Context Navigation

source: trunk/libtransmission/handshake.c @ 8889

Visit:

Last change on this file since 8889 was 8889, checked in by charles, 13 years ago
(trunk) remove trailing spaces
Property svn:keywords set to `Date Rev Author Id`
File size: 36.8 KB

Line
1	/*
2	* This file Copyright (C) 2007-2009 Charles Kerr <charles@transmissionbt.com>
3	*
4	* This file is licensed by the GPL version 2. Works owned by the
5	* Transmission project are granted a special exemption to clause 2(b)
6	* so that the bulk of its code can remain under the MIT license.
7	* This exemption does not extend to derived works not owned by
8	* the Transmission project.
9	*
10	* $Id: handshake.c 8889 2009-08-10 20:04:08Z charles $
11	*/
12
13	#include <assert.h>
14	#include <errno.h>
15	#include <inttypes.h>
16	#include <limits.h> /* UCHAR_MAX */
17	#include <string.h>
18	#include <stdio.h>
19
20	#include <event.h>
21
22	#include "transmission.h"
23	#include "bencode.h"
24	#include "clients.h"
25	#include "crypto.h"
26	#include "handshake.h"
27	#include "peer-io.h"
28	#include "peer-mgr.h"
29	#include "session.h"
30	#include "torrent.h"
31	#include "tr-dht.h"
32	#include "utils.h"
33
34	/* enable LibTransmission extension protocol */
35	#define ENABLE_LTEP * /
36	/* fast extensions */
37	#define ENABLE_FAST * /
38	/* DHT */
39	#define ENABLE_DHT * /
40
41	/***
42	****
43	***/
44
45	#define HANDSHAKE_NAME "\023BitTorrent protocol"
46
47	enum
48	{
49	/* BitTorrent Handshake Constants */
50	HANDSHAKE_NAME_LEN = 20,
51	HANDSHAKE_FLAGS_LEN = 8,
52	HANDSHAKE_SIZE = 68,
53	PEER_ID_LEN = 20,
54	INCOMING_HANDSHAKE_LEN = 48,
55
56	/* Encryption Constants */
57	PadA_MAXLEN = 512,
58	PadB_MAXLEN = 512,
59	PadC_MAXLEN = 512,
60	PadD_MAXLEN = 512,
61	VC_LENGTH = 8,
62	KEY_LEN = 96,
63	CRYPTO_PROVIDE_PLAINTEXT = 1,
64	CRYPTO_PROVIDE_CRYPTO = 2,
65
66	/* how long to wait before giving up on a handshake */
67	HANDSHAKE_TIMEOUT_SEC = 60
68	};
69
70
71	#ifdef ENABLE_LTEP
72	#define HANDSHAKE_HAS_LTEP( bits ) ( ( ( bits )[5] & 0x10 ) ? 1 : 0 )
73	#define HANDSHAKE_SET_LTEP( bits ) ( ( bits )[5] \|= 0x10 )
74	#else
75	#define HANDSHAKE_HAS_LTEP( bits ) ( 0 )
76	#define HANDSHAKE_SET_LTEP( bits ) ( (void)0 )
77	#endif
78
79	#ifdef ENABLE_FAST
80	#define HANDSHAKE_HAS_FASTEXT( bits ) ( ( ( bits )[7] & 0x04 ) ? 1 : 0 )
81	#define HANDSHAKE_SET_FASTEXT( bits ) ( ( bits )[7] \|= 0x04 )
82	#else
83	#define HANDSHAKE_HAS_FASTEXT( bits ) ( 0 )
84	#define HANDSHAKE_SET_FASTEXT( bits ) ( (void)0 )
85	#endif
86
87	#ifdef ENABLE_DHT
88	#define HANDSHAKE_HAS_DHT( bits ) ( ( ( bits )[7] & 0x01 ) ? 1 : 0 )
89	#define HANDSHAKE_SET_DHT( bits ) ( ( bits )[7] \|= 0x01 )
90	#else
91	#define HANDSHAKE_HAS_DHT( bits ) ( 0 )
92	#define HANDSHAKE_SET_DHT( bits ) ( (void)0 )
93	#endif
94
95	/* http://www.azureuswiki.com/index.php/Extension_negotiation_protocol
96	these macros are to be used if both extended messaging and the
97	azureus protocol is supported, they indicate which protocol is preferred */
98	#define HANDSHAKE_GET_EXTPREF( reserved ) ( ( reserved )[5] & 0x03 )
99	#define HANDSHAKE_SET_EXTPREF( reserved, val ) ( ( reserved )[5] \|= 0x03 &\
100	( val ) )
101
102	struct tr_handshake
103	{
104	tr_bool havePeerID;
105	tr_bool haveSentBitTorrentHandshake;
106	tr_peerIo * io;
107	tr_crypto * crypto;
108	tr_session * session;
109	uint8_t mySecret[KEY_LEN];
110	uint8_t state;
111	tr_encryption_mode encryptionMode;
112	uint16_t pad_c_len;
113	uint16_t pad_d_len;
114	uint16_t ia_len;
115	uint32_t crypto_select;
116	uint32_t crypto_provide;
117	uint8_t myReq1[SHA_DIGEST_LENGTH];
118	handshakeDoneCB doneCB;
119	void * doneUserData;
120	struct event timeout_timer;
121	};
122
123	/**
124	***
125	**/
126
127	enum
128	{
129	/* incoming */
130	AWAITING_HANDSHAKE,
131	AWAITING_PEER_ID,
132	AWAITING_YA,
133	AWAITING_PAD_A,
134	AWAITING_CRYPTO_PROVIDE,
135	AWAITING_PAD_C,
136	AWAITING_IA,
137	AWAITING_PAYLOAD_STREAM,
138
139	/* outgoing */
140	AWAITING_YB,
141	AWAITING_VC,
142	AWAITING_CRYPTO_SELECT,
143	AWAITING_PAD_D,
144	};
145
146	/**
147	***
148	**/
149
150	#define dbgmsg( handshake, ... ) \
151	do { \
152	if( tr_deepLoggingIsActive( ) ) \
153	tr_deepLog( __FILE__, __LINE__, tr_peerIoGetAddrStr( handshake->io ), __VA_ARGS__ ); \
154	} while( 0 )
155
156	static const char*
157	getStateName( short state )
158	{
