jle64/CryptoManager.cpp

## CryptoManager.cpp
/*
 * Copyright (C) 2001-2009 Jacek Sieka, arnetheduck on gmail point com
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

#include "stdinc.h"
#include "DCPlusPlus.h"

#include "CryptoManager.h"

#include "BitInputStream.h"
#include "BitOutputStream.h"
#include "File.h"
#include "LogManager.h"
#include "ClientManager.h"
#include "version.h"

#include <openssl/bn.h>

#ifdef _WIN32
#include "../bzip2/bzlib.h"
#else
#include <bzlib.h>
#endif

namespace dcpp {


CryptoManager::CryptoManager()
:
        certsLoaded(false),
        lock("EXTENDEDPROTOCOLABCABCABCABCABCABC"),
        pk("DCPLUSPLUS" VERSIONSTRING)
{
        SSL_library_init();

        clientContext.reset(SSL_CTX_new(TLSv1_client_method()));
        clientVerContext.reset(SSL_CTX_new(TLSv1_client_method()));
        serverContext.reset(SSL_CTX_new(TLSv1_server_method()));
        serverVerContext.reset(SSL_CTX_new(TLSv1_server_method()));

        if(clientContext && clientVerContext && serverContext && serverVerContext) {
                dh.reset(DH_new());

        static unsigned char dh4096_p[]={
                0xCA,0x35,0xA8,0xBB,0x65,0x33,0x28,0xC6,0x3F,0xD7,0x21,0x55,
                0x95,0xDF,0xC0,0xDC,0x11,0x10,0x23,0x2D,0x1E,0xD6,0x52,0x23,
                0xA1,0x52,0xB8,0xDD,0x4A,0x25,0xEE,0xF4,0x78,0xB6,0x89,0x9E,
                0xB6,0x33,0xEB,0x01,0xA6,0x46,0x31,0xD8,0x3D,0x12,0xB4,0x7B,
                0x1F,0x64,0x0C,0x84,0x10,0x80,0xFB,0x4F,0x74,0x21,0xA3,0x9B,
                0xF5,0x97,0xD1,0x05,0x97,0x9D,0x52,0x4F,0x91,0x3C,0xE1,0xA8,
                0x97,0xE0,0x33,0x9D,0xCB,0x9D,0x9D,0x2A,0xB5,0x3E,0xF5,0x8D,
                0x7F,0xEE,0x91,0xEE,0x4E,0xC5,0xA6,0xAB,0x54,0xD9,0xC2,0xA5,
                0x0D,0x2E,0xEA,0x1A,0x39,0xFD,0x30,0x4A,0x1C,0xB7,0x34,0x2B,
                0x7D,0x51,0xF6,0xB1,0xD1,0x8D,0xCE,0x28,0xDC,0xF9,0xDE,0x34,
                0xAF,0x1E,0xD1,0x7C,0xC2,0xD3,0x38,0x8E,0xBD,0x35,0x01,0x53,
                0xDD,0x2E,0xB5,0x83,0xC8,0xEF,0x08,0x15,0x59,0x6E,0xA3,0xC4,
                0x71,0x57,0x8C,0x4D,0xFD,0xA7,0x19,0x40,0x88,0x68,0x4E,0xD6,
                0x8F,0x5C,0xE5,0xEC,0xCF,0x5F,0xEB,0x9A,0xA4,0x66,0x40,0x8B,
                0x02,0x87,0xA7,0x3A,0x58,0x81,0xF1,0x6A,0x14,0x16,0x75,0x7D,
                0x33,0x01,0xEB,0x3F,0xA8,0x02,0xDC,0x09,0x32,0x12,0x00,0x20,
                0x47,0xFF,0x01,0x14,0xFE,0x9E,0x3A,0x44,0x4D,0xED,0x85,0xD5,
                0xDA,0x2F,0xE3,0x99,0xCE,0xDA,0x84,0x64,0xCB,0x0C,0x8C,0x00,
                0x90,0x19,0x70,0x1C,0x00,0x1D,0x63,0x3C,0x77,0x16,0x8D,0x3D,
                0x86,0x97,0x22,0x23,0x2F,0x7B,0xAB,0xB8,0xEB,0x94,0xA4,0x01,
                0xAA,0x34,0xBA,0xEA,0x7D,0x7A,0x37,0xB7,0x0C,0x75,0xEB,0x00,
                0x8D,0x52,0x7A,0xE2,0xDF,0x78,0x7C,0x4F,0x54,0x9E,0xA4,0xDD,
                0xC9,0xFC,0x08,0x7C,0x45,0x70,0x43,0x0F,0x39,0xE3,0x7E,0x48,
                0xB8,0xDC,0x9D,0xEC,0xB9,0x51,0x29,0x86,0x29,0x60,0xF6,0x4F,
                0xF7,0xCA,0xDD,0x3B,0x7F,0xAE,0xE2,0x54,0x4C,0x53,0x42,0x55,
                0xC0,0x39,0x24,0xE1,0x1A,0xAD,0x9E,0xCC,0x75,0x5E,0xF1,0xE2,
                0xD6,0xAE,0xCD,0x9A,0x91,0xC3,0x7B,0xE5,0x29,0xAD,0xCA,0xC2,
                0x00,0xC1,0xF9,0xF4,0x6D,0xD2,0x4B,0xD4,0x5A,0x56,0x39,0xCD,
                0xAC,0xCA,0xE7,0xD1,0x8C,0x15,0x4D,0x2B,0x59,0x67,0x29,0x72,
                0xE7,0x40,0x14,0x81,0x9E,0x26,0x48,0xF8,0x6C,0x51,0xF5,0xBE,
                0x64,0xD1,0xF4,0x4D,0x98,0xE7,0xFD,0x5E,0x23,0x1E,0xDF,0xBA,
                0xBD,0x2E,0xB1,0x81,0x26,0x98,0x9C,0x2F,0xE8,0xD5,0x32,0x6B,
                0x94,0x91,0x8C,0x2E,0xB8,0xD9,0xC9,0x2F,0x22,0x9D,0xA6,0x52,
                0x02,0xDF,0x99,0x63,0x64,0x7E,0xB8,0x68,0xAB,0x17,0x54,0x7E,
                0xED,0x9E,0xD1,0x45,0x64,0x36,0x65,0xE8,0x09,0x50,0xAB,0xB0,
                0xD4,0x8C,0x79,0x9F,0x4C,0xB8,0x26,0x45,0xBE,0x0F,0xDE,0x14,
                0x6F,0xEC,0x70,0x21,0x1A,0xA0,0x1D,0xD0,0x7D,0xA2,0x0F,0x85,
                0xA5,0x7C,0xC1,0x0A,0x74,0xB1,0x7B,0x5A,0xD2,0xC4,0x0F,0xD5,
                0x90,0x24,0x3E,0xEC,0x89,0x7E,0xB8,0xED,0x6E,0x19,0x85,0xB9,
                0x58,0x36,0xA1,0x33,0x7D,0x14,0xFE,0x4F,0x55,0xA9,0xB6,0x42,
                0x7E,0x97,0x2A,0x96,0x50,0x14,0x0D,0xEA,0x02,0xB1,0xD2,0x22,
                0xEB,0xE7,0xF4,0xAC,0xB6,0x37,0xCA,0xAB,0x4A,0x1E,0x4D,0x4E,
                0xCF,0xFE,0x5D,0xEF,0x23,0x78,0xC6,0xBB,
                };

        static unsigned char dh4096_g[]={
                0x02,
                };

                if(dh) {
                        BIGNUM *p, *q, *g;

