1 /*****************************************************************************\
5 **---------------------------------------------------------------------------**
6 ** Copyright: Andreas Eversberg **
10 \*****************************************************************************/
12 /* how authentication is performed:
15 -----------------------------------------------------------------
18 | -----> sending random number -----> (gets lost)
21 comparing | <----- sending random number <----- |
23 | -----> sending "slave" code -----> | slave state
27 done | -----> sending public key -----> |
31 | <----- sending session key <----- | done
32 decrypting | | enable crypt
40 When Bob and Alice activate their authentication process, they will make
43 Lets assume Alice starts encryption first. She activates the authentication
44 process. Bob hat not activates the process yet. Alice sends a random number
45 to Bob, but he will ignore it, because he is not listening.
47 Bob also activates the authentication process, and sends his random number.
48 Now Alice will receive that number and compares the values. If the values
49 are equal, the process will fail and Alice will send the message "LOOPED".
50 If Alice's random number is greater, she will identify herself as "master".
51 Bob will get a "SLAVE" message. Bob might also send a "MASTER" message,
52 if he got Alice's random number, due to parallel activation of the
55 After transmission or reception of a master message, more messages are
56 ignored. After reception of a "RANDOM" message, more messages are
57 ignored. A reception of a "RANDOM" message always causes to identify who
60 Now Alice starts calculating his public/private key pair, because she is
61 "master". When Bob receives the "SLAVE" message, he will change the timeout
62 value. If no random number or "SLAVE", "MASTER" or "LOOPED" is received within
63 a timeout value, the "ABORT" message is sent. If the "ABORT" message is
64 received at any state of the process, the process is aborted.
66 After the key of Alices is calculated, she will send it to Bob. Bob will use
67 the key to start encryption of a random session key. Both will change their
70 After Bob has finished is crypted session key, he will send it to Alice and
71 enable encryption. Bob has finished his process now.
73 As soon as Alice received the encrypted key, she will encrypt it and also
74 enable encryption with the same key as Bob. Alis has finished her process now.
76 Both will get displayed some of the first digits of the public key. Both can
77 talk about the digits now. A man in the middle cannot change the keys without
78 changing the public key. The voice of Alice and/or Bob is used to "sign" and
79 "check" that the public key is not modified.
81 If Alice or Bob wants to stop encryption, one will send the "ABORT" message.
82 After transmission or reception.
85 The states of the process:
93 Waiting for the remote random number or "MASTER", "SLAVE", "LOOPED" message.
97 The master generates the key and waits for the key engine to finish.
101 The slave waits for the master to send the key.
105 The slave generates the session key and waits for the encryption engine to
110 The master waits for the slave to send the crypted session key.
114 The master waits for the decryption engine to finish decryption of the session
119 The encryption is established.
124 CM_TO_IDENT = waiting for the remote party to enable encryption
125 CM_TO_KEY = waiting for key generation
126 CM_TO_CSKEY = waiting for session key encryption
127 CM_TO_DSKEY = waiting for session key decryption
130 Structure of message:
131 ---------------------
133 one octet message element
134 two octets element length (first octet = high-byte)
135 data as given in length
138 the message type is encoded as element
146 #include <sys/types.h>
148 #include <openssl/rsa.h>
153 /* convert key string to binary key vector
154 * returns 0 if an error ocurred
156 unsigned char *crypt_key(unsigned char *key, int *binary_len)
158 static unsigned char binary_key[2048];
161 binary_key[0] = '\0';
166 /* check for 0xXXXX... type of key */
167 if (!strncmp((char *)key, "0x", 2))
172 if (i == (int)sizeof(binary_key))
175 if (*key>='0' && *key<='9')
176 binary_key[i] = (*key-'0') << 8;
177 else if (*key>='a' && *key<='f')
178 binary_key[i] = (*key-'a'+10) << 8;
179 else if (*key>='A' && *key<='F')
180 binary_key[i] = (*key-'A'+10) << 8;
185 if (*key>='0' && *key<='9')
186 binary_key[i] += (*key - '0');
187 else if (*key>='a' && *key<='f')
188 binary_key[i] += (*key - 'a' + 10);
189 else if (*key>='A' && *key<='F')
190 binary_key[i] += (*key - 'A' + 10);
201 /* ascii key too long */
202 if (strlen((char *)key) >= sizeof((char *)binary_key))
205 memcpy(binary_key, key, strlen((char *)key));
206 *binary_len = strlen((char *)key);
211 * support routine to get cpu speed
213 static unsigned long get_bogomips(void)
218 fp = fopen("/proc/cpuinfo", "r");
221 PERROR("Cannot access /proc/cpuinfo. Will not use cpuinfo for identification of pear\n");
225 buffer[sizeof(buffer-1)] = '\0';
226 while(fgets(buffer, sizeof(buffer)-1, fp))
228 if (!!strncmp(buffer, "bogomips", 8))
230 if (!strchr(buffer, ':'))
232 p = strchr(buffer, ':')+1;
236 *strchr(p, '.') = '\0';
243 PERROR("Cannot find 'bogomips' in /proc/cpuinfo. Will not use cpuinfo for identification of pear\n");
251 static unsigned long crc_reflect(unsigned long ref, char ch)
253 unsigned long value = 0;
260 value |= 1 << (ch - i);
267 static unsigned long crc32_table[256];
268 static int crc_initialized = 0;
272 unsigned long ulPolynomial = 0x04c11db7;
278 crc32_table[i] = crc_reflect(i, 8) << 24;
282 crc32_table[i] = (crc32_table[i] << 1) ^ (crc32_table[i] & (1 << 31) ? ulPolynomial : 0);
285 crc32_table[i] = crc_reflect(crc32_table[i], 32);
291 unsigned long crc32(unsigned char *data, int len)
293 unsigned long crc = 0xffffffff;
295 if (!crc_initialized)
297 PERROR("crc not initialized, exitting...");
302 crc = (crc >> 8) ^ crc32_table[(crc & 0xFF) ^ *data++];
303 return(crc^0xffffffff);
309 /* give name of state */
310 static char *statename(int state)
312 if (state>=0 && state<cm_st_num)
313 return(cm_st_name[state]);
314 return("<<STATE UNKNOWN>>");
318 * authentication key generation, encryption, decryption
321 class EndpointAppPBX *apppbx;
325 static void *keyengine_child(void *arg)
327 struct auth_args *args = (struct auth_args *)arg;
328 class EndpointAppPBX *apppbx = args->apppbx;
