1 /* -*- c-basic-offset: 8 -*-
2 rdesktop: A Remote Desktop Protocol client.
3 Protocol services - RDP encryption and licensing
4 Copyright (C) Matthew Chapman 1999-2002
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include <openssl/rc4.h>
24 #include <openssl/md5.h>
25 #include <openssl/sha.h>
26 #include <openssl/bn.h>
27 #include <openssl/x509v3.h>
29 extern char hostname[16];
33 extern BOOL g_encryption;
34 extern BOOL g_licence_issued;
35 extern BOOL g_use_rdp5;
36 extern BOOL g_console_session;
37 extern int g_server_bpp;
38 extern uint16 mcs_userid;
39 extern VCHANNEL g_channels[];
40 extern unsigned int g_num_channels;
42 static int rc4_key_len;
43 static RC4_KEY rc4_decrypt_key;
44 static RC4_KEY rc4_encrypt_key;
45 static RSA *server_public_key;
47 static uint8 sec_sign_key[16];
48 static uint8 sec_decrypt_key[16];
49 static uint8 sec_encrypt_key[16];
50 static uint8 sec_decrypt_update_key[16];
51 static uint8 sec_encrypt_update_key[16];
52 static uint8 sec_crypted_random[SEC_MODULUS_SIZE];
54 uint16 g_server_rdp_version = 0;
57 * General purpose 48-byte transformation, using two 32-byte salts (generally,
58 * a client and server salt) and a global salt value used for padding.
59 * Both SHA1 and MD5 algorithms are used.
62 sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt)
70 for (i = 0; i < 3; i++)
72 memset(pad, salt + i, i + 1);
75 SHA1_Update(&sha, pad, i + 1);
76 SHA1_Update(&sha, in, 48);
77 SHA1_Update(&sha, salt1, 32);
78 SHA1_Update(&sha, salt2, 32);
79 SHA1_Final(shasig, &sha);
82 MD5_Update(&md5, in, 48);
83 MD5_Update(&md5, shasig, 20);
84 MD5_Final(&out[i * 16], &md5);
89 * Weaker 16-byte transformation, also using two 32-byte salts, but
90 * only using a single round of MD5.
93 sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2)
98 MD5_Update(&md5, in, 16);
99 MD5_Update(&md5, salt1, 32);
100 MD5_Update(&md5, salt2, 32);
101 MD5_Final(out, &md5);
104 /* Reduce key entropy from 64 to 40 bits */
106 sec_make_40bit(uint8 * key)
113 /* Generate a session key and RC4 keys, given client and server randoms */
115 sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size)
117 uint8 session_key[48];
121 /* Construct input data to hash */
122 memcpy(input, client_key, 24);
123 memcpy(input + 24, server_key, 24);
125 /* Generate session key - two rounds of sec_hash_48 */
126 sec_hash_48(temp_hash, input, client_key, server_key, 65);
127 sec_hash_48(session_key, temp_hash, client_key, server_key, 88);
129 /* Store first 16 bytes of session key, for generating signatures */
130 memcpy(sec_sign_key, session_key, 16);
132 /* Generate RC4 keys */
133 sec_hash_16(sec_decrypt_key, &session_key[16], client_key, server_key);
134 sec_hash_16(sec_encrypt_key, &session_key[32], client_key, server_key);
136 if (rc4_key_size == 1)
138 DEBUG(("40-bit encryption enabled\n"));
139 sec_make_40bit(sec_sign_key);
140 sec_make_40bit(sec_decrypt_key);
141 sec_make_40bit(sec_encrypt_key);
146 DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
150 /* Save initial RC4 keys as update keys */
151 memcpy(sec_decrypt_update_key, sec_decrypt_key, 16);
152 memcpy(sec_encrypt_update_key, sec_encrypt_key, 16);
154 /* Initialise RC4 state arrays */
155 RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
156 RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
159 static uint8 pad_54[40] = {
160 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
162 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54,
166 static uint8 pad_92[48] = {
167 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
168 92, 92, 92, 92, 92, 92, 92,
169 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92,
170 92, 92, 92, 92, 92, 92, 92
173 /* Output a uint32 into a buffer (little-endian) */
175 buf_out_uint32(uint8 * buffer, uint32 value)
177 buffer[0] = (value) & 0xff;
178 buffer[1] = (value >> 8) & 0xff;
179 buffer[2] = (value >> 16) & 0xff;