                        if (!p || !g) {
                                dh.reset();
                        } else {
                                SSL_CTX_set_options(serverContext, SSL_OP_SINGLE_DH_USE);
                                SSL_CTX_set_options(serverVerContext, SSL_OP_SINGLE_DH_USE);
                                SSL_CTX_set_tmp_dh(serverContext, (DH*)dh);
                                SSL_CTX_set_tmp_dh(serverVerContext, (DH*)dh);
                        }
                }

                SSL_CTX_set_verify(serverContext, SSL_VERIFY_NONE, 0);
                SSL_CTX_set_verify(clientContext, SSL_VERIFY_NONE, 0);
                SSL_CTX_set_verify(clientVerContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
                SSL_CTX_set_verify(serverVerContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
        }
}

CryptoManager::~CryptoManager() {
}

bool CryptoManager::TLSOk() const throw() {
        return BOOLSETTING(USE_TLS) && certsLoaded;
}

void CryptoManager::generateCertificate() throw(CryptoException) {
        // Generate certificate using OpenSSL
        if(SETTING(TLS_PRIVATE_KEY_FILE).empty()) {
                throw CryptoException(_("No private key file chosen"));
        }
        if(SETTING(TLS_CERTIFICATE_FILE).empty()) {
                throw CryptoException(_("No certificate file chosen"));
        }

        ssl::BIGNUM bn(BN_new());
        ssl::RSA rsa(RSA_new());
        ssl::EVP_PKEY pkey(EVP_PKEY_new());
        ssl::X509_NAME nm(X509_NAME_new());
        const EVP_MD *digest = EVP_sha1();
        ssl::X509 x509ss(X509_new());

        if(!bn || !rsa || !pkey || !nm || !x509ss) {
                throw CryptoException(_("Error generating certificate"));
        }

        int days = 10;
        int keylength = 2048;

#define CHECK(n) if(!(n)) { throw CryptoException(#n); }

        // Generate key pair
        CHECK((BN_set_word(bn, RSA_F4)))
        CHECK((RSA_generate_key_ex(rsa, keylength, bn, NULL)))
        CHECK((EVP_PKEY_set1_RSA(pkey, rsa)))

        // Set CID
        CHECK((X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
                (const unsigned char*)ClientManager::getInstance()->getMyCID().toBase32().c_str(), -1, -1, 0)))

        // Prepare self-signed cert
        CHECK((X509_set_issuer_name(x509ss, nm)))
        CHECK((X509_set_subject_name(x509ss, nm)))
        CHECK((X509_gmtime_adj(X509_get_notBefore(x509ss), 0)))
        CHECK((X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)))
        CHECK((X509_set_pubkey(x509ss, pkey)))

        // Sign using own private key
        CHECK((X509_sign(x509ss, pkey, digest)))

#undef CHECK
        // Write the key and cert
        {
                File::ensureDirectory(SETTING(TLS_PRIVATE_KEY_FILE));
                FILE* f = fopen(SETTING(TLS_PRIVATE_KEY_FILE).c_str(), "w");
                if(!f) {
                        return;
                }
                PEM_write_RSAPrivateKey(f, rsa, NULL, NULL, 0, NULL, NULL);
                fclose(f);
        }
        {
                File::ensureDirectory(SETTING(TLS_CERTIFICATE_FILE));
                FILE* f = fopen(SETTING(TLS_CERTIFICATE_FILE).c_str(), "w");
                if(!f) {
                        File::deleteFile(SETTING(TLS_PRIVATE_KEY_FILE));
                        return;
                }
                PEM_write_X509(f, x509ss);
                fclose(f);
        }
}

void CryptoManager::loadCertificates() throw() {
        if(!BOOLSETTING(USE_TLS) || !clientContext || !clientVerContext || !serverContext || !serverVerContext)
                return;


        const string& cert = SETTING(TLS_CERTIFICATE_FILE);
        const string& key = SETTING(TLS_PRIVATE_KEY_FILE);

        if(cert.empty() || key.empty()) {
                LogManager::getInstance()->message(_("TLS disabled, no certificate file set"));
                return;
        }

        if(File::getSize(cert) == -1 || File::getSize(key) == -1 || !checkCertificate()) {
                // Try to generate them...
                try {
                        generateCertificate();
                        LogManager::getInstance()->message(_("Generated new TLS certificate"));
                } catch(const CryptoException& e) {
                        LogManager::getInstance()->message(str(F_("TLS disabled, failed to generate certificate: %1%") % e.getError()));
                }
        }

        if(SSL_CTX_use_certificate_file(serverContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load certificate file"));
                return;
        }
        if(SSL_CTX_use_certificate_file(clientContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load certificate file"));
                return;
        }

        if(SSL_CTX_use_certificate_file(serverVerContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load certificate file"));
                return;
        }
        if(SSL_CTX_use_certificate_file(clientVerContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load certificate file"));
                return;
        }

        if(SSL_CTX_use_PrivateKey_file(serverContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load private key"));
                return;
        }
        if(SSL_CTX_use_PrivateKey_file(clientContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load private key"));
                return;
        }

        if(SSL_CTX_use_PrivateKey_file(serverVerContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load private key"));
                return;
        }
        if(SSL_CTX_use_PrivateKey_file(clientVerContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
                LogManager::getInstance()->message(_("Failed to load private key"));
                return;
        }

        StringList certs = File::findFiles(SETTING(TLS_TRUSTED_CERTIFICATES_PATH), "*.pem");
        StringList certs2 = File::findFiles(SETTING(TLS_TRUSTED_CERTIFICATES_PATH), "*.crt");
        certs.insert(certs.end(), certs2.begin(), certs2.end());

        for(StringIter i = certs.begin(); i != certs.end(); ++i) {
                if(
                        SSL_CTX_load_verify_locations(clientContext, i->c_str(), NULL) != SSL_SUCCESS ||
                        SSL_CTX_load_verify_locations(clientVerContext, i->c_str(), NULL) != SSL_SUCCESS ||
                        SSL_CTX_load_verify_locations(serverContext, i->c_str(), NULL) != SSL_SUCCESS ||
                        SSL_CTX_load_verify_locations(serverVerContext, i->c_str(), NULL) != SSL_SUCCESS
                ) {
                        LogManager::getInstance()->message("Failed to load trusted certificate from " + *i);
                }
        }

        certsLoaded = true;
}

bool CryptoManager::checkCertificate() throw() {
        FILE* f = fopen(SETTING(TLS_CERTIFICATE_FILE).c_str(), "r");
        if(!f) {
                return false;
        }

        X509* tmpx509 = NULL;
        PEM_read_X509(f, &tmpx509, NULL, NULL);
        fclose(f);

        if(!tmpx509) {
                return false;
        }
        ssl::X509 x509(tmpx509);

