search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upstream tarball 9847
[amule.git] / src / EncryptedStreamSocket.cpp
blobcc94fd95c13a5aa246024402e19bfdc55e55887a
1 //
2 // This file is part of the aMule Project.
3 //
4 // Copyright (c) 2003-2008 aMule Team ( admin@amule.org / http://www.amule.org )
5 // Copyright (c) 2002-2008 Merkur ( devs@emule-project.net / http://www.emule-project.net )
6 //
7 // Any parts of this program derived from the xMule, lMule or eMule project,
8 // or contributed by third-party developers are copyrighted by their
9 // respective authors.
10 //
11 // This program is free software; you can redistribute it and/or modify
12 // it under the terms of the GNU General Public License as published by
13 // the Free Software Foundation; either version 2 of the License, or
14 // (at your option) any later version.
15 //
16 // This program is distributed in the hope that it will be useful,
17 // but WITHOUT ANY WARRANTY; without even the implied warranty of
18 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 // GNU General Public License for more details.
20 //
21 // You should have received a copy of the GNU General Public License
22 // along with this program; if not, write to the Free Software
23 // Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
24 //
25
26 /* Basic Obfuscated Handshake Protocol Client <-> Client:
27 -Keycreation:
28 - Client A (Outgoing connection):
29 Sendkey: Md5(<UserHashClientB 16><MagicValue34 1><RandomKeyPartClientA 4>) 21
30 Receivekey: Md5(<UserHashClientB 16><MagicValue203 1><RandomKeyPartClientA 4>) 21
31 - Client B (Incomming connection):
32 Sendkey: Md5(<UserHashClientB 16><MagicValue203 1><RandomKeyPartClientA 4>) 21
33 Receivekey: Md5(<UserHashClientB 16><MagicValue34 1><RandomKeyPartClientA 4>) 21
34 NOTE: First 1024 Bytes are discarded
35
36 - Handshake
37 -> The handshake is encrypted - except otherwise noted - by the Keys created above
38 -> Handshake is blocking - do not start sending an answer before the request is completly received (this includes the random bytes)
39 -> EncryptionMethod = 0 is Obfusication and the only supported right now
40 Client A: <SemiRandomNotProtocolMarker 1[Unencrypted]><RandomKeyPart 4[Unencrypted]><MagicValue 4><EncryptionMethodsSupported 1><EncryptionMethodPreferred 1><PaddingLen 1><RandomBytes PaddingLen%max256>
41 Client B: <MagicValue 4><EncryptionMethodsSelected 1><PaddingLen 1><RandomBytes PaddingLen%max256>
42 -> The basic handshake is finished here, if an additional/different EncryptionMethod was selected it may continue negotiating details for this one
43
44 - Overhead: 18-48 (~33) Bytes + 2 * IP/TCP Headers per Connection
45
46 - Security for Basic Obfusication:
47 - Random looking stream, very limited protection against passive eavesdropping single connections
48
49 - Additional Comments:
50 - RandomKeyPart is needed to make multiple connections between two clients look different (but still random), since otherwise the same key
51 would be used and RC4 would create the same output. Since the key is a MD5 hash it doesnt weakens the key if that part is known
52 - Why DH-KeyAgreement isn't used as basic obfusication key: It doesn't offers substantial more protection against passive connection based protocol identification, it has about 200 bytes more overhead,
53 needs more CPU time, we cannot say if the received data is junk, unencrypted or part of the keyagreement before the handshake is finished without loosing the complete randomness,
54 it doesn't offers substantial protection against eavesdropping without added authentification
55
56 Basic Obfuscated Handshake Protocol Client <-> Server:
57 - RC4 Keycreation:
58 - Client (Outgoing connection):
59 Sendkey: Md5(<S 96><MagicValue34 1>) 97
60 Receivekey: Md5(<S 96><MagicValue203 1>) 97
61 - Server (Incomming connection):
62 Sendkey: Md5(<S 96><MagicValue203 1>) 97
63 Receivekey: Md5(<S 96><MagicValue34 1>) 97
64
65 NOTE: First 1024 Bytes are discarded
66
67 - Handshake
68 -> The handshake is encrypted - except otherwise noted - by the Keys created above
69 -> Handshake is blocking - do not start sending an answer before the request is completly received (this includes the random bytes)
70 -> EncryptionMethod = 0 is Obfusication and the only supported right now
71
72 Client: <SemiRandomNotProtocolMarker 1[Unencrypted]><G^A 96 [Unencrypted]><RandomBytes 0-15 [Unencrypted]>
