Examples of freenet.crypt.BlockCipher

• freenet.crypt.BlockCipher
  Defines the interface that must be implemented by symmetric block ciphers used in the Freenet cryptography architecture

                md.update(salt);
                md.update(outerKey);
                outerKey = md.digest();
            }
        }
        BlockCipher cipher;
        try {
          cipher = new Rijndael(256, 256);
        } catch (UnsupportedCipherException e) {
          // Impossible
          throw new Error(e);
        }
//        System.err.println("Outer key: "+HexUtil.bytesToHex(outerKey));
        cipher.initialize(outerKey);
        PCFBMode pcfb = PCFBMode.create(cipher, iv);
        pcfb.blockDecipher(dataAndHash, 0, dataAndHash.length);
//        System.err.println("Decrypted data and hash: "+HexUtil.bytesToHex(dataAndHash));
        byte[] data = Arrays.copyOf(dataAndHash, dataAndHash.length - HASH_LENGTH);
        byte[] hash = Arrays.copyOfRange(dataAndHash, data.length, dataAndHash.length);

        byte[] pwd = password.getBytes("UTF-8");
        MessageDigest md = SHA256.getMessageDigest();
        md.update(pwd);
        md.update(salt);
        byte[] outerKey = md.digest();
        BlockCipher cipher;
        try {
            cipher = new Rijndael(256, 256);
        } catch (UnsupportedCipherException e) {
            // Impossible
            throw new Error(e);
        }
//      System.err.println("Outer key: "+HexUtil.bytesToHex(outerKey));
        cipher.initialize(outerKey);
        PCFBMode pcfb = PCFBMode.create(cipher, iv);
        pcfb.blockDecipher(dataAndHash, 0, dataAndHash.length);
//      System.err.println("Decrypted data and hash: "+HexUtil.bytesToHex(dataAndHash));
        byte[] data = Arrays.copyOf(dataAndHash, dataAndHash.length - OLD_HASH_LENGTH);
        byte[] hash = Arrays.copyOfRange(dataAndHash, data.length, dataAndHash.length);

    byte[] hash = md.digest();
        SHA256.returnMessageDigest(md); md = null;
    baos.write(hash, 0, HASH_LENGTH);
    data = baos.toByteArray();

    BlockCipher cipher;
    try {
      cipher = new Rijndael(256, 256);
    } catch (UnsupportedCipherException e) {
      // Impossible
      throw new Error(e);
    }
    cipher.initialize(outerKey);
    PCFBMode pcfb = PCFBMode.create(cipher, iv);
    pcfb.blockEncipher(data, hashedStart, data.length - hashedStart);

    RandomAccessFile raf = new RandomAccessFile(masterKeysFile, "rw");

    return null;
  }

  /** Must NOT modify buf contents. */
  private NPFPacket decipherFromSeqnum(byte[] buf, int offset, int length, SessionKey sessionKey, int sequenceNumber) {
    BlockCipher ivCipher = sessionKey.ivCipher;

    byte[] IV = new byte[ivCipher.getBlockSize() / 8];
    System.arraycopy(sessionKey.ivNonce, 0, IV, 0, IV.length);
    IV[IV.length - 4] = (byte) (sequenceNumber >>> 24);
    IV[IV.length - 3] = (byte) (sequenceNumber >>> 16);
    IV[IV.length - 2] = (byte) (sequenceNumber >>> 8);
    IV[IV.length - 1] = (byte) (sequenceNumber);

    ivCipher.encipher(IV, IV);

    byte[] payload = Arrays.copyOfRange(buf, offset + hmacLength, offset + length);
    byte[] hash = Arrays.copyOfRange(buf, offset, offset + hmacLength);

    if(!HMAC.verifyWithSHA256(sessionKey.hmacKey, payload, hash)) return null;

    seqNumBytes[0] = (byte) (seqNum >>> 24);
    seqNumBytes[1] = (byte) (seqNum >>> 16);
    seqNumBytes[2] = (byte) (seqNum >>> 8);
    seqNumBytes[3] = (byte) (seqNum);