336 struct sched_param schedp;
339 PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "EPOINT(%d) child process started for using libcrypto\n", apppbx->ea_endpoint->ep_serial);
341 /* lower priority to keep pbx running fluently */
342 if (options.schedule > 0)
344 memset(&schedp, 0, sizeof(schedp));
345 schedp.sched_priority = 0;
346 ret = sched_setscheduler(0, SCHED_OTHER, &schedp);
349 PERROR("Scheduling to normal priority failed (errno = %d).\nExitting child process...\n", errno);
356 /* generate rsa key pair */
359 PERROR("Not compliled wiht crypto.\n");
360 apppbx->e_crypt_keyengine_return = -1;
362 srandom(*((unsigned int *)mISDN_rand) ^ random());
363 // exponent = (((random()<<1)|1) & 0x7f) + 0x80; /* odd */
365 // if (exponent < 3) exponent = 3; /* >= 3 */
366 rsa = RSA_generate_key(RSA_BITS, exponent, NULL, NULL);
369 PERROR("Failed to generate rsa key pair.\n");
370 apppbx->e_crypt_keyengine_return = -1;
374 apppbx->e_crypt_rsa_n_len = BN_num_bytes(rsa->n);
375 if (apppbx->e_crypt_rsa_n_len > (int)sizeof(apppbx->e_crypt_rsa_n))
378 PERROR("e_crypt_rsa_* too small for bignum.\n");
379 apppbx->e_crypt_keyengine_return = -1;
384 BN_bn2bin(rsa->n, apppbx->e_crypt_rsa_n);
385 apppbx->e_crypt_rsa_n_len = BN_num_bytes(rsa->n);
386 if (apppbx->e_crypt_rsa_e_len > (int)sizeof(apppbx->e_crypt_rsa_e))
388 BN_bn2bin(rsa->e, apppbx->e_crypt_rsa_e);
389 apppbx->e_crypt_rsa_e_len = BN_num_bytes(rsa->e);
390 if (apppbx->e_crypt_rsa_d_len > (int)sizeof(apppbx->e_crypt_rsa_d))
392 BN_bn2bin(rsa->d, apppbx->e_crypt_rsa_d);
393 apppbx->e_crypt_rsa_p_len = BN_num_bytes(rsa->p);
394 if (apppbx->e_crypt_rsa_p_len > (int)sizeof(apppbx->e_crypt_rsa_p))
396 BN_bn2bin(rsa->p, apppbx->e_crypt_rsa_p);
397 apppbx->e_crypt_rsa_q_len = BN_num_bytes(rsa->q);
398 if (apppbx->e_crypt_rsa_q_len > (int)sizeof(apppbx->e_crypt_rsa_q))
400 BN_bn2bin(rsa->q, apppbx->e_crypt_rsa_q);
401 apppbx->e_crypt_rsa_dmp1_len = BN_num_bytes(rsa->dmp1);
402 if (apppbx->e_crypt_rsa_dmp1_len > (int)sizeof(apppbx->e_crypt_rsa_dmp1))
404 BN_bn2bin(rsa->dmp1, apppbx->e_crypt_rsa_dmp1);
405 apppbx->e_crypt_rsa_dmq1_len = BN_num_bytes(rsa->dmq1);
406 if (apppbx->e_crypt_rsa_dmq1_len > (int)sizeof(apppbx->e_crypt_rsa_dmq1))
408 BN_bn2bin(rsa->dmq1, apppbx->e_crypt_rsa_dmq1);
409 apppbx->e_crypt_rsa_iqmp_len = BN_num_bytes(rsa->iqmp);
410 if (apppbx->e_crypt_rsa_iqmp_len > (int)sizeof(apppbx->e_crypt_rsa_iqmp))
412 BN_bn2bin(rsa->iqmp, apppbx->e_crypt_rsa_iqmp);
413 PDEBUG(DEBUG_CRYPT, "gen: rsa n=%02x...\n", *apppbx->e_crypt_rsa_n);
414 PDEBUG(DEBUG_CRYPT, "gen: rsa e=%02x...\n", *apppbx->e_crypt_rsa_e);
415 PDEBUG(DEBUG_CRYPT, "gen: rsa d=%02x...\n", *apppbx->e_crypt_rsa_d);
416 PDEBUG(DEBUG_CRYPT, "gen: rsa p=%02x...\n", *apppbx->e_crypt_rsa_p);
417 PDEBUG(DEBUG_CRYPT, "gen: rsa q=%02x...\n", *apppbx->e_crypt_rsa_q);
418 PDEBUG(DEBUG_CRYPT, "gen: rsa dmp1=%02x...\n", *apppbx->e_crypt_rsa_dmp1);
419 PDEBUG(DEBUG_CRYPT, "gen: rsa dmq1=%02x...\n", *apppbx->e_crypt_rsa_dmq1);
420 PDEBUG(DEBUG_CRYPT, "gen: rsa iqmp=%02x...\n", *apppbx->e_crypt_rsa_iqmp);
421 apppbx->e_crypt_keyengine_return = 1;
427 /* encrypt session key */
430 PERROR("No crypto lib.\n");
431 apppbx->e_crypt_keyengine_return = -1;
433 /* generating session key */
434 srandom(*((unsigned int *)mISDN_rand) ^ random());
438 apppbx->e_crypt_key[i] = random();
439 apppbx->e_crypt_key[i] ^= mISDN_rand[random() & 0xff];
442 apppbx->e_crypt_key_len = i;
443 /* encrypt via rsa */
447 PERROR("Failed to allocate rsa structure.\n");
448 apppbx->e_crypt_keyengine_return = 1;
454 if (!rsa->n || !rsa->e)
456 PERROR("Failed to generate rsa structure.\n");
457 apppbx->e_crypt_keyengine_return = -1;
462 if (!BN_bin2bn(apppbx->e_crypt_rsa_n, apppbx->e_crypt_rsa_n_len, rsa->n))
465 PERROR("Failed to convert binary to bignum.\n");
466 apppbx->e_crypt_keyengine_return = -1;
471 if ((apppbx->e_crypt_rsa_n_len*8) != BN_num_bits(rsa->n))
473 PERROR("SOFTWARE API ERROR: length not equal stored data. (%d != %d)\n", apppbx->e_crypt_rsa_n_len*8, BN_num_bits(rsa->n));
474 apppbx->e_crypt_keyengine_return = -1;
479 if (!BN_bin2bn(apppbx->e_crypt_rsa_e, apppbx->e_crypt_rsa_e_len, rsa->e))
481 PDEBUG(DEBUG_CRYPT, "crypt: rsa n=%02x...\n", *apppbx->e_crypt_rsa_n);
482 PDEBUG(DEBUG_CRYPT, "crypt: rsa e=%02x...\n", *apppbx->e_crypt_rsa_e);
483 PDEBUG(DEBUG_CRYPT, "crypt: key =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_key[0], apppbx->e_crypt_key[1], apppbx->e_crypt_key[2], apppbx->e_crypt_key[3], apppbx->e_crypt_key_len);
484 apppbx->e_crypt_ckey_len = RSA_public_encrypt(
485 apppbx->e_crypt_key_len,
487 apppbx->e_crypt_ckey,
490 PDEBUG(DEBUG_CRYPT, "crypt: ckey =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_ckey[0], apppbx->e_crypt_ckey[1], apppbx->e_crypt_ckey[2], apppbx->e_crypt_ckey[3], apppbx->e_crypt_ckey_len);
493 if (apppbx->e_crypt_ckey_len > 0)
494 apppbx->e_crypt_keyengine_return = 1;
496 apppbx->e_crypt_keyengine_return = -1;
500 /* decrypt session key */
503 PERROR("No crypto lib.\n");
504 apppbx->e_crypt_keyengine_return = -1;
509 PERROR("Failed to allocate rsa structure.\n");
510 apppbx->e_crypt_keyengine_return = 1;
519 rsa->dmp1 = BN_new();
520 rsa->dmq1 = BN_new();
521 rsa->iqmp = BN_new();
522 if (!rsa->n || !rsa->e
523 || !rsa->d || !rsa->p
524 || !rsa->q || !rsa->dmp1
525 || !rsa->dmq1 || !rsa->iqmp)
527 PERROR("Failed to generate rsa structure.\n");
528 apppbx->e_crypt_keyengine_return = 1;
533 if (!BN_bin2bn(apppbx->e_crypt_rsa_n, apppbx->e_crypt_rsa_n_len, rsa->n))
536 PERROR("Failed to convert binary to bignum.\n");
537 apppbx->e_crypt_keyengine_return = -1;
542 if (!BN_bin2bn(apppbx->e_crypt_rsa_e, apppbx->e_crypt_rsa_e_len, rsa->e))
544 if (!BN_bin2bn(apppbx->e_crypt_rsa_d, apppbx->e_crypt_rsa_d_len, rsa->d))
546 if (!BN_bin2bn(apppbx->e_crypt_rsa_p, apppbx->e_crypt_rsa_p_len, rsa->p))
548 if (!BN_bin2bn(apppbx->e_crypt_rsa_q, apppbx->e_crypt_rsa_q_len, rsa->q))
550 if (!BN_bin2bn(apppbx->e_crypt_rsa_dmp1, apppbx->e_crypt_rsa_dmp1_len, rsa->dmp1))
552 if (!BN_bin2bn(apppbx->e_crypt_rsa_dmq1, apppbx->e_crypt_rsa_dmq1_len, rsa->dmq1))
554 if (!BN_bin2bn(apppbx->e_crypt_rsa_iqmp, apppbx->e_crypt_rsa_iqmp_len, rsa->iqmp))
556 PDEBUG(DEBUG_CRYPT, "decrypt: ckey =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_ckey[0], apppbx->e_crypt_ckey[1], apppbx->e_crypt_ckey[2], apppbx->e_crypt_ckey[3], apppbx->e_crypt_ckey_len);
557 apppbx->e_crypt_key_len = RSA_private_decrypt(
558 apppbx->e_crypt_ckey_len,
559 apppbx->e_crypt_ckey,
