procxx
/
kepka
mirror of https://github.com/procxx/kepka.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Apply all MTP Key generation checks to calls. 

Also move all OpenSSL BN_* calls to base/openssl_help header.
This commit is contained in:
John Preston 2017-04-24 15:16:38 +03:00
parent 4925af69e2
commit b267957abe
13 changed files with 446 additions and 403 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
Telegram/SourceFiles/base/openssl_help.h
View File

@ -22,6 +22,7 @@ Copyright (c) 2014-2017 John Preston, https://desktop.telegram.org
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <openssl/rand.h>
namespace openssl {
@ -98,9 +99,69 @@ public:
_failed = true;
}
}
void setSub(const BigNum &a, const BigNum &b) {
if (a.failed() || b.failed()) {
_failed = true;
} else if (!BN_sub(raw(), a.raw(), b.raw())) {
_failed = true;
}
}
void setSubWord(unsigned int word) {
if (failed()) {
return;
} else if (!BN_sub_word(raw(), word)) {
_failed = true;
}
}
unsigned int setDivWord(unsigned int word) {
Expects(word != 0);
if (failed()) {
return (BN_ULONG)-1;
}
auto result = BN_div_word(raw(), word);
if (result == (BN_ULONG)-1) {
_failed = true;
}
return result;
}
bool isNegative() const {
return BN_is_negative(raw());
return failed() ? false : BN_is_negative(raw());
}
bool isPrime(const Context &context = Context()) const {
if (failed()) {
return false;
}
constexpr auto kMillerRabinIterationCount = 30;
auto result = BN_is_prime_ex(raw(), kMillerRabinIterationCount, context.raw(), NULL);
if (result == 1) {
return true;
} else if (result != 0) {
_failed = true;
}
return false;
}
unsigned int modWord(unsigned int word) const {
Expects(word != 0);
if (failed()) {
return (BN_ULONG)-1;
}
auto result = BN_mod_word(raw(), word);
if (result == (BN_ULONG)-1) {
_failed = true;
}
return result;
}
int bitsSize() const {
return failed() ? 0 : BN_num_bits(raw());
}
int bytesSize() const {
return failed() ? 0 : BN_num_bytes(raw());
}
std::vector<gsl::byte> getBytes() const {
@ -125,12 +186,24 @@ public:
return _failed;
}
static BigNum ModExp(const BigNum &base, const BigNum &power, const openssl::BigNum &mod) {
BigNum result;
result.setModExp(base, power, mod);
return result;
}
private:
BIGNUM _data;
bool _failed = false;
mutable bool _failed = false;
};
inline BigNum operator-(const BigNum &a, const BigNum &b) {
BigNum result;
result.setSub(a, b);
return result;
}
inline std::array<gsl::byte, SHA256_DIGEST_LENGTH> Sha256(base::const_byte_span bytes) {
auto result = std::array<gsl::byte, SHA256_DIGEST_LENGTH>();
SHA256(reinterpret_cast<const unsigned char*>(bytes.data()), bytes.size(), reinterpret_cast<unsigned char*>(result.data()));
@ -143,4 +216,8 @@ inline std::array<gsl::byte, SHA_DIGEST_LENGTH> Sha1(base::const_byte_span bytes
return result;
}
inline int FillRandom(base::byte_span bytes) {
return RAND_bytes(reinterpret_cast<unsigned char*>(bytes.data()), bytes.size());
}
} // namespace openssl

