/* * This file Copyright (C) Mnemosyne LLC * * This file is licensed by the GPL version 2. Works owned by the * Transmission project are granted a special exemption to clause 2(b) * so that the bulk of its code can remain under the MIT license. * This exemption does not extend to derived works not owned by * the Transmission project. * * $Id$ */ #include #include /* uint8_t */ #include /* INT_MAX */ #include #include /* abs() */ #include /* memcpy(), memset(), strcmp() */ #include #include #include #include #include #include #include "transmission.h" #include "crypto.h" #include "utils.h" #define MY_NAME "tr_crypto" /** *** **/ void tr_sha1( uint8_t * setme, const void * content1, int content1_len, ... ) { va_list vl; SHA_CTX sha; const void * content; SHA1_Init( &sha ); SHA1_Update( &sha, content1, content1_len ); va_start( vl, content1_len ); while(( content = va_arg( vl, const void* ))) SHA1_Update( &sha, content, va_arg( vl, int ) ); va_end( vl ); SHA1_Final( setme, &sha ); } /** *** **/ #define KEY_LEN 96 #define PRIME_LEN 96 #define DH_PRIVKEY_LEN_MIN 16 #define DH_PRIVKEY_LEN 20 static const uint8_t dh_P[PRIME_LEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x3A, 0x36, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x05, 0x63, }; static const uint8_t dh_G[] = { 2 }; /** @brief Holds state information for encrypted peer communications */ struct tr_crypto { RC4_KEY dec_key; RC4_KEY enc_key; uint8_t torrentHash[SHA_DIGEST_LENGTH]; bool isIncoming; bool torrentHashIsSet; bool mySecretIsSet; uint8_t myPublicKey[KEY_LEN]; uint8_t mySecret[KEY_LEN]; DH * dh; }; /** *** **/ #define logErrorFromSSL( ... ) \ do { \ if( tr_msgLoggingIsActive( TR_MSG_ERR ) ) { \ char buf[512]; \ ERR_error_string_n( ERR_get_error( ), buf, sizeof( buf ) ); \ tr_msg( __FILE__, __LINE__, TR_MSG_ERR, MY_NAME, "%s", buf ); \ } \ } while( 0 ) static void ensureKeyExists( tr_crypto * crypto) { if( crypto->dh == NULL ) { int len, offset; DH * dh = DH_new( ); dh->p = BN_bin2bn( dh_P, sizeof( dh_P ), NULL ); if( dh->p == NULL ) logErrorFromSSL( ); dh->g = BN_bin2bn( dh_G, sizeof( dh_G ), NULL ); if( dh->g == NULL ) logErrorFromSSL( ); /* private DH value: strong random BN of DH_PRIVKEY_LEN*8 bits */ dh->priv_key = BN_new( ); do { if( BN_rand( dh->priv_key, DH_PRIVKEY_LEN * 8, -1, 0 ) != 1 ) logErrorFromSSL( ); } while ( BN_num_bits( dh->priv_key ) < DH_PRIVKEY_LEN_MIN * 8 ); if( !DH_generate_key( dh ) ) logErrorFromSSL( ); /* DH can generate key sizes that are smaller than the size of P with exponentially decreasing probability, in which case the msb's of myPublicKey need to be zeroed appropriately. */ len = BN_num_bytes( dh->pub_key ); offset = KEY_LEN - len; assert( len <= KEY_LEN ); memset( crypto->myPublicKey, 0, offset ); BN_bn2bin( dh->pub_key, crypto->myPublicKey + offset ); crypto->dh = dh; } } tr_crypto * tr_cryptoNew( const uint8_t * torrentHash, int isIncoming ) { tr_crypto * crypto; crypto = tr_new0( tr_crypto, 1 ); crypto->isIncoming = isIncoming ? 