563 PDEBUG(DEBUG_CRYPT, "decrypt: key =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_key[0], apppbx->e_crypt_key[1], apppbx->e_crypt_key[2], apppbx->e_crypt_key[3], apppbx->e_crypt_key_len);
566 apppbx->e_crypt_keyengine_return = 1;
571 PERROR("Unknown job %d\n", job);
572 apppbx->e_crypt_keyengine_return = -1;
576 PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "child process done after using libcrypto with return value %d\n", apppbx->e_crypt_keyengine_return);
579 apppbx->ea_endpoint->ep_use--;
580 memset(args, 0, sizeof(struct auth_args));
586 void EndpointAppPBX::cryptman_keyengine(int job)
588 struct auth_args *arg;
591 if (e_crypt_keyengine_busy)
593 e_crypt_keyengine_return = -1;
594 PERROR("engine currently busy.\n");
598 arg = (struct auth_args *)calloc(1, sizeof(struct auth_args));
601 PERROR("failed to alloc memory.\n");
602 e_crypt_keyengine_return = -1;
608 e_crypt_keyengine_return = 0;
609 e_crypt_keyengine_busy = job;
611 ea_endpoint->ep_use++;
612 if ((pthread_create(&tid, NULL, keyengine_child, arg)<0))
614 ea_endpoint->ep_use--;
615 PERROR("failed to create keyengine-thread.\n");
616 e_crypt_keyengine_return = -1;
621 PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "send_mail(%d): child process created for doing crypto stuff\n", ea_endpoint->ep_serial);
626 /* handler for authentication (called by apppbx's handler)
628 void EndpointAppPBX::cryptman_handler(void)
630 if (e_crypt_keyengine_busy)
632 if (e_crypt_keyengine_return < 0)
634 e_crypt_keyengine_busy = 0;
635 cryptman_message(CK_ERROR_IND, NULL, 0);
637 if (e_crypt_keyengine_return > 0)
639 switch(e_crypt_keyengine_busy)
642 e_crypt_keyengine_busy = 0;
643 cryptman_message(CK_GENRSA_CONF, NULL, 0);
646 e_crypt_keyengine_busy = 0;
647 cryptman_message(CK_CPTRSA_CONF, NULL, 0);
650 e_crypt_keyengine_busy = 0;
651 cryptman_message(CK_DECRSA_CONF, NULL, 0);
657 /* check for event, make next event */
658 if (e_crypt_timeout_sec) if (e_crypt_timeout_sec<now_tv.tv_sec || (e_crypt_timeout_sec==now_tv.tv_sec && e_crypt_timeout_usec<now_tv.tv_usec))
660 e_crypt_timeout_sec = 0;
661 e_crypt_timeout_usec = 0;
662 cryptman_message(CT_TIMEOUT, NULL, 0);
668 * process message to the crypt manager
670 /* remote peer sends ident request */
671 void EndpointAppPBX::cr_ident(int message, unsigned char *param, int len)
673 unsigned char buf[4], *p;
674 unsigned long bogomips = 0, ran;
677 l = CM_SIZEOFINF(CM_INFO_RANDOM);
680 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) missing (or corrupt) random number, ignoring (len = %d)\n", ea_endpoint->ep_serial, l);
683 p = CM_GETINF(CM_INFO_RANDOM, buf);
684 ran = (p[0]<<24) + (p[1]<<16) + (p[2]<<8) + p[3];
685 l = CM_SIZEOFINF(CM_INFO_BOGOMIPS);
688 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) missing (or corrupt) random bogomips, just comparing random (len = %d)\n", ea_endpoint->ep_serial, l);
691 p = CM_GETINF(CM_INFO_BOGOMIPS, buf);
692 bogomips = (p[0]<<24) + (p[1]<<16) + (p[2]<<8) + p[3];
693 if (e_crypt_bogomips > bogomips)
695 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is faster, so we are master (%d > %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
696 cr_master(message, NULL, 0);
699 if (e_crypt_bogomips < bogomips)
701 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is slower, so we are slave (%d < %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
702 cr_slave(message, NULL, 0);
705 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is equal speed, so we check for random value (%d == %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
707 /* bogomips are equal, so we compare */
708 if (e_crypt_random > ran)
710 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our random value is greater, so we are master (%d > %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
711 cr_master(message, NULL, 0);
714 if (e_crypt_random < ran)
716 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our random value is smaller, so we are slave (%d < %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
717 cr_slave(message, NULL, 0);
720 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) random values are equal, so we are looped (%d == %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
721 cr_looped(message, NULL, 0);
724 /* key-exchange activation by the user */
725 void EndpointAppPBX::cr_activate(int message, unsigned char *param, int len)
727 unsigned char buf[128] = "";
729 unsigned char bogomips[4], ran[4];
731 /* activate listener */
732 cryptman_msg2crengine(CR_LISTEN_REQ, NULL, 0);
733 /* send ident message */
735 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
736 /* random number element */
737 srandom(now_tv.tv_sec ^ now_tv.tv_usec ^ random());
738 e_crypt_random = random();
739 ran[0] = e_crypt_random >> 24;
740 ran[1] = e_crypt_random >> 16;
741 ran[2] = e_crypt_random >> 8;
742 ran[3] = e_crypt_random;
743 CM_ADDINF(CM_INFO_RANDOM, 4, ran);
744 /* cpu speed element */
745 e_crypt_bogomips = get_bogomips();
746 if (e_crypt_bogomips > 0)
748 bogomips[0] = e_crypt_bogomips >> 24;
749 bogomips[1] = e_crypt_bogomips >> 16;
750 bogomips[2] = e_crypt_bogomips >> 8;
751 bogomips[3] = e_crypt_bogomips;
752 CM_ADDINF(CM_INFO_BOGOMIPS, 4, bogomips);
754 /* send ident message */
755 cryptman_msg2peer(buf);
757 cryptman_state(CM_ST_IDENT);
759 cryptman_timeout(CM_TO_IDENT);
762 /* deactivation by the user */
763 void EndpointAppPBX::cr_deactivate(int message, unsigned char *param, int len)
765 unsigned char buf[128] = "";
768 /* deactivate listener (if not already) */
769 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
772 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
773 cryptman_msg2peer(buf);
774 /* deactivate encryption */
775 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
777 cryptman_state(CM_ST_NULL);
778 /* send message to user */
779 cryptman_msg2user(CU_DACT_CONF, "Deactivated");
782 /* remote peer tells us to be master */
783 void EndpointAppPBX::cr_master(int message, unsigned char *param, int len)
785 unsigned char buf[128] = "";
788 /* change to master state */
789 cryptman_state(CM_ST_KEYGEN);
790 if (message == CP_IDENT)
792 /* send you-are-slave-message */
794 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
795 cryptman_msg2peer(buf);
797 /* start generation of key */
798 cryptman_keyengine(CK_GENRSA_REQ);
799 /* disable timeout */
801 /* send message to user */
802 cryptman_msg2user(CU_INFO_IND, "Master");
805 /* remote peer tells us to be slave */