159	const char * str = "f00!";
160
161	switch( state )
162	{
163	case AWAITING_HANDSHAKE:
164	str = "awaiting handshake"; break;
165
166	case AWAITING_PEER_ID:
167	str = "awaiting peer id"; break;
168
169	case AWAITING_YA:
170	str = "awaiting ya"; break;
171
172	case AWAITING_PAD_A:
173	str = "awaiting pad a"; break;
174
175	case AWAITING_CRYPTO_PROVIDE:
176	str = "awaiting crypto_provide"; break;
177
178	case AWAITING_PAD_C:
179	str = "awaiting pad c"; break;
180
181	case AWAITING_IA:
182	str = "awaiting ia"; break;
183
184	case AWAITING_YB:
185	str = "awaiting yb"; break;
186
187	case AWAITING_VC:
188	str = "awaiting vc"; break;
189
190	case AWAITING_CRYPTO_SELECT:
191	str = "awaiting crypto select"; break;
192
193	case AWAITING_PAD_D:
194	str = "awaiting pad d"; break;
195	}
196	return str;
197	}
198
199	static void
200	setState( tr_handshake * handshake,
201	short state )
202	{
203	dbgmsg( handshake, "setting to state [%s]", getStateName( state ) );
204	handshake->state = state;
205	}
206
207	static void
208	setReadState( tr_handshake * handshake,
209	int state )
210	{
211	setState( handshake, state );
212	}
213
214	static void
215	buildHandshakeMessage( tr_handshake * handshake, uint8_t * buf )
216	{
217	uint8_t * walk = buf;
218	const uint8_t * torrentHash = tr_cryptoGetTorrentHash( handshake->crypto );
219	const tr_torrent * tor = tr_torrentFindFromHash( handshake->session, torrentHash );
220	const uint8_t * peer_id = tor && tor->peer_id ? tor->peer_id : tr_getPeerId( );
221
222	memcpy( walk, HANDSHAKE_NAME, HANDSHAKE_NAME_LEN );
223	walk += HANDSHAKE_NAME_LEN;
224	memset( walk, 0, HANDSHAKE_FLAGS_LEN );
225	HANDSHAKE_SET_LTEP( walk );
226	HANDSHAKE_SET_FASTEXT( walk );
227
228	/* Note that this doesn't depend on whether the torrent is private. We
229	don't accept DHT peers for a private torrent, but we participate in
230	the DHT regardless. */
231	if(tr_dhtEnabled(handshake->session))
232	HANDSHAKE_SET_DHT( walk );
233
234	walk += HANDSHAKE_FLAGS_LEN;
235	memcpy( walk, torrentHash, SHA_DIGEST_LENGTH );
236	walk += SHA_DIGEST_LENGTH;
237	memcpy( walk, peer_id, PEER_ID_LEN );
238	walk += PEER_ID_LEN;
239
240	assert( strlen( ( const char* )peer_id ) == PEER_ID_LEN );
241	assert( walk - buf == HANDSHAKE_SIZE );
242	}
243
244	static int tr_handshakeDone( tr_handshake * handshake,
245	tr_bool isConnected );
246
247	enum
248	{
249	HANDSHAKE_OK,
250	HANDSHAKE_ENCRYPTION_WRONG,
251	HANDSHAKE_BAD_TORRENT,
252	HANDSHAKE_PEER_IS_SELF,
253	};
254
255	static int
256	parseHandshake( tr_handshake * handshake,
257	struct evbuffer * inbuf )
258	{
259	uint8_t name[HANDSHAKE_NAME_LEN];
260	uint8_t reserved[HANDSHAKE_FLAGS_LEN];
261	uint8_t hash[SHA_DIGEST_LENGTH];
262	const tr_torrent * tor;
263	const uint8_t * tor_peer_id;
264	uint8_t peer_id[PEER_ID_LEN];
265
266	dbgmsg( handshake, "payload: need %d, got %zu",
267	(int)HANDSHAKE_SIZE, EVBUFFER_LENGTH( inbuf ) );
268
269	if( EVBUFFER_LENGTH( inbuf ) < HANDSHAKE_SIZE )
270	return READ_LATER;
271
272	/* confirm the protocol */
273	tr_peerIoReadBytes( handshake->io, inbuf, name, HANDSHAKE_NAME_LEN );
274	if( memcmp( name, HANDSHAKE_NAME, HANDSHAKE_NAME_LEN ) )
275	return HANDSHAKE_ENCRYPTION_WRONG;
276
277	/* read the reserved bytes */
278	tr_peerIoReadBytes( handshake->io, inbuf, reserved, HANDSHAKE_FLAGS_LEN );
279
280	/* torrent hash */
281	tr_peerIoReadBytes( handshake->io, inbuf, hash, sizeof( hash ) );
282	assert( tr_peerIoHasTorrentHash( handshake->io ) );
283	if( !tr_torrentExists( handshake->session, hash )
284	\|\| memcmp( hash, tr_peerIoGetTorrentHash( handshake->io ),
285	SHA_DIGEST_LENGTH ) )
286	{
287	dbgmsg( handshake, "peer returned the wrong hash. wtf?" );
288	return HANDSHAKE_BAD_TORRENT;
289	}
290
291	/* peer_id */
292	tr_peerIoReadBytes( handshake->io, inbuf, peer_id, sizeof( peer_id ) );
293	tr_peerIoSetPeersId( handshake->io, peer_id );
294
295	/* peer id */
296	handshake->havePeerID = TRUE;
297	dbgmsg( handshake, "peer-id is [%.s]", PEER_ID_LEN, PEER_ID_LEN, peer_id );
298
299	tor = tr_torrentFindFromHash( handshake->session, hash );
300	tor_peer_id = tor && tor->peer_id ? tor->peer_id : tr_getPeerId( );
301	if( !memcmp( peer_id, tor_peer_id, PEER_ID_LEN ) )
302	{
303	dbgmsg( handshake, "streuth! we've connected to ourselves." );
304	return HANDSHAKE_PEER_IS_SELF;
305	}
306
307	/**
308	*** Extensions