        // Check subject name
        X509_NAME* name = X509_get_subject_name(x509);
        if(!name) {
                return false;
        }
        int i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
        if(i == -1) {
                return false;
        }
        X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, i);
        ASN1_STRING* str = X509_NAME_ENTRY_get_data(entry);
        if(!str) {
                return false;
        }

        unsigned char* buf = 0;
        i = ASN1_STRING_to_UTF8(&buf, str);
        if(i < 0) {
                return false;
        }
        std::string cn((char*)buf, i);
        OPENSSL_free(buf);

        if(cn != ClientManager::getInstance()->getMyCID().toBase32()) {
                return false;
        }

        ASN1_TIME* t = X509_get_notAfter(x509);
        if(t) {
                if(X509_cmp_current_time(t) < 0) {
                        return false;
                }
        }
        return true;
}

SSLSocket* CryptoManager::getClientSocket(bool allowUntrusted) throw(SocketException) {
        return new SSLSocket(allowUntrusted ? clientContext : clientVerContext);
}
SSLSocket* CryptoManager::getServerSocket(bool allowUntrusted) throw(SocketException) {
        return new SSLSocket(allowUntrusted ? serverContext : serverVerContext);
}


void CryptoManager::decodeBZ2(const uint8_t* is, size_t sz, string& os) throw (CryptoException) {
        bz_stream bs = { 0 };

        if(BZ2_bzDecompressInit(&bs, 0, 0) != BZ_OK)
                throw CryptoException(_("Error during decompression"));

        // We assume that the files aren't compressed more than 2:1...if they are it'll work anyway,
        // but we'll have to do multiple passes...
        size_t bufsize = 2*sz;
        boost::scoped_array<char> buf(new char[bufsize]);

        bs.avail_in = sz;
        bs.avail_out = bufsize;
        bs.next_in = reinterpret_cast<char*>(const_cast<uint8_t*>(is));
        bs.next_out = &buf[0];

        int err;

        os.clear();

        while((err = BZ2_bzDecompress(&bs)) == BZ_OK) {
                if (bs.avail_in == 0 && bs.avail_out > 0) { // error: BZ_UNEXPECTED_EOF
                        BZ2_bzDecompressEnd(&bs);
                        throw CryptoException(_("Error during decompression"));
                }
                os.append(&buf[0], bufsize-bs.avail_out);
                bs.avail_out = bufsize;
                bs.next_out = &buf[0];
        }

        if(err == BZ_STREAM_END)
                os.append(&buf[0], bufsize-bs.avail_out);

        BZ2_bzDecompressEnd(&bs);

        if(err < 0) {
                // This was a real error
                throw CryptoException(_("Error during decompression"));
        }
}

string CryptoManager::keySubst(const uint8_t* aKey, size_t len, size_t n) {
        boost::scoped_array<uint8_t> temp(new uint8_t[len + n * 10]);

        size_t j=0;

        for(size_t i = 0; i<len; i++) {
                if(isExtra(aKey[i])) {
                        temp[j++] = '/'; temp[j++] = '%'; temp[j++] = 'D';
                        temp[j++] = 'C'; temp[j++] = 'N';
                        switch(aKey[i]) {
                        case 0: temp[j++] = '0'; temp[j++] = '0'; temp[j++] = '0'; break;
                        case 5: temp[j++] = '0'; temp[j++] = '0'; temp[j++] = '5'; break;
                        case 36: temp[j++] = '0'; temp[j++] = '3'; temp[j++] = '6'; break;
                        case 96: temp[j++] = '0'; temp[j++] = '9'; temp[j++] = '6'; break;
                        case 124: temp[j++] = '1'; temp[j++] = '2'; temp[j++] = '4'; break;
                        case 126: temp[j++] = '1'; temp[j++] = '2'; temp[j++] = '6'; break;
                        }
                        temp[j++] = '%'; temp[j++] = '/';
                } else {
                        temp[j++] = aKey[i];
                }
        }
        return string((const char*)&temp[0], j);
}

string CryptoManager::makeKey(const string& aLock) {
        if(aLock.size() < 3)
                return Util::emptyString;

        boost::scoped_array<uint8_t> temp(new uint8_t[aLock.length()]);
        uint8_t v1;
        size_t extra=0;

        v1 = (uint8_t)(aLock[0]^5);
        v1 = (uint8_t)(((v1 >> 4) | (v1 << 4)) & 0xff);
        temp[0] = v1;

        string::size_type i;

        for(i = 1; i<aLock.length(); i++) {
                v1 = (uint8_t)(aLock[i]^aLock[i-1]);
                v1 = (uint8_t)(((v1 >> 4) | (v1 << 4))&0xff);
                temp[i] = v1;
                if(isExtra(temp[i]))
                        extra++;
        }

        temp[0] = (uint8_t)(temp[0] ^ temp[aLock.length()-1]);

        if(isExtra(temp[0])) {
                extra++;
        }

        return keySubst(&temp[0], aLock.length(), extra);
}

} // namespace dcpp

## linuxdcpp-sconstruct.patch
diff --git a/SConstruct b/SConstruct
index 246be58..8e01d6a 100755
--- a/SConstruct
+++ b/SConstruct
@@ -2,13 +2,13 @@
 # -*- coding: utf-8 -*-

 import os
-import commands
+import subprocess
 import string

 try:
        from bzrlib import branch
 except ImportError:
-       print "bzrlib not installed"
+       print("bzrlib not installed")

 EnsureSConsVersion(0, 98, 1)

@@ -18,8 +18,8 @@ BUILD_PATH = '#/build/'
 BUILD_LOCALE_PATH = BUILD_PATH + 'locale/'

 BUILD_FLAGS = {
-       'common'  : ['-I#', '-D_GNU_SOURCE', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64', '-D_REENTRANT'],
-       'debug'   : ['-g', '-ggdb', '-Wall', '-D_DEBUG'],
+       'common'  : ['-I#', '-D_GNU_SOURCE', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64', '-D_REENTRANT', '-std=gnu++98', '-L/usr/lib/openssl-1.0', '-I/usr/include/openssl-1.0'],
+       'debug'   : ['-g', '-ggdb', '-Wall', '-D_DEBUG'],
        'release' : ['-O3', '-fomit-frame-pointer', '-DNDEBUG']
 }

@@ -41,15 +41,15 @@ def check_pkg(context, name):

 def check_cxx_version(context, name, major, minor):
        context.Message('Checking for %s >= %d.%d...' % (name, major, minor))
-       ret = commands.getoutput('%s -dumpversion' % name)
+       ret = subprocess.getoutput('%s -dumpversion' % name)

        retval = 0
        try:
-               if ((string.atoi(ret[0]) == major and string.atoi(ret[2]) >= minor)
-               or (string.atoi(ret[0]) > major)):
+               if ((int(ret[0]) == major and int(ret[2]) >= minor)
+               or (int(ret[0]) > major)):
                        retval = 1
        except ValueError:
-               print "No C++ compiler found!"
+               print("No C++ compiler found!")

        context.Result(retval)
        return retval
@@ -62,7 +62,7 @@ def check_bzr_revision(context):
                b = branch.Branch.open('.')
                revision = str(b.revno())
        except:
-               print "failed"
+               print("failed")

        context.env['BZR_REVISION'] = revision
        context.Result(revision)
@@ -121,22 +121,22 @@ env = Environment(ENV = os.environ, variables = vars, package = PACKAGE)
 env['mode'] = 'debug' if env.get('debug') else 'release'
 env['build_path'] = BUILD_PATH + env['mode'] + '/'

