1 /**
2 * FreeRDP: A Remote Desktop Protocol Implementation
3 * RDP Security
4 *
5 * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
6 * Copyright 2014 Norbert Federa <norbert.federa@thincast.com>
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #ifdef HAVE_CONFIG_H
22 #include "config.h"
23 #endif
24
25 #include "security.h"
26
27 #include <freerdp/log.h>
28 #include <winpr/crypto.h>
29
30 #define TAG FREERDP_TAG("core")
31
32 /* 0x36 repeated 40 times */
33 static const BYTE pad1[40] = { "\x36\x36\x36\x36\x36\x36\x36\x36"
34 "\x36\x36\x36\x36\x36\x36\x36\x36"
35 "\x36\x36\x36\x36\x36\x36\x36\x36"
36 "\x36\x36\x36\x36\x36\x36\x36\x36"
37 "\x36\x36\x36\x36\x36\x36\x36\x36" };
38
39 /* 0x5C repeated 48 times */
40 static const BYTE pad2[48] = { "\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C"
41 "\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C"
42 "\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C"
43 "\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C"
44 "\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C"
45 "\x5C\x5C\x5C\x5C\x5C\x5C\x5C\x5C" };
46
47 static const BYTE fips_reverse_table[256] = {
48 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
49 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
50 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
51 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
52 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
53 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
54 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
55 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
56 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
57 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
58 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
59 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
60 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
61 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
62 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
63 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
64 };
65
66 static const BYTE fips_oddparity_table[256] = {
67 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
68 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
69 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
70 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
71 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
72 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
73 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
74 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
75 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86, 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
76 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97, 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
77 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7, 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
78 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6, 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
79 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7, 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
80 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6, 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
81 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6, 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
82 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7, 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
83 };
84
security_salted_hash(const BYTE * salt,const BYTE * input,int length,const BYTE * salt1,const BYTE * salt2,BYTE * output)85 static BOOL security_salted_hash(const BYTE* salt, const BYTE* input, int length, const BYTE* salt1,
86 const BYTE* salt2, BYTE* output)
87 {
88 WINPR_DIGEST_CTX* sha1 = NULL;
89 WINPR_DIGEST_CTX* md5 = NULL;
90 BYTE sha1_digest[WINPR_SHA1_DIGEST_LENGTH];
91 BOOL result = FALSE;
92