73 Server: <G^B 96 [Unencrypted]><MagicValue 4><EncryptionMethodsSupported 1><EncryptionMethodPreferred 1><PaddingLen 1><RandomBytes PaddingLen>
74 Client: <MagicValue 4><EncryptionMethodsSelected 1><PaddingLen 1><RandomBytes PaddingLen> (Answer delayed till first payload to save a frame)
75
76
77 -> The basic handshake is finished here, if an additional/different EncryptionMethod was selected it may continue negotiating details for this one
78
79 - Overhead: 206-251 (~229) Bytes + 2 * IP/TCP Headers Headers per Connectionon
80
81 - DH Agreement Specifics: sizeof(a) and sizeof(b) = 128 Bits, g = 2, p = dh768_p (see below), sizeof p, s, etc. = 768 bits
82 */
83 #include "EncryptedStreamSocket.h"
84 #include "amule.h"
85 #include "Logger.h"
86 #include "Preferences.h"
87 #include "ServerConnect.h"
88 #include "RC4Encrypt.h"
89 #include "MemFile.h"
90 #include "ClientList.h"
91 #include "RandomFunctions.h"
92
93 #include <algorithm>
94
95 #include <common/MD5Sum.h>
96 #include <protocol/Protocols.h>
97
98 #define MAGICVALUE_REQUESTER 34 // modification of the requester-send and server-receive key
99 #define MAGICVALUE_SERVER 203 // modification of the server-send and requester-send key
100 #define MAGICVALUE_SYNC 0x835E6FC4 // value to check if we have a working encrypted stream
101 #define DHAGREEMENT_A_BITS 128
102
103 #define PRIMESIZE_BYTES 96
104 static unsigned char dh768_p[]={
105 0xF2,0xBF,0x52,0xC5,0x5F,0x58,0x7A,0xDD,0x53,0x71,0xA9,0x36,
106 0xE8,0x86,0xEB,0x3C,0x62,0x17,0xA3,0x3E,0xC3,0x4C,0xB4,0x0D,
107 0xC7,0x3A,0x41,0xA6,0x43,0xAF,0xFC,0xE7,0x21,0xFC,0x28,0x63,
108 0x66,0x53,0x5B,0xDB,0xCE,0x25,0x9F,0x22,0x86,0xDA,0x4A,0x91,
109 0xB2,0x07,0xCB,0xAA,0x52,0x55,0xD4,0xF6,0x1C,0xCE,0xAE,0xD4,
110 0x5A,0xD5,0xE0,0x74,0x7D,0xF7,0x78,0x18,0x28,0x10,0x5F,0x34,
111 0x0F,0x76,0x23,0x87,0xF8,0x8B,0x28,0x91,0x42,0xFB,0x42,0x68,
112 0x8F,0x05,0x15,0x0F,0x54,0x8B,0x5F,0x43,0x6A,0xF7,0x0D,0xF3,
113 };
114
115 // winsock2.h already defines it
116 #ifdef SOCKET_ERROR
117 #undef SOCKET_ERROR
118 #endif
119 #define SOCKET_ERROR (-1)
120
121 CEncryptedStreamSocket::CEncryptedStreamSocket(wxSocketFlags flags, const CProxyData *proxyData) : CSocketClientProxy(flags, proxyData)
122 {
123 m_StreamCryptState = thePrefs::IsClientCryptLayerSupported() ? ECS_UNKNOWN : ECS_NONE;
124 m_NegotiatingState = ONS_NONE;
125 m_nObfusicationBytesReceived = 0;
126 m_bFullReceive = true;
127 m_dbgbyEncryptionSupported = 0xFF;
128 m_dbgbyEncryptionRequested = 0xFF;
129 m_dbgbyEncryptionMethodSet = 0xFF;
130 m_nReceiveBytesWanted = 0;
131 m_EncryptionMethod = ENM_OBFUSCATION;
132 m_nRandomKeyPart = 0;
133 m_bServerCrypt = false;
134 }
135
136 CEncryptedStreamSocket::~CEncryptedStreamSocket()
137 {
138
139 }
140
141
142 /* External interface */
143
144 void CEncryptedStreamSocket::SetConnectionEncryption(bool bEnabled, const uint8* pTargetClientHash, bool bServerConnection){
145 if (m_StreamCryptState != ECS_UNKNOWN && m_StreamCryptState != ECS_NONE){
146 if (!m_StreamCryptState == ECS_NONE || bEnabled) {
147 wxFAIL;
148 }
149 return;
150 }
151
152 if (bEnabled && pTargetClientHash != NULL && !bServerConnection){
153 m_StreamCryptState = ECS_PENDING;
154 // create obfuscation keys, see on top for key format
155
156 // use the crypt random generator
157 m_nRandomKeyPart = GetRandomUint32();
158
159 uint8 achKeyData[21];
160 md4cpy(achKeyData, pTargetClientHash);
161 PokeUInt32(achKeyData + 17, m_nRandomKeyPart);
162
163 achKeyData[16] = MAGICVALUE_REQUESTER;
164 MD5Sum md5(achKeyData, sizeof(achKeyData));
165 m_pfiSendBuffer.SetKey(md5);
166
167 achKeyData[16] = MAGICVALUE_SERVER;
168 md5.Calculate(achKeyData, sizeof(achKeyData));
169 m_pfiReceiveBuffer.SetKey(md5);
170
171 } else if (bServerConnection && bEnabled) {
172 //printf("->Server crypt\n");
173 m_bServerCrypt = true;
174 m_StreamCryptState = ECS_PENDING_SERVER;
175 } else {
176 wxASSERT( !bEnabled );
177 m_StreamCryptState = ECS_NONE;
178 }
179 }
180
181 /* Internals, common to base class */
182
183 // unfortunatly sending cannot be made transparent for the derived class, because of WSA_WOULDBLOCK
184 // together with the fact that each byte must pass the keystream only once
185 int CEncryptedStreamSocket::Write(const void* lpBuf, wxUint32 nBufLen){
186 //printf("Starting write for %s\n", (const char*) unicode2char(DbgGetIPString()));
187 if (!IsEncryptionLayerReady()) {
188 wxFAIL;
189 return 0;
