1 | #define MODULE_LOG_PREFIX "scam"
|
---|
2 |
|
---|
3 | #include "globals.h"
|
---|
4 | #ifdef MODULE_SCAM
|
---|
5 | #include "oscam-client.h"
|
---|
6 | #include "oscam-ecm.h"
|
---|
7 | #include "oscam-net.h"
|
---|
8 | #include "oscam-string.h"
|
---|
9 | #include "oscam-reader.h"
|
---|
10 | #include "oscam-lock.h"
|
---|
11 | #include "oscam-time.h"
|
---|
12 | #include "oscam-chk.h"
|
---|
13 | #include "cscrypt/des.h"
|
---|
14 |
|
---|
15 | struct scam_data
|
---|
16 | {
|
---|
17 | uchar enckey[8];
|
---|
18 | uchar deckey[8];
|
---|
19 | uint8_t enc_xor_offset;
|
---|
20 | uint8_t dec_xor_offset;
|
---|
21 | uint8_t login_pending;
|
---|
22 | char login_username[64];
|
---|
23 | uint16_t version;
|
---|
24 | };
|
---|
25 |
|
---|
26 | static inline void xxor(uint8_t *data, int32_t len, const uint8_t *v1, const uint8_t *v2)
|
---|
27 | {
|
---|
28 | uint32_t i;
|
---|
29 | switch(len)
|
---|
30 | {
|
---|
31 | case 16:
|
---|
32 | for(i = 8; i < 16; ++i)
|
---|
33 | {
|
---|
34 | data[i] = v1[i] ^ v2[i];
|
---|
35 | }
|
---|
36 | case 8:
|
---|
37 | for(i = 4; i < 8; ++i)
|
---|
38 | {
|
---|
39 | data[i] = v1[i] ^ v2[i];
|
---|
40 | }
|
---|
41 | case 4:
|
---|
42 | for(i = 0; i < 4; ++i)
|
---|
43 | {
|
---|
44 | data[i] = v1[i] ^ v2[i];
|
---|
45 | }
|
---|
46 | break;
|
---|
47 | default:
|
---|
48 | while(len--) { *data++ = *v1++ ^ *v2++; }
|
---|
49 | break;
|
---|
50 | }
|
---|
51 | }
|
---|
52 |
|
---|
53 | static void scam_generate_deskey(char *keyString, uint8_t *desKey)
|
---|
54 | {
|
---|
55 | uint8_t iv[8], key[8], *tmpKey;
|
---|
56 | int32_t i, passLen, alignedPassLen;
|
---|
57 |
|
---|
58 | memset(iv, 0, 8);
|
---|
59 | memset(desKey, 0, 8);
|
---|
60 | memset(key, 0, 8);
|
---|
61 |
|
---|
62 | passLen = keyString == NULL ? 0 : strlen(keyString);
|
---|
63 | if(passLen > 1024) {
|
---|
64 | passLen = 1024;
|
---|
65 | }
|
---|
66 |
|
---|
67 | alignedPassLen = (passLen + 7) & -8;
|
---|
68 | if(alignedPassLen == 0) alignedPassLen = 8;
|
---|
69 |
|
---|
70 | if(!cs_malloc(&tmpKey, alignedPassLen)) {
|
---|
71 | return;
|
---|
72 | }
|
---|
73 |
|
---|
74 | if(passLen == 0) {
|
---|
75 | memset(tmpKey, 0xAA, 8);
|
---|
76 | passLen = 8;
|
---|
77 | }
|
---|
78 | else {
|
---|
79 | memcpy(tmpKey, keyString, passLen);
|
---|
80 | }
|
---|
81 |
|
---|
82 | for(i=0; i<alignedPassLen-passLen; i++) {
|
---|
83 | tmpKey[passLen+i] = (uint8_t)i;
|
---|
84 | }
|
---|
85 |
|
---|
86 | xxor(desKey,8,tmpKey,iv);
|
---|
87 |
|
---|
88 | for(i=0; i<alignedPassLen; i+=8) {
|
---|
89 | memcpy(key, &tmpKey[i], 8);
|
---|
90 | doPC1(key);
|
---|
91 | des(key,DES_ECS2_CRYPT,&tmpKey[i]);
|
---|
92 | xxor(desKey,8,desKey,&tmpKey[i]);
|
---|
93 | }
|
---|
94 |
|
---|
95 | NULLFREE(tmpKey);
|
---|
96 | }
|
---|
97 |
|
---|
98 | static void scam_encrypt_packet(uint8_t *packet, uint32_t packetLength, uint8_t *key, uint32_t dataLength, uint32_t dataOffset, uint8_t *xorOffset)
|
---|
99 | {
|
---|
100 | uint8_t iv[8];
|
---|
101 | uint32_t i;
|
---|
102 | memset(iv, 0, 8);
|
---|
103 |
|
---|
104 | des_cbc_encrypt(packet + dataOffset, iv, key, dataLength);
|
---|
105 |
|
---|
106 | for(i=0; i<packetLength; i++) {
|
---|