107
Telegram/SourceFiles/calls/calls_call.cpp
View File

@ -24,9 +24,7 @@ Copyright (c) 2014-2017 John Preston, https://desktop.telegram.org
#include "mainwidget.h"
#include "calls/calls_instance.h"
#include "base/openssl_help.h"
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "mtproto/connection.h"
#ifdef slots
#undef slots
@ -59,25 +57,6 @@ void ConvertEndpoint(std::vector<tgvoip::Endpoint> &ep, const MTPDphoneConnectio
ep.push_back(Endpoint((int64_t)mtc.vid.v, (uint16_t)mtc.vport.v, ipv4, ipv6, EP_TYPE_UDP_RELAY, (unsigned char*)mtc.vpeer_tag.v.data()));
}
std::vector<gsl::byte> ComputeModExp(const DhConfig &config, const openssl::BigNum &base, const std::array<gsl::byte, Call::kRandomPowerSize> &randomPower) {
using namespace openssl;
BigNum resultBN;
resultBN.setModExp(base, BigNum(randomPower), BigNum(config.p));
auto result = resultBN.getBytes();
constexpr auto kMaxModExpSize = 256;
t_assert(result.size() <= kMaxModExpSize);
return result;
}
std::vector<gsl::byte> ComputeModExpFirst(const DhConfig &config, const std::array<gsl::byte, Call::kRandomPowerSize> &randomPower) {
return ComputeModExp(config, openssl::BigNum(config.g), randomPower);
}
std::vector<gsl::byte> ComputeModExpFinal(const DhConfig &config, base::const_byte_span first, const std::array<gsl::byte, Call::kRandomPowerSize> &randomPower) {
return ComputeModExp(config, openssl::BigNum(first), randomPower);
}
constexpr auto kFingerprintDataSize = 256;
uint64 ComputeFingerprint(const std::array<gsl::byte, kFingerprintDataSize> &authKey) {
auto hash = openssl::Sha1(authKey);
@ -102,11 +81,20 @@ Call::Call(gsl::not_null<Delegate*> delegate, gsl::not_null<UserData*> user, Typ
}
}
void Call::generateRandomPower(base::const_byte_span random) {
Expects(random.size() == _randomPower.size());
memset_rand(_randomPower.data(), _randomPower.size());
for (auto i = 0, count = int(_randomPower.size()); i != count; i++) {
_randomPower[i] ^= random[i];
void Call::generateModExpFirst(base::const_byte_span randomSeed) {
auto first = MTP::CreateModExp(_dhConfig.g, _dhConfig.p, randomSeed);
if (first.modexp.empty()) {
LOG(("Call Error: Could not compute mod-exp first."));
setState(State::Failed);
return;
}
_randomPower = first.randomPower;
if (_type == Type::Incoming) {
_gb = std::move(first.modexp);
} else {
_ga = std::move(first.modexp);
_gaHash = openssl::Sha256(_ga);
}
}
@ -117,27 +105,21 @@ void Call::start(base::const_byte_span random) {
t_assert(_dhConfig.g != 0);
t_assert(!_dhConfig.p.empty());
generateRandomPower(random);
if (_type == Type::Outgoing) {
startOutgoing();
} else {
startIncoming();
generateModExpFirst(random);
if (_state != State::Failed) {
if (_type == Type::Outgoing) {
startOutgoing();
} else {
startIncoming();
}
}
}
void Call::startOutgoing() {
_ga = ComputeModExpFirst(_dhConfig, _randomPower);
if (_ga.empty()) {
LOG(("Call Error: Could not compute mod-exp first."));
setState(State::Failed);
return;
}
_gaHash = openssl::Sha256(_ga);
auto randomID = rand_value<int32>();
Expects(_type == Type::Outgoing);
setState(State::Requesting);
request(MTPphone_RequestCall(_user->inputUser, MTP_int(randomID), MTP_bytes(_gaHash), MTP_phoneCallProtocol(MTP_flags(MTPDphoneCallProtocol::Flag::f_udp_p2p | MTPDphoneCallProtocol::Flag::f_udp_reflector), MTP_int(kMinLayer), MTP_int(kMaxLayer)))).done([this](const MTPphone_PhoneCall &result) {
request(MTPphone_RequestCall(_user->inputUser, MTP_int(rand_value<int32>()), MTP_bytes(_gaHash), MTP_phoneCallProtocol(MTP_flags(MTPDphoneCallProtocol::Flag::f_udp_p2p | MTPDphoneCallProtocol::Flag::f_udp_reflector), MTP_int(kMinLayer), MTP_int(kMaxLayer)))).done([this](const MTPphone_PhoneCall &result) {
Expects(result.type() == mtpc_phone_phoneCall);
auto &call = result.c_phone_phoneCall();
App::feedUsers(call.vusers);
@ -163,17 +145,17 @@ void Call::startOutgoing() {
}
void Call::startIncoming() {
setState(State::Ringing);
Expects(_type == Type::Incoming);
request(MTPphone_ReceivedCall(MTP_inputPhoneCall(MTP_long(_id), MTP_long(_accessHash)))).done([this](const MTPBool &result) {
setState(State::Ringing);
}).fail([this](const RPCError &error) {
setState(State::Failed);
}).send();
}
void Call::answer() {
Expects(_type == Type::Incoming);
_gb = ComputeModExpFirst(_dhConfig, _randomPower);
if (_gb.empty()) {
LOG(("Call Error: Could not compute mod-exp first."));
setState(State::Failed);
return;
}
setState(State::ExchangingKeys);
request(MTPphone_AcceptCall(MTP_inputPhoneCall(MTP_long(_id), MTP_long(_accessHash)), MTP_bytes(_gb), _protocol)).done([this](const MTPphone_PhoneCall &result) {
@ -300,23 +282,15 @@ bool Call::handleUpdate(const MTPPhoneCall &call) {
void Call::confirmAcceptedCall(const MTPDphoneCallAccepted &call) {
Expects(_type == Type::Outgoing);
// TODO check isGoodGaAndGb
auto computedAuthKey = ComputeModExpFinal(_dhConfig, byteVectorFromMTP(call.vg_b), _randomPower);
auto firstBytes = bytesFromMTP(call.vg_b);
auto computedAuthKey = MTP::CreateAuthKey(firstBytes, _randomPower, _dhConfig.p);
if (computedAuthKey.empty()) {
LOG(("Call Error: Could not compute mod-exp final."));
setState(State::Failed);
return;
}
auto computedAuthKeySize = computedAuthKey.size();
t_assert(computedAuthKeySize <= kAuthKeySize);
auto authKeyBytes = gsl::make_span(_authKey);
if (computedAuthKeySize < kAuthKeySize) {
base::set_bytes(authKeyBytes.subspan(0, kAuthKeySize - computedAuthKeySize), gsl::byte());
base::copy_bytes(authKeyBytes.subspan(kAuthKeySize - computedAuthKeySize), computedAuthKey);
} else {
base::copy_bytes(authKeyBytes, computedAuthKey);
}
MTP::AuthKey::FillData(_authKey, computedAuthKey);
_keyFingerprint = ComputeFingerprint(_authKey);
setState(State::ExchangingKeys);
@ -346,23 +320,14 @@ void Call::startConfirmedCall(const MTPDphoneCall &call) {
return;
}
// TODO check isGoodGaAndGb
auto computedAuthKey = ComputeModExpFinal(_dhConfig, firstBytes, _randomPower);
auto computedAuthKey = MTP::CreateAuthKey(firstBytes, _randomPower, _dhConfig.p);
if (computedAuthKey.empty()) {
LOG(("Call Error: Could not compute mod-exp final."));
setState(State::Failed);
return;
}
auto computedAuthKeySize = computedAuthKey.size();
t_assert(computedAuthKeySize <= kAuthKeySize);
auto authKeyBytes = gsl::make_span(_authKey);
if (computedAuthKeySize < kAuthKeySize) {
base::set_bytes(authKeyBytes.subspan(0, kAuthKeySize - computedAuthKeySize), gsl::byte());
base::copy_bytes(authKeyBytes.subspan(kAuthKeySize - computedAuthKeySize), computedAuthKey);
} else {
base::copy_bytes(authKeyBytes, computedAuthKey);
}
MTP::AuthKey::FillData(_authKey, computedAuthKey);
_keyFingerprint = ComputeFingerprint(_authKey);
createAndStartController(call);

8
Telegram/SourceFiles/calls/calls_call.h
View File

@ -21,8 +21,9 @@ Copyright (c) 2014-2017 John Preston, https://desktop.telegram.org
#pragma once
#include "base/weak_unique_ptr.h"
#include "mtproto/sender.h"
#include "base/timer.h"
#include "mtproto/sender.h"
#include "mtproto/auth_key.h"
namespace tgvoip {
class VoIPController;
@ -93,14 +94,13 @@ public:
~Call();
private:
static constexpr auto kAuthKeySize = 256;
static constexpr auto kSha256Size = 32;
void finish(const MTPPhoneCallDiscardReason &reason);
void startOutgoing();
void startIncoming();
void generateRandomPower(base::const_byte_span random);
void generateModExpFirst(base::const_byte_span randomSeed);
void handleControllerStateChange(tgvoip::VoIPController *controller, int state);
void createAndStartController(const MTPDphoneCall &call);
@ -129,7 +129,7 @@ private:
std::vector<gsl::byte> _gb;
std::array<gsl::byte, kSha256Size> _gaHash;
std::array<gsl::byte, kRandomPowerSize> _randomPower;
std::array<gsl::byte, kAuthKeySize> _authKey;
MTP::AuthKey::Data _authKey;
MTPPhoneCallProtocol _protocol;
uint64 _id = 0;

2
Telegram/SourceFiles/calls/calls_instance.cpp
View File

@ -63,7 +63,7 @@ void Instance::refreshDhConfig() {
switch (result.type()) {
case mtpc_messages_dhConfig: {
auto &config = result.c_messages_dhConfig();
if (!MTP::IsPrimeAndGood(config.vp.v, config.vg.v)) {
if (!MTP::IsPrimeAndGood(bytesFromMTP(config.vp), config.vg.v)) {
LOG(("API Error: bad p/g received in dhConfig."));
callFailed(call.get());
return;

9
Telegram/SourceFiles/core/utils.h
View File

@ -22,6 +22,7 @@ Copyright (c) 2014-2017 John Preston, https://desktop.telegram.org
#include "core/basic_types.h"
#include <array>
#include <vector>
#include <algorithm>
#include <set>
#include <gsl/gsl>
@ -204,6 +205,9 @@ using set_of_shared_ptr = std::set<std::shared_ptr<T>, base::pointer_comparator<
using byte_span = gsl::span<gsl::byte>;
using const_byte_span = gsl::span<const gsl::byte>;
using byte_vector = std::vector<gsl::byte>;
template <size_t N>
using byte_array = std::array<gsl::byte, N>;
inline void copy_bytes(byte_span destination, const_byte_span source) {
Expects(destination.size() >= source.size());
@ -214,6 +218,11 @@ inline void set_bytes(byte_span destination, gsl::byte value) {
memset(destination.data(), gsl::to_integer<unsigned char>(value), destination.size());
}
inline int compare_bytes(const_byte_span a, const_byte_span b) {
auto aSize = a.size(), bSize = b.size();
return (aSize > bSize) ? 1 : (aSize < bSize) ? -1 : memcmp(a.data(), b.data(), aSize);
}
} // namespace base
// using for_const instead of plain range-based for loop to ensure usage of const_iterator

