1/* 2 * RTMP Diffie-Hellmann utilities 3 * Copyright (c) 2009 Andrej Stepanchuk 4 * Copyright (c) 2009-2010 Howard Chu 5 * Copyright (c) 2012 Samuel Pitoiset 6 * 7 * This file is part of FFmpeg. 8 * 9 * FFmpeg is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU Lesser General Public 11 * License as published by the Free Software Foundation; either 12 * version 2.1 of the License, or (at your option) any later version. 13 * 14 * FFmpeg is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 17 * Lesser General Public License for more details. 18 * 19 * You should have received a copy of the GNU Lesser General Public 20 * License along with FFmpeg; if not, write to the Free Software 21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 22 */ 23 24/** 25 * @file 26 * RTMP Diffie-Hellmann utilities 27 */ 28 29#include "config.h" 30#include "rtmpdh.h" 31#include "libavutil/random_seed.h" 32 33#define P1024 \ 34 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ 35 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ 36 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ 37 "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ 38 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" \ 39 "FFFFFFFFFFFFFFFF" 40 41#define Q1024 \ 42 "7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68" \ 43 "948127044533E63A0105DF531D89CD9128A5043CC71A026E" \ 44 "F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122" \ 45 "F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6" \ 46 "F71C35FDAD44CFD2D74F9208BE258FF324943328F67329C0" \ 47 "FFFFFFFFFFFFFFFF" 48 49#if CONFIG_NETTLE || CONFIG_GCRYPT 50#if CONFIG_NETTLE 51#define bn_new(bn) \ 52 do { \ 53 bn = av_malloc(sizeof(*bn)); \ 54 if (bn) \ 55 mpz_init2(bn, 1); \ 56 } while (0) 57#define bn_free(bn) \ 58 do { \ 59 mpz_clear(bn); \ 60 av_free(bn); \ 61 } while (0) 62#define bn_set_word(bn, w) mpz_set_ui(bn, w) 63#define bn_cmp(a, b) mpz_cmp(a, b) 64#define bn_copy(to, from) mpz_set(to, from) 65#define bn_sub_word(bn, w) mpz_sub_ui(bn, bn, w) 66#define bn_cmp_1(bn) mpz_cmp_ui(bn, 1) 67#define bn_num_bytes(bn) (mpz_sizeinbase(bn, 2) + 7) / 8 68#define bn_bn2bin(bn, buf, len) nettle_mpz_get_str_256(len, buf, bn) 69#define bn_bin2bn(bn, buf, len) \ 70 do { \ 71 bn_new(bn); \ 72 if (bn) \ 73 nettle_mpz_set_str_256_u(bn, len, buf); \ 74 } while (0) 75#define bn_hex2bn(bn, buf, ret) \ 76 do { \ 77 bn_new(bn); \ 78 if (bn) \ 79 ret = (mpz_set_str(bn, buf, 16) == 0); \ 80 } while (0) 81#define bn_modexp(bn, y, q, p) mpz_powm(bn, y, q, p) 82#define bn_random(bn, num_bytes) \ 83 do { \ 84 gmp_randstate_t rs; \ 85 gmp_randinit_mt(rs); \ 86 gmp_randseed_ui(rs, av_get_random_seed()); \ 87 mpz_urandomb(bn, rs, num_bytes); \ 88 gmp_randclear(rs); \ 89 } while (0) 90#elif CONFIG_GCRYPT 91#define bn_new(bn) bn = gcry_mpi_new(1) 92#define bn_free(bn) gcry_mpi_release(bn) 93#define bn_set_word(bn, w) gcry_mpi_set_ui(bn, w) 94#define bn_cmp(a, b) gcry_mpi_cmp(a, b) 95#define