsgSize (2) = 0x0010 (16, excludes the 4 bytes TS_SECURITY_HEADER Basic)
-     */
-    0x80, 0x02, 0x10, 0x00, 0xff, 0x03, 0x10, 0x00,
-    /*
-     * [MS-RDPBCGR] LICENSE_ERROR_MESSAGE
-     * dwErrorCode (4) = 0x00000007 (STATUS_VALID_CLIENT)
-     * dwStateTransition (4) = 0x00000002 (ST_NO_TRANSITION)
-     * bbErrorInfo = <LICENSE_BINARY_BLOB>
-     */
-    0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
-    /*
-     * [MS-RDPBCGR] LICENSE_BINARY_BLOB
-     * wBlobType (2) = 0x0004 (BB_ERROR_BLOB)
-     * wBlobLen (2) = 0x0000 (0)
-     */
-    0x04, 0x00, 0x00, 0x00
-};
-
 static const tui8 g_fips_reverse_table[256] =
 {
     0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
@@ -1016,7 +979,28 @@ xrdp_sec_send_lic_response(struct xrdp_sec *self)
         return 1;
     }
 
-    out_uint8a(s, g_lic3, sizeof(g_lic3));
+    /* [MS-RDPBCGR] TS_SECURITY_HEADER */
+    /* A careful reading of [MS-RDPBCGR] 2.2.1.12 shows that a securityHeader
+     * MUST be included, and provided the flag fields of the header does
+     * not contain SEC_ENCRYPT, it is always possible to send a basic
+     * security header */
+    out_uint16_le(s, SEC_LICENSE_PKT | SEC_LICENSE_ENCRYPT_CS); /* flags */
+    out_uint16_le(s, 0); /* flagsHi */
+
+    /* [MS-RDPBCGR] LICENSE_VALID_CLIENT_DATA */
+    /* preamble (LICENSE_PREAMBLE) */
+    out_uint8(s, ERROR_ALERT);
+    out_uint8(s, PREAMBLE_VERSION_3_0);
+    out_uint16_le(s, 16); /* Message size, including pre-amble */
+
+    /* validClientMessage */
+    /* From [MS-RDPBCGR] 2.2.12.1, dwStateTransition must be ST_NO_TRANSITION,
+     * and the bbErrorInfo field must contain an empty blob of type
+     * BB_ERROR_BLOB */
+    out_uint32_le(s, STATUS_VALID_CLIENT); /* dwErrorCode */
+    out_uint32_le(s, ST_NO_TRANSITION); /* dwStateTransition */
+    out_uint16_le(s, BB_ERROR_BLOB);    /* wBlobType */
+    out_uint16_le(s, 0);                /* wBlobLen */
     s_mark_end(s);
 
     LOG_DEVEL(LOG_LEVEL_TRACE, "Sending [MS-RDPELE] LICENSE_ERROR_MESSAGE with STATUS_VALID_CLIENT");
@@ -1391,7 +1375,7 @@ xrdp_sec_recv(struct xrdp_sec *self, struct stream *s, int *chan)
         }
     }
 
-    if (flags & SEC_CLIENT_RANDOM) /* 0x01 TS_SECURITY_PACKET */
+    if (flags & SEC_EXCHANGE_PKT) /* 0x01 TS_SECURITY_PACKET */
     {
         if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPBCGR] TS_SECURITY_PACKET"))
         {
@@ -1430,7 +1414,7 @@ xrdp_sec_recv(struct xrdp_sec *self, struct stream *s, int *chan)
         return 0;
     }
 
-    if (flags & SEC_LOGON_INFO) /* 0x40 SEC_INFO_PKT */
+    if (flags & SEC_INFO_PKT)
     {
         if (xrdp_sec_process_logon_info(self, s) != 0)
         {