93 /* SaltedHash(Salt, Input, Salt1, Salt2) = MD5(S + SHA1(Input + Salt + Salt1 + Salt2)) */
94
95 /* SHA1_Digest = SHA1(Input + Salt + Salt1 + Salt2) */
96 if (!(sha1 = winpr_Digest_New()))
97 goto out;
98
99 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1))
100 goto out;
101
102 if (!winpr_Digest_Update(sha1, input, length)) /* Input */
103 goto out;
104
105 if (!winpr_Digest_Update(sha1, salt, 48)) /* Salt (48 bytes) */
106 goto out;
107
108 if (!winpr_Digest_Update(sha1, salt1, 32)) /* Salt1 (32 bytes) */
109 goto out;
110
111 if (!winpr_Digest_Update(sha1, salt2, 32)) /* Salt2 (32 bytes) */
112 goto out;
113
114 if (!winpr_Digest_Final(sha1, sha1_digest, sizeof(sha1_digest)))
115 goto out;
116
117 /* SaltedHash(Salt, Input, Salt1, Salt2) = MD5(S + SHA1_Digest) */
118 if (!(md5 = winpr_Digest_New()))
119 goto out;
120
121 /* Allow FIPS override for use of MD5 here, this is used for creating hashes of the
122 * premaster_secret and master_secret */
123 /* used for RDP licensing as described in MS-RDPELE. This is for RDP licensing packets */
124 /* which will already be encrypted under FIPS, so the use of MD5 here is not for sensitive data
125 * protection. */
126 if (!winpr_Digest_Init_Allow_FIPS(md5, WINPR_MD_MD5))
127 goto out;
128
129 if (!winpr_Digest_Update(md5, salt, 48)) /* Salt (48 bytes) */
130 goto out;
131
132 if (!winpr_Digest_Update(md5, sha1_digest, sizeof(sha1_digest))) /* SHA1_Digest */
133 goto out;
134
135 if (!winpr_Digest_Final(md5, output, WINPR_MD5_DIGEST_LENGTH))
136 goto out;
137
138 result = TRUE;
139 out:
140 winpr_Digest_Free(sha1);
141 winpr_Digest_Free(md5);
142 return result;
143 }
144
security_premaster_hash(const char * input,int length,const BYTE * premaster_secret,const BYTE * client_random,const BYTE * server_random,BYTE * output)145 static BOOL security_premaster_hash(const char* input, int length, const BYTE* premaster_secret,
146 const BYTE* client_random, const BYTE* server_random,
147 BYTE* output)
148 {
149 /* PremasterHash(Input) = SaltedHash(PremasterSecret, Input, ClientRandom, ServerRandom) */
150 return security_salted_hash(premaster_secret, (BYTE*)input, length, client_random,
151 server_random, output);
152 }
153
security_master_secret(const BYTE * premaster_secret,const BYTE * client_random,const BYTE * server_random,BYTE * output)154 BOOL security_master_secret(const BYTE* premaster_secret, const BYTE* client_random,
155 const BYTE* server_random, BYTE* output)
156 {
157 /* MasterSecret = PremasterHash('A') + PremasterHash('BB') + PremasterHash('CCC') */
158 return security_premaster_hash("A", 1, premaster_secret, client_random, server_random,
159 &output[0]) &&
160 security_premaster_hash("BB", 2, premaster_secret, client_random, server_random,
161 &output[16]) &&
162 security_premaster_hash("CCC", 3, premaster_secret, client_random, server_random,
163 &output[32]);
164 }
165
security_master_hash(const char * input,int length,const BYTE * master_secret,const BYTE * client_random,const BYTE * server_random,BYTE * output)166 static BOOL security_master_hash(const char* input, int length, const BYTE* master_secret,
167 const BYTE* client_random, const BYTE* server_random, BYTE* output)
168 {
169 /* MasterHash(Input) = SaltedHash(MasterSecret, Input, ServerRandom, ClientRandom) */
170 return security_salted_hash(master_secret, (const BYTE*)input, length, server_random,
171 client_random, output);
172 }
173
security_session_key_blob(const BYTE * master_secret,const BYTE * client_random,const BYTE * server_random,BYTE * output)174 BOOL security_session_key_blob(const BYTE* master_secret, const BYTE* client_random,
175 const BYTE* server_random, BYTE* output)
176 {
177 /* MasterHash = MasterHash('A') + MasterHash('BB') + MasterHash('CCC') */
178 return security_master_hash("A", 1, master_secret, client_random, server_random, &output[0]) &&
179 security_master_hash("BB", 2, master_secret, client_random, server_random,
180 &output[16]) &&
