search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Attempt to count descramblers used properly
[oscam.git] / module-scam.c
blob368fab08610c332313343c4ba1255d7b02e0fe46
1 #define MODULE_LOG_PREFIX "scam"
2
3 #include "globals.h"
4 #ifdef MODULE_SCAM
5 #include "oscam-client.h"
6 #include "oscam-ecm.h"
7 #include "oscam-net.h"
8 #include "oscam-string.h"
9 #include "oscam-reader.h"
10 #include "oscam-lock.h"
11 #include "oscam-time.h"
12 #include "oscam-chk.h"
13 #include "cscrypt/des.h"
14
15 struct scam_data
16 {
17 uint8_t enckey[8];
18 uint8_t deckey[8];
19 uint8_t enc_xor_offset;
20 uint8_t dec_xor_offset;
21 uint8_t login_pending;
22 char login_username[64];
23 uint16_t version;
24 };
25
26 static inline void xxor(uint8_t *data, int32_t len, const uint8_t *v1, const uint8_t *v2)
27 {
28 uint32_t i;
29 switch(len)
30 {
31 case 16:
32 for(i = 0; i < 16; ++i)
33 {
34 data[i] = v1[i] ^ v2[i];
35 }
36 break;
37
38 case 8:
39 for(i = 0; i < 8; ++i)
40 {
41 data[i] = v1[i] ^ v2[i];
42 }
43 break;
44
45 case 4:
46 for(i = 0; i < 4; ++i)
47 {
48 data[i] = v1[i] ^ v2[i];
49 }
50 break;
51
52 default:
53 while(len--)
54 {
55 *data++ = *v1++ ^ *v2++;
56 }
57 break;
58 }
59 }
60
61 static void scam_generate_deskey(char *keyString, uint8_t *desKey)
62 {
63 uint8_t iv[8], *tmpKey;
64 int32_t i, passLen, alignedPassLen;
65 uint32_t key_schedule[32];
66
67 memset(iv, 0, 8);
68 memset(desKey, 0, 8);
69
70 passLen = keyString == NULL ? 0 : strlen(keyString);
71 if(passLen > 1024) {
72 passLen = 1024;
73 }
74
75 alignedPassLen = (passLen + 7) & -8;
76 if(alignedPassLen == 0) alignedPassLen = 8;
77
78 if(!cs_malloc(&tmpKey, alignedPassLen))
79 {
80 return;
81 }
82
83 if(passLen == 0)
84 {
85 memset(tmpKey, 0xAA, 8);
86 passLen = 8;
87 }
88 else
89 {
90 memcpy(tmpKey, keyString, passLen);
91 }
92
93 for(i = 0; i < alignedPassLen - passLen; i++)
94 {
95 tmpKey[passLen + i] = (uint8_t)i;
96 }
97
98 xxor(desKey, 8, tmpKey, iv);
99
100 for(i = 0; i < alignedPassLen; i += 8)
101 {
102 des_set_key(&tmpKey[i], key_schedule);
103 des(&tmpKey[i], key_schedule, 1);
104 xxor(desKey, 8, desKey, &tmpKey[i]);
105 }
106
107 NULLFREE(tmpKey);
108 }
109
110 static void scam_encrypt_packet(uint8_t *packet, uint32_t packetLength, uint8_t *key, uint32_t dataLength, uint32_t dataOffset, uint8_t *xorOffset)
111 {
112 uint8_t iv[8];
113 uint32_t i;
114 memset(iv, 0, 8);
115
116 des_cbc_encrypt(packet + dataOffset, iv, key, dataLength);
117
118 for(i = 0; i < packetLength; i++)
119 {
120 key[*xorOffset] ^= packet[i];
121 *xorOffset = (*xorOffset + 1) & 7;
122 }
123 }
124
125 static void scam_decrypt_packet(uint8_t *packet, uint32_t packetLength, uint8_t *key, uint32_t dataLength, uint32_t dataOffset, uint8_t *xorOffset)
126 {
127 uint8_t tmpKey[8], iv[8];
128 uint32_t i;
129 memcpy(tmpKey, key, 8);
130 memset(iv, 0, 8);
131
132 for(i = 0; i < packetLength; i++)
133 {
134 tmpKey[*xorOffset] ^= packet[i];
135 *xorOffset = (*xorOffset + 1) & 7;
136 }
137
138 des_cbc_decrypt(packet + dataOffset, iv, key, dataLength);
139 memcpy(key, tmpKey, 8);
140 }
141
142 static void scam_decode_length(uint8_t *packet, uint32_t *dataLength, uint32_t *dataOffset)
143 {
144 uint32_t i, n;
145
146 if(packet[1] & 0x80)
147 {
148 n = packet[1] & ~0x80;
149 *dataLength = 0;
150
151 for(i = 0; i < n; i++)
152 {
153 *dataLength = (*dataLength << 8) | packet[2 + i];
154 }
155 *dataOffset = 2 + n;
156 }
157 else
158 {
159 *dataLength = packet[1];
160 *dataOffset = 2;
161 }
162 }
163
164 static uint32_t scam_get_length_data_length(uint8_t *packet)
165 {
166 if(packet[1] & 0x80)
167 {
168 return packet[1] & ~0x80;
169 }
170 else
171 {
172 return 1;
173 }
174 }
175
176 static void scam_encode_length(uint32_t len, uint8_t *data, uint8_t *dataLen)
177 {
178 if(len < 128)
179 {
180 data[0] = (uint8_t)len;
181 *dataLen = 1;
182 }
183 else if(len < 256)
184 {
185 data[0] = 0x81;
186 data[1] = (uint8_t)len;
187 *dataLen = 2;
188 }
189 else if(len < 65536)
190 {
191 data[0] = 0x82;
192 data[1] = (uint8_t)(len >> 8);
193 data[2] = (uint8_t)(len & 0xFF);
194 *dataLen = 3;
195 }
196 else if(len < 16777216)