1 : 0; tr_cryptoSetTorrentHash( crypto, torrentHash ); crypto->dh = NULL; return crypto; } void tr_cryptoFree( tr_crypto * crypto ) { if( crypto->dh != NULL ) DH_free( crypto->dh ); tr_free( crypto ); } /** *** **/ const uint8_t* tr_cryptoComputeSecret( tr_crypto * crypto, const uint8_t * peerPublicKey ) { int len; uint8_t secret[KEY_LEN]; BIGNUM * bn = BN_bin2bn( peerPublicKey, KEY_LEN, NULL ); DH * dh; ensureKeyExists( crypto ); dh = crypto->dh; assert( DH_size( dh ) == KEY_LEN ); len = DH_compute_key( secret, bn, dh ); if( len == -1 ) logErrorFromSSL( ); else { int offset; assert( len <= KEY_LEN ); offset = KEY_LEN - len; memset( crypto->mySecret, 0, offset ); memcpy( crypto->mySecret + offset, secret, len ); crypto->mySecretIsSet = 1; } BN_free( bn ); return crypto->mySecret; } const uint8_t* tr_cryptoGetMyPublicKey( const tr_crypto * crypto, int * setme_len ) { ensureKeyExists( (tr_crypto *) crypto ); *setme_len = KEY_LEN; return crypto->myPublicKey; } /** *** **/ static void initRC4( tr_crypto * crypto, RC4_KEY * setme, const char * key ) { SHA_CTX sha; uint8_t buf[SHA_DIGEST_LENGTH]; assert( crypto->torrentHashIsSet ); assert( crypto->mySecretIsSet ); if( SHA1_Init( &sha ) && SHA1_Update( &sha, key, 4 ) && SHA1_Update( &sha, crypto->mySecret, KEY_LEN ) && SHA1_Update( &sha, crypto->torrentHash, SHA_DIGEST_LENGTH ) && SHA1_Final( buf, &sha ) ) { RC4_set_key( setme, SHA_DIGEST_LENGTH, buf ); } else { logErrorFromSSL( ); } } void tr_cryptoDecryptInit( tr_crypto * crypto ) { unsigned char discard[1024]; const char * txt = crypto->isIncoming ? "keyA" : "keyB"; initRC4( crypto, &crypto->dec_key, txt ); RC4( &crypto->dec_key, sizeof( discard ), discard, discard ); } void tr_cryptoDecrypt( tr_crypto * crypto, size_t buf_len, const void * buf_in, void * buf_out ) { RC4( &crypto->dec_key, buf_len, (const unsigned char*)buf_in, (unsigned char*)buf_out ); } void tr_cryptoEncryptInit( tr_crypto * crypto ) { unsigned char discard[1024]; const char * txt = crypto->isIncoming ? "keyB" : "keyA"; initRC4( crypto, &crypto->enc_key, txt ); RC4( &crypto->enc_key, sizeof( discard ), discard, discard ); } void tr_cryptoEncrypt( tr_crypto * crypto, size_t buf_len, const void * buf_in, void * buf_out ) { RC4( &crypto->enc_key, buf_len, (const unsigned char*)buf_in, (unsigned char*)buf_out ); } /** *** **/ void tr_cryptoSetTorrentHash( tr_crypto * crypto, const uint8_t * hash ) { crypto->torrentHashIsSet = hash ? 1 : 0; if( hash ) memcpy( crypto->torrentHash, hash, SHA_DIGEST_LENGTH ); else memset( crypto->torrentHash, 0, SHA_DIGEST_LENGTH ); } const uint8_t* tr_cryptoGetTorrentHash( const tr_crypto * crypto ) { assert( crypto ); assert( crypto->torrentHashIsSet ); return crypto->torrentHash; } int tr_cryptoHasTorrentHash( const tr_crypto * crypto ) { assert( crypto ); return crypto->torrentHashIsSet ? 1 : 0; } int tr_cryptoRandInt( int upperBound ) { int noise; int val; assert( upperBound > 0 ); if( RAND_pseudo_bytes ( (unsigned char *) &noise, sizeof noise ) >= 0 ) { val = abs( noise ) % upperBound; } else /* fall back to a weaker implementation... */ { val = tr_cryptoWeakRandInt( upperBound ); } return val; } int tr_cryptoWeakRandInt( int upperBound ) { static bool init = false; assert( upperBound > 0 ); if( !init ) { srand( tr_time_msec( ) ); init = true; } return rand( ) % upperBound; } void tr_cryptoRandBuf( void * buf, size_t len ) { if( RAND_pseudo_bytes ( (unsigned char*)buf, len ) != 1 ) logErrorFromSSL( ); } /*** **** ***/ char* tr_ssha1( const void * plaintext ) { enum { saltval_len = 8, salter_len = 64 }; static const char * salter = "0123456789" "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "./"; size_t i; unsigned char salt[saltval_len]; uint8_t sha[SHA_DIGEST_LENGTH]; char buf[2*SHA_DIGEST_LENGTH + saltval_len + 2]; tr_cryptoRandBuf( salt, saltval_len ); for( i=0; i