107 | key[*xorOffset] ^= packet[i];
|
---|
108 | *xorOffset = (*xorOffset + 1) & 7;
|
---|
109 | }
|
---|
110 | }
|
---|
111 |
|
---|
112 | static void scam_decrypt_packet(uint8_t *packet, uint32_t packetLength, uint8_t *key, uint32_t dataLength, uint32_t dataOffset, uint8_t *xorOffset)
|
---|
113 | {
|
---|
114 | uint8_t tmpKey[8], iv[8];
|
---|
115 | uint32_t i;
|
---|
116 | memcpy(tmpKey, key, 8);
|
---|
117 | memset(iv, 0, 8);
|
---|
118 |
|
---|
119 | for(i=0; i<packetLength; i++) {
|
---|
120 | tmpKey[*xorOffset] ^= packet[i];
|
---|
121 | *xorOffset = (*xorOffset + 1) & 7;
|
---|
122 | }
|
---|
123 |
|
---|
124 | des_cbc_decrypt(packet + dataOffset, iv, key, dataLength);
|
---|
125 | memcpy(key, tmpKey, 8);
|
---|
126 | }
|
---|
127 |
|
---|
128 | static void scam_decode_length(uint8_t *packet, uint32_t *dataLength, uint32_t *dataOffset)
|
---|
129 | {
|
---|
130 | uint32_t i, n;
|
---|
131 |
|
---|
132 | if(packet[1] & 0x80) {
|
---|
133 | n = packet[1]&~0x80;
|
---|
134 | *dataLength = 0;
|
---|
135 | for(i=0; i<n; i++) {
|
---|
136 | *dataLength = (*dataLength << 8) | packet[2+i];
|
---|
137 | }
|
---|
138 | *dataOffset = 2 + n;
|
---|
139 | }
|
---|
140 | else {
|
---|
141 | *dataLength = packet[1];
|
---|
142 | *dataOffset = 2;
|
---|
143 | }
|
---|
144 | }
|
---|
145 |
|
---|
146 | static uint32_t scam_get_length_data_length(uint8_t *packet)
|
---|
147 | {
|
---|
148 | if(packet[1] & 0x80) {
|
---|
149 | return packet[1]&~0x80;
|
---|
150 | }
|
---|
151 | else {
|
---|
152 | return 1;
|
---|
153 | }
|
---|
154 | }
|
---|
155 |
|
---|
156 | static void scam_encode_length(uint32_t len, uint8_t *data, uint8_t *dataLen)
|
---|
157 | {
|
---|
158 | if(len < 128)
|
---|
159 | {
|
---|
160 | data[0] = (uint8_t)len;
|
---|
161 | *dataLen = 1;
|
---|
162 | }
|
---|
163 | else if (len < 256 )
|
---|
164 | {
|
---|
165 | data[0] = 0x81;
|
---|
166 | data[1] = (uint8_t)len;
|
---|
167 | *dataLen = 2;
|
---|
168 | }
|
---|
169 | else if (len < 65536 ) {
|
---|
170 | data[0] = 0x82;
|
---|
171 | data[1] = (uint8_t)(len>>8);
|
---|
172 | data[2] = (uint8_t)(len&0xFF);
|
---|
173 | *dataLen = 3;
|
---|
174 | }
|
---|
175 | else if (len < 16777216 )
|
---|
176 | {
|
---|
177 | data[0] = 0x83;
|
---|
178 | data[1] = (uint8_t)(len>>16);
|
---|
179 | data[2] = (uint8_t)((len>>8)&0xFF);
|
---|
180 | data[3] = (uint8_t)(len&0xFF);
|
---|
181 | *dataLen = 4;
|
---|
182 | }
|
---|
183 | else
|
---|
184 | {
|
---|
185 | data[0] = 0x84;
|
---|
186 | data[1] = (uint8_t)(len>>24);
|
---|
187 | data[2] = (uint8_t)((len>>16)&0xFF);
|
---|
188 | data[3] = (uint8_t)((len>>8)&0xFF);
|
---|
189 | data[4] = (uint8_t)(len&0xFF);
|
---|
190 | *dataLen = 5;
|
---|
191 | }
|
---|
192 | }
|
---|
193 |
|
---|
194 |
|
---|
195 | static void scam_client_close(struct s_client *cl, int32_t call_conclose)
|
---|
196 | {
|
---|
197 | struct s_reader *rdr = cl->reader;
|
---|
198 | if(!rdr) { return; }
|
---|
199 |
|
---|
200 | if(rdr) { rdr->tcp_connected = 0; }
|
---|
201 | if(rdr) { rdr->card_status = NO_CARD; }
|
---|
202 | if(rdr) { rdr->last_s = rdr->last_g = 0; }
|
---|
203 | if(cl) { cl->last = 0; }
|
---|
204 |
|
---|
205 | if(call_conclose) //clears also pending ecms!