181 security_master_hash("CCC", 3, master_secret, client_random, server_random, &output[32]);
182 }
183
security_mac_salt_key(const BYTE * session_key_blob,const BYTE * client_random,const BYTE * server_random,BYTE * output)184 void security_mac_salt_key(const BYTE* session_key_blob, const BYTE* client_random,
185 const BYTE* server_random, BYTE* output)
186 {
187 /* MacSaltKey = First128Bits(SessionKeyBlob) */
188 memcpy(output, session_key_blob, 16);
189 }
190
security_md5_16_32_32(const BYTE * in0,const BYTE * in1,const BYTE * in2,BYTE * output)191 static BOOL security_md5_16_32_32(const BYTE* in0, const BYTE* in1, const BYTE* in2, BYTE* output)
192 {
193 WINPR_DIGEST_CTX* md5 = NULL;
194 BOOL result = FALSE;
195
196 if (!(md5 = winpr_Digest_New()))
197 return FALSE;
198
199 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
200 goto out;
201
202 if (!winpr_Digest_Update(md5, in0, 16))
203 goto out;
204
205 if (!winpr_Digest_Update(md5, in1, 32))
206 goto out;
207
208 if (!winpr_Digest_Update(md5, in2, 32))
209 goto out;
210
211 if (!winpr_Digest_Final(md5, output, WINPR_MD5_DIGEST_LENGTH))
212 goto out;
213
214 result = TRUE;
215 out:
216 winpr_Digest_Free(md5);
217 return result;
218 }
219
security_md5_16_32_32_Allow_FIPS(const BYTE * in0,const BYTE * in1,const BYTE * in2,BYTE * output)220 static BOOL security_md5_16_32_32_Allow_FIPS(const BYTE* in0, const BYTE* in1, const BYTE* in2,
221 BYTE* output)
222 {
223 WINPR_DIGEST_CTX* md5 = NULL;
224 BOOL result = FALSE;
225
226 if (!(md5 = winpr_Digest_New()))
227 return FALSE;
228 if (!winpr_Digest_Init_Allow_FIPS(md5, WINPR_MD_MD5))
229 goto out;
230 if (!winpr_Digest_Update(md5, in0, 16))
231 goto out;
232 if (!winpr_Digest_Update(md5, in1, 32))
233 goto out;
234 if (!winpr_Digest_Update(md5, in2, 32))
235 goto out;
236 if (!winpr_Digest_Final(md5, output, WINPR_MD5_DIGEST_LENGTH))
237 goto out;
238
239 result = TRUE;
240 out:
241 winpr_Digest_Free(md5);
242 return result;
243 }
244
security_licensing_encryption_key(const BYTE * session_key_blob,const BYTE * client_random,const BYTE * server_random,BYTE * output)245 BOOL security_licensing_encryption_key(const BYTE* session_key_blob, const BYTE* client_random,
246 const BYTE* server_random, BYTE* output)
247 {
248 /* LicensingEncryptionKey = MD5(Second128Bits(SessionKeyBlob) + ClientRandom + ServerRandom))
249 * Allow FIPS use of MD5 here, this is just used for creating the licensing encryption key as
250 * described in MS-RDPELE. This is for RDP licensing packets which will already be encrypted
251 * under FIPS, so the use of MD5 here is not for sensitive data protection. */
252 return security_md5_16_32_32_Allow_FIPS(&session_key_blob[16], client_random, server_random,
253 output);
254 }
255
security_UINT32_le(BYTE * output,UINT32 value)256 static void security_UINT32_le(BYTE* output, UINT32 value)
257 {
258 output[0] = (value)&0xFF;
259 output[1] = (value >> 8) & 0xFF;
260 output[2] = (value >> 16) & 0xFF;
261 output[3] = (value >> 24) & 0xFF;
262 }
263
security_mac_data(const BYTE * mac_salt_key,const BYTE * data,UINT32 length,BYTE * output)264 BOOL security_mac_data(const BYTE* mac_salt_key, const BYTE* data, UINT32 length, BYTE* output)
265 {
266 WINPR_DIGEST_CTX* sha1 = NULL;
267 WINPR_DIGEST_CTX* md5 = NULL;
268 BYTE length_le[4];
269 BYTE sha1_digest[WINPR_SHA1_DIGEST_LENGTH];
270 BOOL result = FALSE;
271 /* MacData = MD5(MacSaltKey + pad2 + SHA1(MacSaltKey + pad1 + length + data)) */
272 security_UINT32_le(length_le, length); /* length must be little-endian */
273
274 /* SHA1_Digest = SHA1(MacSaltKey + pad1 + length + data) */
275 if (!(sha1 = winpr_Digest_New()))
276 goto out;
277
278 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1))
279 goto out;
280
281 if (!winpr_Digest_Update(sha1, mac_salt_key, 16)) /* MacSaltKey */
282 goto out;
283
284 if (!winpr_Digest_Update(sha1, pad1, sizeof(pad1))) /* pad1 */
285 goto out;
286
287 if (!winpr_Digest_Update(sha1, length_le, sizeof(length_le))) /* length */
