1 /*****************************************************************************\
5 **---------------------------------------------------------------------------**
6 ** Copyright: Andreas Eversberg **
10 \*****************************************************************************/
12 /* how authentication is performed:
15 -----------------------------------------------------------------
18 | -----> sending random number -----> (gets lost)
21 comparing | <----- sending random number <----- |
23 | -----> sending "slave" code -----> | slave state
27 done | -----> sending public key -----> |
31 | <----- sending session key <----- | done
32 decrypting | | enable crypt
40 When Bob and Alice activate their authentication process, they will make
43 Lets assume Alice starts encryption first. She activates the authentication
44 process. Bob hat not activates the process yet. Alice sends a random number
45 to Bob, but he will ignore it, because he is not listening.
47 Bob also activates the authentication process, and sends his random number.
48 Now Alice will receive that number and compares the values. If the values
49 are equal, the process will fail and Alice will send the message "LOOPED".
50 If Alice's random number is greater, she will identify herself as "master".
51 Bob will get a "SLAVE" message. Bob might also send a "MASTER" message,
52 if he got Alice's random number, due to parallel activation of the
55 After transmission or reception of a master message, more messages are
56 ignored. After reception of a "RANDOM" message, more messages are
57 ignored. A reception of a "RANDOM" message always causes to identify who
60 Now Alice starts calculating his public/private key pair, because she is
61 "master". When Bob receives the "SLAVE" message, he will change the timeout
62 value. If no random number or "SLAVE", "MASTER" or "LOOPED" is received within
63 a timeout value, the "ABORT" message is sent. If the "ABORT" message is
64 received at any state of the process, the process is aborted.
66 After the key of Alices is calculated, she will send it to Bob. Bob will use
67 the key to start encryption of a random session key. Both will change their
70 After Bob has finished is crypted session key, he will send it to Alice and
71 enable encryption. Bob has finished his process now.
73 As soon as Alice received the encrypted key, she will encrypt it and also
74 enable encryption with the same key as Bob. Alis has finished her process now.
76 Both will get displayed some of the first digits of the public key. Both can
77 talk about the digits now. A man in the middle cannot change the keys without
78 changing the public key. The voice of Alice and/or Bob is used to "sign" and
79 "check" that the public key is not modified.
81 If Alice or Bob wants to stop encryption, one will send the "ABORT" message.
82 After transmission or reception.
85 The states of the process:
93 Waiting for the remote random number or "MASTER", "SLAVE", "LOOPED" message.
97 The master generates the key and waits for the key engine to finish.
101 The slave waits for the master to send the key.
105 The slave generates the session key and waits for the encryption engine to
110 The master waits for the slave to send the crypted session key.
114 The master waits for the decryption engine to finish decryption of the session
119 The encryption is established.
124 CM_TO_IDENT = waiting for the remote party to enable encryption
125 CM_TO_KEY = waiting for key generation
126 CM_TO_CSKEY = waiting for session key encryption
127 CM_TO_DSKEY = waiting for session key decryption
130 Structure of message:
131 ---------------------
133 one octet message element
134 two octets element length (first octet = high-byte)
135 data as given in length
138 the message type is encoded as element
145 #include <openssl/rsa.h>
149 /* convert key string to binary key vector
150 * returns 0 if an error ocurred
152 unsigned char *crypt_key(unsigned char *key, int *binary_len)
154 static unsigned char binary_key[2048];
157 binary_key[0] = '\0';
162 /* check for 0xXXXX... type of key */
163 if (!strncmp((char *)key, "0x", 2)) {
166 if (i == (int)sizeof(binary_key))
169 if (*key>='0' && *key<='9')
170 binary_key[i] = (*key-'0') << 8;
171 else if (*key>='a' && *key<='f')
172 binary_key[i] = (*key-'a'+10) << 8;
173 else if (*key>='A' && *key<='F')
174 binary_key[i] = (*key-'A'+10) << 8;
179 if (*key>='0' && *key<='9')
180 binary_key[i] += (*key - '0');
181 else if (*key>='a' && *key<='f')
182 binary_key[i] += (*key - 'a' + 10);
183 else if (*key>='A' && *key<='F')
184 binary_key[i] += (*key - 'A' + 10);
195 /* ascii key too long */
196 if (strlen((char *)key) >= sizeof((char *)binary_key))
199 memcpy(binary_key, key, strlen((char *)key));
200 *binary_len = strlen((char *)key);
205 * support routine to get cpu speed
207 static unsigned int get_bogomips(void)
212 fp = fopen("/proc/cpuinfo", "r");
214 PERROR("Cannot access /proc/cpuinfo. Will not use cpuinfo for identification of pear\n");
218 buffer[sizeof(buffer-1)] = '\0';
219 while(GETLINE(buffer, fp)) {
220 if (!!strncmp(buffer, "bogomips", 8))
222 if (!strchr(buffer, ':'))
224 p = strchr(buffer, ':')+1;
228 *strchr(p, '.') = '\0';
235 PERROR("Cannot find 'bogomips' in /proc/cpuinfo. Will not use cpuinfo for identification of pear\n");
243 static unsigned int crc_reflect(unsigned int ref, char ch)
245 unsigned int value = 0;
251 value |= 1 << (ch - i);
258 static unsigned int crc32_table[256];
259 static int crc_initialized = 0;
263 unsigned int ulPolynomial = 0x04c11db7;
268 crc32_table[i] = crc_reflect(i, 8) << 24;
271 crc32_table[i] = (crc32_table[i] << 1) ^ (crc32_table[i] & (1 << 31) ? ulPolynomial : 0);
274 crc32_table[i] = crc_reflect(crc32_table[i], 32);
280 unsigned int crc32(unsigned char *data, int len)
282 unsigned int crc = 0xffffffff;
284 if (!crc_initialized)
285 FATAL("crc not initialized, exitting...");
288 crc = (crc >> 8) ^ crc32_table[(crc & 0xFF) ^ *data++];
289 return(crc^0xffffffff);
295 /* give name of state */
296 static const char *statename(int state)
298 if (state>=0 && state<cm_st_num)
299 return(cm_st_name[state]);
300 return("<<STATE UNKNOWN>>");
304 * authentication key generation, encryption, decryption
307 class EndpointAppPBX *apppbx;
311 static void *keyengine_child(void *arg)
313 struct auth_args *args = (struct auth_args *)arg;
314 class EndpointAppPBX *apppbx = args->apppbx;
322 struct sched_param schedp;
