/* Copyright (c) 2007-2014, Un Shyam, Arvid Norberg, Steven Siloti All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the author nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #if !defined(TORRENT_DISABLE_ENCRYPTION) && !defined(TORRENT_DISABLE_EXTENSIONS) #include #include #if defined TORRENT_USE_GCRYPT #include #elif defined TORRENT_USE_OPENSSL #include #include "libtorrent/random.hpp" #elif defined TORRENT_USE_TOMMATH extern "C" { #include "libtorrent/tommath.h" } #include "libtorrent/random.hpp" #endif #include "libtorrent/pe_crypto.hpp" #include "libtorrent/hasher.hpp" #include "libtorrent/assert.hpp" namespace libtorrent { namespace { const unsigned char dh_prime[96] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x3A, 0x36, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x05, 0x63 }; } // Set the prime P and the generator, generate local public key dh_key_exchange::dh_key_exchange() { #ifdef TORRENT_USE_GCRYPT // create local key gcry_randomize(m_dh_local_secret, sizeof(m_dh_local_secret), GCRY_STRONG_RANDOM); // build gcrypt big ints from the prime and the secret gcry_mpi_t prime = 0; gcry_mpi_t secret = 0; gcry_mpi_t key = 0; gcry_error_t e; e = gcry_mpi_scan(&prime, GCRYMPI_FMT_USG, dh_prime, sizeof(dh_prime), 0); if (e) goto get_out; e = gcry_mpi_scan(&secret, GCRYMPI_FMT_USG, m_dh_local_secret, sizeof(m_dh_local_secret), 0); if (e) goto get_out; key = gcry_mpi_new(8); // generator is 2 gcry_mpi_set_ui(key, 2); // key = (2 ^ secret) % prime gcry_mpi_powm(key, key, secret, prime); // key is now our local key size_t written; gcry_mpi_print(GCRYMPI_FMT_USG, (unsigned char*)m_dh_local_key , sizeof(m_dh_local_key), &written, key); if (written < 96) { memmove(m_dh_local_key + (sizeof(m_dh_local_key) - written), m_dh_local_key, written); memset(m_dh_local_key, 0, sizeof(m_dh_local_key) - written); } get_out: if (key) gcry_mpi_release(key); if (prime) gcry_mpi_release(prime); if (secret) gcry_mpi_release(secret); #elif defined TORRENT_USE_OPENSSL // create local key for (int i = 0; i < sizeof(m_dh_local_secret); ++i) m_dh_local_secret[i] = random() & 0xff; BIGNUM* prime = 0; BIGNUM* secret = 0; BIGNUM* key = 0; BN_CTX* ctx = 0; int size; prime = BN_bin2bn(dh_prime, sizeof(dh_prime), 0); if (prime == 0) goto get_out; secret = BN_bin2bn((unsigned char*)m_dh_local_secret, sizeof(m_dh_local_secret), 0); if (secret == 0) goto get_out; key = BN_new(); if (key == 0) goto get_out; // generator is 2 BN_set_word(key, 2); ctx = BN_CTX_new(); if (ctx == 0) goto get_out; BN_mod_exp(key, key, secret, prime, ctx); BN_CTX_free(ctx); // print key to m_dh_local_key size = BN_num_bytes(key); memset(m_dh_local_key, 0, sizeof(m_dh_local_key) - size); BN_bn2bin(key, (unsigned char*)m_dh_local_key + sizeof(m_dh_local_key) - size); get_out: if (key) BN_free(key); if (secret) BN_free(secret); if (prime) BN_free(prime); #elif defined TORRENT_USE_TOMMATH // create local key for (int i = 0; i < int(sizeof(m_dh_local_secret)); ++i) m_dh_local_secret[i] = random() & 0xff; mp_int prime; mp_int secret; mp_int key; int e; int size; mp_init(&prime); mp_init(&secret); mp_init(&key); e = mp_read_unsigned_bin(&prime, dh_prime, sizeof(dh_prime)); if (e) goto get_out; e = mp_read_unsigned_bin(&secret, (unsigned char*)m_dh_local_secret, sizeof(m_dh_local_secret)); if (e) goto get_out; // generator is 2 mp_set_int(&key, 2); // key = (2 ^ secret) % prime e = mp_exptmod(&key, &secret, &prime, &key); if (e) goto get_out; // key is now our