1
/* -*- c-basic-offset: 8 -*-
2
rdesktop: A Remote Desktop Protocol client.
3
Protocol services - RDP encryption and licensing
4
Copyright (C) Matthew Chapman 1999-2002
6
This program is free software; you can redistribute it and/or modify
7
it under the terms of the GNU General Public License as published by
8
the Free Software Foundation; either version 2 of the License, or
9
(at your option) any later version.
11
This program is distributed in the hope that it will be useful,
12
but WITHOUT ANY WARRANTY; without even the implied warranty of
13
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
GNU General Public License for more details.
16
You should have received a copy of the GNU General Public License
17
along with this program; if not, write to the Free Software
18
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24
#include <openssl/rc4.h>
25
#include <openssl/md5.h>
26
#include <openssl/sha.h>
27
#include <openssl/bn.h>
28
#include <openssl/x509v3.h>
30
#include "crypto/rc4.h"
31
#include "crypto/md5.h"
32
#include "crypto/sha.h"
33
#include "crypto/bn.h"
36
extern char hostname[16];
40
extern BOOL g_encryption;
41
extern BOOL g_licence_issued;
42
extern BOOL g_use_rdp5;
43
extern BOOL g_console_session;
44
extern int g_server_bpp;
45
extern uint16 mcs_userid;
46
extern VCHANNEL g_channels[];
47
extern unsigned int g_num_channels;
49
static int rc4_key_len;
50
static RC4_KEY rc4_decrypt_key;
51
static RC4_KEY rc4_encrypt_key;
52
static RSA *server_public_key;
54
static uint8 sec_sign_key[16];
55
static uint8 sec_decrypt_key[16];
56
static uint8 sec_encrypt_key[16];
57
static uint8 sec_decrypt_update_key[16];
58
static uint8 sec_encrypt_update_key[16];
59
static uint8 sec_crypted_random[SEC_MODULUS_SIZE];
61
uint16 g_server_rdp_version = 0;
64
* General purpose 48-byte transformation, using two 32-byte salts (generally,
65
* a client and server salt) and a global salt value used for padding.
66
* Both SHA1 and MD5 algorithms are used.
69
sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt)
77
for (i = 0; i < 3; i++)
79
memset(pad, salt + i, i + 1);
82
SHA1_Update(&sha, pad, i + 1);
83
SHA1_Update(&sha, in, 48);
84
SHA1_Update(&sha, salt1, 32);
85
SHA1_Update(&sha, salt2, 32);
86
SHA1_Final(shasig, &sha);
89
MD5_Update(&md5, in, 48);
90
MD5_Update(&md5, shasig, 20);
91
MD5_Final(&out[i * 16], &md5);
96
* Weaker 16-byte transformation, also using two 32-byte salts, but
97
* only using a single round of MD5.
100
sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2)
105
MD5_Update(&md5, in, 16);
106
MD5_Update(&md5, salt1, 32);
107
MD5_Update(&md5, salt2, 32);
108
MD5_Final(out, &md5);
111
/* Reduce key entropy from 64 to 40 bits */
113
sec_make_40bit(uint8 * key)
120
/* Generate a session key and RC4 keys, given client and server randoms */
122
sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size)
124
uint8 session_key[48];
128
/* Construct input data to hash */
129
memcpy(input, client_key, 24);
130
memcpy(input + 24, server_key, 24);
132
/* Generate session key - two rounds of sec_hash_48 */
133
sec_hash_48(temp_hash, input, client_key, server_key, 65);
134
sec_hash_48(session_key, temp_hash, client_key, server_key, 88);
136
/* Store first 16 bytes of session key, for generating signatures */
137
memcpy(sec_sign_key, session_key, 16);
139
/* Generate RC4 keys */
140
sec_hash_16(sec_decrypt_key, &session_key[16], client_key, server_key);
141
sec_hash_16(sec_encrypt_key, &session_key[32], client_key, server_key);
143
if (rc4_key_size == 1)
145
DEBUG(("40-bit encryption enabled\n"));
146
sec_make_40bit(sec_sign_key);
147
sec_make_40bit(sec_decrypt_key);
148
sec_make_40bit(sec_encrypt_key);
153
DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
157
/* Save initial RC4 keys as update keys */
158