bn_copy(to, from) gcry_mpi_set(to, from) 96#define bn_sub_word(bn, w) gcry_mpi_sub_ui(bn, bn, w) 97#define bn_cmp_1(bn) gcry_mpi_cmp_ui(bn, 1) 98#define bn_num_bytes(bn) (gcry_mpi_get_nbits(bn) + 7) / 8 99#define bn_bn2bin(bn, buf, len) gcry_mpi_print(GCRYMPI_FMT_USG, buf, len, NULL, bn) 100#define bn_bin2bn(bn, buf, len) gcry_mpi_scan(&bn, GCRYMPI_FMT_USG, buf, len, NULL) 101#define bn_hex2bn(bn, buf, ret) ret = (gcry_mpi_scan(&bn, GCRYMPI_FMT_HEX, buf, 0, 0) == 0) 102#define bn_modexp(bn, y, q, p) gcry_mpi_powm(bn, y, q, p) 103#define bn_random(bn, num_bytes) gcry_mpi_randomize(bn, num_bytes, GCRY_WEAK_RANDOM) 104#endif 105 106#define MAX_BYTES 18000 107 108#define dh_new() av_malloc(sizeof(FF_DH)) 109 110static FFBigNum dh_generate_key(FF_DH *dh) 111{ 112 int num_bytes; 113 114 num_bytes = bn_num_bytes(dh->p) - 1; 115 if (num_bytes <= 0 || num_bytes > MAX_BYTES) 116 return NULL; 117 118 bn_new(dh->priv_key); 119 if (!dh->priv_key) 120 return NULL; 121 bn_random(dh->priv_key, num_bytes); 122 123 bn_new(dh->pub_key); 124 if (!dh->pub_key) { 125 bn_free(dh->priv_key); 126 return NULL; 127 } 128 129 bn_modexp(dh->pub_key, dh->g, dh->priv_key, dh->p); 130 131 return dh->pub_key; 132} 133 134static int dh_compute_key(FF_DH *dh, FFBigNum pub_key_bn, 135 uint32_t pub_key_len, uint8_t *secret_key) 136{ 137 FFBigNum k; 138 int num_bytes; 139 140 num_bytes = bn_num_bytes(dh->p); 141 if (num_bytes <= 0 || num_bytes > MAX_BYTES) 142 return -1; 143 144 bn_new(k); 145 if (!k) 146 return -1; 147 148 bn_modexp(k, pub_key_bn, dh->priv_key, dh->p); 149 bn_bn2bin(k, secret_key, pub_key_len); 150 bn_free(k); 151 152 /* return the length of the shared secret key like DH_compute_key */ 153 return pub_key_len; 154} 155 156void ff_dh_free(FF_DH *dh) 157{ 158 bn_free(dh->p); 159 bn_free(dh->g); 160 bn_free(dh->pub_key); 161 bn_free(dh->priv_key); 162 av_free(dh); 163} 164#elif CONFIG_OPENSSL 165#define bn_new(bn) bn = BN_new() 166#define bn_free(bn) BN_free(bn) 167#define bn_set_word(bn, w) BN_set_word(bn, w) 168#define bn_cmp(a, b) BN_cmp(a, b) 169#define bn_copy(to, from) BN_copy(to, from) 170#define bn_sub_word(bn, w) BN_sub_word(bn, w) 171#define bn_cmp_1(bn) BN_cmp(bn, BN_value_one()) 172#define bn_num_bytes(bn) BN_num_bytes(bn) 173#define bn_bn2bin(bn, buf, len) BN_bn2bin(bn, buf) 174#define bn_bin2bn(bn, buf, len) bn = BN_bin2bn(buf, len, 0) 175#define bn_hex2bn(bn, buf, ret) ret = BN_hex2bn(&bn, buf) 176#define bn_modexp(bn, y, q, p) \ 177 do { \ 178 BN_CTX *ctx = BN_CTX_new(); \ 179 if (!ctx) \ 180 return AVERROR(ENOMEM); \ 181 if (!BN_mod_exp(bn, y, q, p, ctx)) { \ 182 BN_CTX_free(ctx); \ 183 return AVERROR(EINVAL); \ 184 } \ 185 BN_CTX_free(ctx); \ 186 } while (0) 187 188#define dh_new() DH_new() 189#define dh_generate_key(dh) DH_generate_key(dh) 190#define dh_compute_key(dh, pub, len, secret) DH_compute_key(secret, pub, dh) 191 192void ff_dh_free(FF_DH *dh) 193{ 194 DH_free(dh); 195} 196#endif 197 198static int