288 goto out;
289
290 if (!winpr_Digest_Update(sha1, data, length)) /* data */
291 goto out;
292
293 if (!winpr_Digest_Final(sha1, sha1_digest, sizeof(sha1_digest)))
294 goto out;
295
296 /* MacData = MD5(MacSaltKey + pad2 + SHA1_Digest) */
297 if (!(md5 = winpr_Digest_New()))
298 goto out;
299
300 /* Allow FIPS override for use of MD5 here, this is only used for creating the MACData field of
301 * the */
302 /* Client Platform Challenge Response packet (from MS-RDPELE section 2.2.2.5). This is for RDP
303 * licensing packets */
304 /* which will already be encrypted under FIPS, so the use of MD5 here is not for sensitive data
305 * protection. */
306 if (!winpr_Digest_Init_Allow_FIPS(md5, WINPR_MD_MD5))
307 goto out;
308
309 if (!winpr_Digest_Update(md5, mac_salt_key, 16)) /* MacSaltKey */
310 goto out;
311
312 if (!winpr_Digest_Update(md5, pad2, sizeof(pad2))) /* pad2 */
313 goto out;
314
315 if (!winpr_Digest_Update(md5, sha1_digest, sizeof(sha1_digest))) /* SHA1_Digest */
316 goto out;
317
318 if (!winpr_Digest_Final(md5, output, WINPR_MD5_DIGEST_LENGTH))
319 goto out;
320
321 result = TRUE;
322 out:
323 winpr_Digest_Free(sha1);
324 winpr_Digest_Free(md5);
325 return result;
326 }
327
security_mac_signature(rdpRdp * rdp,const BYTE * data,UINT32 length,BYTE * output)328 BOOL security_mac_signature(rdpRdp* rdp, const BYTE* data, UINT32 length, BYTE* output)
329 {
330 WINPR_DIGEST_CTX* sha1 = NULL;
331 WINPR_DIGEST_CTX* md5 = NULL;
332 BYTE length_le[4];
333 BYTE md5_digest[WINPR_MD5_DIGEST_LENGTH];
334 BYTE sha1_digest[WINPR_SHA1_DIGEST_LENGTH];
335 BOOL result = FALSE;
336 security_UINT32_le(length_le, length); /* length must be little-endian */
337
338 /* SHA1_Digest = SHA1(MACKeyN + pad1 + length + data) */
339 if (!(sha1 = winpr_Digest_New()))
340 goto out;
341
342 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1))
343 goto out;
344
345 if (!winpr_Digest_Update(sha1, rdp->sign_key, rdp->rc4_key_len)) /* MacKeyN */
346 goto out;
347
348 if (!winpr_Digest_Update(sha1, pad1, sizeof(pad1))) /* pad1 */
349 goto out;
350
351 if (!winpr_Digest_Update(sha1, length_le, sizeof(length_le))) /* length */
352 goto out;
353
354 if (!winpr_Digest_Update(sha1, data, length)) /* data */
355 goto out;
356
357 if (!winpr_Digest_Final(sha1, sha1_digest, sizeof(sha1_digest)))
358 goto out;
359
360 /* MACSignature = First64Bits(MD5(MACKeyN + pad2 + SHA1_Digest)) */
361 if (!(md5 = winpr_Digest_New()))
362 goto out;
363
364 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
365 goto out;
366
367 if (!winpr_Digest_Update(md5, rdp->sign_key, rdp->rc4_key_len)) /* MacKeyN */
368 goto out;
369
370 if (!winpr_Digest_Update(md5, pad2, sizeof(pad2))) /* pad2 */
371 goto out;
372
373 if (!winpr_Digest_Update(md5, sha1_digest, sizeof(sha1_digest))) /* SHA1_Digest */
374 goto out;
375
376 if (!winpr_Digest_Final(md5, md5_digest, sizeof(md5_digest)))
377 goto out;
378
379 memcpy(output, md5_digest, 8);
380 result = TRUE;
381 out:
382 winpr_Digest_Free(sha1);
383 winpr_Digest_Free(md5);
384 return result;
385 }
386
security_salted_mac_signature(rdpRdp * rdp,const BYTE * data,UINT32 length,BOOL encryption,BYTE * output)387 BOOL security_salted_mac_signature(rdpRdp* rdp, const BYTE* data, UINT32 length, BOOL encryption,
388 BYTE* output)
389 {
390 WINPR_DIGEST_CTX* sha1 = NULL;
391 WINPR_DIGEST_CTX* md5 = NULL;
392 BYTE length_le[4];
393 BYTE use_count_le[4];
394 BYTE md5_digest[WINPR_MD5_DIGEST_LENGTH];
395 BYTE sha1_digest[WINPR_SHA1_DIGEST_LENGTH];
396 BOOL result = FALSE;
397
398 EnterCriticalSection(&rdp->critical);
399 security_UINT32_le(length_le, length); /* length must be little-endian */
400
401 if (encryption)
402 {
403 security_UINT32_le(use_count_le, rdp->encrypt_checksum_use_count);
404 }
405 else
406 {
407 /*
408 * We calculate checksum on plain text, so we must have already
409 * decrypt it, which means decrypt_checksum_use_count is off by one.