    BlockCipher ivCipher = sessionKey.ivCipher;

    byte[] IV = new byte[ivCipher.getBlockSize() / 8];
    System.arraycopy(sessionKey.ivNonce, 0, IV, 0, IV.length);
    System.arraycopy(seqNumBytes, 0, IV, IV.length - seqNumBytes.length, seqNumBytes.length);
    ivCipher.encipher(IV, IV);

    PCFBMode cipher = PCFBMode.create(sessionKey.incommingCipher, IV);
    cipher.blockEncipher(seqNumBytes, 0, seqNumBytes.length);

    return seqNumBytes;

    }

    byte[] data = new byte[paddedLen];
    packet.toBytes(data, hmacLength, pn.paddingGen());

    BlockCipher ivCipher = sessionKey.ivCipher;

    byte[] IV = new byte[ivCipher.getBlockSize() / 8];
    System.arraycopy(sessionKey.ivNonce, 0, IV, 0, IV.length);
    System.arraycopy(data, hmacLength, IV, IV.length - 4, 4);

    ivCipher.encipher(IV, IV);

    PCFBMode payloadCipher = PCFBMode.create(sessionKey.outgoingCipher, IV);
    payloadCipher.blockEncipher(data, hmacLength, paddedLen - hmacLength);

    //Add hash

   * @param peer The Peer to send a reply to
   * @param now The time at which the packet was received
   * @return True if we handled a negotiation packet, false otherwise.
   */
  private boolean tryProcessAuth(byte[] buf, int offset, int length, PeerNode pn, Peer peer, boolean oldOpennetPeer, long now) {
    BlockCipher authKey = pn.incomingSetupCipher;
    if(logDEBUG) Logger.debug(this, "Decrypt key: "+HexUtil.bytesToHex(pn.incomingSetupKey)+" for "+peer+" : "+pn+" in tryProcessAuth");
    // Does the packet match IV E( H(data) data ) ?
    int ivLength = PCFBMode.lengthIV(authKey);
    int digestLength = HASH_LENGTH;
    if(length < digestLength + ivLength + 4) {

   * @param length The number of bytes to read
   * @param peer The Peer to send a reply to
   * @return True if we handled a negotiation packet, false otherwise.
   */
  private boolean tryProcessAuthAnon(byte[] buf, int offset, int length, Peer peer) {
    BlockCipher authKey = crypto.getAnonSetupCipher();
    // Does the packet match IV E( H(data) data ) ?
    int ivLength = PCFBMode.lengthIV(authKey);
    int digestLength = HASH_LENGTH;
    if(length < digestLength + ivLength + 5) {
      if(logMINOR) Logger.minor(this, "Too short: "+length+" should be at least "+(digestLength + ivLength + 5));

   * @param peer The Peer to send a reply to
   * @param now The time at which the packet was received
   * @return True if we handled a negotiation packet, false otherwise.
   */
  private boolean tryProcessAuthAnonReply(byte[] buf, int offset, int length, PeerNode pn, Peer peer, long now) {
    BlockCipher authKey = pn.anonymousInitiatorSetupCipher;
    // Does the packet match IV E( H(data) data ) ?
    int ivLength = PCFBMode.lengthIV(authKey);
    int digestLength = HASH_LENGTH;
    if(length < digestLength + ivLength + 5) {
      if(logDEBUG) Logger.debug(this, "Too short: "+length+" should be at least "+(digestLength + ivLength + 5));

    final long t1 = System.currentTimeMillis();
    int modulusLength = getModulusLength(negType);
    int nonceSize = getNonceSize(negType);
    if(logMINOR) Logger.minor(this, "Got a JFK(3) message, processing it - "+pn);

    BlockCipher c = null;
    try { c = new Rijndael(256, 256); } catch (UnsupportedCipherException e) { throw new RuntimeException(e); }

    final int expectedLength =
      nonceSize*2 + // Ni, Nr
      modulusLength*2 + // g^i, g^r
      HASH_LENGTH + // authenticator
      HASH_LENGTH + // HMAC of the cyphertext
      (c.getBlockSize() >> 3) + // IV
      HASH_LENGTH + // it's at least a signature
      8 +        // a bootid
      8 + // packet tracker ID
      1;        // znoderefI* is at least 1 byte long

    if(payload.length < expectedLength + 3) {
      Logger.error(this, "Packet too short from "+pn+": "+payload.length+" after decryption in JFK(3), should be "+(expectedLength + 3));
      return;
    }