806 void EndpointAppPBX::cr_slave(int message, unsigned char *param, int len)
808 unsigned char buf[128] = "";
811 /* change to slave state */
812 cryptman_state(CM_ST_KEYWAIT);
813 if (message == CP_IDENT)
815 /* send you-are-slave-message */
818 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
819 cryptman_msg2peer(buf);
822 cryptman_timeout(CM_TO_PUBKEY);
823 /* send message to user */
824 cryptman_msg2user(CU_INFO_IND, "Slave");
827 /* remote peer tells us about loop */
828 void EndpointAppPBX::cr_looped(int message, unsigned char *param, int len)
830 unsigned char buf[128] = "";
833 /* change to idle state */
834 cryptman_state(CM_ST_NULL);
835 /* deactivate listener */
836 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
837 if (message == CP_IDENT)
842 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
843 cryptman_msg2peer(buf);
845 /* disable timeout */
847 /* send message to user */
848 cryptman_msg2user(CU_ERROR_IND, "Loop Detected");
852 void EndpointAppPBX::cr_abort(int message, unsigned char *param, int len)
854 /* if already encrypting */
855 if (e_crypt_state==CM_ST_WAIT_CRYPT
856 || e_crypt_state==CM_ST_SWAIT
857 || e_crypt_state==CM_ST_ACTIVE)
859 /* deactivate blowfish */
860 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
862 /* change to idle state */
863 cryptman_state(CM_ST_NULL);
864 /* deactivate listener */
865 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
866 /* disable timeout */
868 /* send message to user */
869 if (message == CT_TIMEOUT)
870 cryptman_msg2user(CU_ERROR_IND, "Timeout");
871 else if (message == CP_ABORT)
872 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
874 cryptman_msg2user(CU_DACT_IND, NULL);
877 /* abort but wait for engine to release*/
878 void EndpointAppPBX::cr_abort_engine(int message, unsigned char *param, int len)
880 /* change to release state */
881 cryptman_state(CM_ST_RELEASE);
882 /* deactivate listener */
883 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
884 /* disable timeout */
886 /* send message to user */
887 if (message == CT_TIMEOUT)
888 cryptman_msg2user(CU_ERROR_IND, "Timeout");
889 else if (message == CP_ABORT)
890 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
892 cryptman_msg2user(CU_DACT_IND, NULL);
895 /* abort and disable crypt engine */
896 void EndpointAppPBX::cr_abort_wait(int message, unsigned char *param, int len)
898 /* change to idle state */
899 cryptman_state(CM_ST_NULL);
900 /* deactivate listener (if not already) */
901 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
902 /* deactivate blowfish */
903 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
904 /* disable timeout */
906 /* send message to user */
907 if (message == CT_TIMEOUT)
908 cryptman_msg2user(CU_ERROR_IND, "Timeout");
909 else if (message == CP_ABORT)
910 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
912 cryptman_msg2user(CU_DACT_IND, NULL);
915 /* key engine tells us that the rsa is ready */
916 void EndpointAppPBX::cr_genrsa(int message, unsigned char *param, int len)
918 unsigned char buf[1024] = "";
921 /* change to wait for crypted session key state */
922 cryptman_state(CM_ST_CSWAIT);
925 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
926 CM_ADDINF(CM_INFO_PUBKEY, e_crypt_rsa_n_len, &e_crypt_rsa_n);
927 CM_ADDINF(CM_INFO_PUBEXPONENT, e_crypt_rsa_e_len, &e_crypt_rsa_e);
928 cryptman_msg2peer(buf);
930 cryptman_timeout(CM_TO_CSKEY);
933 /* our engine has a key error */
934 void EndpointAppPBX::cr_keyerror(int message, unsigned char *param, int len)
936 unsigned char buf[128] = "";
939 /* change to idle state */
940 cryptman_state(CM_ST_NULL);
941 /* deactivate listener */
942 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
945 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
946 cryptman_msg2peer(buf);
947 /* send message to user */
948 cryptman_msg2user(CU_ERROR_IND, "Local Key Error");
951 /* remote sends us the rsa public key */
952 void EndpointAppPBX::cr_pubkey(int message, unsigned char *param, int len)
954 unsigned char buf[128] = "";
955 unsigned char msg = CMSG_ABORT;
958 l = CM_SIZEOFINF(CM_INFO_PUBKEY);
959 if (l<1 || l>(int)sizeof(e_crypt_rsa_n))
962 /* change to idle state */
963 cryptman_state(CM_ST_NULL);
964 /* deactivate listener */
965 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
967 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
968 cryptman_msg2peer(buf);
969 /* send message to user */
970 cryptman_msg2user(CU_ERROR_IND, "Remote Key Error");
973 CM_GETINF(CM_INFO_PUBKEY, e_crypt_rsa_n);
974 e_crypt_rsa_n_len = l;
975 l = CM_SIZEOFINF(CM_INFO_PUBEXPONENT);
976 if (l<1 || l>(int)sizeof(e_crypt_rsa_e))
978 CM_GETINF(CM_INFO_PUBEXPONENT, e_crypt_rsa_e);
979 e_crypt_rsa_e_len = l;
980 /* change to generating encrypted sessnion key state */
981 cryptman_state(CM_ST_CSKEY);
982 /* start generation of crypted session key */
983 cryptman_keyengine(CK_CPTRSA_REQ);
984 /* disable timeout */
988 /* key engine tells us that the crypted session key is ready */
989 void EndpointAppPBX::cr_cptrsa(int message, unsigned char *param, int len)
991 unsigned char buf[1024] = "";
992 unsigned char msg = CMSG_CSKEY;
994 /* change to wait for crypt engine state */
995 cryptman_state(CM_ST_WAIT_DELAY);
997 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
998 CM_ADDINF(CM_INFO_CSKEY, e_crypt_ckey_len, &e_crypt_ckey);
999 cryptman_msg2peer(buf);
1000 /* deactivate listener */
1001 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1003 cryptman_timeout(1);
1006 /* now we waited for the remote to receive and decrypt the session key */
1007 void EndpointAppPBX::cr_waitdelay(int message, unsigned char *param, int len)
1009 /* change to wait for crypt engine state */
1010 cryptman_state(CM_ST_WAIT_CRYPT);
1011 /* disable timeout */
1012 cryptman_timeout(0);
1013 /* send message to crypt engine */
1014 cryptman_msg2crengine(CC_ACTBF_REQ, e_crypt_key, e_crypt_key_len);
1017 /* remote sends us the crypted session key */
1018 void EndpointAppPBX::cr_cskey(int message, unsigned char *param, int len)
1020 unsigned char buf[128] = "";
1021 unsigned char msg = CMSG_ABORT;
1024 /* disable timeout */
1025 cryptman_timeout(0);
1026 l = CM_SIZEOFINF(CM_INFO_CSKEY);
1027 if (l<1 || l>(int)sizeof(e_crypt_ckey))
1029 /* change to idle state */
1030 cryptman_state(CM_ST_NULL);
1031 /* deactivate listener */
1032 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1034 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