410 */
411 security_UINT32_le(use_count_le, rdp->decrypt_checksum_use_count - 1);
412 }
413
414 /* SHA1_Digest = SHA1(MACKeyN + pad1 + length + data) */
415 if (!(sha1 = winpr_Digest_New()))
416 goto out;
417
418 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1))
419 goto out;
420
421 if (!winpr_Digest_Update(sha1, rdp->sign_key, rdp->rc4_key_len)) /* MacKeyN */
422 goto out;
423
424 if (!winpr_Digest_Update(sha1, pad1, sizeof(pad1))) /* pad1 */
425 goto out;
426
427 if (!winpr_Digest_Update(sha1, length_le, sizeof(length_le))) /* length */
428 goto out;
429
430 if (!winpr_Digest_Update(sha1, data, length)) /* data */
431 goto out;
432
433 if (!winpr_Digest_Update(sha1, use_count_le, sizeof(use_count_le))) /* encryptionCount */
434 goto out;
435
436 if (!winpr_Digest_Final(sha1, sha1_digest, sizeof(sha1_digest)))
437 goto out;
438
439 /* MACSignature = First64Bits(MD5(MACKeyN + pad2 + SHA1_Digest)) */
440 if (!(md5 = winpr_Digest_New()))
441 goto out;
442
443 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
444 goto out;
445
446 if (!winpr_Digest_Update(md5, rdp->sign_key, rdp->rc4_key_len)) /* MacKeyN */
447 goto out;
448
449 if (!winpr_Digest_Update(md5, pad2, sizeof(pad2))) /* pad2 */
450 goto out;
451
452 if (!winpr_Digest_Update(md5, sha1_digest, sizeof(sha1_digest))) /* SHA1_Digest */
453 goto out;
454
455 if (!winpr_Digest_Final(md5, md5_digest, sizeof(md5_digest)))
456 goto out;
457
458 memcpy(output, md5_digest, 8);
459 result = TRUE;
460 out:
461 LeaveCriticalSection(&rdp->critical);
462 winpr_Digest_Free(sha1);
463 winpr_Digest_Free(md5);
464 return result;
465 }
466
security_A(BYTE * master_secret,const BYTE * client_random,BYTE * server_random,BYTE * output)467 static BOOL security_A(BYTE* master_secret, const BYTE* client_random, BYTE* server_random,
468 BYTE* output)
469 {
470 return security_premaster_hash("A", 1, master_secret, client_random, server_random,
471 &output[0]) &&
472 security_premaster_hash("BB", 2, master_secret, client_random, server_random,
473 &output[16]) &&
474 security_premaster_hash("CCC", 3, master_secret, client_random, server_random,
475 &output[32]);
476 }
477
security_X(BYTE * master_secret,const BYTE * client_random,BYTE * server_random,BYTE * output)478 static BOOL security_X(BYTE* master_secret, const BYTE* client_random, BYTE* server_random,
479 BYTE* output)
480 {
481 return security_premaster_hash("X", 1, master_secret, client_random, server_random,
482 &output[0]) &&
483 security_premaster_hash("YY", 2, master_secret, client_random, server_random,
484 &output[16]) &&
485 security_premaster_hash("ZZZ", 3, master_secret, client_random, server_random,
486 &output[32]);
487 }
488
fips_expand_key_bits(BYTE * in,BYTE * out)489 static void fips_expand_key_bits(BYTE* in, BYTE* out)
490 {
491 BYTE buf[21], c;
492 int i, b, p, r;
493
494 /* reverse every byte in the key */
495 for (i = 0; i < 21; i++)
496 buf[i] = fips_reverse_table[in[i]];
497
498 /* insert a zero-bit after every 7th bit */
499 for (i = 0, b = 0; i < 24; i++, b += 7)
500 {
501 p = b / 8;
502 r = b % 8;
503
504 if (r <= 1)
505 {
506 out[i] = (buf[p] << r) & 0xfe;
507 }
508 else
509 {
510 /* c is accumulator */
511 c = buf[p] << r;
512 c |= buf[p + 1] >> (8 - r);
513 out[i] = c & 0xfe;
514 }
515 }
516
517 /* reverse every byte */
518 /* alter lsb so the byte has odd parity */
519 for (i = 0; i < 24; i++)
520 out[i] = fips_oddparity_table[fips_reverse_table[out[i]]];
521 }
522