memcpy(sec_decrypt_update_key, sec_decrypt_key, 16);
159
memcpy(sec_encrypt_update_key, sec_encrypt_key, 16);
161
/* Initialise RC4 state arrays */
162
RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
163
RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
166
static uint8 pad_54[40] = {
167
54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
169
54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
173
static uint8 pad_92[48] = {
174
92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
175
92, 92, 92, 92, 92, 92, 92,
176
92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
177
92, 92, 92, 92, 92, 92, 92
180
/* Output a uint32 into a buffer (little-endian) */
182
buf_out_uint32(uint8 * buffer, uint32 value)
184
buffer[0] = (value) & 0xff;
185
buffer[1] = (value >> 8) & 0xff;
186
buffer[2] = (value >> 16) & 0xff;
187
buffer[3] = (value >> 24) & 0xff;
190
/* Generate a signature hash, using a combination of SHA1 and MD5 */
192
sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen)
200
buf_out_uint32(lenhdr, datalen);
203
SHA1_Update(&sha, session_key, keylen);
204
SHA1_Update(&sha, pad_54, 40);
205
SHA1_Update(&sha, lenhdr, 4);
206
SHA1_Update(&sha, data, datalen);
207
SHA1_Final(shasig, &sha);
210
MD5_Update(&md5, session_key, keylen);
211
MD5_Update(&md5, pad_92, 48);
212
MD5_Update(&md5, shasig, 20);
213
MD5_Final(md5sig, &md5);
215
memcpy(signature, md5sig, siglen);
218
/* Update an encryption key - similar to the signing process */
220
sec_update(uint8 * key, uint8 * update_key)
228
SHA1_Update(&sha, update_key, rc4_key_len);
229
SHA1_Update(&sha, pad_54, 40);
230
SHA1_Update(&sha, key, rc4_key_len);
231
SHA1_Final(shasig, &sha);
234
MD5_Update(&md5, update_key, rc4_key_len);
235
MD5_Update(&md5, pad_92, 48);
236
MD5_Update(&md5, shasig, 20);
237
MD5_Final(key, &md5);
239
RC4_set_key(&update, rc4_key_len, key);
240
RC4(&update, rc4_key_len, key, key);
242
if (rc4_key_len == 8)
246
/* Encrypt data using RC4 */
248
sec_encrypt(uint8 * data, int length)
250
static int use_count;
252
if (use_count == 4096)
254
sec_update(sec_encrypt_key, sec_encrypt_update_key);
255
RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
259
RC4(&rc4_encrypt_key, length, data, data);
263
/* Decrypt data using RC4 */
265
sec_decrypt(uint8 * data, int length)
267
static int use_count;
269
if (use_count == 4096)
271
sec_update(sec_decrypt_key, sec_decrypt_update_key);
272
RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
276
RC4(&rc4_decrypt_key, length, data, data);
281
reverse(uint8 * p, int len)
286
for (i = 0, j = len - 1; i < j; i++, j--)
294
/* Perform an RSA public key encryption operation */
296
sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint8 * modulus, uint8 * exponent)
299
BIGNUM mod, exp, x, y;
300
uint8 inr[SEC_MODULUS_SIZE];
303
reverse(modulus, SEC_MODULUS_SIZE);
304
reverse(exponent, SEC_EXPONENT_SIZE);
305
memcpy(inr, in, len);
314
BN_bin2bn(modulus, SEC_MODULUS_SIZE, &mod);
315
BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp);
316
BN_bin2bn(inr, len, &x);
317
BN_mod_exp(&y, &x, &exp, &mod, ctx);
318
outlen = BN_bn2bin(&y, out);
319
reverse(out, outlen);
320
if (outlen < SEC_MODULUS_SIZE)
321
memset(out + outlen, 0, SEC_MODULUS_SIZE - outlen);
330
/* Initialise secure transport packet */
332
sec_init(uint32 flags, int maxlen)
337
if (!g_licence_issued)
338
hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4;
340
hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0;
341
s = mcs_init(maxlen + hdrlen);
342
s_push_layer(s, sec_hdr, hdrlen);
347
/* Transmit secure transport packet over specified channel */
349
sec_send_to_channel(STREAM s, uint32 flags, uint16 channel)
353
s_pop_layer(s, sec_hdr);
354
if (!g_licence_issued || (flags & SEC_ENCRYPT))
355
out_uint32_le(s, flags);
357
if (flags & SEC_ENCRYPT)