180 buffer[3] = (value >> 24) & 0xff;
183 /* Generate a signature hash, using a combination of SHA1 and MD5 */
185 sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen)
193 buf_out_uint32(lenhdr, datalen);
196 SHA1_Update(&sha, session_key, keylen);
197 SHA1_Update(&sha, pad_54, 40);
198 SHA1_Update(&sha, lenhdr, 4);
199 SHA1_Update(&sha, data, datalen);
200 SHA1_Final(shasig, &sha);
203 MD5_Update(&md5, session_key, keylen);
204 MD5_Update(&md5, pad_92, 48);
205 MD5_Update(&md5, shasig, 20);
206 MD5_Final(md5sig, &md5);
208 memcpy(signature, md5sig, siglen);
211 /* Update an encryption key - similar to the signing process */
213 sec_update(uint8 * key, uint8 * update_key)
221 SHA1_Update(&sha, update_key, rc4_key_len);
222 SHA1_Update(&sha, pad_54, 40);
223 SHA1_Update(&sha, key, rc4_key_len);
224 SHA1_Final(shasig, &sha);
227 MD5_Update(&md5, update_key, rc4_key_len);
228 MD5_Update(&md5, pad_92, 48);
229 MD5_Update(&md5, shasig, 20);
230 MD5_Final(key, &md5);
232 RC4_set_key(&update, rc4_key_len, key);
233 RC4(&update, rc4_key_len, key, key);
235 if (rc4_key_len == 8)
239 /* Encrypt data using RC4 */
241 sec_encrypt(uint8 * data, int length)
243 static int use_count;
245 if (use_count == 4096)
247 sec_update(sec_encrypt_key, sec_encrypt_update_key);
248 RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key);
252 RC4(&rc4_encrypt_key, length, data, data);
256 /* Decrypt data using RC4 */
258 sec_decrypt(uint8 * data, int length)
260 static int use_count;
262 if (use_count == 4096)
264 sec_update(sec_decrypt_key, sec_decrypt_update_key);
265 RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key);
269 RC4(&rc4_decrypt_key, length, data, data);
274 reverse(uint8 * p, int len)
279 for (i = 0, j = len - 1; i < j; i++, j--)
287 /* Perform an RSA public key encryption operation */
289 sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint8 * modulus, uint8 * exponent)
292 BIGNUM mod, exp, x, y;
293 uint8 inr[SEC_MODULUS_SIZE];
296 reverse(modulus, SEC_MODULUS_SIZE);
297 reverse(exponent, SEC_EXPONENT_SIZE);
298 memcpy(inr, in, len);
307 BN_bin2bn(modulus, SEC_MODULUS_SIZE, &mod);
308 BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp);
309 BN_bin2bn(inr, len, &x);
310 BN_mod_exp(&y, &x, &exp, &mod, ctx);
311 outlen = BN_bn2bin(&y, out);
312 reverse(out, outlen);
313 if (outlen < SEC_MODULUS_SIZE)
314 memset(out + outlen, 0, SEC_MODULUS_SIZE - outlen);
323 /* Initialise secure transport packet */
325 sec_init(uint32 flags, int maxlen)
330 /*if (!g_licence_issued) */
331 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4;
333 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; */
334 s = mcs_init(maxlen + hdrlen);
335 s_push_layer(s, sec_hdr, hdrlen);
340 /* Transmit secure transport packet over specified channel */
342 sec_send_to_channel(STREAM s, uint32 flags, uint16 channel)
346 DEBUG(("sending packet to channel %u", channel));
348 s_pop_layer(s, sec_hdr);
349 // if (!g_licence_issued || (flags & SEC_ENCRYPT))
350 out_uint32_le(s, flags);
352 if (flags & SEC_ENCRYPT)
354 flags &= ~SEC_ENCRYPT;
355 datalen = s->end - s->p - 8;
358 DEBUG(("Sending encrypted packet:\n"));
359 hexdump(s->p + 8, datalen);
362 sec_sign(s->p, 8, sec_sign_key, rc4_key_len, s->p + 8, datalen);
363 sec_encrypt(s->p + 8, datalen);
366 mcs_send_to_channel(s, channel);
369 /* Transmit secure transport packet */
372 sec_send(STREAM s, uint32 flags)
374 sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL);
378 /* Transfer the client random to the server */
380 sec_establish_key(void)
382 uint32 length = SEC_MODULUS_SIZE + SEC_PADDING_SIZE;
383 uint32 flags = SEC_CLIENT_RANDOM;
386 s = sec_init(flags, 76);
388 out_uint32_le(s, length);
389 out_uint8p(s, sec_crypted_random, SEC_MODULUS_SIZE);
390 out_uint8s(s, SEC_PADDING_SIZE);
396 /* Parse a public key structure */
398 sec_parse_public_key(STREAM s, uint8 ** modulus, uint8 ** exponent)