1035 cryptman_msg2peer(buf);
1036 /* send message to user */
1037 cryptman_msg2user(CU_ERROR_IND, "Remote Key Error");
1040 CM_GETINF(CM_INFO_CSKEY, e_crypt_ckey);
1041 e_crypt_ckey_len = l;
1042 /* change to generating decrypted session key state */
1043 cryptman_state(CM_ST_SESSION);
1044 /* start generation of decrypted session key */
1045 cryptman_keyengine(CK_DECRSA_REQ);
1048 /* key engine tells us that the decrypted session key is ready */
1049 void EndpointAppPBX::cr_decrsa(int message, unsigned char *param, int len)
1051 /* change to wait for crypt engine state */
1052 cryptman_state(CM_ST_WAIT_CRYPT);
1053 /* deactivate listener */
1054 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1055 /* send message to crypt engine */
1056 cryptman_msg2crengine(CC_ACTBF_REQ, e_crypt_key, e_crypt_key_len);
1059 /* blowfish now active */
1060 void EndpointAppPBX::cr_bfactive(int message, unsigned char *param, int len)
1064 /* change to active state */
1065 cryptman_state(CM_ST_ACTIVE);
1066 /* send message to user */
1067 SPRINT(text, "PUB %02x%02x %02x%02x %02x%02x %02x%02x", e_crypt_key[0], e_crypt_key[1], e_crypt_key[2], e_crypt_key[3], e_crypt_key[4], e_crypt_key[5], e_crypt_key[6], e_crypt_key[7]);
1068 cryptman_msg2user(CU_ACTK_CONF, text);
1071 /* our crypt engine sends an error */
1072 void EndpointAppPBX::cr_crypterror(int message, unsigned char *param, int len)
1074 unsigned char buf[128] = "";
1075 unsigned char msg = CMSG_ABORT;
1077 /* change to idle state */
1078 cryptman_state(CM_ST_NULL);
1079 /* deactivate listener */
1080 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1082 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
1083 cryptman_msg2peer(buf);
1084 /* send message to user */
1085 cryptman_msg2user(CU_ERROR_IND, "Blowfish Error");
1088 /* engine is done, now we are done with release */
1089 void EndpointAppPBX::cr_release(int message, unsigned char *param, int len)
1091 /* change to idle state */
1092 cryptman_state(CM_ST_NULL);
1095 /* activate using shared key */
1096 void EndpointAppPBX::cr_sactivate(int message, unsigned char *param, int len)
1098 /* change to 'wait for crypt engine' state */
1099 cryptman_state(CM_ST_SWAIT);
1100 /* disable timeout */
1101 cryptman_timeout(0);
1102 /* send key to crypt engine */
1103 cryptman_msg2crengine(CC_ACTBF_REQ, param, len);
1106 /* share key deactivation by the user */
1107 void EndpointAppPBX::cr_sdeactivate(int message, unsigned char *param, int len)
1109 /* deactivate encryption */
1110 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
1112 cryptman_state(CM_ST_NULL);
1113 /* send message to user */
1114 cryptman_msg2user(CU_DACT_CONF, NULL);
1117 /* shared key abort */
1118 void EndpointAppPBX::cr_sabort(int message, unsigned char *param, int len)
1120 /* change to idle state */
1121 cryptman_state(CM_ST_NULL);
1122 /* send message to user */
1123 cryptman_msg2user(CU_DACT_IND, "Deactivated");
1126 /* shared key: our crypt engine sends an error */
1127 void EndpointAppPBX::cr_scrypterror(int message, unsigned char *param, int len)
1129 /* change to idle state */
1130 cryptman_state(CM_ST_NULL);
1131 /* send message to user */
1132 cryptman_msg2user(CU_ERROR_IND, "Blowfish Error");
1135 /* blowfish now active */
1136 void EndpointAppPBX::cr_sbfactive(int message, unsigned char *param, int len)
1140 /* change to active state */
1141 cryptman_state(CM_ST_SACTIVE);
1142 /* send message to user */
1143 SPRINT(text, "Call Secure");
1144 cryptman_msg2user(CU_ACTS_CONF, text);
1147 /* user requests info */
1148 void EndpointAppPBX::cr_info(int message, unsigned char *param, int len)
1150 /* send message to user */
1151 cryptman_msg2user(CU_INFO_CONF, e_crypt_info);
1157 void EndpointAppPBX::cryptman_message(int message, unsigned char *param, int len)
1159 char *msgtext = "<<UNKNOWN MESSAGE>>";
1161 if (message>=0 && message<cm_msg_num)
1162 msgtext = cm_msg_name[message];
1164 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) CRYPT MANAGER in state '%s' received message: %s len: %d\n", ea_endpoint->ep_serial, statename(e_crypt_state), msgtext, len);
1167 if (message == CU_INFO_REQ)
1168 { cr_info(message, param, len); return; }
1170 switch(e_crypt_state)
1174 if (message == CU_ACTK_REQ) /* request key-exchange encryption */
1175 { cr_activate(message, param, len); return; }
1176 if (message == CU_ACTS_REQ) /* request shared encryption */
1177 { cr_sactivate(message, param, len); return; }
1180 /* identifying state */
1182 if (message == CP_IDENT) /* request encryption */
1183 { cr_ident(message, param, len); return; }
1184 if (message == CP_SLAVE) /* we are slave */
1185 { cr_slave(message, param, len); return; }
1186 if (message == CP_MASTER) /* we are master */
1187 { cr_master(message, param, len); return; }
1188 if (message == CP_LOOPED) /* we are looped */
1189 { cr_looped(message, param, len); return; }
1190 if (message == CI_DISCONNECT_IND /* request aborting */
1191 || message == CT_TIMEOUT /* timeout */
1192 || message == CP_ABORT) /* request aborting */
1193 { cr_abort(message, param, len); return; }
1196 /* generating public key state */
1198 if (message == CK_GENRSA_CONF) /* public key is done */
1199 { cr_genrsa(message, param, len); return; }
1200 if (message == CK_ERROR_IND) /* key failed */
1201 { cr_keyerror(message, param, len); return; }
1202 if (message == CI_DISCONNECT_IND /* request aborting */
1203 || message == CP_ABORT) /* request aborting */
1204 { cr_abort_engine(message, param, len); return; }
1207 /* waiting for public key state */
1209 if (message == CP_PUBKEY) /* getting public key from remote */
1210 { cr_pubkey(message, param, len); return; }
1211 if (message == CI_DISCONNECT_IND /* request aborting */
1212 || message == CT_TIMEOUT /* timeout */
1213 || message == CP_ABORT) /* request aborting */
1214 { cr_abort(message, param, len); return; }
1217 /* generating crypted session key state */
1219 if (message == CK_CPTRSA_CONF) /* crypted session key is done */
1220 { cr_cptrsa(message, param, len); return; }
1221 if (message == CK_ERROR_IND) /* key failed */
1222 { cr_keyerror(message, param, len); return; }
1223 if (message == CI_DISCONNECT_IND /* request aborting */
1224 || message == CP_ABORT) /* request aborting */
1225 { cr_abort_engine(message, param, len); return; }
1228 /* waiting for crypted session key state */
1230 if (message == CP_CSKEY) /* getting crypted session key from remote */
