80ece0e8f701913196b967d1238cb0f34ac98e03
[lcr.git] / crypt.cpp
1 /*****************************************************************************\
2 **                                                                           **
3 ** PBX4Linux                                                                 **
4 **                                                                           **
5 **---------------------------------------------------------------------------**
6 ** Copyright: Andreas Eversberg                                              **
7 **                                                                           **
8 ** cryption stuff                                                            **
9 **                                                                           **
10 \*****************************************************************************/ 
11
12 /* how authentication is performed:
13
14 Alice                                                         Bob
15 -----------------------------------------------------------------
16                          unencrypted call
17 start        *
18              | -----> sending random number -----> (gets lost)
19              |
20              |                                     *        start
21 comparing    | <----- sending random number <----- |
22 master state |                                     |
23              | -----> sending "slave" code  -----> |  slave state
24 calculating  |                                     |
25 rsa key pair |                                     |
26              |                                     |
27 done         | -----> sending public key    -----> |
28              |                                     |     crpyting
29              |                                     |  session key
30              |                                     |
31              | <----- sending session key   <----- |         done
32 decrypting   |                                     | enable crypt
33 dession key  |                                     *         stop
34              |
35 done         |
36 enable crypt |
37 stop         *
38                          encrypted call
39
40 When Bob and Alice activate their authentication process, they will make
41 up a random number.
42
43 Lets assume Alice starts encryption first. She activates the authentication
44 process. Bob hat not activates the process yet. Alice sends a random number
45 to Bob, but he will ignore it, because he is not listening.
46
47 Bob also activates the authentication process, and sends his random number.
48 Now Alice will receive that number and compares the values. If the values
49 are equal, the process will fail and Alice will send the message "LOOPED".
50 If Alice's random number is greater, she will identify herself as "master".
51 Bob will get a "SLAVE" message. Bob might also send a "MASTER" message,
52 if he got Alice's random number, due to parallel activation of the
53 authentication.
54
55 After transmission or reception of a master message, more messages are
56 ignored. After reception of a "RANDOM" message, more messages are
57 ignored. A reception of a "RANDOM" message always causes to identify who
58 is slave.
59
60 Now Alice starts calculating his public/private key pair, because she is
61 "master". When Bob receives the "SLAVE" message, he will change the timeout
62 value. If no random number or "SLAVE", "MASTER" or "LOOPED" is received within
63 a timeout value, the "ABORT" message is sent. If the "ABORT" message is
64 received at any state of the process, the process is aborted.
65
66 After the key of Alices is calculated, she will send it to Bob. Bob will use
67 the key to start encryption of a random session key. Both will change their
68 timeout values.
69
70 After Bob has finished is crypted session key, he will send it to Alice and
71 enable encryption. Bob has finished his process now.
72
73 As soon as Alice received the encrypted key, she will encrypt it and also
74 enable encryption with the same key as Bob. Alis has finished her process now.
75
76 Both will get displayed some of the first digits of the public key. Both can
77 talk about the digits now. A man in the middle cannot change the keys without
78 changing the public key. The voice of Alice and/or Bob is used to "sign" and
79 "check" that the public key is not modified.
80
81 If Alice or Bob wants to stop encryption, one will send the "ABORT" message.
82 After transmission or reception.
83
84
85 The states of the process:
86
87 CM_ST_NULL
88 ----------
89 no encryption
90
91 CM_ST_IDENT
92 -----------
93 Waiting for the remote random number or "MASTER", "SLAVE", "LOOPED" message.
94
95 CM_ST_KEYGEN
96 ------------
97 The master generates the key and waits for the key engine to finish.
98
99 CM_ST_KEYWAIT
100 -------------
101 The slave waits for the master to send the key.
102
103 CM_ST_CSKEY
104 -----------
105 The slave generates the session key and waits for the encryption engine to
106 finish.
107
108 CM_ST_CSWAIT
109 ------------
110 The master waits for the slave to send the crypted session key.
111
112 CM_ST_DSKEY
113 -----------
114 The master waits for the decryption engine to finish decryption of the session
115 key.
116
117 CM_ST_ACTIVE
118 ------------
119 The encryption is established.
120
121
122 Timouts
123 -------
124 CM_TO_IDENT     = waiting for the remote party to enable encryption
125 CM_TO_KEY       = waiting for key generation
126 CM_TO_CSKEY     = waiting for session key encryption
127 CM_TO_DSKEY     = waiting for session key decryption
128
129
130 Structure of message:
131 ---------------------
132
133 one octet message element
134 two octets element length (first octet = high-byte)
135 data as given in length
136
137 last element is 0
138 the message type is encoded as element
139
140
141 */
142
143 #include "main.h"
144 #ifdef CRYPTO
145 #include <openssl/rsa.h>
146 #endif
147
148
149 /* convert key string to binary key vector
150  * returns 0 if an error ocurred
151  */
152 unsigned char *crypt_key(unsigned char *key, int *binary_len)
153 {
154         static unsigned char binary_key[2048];
155         int i = 0;
156
157         binary_key[0] = '\0';
158
159         if (!key[0])
160                 return(NULL);
161
162         /* check for 0xXXXX... type of key */
163         if (!strncmp((char *)key, "0x", 2))
164         {
165                 key+=2;
166                 while(*key)
167                 {
168                         if (i == (int)sizeof(binary_key))
169                                 return(NULL);
170
171                         if (*key>='0' && *key<='9')
172                                 binary_key[i] = (*key-'0') << 8;
173                         else if (*key>='a' && *key<='f')
174                                 binary_key[i] = (*key-'a'+10) << 8;
175                         else if (*key>='A' && *key<='F')
176                                 binary_key[i] = (*key-'A'+10) << 8;
177                         else
178                                 return(NULL);
179                         key++;
180
181                         if (*key>='0' && *key<='9')
182                                 binary_key[i] += (*key - '0');
183                         else if (*key>='a' && *key<='f')
184                                 binary_key[i] += (*key - 'a' + 10);
185                         else if (*key>='A' && *key<='F')
186                                 binary_key[i] += (*key - 'A' + 10);
187                         else
188                                 return(NULL);
189                         key++;
190
191                         i++;
192                 }
193                 *binary_len = i;
194                 return(binary_key);
195         }
196
197         /* ascii key too long */
198         if (strlen((char *)key) >= sizeof((char *)binary_key))
199                 return(NULL);
200
201         memcpy(binary_key, key, strlen((char *)key));
202         *binary_len = strlen((char *)key);
203         return(binary_key);
204 }
205
206 /*
207  * support routine to get cpu speed
208  */
209 static unsigned long get_bogomips(void)
210 {
211         FILE *fp;
212         char buffer[64], *p;
213
214         fp = fopen("/proc/cpuinfo", "r");
215         if (!fp)
216         {
217                 PERROR("Cannot access /proc/cpuinfo. Will not use cpuinfo for identification of pear\n");
218                 return(0);
219         }
220         fduse++;
221         buffer[sizeof(buffer-1)] = '\0';
222         while(fgets(buffer, sizeof(buffer)-1, fp))
223         {
224                 if (!!strncmp(buffer, "bogomips", 8))
225                         continue;
226                 if (!strchr(buffer, ':'))
227                         continue;
228                 p = strchr(buffer, ':')+1;
229                 while(*p == ' ')
230                         p++;
231                 if (strchr(p, '.'))