|
---|
206 | { network_tcp_connection_close(rdr, "close"); }
|
---|
207 | else
|
---|
208 | {
|
---|
209 | if(cl->udp_fd)
|
---|
210 | {
|
---|
211 | close(cl->udp_fd);
|
---|
212 | cl->udp_fd = 0;
|
---|
213 | cl->pfd = 0;
|
---|
214 | }
|
---|
215 | }
|
---|
216 | }
|
---|
217 |
|
---|
218 | static int32_t scam_send(struct s_client *cl, uchar *buf, uint32_t len)
|
---|
219 | {
|
---|
220 | uchar *mbuf, lenData[5];
|
---|
221 | uint8_t lenDataLen = 0, paddingLen = 0;
|
---|
222 | uint16_t crc = 0;
|
---|
223 | int32_t result, packetLen;
|
---|
224 | struct scam_data *scam = cl->scam;
|
---|
225 |
|
---|
226 | if(scam == NULL) { return 0; }
|
---|
227 | if(len == 0) { return 0; }
|
---|
228 |
|
---|
229 | paddingLen = 8 - ((4+len) % 8);
|
---|
230 | if(paddingLen == 8) {
|
---|
231 | paddingLen = 0;
|
---|
232 | }
|
---|
233 | else if(paddingLen > 0 && paddingLen < 3) {
|
---|
234 | paddingLen += 8;
|
---|
235 | }
|
---|
236 |
|
---|
237 | scam_encode_length(4+len+paddingLen, lenData, &lenDataLen);
|
---|
238 | if(lenDataLen == 0) { return -1; }
|
---|
239 | packetLen = 1+lenDataLen+4+len+paddingLen;
|
---|
240 | if(!cs_malloc(&mbuf, packetLen)) { return -1; }
|
---|
241 |
|
---|
242 | mbuf[0] = 0x0F;
|
---|
243 | memcpy(&mbuf[1], lenData, lenDataLen);
|
---|
244 | mbuf[1+lenDataLen] = 0x10;
|
---|
245 | mbuf[1+lenDataLen+1] = 0x02;
|
---|
246 | memcpy(&mbuf[1+lenDataLen+4], buf, len);
|
---|
247 |
|
---|
248 | if(paddingLen > 0) {
|
---|
249 | mbuf[1+lenDataLen+4+len] = 0x7F;
|
---|
250 | mbuf[1+lenDataLen+4+len+1] = paddingLen - 2;
|
---|
251 | get_random_bytes(mbuf+1+lenDataLen+4+len+2, paddingLen - 2);
|
---|
252 | }
|
---|
253 |
|
---|
254 | crc = ccitt_crc(mbuf+1+lenDataLen+4, len+paddingLen, 0xFFFF, 0);
|
---|
255 | i2b_buf(2, crc, &mbuf[1+lenDataLen+2]);
|
---|
256 |
|
---|
257 | scam_encrypt_packet(mbuf, packetLen, scam->enckey, 4+len+paddingLen, 1+lenDataLen, &scam->enc_xor_offset);
|
---|
258 | result = send(cl->pfd, mbuf, packetLen, 0);
|
---|
259 | NULLFREE(mbuf);
|
---|
260 |
|
---|
261 | return (result);
|
---|
262 | }
|
---|
263 |
|
---|
264 | static int32_t scam_msg_recv(struct s_client *cl, uint8_t *buf, int32_t maxlen)
|
---|
265 | {
|
---|
266 | int32_t len;
|
---|
267 | int32_t handle = cl->udp_fd;
|
---|
268 | struct scam_data *scam = cl->scam;
|
---|
269 |
|
---|
270 | if(scam == NULL) { return 0; }
|
---|
271 | if(handle <= 0 || maxlen < 3)
|
---|
272 | { cs_log("scam_msg_recv: fd is 0"); return -1; }
|
---|
273 |
|
---|
274 | len = recv(handle, buf, 2, MSG_WAITALL);
|
---|
275 | if(len != 2) // invalid header length read
|
---|
276 | {
|
---|
277 | if(len <= 0)
|
---|
278 | { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "disconnected by remote server"); }
|
---|
279 | else
|
---|
280 | { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid header length (expected 2, read %d)", len); }
|
---|
281 | return -1;
|
---|
282 | }
|
---|
283 |
|
---|
284 | if(buf[0] != 0x0F)
|
---|
285 | {
|
---|
286 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid packet tag");
|
---|
287 | return 0;
|
---|
288 | }
|
---|
289 |
|
---|
290 | int32_t headerSize = buf[1]&0x80 ? (2 + (buf[1]&~0x80)) : 2;
|
---|
291 | if(headerSize > 2) {
|
---|