309	**/
310
311	tr_peerIoEnableLTEP( handshake->io, HANDSHAKE_HAS_LTEP( reserved ) );
312
313	tr_peerIoEnableFEXT( handshake->io, HANDSHAKE_HAS_FASTEXT( reserved ) );
314
315	/* This doesn't depend on whether the torrent is private. */
316	if( tor && tr_sessionAllowsDHT( tor->session ) )
317	tr_peerIoEnableDHT( handshake->io, HANDSHAKE_HAS_DHT( reserved ) );
318
319	return HANDSHAKE_OK;
320	}
321
322	/***
323	****
324	**** OUTGOING CONNECTIONS
325	****
326	***/
327
328	/* 1 A->B: Diffie Hellman Ya, PadA */
329	static void
330	sendYa( tr_handshake * handshake )
331	{
332	int len;
333	const uint8_t * public_key;
334	char outbuf[ KEY_LEN + PadA_MAXLEN ], *walk=outbuf;
335
336	/* add our public key (Ya) */
337	public_key = tr_cryptoGetMyPublicKey( handshake->crypto, &len );
338	assert( len == KEY_LEN );
339	assert( public_key );
340	memcpy( walk, public_key, len );
341	walk += len;
342
343	/* add some bullshit padding */
344	len = tr_cryptoRandInt( PadA_MAXLEN );
345	tr_cryptoRandBuf( walk, len );
346	walk += len;
347
348	/* send it */
349	setReadState( handshake, AWAITING_YB );
350	tr_peerIoWrite( handshake->io, outbuf, walk-outbuf, FALSE );
351	}
352
353	static uint32_t
354	getCryptoProvide( const tr_handshake * handshake )
355	{
356	uint32_t provide = 0;
357
358	switch( handshake->encryptionMode )
359	{
360	case TR_ENCRYPTION_REQUIRED:
361	case TR_ENCRYPTION_PREFERRED:
362	provide \|= CRYPTO_PROVIDE_CRYPTO;
363	break;
364
365	case TR_CLEAR_PREFERRED:
366	provide \|= CRYPTO_PROVIDE_CRYPTO \| CRYPTO_PROVIDE_PLAINTEXT;
367	break;
368	}
369
370	return provide;
371	}
372
373	static uint32_t
374	getCryptoSelect( const tr_handshake * handshake,
375	uint32_t crypto_provide )
376	{
377	uint32_t choices[4];
378	int i, nChoices = 0;
379
380	switch( handshake->encryptionMode )
381	{
382	case TR_ENCRYPTION_REQUIRED:
383	choices[nChoices++] = CRYPTO_PROVIDE_CRYPTO;
384	break;
385
386	case TR_ENCRYPTION_PREFERRED:
387	choices[nChoices++] = CRYPTO_PROVIDE_CRYPTO;
388	choices[nChoices++] = CRYPTO_PROVIDE_PLAINTEXT;
389	break;
390
391	case TR_CLEAR_PREFERRED:
392	choices[nChoices++] = CRYPTO_PROVIDE_PLAINTEXT;
393	choices[nChoices++] = CRYPTO_PROVIDE_CRYPTO;
394	break;
395	}
396
397	for( i = 0; i < nChoices; ++i )
398	if( crypto_provide & choices[i] )
399	return choices[i];
400
401	return 0;
402	}
403
404	static int
405	readYb( tr_handshake * handshake,
406	struct evbuffer * inbuf )
407	{
408	int isEncrypted;
409	const uint8_t * secret;
410	uint8_t yb[KEY_LEN];
411	struct evbuffer * outbuf;
412	size_t needlen = HANDSHAKE_NAME_LEN;
413
414	if( EVBUFFER_LENGTH( inbuf ) < needlen )
415	return READ_LATER;
416
417	isEncrypted = memcmp( EVBUFFER_DATA( inbuf ), HANDSHAKE_NAME, HANDSHAKE_NAME_LEN );
418	if( isEncrypted )
419	{
420	needlen = KEY_LEN;
421	if( EVBUFFER_LENGTH( inbuf ) < needlen )
422	return READ_LATER;
423	}
424
425	dbgmsg( handshake, "got a %s handshake",
426	( isEncrypted ? "encrypted" : "plaintext" ) );
427
428	tr_peerIoSetEncryption( handshake->io, isEncrypted ? PEER_ENCRYPTION_RC4
429	: PEER_ENCRYPTION_NONE );
430	if( !isEncrypted )
431	{
432	setState( handshake, AWAITING_HANDSHAKE );
433	return READ_NOW;
434	}
435
436	/* compute the secret */
437	evbuffer_remove( inbuf, yb, KEY_LEN );
438	secret = tr_cryptoComputeSecret( handshake->crypto, yb );
439	memcpy( handshake->mySecret, secret, KEY_LEN );
440
441	/* now send these: HASH('req1', S), HASH('req2', SKEY) xor HASH('req3', S),
442	* ENCRYPT(VC, crypto_provide, len(PadC), PadC, len(IA)), ENCRYPT(IA) */
443	outbuf = evbuffer_new( );
444
445	/* HASH('req1', S) */
446	{
447	uint8_t req1[SHA_DIGEST_LENGTH];
448	tr_sha1( req1, "req1", 4, secret, KEY_LEN, NULL );
449	evbuffer_add( outbuf, req1, SHA_DIGEST_LENGTH );
450	}
451
452	/* HASH('req2', SKEY) xor HASH('req3', S) */
453	{
454	int i;
455	uint8_t req2[SHA_DIGEST_LENGTH];
456	uint8_t req3[SHA_DIGEST_LENGTH];
457	uint8_t buf[SHA_DIGEST_LENGTH];
458	tr_sha1( req2, "req2", 4,
459	tr_cryptoGetTorrentHash( handshake->crypto ),
460	SHA_DIGEST_LENGTH, NULL );
461	tr_sha1( req3, "req3", 4, secret, KEY_LEN, NULL );
462	for( i = 0; i < SHA_DIGEST_LENGTH; ++i )
463	buf[i] = req2[i] ^ req3[i];
464	evbuffer_add( outbuf, buf, SHA_DIGEST_LENGTH );
465	}
466
467	/* ENCRYPT(VC, crypto_provide, len(PadC), PadC
468	* PadC is reserved for future extensions to the handshake...