325 PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "EPOINT(%d) child process started for using libcrypto\n", apppbx->ea_endpoint->ep_serial);
327 /* lower priority to keep pbx running fluently */
328 if (options.schedule > 0) {
329 memset(&schedp, 0, sizeof(schedp));
330 schedp.sched_priority = 0;
331 ret = sched_setscheduler(0, SCHED_OTHER, &schedp);
333 PERROR("Scheduling to normal priority failed (errno = %d).\nExitting child process...\n", errno);
339 /* generate rsa key pair */
342 PERROR("Not compliled wiht crypto.\n");
343 apppbx->e_crypt_keyengine_return = -1;
345 srandom(*((unsigned int *)mISDN_rand) ^ random());
346 // exponent = (((random()<<1)|1) & 0x7f) + 0x80; /* odd */
348 // if (exponent < 3) exponent = 3; /* >= 3 */
349 rsa = RSA_generate_key(RSA_BITS, exponent, NULL, NULL);
351 PERROR("Failed to generate rsa key pair.\n");
352 apppbx->e_crypt_keyengine_return = -1;
356 apppbx->e_crypt_rsa_n_len = BN_num_bytes(rsa->n);
357 if (apppbx->e_crypt_rsa_n_len > (int)sizeof(apppbx->e_crypt_rsa_n)) {
359 PERROR("e_crypt_rsa_* too small for bignum.\n");
360 apppbx->e_crypt_keyengine_return = -1;
365 BN_bn2bin(rsa->n, apppbx->e_crypt_rsa_n);
366 apppbx->e_crypt_rsa_n_len = BN_num_bytes(rsa->n);
367 if (apppbx->e_crypt_rsa_e_len > (int)sizeof(apppbx->e_crypt_rsa_e))
369 BN_bn2bin(rsa->e, apppbx->e_crypt_rsa_e);
370 apppbx->e_crypt_rsa_e_len = BN_num_bytes(rsa->e);
371 if (apppbx->e_crypt_rsa_d_len > (int)sizeof(apppbx->e_crypt_rsa_d))
373 BN_bn2bin(rsa->d, apppbx->e_crypt_rsa_d);
374 apppbx->e_crypt_rsa_p_len = BN_num_bytes(rsa->p);
375 if (apppbx->e_crypt_rsa_p_len > (int)sizeof(apppbx->e_crypt_rsa_p))
377 BN_bn2bin(rsa->p, apppbx->e_crypt_rsa_p);
378 apppbx->e_crypt_rsa_q_len = BN_num_bytes(rsa->q);
379 if (apppbx->e_crypt_rsa_q_len > (int)sizeof(apppbx->e_crypt_rsa_q))
381 BN_bn2bin(rsa->q, apppbx->e_crypt_rsa_q);
382 apppbx->e_crypt_rsa_dmp1_len = BN_num_bytes(rsa->dmp1);
383 if (apppbx->e_crypt_rsa_dmp1_len > (int)sizeof(apppbx->e_crypt_rsa_dmp1))
385 BN_bn2bin(rsa->dmp1, apppbx->e_crypt_rsa_dmp1);
386 apppbx->e_crypt_rsa_dmq1_len = BN_num_bytes(rsa->dmq1);
387 if (apppbx->e_crypt_rsa_dmq1_len > (int)sizeof(apppbx->e_crypt_rsa_dmq1))
389 BN_bn2bin(rsa->dmq1, apppbx->e_crypt_rsa_dmq1);
390 apppbx->e_crypt_rsa_iqmp_len = BN_num_bytes(rsa->iqmp);
391 if (apppbx->e_crypt_rsa_iqmp_len > (int)sizeof(apppbx->e_crypt_rsa_iqmp))
393 BN_bn2bin(rsa->iqmp, apppbx->e_crypt_rsa_iqmp);
394 PDEBUG(DEBUG_CRYPT, "gen: rsa n=%02x...\n", *apppbx->e_crypt_rsa_n);
395 PDEBUG(DEBUG_CRYPT, "gen: rsa e=%02x...\n", *apppbx->e_crypt_rsa_e);
396 PDEBUG(DEBUG_CRYPT, "gen: rsa d=%02x...\n", *apppbx->e_crypt_rsa_d);
397 PDEBUG(DEBUG_CRYPT, "gen: rsa p=%02x...\n", *apppbx->e_crypt_rsa_p);
398 PDEBUG(DEBUG_CRYPT, "gen: rsa q=%02x...\n", *apppbx->e_crypt_rsa_q);
399 PDEBUG(DEBUG_CRYPT, "gen: rsa dmp1=%02x...\n", *apppbx->e_crypt_rsa_dmp1);
400 PDEBUG(DEBUG_CRYPT, "gen: rsa dmq1=%02x...\n", *apppbx->e_crypt_rsa_dmq1);
401 PDEBUG(DEBUG_CRYPT, "gen: rsa iqmp=%02x...\n", *apppbx->e_crypt_rsa_iqmp);
402 apppbx->e_crypt_keyengine_return = 1;
408 /* encrypt session key */
411 PERROR("No crypto lib.\n");
412 apppbx->e_crypt_keyengine_return = -1;
414 /* generating session key */
415 srandom(*((unsigned int *)mISDN_rand) ^ random());
418 apppbx->e_crypt_key[i] = random();
419 apppbx->e_crypt_key[i] ^= mISDN_rand[random() & 0xff];
422 apppbx->e_crypt_key_len = i;
423 /* encrypt via rsa */
426 PERROR("Failed to allocate rsa structure.\n");
427 apppbx->e_crypt_keyengine_return = 1;
433 if (!rsa->n || !rsa->e) {
434 PERROR("Failed to generate rsa structure.\n");
435 apppbx->e_crypt_keyengine_return = -1;
440 if (!BN_bin2bn(apppbx->e_crypt_rsa_n, apppbx->e_crypt_rsa_n_len, rsa->n)) {
442 PERROR("Failed to convert binary to bignum.\n");
443 apppbx->e_crypt_keyengine_return = -1;
448 if ((apppbx->e_crypt_rsa_n_len*8) != BN_num_bits(rsa->n)) {
449 PERROR("SOFTWARE API ERROR: length not equal stored data. (%d != %d)\n", apppbx->e_crypt_rsa_n_len*8, BN_num_bits(rsa->n));
450 apppbx->e_crypt_keyengine_return = -1;
455 if (!BN_bin2bn(apppbx->e_crypt_rsa_e, apppbx->e_crypt_rsa_e_len, rsa->e))
457 PDEBUG(DEBUG_CRYPT, "crypt: rsa n=%02x...\n", *apppbx->e_crypt_rsa_n);
458 PDEBUG(DEBUG_CRYPT, "crypt: rsa e=%02x...\n", *apppbx->e_crypt_rsa_e);
459 PDEBUG(DEBUG_CRYPT, "crypt: key =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_key[0], apppbx->e_crypt_key[1], apppbx->e_crypt_key[2], apppbx->e_crypt_key[3], apppbx->e_crypt_key_len);
460 apppbx->e_crypt_ckey_len = RSA_public_encrypt(
461 apppbx->e_crypt_key_len,
463 apppbx->e_crypt_ckey,
466 PDEBUG(DEBUG_CRYPT, "crypt: ckey =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_ckey[0], apppbx->e_crypt_ckey[1], apppbx->e_crypt_ckey[2], apppbx->e_crypt_ckey[3], apppbx->e_crypt_ckey_len);
469 if (apppbx->e_crypt_ckey_len > 0)
470 apppbx->e_crypt_keyengine_return = 1;
472 apppbx->e_crypt_keyengine_return = -1;
476 /* decrypt session key */
479 PERROR("No crypto lib.\n");
480 apppbx->e_crypt_keyengine_return = -1;
484 PERROR("Failed to allocate rsa structure.\n");
485 apppbx->e_crypt_keyengine_return = 1;
494 rsa->dmp1 = BN_new();
495 rsa->dmq1 = BN_new();
496 rsa->iqmp = BN_new();
497 if (!rsa->n || !rsa->e
498 || !rsa->d || !rsa->p
499 || !rsa->q || !rsa->dmp1
500 || !rsa->dmq1 || !rsa->iqmp) {
501 PERROR("Failed to generate rsa structure.\n");
502 apppbx->e_crypt_keyengine_return = 1;
507 if (!BN_bin2bn(apppbx->e_crypt_rsa_n, apppbx->e_crypt_rsa_n_len, rsa->n)) {
509 PERROR("Failed to convert binary to bignum.\n");
510 apppbx->e_crypt_keyengine_return = -1;
515 if (!BN_bin2bn(apppbx->e_crypt_rsa_e, apppbx->e_crypt_rsa_e_len, rsa->e))
517 if (!BN_bin2bn(apppbx->e_crypt_rsa_d, apppbx->e_crypt_rsa_d_len, rsa->d))
519 if (!BN_bin2bn(apppbx->e_crypt_rsa_p, apppbx->e_crypt_rsa_p_len, rsa->p))
521 if (!BN_bin2bn(apppbx->e_crypt_rsa_q, apppbx->e_crypt_rsa_q_len, rsa->q))
523 if (!BN_bin2bn(apppbx->e_crypt_rsa_dmp1, apppbx->e_crypt_rsa_dmp1_len, rsa->dmp1))
525 if (!BN_bin2bn(apppbx->e_crypt_rsa_dmq1, apppbx->e_crypt_rsa_dmq1_len, rsa->dmq1))
527 if (!BN_bin2bn(apppbx->e_crypt_rsa_iqmp, apppbx->e_crypt_rsa_iqmp_len, rsa->iqmp))
529 PDEBUG(DEBUG_CRYPT, "decrypt: ckey =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_ckey[0], apppbx->e_crypt_ckey[1], apppbx->e_crypt_ckey[2], apppbx->e_crypt_ckey[3], apppbx->e_crypt_ckey_len);
530 apppbx->e_crypt_key_len = RSA_private_decrypt(
531 apppbx->e_crypt_ckey_len,
532 apppbx->e_crypt_ckey,