18
Telegram/SourceFiles/mtproto/auth_key.h
View File

@ -28,7 +28,7 @@ namespace MTP {
class AuthKey {
public:
static constexpr auto kSize = 256; // 2048 bits.
using Data = std::array<char, kSize>;
using Data = std::array<gsl::byte, kSize>;
using KeyId = uint64;
enum class Type {
@ -94,13 +94,25 @@ public:
}
void write(QDataStream &to) const {
to.writeRawData(_key.data(), _key.size());
to.writeRawData(reinterpret_cast<const char*>(_key.data()), _key.size());
}
bool equals(const std::shared_ptr<AuthKey> &other) const {
return other ? (_key == other->_key) : false;
}
static void FillData(Data &authKey, base::const_byte_span computedAuthKey) {
auto computedAuthKeySize = computedAuthKey.size();
t_assert(computedAuthKeySize <= kSize);
auto authKeyBytes = gsl::make_span(authKey);
if (computedAuthKeySize < kSize) {
base::set_bytes(authKeyBytes.subspan(0, kSize - computedAuthKeySize), gsl::byte());
base::copy_bytes(authKeyBytes.subspan(kSize - computedAuthKeySize), computedAuthKey);
} else {
base::copy_bytes(authKeyBytes, computedAuthKey);
}
}
private:
void countKeyId() {
auto sha1 = hashSha1(_key.data(), _key.size());
@ -111,7 +123,7 @@ private:
Type _type = Type::Generated;
DcId _dcId = 0;
Data _key = { { 0 } };
Data _key = { { gsl::byte{} } };
KeyId _keyId = 0;
};

