1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
|
/***************************************************************************
* Copyright (C) 2005 by Joris Guisson *
* [email protected] *
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the *
* Free Software Foundation, Inc., *
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. *
***************************************************************************/
#include <stdlib.h>
#include <algorithm>
#include <util/functions.h>
#include <util/log.h>
#include <torrent/globals.h>
#include <torrent/server.h>
#include "encryptedauthenticate.h"
#include "rc4encryptor.h"
#include "streamsocket.h"
#include "functions.h"
using namespace bt;
namespace mse
{
EncryptedAuthenticate::EncryptedAuthenticate(
const TQString& ip,
Uint16 port,
const SHA1Hash& info_hash,
const PeerID& peer_id,
PeerManager* pman)
: Authenticate(ip, port, info_hash, peer_id, pman)
{
mse::GeneratePublicPrivateKey(xa,ya);
state = NOT_CONNECTED;
buf_size = 0;
our_rc4 = 0;
vc_off = 0;
dec_bytes = 0;
crypto_select = 0;
pad_D_len = 0;
end_of_crypto_handshake = 0;
//Out(SYS_CON|LOG_DEBUG) << "EncryptedAuthenticate : " << ip << ":" << port << endl;
}
EncryptedAuthenticate::~EncryptedAuthenticate()
{
delete our_rc4;
}
void EncryptedAuthenticate::connected()
{
// we are connected so send ya and some padding
Uint8 tmp[608];
ya.toBuffer(tmp,96);
sock->sendData(tmp,96 + rand() % 512);
state = SENT_YA;
}
/*
1 A->B: Diffie Hellman Ya, PadA
2 B->A: Diffie Hellman Yb, PadB
3 A->B: HASH('req1', S), HASH('req2', SKEY) xor HASH('req3', S), ENCRYPT(VC, crypto_provide, len(PadC), PadC, len(IA)), ENCRYPT(IA)
4 B->A: ENCRYPT(VC, crypto_select, len(padD), padD), ENCRYPT2(Payload Stream)
5 A->B: ENCRYPT2(Payload Stream)
*/
void EncryptedAuthenticate::handleYB()
{
// if you can't sent 96 bytes you are not worth the effort
if (buf_size < 96)
{
Out(SYS_CON|LOG_DEBUG) << "Not enough data received, encrypted authentication failed" << endl;
onFinish(false);
return;
}
// read Yb
yb = BigInt::fromBuffer(buf,96);
// calculate s
s = mse::DHSecret(xa,yb);
state = GOT_YB;
// now we must send line 3
Uint8 tmp_buf[120]; // temporary buffer
bt::SHA1Hash h1,h2; // temporary hash
// generate and send the first hash
memcpy(tmp_buf,"req1",4);
s.toBuffer(tmp_buf + 4,96);
h1 = SHA1Hash::generate(tmp_buf,100);
sock->sendData(h1.getData(),20);
// generate second and third hash and xor them
memcpy(tmp_buf,"req2",4);
memcpy(tmp_buf+4,info_hash.getData(),20);
h1 = SHA1Hash::generate(tmp_buf,24);
memcpy(tmp_buf,"req3",4);
s.toBuffer(tmp_buf + 4,96);
h2 = SHA1Hash::generate(tmp_buf,100);
sock->sendData((h1 ^ h2).getData(),20);
// now we enter encrypted mode the keys are :
// HASH('keyA', S, SKEY) for the encryption key
// HASH('keyB', S, SKEY) for the decryption key
enc = mse::EncryptionKey(true,s,info_hash);
dec = mse::EncryptionKey(false,s,info_hash);
our_rc4 = new RC4Encryptor(dec,enc);
// now we must send ENCRYPT(VC, crypto_provide, len(PadC), PadC, len(IA))
memset(tmp_buf,0,16); // VC are 8 0x00's
if (Globals::instance().getServer().unencryptedConnectionsAllowed())