197 {
198 data[0] = 0x83;
199 data[1] = (uint8_t)(len >> 16);
200 data[2] = (uint8_t)((len >> 8) & 0xFF);
201 data[3] = (uint8_t)(len & 0xFF);
202 *dataLen = 4;
203 }
204 else
205 {
206 data[0] = 0x84;
207 data[1] = (uint8_t)(len >> 24);
208 data[2] = (uint8_t)((len >> 16) & 0xFF);
209 data[3] = (uint8_t)((len >> 8) & 0xFF);
210 data[4] = (uint8_t)(len & 0xFF);
211 *dataLen = 5;
212 }
213 }
214
215
216 static void scam_client_close(struct s_client *cl, int32_t call_conclose)
217 {
218 struct s_reader *rdr = cl->reader;
219 if(!rdr) { return; }
220
221 if(rdr) { rdr->tcp_connected = 0; }
222 if(rdr) { rdr->card_status = NO_CARD; }
223 if(rdr) { rdr->last_s = rdr->last_g = 0; }
224 if(cl) { cl->last = 0; }
225
226 if(call_conclose) // clears also pending ecms!
227 { network_tcp_connection_close(rdr, "close"); }
228 else
229 {
230 if(cl->udp_fd)
231 {
232 close(cl->udp_fd);
233 cl->udp_fd = 0;
234 cl->pfd = 0;
235 }
236 }
237 }
238
239 static int32_t scam_send(struct s_client *cl, uint8_t *buf, uint32_t len)
240 {
241 uint8_t *mbuf, lenData[5];
242 uint8_t lenDataLen = 0, paddingLen = 0;
243 uint16_t crc = 0;
244 int32_t result, packetLen;
245 struct scam_data *scam = cl->scam;
246
247 if(scam == NULL) { return 0; }
248 if(len == 0) { return 0; }
249
250 paddingLen = 8 - ((4 + len) % 8);
251 if(paddingLen == 8)
252 {
253 paddingLen = 0;
254 }
255 else if(paddingLen > 0 && paddingLen < 3)
256 {
257 paddingLen += 8;
258 }
259
260 scam_encode_length(4 + len + paddingLen, lenData, &lenDataLen);
261
262 if(lenDataLen == 0) { return -1; }
263
264 packetLen = 1 + lenDataLen + 4 + len + paddingLen;
265
266 if(!cs_malloc(&mbuf, packetLen)) { return -1; }
267
268 mbuf[0] = 0x0F;
269 memcpy(&mbuf[1], lenData, lenDataLen);
270 mbuf[1 + lenDataLen] = 0x10;
271 mbuf[1 + lenDataLen + 1] = 0x02;
272 memcpy(&mbuf[1 + lenDataLen + 4], buf, len);
273
274 if(paddingLen > 0)
275 {
276 mbuf[1 + lenDataLen + 4 + len] = 0x7F;
277 mbuf[1 + lenDataLen + 4 + len + 1] = paddingLen - 2;
278 get_random_bytes(mbuf + 1 + lenDataLen + 4 + len + 2, paddingLen - 2);
279 }
280
281 crc = ccitt_crc(mbuf + 1 + lenDataLen + 4, len + paddingLen, 0xFFFF, 0);
282 i2b_buf(2, crc, &mbuf[1 + lenDataLen + 2]);
283
284 scam_encrypt_packet(mbuf, packetLen, scam->enckey, 4 + len + paddingLen, 1 + lenDataLen, &scam->enc_xor_offset);
285 result = send(cl->pfd, mbuf, packetLen, 0);
286 NULLFREE(mbuf);
287
288 return (result);
289 }
290
291 static int32_t scam_msg_recv(struct s_client *cl, uint8_t *buf, int32_t maxlen)
292 {
293 int32_t len;
294 int32_t handle = cl->udp_fd;
295 struct scam_data *scam = cl->scam;
296
297 if(scam == NULL) { return 0; }
298 if(handle <= 0 || maxlen < 3)
299 { cs_log("scam_msg_recv: fd is 0"); return -1; }
300
301 len = cs_recv(handle, buf, 2, MSG_WAITALL);
302 if(len != 2) // invalid header length read
303 {
304 if(len <= 0)
305 { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "disconnected by remote server"); }
306 else
307 { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid header length (expected 2, read %d)", len); }
308 return -1;
309 }
310
311 if(buf[0] != 0x0F)
312 {
313 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid packet tag");
314 return 0;
315 }
316
317 int32_t headerSize = buf[1] & 0x80 ? (2 + (buf[1] & ~0x80)) : 2;
318 if(headerSize > 2)
319 {
320 if(maxlen < headerSize + 1) { return -1; }
321
322 len = cs_recv(handle, buf + 2, headerSize - 2, MSG_WAITALL);
323 if(len != headerSize - 2) // invalid header length read
324 {
325 if(len <= 0)
326 { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "disconnected by remote server"); }
327 else
328 { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid header length (expected %d, read %d)", headerSize, 2+len); }
329 return -1;
330 }
331 }
332
333 uint32_t dataLength, dataOffset;
334 scam_decode_length(buf, &dataLength, &dataOffset);
335
336 if(dataLength) // check if any data is expected in msg
337 {
338 if(dataLength % 8 != 0)
339 {
340 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "message data has invalid size (size=%d)", dataLength);
341 return 0;
342 }
343