470
Telegram/SourceFiles/mtproto/connection.cpp
View File

@ -28,6 +28,7 @@ Copyright (c) 2014-2017 John Preston, https://desktop.telegram.org
#include <openssl/rand.h>
#include "zlib.h"
#include "lang.h"
#include "base/openssl_help.h"
#include "mtproto/rsa_public_key.h"
#include "messenger.h"
@ -40,6 +41,149 @@ namespace {
constexpr auto kRecreateKeyId = AuthKey::KeyId(0xFFFFFFFFFFFFFFFFULL);
constexpr auto kIntSize = static_cast<int>(sizeof(mtpPrime));
constexpr auto kMaxModExpSize = 256;
bool IsGoodModExpFirst(const openssl::BigNum &modexp, const openssl::BigNum &prime) {
auto diff = prime - modexp;
if (modexp.failed() || prime.failed() || diff.failed()) {
return false;
}
constexpr auto kMinDiffBitsCount = 2048 - 64;
if (diff.isNegative() || diff.bitsSize() < kMinDiffBitsCount || modexp.bitsSize() < kMinDiffBitsCount) {
return false;
}
t_assert(modexp.bytesSize() <= kMaxModExpSize);
return true;
}
bool IsPrimeAndGoodCheck(const openssl::BigNum &prime, int g) {
constexpr auto kGoodPrimeBitsCount = 2048;
if (prime.failed() || prime.isNegative() || prime.bitsSize() != kGoodPrimeBitsCount) {
LOG(("MTP Error: Bad prime bits count %1, expected %2.").arg(prime.bitsSize()).arg(kGoodPrimeBitsCount));
return false;
}
openssl::Context context;
if (!prime.isPrime(context)) {
LOG(("MTP Error: Bad prime."));
return false;
}
switch (g) {
case 2: {
auto mod8 = prime.modWord(8);
if (mod8 != 7) {
LOG(("BigNum PT Error: bad g value: %1, mod8: %2").arg(g).arg(mod8));
return false;
}
} break;
case 3: {
auto mod3 = prime.modWord(3);
if (mod3 != 2) {
LOG(("BigNum PT Error: bad g value: %1, mod3: %2").arg(g).arg(mod3));
return false;
}
} break;
case 4: break;
case 5: {
auto mod5 = prime.modWord(5);
if (mod5 != 1 && mod5 != 4) {
LOG(("BigNum PT Error: bad g value: %1, mod5: %2").arg(g).arg(mod5));
return false;
}
} break;
case 6: {
auto mod24 = prime.modWord(24);
if (mod24 != 19 && mod24 != 23) {
LOG(("BigNum PT Error: bad g value: %1, mod24: %2").arg(g).arg(mod24));
return false;
}
} break;
case 7: {
auto mod7 = prime.modWord(7);
if (mod7 != 3 && mod7 != 5 && mod7 != 6) {
LOG(("BigNum PT Error: bad g value: %1, mod7: %2").arg(g).arg(mod7));
return false;
}
} break;
default: {
LOG(("BigNum PT Error: bad g value: %1").arg(g));
return false;
} break;
}
auto primeSubOneDivTwo = prime;
primeSubOneDivTwo.setSubWord(1);
primeSubOneDivTwo.setDivWord(2);
if (!primeSubOneDivTwo.isPrime(context)) {
LOG(("MTP Error: Bad (prime - 1) / 2."));
return false;
}
return true;
}
bool IsPrimeAndGood(base::const_byte_span primeBytes, int g) {
static constexpr unsigned char GoodPrime[] = {
0xC7, 0x1C, 0xAE, 0xB9, 0xC6, 0xB1, 0xC9, 0x04, 0x8E, 0x6C, 0x52, 0x2F, 0x70, 0xF1, 0x3F, 0x73,
0x98, 0x0D, 0x40, 0x23, 0x8E, 0x3E, 0x21, 0xC1, 0x49, 0x34, 0xD0, 0x37, 0x56, 0x3D, 0x93, 0x0F,
0x48, 0x19, 0x8A, 0x0A, 0xA7, 0xC1, 0x40, 0x58, 0x22, 0x94, 0x93, 0xD2, 0x25, 0x30, 0xF4, 0xDB,
0xFA, 0x33, 0x6F, 0x6E, 0x0A, 0xC9, 0x25, 0x13, 0x95, 0x43, 0xAE, 0xD4, 0x4C, 0xCE, 0x7C, 0x37,
0x20, 0xFD, 0x51, 0xF6, 0x94, 0x58, 0x70, 0x5A, 0xC6, 0x8C, 0xD4, 0xFE, 0x6B, 0x6B, 0x13, 0xAB,
0xDC, 0x97, 0x46, 0x51, 0x29, 0x69, 0x32, 0x84, 0x54, 0xF1, 0x8F, 0xAF, 0x8C, 0x59, 0x5F, 0x64,
0x24, 0x77, 0xFE, 0x96, 0xBB, 0x2A, 0x94, 0x1D, 0x5B, 0xCD, 0x1D, 0x4A, 0xC8, 0xCC, 0x49, 0x88,
0x07, 0x08, 0xFA, 0x9B, 0x37, 0x8E, 0x3C, 0x4F, 0x3A, 0x90, 0x60, 0xBE, 0xE6, 0x7C, 0xF9, 0xA4,
0xA4, 0xA6, 0x95, 0x81, 0x10, 0x51, 0x90, 0x7E, 0x16, 0x27, 0x53, 0xB5, 0x6B, 0x0F, 0x6B, 0x41,
0x0D, 0xBA, 0x74, 0xD8, 0xA8, 0x4B, 0x2A, 0x14, 0xB3, 0x14, 0x4E, 0x0E, 0xF1, 0x28, 0x47, 0x54,
0xFD, 0x17, 0xED, 0x95, 0x0D, 0x59, 0x65, 0xB4, 0xB9, 0xDD, 0x46, 0x58, 0x2D, 0xB1, 0x17, 0x8D,
0x16, 0x9C, 0x6B, 0xC4, 0x65, 0xB0, 0xD6, 0xFF, 0x9C, 0xA3, 0x92, 0x8F, 0xEF, 0x5B, 0x9A, 0xE4,
0xE4, 0x18, 0xFC, 0x15, 0xE8, 0x3E, 0xBE, 0xA0, 0xF8, 0x7F, 0xA9, 0xFF, 0x5E, 0xED, 0x70, 0x05,
0x0D, 0xED, 0x28, 0x49, 0xF4, 0x7B, 0xF9, 0x59, 0xD9, 0x56, 0x85, 0x0C, 0xE9, 0x29, 0x85, 0x1F,
0x0D, 0x81, 0x15, 0xF6, 0x35, 0xB1, 0x05, 0xEE, 0x2E, 0x4E, 0x15, 0xD0, 0x4B, 0x24, 0x54, 0xBF,
0x6F, 0x4F, 0xAD, 0xF0, 0x34, 0xB1, 0x04, 0x03, 0x11, 0x9C, 0xD8, 0xE3, 0xB9, 0x2F, 0xCC, 0x5B };
if (!base::compare_bytes(gsl::as_bytes(gsl::make_span(GoodPrime)), primeBytes)) {
if (g == 3 || g == 4 || g == 5 || g == 7) {
return true;
}
}
return IsPrimeAndGoodCheck(openssl::BigNum(primeBytes), g);
}
std::vector<gsl::byte> CreateAuthKey(base::const_byte_span firstBytes, base::const_byte_span randomBytes, base::const_byte_span primeBytes) {
using openssl::BigNum;
BigNum first(firstBytes);
BigNum prime(primeBytes);
if (!IsGoodModExpFirst(first, prime)) {
LOG(("AuthKey Error: Bad first prime in CreateAuthKey()."));
return std::vector<gsl::byte>();
}
return BigNum::ModExp(first, BigNum(randomBytes), prime).getBytes();
}
ModExpFirst CreateModExp(int g, base::const_byte_span primeBytes, base::const_byte_span randomSeed) {
Expects(randomSeed.size() == ModExpFirst::kRandomPowerSize);
using namespace openssl;
BigNum prime(primeBytes);
ModExpFirst result;
constexpr auto kMaxModExpFirstTries = 5;
for (auto tries = 0; tries != kMaxModExpFirstTries; ++tries) {
FillRandom(result.randomPower);
for (auto i = 0; i != ModExpFirst::kRandomPowerSize; ++i) {
result.randomPower[i] ^= randomSeed[i];
}
auto modexp = BigNum::ModExp(BigNum(g), BigNum(result.randomPower), prime);
if (IsGoodModExpFirst(modexp, prime)) {
result.modexp = modexp.getBytes();
break;
}
}
return result;
}
void wrapInvokeAfter(mtpRequest &to, const mtpRequest &from, const mtpRequestMap &haveSent, int32 skipBeforeRequest = 0) {
mtpMsgId afterId(*(mtpMsgId*)(from->after->data() + 4));
@ -106,240 +250,6 @@ bool parsePQ(const QByteArray &pqStr, QByteArray &pStr, QByteArray &qStr) {
return true;
}
class BigNumCounter {
public:
BigNumCounter() : ctx(BN_CTX_new()) {
BN_init(&bnPower);
BN_init(&bnModul);
BN_init(&bn_g);
BN_init(&bn_g_a);
BN_init(&bnResult);
BN_init(&bnTemp);
}
~BigNumCounter() {
BN_CTX_free(ctx);
BN_clear_free(&bnPower);
BN_clear_free(&bnModul);
BN_clear_free(&bn_g);
BN_clear_free(&bn_g_a);
BN_clear_free(&bnResult);
BN_clear_free(&bnTemp);
}
bool count(const void *power, const void *modul, uint32 g, void *gResult, const void *g_a, void *g_aResult) {
DEBUG_LOG(("BigNum Info: counting g_b = g ^ b % dh_prime and auth_key = g_a ^ b % dh_prime"));
uint32 g_be = qToBigEndian(g);
if (
!BN_bin2bn((const uchar*)power, 64 * sizeof(uint32), &bnPower) ||
!BN_bin2bn((const uchar*)modul, 64 * sizeof(uint32), &bnModul) ||
!BN_bin2bn((const uchar*)&g_be, sizeof(uint32), &bn_g) ||
!BN_bin2bn((const uchar*)g_a, 64 * sizeof(uint32), &bn_g_a)
) {
ERR_load_crypto_strings();
LOG(("BigNum Error: BN_bin2bn failed, error: %1").arg(ERR_error_string(ERR_get_error(), 0)));