536 PDEBUG(DEBUG_CRYPT, "decrypt: key =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_key[0], apppbx->e_crypt_key[1], apppbx->e_crypt_key[2], apppbx->e_crypt_key[3], apppbx->e_crypt_key_len);
539 apppbx->e_crypt_keyengine_return = 1;
544 PERROR("Unknown job %d\n", job);
545 apppbx->e_crypt_keyengine_return = -1;
549 PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "child process done after using libcrypto with return value %d\n", apppbx->e_crypt_keyengine_return);
552 apppbx->ea_endpoint->ep_use--;
553 FREE(args, sizeof(struct auth_args));
558 void EndpointAppPBX::cryptman_keyengine(int job)
560 struct auth_args *arg;
563 if (e_crypt_keyengine_busy) {
564 e_crypt_keyengine_return = -1;
565 PERROR("engine currently busy.\n");
569 arg = (struct auth_args *)MALLOC(sizeof(struct auth_args));
572 e_crypt_keyengine_return = 0;
573 e_crypt_keyengine_busy = job;
575 ea_endpoint->ep_use++;
576 if ((pthread_create(&tid, NULL, keyengine_child, arg)<0)) {
577 ea_endpoint->ep_use--;
578 PERROR("failed to create keyengine-thread.\n");
579 e_crypt_keyengine_return = -1;
584 PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "send_mail(%d): child process created for doing crypto stuff\n", ea_endpoint->ep_serial);
589 /* handler for authentication (called by apppbx's handler)
591 void EndpointAppPBX::cryptman_handler(void)
593 if (e_crypt_keyengine_busy) {
594 if (e_crypt_keyengine_return < 0) {
595 e_crypt_keyengine_busy = 0;
596 cryptman_message(CK_ERROR_IND, NULL, 0);
598 if (e_crypt_keyengine_return > 0) {
599 switch(e_crypt_keyengine_busy) {
601 e_crypt_keyengine_busy = 0;
602 cryptman_message(CK_GENRSA_CONF, NULL, 0);
605 e_crypt_keyengine_busy = 0;
606 cryptman_message(CK_CPTRSA_CONF, NULL, 0);
609 e_crypt_keyengine_busy = 0;
610 cryptman_message(CK_DECRSA_CONF, NULL, 0);
616 /* check for event, make next event */
617 if (e_crypt_timeout_sec) if (e_crypt_timeout_sec<now_tv.tv_sec || (e_crypt_timeout_sec==now_tv.tv_sec && e_crypt_timeout_usec<now_tv.tv_usec)) {
618 e_crypt_timeout_sec = 0;
619 e_crypt_timeout_usec = 0;
620 cryptman_message(CT_TIMEOUT, NULL, 0);
626 * process message to the crypt manager
628 /* remote peer sends ident request */
629 void EndpointAppPBX::cr_ident(int message, unsigned char *param, int len)
631 unsigned char buf[4], *p;
632 unsigned int bogomips = 0, ran;
635 l = CM_SIZEOFINF(CM_INFO_RANDOM);
637 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) missing (or corrupt) random number, ignoring (len = %d)\n", ea_endpoint->ep_serial, l);
640 p = CM_GETINF(CM_INFO_RANDOM, buf);
641 ran = (p[0]<<24) + (p[1]<<16) + (p[2]<<8) + p[3];
642 l = CM_SIZEOFINF(CM_INFO_BOGOMIPS);
644 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) missing (or corrupt) random bogomips, just comparing random (len = %d)\n", ea_endpoint->ep_serial, l);
647 p = CM_GETINF(CM_INFO_BOGOMIPS, buf);
648 bogomips = (p[0]<<24) + (p[1]<<16) + (p[2]<<8) + p[3];
649 if (e_crypt_bogomips > bogomips) {
650 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is faster, so we are master (%d > %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
651 cr_master(message, NULL, 0);
654 if (e_crypt_bogomips < bogomips) {
655 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is slower, so we are slave (%d < %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
656 cr_slave(message, NULL, 0);
659 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is equal speed, so we check for random value (%d == %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
661 /* bogomips are equal, so we compare */
662 if (e_crypt_random > ran) {
663 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our random value is greater, so we are master (%d > %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
664 cr_master(message, NULL, 0);
667 if (e_crypt_random < ran) {
668 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our random value is smaller, so we are slave (%d < %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
669 cr_slave(message, NULL, 0);
672 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) random values are equal, so we are looped (%d == %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
673 cr_looped(message, NULL, 0);
676 /* key-exchange activation by the user */
677 void EndpointAppPBX::cr_activate(int message, unsigned char *param, int len)
679 unsigned char buf[128] = "";
681 unsigned char bogomips[4], ran[4];
683 /* activate listener */
684 cryptman_msg2crengine(CR_LISTEN_REQ, NULL, 0);
685 /* send ident message */
687 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
688 /* random number element */
689 srandom(now_tv.tv_sec ^ now_tv.tv_usec ^ random());
690 e_crypt_random = random();
691 ran[0] = e_crypt_random >> 24;
692 ran[1] = e_crypt_random >> 16;
693 ran[2] = e_crypt_random >> 8;
694 ran[3] = e_crypt_random;
695 CM_ADDINF(CM_INFO_RANDOM, 4, ran);
696 /* cpu speed element */
697 e_crypt_bogomips = get_bogomips();
698 if (e_crypt_bogomips > 0) {
699 bogomips[0] = e_crypt_bogomips >> 24;
700 bogomips[1] = e_crypt_bogomips >> 16;
701 bogomips[2] = e_crypt_bogomips >> 8;
702 bogomips[3] = e_crypt_bogomips;
703 CM_ADDINF(CM_INFO_BOGOMIPS, 4, bogomips);
705 /* send ident message */
706 cryptman_msg2peer(buf);
708 cryptman_state(CM_ST_IDENT);
710 cryptman_timeout(CM_TO_IDENT);
713 /* deactivation by the user */
714 void EndpointAppPBX::cr_deactivate(int message, unsigned char *param, int len)
716 unsigned char buf[128] = "";
719 /* deactivate listener (if not already) */
720 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
723 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
724 cryptman_msg2peer(buf);
725 /* deactivate encryption */
726 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
728 cryptman_state(CM_ST_NULL);
729 /* send message to user */
730 cryptman_msg2user(CU_DACT_CONF, "Deactivated");
733 /* remote peer tells us to be master */
734 void EndpointAppPBX::cr_master(int message, unsigned char *param, int len)
736 unsigned char buf[128] = "";
739 /* change to master state */
740 cryptman_state(CM_ST_KEYGEN);
741 if (message == CP_IDENT) {
742 /* send you-are-slave-message */
744 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
745 cryptman_msg2peer(buf);
747 /* start generation of key */
748 cryptman_keyengine(CK_GENRSA_REQ);
749 /* disable timeout */
751 /* send message to user */
752 cryptman_msg2user(CU_INFO_IND, "Master");
755 /* remote peer tells us to be slave */