190 } else if (m_bServerCrypt && m_StreamCryptState == ECS_ENCRYPTING && !m_pfiSendBuffer.IsEmpty()){
191 wxASSERT( m_NegotiatingState == ONS_BASIC_SERVER_DELAYEDSENDING );
192 // handshakedata was delayed to put it into one frame with the first paypload to the server
193 // do so now with the payload attached
194 int nRes = SendNegotiatingData(lpBuf, nBufLen, nBufLen);
195 wxASSERT( nRes != SOCKET_ERROR );
196 (void)nRes;
197 return nBufLen; // report a full send, even if we didn't for some reason - the data is now in our buffer and will be handled later
198 } else if (m_NegotiatingState == ONS_BASIC_SERVER_DELAYEDSENDING) {
199 wxFAIL;
200 }
201
202 if (m_StreamCryptState == ECS_UNKNOWN) {
203 //this happens when the encryption option was not set on a outgoing connection
204 //or if we try to send before receiving on a incoming connection - both shouldn't happen
205 m_StreamCryptState = ECS_NONE;
206 //DebugLogError(_T("CEncryptedStreamSocket: Overwriting State ECS_UNKNOWN with ECS_NONE because of premature Send() (%s)"), DbgGetIPString());
207 }
208
209 //printf("Writing %i bytes of data\n", nBufLen);
210 CSocketClientProxy::Write(lpBuf, nBufLen);
211 return CSocketClientProxy::LastCount();
212 }
213
214 int CEncryptedStreamSocket::Read(void* lpBuf, wxUint32 nBufLen) {
215 CSocketClientProxy::Read(lpBuf, nBufLen);
216 m_nObfusicationBytesReceived = CSocketClientProxy::LastCount();
217 m_bFullReceive = m_nObfusicationBytesReceived == (uint32)nBufLen;
218
219 //printf("Read %i bytes on %s, socket %p\n", m_nObfusicationBytesReceived, (const char*) unicode2char(DbgGetIPString()), this);
220
221 if (m_nObfusicationBytesReceived == (uint32)SOCKET_ERROR || m_nObfusicationBytesReceived <= 0){
222 return m_nObfusicationBytesReceived;
223 }
224
225 switch (m_StreamCryptState) {
226 case ECS_NONE: // disabled, just pass it through
227 return m_nObfusicationBytesReceived;
228 case ECS_PENDING:
229 case ECS_PENDING_SERVER:
230 //printf("Received %i bytes before sending?\n", m_nObfusicationBytesReceived);
231 wxFAIL;
232 //DebugLogError(_T("CEncryptedStreamSocket Received data before sending on outgoing connection"));
233 m_StreamCryptState = ECS_NONE;
234 return m_nObfusicationBytesReceived;
235 case ECS_UNKNOWN: {
236 //printf("Receiving encrypted data on ECS_UNKNOWN\n");
237 uint32 nRead = 1;
238 bool bNormalHeader = false;
239 switch (((uint8*)lpBuf)[0]){
240 case OP_EDONKEYPROT:
241 case OP_PACKEDPROT:
242 case OP_EMULEPROT:
243 bNormalHeader = true;
244 break;
245 }
246
247 if (!bNormalHeader) {
248 //printf("Not a normal header, negotiating encryption\n");
249 StartNegotiation(false);
250 const uint32 nNegRes = Negotiate((uint8*)lpBuf + nRead, m_nObfusicationBytesReceived - nRead);
251 if (nNegRes == (uint32)(-1)) {
252 return 0;
253 }
254 nRead += nNegRes;
255 if (nRead != (uint32)m_nObfusicationBytesReceived){
256 // this means we have more data then the current negotiation step required (or there is a bug) and this should never happen
257 // (note: even if it just finished the handshake here, there still can be no data left, since the other client didnt received our response yet)
258 //DebugLogError(_T("CEncryptedStreamSocket: Client %s sent more data then expected while negotiating, disconnecting (1)"), DbgGetIPString());
259 //printf("On error: encryption\n");
260 OnError(ERR_ENCRYPTION);
261 }
262 return 0;
263 } else {
264 // doesn't seems to be encrypted
265 //printf("Encrypted data doesn't seem to be encrypted\n");
266 m_StreamCryptState = ECS_NONE;
267
268 // if we require an encrypted connection, cut the connection here. This shouldn't happen that often
269 // at least with other up-to-date eMule clients because they check for incompability before connecting if possible
270 if (thePrefs::IsClientCryptLayerRequired()){
271 // TODO: Remove me when i have been solved
272 // Even if the Require option is enabled, we currently have to accept unencrypted connection which are made
273 // for lowid/firewall checks from servers and other from us selected client. Otherwise, this option would
274 // always result in a lowid/firewalled status. This is of course not nice, but we can't avoid this walkarround
275 // untill servers and kad completely support encryption too, which will at least for kad take a bit
276 // only exception is the .ini option ClientCryptLayerRequiredStrict which will even ignore test connections
277 // Update: New server now support encrypted callbacks