469	* standard practice at this time is for it to be zero-length */
470	{
471	uint8_t vc[VC_LENGTH] = { 0, 0, 0, 0, 0, 0, 0, 0 };
472
473	tr_peerIoWriteBuf( handshake->io, outbuf, FALSE );
474	tr_cryptoEncryptInit( handshake->crypto );
475	tr_peerIoSetEncryption( handshake->io, PEER_ENCRYPTION_RC4 );
476
477	tr_peerIoWriteBytes( handshake->io, outbuf, vc, VC_LENGTH );
478	tr_peerIoWriteUint32( handshake->io, outbuf,
479	getCryptoProvide( handshake ) );
480	tr_peerIoWriteUint16( handshake->io, outbuf, 0 );
481	}
482
483	/* ENCRYPT len(IA)), ENCRYPT(IA) */
484	{
485	uint8_t msg[HANDSHAKE_SIZE];
486	buildHandshakeMessage( handshake, msg );
487
488	tr_peerIoWriteUint16( handshake->io, outbuf, sizeof( msg ) );
489	tr_peerIoWriteBytes( handshake->io, outbuf, msg, sizeof( msg ) );
490
491	handshake->haveSentBitTorrentHandshake = 1;
492	}
493
494	/* send it */
495	tr_cryptoDecryptInit( handshake->crypto );
496	setReadState( handshake, AWAITING_VC );
497	tr_peerIoWriteBuf( handshake->io, outbuf, FALSE );
498
499	/* cleanup */
500	evbuffer_free( outbuf );
501	return READ_LATER;
502	}
503
504	static int
505	readVC( tr_handshake * handshake,
506	struct evbuffer * inbuf )
507	{
508	const uint8_t key[VC_LENGTH] = { 0, 0, 0, 0, 0, 0, 0, 0 };
509	const int key_len = VC_LENGTH;
510	uint8_t tmp[VC_LENGTH];
511
512	/* note: this works w/o having to `unwind' the buffer if
513	* we read too much, but it is pretty brute-force.
514	* it would be nice to make this cleaner. */
515	for( ; ; )
516	{
517	if( EVBUFFER_LENGTH( inbuf ) < VC_LENGTH )
518	{
519	dbgmsg( handshake, "not enough bytes... returning read_more" );
520	return READ_LATER;
521	}
522
523	memcpy( tmp, EVBUFFER_DATA( inbuf ), key_len );
524	tr_cryptoDecryptInit( handshake->crypto );
525	tr_cryptoDecrypt( handshake->crypto, key_len, tmp, tmp );
526	if( !memcmp( tmp, key, key_len ) )
527	break;
528
529	evbuffer_drain( inbuf, 1 );
530	}
531
532	dbgmsg( handshake, "got it!" );
533	evbuffer_drain( inbuf, key_len );
534	setState( handshake, AWAITING_CRYPTO_SELECT );
535	return READ_NOW;
536	}
537
538	static int
539	readCryptoSelect( tr_handshake * handshake,
540	struct evbuffer * inbuf )
541	{
542	uint32_t crypto_select;
543	uint16_t pad_d_len;
544	const size_t needlen = sizeof( uint32_t ) + sizeof( uint16_t );
545
546	if( EVBUFFER_LENGTH( inbuf ) < needlen )
547	return READ_LATER;
548
549	tr_peerIoReadUint32( handshake->io, inbuf, &crypto_select );
550	handshake->crypto_select = crypto_select;
551	dbgmsg( handshake, "crypto select is %d", (int)crypto_select );
552	if( !( crypto_select & getCryptoProvide( handshake ) ) )
553	{
554	dbgmsg( handshake,
555	"peer selected an encryption option we didn't provide" );
556	return tr_handshakeDone( handshake, FALSE );
557	}
558
559	tr_peerIoReadUint16( handshake->io, inbuf, &pad_d_len );
560	dbgmsg( handshake, "pad_d_len is %d", (int)pad_d_len );
561
562	if( pad_d_len > 512 )
563	{
564	dbgmsg( handshake, "encryption handshake: pad_d_len is too long" );
565	return tr_handshakeDone( handshake, FALSE );
566	}
567
568	handshake->pad_d_len = pad_d_len;
569
570	setState( handshake, AWAITING_PAD_D );
571	return READ_NOW;
572	}
573
574	static int
575	readPadD( tr_handshake * handshake,
576	struct evbuffer * inbuf )
577	{
578	const size_t needlen = handshake->pad_d_len;
579	uint8_t * tmp;
580
581	dbgmsg( handshake, "pad d: need %zu, got %zu",
582	needlen, EVBUFFER_LENGTH( inbuf ) );
583	if( EVBUFFER_LENGTH( inbuf ) < needlen )
584	return READ_LATER;
585
586	tmp = tr_new( uint8_t, needlen );
587	tr_peerIoReadBytes( handshake->io, inbuf, tmp, needlen );
588	tr_free( tmp );
589
590	tr_peerIoSetEncryption( handshake->io,
591	handshake->crypto_select );
592
593	setState( handshake, AWAITING_HANDSHAKE );
594	return READ_NOW;
595	}
596
597	/***
598	****
599	**** INCOMING CONNECTIONS
600	****
601	***/
602
603	static int
604	readHandshake( tr_handshake * handshake,
605	struct evbuffer * inbuf )
606	{
607	uint8_t pstrlen;
608	uint8_t * pstr;
609	uint8_t reserved[HANDSHAKE_FLAGS_LEN];
610	uint8_t hash[SHA_DIGEST_LENGTH];
611
612	dbgmsg( handshake, "payload: need %d, got %zu",
613	(int)INCOMING_HANDSHAKE_LEN, EVBUFFER_LENGTH( inbuf ) );
614
615	if( EVBUFFER_LENGTH( inbuf ) < INCOMING_HANDSHAKE_LEN )
616	return READ_LATER;
617
618	pstrlen = EVBUFFER_DATA( inbuf )[0]; /* peek, don't read. We may be
619	handing inbuf to AWAITING_YA */
620
621	if( pstrlen == 19 ) /* unencrypted */
622	{
623	tr_peerIoSetEncryption( handshake->io, PEER_ENCRYPTION_NONE );
624
625	if( handshake->encryptionMode == TR_ENCRYPTION_REQUIRED )
626	{
627	dbgmsg( handshake,
628	"peer is unencrypted, and we're disallowing that" );
629	return tr_handshakeDone( handshake, FALSE );
630	}
631	}
632	else /* encrypted or corrupt */
633	{
634	tr_peerIoSetEncryption( handshake->io, PEER_ENCRYPTION_RC4 );
635
636	if( tr_peerIoIsIncoming( handshake->io ) )
637	{
638	dbgmsg( handshake,
639	"I think peer is sending us an encrypted handshake..." );
640	setState( handshake, AWAITING_YA );
641	return READ_NOW;
642	}
643	tr_cryptoDecrypt( handshake->crypto, 1, &pstrlen, &pstrlen );