344 if(headerSize + dataLength > (uint32_t)maxlen)
345 {
346 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "message too big (size=%d max=%d)", headerSize+dataLength, maxlen);
347 return 0;
348 }
349
350 len = cs_recv(handle, buf + dataOffset, dataLength, MSG_WAITALL);
351 if((uint32_t)len != dataLength)
352 {
353 if(len <= 0)
354 {
355 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "disconnected by remote");
356 }
357 else
358 {
359 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid message length read (expected %d, read %d)", dataLength, len);
360 }
361 return -1;
362 }
363
364 scam_decrypt_packet(buf, headerSize + dataLength, scam->deckey, dataLength, dataOffset, &scam->dec_xor_offset);
365 }
366
367 return headerSize+dataLength;
368 }
369
370 static int32_t scam_recv(struct s_client *cl, uint8_t *buf, int32_t len)
371 {
372 int32_t n;
373 struct s_reader *rdr = (cl->typ == 'c') ? NULL : cl->reader;
374
375 if(buf == NULL || len <= 0)
376 { return -1; }
377
378 n = scam_msg_recv(cl, buf, len); // recv and decrypt msg
379 if(n <= 0)
380 {
381 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "connection closed by %s, n=%d.", remote_txt(), n);
382 if(rdr)
383 {
384 scam_client_close(cl, 1);
385 }
386 else
387 {
388 cs_disconnect_client(cl);
389 }
390 cs_sleepms(150);
391 n = -1;
392 }
393 else
394 {
395 cl->last = time(NULL); // last client action is now
396 if(rdr) { rdr->last_g = time(NULL); } // last reader receive is now
397 }
398
399 return n;
400 }
401
402 // scam client functions
403
404 static int32_t scam_client_init(struct s_client *cl);
405
406 static int32_t scam_client_connect(void)
407 {
408 struct s_client *cl = cur_client();
409
410 if(cl->reader->tcp_connected < 2 && scam_client_init(cl) < 0)
411 { return 0; }
412
413 if(!cl->udp_fd)
414 { return 0; }
415
416 return 1;
417 }
418
419 static void scam_client_idle(void)
420 {
421 struct s_client *client = cur_client();
422 struct s_reader *rdr = client->reader;
423 time_t now = time(NULL);
424 if(!rdr) { return; }
425
426 if(rdr->tcp_ito > 0)
427 {
428 int32_t time_diff;
429 time_diff = llabs(now - rdr->last_s);
430 if(time_diff > (rdr->tcp_ito))
431 {
432 network_tcp_connection_close(rdr, "inactivity");
433 return;
434 }
435 }
436 else if(rdr->tcp_ito == -1)
437 {
438 scam_client_connect();
439 return;
440 }
441 }
442
443 static void scam_client_recv_caid(uint8_t *buf, uint32_t len)
444 {
445 uint16_t caid;
446
447 if(len < 3)
448 {
449 return;
450 }
451
452 caid = buf[1] << 8 | buf[2];
453
454 if(buf[0])
455 {
456 cs_log("scam server has card: %04X", caid);
457 }
458 else
459 {
460 cs_log("scam server no longer has card: %04X", caid);
461 }
462 }
463
464 static void scam_client_recv_server_version(uint8_t *buf, uint32_t len)
465 {
466 uint32_t pos = 0, dataLength = 0, dataOffset = 0, usedLen = 0;
467 char versionString[128];
468 uint16_t versionShort = 0;
469 versionString[0] = 0;
470
471 scam_decode_length(buf, &dataLength, &dataOffset);
472
473 while(pos + dataOffset + dataLength - 1 < len)
474 {
475 switch(buf[pos])
476 {
477 case 0x01: // version string
478 usedLen = dataLength;
479 if(usedLen > 127)
480 {
481 usedLen = 127;
482 }
483 memcpy(versionString, buf + dataOffset, usedLen);
484 versionString[usedLen] = 0;
485 break;
486
487 case 0x0A: // version short
488 if(dataLength != 2) break;
489 versionShort = (buf[pos + dataOffset] << 8) | buf[pos + dataOffset + 1];
490 break;
491
492 default:
493 cs_log_dbg(D_READER, "unknown server version packet tag %X", buf[pos]);
494 break;
495 }
496
497 pos += dataOffset + dataLength;
498 if((pos + 2 < len) && (pos + 1 + scam_get_length_data_length(buf + pos)) < len)
499 {
500 scam_decode_length(buf + pos, &dataLength, &dataOffset);
501 }
502 else
503 {
504 break;
505 }
506 }
507
508 cs_log("scam server version: %s (%d)", versionString, versionShort);
509 }
510
511 static void scam_client_recv_dcw(struct s_client *cl, uint8_t *buf, uint32_t len, uint8_t *dcw, int32_t *ecm_task_idx, int32_t *rc)
512 {
513 // 00C00000 enigma namespace
514 // 0455 tsid
515 // 0001 onid
516 // 151A srvid
517 // 200081 ???