dh_is_valid_public_key(FFBigNum y, FFBigNum p, FFBigNum q) 199{ 200 FFBigNum bn = NULL; 201 int ret = AVERROR(EINVAL); 202 203 bn_new(bn); 204 if (!bn) 205 return AVERROR(ENOMEM); 206 207 /* y must lie in [2, p - 1] */ 208 bn_set_word(bn, 1); 209 if (!bn_cmp(y, bn)) 210 goto fail; 211 212 /* bn = p - 2 */ 213 bn_copy(bn, p); 214 bn_sub_word(bn, 1); 215 if (!bn_cmp(y, bn)) 216 goto fail; 217 218 /* Verify with Sophie-Germain prime 219 * 220 * This is a nice test to make sure the public key position is calculated 221 * correctly. This test will fail in about 50% of the cases if applied to 222 * random data. 223 */ 224 /* y must fulfill y^q mod p = 1 */ 225 bn_modexp(bn, y, q, p); 226 227 if (bn_cmp_1(bn)) 228 goto fail; 229 230 ret = 0; 231fail: 232 bn_free(bn); 233 234 return ret; 235} 236 237av_cold FF_DH *ff_dh_init(int key_len) 238{ 239 FF_DH *dh; 240 int ret; 241 242 if (!(dh = dh_new())) 243 return NULL; 244 245 bn_new(dh->g); 246 if (!dh->g) 247 goto fail; 248 249 bn_hex2bn(dh->p, P1024, ret); 250 if (!ret) 251 goto fail; 252 253 bn_set_word(dh->g, 2); 254 dh->length = key_len; 255 256 return dh; 257 258fail: 259 ff_dh_free(dh); 260 261 return NULL; 262} 263 264int ff_dh_generate_public_key(FF_DH *dh) 265{ 266 int ret = 0; 267 268 while (!ret) { 269 FFBigNum q1 = NULL; 270 271 if (!dh_generate_key(dh)) 272 return AVERROR(EINVAL); 273 274 bn_hex2bn(q1, Q1024, ret); 275 if (!ret) 276 return AVERROR(ENOMEM); 277 278 ret = dh_is_valid_public_key(dh->pub_key, dh->p, q1); 279 bn_free(q1); 280 281 if (!ret) { 282 /* the public key is valid */ 283 break; 284 } 285 } 286 287 return ret; 288} 289 290int ff_dh_write_public_key(FF_DH *dh, uint8_t *pub_key, int pub_key_len) 291{ 292 int len; 293 294 /* compute the length of the public key */ 295 len = bn_num_bytes(dh->pub_key); 296 if (len <= 0 || len > pub_key_len) 297 return AVERROR(EINVAL); 298 299 /* convert the public key value into big-endian form */ 300 memset(pub_key, 0, pub_key_len); 301 bn_bn2bin(dh->pub_key, pub_key + pub_key_len - len, len); 302 303 return 0; 304} 305 306int ff_dh_compute_shared_secret_key(FF_DH *dh, const uint8_t *pub_key, 307 int pub_key_len, uint8_t *secret_key) 308{ 309 FFBigNum q1 = NULL, pub_key_bn = NULL; 310 int ret; 311 312 /* convert the big-endian form of the public key into a bignum */ 313 bn_bin2bn(pub_key_bn, pub_key, pub_key_len); 314 if (!pub_key_bn) 315 return AVERROR(ENOMEM); 316 317 /* convert the string containing a hexadecimal number into a bignum */ 318 bn_hex2bn(q1, Q1024, ret); 319 if (!ret) { 320 ret = AVERROR(ENOMEM); 321 goto fail; 322 } 323 324 /* when the public key is valid we have to compute the shared secret key */ 325 if ((ret = dh_is_valid_public_key(pub_key_bn, dh->p, q1)) < 0) { 326 goto fail; 327 } else if ((ret = dh_compute_key(dh, pub_key_bn, pub_key_len, 328 secret_key)) < 0) { 329 ret = AVERROR(EINVAL); 330 goto fail; 331 } 332 333fail: 334 bn_free(pub_key_bn); 335 bn_free(q1); 336 337 return ret; 338} 339 340