644
645	if( pstrlen != 19 )
646	{
647	dbgmsg( handshake,
648	"I think peer has sent us a corrupt handshake..." );
649	return tr_handshakeDone( handshake, FALSE );
650	}
651	}
652
653	evbuffer_drain( inbuf, 1 );
654
655	/* pstr (BitTorrent) */
656	pstr = tr_new( uint8_t, pstrlen + 1 );
657	tr_peerIoReadBytes( handshake->io, inbuf, pstr, pstrlen );
658	pstr[pstrlen] = '\0';
659	if( strcmp( (char*)pstr, "BitTorrent protocol" ) )
660	{
661	tr_free( pstr );
662	return tr_handshakeDone( handshake, FALSE );
663	}
664	tr_free( pstr );
665
666	/* reserved bytes */
667	tr_peerIoReadBytes( handshake->io, inbuf, reserved, sizeof( reserved ) );
668
669	/**
670	*** Extensions
671	**/
672
673	tr_peerIoEnableLTEP( handshake->io, HANDSHAKE_HAS_LTEP( reserved ) );
674
675	tr_peerIoEnableFEXT( handshake->io, HANDSHAKE_HAS_FASTEXT( reserved ) );
676
677	/* torrent hash */
678	tr_peerIoReadBytes( handshake->io, inbuf, hash, sizeof( hash ) );
679	if( tr_peerIoIsIncoming( handshake->io ) )
680	{
681	if( !tr_torrentExists( handshake->session, hash ) )
682	{
683	dbgmsg( handshake, "peer is trying to connect to us for a torrent we don't have." );
684	return tr_handshakeDone( handshake, FALSE );
685	}
686	else
687	{
688	assert( !tr_peerIoHasTorrentHash( handshake->io ) );
689	tr_peerIoSetTorrentHash( handshake->io, hash );
690	}
691	}
692	else /* outgoing */
693	{
694	assert( tr_peerIoHasTorrentHash( handshake->io ) );
695	if( memcmp( hash, tr_peerIoGetTorrentHash( handshake->io ),
696	SHA_DIGEST_LENGTH ) )
697	{
698	dbgmsg( handshake, "peer returned the wrong hash. wtf?" );
699	return tr_handshakeDone( handshake, FALSE );
700	}
701	}
702
703	/**
704	*** If it's an incoming message, we need to send a response handshake
705	**/
706
707	if( !handshake->haveSentBitTorrentHandshake )
708	{
709	uint8_t msg[HANDSHAKE_SIZE];
710	buildHandshakeMessage( handshake, msg );
711	tr_peerIoWrite( handshake->io, msg, sizeof( msg ), FALSE );
712	handshake->haveSentBitTorrentHandshake = 1;
713	}
714
715	setReadState( handshake, AWAITING_PEER_ID );
716	return READ_NOW;
717	}
718
719	static int
720	readPeerId( tr_handshake * handshake,
721	struct evbuffer * inbuf )
722	{
723	int peerIsGood;
724	char client[128];
725	tr_torrent * tor;
726	const uint8_t * tor_peer_id;
727	uint8_t peer_id[PEER_ID_LEN];
728
729	if( EVBUFFER_LENGTH( inbuf ) < PEER_ID_LEN )
730	return READ_LATER;
731
732	/* peer id */
733	tr_peerIoReadBytes( handshake->io, inbuf, peer_id, PEER_ID_LEN );
734	tr_peerIoSetPeersId( handshake->io, peer_id );
735	handshake->havePeerID = TRUE;
736	tr_clientForId( client, sizeof( client ), peer_id );
737	dbgmsg( handshake, "peer-id is [%s] ... isIncoming is %d", client,
738	tr_peerIoIsIncoming( handshake->io ) );
739
740	/* if we've somehow connected to ourselves, don't keep the connection */
741	tor = tr_torrentFindFromHash( handshake->session, tr_peerIoGetTorrentHash( handshake->io ) );
742	tor_peer_id = tor && tor->peer_id ? tor->peer_id : tr_getPeerId( );
743	peerIsGood = memcmp( peer_id, tor_peer_id, PEER_ID_LEN ) != 0;
744	dbgmsg( handshake, "isPeerGood == %d", peerIsGood );
745	return tr_handshakeDone( handshake, peerIsGood );
746	}
747
748	static int
749	readYa( tr_handshake * handshake,
750	struct evbuffer * inbuf )
751	{
752	uint8_t ya[KEY_LEN];
753	uint8_t * walk, outbuf[KEY_LEN + PadB_MAXLEN];
754	const uint8_t myKey, secret;
755	int len;
756
757	dbgmsg( handshake, "in readYa... need %d, have %zu",
758	(int)KEY_LEN, EVBUFFER_LENGTH( inbuf ) );
759	if( EVBUFFER_LENGTH( inbuf ) < KEY_LEN )
760	return READ_LATER;
761
762	/* read the incoming peer's public key */
763	evbuffer_remove( inbuf, ya, KEY_LEN );
764	secret = tr_cryptoComputeSecret( handshake->crypto, ya );
765	memcpy( handshake->mySecret, secret, KEY_LEN );
766	tr_sha1( handshake->myReq1, "req1", 4, secret, KEY_LEN, NULL );
767
768	dbgmsg( handshake, "sending B->A: Diffie Hellman Yb, PadB" );
769	/* send our public key to the peer */
770	walk = outbuf;
771	myKey = tr_cryptoGetMyPublicKey( handshake->crypto, &len );
772	memcpy( walk, myKey, len );
773	walk += len;
774	len = tr_cryptoRandInt( PadB_MAXLEN );
775	tr_cryptoRandBuf( walk, len );
776	walk += len;
777
778	setReadState( handshake, AWAITING_PAD_A );
779	tr_peerIoWrite( handshake->io, outbuf, walk - outbuf, FALSE );
780	return READ_NOW;
781	}
782
783	static int
784	readPadA( tr_handshake * handshake,
785	struct evbuffer * inbuf )
786	{
787	uint8_t * pch;
788
789	dbgmsg( handshake, "looking to get past pad a... & resync on hash('req',S) ... have %zu bytes",
790	EVBUFFER_LENGTH( inbuf ) );
791	/**
792	*** Resynchronizing on HASH('req1',S)
793	**/
794
795	pch = memchr( EVBUFFER_DATA( inbuf ),
796	handshake->myReq1[0],
797	EVBUFFER_LENGTH( inbuf ) );
798	if( pch == NULL )
799	{
800	dbgmsg( handshake, "no luck so far.. draining %zu bytes",
801	EVBUFFER_LENGTH( inbuf ) );
802	evbuffer_drain( inbuf, EVBUFFER_LENGTH( inbuf ) );
803	return READ_LATER;
804	}
805	dbgmsg( handshake, "looking for hash('req',S) ... draining %d bytes",
806	(int)( pch - EVBUFFER_DATA( inbuf ) ) );