292 | if(maxlen < headerSize+1) { return -1; }
|
---|
293 | len = recv(handle, buf+2, headerSize-2, MSG_WAITALL);
|
---|
294 | if(len != headerSize-2) // invalid header length read
|
---|
295 | {
|
---|
296 | if(len <= 0)
|
---|
297 | { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "disconnected by remote server"); }
|
---|
298 | else
|
---|
299 | { cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid header length (expected %d, read %d)", headerSize, 2+len); }
|
---|
300 | return -1;
|
---|
301 | }
|
---|
302 | }
|
---|
303 |
|
---|
304 | uint32_t dataLength, dataOffset;
|
---|
305 | scam_decode_length(buf, &dataLength, &dataOffset);
|
---|
306 |
|
---|
307 | if(dataLength) // check if any data is expected in msg
|
---|
308 | {
|
---|
309 | if(dataLength%8 != 0)
|
---|
310 | {
|
---|
311 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "message data has invalid size (size=%d)", dataLength);
|
---|
312 | return 0;
|
---|
313 | }
|
---|
314 |
|
---|
315 | if(headerSize+dataLength > (uint32_t)maxlen)
|
---|
316 | {
|
---|
317 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "message too big (size=%d max=%d)", headerSize+dataLength, maxlen);
|
---|
318 | return 0;
|
---|
319 | }
|
---|
320 |
|
---|
321 | len = recv(handle, buf + dataOffset, dataLength, MSG_WAITALL);
|
---|
322 | if((uint32_t)len != dataLength)
|
---|
323 | {
|
---|
324 | if(len <= 0) {
|
---|
325 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "disconnected by remote");
|
---|
326 | }
|
---|
327 | else {
|
---|
328 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "invalid message length read (expected %d, read %d)", dataLength, len);
|
---|
329 | }
|
---|
330 | return -1;
|
---|
331 | }
|
---|
332 |
|
---|
333 | scam_decrypt_packet(buf, headerSize+dataLength, scam->deckey, dataLength, dataOffset, &scam->dec_xor_offset);
|
---|
334 | }
|
---|
335 |
|
---|
336 | return headerSize+dataLength;
|
---|
337 | }
|
---|
338 |
|
---|
339 | static int32_t scam_recv(struct s_client *cl, uchar *buf, int32_t len)
|
---|
340 | {
|
---|
341 | int32_t n;
|
---|
342 | struct s_reader *rdr = (cl->typ == 'c') ? NULL : cl->reader;
|
---|
343 |
|
---|
344 | if(buf == NULL || len <= 0)
|
---|
345 | { return -1; }
|
---|
346 |
|
---|
347 | n = scam_msg_recv(cl, buf, len); // recv and decrypt msg
|
---|
348 | if(n <= 0)
|
---|
349 | {
|
---|
350 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "connection closed by %s, n=%d.", remote_txt(), n);
|
---|
351 | if(rdr)
|
---|
352 | {
|
---|
353 | scam_client_close(cl, 1);
|
---|
354 | }
|
---|
355 | else
|
---|
356 | {
|
---|
357 | cs_disconnect_client(cl);
|
---|
358 | }
|
---|
359 | cs_sleepms(150);
|
---|
360 | n = -1;
|
---|
361 | }
|
---|
362 | else
|
---|
363 | {
|
---|
364 | cl->last = time(NULL); // last client action is now
|
---|
365 | if(rdr) { rdr->last_g = time(NULL); } // last reader receive is now
|
---|
366 | }
|
---|
367 |
|
---|
368 | return n;
|
---|
369 | }
|
---|
370 |
|
---|
371 | //scam client functions
|
---|
372 |
|
---|
373 | static int32_t scam_client_init(struct s_client *cl);
|
---|
374 |
|
---|
375 | static int32_t scam_client_connect(void)
|
---|
376 | {
|
---|
377 | struct s_client *cl = cur_client();
|
---|
378 |
|
---|
