1/*
2 This file is part of Mtproto-proxy Library.
3
4 Mtproto-proxy Library is free software: you can redistribute it and/or modify
5 it under the terms of the GNU Lesser General Public License as published by
6 the Free Software Foundation, either version 2 of the License, or
7 (at your option) any later version.
8
9 Mtproto-proxy Library is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU Lesser General Public License for more details.
13
14 You should have received a copy of the GNU Lesser General Public License
15 along with Mtproto-proxy Library. If not, see <http://www.gnu.org/licenses/>.
16
17 Copyright 2014 Telegram Messenger Inc
18 2014 Nikolai Durov
19 2014 Andrey Lopatin
20
21*/
22#define _FILE_OFFSET_BITS 64
23#define _XOPEN_SOURCE 500
24
25
26#include <assert.h>
27#include <errno.h>
28#include <pthread.h>
29#include <signal.h>
30#include <stddef.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <time.h>
35#include <unistd.h>
36#include <openssl/bn.h>
37#include <openssl/sha.h>
38#include <openssl/rand.h>
39
40#include "crc32.h"
41#include "net/net-events.h"
42#include "server-functions.h"
43#include "kprintf.h"
44#include "precise-time.h"
45#include "net/net-connections.h"
46#include "jobs/jobs.h"
47
48#include "net/net-crypto-dh.h"
49#include "common/common-stats.h"
50
51#define MODULE crypto_dh
52
53MODULE_STAT_TYPE {
54 long long tot_dh_rounds[3];
55};
56
57MODULE_INIT
58
59MODULE_STAT_FUNCTION
60 sb_printf (sb,
61 "tot_dh_rounds\t%lld %lld %lld\n", SB_SUM_LL(tot_dh_rounds[0]), SB_SUM_LL(tot_dh_rounds[1]), SB_SUM_LL(tot_dh_rounds[2])
62 );
63MODULE_STAT_FUNCTION_END
64
65void fetch_tot_dh_rounds_stat (long long _tot_dh_rounds[3]) {
66 int i;
67 for (i = 0; i < 3; i++) {
68 _tot_dh_rounds[i] = SB_SUM_LL(tot_dh_rounds[i]);
69 }
70}
71
72const unsigned char rpc_dh_prime_bin[256] = {0x89, 0x52, 0x13, 0x1b, 0x1e, 0x3a, 0x69, 0xba, 0x5f, 0x85, 0xcf, 0x8b, 0xd2, 0x66, 0xc1, 0x2b, 0x13, 0x83, 0x16, 0x13, 0xbd, 0x2a, 0x4e, 0xf8, 0x35, 0xa4, 0xd5, 0x3f, 0x9d, 0xbb, 0x42, 0x48, 0x2d, 0xbd, 0x46, 0x2b, 0x31, 0xd8, 0x6c, 0x81, 0x6c, 0x59, 0x77, 0x52, 0x0f, 0x11, 0x70, 0x73, 0x9e, 0xd2, 0xdd, 0xd6, 0xd8, 0x1b, 0x9e, 0xb6, 0x5f, 0xaa, 0xac, 0x14, 0x87, 0x53, 0xc9, 0xe4, 0xf0, 0x72, 0xdc, 0x11, 0xa4, 0x92, 0x73, 0x06, 0x83, 0xfa, 0x00, 0x67, 0x82, 0x6b, 0x18, 0xc5, 0x1d, 0x7e, 0xcb, 0xa5, 0x2b, 0x82, 0x60, 0x75, 0xc0, 0xb9, 0x55, 0xe5, 0xac, 0xaf, 0xdd, 0x74, 0xc3, 0x79, 0x5f, 0xd9, 0x52, 0x0b, 0x48, 0x0f, 0x3b, 0xe3, 0xba, 0x06, 0x65, 0x33, 0x8a, 0x49, 0x8c, 0xa5, 0xda, 0xf1, 0x01, 