1 /* -*- c-basic-offset: 8 -*-
2 rdesktop: A Remote Desktop Protocol client.
3 Protocol services - RDP encryption and licensing
4 Copyright (C) Matthew Chapman 1999-2002
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include <openssl/rc4.h>
24 #include <openssl/md5.h>
25 #include <openssl/sha.h>
26 #include <openssl/bn.h>
27 #include <openssl/x509v3.h>
29 extern char hostname[16];
33 extern BOOL g_encryption;
34 extern BOOL g_licence_issued;
35 extern BOOL g_use_rdp5;
36 extern BOOL g_console_session;
37 extern int g_server_bpp;
38 extern uint16 mcs_userid;
39 extern VCHANNEL g_channels[];
40 extern unsigned int g_num_channels;
42 static int rc4_key_len;
43 static RC4_KEY rc4_decrypt_key;
44 static RC4_KEY rc4_encrypt_key;
45 static RSA *server_public_key;
47 static uint8 sec_sign_key[16];
48 static uint8 sec_decrypt_key[16];
49 static uint8 sec_encrypt_key[16];
50 static uint8 sec_decrypt_update_key[16];
51 static uint8 sec_encrypt_update_key[16];
52 static uint8 sec_crypted_random[SEC_MODULUS_SIZE];
56 uint16 g_server_rdp_version = 0;
59 * General purpose 48-byte transformation, using two 32-byte salts (generally,
60 * a client and server salt) and a global salt value used for padding.
61 * Both SHA1 and MD5 algorithms are used.
64 sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt)
72 for (i = 0; i < 3; i++)
74 memset(pad, salt + i, i + 1);
77 SHA1_Update(&sha, pad, i + 1);
78 SHA1_Update(&sha, in, 48);
79 SHA1_Update(&sha, salt1, 32);
80 SHA1_Update(&sha, salt2, 32);
81 SHA1_Final(shasig, &sha);
84 MD5_Update(&md5, in, 48);
85 MD5_Update(&md5, shasig, 20);
86 MD5_Final(&out[i * 16], &md5);
91 * Weaker 16-byte transformation, also using two 32-byte salts, but
92 * only using a single round of MD5.
95 sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2)
100 MD5_Update(&md5, in, 16);
101 MD5_Update(&md5, salt1, 32);
102 MD5_Update(&md5, salt2, 32);
103 MD5_Final(out, &md5);
106 /* Reduce key entropy from 64 to 40 bits */
108 sec_make_40bit(uint8 * key)
115 /* Generate a session key and RC4 keys, given client and server randoms */
117 sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size)
119 uint8 session_key[48];
123 /* Construct input data to hash */
124 memcpy(input, client_key, 24);
125 memcpy(input + 24, server_key, 24);
127 /* Generate session key - two rounds of sec_hash_48 */
128 sec_hash_48(temp_hash, input, client_key, server_key, 65);
129 sec_hash_48(session_key, temp_hash, client_key, server_key, 88);
131 /* Store first 16 bytes of session key, for generating signatures */
132 memcpy(sec_sign_key, session_key, 16);
134 /* Generate RC4 keys */
135 sec_hash_16(sec_decrypt_key, &session_key[16], client_key, server_key);
136 sec_hash_16(sec_encrypt_key, &session_key[32], client_key, server_key);
138 if (rc4_key_size == 1)
140 DEBUG(("40-bit encryption enabled\n"));
141 sec_make_40bit(sec_sign_key);
142 sec_make_40bit(sec_decrypt_key);
143 sec_make_40bit(sec_encrypt_key);
148 DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
152 /* Save initial RC4 keys as update keys */
153 memcpy(sec_decrypt_update_key, sec_decrypt_key, 16);
154 memcpy(sec_encrypt_update_key, sec_encrypt_key, 16);
156 /* Initialise RC4 state arrays */
157 RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
158 RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
161 static uint8 pad_54[40] = {
162 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
164 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
168 static uint8 pad_92[48] = {
169 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
170 92, 92, 92, 92, 92, 92, 92,
171 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
172 92, 92, 92, 92, 92, 92, 92
175 /* Output a uint32 into a buffer (little-endian) */
177 buf_out_uint32(uint8 * buffer, uint32 value)
179 buffer[0] = (value) & 0xff;
180 buffer[1] = (value >> 8) & 0xff;
181 buffer[2] = (value >> 16) & 0xff;
182 buffer[3] = (value >> 24) & 0xff;
185 /* Generate a signature hash, using a combination of SHA1 and MD5 */
187 sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen)
195 buf_out_uint32(lenhdr, datalen);
198 SHA1_Update(&sha, session_key, keylen);
