From ccfb88b04919693af80b4913bbf51be26bb79d5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?=
Date: Sun, 15 Jan 2012 15:01:16 -0500
Subject: [PATCH] libfreerdp-core: apply RDP signature verification patch from Pawel Jakub Dawidek
---
 libfreerdp-core/rdp.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/libfreerdp-core/rdp.c b/libfreerdp-core/rdp.c
index 389294dcf..f6d4a31e1 100644
--- a/libfreerdp-core/rdp.c
+++ b/libfreerdp-core/rdp.c
@@ -581,7 +581,9 @@ boolean rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, STREAM* s)
 boolean rdp_decrypt(rdpRdp* rdp, STREAM* s, int length)
 {
- int cryptlen;
+ uint8 cmac[8], wmac[8];
+ uint32 ml;
+ uint8* mk;
 if (rdp->settings->encryption_method == ENCRYPTION_METHOD_FIPS)
 {
@@ -596,15 +598,15 @@ boolean rdp_decrypt(rdpRdp* rdp, STREAM* s, int length)
 sig = s->p;
 stream_seek(s, 8); /* signature */
- cryptlen = length - 12;
+ length -= 12;
- if (!security_fips_decrypt(s->p, cryptlen, rdp))
+ if (!security_fips_decrypt(s->p, length, rdp))
 {
 printf("FATAL: cannot decrypt\n");
 return false; /* TODO */
 }
- if (!security_fips_check_signature(s->p, cryptlen-pad, sig, rdp))
+ if (!security_fips_check_signature(s->p, length - pad, sig, rdp))
 {
 printf("FATAL: invalid packet signature\n");
 return false; /* TODO */
@@ -615,9 +617,16 @@ boolean rdp_decrypt(rdpRdp* rdp, STREAM* s, int length)
 return true;
 }
- stream_seek(s, 8); /* signature */
- cryptlen = length - 8;
- security_decrypt(s->p, cryptlen, rdp);
+ stream_read(s, wmac, sizeof(wmac));
+ length -= sizeof(wmac);
+ security_decrypt(s->p, length, rdp);
+ mk = rdp->sign_key;
+ ml = rdp->rc4_key_len;
+ security_mac_signature(mk, ml, s->p, length, cmac);
+ if (memcmp(wmac, cmac, sizeof(wmac)) != 0) {
+ printf("FATAL: invalid packet signature\n");
+ return false;
+ }
 return true;
 }
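Review bot: `length -= 12` is applied to the signed `int length` parameter with no lower-bound check, so a PDU shorter than the FIPS header plus signature hands a negative count to `security_fips_decrypt` and `length - pad` to `security_fips_check_signature`; a guard such as `if (length < 12) return false;` before the subtraction would close that. The same gap is in the third hunk, where `length -= sizeof(wmac)` also does the arithmetic in `size_t`, so `if (length < (int) sizeof(wmac)) return false;` should come before `stream_read`. The subtraction itself predates this commit under the name `cryptlen`, but the result now feeds the signature check directly. The lines that read `pad` are above this hunk, so whether `pad` is bounded against `length` cannot be confirmed from here.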
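Review bot: The new signature check compares the received and computed MACs with `memcmp(wmac, cmac, sizeof(wmac))`, which stops at the first differing byte, so its running time depends on how much of the received MAC matches. For a MAC over network data a constant-time comparison is the safer form: OR together `wmac[i] ^ cmac[i]` for all `sizeof(wmac)` bytes and test the accumulated value once. Separately, `rdp_decrypt` receives no security flags and always calls `security_mac_signature`; if the peer can select the salted checksum variant defined by the protocol, valid packets would presumably fail this check, so that case is worth confirming. The temporaries `mk` and `ml` are each used once and could be passed directly as `rdp->sign_key` and `rdp->rc4_key_len`.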