518 // 943E85577035C469 dcw1
519 // C73882811721E31B dcw2
520
521 if(len != 29)
522 {
523 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "unknown server dcw packet length %d", len);
524 return;
525 }
526
527 *ecm_task_idx = b2i(4, &buf[0]); // we store idx here instead of ens
528 memcpy(dcw, &buf[13], 16);
529 *rc = 1;
530 }
531
532 static void scam_client_send_hello(struct s_client *cl)
533 {
534 uint8_t mbuf[70];
535 uint32_t usernameLen, i = 0;
536 struct s_reader *rdr = cl->reader;
537 struct scam_data *scam = cl->scam;
538
539 if(scam == NULL) { return; }
540 if(!rdr) { return; }
541
542 usernameLen = strlen(rdr->r_usr);
543 if(usernameLen > 63) // because rdr->r_usr is max. 63+1 chars
544 {
545 usernameLen = 63;
546 }
547
548 mbuf[i++] = 0x46; // client hello data type
549 mbuf[i++] = 6 + usernameLen; // will never exceed 63+6 = 69 bytes (<127 bytes)
550
551 // client version
552 mbuf[i++] = 0xA0; // client version data type
553 mbuf[i++] = 0x02; // data length (2)
554 mbuf[i++] = 0x00; // version ( 0x0007)
555 mbuf[i++] = 0x07;
556
557 // username
558 mbuf[i++] = 0xA1; // username data type
559 mbuf[i++] = (uint8_t)usernameLen;
560 memcpy(mbuf + i, rdr->r_usr, usernameLen);
561 mbuf[i + usernameLen] = 0;
562
563 scam_send(cl, mbuf, 8 + usernameLen);
564
565 scam_generate_deskey(rdr->r_pwd, scam->enckey);
566 scam_generate_deskey(rdr->r_pwd, scam->deckey);
567 scam->enc_xor_offset = 0;
568 scam->dec_xor_offset = 0;
569 }
570
571 static int32_t scam_client_send_ecm(struct s_client *cl, ECM_REQUEST *er)
572 {
573 // 2481A5 310A
574 // 00C00000 enigma namespace
575 // 0455 tsid
576 // 0001 onid
577 // 151A srvid
578 // 3002
579 // 1843 caid
580 // 3304
581 // 66A1AE16 pat/pmt crc? we currently fill it with chid
582 // 348189
583 // 8130.. ecm
584 // 3501
585 // 02 needed dcws?