199 SHA1_Update(&sha, pad_54, 40);
200 SHA1_Update(&sha, lenhdr, 4);
201 SHA1_Update(&sha, data, datalen);
202 SHA1_Final(shasig, &sha);
205 MD5_Update(&md5, session_key, keylen);
206 MD5_Update(&md5, pad_92, 48);
207 MD5_Update(&md5, shasig, 20);
208 MD5_Final(md5sig, &md5);
210 memcpy(signature, md5sig, siglen);
213 /* Update an encryption key - similar to the signing process */
215 sec_update(uint8 * key, uint8 * update_key)
223 SHA1_Update(&sha, update_key, rc4_key_len);
224 SHA1_Update(&sha, pad_54, 40);
225 SHA1_Update(&sha, key, rc4_key_len);
226 SHA1_Final(shasig, &sha);
229 MD5_Update(&md5, update_key, rc4_key_len);
230 MD5_Update(&md5, pad_92, 48);
231 MD5_Update(&md5, shasig, 20);
232 MD5_Final(key, &md5);
234 RC4_set_key(&update, rc4_key_len, key);
235 RC4(&update, rc4_key_len, key, key);
237 if (rc4_key_len == 8)
241 /* Encrypt data using RC4 */
243 sec_encrypt(uint8 * data, int length)
245 static int use_count;
247 if (use_count == 4096)
249 sec_update(sec_encrypt_key, sec_encrypt_update_key);
250 RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
254 RC4(&rc4_encrypt_key, length, data, data);
258 /* Decrypt data using RC4 */
260 sec_decrypt(uint8 * data, int length)
262 static int use_count;
264 if (use_count == 4096)
266 sec_update(sec_decrypt_key, sec_decrypt_update_key);
267 RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
271 RC4(&rc4_decrypt_key, length, data, data);
276 reverse(uint8 * p, int len)
281 for (i = 0, j = len - 1; i < j; i++, j--)
289 /* Perform an RSA public key encryption operation */
291 sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint8 * modulus, uint8 * exponent)
294 BIGNUM mod, exp, x, y;
295 uint8 inr[SEC_MODULUS_SIZE];
298 reverse(modulus, SEC_MODULUS_SIZE);
299 reverse(exponent, SEC_EXPONENT_SIZE);
300 memcpy(inr, in, len);
309 BN_bin2bn(modulus, SEC_MODULUS_SIZE, &mod);
310 BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp);
311 BN_bin2bn(inr, len, &x);
312 BN_mod_exp(&y, &x, &exp, &mod, ctx);
313 outlen = BN_bn2bin(&y, out);
314 reverse(out, outlen);
315 if (outlen < SEC_MODULUS_SIZE)
316 memset(out + outlen, 0, SEC_MODULUS_SIZE - outlen);
325 /* Initialise secure transport packet */
327 sec_init(uint32 flags, int maxlen)
332 /*if (!g_licence_issued) */
333 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4;
335 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; */
336 s = mcs_init(maxlen + hdrlen);
337 s_push_layer(s, sec_hdr, hdrlen);
342 /* Transmit secure transport packet over specified channel */
344 sec_send_to_channel(STREAM s, uint32 flags, uint16 channel)
348 // DEBUG(("sending packet to channel %u\n", channel));
350 s_pop_layer(s, sec_hdr);
351 // if (!g_licence_issued || (flags & SEC_ENCRYPT))
352 out_uint32_le(s, flags);
354 if (flags & SEC_ENCRYPT)
356 flags &= ~SEC_ENCRYPT;
357 datalen = s->end - s->p - 8;
360 DEBUG(("Sending encrypted packet:\n"));
361 hexdump(s->p + 8, datalen);
364 sec_sign(s->p, 8, sec_sign_key, rc4_key_len, s->p + 8, datalen);
365 sec_encrypt(s->p + 8, datalen);
368 mcs_send_to_channel(s, channel);
371 /* Transmit secure transport packet */
374 sec_send(STREAM s, uint32 flags)
376 sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL);
380 /* Transfer the client random to the server */
382 sec_establish_key(void)
384 uint32 length = SEC_MODULUS_SIZE + SEC_PADDING_SIZE;
385 uint32 flags = SEC_CLIENT_RANDOM;
388 s = sec_init(flags, 76);
390 out_uint32_le(s, length);
391 out_uint8p(s, sec_crypted_random, SEC_MODULUS_SIZE);
392 out_uint8s(s, SEC_PADDING_SIZE);
398 /* Parse a public key structure */
400 sec_parse_public_key(STREAM s, uint8 ** modulus, uint8 ** exponent)
402 uint32 magic, modulus_len;
404 in_uint32_le(s, magic);
405 if (magic != SEC_RSA_MAGIC)
407 error("RSA magic 0x%x\n", magic);
411 in_uint32_le(s, modulus_len);
412 if (modulus_len != SEC_MODULUS_SIZE + SEC_PADDING_SIZE)
414 error("modulus len 0x%x\n", modulus_len);
418 in_uint8s(s, 8); /* modulus_bits, unknown */
419 in_uint8p(s, *exponent, SEC_EXPONENT_SIZE);
420 in_uint8p(s, *modulus, SEC_MODULUS_SIZE);
421 in_uint8s(s, SEC_PADDING_SIZE);
427 sec_parse_x509_key(X509 * cert)