278 amuleIPV4Address address;
279 GetPeer(address);
280 uint32 ip = StringIPtoUint32(address.IPAddress());
281 if (thePrefs::IsClientCryptLayerRequiredStrict() || (!theApp->serverconnect->AwaitingTestFromIP(ip)
282 && !theApp->clientlist->IsKadFirewallCheckIP(ip)) )
283 {
284 OnError(ERR_ENCRYPTION_NOTALLOWED);
285 return 0;
286 } else {
287 //AddDebugLogLine(DLP_DEFAULT, false, _T("Incoming unencrypted firewallcheck connection permitted despite RequireEncryption setting - %s"), DbgGetIPString() );
288 }
289
290 }
291
292 return m_nObfusicationBytesReceived; // buffer was unchanged, we can just pass it through
293 }
294 }
295 case ECS_ENCRYPTING:
296 //printf("Encryption enabled on data receiving, decrypting and passing along\n");
297 // basic obfusication enabled and set, so decrypt and pass along
298 m_pfiReceiveBuffer.RC4Crypt((uint8*)lpBuf, (uint8*)lpBuf, m_nObfusicationBytesReceived);
299 //DumpMem(lpBuf, m_nObfusicationBytesReceived, wxT("Directly decrypted data:"));
300 return m_nObfusicationBytesReceived;
301 case ECS_NEGOTIATING:{
302 //printf("Negotiating on data receive\n");
303 const uint32 nRead = Negotiate((uint8*)lpBuf, m_nObfusicationBytesReceived);
304 if (nRead == (uint32)(-1)) {
305 //printf("-> Encryption read error on negotiation\n");
306 return 0;
307 } else if (nRead != (uint32)m_nObfusicationBytesReceived && m_StreamCryptState != ECS_ENCRYPTING) {
308 //printf("-> Too much data, bailing out of negotiation step\n");
309 // this means we have more data then the current negotiation step required (or there is a bug) and this should never happen
310 //DebugLogError(_T("CEncryptedStreamSocket: Client %s sent more data then expected while negotiating, disconnecting (2)"), DbgGetIPString());
311 OnError(ERR_ENCRYPTION);
312 return 0;
313 } else if (nRead != (uint32)m_nObfusicationBytesReceived && m_StreamCryptState == ECS_ENCRYPTING){
314 //printf("-> Handshake negotiation finished\n");
315 // we finished the handshake and if we this was an outgoing connection it is allowed (but strange and unlikely) that the client sent payload
316 //DebugLogWarning(_T("CEncryptedStreamSocket: Client %s has finished the handshake but also sent payload on a outgoing connection"), DbgGetIPString());
317 memmove(lpBuf, (uint8*)lpBuf + nRead, m_nObfusicationBytesReceived - nRead);
318 return m_nObfusicationBytesReceived - nRead;
319 } else {
320 //printf("-> Negotiation went probably ok\n");
321 return 0;
322 }
323 }
324 default:
325 wxFAIL;
326 return m_nObfusicationBytesReceived;
327 }
328 }
329
330 void CEncryptedStreamSocket::OnSend(int) {
331
332 // if the socket just connected and this is outgoing, we might want to start the handshake here
333 if (m_StreamCryptState == ECS_PENDING || m_StreamCryptState == ECS_PENDING_SERVER){
334 //printf("Starting connection negotiation on OnSend for %s\n", (const char*) unicode2char(DbgGetIPString()));
335 StartNegotiation(true);
336 return;
337 }
338
339 // check if we have negotiating data pending
340 if (!m_pfiSendBuffer.IsEmpty()){
341 wxASSERT( m_StreamCryptState >= ECS_NEGOTIATING );
342 SendNegotiatingData(NULL, 0);
343 }
344 }
345
346 void CEncryptedStreamSocket::CryptPrepareSendData(uint8* pBuffer, uint32 nLen){
347 if (!IsEncryptionLayerReady()){
348 wxFAIL; // must be a bug
349 return;
350 }
351 if (m_StreamCryptState == ECS_UNKNOWN){
352 //this happens when the encryption option was not set on a outgoing connection
353 //or if we try to send before receiving on a incoming connection - both shouldn't happen
354 m_StreamCryptState = ECS_NONE;
355 //DebugLogError(_T("CEncryptedStreamSocket: Overwriting State ECS_UNKNOWN with ECS_NONE because of premature Send() (%s)"), DbgGetIPString());
356 }
357 if (m_StreamCryptState == ECS_ENCRYPTING) {
358 //printf("Preparing crypt data on %s\n", (const char*) unicode2char(DbgGetIPString()));
359 //DumpMem(pBuffer, nLen, wxT("Before crypt prepare:\n"));
360 m_pfiSendBuffer.RC4Crypt(pBuffer, pBuffer, nLen);
361 //DumpMem(pBuffer, nLen, wxT("After crypt prepare:\n"));
362 }
363 }
364
365 /* Internals, just for this class (can be raped) */
366
367 bool CEncryptedStreamSocket::IsEncryptionLayerReady(){
368 return ( (m_StreamCryptState == ECS_NONE || m_StreamCryptState == ECS_ENCRYPTING || m_StreamCryptState == ECS_UNKNOWN )
369 && (m_pfiSendBuffer.IsEmpty() || (m_bServerCrypt && m_NegotiatingState == ONS_BASIC_SERVER_DELAYEDSENDING)) );