586
587 uint8_t *mbuf, packetLenData[5], ecmLenData[5];
588 uint32_t i = 0, ret = 0, dataLength = 0, packetLength = 0;
589 uint8_t pLenDataLen = 0, eLenDataLen = 0;
590
591 if(!scam_client_connect())
592 { return (-1); }
593
594 scam_encode_length(er->ecmlen, ecmLenData, &eLenDataLen);
595 dataLength = 23 + eLenDataLen + er->ecmlen + 3;
596 scam_encode_length(dataLength, packetLenData, &pLenDataLen);
597 packetLength = 1 + pLenDataLen + dataLength;
598
599 if(!cs_malloc(&mbuf, packetLength))
600 { return -1; }
601
602 mbuf[i++] = 0x24; // ecm request data type
603 memcpy(mbuf + i, packetLenData, pLenDataLen); i += pLenDataLen;
604
605 mbuf[i++] = 0x31; // channel info data type
606 mbuf[i++] = 0x0A; // size is always 0x0A
607
608 //i2b_buf(4, er->ens, mbuf+i); i += 4;
609 i2b_buf(4, er->idx, mbuf+i); i += 4; // we store idx instead of ens here
610
611 i2b_buf(2, er->tsid, mbuf + i); i += 2;
612 i2b_buf(2, er->onid, mbuf + i); i += 2;
613 i2b_buf(2, er->srvid, mbuf + i); i += 2;
614
615 mbuf[i++] = 0x30; // caid data type
616 mbuf[i++] = 0x02; // size is always 0x02
617 i2b_buf(2, er->caid, mbuf + i); i += 2;
618
619 mbuf[i++] = 0x33; // ??? data type
620 mbuf[i++] = 0x04; // size is always 0x04
621 i2b_buf(2, er->chid, mbuf + i); i += 4;
622
623 mbuf[i++] = 0x34; // ecm data type
624 memcpy(mbuf + i, ecmLenData, eLenDataLen); i += eLenDataLen;
625 memcpy(mbuf + i, er->ecm, er->ecmlen); i += er->ecmlen;
626
627 mbuf[i++] = 0x35; // ??? data type
628 mbuf[i++] = 0x01; // size is always 0x01
629 mbuf[i++] = 0x02; // unknown value
630
631 ret = scam_send(cl, mbuf, packetLength);
632
633 cs_log_dbg(D_TRACE, "scam: sending ecm");
634 cs_log_dump_dbg(D_CLIENT, mbuf, packetLength, "ecm:");
635 NULLFREE(mbuf);
636 return ((ret < 1) ? (-1) : 0);
637 }
638
639 static int32_t scam_client_init(struct s_client *cl)
640 {
641 int32_t handle;
642
643 handle = network_tcp_connection_open(cl->reader);
644 if(handle < 0) {
645 cl->reader->last_s = 0; // set last send to zero
646 cl->reader->last_g = 0; // set last receive to zero
647 cl->last = 0; // set last client action to zero
648 return (0);
649 }
650
651 if(cl->scam) {
652 memset(cl->scam, 0, sizeof(struct scam_data));
653 }
654
655 if(!cl->scam && !cs_malloc(&cl->scam, sizeof(struct scam_data))) {
656 return 0;
657 }
658
659 cs_log("scam: proxy %s:%d (fd=%d)",
660 cl->reader->device, cl->reader->r_port, cl->udp_fd);
661
662 cl->reader->tcp_connected = 2;
663 cl->reader->card_status = CARD_INSERTED;
664 cl->reader->last_g = cl->reader->last_s = time((time_t *)0);
665
666 cs_log_dbg(D_CLIENT, "scam: last_s=%ld, last_g=%ld", cl->reader->last_s, cl->reader->last_g);
667
668 cl->pfd = cl->udp_fd;
669
670 scam_client_send_hello(cl);
671
672 return (0);
673 }
674
675 static int32_t scam_client_handle(struct s_client *cl, uint8_t *dcw, int32_t *rc, uint8_t *buf, int32_t n)
676 {
677 uint32_t pos = 0, packetLength = 0, packetOffset = 0, dataLength = 0, dataOffset = 0;
678 int32_t ret = -1;
679
680 if(n < 3)
681 {
682 return (-1);
683 }
684
685 scam_decode_length(buf, &packetLength, &packetOffset);
686 pos += packetOffset;
687
688 if((pos + 2 < (uint32_t)n) && (pos + 1 + scam_get_length_data_length(buf + pos) < (uint32_t)n))
689 {
690 scam_decode_length(buf + pos, &dataLength, &dataOffset);
691 }
692 else
693 {
694 return (-1);
695 }
696
697 while(pos + dataOffset + dataLength - 1 < (uint32_t)n)
698 {
699 switch(buf[pos])
700 {
701 case 0x10: // checksum
702 if(dataLength != 2) { break; }
703 if(b2i(2, &buf[pos + dataOffset]) != ccitt_crc(buf + pos + dataOffset + 2, n - pos - dataOffset - 2, 0xFFFF, 0))
704 {
705 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent packet with invalid checksum");
706 return (-1);
707 }
708 break;
709
710 case 0x20: // caid list
711 scam_client_recv_caid(buf + pos + dataOffset, dataLength);
712 break;
713
714 case 0x45: // server version