-if os.environ.has_key('CXX'):
+if 'CXX' in os.environ:
        env['CXX'] = os.environ['CXX']
 else:
-       print 'CXX env variable is not set, attempting to use g++'
+       print('CXX env variable is not set, attempting to use g++')
        env['CXX'] = 'g++'

-if os.environ.has_key('CC'):
+if 'CC' in os.environ:
        env['CC'] = os.environ['CC']

-if os.environ.has_key('CXXFLAGS'):
+if 'CXXFLAGS' in os.environ:
        env['CPPFLAGS'] = env['CXXFLAGS'] = os.environ['CXXFLAGS'].split()

-if os.environ.has_key('LDFLAGS'):
+if 'LDFLAGS' in os.environ:
        env['LINKFLAGS'] = os.environ['LDFLAGS'].split()

-if os.environ.has_key('CFLAGS'):
+if 'CFLAGS' in os.environ:
        env['CFLAGS'] = os.environ['CFLAGS'].split()

 env['CPPDEFINES'] = [] # Initialize as a list so Append doesn't concat strings
@@ -186,32 +186,32 @@ conf = env.Configure(
 if not 'install' in COMMAND_LINE_TARGETS:

        if not conf.CheckCXXVersion(env['CXX'], 4, 1):
-               print 'Compiler version check failed. g++ 4.1 or later is needed'
+               print('Compiler version check failed. g++ 4.1 or later is needed')
                Exit(1)

        if not conf.CheckPKGConfig():
-               print '\tpkg-config not found.'
+               print('\tpkg-config not found.')
                Exit(1)

        if not conf.CheckPKG('gtk+-2.0 >= 2.12'):
-               print '\tgtk+ >= 2.12 not found.'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tgtk+ >= 2.12 not found.')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        if not conf.CheckPKG('gthread-2.0 >= 2.4'):
-               print '\tgthread >= 2.4 not found.'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tgthread >= 2.4 not found.')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        if not conf.CheckPKG('libglade-2.0 >= 2.4'):
-               print '\tlibglade-2.0 >= 2.4 not found.'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tlibglade-2.0 >= 2.4 not found.')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

-
+
        if not conf.CheckCXXHeader('boost/version.hpp', '<>'):
-               print '\tboost not found.'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tboost not found.')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        if not conf.CheckHeader('time.h'):
@@ -224,34 +224,34 @@ if not 'install' in COMMAND_LINE_TARGETS:
                Exit(1)

        if not conf.CheckLibWithHeader('pthread', 'pthread.h', 'c'):
-               print '\tpthread library not found'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tpthread library not found')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        if not conf.CheckLibWithHeader('z', 'zlib.h', 'c'):
-               print '\tz library (gzip/z compression) not found'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tz library (gzip/z compression) not found')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        if not conf.CheckLibWithHeader('bz2', 'bzlib.h', 'c'):
-               print '\tbz2 library (bz2 compression) not found'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tbz2 library (bz2 compression) not found')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        # This needs to be before ssl check on *BSD systems
        if not conf.CheckLib('crypto'):
-               print '\tcrypto library not found'
-               print '\tNote: This library may be a part of libssl on your system'
+               print('\tcrypto library not found')
+               print('\tNote: This library may be a part of libssl on your system')
                Exit(1)

        if not conf.CheckLibWithHeader('ssl', 'openssl/ssl.h', 'c'):
-               print '\tOpenSSL library (libssl) not found'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tOpenSSL library (libssl) not found')
+               print('\tNote: You might have the lib but not the headers')
                Exit(1)

        # Needed for XFlush(). Headers shouldn't be needed since we include gdk/gdkx.h
        if not conf.CheckLib('X11'):
-               print '\tX11 library not found'
+               print('\tX11 library not found')
                Exit(1)

        if not conf.CheckHeader('iconv.h'):
@@ -264,8 +264,8 @@ if not 'install' in COMMAND_LINE_TARGETS:

        # TODO: Implement a plugin system so libnotify doesn't have compile-time dependencies
        if not conf.CheckPKG('libnotify >= 0.4.1'):
-               print '\tlibnotify >= 0.4.1 not found, disabling notifications.'
-               print '\tNote: You might have the lib but not the headers'
+               print('\tlibnotify >= 0.4.1 not found, disabling notifications.')
+               print('\tNote: You might have the lib but not the headers')
        else:
                conf.env.Append(CPPDEFINES = 'HAVE_LIBNOTIFY')
                conf.env.ParseConfig('pkg-config --libs libnotify')
diff --git a/dcpp/CryptoManager.cpp b/dcpp/CryptoManager.cpp
index 395846c..5b173db 100644
--- a/dcpp/CryptoManager.cpp
+++ b/dcpp/CryptoManager.cpp
@@ -107,10 +107,13 @@ CryptoManager::CryptoManager()
                 };

                if(dh) {
-                       dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), 0);
-                       dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), 0);
+                       BIGNUM *p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), 0);
+                       BIGNUM *q = BN_dup(DH_get0_q(dh));
+                       BIGNUM *g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), 0);

-                       if (!dh->p || !dh->g) {
+                       DH_set0_pqg(dh, p, q, g);
+
+                       if (!p || !g) {
                                dh.reset();
                        } else {
                                SSL_CTX_set_options(serverContext, SSL_OP_SINGLE_DH_USE);

## PKGBUILD
#Contributor: SpepS <dreamspepser at yahoo dot it>
# Contributor: Andrea Scarpino <andrea@archlinux.org>
# Contributor: Tom K <tom@archlinux.org>
# Contributor: kaptoxic <kaptoxic at yahoo dot com>

pkgname=linuxdcpp
pkgver=1.1.0
pkgrel=8
pkgdesc="A Gtk+ Direct Connect client based on DC++."
url="https://launchpad.net/linuxdcpp/"
license=('GPL')
arch=('i686' 'x86_64')
depends=('openssl' 'glib2' 'libglade' 'bzip2' 'libnotify' 'hicolor-icon-theme')
makedepends=('scons' 'boost')
conflicts=('linuxdcpp-bzr')
source=(
    "$url${pkgver%%.?}/$pkgver/+download/$pkgname-$pkgver.tar.bz2"
    "linuxdcpp-sconstruct.patch"
    "CryptoManager.cpp"
)

prepare() {
  cd "$srcdir/$pkgname-$pkgver"
  patch -Np1 -i "$srcdir/linuxdcpp-sconstruct.patch"
  cat "$srcdir/CryptoManager.cpp" > dcpp/CryptoManager.cpp
}

build() {
  cd "$srcdir/$pkgname-$pkgver"

  scons PREFIX=/usr
}

package() {
  cd "$srcdir/$pkgname-$pkgver"

  scons install FAKE_ROOT="$pkgdir/"
}
	/*
	* Copyright (C) 2001-2009 Jacek Sieka, arnetheduck on gmail point com
	*
	* This program is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation; either version 2 of the License, or
	* (at your option) any later version.
	*
	* This program is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, write to the Free Software
	* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	*/