security_establish_keys(const BYTE * client_random,rdpRdp * rdp)523 BOOL security_establish_keys(const BYTE* client_random, rdpRdp* rdp)
524 {
525 BYTE pre_master_secret[48];
526 BYTE master_secret[48];
527 BYTE session_key_blob[48];
528 BYTE* server_random;
529 BYTE salt[] = { 0xD1, 0x26, 0x9E }; /* 40 bits: 3 bytes, 56 bits: 1 byte */
530 rdpSettings* settings;
531 BOOL status;
532 settings = rdp->settings;
533 server_random = settings->ServerRandom;
534
535 if (settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
536 {
537 WINPR_DIGEST_CTX* sha1;
538 BYTE client_encrypt_key_t[WINPR_SHA1_DIGEST_LENGTH + 1];
539 BYTE client_decrypt_key_t[WINPR_SHA1_DIGEST_LENGTH + 1];
540
541 if (!(sha1 = winpr_Digest_New()))
542 return FALSE;
543
544 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1) ||
545 !winpr_Digest_Update(sha1, client_random + 16, 16) ||
546 !winpr_Digest_Update(sha1, server_random + 16, 16) ||
547 !winpr_Digest_Final(sha1, client_encrypt_key_t, sizeof(client_encrypt_key_t)))
548 {
549 winpr_Digest_Free(sha1);
550 return FALSE;
551 }
552
553 client_encrypt_key_t[20] = client_encrypt_key_t[0];
554
555 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1) ||
556 !winpr_Digest_Update(sha1, client_random, 16) ||
557 !winpr_Digest_Update(sha1, server_random, 16) ||
558 !winpr_Digest_Final(sha1, client_decrypt_key_t, sizeof(client_decrypt_key_t)))
559 {
560 winpr_Digest_Free(sha1);
561 return FALSE;
562 }
563
564 client_decrypt_key_t[20] = client_decrypt_key_t[0];
565
566 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1) ||
567 !winpr_Digest_Update(sha1, client_decrypt_key_t, WINPR_SHA1_DIGEST_LENGTH) ||
568 !winpr_Digest_Update(sha1, client_encrypt_key_t, WINPR_SHA1_DIGEST_LENGTH) ||
569 !winpr_Digest_Final(sha1, rdp->fips_sign_key, WINPR_SHA1_DIGEST_LENGTH))
570 {
571 winpr_Digest_Free(sha1);
572 return FALSE;
573 }
574
575 winpr_Digest_Free(sha1);
576
577 if (rdp->settings->ServerMode)
578 {
579 fips_expand_key_bits(client_encrypt_key_t, rdp->fips_decrypt_key);
580 fips_expand_key_bits(client_decrypt_key_t, rdp->fips_encrypt_key);
581 }
582 else
583 {
584 fips_expand_key_bits(client_encrypt_key_t, rdp->fips_encrypt_key);
585 fips_expand_key_bits(client_decrypt_key_t, rdp->fips_decrypt_key);
586 }
587 }
588
589 memcpy(pre_master_secret, client_random, 24);
590 memcpy(pre_master_secret + 24, server_random, 24);
591
592 if (!security_A(pre_master_secret, client_random, server_random, master_secret) ||
593 !security_X(master_secret, client_random, server_random, session_key_blob))
594 {
595 return FALSE;
596 }
597
598 memcpy(rdp->sign_key, session_key_blob, 16);
599
600 if (rdp->settings->ServerMode)
601 {
602 status = security_md5_16_32_32(&session_key_blob[16], client_random, server_random,
603 rdp->encrypt_key);
604 status &= security_md5_16_32_32(&session_key_blob[32], client_random, server_random,
605 rdp->decrypt_key);
606 }
607 else
608 {
609 /* Allow FIPS use of MD5 here, this is just used for generation of the SessionKeyBlob as
610 * described in MS-RDPELE. */
611 /* This is for RDP licensing packets which will already be encrypted under FIPS, so the use
612 * of MD5 here is not */
613 /* for sensitive data protection. */
614 status = security_md5_16_32_32_Allow_FIPS(&session_key_blob[16], client_random,
615 server_random, rdp->decrypt_key);
616 status &= security_md5_16_32_32_Allow_FIPS(&session_key_blob[32], client_random,
617 server_random, rdp->encrypt_key);
618 }
619
620 if (!status)
621 return FALSE;
622
623 if (settings->EncryptionMethods == ENCRYPTION_METHOD_40BIT)
624 {