local key size = mp_unsigned_bin_size(&key); memset(m_dh_local_key, 0, sizeof(m_dh_local_key) - size); mp_to_unsigned_bin(&key, (unsigned char*)m_dh_local_key + sizeof(m_dh_local_key) - size); get_out: mp_clear(&key); mp_clear(&prime); mp_clear(&secret); #else #error you must define which bigint library to use #endif } char const* dh_key_exchange::get_local_key() const { return m_dh_local_key; } // compute shared secret given remote public key int dh_key_exchange::compute_secret(char const* remote_pubkey) { TORRENT_ASSERT(remote_pubkey); int ret = 0; #ifdef TORRENT_USE_GCRYPT gcry_mpi_t prime = 0; gcry_mpi_t remote_key = 0; gcry_mpi_t secret = 0; size_t written; gcry_error_t e; e = gcry_mpi_scan(&prime, GCRYMPI_FMT_USG, dh_prime, sizeof(dh_prime), 0); if (e != 0) { ret = 1; goto get_out; } e = gcry_mpi_scan(&remote_key, GCRYMPI_FMT_USG, remote_pubkey, 96, 0); if (e != 0) { ret = 1; goto get_out; } e = gcry_mpi_scan(&secret, GCRYMPI_FMT_USG, (unsigned char const*)m_dh_local_secret , sizeof(m_dh_local_secret), 0); if (e != 0) { ret = 1; goto get_out; } gcry_mpi_powm(remote_key, remote_key, secret, prime); // remote_key is now the shared secret e = gcry_mpi_print(GCRYMPI_FMT_USG, (unsigned char*)m_dh_shared_secret , sizeof(m_dh_shared_secret), &written, remote_key); if (e != 0) { ret = 1; goto get_out; } if (written < 96) { memmove(m_dh_shared_secret, m_dh_shared_secret + (sizeof(m_dh_shared_secret) - written), written); memset(m_dh_shared_secret, 0, sizeof(m_dh_shared_secret) - written); } get_out: // TODO: 3 clean this up using destructors instead if (prime) gcry_mpi_release(prime); if (remote_key) gcry_mpi_release(remote_key); if (secret) gcry_mpi_release(secret); #elif defined TORRENT_USE_OPENSSL BIGNUM* prime = 0; BIGNUM* secret = 0; BIGNUM* remote_key = 0; BN_CTX* ctx = 0; int size; prime = BN_bin2bn(dh_prime, sizeof(dh_prime), 0); if (prime == 0) { ret = 1; goto get_out; } secret = BN_bin2bn((unsigned char*)m_dh_local_secret, sizeof(m_dh_local_secret), 0); if (secret == 0) { ret = 1; goto get_out; } remote_key = BN_bin2bn((unsigned char*)remote_pubkey, 96, 0); if (remote_key == 0) { ret = 1; goto get_out; } ctx = BN_CTX_new(); if (ctx == 0) { ret = 1; goto get_out; } BN_mod_exp(remote_key, remote_key, secret, prime, ctx); BN_CTX_free(ctx); // remote_key is now the shared secret size = BN_num_bytes(remote_key); memset(m_dh_shared_secret, 0, sizeof(m_dh_shared_secret) - size); BN_bn2bin(remote_key, (unsigned char*)m_dh_shared_secret + sizeof(m_dh_shared_secret) - size); get_out: BN_free(remote_key); BN_free(secret); BN_free(prime); #elif defined TORRENT_USE_TOMMATH mp_int prime; mp_int secret; mp_int remote_key; int size; int e; mp_init(&prime); mp_init(&secret); mp_init(&remote_key); e = mp_read_unsigned_bin(&prime, dh_prime, sizeof(dh_prime)); if (e) { ret = 1; goto get_out; } e = mp_read_unsigned_bin(&secret, (unsigned char*)m_dh_local_secret, sizeof(m_dh_local_secret)); if (e) { ret = 1; goto get_out; } e = mp_read_unsigned_bin(&remote_key, (unsigned char*)remote_pubkey, 96); if (e) { ret = 1; goto get_out; } e = mp_exptmod(&remote_key, &secret, &prime, &remote_key); if (e) goto get_out; // remote_key is now the shared secret size = mp_unsigned_bin_size(&remote_key); memset(m_dh_shared_secret, 0, sizeof(m_dh_shared_secret) - size); mp_to_unsigned_bin(&remote_key, (unsigned char*)m_dh_shared_secret + sizeof(m_dh_shared_secret) - size); get_out: mp_clear(&remote_key); mp_clear(&secret); mp_clear(&prime); #else #error you must define which bigint library to use #endif // calculate the xor mask for the obfuscated hash hasher h; h.update("req3", 4); h.update(m_dh_shared_secret, sizeof(m_dh_shared_secret)); m_xor_mask = h.final(); return ret; } int encryption_handler::encrypt(std::vector& iovec) { TORRENT_ASSERT(!m_send_barriers.empty()); TORRENT_ASSERT(m_send_barriers.front().enc_handler); int to_process = m_send_barriers.front().next; if (to_process != INT_MAX) { for (std::vector::iterator i = iovec.begin(); to_process >= 0; ++i) { if (to_process == 0) { iovec.erase(i, iovec.end()); break; } else if (to_process < asio::buffer_size(*i)) { *i = asio::mutable_buffer(asio::buffer_cast(*i), to_process); iovec.erase(++i, iovec.end()); to_process = 0; break; } to_process -= asio::buffer_size(*i); } TORRENT_ASSERT(to_process == 0); } #if defined TORRENT_DEBUG || TORRENT_RELEASE_ASSERTS to_process = 0; for (std::vector::iterator i = iovec.begin(); i != iovec.end(); ++i) to_process += asio::buffer_size(*i); #endif int next_barrier = 0; if (iovec.empty() || (next_barrier = m_send_barriers.front().enc_handler->encrypt(iovec))) { if (m_send_barriers.front().next != INT_MAX) { if (m_send_barriers.size() == 1) // transitioning back to plaintext next_barrier = INT_MAX; m_send_barriers.pop_front(); } #if defined TORRENT_DEBUG || TORRENT_RELEASE_ASSERTS if (next_barrier != INT_MAX) { int overhead = 0; for (std::vector::iterator i = iovec.begin(); i != iovec.end(); ++i) overhead += asio::buffer_size(*i); TORRENT_ASSERT(overhead + to_process == next_barrier); } #endif } else { iovec.clear(); } return next_barrier; } int encryption_handler::decrypt(crypto_receive_buffer& recv_buffer, std::size_t& bytes_transferred) { TORRENT_ASSERT(!is_recv_plaintext()); int consume = 0; if (recv_buffer.crypto_packet_finished()) { std::vector wr_buf; recv_buffer.mutable_buffers(wr_buf, bytes_transferred); int packet_size = 0; int produce = bytes_transferred; m_dec_handler->decrypt(wr_buf, consume, produce, packet_size); TORRENT_ASSERT(packet_size || produce); TORRENT_ASSERT(packet_size >= 0); bytes_transferred = produce; if (packet_size) recv_buffer.crypto_cut(consume, packet_size); } else bytes_transferred = 0; return consume; } bool encryption_handler::switch_send_crypto(boost::shared_ptr crypto , int pending_encryption) { bool place_barrier = false; if (!m_send_barriers.empty()) { std::list::iterator end = m_send_barriers.end(); --end; for (std::list::iterator b = m_send_barriers.begin(); b != end; ++b) pending_encryption -= b->next; TORRENT_ASSERT(pending_encryption >= 0); m_send_barriers.back().next = pending_encryption; } else if (crypto) place_barrier = true; if (crypto) m_send_barriers.push_back(barrier(crypto, INT_MAX)); return place_barrier; } void encryption_handler::switch_recv_crypto(boost::shared_ptr crypto , crypto_receive_buffer& recv_buffer) { m_dec_handler = crypto; int packet_size = 0; if (crypto) { int consume = 0; int produce = 0; std::vector wr_buf; crypto->decrypt(wr_buf, consume, produce, packet_size); TORRENT_ASSERT(wr_buf.empty()); TORRENT_ASSERT(consume == 0); TORRENT_ASSERT(produce == 0); } recv_buffer.crypto_reset(packet_size); } void rc4_handler::set_incoming_key(unsigned char const* key, int len) { m_decrypt = true; #ifdef TORRENT_USE_GCRYPT gcry_cipher_close(m_rc4_incoming); gcry_cipher_open(&m_rc4_incoming, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0); gcry_cipher_setkey(m_rc4_incoming, key, len); #elif defined TORRENT_USE_OPENSSL