359
flags &= ~SEC_ENCRYPT;
360
datalen = s->end - s->p - 8;
363
DEBUG(("Sending encrypted packet:\n"));
364
hexdump(s->p + 8, datalen);
367
sec_sign(s->p, 8, sec_sign_key, rc4_key_len, s->p + 8, datalen);
368
sec_encrypt(s->p + 8, datalen);
371
mcs_send_to_channel(s, channel);
374
/* Transmit secure transport packet */
377
sec_send(STREAM s, uint32 flags)
379
sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL);
383
/* Transfer the client random to the server */
385
sec_establish_key(void)
387
uint32 length = SEC_MODULUS_SIZE + SEC_PADDING_SIZE;
388
uint32 flags = SEC_CLIENT_RANDOM;
391
s = sec_init(flags, 76);
393
out_uint32_le(s, length);
394
out_uint8p(s, sec_crypted_random, SEC_MODULUS_SIZE);
395
out_uint8s(s, SEC_PADDING_SIZE);
401
/* Output connect initial data blob */
403
sec_out_mcs_data(STREAM s)
405
int hostlen = 2 * strlen(hostname);
406
int length = 158 + 76 + 12 + 4;
409
if (g_num_channels > 0)
410
length += g_num_channels * 12 + 8;
415
out_uint16_be(s, 5); /* unknown */
416
out_uint16_be(s, 0x14);
420
out_uint16_be(s, (length | 0x8000)); /* remaining length */
422
out_uint16_be(s, 8); /* length? */
423
out_uint16_be(s, 16);
425
out_uint16_le(s, 0xc001);
428
out_uint32_le(s, 0x61637544); /* "Duca" ?! */
429
out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */
431
/* Client information */
432
out_uint16_le(s, SEC_TAG_CLI_INFO);
433
out_uint16_le(s, 212); /* length */
434
out_uint16_le(s, g_use_rdp5 ? 4 : 1); /* RDP version. 1 == RDP4, 4 == RDP5. */
436
out_uint16_le(s, g_width);
437
out_uint16_le(s, g_height);
438
out_uint16_le(s, 0xca01);
439
out_uint16_le(s, 0xaa03);
440
out_uint32_le(s, keylayout);
441
out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */
443
/* Unicode name of client, padded to 32 bytes */
444
rdp_out_unistr(s, hostname, hostlen);
445
out_uint8s(s, 30 - hostlen);
449
out_uint32_le(s, 12);
450
out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */
452
switch (g_server_bpp)
455
out_uint16_le(s, 0xca01);
458
out_uint16_le(s, 0xca02);
461
out_uint16_le(s, 0xca03);
464
out_uint16_le(s, 0xca04);
470
out_uint8(s, g_server_bpp);
471
out_uint16_le(s, 0x0700);
474
out_uint8s(s, 64); /* End of client info */
476
out_uint16_le(s, SEC_TAG_CLI_4);
477
out_uint16_le(s, 12);
478
out_uint32_le(s, g_console_session ? 0xb : 9);
481
/* Client encryption settings */
482
out_uint16_le(s, SEC_TAG_CLI_CRYPT);
483
out_uint16_le(s, 12); /* length */
484
out_uint32_le(s, g_encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */
485
out_uint32(s, 0); /* Unknown */
487
DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels));
488
if (g_num_channels > 0)
490
out_uint16_le(s, SEC_TAG_CLI_CHANNELS);
491
out_uint16_le(s, g_num_channels * 12 + 8); /* length */
492
out_uint32_le(s, g_num_channels); /* number of virtual channels */
493
for (i = 0; i < g_num_channels; i++)
495
DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name));
496
out_uint8a(s, g_channels[i].name, 8);
497
out_uint32_be(s, g_channels[i].flags);
504
/* Parse a public key structure */
506
sec_parse_public_key(STREAM s, uint8 ** modulus, uint8 ** exponent)
508
uint32 magic, modulus_len;
510
in_uint32_le(s, magic);
511
if (magic != SEC_RSA_MAGIC)
513
error("RSA magic 0x%x\n", magic);
517
in_uint32_le(s, modulus_len);
518
if (modulus_len != SEC_MODULUS_SIZE + SEC_PADDING_SIZE)
520
error("modulus len 0x%x\n", modulus_len);
524
in_uint8s(s, 8); /* modulus_bits, unknown */
525
in_uint8p(s, *exponent, SEC_EXPONENT_SIZE);
526
in_uint8p(s, *modulus, SEC_MODULUS_SIZE);
527
in_uint8s(s, SEC_PADDING_SIZE);
533
sec_parse_x509_key(X509 * cert)
535
EVP_PKEY *epk = NULL;
536
/* By some reason, Microsoft sets the OID of the Public RSA key to
537
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
539
Kudos to Richard Levitte for the following (. intiutive .)