DEBUG_LOG(("BigNum Error: base %1, power %2, modul %3").arg(Logs::mb(&g_be, sizeof(uint32)).str()).arg(Logs::mb(power, 64 * sizeof(uint32)).str()).arg(Logs::mb(modul, 64 * sizeof(uint32)).str()));
return false;
}
if (!BN_mod_exp(&bnResult, &bn_g, &bnPower, &bnModul, ctx)) {
ERR_load_crypto_strings();
LOG(("BigNum Error: BN_mod_exp failed, error: %1").arg(ERR_error_string(ERR_get_error(), 0)));
DEBUG_LOG(("BigNum Error: base %1, power %2, modul %3").arg(Logs::mb(&g_be, sizeof(uint32)).str()).arg(Logs::mb(power, 64 * sizeof(uint32)).str()).arg(Logs::mb(modul, 64 * sizeof(uint32)).str()));
return false;
}
// check g_b > 2^{2048 - 8} and get the value of g_b
if (BN_is_negative(&bnResult)) {
LOG(("BigNum Error: bad g_b - negative"));
return false;
}
uint32 resultLen = BN_num_bytes(&bnResult);
if (resultLen != 64 * sizeof(uint32)) {
LOG(("BigNum Error: bad g_b len (%1)").arg(resultLen));
return false;
}
resultLen = BN_bn2bin(&bnResult, (uchar*)gResult);
if (resultLen != 64 * sizeof(uint32)) {
LOG(("BigNum Error: bad g_b export len (%1)").arg(resultLen));
return false;
}
// check g_b < dh_prime - 2^{2048 - 8}
BN_sub(&bnTemp, &bnModul, &bnResult);
if (BN_is_negative(&bnTemp)) {
DEBUG_LOG(("BigNum Error: bad g_b > dh_prime"));
return false;
}
if (BN_num_bytes(&bnTemp) != 64 * sizeof(uint32)) {
DEBUG_LOG(("BigNum Error: bad g_b > dh_prime - 2^{2048 - 8}"));
return false;
}
if (!BN_mod_exp(&bnResult, &bn_g_a, &bnPower, &bnModul, ctx)) {
ERR_load_crypto_strings();
LOG(("BigNum Error: BN_mod_exp failed, error: %1").arg(ERR_error_string(ERR_get_error(), 0)));
DEBUG_LOG(("BigNum Error: base %1, power %2, modul %3").arg(Logs::mb(&g_be, sizeof(uint32)).str()).arg(Logs::mb(power, 64 * sizeof(uint32)).str()).arg(Logs::mb(modul, 64 * sizeof(uint32)).str()));
return false;
}
resultLen = BN_num_bytes(&bnResult);
if (resultLen != 64 * sizeof(uint32)) {
DEBUG_LOG(("BigNum Error: bad g_aResult len (%1)").arg(resultLen));
return false;
}
resultLen = BN_bn2bin(&bnResult, (uchar*)g_aResult);
if (resultLen != 64 * sizeof(uint32)) {
DEBUG_LOG(("BigNum Error: bad g_aResult export len (%1)").arg(resultLen));
return false;
}
// check g_a > 2^{2048 - 8}
if (BN_is_negative(&bn_g_a)) {
LOG(("BigNum Error: bad g_a - negative"));
return false;
}
resultLen = BN_num_bytes(&bn_g_a);
if (resultLen != 64 * sizeof(uint32)) {
LOG(("BigNum Error: bad g_a len (%1)").arg(resultLen));
return false;
}
// check g_a < dh_prime - 2^{2048 - 8}
BN_sub(&bnTemp, &bnModul, &bn_g_a);
if (BN_is_negative(&bnTemp)) {
LOG(("BigNum Error: bad g_b > dh_prime"));
return false;
}
if (BN_num_bytes(&bnTemp) != 64 * sizeof(uint32)) {
LOG(("BigNum Error: bad g_b > dh_prime - 2^{2048 - 8}"));
return false;
}
return true;
}
private:
BIGNUM bnPower, bnModul, bn_g, bn_g_a, bnResult, bnTemp;
BN_CTX *ctx;
};
// Miller-Rabin primality test
class BigNumPrimeTest {
public:
BigNumPrimeTest() : _context(BN_CTX_new()) {
BN_init(&_prime);
}
~BigNumPrimeTest() {
BN_clear_free(&_prime);
BN_CTX_free(_context);
}
bool isPrimeAndGood(const QByteArray &data, int g) {
constexpr auto kMillerRabinIterationCount = 30;
constexpr auto kGoodPrimeSize = 256;
if (data.size() != kGoodPrimeSize) {
LOG(("BigNum PT Error: data size %1").arg(data.size()));
return false;
}
if (!memcmp(data.constData(), "\
\xC7\x1C\xAE\xB9\xC6\xB1\xC9\x04\x8E\x6C\x52\x2F\x70\xF1\x3F\x73\
\x98\x0D\x40\x23\x8E\x3E\x21\xC1\x49\x34\xD0\x37\x56\x3D\x93\x0F\
\x48\x19\x8A\x0A\xA7\xC1\x40\x58\x22\x94\x93\xD2\x25\x30\xF4\xDB\
\xFA\x33\x6F\x6E\x0A\xC9\x25\x13\x95\x43\xAE\xD4\x4C\xCE\x7C\x37\
\x20\xFD\x51\xF6\x94\x58\x70\x5A\xC6\x8C\xD4\xFE\x6B\x6B\x13\xAB\
\xDC\x97\x46\x51\x29\x69\x32\x84\x54\xF1\x8F\xAF\x8C\x59\x5F\x64\
\x24\x77\xFE\x96\xBB\x2A\x94\x1D\x5B\xCD\x1D\x4A\xC8\xCC\x49\x88\
\x07\x08\xFA\x9B\x37\x8E\x3C\x4F\x3A\x90\x60\xBE\xE6\x7C\xF9\xA4\
\xA4\xA6\x95\x81\x10\x51\x90\x7E\x16\x27\x53\xB5\x6B\x0F\x6B\x41\
\x0D\xBA\x74\xD8\xA8\x4B\x2A\x14\xB3\x14\x4E\x0E\xF1\x28\x47\x54\
\xFD\x17\xED\x95\x0D\x59\x65\xB4\xB9\xDD\x46\x58\x2D\xB1\x17\x8D\
\x16\x9C\x6B\xC4\x65\xB0\xD6\xFF\x9C\xA3\x92\x8F\xEF\x5B\x9A\xE4\
\xE4\x18\xFC\x15\xE8\x3E\xBE\xA0\xF8\x7F\xA9\xFF\x5E\xED\x70\x05\
\x0D\xED\x28\x49\xF4\x7B\xF9\x59\xD9\x56\x85\x0C\xE9\x29\x85\x1F\
\x0D\x81\x15\xF6\x35\xB1\x05\xEE\x2E\x4E\x15\xD0\x4B\x24\x54\xBF\
\x6F\x4F\xAD\xF0\x34\xB1\x04\x03\x11\x9C\xD8\xE3\xB9\x2F\xCC\x5B", kGoodPrimeSize)) {
if (g == 3 || g == 4 || g == 5 || g == 7) {
return true;
}
}
if (!BN_bin2bn((const uchar*)data.constData(), kGoodPrimeSize, &_prime)) {
ERR_load_crypto_strings();
LOG(("BigNum PT Error: BN_bin2bn failed, error: %1").arg(ERR_error_string(ERR_get_error(), 0)));
DEBUG_LOG(("BigNum PT Error: prime %1").arg(Logs::mb(data.constData(), kGoodPrimeSize).str()));
return false;
}
auto numBits = BN_num_bits(&_prime);
if (numBits != 2048) {
LOG(("BigNum PT Error: BN_bin2bn failed, bad dh_prime num bits: %1").arg(numBits));
return false;
}
if (BN_is_prime_ex(&_prime, kMillerRabinIterationCount, _context, NULL) == 0) {
return false;
}
switch (g) {
case 2: {
auto mod8 = BN_mod_word(&_prime, 8);
if (mod8 != 7) {
LOG(("BigNum PT Error: bad g value: %1, mod8: %2").arg(g).arg(mod8));
return false;
}
} break;
case 3: {
auto mod3 = BN_mod_word(&_prime, 3);
if (mod3 != 2) {
LOG(("BigNum PT Error: bad g value: %1, mod3: %2").arg(g).arg(mod3));
return false;
}
} break;
case 4: break;
case 5: {
auto mod5 = BN_mod_word(&_prime, 5);
if (mod5 != 1 && mod5 != 4) {
LOG(("BigNum PT Error: bad g value: %1, mod5: %2").arg(g).arg(mod5));
return false;
}
} break;
case 6: {
auto mod24 = BN_mod_word(&_prime, 24);
if (mod24 != 19 && mod24 != 23) {
LOG(("BigNum PT Error: bad g value: %1, mod24: %2").arg(g).arg(mod24));
return false;
}
} break;
case 7: {
auto mod7 = BN_mod_word(&_prime, 7);
if (mod7 != 3 && mod7 != 5 && mod7 != 6) {
LOG(("BigNum PT Error: bad g value: %1, mod7: %2").arg(g).arg(mod7));
return false;
}
} break;
default: {
LOG(("BigNum PT Error: bad g value: %1").arg(g));
return false;
} break;
}
BN_sub_word(&_prime, 1); // (p - 1) / 2
BN_div_word(&_prime, 2);
if (BN_is_prime_ex(&_prime, kMillerRabinIterationCount, _context, NULL) == 0) {
return false;
}
return true;
}
private:
BIGNUM _prime;
BN_CTX *_context;
};
} // namespace
Connection::Connection(Instance *instance) : _instance(instance) {
@ -2467,11 +2377,11 @@ void ConnectionPrivate::pqAnswered() {
req_DH_params.vpublic_key_fingerprint = MTP_long(rsaKey.getFingerPrint());
req_DH_params.vp = p_q_inner.c_p_q_inner_data().vp;
req_DH_params.vq = p_q_inner.c_p_q_inner_data().vq;
req_DH_params.vencrypted_data = MTP_string(std::move(dhEncString));
req_DH_params.vencrypted_data = MTP_bytes(dhEncString);
sendRequestNotSecure(req_DH_params);