232                         *strchr(p, '.') = '\0';
233                 fclose(fp);
234                 fduse--;
235                 return(atoi(p));
236         }
237         fclose(fp);
238         fduse--;
239         PERROR("Cannot find 'bogomips' in /proc/cpuinfo. Will not use cpuinfo for identification of pear\n");
240         return(0);
241 }
242
243
244 /*
245  * crc 32 stuff
246  */
247 static unsigned long crc_reflect(unsigned long ref, char ch)
248 {
249         unsigned long value = 0;
250         int i;
251
252         i = 1;
253         while(i < ch+1)
254         {
255                 if(ref & 1)
256                         value |= 1 << (ch - i);
257                 ref >>= 1;
258                 i++;
259         }
260         return(value);
261 }
262
263 static unsigned long crc32_table[256];
264 static int crc_initialized = 0;
265
266 void crc_init(void)
267 {
268         unsigned long ulPolynomial = 0x04c11db7;
269         int i, j;
270
271         i = 0;
272         while(i < 256)
273         {
274                 crc32_table[i] = crc_reflect(i, 8) << 24;
275                 j = 0;
276                 while(j < 8)
277                 {
278                         crc32_table[i] = (crc32_table[i] << 1) ^ (crc32_table[i] & (1 << 31) ? ulPolynomial : 0);
279                         j++;
280                 }
281                 crc32_table[i] = crc_reflect(crc32_table[i], 32);
282                 i++;
283         }
284         crc_initialized = 1;
285 }
286
287 unsigned long crc32(unsigned char *data, int len)
288 {
289         unsigned long crc = 0xffffffff;
290
291         if (!crc_initialized)
292                 FATAL("crc not initialized, exitting...");
293
294         while (len--)
295                 crc = (crc >> 8) ^ crc32_table[(crc & 0xFF) ^ *data++];
296         return(crc^0xffffffff);
297 }
298
299
300 CM_ST_NAMES
301
302 /* give name of state */
303 static char *statename(int state)
304 {
305         if (state>=0 && state<cm_st_num)
306                 return(cm_st_name[state]);
307         return("<<STATE UNKNOWN>>");
308 }
309
310 /*
311  * authentication key generation, encryption, decryption
312  */
313 struct auth_args {
314         class EndpointAppPBX *apppbx;
315         int     job;
316 };
317
318 static void *keyengine_child(void *arg)
319 {
320         struct auth_args *args = (struct auth_args *)arg;
321         class EndpointAppPBX *apppbx = args->apppbx;
322         int job = args->job;
323 #ifdef CRYPTO
324         RSA *rsa;
325         int exponent;
326         int i;
327 #endif
328
329         struct sched_param schedp;
330         int ret;
331
332         PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "EPOINT(%d) child process started for using libcrypto\n", apppbx->ea_endpoint->ep_serial);
333
334         /* lower priority to keep pbx running fluently */
335         if (options.schedule > 0)
336         {
337                 memset(&schedp, 0, sizeof(schedp));
338                 schedp.sched_priority = 0;
339                 ret = sched_setscheduler(0, SCHED_OTHER, &schedp);
340                 if (ret < 0)
341                 {
342                         PERROR("Scheduling to normal priority failed (errno = %d).\nExitting child process...\n", errno);
343                         goto done;
344                 }
345         }
346
347         switch(job)
348         {
349                 /* generate rsa key pair */
350                 case CK_GENRSA_REQ:
351 #ifndef CRYPTO
352                 PERROR("Not compliled wiht crypto.\n");
353                 apppbx->e_crypt_keyengine_return = -1;
354 #else
355                 srandom(*((unsigned int *)mISDN_rand) ^ random());
356 //              exponent = (((random()<<1)|1) & 0x7f) + 0x80; /* odd */
357                 exponent = 65537;
358 //              if (exponent < 3) exponent = 3; /* >= 3 */
359                 rsa = RSA_generate_key(RSA_BITS, exponent, NULL, NULL);
360                 if (!rsa)
361                 {
362                         PERROR("Failed to generate rsa key pair.\n");
363                         apppbx->e_crypt_keyengine_return = -1;
364                         break;
365                 }
366                 ememuse++;
367                 apppbx->e_crypt_rsa_n_len = BN_num_bytes(rsa->n);
368                 if (apppbx->e_crypt_rsa_n_len > (int)sizeof(apppbx->e_crypt_rsa_n))
369                 {
370                         kerror_buffer:
371                         PERROR("e_crypt_rsa_* too small for bignum.\n");
372                         apppbx->e_crypt_keyengine_return = -1;
373                         RSA_free(rsa);
374                         ememuse--;
375                         break;
376                 }
377                 BN_bn2bin(rsa->n, apppbx->e_crypt_rsa_n);
378                 apppbx->e_crypt_rsa_n_len = BN_num_bytes(rsa->n);
379                 if (apppbx->e_crypt_rsa_e_len > (int)sizeof(apppbx->e_crypt_rsa_e))
380                         goto kerror_buffer;
381                 BN_bn2bin(rsa->e, apppbx->e_crypt_rsa_e);
382                 apppbx->e_crypt_rsa_e_len = BN_num_bytes(rsa->e);
383                 if (apppbx->e_crypt_rsa_d_len > (int)sizeof(apppbx->e_crypt_rsa_d))
384                         goto kerror_buffer;
385                 BN_bn2bin(rsa->d, apppbx->e_crypt_rsa_d);
386                 apppbx->e_crypt_rsa_p_len = BN_num_bytes(rsa->p);
387                 if (apppbx->e_crypt_rsa_p_len > (int)sizeof(apppbx->e_crypt_rsa_p))
388                         goto kerror_buffer;
389                 BN_bn2bin(rsa->p, apppbx->e_crypt_rsa_p);
390                 apppbx->e_crypt_rsa_q_len = BN_num_bytes(rsa->q);
391                 if (apppbx->e_crypt_rsa_q_len > (int)sizeof(apppbx->e_crypt_rsa_q))
392                         goto kerror_buffer;
393                 BN_bn2bin(rsa->q, apppbx->e_crypt_rsa_q);
394                 apppbx->e_crypt_rsa_dmp1_len = BN_num_bytes(rsa->dmp1);
395                 if (apppbx->e_crypt_rsa_dmp1_len > (int)sizeof(apppbx->e_crypt_rsa_dmp1))
396                         goto kerror_buffer;
397                 BN_bn2bin(rsa->dmp1, apppbx->e_crypt_rsa_dmp1);
398                 apppbx->e_crypt_rsa_dmq1_len = BN_num_bytes(rsa->dmq1);
399                 if (apppbx->e_crypt_rsa_dmq1_len > (int)sizeof(apppbx->e_crypt_rsa_dmq1))
400                         goto kerror_buffer;
401                 BN_bn2bin(rsa->dmq1, apppbx->e_crypt_rsa_dmq1);
402                 apppbx->e_crypt_rsa_iqmp_len = BN_num_bytes(rsa->iqmp);
403                 if (apppbx->e_crypt_rsa_iqmp_len > (int)sizeof(apppbx->e_crypt_rsa_iqmp))
404                         goto kerror_buffer;
405                 BN_bn2bin(rsa->iqmp, apppbx->e_crypt_rsa_iqmp);
406                 PDEBUG(DEBUG_CRYPT, "gen: rsa n=%02x...\n", *apppbx->e_crypt_rsa_n);
407                 PDEBUG(DEBUG_CRYPT, "gen: rsa e=%02x...\n", *apppbx->e_crypt_rsa_e);
408                 PDEBUG(DEBUG_CRYPT, "gen: rsa d=%02x...\n", *apppbx->e_crypt_rsa_d);
409                 PDEBUG(DEBUG_CRYPT, "gen: rsa p=%02x...\n", *apppbx->e_crypt_rsa_p);
410                 PDEBUG(DEBUG_CRYPT, "gen: rsa q=%02x...\n", *apppbx->e_crypt_rsa_q);
411                 PDEBUG(DEBUG_CRYPT, "gen: rsa dmp1=%02x...\n", *apppbx->e_crypt_rsa_dmp1);
412                 PDEBUG(DEBUG_CRYPT, "gen: rsa dmq1=%02x...\n", *apppbx->e_crypt_rsa_dmq1);
413                 PDEBUG(DEBUG_CRYPT, "gen: rsa iqmp=%02x...\n", *apppbx->e_crypt_rsa_iqmp);
414                 apppbx->e_crypt_keyengine_return = 1;
415                 RSA_free(rsa);
416                 ememuse--;
417 #endif
418                 break;
419
420                 /* encrypt session key */
421                 case CK_CPTRSA_REQ:
422 #ifndef CRYPTO
423                 PERROR("No crypto lib.\n");
424                 apppbx->e_crypt_keyengine_return = -1;
425 #else
426                 /* generating session key */
427                 srandom(*((unsigned int *)mISDN_rand) ^ random());
428                 i = 0;
429                 while(i < 56)
430                 {
431                         apppbx->e_crypt_key[i] = random();
432                         apppbx->e_crypt_key[i] ^= mISDN_rand[random() & 0xff];
433                         i++;
434                 }
435                 apppbx->e_crypt_key_len = i;
436                 /* encrypt via rsa */
437                 rsa = RSA_new();
438                 if (!rsa)
439                 {
440                         PERROR("Failed to allocate rsa structure.\n");
441                         apppbx->e_crypt_keyengine_return = 1;
442                         break;
443                 }
444                 ememuse++;
445                 rsa->n = BN_new();
446                 rsa->e = BN_new();
447                 if (!rsa->n || !rsa->e)
448                 {
449                         PERROR("Failed to generate rsa structure.\n");
450                         apppbx->e_crypt_keyengine_return = -1;
451                         RSA_free(rsa);
452                         ememuse--;
453                         break;
454                 }
455                 if (!BN_bin2bn(apppbx->e_crypt_rsa_n, apppbx->e_crypt_rsa_n_len, rsa->n))
456                 {
457                         eerror_bin2bn:
458                         PERROR("Failed to convert binary to bignum.\n");
459                         apppbx->e_crypt_keyengine_return = -1;
460                         RSA_free(rsa);
461                         ememuse--;
462                         break;
463                 }
464                 if ((apppbx->e_crypt_rsa_n_len*8) != BN_num_bits(rsa->n))
465                 {
466                         PERROR("SOFTWARE API ERROR: length not equal stored data. (%d != %d)\n", apppbx->e_crypt_rsa_n_len*8, BN_num_bits(rsa->n));
467                         apppbx->e_crypt_keyengine_return = -1;
468                         RSA_free(rsa);
469                         ememuse--;
470                         break;
471                 }
472                 if (!BN_bin2bn(apppbx->e_crypt_rsa_e, apppbx->e_crypt_rsa_e_len, rsa->e))
473                         goto eerror_bin2bn;
474                 PDEBUG(DEBUG_CRYPT, "crypt: rsa n=%02x...\n", *apppbx->e_crypt_rsa_n);
475                 PDEBUG(DEBUG_CRYPT, "crypt: rsa e=%02x...\n", *apppbx->e_crypt_rsa_e);
476                 PDEBUG(DEBUG_CRYPT, "crypt: key =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_key[0], apppbx->e_crypt_key[1], apppbx->e_crypt_key[2], apppbx->e_crypt_key[3], apppbx->e_crypt_key_len);
477                 apppbx->e_crypt_ckey_len = RSA_public_encrypt(
478                         apppbx->e_crypt_key_len,
479                         apppbx->e_crypt_key,
480                         apppbx->e_crypt_ckey,
481                         rsa,
482                         RSA_PKCS1_PADDING);