715 scam_client_recv_server_version(buf + pos + dataOffset, dataLength);
716 break;
717
718 case 0x63: // dcw
719 scam_client_recv_dcw(cl, buf + pos + dataOffset, dataLength, dcw, &ret, rc);
720 break;
721
722 case 0x7F: // padding
723 break;
724
725 default:
726 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "unknown scam server packet %X", buf[pos]);
727 break;
728 }
729
730 pos += dataOffset + dataLength;
731 if((pos + 2 < (uint32_t)n) && (pos + 1 + scam_get_length_data_length(buf + pos) < (uint32_t)n))
732 {
733 scam_decode_length(buf + pos, &dataLength, &dataOffset);
734 }
735 else
736 {
737 break;
738 }
739 }
740
741 return ret;
742 }
743
744 // scam server functions
745 static uint8_t scam_server_authip_client(struct s_client *cl)
746 {
747 if(cfg.scam_allowed && !check_ip(cfg.scam_allowed, cl->ip))
748 {
749 cs_log("scam: IP not allowed");
750 cs_auth_client(cl, (struct s_auth *)0, NULL);
751 cs_disconnect_client(cl);
752 return 0;
753 }
754
755 return 1;
756 }
757
758 static void scam_server_init(struct s_client *cl)
759 {
760 if(!cl->init_done)
761 {
762 if(IP_ISSET(cl->ip))
763 { cs_log("scam: new connection from %s", cs_inet_ntoa(cl->ip)); }
764
765 if(scam_server_authip_client(cl))
766 {
767 if(cl->scam)
768 {
769 memset(cl->scam, 0, sizeof(struct scam_data));
770 }
771
772 if(cl->scam || cs_malloc(&cl->scam, sizeof(struct scam_data)))
773 {
774 cl->init_done = 1;
775 }
776 }
777 }
778 return;
779 }
780
781 static void scam_server_recv_ecm(struct s_client *cl, uint8_t *buf, int32_t len)
782 {
783 uint32_t pos = 0, dataLength = 0, dataOffset = 0, usedLen = 0;
784 ECM_REQUEST *er;
785 uint8_t gotCaid = 0, gotEcm = 0;
786
787 if(len < 1)
788 {
789 return;
790 }
791
792 if(!(er = get_ecmtask()))
793 { return; }
794
795 scam_decode_length(buf, &dataLength, &dataOffset);
796
797 while(pos + dataOffset + dataLength - 1 < (uint32_t)len)
798 {
799 switch(buf[pos]) {
800
801 case 0x31: // channel data
802 if(dataLength != 0x0A) break;
803 er->ens = b2i(4, buf + pos + dataOffset);
804 er->tsid = b2i(2, buf + pos + dataOffset + 4);
805 er->onid = b2i(2, buf + pos + dataOffset + 6);
806 er->srvid = b2i(2, buf + pos + dataOffset + 8);
807 break;
808
809 case 0x30: // caid
810 if(dataLength != 0x02) break;
811 er->caid = b2i(2, buf + pos + dataOffset);
812 gotCaid = 1;
813 break;
814
815 case 0x33: // unknown
816 break;
817
818 case 0x34: // ecm
819 usedLen = dataLength;
820 if(usedLen > MAX_ECM_SIZE)
821 {
822 break;
823 }
824 er->ecmlen = usedLen;
825 memcpy(er->ecm, buf + pos + dataOffset, usedLen);
826 gotEcm = 1;
827 break;
828
829 case 0x35: // unknown
830 break;
831
832 default:
833 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent unknown scam client ecm tag %X", buf[pos]);
834 break;
835 }
836
837 pos += dataOffset + dataLength;
838 if((pos + 2 < (uint32_t)len) && (pos + 1 + scam_get_length_data_length(buf + pos) < (uint32_t)len))
839 {
840 scam_decode_length(buf + pos, &dataLength, &dataOffset);
841 }
842 else
843 {
844 break;
845 }
846 }
847
848 if(gotCaid && gotEcm)
849 {
850 get_cw(cl, er);
851 }
852 else
853 {
854 NULLFREE(er);
855 cs_log("WARNING: ECM-request corrupt");
856 }
857 }
858
859 static void scam_caidlist_add(uint16_t *caidlist, uint32_t listsize, uint32_t *count, uint16_t caid)
860 {
861 uint32_t i;
862 uint8_t exists = 0;
863
864 if(*count >= listsize)
865 {
866 return;
867 }
868
869 for(i = 0; i < *count; i++)
870 {
871 if(caidlist[i] == caid)
872 {
873 exists = 1;
874 break;
875 }
876 }
877
878 if(!exists)
879 {
880 caidlist[*count] = caid;
881 (*count)++;
882 }
883 }
884
885 static void scam_server_send_caidlist(struct s_client *cl)
886 {
887 uint8_t mbuf[5];
888 int32_t j;
889 uint32_t i = 0;
890 uint16_t caids[55];
891 uint32_t cardcount = 0;
892 struct s_reader *rdr = NULL;
893
894 cs_readlock(__func__, &readerlist_lock);
895 for(rdr = first_active_reader; rdr; rdr = rdr->next)
