1 /* -*- c-basic-offset: 8 -*- 2 rdesktop: A Remote Desktop Protocol client. 3 Protocol services - RDP encryption and licensing 4 Copyright (C) Matthew Chapman <matthewc.unsw.edu.au> 1999-2008 5 Copyright 2005-2011 Peter Astrand <astrand@cendio.se> for Cendio AB 6 7 This program is free software: you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation, either version 3 of the License, or 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with this program. If not, see <http://www.gnu.org/licenses/>. 19 */ 20 21 #include "precomp.h" 22 23 void * 24 rdssl_sha1_info_create(void); 25 void 26 rdssl_sha1_info_delete(void * sha1_info); 27 void 28 rdssl_sha1_clear(void * sha1_info); 29 void 30 rdssl_sha1_transform(void * sha1_info, char * data, int len); 31 void 32 rdssl_sha1_complete(void * sha1_info, char * data); 33 void * 34 rdssl_md5_info_create(void); 35 void 36 rdssl_md5_info_delete(void * md5_info); 37 void * 38 rdssl_md5_info_create(void); 39 void 40 rdssl_md5_info_delete(void * md5_info); 41 void 42 rdssl_md5_clear(void * md5_info); 43 void 44 rdssl_md5_transform(void * md5_info, char * data, int len); 45 void 46 rdssl_md5_complete(void * md5_info, char * data); 47 void * 48 rdssl_rc4_info_create(void); 49 void 50 rdssl_rc4_info_delete(void * rc4_info); 51 void 52 rdssl_rc4_set_key(void * rc4_info, char * key, int len); 53 void 54 rdssl_rc4_crypt(void * rc4_info, char * in_data, char * out_data, int len); 55 int 56 rdssl_mod_exp(char* out, int out_len, char* in, int in_len, 57 char* mod, int mod_len, char* exp, int exp_len); 58 int 59 rdssl_sign_ok(char* e_data, int e_len, char* n_data, int n_len, 60 char* sign_data, int sign_len, char* sign_data2, int sign_len2, char* testkey); 61 PCCERT_CONTEXT 62 rdssl_cert_read(uint8 * data, uint32 len); 63 void 64 rdssl_cert_free(PCCERT_CONTEXT context); 65 uint8 * 66 rdssl_cert_to_rkey(PCCERT_CONTEXT cert, uint32 * key_len); 67 RD_BOOL 68 rdssl_certs_ok(PCCERT_CONTEXT server_cert, PCCERT_CONTEXT cacert); 69 int 70 rdssl_rkey_get_exp_mod(uint8 * rkey, uint8 * exponent, uint32 max_exp_len, uint8 * modulus, 71 uint32 max_mod_len); 72 void 73 rdssl_rkey_free(uint8 * rkey); 74 75 extern char g_hostname[16]; 76 extern int g_width; 77 extern int g_height; 78 extern unsigned int g_keylayout; 79 extern int g_keyboard_type; 80 extern int g_keyboard_subtype; 81 extern int g_keyboard_functionkeys; 82 extern RD_BOOL g_encryption; 83 extern RD_BOOL g_licence_issued; 84 extern RD_BOOL g_licence_error_result; 85 extern RDP_VERSION g_rdp_version; 86 extern RD_BOOL g_console_session; 87 extern uint32 g_redirect_session_id; 88 extern int g_server_depth; 89 extern VCHANNEL g_channels[]; 90 extern unsigned int g_num_channels; 91 extern uint8 g_client_random[SEC_RANDOM_SIZE]; 92 93 static int g_rc4_key_len; 94 static void * g_rc4_decrypt_key; 95 static void * g_rc4_encrypt_key; 96 static uint32 g_server_public_key_len; 97 98 static uint8 g_sec_sign_key[16]; 99 static uint8 g_sec_decrypt_key[16]; 100 static uint8 g_sec_encrypt_key[16]; 101 static uint8 g_sec_decrypt_update_key[16]; 102 static uint8 g_sec_encrypt_update_key[16]; 103 static uint8 g_sec_crypted_random[SEC_MAX_MODULUS_SIZE]; 104 105 uint16 g_server_rdp_version = 0; 106 107 /* These values must be available to reset state - Session Directory */ 108 static int g_sec_encrypt_use_count = 0; 109 static int g_sec_decrypt_use_count = 0; 110 111 #define SEC_MODULUS_SIZE 64 112 113 static uint8 g_testkey[176] = 114 { 115 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 116 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x5c, 0x00, 117 0x52, 0x53, 0x41, 0x31, 0x48, 0x00, 0x00, 0x00, 118 0x00, 0x02, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 119 0x01, 0x00, 0x01, 0x00, 0x79, 0x6f, 