/* * This file Copyright (C) 2007-2014 Mnemosyne LLC * * It may be used under the GNU GPL versions 2 or 3 * or any future license endorsed by Mnemosyne LLC. * * $Id$ */ #include #include /* uint8_t */ #include #include /* abs () */ #include /* memcpy (), memset (), strcmp () */ #include #include #include #include #include #include #include "transmission.h" #include "crypto.h" #include "log.h" #include "utils.h" #define MY_NAME "tr_crypto" /** *** **/ void tr_sha1 (uint8_t * setme, const void * content1, int content1_len, ...) { va_list vl; SHA_CTX sha; const void * content; SHA1_Init (&sha); SHA1_Update (&sha, content1, content1_len); va_start (vl, content1_len); while ((content = va_arg (vl, const void*))) SHA1_Update (&sha, content, va_arg (vl, int)); va_end (vl); SHA1_Final (setme, &sha); } /** *** **/ #define KEY_LEN 96 #define PRIME_LEN 96 #define DH_PRIVKEY_LEN_MIN 16 #define DH_PRIVKEY_LEN 20 static const uint8_t dh_P[PRIME_LEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x3A, 0x36, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x05, 0x63, }; static const uint8_t dh_G[] = { 2 }; /** *** **/ #define logErrorFromSSL(...) \ do { \ if (tr_logLevelIsActive (TR_LOG_ERROR)) { \ char buf[512]; \ ERR_error_string_n (ERR_get_error (), buf, sizeof (buf)); \ tr_logAddMessage (__FILE__, __LINE__, TR_LOG_ERROR, MY_NAME, "%s", buf); \ } \ } while (0) static void ensureKeyExists (tr_crypto * crypto) { if (crypto->dh == NULL) { int len, offset; DH * dh = DH_new (); dh->p = BN_bin2bn (dh_P, sizeof (dh_P), NULL); if (dh->p == NULL) logErrorFromSSL (); dh->g = BN_bin2bn (dh_G, sizeof (dh_G), NULL); if (dh->g == NULL) logErrorFromSSL (); /* private DH value: strong random BN of DH_PRIVKEY_LEN*8 bits */ dh->priv_key = BN_new (); do { if (BN_rand (dh->priv_key, DH_PRIVKEY_LEN * 8, -1, 0) != 1) logErrorFromSSL (); } while (BN_num_bits (dh->priv_key) < DH_PRIVKEY_LEN_MIN * 8); if (!DH_generate_key (dh)) logErrorFromSSL (); /* DH can generate key sizes that are smaller than the size of P with exponentially decreasing probability, in which case the msb's of myPublicKey need to be zeroed appropriately. */ len = BN_num_bytes (dh->pub_key); offset = KEY_LEN - len; assert (len <= KEY_LEN); memset (crypto->myPublicKey, 0, offset); BN_bn2bin (dh->pub_key, crypto->myPublicKey + offset); crypto->dh = dh; } } void tr_cryptoConstruct (tr_crypto * crypto, const uint8_t * torrentHash, bool isIncoming) { memset (crypto, 0, sizeof (tr_crypto)); crypto->dh = NULL; crypto->isIncoming = isIncoming; tr_cryptoSetTorrentHash (crypto, torrentHash); } void tr_cryptoDestruct (tr_crypto * crypto) { if (crypto->dh != NULL) DH_free (crypto->dh); } /** *** **/ const uint8_t* tr_cryptoComputeSecret (tr_crypto * crypto, const uint8_t * peerPublicKey) { DH * dh; int len; uint8_t secret[KEY_LEN]; BIGNUM * bn = BN_bin2bn (peerPublicKey, KEY_LEN, NULL); ensureKeyExists (crypto); dh = crypto->dh; assert (DH_size (dh) == KEY_LEN); len = DH_compute_key (secret, bn, dh); if (len == -1) { logErrorFromSSL (); } else { int offset; assert (len <= KEY_LEN); offset = KEY_LEN - len; memset (crypto->mySecret, 