896 {
897 if(rdr->caid && chk_ctab(rdr->caid, &cl->ctab))
898 {
899 scam_caidlist_add(caids, ARRAY_SIZE(caids), &cardcount, rdr->caid);
900 }
901
902 for(j = 0; j < rdr->ctab.ctnum; j++)
903 {
904 CAIDTAB_DATA *d = &rdr->ctab.ctdata[j];
905 if(d->caid && chk_ctab(d->caid, &cl->ctab))
906 {
907 scam_caidlist_add(caids, ARRAY_SIZE(caids), &cardcount, d->caid);
908 }
909 }
910 }
911 cs_readunlock(__func__, &readerlist_lock);
912
913 for(j = 0; j < (int32_t)cardcount; j++)
914 {
915 i = 0;
916 mbuf[i++] = 0x20; // caid data type
917 mbuf[i++] = 0x03; // length
918 mbuf[i++] = 0x01; // active card
919 i2b_buf(2, caids[j], mbuf + i);
920 scam_send(cl, mbuf, 5);
921 }
922 }
923
924 static void scam_server_send_serverversion(struct s_client *cl)
925 {
926 uint8_t mbuf[64];
927 uint32_t i = 0;
928 char *version = "scam/3.60 oscam";
929 uint8_t vlen = strlen(version);
930
931 mbuf[i++] = 0x45; // server version data type
932 mbuf[i++] = 2 + vlen + 4; // will never exceed 127 bytes
933
934 mbuf[i++] = 0x01; // server version string data type
935 mbuf[i++] = vlen; // will never exceed 127 bytes
936 memcpy(mbuf + i, version, vlen); i += vlen;
937
938 mbuf[i++] = 0x0A; // server version short data type
939 mbuf[i++] = 0x02; // is always 0x02
940 i2b_buf(2, 0x7, mbuf + i);
941
942 scam_send(cl, mbuf, 2 + 2 + vlen + 4);
943 }
944
945 static void scam_server_recv_auth(struct s_client *cl, uint8_t *buf, int32_t len)
946 {
947 uint32_t pos = 0, dataLength = 0, dataOffset = 0, usedLen = 0;
948 uint8_t userok = 0;
949 struct s_auth *account;
950 struct scam_data *scam = cl->scam;
951
952 if(scam == NULL) { return; }
953 scam->login_username[0] = 0;
954
955 if(len < 1)
956 {
957 return;
958 }
959
960 scam_decode_length(buf, &dataLength, &dataOffset);
961
962 while(pos + dataOffset + dataLength - 1 < (uint32_t)len)
963 {
964 switch(buf[pos])
965 {
966 case 0xA0: // version short
967 if(dataLength != 2) break;
968 scam->version = (buf[pos + dataOffset] << 8) | buf[pos + dataOffset + 1];
969 break;
970
971 case 0xA1: // username string
972 usedLen = dataLength;
973 if(usedLen > 64) {
974 usedLen = 63;
975 }
976 memcpy(scam->login_username, buf + pos + dataOffset, usedLen);
977 scam->login_username[usedLen] = 0;
978 break;
979
980 default:
981 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "unknown client auth packet tag %X", buf[pos]);
982 break;
983 }
984
985 pos += dataOffset + dataLength;
986 if((pos + 2 < (uint32_t)len) && (pos + 1 + scam_get_length_data_length(buf + pos) < (uint32_t)len))
987 {
988 scam_decode_length(buf + pos, &dataLength, &dataOffset);
989 }
990 else
991 {
992 break;
993 }
994 }
995
996 for(account = cfg.account; account; account = account->next)
997 {
998 if(streq(scam->login_username, account->usr))
999 {
1000 userok = 1;
1001 break;
1002 }
1003 }
1004
1005 if(!userok)
1006 {
1007 cs_auth_client(cl, (struct s_auth *)0, NULL);
1008 cs_disconnect_client(cl);
1009 return;
1010 }
1011
1012 scam->login_pending = 1;
1013 scam_generate_deskey(account->pwd, scam->enckey);
1014 scam_generate_deskey(account->pwd, scam->deckey);
1015 scam->enc_xor_offset = 0;
1016 scam->dec_xor_offset = 0;
1017
1018 scam_server_send_caidlist(cl);
1019 scam_server_send_serverversion(cl);
1020 }
1021
1022 static void scam_server_send_dcw(struct s_client *cl, ECM_REQUEST *er)
1023 {
1024 uint8_t mbuf[31];
1025 uint32_t i = 0;
1026
1027 if(!(er->rc < E_NOTFOUND))
1028 {
1029 return;
1030 }
1031
1032 mbuf[i++] = 0x63; // dcw data type
1033 mbuf[i++] = 0x1D; // fixed sized < 127
1034
1035 i2b_buf(4, er->ens, mbuf + i); i += 4;
1036 i2b_buf(2, er->tsid, mbuf + i); i += 2;
1037 i2b_buf(2, er->onid, mbuf + i); i += 2;
1038 i2b_buf(2, er->srvid, mbuf + i); i += 2;
1039
1040 mbuf[i++] = 0x20; // unknown
1041 mbuf[i++] = 0x00; // unknown
1042 mbuf[i++] = 0x81; // unknown
1043 memcpy(mbuf + i, er->cw, 16);
1044