    // Ni
    byte[] nonceInitiator = new byte[nonceSize];
    System.arraycopy(payload, inputOffset, nonceInitiator, 0, nonceSize);
    inputOffset += nonceSize;
    if(logDEBUG) Logger.debug(this, "We are receiving Ni : " + HexUtil.bytesToHex(nonceInitiator));
    // Before negtype 9 we didn't hash it!
    byte[] nonceInitiatorHashed = (negType > 8 ? SHA256.digest(nonceInitiator) : nonceInitiator);

    // Nr
    byte[] nonceResponder = new byte[nonceSize];
    System.arraycopy(payload, inputOffset, nonceResponder, 0, nonceSize);
    inputOffset += nonceSize;
    // g^i
    byte[] initiatorExponential = Arrays.copyOfRange(payload, inputOffset, inputOffset+modulusLength);
    inputOffset += modulusLength;
    // g^r
    byte[] responderExponential = Arrays.copyOfRange(payload, inputOffset, inputOffset+modulusLength);
    inputOffset += modulusLength;

    byte[] authenticator = Arrays.copyOfRange(payload, inputOffset, inputOffset+HASH_LENGTH);
    inputOffset += HASH_LENGTH;

    // We *WANT* to check the hmac before we do the lookup on the hashmap
    // @see https://bugs.freenetproject.org/view.php?id=1604
    if(!HMAC.verifyWithSHA256(getTransientKey(), assembleJFKAuthenticator(responderExponential, initiatorExponential, nonceResponder, nonceInitiatorHashed, replyTo.getAddress().getAddress()) , authenticator)) {
      if(shouldLogErrorInHandshake(t1)) {
          if(logDEBUG) Logger.debug(this, "We received the following HMAC : " + HexUtil.bytesToHex(authenticator));
          if(logDEBUG) Logger.debug(this, "We have Ni' : " + HexUtil.bytesToHex(nonceInitiatorHashed));
        Logger.normal(this, "The HMAC doesn't match; let's discard the packet (either we rekeyed or we are victim of forgery) - JFK3 - "+pn);
      }
      return;
    }
    // Check try to find the authenticator in the cache.
    // If authenticator is already present, indicates duplicate/replayed message3
    // Now simply transmit the corresponding message4
    Object message4 = null;
    synchronized (authenticatorCache) {
      message4 = authenticatorCache.get(new ByteArrayWrapper(authenticator));
    }
    if(message4 != null) {
      Logger.normal(this, "We replayed a message from the cache (shouldn't happen often) - "+pn);
      // We are replaying a JFK(4).
      // Therefore if it is anon-initiator it is encrypted with our setup key.
      if(unknownInitiator) {
        sendAnonAuthPacket(1,negType,3,setupType, (byte[]) message4, null, replyTo, crypto.anonSetupCipher);
      } else {
        sendAuthPacket(1, negType, 3, (byte[]) message4, pn, replyTo);
      }
      return;
    } else {
      if(logDEBUG) Logger.debug(this, "No message4 found for "+HexUtil.bytesToHex(authenticator)+" responderExponential "+Fields.hashCode(responderExponential)+" initiatorExponential "+Fields.hashCode(initiatorExponential)+" nonceResponder "+Fields.hashCode(nonceResponder)+" nonceInitiator "+Fields.hashCode(nonceInitiatorHashed)+" address "+HexUtil.bytesToHex(replyTo.getAddress().getAddress()));
    }

    byte[] hmac = Arrays.copyOfRange(payload, inputOffset, inputOffset+HASH_LENGTH);
    inputOffset += HASH_LENGTH;

    byte[] computedExponential;
    if(negType < 8) { // Legacy DH
      NativeBigInteger _hisExponential = new NativeBigInteger(1, initiatorExponential);
      NativeBigInteger _ourExponential = new NativeBigInteger(1, responderExponential);