0, offset); memcpy (crypto->mySecret + offset, secret, len); crypto->mySecretIsSet = 1; } BN_free (bn); return crypto->mySecret; } const uint8_t* tr_cryptoGetMyPublicKey (const tr_crypto * crypto, int * setme_len) { ensureKeyExists ((tr_crypto *) crypto); *setme_len = KEY_LEN; return crypto->myPublicKey; } /** *** **/ static void initRC4 (tr_crypto * crypto, RC4_KEY * setme, const char * key) { SHA_CTX sha; uint8_t buf[SHA_DIGEST_LENGTH]; assert (crypto->torrentHashIsSet); assert (crypto->mySecretIsSet); if (SHA1_Init (&sha) && SHA1_Update (&sha, key, 4) && SHA1_Update (&sha, crypto->mySecret, KEY_LEN) && SHA1_Update (&sha, crypto->torrentHash, SHA_DIGEST_LENGTH) && SHA1_Final (buf, &sha)) { RC4_set_key (setme, SHA_DIGEST_LENGTH, buf); } else { logErrorFromSSL (); } } void tr_cryptoDecryptInit (tr_crypto * crypto) { unsigned char discard[1024]; const char * txt = crypto->isIncoming ? "keyA" : "keyB"; initRC4 (crypto, &crypto->dec_key, txt); RC4 (&crypto->dec_key, sizeof (discard), discard, discard); } void tr_cryptoDecrypt (tr_crypto * crypto, size_t buf_len, const void * buf_in, void * buf_out) { RC4 (&crypto->dec_key, buf_len, (const unsigned char*)buf_in, (unsigned char*)buf_out); } void tr_cryptoEncryptInit (tr_crypto * crypto) { unsigned char discard[1024]; const char * txt = crypto->isIncoming ? "keyB" : "keyA"; initRC4 (crypto, &crypto->enc_key, txt); RC4 (&crypto->enc_key, sizeof (discard), discard, discard); } void tr_cryptoEncrypt (tr_crypto * crypto, size_t buf_len, const void * buf_in, void * buf_out) { RC4 (&crypto->enc_key, buf_len, (const unsigned char*)buf_in, (unsigned char*)buf_out); } /** *** **/ void tr_cryptoSetTorrentHash (tr_crypto * crypto, const uint8_t * hash) { crypto->torrentHashIsSet = hash ? 1 : 0; if (hash) memcpy (crypto->torrentHash, hash, SHA_DIGEST_LENGTH); else memset (crypto->torrentHash, 0, SHA_DIGEST_LENGTH); } const uint8_t* tr_cryptoGetTorrentHash (const tr_crypto * crypto) { assert (crypto); assert (crypto->torrentHashIsSet); return crypto->torrentHash; } int tr_cryptoHasTorrentHash (const tr_crypto * crypto) { assert (crypto); return crypto->torrentHashIsSet ? 1 : 0; } int tr_cryptoRandInt (int upperBound) { int noise; int val; assert (upperBound > 0); if (RAND_pseudo_bytes ((unsigned char *) &noise, sizeof noise) >= 0) { val = abs (noise) % upperBound; } else /* fall back to a weaker implementation... */ { val = tr_cryptoWeakRandInt (upperBound); } return val; } int tr_cryptoWeakRandInt (int upperBound) { static bool init = false; assert (upperBound > 0); if (!init) { srand (tr_time_msec ()); init = true; } return rand () % upperBound; } void tr_cryptoRandBuf (void * buf, size_t len) { if (RAND_pseudo_bytes ((unsigned char*)buf, len) != 1) logErrorFromSSL (); } /*** **** ***/ char* tr_ssha1 (const void * plaintext) { enum { saltval_len = 8, salter_len = 64 }; static const char * salter = "0123456789" "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "./"; size_t i; unsigned char salt[saltval_len]; uint8_t sha[SHA_DIGEST_LENGTH]; char buf[2*SHA_DIGEST_LENGTH + saltval_len + 2]; tr_cryptoRandBuf (salt, saltval_len); for (i=0; i