1231 { cr_cskey(message, param, len); return; }
1232 if (message == CI_DISCONNECT_IND /* request aborting */
1233 || message == CT_TIMEOUT /* timeout */
1234 || message == CP_ABORT) /* request aborting */
1235 { cr_abort(message, param, len); return; }
1238 /* generating decrypted session key state */
1240 if (message == CK_DECRSA_CONF) /* decrypted is done */
1241 { cr_decrsa(message, param, len); return; }
1242 if (message == CK_ERROR_IND) /* key failed */
1243 { cr_keyerror(message, param, len); return; }
1244 if (message == CI_DISCONNECT_IND /* request aborting */
1245 || message == CP_ABORT) /* request aborting */
1246 { cr_abort_engine(message, param, len); return; }
1249 /* wait encryption on state */
1250 case CM_ST_WAIT_DELAY:
1251 if (message == CT_TIMEOUT) /* timeout of delay */
1252 { cr_waitdelay(message, param, len); return; }
1253 if (message == CC_ERROR_IND) /* encrpytion error */
1254 { cr_crypterror(message, param, len); return; }
1255 if (message == CI_DISCONNECT_IND /* request aborting */
1256 || message == CP_ABORT) /* request aborting */
1257 { cr_abort_wait(message, param, len); return; }
1260 /* wait encryption on state */
1261 case CM_ST_WAIT_CRYPT:
1262 if (message == CC_ACTBF_CONF) /* encrpytion active */
1263 { cr_bfactive(message, param, len); return; }
1264 if (message == CC_ERROR_IND) /* encrpytion error */
1265 { cr_crypterror(message, param, len); return; }
1266 if (message == CI_DISCONNECT_IND /* request aborting */
1267 || message == CP_ABORT) /* request aborting */
1268 { cr_abort_wait(message, param, len); return; }
1273 if (message == CU_DACT_REQ) /* deactivating encryption */
1274 { cr_deactivate(message, param, len); return; }
1275 if (message == CI_DISCONNECT_IND /* request aborting */
1276 || message == CP_ABORT) /* request aborting */
1277 { cr_abort(message, param, len); return; }
1281 /* engine done after abort state */
1283 if (message == CK_GENRSA_CONF /* engine done */
1284 || message == CK_CPTRSA_CONF /* engine done */
1285 || message == CK_DECRSA_CONF /* engine done */
1286 || message == CK_ERROR_IND) /* engine error */
1287 { cr_release(message, param, len); return; }
1290 /* shared active state */
1292 if (message == CU_DACT_REQ) /* deactivating encryption */
1293 { cr_sdeactivate(message, param, len); return; }
1294 if (message == CI_DISCONNECT_IND) /* request aborting */
1295 { cr_sabort(message, param, len); return; }
1298 /* wait shared encryption on state */
1300 if (message == CC_ACTBF_CONF) /* encrpytion active */
1301 { cr_sbfactive(message, param, len); return; }
1302 if (message == CC_ERROR_IND) /* encrpytion error */
1303 { cr_scrypterror(message, param, len); return; }
1304 if (message == CI_DISCONNECT_IND) /* request aborting */
1305 { cr_sabort(message, param, len); return; }
1310 PDEBUG(DEBUG_CRYPT, "message not handled in state %d\n", e_crypt_state);
1315 * analyze the message element within the received message from peer and call 'cryptman_message'
1317 void EndpointAppPBX::cryptman_msg2man(unsigned char *param, int len)
1323 /* check if frame is correct */
1324 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) message from peer to crypt_manager.\n", ea_endpoint->ep_serial);
1327 PDEBUG(DEBUG_CRYPT, "ignoring message with 0-length.\n");
1336 PDEBUG(DEBUG_CRYPT, "end of message without 0-termination.\n");
1341 PDEBUG(DEBUG_CRYPT, "message with element size, outside the frame length.\n");
1344 l = (p[1]<<8) + p[2];
1345 // PDEBUG(DEBUG_CRYPT, " inf %d (len = %d)\n", *p, l);
1348 PDEBUG(DEBUG_CRYPT, "message with element data, outside the frame length.\n");
1356 PDEBUG(DEBUG_CRYPT, "warning: received null-element before end of frame.\n");
1359 l = CM_SIZEOFINF(CM_INFO_MESSAGE);
1362 PDEBUG(DEBUG_CRYPT, "received message without (valid) message element (len = %d)\n", len);
1365 CM_GETINF(CM_INFO_MESSAGE, &msg);
1369 cryptman_message(CP_IDENT, param, len);
1372 cryptman_message(CP_SLAVE, param, len);
1375 cryptman_message(CP_MASTER, param, len);
1378 cryptman_message(CP_PUBKEY, param, len);
1381 cryptman_message(CP_CSKEY, param, len);
1384 cryptman_message(CP_ABORT, param, len);
1387 PDEBUG(DEBUG_CRYPT, "received unknown message element %d\n", msg);
1391 /* add information element to buffer
1393 void EndpointAppPBX::cryptman_addinf(unsigned char *buf, int buf_size, int element, int len, void *data)
1397 /* skip what we already have in the buffer */
1400 l = (buf[1]<<8) + buf[2];
1401 if (l >= buf_size-3)
1403 PERROR("EPOINT(%d) buffer overflow while adding information to peer message.\n", ea_endpoint->ep_serial);
1409 /* check if we have not enough space to add element including id, len, data, and the null-termination */
1410 if (len+4 > buf_size)
1412 PERROR("EPOINT(%d) cannot add element to message, because buffer would overflow.\n", ea_endpoint->ep_serial);
1418 memcpy(buf+3, data, len);
1422 /* get size of element in buffer
1424 int EndpointAppPBX::cryptman_sizeofinf(unsigned char *buf, int element)
1428 /* skip what we already have in the buffer */
1431 l = (buf[1]<<8) + buf[2];
1432 if (buf[0] == element)
1440 /* get information element from buffer
1442 unsigned char *EndpointAppPBX::cryptman_getinf(unsigned char *buf, int element, unsigned char *to)
1446 /* skip what we already have in the buffer */
1449 l = (buf[1]<<8) + buf[2];
1450 if (buf[0] == element)
1452 memcpy(to, buf+3, l);
1461 /* send message to peer
1463 void EndpointAppPBX::cryptman_msg2peer(unsigned char *buf)
1465 struct message *message;
1466 unsigned char *p = buf;
1473 l = (p[1]<<8) + p[2];
1477 if (len+1 > (int)sizeof(message->param.crypt.data))
1479 PERROR("EPOINT(%d) message larger than allowed in param->crypt.data.\n", ea_endpoint->ep_serial);
1483 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_CRYPT);
1484 message->param.crypt.type = CR_MESSAGE_REQ;
1485 message->param.crypt.len = len+1;
1486 memcpy(message->param.crypt.data, buf, len+1);
1487 message_put(message);
1489 if (options.deb & DEBUG_CRYPT)
1491 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message\n", ea_endpoint->ep_serial);
1495 l = (p[1]<<8) + p[2];
1496 PDEBUG(DEBUG_CRYPT, " inf %d (len = %d)\n", p[0], l);
1503 /* send message to crypt engine
1505 void EndpointAppPBX::cryptman_msg2crengine(int msg, unsigned char *buf, int len)
1507 struct message *message;
1509 if (len > (int)sizeof(message->param.crypt.data))
1511 PERROR("EPOINT(%d) message larger than allowed in param->crypt.data.\n", ea_endpoint->ep_serial);