370 }
371
372
373 void CEncryptedStreamSocket::StartNegotiation(bool bOutgoing)
374 {
375 //printf("Starting socket negotiation\n");
376 if (!bOutgoing){
377 //printf("Incoming connection negotiation on %s\n", (const char*) unicode2char(DbgGetIPString()));
378 m_NegotiatingState = ONS_BASIC_CLIENTA_RANDOMPART;
379 m_StreamCryptState = ECS_NEGOTIATING;
380 m_nReceiveBytesWanted = 4;
381 } else if (m_StreamCryptState == ECS_PENDING) {
382 //printf("Socket is client.pending on negotiation\n");
383 CMemFile fileRequest(29);
384 const uint8 bySemiRandomNotProtocolMarker = GetSemiRandomNotProtocolMarker();
385 fileRequest.WriteUInt8(bySemiRandomNotProtocolMarker);
386 fileRequest.WriteUInt32(m_nRandomKeyPart);
387 fileRequest.WriteUInt32(MAGICVALUE_SYNC);
388 const uint8 bySupportedEncryptionMethod = ENM_OBFUSCATION; // we do not support any further encryption in this version
389 fileRequest.WriteUInt8(bySupportedEncryptionMethod);
390 fileRequest.WriteUInt8(bySupportedEncryptionMethod); // so we also prefer this one
391 uint8 byPadding = (uint8)(GetRandomUint8() % (thePrefs::GetCryptTCPPaddingLength() + 1));
392 fileRequest.WriteUInt8(byPadding);
393 for (int i = 0; i < byPadding; i++) {
394 fileRequest.WriteUInt8(GetRandomUint8());
395 }
396
397 m_NegotiatingState = ONS_BASIC_CLIENTB_MAGICVALUE;
398 m_StreamCryptState = ECS_NEGOTIATING;
399 m_nReceiveBytesWanted = 4;
400
401 SendNegotiatingData(fileRequest.GetRawBuffer(), (uint32)fileRequest.GetLength(), 5);
402 } else if (m_StreamCryptState == ECS_PENDING_SERVER) {
403 //printf("Socket is server.pending on negotiation\n");
404 CMemFile fileRequest(113);
405 const uint8 bySemiRandomNotProtocolMarker = GetSemiRandomNotProtocolMarker();
406 fileRequest.WriteUInt8(bySemiRandomNotProtocolMarker);
407
408 m_cryptDHA.Randomize((CryptoPP::AutoSeededRandomPool&)GetRandomPool(), DHAGREEMENT_A_BITS); // our random a
409 wxASSERT( m_cryptDHA.MinEncodedSize() <= DHAGREEMENT_A_BITS / 8 );
410 CryptoPP::Integer cryptDHPrime((byte*)dh768_p, PRIMESIZE_BYTES); // our fixed prime
411 // calculate g^a % p
412 CryptoPP::Integer cryptDHGexpAmodP = a_exp_b_mod_c(CryptoPP::Integer(2), m_cryptDHA, cryptDHPrime);
413 wxASSERT( m_cryptDHA.MinEncodedSize() <= PRIMESIZE_BYTES );
414 // put the result into a buffer
415 uint8 aBuffer[PRIMESIZE_BYTES];
416 cryptDHGexpAmodP.Encode(aBuffer, PRIMESIZE_BYTES);
417
418 fileRequest.Write(aBuffer, PRIMESIZE_BYTES);
419 uint8 byPadding = (uint8)(GetRandomUint8() % 16); // add random padding
420 fileRequest.WriteUInt8(byPadding);
421
422 for (int i = 0; i < byPadding; i++) {
423 fileRequest.WriteUInt8(GetRandomUint8());
424 }
425
426 m_NegotiatingState = ONS_BASIC_SERVER_DHANSWER;
427 m_StreamCryptState = ECS_NEGOTIATING;
428 m_nReceiveBytesWanted = 96;
429
430 SendNegotiatingData(fileRequest.GetRawBuffer(), (uint32)fileRequest.GetLength(), (uint32)fileRequest.GetLength());
431 } else {
432 wxFAIL;
433 m_StreamCryptState = ECS_NONE;
434 return;
435 }
436 }
437
438 int CEncryptedStreamSocket::Negotiate(const uint8* pBuffer, uint32 nLen){
439 uint32 nRead = 0;
440 wxASSERT( m_nReceiveBytesWanted > 0 );
441
442 //DumpMem(pBuffer, nLen, wxT("Negotiate buffer: "));
443
444 try{
445 while (m_NegotiatingState != ONS_COMPLETE && m_nReceiveBytesWanted > 0){
446 if (m_nReceiveBytesWanted > 512){
447 wxFAIL;
448 return 0;
449 }
450
451 const uint32 nToRead = std::min(nLen - nRead, m_nReceiveBytesWanted);
452 //printf("Reading %i bytes, add from %i position on %i position\n",nToRead, nRead, (int)m_pfiReceiveBuffer.GetPosition());
453 //DumpMem(pBuffer + nRead, nToRead, wxT("Recv Buffer: "));
454 m_pfiReceiveBuffer.Write(pBuffer + nRead, nToRead);
455 nRead += nToRead;
456 m_nReceiveBytesWanted -= nToRead;
457 if (m_nReceiveBytesWanted > 0) {
458 return nRead;
459 }
460
461 if (m_NegotiatingState != ONS_BASIC_CLIENTA_RANDOMPART && m_NegotiatingState != ONS_BASIC_SERVER_DHANSWER) {
462 // We have the keys, decrypt
463 //printf("We have the keys, so decrypt away on %s\n", (const char*) unicode2char(DbgGetIPString()));
464 m_pfiReceiveBuffer.Encrypt();
465 }
466
467 m_pfiReceiveBuffer.Seek(0);
468
469 switch (m_NegotiatingState){
470 case ONS_NONE: // would be a bug
471 wxFAIL;
472 return 0;
473 case ONS_BASIC_CLIENTA_RANDOMPART: {
474 //printf("We are on ONS_BASIC_CLIENTA_RANDOMPART, create the keys on %s\n", (const char*) unicode2char(DbgGetIPString()));
475 // This creates the send/receive keys.