0x76, 0x05, 0x09, 0xa3, 0x8c, 0x49, 0xe3, 0x00, 0x74, 0x64, 0x08, 0x77, 0x4b, 0xb3, 0xed, 0x26, 0x18, 0x1a, 0x64, 0x55, 0x76, 0x6a, 0xe9, 0x49, 0x7b, 0xb9, 0xc3, 0xa3, 0xad, 0x5c, 0xba, 0xf7, 0x6b, 0x73, 0x84, 0x5f, 0xbb, 0x96, 0xbb, 0x6d, 0x0f, 0x68, 0x4f, 0x95, 0xd2, 0xd3, 0x9c, 0xcb, 0xb4, 0xa9, 0x04, 0xfa, 0xb1, 0xde, 0x43, 0x49, 0xce, 0x1c, 0x20, 0x87, 0xb6, 0xc9, 0x51, 0xed, 0x99, 0xf9, 0x52, 0xe3, 0x4f, 0xd1, 0xa3, 0xfd, 0x14, 0x83, 0x35, 0x75, 0x41, 0x47, 0x29, 0xa3, 0x8b, 0xe8, 0x68, 0xa4, 0xf9, 0xec, 0x62, 0x3a, 0x5d, 0x24, 0x62, 0x1a, 0xba, 0x01, 0xb2, 0x55, 0xc7, 0xe8, 0x38, 0x5d, 0x16, 0xac, 0x93, 0xb0, 0x2d, 0x2a, 0x54, 0x0a, 0x76, 0x42, 0x98, 0x2d, 0x22, 0xad, 0xa3, 0xcc, 0xde, 0x5c, 0x8d, 0x26, 0x6f, 0xaa, 0x25, 0xdd, 0x2d, 0xe9, 0xf6, 0xd4, 0x91, 0x04, 0x16, 0x2f, 0x68, 0x5c, 0x45, 0xfe, 0x34, 0xdd, 0xab};
73#define RPC_DH_GEN 3
74
75#define RPC_PARAM_HASH 0x00620b93
76
77int dh_params_select;
78
79BIGNUM *rpc_dh_prime, *rpc_dh_generator;
80
81__thread BN_CTX *rpc_BN_ctx;
82
83
84
85static int is_good_rpc_dh_bin (const unsigned char *data) {
86 int i;
87 int ok = 0;
88 for (i = 0; i < 8; i++) {
89 if (data[i]) {
90 ok = 1;
91 break;
92 }
93 }
94 if (!ok) {
95 return 0;
96 }
97 for (i = 0; i < 8; i++) {
98 if (data[i] > rpc_dh_prime_bin[i]) {
99 return 0;
100 }
101 if (data[i] < rpc_dh_prime_bin[i]) {
102 return 1;
103 }
104 }
105 return 0;
106}
107
108
109pthread_mutex_t DhInitLock = PTHREAD_MUTEX_INITIALIZER;
110
111// result: 1 = OK, 0 = already done, -1 = error
112int init_dh_params (void) {
113 if (dh_params_select) {
114 return 0;
115 }
116 pthread_mutex_lock (&DhInitLock);
117 if (dh_params_select) {
118 pthread_mutex_unlock (&DhInitLock);
119 return 0;
120 }
121
122 rpc_dh_prime = BN_new();
123 assert (BN_bin2bn (rpc_dh_prime_bin, sizeof (rpc_dh_prime_bin), rpc_dh_prime));
124
125 rpc_dh_generator = BN_new();
126 BN_set_word (rpc_dh_generator, RPC_DH_GEN);
127
128 static unsigned char buf[264], shabuf[20];
129 *(int *)buf = RPC_DH_GEN;
130 *(int *)(buf + 4) = 0x000100fe;
131 assert (sizeof (rpc_dh_prime_bin) == sizeof (buf) - 8);
132 memcpy (buf + 8, rpc_dh_prime_bin, sizeof (rpc_dh_prime_bin));
133 SHA1 (buf, sizeof (buf), shabuf);
134
135 rpc_BN_ctx = BN_CTX_new ();
136
137 dh_params_select = *(int *)shabuf;
138 assert (dh_params_select == RPC_PARAM_HASH);
139
140 pthread_mutex_unlock (&DhInitLock);
141 return 1;
142}
143
144
145void create_g_a (unsigned char g_a[256], unsigned char a[256]) {
146 if (!rpc_BN_ctx) {
147 rpc_BN_ctx = BN_CTX_new ();
148 }
149 do {