      DiffieHellmanLightContext ctx = findContextByExponential(_ourExponential);
      if(ctx == null) {
        Logger.error(this, "WTF? the HMAC verified but we don't know about that exponential! SHOULDN'T HAPPEN! - JFK3 - "+pn);
        // Possible this is a replay or severely delayed? We don't keep every exponential we ever use.
        return;
      }
      computedExponential = ctx.getHMACKey(_hisExponential);
        } else {
            ECPublicKey initiatorKey = ECDH.getPublicKey(initiatorExponential, ecdhCurveToUse);
            ECPublicKey responderKey = ECDH.getPublicKey(responderExponential, ecdhCurveToUse);
            ECDHLightContext ctx = findECDHContextByPubKey(responderKey);
            if (ctx == null) {
                Logger.error(this, "WTF? the HMAC verified but we don't know about that exponential! SHOULDN'T HAPPEN! - JFK3 - "+pn);
                // Possible this is a replay or severely delayed? We don't keep
                // every exponential we ever use.
                return;
            }
            computedExponential = ctx.getHMACKey(initiatorKey);
        }
    if(logDEBUG) Logger.debug(this, "The shared Master secret is : "+HexUtil.bytesToHex(computedExponential) +" for " + pn);

    /* 0 is the outgoing key for the initiator, 7 for the responder */
    byte[] outgoingKey = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "7");
    byte[] incommingKey = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "0");
    byte[] Ke = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "1");
    byte[] Ka = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "2");

    byte[] hmacKey = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "3");
    byte[] ivKey = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "4");
    byte[] ivNonce = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "5");

    /* Bytes  1-4:  Initial sequence number for the initiator
     * Bytes  5-8:  Initial sequence number for the responder
     * Bytes  9-12: Initial message id for the initiator
     * Bytes 13-16: Initial message id for the responder
     * Note that we are the responder */
    byte[] sharedData = computeJFKSharedKey(computedExponential, nonceInitiatorHashed, nonceResponder, "6");
    Arrays.fill(computedExponential, (byte)0);
    int theirInitialSeqNum = ((sharedData[0] & 0xFF) << 24)
        | ((sharedData[1] & 0xFF) << 16)
        | ((sharedData[2] & 0xFF) << 8)
        | (sharedData[3] & 0xFF);
    int ourInitialSeqNum = ((sharedData[4] & 0xFF) << 24)
        | ((sharedData[5] & 0xFF) << 16)
        | ((sharedData[6] & 0xFF) << 8)
        | (sharedData[7] & 0xFF);
    int theirInitialMsgID, ourInitialMsgID;
    if(negType >= 7) {
      theirInitialMsgID =
        unknownInitiator ? getInitialMessageID(crypto.myIdentity) :
          getInitialMessageID(pn.identity, crypto.myIdentity);
      ourInitialMsgID =
        unknownInitiator ? getInitialMessageID(crypto.myIdentity) :
          getInitialMessageID(crypto.myIdentity, pn.identity);
    } else {
      theirInitialMsgID= ((sharedData[8] & 0xFF) << 24)
        | ((sharedData[9] & 0xFF) << 16)
        | ((sharedData[10] & 0xFF) << 8)
        | (sharedData[11] & 0xFF);
      ourInitialMsgID= ((sharedData[12] & 0xFF) << 24)
        | ((sharedData[13] & 0xFF) << 16)
        | ((sharedData[14] & 0xFF) << 8)
        | (sharedData[15] & 0xFF);
    }
    if(logMINOR)
      Logger.minor(this, "Their initial message ID: "+theirInitialMsgID+" ours "+ourInitialMsgID);

    c.initialize(Ke);
    int ivLength = PCFBMode.lengthIV(c);
    int decypheredPayloadOffset = 0;
    // We compute the HMAC of ("I"+cyphertext) : the cyphertext includes the IV!
    byte[] decypheredPayload = Arrays.copyOf(JFK_PREFIX_INITIATOR, JFK_PREFIX_INITIATOR.length + payload.length - inputOffset);
    decypheredPayloadOffset += JFK_PREFIX_INITIATOR.length;
    System.arraycopy(payload, inputOffset, decypheredPayload, decypheredPayloadOffset, decypheredPayload.length-decypheredPayloadOffset);
    if(!HMAC.verifyWithSHA256(Ka, decypheredPayload, hmac)) {
      Logger.error(this, "The inner-HMAC doesn't match; let's discard the packet JFK(3) - "+pn);
      return;
    }