379 | if(cl->reader->tcp_connected < 2 && scam_client_init(cl) < 0)
|
---|
380 | { return 0; }
|
---|
381 |
|
---|
382 | if(!cl->udp_fd)
|
---|
383 | { return 0; }
|
---|
384 |
|
---|
385 | return 1;
|
---|
386 | }
|
---|
387 |
|
---|
388 | static void scam_client_idle(void)
|
---|
389 | {
|
---|
390 | struct s_client *client = cur_client();
|
---|
391 | struct s_reader *rdr = client->reader;
|
---|
392 | time_t now = time(NULL);
|
---|
393 | if(!rdr) { return; }
|
---|
394 |
|
---|
395 | if(rdr->tcp_ito > 0)
|
---|
396 | {
|
---|
397 | int32_t time_diff;
|
---|
398 | time_diff = llabs(now - rdr->last_s);
|
---|
399 | if(time_diff > (rdr->tcp_ito))
|
---|
400 | {
|
---|
401 | network_tcp_connection_close(rdr, "inactivity");
|
---|
402 | return;
|
---|
403 | }
|
---|
404 | }
|
---|
405 | else if(rdr->tcp_ito == -1)
|
---|
406 | {
|
---|
407 | scam_client_connect();
|
---|
408 | return;
|
---|
409 | }
|
---|
410 | }
|
---|
411 |
|
---|
412 | static void scam_client_recv_caid(uint8_t *buf, uint32_t len)
|
---|
413 | {
|
---|
414 | uint16_t caid;
|
---|
415 |
|
---|
416 | if(len < 3) {
|
---|
417 | return;
|
---|
418 | }
|
---|
419 |
|
---|
420 | caid = buf[1] << 8 | buf[2];
|
---|
421 | if(buf[0]) {
|
---|
422 | cs_log("scam server has card: %04X", caid);
|
---|
423 | }
|
---|
424 | else {
|
---|
425 | cs_log("scam server no longer has card: %04X", caid);
|
---|
426 | }
|
---|
427 | }
|
---|
428 |
|
---|
429 | static void scam_client_recv_server_version(uint8_t *buf, uint32_t len)
|
---|
430 | {
|
---|
431 | uint32_t pos = 0, dataLength = 0, dataOffset = 0, usedLen = 0;
|
---|
432 | char versionString[128];
|
---|
433 | uint16_t versionShort = 0;
|
---|
434 | versionString[0] = 0;
|
---|
435 |
|
---|
436 | scam_decode_length(buf, &dataLength, &dataOffset);
|
---|
437 |
|
---|
438 | while(pos+dataOffset+dataLength-1 < len)
|
---|
439 | {
|
---|
440 | switch(buf[pos]) {
|
---|
441 |
|
---|
442 | case 0x01: // version string
|
---|
443 | usedLen = dataLength;
|
---|
444 | if(usedLen > 127) {
|
---|
445 | usedLen = 127;
|
---|
446 | }
|
---|
447 | memcpy(versionString, buf+dataOffset, usedLen);
|
---|
448 | versionString[usedLen] = 0;
|
---|
449 | break;
|
---|
450 |
|
---|
451 | case 0x0A: // version short
|
---|
452 | if(dataLength != 2) break;
|
---|
453 | versionShort = (buf[pos+dataOffset] << 8) | buf[pos+dataOffset+1];
|
---|
454 | break;
|
---|
455 |
|
---|
456 | default:
|
---|
457 | cs_log_dbg(D_READER, "unknown server version packet tag %X", buf[pos]);
|
---|
458 | break;
|
---|
459 | }
|
---|
460 |
|
---|
461 | pos += dataOffset+dataLength;
|
---|
462 | if(pos+2 < len && pos+1+scam_get_length_data_length(buf+pos) < len) {
|
---|
463 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
464 | }
|
---|
465 | else {
|
---|
466 | break;
|
---|
467 | }
|
---|
468 | }
|
---|
469 |
|
---|
470 | cs_log("scam server version: %s (%d)", versionString, versionShort);
|
---|
471 | }
|
---|
472 |
|
---|
473 | static void scam_client_recv_dcw(struct s_client *cl, uint8_t *buf, uint32_t len, uint8_t *dcw, int32_t *ecm_task_idx, int32_t *rc)
|
---|
474 | {
|
---|
475 | // 00C00000 enimga namespace
|
---|
476 | // 0455 tsid
|
---|
477 | // 0001 onid
|
---|
478 | // 151A srvid
|
---|
479 | // 200081 ???