0xb4, 0xdf, 120 0xa6, 0x95, 0xb9, 0xa9, 0x61, 0xe3, 0xc4, 0x5e, 121 0xff, 0x6b, 0xd8, 0x81, 0x8a, 0x12, 0x4a, 0x93, 122 0x42, 0x97, 0x18, 0x93, 0xac, 0xd1, 0x3a, 0x38, 123 0x3c, 0x68, 0x50, 0x19, 0x31, 0xb6, 0x84, 0x51, 124 0x79, 0xfb, 0x1c, 0xe7, 0xe3, 0x99, 0x20, 0xc7, 125 0x84, 0xdf, 0xd1, 0xaa, 0xb5, 0x15, 0xef, 0x47, 126 0x7e, 0xfc, 0x88, 0xeb, 0x29, 0xc3, 0x27, 0x5a, 127 0x35, 0xf8, 0xfd, 0xaa, 0x00, 0x00, 0x00, 0x00, 128 0x00, 0x00, 0x00, 0x00, 129 0x08, 0x00, 0x48, 0x00, 130 0x32, 0x3b, 0xde, 0x6f, 0x18, 0x97, 0x1e, 0xc3, 131 0x6b, 0x2b, 0x2d, 0xe4, 0xfc, 0x2d, 0xa2, 0x8e, 132 0x32, 0x3c, 0xf3, 0x1b, 0x24, 0x90, 0x57, 0x4d, 133 0x8e, 0xe4, 0x69, 0xfc, 0x16, 0x8d, 0x41, 0x92, 134 0x78, 0xc7, 0x9c, 0xb4, 0x26, 0xff, 0xe8, 0x3e, 135 0xa1, 0x8a, 0xf5, 0x57, 0xc0, 0x7f, 0x3e, 0x21, 136 0x17, 0x32, 0x30, 0x6f, 0x79, 0xe1, 0x36, 0xcd, 137 0xb6, 0x8e, 0xbe, 0x57, 0x57, 0xd2, 0xa9, 0x36 138 }; 139 140 /* 141 * I believe this is based on SSLv3 with the following differences: 142 * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields 143 * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other 144 * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC' 145 * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key) 146 * encryption/decryption keys updated every 4096 packets 147 * See http://wp.netscape.com/eng/ssl3/draft302.txt 148 */ 149 150 /* 151 * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2). 152 * Both SHA1 and MD5 algorithms are used. 153 */ 154 void 155 sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt) 156 { 157 uint8 shasig[20]; 158 uint8 pad[4]; 159 void * sha; 160 void * md5; 161 int i; 162 163 for (i = 0; i < 3; i++) 164 { 165 memset(pad, salt + i, i + 1); 166 sha = rdssl_sha1_info_create(); 167 rdssl_sha1_clear(sha); 168 rdssl_sha1_transform(sha, (char *)pad, i + 1); 169 rdssl_sha1_transform(sha, (char *)in, 48); 170 rdssl_sha1_transform(sha, (char *)salt1, 32); 171 rdssl_sha1_transform(sha, (char *)salt2, 32); 172 rdssl_sha1_complete(sha, (char *)shasig); 173 rdssl_sha1_info_delete(sha); 174 md5 = rdssl_md5_info_create(); 175 rdssl_md5_clear(md5); 176 rdssl_md5_transform(md5, (char *)in, 48); 177 rdssl_md5_transform(md5, (char *)shasig, 20); 178 rdssl_md5_complete(md5, (char *)out + i * 16); 179 rdssl_md5_info_delete(md5); 180 } 181 } 182 183 /* 184 * 16-byte transformation used to generate export keys (6.2.2). 185 */ 186 void 187 sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2) 188 { 189 void * md5; 190 191 md5 = rdssl_md5_info_create(); 192 rdssl_md5_clear(md5); 193 rdssl_md5_transform(md5, (char *)in, 16); 194 rdssl_md5_transform(md5, (char *)salt1, 32); 195 rdssl_md5_transform(md5, (char *)salt2, 32); 196 rdssl_md5_complete(md5, (char *)out); 197 rdssl_md5_info_delete(md5); 198 } 199 200 /* 201 * 16-byte sha1 hash 202 */ 203 void 204 sec_hash_sha1_16(uint8 * out, uint8 * in, uint8 * salt1) 205 { 206 void * sha; 207 sha = rdssl_sha1_info_create(); 208 rdssl_sha1_clear(sha); 209 rdssl_sha1_transform(&sha, (char *)in, 16); 210 rdssl_sha1_transform(&sha, (char *)salt1, 16); 211 rdssl_sha1_complete(&sha, (char *)out); 212 rdssl_sha1_info_delete(sha); 213 } 214 215 /* create string from hash */ 216 void 217 sec_hash_to_string(char *out, int out_size, uint8 * in, int in_size) 218 { 219 int k; 220 memset(out, 0, out_size); 221 for (k = 0; k < in_size; k++, out += 2) 222 { 223 sprintf(out, "%.2x", in[k]); 224 } 225 } 226 227 /* Reduce key entropy from 64 to 40 bits */ 228 static void 229 sec_make_40bit(uint8 * key) 230 { 231 key[0] = 0xd1; 232 key[1] = 0x26; 233 key[2] = 0x9e; 234 } 235 236 /* Generate encryption keys given client and server randoms */ 237 static void 238 sec_generate_keys(uint8 * client_random, uint8 * server_random, int