}
std::string ConnectionPrivate::encryptPQInnerRSA(const MTPP_Q_inner_data &data, const MTP::internal::RSAPublicKey &key) {
base::byte_vector ConnectionPrivate::encryptPQInnerRSA(const MTPP_Q_inner_data &data, const MTP::internal::RSAPublicKey &key) {
auto p_q_inner_size = data.innerLength();
auto encSize = (p_q_inner_size >> 2) + 6;
if (encSize >= 65) {
@ -2480,7 +2390,7 @@ std::string ConnectionPrivate::encryptPQInnerRSA(const MTPP_Q_inner_data &data,
data.write(tmp);
LOG(("AuthKey Error: too large data for RSA encrypt, size %1").arg(encSize * sizeof(mtpPrime)));
DEBUG_LOG(("AuthKey Error: bad data for RSA encrypt %1").arg(Logs::mb(&tmp[0], tmp.size() * 4).str()));
return std::string(); // can't be 255-byte string
return base::byte_vector(); // can't be 255-byte string
}
auto encBuffer = mtpBuffer();
@ -2495,11 +2405,9 @@ std::string ConnectionPrivate::encryptPQInnerRSA(const MTPP_Q_inner_data &data,
memset_rand(&encBuffer[encSize], (65 - encSize) * sizeof(mtpPrime));
}
auto dhEncString = std::string();
if (!key.encrypt(reinterpret_cast<const char*>(&encBuffer[0]) + 3, dhEncString)) {
return std::string();
}
return dhEncString;
auto bytes = gsl::as_bytes(gsl::make_span(encBuffer));
auto bytesToEncrypt = bytes.subspan(3, 256);
return key.encrypt(bytesToEncrypt);
}
void ConnectionPrivate::dhParamsAnswered() {
@ -2576,24 +2484,15 @@ void ConnectionPrivate::dhParamsAnswered() {
}
unixtimeSet(dh_inner_data.vserver_time.v);
auto &dhPrime = dh_inner_data.vdh_prime.v;
auto &g_a = dh_inner_data.vg_a.v;
if (dhPrime.length() != 256 || g_a.length() != 256) {
LOG(("AuthKey Error: bad dh_prime len (%1) or g_a len (%2)").arg(dhPrime.length()).arg(g_a.length()));
DEBUG_LOG(("AuthKey Error: dh_prime %1, g_a %2").arg(Logs::mb(dhPrime.constData(), dhPrime.length()).str()).arg(Logs::mb(g_a.constData(), g_a.length()).str()));
// check that dhPrime and (dhPrime - 1) / 2 are really prime
if (!IsPrimeAndGood(bytesFromMTP(dh_inner_data.vdh_prime), dh_inner_data.vg.v)) {
LOG(("AuthKey Error: bad dh_prime primality!"));
return restart();
}
// check that dhPrime and (dhPrime - 1) / 2 are really prime using openssl BIGNUM methods
if (!IsPrimeAndGood(dhPrime, dh_inner_data.vg.v)) {
LOG(("AuthKey Error: bad dh_prime primality!").arg(dhPrime.length()).arg(g_a.length()));
DEBUG_LOG(("AuthKey Error: dh_prime %1").arg(Logs::mb(dhPrime.constData(), dhPrime.length()).str()));
return restart();
}
_authKeyStrings->dh_prime = QByteArray(dhPrime.data(), dhPrime.size());
_authKeyStrings->dh_prime = byteVectorFromMTP(dh_inner_data.vdh_prime);
_authKeyData->g = dh_inner_data.vg.v;
_authKeyStrings->g_a = QByteArray(g_a.data(), g_a.size());
_authKeyStrings->g_a = byteVectorFromMTP(dh_inner_data.vg_a);
_authKeyData->retry_id = MTP_long(0);
_authKeyData->retries = 0;
} return dhClientParamsSend();
@ -2630,25 +2529,28 @@ void ConnectionPrivate::dhClientParamsSend() {
return restart();
}
auto g_b_string = std::string(256, ' ');
// gen rand 'b'
uint32 b[64];
auto g_b = reinterpret_cast<uint32*>(&g_b_string[0]);
memset_rand(b, sizeof(b));
// count g_b and auth_key using openssl BIGNUM methods
MTP::internal::BigNumCounter bnCounter;
if (!bnCounter.count(b, _authKeyStrings->dh_prime.constData(), _authKeyData->g, g_b, _authKeyStrings->g_a.constData(), _authKeyStrings->auth_key.data())) {
return dhClientParamsSend();
auto randomSeed = std::array<gsl::byte, ModExpFirst::kRandomPowerSize>();
openssl::FillRandom(randomSeed);
auto g_b_data = CreateModExp(_authKeyData->g, _authKeyStrings->dh_prime, randomSeed);
if (g_b_data.modexp.empty()) {
LOG(("AuthKey Error: could not generate good g_b."));
return restart();
}
auto computedAuthKey = CreateAuthKey(_authKeyStrings->g_a, g_b_data.randomPower, _authKeyStrings->dh_prime);
if (computedAuthKey.empty()) {
LOG(("AuthKey Error: could not generate auth_key."));
return restart();
}
AuthKey::FillData(_authKeyStrings->auth_key, computedAuthKey);
// count auth_key hashes - parts of sha1(auth_key)
auto auth_key_sha = hashSha1(_authKeyStrings->auth_key.data(), _authKeyStrings->auth_key.size());
memcpy(&_authKeyData->auth_key_aux_hash, auth_key_sha.data(), 8);
memcpy(&_authKeyData->auth_key_hash, auth_key_sha.data() + 12, 8);
auto client_dh_inner = MTP_client_DH_inner_data(_authKeyData->nonce, _authKeyData->server_nonce, _authKeyData->retry_id, MTP_string(std::move(g_b_string)));
auto client_dh_inner = MTP_client_DH_inner_data(_authKeyData->nonce, _authKeyData->server_nonce, _authKeyData->retry_id, MTP_bytes(g_b_data.modexp));
auto sdhEncString = encryptClientDHInner(client_dh_inner);
@ -2826,28 +2728,28 @@ void ConnectionPrivate::authKeyCreated() {
}
void ConnectionPrivate::clearAuthKeyData() {
auto zeroMemory = [](void *data, int size) {
#ifdef Q_OS_WIN
SecureZeroMemory(data, size);
auto zeroMemory = [](base::byte_span bytes) {
#ifdef Q_OS_WIN2
SecureZeroMemory(bytes.data(), bytes.size());
#else // Q_OS_WIN
auto end = static_cast<char*>(data) + size;
for (volatile auto p = static_cast<volatile char*>(data); p != end; ++p) {
auto end = reinterpret_cast<char*>(bytes.data()) + bytes.size();
for (volatile auto p = reinterpret_cast<volatile char*>(bytes.data()); p != end; ++p) {
*p = 0;
}
#endif // Q_OS_WIN
};
if (_authKeyData) {
zeroMemory(_authKeyData.get(), sizeof(AuthKeyCreateData));
zeroMemory(gsl::make_span(reinterpret_cast<gsl::byte*>(_authKeyData.get()), sizeof(AuthKeyCreateData)));
_authKeyData.reset();
}
if (_authKeyStrings) {
if (!_authKeyStrings->dh_prime.isEmpty()) {
zeroMemory(_authKeyStrings->dh_prime.data(), _authKeyStrings->dh_prime.size());
if (!_authKeyStrings->dh_prime.empty()) {
zeroMemory(_authKeyStrings->dh_prime);
}
if (!_authKeyStrings->g_a.isEmpty()) {
zeroMemory(_authKeyStrings->g_a.data(), _authKeyStrings->g_a.size());
if (!_authKeyStrings->g_a.empty()) {
zeroMemory(_authKeyStrings->g_a);
}
zeroMemory(_authKeyStrings->auth_key.data(), _authKeyStrings->auth_key.size());
zeroMemory(_authKeyStrings->auth_key);
_authKeyStrings.reset();
}
}
@ -3082,8 +2984,16 @@ void ConnectionPrivate::stop() {
} // namespace internal
bool IsPrimeAndGood(const QByteArray &data, int g) {
return MTP::internal::BigNumPrimeTest().isPrimeAndGood(data, g);
bool IsPrimeAndGood(base::const_byte_span primeBytes, int g) {
return internal::IsPrimeAndGood(primeBytes, g);
}
ModExpFirst CreateModExp(int g, base::const_byte_span primeBytes, base::const_byte_span randomSeed) {
return internal::CreateModExp(g, primeBytes, randomSeed);
}
std::vector<gsl::byte> CreateAuthKey(base::const_byte_span firstBytes, base::const_byte_span randomBytes, base::const_byte_span primeBytes) {
return internal::CreateAuthKey(firstBytes, randomBytes, primeBytes);
}
} // namespace MTP