	#include "stdinc.h"
	#include "DCPlusPlus.h"

	#include "CryptoManager.h"

	#include "BitInputStream.h"
	#include "BitOutputStream.h"
	#include "File.h"
	#include "LogManager.h"
	#include "ClientManager.h"
	#include "version.h"

	#include <openssl/bn.h>

	#ifdef _WIN32
	#include "../bzip2/bzlib.h"
	#else
	#include <bzlib.h>
	#endif

	namespace dcpp {



	CryptoManager::CryptoManager()
	:
	certsLoaded(false),
	lock("EXTENDEDPROTOCOLABCABCABCABCABCABC"),
	pk("DCPLUSPLUS" VERSIONSTRING)
	{
	SSL_library_init();

	clientContext.reset(SSL_CTX_new(TLSv1_client_method()));
	clientVerContext.reset(SSL_CTX_new(TLSv1_client_method()));
	serverContext.reset(SSL_CTX_new(TLSv1_server_method()));
	serverVerContext.reset(SSL_CTX_new(TLSv1_server_method()));

	if(clientContext && clientVerContext && serverContext && serverVerContext) {
	dh.reset(DH_new());

	static unsigned char dh4096_p[]={
	0xCA,0x35,0xA8,0xBB,0x65,0x33,0x28,0xC6,0x3F,0xD7,0x21,0x55,
	0x95,0xDF,0xC0,0xDC,0x11,0x10,0x23,0x2D,0x1E,0xD6,0x52,0x23,
	0xA1,0x52,0xB8,0xDD,0x4A,0x25,0xEE,0xF4,0x78,0xB6,0x89,0x9E,
	0xB6,0x33,0xEB,0x01,0xA6,0x46,0x31,0xD8,0x3D,0x12,0xB4,0x7B,
	0x1F,0x64,0x0C,0x84,0x10,0x80,0xFB,0x4F,0x74,0x21,0xA3,0x9B,
	0xF5,0x97,0xD1,0x05,0x97,0x9D,0x52,0x4F,0x91,0x3C,0xE1,0xA8,
	0x97,0xE0,0x33,0x9D,0xCB,0x9D,0x9D,0x2A,0xB5,0x3E,0xF5,0x8D,
	0x7F,0xEE,0x91,0xEE,0x4E,0xC5,0xA6,0xAB,0x54,0xD9,0xC2,0xA5,
	0x0D,0x2E,0xEA,0x1A,0x39,0xFD,0x30,0x4A,0x1C,0xB7,0x34,0x2B,
	0x7D,0x51,0xF6,0xB1,0xD1,0x8D,0xCE,0x28,0xDC,0xF9,0xDE,0x34,
	0xAF,0x1E,0xD1,0x7C,0xC2,0xD3,0x38,0x8E,0xBD,0x35,0x01,0x53,
	0xDD,0x2E,0xB5,0x83,0xC8,0xEF,0x08,0x15,0x59,0x6E,0xA3,0xC4,
	0x71,0x57,0x8C,0x4D,0xFD,0xA7,0x19,0x40,0x88,0x68,0x4E,0xD6,
	0x8F,0x5C,0xE5,0xEC,0xCF,0x5F,0xEB,0x9A,0xA4,0x66,0x40,0x8B,
	0x02,0x87,0xA7,0x3A,0x58,0x81,0xF1,0x6A,0x14,0x16,0x75,0x7D,
	0x33,0x01,0xEB,0x3F,0xA8,0x02,0xDC,0x09,0x32,0x12,0x00,0x20,
	0x47,0xFF,0x01,0x14,0xFE,0x9E,0x3A,0x44,0x4D,0xED,0x85,0xD5,
	0xDA,0x2F,0xE3,0x99,0xCE,0xDA,0x84,0x64,0xCB,0x0C,0x8C,0x00,
	0x90,0x19,0x70,0x1C,0x00,0x1D,0x63,0x3C,0x77,0x16,0x8D,0x3D,
	0x86,0x97,0x22,0x23,0x2F,0x7B,0xAB,0xB8,0xEB,0x94,0xA4,0x01,
	0xAA,0x34,0xBA,0xEA,0x7D,0x7A,0x37,0xB7,0x0C,0x75,0xEB,0x00,
	0x8D,0x52,0x7A,0xE2,0xDF,0x78,0x7C,0x4F,0x54,0x9E,0xA4,0xDD,
	0xC9,0xFC,0x08,0x7C,0x45,0x70,0x43,0x0F,0x39,0xE3,0x7E,0x48,
	0xB8,0xDC,0x9D,0xEC,0xB9,0x51,0x29,0x86,0x29,0x60,0xF6,0x4F,
	0xF7,0xCA,0xDD,0x3B,0x7F,0xAE,0xE2,0x54,0x4C,0x53,0x42,0x55,
	0xC0,0x39,0x24,0xE1,0x1A,0xAD,0x9E,0xCC,0x75,0x5E,0xF1,0xE2,
	0xD6,0xAE,0xCD,0x9A,0x91,0xC3,0x7B,0xE5,0x29,0xAD,0xCA,0xC2,
	0x00,0xC1,0xF9,0xF4,0x6D,0xD2,0x4B,0xD4,0x5A,0x56,0x39,0xCD,
	0xAC,0xCA,0xE7,0xD1,0x8C,0x15,0x4D,0x2B,0x59,0x67,0x29,0x72,
	0xE7,0x40,0x14,0x81,0x9E,0x26,0x48,0xF8,0x6C,0x51,0xF5,0xBE,
	0x64,0xD1,0xF4,0x4D,0x98,0xE7,0xFD,0x5E,0x23,0x1E,0xDF,0xBA,
	0xBD,0x2E,0xB1,0x81,0x26,0x98,0x9C,0x2F,0xE8,0xD5,0x32,0x6B,
	0x94,0x91,0x8C,0x2E,0xB8,0xD9,0xC9,0x2F,0x22,0x9D,0xA6,0x52,
	0x02,0xDF,0x99,0x63,0x64,0x7E,0xB8,0x68,0xAB,0x17,0x54,0x7E,
	0xED,0x9E,0xD1,0x45,0x64,0x36,0x65,0xE8,0x09,0x50,0xAB,0xB0,
	0xD4,0x8C,0x79,0x9F,0x4C,0xB8,0x26,0x45,0xBE,0x0F,0xDE,0x14,
	0x6F,0xEC,0x70,0x21,0x1A,0xA0,0x1D,0xD0,0x7D,0xA2,0x0F,0x85,
	0xA5,0x7C,0xC1,0x0A,0x74,0xB1,0x7B,0x5A,0xD2,0xC4,0x0F,0xD5,
	0x90,0x24,0x3E,0xEC,0x89,0x7E,0xB8,0xED,0x6E,0x19,0x85,0xB9,
	0x58,0x36,0xA1,0x33,0x7D,0x14,0xFE,0x4F,0x55,0xA9,0xB6,0x42,
	0x7E,0x97,0x2A,0x96,0x50,0x14,0x0D,0xEA,0x02,0xB1,0xD2,0x22,
	0xEB,0xE7,0xF4,0xAC,0xB6,0x37,0xCA,0xAB,0x4A,0x1E,0x4D,0x4E,
	0xCF,0xFE,0x5D,0xEF,0x23,0x78,0xC6,0xBB,
	};

	static unsigned char dh4096_g[]={
	0x02,
	};

	if(dh) {
	BIGNUM p, q, *g;

	if (!p \|\| !g) {
	dh.reset();
	} else {
	SSL_CTX_set_options(serverContext, SSL_OP_SINGLE_DH_USE);
	SSL_CTX_set_options(serverVerContext, SSL_OP_SINGLE_DH_USE);
	SSL_CTX_set_tmp_dh(serverContext, (DH*)dh);
	SSL_CTX_set_tmp_dh(serverVerContext, (DH*)dh);
	}
	}