476
477 uint8 achKeyData[21];
478 md4cpy(achKeyData, thePrefs::GetUserHash().GetHash());
479 m_pfiReceiveBuffer.Read(achKeyData + 17, 4);
480
481 achKeyData[16] = MAGICVALUE_REQUESTER;
482
483 //DumpMem(achKeyData, sizeof(achKeyData), wxT("ach:"));
484
485 MD5Sum md5(achKeyData, sizeof(achKeyData));
486 //DumpMem(md5.GetRawHash(), 16, wxT("Md5:"));
487 m_pfiReceiveBuffer.SetKey(md5);
488
489 achKeyData[16] = MAGICVALUE_SERVER;
490 md5.Calculate(achKeyData, sizeof(achKeyData));
491 m_pfiSendBuffer.SetKey(md5);
492
493 m_NegotiatingState = ONS_BASIC_CLIENTA_MAGICVALUE;
494 m_nReceiveBytesWanted = 4;
495 break;
496 }
497
498 case ONS_BASIC_CLIENTA_MAGICVALUE: {
499 // Check the magic value to confirm encryption works.
500 //printf("Creating magic value on negotiate on %s\n", (const char*) unicode2char(DbgGetIPString()));
501
502 uint32 dwValue = m_pfiReceiveBuffer.ReadUInt32();
503
504 if (dwValue == MAGICVALUE_SYNC){
505 // yup, the one or the other way it worked, this is an encrypted stream
506 //DEBUG_ONLY( DebugLog(_T("Received proper magic value, clientIP: %s"), DbgGetIPString()) );
507 // set the receiver key
508 //printf("Magic value works on %s\n", (const char*) unicode2char(DbgGetIPString()));
509 m_NegotiatingState = ONS_BASIC_CLIENTA_METHODTAGSPADLEN;
510 m_nReceiveBytesWanted = 3;
511 } else {
512 //printf("Wrong magic value: 0x%x != 0x%x on %s\n",dwValue, MAGICVALUE_SYNC, (const char*)unicode2char(DbgGetIPString()));
513 //DebugLogError(_T("CEncryptedStreamSocket: Received wrong magic value from clientIP %s on a supposly encrytped stream / Wrong Header"), DbgGetIPString());
514 OnError(ERR_ENCRYPTION);
515 return (-1);
516 }
517 break;
518 }
519 case ONS_BASIC_CLIENTA_METHODTAGSPADLEN: {
520
521 // Get encryption method and padding.
522 // Might fall back to padding process, but the bytes will be ignored.
523 //printf("Getting encryption method on negotiation\n");
524
525 m_dbgbyEncryptionSupported = m_pfiReceiveBuffer.ReadUInt8();
526 m_dbgbyEncryptionRequested = m_pfiReceiveBuffer.ReadUInt8();
527
528 if (m_dbgbyEncryptionRequested != ENM_OBFUSCATION) {
529 //printf("Unsupported encryption method!\n");
530 // AddDebugLogLine(DLP_LOW, false, _T("CEncryptedStreamSocket: Client %s preffered unsupported encryption method (%i)"), DbgGetIPString(), m_dbgbyEncryptionRequested);
531 }
532
533 m_nReceiveBytesWanted = m_pfiReceiveBuffer.ReadUInt8();
534
535 m_NegotiatingState = ONS_BASIC_CLIENTA_PADDING;
536
537 if (m_nReceiveBytesWanted > 0) {
538 // No padding
539 break;
540 }
541 }
542
543 case ONS_BASIC_CLIENTA_PADDING:{
544 //printf("Negotiating on padding, completing\n");
545 // ignore the random bytes, send the response, set status complete
546 CMemFile fileResponse(26);
547 fileResponse.WriteUInt32(MAGICVALUE_SYNC);
548 const uint8 bySelectedEncryptionMethod = ENM_OBFUSCATION; // we do not support any further encryption in this version, so no need to look which the other client preferred
549 fileResponse.WriteUInt8(bySelectedEncryptionMethod);
550
551 amuleIPV4Address address;
552 GetPeer(address);
553 const uint8 byPaddingLen = theApp->serverconnect->AwaitingTestFromIP(StringIPtoUint32(address.IPAddress())) ? 16 : (thePrefs::GetCryptTCPPaddingLength() + 1);
554 uint8 byPadding = (uint8)(GetRandomUint8() % byPaddingLen);
555
556 fileResponse.WriteUInt8(byPadding);
557 for (int i = 0; i < byPadding; i++) {
558 fileResponse.WriteUInt8((uint8)rand());
559 }
560 SendNegotiatingData(fileResponse.GetRawBuffer(), (uint32)fileResponse.GetLength());
561 m_NegotiatingState = ONS_COMPLETE;
562 m_StreamCryptState = ECS_ENCRYPTING;
563 //DEBUG_ONLY( DebugLog(_T("CEncryptedStreamSocket: Finished Obufscation handshake with client %s (incoming)"), DbgGetIPString()) );
564 break;
565 }
566
567 case ONS_BASIC_CLIENTB_MAGICVALUE:{
568 //printf("Negotiating on magic value\n");
569 if (m_pfiReceiveBuffer.ReadUInt32() != MAGICVALUE_SYNC){
570 //DebugLogError(_T("CEncryptedStreamSocket: EncryptedstreamSyncError: Client sent wrong Magic Value as answer, cannot complete handshake (%s)"), DbgGetIPString());