429 EVP_PKEY *epk = NULL;
430 /* By some reason, Microsoft sets the OID of the Public RSA key to
431 the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
433 Kudos to Richard Levitte for the following (. intiutive .)
434 lines of code that resets the OID and let's us extract the key. */
435 if (OBJ_obj2nid(cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption)
437 DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
438 cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
440 epk = X509_get_pubkey(cert);
443 error("Failed to extract public key from certificate\n");
447 server_public_key = (RSA *) epk->pkey.ptr;
453 /* Parse a crypto information structure */
455 sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size,
456 uint8 ** server_random, uint8 ** modulus, uint8 ** exponent)
458 uint32 crypt_level, random_len, rsa_info_len;
459 uint32 cacert_len, cert_len, flags;
460 X509 *cacert, *server_cert;
462 uint8 *next_tag, *end;
464 in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */
465 in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
466 if (crypt_level == 0) /* no encryption */
468 in_uint32_le(s, random_len);
469 in_uint32_le(s, rsa_info_len);
471 if (random_len != SEC_RANDOM_SIZE)
473 error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
477 in_uint8p(s, *server_random, random_len);
480 end = s->p + rsa_info_len;
484 in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
487 DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
488 in_uint8s(s, 8); /* unknown */
492 in_uint16_le(s, tag);
493 in_uint16_le(s, length);
495 next_tag = s->p + length;
500 if (!sec_parse_public_key(s, modulus, exponent))
502 DEBUG_RDP5(("Got Public key, RDP4-style\n"));
507 /* Is this a Microsoft key that we just got? */
508 /* Care factor: zero! */
509 /* Actually, it would probably be a good idea to check if the public key is signed with this key, and then store this
510 key as a known key of the hostname. This would prevent some MITM-attacks. */
514 unimpl("crypt tag 0x%x\n", tag);
524 DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
525 in_uint32_le(s, certcount); /* Number of certificates */
529 error("Server didn't send enough X509 certificates\n");
533 for(; certcount > 2; certcount--)
534 { /* ignore all the certificates between the root and the signing CA */
538 DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
540 in_uint32_le(s, ignorelen);
541 DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
542 ignorecert = d2i_X509(NULL, &(s->p), ignorelen);
544 if(ignorecert == NULL)
545 { /* XXX: error out? */
546 DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
549 #ifdef WITH_DEBUG_RDP5
550 DEBUG_RDP5(("cert #%d (ignored):\n",certcount));
551 X509_print_fp(stdout, ignorecert);
555 /* Do da funky X.509 stuffy
557 "How did I find out about this? I looked up and saw a
558 bright light and when I came to I had a scar on my forehead
559 and knew about X.500"
560 - Peter Gutman in a early version of
561 http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
564 in_uint32_le(s, cacert_len);
565 DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len));
566 cacert = d2i_X509(NULL, &(s->p), cacert_len);
567 /* Note: We don't need to move s->p here - d2i_X509 is
568 "kind" enough to do it for us */
571 error("Couldn't load CA Certificate from server\n");
575 /* Currently, we don't use the CA Certificate.