18
Telegram/SourceFiles/mtproto/connection.h
View File

@ -29,7 +29,15 @@ namespace MTP {
class Instance;
bool IsPrimeAndGood(const QByteArray &data, int g);
bool IsPrimeAndGood(base::const_byte_span primeBytes, int g);
struct ModExpFirst {
static constexpr auto kRandomPowerSize = 256;
std::vector<gsl::byte> modexp;
std::array<gsl::byte, kRandomPowerSize> randomPower;
};
ModExpFirst CreateModExp(int g, base::const_byte_span primeBytes, base::const_byte_span randomSeed);
std::vector<gsl::byte> CreateAuthKey(base::const_byte_span firstBytes, base::const_byte_span randomBytes, base::const_byte_span primeBytes);
namespace internal {
@ -185,7 +193,7 @@ private:
bool setState(int32 state, int32 ifState = Connection::UpdateAlways);
std::string encryptPQInnerRSA(const MTPP_Q_inner_data &data, const MTP::internal::RSAPublicKey &key);
base::byte_vector encryptPQInnerRSA(const MTPP_Q_inner_data &data, const MTP::internal::RSAPublicKey &key);
std::string encryptClientDHInner(const MTPClient_DH_Inner_Data &data);
Instance *_instance = nullptr;
@ -272,9 +280,9 @@ private:
uint32 msgs_sent = 0;
};
struct AuthKeyCreateStrings {
QByteArray dh_prime;
QByteArray g_a;
AuthKey::Data auth_key = { { 0 } };
std::vector<gsl::byte> dh_prime;
std::vector<gsl::byte> g_a;
AuthKey::Data auth_key = { { gsl::byte{} } };
};
std::unique_ptr<AuthKeyCreateData> _authKeyData;
std::unique_ptr<AuthKeyCreateStrings> _authKeyStrings;

12
Telegram/SourceFiles/mtproto/dc_options.cpp
View File

@ -229,15 +229,15 @@ QByteArray DcOptions::serialize() const {
}
struct SerializedPublicKey {
DcId dcId;
QByteArray n;
QByteArray e;
base::byte_vector n;
base::byte_vector e;
};
std::vector<SerializedPublicKey> publicKeys;
publicKeys.reserve(count);
for (auto &keysInDc : _cdnPublicKeys) {
for (auto &entry : keysInDc.second) {
publicKeys.push_back({ keysInDc.first, entry.second.getN(), entry.second.getE() });
size += sizeof(qint32) + Serialize::bytearraySize(publicKeys.back().n) + Serialize::bytearraySize(publicKeys.back().e);
size += sizeof(qint32) + Serialize::bytesSize(publicKeys.back().n) + Serialize::bytesSize(publicKeys.back().e);
}
}
@ -260,7 +260,7 @@ QByteArray DcOptions::serialize() const {
}
stream << qint32(publicKeys.size());
for (auto &key : publicKeys) {
stream << qint32(key.dcId) << key.n << key.e;
stream << qint32(key.dcId) << Serialize::bytes(key.n) << Serialize::bytes(key.e);
}
}
return result;
@ -309,8 +309,8 @@ void DcOptions::constructFromSerialized(const QByteArray &serialized) {
for (auto i = 0; i != count; ++i) {
qint32 dcId = 0;
QByteArray n, e;
stream >> dcId >> n >> e;
base::byte_vector n, e;
stream >> dcId >> Serialize::bytes(n) >> Serialize::bytes(e);
if (stream.status() != QDataStream::Ok) {
LOG(("MTP Error: Bad data for CDN config inside DcOptions::constructFromSerialized()"));
return;

42
Telegram/SourceFiles/mtproto/rsa_public_key.cpp
View File

@ -20,6 +20,7 @@ Copyright (c) 2014-2017 John Preston, https://desktop.telegram.org
*/
#include "mtproto/rsa_public_key.h"
#include "base/openssl_help.h"
#include <openssl/rsa.h>
#include <openssl/pem.h>
#include <openssl/bio.h>
@ -37,10 +38,10 @@ public:
computeFingerprint();
}
}
Private(const QByteArray &n, const QByteArray &e) : _rsa(RSA_new()) {
Private(base::const_byte_span nBytes, base::const_byte_span eBytes) : _rsa(RSA_new()) {
if (_rsa) {
_rsa->n = BN_bin2bn((const uchar*)n.data(), n.size(), _rsa->n);
_rsa->e = BN_bin2bn((const uchar*)e.data(), e.size(), _rsa->e);
_rsa->n = BN_dup(openssl::BigNum(nBytes).raw());
_rsa->e = BN_dup(openssl::BigNum(eBytes).raw());
if (!_rsa->n || !_rsa->e) {
RSA_free(base::take(_rsa));
} else {
@ -48,11 +49,11 @@ public:
}
}
}
QByteArray getN() const {
base::byte_vector getN() const {
Expects(isValid());
return toBytes(_rsa->n);
}
QByteArray getE() const {
base::byte_vector getE() const {
Expects(isValid());
return toBytes(_rsa->e);
}
@ -62,17 +63,18 @@ public:
bool isValid() const {
return _rsa != nullptr;
}
bool encrypt(const void *data, string &result) const {
base::byte_vector encrypt(base::const_byte_span data) const {
Expects(isValid());
result.resize(256);
auto res = RSA_public_encrypt(256, reinterpret_cast<const unsigned char*>(data), reinterpret_cast<uchar*>(&result[0]), _rsa, RSA_NO_PADDING);
if (res != 256) {
constexpr auto kEncryptSize = 256;
auto result = base::byte_vector(kEncryptSize, gsl::byte {});
auto res = RSA_public_encrypt(kEncryptSize, reinterpret_cast<const unsigned char*>(data.data()), reinterpret_cast<unsigned char*>(result.data()), _rsa, RSA_NO_PADDING);
if (res != kEncryptSize) {
ERR_load_crypto_strings();
LOG(("RSA Error: RSA_public_encrypt failed, key fp: %1, result: %2, error: %3").arg(getFingerPrint()).arg(res).arg(ERR_error_string(ERR_get_error(), 0)));
return false;
return base::byte_vector();
}
return true;
return result;
}
~Private() {
RSA_free(_rsa);
@ -89,10 +91,10 @@ private:
uchar sha1Buffer[20];
_fingerprint = *(uint64*)(hashSha1(&string[0], string.size() * sizeof(mtpPrime), sha1Buffer) + 3);
}
static QByteArray toBytes(BIGNUM *number) {
auto size = static_cast<int>(BN_num_bytes(number));
auto result = QByteArray(size, 0);
BN_bn2bin(number, reinterpret_cast<uchar*>(result.data()));
static base::byte_vector toBytes(BIGNUM *number) {
auto size = BN_num_bytes(number);
auto result = base::byte_vector(size, gsl::byte {});
BN_bn2bin(number, reinterpret_cast<unsigned char*>(result.data()));
return result;
}
@ -104,7 +106,7 @@ private:
RSAPublicKey::RSAPublicKey(base::const_byte_span key) : _private(std::make_shared<Private>(key)) {
}
RSAPublicKey::RSAPublicKey(const QByteArray &n, const QByteArray &e) : _private(std::make_shared<Private>(n, e)) {
RSAPublicKey::RSAPublicKey(base::const_byte_span nBytes, base::const_byte_span eBytes) : _private(std::make_shared<Private>(nBytes, eBytes)) {
}
bool RSAPublicKey::isValid() const {
@ -116,19 +118,19 @@ uint64 RSAPublicKey::getFingerPrint() const {
return _private->getFingerPrint();
}
QByteArray RSAPublicKey::getN() const {
base::byte_vector RSAPublicKey::getN() const {
Expects(isValid());
return _private->getN();
}
QByteArray RSAPublicKey::getE() const {
base::byte_vector RSAPublicKey::getE() const {
Expects(isValid());
return _private->getE();
}
bool RSAPublicKey::encrypt(const void *data, string &result) const {
base::byte_vector RSAPublicKey::encrypt(base::const_byte_span data) const {
Expects(isValid());
return _private->encrypt(data, result);
return _private->encrypt(data);
}
} // namespace internal