756 void EndpointAppPBX::cr_slave(int message, unsigned char *param, int len)
758 unsigned char buf[128] = "";
761 /* change to slave state */
762 cryptman_state(CM_ST_KEYWAIT);
763 if (message == CP_IDENT) {
764 /* send you-are-slave-message */
767 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
768 cryptman_msg2peer(buf);
771 cryptman_timeout(CM_TO_PUBKEY);
772 /* send message to user */
773 cryptman_msg2user(CU_INFO_IND, "Slave");
776 /* remote peer tells us about loop */
777 void EndpointAppPBX::cr_looped(int message, unsigned char *param, int len)
779 unsigned char buf[128] = "";
782 /* change to idle state */
783 cryptman_state(CM_ST_NULL);
784 /* deactivate listener */
785 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
786 if (message == CP_IDENT) {
790 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
791 cryptman_msg2peer(buf);
793 /* disable timeout */
795 /* send message to user */
796 cryptman_msg2user(CU_ERROR_IND, "Loop Detected");
800 void EndpointAppPBX::cr_abort(int message, unsigned char *param, int len)
802 /* if already encrypting */
803 if (e_crypt_state==CM_ST_WAIT_CRYPT
804 || e_crypt_state==CM_ST_SWAIT
805 || e_crypt_state==CM_ST_ACTIVE) {
806 /* deactivate blowfish */
807 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
809 /* change to idle state */
810 cryptman_state(CM_ST_NULL);
811 /* deactivate listener */
812 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
813 /* disable timeout */
815 /* send message to user */
816 if (message == CT_TIMEOUT)
817 cryptman_msg2user(CU_ERROR_IND, "Timeout");
818 else if (message == CP_ABORT)
819 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
821 cryptman_msg2user(CU_DACT_IND, NULL);
824 /* abort but wait for engine to release*/
825 void EndpointAppPBX::cr_abort_engine(int message, unsigned char *param, int len)
827 /* change to release state */
828 cryptman_state(CM_ST_RELEASE);
829 /* deactivate listener */
830 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
831 /* disable timeout */
833 /* send message to user */
834 if (message == CT_TIMEOUT)
835 cryptman_msg2user(CU_ERROR_IND, "Timeout");
836 else if (message == CP_ABORT)
837 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
839 cryptman_msg2user(CU_DACT_IND, NULL);
842 /* abort and disable crypt engine */
843 void EndpointAppPBX::cr_abort_wait(int message, unsigned char *param, int len)
845 /* change to idle state */
846 cryptman_state(CM_ST_NULL);
847 /* deactivate listener (if not already) */
848 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
849 /* deactivate blowfish */
850 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
851 /* disable timeout */
853 /* send message to user */
854 if (message == CT_TIMEOUT)
855 cryptman_msg2user(CU_ERROR_IND, "Timeout");
856 else if (message == CP_ABORT)
857 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
859 cryptman_msg2user(CU_DACT_IND, NULL);
862 /* key engine tells us that the rsa is ready */
863 void EndpointAppPBX::cr_genrsa(int message, unsigned char *param, int len)
865 unsigned char buf[1024] = "";
868 /* change to wait for crypted session key state */
869 cryptman_state(CM_ST_CSWAIT);
872 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
873 CM_ADDINF(CM_INFO_PUBKEY, e_crypt_rsa_n_len, &e_crypt_rsa_n);
874 CM_ADDINF(CM_INFO_PUBEXPONENT, e_crypt_rsa_e_len, &e_crypt_rsa_e);
875 cryptman_msg2peer(buf);
877 cryptman_timeout(CM_TO_CSKEY);
880 /* our engine has a key error */
881 void EndpointAppPBX::cr_keyerror(int message, unsigned char *param, int len)
883 unsigned char buf[128] = "";
886 /* change to idle state */
887 cryptman_state(CM_ST_NULL);
888 /* deactivate listener */
889 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
892 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
893 cryptman_msg2peer(buf);
894 /* send message to user */
895 cryptman_msg2user(CU_ERROR_IND, "Local Key Error");
898 /* remote sends us the rsa public key */
899 void EndpointAppPBX::cr_pubkey(int message, unsigned char *param, int len)
901 unsigned char buf[128] = "";
902 unsigned char msg = CMSG_ABORT;
905 l = CM_SIZEOFINF(CM_INFO_PUBKEY);
906 if (l<1 || l>(int)sizeof(e_crypt_rsa_n)) {
908 /* change to idle state */
909 cryptman_state(CM_ST_NULL);
910 /* deactivate listener */
911 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
913 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
914 cryptman_msg2peer(buf);
915 /* send message to user */
916 cryptman_msg2user(CU_ERROR_IND, "Remote Key Error");
919 CM_GETINF(CM_INFO_PUBKEY, e_crypt_rsa_n);
920 e_crypt_rsa_n_len = l;
921 l = CM_SIZEOFINF(CM_INFO_PUBEXPONENT);
922 if (l<1 || l>(int)sizeof(e_crypt_rsa_e))
924 CM_GETINF(CM_INFO_PUBEXPONENT, e_crypt_rsa_e);
925 e_crypt_rsa_e_len = l;
926 /* change to generating encrypted sessnion key state */
927 cryptman_state(CM_ST_CSKEY);
928 /* start generation of crypted session key */
929 cryptman_keyengine(CK_CPTRSA_REQ);
930 /* disable timeout */
934 /* key engine tells us that the crypted session key is ready */
935 void EndpointAppPBX::cr_cptrsa(int message, unsigned char *param, int len)
937 unsigned char buf[1024] = "";
938 unsigned char msg = CMSG_CSKEY;
940 /* change to wait for crypt engine state */
941 cryptman_state(CM_ST_WAIT_DELAY);
943 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
944 CM_ADDINF(CM_INFO_CSKEY, e_crypt_ckey_len, &e_crypt_ckey);
945 cryptman_msg2peer(buf);
946 /* deactivate listener */
947 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
952 /* now we waited for the remote to receive and decrypt the session key */
953 void EndpointAppPBX::cr_waitdelay(int message, unsigned char *param, int len)
955 /* change to wait for crypt engine state */
956 cryptman_state(CM_ST_WAIT_CRYPT);
957 /* disable timeout */
959 /* send message to crypt engine */
960 cryptman_msg2crengine(CC_ACTBF_REQ, e_crypt_key, e_crypt_key_len);
963 /* remote sends us the crypted session key */
964 void EndpointAppPBX::cr_cskey(int message, unsigned char *param, int len)
966 unsigned char buf[128] = "";
967 unsigned char msg = CMSG_ABORT;
970 /* disable timeout */
972 l = CM_SIZEOFINF(CM_INFO_CSKEY);
973 if (l<1 || l>(int)sizeof(e_crypt_ckey)) {
974 /* change to idle state */
975 cryptman_state(CM_ST_NULL);
976 /* deactivate listener */
977 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
979 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
980 cryptman_msg2peer(buf);
981 /* send message to user */