tmp_buf[11] = 0x03; // we support both plain text and rc4
else
tmp_buf[11] = 0x02;
WriteUint16(tmp_buf,12,0x0000); // no padC
WriteUint16(tmp_buf,14,68); // length of IA, which will be the bittorrent handshake
// send IA which is the handshake
makeHandshake(tmp_buf+16,info_hash,our_peer_id);
sock->sendData(our_rc4->encrypt(tmp_buf,84),84);
// search for the encrypted VC in the data
findVC();
}
void EncryptedAuthenticate::findVC()
{
Uint8 vc[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
RC4Encryptor rc4(enc,dec);
memcpy(vc,rc4.encrypt(vc,8),8);
Uint32 max_i = buf_size - 8;
for (Uint32 i = 96;i < max_i;i++)
{
if (vc[0] == buf[i] && memcmp(buf+i,vc,8) == 0)
{
state = FOUND_VC;
vc_off = i;
handleCryptoSelect();
return;
}
}
// we haven't found it in the first 616 bytes (96 + max 512 padding + 8 bytes VC)
if (buf_size >= 616)
{
onFinish(false);
}
}
void EncryptedAuthenticate::handleCryptoSelect()
{
// not enough data available so lets come back later
if (vc_off + 14 >= buf_size)
return;
// now decrypt the first 14 bytes
our_rc4->decrypt(buf + vc_off,14);
// check the VC
for (Uint32 i = vc_off;i < vc_off + 8;i++)
{
if (buf[i])
{
Out(SYS_CON|LOG_DEBUG) << "Invalid VC " << endl;
onFinish(false);
return;
}
}
crypto_select = ReadUint32(buf,vc_off + 8);
pad_D_len = ReadUint16(buf,vc_off + 12);
if (pad_D_len > 512)
{
Out(SYS_CON|LOG_DEBUG) << "Invalid pad D length" << endl;
onFinish(false);
return;
}
end_of_crypto_handshake = vc_off + 14 + pad_D_len;
if (!(vc_off + 14 + pad_D_len < buf_size))
{
// padD is not complete, wait for that
state = WAIT_FOR_PAD_D;
return;
}
handlePadD();
}
void EncryptedAuthenticate::handlePadD()
{
// decrypt the padding
our_rc4->decrypt(buf + (vc_off + 14),pad_D_len);
bool rc4 = false;
if (crypto_select & 0x00000001) // plain_text selected
{
delete our_rc4;
our_rc4 = 0;
}
else if (crypto_select & 0x00000002) // now it must be rc4 if not exit
{
sock->setRC4Encryptor(our_rc4);
our_rc4 = 0;
rc4 = true;
}
else // we don't support anything else so error out
{
onFinish(false);
return;
}
// noz we wait for the normal handshake
state = NORMAL_HANDSHAKE;
// if we have read more then the crypto handshake, reinsert it
if (buf_size > vc_off + 14 + pad_D_len)
{
Uint32 off = vc_off + 14 + pad_D_len;
sock->reinsert(buf + off,buf_size - off);
Authenticate::onReadyRead();
}
}
void EncryptedAuthenticate::onReadyRead()
{
if (finished)
return;
Uint32 ba = sock->bytesAvailable();
if (ba == 0)
{
onFinish(false);
return;
}
if (state != NORMAL_HANDSHAKE)
{
if (buf_size + ba > MAX_EA_BUF_SIZE)
ba = MAX_EA_BUF_SIZE - buf_size;
// do not read past the end of padD
if (pad_D_len > 0 && buf_size + ba > vc_off + 14 + pad_D_len)
ba = (vc_off + 14 + pad_D_len) - buf_size;
// read data
buf_size += sock->readData(buf + buf_size,ba);
}
switch (state)
{
case SENT_YA:
if (ba > 608)
{
onFinish(false);
}
else
{
handleYB();
}
break;
case GOT_YB:
findVC();
break;
case FOUND_VC:
handleCryptoSelect();
break;
case WAIT_FOR_PAD_D:
handlePadD();
break;
case NORMAL_HANDSHAKE:
// let AuthenticateBase deal with the data
AuthenticateBase::onReadyRead();
break;
};
}
}
#include "encryptedauthenticate.moc"
|