RC4_set_key(&m_remote_key, len, key); #else rc4_init(key, len, &m_rc4_incoming); #endif // Discard first 1024 bytes char buf[1024]; std::vector vec(1, boost::asio::mutable_buffer(buf, 1024)); int consume = 0; int produce = 0; int packet_size = 0; decrypt(vec, consume, produce, packet_size); } void rc4_handler::set_outgoing_key(unsigned char const* key, int len) { m_encrypt = true; #ifdef TORRENT_USE_GCRYPT gcry_cipher_close(m_rc4_outgoing); gcry_cipher_open(&m_rc4_outgoing, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0); gcry_cipher_setkey(m_rc4_outgoing, key, len); #elif defined TORRENT_USE_OPENSSL RC4_set_key(&m_local_key, len, key); #else rc4_init(key, len, &m_rc4_outgoing); #endif // Discard first 1024 bytes char buf[1024]; std::vector vec(1, boost::asio::mutable_buffer(buf, 1024)); encrypt(vec); } int rc4_handler::encrypt(std::vector& buf) { if (!m_encrypt) return 0; if (buf.empty()) return 0; int bytes_processed = 0; for (std::vector::iterator i = buf.begin(); i != buf.end(); ++i) { char* pos = boost::asio::buffer_cast(*i); int len = boost::asio::buffer_size(*i); TORRENT_ASSERT(len >= 0); TORRENT_ASSERT(pos); bytes_processed += len; #ifdef TORRENT_USE_GCRYPT gcry_cipher_encrypt(m_rc4_outgoing, pos, len, 0, 0); #elif defined TORRENT_USE_OPENSSL RC4(&m_local_key, len, (const unsigned char*)pos, (unsigned char*)pos); #else rc4_encrypt((unsigned char*)pos, len, &m_rc4_outgoing); #endif } buf.clear(); return bytes_processed; } void rc4_handler::decrypt(std::vector& buf , int& consume , int& produce , int& packet_size) { if (!m_decrypt) return; int bytes_processed = 0; for (std::vector::iterator i = buf.begin(); i != buf.end(); ++i) { char* pos = boost::asio::buffer_cast(*i); int len = boost::asio::buffer_size(*i); TORRENT_ASSERT(len >= 0); TORRENT_ASSERT(pos); bytes_processed += len; #ifdef TORRENT_USE_GCRYPT gcry_cipher_decrypt(m_rc4_incoming, pos, len, 0, 0); #elif defined TORRENT_USE_OPENSSL RC4(&m_remote_key, len, (const unsigned char*)pos, (unsigned char*)pos); #else rc4_encrypt((unsigned char*)pos, len, &m_rc4_incoming); #endif } buf.clear(); produce = bytes_processed; } } // namespace libtorrent #if !defined TORRENT_USE_OPENSSL && !defined TORRENT_USE_GCRYPT // All this code is based on libTomCrypt (http://www.libtomcrypt.com/) // this library is public domain and has been specially // tailored for libtorrent by Arvid Norberg void rc4_init(const unsigned char* in, unsigned long len, rc4 *state) { unsigned char key[256], tmp, *s; int keylen, x, y, j; TORRENT_ASSERT(state != 0); TORRENT_ASSERT(len <= 256); state->x = 0; while (len--) { state->buf[state->x++] = *in++; } /* extract the key */ s = state->buf; memcpy(key, s, 256); keylen = state->x; /* make RC4 perm and shuffle */ for (x = 0; x < 256; x++) { s[x] = x; } for (j = x = y = 0; x < 256; x++) { y = (y + state->buf[x] + key[j++]) & 255; if (j == keylen) { j = 0; } tmp = s[x]; s[x] = s[y]; s[y] = tmp; } state->x = 0; state->y = 0; } unsigned long rc4_encrypt(unsigned char *out, unsigned long outlen, rc4 *state) { unsigned char x, y, *s, tmp; unsigned long n; TORRENT_ASSERT(out != 0); TORRENT_ASSERT(state != 0); n = outlen; x = state->x; y = state->y; s = state->buf; while (outlen--) { x = (x + 1) & 255; y = (y + s[x]) & 255; tmp = s[x]; s[x] = s[y]; s[y] = tmp; tmp = (s[x] + s[y]) & 255; *out++ ^= s[tmp]; } state->x = x; state->y = y; return n; } #endif #endif // #if !defined(TORRENT_DISABLE_ENCRYPTION) && !defined(TORRENT_DISABLE_EXTENSIONS)