982 cryptman_msg2user(CU_ERROR_IND, "Remote Key Error");
985 CM_GETINF(CM_INFO_CSKEY, e_crypt_ckey);
986 e_crypt_ckey_len = l;
987 /* change to generating decrypted session key state */
988 cryptman_state(CM_ST_SESSION);
989 /* start generation of decrypted session key */
990 cryptman_keyengine(CK_DECRSA_REQ);
993 /* key engine tells us that the decrypted session key is ready */
994 void EndpointAppPBX::cr_decrsa(int message, unsigned char *param, int len)
996 /* change to wait for crypt engine state */
997 cryptman_state(CM_ST_WAIT_CRYPT);
998 /* deactivate listener */
999 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1000 /* send message to crypt engine */
1001 cryptman_msg2crengine(CC_ACTBF_REQ, e_crypt_key, e_crypt_key_len);
1004 /* blowfish now active */
1005 void EndpointAppPBX::cr_bfactive(int message, unsigned char *param, int len)
1009 /* change to active state */
1010 cryptman_state(CM_ST_ACTIVE);
1011 /* send message to user */
1012 SPRINT(text, "PUB %02x%02x %02x%02x %02x%02x %02x%02x", e_crypt_key[0], e_crypt_key[1], e_crypt_key[2], e_crypt_key[3], e_crypt_key[4], e_crypt_key[5], e_crypt_key[6], e_crypt_key[7]);
1013 cryptman_msg2user(CU_ACTK_CONF, text);
1016 /* our crypt engine sends an error */
1017 void EndpointAppPBX::cr_crypterror(int message, unsigned char *param, int len)
1019 unsigned char buf[128] = "";
1020 unsigned char msg = CMSG_ABORT;
1022 /* change to idle state */
1023 cryptman_state(CM_ST_NULL);
1024 /* deactivate listener */
1025 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1027 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
1028 cryptman_msg2peer(buf);
1029 /* send message to user */
1030 cryptman_msg2user(CU_ERROR_IND, "Blowfish Error");
1033 /* engine is done, now we are done with release */
1034 void EndpointAppPBX::cr_release(int message, unsigned char *param, int len)
1036 /* change to idle state */
1037 cryptman_state(CM_ST_NULL);
1040 /* activate using shared key */
1041 void EndpointAppPBX::cr_sactivate(int message, unsigned char *param, int len)
1043 /* change to 'wait for crypt engine' state */
1044 cryptman_state(CM_ST_SWAIT);
1045 /* disable timeout */
1046 cryptman_timeout(0);
1047 /* send key to crypt engine */
1048 cryptman_msg2crengine(CC_ACTBF_REQ, param, len);
1051 /* share key deactivation by the user */
1052 void EndpointAppPBX::cr_sdeactivate(int message, unsigned char *param, int len)
1054 /* deactivate encryption */
1055 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
1057 cryptman_state(CM_ST_NULL);
1058 /* send message to user */
1059 cryptman_msg2user(CU_DACT_CONF, NULL);
1062 /* shared key abort */
1063 void EndpointAppPBX::cr_sabort(int message, unsigned char *param, int len)
1065 /* change to idle state */
1066 cryptman_state(CM_ST_NULL);
1067 /* send message to user */
1068 cryptman_msg2user(CU_DACT_IND, "Deactivated");
1071 /* shared key: our crypt engine sends an error */
1072 void EndpointAppPBX::cr_scrypterror(int message, unsigned char *param, int len)
1074 /* change to idle state */
1075 cryptman_state(CM_ST_NULL);
1076 /* send message to user */
1077 cryptman_msg2user(CU_ERROR_IND, "Blowfish Error");
1080 /* blowfish now active */
1081 void EndpointAppPBX::cr_sbfactive(int message, unsigned char *param, int len)
1085 /* change to active state */
1086 cryptman_state(CM_ST_SACTIVE);
1087 /* send message to user */
1088 SPRINT(text, "Call Secure");
1089 cryptman_msg2user(CU_ACTS_CONF, text);
1092 /* user requests info */
1093 void EndpointAppPBX::cr_info(int message, unsigned char *param, int len)
1095 /* send message to user */
1096 cryptman_msg2user(CU_INFO_CONF, e_crypt_info);
1102 void EndpointAppPBX::cryptman_message(int message, unsigned char *param, int len)
1104 const char *msgtext = "<<UNKNOWN MESSAGE>>";
1106 if (message>=0 && message<cm_msg_num)
1107 msgtext = cm_msg_name[message];
1109 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) CRYPT MANAGER in state '%s' received message: %s len: %d\n", ea_endpoint->ep_serial, statename(e_crypt_state), msgtext, len);
1112 if (message == CU_INFO_REQ)
1113 { cr_info(message, param, len); return; }
1115 switch(e_crypt_state) {
1118 if (message == CU_ACTK_REQ) /* request key-exchange encryption */
1119 { cr_activate(message, param, len); return; }
1120 if (message == CU_ACTS_REQ) /* request shared encryption */
1121 { cr_sactivate(message, param, len); return; }
1124 /* identifying state */
1126 if (message == CP_IDENT) /* request encryption */
1127 { cr_ident(message, param, len); return; }
1128 if (message == CP_SLAVE) /* we are slave */
1129 { cr_slave(message, param, len); return; }
1130 if (message == CP_MASTER) /* we are master */
1131 { cr_master(message, param, len); return; }
1132 if (message == CP_LOOPED) /* we are looped */
1133 { cr_looped(message, param, len); return; }
1134 if (message == CI_DISCONNECT_IND /* request aborting */
1135 || message == CT_TIMEOUT /* timeout */
1136 || message == CP_ABORT) /* request aborting */
1137 { cr_abort(message, param, len); return; }
1140 /* generating public key state */
1142 if (message == CK_GENRSA_CONF) /* public key is done */
1143 { cr_genrsa(message, param, len); return; }
1144 if (message == CK_ERROR_IND) /* key failed */
1145 { cr_keyerror(message, param, len); return; }
1146 if (message == CI_DISCONNECT_IND /* request aborting */
1147 || message == CP_ABORT) /* request aborting */
1148 { cr_abort_engine(message, param, len); return; }
1151 /* waiting for public key state */
1153 if (message == CP_PUBKEY) /* getting public key from remote */
1154 { cr_pubkey(message, param, len); return; }
1155 if (message == CI_DISCONNECT_IND /* request aborting */
1156 || message == CT_TIMEOUT /* timeout */
1157 || message == CP_ABORT) /* request aborting */
1158 { cr_abort(message, param, len); return; }
1161 /* generating crypted session key state */
1163 if (message == CK_CPTRSA_CONF) /* crypted session key is done */
1164 { cr_cptrsa(message, param, len); return; }
1165 if (message == CK_ERROR_IND) /* key failed */
1166 { cr_keyerror(message, param, len); return; }
1167 if (message == CI_DISCONNECT_IND /* request aborting */
1168 || message == CP_ABORT) /* request aborting */
1169 { cr_abort_engine(message, param, len); return; }
1172 /* waiting for crypted session key state */
1174 if (message == CP_CSKEY) /* getting crypted session key from remote */
1175 { cr_cskey(message, param, len); return; }