483                 PDEBUG(DEBUG_CRYPT, "crypt: ckey =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_ckey[0], apppbx->e_crypt_ckey[1], apppbx->e_crypt_ckey[2], apppbx->e_crypt_ckey[3], apppbx->e_crypt_ckey_len);
484                 RSA_free(rsa);
485                 ememuse--;
486                 if (apppbx->e_crypt_ckey_len > 0)
487                         apppbx->e_crypt_keyengine_return = 1;
488                 else
489                         apppbx->e_crypt_keyengine_return = -1;
490 #endif
491                 break;
492
493                 /* decrypt session key */
494                 case CK_DECRSA_REQ:
495 #ifndef CRYPTO
496                 PERROR("No crypto lib.\n");
497                 apppbx->e_crypt_keyengine_return = -1;
498 #else
499                 rsa = RSA_new();
500                 if (!rsa)
501                 {
502                         PERROR("Failed to allocate rsa structure.\n");
503                         apppbx->e_crypt_keyengine_return = 1;
504                         break;
505                 }
506                 ememuse++;
507                 rsa->n = BN_new();
508                 rsa->e = BN_new();
509                 rsa->d = BN_new();
510                 rsa->p = BN_new();
511                 rsa->q = BN_new();
512                 rsa->dmp1 = BN_new();
513                 rsa->dmq1 = BN_new();
514                 rsa->iqmp = BN_new();
515                 if (!rsa->n || !rsa->e
516                  || !rsa->d || !rsa->p
517                  || !rsa->q || !rsa->dmp1
518                  || !rsa->dmq1 || !rsa->iqmp)
519                 {
520                         PERROR("Failed to generate rsa structure.\n");
521                         apppbx->e_crypt_keyengine_return = 1;
522                         RSA_free(rsa);
523                         ememuse--;
524                         break;
525                 }
526                 if (!BN_bin2bn(apppbx->e_crypt_rsa_n, apppbx->e_crypt_rsa_n_len, rsa->n))
527                 {
528                         derror_bin2bn:
529                         PERROR("Failed to convert binary to bignum.\n");
530                         apppbx->e_crypt_keyengine_return = -1;
531                         RSA_free(rsa);
532                         ememuse--;
533                         break;
534                 }
535                 if (!BN_bin2bn(apppbx->e_crypt_rsa_e, apppbx->e_crypt_rsa_e_len, rsa->e))
536                         goto derror_bin2bn;
537                 if (!BN_bin2bn(apppbx->e_crypt_rsa_d, apppbx->e_crypt_rsa_d_len, rsa->d))
538                         goto derror_bin2bn;
539                 if (!BN_bin2bn(apppbx->e_crypt_rsa_p, apppbx->e_crypt_rsa_p_len, rsa->p))
540                         goto derror_bin2bn;
541                 if (!BN_bin2bn(apppbx->e_crypt_rsa_q, apppbx->e_crypt_rsa_q_len, rsa->q))
542                         goto derror_bin2bn;
543                 if (!BN_bin2bn(apppbx->e_crypt_rsa_dmp1, apppbx->e_crypt_rsa_dmp1_len, rsa->dmp1))
544                         goto derror_bin2bn;
545                 if (!BN_bin2bn(apppbx->e_crypt_rsa_dmq1, apppbx->e_crypt_rsa_dmq1_len, rsa->dmq1))
546                         goto derror_bin2bn;
547                 if (!BN_bin2bn(apppbx->e_crypt_rsa_iqmp, apppbx->e_crypt_rsa_iqmp_len, rsa->iqmp))
548                         goto derror_bin2bn;
549                 PDEBUG(DEBUG_CRYPT, "decrypt: ckey =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_ckey[0], apppbx->e_crypt_ckey[1], apppbx->e_crypt_ckey[2], apppbx->e_crypt_ckey[3], apppbx->e_crypt_ckey_len);
550                 apppbx->e_crypt_key_len = RSA_private_decrypt(
551                         apppbx->e_crypt_ckey_len,
552                         apppbx->e_crypt_ckey,
553                         apppbx->e_crypt_key,
554                         rsa,
555                         RSA_PKCS1_PADDING);
556                 PDEBUG(DEBUG_CRYPT, "decrypt: key =%02x%02x%02x%02x... (len=%d)\n", apppbx->e_crypt_key[0], apppbx->e_crypt_key[1], apppbx->e_crypt_key[2], apppbx->e_crypt_key[3], apppbx->e_crypt_key_len);
557                 RSA_free(rsa);
558                 ememuse--;
559                 apppbx->e_crypt_keyengine_return = 1;
560 #endif
561                 break;
562
563                 default:
564                 PERROR("Unknown job %d\n", job);
565                 apppbx->e_crypt_keyengine_return = -1;
566         }
567
568         done:
569         PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "child process done after using libcrypto with return value %d\n", apppbx->e_crypt_keyengine_return);
570
571         /* exit process */
572         apppbx->ea_endpoint->ep_use--;
573         FREE(args, sizeof(struct auth_args));
574         amemuse--;
575         return(NULL);
576 }
577
578 void EndpointAppPBX::cryptman_keyengine(int job)
579 {
580         struct auth_args *arg;
581         pthread_t tid;
582
583         if (e_crypt_keyengine_busy)
584         {
585                 e_crypt_keyengine_return = -1;
586                 PERROR("engine currently busy.\n");
587                 return;
588         }
589
590         arg = (struct auth_args *)MALLOC(sizeof(struct auth_args));
591         arg->apppbx = this;
592         arg->job = job;
593         e_crypt_keyengine_return = 0;
594         e_crypt_keyengine_busy = job;
595
596         ea_endpoint->ep_use++;
597         if ((pthread_create(&tid, NULL, keyengine_child, arg)<0))
598         {
599                 ea_endpoint->ep_use--;
600                 PERROR("failed to create keyengine-thread.\n");
601                 e_crypt_keyengine_return = -1;
602                 return;
603         }
604         amemuse++;
605
606         PDEBUG((DEBUG_EPOINT | DEBUG_CRYPT), "send_mail(%d): child process created for doing crypto stuff\n", ea_endpoint->ep_serial);
607
608 }
609
610
611 /* handler for authentication (called by apppbx's handler)
612  */
613 void EndpointAppPBX::cryptman_handler(void)
614 {
615         if (e_crypt_keyengine_busy)
616         {
617                 if (e_crypt_keyengine_return < 0)
618                 {
619                         e_crypt_keyengine_busy = 0;
620                         cryptman_message(CK_ERROR_IND, NULL, 0);
621                 } else
622                 if (e_crypt_keyengine_return > 0)
623                 {
624                         switch(e_crypt_keyengine_busy)
625                         {
626                                 case CK_GENRSA_REQ:
627                                 e_crypt_keyengine_busy = 0;
628                                 cryptman_message(CK_GENRSA_CONF, NULL, 0);
629                                 break;
630                                 case CK_CPTRSA_REQ:
631                                 e_crypt_keyengine_busy = 0;
632                                 cryptman_message(CK_CPTRSA_CONF, NULL, 0);
633                                 break;
634                                 case CK_DECRSA_REQ:
635                                 e_crypt_keyengine_busy = 0;
636                                 cryptman_message(CK_DECRSA_CONF, NULL, 0);
637                                 break;
638                         }
639                 }
640         }
641
642         /* check for event, make next event */
643         if (e_crypt_timeout_sec) if (e_crypt_timeout_sec<now_tv.tv_sec || (e_crypt_timeout_sec==now_tv.tv_sec && e_crypt_timeout_usec<now_tv.tv_usec))
644         {
645                 e_crypt_timeout_sec = 0;
646                 e_crypt_timeout_usec = 0;
647                 cryptman_message(CT_TIMEOUT, NULL, 0);
648         }
649 }
650
651
652 /*
653  * process message to the crypt manager
654  */
655 /* remote peer sends ident request */
656 void EndpointAppPBX::cr_ident(int message, unsigned char *param, int len)
657 {
658         unsigned char buf[4], *p;
659         unsigned long bogomips = 0, ran;
660         int l;
661
662         l = CM_SIZEOFINF(CM_INFO_RANDOM);
663         if (l != 4)
664         {
665                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) missing (or corrupt) random number, ignoring (len = %d)\n", ea_endpoint->ep_serial, l);
666                 return;
667         }
668         p = CM_GETINF(CM_INFO_RANDOM, buf);
669         ran = (p[0]<<24) + (p[1]<<16) + (p[2]<<8) + p[3];
670         l = CM_SIZEOFINF(CM_INFO_BOGOMIPS);
671         if (l != 4)
672         {
673                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) missing (or corrupt) random bogomips, just comparing random (len = %d)\n", ea_endpoint->ep_serial, l);
674                 goto compare_random;
675         }
676         p = CM_GETINF(CM_INFO_BOGOMIPS, buf);
677         bogomips = (p[0]<<24) + (p[1]<<16) + (p[2]<<8) + p[3];
678         if (e_crypt_bogomips > bogomips)
679         {
680                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is faster, so we are master (%d > %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
681                 cr_master(message, NULL, 0);
682                 return;
683         }
684         if (e_crypt_bogomips < bogomips)
685         {
686                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is slower, so we are slave (%d < %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
687                 cr_slave(message, NULL, 0);
688                 return;
689         }
690         PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our cpu is equal speed, so we check for random value (%d == %d)\n", ea_endpoint->ep_serial, e_crypt_bogomips, bogomips);
691         compare_random:
692         /* bogomips are equal, so we compare */
693         if (e_crypt_random > ran)
694         {
695                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our random value is greater, so we are master (%d > %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
696                 cr_master(message, NULL, 0);
697                 return;
698         }
699         if (e_crypt_random < ran)
700         {
701                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) our random value is smaller, so we are slave (%d < %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
702                 cr_slave(message, NULL, 0);
703                 return;
704         }
705         PDEBUG(DEBUG_CRYPT, "EPOINT(%d) random values are equal, so we are looped (%d == %d)\n", ea_endpoint->ep_serial, e_crypt_random, ran);
706         cr_looped(message, NULL, 0);
707 }
708
709 /* key-exchange activation by the user */
710 void EndpointAppPBX::cr_activate(int message, unsigned char *param, int len)
711 {
712         unsigned char buf[128] = "";
713         unsigned char msg;
714         unsigned char bogomips[4], ran[4];
715
716         /* activate listener */
717         cryptman_msg2crengine(CR_LISTEN_REQ, NULL, 0);
718         /* send ident message */
719         msg = CMSG_IDENT;
