1/* 2 * This file Copyright (C) Mnemosyne LLC 3 * 4 * This file is licensed by the GPL version 2. Works owned by the 5 * Transmission project are granted a special exemption to clause 2(b) 6 * so that the bulk of its code can remain under the MIT license. 7 * This exemption does not extend to derived works not owned by 8 * the Transmission project. 9 * 10 * $Id: crypto.c 12885 2011-09-16 22:55:58Z jordan $ 11 */ 12 13#include <assert.h> 14#include <inttypes.h> /* uint8_t */ 15#include <limits.h> /* INT_MAX */ 16#include <stdarg.h> 17#include <stdlib.h> /* abs() */ 18#include <string.h> /* memcpy(), memset(), strcmp() */ 19 20#include <openssl/bn.h> 21#include <openssl/dh.h> 22#include <openssl/err.h> 23#include <openssl/rc4.h> 24#include <openssl/sha.h> 25#include <openssl/rand.h> 26 27#include "transmission.h" 28#include "crypto.h" 29#include "utils.h" 30 31#define MY_NAME "tr_crypto" 32 33/** 34*** 35**/ 36 37void 38tr_sha1( uint8_t * setme, const void * content1, int content1_len, ... ) 39{ 40 va_list vl; 41 SHA_CTX sha; 42 const void * content; 43 44 SHA1_Init( &sha ); 45 SHA1_Update( &sha, content1, content1_len ); 46 47 va_start( vl, content1_len ); 48 while(( content = va_arg( vl, const void* ))) 49 SHA1_Update( &sha, content, va_arg( vl, int ) ); 50 va_end( vl ); 51 52 SHA1_Final( setme, &sha ); 53} 54 55/** 56*** 57**/ 58 59#define KEY_LEN 96 60 61#define PRIME_LEN 96 62 63#define DH_PRIVKEY_LEN_MIN 16 64#define DH_PRIVKEY_LEN 20 65 66static const uint8_t dh_P[PRIME_LEN] = 67{ 68 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 69 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 70 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 71 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 72 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 73 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 74 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 75 0xA6, 0x3A, 0x36, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x05, 0x63, 76}; 77 78static const uint8_t dh_G[] = { 2 }; 79 80/** 81*** 82**/ 83 84#define logErrorFromSSL( ... ) \ 85 do { \ 86 if( tr_msgLoggingIsActive( TR_MSG_ERR ) ) { \ 87 char buf[512]; \ 88 ERR_error_string_n( ERR_get_error( ), buf, sizeof( buf ) ); \ 89 tr_msg( __FILE__, __LINE__, TR_MSG_ERR, MY_NAME, "%s", buf ); \ 90 } \ 91 } while( 0 ) 92 93static void 94ensureKeyExists( tr_crypto * crypto) 95{ 96 if( crypto->dh == NULL ) 97 { 98 int len, offset; 99 DH * dh = DH_new( ); 100 101 dh->p = BN_bin2bn( dh_P, sizeof( dh_P ), NULL ); 102 if( dh->p == NULL ) 103 logErrorFromSSL( ); 104 105 dh->g = BN_bin2bn( dh_G, sizeof( dh_G ), NULL ); 106 if( dh->g == NULL ) 107 logErrorFromSSL( ); 108 109 /* private DH value: strong random BN of DH_PRIVKEY_LEN*8 bits */ 110 dh->priv_key = BN_new( ); 111 do { 112 if( BN_rand( dh->priv_key, DH_PRIVKEY_LEN * 8, -1, 0 ) != 1 ) 113 logErrorFromSSL( ); 114 } while ( BN_num_bits( dh->priv_key ) < DH_PRIVKEY_LEN_MIN * 8 ); 115 116 if( !DH_generate_key( dh ) ) 117 logErrorFromSSL( ); 118 119 /* DH can generate key sizes that are smaller than the size of 120 P with exponentially decreasing probability, in which case 121 the msb's of myPublicKey need to be zeroed appropriately. */ 122 len = BN_num_bytes( dh->pub_key ); 123 offset = KEY_LEN - len; 124 assert( len <= KEY_LEN ); 125 memset( crypto->myPublicKey, 0, offset ); 126 BN_bn2bin( dh->pub_key, crypto->myPublicKey + offset ); 127 128 crypto->dh = dh; 129 } 130} 131 132void 133tr_cryptoConstruct( tr_crypto * crypto, const uint8_t * torrentHash, bool isIncoming ) 134{ 135 memset( crypto, 0, sizeof ( tr_crypto ) ); 136 137 crypto->dh = NULL; 138 crypto->isIncoming = isIncoming; 139 tr_cryptoSetTorrentHash( crypto, torrentHash ); 140} 141 142void 143tr_cryptoDestruct( tr_crypto * crypto ) 144{ 145 if( crypto->dh != NULL ) 146 DH_free( crypto->dh ); 147} 148 149/** 150*** 151**/ 152 153const uint8_t* 154tr_cryptoComputeSecret( tr_crypto * crypto, 155 const uint8_t * peerPublicKey ) 156{ 157 int len; 158 uint8_t secret[KEY_LEN]; 159 BIGNUM * bn = BN_bin2bn( peerPublicKey, KEY_LEN, NULL ); 160 DH * dh; 161 162 ensureKeyExists( crypto ); 163 dh = crypto->dh; 164 165 assert( DH_size( dh ) == KEY_LEN ); 166 167 len = DH_compute_key( secret, bn, dh ); 168 if( len == -1 ) 169 logErrorFromSSL( ); 170 else { 171 int offset; 172 assert( len <= KEY_LEN ); 173 offset = KEY_LEN - len; 174 memset( crypto->mySecret, 0, offset ); 175 memcpy( crypto->mySecret + offset, secret, len ); 176 crypto->mySecretIsSet = 1; 177 } 178 179 BN_free( bn ); 180 return crypto->mySecret; 181} 182 183const uint8_t* 184tr_cryptoGetMyPublicKey( const tr_crypto * crypto, 185 int * setme_len ) 186{ 187 ensureKeyExists( (tr_crypto *) crypto ); 188 *setme_len = KEY_LEN; 189 return crypto->myPublicKey; 190} 191 192/** 193*** 194**/ 195 196static void 197initRC4( tr_crypto * crypto, 198 RC4_KEY * setme, 199 const char * key ) 200{ 201 SHA_CTX sha; 202 uint8_t buf[SHA_DIGEST_LENGTH]; 203 204 assert( crypto->torrentHashIsSet ); 205 assert( crypto->mySecretIsSet ); 206 207 if( SHA1_Init( &sha ) 208 && SHA1_Update( &sha, key, 4 ) 209 && SHA1_Update( &sha, crypto->mySecret, KEY_LEN ) 210 && SHA1_Update( &sha, crypto->torrentHash, SHA_DIGEST_LENGTH ) 211 && SHA1_Final( buf, &sha ) ) 212 { 213 RC4_set_key( setme, SHA_DIGEST_LENGTH, buf ); 214 } 215 else 216 { 217 logErrorFromSSL( ); 218 } 219} 220 221void 222tr_cryptoDecryptInit( tr_crypto * crypto ) 223{ 224 unsigned char discard[1024]; 225 const char * txt = crypto->isIncoming ? "keyA" : "keyB"; 226 227 initRC4( crypto, &crypto->dec_key, txt ); 228 RC4( &crypto->dec_key, sizeof( discard ), discard, discard ); 229} 230 231void 232tr_cryptoDecrypt( tr_crypto * crypto, 233 size_t buf_len, 234 const void * buf_in, 235 void * buf_out ) 236{ 237 RC4( &crypto->dec_key, buf_len, 238 (const unsigned char*)buf_in, 239 (unsigned char*)buf_out ); 240} 241 242void 243tr_cryptoEncryptInit( tr_crypto * crypto ) 244{ 245 unsigned char discard[1024]; 246 const char * txt = crypto->isIncoming ? "keyB" : "keyA"; 247 248 initRC4( crypto, &crypto->enc_key, txt ); 249 RC4( &crypto->enc_key, sizeof( discard ), discard, discard ); 250} 251 252void 253tr_cryptoEncrypt( tr_crypto * crypto, 254 size_t buf_len, 255 const void * buf_in, 256 void * buf_out ) 257{ 258 RC4( &crypto->enc_key, buf_len, 259 (const unsigned char*)buf_in, 260 (unsigned char*)buf_out ); 261} 262 263/** 264*** 265**/ 266 267void 268tr_cryptoSetTorrentHash( tr_crypto * crypto, 269 const uint8_t * hash ) 270{ 271 crypto->torrentHashIsSet = hash ? 