571 OnError(ERR_ENCRYPTION);
572 return (-1);
573 }
574 m_NegotiatingState = ONS_BASIC_CLIENTB_METHODTAGSPADLEN;
575 m_nReceiveBytesWanted = 2;
576 break;
577 }
578 case ONS_BASIC_CLIENTB_METHODTAGSPADLEN:{
579 //printf("Negotiating on client B pad length\n");
580 m_dbgbyEncryptionMethodSet = m_pfiReceiveBuffer.ReadUInt8();
581 if (m_dbgbyEncryptionMethodSet != ENM_OBFUSCATION){
582 //DebugLogError( _T("CEncryptedStreamSocket: Client %s set unsupported encryption method (%i), handshake failed"), DbgGetIPString(), m_dbgbyEncryptionMethodSet);
583 OnError(ERR_ENCRYPTION);
584 return (-1);
585 }
586 m_nReceiveBytesWanted = m_pfiReceiveBuffer.ReadUInt8();
587 m_NegotiatingState = ONS_BASIC_CLIENTB_PADDING;
588 if (m_nReceiveBytesWanted > 0) {
589 break;
590 }
591 }
592 case ONS_BASIC_CLIENTB_PADDING:
593 //printf("Negotiating on client B padding, handshake complete\n");
594 // ignore the random bytes, the handshake is complete
595 m_NegotiatingState = ONS_COMPLETE;
596 m_StreamCryptState = ECS_ENCRYPTING;
597 //DEBUG_ONLY( DebugLog(_T("CEncryptedStreamSocket: Finished Obufscation handshake with client %s (outgoing)"), DbgGetIPString()) );
598 break;
599 case ONS_BASIC_SERVER_DHANSWER:{
600 wxASSERT( !m_cryptDHA.IsZero() );
601 uint8 aBuffer[PRIMESIZE_BYTES + 1];
602 m_pfiReceiveBuffer.Read(aBuffer, PRIMESIZE_BYTES);
603 CryptoPP::Integer cryptDHAnswer((byte*)aBuffer, PRIMESIZE_BYTES);
604 CryptoPP::Integer cryptDHPrime((byte*)dh768_p, PRIMESIZE_BYTES); // our fixed prime
605 CryptoPP::Integer cryptResult = a_exp_b_mod_c(cryptDHAnswer, m_cryptDHA, cryptDHPrime);
606
607 m_cryptDHA = 0;
608 //DEBUG_ONLY( ZeroMemory(aBuffer, sizeof(aBuffer)) );
609 wxASSERT( cryptResult.MinEncodedSize() <= PRIMESIZE_BYTES );
610
611 // create the keys
612 cryptResult.Encode(aBuffer, PRIMESIZE_BYTES);
613 aBuffer[PRIMESIZE_BYTES] = MAGICVALUE_REQUESTER;
614 MD5Sum md5(aBuffer, sizeof(aBuffer));
615 m_pfiSendBuffer.SetKey(md5);
616 aBuffer[PRIMESIZE_BYTES] = MAGICVALUE_SERVER;
617 md5.Calculate(aBuffer, sizeof(aBuffer));
618 m_pfiReceiveBuffer.SetKey(md5);
619
620 m_NegotiatingState = ONS_BASIC_SERVER_MAGICVALUE;
621 m_nReceiveBytesWanted = 4;
622 break;
623 }
624 case ONS_BASIC_SERVER_MAGICVALUE:{
625 uint32 dwValue = m_pfiReceiveBuffer.ReadUInt32();
626 if (dwValue == MAGICVALUE_SYNC){
627 // yup, the one or the other way it worked, this is an encrypted stream
628 //DebugLog(_T("Received proper magic value after DH-Agreement from Serverconnection IP: %s"), DbgGetIPString());
629 // set the receiver key
630 m_NegotiatingState = ONS_BASIC_SERVER_METHODTAGSPADLEN;
631 m_nReceiveBytesWanted = 3;
632 } else {
633 //DebugLogError(_T("CEncryptedStreamSocket: Received wrong magic value after DH-Agreement from Serverconnection"), DbgGetIPString());
634 OnError(ERR_ENCRYPTION);
635 return (-1);
636 }
637 break;
638 }
639 case ONS_BASIC_SERVER_METHODTAGSPADLEN:
640 m_dbgbyEncryptionSupported = m_pfiReceiveBuffer.ReadUInt8();
641 m_dbgbyEncryptionRequested = m_pfiReceiveBuffer.ReadUInt8();
642 if (m_dbgbyEncryptionRequested != ENM_OBFUSCATION) {
643 // AddDebugLogLine(DLP_LOW, false, _T("CEncryptedStreamSocket: Server %s preffered unsupported encryption method (%i)"), DbgGetIPString(), m_dbgbyEncryptionRequested);
644 }
645 m_nReceiveBytesWanted = m_pfiReceiveBuffer.ReadUInt8();
646 m_NegotiatingState = ONS_BASIC_SERVER_PADDING;
647 if (m_nReceiveBytesWanted > 0) {
648 break;
649 }
650 case ONS_BASIC_SERVER_PADDING:{
651 // ignore the random bytes (they are decrypted already), send the response, set status complete
652 CMemFile fileResponse(26);
653 fileResponse.WriteUInt32(MAGICVALUE_SYNC);
654 const uint8 bySelectedEncryptionMethod = ENM_OBFUSCATION; // we do not support any further encryption in this version, so no need to look which the other client preferred
655 fileResponse.WriteUInt8(bySelectedEncryptionMethod);
656
657 // Server callback connection only allows 16 bytes of padding.