	SSL_CTX_set_verify(serverContext, SSL_VERIFY_NONE, 0);
	SSL_CTX_set_verify(clientContext, SSL_VERIFY_NONE, 0);
	SSL_CTX_set_verify(clientVerContext, SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
	SSL_CTX_set_verify(serverVerContext, SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
	}
	}

	CryptoManager::~CryptoManager() {
	}

	bool CryptoManager::TLSOk() const throw() {
	return BOOLSETTING(USE_TLS) && certsLoaded;
	}

	void CryptoManager::generateCertificate() throw(CryptoException) {
	// Generate certificate using OpenSSL
	if(SETTING(TLS_PRIVATE_KEY_FILE).empty()) {
	throw CryptoException(_("No private key file chosen"));
	}
	if(SETTING(TLS_CERTIFICATE_FILE).empty()) {
	throw CryptoException(_("No certificate file chosen"));
	}

	ssl::BIGNUM bn(BN_new());
	ssl::RSA rsa(RSA_new());
	ssl::EVP_PKEY pkey(EVP_PKEY_new());
	ssl::X509_NAME nm(X509_NAME_new());
	const EVP_MD *digest = EVP_sha1();
	ssl::X509 x509ss(X509_new());

	if(!bn \|\| !rsa \|\| !pkey \|\| !nm \|\| !x509ss) {
	throw CryptoException(_("Error generating certificate"));
	}

	int days = 10;
	int keylength = 2048;

	#define CHECK(n) if(!(n)) { throw CryptoException(#n); }

	// Generate key pair
	CHECK((BN_set_word(bn, RSA_F4)))
	CHECK((RSA_generate_key_ex(rsa, keylength, bn, NULL)))
	CHECK((EVP_PKEY_set1_RSA(pkey, rsa)))

	// Set CID
	CHECK((X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
	(const unsigned char*)ClientManager::getInstance()->getMyCID().toBase32().c_str(), -1, -1, 0)))

	// Prepare self-signed cert
	CHECK((X509_set_issuer_name(x509ss, nm)))
	CHECK((X509_set_subject_name(x509ss, nm)))
	CHECK((X509_gmtime_adj(X509_get_notBefore(x509ss), 0)))
	CHECK((X509_gmtime_adj(X509_get_notAfter(x509ss), (long)606024*days)))
	CHECK((X509_set_pubkey(x509ss, pkey)))

	// Sign using own private key
	CHECK((X509_sign(x509ss, pkey, digest)))

	#undef CHECK
	// Write the key and cert
	{
	File::ensureDirectory(SETTING(TLS_PRIVATE_KEY_FILE));
	FILE* f = fopen(SETTING(TLS_PRIVATE_KEY_FILE).c_str(), "w");
	if(!f) {
	return;
	}
	PEM_write_RSAPrivateKey(f, rsa, NULL, NULL, 0, NULL, NULL);
	fclose(f);
	}
	{
	File::ensureDirectory(SETTING(TLS_CERTIFICATE_FILE));
	FILE* f = fopen(SETTING(TLS_CERTIFICATE_FILE).c_str(), "w");
	if(!f) {
	File::deleteFile(SETTING(TLS_PRIVATE_KEY_FILE));
	return;
	}
	PEM_write_X509(f, x509ss);
	fclose(f);
	}
	}

	void CryptoManager::loadCertificates() throw() {
	if(!BOOLSETTING(USE_TLS) \|\| !clientContext \|\| !clientVerContext \|\| !serverContext \|\| !serverVerContext)
	return;


	const string& cert = SETTING(TLS_CERTIFICATE_FILE);
	const string& key = SETTING(TLS_PRIVATE_KEY_FILE);

	if(cert.empty() \|\| key.empty()) {
	LogManager::getInstance()->message(_("TLS disabled, no certificate file set"));
	return;
	}

	if(File::getSize(cert) == -1 \|\| File::getSize(key) == -1 \|\| !checkCertificate()) {
	// Try to generate them...
	try {
	generateCertificate();
	LogManager::getInstance()->message(_("Generated new TLS certificate"));
	} catch(const CryptoException& e) {
	LogManager::getInstance()->message(str(F_("TLS disabled, failed to generate certificate: %1%") % e.getError()));
	}
	}

	if(SSL_CTX_use_certificate_file(serverContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load certificate file"));
	return;
	}
	if(SSL_CTX_use_certificate_file(clientContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load certificate file"));
	return;
	}

	if(SSL_CTX_use_certificate_file(serverVerContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load certificate file"));
	return;
	}
	if(SSL_CTX_use_certificate_file(clientVerContext, SETTING(TLS_CERTIFICATE_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load certificate file"));
	return;
	}

	if(SSL_CTX_use_PrivateKey_file(serverContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load private key"));
	return;
	}
	if(SSL_CTX_use_PrivateKey_file(clientContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load private key"));
	return;
	}

	if(SSL_CTX_use_PrivateKey_file(serverVerContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load private key"));
	return;
	}
	if(SSL_CTX_use_PrivateKey_file(clientVerContext, SETTING(TLS_PRIVATE_KEY_FILE).c_str(), SSL_FILETYPE_PEM) != SSL_SUCCESS) {
	LogManager::getInstance()->message(_("Failed to load private key"));
	return;
	}

	StringList certs = File::findFiles(SETTING(TLS_TRUSTED_CERTIFICATES_PATH), "*.pem");
	StringList certs2 = File::findFiles(SETTING(TLS_TRUSTED_CERTIFICATES_PATH), "*.crt");
	certs.insert(certs.end(), certs2.begin(), certs2.end());

	for(StringIter i = certs.begin(); i != certs.end(); ++i) {
	if(
	SSL_CTX_load_verify_locations(clientContext, i->c_str(), NULL) != SSL_SUCCESS \|\|
	SSL_CTX_load_verify_locations(clientVerContext, i->c_str(), NULL) != SSL_SUCCESS \|\|
	SSL_CTX_load_verify_locations(serverContext, i->c_str(), NULL) != SSL_SUCCESS \|\|
	SSL_CTX_load_verify_locations(serverVerContext, i->c_str(), NULL) != SSL_SUCCESS
	) {
	LogManager::getInstance()->message("Failed to load trusted certificate from " + *i);
	}
	}

	certsLoaded = true;
	}

	bool CryptoManager::checkCertificate() throw() {
	FILE* f = fopen(SETTING(TLS_CERTIFICATE_FILE).c_str(), "r");
	if(!f) {
	return false;
	}

	X509* tmpx509 = NULL;
	PEM_read_X509(f, &tmpx509, NULL, NULL);
	fclose(f);

	if(!tmpx509) {
	return false;
	}
	ssl::X509 x509(tmpx509);