1176 if (message == CI_DISCONNECT_IND /* request aborting */
1177 || message == CT_TIMEOUT /* timeout */
1178 || message == CP_ABORT) /* request aborting */
1179 { cr_abort(message, param, len); return; }
1182 /* generating decrypted session key state */
1184 if (message == CK_DECRSA_CONF) /* decrypted is done */
1185 { cr_decrsa(message, param, len); return; }
1186 if (message == CK_ERROR_IND) /* key failed */
1187 { cr_keyerror(message, param, len); return; }
1188 if (message == CI_DISCONNECT_IND /* request aborting */
1189 || message == CP_ABORT) /* request aborting */
1190 { cr_abort_engine(message, param, len); return; }
1193 /* wait encryption on state */
1194 case CM_ST_WAIT_DELAY:
1195 if (message == CT_TIMEOUT) /* timeout of delay */
1196 { cr_waitdelay(message, param, len); return; }
1197 if (message == CC_ERROR_IND) /* encrpytion error */
1198 { cr_crypterror(message, param, len); return; }
1199 if (message == CI_DISCONNECT_IND /* request aborting */
1200 || message == CP_ABORT) /* request aborting */
1201 { cr_abort_wait(message, param, len); return; }
1204 /* wait encryption on state */
1205 case CM_ST_WAIT_CRYPT:
1206 if (message == CC_ACTBF_CONF) /* encrpytion active */
1207 { cr_bfactive(message, param, len); return; }
1208 if (message == CC_ERROR_IND) /* encrpytion error */
1209 { cr_crypterror(message, param, len); return; }
1210 if (message == CI_DISCONNECT_IND /* request aborting */
1211 || message == CP_ABORT) /* request aborting */
1212 { cr_abort_wait(message, param, len); return; }
1217 if (message == CU_DACT_REQ) /* deactivating encryption */
1218 { cr_deactivate(message, param, len); return; }
1219 if (message == CI_DISCONNECT_IND /* request aborting */
1220 || message == CP_ABORT) /* request aborting */
1221 { cr_abort(message, param, len); return; }
1225 /* engine done after abort state */
1227 if (message == CK_GENRSA_CONF /* engine done */
1228 || message == CK_CPTRSA_CONF /* engine done */
1229 || message == CK_DECRSA_CONF /* engine done */
1230 || message == CK_ERROR_IND) /* engine error */
1231 { cr_release(message, param, len); return; }
1234 /* shared active state */
1236 if (message == CU_DACT_REQ) /* deactivating encryption */
1237 { cr_sdeactivate(message, param, len); return; }
1238 if (message == CI_DISCONNECT_IND) /* request aborting */
1239 { cr_sabort(message, param, len); return; }
1242 /* wait shared encryption on state */
1244 if (message == CC_ACTBF_CONF) /* encrpytion active */
1245 { cr_sbfactive(message, param, len); return; }
1246 if (message == CC_ERROR_IND) /* encrpytion error */
1247 { cr_scrypterror(message, param, len); return; }
1248 if (message == CI_DISCONNECT_IND) /* request aborting */
1249 { cr_sabort(message, param, len); return; }
1254 PDEBUG(DEBUG_CRYPT, "message not handled in state %d\n", e_crypt_state);
1259 * analyze the message element within the received message from peer and call 'cryptman_message'
1261 void EndpointAppPBX::cryptman_msg2man(unsigned char *param, int len)
1267 /* check if frame is correct */
1268 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) message from peer to crypt_manager.\n", ea_endpoint->ep_serial);
1270 PDEBUG(DEBUG_CRYPT, "ignoring message with 0-length.\n");
1277 PDEBUG(DEBUG_CRYPT, "end of message without 0-termination.\n");
1281 PDEBUG(DEBUG_CRYPT, "message with element size, outside the frame length.\n");
1284 l = (p[1]<<8) + p[2];
1285 // PDEBUG(DEBUG_CRYPT, " inf %d (len = %d)\n", *p, l);
1287 PDEBUG(DEBUG_CRYPT, "message with element data, outside the frame length.\n");
1294 PDEBUG(DEBUG_CRYPT, "warning: received null-element before end of frame.\n");
1297 l = CM_SIZEOFINF(CM_INFO_MESSAGE);
1299 PDEBUG(DEBUG_CRYPT, "received message without (valid) message element (len = %d)\n", len);
1302 CM_GETINF(CM_INFO_MESSAGE, &msg);
1305 cryptman_message(CP_IDENT, param, len);
1308 cryptman_message(CP_SLAVE, param, len);
1311 cryptman_message(CP_MASTER, param, len);
1314 cryptman_message(CP_PUBKEY, param, len);
1317 cryptman_message(CP_CSKEY, param, len);
1320 cryptman_message(CP_ABORT, param, len);
1323 PDEBUG(DEBUG_CRYPT, "received unknown message element %d\n", msg);
1327 /* add information element to buffer
1329 void EndpointAppPBX::cryptman_addinf(unsigned char *buf, int buf_size, int element, int len, void *data)
1333 /* skip what we already have in the buffer */
1335 l = (buf[1]<<8) + buf[2];
1336 if (l >= buf_size-3) {
1337 PERROR("EPOINT(%d) buffer overflow while adding information to peer message.\n", ea_endpoint->ep_serial);
1343 /* check if we have not enough space to add element including id, len, data, and the null-termination */
1344 if (len+4 > buf_size) {
1345 PERROR("EPOINT(%d) cannot add element to message, because buffer would overflow.\n", ea_endpoint->ep_serial);
1351 memcpy(buf+3, data, len);
1355 /* get size of element in buffer
1357 int EndpointAppPBX::cryptman_sizeofinf(unsigned char *buf, int element)
1361 /* skip what we already have in the buffer */
1363 l = (buf[1]<<8) + buf[2];
1364 if (buf[0] == element)
1372 /* get information element from buffer
1374 unsigned char *EndpointAppPBX::cryptman_getinf(unsigned char *buf, int element, unsigned char *to)
1378 /* skip what we already have in the buffer */
1380 l = (buf[1]<<8) + buf[2];
1381 if (buf[0] == element) {
1382 memcpy(to, buf+3, l);
1391 /* send message to peer
1393 void EndpointAppPBX::cryptman_msg2peer(unsigned char *buf)
1395 struct lcr_msg *message;
1396 unsigned char *p = buf;
1402 l = (p[1]<<8) + p[2];
1406 if (len+1 > (int)sizeof(message->param.crypt.data)) {
1407 PERROR("EPOINT(%d) message larger than allowed in param->crypt.data.\n", ea_endpoint->ep_serial);
1411 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_CRYPT);
1412 message->param.crypt.type = CR_MESSAGE_REQ;
1413 message->param.crypt.len = len+1;
1414 memcpy(message->param.crypt.data, buf, len+1);
1415 message_put(message);
1417 if (options.deb & DEBUG_CRYPT) {
1418 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message\n", ea_endpoint->ep_serial);
1421 l = (p[1]<<8) + p[2];
1422 PDEBUG(DEBUG_CRYPT, " inf %d (len = %d)\n", p[0], l);
1429 /* send message to crypt engine
1431 void EndpointAppPBX::cryptman_msg2crengine(int msg, unsigned char *buf, int len)
1433 struct lcr_msg *message;
1435 if (len > (int)sizeof(message->param.crypt.data)) {
1436 PERROR("EPOINT(%d) message larger than allowed in param->crypt.data.\n", ea_endpoint->ep_serial);
1440 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_CRYPT);