625 memcpy(rdp->sign_key, salt, 3);
626 memcpy(rdp->decrypt_key, salt, 3);
627 memcpy(rdp->encrypt_key, salt, 3);
628 rdp->rc4_key_len = 8;
629 }
630 else if (settings->EncryptionMethods == ENCRYPTION_METHOD_56BIT)
631 {
632 memcpy(rdp->sign_key, salt, 1);
633 memcpy(rdp->decrypt_key, salt, 1);
634 memcpy(rdp->encrypt_key, salt, 1);
635 rdp->rc4_key_len = 8;
636 }
637 else if (settings->EncryptionMethods == ENCRYPTION_METHOD_128BIT)
638 {
639 rdp->rc4_key_len = 16;
640 }
641
642 EnterCriticalSection(&rdp->critical);
643 memcpy(rdp->decrypt_update_key, rdp->decrypt_key, 16);
644 memcpy(rdp->encrypt_update_key, rdp->encrypt_key, 16);
645 rdp->decrypt_use_count = 0;
646 rdp->decrypt_checksum_use_count = 0;
647 rdp->encrypt_use_count = 0;
648 rdp->encrypt_checksum_use_count = 0;
649 LeaveCriticalSection(&rdp->critical);
650 return TRUE;
651 }
652
security_key_update(BYTE * key,BYTE * update_key,int key_len,rdpRdp * rdp)653 static BOOL security_key_update(BYTE* key, BYTE* update_key, int key_len, rdpRdp* rdp)
654 {
655 BYTE sha1h[WINPR_SHA1_DIGEST_LENGTH];
656 WINPR_DIGEST_CTX* sha1 = NULL;
657 WINPR_DIGEST_CTX* md5 = NULL;
658 WINPR_RC4_CTX* rc4 = NULL;
659 BYTE salt[] = { 0xD1, 0x26, 0x9E }; /* 40 bits: 3 bytes, 56 bits: 1 byte */
660 BOOL result = FALSE;
661 WLog_DBG(TAG, "updating RDP key");
662
663 if (!(sha1 = winpr_Digest_New()))
664 goto out;
665
666 if (!winpr_Digest_Init(sha1, WINPR_MD_SHA1))
667 goto out;
668
669 if (!winpr_Digest_Update(sha1, update_key, key_len))
670 goto out;
671
672 if (!winpr_Digest_Update(sha1, pad1, sizeof(pad1)))
673 goto out;
674
675 if (!winpr_Digest_Update(sha1, key, key_len))
676 goto out;
677
678 if (!winpr_Digest_Final(sha1, sha1h, sizeof(sha1h)))
679 goto out;
680
681 if (!(md5 = winpr_Digest_New()))
682 goto out;
683
684 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
685 goto out;
686
687 if (!winpr_Digest_Update(md5, update_key, key_len))
688 goto out;
689
690 if (!winpr_Digest_Update(md5, pad2, sizeof(pad2)))
691 goto out;
692
693 if (!winpr_Digest_Update(md5, sha1h, sizeof(sha1h)))
694 goto out;
695
696 if (!winpr_Digest_Final(md5, key, WINPR_MD5_DIGEST_LENGTH))
697 goto out;
698
699 if (!(rc4 = winpr_RC4_New(key, key_len)))
700 goto out;
701
702 if (!winpr_RC4_Update(rc4, key_len, key, key))
703 goto out;
704
705 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_40BIT)
706 memcpy(key, salt, 3);
707 else if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_56BIT)
708 memcpy(key, salt, 1);
709
710 result = TRUE;
711 out:
712 winpr_Digest_Free(sha1);
713 winpr_Digest_Free(md5);
714 winpr_RC4_Free(rc4);
715 return result;
716 }
717
security_encrypt(BYTE * data,size_t length,rdpRdp * rdp)718 BOOL security_encrypt(BYTE* data, size_t length, rdpRdp* rdp)
719 {
720 BOOL rc = FALSE;
721 EnterCriticalSection(&rdp->critical);
722 if (rdp->encrypt_use_count >= 4096)
723 {
724 if (!security_key_update(rdp->encrypt_key, rdp->encrypt_update_key, rdp->rc4_key_len, rdp))
725 goto fail;
726
727 winpr_RC4_Free(rdp->rc4_encrypt_key);
728 rdp->rc4_encrypt_key = winpr_RC4_New(rdp->encrypt_key, rdp->rc4_key_len);
729
730 if (!rdp->rc4_encrypt_key)
731 goto fail;
732
733 rdp->encrypt_use_count = 0;
734 }
735
736 if (!winpr_RC4_Update(rdp->rc4_encrypt_key, length, data, data))
737 goto fail;
738
739 rdp->encrypt_use_count++;
740 rdp->encrypt_checksum_use_count++;
741 rc = TRUE;
742 fail:
743 LeaveCriticalSection(&rdp->critical);
744 return rc;
745 }
746
security_decrypt(BYTE * data,size_t length,rdpRdp * rdp)747 BOOL security_decrypt(BYTE* data, size_t length, rdpRdp* rdp)