807	evbuffer_drain( inbuf, pch - EVBUFFER_DATA( inbuf ) );
808	if( EVBUFFER_LENGTH( inbuf ) < SHA_DIGEST_LENGTH )
809	return READ_LATER;
810	if( memcmp( EVBUFFER_DATA( inbuf ), handshake->myReq1,
811	SHA_DIGEST_LENGTH ) )
812	{
813	dbgmsg( handshake, "draining one more byte" );
814	evbuffer_drain( inbuf, 1 );
815	return READ_NOW;
816	}
817
818	dbgmsg( handshake,
819	"found it... looking setting to awaiting_crypto_provide" );
820	setState( handshake, AWAITING_CRYPTO_PROVIDE );
821	return READ_NOW;
822	}
823
824	static int
825	readCryptoProvide( tr_handshake * handshake,
826	struct evbuffer * inbuf )
827	{
828	/* HASH('req2', SKEY) xor HASH('req3', S), ENCRYPT(VC, crypto_provide,
829	len(PadC)) */
830
831	int i;
832	uint8_t vc_in[VC_LENGTH];
833	uint8_t req2[SHA_DIGEST_LENGTH];
834	uint8_t req3[SHA_DIGEST_LENGTH];
835	uint8_t obfuscatedTorrentHash[SHA_DIGEST_LENGTH];
836	uint16_t padc_len = 0;
837	uint32_t crypto_provide = 0;
838	const size_t needlen = SHA_DIGEST_LENGTH /* HASH('req1',s) */
839	+ SHA_DIGEST_LENGTH /* HASH('req2', SKEY) xor
840	HASH('req3', S) */
841	+ VC_LENGTH
842	+ sizeof( crypto_provide )
843	+ sizeof( padc_len );
844	tr_torrent * tor = NULL;
845
846	if( EVBUFFER_LENGTH( inbuf ) < needlen )
847	return READ_LATER;
848
849	/* TODO: confirm they sent HASH('req1',S) here? */
850	evbuffer_drain( inbuf, SHA_DIGEST_LENGTH );
851
852	/* This next piece is HASH('req2', SKEY) xor HASH('req3', S) ...
853	* we can get the first half of that (the obufscatedTorrentHash)
854	* by building the latter and xor'ing it with what the peer sent us */
855	dbgmsg( handshake, "reading obfuscated torrent hash..." );
856	evbuffer_remove( inbuf, req2, SHA_DIGEST_LENGTH );
857	tr_sha1( req3, "req3", 4, handshake->mySecret, KEY_LEN, NULL );
858	for( i = 0; i < SHA_DIGEST_LENGTH; ++i )
859	obfuscatedTorrentHash[i] = req2[i] ^ req3[i];
860	if(( tor = tr_torrentFindFromObfuscatedHash( handshake->session, obfuscatedTorrentHash )))
861	{
862	const tr_bool clientIsSeed = tr_torrentIsSeed( tor );
863	const tr_bool peerIsSeed = tr_peerMgrPeerIsSeed( tor, tr_peerIoGetAddress( handshake->io, NULL ) );
864	dbgmsg( handshake, "got INCOMING connection's encrypted handshake for torrent [%s]",
865	tor->info.name );
866	tr_peerIoSetTorrentHash( handshake->io, tor->info.hash );
867
868	if( clientIsSeed && peerIsSeed )
869	{
870	dbgmsg( handshake, "another seed tried to reconnect to us!" );
871	return tr_handshakeDone( handshake, FALSE );
872	}
873	}
874	else
875	{
876	dbgmsg( handshake, "can't find that torrent..." );
877	return tr_handshakeDone( handshake, FALSE );
878	}
879
880	/* next part: ENCRYPT(VC, crypto_provide, len(PadC), */
881
882	tr_cryptoDecryptInit( handshake->crypto );
883
884	tr_peerIoReadBytes( handshake->io, inbuf, vc_in, VC_LENGTH );
885
886	tr_peerIoReadUint32( handshake->io, inbuf, &crypto_provide );
887	handshake->crypto_provide = crypto_provide;
888	dbgmsg( handshake, "crypto_provide is %d", (int)crypto_provide );
889
890	tr_peerIoReadUint16( handshake->io, inbuf, &padc_len );
891	dbgmsg( handshake, "padc is %d", (int)padc_len );
892	handshake->pad_c_len = padc_len;
893	setState( handshake, AWAITING_PAD_C );
894	return READ_NOW;
895	}
896
897	static int
898	readPadC( tr_handshake * handshake,
899	struct evbuffer * inbuf )
900	{
901	uint16_t ia_len;
902	const size_t needlen = handshake->pad_c_len + sizeof( uint16_t );
903
904	if( EVBUFFER_LENGTH( inbuf ) < needlen )
905	return READ_LATER;
906
907	evbuffer_drain( inbuf, handshake->pad_c_len );
908
909	tr_peerIoReadUint16( handshake->io, inbuf, &ia_len );
910	dbgmsg( handshake, "ia_len is %d", (int)ia_len );
911	handshake->ia_len = ia_len;
912	setState( handshake, AWAITING_IA );
913	return READ_NOW;
914	}
915
916	static int
917	readIA( tr_handshake * handshake,
918	struct evbuffer * inbuf )
919	{
920	const size_t needlen = handshake->ia_len;
921	struct evbuffer * outbuf;
922	uint32_t crypto_select;
923
924	dbgmsg( handshake, "reading IA... have %zu, need %zu",
925	EVBUFFER_LENGTH( inbuf ), needlen );
926	if( EVBUFFER_LENGTH( inbuf ) < needlen )
927	return READ_LATER;
928
929	/**
930	*** B->A: ENCRYPT(VC, crypto_select, len(padD), padD), ENCRYPT2(Payload Stream)
931	**/
932
933	tr_cryptoEncryptInit( handshake->crypto );
934	outbuf = evbuffer_new( );
935
936	dbgmsg( handshake, "sending vc" );
937	/* send VC */
938	{
939	uint8_t vc[VC_LENGTH];
940	memset( vc, 0, VC_LENGTH );
941	tr_peerIoWriteBytes( handshake->io, outbuf, vc, VC_LENGTH );
942	}
943
944	/* send crypto_select */
945	crypto_select = getCryptoSelect( handshake, handshake->crypto_provide );
946	if( crypto_select )
947	{
948	dbgmsg( handshake, "selecting crypto mode '%d'", (int)crypto_select );
949	tr_peerIoWriteUint32( handshake->io, outbuf, crypto_select );
950	}
951	else
952	{
953	dbgmsg( handshake, "peer didn't offer an encryption mode we like." );
954	evbuffer_free( outbuf );
955	return tr_handshakeDone( handshake, FALSE );
956	}
957
958	dbgmsg( handshake, "sending pad d" );
959	/* ENCRYPT(VC, crypto_provide, len(PadD), PadD
960	* PadD is reserved for future extensions to the handshake...