720         CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
721         /* random number element */
722         srandom(now_tv.tv_sec ^ now_tv.tv_usec ^ random());
723         e_crypt_random = random();
724         ran[0] = e_crypt_random >> 24;
725         ran[1] = e_crypt_random >> 16;
726         ran[2] = e_crypt_random >> 8;
727         ran[3] = e_crypt_random;
728         CM_ADDINF(CM_INFO_RANDOM, 4, ran);
729         /* cpu speed element */
730         e_crypt_bogomips = get_bogomips();
731         if (e_crypt_bogomips > 0)
732         {
733                 bogomips[0] = e_crypt_bogomips >> 24;
734                 bogomips[1] = e_crypt_bogomips >> 16;
735                 bogomips[2] = e_crypt_bogomips >> 8;
736                 bogomips[3] = e_crypt_bogomips;
737                 CM_ADDINF(CM_INFO_BOGOMIPS, 4, bogomips);
738         }
739         /* send ident message */
740         cryptman_msg2peer(buf);
741         /* change state */
742         cryptman_state(CM_ST_IDENT);
743         /* set timeout */
744         cryptman_timeout(CM_TO_IDENT);
745 }
746
747 /* deactivation by the user */
748 void EndpointAppPBX::cr_deactivate(int message, unsigned char *param, int len)
749 {
750         unsigned char buf[128] = "";
751         unsigned char msg;
752
753         /* deactivate listener (if not already) */
754         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
755         /* message */
756         msg = CMSG_ABORT;
757         CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
758         cryptman_msg2peer(buf);
759         /* deactivate encryption */
760         cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
761         /* change state */
762         cryptman_state(CM_ST_NULL);
763         /* send message to user */
764         cryptman_msg2user(CU_DACT_CONF, "Deactivated");
765 }
766
767 /* remote peer tells us to be master */
768 void EndpointAppPBX::cr_master(int message, unsigned char *param, int len)
769 {
770         unsigned char buf[128] = "";
771         unsigned char msg;
772
773         /* change to master state */
774         cryptman_state(CM_ST_KEYGEN);
775         if (message == CP_IDENT)
776         {
777                 /* send you-are-slave-message */
778                 msg = CMSG_SLAVE;
779                 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
780                 cryptman_msg2peer(buf);
781         }
782         /* start generation of key */
783         cryptman_keyengine(CK_GENRSA_REQ);
784         /* disable timeout */
785         cryptman_timeout(0);
786         /* send message to user */
787         cryptman_msg2user(CU_INFO_IND, "Master");
788 }
789
790 /* remote peer tells us to be slave */
791 void EndpointAppPBX::cr_slave(int message, unsigned char *param, int len)
792 {
793         unsigned char buf[128] = "";
794         unsigned char msg;
795
796         /* change to slave state */
797         cryptman_state(CM_ST_KEYWAIT);
798         if (message == CP_IDENT)
799         {
800                 /* send you-are-slave-message */
801                 msg = CMSG_MASTER;
802                 /* message */
803                 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
804                 cryptman_msg2peer(buf);
805         }
806         /* set timeout */
807         cryptman_timeout(CM_TO_PUBKEY);
808         /* send message to user */
809         cryptman_msg2user(CU_INFO_IND, "Slave");
810 }
811
812 /* remote peer tells us about loop */
813 void EndpointAppPBX::cr_looped(int message, unsigned char *param, int len)
814 {
815         unsigned char buf[128] = "";
816         unsigned char msg;
817
818         /* change to idle state */
819         cryptman_state(CM_ST_NULL);
820         /* deactivate listener */
821         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
822         if (message == CP_IDENT)
823         {
824                 /* send looped */
825                 msg = CMSG_LOOPED;
826                 /* message */
827                 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
828                 cryptman_msg2peer(buf);
829         }
830         /* disable timeout */
831         cryptman_timeout(0);
832         /* send message to user */
833         cryptman_msg2user(CU_ERROR_IND, "Loop Detected");
834 }
835
836 /* abort */
837 void EndpointAppPBX::cr_abort(int message, unsigned char *param, int len)
838 {
839         /* if already encrypting */
840         if (e_crypt_state==CM_ST_WAIT_CRYPT
841          || e_crypt_state==CM_ST_SWAIT
842          || e_crypt_state==CM_ST_ACTIVE)
843         {
844                 /* deactivate blowfish */
845                 cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
846         }
847         /* change to idle state */
848         cryptman_state(CM_ST_NULL);
849         /* deactivate listener */
850         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
851         /* disable timeout */
852         cryptman_timeout(0);
853         /* send message to user */
854         if (message == CT_TIMEOUT)
855                 cryptman_msg2user(CU_ERROR_IND, "Timeout");
856         else if (message == CP_ABORT)
857                 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
858         else
859                 cryptman_msg2user(CU_DACT_IND, NULL);
860 }
861
862 /* abort but wait for engine to release*/
863 void EndpointAppPBX::cr_abort_engine(int message, unsigned char *param, int len)
864 {
865         /* change to release state */
866         cryptman_state(CM_ST_RELEASE);
867         /* deactivate listener */
868         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
869         /* disable timeout */
870         cryptman_timeout(0);
871         /* send message to user */
872         if (message == CT_TIMEOUT)
873                 cryptman_msg2user(CU_ERROR_IND, "Timeout");
874         else if (message == CP_ABORT)
875                 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
876         else
877                 cryptman_msg2user(CU_DACT_IND, NULL);
878 }
879
880 /* abort and disable crypt engine */
881 void EndpointAppPBX::cr_abort_wait(int message, unsigned char *param, int len)
882 {
883         /* change to idle state */
884         cryptman_state(CM_ST_NULL);
885         /* deactivate listener (if not already) */
886         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
887         /* deactivate blowfish */
888         cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
889         /* disable timeout */
890         cryptman_timeout(0);
891         /* send message to user */
892         if (message == CT_TIMEOUT)
893                 cryptman_msg2user(CU_ERROR_IND, "Timeout");
894         else if (message == CP_ABORT)
895                 cryptman_msg2user(CU_ERROR_IND, "Remote Abort");
896         else
897                 cryptman_msg2user(CU_DACT_IND, NULL);
898 }
899
900 /* key engine tells us that the rsa is ready */
901 void EndpointAppPBX::cr_genrsa(int message, unsigned char *param, int len)
902 {
903         unsigned char buf[1024] = "";
904         unsigned char msg;
905
906         /* change to wait for crypted session key state */
907         cryptman_state(CM_ST_CSWAIT);
908         /* message */
909         msg = CMSG_PUBKEY;
910         CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
911         CM_ADDINF(CM_INFO_PUBKEY, e_crypt_rsa_n_len, &e_crypt_rsa_n);
912         CM_ADDINF(CM_INFO_PUBEXPONENT, e_crypt_rsa_e_len, &e_crypt_rsa_e);
913         cryptman_msg2peer(buf);
914         /* set timeout */
915         cryptman_timeout(CM_TO_CSKEY);
916 }
917
918 /* our engine has a key error */
919 void EndpointAppPBX::cr_keyerror(int message, unsigned char *param, int len)
920 {
921         unsigned char buf[128] = "";
922         unsigned char msg;
923
924         /* change to idle state */
925         cryptman_state(CM_ST_NULL);
926         /* deactivate listener */
927         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
928         /* message */
929         msg = CMSG_ABORT;
930         CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
931         cryptman_msg2peer(buf);
932         /* send message to user */
933         cryptman_msg2user(CU_ERROR_IND, "Local Key Error");
934 }
935
936 /* remote sends us the rsa public key */
937 void EndpointAppPBX::cr_pubkey(int message, unsigned char *param, int len)
938 {
939         unsigned char buf[128] = "";
940         unsigned char msg = CMSG_ABORT;
941         int l;
942
943         l = CM_SIZEOFINF(CM_INFO_PUBKEY);
944         if (l<1 || l>(int)sizeof(e_crypt_rsa_n))
945         {
946                 size_error:
947                 /* change to idle state */
948                 cryptman_state(CM_ST_NULL);
949                 /* deactivate listener */
950                 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
951                 /* message */
952                 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
953                 cryptman_msg2peer(buf);
954                 /* send message to user */
955                 cryptman_msg2user(CU_ERROR_IND, "Remote Key Error");
956                 return;
957         }
958         CM_GETINF(CM_INFO_PUBKEY, e_crypt_rsa_n);
959         e_crypt_rsa_n_len = l;
960         l = CM_SIZEOFINF(CM_INFO_PUBEXPONENT);
961         if (l<1 || l>(int)sizeof(e_crypt_rsa_e))
962                 goto size_error;
963         CM_GETINF(CM_INFO_PUBEXPONENT, e_crypt_rsa_e);
964         e_crypt_rsa_e_len = l;
965         /* change to generating encrypted sessnion key state */
966         cryptman_state(CM_ST_CSKEY);
967         /* start generation of crypted session key */
968         cryptman_keyengine(CK_CPTRSA_REQ);
969         /* disable timeout */
970         cryptman_timeout(0);
971 }
972
973 /* key engine tells us that the crypted session key is ready */
974 void EndpointAppPBX::cr_cptrsa(int message, unsigned char *param, int len)
975 {
976         unsigned char buf[1024] = "";
977         unsigned char msg = CMSG_CSKEY;
978
979         /* change to wait for crypt engine state */
980         cryptman_state(CM_ST_WAIT_DELAY);
981         /* message */
982         CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
983         CM_ADDINF(CM_INFO_CSKEY, e_crypt_ckey_len, &e_crypt_ckey);
984         cryptman_msg2peer(buf);
985         /* deactivate listener */
986         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
987         /* timeout 1 sec */
988         cryptman_timeout(1);
989 }
990
991 /* now we waited for the remote to receive and decrypt the session key */
992 void EndpointAppPBX::cr_waitdelay(int message, unsigned char *param, int len)
993 {
994         /* change to wait for crypt engine state */
995         cryptman_state(CM_ST_WAIT_CRYPT);
996         /* disable timeout */
997         cryptman_timeout(0);
998         /* send message to crypt engine */