rc4_key_size) 239 { 240 uint8 pre_master_secret[48]; 241 uint8 master_secret[48]; 242 uint8 key_block[48]; 243 244 /* Construct pre-master secret */ 245 memcpy(pre_master_secret, client_random, 24); 246 memcpy(pre_master_secret + 24, server_random, 24); 247 248 /* Generate master secret and then key material */ 249 sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A'); 250 sec_hash_48(key_block, master_secret, client_random, server_random, 'X'); 251 252 /* First 16 bytes of key material is MAC secret */ 253 memcpy(g_sec_sign_key, key_block, 16); 254 255 /* Generate export keys from next two blocks of 16 bytes */ 256 sec_hash_16(g_sec_decrypt_key, &key_block[16], client_random, server_random); 257 sec_hash_16(g_sec_encrypt_key, &key_block[32], client_random, server_random); 258 259 if (rc4_key_size == 1) 260 { 261 DEBUG(("40-bit encryption enabled\n")); 262 sec_make_40bit(g_sec_sign_key); 263 sec_make_40bit(g_sec_decrypt_key); 264 sec_make_40bit(g_sec_encrypt_key); 265 g_rc4_key_len = 8; 266 } 267 else 268 { 269 DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size)); 270 g_rc4_key_len = 16; 271 } 272 273 /* Save initial RC4 keys as update keys */ 274 memcpy(g_sec_decrypt_update_key, g_sec_decrypt_key, 16); 275 memcpy(g_sec_encrypt_update_key, g_sec_encrypt_key, 16); 276 277 /* Initialise RC4 state arrays */ 278 279 rdssl_rc4_info_delete(g_rc4_decrypt_key); 280 g_rc4_decrypt_key = rdssl_rc4_info_create(); 281 rdssl_rc4_set_key(g_rc4_decrypt_key, (char *)g_sec_decrypt_key, g_rc4_key_len); 282 283 rdssl_rc4_info_delete(g_rc4_encrypt_key); 284 g_rc4_encrypt_key = rdssl_rc4_info_create(); 285 rdssl_rc4_set_key(g_rc4_encrypt_key, (char *)g_sec_encrypt_key, g_rc4_key_len); 286 } 287 288 static uint8 pad_54[40] = { 289 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 290 54, 54, 54, 291 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 292 54, 54, 54 293 }; 294 295 static uint8 pad_92[48] = { 296 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 297 92, 92, 92, 92, 92, 92, 92, 298 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 299 92, 92, 92, 92, 92, 92, 92 300 }; 301 302 /* Output a uint32 into a buffer (little-endian) */ 303 void 304 buf_out_uint32(uint8 * buffer, uint32 value) 305 { 306 buffer[0] = (value) & 0xff; 307 buffer[1] = (value >> 8) & 0xff; 308 buffer[2] = (value >> 16) & 0xff; 309 buffer[3] = (value >> 24) & 0xff; 310 } 311 312 /* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */ 313 void 314 sec_sign(uint8 * signature, int siglen, uint8 * session_key, int keylen, uint8 * data, int datalen) 315 { 316 uint8 shasig[20]; 317 uint8 md5sig[16]; 318 uint8 lenhdr[4]; 319 void * sha; 320 void * md5; 321 322 buf_out_uint32(lenhdr, datalen); 323 324 sha = rdssl_sha1_info_create(); 325 rdssl_sha1_clear(sha); 326 rdssl_sha1_transform(sha, (char *)session_key, keylen); 327 rdssl_sha1_transform(sha, (char *)pad_54, 40); 328 rdssl_sha1_transform(sha, (char *)lenhdr, 4); 329 rdssl_sha1_transform(sha, (char *)data, datalen); 330 rdssl_sha1_complete(sha, (char *)shasig); 331 rdssl_sha1_info_delete(sha); 332 333 md5 = rdssl_md5_info_create(); 334 rdssl_md5_clear(md5); 335 rdssl_md5_transform(md5, (char *)session_key, keylen); 336 rdssl_md5_transform(md5, (char *)pad_92, 48); 337 rdssl_md5_transform(md5, (char *)shasig, 20); 338 rdssl_md5_complete(md5, (char *)md5sig); 339 rdssl_md5_info_delete(md5); 340 341 memcpy(signature, md5sig, siglen); 342 } 343 344 /* Update an encryption key */ 345 static void 346 sec_update(uint8 * key, uint8 * update_key) 347 { 348 uint8 shasig[20]; 349 void * sha; 350 void * md5; 351 void * update; 352 353 sha = rdssl_sha1_info_create(); 354 rdssl_sha1_clear(sha); 355 rdssl_sha1_transform(sha, (char *)update_key, g_rc4_key_len); 356 rdssl_sha1_transform(sha, (char *)pad_54, 40); 357 rdssl_sha1_transform(sha, (char *)key, g_rc4_key_len); 358 rdssl_sha1_complete(sha, (char *)shasig); 359 rdssl_sha1_info_delete(sha); 360 361 md5 = rdssl_md5_info_create(); 362 rdssl_md5_clear(md5); 363 rdssl_md5_transform(md5, (char *)update_key, g_rc4_key_len); 364 rdssl_md5_transform(md5, (char *)pad_92, 48); 365 rdssl_md5_transform(md5, (char *)shasig, 20); 366 rdssl_md5_complete(md5, (char *)key); 367 rdssl_md5_info_delete(md5); 368 369 370 update = rdssl_rc4_info_create(); 371 rdssl_rc4_set_key(update, (char *)key, g_rc4_key_len); 372 rdssl_rc4_crypt(update, (char *)key, (char *)key, g_rc4_key_len); 373 rdssl_rc4_info_delete(update); 374 375 if (g_rc4_key_len == 8) 376 sec_make_40bit(key); 377 } 378 379 /* Encrypt data using RC4 */ 380 static void 381 sec_encrypt(uint8 * data, int length) 382 { 383 if (g_sec_encrypt_use_count == 4096) 384 { 385 sec_update(g_sec_encrypt_key, g_sec_encrypt_update_key); 386 rdssl_rc4_set_key(g_rc4_encrypt_key, (char *)g_sec_encrypt_key, g_rc4_key_len); 387 g_sec_encrypt_use_count = 0; 388 } 389 390 rdssl_rc4_crypt(g_rc4_encrypt_key, (char *)data, (char *)data, length); 391 g_sec_encrypt_use_count++; 392 } 393 394 /* Decrypt data using RC4 */ 395 void 396 sec_decrypt(uint8 * data, int length) 397 { 398 if (g_sec_decrypt_use_count == 4096) 399 { 400 sec_update(g_sec_decrypt_key, g_sec_decrypt_update_key); 401 rdssl_rc4_set_key(g_rc4_decrypt_key, (char *)g_sec_decrypt_key, g_rc4_key_len); 402 g_sec_decrypt_use_count = 0; 403 } 404 405 rdssl_rc4_crypt(g_rc4_decrypt_key,(char *)data, (char *)data, length); 406 g_sec_decrypt_use_count++; 407 } 408 409 /* Perform an RSA public key encryption operation */ 410 static void 411 sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus, 412 uint8 * exponent) 413 { 414 rdssl_mod_exp((char *)out, 64, (char *)in, 32, (char *)modulus, 64, (char *)exponent, 4); 415 } 416 417 /* Initialise secure transport packet */ 418 STREAM 419 sec_init(uint32 flags, int maxlen) 420 { 421 int hdrlen; 422 STREAM s; 423 424 if (!g_licence_issued && !g_licence_error_result) 425 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4; 426 else 427 hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; 428 s = mcs_init(maxlen + hdrlen); 429 s_push_layer(s, sec_hdr, hdrlen); 430 431 return s; 432 } 433 434 /* Transmit secure transport packet over specified channel */ 435 void 436 sec_send_to_channel(STREAM s, uint32 flags, uint16 channel) 437 { 438 int datalen; 439 440 #ifdef WITH_SCARD 441 scard_lock(SCARD_LOCK_SEC); 442 #endif 443 444 s_pop_layer(s, sec_hdr); 445 if ((!g_licence_issued && !g_licence_error_result) || (flags & SEC_ENCRYPT)) 446 out_uint32_le(s, flags); 447 448 if (flags & SEC_ENCRYPT) 449 { 450 flags &= ~SEC_ENCRYPT; 451 datalen = s->end - s->p - 8; 452 453 #ifdef WITH_DEBUG 454 DEBUG(("Sending encrypted packet:\n")); 455 hexdump(s->p + 8, datalen); 456 #endif 457 458 sec_sign(s->p, 8, g_sec_sign_key, g_rc4_key_len, s->p + 8, datalen); 459 sec_encrypt(s->p + 8, datalen); 460 } 461 462 mcs_send_to_channel(s, channel); 463 464 #ifdef WITH_SCARD 465 scard_unlock(SCARD_LOCK_SEC); 466 #endif 467 } 468 469 /* Transmit secure transport packet */ 470 471 void 472 sec_send(STREAM s, uint32 flags) 473 { 474 sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL); 475 } 476 477 478 /* Transfer the client random to the server */ 479 static void 480 sec_establish_key(void) 481 { 482 uint32 length = g_server_public_key_len + SEC_PADDING_SIZE; 483 uint32 flags = SEC_EXCHANGE_PKT; 484 STREAM s; 485 486 s = sec_init(flags, length + 4); 487 488 out_uint32_le(s, length); 489 out_uint8p(s, g_sec_crypted_random, g_server_public_key_len); 490 out_uint8s(s, SEC_PADDING_SIZE); 491 492 s_mark_end(s); 493 sec_send(s, flags); 494 } 495 496 /* Output connect initial data blob */ 497 static void 498 sec_out_mcs_data(STREAM s, uint32 selected_protocol) 499 { 500 int hostlen = 2 * strlen(g_hostname); 501 int length = 162 + 76 + 12 + 4; 502 unsigned int i; 503 uint32 cluster_flags = 0; 504 505 if (g_num_channels > 0) 506 length += g_num_channels * 12 + 8; 507 508 if (hostlen > 30) 509 hostlen = 30; 510 511 /* Generic Conference Control (T.124) ConferenceCreateRequest */ 512 out_uint16_be(s, 5); 513 out_uint16_be(s, 0x14); 514 out_uint8(s, 0x7c); 515 out_uint16_be(s, 1); 516 517 out_uint16_be(s, (length | 0x8000)); /* remaining length */ 518 519 out_uint16_be(s, 8); /* length? */ 520 out_uint16_be(s, 16); 521 out_uint8(s, 0); 522 out_uint16_le(s, 0xc001); 523 out_uint8(s, 0); 524 525 out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */ 526 out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */ 527 528 /* Client information */ 529 out_uint16_le(s, SEC_TAG_CLI_INFO); 530 out_uint16_le(s, 216); /* length */ 531 out_uint16_le(s, (g_rdp_version >= RDP_V5) ? 4 : 1); /* RDP version. 1 == RDP4, 4 >= RDP5 to RDP8 */ 532 out_uint16_le(s, 8); 533 out_uint16_le(s, g_width); 534 out_uint16_le(s, g_height); 535 out_uint16_le(s, 0xca01); 536 out_uint16_le(s, 0xaa03); 537 out_uint32_le(s, g_keylayout); 538 out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */ 539 540 /* Unicode name of client, padded to 32 bytes */ 541 rdp_out_unistr(s, g_hostname, hostlen); 542 out_uint8s(s, 30 - hostlen); 543 544 /* See 545 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */ 546 out_uint32_le(s, g_keyboard_type); 547 out_uint32_le(s, g_keyboard_subtype); 548 out_uint32_le(s, g_keyboard_functionkeys); 549 out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */ 550 out_uint16_le(s, 0xca01); /* colour depth? */ 551 out_uint16_le(s, 1); 552 553 out_uint32(s, 0); 554 out_uint8(s, g_server_depth); 555 out_uint16_le(s, 0x0700); 556 out_uint8(s, 0); 557 out_uint32_le(s, 1); 558 out_uint8s(s, 64); 559 out_uint32_le(s, selected_protocol); /* End of client info */ 560 561 /* Write a Client Cluster Data (TS_UD_CS_CLUSTER) */ 562 out_uint16_le(s, SEC_TAG_CLI_CLUSTER); /* header.type */ 563 out_uint16_le(s, 12); /* length */ 564 565 cluster_flags |= SEC_CC_REDIRECTION_SUPPORTED; 566 cluster_flags |= (SEC_CC_REDIRECT_VERSION_3 << 2); 567 568 if (g_console_session || g_redirect_session_id != 0) 569 cluster_flags |= SEC_CC_REDIRECT_SESSIONID_FIELD_VALID; 570 571 out_uint32_le(s, cluster_flags); 572 out_uint32(s, g_redirect_session_id); 573 574 /* Client encryption settings */ 575 out_uint16_le(s, SEC_TAG_CLI_CRYPT); 576 out_uint16_le(s, 12); /* length */ 577 out_uint32_le(s, g_encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */ 578 out_uint32(s, 0); /* Unknown */ 579 580 DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels)); 581 if (g_num_channels > 0) 582 { 583 out_uint16_le(s, SEC_TAG_CLI_CHANNELS); 584 out_uint16_le(s, g_num_channels * 12 + 8); /* length */ 585 out_uint32_le(s, g_num_channels); /* number of virtual channels */ 586 for (i = 0; i < g_num_channels; i++) 587 { 588 DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name)); 589 out_uint8a(s, g_channels[i].name, 8); 590 out_uint32_be(s, g_channels[i].flags); 591 } 592 } 593 594 s_mark_end(s); 595 } 596 597 /* Parse a public key structure */ 598 static RD_BOOL 599 sec_parse_public_key(STREAM s, uint8 * modulus, uint8 * exponent) 600 { 601 uint32 magic, modulus_len; 602 603 in_uint32_le(s, magic); 604 if (magic != SEC_RSA_MAGIC) 605 { 606 error("RSA magic 0x%x\n", magic); 607 return False; 608 } 609 610 in_uint32_le(s, modulus_len); 611 modulus_len -= SEC_PADDING_SIZE; 612 if ((modulus_len < SEC_MODULUS_SIZE) || (modulus_len > SEC_MAX_MODULUS_SIZE)) 613 { 614 error("Bad server public key size (%u bits)\n", modulus_len * 8); 615 return False; 616 } 617 618 in_uint8s(s, 8); /* modulus_bits, unknown */ 619 in_uint8a(s, exponent, SEC_EXPONENT_SIZE); 620 in_uint8a(s, modulus, modulus_len); 621 in_uint8s(s, SEC_PADDING_SIZE); 622 g_server_public_key_len = modulus_len; 623 624 return s_check(s); 625 } 626 627 /* Parse a public signature structure */ 628 static RD_BOOL 629 sec_parse_public_sig(STREAM s, uint32 len, uint8 * modulus, uint8 * exponent) 630 { 631 uint8 signature[SEC_MAX_MODULUS_SIZE]; 632 uint8 signature_[SEC_MAX_MODULUS_SIZE]; 633 uint32 sig_len; 634 635 if (len != 72) 636 { 637 return True; 638 } 639 memset(signature, 0, sizeof(signature)); 640 sig_len = len - 8; 641 in_uint8a(s, signature, sig_len); 642 if(rdssl_sign_ok((char *)exponent, SEC_EXPONENT_SIZE, (char *)modulus, g_server_public_key_len, 643 (char *)signature_, SEC_MODULUS_SIZE, (char *)signature, sig_len, (char *)g_testkey)) 644 { 645 DEBUG_RDP5(("key signature doesn't match test key\n")); 646 } 647 return s_check(s); 648 } 649 650 /* Parse a crypto information structure */ 651 static RD_BOOL 652 sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, 653 uint8 ** server_random, uint8 * modulus, uint8 * exponent) 654 { 655 uint32 crypt_level, random_len, rsa_info_len; 656 uint32 cacert_len, cert_len, flags; 657 PCCERT_CONTEXT cacert, server_cert; 658 BYTE *server_public_key; 659 uint16 tag, length; 660 uint8 *next_tag, *end; 661 662 in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */ 663 in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */ 664 if (crypt_level == 0) 665 { 666 /* no encryption */ 667 return False; 668 } 669 670 in_uint32_le(s, random_len); 671 in_uint32_le(s, rsa_info_len); 672 673 if (random_len != SEC_RANDOM_SIZE) 674 { 675 error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE); 676 return False; 677 } 678 679 in_uint8p(s, *server_random, random_len); 680 681 /* RSA info */ 682 end = s->p + rsa_info_len; 683 if (end > s->end) 684 return False; 685 686 in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */ 687 if (flags & 1) 688 { 689 DEBUG_RDP5(("We're going for the RDP4-style encryption\n")); 690 in_uint8s(s, 8); /* unknown */ 691 692 while (s->p < end) 693 { 694 in_uint16_le(s, tag); 695 in_uint16_le(s, length); 696 697 next_tag = s->p + length; 698 699 switch (tag) 700 { 701 case SEC_TAG_PUBKEY: 702 if (!sec_parse_public_key(s, modulus, exponent)) 703 return False; 704 DEBUG_RDP5(("Got Public key, RDP4-style\n")); 705 706 break; 707 708 case SEC_TAG_KEYSIG: 709 if (!sec_parse_public_sig(s, length, modulus, exponent)) 710 return False; 711 break; 712 713 default: 714 unimpl("crypt tag 0x%x\n", tag); 715 } 716 717 s->p = next_tag; 718 } 719 } 720 else 721 { 722 uint32 certcount; 723 724 DEBUG_RDP5(("We're going for the RDP5-style encryption\n")); 725 in_uint32_le(s, certcount); /* Number of certificates */ 726 if (certcount < 2) 727 { 728 error("Server didn't send enough X509 certificates\n"); 729 return False; 730 } 731 for (; certcount > 2; certcount--) 732 { /* ignore all the certificates between the root and the signing CA */ 733 uint32 ignorelen; 734 PCCERT_CONTEXT ignorecert; 735 736 DEBUG_RDP5(("Ignored certs left: %d\n", certcount)); 737 in_uint32_le(s, ignorelen); 738 DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen)); 739 ignorecert = rdssl_cert_read(s->p, ignorelen); 740 in_uint8s(s, ignorelen); 741 if (ignorecert == NULL) 742 { /* XXX: error out? */ 743 DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n")); 744 } 745 746 #ifdef WITH_DEBUG_RDP5 747 DEBUG_RDP5(("cert #%d (ignored):\n", certcount)); 748 rdssl_cert_print_fp(stdout, ignorecert); 749 #endif 750 } 751 /* Do da funky X.509 stuffy 752 753 "How did I find out about this? I looked up and saw a 754 bright light and when I came to I had a scar on my forehead 755 and knew about X.500" 756 - Peter Gutman in a early version of 757 http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt 758 */ 759 in_uint32_le(s, cacert_len); 760 DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len)); 761 cacert = rdssl_cert_read(s->p, cacert_len); 762 in_uint8s(s, cacert_len); 763 if (NULL == cacert) 764 { 765 error("Couldn't load CA Certificate from server\n"); 766 return False; 767 } 768 in_uint32_le(s, cert_len); 769 DEBUG_RDP5(("Certificate length is %d\n", cert_len)); 770 server_cert = rdssl_cert_read(s->p, cert_len); 771 in_uint8s(s, cert_len); 772 if (NULL == server_cert) 773 { 774 rdssl_cert_free(cacert); 775 error("Couldn't load Certificate from server\n"); 776 return False; 777 } 778 if (!rdssl_certs_ok(server_cert, cacert)) 779 { 780 rdssl_cert_free(server_cert); 781 rdssl_cert_free(cacert); 782 error("Security error CA Certificate invalid\n"); 783 return False; 784 } 785 rdssl_cert_free(cacert); 786 in_uint8s(s, 16); /* Padding */ 787 server_public_key = rdssl_cert_to_rkey(server_cert, &g_server_public_key_len); 788 if (NULL == server_public_key) 789 { 790 DEBUG_RDP5(("Didn't parse X509 correctly\n")); 791 rdssl_cert_free(server_cert); 792 return False; 793 } 794 rdssl_cert_free(server_cert); 795 if ((g_server_public_key_len < SEC_MODULUS_SIZE) || 796 (g_server_public_key_len > SEC_MAX_MODULUS_SIZE)) 797 { 798 error("Bad server public key size (%u bits)\n", 799 g_server_public_key_len * 8); 800 rdssl_rkey_free(server_public_key); 801 return False; 802 } 803 if (rdssl_rkey_get_exp_mod(server_public_key, exponent, SEC_EXPONENT_SIZE, 804 modulus, SEC_MAX_MODULUS_SIZE) != 0) 805 { 806 error("Problem extracting RSA exponent, modulus"); 807 rdssl_rkey_free(server_public_key); 808 return False; 809 } 810 rdssl_rkey_free(server_public_key); 811 return True; /* There's some garbage here we don't care about */ 812 } 813 return s_check_end(s); 814 } 815 816 /* Process crypto information blob */ 817 static void 818 sec_process_crypt_info(STREAM s) 819 { 820 uint8 *server_random = NULL; 821 uint8 modulus[SEC_MAX_MODULUS_SIZE]; 822 uint8 exponent[SEC_EXPONENT_SIZE]; 823 uint32 rc4_key_size; 824 825 memset(modulus, 0, sizeof(modulus)); 826 memset(exponent, 0, sizeof(exponent)); 827 if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, modulus, exponent)) 828 { 829 DEBUG(("Failed to parse crypt info\n")); 830 return; 831 } 832 DEBUG(("Generating client random\n")); 833 generate_random(g_client_random); 834 sec_rsa_encrypt(g_sec_crypted_random, g_client_random, SEC_RANDOM_SIZE, 835 g_server_public_key_len, modulus, exponent); 836 sec_generate_keys(g_client_random, server_random, rc4_key_size); 837 } 838 839 840 /* Process SRV_INFO, find RDP version supported by server */ 841 static void 842 sec_process_srv_info(STREAM s) 843 { 844 in_uint16_le(s, g_server_rdp_version); 845 DEBUG_RDP5(("Server RDP version is %d\n", g_server_rdp_version)); 846 if (1 == g_server_rdp_version) 847 { 848 g_rdp_version = RDP_V4; 849 g_server_depth = 8; 850 } 851 } 852 853 854 /* Process connect response data blob */ 855 void 856 sec_process_mcs_data(STREAM s) 857 { 858 uint16 tag, length; 859 uint8 *next_tag; 860 uint8 len; 861 862 in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */ 863 in_uint8(s, len); 864 if (len & 0x80) 865 in_uint8(s, len); 866 867 while (s->p < s->end) 868 { 869 in_uint16_le(s, tag); 870 in_uint16_le(s, length); 871 872 if (length <= 4) 873 return; 874 875 next_tag = s->p + length - 4; 876 877 switch (tag) 878 { 879 case SEC_TAG_SRV_INFO: 880 sec_process_srv_info(s); 881 break; 882 883 