961	* standard practice at this time is for it to be zero-length */
962	{
963	const int len = 0;
964	tr_peerIoWriteUint16( handshake->io, outbuf, len );
965	}
966
967	/* maybe de-encrypt our connection */
968	if( crypto_select == CRYPTO_PROVIDE_PLAINTEXT )
969	{
970	tr_peerIoWriteBuf( handshake->io, outbuf, FALSE );
971	tr_peerIoSetEncryption( handshake->io, PEER_ENCRYPTION_NONE );
972	}
973
974	dbgmsg( handshake, "sending handshake" );
975	/* send our handshake */
976	{
977	uint8_t msg[HANDSHAKE_SIZE];
978	buildHandshakeMessage( handshake, msg );
979
980	tr_peerIoWriteBytes( handshake->io, outbuf, msg, sizeof( msg ) );
981	handshake->haveSentBitTorrentHandshake = 1;
982	}
983
984	/* send it out */
985	tr_peerIoWriteBuf( handshake->io, outbuf, FALSE );
986	evbuffer_free( outbuf );
987
988	/* now await the handshake */
989	setState( handshake, AWAITING_PAYLOAD_STREAM );
990	return READ_NOW;
991	}
992
993	static int
994	readPayloadStream( tr_handshake * handshake,
995	struct evbuffer * inbuf )
996	{
997	int i;
998	const size_t needlen = HANDSHAKE_SIZE;
999
1000	dbgmsg( handshake, "reading payload stream... have %zu, need %zu",
1001	EVBUFFER_LENGTH( inbuf ), needlen );
1002	if( EVBUFFER_LENGTH( inbuf ) < needlen )
1003	return READ_LATER;
1004
1005	/* parse the handshake ... */
1006	i = parseHandshake( handshake, inbuf );
1007	dbgmsg( handshake, "parseHandshake returned %d", i );
1008	if( i != HANDSHAKE_OK )
1009	return tr_handshakeDone( handshake, FALSE );
1010
1011	/* we've completed the BT handshake... pass the work on to peer-msgs */
1012	return tr_handshakeDone( handshake, TRUE );
1013	}
1014
1015	/***
1016	****
1017	****
1018	****
1019	***/
1020
1021	static ReadState
1022	canRead( struct tr_peerIo * io, void * arg, size_t * piece )
1023	{
1024	tr_handshake * handshake = arg;
1025	struct evbuffer * inbuf = tr_peerIoGetReadBuffer( io );
1026	ReadState ret;
1027	tr_bool readyForMore = TRUE;
1028
1029	/* no piece data in handshake */
1030	*piece = 0;
1031
1032	dbgmsg( handshake, "handling canRead; state is [%s]",
1033	getStateName( handshake->state ) );
1034
1035	while( readyForMore )
1036	{
1037	switch( handshake->state )
1038	{
1039	case AWAITING_HANDSHAKE:
1040	ret = readHandshake ( handshake, inbuf ); break;
1041
1042	case AWAITING_PEER_ID:
1043	ret = readPeerId ( handshake, inbuf ); break;
1044
1045	case AWAITING_YA:
1046	ret = readYa ( handshake, inbuf ); break;
1047
1048	case AWAITING_PAD_A:
1049	ret = readPadA ( handshake, inbuf ); break;
1050
1051	case AWAITING_CRYPTO_PROVIDE:
1052	ret = readCryptoProvide( handshake, inbuf ); break;
1053
1054	case AWAITING_PAD_C:
1055	ret = readPadC ( handshake, inbuf ); break;
1056
1057	case AWAITING_IA:
1058	ret = readIA ( handshake, inbuf ); break;
1059
1060	case AWAITING_PAYLOAD_STREAM:
1061	ret = readPayloadStream( handshake, inbuf ); break;
1062
1063	case AWAITING_YB:
1064	ret = readYb ( handshake, inbuf ); break;
1065
1066	case AWAITING_VC:
1067	ret = readVC ( handshake, inbuf ); break;
1068
1069	case AWAITING_CRYPTO_SELECT:
1070	ret = readCryptoSelect ( handshake, inbuf ); break;
1071
1072	case AWAITING_PAD_D:
1073	ret = readPadD ( handshake, inbuf ); break;
1074
1075	default:
1076	assert( 0 );
1077	}
1078
1079	if( ret != READ_NOW )
1080	readyForMore = FALSE;
1081	else if( handshake->state == AWAITING_PAD_C )
1082	readyForMore = EVBUFFER_LENGTH( inbuf ) >= handshake->pad_c_len;
1083	else if( handshake->state == AWAITING_PAD_D )
1084	readyForMore = EVBUFFER_LENGTH( inbuf ) >= handshake->pad_d_len;
1085	else if( handshake->state == AWAITING_IA )
1086	readyForMore = EVBUFFER_LENGTH( inbuf ) >= handshake->ia_len;
1087	}
1088
1089	return ret;
1090	}
1091
1092	static int
1093	fireDoneFunc( tr_handshake * handshake,
1094	tr_bool isConnected )
1095	{
1096	const uint8_t * peer_id = isConnected && handshake->havePeerID
1097	? tr_peerIoGetPeersId( handshake->io )
1098	: NULL;
1099	const int success = ( *handshake->doneCB )( handshake,
1100	handshake->io,
1101	isConnected,
1102	peer_id,
1103	handshake->doneUserData );
1104
1105	return success;
1106	}
1107
1108	static void
1109	tr_handshakeFree( tr_handshake * handshake )
1110	{