999         cryptman_msg2crengine(CC_ACTBF_REQ, e_crypt_key, e_crypt_key_len);
1000 }
1001
1002 /* remote sends us the crypted session key */
1003 void EndpointAppPBX::cr_cskey(int message, unsigned char *param, int len)
1004 {
1005         unsigned char buf[128] = "";
1006         unsigned char msg = CMSG_ABORT;
1007         int l;
1008
1009         /* disable timeout */
1010         cryptman_timeout(0);
1011         l = CM_SIZEOFINF(CM_INFO_CSKEY);
1012         if (l<1 || l>(int)sizeof(e_crypt_ckey))
1013         {
1014                 /* change to idle state */
1015                 cryptman_state(CM_ST_NULL);
1016                 /* deactivate listener */
1017                 cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1018                 /* message */
1019                 CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
1020                 cryptman_msg2peer(buf);
1021                 /* send message to user */
1022                 cryptman_msg2user(CU_ERROR_IND, "Remote Key Error");
1023                 return;
1024         }
1025         CM_GETINF(CM_INFO_CSKEY, e_crypt_ckey);
1026         e_crypt_ckey_len = l;
1027         /* change to generating decrypted session key state */
1028         cryptman_state(CM_ST_SESSION);
1029         /* start generation of decrypted session key */
1030         cryptman_keyengine(CK_DECRSA_REQ);
1031 }
1032
1033 /* key engine tells us that the decrypted session key is ready */
1034 void EndpointAppPBX::cr_decrsa(int message, unsigned char *param, int len)
1035 {
1036         /* change to wait for crypt engine state */
1037         cryptman_state(CM_ST_WAIT_CRYPT);
1038         /* deactivate listener */
1039         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1040         /* send message to crypt engine */
1041         cryptman_msg2crengine(CC_ACTBF_REQ, e_crypt_key, e_crypt_key_len);
1042 }
1043
1044 /* blowfish now active */
1045 void EndpointAppPBX::cr_bfactive(int message, unsigned char *param, int len)
1046 {
1047         char text[64];
1048
1049         /* change to active state */
1050         cryptman_state(CM_ST_ACTIVE);
1051         /* send message to user */
1052         SPRINT(text, "PUB %02x%02x %02x%02x %02x%02x %02x%02x", e_crypt_key[0], e_crypt_key[1], e_crypt_key[2], e_crypt_key[3], e_crypt_key[4], e_crypt_key[5], e_crypt_key[6], e_crypt_key[7]);
1053         cryptman_msg2user(CU_ACTK_CONF, text);
1054 }
1055
1056 /* our crypt engine sends an error */
1057 void EndpointAppPBX::cr_crypterror(int message, unsigned char *param, int len)
1058 {
1059         unsigned char buf[128] = "";
1060         unsigned char msg = CMSG_ABORT;
1061
1062         /* change to idle state */
1063         cryptman_state(CM_ST_NULL);
1064         /* deactivate listener */
1065         cryptman_msg2crengine(CR_UNLISTEN_REQ, NULL, 0);
1066         /* message */
1067         CM_ADDINF(CM_INFO_MESSAGE, 1, &msg);
1068         cryptman_msg2peer(buf);
1069         /* send message to user */
1070         cryptman_msg2user(CU_ERROR_IND, "Blowfish Error");
1071 }
1072
1073 /* engine is done, now we are done with release */
1074 void EndpointAppPBX::cr_release(int message, unsigned char *param, int len)
1075 {
1076         /* change to idle state */
1077         cryptman_state(CM_ST_NULL);
1078 }
1079
1080 /* activate using shared key */
1081 void EndpointAppPBX::cr_sactivate(int message, unsigned char *param, int len)
1082 {
1083         /* change to 'wait for crypt engine' state */
1084         cryptman_state(CM_ST_SWAIT);
1085         /* disable timeout */
1086         cryptman_timeout(0);
1087         /* send key to crypt engine */
1088         cryptman_msg2crengine(CC_ACTBF_REQ, param, len);
1089 }
1090
1091 /* share key deactivation by the user */
1092 void EndpointAppPBX::cr_sdeactivate(int message, unsigned char *param, int len)
1093 {
1094         /* deactivate encryption */
1095         cryptman_msg2crengine(CC_DACT_REQ, NULL, 0);
1096         /* change state */
1097         cryptman_state(CM_ST_NULL);
1098         /* send message to user */
1099         cryptman_msg2user(CU_DACT_CONF, NULL);
1100 }
1101
1102 /* shared key abort */
1103 void EndpointAppPBX::cr_sabort(int message, unsigned char *param, int len)
1104 {
1105         /* change to idle state */
1106         cryptman_state(CM_ST_NULL);
1107         /* send message to user */
1108         cryptman_msg2user(CU_DACT_IND, "Deactivated");
1109 }
1110
1111 /* shared key: our crypt engine sends an error */
1112 void EndpointAppPBX::cr_scrypterror(int message, unsigned char *param, int len)
1113 {
1114         /* change to idle state */
1115         cryptman_state(CM_ST_NULL);
1116         /* send message to user */
1117         cryptman_msg2user(CU_ERROR_IND, "Blowfish Error");
1118 }
1119
1120 /* blowfish now active */
1121 void EndpointAppPBX::cr_sbfactive(int message, unsigned char *param, int len)
1122 {
1123         char text[64];
1124
1125         /* change to active state */
1126         cryptman_state(CM_ST_SACTIVE);
1127         /* send message to user */
1128         SPRINT(text, "Call Secure");
1129         cryptman_msg2user(CU_ACTS_CONF, text);
1130 }
1131
1132 /* user requests info */
1133 void EndpointAppPBX::cr_info(int message, unsigned char *param, int len)
1134 {
1135         /* send message to user */
1136         cryptman_msg2user(CU_INFO_CONF, e_crypt_info);
1137 }
1138
1139
1140 CM_MSG_NAMES
1141
1142 void EndpointAppPBX::cryptman_message(int message, unsigned char *param, int len)
1143 {
1144         char *msgtext = "<<UNKNOWN MESSAGE>>";
1145
1146         if (message>=0 && message<cm_msg_num)
1147                 msgtext = cm_msg_name[message];
1148
1149         PDEBUG(DEBUG_CRYPT, "EPOINT(%d) CRYPT MANAGER in state '%s' received message: %s len: %d\n", ea_endpoint->ep_serial, statename(e_crypt_state), msgtext, len);
1150
1151         /* all states */
1152         if (message == CU_INFO_REQ)
1153                 { cr_info(message, param, len); return; }
1154
1155         switch(e_crypt_state)
1156         {
1157                 /* in idle state */
1158                 case CM_ST_NULL:
1159                 if (message == CU_ACTK_REQ) /* request key-exchange encryption */
1160                         { cr_activate(message, param, len); return; }
1161                 if (message == CU_ACTS_REQ) /* request shared encryption */
1162                         { cr_sactivate(message, param, len); return; }
1163                 break;
1164
1165                 /* identifying state */
1166                 case CM_ST_IDENT:
1167                 if (message == CP_IDENT) /* request encryption */
1168                         { cr_ident(message, param, len); return; }
1169                 if (message == CP_SLAVE) /* we are slave */
1170                         { cr_slave(message, param, len); return; }
1171                 if (message == CP_MASTER) /* we are master */
1172                         { cr_master(message, param, len); return; }
1173                 if (message == CP_LOOPED) /* we are looped */
1174                         { cr_looped(message, param, len); return; }
1175                 if (message == CI_DISCONNECT_IND /* request aborting */
1176                  || message == CT_TIMEOUT /* timeout */
1177                  || message == CP_ABORT) /* request aborting */
1178                         { cr_abort(message, param, len); return; }
1179                 break;
1180
1181                 /* generating public key state */
1182                 case CM_ST_KEYGEN:
1183                 if (message == CK_GENRSA_CONF) /* public key is done */
1184                         { cr_genrsa(message, param, len); return; }
1185                 if (message == CK_ERROR_IND) /* key failed */
1186                         { cr_keyerror(message, param, len); return; }
1187                 if (message == CI_DISCONNECT_IND /* request aborting */
1188                  || message == CP_ABORT) /* request aborting */
1189                         { cr_abort_engine(message, param, len); return; }
1190                 break;
1191
1192                 /* waiting for public key state */
1193                 case CM_ST_KEYWAIT:
1194                 if (message == CP_PUBKEY) /* getting public key from remote */
1195                         { cr_pubkey(message, param, len); return; }
1196                 if (message == CI_DISCONNECT_IND /* request aborting */
1197                  || message == CT_TIMEOUT /* timeout */
1198                  || message == CP_ABORT) /* request aborting */
1199                         { cr_abort(message, param, len); return; }
1200                 break;
1201
1202                 /* generating crypted session key state */
1203                 case CM_ST_CSKEY:
1204                 if (message == CK_CPTRSA_CONF) /* crypted session key is done */
1205                         { cr_cptrsa(message, param, len); return; }
1206                 if (message == CK_ERROR_IND) /* key failed */
1207                         { cr_keyerror(message, param, len); return; }
1208                 if (message == CI_DISCONNECT_IND /* request aborting */
1209                  || message == CP_ABORT) /* request aborting */
1210                         { cr_abort_engine(message, param, len); return; }
1211                 break;
1212
1213                 /* waiting for crypted session key state */
1214                 case CM_ST_CSWAIT:
1215                 if (message == CP_CSKEY) /* getting crypted session key from remote */
1216                         { cr_cskey(message, param, len); return; }
1217                 if (message == CI_DISCONNECT_IND /* request aborting */
1218                  || message == CT_TIMEOUT /* timeout */
1219                  || message == CP_ABORT) /* request aborting */
1220                         { cr_abort(message, param, len); return; }
1221                 break;
1222
1223                 /* generating decrypted session key state */
1224                 case CM_ST_SESSION:
1225                 if (message == CK_DECRSA_CONF) /* decrypted is done */
1226                         { cr_decrsa(message, param, len); return; }
1227                 if (message == CK_ERROR_IND) /* key failed */
1228                         { cr_keyerror(message, param, len); return; }
1229                 if (message == CI_DISCONNECT_IND /* request aborting */
1230                  || message == CP_ABORT) /* request aborting */
1231                         { cr_abort_engine(message, param, len); return; }
1232                 break;
1233
1234                 /* wait encryption on state */
1235                 case CM_ST_WAIT_DELAY:
1236                 if (message == CT_TIMEOUT) /* timeout of delay */
1237                         { cr_waitdelay(message, param, len); return; }
1238                 if (message == CC_ERROR_IND) /* encrpytion error */