10
Telegram/SourceFiles/mtproto/rsa_public_key.h
View File

@ -28,8 +28,8 @@ class RSAPublicKey final {
public:
// key in RSAPublicKey "-----BEGIN RSA PUBLIC KEY----- ..." format
RSAPublicKey() = default;
RSAPublicKey(base::const_byte_span key);
RSAPublicKey(const QByteArray &n, const QByteArray &e);
explicit RSAPublicKey(base::const_byte_span key);
RSAPublicKey(base::const_byte_span nBytes, base::const_byte_span eBytes);
RSAPublicKey(RSAPublicKey &&other) = default;
RSAPublicKey(const RSAPublicKey &other) = default;
RSAPublicKey &operator=(RSAPublicKey &&other) = default;
@ -37,11 +37,11 @@ public:
bool isValid() const;
uint64 getFingerPrint() const;
QByteArray getN() const;
QByteArray getE() const;
base::byte_vector getN() const;
base::byte_vector getE() const;
// data has exactly 256 chars to be encrypted
bool encrypt(const void *data, std::string &result) const;
base::byte_vector encrypt(base::const_byte_span data) const;
private:
class Private;

9
Telegram/SourceFiles/storage/localstorage.cpp
View File

@ -146,7 +146,7 @@ auto PassKey = MTP::AuthKeyPtr();
auto LocalKey = MTP::AuthKeyPtr();
void createLocalKey(const QByteArray &pass, QByteArray *salt, MTP::AuthKeyPtr *result) {
auto key = MTP::AuthKey::Data { { 0 } };
auto key = MTP::AuthKey::Data { { gsl::byte{} } };
auto iterCount = pass.size() ? LocalEncryptIterCount : LocalEncryptNoPwdIterCount; // dont slow down for no password
auto newSalt = QByteArray();
if (!salt) {
@ -931,9 +931,8 @@ bool _readSetting(quint32 blockId, QDataStream &stream, int version, ReadSetting
case dbiKey: {
qint32 dcId;
auto key = MTP::AuthKey::Data { { 0 } };
stream >> dcId;
stream.readRawData(key.data(), key.size());
auto key = Serialize::read<MTP::AuthKey::Data>(stream);
if (!_checkStreamStatus(stream)) return false;
Messenger::Instance().setMtpKey(dcId, key);
@ -1900,8 +1899,8 @@ ReadMapState _readMap(const QByteArray &pass) {
LOG(("App Info: could not decrypt pass-protected key from map file, maybe bad password..."));
return ReadMapPassNeeded;
}
auto key = MTP::AuthKey::Data { { 0 } };
if (keyData.stream.readRawData(key.data(), key.size()) != key.size() || !keyData.stream.atEnd()) {
auto key = Serialize::read<MTP::AuthKey::Data>(keyData.stream);
if (keyData.stream.status() != QDataStream::Ok || !keyData.stream.atEnd()) {
LOG(("App Error: could not read pass-protected key from map file"));
return ReadMapFailed;
}

63
Telegram/SourceFiles/storage/serialize_common.h
View File

@ -32,6 +32,67 @@ inline int bytearraySize(const QByteArray &arr) {
return sizeof(quint32) + arr.size();
}
inline int bytesSize(base::const_byte_span bytes) {
return sizeof(quint32) + bytes.size();
}
struct ReadBytesVectorWrap {
base::byte_vector &bytes;
};
inline ReadBytesVectorWrap bytes(base::byte_vector &bytes) {
return ReadBytesVectorWrap { bytes };
}
// Compatible with QDataStream &operator>>(QDataStream &, QByteArray &);
inline QDataStream &operator>>(QDataStream &stream, ReadBytesVectorWrap data) {
auto &bytes = data.bytes;
bytes.clear();
quint32 len;
stream >> len;
if (stream.status() != QDataStream::Ok || len == 0xFFFFFFFF) {
return stream;
}
constexpr auto kStep = quint32(1024 * 1024);
for (auto allocated = quint32(0); allocated < len;) {
auto blockSize = qMin(kStep, len - allocated);
bytes.resize(allocated + blockSize);
if (stream.readRawData(reinterpret_cast<char*>(bytes.data()) + allocated, blockSize) != blockSize) {
bytes.clear();
stream.setStatus(QDataStream::ReadPastEnd);
return stream;
}
allocated += blockSize;
}
return stream;
}
struct WriteBytesWrap {
base::const_byte_span bytes;
};
inline WriteBytesWrap bytes(base::const_byte_span bytes) {
return WriteBytesWrap { bytes };
}
inline QDataStream &operator<<(QDataStream &stream, WriteBytesWrap data) {
auto bytes = data.bytes;
if (bytes.empty()) {
stream << quint32(0xFFFFFFFF);
} else {
auto size = quint32(bytes.size());
stream << size;
stream.writeRawData(reinterpret_cast<const char*>(bytes.data()), size);
}
return stream;
}
inline QDataStream &operator<<(QDataStream &stream, ReadBytesVectorWrap data) {
return stream << WriteBytesWrap { data.bytes };
}
inline int dateTimeSize() {
return (sizeof(qint64) + sizeof(quint32) + sizeof(qint8));
}
@ -50,7 +111,7 @@ inline T read(QDataStream &stream) {
template <>
inline MTP::AuthKey::Data read<MTP::AuthKey::Data>(QDataStream &stream) {
auto result = MTP::AuthKey::Data();
stream.readRawData(result.data(), result.size());
stream.readRawData(reinterpret_cast<char*>(result.data()), result.size());
return result;
}