577 *) Verify the server certificate (server_cert) with the
579 *) Store the CA Certificate with the hostname of the
580 server we are connecting to as key, and compare it
581 when we connect the next time, in order to prevent
585 in_uint32_le(s, cert_len);
586 DEBUG_RDP5(("Certificate length is %d\n", cert_len));
587 server_cert = d2i_X509(NULL, &(s->p), cert_len);
588 if (NULL == server_cert)
590 error("Couldn't load Certificate from server\n");
594 in_uint8s(s, 16); /* Padding */
596 /* Note: Verifying the server certificate must be done here,
597 before sec_parse_public_key since we'll have to apply
598 serious violence to the key after this */
600 if (!sec_parse_x509_key(server_cert))
602 DEBUG_RDP5(("Didn't parse X509 correctly\n"));
605 return True; /* There's some garbage here we don't care about */
607 return s_check_end(s);
610 /* Process crypto information blob */
612 sec_process_crypt_info(STREAM s)
614 uint8 *server_random, *modulus, *exponent;
615 uint8 client_random[SEC_RANDOM_SIZE];
617 uint8 inr[SEC_MODULUS_SIZE];
619 if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, &modulus, &exponent))
621 DEBUG(("Failed to parse crypt info\n"));
625 DEBUG(("Generating client random\n"));
626 /* Generate a client random, and hence determine encryption keys */
627 /* This is what the MS client do: */
628 memset(inr, 0, SEC_RANDOM_SIZE);
629 /* *ARIGL!* Plaintext attack, anyone?
631 generate_random(inr);
632 ..but that generates connection errors now and then (yes,
633 "now and then". Something like 0 to 3 attempts needed before a
634 successful connection. Nice. Not!
637 generate_random(client_random);
638 if (NULL != server_public_key)
639 { /* Which means we should use
640 RDP5-style encryption */
642 memcpy(inr + SEC_RANDOM_SIZE, client_random, SEC_RANDOM_SIZE);
643 reverse(inr + SEC_RANDOM_SIZE, SEC_RANDOM_SIZE);
645 RSA_public_encrypt(SEC_MODULUS_SIZE,
646 inr, sec_crypted_random, server_public_key, RSA_NO_PADDING);
648 reverse(sec_crypted_random, SEC_MODULUS_SIZE);
652 { /* RDP4-style encryption */
653 sec_rsa_encrypt(sec_crypted_random,
654 client_random, SEC_RANDOM_SIZE, modulus, exponent);
656 sec_generate_keys(client_random, server_random, rc4_key_size);
660 /* Process SRV_INFO, find RDP version supported by server */
662 sec_process_srv_info(STREAM s)
664 in_uint16_le(s, g_server_rdp_version);
665 DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version));
666 /* if (1 == g_server_rdp_version)
671 /* Process connect response data blob */
673 sec_process_mcs_data(STREAM s)
679 in_uint8s(s, 21); /* header (T.124 stuff, probably) */
684 while (s->p < s->end)
686 in_uint16_le(s, tag);
687 in_uint16_le(s, length);
692 next_tag = s->p + length - 4;
696 case SEC_TAG_SRV_INFO:
697 sec_process_srv_info(s);
700 case SEC_TAG_SRV_CRYPT:
701 sec_process_crypt_info(s);
704 case SEC_TAG_SRV_CHANNELS:
705 /* FIXME: We should parse this information and
706 use it to map RDP5 channels to MCS
711 unimpl("response tag 0x%x\n", tag);
718 /* Receive secure transport packet */
726 while ((s = mcs_recv(&channel)) != NULL)
728 if (/*g_encryption || !g_licence_issued*/ 1)
730 in_uint32_le(s, sec_flags);
731 printf("sec_flags=%x\n", sec_flags);
733 if (sec_flags & SEC_ENCRYPT)
736 in_uint8s(s, 8); /* signature */
737 sec_decrypt(s->p, s->end - s->p);
740 if (sec_flags & SEC_LICENCE_NEG)
742 printf("SEC_LICENSE_NEG unknown\n");
743 //licence_process(s);
747 if (sec_flags & SEC_LOGON_INFO)
749 printf("Received logon packet!\n");
750 rdp_get_logon_info(s);
753 if (sec_flags & SEC_CLIENT_RANDOM) {
756 printf("Receiving the client random!\n");
757 in_uint32_le(s, length);
758 if (length != SEC_MODULUS_SIZE + SEC_PADDING_SIZE) {
759 error("Client random was wrong size, %u bytes\n", length);
761 in_uint8a(s, sec_crypted_random, SEC_MODULUS_SIZE);
762 in_uint8s(s, SEC_PADDING_SIZE);
763 if (!s_check_end(s)) {
764 error("Junk after client random\n");
769 printf("Received MCS data on ch %u\n", channel);
770 if (channel != MCS_GLOBAL_CHANNEL)
772 channel_process(s, channel);
782 /* Disconnect a connection */