1239                         { cr_crypterror(message, param, len); return; }
1240                 if (message == CI_DISCONNECT_IND /* request aborting */
1241                  || message == CP_ABORT) /* request aborting */
1242                         { cr_abort_wait(message, param, len); return; }
1243                 break;
1244
1245                 /* wait encryption on state */
1246                 case CM_ST_WAIT_CRYPT:
1247                 if (message == CC_ACTBF_CONF) /* encrpytion active */
1248                         { cr_bfactive(message, param, len); return; }
1249                 if (message == CC_ERROR_IND) /* encrpytion error */
1250                         { cr_crypterror(message, param, len); return; }
1251                 if (message == CI_DISCONNECT_IND /* request aborting */
1252                  || message == CP_ABORT) /* request aborting */
1253                         { cr_abort_wait(message, param, len); return; }
1254                 break;
1255
1256                 /* active state */
1257                 case CM_ST_ACTIVE:
1258                 if (message == CU_DACT_REQ) /* deactivating encryption */
1259                         { cr_deactivate(message, param, len); return; }
1260                 if (message == CI_DISCONNECT_IND /* request aborting */
1261                  || message == CP_ABORT) /* request aborting */
1262                         { cr_abort(message, param, len); return; }
1263                 break;
1264
1265
1266                 /* engine done after abort state */
1267                 case CM_ST_RELEASE:
1268                 if (message == CK_GENRSA_CONF /* engine done */
1269                  || message == CK_CPTRSA_CONF /* engine done */
1270                  || message == CK_DECRSA_CONF /* engine done */
1271                  || message == CK_ERROR_IND) /* engine error */
1272                         { cr_release(message, param, len); return; }
1273                 break;
1274
1275                 /* shared active state */
1276                 case CM_ST_SACTIVE:
1277                 if (message == CU_DACT_REQ) /* deactivating encryption */
1278                         { cr_sdeactivate(message, param, len); return; }
1279                 if (message == CI_DISCONNECT_IND) /* request aborting */
1280                         { cr_sabort(message, param, len); return; }
1281                 break;
1282
1283                 /* wait shared encryption on state */
1284                 case CM_ST_SWAIT:
1285                 if (message == CC_ACTBF_CONF) /* encrpytion active */
1286                         { cr_sbfactive(message, param, len); return; }
1287                 if (message == CC_ERROR_IND) /* encrpytion error */
1288                         { cr_scrypterror(message, param, len); return; }
1289                 if (message == CI_DISCONNECT_IND) /* request aborting */
1290                         { cr_sabort(message, param, len); return; }
1291                 break;
1292
1293         }
1294
1295         PDEBUG(DEBUG_CRYPT, "message not handled in state %d\n", e_crypt_state);
1296 }
1297
1298
1299 /*
1300  * analyze the message element within the received message from peer and call 'cryptman_message'
1301  */
1302 void EndpointAppPBX::cryptman_msg2man(unsigned char *param, int len)
1303 {
1304         unsigned char *p;
1305         unsigned char msg;
1306         int i, l;
1307
1308         /* check if frame is correct */
1309         PDEBUG(DEBUG_CRYPT, "EPOINT(%d) message from peer to crypt_manager.\n", ea_endpoint->ep_serial);
1310         if (len == 0)
1311         {
1312                 PDEBUG(DEBUG_CRYPT, "ignoring message with 0-length.\n");
1313                 return;
1314         }
1315         i = 0;
1316         p = param;
1317         while(*p)
1318         {
1319                 if (i == len)
1320                 {
1321                         PDEBUG(DEBUG_CRYPT, "end of message without 0-termination.\n");
1322                         return;
1323                 }
1324                 if (i+3 > len)
1325                 {
1326                         PDEBUG(DEBUG_CRYPT, "message with element size, outside the frame length.\n");
1327                         return;
1328                 }
1329                 l = (p[1]<<8) + p[2];
1330 //              PDEBUG(DEBUG_CRYPT, "   inf %d (len = %d)\n", *p, l);
1331                 if (i+3+l > len)
1332                 {
1333                         PDEBUG(DEBUG_CRYPT, "message with element data, outside the frame length.\n");
1334                         return;
1335                 }
1336                 i += l + 3;
1337                 p += l + 3;
1338         }
1339         if (i+1 != len)
1340         {
1341                 PDEBUG(DEBUG_CRYPT, "warning: received null-element before end of frame.\n");
1342         }
1343
1344         l = CM_SIZEOFINF(CM_INFO_MESSAGE);
1345         if (l != 1)
1346         {
1347                 PDEBUG(DEBUG_CRYPT, "received message without (valid) message element (len = %d)\n", len);
1348                 return;
1349         }
1350         CM_GETINF(CM_INFO_MESSAGE, &msg);
1351         switch (msg)
1352         {
1353                 case CMSG_IDENT:
1354                 cryptman_message(CP_IDENT, param, len);
1355                 break;
1356                 case CMSG_SLAVE:
1357                 cryptman_message(CP_SLAVE, param, len);
1358                 break;
1359                 case CMSG_MASTER:
1360                 cryptman_message(CP_MASTER, param, len);
1361                 break;
1362                 case CMSG_PUBKEY:
1363                 cryptman_message(CP_PUBKEY, param, len);
1364                 break;
1365                 case CMSG_CSKEY:
1366                 cryptman_message(CP_CSKEY, param, len);
1367                 break;
1368                 case CMSG_ABORT:
1369                 cryptman_message(CP_ABORT, param, len);
1370                 break;
1371                 default:
1372                 PDEBUG(DEBUG_CRYPT, "received unknown message element %d\n", msg);
1373         }
1374 }
1375
1376 /* add information element to buffer
1377  */
1378 void EndpointAppPBX::cryptman_addinf(unsigned char *buf, int buf_size, int element, int len, void *data)
1379 {
1380         int l;
1381
1382         /* skip what we already have in the buffer */
1383         while (buf[0])
1384         {
1385                 l = (buf[1]<<8) + buf[2];
1386                 if (l >= buf_size-3)
1387                 {
1388                         PERROR("EPOINT(%d) buffer overflow while adding information to peer message.\n", ea_endpoint->ep_serial);
1389                         return;
1390                 }
1391                 buf_size -= l + 3;
1392                 buf += l + 3;
1393         }
1394         /* check if we have not enough space to add element including id, len, data, and the null-termination */
1395         if (len+4 > buf_size)
1396         {
1397                 PERROR("EPOINT(%d) cannot add element to message, because buffer would overflow.\n", ea_endpoint->ep_serial);
1398                 return;
1399         }
1400         buf[0] = element;
1401         buf[1] = len >> 8;
1402         buf[2] = len;
1403         memcpy(buf+3, data, len);
1404 }
1405
1406
1407 /* get size of element in buffer
1408  */
1409 int EndpointAppPBX::cryptman_sizeofinf(unsigned char *buf, int element)
1410 {
1411         int l;
1412
1413         /* skip what we already have in the buffer */
1414         while (buf[0])
1415         {
1416                 l = (buf[1]<<8) + buf[2];
1417                 if (buf[0] == element)
1418                         return(l);
1419                 buf += l + 3;
1420         }
1421         return(-1);
1422 }
1423
1424
1425 /* get information element from buffer
1426  */
1427 unsigned char *EndpointAppPBX::cryptman_getinf(unsigned char *buf, int element, unsigned char *to)
1428 {
1429         int l;
1430
1431         /* skip what we already have in the buffer */
1432         while (buf[0])
1433         {
1434                 l = (buf[1]<<8) + buf[2];
1435                 if (buf[0] == element)
1436                 {
1437                         memcpy(to, buf+3, l);
1438                         return(to);
1439                 }
1440                 buf += l + 3;
1441         }
1442         return(NULL);
1443 }
1444
1445
1446 /* send message to peer
1447  */
1448 void EndpointAppPBX::cryptman_msg2peer(unsigned char *buf)
1449 {
1450         struct lcr_msg *message;
1451         unsigned char *p = buf;
1452         int len = 0;
1453         int l;
1454
1455         /* get len */
1456         while(p[0])
1457         {
1458                 l = (p[1]<<8) + p[2];
1459                 len += l + 3;
1460                 p += l + 3;
1461         }
1462         if (len+1 > (int)sizeof(message->param.crypt.data))
1463         {
1464                 PERROR("EPOINT(%d) message larger than allowed in param->crypt.data.\n", ea_endpoint->ep_serial);
1465                 return;
1466         }
1467         /* send message */
1468         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_CRYPT);
1469         message->param.crypt.type = CR_MESSAGE_REQ;
1470         message->param.crypt.len = len+1;
1471         memcpy(message->param.crypt.data, buf, len+1);
1472         message_put(message);
1473
1474         if (options.deb & DEBUG_CRYPT)
1475         {
1476                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message\n", ea_endpoint->ep_serial);
1477                 p = buf;
1478                 while(p[0])
1479                 {
1480                         l = (p[1]<<8) + p[2];
1481                         PDEBUG(DEBUG_CRYPT, "   inf %d (len = %d)\n", p[0], l);
1482                         len += l + 3;
1483                         p += l + 3;
1484                 }
1485         }
1486 }
1487
1488 /* send message to crypt engine
1489  */
1490 void EndpointAppPBX::cryptman_msg2crengine(int msg, unsigned char *buf, int len)
1491 {
1492         struct lcr_msg *message;
1493
1494         if (len > (int)sizeof(message->param.crypt.data))
1495         {
1496                 PERROR("EPOINT(%d) message larger than allowed in param->crypt.data.\n", ea_endpoint->ep_serial);
1497                 return;
1498         }
1499         /* send message */
1500         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_CRYPT);
1501         message->param.crypt.type = msg;
1502         message->param.crypt.len = len;
1503         if (len)
1504                 memcpy(message->param.crypt.data, buf, len);
1505         message_put(message);
1506
1507         if (options.deb & DEBUG_CRYPT)
1508         {
1509                 char *msgtext = "<<UNKNOWN MESSAGE>>";
1510
1511                 if (msg>=0 && msg<cm_msg_num)
1512                         msgtext = cm_msg_name[msg];