400 uint32 magic, modulus_len;
402 in_uint32_le(s, magic);
403 if (magic != SEC_RSA_MAGIC)
405 error("RSA magic 0x%x\n", magic);
409 in_uint32_le(s, modulus_len);
410 if (modulus_len != SEC_MODULUS_SIZE + SEC_PADDING_SIZE)
412 error("modulus len 0x%x\n", modulus_len);
416 in_uint8s(s, 8); /* modulus_bits, unknown */
417 in_uint8p(s, *exponent, SEC_EXPONENT_SIZE);
418 in_uint8p(s, *modulus, SEC_MODULUS_SIZE);
419 in_uint8s(s, SEC_PADDING_SIZE);
425 sec_parse_x509_key(X509 * cert)
427 EVP_PKEY *epk = NULL;
428 /* By some reason, Microsoft sets the OID of the Public RSA key to
429 the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
431 Kudos to Richard Levitte for the following (. intiutive .)
432 lines of code that resets the OID and let's us extract the key. */
433 if (OBJ_obj2nid(cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption)
435 DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
436 cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
438 epk = X509_get_pubkey(cert);
441 error("Failed to extract public key from certificate\n");
445 server_public_key = (RSA *) epk->pkey.ptr;
451 /* Parse a crypto information structure */
453 sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size,
454 uint8 ** server_random, uint8 ** modulus, uint8 ** exponent)
456 uint32 crypt_level, random_len, rsa_info_len;
457 uint32 cacert_len, cert_len, flags;
458 X509 *cacert, *server_cert;
460 uint8 *next_tag, *end;
462 in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */
463 in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
464 if (crypt_level == 0) /* no encryption */
466 in_uint32_le(s, random_len);
467 in_uint32_le(s, rsa_info_len);
469 if (random_len != SEC_RANDOM_SIZE)
471 error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
475 in_uint8p(s, *server_random, random_len);
478 end = s->p + rsa_info_len;
482 in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
485 DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
486 in_uint8s(s, 8); /* unknown */
490 in_uint16_le(s, tag);
491 in_uint16_le(s, length);
493 next_tag = s->p + length;
498 if (!sec_parse_public_key(s, modulus, exponent))
500 DEBUG_RDP5(("Got Public key, RDP4-style\n"));
505 /* Is this a Microsoft key that we just got? */
506 /* Care factor: zero! */
507 /* Actually, it would probably be a good idea to check if the public key is signed with this key, and then store this
508 key as a known key of the hostname. This would prevent some MITM-attacks. */
512 unimpl("crypt tag 0x%x\n", tag);
522 DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
523 in_uint32_le(s, certcount); /* Number of certificates */
527 error("Server didn't send enough X509 certificates\n");
531 for(; certcount > 2; certcount--)
532 { /* ignore all the certificates between the root and the signing CA */
536 DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
538 in_uint32_le(s, ignorelen);
539 DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
540 ignorecert = d2i_X509(NULL, &(s->p), ignorelen);
542 if(ignorecert == NULL)
543 { /* XXX: error out? */
544 DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n"));
547 #ifdef WITH_DEBUG_RDP5
548 DEBUG_RDP5(("cert #%d (ignored):\n",certcount));
549 X509_print_fp(stdout, ignorecert);
553 /* Do da funky X.509 stuffy
555 "How did I find out about this? I looked up and saw a
556 bright light and when I came to I had a scar on my forehead
557 and knew about X.500"
558 - Peter Gutman in a early version of
559 http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
562 in_uint32_le(s, cacert_len);
563 DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len));
564 cacert = d2i_X509(NULL, &(s->p), cacert_len);
565 /* Note: We don't need to move s->p here - d2i_X509 is
566 "kind" enough to do it for us */
569 error("Couldn't load CA Certificate from server\n");
573 /* Currently, we don't use the CA Certificate.