1441 message->param.crypt.type = msg;
1442 message->param.crypt.len = len;
1444 memcpy(message->param.crypt.data, buf, len);
1445 message_put(message);
1447 if (options.deb & DEBUG_CRYPT) {
1448 const char *msgtext = "<<UNKNOWN MESSAGE>>";
1450 if (msg>=0 && msg<cm_msg_num)
1451 msgtext = cm_msg_name[msg];
1452 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message '%s' (len = %d)\n", ea_endpoint->ep_serial, msgtext, len);
1456 /* send message to user
1458 void EndpointAppPBX::cryptman_msg2user(int msg, const char *text)
1460 struct lcr_msg *message;
1462 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1463 message->param.crypt.type = msg;
1466 SCPY(e_crypt_info, text);
1468 UNCPY((char *)message->param.crypt.data, e_crypt_info, sizeof(message->param.crypt.data)-1);
1469 message->param.crypt.len = strlen((char *)message->param.crypt.data)+1;
1471 message_put(message);
1473 if (options.deb & DEBUG_CRYPT) {
1474 const char *msgtext = "<<UNKNOWN MESSAGE>>";
1476 if (msg>=0 && msg<cm_msg_num)
1477 msgtext = cm_msg_name[msg];
1478 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message '%s' (text = %s)\n", ea_endpoint->ep_serial, msgtext, text?text:"");
1484 void EndpointAppPBX::cryptman_state(int state)
1486 PDEBUG(DEBUG_CRYPT, "Changing state from %s to %s\n", statename(e_crypt_state), statename(state));
1487 e_crypt_state = state;
1493 void EndpointAppPBX::cryptman_timeout(int secs)
1496 e_crypt_timeout_sec = now_tv.tv_sec+secs;
1497 e_crypt_timeout_usec = now_tv.tv_usec;
1498 PDEBUG(DEBUG_CRYPT, "Changing timeout to %d seconds\n", secs);
1500 e_crypt_timeout_sec = 0;
1501 e_crypt_timeout_usec = 0;
1502 PDEBUG(DEBUG_CRYPT, "turning timeout off\n", secs);
1506 /* encode a message to be sent via b-channel
1508 int cryptman_encode_bch(unsigned char *data, int len, unsigned char *buf, int buf_len)
1513 len--; /* without null-termination */
1514 if (buf_len < len+overhead) {
1515 PERROR("frame too long for buffer");
1518 PDEBUG(DEBUG_CRYPT, "encoding a block of %d bytes.\n", len);
1520 /* write identification sequence to the header */
1521 UNCPY((char *)buf, "CRYPTMAN" ,8);
1523 /* length + checksumme */
1525 buf[1] = len & 0xff;
1526 crc = crc32(buf, 2);
1533 /* data + checksumme */
1534 memcpy(buf, data, len);
1535 crc = crc32(buf, len);
1542 return(len + overhead);
1545 /* decode a message from b-channel
1547 void PmISDN::cryptman_listen_bch(unsigned char *p, int l)
1550 struct lcr_msg *message;
1556 /* check for the keyword */
1557 if (p_m_crypt_listen_state == 0) {
1558 while((*p++)!='C' && l)
1563 p_m_crypt_listen_state++;
1567 if (p_m_crypt_listen_state < 8) {
1568 i = p_m_crypt_listen_state;
1571 if (*p++ != "CRYPTMAN"[i]) {
1572 p_m_crypt_listen_state = 0;
1575 p_m_crypt_listen_state++;
1583 /* high byte of length */
1584 if (p_m_crypt_listen_state == 8) {
1585 p_m_crypt_listen_len = (*p++) << 8;
1586 p_m_crypt_listen_state++;
1590 /* low byte of length */
1591 if (p_m_crypt_listen_state == 9) {
1592 p_m_crypt_listen_len += *p++;
1593 p_m_crypt_listen_state++;
1598 if (p_m_crypt_listen_state == 10) {
1599 p_m_crypt_listen_crc = (*p++) << 24;
1600 p_m_crypt_listen_state++;
1604 if (p_m_crypt_listen_state == 11) {
1605 p_m_crypt_listen_crc += (*p++) << 16;
1606 p_m_crypt_listen_state++;
1610 if (p_m_crypt_listen_state == 12) {
1611 p_m_crypt_listen_crc += (*p++) << 8;
1612 p_m_crypt_listen_state++;
1616 if (p_m_crypt_listen_state == 13) {
1617 unsigned char lencheck[2];
1618 p_m_crypt_listen_crc += *p++;
1620 lencheck[0] = p_m_crypt_listen_len >> 8;
1621 lencheck[1] = p_m_crypt_listen_len & 0xff;
1622 if (crc32(lencheck, 2) != p_m_crypt_listen_crc) {
1623 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but checksumme of length is incorrect (must %08x is %08x\n", p_name, p_m_crypt_listen_len, crc32(lencheck, 2), p_m_crypt_listen_crc);
1624 p_m_crypt_listen_state = 0;
1627 if (p_m_crypt_listen_len > (int)sizeof(p_m_crypt_listen_msg)) {
1628 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but too big for buffer (%d bytes)\n", p_name, p_m_crypt_listen_len, sizeof(p_m_crypt_listen_msg));
1629 p_m_crypt_listen_state = 0;
1632 if (!p_m_crypt_listen_len) {
1633 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of 0 bytes\n", p_name);
1634 p_m_crypt_listen_state = 0;
1637 p_m_crypt_listen_state++;
1642 while (p_m_crypt_listen_state>=14 && p_m_crypt_listen_state<(p_m_crypt_listen_len+14)) {
1643 p_m_crypt_listen_msg[p_m_crypt_listen_state-14] = *p++;
1644 p_m_crypt_listen_state++;
1649 if (p_m_crypt_listen_state == 14+p_m_crypt_listen_len) {
1650 p_m_crypt_listen_crc = (*p++) << 24;
1651 p_m_crypt_listen_state++;
1655 if (p_m_crypt_listen_state == 15+p_m_crypt_listen_len) {
1656 p_m_crypt_listen_crc += (*p++) << 16;
1657 p_m_crypt_listen_state++;
1661 if (p_m_crypt_listen_state == 16+p_m_crypt_listen_len) {
1662 p_m_crypt_listen_crc += (*p++) << 8;
1663 p_m_crypt_listen_state++;
1667 if (p_m_crypt_listen_state == 17+p_m_crypt_listen_len) {
1669 p_m_crypt_listen_crc += *p++;
1671 if (crc32(p_m_crypt_listen_msg, p_m_crypt_listen_len) != p_m_crypt_listen_crc) {
1672 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but checksumme of data block is incorrect\n", p_name, p_m_crypt_listen_len);
1673 p_m_crypt_listen_state = 0;
1678 /* now send message */
1679 p_m_crypt_listen_state = 0;
1680 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes sending to crypt manager\n", p_name, p_m_crypt_listen_len);
1681 if ((int)sizeof(message->param.crypt.data) < p_m_crypt_listen_len+1) /* null-terminated */ {
1682 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes that is too large for message buffer\n", p_name, p_m_crypt_listen_len);
1687 message = message_create(p_serial, ACTIVE_EPOINT(p_epointlist), PORT_TO_EPOINT, MESSAGE_CRYPT);
1688 message->param.crypt.type = CR_MESSAGE_IND;
1689 message->param.crypt.len = p_m_crypt_listen_len+1; /* null termination */
1690 memcpy(message->param.crypt.data, p_m_crypt_listen_msg, p_m_crypt_listen_len);
1691 message_put(message);
1692 p_m_crypt_listen_state = 0;
1700 /* encrypt call using share secret (keypad function)
1702 void EndpointAppPBX::encrypt_shared(void)
1704 struct lcr_msg *message;
1705 const char *errstr = "";
1709 char *auth_pointer, *crypt_pointer, *key_pointer;
1712 /* redisplay current crypt display */
1713 if (e_crypt != CRYPT_OFF) {
1714 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption in progress, so we request the current message.\n", ea_endpoint->ep_serial);