	// Check subject name
	X509_NAME* name = X509_get_subject_name(x509);
	if(!name) {
	return false;
	}
	int i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
	if(i == -1) {
	return false;
	}
	X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, i);
	ASN1_STRING* str = X509_NAME_ENTRY_get_data(entry);
	if(!str) {
	return false;
	}

	unsigned char* buf = 0;
	i = ASN1_STRING_to_UTF8(&buf, str);
	if(i < 0) {
	return false;
	}
	std::string cn((char*)buf, i);
	OPENSSL_free(buf);

	if(cn != ClientManager::getInstance()->getMyCID().toBase32()) {
	return false;
	}

	ASN1_TIME* t = X509_get_notAfter(x509);
	if(t) {
	if(X509_cmp_current_time(t) < 0) {
	return false;
	}
	}
	return true;
	}

	SSLSocket* CryptoManager::getClientSocket(bool allowUntrusted) throw(SocketException) {
	return new SSLSocket(allowUntrusted ? clientContext : clientVerContext);
	}
	SSLSocket* CryptoManager::getServerSocket(bool allowUntrusted) throw(SocketException) {
	return new SSLSocket(allowUntrusted ? serverContext : serverVerContext);
	}


	void CryptoManager::decodeBZ2(const uint8_t* is, size_t sz, string& os) throw (CryptoException) {
	bz_stream bs = { 0 };

	if(BZ2_bzDecompressInit(&bs, 0, 0) != BZ_OK)
	throw CryptoException(_("Error during decompression"));

	// We assume that the files aren't compressed more than 2:1...if they are it'll work anyway,
	// but we'll have to do multiple passes...
	size_t bufsize = 2*sz;
	boost::scoped_array<char> buf(new char[bufsize]);

	bs.avail_in = sz;
	bs.avail_out = bufsize;
	bs.next_in = reinterpret_cast<char>(const_cast<uint8_t>(is));
	bs.next_out = &buf[0];

	int err;

	os.clear();

	while((err = BZ2_bzDecompress(&bs)) == BZ_OK) {
	if (bs.avail_in == 0 && bs.avail_out > 0) { // error: BZ_UNEXPECTED_EOF
	BZ2_bzDecompressEnd(&bs);
	throw CryptoException(_("Error during decompression"));
	}
	os.append(&buf[0], bufsize-bs.avail_out);
	bs.avail_out = bufsize;
	bs.next_out = &buf[0];
	}

	if(err == BZ_STREAM_END)
	os.append(&buf[0], bufsize-bs.avail_out);

	BZ2_bzDecompressEnd(&bs);

	if(err < 0) {
	// This was a real error
	throw CryptoException(_("Error during decompression"));
	}
	}

	string CryptoManager::keySubst(const uint8_t* aKey, size_t len, size_t n) {
	boost::scoped_array<uint8_t> temp(new uint8_t[len + n * 10]);

	size_t j=0;

	for(size_t i = 0; i<len; i++) {
	if(isExtra(aKey[i])) {
	temp[j++] = '/'; temp[j++] = '%'; temp[j++] = 'D';
	temp[j++] = 'C'; temp[j++] = 'N';
	switch(aKey[i]) {
	case 0: temp[j++] = '0'; temp[j++] = '0'; temp[j++] = '0'; break;
	case 5: temp[j++] = '0'; temp[j++] = '0'; temp[j++] = '5'; break;
	case 36: temp[j++] = '0'; temp[j++] = '3'; temp[j++] = '6'; break;
	case 96: temp[j++] = '0'; temp[j++] = '9'; temp[j++] = '6'; break;
	case 124: temp[j++] = '1'; temp[j++] = '2'; temp[j++] = '4'; break;
	case 126: temp[j++] = '1'; temp[j++] = '2'; temp[j++] = '6'; break;
	}
	temp[j++] = '%'; temp[j++] = '/';
	} else {
	temp[j++] = aKey[i];
	}
	}
	return string((const char*)&temp[0], j);
	}

	string CryptoManager::makeKey(const string& aLock) {
	if(aLock.size() < 3)
	return Util::emptyString;

	boost::scoped_array<uint8_t> temp(new uint8_t[aLock.length()]);
	uint8_t v1;
	size_t extra=0;

	v1 = (uint8_t)(aLock[0]^5);
	v1 = (uint8_t)(((v1 >> 4) \| (v1 << 4)) & 0xff);
	temp[0] = v1;

	string::size_type i;

	for(i = 1; i<aLock.length(); i++) {
	v1 = (uint8_t)(aLock[i]^aLock[i-1]);
	v1 = (uint8_t)(((v1 >> 4) \| (v1 << 4))&0xff);
	temp[i] = v1;
	if(isExtra(temp[i]))
	extra++;
	}

	temp[0] = (uint8_t)(temp[0] ^ temp[aLock.length()-1]);

	if(isExtra(temp[0])) {
	extra++;
	}

	return keySubst(&temp[0], aLock.length(), extra);
	}

	} // namespace dcpp
	diff --git a/SConstruct b/SConstruct
	index 246be58..8e01d6a 100755
	--- a/SConstruct
	+++ b/SConstruct
	@@ -2,13 +2,13 @@
	# -- coding: utf-8 --

	import os
	-import commands
	+import subprocess
	import string

	try:
	from bzrlib import branch
	except ImportError:
	- print "bzrlib not installed"
	+ print("bzrlib not installed")

	EnsureSConsVersion(0, 98, 1)

	@@ -18,8 +18,8 @@ BUILD_PATH = '#/build/'
	BUILD_LOCALE_PATH = BUILD_PATH + 'locale/'

	BUILD_FLAGS = {
	- 'common' : ['-I#', '-D_GNU_SOURCE', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64', '-D_REENTRANT'],
	- 'debug' : ['-g', '-ggdb', '-Wall', '-D_DEBUG'],
	+ 'common' : ['-I#', '-D_GNU_SOURCE', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64', '-D_REENTRANT', '-std=gnu++98', '-L/usr/lib/openssl-1.0', '-I/usr/include/openssl-1.0'],
	+ 'debug' : ['-g', '-ggdb', '-Wall', '-D_DEBUG'],
	'release' : ['-O3', '-fomit-frame-pointer', '-DNDEBUG']
	}

	@@ -41,15 +41,15 @@ def check_pkg(context, name):

	def check_cxx_version(context, name, major, minor):
	context.Message('Checking for %s >= %d.%d...' % (name, major, minor))
	- ret = commands.getoutput('%s -dumpversion' % name)
	+ ret = subprocess.getoutput('%s -dumpversion' % name)

	retval = 0
	try:
	- if ((string.atoi(ret[0]) == major and string.atoi(ret[2]) >= minor)
	- or (string.atoi(ret[0]) > major)):
	+ if ((int(ret[0]) == major and int(ret[2]) >= minor)
	+ or (int(ret[0]) > major)):
	retval = 1
	except ValueError:
	- print "No C++ compiler found!"
	+ print("No C++ compiler found!")