    final PCFBMode pk = PCFBMode.create(c, decypheredPayload, decypheredPayloadOffset);
    // Get the IV
    decypheredPayloadOffset += ivLength;
    // Decrypt the payload
    pk.blockDecipher(decypheredPayload, decypheredPayloadOffset, decypheredPayload.length-decypheredPayloadOffset);
    /*
     * DecipheredData Format:
     * Signature
     * Node Data (starting with BootID)
     */
    int sigLength = getSignatureLength(negType);
    byte[] sig = new byte[sigLength];
    System.arraycopy(decypheredPayload, decypheredPayloadOffset, sig, 0, sigLength);
    decypheredPayloadOffset += sigLength;
    byte[] data = new byte[decypheredPayload.length - decypheredPayloadOffset];
    System.arraycopy(decypheredPayload, decypheredPayloadOffset, data, 0, decypheredPayload.length - decypheredPayloadOffset);
    int ptr = 0;
    long trackerID;
    trackerID = Fields.bytesToLong(data, ptr);
    if(trackerID < 0) trackerID = -1;
    ptr += 8;
    long bootID = Fields.bytesToLong(data, ptr);
    ptr += 8;
    byte[] hisRef = Arrays.copyOfRange(data, ptr, data.length);

    // construct the peernode
    if(unknownInitiator) {
      pn = getPeerNodeFromUnknownInitiator(hisRef, setupType, pn, replyTo);
    }
    if(pn == null) {
      if(unknownInitiator) {
        // Reject
        Logger.normal(this, "Rejecting... unable to construct PeerNode");
      } else {
        Logger.error(this, "PeerNode is null and unknownInitiator is false!");
      }
      return;
    }

    // verify the signature
    byte[] toVerify = assembleDHParams(nonceInitiatorHashed, nonceResponder, initiatorExponential, responderExponential, crypto.getIdentity(negType, false), data);
    if(negType < 9) {
        byte[] r = new byte[Node.SIGNATURE_PARAMETER_LENGTH];
        System.arraycopy(sig, 0, r, 0, Node.SIGNATURE_PARAMETER_LENGTH);
            byte[] s = new byte[Node.SIGNATURE_PARAMETER_LENGTH];
            System.arraycopy(sig, Node.SIGNATURE_PARAMETER_LENGTH, s, 0, Node.SIGNATURE_PARAMETER_LENGTH);
        DSASignature remoteSignature = new DSASignature(new NativeBigInteger(1,r), new NativeBigInteger(1,s));
        if(!DSA.verify(pn.peerPubKey, remoteSignature, new NativeBigInteger(1, SHA256.digest(toVerify)), false)) {
            Logger.error(this, "The signature verification has failed!! JFK(3) - "+pn.getPeer());
            return;
        }
    } else {
        if(!ECDSA.verify(Curves.P256, pn.peerECDSAPubKey(), sig, toVerify)) {
                Logger.error(this, "The ECDSA signature verification has failed!! JFK(3) - "+pn.getPeer());
                  return;
        }
    }

    // At this point we know it's from the peer, so we can report a packet received.
    pn.receivedPacket(true, false);

    BlockCipher outgoingCipher = null;
    BlockCipher incommingCipher = null;
    BlockCipher ivCipher = null;
    try {
      outgoingCipher = new Rijndael(256, 256);
      incommingCipher = new Rijndael(256, 256);
      ivCipher = new Rijndael(256, 256);
    } catch (UnsupportedCipherException e) {
      throw new RuntimeException(e);
    }
    outgoingCipher.initialize(outgoingKey);
    incommingCipher.initialize(incommingKey);
    ivCipher.initialize(ivKey);

    // Promote if necessary
    boolean dontWant = false;
    if(oldOpennetPeer && pn instanceof OpennetPeerNode /* true */) {
      OpennetManager opennet = node.getOpennet();