1045 scam_send(cl, mbuf, 31);
1046 }
1047
1048 static void *scam_server_handle(struct s_client *cl, uint8_t *buf, int32_t n)
1049 {
1050 uint32_t pos = 0, packetLength = 0, packetOffset = 0, dataLength = 0, dataOffset = 0;
1051 struct s_auth *account;
1052 struct scam_data *scam;
1053
1054 if(n < 3)
1055 { return NULL; }
1056
1057 if(!cl->init_done)
1058 {
1059 if(!scam_server_authip_client(cl)) { return NULL; }
1060
1061 if(cl->scam)
1062 {
1063 memset(cl->scam, 0, sizeof(struct scam_data));
1064 }
1065
1066 if(cl->scam == NULL && !cs_malloc(&cl->scam, sizeof(struct scam_data)))
1067 {
1068 return NULL;
1069 }
1070 cl->init_done = 1;
1071 }
1072
1073 scam = cl->scam;
1074 if(scam == NULL)
1075 {
1076 return NULL;
1077 }
1078
1079 scam_decode_length(buf, &packetLength, &packetOffset);
1080 pos += packetOffset;
1081
1082 if(scam->login_pending && packetLength > 1 && (buf[pos] != 0x10 || buf[pos + 1] != 0x02))
1083 {
1084 scam->login_pending = 0;
1085 cs_auth_client(cl, (struct s_auth *)0, NULL);
1086 cs_disconnect_client(cl);
1087 return NULL;
1088 }
1089
1090 if((pos + 2 < (uint32_t)n) && (pos + 1 + scam_get_length_data_length(buf + pos) < (uint32_t)n))
1091 {
1092 scam_decode_length(buf + pos, &dataLength, &dataOffset);
1093 }
1094 else
1095 {
1096 return NULL;
1097 }
1098
1099 while(pos + dataOffset + dataLength - 1 < (uint32_t)n)
1100 {
1101 switch(buf[pos])
1102 {
1103 case 0x10: // checksum
1104 if(dataLength != 2) { break; }
1105 if(b2i(2, &buf[pos + dataOffset]) != ccitt_crc(buf + pos + dataOffset + 2, n - pos - dataOffset - 2, 0xFFFF, 0))
1106 {
1107 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent packet with invalid checksum");
1108 return NULL;
1109 }
1110 if(scam->login_pending)
1111 {
1112 for(account = cfg.account; account; account = account->next)
1113 {
1114 if(streq(scam->login_username, account->usr))
1115 {
1116 scam->login_pending = 0;
1117 if(!cs_auth_client(cl, account, NULL))
1118 {
1119 cs_log("scam client login: %s version: %d", scam->login_username, scam->version);
1120 }
1121 else
1122 {
1123 cs_disconnect_client(cl);
1124 }
1125 break;
1126 }
1127 }
1128 if(scam->login_pending)
1129 {
1130 scam->login_pending = 0;
1131 cs_auth_client(cl, (struct s_auth *)0, NULL);
1132 cs_disconnect_client(cl);
1133 return NULL;
1134 }
1135 }
1136 break;
1137
1138 case 0x46: // client auth
1139 scam_server_recv_auth(cl, buf + pos + dataOffset, dataLength);
1140 break;
1141
1142 case 0x24: // ecm request
1143 scam_server_recv_ecm(cl, buf + pos + dataOffset, dataLength);
1144 break;
1145
1146 case 0x7F: // padding
1147 break;
1148
1149 default:
1150 cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent unknown scam client packet %X", buf[pos]);
1151 break;
1152 }
1153
1154 pos += dataOffset + dataLength;
1155 if((pos + 2 < (uint32_t)n) && (pos + 1 + scam_get_length_data_length(buf + pos) < (uint32_t)n))
1156 {
1157 scam_decode_length(buf + pos, &dataLength, &dataOffset);
1158 }
1159 else
1160 {
1161 break;
1162 }
1163 }
1164
1165 return NULL;
1166 }
1167
1168 void scam_cleanup(struct s_client *cl)
1169 {
1170 NULLFREE(cl->scam);
1171 }
1172
1173 void module_scam(struct s_module *ph)
1174 {
1175 ph->desc = "scam";
1176 ph->type = MOD_CONN_TCP;
1177 ph->listenertype = LIS_SCAM;
1178 ph->num = R_SCAM;
1179 ph->large_ecm_support = 1;
1180 IP_ASSIGN(ph->s_ip, cfg.scam_srvip);
1181 ph->ptab.nports = 1;
1182 ph->ptab.ports[0].s_port = cfg.scam_port;
1183 // server + client
1184 ph->recv = scam_recv;
1185 ph->cleanup = scam_cleanup;
1186 // server
1187 ph->s_init = scam_server_init;
1188 ph->s_handler = scam_server_handle;
1189 ph->send_dcw = scam_server_send_dcw;
1190 // client
1191 ph->c_init = scam_client_init;
1192 ph->c_idle = scam_client_idle;
1193 ph->c_recv_chk = scam_client_handle;
1194 ph->c_send_ecm = scam_client_send_ecm;
1195 }
1196
1197 #endif
Open Source Conditional Access Modul