575 *) Verify the server certificate (server_cert) with the
577 *) Store the CA Certificate with the hostname of the
578 server we are connecting to as key, and compare it
579 when we connect the next time, in order to prevent
583 in_uint32_le(s, cert_len);
584 DEBUG_RDP5(("Certificate length is %d\n", cert_len));
585 server_cert = d2i_X509(NULL, &(s->p), cert_len);
586 if (NULL == server_cert)
588 error("Couldn't load Certificate from server\n");
592 in_uint8s(s, 16); /* Padding */
594 /* Note: Verifying the server certificate must be done here,
595 before sec_parse_public_key since we'll have to apply
596 serious violence to the key after this */
598 if (!sec_parse_x509_key(server_cert))
600 DEBUG_RDP5(("Didn't parse X509 correctly\n"));
603 return True; /* There's some garbage here we don't care about */
605 return s_check_end(s);
608 /* Process crypto information blob */
610 sec_process_crypt_info(STREAM s)
612 uint8 *server_random, *modulus, *exponent;
613 uint8 client_random[SEC_RANDOM_SIZE];
615 uint8 inr[SEC_MODULUS_SIZE];
617 if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, &modulus, &exponent))
619 DEBUG(("Failed to parse crypt info\n"));
623 DEBUG(("Generating client random\n"));
624 /* Generate a client random, and hence determine encryption keys */
625 /* This is what the MS client do: */
626 memset(inr, 0, SEC_RANDOM_SIZE);
627 /* *ARIGL!* Plaintext attack, anyone?
629 generate_random(inr);
630 ..but that generates connection errors now and then (yes,
631 "now and then". Something like 0 to 3 attempts needed before a
632 successful connection. Nice. Not!
635 generate_random(client_random);
636 if (NULL != server_public_key)
637 { /* Which means we should use
638 RDP5-style encryption */
640 memcpy(inr + SEC_RANDOM_SIZE, client_random, SEC_RANDOM_SIZE);
641 reverse(inr + SEC_RANDOM_SIZE, SEC_RANDOM_SIZE);
643 RSA_public_encrypt(SEC_MODULUS_SIZE,
644 inr, sec_crypted_random, server_public_key, RSA_NO_PADDING);
646 reverse(sec_crypted_random, SEC_MODULUS_SIZE);
650 { /* RDP4-style encryption */
651 sec_rsa_encrypt(sec_crypted_random,
652 client_random, SEC_RANDOM_SIZE, modulus, exponent);
654 sec_generate_keys(client_random, server_random, rc4_key_size);
658 /* Process SRV_INFO, find RDP version supported by server */
660 sec_process_srv_info(STREAM s)
662 in_uint16_le(s, g_server_rdp_version);
663 DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version));
664 /* if (1 == g_server_rdp_version)
669 /* Process connect response data blob */
671 sec_process_mcs_data(STREAM s)
677 in_uint8s(s, 21); /* header (T.124 stuff, probably) */
682 while (s->p < s->end)
684 in_uint16_le(s, tag);
685 in_uint16_le(s, length);
690 next_tag = s->p + length - 4;
694 case SEC_TAG_SRV_INFO:
695 sec_process_srv_info(s);
698 case SEC_TAG_SRV_CRYPT:
699 sec_process_crypt_info(s);
702 case SEC_TAG_SRV_CHANNELS:
703 /* FIXME: We should parse this information and
704 use it to map RDP5 channels to MCS
709 unimpl("response tag 0x%x\n", tag);
716 /* Receive secure transport packet */
724 while ((s = mcs_recv(&channel)) != NULL)
726 if (/*g_encryption || !g_licence_issued*/ 1)
728 in_uint32_le(s, sec_flags);
729 printf("sec_flags=%x\n", sec_flags);
731 if (sec_flags & SEC_ENCRYPT)
734 in_uint8s(s, 8); /* signature */
735 sec_decrypt(s->p, s->end - s->p);
738 if (sec_flags & SEC_LICENCE_NEG)
740 printf("SEC_LICENSE_NEG unknown\n");
741 //licence_process(s);
745 if (sec_flags & SEC_LOGON_INFO)
747 printf("Received logon packet!\n");
748 rdp_get_logon_info(s);
752 printf("Received MCS data on ch %u\n", channel);
753 if (channel != MCS_GLOBAL_CHANNEL)
755 channel_process(s, channel);
765 /* Disconnect a connection */