748 {
749 BOOL rc = FALSE;
750 EnterCriticalSection(&rdp->critical);
751 if (rdp->rc4_decrypt_key == NULL)
752 goto fail;
753
754 if (rdp->decrypt_use_count >= 4096)
755 {
756 if (!security_key_update(rdp->decrypt_key, rdp->decrypt_update_key, rdp->rc4_key_len, rdp))
757 goto fail;
758
759 winpr_RC4_Free(rdp->rc4_decrypt_key);
760 rdp->rc4_decrypt_key = winpr_RC4_New(rdp->decrypt_key, rdp->rc4_key_len);
761
762 if (!rdp->rc4_decrypt_key)
763 goto fail;
764
765 rdp->decrypt_use_count = 0;
766 }
767
768 if (!winpr_RC4_Update(rdp->rc4_decrypt_key, length, data, data))
769 goto fail;
770
771 rdp->decrypt_use_count += 1;
772 rdp->decrypt_checksum_use_count++;
773 rc = TRUE;
774 fail:
775 LeaveCriticalSection(&rdp->critical);
776 return rc;
777 }
778
security_hmac_signature(const BYTE * data,size_t length,BYTE * output,rdpRdp * rdp)779 BOOL security_hmac_signature(const BYTE* data, size_t length, BYTE* output, rdpRdp* rdp)
780 {
781 BYTE buf[WINPR_SHA1_DIGEST_LENGTH];
782 BYTE use_count_le[4];
783 WINPR_HMAC_CTX* hmac;
784 BOOL result = FALSE;
785 EnterCriticalSection(&rdp->critical);
786 security_UINT32_le(use_count_le, rdp->encrypt_use_count);
787 LeaveCriticalSection(&rdp->critical);
788
789 if (!(hmac = winpr_HMAC_New()))
790 return FALSE;
791
792 if (!winpr_HMAC_Init(hmac, WINPR_MD_SHA1, rdp->fips_sign_key, WINPR_SHA1_DIGEST_LENGTH))
793 goto out;
794
795 if (!winpr_HMAC_Update(hmac, data, length))
796 goto out;
797
798 if (!winpr_HMAC_Update(hmac, use_count_le, 4))
799 goto out;
800
801 if (!winpr_HMAC_Final(hmac, buf, WINPR_SHA1_DIGEST_LENGTH))
802 goto out;
803
804 memmove(output, buf, 8);
805 result = TRUE;
806 out:
807 winpr_HMAC_Free(hmac);
808 return result;
809 }
810
security_fips_encrypt(BYTE * data,size_t length,rdpRdp * rdp)811 BOOL security_fips_encrypt(BYTE* data, size_t length, rdpRdp* rdp)
812 {
813 BOOL rc = FALSE;
814 size_t olen;
815
816 EnterCriticalSection(&rdp->critical);
817 if (!winpr_Cipher_Update(rdp->fips_encrypt, data, length, data, &olen))
818 goto fail;
819
820 rdp->encrypt_use_count++;
821 rc = TRUE;
822 fail:
823 LeaveCriticalSection(&rdp->critical);
824 return rc;
825 }
826
security_fips_decrypt(BYTE * data,size_t length,rdpRdp * rdp)827 BOOL security_fips_decrypt(BYTE* data, size_t length, rdpRdp* rdp)
828 {
829 size_t olen;
830
831 if (!rdp || !rdp->fips_decrypt)
832 return FALSE;
833
834 if (!winpr_Cipher_Update(rdp->fips_decrypt, data, length, data, &olen))
835 return FALSE;
836
837 return TRUE;
838 }
839
security_fips_check_signature(const BYTE * data,size_t length,const BYTE * sig,rdpRdp * rdp)840 BOOL security_fips_check_signature(const BYTE* data, size_t length, const BYTE* sig, rdpRdp* rdp)
841 {
842 BYTE buf[WINPR_SHA1_DIGEST_LENGTH];
843 BYTE use_count_le[4];
844 WINPR_HMAC_CTX* hmac;
845 BOOL result = FALSE;
846 EnterCriticalSection(&rdp->critical);
847 security_UINT32_le(use_count_le, rdp->decrypt_use_count++);
848 LeaveCriticalSection(&rdp->critical);
849
850 if (!(hmac = winpr_HMAC_New()))
851 return FALSE;
852
853 if (!winpr_HMAC_Init(hmac, WINPR_MD_SHA1, rdp->fips_sign_key, WINPR_SHA1_DIGEST_LENGTH))
854 goto out;
855
856 if (!winpr_HMAC_Update(hmac, data, length))
857 goto out;
858
859 if (!winpr_HMAC_Update(hmac, use_count_le, 4))
860 goto out;
861
862 if (!winpr_HMAC_Final(hmac, buf, WINPR_SHA1_DIGEST_LENGTH))
863 goto out;
864
865 if (!memcmp(sig, buf, 8))
866 result = TRUE;
867
868 out:
869 winpr_HMAC_Free(hmac);
870 return result;
871 }
872