case SEC_TAG_SRV_CRYPT: 884 sec_process_crypt_info(s); 885 break; 886 887 case SEC_TAG_SRV_CHANNELS: 888 /* FIXME: We should parse this information and 889 use it to map RDP5 channels to MCS 890 channels */ 891 break; 892 893 default: 894 unimpl("response tag 0x%x\n", tag); 895 } 896 897 s->p = next_tag; 898 } 899 } 900 901 /* Receive secure transport packet */ 902 STREAM 903 sec_recv(uint8 * rdpver) 904 { 905 uint16 sec_flags; 906 /* uint16 sec_flags_hi; */ 907 uint16 channel; 908 STREAM s; 909 910 while ((s = mcs_recv(&channel, rdpver)) != NULL) 911 { 912 if (rdpver != NULL) 913 { 914 if (*rdpver != 3) 915 { 916 if (*rdpver & 0x80) 917 { 918 in_uint8s(s, 8); /* signature */ 919 sec_decrypt(s->p, s->end - s->p); 920 } 921 return s; 922 } 923 } 924 if (g_encryption || (!g_licence_issued && !g_licence_error_result)) 925 { 926 /* TS_SECURITY_HEADER */ 927 in_uint16_le(s, sec_flags); 928 in_uint8s(s, 2); /* sec_flags_hi */ 929 930 if (g_encryption) 931 { 932 if (sec_flags & SEC_ENCRYPT) 933 { 934 in_uint8s(s, 8); /* signature */ 935 sec_decrypt(s->p, s->end - s->p); 936 } 937 938 if (sec_flags & SEC_LICENSE_PKT) 939 { 940 licence_process(s); 941 continue; 942 } 943 944 if (sec_flags & SEC_REDIRECTION_PKT) /* SEC_REDIRECT_ENCRYPT */ 945 { 946 uint8 swapbyte; 947 948 in_uint8s(s, 8); /* signature */ 949 sec_decrypt(s->p, s->end - s->p); 950 951 /* Check for a redirect packet, starts with 00 04 */ 952 if (s->p[0] == 0 && s->p[1] == 4) 953 { 954 /* for some reason the PDU and the length seem to be swapped. 955 This isn't good, but we're going to do a byte for byte 956 swap. So the first four values appear as: 00 04 XX YY, 957 where XX YY is the little endian length. We're going to 958 use 04 00 as the PDU type, so after our swap this will look 959 like: XX YY 04 00 */ 960 swapbyte = s->p[0]; 961 s->p[0] = s->p[2]; 962 s->p[2] = swapbyte; 963 964 swapbyte = s->p[1]; 965 s->p[1] = s->p[3]; 966 s->p[3] = swapbyte; 967 968 swapbyte = s->p[2]; 969 s->p[2] = s->p[3]; 970 s->p[3] = swapbyte; 971 } 972 #ifdef WITH_DEBUG 973 /* warning! this debug statement will show passwords in the clear! */ 974 hexdump(s->p, s->end - s->p); 975 #endif 976 } 977 } 978 else 979 { 980 if (sec_flags & SEC_LICENSE_PKT) 981 { 982 licence_process(s); 983 continue; 984 } 985 s->p -= 4; 986 } 987 } 988 989 if (channel != MCS_GLOBAL_CHANNEL) 990 { 991 channel_process(s, channel); 992 if (rdpver != NULL) 993 *rdpver = 0xff; 994 return s; 995 } 996 997 return s; 998 } 999 1000 return NULL; 1001 } 1002 1003 /* Establish a secure connection */ 1004 RD_BOOL 1005 sec_connect(char *server, char *username, char *domain, char *password, RD_BOOL reconnect) 1006 { 1007 uint32 selected_proto; 1008 struct stream mcs_data; 1009 1010 /* Start a MCS connect sequence */ 1011 if (!mcs_connect_start(server, username, domain, password, reconnect, &selected_proto)) 1012 return False; 1013 1014 /* We exchange some RDP data during the MCS-Connect */ 1015 mcs_data.size = 512; 1016 mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size); 1017 sec_out_mcs_data(&mcs_data, selected_proto); 1018 1019 /* finalize the MCS connect sequence */ 1020 if (!mcs_connect_finalize(&mcs_data)) 1021 return False; 1022 1023 /* sec_process_mcs_data(&mcs_data); */ 1024 if (g_encryption) 1025 sec_establish_key(); 1026 xfree(mcs_data.data); 1027 return True; 1028 } 1029 1030 /* Disconnect a connection */ 1031 void 1032 sec_disconnect(void) 1033 { 1034 mcs_disconnect(); 1035 } 1036 1037 /* reset the state of the sec layer */ 1038 void 1039 sec_reset_state(void) 1040 { 1041 g_server_rdp_version = 0; 1042 g_sec_encrypt_use_count = 0; 1043 g_sec_decrypt_use_count = 0; 1044 g_licence_issued = 0; 1045 g_licence_error_result = 0; 1046 mcs_reset_state(); 1047 } 1048