1111	if( handshake->io )
1112	tr_peerIoUnref( handshake->io ); /* balanced by the ref in tr_handshakeNew */
1113
1114	evtimer_del( &handshake->timeout_timer );
1115
1116	tr_free( handshake );
1117	}
1118
1119	static int
1120	tr_handshakeDone( tr_handshake * handshake,
1121	tr_bool isOK )
1122	{
1123	tr_bool success;
1124
1125	dbgmsg( handshake, "handshakeDone: %s", isOK ? "connected" : "aborting" );
1126	tr_peerIoSetIOFuncs( handshake->io, NULL, NULL, NULL, NULL );
1127
1128	success = fireDoneFunc( handshake, isOK );
1129
1130	tr_handshakeFree( handshake );
1131
1132	return success ? READ_LATER : READ_ERR;
1133	}
1134
1135	void
1136	tr_handshakeAbort( tr_handshake * handshake )
1137	{
1138	tr_handshakeDone( handshake, FALSE );
1139	}
1140
1141	static void
1142	gotError( tr_peerIo * io UNUSED,
1143	short what,
1144	void * arg )
1145	{
1146	tr_handshake * handshake = (tr_handshake *) arg;
1147
1148	/* if the error happened while we were sending a public key, we might
1149	* have encountered a peer that doesn't do encryption... reconnect and
1150	* try a plaintext handshake */
1151	if( ( ( handshake->state == AWAITING_YB )
1152	\|\| ( handshake->state == AWAITING_VC ) )
1153	&& ( handshake->encryptionMode != TR_ENCRYPTION_REQUIRED )
1154	&& ( !tr_peerIoReconnect( handshake->io ) ) )
1155	{
1156	uint8_t msg[HANDSHAKE_SIZE];
1157
1158	dbgmsg( handshake, "handshake failed, trying plaintext..." );
1159	buildHandshakeMessage( handshake, msg );
1160	handshake->haveSentBitTorrentHandshake = 1;
1161	setReadState( handshake, AWAITING_HANDSHAKE );
1162	tr_peerIoWrite( handshake->io, msg, sizeof( msg ), FALSE );
1163	}
1164	else
1165	{
1166	dbgmsg( handshake, "libevent got an error what==%d, errno=%d (%s)",
1167	(int)what, errno, tr_strerror( errno ) );
1168	tr_handshakeDone( handshake, FALSE );
1169	}
1170	}
1171
1172	/**
1173	***
1174	**/
1175
1176	static void
1177	handshakeTimeout( int foo UNUSED, short bar UNUSED, void * handshake )
1178	{
1179	tr_handshakeAbort( handshake );
1180	}
1181
1182	tr_handshake*
1183	tr_handshakeNew( tr_peerIo * io,
1184	tr_encryption_mode encryptionMode,
1185	handshakeDoneCB doneCB,
1186	void * doneUserData )
1187	{
1188	tr_handshake * handshake;
1189
1190	handshake = tr_new0( tr_handshake, 1 );
1191	handshake->io = io;
1192	handshake->crypto = tr_peerIoGetCrypto( io );
1193	handshake->encryptionMode = encryptionMode;
1194	handshake->doneCB = doneCB;
1195	handshake->doneUserData = doneUserData;
1196	handshake->session = tr_peerIoGetSession( io );
1197
1198	evtimer_set( &handshake->timeout_timer, handshakeTimeout, handshake );
1199	tr_timerAdd( &handshake->timeout_timer, HANDSHAKE_TIMEOUT_SEC, 0 );
1200
1201	tr_peerIoRef( io ); /* balanced by the unref in tr_handshakeFree */
1202	tr_peerIoSetIOFuncs( handshake->io, canRead, NULL, gotError, handshake );
1203	tr_peerIoSetEncryption( io, PEER_ENCRYPTION_NONE );
1204
1205	if( tr_peerIoIsIncoming( handshake->io ) )
1206	setReadState( handshake, AWAITING_HANDSHAKE );
1207	else if( encryptionMode != TR_CLEAR_PREFERRED )
1208	sendYa( handshake );
1209	else
1210	{
1211	uint8_t msg[HANDSHAKE_SIZE];
1212	buildHandshakeMessage( handshake, msg );
1213
1214	handshake->haveSentBitTorrentHandshake = 1;
1215	setReadState( handshake, AWAITING_HANDSHAKE );
1216	tr_peerIoWrite( handshake->io, msg, sizeof( msg ), FALSE );
1217	}
1218
1219	return handshake;
1220	}
1221
1222	struct tr_peerIo*
1223	tr_handshakeGetIO( tr_handshake * handshake )
1224	{
1225	assert( handshake );
1226	assert( handshake->io );
1227
1228	return handshake->io;
1229	}
1230
1231	struct tr_peerIo*
1232	tr_handshakeStealIO( tr_handshake * handshake )
1233	{
1234	struct tr_peerIo * io;
1235
1236	assert( handshake );
1237	assert( handshake->io );
1238
1239	io = handshake->io;
1240	handshake->io = NULL;
1241	return io;
1242	}
1243
1244	const tr_address *
1245	tr_handshakeGetAddr( const struct tr_handshake * handshake,
1246	tr_port * port )
1247	{
1248	assert( handshake );
1249	assert( handshake->io );
1250
1251	return tr_peerIoGetAddress( handshake->io, port );
1252	}
1253

Note: See TracBrowser for help on using the repository browser.

Download in other formats: