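xrdp, when used as an RDP front end, cannot connect to Windows 2008, although connecting to Windows 2003 works. When connecting to 2008, the connection is actively reset (RST) right after the client sends the Client Info PDU, as shown in the figure below.
At first I suspected that the Client Info PDU sent by the client was at fault, but the packet showed no obvious problem. Comparing an earlier packet, the Server MCS Connect Response PDU with GCC Conference Create Response, shows that the RSA1 length differs between 2003 and 2008, as follows: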
Server MCS Connect Response PDU with GCC Conference Create Response
Windows 2003:
0000 7f 66 82 01 3d 0a 01 00 02 01 00 30 1a 02 01 04 .f..=......0....
0010 02 01 03 02 01 00 02 01 01 02 01 00 02 01 01 02 ................
0020 03 00 ff f8 02 01 02 04 82 01 17 00 05 00 14 7c ...............|
0030 00 01 2a 14 76 0a 01 01 00 01 c0 00 4d 63 44 6e ..*.v.......McDn
0040 81 00 01 0c 0c 00 04 00 08 00 00 00 00 00 03 0c ................
0050 08 00 eb 03 00 00 02 0c ec 00 02 00 00 00 02 00 ................
0060 00 00 20 00 00 00 b8 00 00 00 3d 03 22 3a ea d4 .. .......=.":..
0070 34 b7 f2 01 fa 1f bf a3 62 04 01 b6 3b 28 c0 59 4.......b...;(.Y
0080 05 a3 be 50 d7 8a 61 d2 46 9d 01 00 00 00 01 00 ...P..a.F.......
0090 00 00 01 00 00 00 06 00 5c 00 52 53 41 31 48 00 .........RSA1H.
00a0 00 00 00 02 00 00 3f 00 00 00 01 00 01 00 55 a9 ......?.......U.
00b0 c2 9b fa 62 66 75 38 55 43 7f 9e 3f af 43 40 48 ...bfu8UC..?.C@H
00c0 82 cb 1f 64 dd 73 9e 61 80 c4 96 b3 15 d1 bf cc ...d.s.a........
00d0 39 29 7d bc 1b 7e 3d cb b7 1b 6e d5 0d 58 56 fe 9)}..~=...n..XV.
00e0 18 84 3e 97 12 45 2f d0 f9 34 9b 47 c9 d3 00 00 ..>..E/..4.G....
00f0 00 00 00 00 00 00 08 00 48 00 27 53 9b 2b 82 ae ........H.'S.+..
0100 24 af bb f6 bf 6d 58 cc 34 a2 1d 58 56 66 ed 34 $....mX.4..XVf.4
0110 18 5e 20 96 b4 cf af 1b 82 12 ee c6 13 91 f1 b8 .^ .............
0120 68 84 70 4a 22 49 30 1c ed 52 a4 c2 86 25 8a 3b h.pJ"I0..R...%.;
0130 e3 57 f4 8d 48 36 f5 24 c3 5c 00 00 00 00 00 00 .W..H6.$.......
0140 00 00
Windows 2008:
0000 7f 66 82 01 fd 0a 01 00 02 01 00 30 1a 02 01 04 .f.........0....
0010 02 01 03 02 01 00 02 01 01 02 01 00 02 01 01 02 ................
0020 03 00 ff f8 02 01 02 04 82 01 d7 00 05 00 14 7c ...............|
0030 00 01 2a 14 76 0a 01 01 00 01 c0 00 4d 63 44 6e ..*.v.......McDn
0040 81 c0 01 0c 0c 00 04 00 08 00 00 00 00 00 03 0c ................
0050 08 00 eb 03 00 00 02 0c ac 01 02 00 00 00 02 00 ................
0060 00 00 20 00 00 00 78 01 00 00 cd 0b e4 a7 8d bb .. ...x.........
0070 fd 29 fa 64 46 1d 09 43 50 24 df bd a9 81 82 5d .).dF..CP$.....]
0080 83 1c e2 29 c1 e7 36 a7 01 ca 01 00 00 00 01 00 ...)..6.........
0090 00 00 01 00 00 00 06 00 1c 01 52 53 41 31 08 01 ..........RSA1..
00a0 00 00 00 08 00 00 ff 00 00 00 01 00 01 00 c3 cd ................
00b0 d3 6b ca b1 a1 d5 0d d6 ef 2f 1a c3 ad a2 0d b1 .k......./......
00c0 69 7e eb 3b b5 8f c0 be 9e 45 73 44 18 98 a7 2a i~.;.....EsD...*
00d0 c0 35 d4 96 80 a3 7b 2e 18 56 5c c5 ae 5c 98 d7 .5....{..V....
00e0 79 39 ef 0b 9c 5b e2 f5 f1 82 4e b6 5c dd ce 58 y9...[....N...X
00f0 f2 94 14 ab 2d b4 3a d7 28 19 14 d2 fc 44 23 95 ....-.:.(....D#.
0100 ab 44 5c 95 73 e4 ab 0b d5 da db 11 87 05 18 85 .D.s...........
0110 f5 1d ec 3a 51 f5 0e f3 62 9c dc ab 9f 9f 9f 3c ...:Q...b......<
0120 91 d0 79 72 bc 40 94 97 22 13 46 0a f6 9f 8d b1 ..yr.@..".F.....
0130 9c 61 c2 09 60 bc 71 af 6a 7e de f5 d7 d1 45 b6 .a..`.q.j~....E.
0140 50 6b 54 49 78 b1 6d 50 e0 09 33 20 34 2b 5f ba PkTIx.mP..3 4+_.
0150 0a 9f e2 0e b2 3d 00 59 b0 be 75 82 4b cf 04 ad .....=.Y..u.K...
0160 6e d8 2d 9f 43 1a 8c af 15 e6 95 9b 6a fa 1b 04 n.-.C.......j...
0170 24 0a 18 b5 b0 5c 2c 09 f9 20 6a a1 ce 16 e6 ca $....\,.. j.....
0180 06 54 ec a5 c6 b6 52 bd 77 f7 3b ad fa f9 d0 d1 .T....R.w.;.....
0190 da 40 e6 69 7d cb 09 4c 85 eb c4 02 30 18 79 8b .@.i}..L....0.y.
01a0 d4 24 54 a9 2a 50 10 d6 8e 8e d7 6a 2b b0 00 00 .$T.*P.....j+...
01b0 00 00 00 00 00 00 08 00 48 00 de 89 12 1a 8c 09 ........H.......
01c0 23 3f 48 50 51 14 4a de 67 da 70 e2 54 9b 0c e2 #?HPQ.J.g.p.T...
01d0 36 40 5f a2 27 8f 82 3b de ad 4d f4 24 33 b8 7c 6@_.'..;..M.$3.|
01e0 9c ab 74 77 2d 61 15 ad d7 d2 97 28 db ae 8d d6 ..tw-a.....(....
01f0 ee ef 6b 7c 85 e4 ed 6c 29 84 00 00 00 00 00 00 ..k|...l).......
0200 00 00
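Red marks TS_UD_HEADER::type
The first green field is PROPRIETARYSERVERCERTIFICATE::dwVersion
The second green field is RSA_PUBLIC_KEY::magic
Comparing the two:
When connecting to 56.237, the length that follows RSA1 in the response is 0x48, i.e. a key of size 64
When connecting to 12.17, the length that follows RSA1 in the response is 0x0108, i.e. a key of size 256
The xrdp source file xrdp/rdp/rdp_sec.c shows that the modulus length is fixed at 64: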
#define SEC_MODULUS_SIZE 64

/* Parse a public key structure */
/* returns boolean */
static int APP_CC
rdp_sec_parse_public_key(struct rdp_sec *self, struct stream *s,
                         char *modulus, char *exponent)
{
    int magic;
    int modulus_len;

    in_uint32_le(s, magic); // RSA_PUBLIC_KEY::magic
    if (magic != SEC_RSA_MAGIC)
    {
        return 0;
    }
    in_uint32_le(s, modulus_len); // RSA_PUBLIC_KEY::keylen
    if (modulus_len != SEC_MODULUS_SIZE + SEC_PADDING_SIZE)
    {
        return 0;
    }
    in_uint8s(s, 8); // RSA_PUBLIC_KEY::bitlen RSA_PUBLIC_KEY::datalen
    in_uint8a(s, exponent, SEC_EXPONENT_SIZE); // RSA_PUBLIC_KEY::pubExp
    in_uint8a(s, modulus, SEC_MODULUS_SIZE); // RSA_PUBLIC_KEY::modulus
    in_uint8s(s, SEC_PADDING_SIZE);
    return s_check(s);
}
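The following is an added example, not code from the original post or from xrdp: it parses the same RSA1 blob but takes the modulus length from RSA_PUBLIC_KEY::keylen, bounds it before any copy, and cross-checks it against bitlen, so both the 0x48 and the 0x0108 header are accepted. Assumptions: the names `parse_rsa1`, `parse_sample` and `MAX_MODULUS` are hypothetical, the 8 padding bytes are inferred from 0x48 = 64 + 8, and the sample modulus bytes are zero-filled rather than copied from the captures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSA1_MAGIC  0x31415352u /* "RSA1" read as a little-endian uint32 */
#define RSA_PAD     8           /* assumed: keylen = modulus + 8 pad bytes */
#define MAX_MODULUS 512         /* assumed cap; sizes the caller's buffer */

/* 20-byte RSA1 headers taken from the two captures above. */
static const uint8_t HDR_2003[20] = { 'R','S','A','1', 0x48,0,0,0, 0,0x02,0,0,
                                      0x3f,0,0,0, 1,0,1,0 };
static const uint8_t HDR_2008[20] = { 'R','S','A','1', 0x08,0x01,0,0, 0,0x08,0,0,
                                      0xff,0,0,0, 1,0,1,0 };

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the modulus length in bytes, or -1 if the blob is rejected. */
int parse_rsa1(const uint8_t *b, size_t len, uint8_t *mod, uint8_t *exp)
{
    uint32_t keylen, mlen;

    if (len < 20 || rd32(b) != RSA1_MAGIC)
        return -1;
    keylen = rd32(b + 4);                     /* RSA_PUBLIC_KEY::keylen */
    if (keylen <= RSA_PAD || keylen - RSA_PAD > MAX_MODULUS)
        return -1;                            /* bound it before any copy */
    mlen = keylen - RSA_PAD;
    if (rd32(b + 8) != mlen * 8 || len - 20 < keylen)
        return -1;                            /* bitlen mismatch or truncated */
    memcpy(exp, b + 16, 4);                   /* RSA_PUBLIC_KEY::pubExp */
    memcpy(mod, b + 20, mlen);                /* RSA_PUBLIC_KEY::modulus */
    return (int)mlen;
}

/* Hypothetical helper: page header plus zero-filled (constructed) key bytes. */
int parse_sample(const uint8_t *hdr, size_t total)
{
    uint8_t blob[20 + MAX_MODULUS + RSA_PAD] = { 0 }, mod[MAX_MODULUS], exp[4];
    memcpy(blob, hdr, 20);
    return parse_rsa1(blob, total, mod, exp);
}

int main(void)
{
    printf("%d %d\n", parse_sample(HDR_2003, 92), parse_sample(HDR_2008, 284));
    return 0;
}
```

The length field comes from the remote server, so the cap and the remaining-bytes check are what keep a variable-length parse from overrunning the fixed modulus buffer.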