	context.Result(retval)
	return retval
	@@ -62,7 +62,7 @@ def check_bzr_revision(context):
	b = branch.Branch.open('.')
	revision = str(b.revno())
	except:
	- print "failed"
	+ print("failed")

	context.env['BZR_REVISION'] = revision
	context.Result(revision)
	@@ -121,22 +121,22 @@ env = Environment(ENV = os.environ, variables = vars, package = PACKAGE)
	env['mode'] = 'debug' if env.get('debug') else 'release'
	env['build_path'] = BUILD_PATH + env['mode'] + '/'

	-if os.environ.has_key('CXX'):
	+if 'CXX' in os.environ:
	env['CXX'] = os.environ['CXX']
	else:
	- print 'CXX env variable is not set, attempting to use g++'
	+ print('CXX env variable is not set, attempting to use g++')
	env['CXX'] = 'g++'

	-if os.environ.has_key('CC'):
	+if 'CC' in os.environ:
	env['CC'] = os.environ['CC']

	-if os.environ.has_key('CXXFLAGS'):
	+if 'CXXFLAGS' in os.environ:
	env['CPPFLAGS'] = env['CXXFLAGS'] = os.environ['CXXFLAGS'].split()

	-if os.environ.has_key('LDFLAGS'):
	+if 'LDFLAGS' in os.environ:
	env['LINKFLAGS'] = os.environ['LDFLAGS'].split()

	-if os.environ.has_key('CFLAGS'):
	+if 'CFLAGS' in os.environ:
	env['CFLAGS'] = os.environ['CFLAGS'].split()

	env['CPPDEFINES'] = [] # Initialize as a list so Append doesn't concat strings
	@@ -186,32 +186,32 @@ conf = env.Configure(
	if not 'install' in COMMAND_LINE_TARGETS:

	if not conf.CheckCXXVersion(env['CXX'], 4, 1):
	- print 'Compiler version check failed. g++ 4.1 or later is needed'
	+ print('Compiler version check failed. g++ 4.1 or later is needed')
	Exit(1)

	if not conf.CheckPKGConfig():
	- print '\tpkg-config not found.'
	+ print('\tpkg-config not found.')
	Exit(1)

	if not conf.CheckPKG('gtk+-2.0 >= 2.12'):
	- print '\tgtk+ >= 2.12 not found.'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tgtk+ >= 2.12 not found.')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	if not conf.CheckPKG('gthread-2.0 >= 2.4'):
	- print '\tgthread >= 2.4 not found.'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tgthread >= 2.4 not found.')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	if not conf.CheckPKG('libglade-2.0 >= 2.4'):
	- print '\tlibglade-2.0 >= 2.4 not found.'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tlibglade-2.0 >= 2.4 not found.')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	-
	+
	if not conf.CheckCXXHeader('boost/version.hpp', '<>'):
	- print '\tboost not found.'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tboost not found.')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	if not conf.CheckHeader('time.h'):
	@@ -224,34 +224,34 @@ if not 'install' in COMMAND_LINE_TARGETS:
	Exit(1)

	if not conf.CheckLibWithHeader('pthread', 'pthread.h', 'c'):
	- print '\tpthread library not found'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tpthread library not found')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	if not conf.CheckLibWithHeader('z', 'zlib.h', 'c'):
	- print '\tz library (gzip/z compression) not found'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tz library (gzip/z compression) not found')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	if not conf.CheckLibWithHeader('bz2', 'bzlib.h', 'c'):
	- print '\tbz2 library (bz2 compression) not found'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tbz2 library (bz2 compression) not found')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	# This needs to be before ssl check on *BSD systems
	if not conf.CheckLib('crypto'):
	- print '\tcrypto library not found'
	- print '\tNote: This library may be a part of libssl on your system'
	+ print('\tcrypto library not found')
	+ print('\tNote: This library may be a part of libssl on your system')
	Exit(1)

	if not conf.CheckLibWithHeader('ssl', 'openssl/ssl.h', 'c'):
	- print '\tOpenSSL library (libssl) not found'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tOpenSSL library (libssl) not found')
	+ print('\tNote: You might have the lib but not the headers')
	Exit(1)

	# Needed for XFlush(). Headers shouldn't be needed since we include gdk/gdkx.h
	if not conf.CheckLib('X11'):
	- print '\tX11 library not found'
	+ print('\tX11 library not found')
	Exit(1)

	if not conf.CheckHeader('iconv.h'):
	@@ -264,8 +264,8 @@ if not 'install' in COMMAND_LINE_TARGETS:

	# TODO: Implement a plugin system so libnotify doesn't have compile-time dependencies
	if not conf.CheckPKG('libnotify >= 0.4.1'):
	- print '\tlibnotify >= 0.4.1 not found, disabling notifications.'
	- print '\tNote: You might have the lib but not the headers'
	+ print('\tlibnotify >= 0.4.1 not found, disabling notifications.')
	+ print('\tNote: You might have the lib but not the headers')
	else:
	conf.env.Append(CPPDEFINES = 'HAVE_LIBNOTIFY')
	conf.env.ParseConfig('pkg-config --libs libnotify')
	diff --git a/dcpp/CryptoManager.cpp b/dcpp/CryptoManager.cpp
	index 395846c..5b173db 100644
	--- a/dcpp/CryptoManager.cpp
	+++ b/dcpp/CryptoManager.cpp
	@@ -107,10 +107,13 @@ CryptoManager::CryptoManager()
	};

	if(dh) {
	- dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), 0);
	- dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), 0);
	+ BIGNUM *p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), 0);
	+ BIGNUM *q = BN_dup(DH_get0_q(dh));
	+ BIGNUM *g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), 0);

	- if (!dh->p \|\| !dh->g) {
	+ DH_set0_pqg(dh, p, q, g);
	+
	+ if (!p \|\| !g) {
	dh.reset();
	} else {
	SSL_CTX_set_options(serverContext, SSL_OP_SINGLE_DH_USE);
	#Contributor: SpepS <dreamspepser at yahoo dot it>
	# Contributor: Andrea Scarpino <andrea@archlinux.org>
	# Contributor: Tom K <tom@archlinux.org>
	# Contributor: kaptoxic <kaptoxic at yahoo dot com>

	pkgname=linuxdcpp
	pkgver=1.1.0
	pkgrel=8
	pkgdesc="A Gtk+ Direct Connect client based on DC++."
	url="https://launchpad.net/linuxdcpp/"
	license=('GPL')
	arch=('i686' 'x86_64')
	depends=('openssl' 'glib2' 'libglade' 'bzip2' 'libnotify' 'hicolor-icon-theme')
	makedepends=('scons' 'boost')
	conflicts=('linuxdcpp-bzr')
	source=(
	"$url${pkgver%%.?}/$pkgver/+download/$pkgname-$pkgver.tar.bz2"
	"linuxdcpp-sconstruct.patch"
	"CryptoManager.cpp"
	)

	prepare() {
	cd "$srcdir/$pkgname-$pkgver"
	patch -Np1 -i "$srcdir/linuxdcpp-sconstruct.patch"
	cat "$srcdir/CryptoManager.cpp" > dcpp/CryptoManager.cpp
	}

	build() {
	cd "$srcdir/$pkgname-$pkgver"

	scons PREFIX=/usr
	}

	package() {
	cd "$srcdir/$pkgname-$pkgver"

	scons install FAKE_ROOT="$pkgdir/"
	}