1515 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_CRYPT);
1516 message->param.crypt.type = msg;
1517 message->param.crypt.len = len;
1519 memcpy(message->param.crypt.data, buf, len);
1520 message_put(message);
1522 if (options.deb & DEBUG_CRYPT)
1524 char *msgtext = "<<UNKNOWN MESSAGE>>";
1526 if (msg>=0 && msg<cm_msg_num)
1527 msgtext = cm_msg_name[msg];
1528 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message '%s' (len = %d)\n", ea_endpoint->ep_serial, msgtext, len);
1532 /* send message to user
1534 void EndpointAppPBX::cryptman_msg2user(int msg, char *text)
1536 struct message *message;
1538 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_call_id, EPOINT_TO_CALL, MESSAGE_CRYPT);
1539 message->param.crypt.type = msg;
1542 SCPY(e_crypt_info, text);
1545 UNCPY((char *)message->param.crypt.data, e_crypt_info, sizeof(message->param.crypt.data)-1);
1546 message->param.crypt.len = strlen((char *)message->param.crypt.data)+1;
1548 message_put(message);
1550 if (options.deb & DEBUG_CRYPT)
1552 char *msgtext = "<<UNKNOWN MESSAGE>>";
1554 if (msg>=0 && msg<cm_msg_num)
1555 msgtext = cm_msg_name[msg];
1556 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message '%s' (text = %s)\n", ea_endpoint->ep_serial, msgtext, text?text:"");
1562 void EndpointAppPBX::cryptman_state(int state)
1564 PDEBUG(DEBUG_CRYPT, "Changing state from %s to %s\n", statename(e_crypt_state), statename(state));
1565 e_crypt_state = state;
1571 void EndpointAppPBX::cryptman_timeout(int secs)
1575 e_crypt_timeout_sec = now_tv.tv_sec+secs;
1576 e_crypt_timeout_usec = now_tv.tv_usec;
1577 PDEBUG(DEBUG_CRYPT, "Changing timeout to %d seconds\n", secs);
1580 e_crypt_timeout_sec = 0;
1581 e_crypt_timeout_usec = 0;
1582 PDEBUG(DEBUG_CRYPT, "turning timeout off\n", secs);
1586 /* encode a message to be sent via b-channel
1588 int cryptman_encode_bch(unsigned char *data, int len, unsigned char *buf, int buf_len)
1593 len--; /* without null-termination */
1594 if (buf_len < len+overhead)
1596 PERROR("frame too long for buffer");
1599 PDEBUG(DEBUG_CRYPT, "encoding a block of %d bytes.\n", len);
1601 /* write identification sequence to the header */
1602 UNCPY((char *)buf, "CRYPTMAN" ,8);
1604 /* length + checksumme */
1606 buf[1] = len & 0xff;
1607 crc = crc32(buf, 2);
1614 /* data + checksumme */
1615 memcpy(buf, data, len);
1616 crc = crc32(buf, len);
1623 return(len + overhead);
1626 /* decode a message from b-channel
1628 void PmISDN::cryptman_listen_bch(unsigned char *p, int l)
1631 struct message *message;
1637 /* check for the keyword */
1638 if (p_m_crypt_listen_state == 0)
1640 while((*p++)!='C' && l)
1645 p_m_crypt_listen_state++;
1649 if (p_m_crypt_listen_state < 8)
1651 i = p_m_crypt_listen_state;
1655 if (*p++ != "CRYPTMAN"[i])
1657 p_m_crypt_listen_state = 0;
1660 p_m_crypt_listen_state++;
1668 /* high byte of length */
1669 if (p_m_crypt_listen_state == 8)
1671 p_m_crypt_listen_len = (*p++) << 8;
1672 p_m_crypt_listen_state++;
1676 /* low byte of length */
1677 if (p_m_crypt_listen_state == 9)
1679 p_m_crypt_listen_len += *p++;
1680 p_m_crypt_listen_state++;
1685 if (p_m_crypt_listen_state == 10)
1687 p_m_crypt_listen_crc = (*p++) << 24;
1688 p_m_crypt_listen_state++;
1692 if (p_m_crypt_listen_state == 11)
1694 p_m_crypt_listen_crc += (*p++) << 16;
1695 p_m_crypt_listen_state++;
1699 if (p_m_crypt_listen_state == 12)
1701 p_m_crypt_listen_crc += (*p++) << 8;
1702 p_m_crypt_listen_state++;
1706 if (p_m_crypt_listen_state == 13)
1708 unsigned char lencheck[2];
1709 p_m_crypt_listen_crc += *p++;
1711 lencheck[0] = p_m_crypt_listen_len >> 8;
1712 lencheck[1] = p_m_crypt_listen_len & 0xff;
1713 if (crc32(lencheck, 2) != p_m_crypt_listen_crc)
1715 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but checksumme of length is incorrect (must %08x is %08x\n", p_name, p_m_crypt_listen_len, crc32(lencheck, 2), p_m_crypt_listen_crc);
1716 p_m_crypt_listen_state = 0;
1719 if (p_m_crypt_listen_len > (int)sizeof(p_m_crypt_listen_msg))
1721 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but too big for buffer (%d bytes)\n", p_name, p_m_crypt_listen_len, sizeof(p_m_crypt_listen_msg));
1722 p_m_crypt_listen_state = 0;
1725 if (!p_m_crypt_listen_len)
1727 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of 0 bytes\n", p_name);
1728 p_m_crypt_listen_state = 0;
1731 p_m_crypt_listen_state++;
1736 while (p_m_crypt_listen_state>=14 && p_m_crypt_listen_state<(p_m_crypt_listen_len+14))
1738 p_m_crypt_listen_msg[p_m_crypt_listen_state-14] = *p++;
1739 p_m_crypt_listen_state++;
1744 if (p_m_crypt_listen_state == 14+p_m_crypt_listen_len)
1746 p_m_crypt_listen_crc = (*p++) << 24;
1747 p_m_crypt_listen_state++;
1751 if (p_m_crypt_listen_state == 15+p_m_crypt_listen_len)
1753 p_m_crypt_listen_crc += (*p++) << 16;
1754 p_m_crypt_listen_state++;
1758 if (p_m_crypt_listen_state == 16+p_m_crypt_listen_len)
1760 p_m_crypt_listen_crc += (*p++) << 8;
1761 p_m_crypt_listen_state++;
1765 if (p_m_crypt_listen_state == 17+p_m_crypt_listen_len)
1768 p_m_crypt_listen_crc += *p++;
1770 if (crc32(p_m_crypt_listen_msg, p_m_crypt_listen_len) != p_m_crypt_listen_crc)
1772 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but checksumme of data block is incorrect\n", p_name, p_m_crypt_listen_len);
1773 p_m_crypt_listen_state = 0;
1778 /* now send message */
1779 p_m_crypt_listen_state = 0;
1780 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes sending to crypt manager\n", p_name, p_m_crypt_listen_len);
1781 if ((int)sizeof(message->param.crypt.data) < p_m_crypt_listen_len+1) /* null-terminated */
1783 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes that is too large for message buffer\n", p_name, p_m_crypt_listen_len);
1788 message = message_create(p_serial, ACTIVE_EPOINT(p_epointlist), PORT_TO_EPOINT, MESSAGE_CRYPT);
1789 message->param.crypt.type = CR_MESSAGE_IND;
1790 message->param.crypt.len = p_m_crypt_listen_len+1; /* null termination */
1791 memcpy(message->param.crypt.data, p_m_crypt_listen_msg, p_m_crypt_listen_len);
1792 message_put(message);
1793 p_m_crypt_listen_state = 0;
1801 /* encrypt call using share secret (keypad function)
1803 void EndpointAppPBX::encrypt_shared(void)
1805 struct message *message;
1810 char *auth_pointer, *crypt_pointer, *key_pointer;
1813 /* redisplay current crypt display */
1814 if (e_crypt != CRYPT_OFF)
1816 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption in progress, so we request the current message.\n", ea_endpoint->ep_serial);