540
lines of code that resets the OID and let's us extract the key. */
541
if (OBJ_obj2nid(cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption)
543
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
544
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
546
epk = X509_get_pubkey(cert);
549
error("Failed to extract public key from certificate\n");
553
server_public_key = (RSA *) epk->pkey.ptr;
559
/* Parse a crypto information structure */
561
sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size,
562
uint8 ** server_random, uint8 ** modulus, uint8 ** exponent)
564
uint32 crypt_level, random_len, rsa_info_len;
565
uint32 cacert_len, cert_len, flags;
566
X509 *cacert, *server_cert;
568
uint8 *next_tag, *end;
570
in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */
571
in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
572
if (crypt_level == 0) /* no encryption */
574
in_uint32_le(s, random_len);
575
in_uint32_le(s, rsa_info_len);
577
if (random_len != SEC_RANDOM_SIZE)
579
error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
583
in_uint8p(s, *server_random, random_len);
586
end = s->p + rsa_info_len;
590
in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
593
DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
594
in_uint8s(s, 8); /* unknown */
598
in_uint16_le(s, tag);
599
in_uint16_le(s, length);
601
next_tag = s->p + length;
606
if (!sec_parse_public_key(s, modulus, exponent))
608
DEBUG_RDP5(("Got Public key, RDP4-style\n"));
613
/* Is this a Microsoft key that we just got? */
614
/* Care factor: zero! */
615
/* Actually, it would probably be a good idea to check if the public key is signed with this key, and then store this
616
key as a known key of the hostname. This would prevent some MITM-attacks. */
620
unimpl("crypt tag 0x%x\n", tag);
630
DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
631
in_uint32_le(s, certcount); /* Number of certificates */
635
error("Server didn't send enough X509 certificates\n");
639
for(; certcount > 2; certcount--)
640
{ /* ignore all the certificates between the root and the signing CA */
644
DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
646
in_uint32_le(s, ignorelen);
647
DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
648
ignorecert = d2i_X509(NULL, &(s->p), ignorelen);
650
if(ignorecert == NULL)
651
{ /* XXX: error out? */
652
DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
655
#ifdef WITH_DEBUG_RDP5
656
DEBUG_RDP5(("cert #%d (ignored):\n",certcount));
657
X509_print_fp(stdout, ignorecert);
661
/* Do da funky X.509 stuffy
663
"How did I find out about this? I looked up and saw a
664
bright light and when I came to I had a scar on my forehead
665
and knew about X.500"
666
- Peter Gutman in a early version of
667
http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
670
in_uint32_le(s, cacert_len);
671
DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len));
672
cacert = d2i_X509(NULL, &(s->p), cacert_len);
673
/* Note: We don't need to move s->p here - d2i_X509 is
674
"kind" enough to do it for us */
677
error("Couldn't load CA Certificate from server\n");
681
/* Currently, we don't use the CA Certificate.