1513                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message '%s' (len = %d)\n", ea_endpoint->ep_serial, msgtext, len);
1514         }
1515 }
1516
1517 /* send message to user
1518  */
1519 void EndpointAppPBX::cryptman_msg2user(int msg, char *text)
1520 {
1521         struct lcr_msg *message;
1522         /* send message */
1523         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1524         message->param.crypt.type = msg;
1525         if (!text)
1526                 text = "";
1527         SCPY(e_crypt_info, text);
1528         if (text[0])
1529         {
1530                 UNCPY((char *)message->param.crypt.data, e_crypt_info, sizeof(message->param.crypt.data)-1);
1531                 message->param.crypt.len = strlen((char *)message->param.crypt.data)+1;
1532         }
1533         message_put(message);
1534
1535         if (options.deb & DEBUG_CRYPT)
1536         {
1537                 char *msgtext = "<<UNKNOWN MESSAGE>>";
1538
1539                 if (msg>=0 && msg<cm_msg_num)
1540                         msgtext = cm_msg_name[msg];
1541                 PDEBUG(DEBUG_CRYPT, "EPOINT(%d) sending message '%s' (text = %s)\n", ea_endpoint->ep_serial, msgtext, text?text:"");
1542         }
1543 }
1544
1545 /* change state
1546  */
1547 void EndpointAppPBX::cryptman_state(int state)
1548 {
1549         PDEBUG(DEBUG_CRYPT, "Changing state from %s to %s\n", statename(e_crypt_state), statename(state));
1550         e_crypt_state = state;
1551 }
1552
1553
1554 /* set timeout
1555  */
1556 void EndpointAppPBX::cryptman_timeout(int secs)
1557 {
1558         if (secs)
1559         {
1560                 e_crypt_timeout_sec = now_tv.tv_sec+secs;
1561                 e_crypt_timeout_usec = now_tv.tv_usec;
1562                 PDEBUG(DEBUG_CRYPT, "Changing timeout to %d seconds\n", secs);
1563         } else
1564         {
1565                 e_crypt_timeout_sec = 0;
1566                 e_crypt_timeout_usec = 0;
1567                 PDEBUG(DEBUG_CRYPT, "turning timeout off\n", secs);
1568         }
1569 }
1570
1571 /* encode a message to be sent via b-channel
1572  */
1573 int cryptman_encode_bch(unsigned char *data, int len, unsigned char *buf, int buf_len)
1574 {
1575         unsigned long crc;
1576         int overhead = 18;
1577
1578         len--; /* without null-termination */
1579         if (buf_len < len+overhead)
1580         {
1581                 PERROR("frame too long for buffer");
1582                 return(0);
1583         }
1584         PDEBUG(DEBUG_CRYPT, "encoding a block of %d bytes.\n", len);
1585
1586         /* write identification sequence to the header */
1587         UNCPY((char *)buf, "CRYPTMAN" ,8);
1588         buf += 8;
1589         /* length + checksumme */
1590         buf[0] = len >> 8;
1591         buf[1] = len & 0xff;
1592         crc = crc32(buf, 2);
1593         buf += 2;
1594         buf[0] = crc >> 24;
1595         buf[1] = crc >> 16;
1596         buf[2] = crc >> 8;
1597         buf[3] = crc;
1598         buf += 4;
1599         /* data + checksumme */
1600         memcpy(buf, data, len);
1601         crc = crc32(buf, len);
1602         buf += len;
1603         buf[0] = crc >> 24;
1604         buf[1] = crc >> 16;
1605         buf[2] = crc >> 8;
1606         buf[3] = crc;
1607         buf += 4;
1608         return(len + overhead);
1609 }
1610         
1611 /* decode a message from b-channel
1612  */
1613 void PmISDN::cryptman_listen_bch(unsigned char *p, int l)
1614 {
1615         int i;
1616         struct lcr_msg *message;
1617
1618         retry:
1619         if (!l)
1620                 return;
1621
1622         /* check for the keyword */
1623         if (p_m_crypt_listen_state == 0)
1624         {
1625                 while((*p++)!='C' && l)
1626                         l--;
1627                 if (!l)
1628                         return;
1629                 l--;
1630                 p_m_crypt_listen_state++;
1631                 if (!l)
1632                         return;
1633         }
1634         if (p_m_crypt_listen_state < 8)
1635         {
1636                 i = p_m_crypt_listen_state;
1637                 while(i < 8)
1638                 {
1639                         l--;
1640                         if (*p++ != "CRYPTMAN"[i])
1641                         {
1642                                 p_m_crypt_listen_state = 0;
1643                                 goto retry;
1644                         }
1645                         p_m_crypt_listen_state++;
1646                         if (!l)
1647                                 break;
1648                         i++;
1649                 }
1650                 if (!l)
1651                         return;
1652         }
1653         /* high byte of length */
1654         if (p_m_crypt_listen_state == 8)
1655         {
1656                 p_m_crypt_listen_len = (*p++) << 8;
1657                 p_m_crypt_listen_state++;
1658                 if (!(--l))
1659                         return;
1660         }
1661         /* low byte of length */
1662         if (p_m_crypt_listen_state == 9)
1663         {
1664                 p_m_crypt_listen_len += *p++;
1665                 p_m_crypt_listen_state++;
1666                 if (!(--l))
1667                         return;
1668         }
1669         /* crc */
1670         if (p_m_crypt_listen_state == 10)
1671         {
1672                 p_m_crypt_listen_crc = (*p++) << 24;
1673                 p_m_crypt_listen_state++;
1674                 if (!(--l))
1675                         return;
1676         }
1677         if (p_m_crypt_listen_state == 11)
1678         {
1679                 p_m_crypt_listen_crc += (*p++) << 16;
1680                 p_m_crypt_listen_state++;
1681                 if (!(--l))
1682                         return;
1683         }
1684         if (p_m_crypt_listen_state == 12)
1685         {
1686                 p_m_crypt_listen_crc += (*p++) << 8;
1687                 p_m_crypt_listen_state++;
1688                 if (!(--l))
1689                         return;
1690         }
1691         if (p_m_crypt_listen_state == 13)
1692         {
1693                 unsigned char lencheck[2];
1694                 p_m_crypt_listen_crc += *p++;
1695                 /* check for CRC */
1696                 lencheck[0] = p_m_crypt_listen_len >> 8;
1697                 lencheck[1] = p_m_crypt_listen_len & 0xff;
1698                 if (crc32(lencheck, 2) != p_m_crypt_listen_crc)
1699                 {
1700                         PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but checksumme of length is incorrect (must %08x is %08x\n", p_name, p_m_crypt_listen_len, crc32(lencheck, 2), p_m_crypt_listen_crc);
1701                         p_m_crypt_listen_state = 0;
1702                         goto retry;
1703                 }
1704                 if (p_m_crypt_listen_len > (int)sizeof(p_m_crypt_listen_msg))
1705                 {
1706                         PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but too big for buffer (%d bytes)\n", p_name, p_m_crypt_listen_len, sizeof(p_m_crypt_listen_msg));
1707                         p_m_crypt_listen_state = 0;
1708                         goto retry;
1709                 }
1710                 if (!p_m_crypt_listen_len)
1711                 {
1712                         PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of 0 bytes\n", p_name);
1713                         p_m_crypt_listen_state = 0;
1714                         goto retry;
1715                 }
1716                 p_m_crypt_listen_state++;
1717                 if (!(--l))
1718                         return;
1719         }
1720         /* read message */
1721         while (p_m_crypt_listen_state>=14 && p_m_crypt_listen_state<(p_m_crypt_listen_len+14))
1722         {
1723                 p_m_crypt_listen_msg[p_m_crypt_listen_state-14] = *p++;
1724                 p_m_crypt_listen_state++;
1725                 if (!(--l))
1726                         return;
1727         }
1728         /* crc */
1729         if (p_m_crypt_listen_state == 14+p_m_crypt_listen_len)
1730         {
1731                 p_m_crypt_listen_crc = (*p++) << 24;
1732                 p_m_crypt_listen_state++;
1733                 if (!(--l))
1734                         return;
1735         }
1736         if (p_m_crypt_listen_state == 15+p_m_crypt_listen_len)
1737         {
1738                 p_m_crypt_listen_crc += (*p++) << 16;
1739                 p_m_crypt_listen_state++;
1740                 if (!(--l))
1741                         return;
1742         }
1743         if (p_m_crypt_listen_state == 16+p_m_crypt_listen_len)
1744         {
1745                 p_m_crypt_listen_crc += (*p++) << 8;
1746                 p_m_crypt_listen_state++;
1747                 if (!(--l))
1748                         return;
1749         }
1750         if (p_m_crypt_listen_state == 17+p_m_crypt_listen_len)
1751         {
1752                 l--;
1753                 p_m_crypt_listen_crc += *p++;
1754                 /* check for CRC */
1755                 if (crc32(p_m_crypt_listen_msg, p_m_crypt_listen_len) != p_m_crypt_listen_crc)
1756                 {
1757                         PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes, but checksumme of data block is incorrect\n", p_name, p_m_crypt_listen_len);
1758                         p_m_crypt_listen_state = 0;
1759                         if (!l)
1760                                 return;
1761                         goto retry;
1762                 }
1763                 /* now send message */
1764                 p_m_crypt_listen_state = 0;
1765                 PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes sending to crypt manager\n", p_name, p_m_crypt_listen_len);
1766                 if ((int)sizeof(message->param.crypt.data) < p_m_crypt_listen_len+1) /* null-terminated */
1767                 {
1768                         PDEBUG(DEBUG_CRYPT, "PmISDN(%s) received a block of %d bytes that is too large for message buffer\n", p_name, p_m_crypt_listen_len);
1769                         if (!l)
1770                                 return;
1771                         goto retry;
1772                 }
1773                 message = message_create(p_serial, ACTIVE_EPOINT(p_epointlist), PORT_TO_EPOINT, MESSAGE_CRYPT);
1774                 message->param.crypt.type = CR_MESSAGE_IND;
1775                 message->param.crypt.len = p_m_crypt_listen_len+1; /* null termination */
1776                 memcpy(message->param.crypt.data, p_m_crypt_listen_msg, p_m_crypt_listen_len);
1777                 message_put(message);
1778                 p_m_crypt_listen_state = 0;
1779                 if (!l)
1780                         return;
1781                 goto retry;
1782         }
1783 }
1784
1785
1786 /* encrypt call using share secret (keypad function)
1787  */
1788 void EndpointAppPBX::encrypt_shared(void)
1789 {
1790         struct lcr_msg *message;
1791         char *errstr = "";
1792         class Port *port;
1793         int type, key_len;
1794         unsigned char *key;
1795         char *auth_pointer, *crypt_pointer, *key_pointer;
1796         int ret;
1797
1798         /* redisplay current crypt display */
1799         if (e_crypt != CRYPT_OFF)
1800         {
1801                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption in progress, so we request the current message.\n", ea_endpoint->ep_serial);
1802                 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1803                 message->param.crypt.type = CU_INFO_REQ;
1804                 message_put(message);
1805                 return;
1806         }
1807
1808         if (check_external(&errstr, &port))
1809         {
1810                 reject:
1811                 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1812                 SCPY(message->param.notifyinfo.display, errstr);
1813                 message_put(message);
1814                 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1815                 e_tone[0] = '\0';
1816                 return;
1817         }
1818
1819         /* check the key for the call */
1820         if (port->p_type==PORT_TYPE_DSS1_TE_OUT || port->p_type==PORT_TYPE_DSS1_NT_OUT)
1821                 ret = parse_secrets((char *)e_ext.number, (char *)port->p_dialinginfo.id, &auth_pointer, &crypt_pointer, &key_pointer);
1822         else
1823         {
1824                 if (!port->p_callerinfo.id[0])
1825                 {
1826                         PDEBUG(DEBUG_EPOINT, "EPOINT(%d) incoming remote call has no caller ID.\n", ea_endpoint->ep_serial);
1827                         errstr = "No Remote ID";
1828                         goto reject;
1829                 }
1830                 ret = parse_secrets((char *)e_ext.number, (char *)numberrize_callerinfo(port->p_callerinfo.id, port->p_callerinfo.ntype, options.national, options.international), &auth_pointer, &crypt_pointer, &key_pointer);
1831         }
1832         if (!ret)
1833         {
1834                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key was not found.\n", ea_endpoint->ep_serial);
1835                 errstr = "No Key";
1836                 goto reject;
1837         }
1838         key = crypt_key((unsigned char *)key_pointer, &key_len);
1839         if (!key)
1840         {
1841                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key invalid.\n", ea_endpoint->ep_serial);
1842                 errstr = "Invalid Key";
1843                 goto reject;
1844         }
1845         if (key_len > 128)
1846         {
1847                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too long.\n", ea_endpoint->ep_serial);
1848                 errstr = "Key Too Long";
1849                 goto reject;
1850         }
1851         if (!!strcasecmp(auth_pointer, "manual"))
1852         {
1853                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Wrong authentication method.\n", ea_endpoint->ep_serial);
1854                 errstr = "Wrong Auth Type";
1855                 goto reject;
1856         }
1857         if (!strcasecmp(crypt_pointer, "blowfish"))
1858         {
1859                 type = CC_ACTBF_REQ;
1860                 if (key_len < 4)
1861                 {
1862                         PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too short.\n", ea_endpoint->ep_serial);
1863                         errstr = "Key Too Short";
1864                         goto reject;
1865                 }
1866                 if (key_len > 56)
1867                 {
1868                         PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key too long.\n", ea_endpoint->ep_serial);
1869                         errstr = "Key Too Long";
1870                         goto reject;
1871                 }
1872         } else
1873         {
1874                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Wrong crypt method.\n", ea_endpoint->ep_serial);
1875                 errstr = "Wrong Crypt Type";
1876                 goto reject;
1877         }
1878
1879         PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Key is ok, sending activation+key to cryptman.\n", ea_endpoint->ep_serial);
1880         /* setting display message and state */
1881 //      SPRINT(e_crypt_display, "Shared Key");
1882         e_crypt = CRYPT_SWAIT;
1883         /* sending activation */
1884         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1885         message->param.crypt.type = CU_ACTS_REQ;
1886         message->param.crypt.len = key_len;
1887         memcpy(message->param.crypt.data, key, key_len);
1888         message_put(message);
1889 }
1890
1891
1892 /* encrypt call using rsa authentication (keypad function)
1893  */
1894 void EndpointAppPBX::encrypt_keyex(void)
1895 {
1896         struct lcr_msg *message;
1897         char *errstr = "";
1898         class Port *port;
1899
1900         /* redisplay current crypt display */
1901         if (e_crypt != CRYPT_OFF)
1902         {
1903                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption in progress, so we request the current message.\n", ea_endpoint->ep_serial);
1904                 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1905                 message->param.crypt.type = CU_INFO_REQ;
1906                 message_put(message);
1907                 return;
1908         }
1909
1910
1911         if (check_external(&errstr, &port))
1912         {
1913                 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1914                 SCPY(message->param.notifyinfo.display, errstr);
1915                 message_put(message);
1916                 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1917                 e_tone[0] = '\0';
1918                 return;
1919         }
1920
1921 #ifndef CRYPTO
1922         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1923         SCPY(message->param.notifyinfo.display, "Not Compiled");
1924         message_put(message);
1925         set_tone(ea_endpoint->ep_portlist, "crypt_off");
1926         e_tone[0] = '\0';
1927 #else
1928         PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Sending key-exchange activation to cryptman.\n", ea_endpoint->ep_serial);
1929         /* setting display message and state */
1930 //      SPRINT(e_crypt_display, "Key-Exchange");
1931         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1932         SCPY(message->param.notifyinfo.display, "Key-Exchange");
1933         message_put(message);
1934         e_crypt = CRYPT_KWAIT;
1935         /* sending activation */
1936         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1937         message->param.crypt.type = CU_ACTK_REQ;
1938         message_put(message);
1939 #endif /* CRYPTO */
1940 }
1941
1942
1943 /* turn encryption off (keypad function)
1944  */
1945 void EndpointAppPBX::encrypt_off(void)
1946 {
1947         struct lcr_msg *message;
1948
1949         if (e_crypt!=CRYPT_ON && e_crypt!=CRYPT_OFF)
1950         {
1951                 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1952                 SCPY(message->param.notifyinfo.display, "Please Wait");
1953                 message_put(message);
1954                 return;
1955         }
1956         if (e_crypt == CRYPT_OFF)
1957         {
1958                 message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1959                 SCPY(message->param.notifyinfo.display, "No Encryption");
1960                 message_put(message);
1961                 set_tone(ea_endpoint->ep_portlist, "crypt_off");
1962                 e_tone[0] = '\0';
1963                 return;
1964         }
1965
1966         PDEBUG(DEBUG_EPOINT, "EPOINT(%d) Sending deactivation to cryptman.\n", ea_endpoint->ep_serial);
1967         /* setting display message and state */
1968 //      SPRINT(e_crypt_display, "Deactivating");
1969         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1970         SCPY(message->param.notifyinfo.display, "Deactivating");
1971         message_put(message);
1972         e_crypt = CRYPT_RELEASE;
1973         /* sending activation */
1974         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_join_id, EPOINT_TO_JOIN, MESSAGE_CRYPT);
1975         message->param.crypt.type = CU_DACT_REQ;
1976         message_put(message);
1977 }
1978
1979
1980 /* messages from manager to endpoint
1981  */
1982 void EndpointAppPBX::encrypt_result(int msg, char *text)
1983 {
1984         struct lcr_msg *message;
1985
1986         switch(msg)
1987         {
1988                 case CU_ACTK_CONF:
1989                 case CU_ACTS_CONF:
1990                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption now active.\n", ea_endpoint->ep_serial);
1991                 set_tone(ea_endpoint->ep_portlist, "crypt_on");
1992                 e_tone[0] = '\0';
1993                 e_crypt = CRYPT_ON;
1994                 display:
1995                 if (text) if (text[0])
1996                 {
1997                         SCPY(e_crypt_info, text);
1998                         message = message_create(ea_endpoint->ep_serial, ea_endpoint->ep_portlist->port_id, EPOINT_TO_PORT, MESSAGE_NOTIFY);
1999                         SCPY(message->param.notifyinfo.display, e_crypt_info);
2000                         message_put(message);
2001                 }
2002                 break;
2003
2004                 case CU_ERROR_IND:
2005                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption error. (%s)\n", ea_endpoint->ep_serial, text);
2006                 set_tone(ea_endpoint->ep_portlist, "crypt_off");
2007                 e_tone[0] = '\0';
2008                 e_crypt = CRYPT_OFF;
2009                 goto display;
2010                 break;
2011
2012                 case CU_DACT_CONF:
2013                 case CU_DACT_IND:
2014                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) encryption now off. (%s)\n", ea_endpoint->ep_serial, text);
2015                 set_tone(ea_endpoint->ep_portlist, "crypt_off");
2016                 e_tone[0] = '\0';
2017                 e_crypt = CRYPT_OFF;
2018                 goto display;
2019                 break;
2020
2021                 case CU_INFO_CONF:
2022                 case CU_INFO_IND:
2023                 PDEBUG(DEBUG_EPOINT, "EPOINT(%d) information. (%s)\n", ea_endpoint->ep_serial, text);
2024                 goto display;
2025                 break;
2026
2027                 default:
2028                 PERROR("EPOINT(%d) crypt manager sends us an invalid message. (type = %d)\n", ea_endpoint->ep_serial, msg);
2029         }
2030 }
2031
2032