150 assert (RAND_pseudo_bytes (a, 256) >= 0); /* if you write '>0', the assert will fail. It's very sad */
151
152 BIGNUM *dh_power = BN_new ();
153 assert (BN_bin2bn (a, 256, dh_power) == dh_power);
154 BIGNUM *value = BN_new ();
155 assert (BN_mod_exp (value, rpc_dh_generator, dh_power, rpc_dh_prime, rpc_BN_ctx) == 1);
156 BN_clear_free (dh_power);
157
158 int len = BN_num_bytes (value);
159 assert (len > 240 && len <= 256);
160
161 memset (g_a, 0, 256 - len);
162 assert (BN_bn2bin (value, g_a + (256 - len)) == len);
163
164 BN_free (value);
165 } while (!is_good_rpc_dh_bin (g_a));
166}
167
168
169int dh_first_round (unsigned char g_a[256], struct crypto_temp_dh_params *dh_params) {
170 dh_params->dh_params_select = dh_params_select;
171 create_g_a (g_a, dh_params->a);
172 dh_params->magic = CRYPTO_TEMP_DH_PARAMS_MAGIC;
173 MODULE_STAT->tot_dh_rounds[0] ++;
174
175 return 1;
176}
177
178
179static void dh_inner_round (unsigned char g_ab[256], const unsigned char g_b[256], const unsigned char a[256]) {
180 if (!rpc_BN_ctx) {
181 rpc_BN_ctx = BN_CTX_new ();
182 }
183 BIGNUM *dh_base = BN_new ();
184 assert (BN_bin2bn (g_b, 256, dh_base) == dh_base);
185
186 BIGNUM *dh_power = BN_new ();
187 assert (BN_bin2bn (a, 256, dh_power) == dh_power);
188
189 BIGNUM *key = BN_new ();
190 assert (BN_mod_exp (key, dh_base, dh_power, rpc_dh_prime, rpc_BN_ctx) == 1);
191
192 BN_free (dh_base);
193 BN_clear_free (dh_power);
194
195 int len = BN_num_bytes (key);
196 assert (len > 240 && len <= 256);
197
198 memset (g_ab, 0, 256 - len);
199 assert (BN_bn2bin (key, g_ab + (256 - len)) == len);
200
201 BN_clear_free (key);
202}
203
204
205int dh_second_round (unsigned char g_ab[256], unsigned char g_a[256], const unsigned char g_b[256]) {
206 unsigned char a[256];
207
208 if (!is_good_rpc_dh_bin (g_b)) {
209 return 0;
210 }
211
212 create_g_a (g_a, a);
213
214 dh_inner_round (g_ab, g_b, a);
215
216 memset (a, 0, sizeof (a));
217
218 vkprintf (2, "DH key is %02x%02x%02x...%02x%02x%02x\n", g_ab[0], g_ab[1], g_ab[2], g_ab[253], g_ab[254], g_ab[255]);
219 MODULE_STAT->tot_dh_rounds[1]++;
220
221 return 256;
222}
223
224int dh_third_round (unsigned char g_ab[256], const unsigned char g_b[256], struct crypto_temp_dh_params *dh_params) {
225 if (!is_good_rpc_dh_bin (g_b)) {
226 return 0;
227 }
228
229 dh_inner_round (g_ab, g_b, dh_params->a);
230
231 vkprintf (2, "DH key is %02x%02x%02x...%02x%02x%02x\n", g_ab[0], g_ab[1], g_ab[2], g_ab[253], g_ab[254], g_ab[255]);
232 MODULE_STAT->tot_dh_rounds[2]++;
233
234 return 256;
235}
236