658 uint8 byPadding = (uint8)(GetRandomUint8() % 16);
659 fileResponse.WriteUInt8(byPadding);
660
661 for (int i = 0; i < byPadding; i++) {
662 fileResponse.WriteUInt8((uint8)rand());
663 }
664
665 m_NegotiatingState = ONS_BASIC_SERVER_DELAYEDSENDING;
666 SendNegotiatingData(fileResponse.GetRawBuffer(), (uint32)fileResponse.GetLength(), 0, true); // don't actually send it right now, store it in our sendbuffer
667 m_StreamCryptState = ECS_ENCRYPTING;
668 //DEBUG_ONLY( DebugLog(_T("CEncryptedStreamSocket: Finished DH Obufscation handshake with Server %s"), DbgGetIPString()) );
669 break;
670 }
671 default:
672 wxFAIL;
673 }
674 m_pfiReceiveBuffer.ResetData();
675 }
676 return nRead;
677 } catch(...){
678 // can only be caused by a bug in negationhandling, not by the datastream
679 //error->Delete();
680 //printf("Bug on negotiation?\n");
681 wxFAIL;
682 OnError(ERR_ENCRYPTION);
683 m_pfiReceiveBuffer.ResetData();
684 return (-1);
685 }
686
687 }
688
689 int CEncryptedStreamSocket::SendNegotiatingData(const void* lpBuf, uint32 nBufLen, uint32 nStartCryptFromByte, bool bDelaySend){
690 wxASSERT( m_StreamCryptState == ECS_NEGOTIATING || m_StreamCryptState == ECS_ENCRYPTING );
691 wxASSERT( nStartCryptFromByte <= nBufLen );
692 wxASSERT( m_NegotiatingState == ONS_BASIC_SERVER_DELAYEDSENDING || !bDelaySend );
693 //printf("Send negotiation data on %s\n", (const char*) unicode2char(DbgGetIPString()));
694 uint8* pBuffer = NULL;
695 bool bProcess = false;
696 if (lpBuf != NULL) {
697 pBuffer = new uint8[nBufLen];
698 if (pBuffer == NULL) {
699 throw CMuleException(wxT("Memory exception"), wxT("Memory exception on TCP encrypted socket"));
700 }
701
702 if (nStartCryptFromByte > 0) {
703 memcpy(pBuffer, lpBuf, nStartCryptFromByte);
704 }
705
706 if (nBufLen - nStartCryptFromByte > 0) {
707 //printf("Crypting negotiation data on %s starting on byte %i\n", (const char*) unicode2char(DbgGetIPString()), nStartCryptFromByte);
708 //DumpMem(lpBuf, nBufLen, wxT("Pre-encryption:"));
709 m_pfiSendBuffer.RC4Crypt((uint8*)lpBuf + nStartCryptFromByte, pBuffer + nStartCryptFromByte, nBufLen - nStartCryptFromByte);
710 //DumpMem(pBuffer, nBufLen, wxT("Post-encryption:"));
711 }
712
713 if (!m_pfiSendBuffer.IsEmpty()) {
714 // we already have data pending. Attach it and try to send
715 if (m_NegotiatingState == ONS_BASIC_SERVER_DELAYEDSENDING) {
716 m_NegotiatingState = ONS_COMPLETE;
717 } else {
718 wxFAIL;
719 }
720 m_pfiSendBuffer.Append(pBuffer, nBufLen);
721 delete[] pBuffer;
722 pBuffer = NULL;
723 nStartCryptFromByte = 0;
724 bProcess = true; // we want to try to send it right now
725 }
726 }
727
728 if (lpBuf == NULL || bProcess){
729 // this call is for processing pending data
730 if (m_pfiSendBuffer.IsEmpty() || nStartCryptFromByte != 0){
731 wxFAIL;
732 return 0; // or not
733 }
734 nBufLen = (uint32)m_pfiSendBuffer.GetLength();
735 pBuffer = m_pfiSendBuffer.Detach();
736 }
737
738 wxASSERT( m_pfiSendBuffer.IsEmpty() );
739
740 uint32 result = 0;
741 if (!bDelaySend) {
742 //printf("Writing negotiation data on %s: ", (const char*) unicode2char(DbgGetIPString()));
743 CSocketClientProxy::Write(pBuffer, nBufLen);
744 result = CSocketClientProxy::LastCount();
745 //printf("Wrote %i bytes\n",result);
746 }
747
748 if (result == (uint32)SOCKET_ERROR || bDelaySend){
749 m_pfiSendBuffer.Write(pBuffer, nBufLen);
750 delete[] pBuffer;
751 return result;
752 } else {
753 if (result < nBufLen){
754 // Store the partial data pending
755 //printf("Partial negotiation pending on %s\n", (const char*) unicode2char(DbgGetIPString()));
756 m_pfiSendBuffer.Write(pBuffer + result, nBufLen - result);
757 }
758 delete[] pBuffer;
759 return result;
760 }
761 }
762
763 wxString CEncryptedStreamSocket::DbgGetIPString(){
764 amuleIPV4Address address;
765 GetPeer(address);
766 return address.IPAddress();
767 }
768
769 uint8 CEncryptedStreamSocket::GetSemiRandomNotProtocolMarker() const{
770 uint8 bySemiRandomNotProtocolMarker = 0;
771 bool bOk = false;
772 for (int i = 0; i < 128; i++){
773 bySemiRandomNotProtocolMarker = GetRandomUint8();
774 switch (bySemiRandomNotProtocolMarker) { // not allowed values
775 case OP_EDONKEYPROT:
776 case OP_PACKEDPROT:
777 case OP_EMULEPROT:
778 break;
779 default:
780 bOk = true;
781 }
782
783 if (bOk) {
784 break;
785 }
786 }
787
788 if (!bOk){
789 // either we have _real_ bad luck or the randomgenerator is a bit messed up
790 wxFAIL;
791 bySemiRandomNotProtocolMarker = 0x01;
792 }
793 return bySemiRandomNotProtocolMarker;
794 }
aMule P2P client