1715 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1716 message->param.crypt.type = CU_INFO_REQ;
1717 message_put(message);
1721 if (check_external(&errstr, &port)) {
1723 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1724 SCPY(message->param.notifyinfo.display, errstr);
1725 message_put(message);
1726 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1731 /* check the key for the call */
1732 if (port->p_type==PORT_TYPE_DSS1_TE_OUT || port->p_type==PORT_TYPE_DSS1_NT_OUT)
1733 ret = parse_secrets((char *)e_ext.number, (char *)port->p_dialinginfo.id, &auth_pointer, &crypt_pointer, &key_pointer);
1735 if (!port->p_callerinfo.id[0]) {
1736 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) incoming remote call has no caller ID.\n", ea_endpoint->ep_serial);
1737 errstr = "No Remote ID";
1740 ret = parse_secrets((char *)e_ext.number, (char *)numberrize_callerinfo(port->p_callerinfo.id, port->p_callerinfo.ntype, options.national, options.international), &auth_pointer, &crypt_pointer, &key_pointer);
1743 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key was not found.\n", ea_endpoint->ep_serial);
1747 key = crypt_key((unsigned char *)key_pointer, &key_len);
1749 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key invalid.\n", ea_endpoint->ep_serial);
1750 errstr = "Invalid Key";
1753 if (key_len > 128) {
1754 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too long.\n", ea_endpoint->ep_serial);
1755 errstr = "Key Too Long";
1758 if (!!strcasecmp(auth_pointer, "manual")) {
1759 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Wrong authentication method.\n", ea_endpoint->ep_serial);
1760 errstr = "Wrong Auth Type";
1763 if (!strcasecmp(crypt_pointer, "blowfish")) {
1764 type = CC_ACTBF_REQ;
1766 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too short.\n", ea_endpoint->ep_serial);
1767 errstr = "Key Too Short";
1771 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too long.\n", ea_endpoint->ep_serial);
1772 errstr = "Key Too Long";
1776 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Wrong crypt method.\n", ea_endpoint->ep_serial);
1777 errstr = "Wrong Crypt Type";
1781 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key is ok, sending activation+key to cryptman.\n", ea_endpoint->ep_serial);
1782 /* setting display message and state */
1783 // SPRINT(e_crypt_display, "Shared Key");
1784 e_crypt = CRYPT_SWAIT;
1785 /* sending activation */
1786 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1787 message->param.crypt.type = CU_ACTS_REQ;
1788 message->param.crypt.len = key_len;
1789 memcpy(message->param.crypt.data, key, key_len);
1790 message_put(message);
1794 /* encrypt call using rsa authentication (keypad function)
1796 void EndpointAppPBX::encrypt_keyex(void)
1798 struct lcr_msg *message;
1799 const char *errstr = "";
1802 /* redisplay current crypt display */
1803 if (e_crypt != CRYPT_OFF) {
1804 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption in progress, so we request the current message.\n", ea_endpoint->ep_serial);
1805 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1806 message->param.crypt.type = CU_INFO_REQ;
1807 message_put(message);
1812 if (check_external(&errstr, &port)) {
1813 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1814 SCPY(message->param.notifyinfo.display, errstr);
1815 message_put(message);
1816 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1822 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1823 SCPY(message->param.notifyinfo.display, "Not Compiled");
1824 message_put(message);
1825 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1828 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Sending key-exchange activation to cryptman.\n", ea_endpoint->ep_serial);
1829 /* setting display message and state */
1830 // SPRINT(e_crypt_display, "Key-Exchange");
1831 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1832 SCPY(message->param.notifyinfo.display, "Key-Exchange");
1833 message_put(message);
1834 e_crypt = CRYPT_KWAIT;
1835 /* sending activation */
1836 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1837 message->param.crypt.type = CU_ACTK_REQ;
1838 message_put(message);
1843 /* turn encryption off (keypad function)
1845 void EndpointAppPBX::encrypt_off(void)
1847 struct lcr_msg *message;
1849 if (e_crypt!=CRYPT_ON && e_crypt!=CRYPT_OFF) {
1850 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1851 SCPY(message->param.notifyinfo.display, "Please Wait");
1852 message_put(message);
1855 if (e_crypt == CRYPT_OFF) {
1856 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1857 SCPY(message->param.notifyinfo.display, "No Encryption");
1858 message_put(message);
1859 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1864 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Sending deactivation to cryptman.\n", ea_endpoint->ep_serial);
1865 /* setting display message and state */
1866 // SPRINT(e_crypt_display, "Deactivating");
1867 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1868 SCPY(message->param.notifyinfo.display, "Deactivating");
1869 message_put(message);
1870 e_crypt = CRYPT_RELEASE;
1871 /* sending activation */
1872 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1873 message->param.crypt.type = CU_DACT_REQ;
1874 message_put(message);
1878 /* messages from manager to endpoint
1880 void EndpointAppPBX::encrypt_result(int msg, char *text)
1882 struct lcr_msg *message;
1887 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption now active.\n", ea_endpoint->ep_serial);
1888 set_tone(ea_endpoint->ep_portlist, "crypt_on");
1892 if (text) if (text[0]) {
1893 SCPY(e_crypt_info, text);
1894 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1895 SCPY(message->param.notifyinfo.display, e_crypt_info);
1896 message_put(message);
1901 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption error. (%s)\n", ea_endpoint->ep_serial, text);
1902 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1904 e_crypt = CRYPT_OFF;
1910 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption now off. (%s)\n", ea_endpoint->ep_serial, text);
1911 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1913 e_crypt = CRYPT_OFF;
1919 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) information. (%s)\n", ea_endpoint->ep_serial, text);
1924 PERROR("EPOINT(%d) crypt manager sends us an invalid message. (type = %d)\n", ea_endpoint->ep_serial, msg);