683
*) Verify the server certificate (server_cert) with the
685
*) Store the CA Certificate with the hostname of the
686
server we are connecting to as key, and compare it
687
when we connect the next time, in order to prevent
691
in_uint32_le(s, cert_len);
692
DEBUG_RDP5(("Certificate length is %d\n", cert_len));
693
server_cert = d2i_X509(NULL, &(s->p), cert_len);
694
if (NULL == server_cert)
696
error("Couldn't load Certificate from server\n");
700
in_uint8s(s, 16); /* Padding */
702
/* Note: Verifying the server certificate must be done here,
703
before sec_parse_public_key since we'll have to apply
704
serious violence to the key after this */
706
if (!sec_parse_x509_key(server_cert))
708
DEBUG_RDP5(("Didn't parse X509 correctly\n"));
711
return True; /* There's some garbage here we don't care about */
713
return s_check_end(s);
716
/* Process crypto information blob */
718
sec_process_crypt_info(STREAM s)
720
uint8 *server_random, *modulus, *exponent;
721
uint8 client_random[SEC_RANDOM_SIZE];
723
uint8 inr[SEC_MODULUS_SIZE];
725
if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, &modulus, &exponent))
727
DEBUG(("Failed to parse crypt info\n"));
731
DEBUG(("Generating client random\n"));
732
/* Generate a client random, and hence determine encryption keys */
733
/* This is what the MS client do: */
734
memset(inr, 0, SEC_RANDOM_SIZE);
735
/* *ARIGL!* Plaintext attack, anyone?
737
generate_random(inr);
738
..but that generates connection errors now and then (yes,
739
"now and then". Something like 0 to 3 attempts needed before a
740
successful connection. Nice. Not!
743
generate_random(client_random);
744
if (NULL != server_public_key)
745
{ /* Which means we should use
746
RDP5-style encryption */
748
memcpy(inr + SEC_RANDOM_SIZE, client_random, SEC_RANDOM_SIZE);
749
reverse(inr + SEC_RANDOM_SIZE, SEC_RANDOM_SIZE);
751
RSA_public_encrypt(SEC_MODULUS_SIZE,
752
inr, sec_crypted_random, server_public_key, RSA_NO_PADDING);
754
reverse(sec_crypted_random, SEC_MODULUS_SIZE);
758
{ /* RDP4-style encryption */
759
sec_rsa_encrypt(sec_crypted_random,
760
client_random, SEC_RANDOM_SIZE, modulus, exponent);
762
sec_generate_keys(client_random, server_random, rc4_key_size);
766
/* Process SRV_INFO, find RDP version supported by server */
768
sec_process_srv_info(STREAM s)
770
in_uint16_le(s, g_server_rdp_version);
771
DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version));
772
if (1 == g_server_rdp_version)
777
/* Process connect response data blob */
779
sec_process_mcs_data(STREAM s)
785
in_uint8s(s, 21); /* header (T.124 stuff, probably) */
790
while (s->p < s->end)
792
in_uint16_le(s, tag);
793
in_uint16_le(s, length);
798
next_tag = s->p + length - 4;
802
case SEC_TAG_SRV_INFO:
803
sec_process_srv_info(s);
806
case SEC_TAG_SRV_CRYPT:
807
sec_process_crypt_info(s);
810
case SEC_TAG_SRV_CHANNELS:
811
/* FIXME: We should parse this information and
812
use it to map RDP5 channels to MCS
817
unimpl("response tag 0x%x\n", tag);
824
/* Receive secure transport packet */
832
while ((s = mcs_recv(&channel)) != NULL)
834
if (g_encryption || !g_licence_issued)
836
in_uint32_le(s, sec_flags);
838
if (sec_flags & SEC_ENCRYPT)
840
in_uint8s(s, 8); /* signature */
841
sec_decrypt(s->p, s->end - s->p);
844
if (sec_flags & SEC_LICENCE_NEG)
851
if (channel != MCS_GLOBAL_CHANNEL)
853
channel_process(s, channel);
863
/* Establish a secure connection */
865
sec_connect(char *server, char *username)
867
struct stream mcs_data;
869
/* We exchange some RDP data during the MCS-Connect */
871
mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size);
872
sec_out_mcs_data(&mcs_data);
874
if (!mcs_connect(server, &mcs_data, username))
877
/* sec_process_mcs_data(&mcs_data); */
880
xfree(mcs_data.data);
884
/* Disconnect a connection */