1817 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_call_id, EPOINT_TO_CALL, MESSAGE_CRYPT);
1818 message->param.crypt.type = CU_INFO_REQ;
1819 message_put(message);
1823 if (check_external(&errstr, &port))
1826 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1827 SCPY(message->param.notifyinfo.display, errstr);
1828 message_put(message);
1829 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1834 /* check the key for the call */
1835 if (port->p_type==PORT_TYPE_DSS1_TE_OUT || port->p_type==PORT_TYPE_DSS1_NT_OUT)
1836 ret = parse_secrets((char *)e_ext.number, (char *)port->p_dialinginfo.id, &auth_pointer, &crypt_pointer, &key_pointer);
1839 if (!port->p_callerinfo.id[0])
1841 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) incoming remote call has no caller ID.\n", ea_endpoint->ep_serial);
1842 errstr = "No Remote ID";
1845 ret = parse_secrets((char *)e_ext.number, (char *)numberrize_callerinfo(port->p_callerinfo.id, port->p_callerinfo.ntype), &auth_pointer, &crypt_pointer, &key_pointer);
1849 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key was not found.\n", ea_endpoint->ep_serial);
1853 key = crypt_key((unsigned char *)key_pointer, &key_len);
1856 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key invalid.\n", ea_endpoint->ep_serial);
1857 errstr = "Invalid Key";
1862 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too long.\n", ea_endpoint->ep_serial);
1863 errstr = "Key Too Long";
1866 if (!!strcasecmp(auth_pointer, "manual"))
1868 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Wrong authentication method.\n", ea_endpoint->ep_serial);
1869 errstr = "Wrong Auth Type";
1872 if (!strcasecmp(crypt_pointer, "blowfish"))
1874 type = CC_ACTBF_REQ;
1877 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too short.\n", ea_endpoint->ep_serial);
1878 errstr = "Key Too Short";
1883 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too long.\n", ea_endpoint->ep_serial);
1884 errstr = "Key Too Long";
1889 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Wrong crypt method.\n", ea_endpoint->ep_serial);
1890 errstr = "Wrong Crypt Type";
1894 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key is ok, sending activation+key to cryptman.\n", ea_endpoint->ep_serial);
1895 /* setting display message and state */
1896 // SPRINT(e_crypt_display, "Shared Key");
1897 e_crypt = CRYPT_SWAIT;
1898 /* sending activation */
1899 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_call_id, EPOINT_TO_CALL, MESSAGE_CRYPT);
1900 message->param.crypt.type = CU_ACTS_REQ;
1901 message->param.crypt.len = key_len;
1902 memcpy(message->param.crypt.data, key, key_len);
1903 message_put(message);
1907 /* encrypt call using rsa authentication (keypad function)
1909 void EndpointAppPBX::encrypt_keyex(void)
1911 struct message *message;
1915 /* redisplay current crypt display */
1916 if (e_crypt != CRYPT_OFF)
1918 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption in progress, so we request the current message.\n", ea_endpoint->ep_serial);
1919 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_call_id, EPOINT_TO_CALL, MESSAGE_CRYPT);
1920 message->param.crypt.type = CU_INFO_REQ;
1921 message_put(message);
1926 if (check_external(&errstr, &port))
1928 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1929 SCPY(message->param.notifyinfo.display, errstr);
1930 message_put(message);
1931 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1937 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1938 SCPY(message->param.notifyinfo.display, "Not Compiled");
1939 message_put(message);
1940 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1943 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Sending key-exchange activation to cryptman.\n", ea_endpoint->ep_serial);
1944 /* setting display message and state */
1945 // SPRINT(e_crypt_display, "Key-Exchange");
1946 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1947 SCPY(message->param.notifyinfo.display, "Key-Exchange");
1948 message_put(message);
1949 e_crypt = CRYPT_KWAIT;
1950 /* sending activation */
1951 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_call_id, EPOINT_TO_CALL, MESSAGE_CRYPT);
1952 message->param.crypt.type = CU_ACTK_REQ;
1953 message_put(message);
1958 /* turn encryption off (keypad function)
1960 void EndpointAppPBX::encrypt_off(void)
1962 struct message *message;
1964 if (e_crypt!=CRYPT_ON && e_crypt!=CRYPT_OFF)
1966 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1967 SCPY(message->param.notifyinfo.display, "Please Wait");
1968 message_put(message);
1971 if (e_crypt == CRYPT_OFF)
1973 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1974 SCPY(message->param.notifyinfo.display, "No Encryption");
1975 message_put(message);
1976 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1981 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Sending deactivation to cryptman.\n", ea_endpoint->ep_serial);
1982 /* setting display message and state */
1983 // SPRINT(e_crypt_display, "Deactivating");
1984 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1985 SCPY(message->param.notifyinfo.display, "Deactivating");
1986 message_put(message);
1987 e_crypt = CRYPT_RELEASE;
1988 /* sending activation */
1989 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_call_id, EPOINT_TO_CALL, MESSAGE_CRYPT);
1990 message->param.crypt.type = CU_DACT_REQ;
1991 message_put(message);
1995 /* messages from manager to endpoint
1997 void EndpointAppPBX::encrypt_result(int msg, char *text)
1999 struct message *message;
2005 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption now active.\n", ea_endpoint->ep_serial);
2006 set_tone(ea_endpoint->ep_portlist, "crypt_on");
2010 if (text) if (text[0])
2012 SCPY(e_crypt_info, text);
2013 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
2014 SCPY(message->param.notifyinfo.display, e_crypt_info);
2015 message_put(message);
2020 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption error. (%s)\n", ea_endpoint->ep_serial, text);
2021 set_tone(ea_endpoint->ep_portlist, "crypt_off");
2023 e_crypt = CRYPT_OFF;
2029 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption now off. (%s)\n", ea_endpoint->ep_serial, text);
2030 set_tone(ea_endpoint->ep_portlist, "crypt_off");
2032 e_crypt = CRYPT_OFF;
2038 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) information. (%s)\n", ea_endpoint->ep_serial, text);
2043 PERROR("EPOINT(%d) crypt manager sends us an invalid message. (type = %d)\n", ea_endpoint->ep_serial, msg);