1 : 0; 272 273 if( hash ) 274 memcpy( crypto->torrentHash, hash, SHA_DIGEST_LENGTH ); 275 else 276 memset( crypto->torrentHash, 0, SHA_DIGEST_LENGTH ); 277} 278 279const uint8_t* 280tr_cryptoGetTorrentHash( const tr_crypto * crypto ) 281{ 282 assert( crypto ); 283 assert( crypto->torrentHashIsSet ); 284 285 return crypto->torrentHash; 286} 287 288int 289tr_cryptoHasTorrentHash( const tr_crypto * crypto ) 290{ 291 assert( crypto ); 292 293 return crypto->torrentHashIsSet ? 1 : 0; 294} 295 296int 297tr_cryptoRandInt( int upperBound ) 298{ 299 int noise; 300 int val; 301 302 assert( upperBound > 0 ); 303 304 if( RAND_pseudo_bytes ( (unsigned char *) &noise, sizeof noise ) >= 0 ) 305 { 306 val = abs( noise ) % upperBound; 307 } 308 else /* fall back to a weaker implementation... */ 309 { 310 val = tr_cryptoWeakRandInt( upperBound ); 311 } 312 313 return val; 314} 315 316int 317tr_cryptoWeakRandInt( int upperBound ) 318{ 319 static bool init = false; 320 321 assert( upperBound > 0 ); 322 323 if( !init ) 324 { 325 srand( tr_time_msec( ) ); 326 init = true; 327 } 328 329 return rand( ) % upperBound; 330} 331 332void 333tr_cryptoRandBuf( void * buf, size_t len ) 334{ 335 if( RAND_pseudo_bytes ( (unsigned char*)buf, len ) != 1 ) 336 logErrorFromSSL( ); 337} 338 339/*** 340**** 341***/ 342 343char* 344tr_ssha1( const void * plaintext ) 345{ 346 enum { saltval_len = 8, 347 salter_len = 64 }; 348 static const char * salter = "0123456789" 349 "abcdefghijklmnopqrstuvwxyz" 350 "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 351 "./"; 352 353 size_t i; 354 unsigned char salt[saltval_len]; 355 uint8_t sha[SHA_DIGEST_LENGTH]; 356 char buf[2*SHA_DIGEST_LENGTH + saltval_len + 2]; 357 358 tr_cryptoRandBuf( salt, saltval_len ); 359 for( i=0; i<saltval_len; ++i ) 360 salt[i] = salter[ salt[i] % salter_len ]; 361 362 tr_sha1( sha, plaintext, strlen( plaintext ), salt, saltval_len, NULL ); 363 tr_sha1_to_hex( &buf[1], sha ); 364 memcpy( &buf[1+2*SHA_DIGEST_LENGTH], &salt, saltval_len ); 365 buf[1+2*SHA_DIGEST_LENGTH + saltval_len] = '\0'; 366 buf[0] = '{'; /* signal that this is a hash. this makes saving/restoring 367 easier */ 368 369 return tr_strdup( &buf ); 370} 371 372bool 373tr_ssha1_matches( const char * source, const char * pass ) 374{ 375 char * salt; 376 size_t saltlen; 377 char * hashed; 378 uint8_t buf[SHA_DIGEST_LENGTH]; 379 bool result; 380 const size_t sourcelen = strlen( source ); 381 382 /* extract the salt */ 383 if( sourcelen < 2*SHA_DIGEST_LENGTH-1 ) 384 return false; 385 saltlen = sourcelen - 2*SHA_DIGEST_LENGTH-1; 386 salt = tr_malloc( saltlen ); 387 memcpy( salt, source + 2*SHA_DIGEST_LENGTH+1, saltlen ); 388 389 /* hash pass + salt */ 390 hashed = tr_malloc( 2*SHA_DIGEST_LENGTH + saltlen + 2 ); 391 tr_sha1( buf, pass, strlen( pass ), salt, saltlen, NULL ); 392 tr_sha1_to_hex( &hashed[1], buf ); 393 memcpy( hashed + 1+2*SHA_DIGEST_LENGTH, salt, saltlen ); 394 hashed[1+2*SHA_DIGEST_LENGTH + saltlen] = '\0'; 395 hashed[0] = '{'; 396 397 result = strcmp( source, hashed ) == 0 ? true : false; 398 399 tr_free( hashed ); 400 tr_free( salt ); 401 402 return result; 403} 404