|
---|
480 | // 943E85577035C469 dcw1
|
---|
481 | // C73882811721E31B dcw2
|
---|
482 |
|
---|
483 | if(len != 29) {
|
---|
484 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "unknown server dcw packet length %d", len);
|
---|
485 | return;
|
---|
486 | }
|
---|
487 |
|
---|
488 | *ecm_task_idx = b2i(4, &buf[0]); // we store idx here instead of ens
|
---|
489 | memcpy(dcw, &buf[13], 16);
|
---|
490 | *rc = 1;
|
---|
491 | }
|
---|
492 |
|
---|
493 | static void scam_client_send_hello(struct s_client *cl)
|
---|
494 | {
|
---|
495 | uchar mbuf[70];
|
---|
496 | uint32_t usernameLen, i = 0;
|
---|
497 | struct s_reader *rdr = cl->reader;
|
---|
498 | struct scam_data *scam = cl->scam;
|
---|
499 |
|
---|
500 | if(scam == NULL) { return; }
|
---|
501 | if(!rdr) { return; }
|
---|
502 |
|
---|
503 | usernameLen = strlen(rdr->r_usr);
|
---|
504 | if(usernameLen > 63) { // because rdr->r_usr is max. 63+1 chars
|
---|
505 | usernameLen = 63;
|
---|
506 | }
|
---|
507 |
|
---|
508 | mbuf[i++] = 0x46; // client hello data type
|
---|
509 | mbuf[i++] = 6 + usernameLen; // will never exceed 63+6 = 69 bytes (<127 bytes)
|
---|
510 |
|
---|
511 | // client version
|
---|
512 | mbuf[i++] = 0xA0; // client version data type
|
---|
513 | mbuf[i++] = 0x02; // data length (2)
|
---|
514 | mbuf[i++] = 0x00; // version ( 0x0007)
|
---|
515 | mbuf[i++] = 0x07;
|
---|
516 |
|
---|
517 | //username
|
---|
518 | mbuf[i++] = 0xA1; // username data type
|
---|
519 | mbuf[i++] = (uint8_t)usernameLen;
|
---|
520 | memcpy(mbuf+i, rdr->r_usr, usernameLen);
|
---|
521 | mbuf[i+usernameLen] = 0;
|
---|
522 |
|
---|
523 | scam_send(cl, mbuf, 8+usernameLen);
|
---|
524 |
|
---|
525 | scam_generate_deskey(rdr->r_pwd, scam->enckey);
|
---|
526 | scam_generate_deskey(rdr->r_pwd, scam->deckey);
|
---|
527 | scam->enc_xor_offset = 0;
|
---|
528 | scam->dec_xor_offset = 0;
|
---|
529 | }
|
---|
530 |
|
---|
531 | static int32_t scam_client_send_ecm(struct s_client *cl, ECM_REQUEST *er, uchar *UNUSED(buf))
|
---|
532 | {
|
---|
533 | // 2481A5 310A
|
---|
534 | // 00C00000 enimga namespace
|
---|
535 | // 0455 tsid
|
---|
536 | // 0001 onid
|
---|
537 | // 151A srvid
|
---|
538 | // 3002
|
---|
539 | // 1843 caid
|
---|
540 | // 3304
|
---|
541 | // 66A1AE16 pat/pmt crc? we currently fill it with chid
|
---|
542 | // 348189
|
---|
543 | // 8130.. ecm
|
---|
544 | // 3501
|
---|
545 | // 02 needed dcws?
|
---|
546 |
|
---|
547 | uchar *mbuf, packetLenData[5], ecmLenData[5];
|
---|
548 | uint32_t i = 0, ret = 0, dataLength = 0, packetLength = 0;
|
---|
549 | uint8_t pLenDataLen = 0, eLenDataLen = 0;
|
---|
550 |
|
---|
551 | if(!scam_client_connect())
|
---|
552 | { return (-1); }
|
---|
553 |
|
---|
554 | scam_encode_length(er->ecmlen, ecmLenData, &eLenDataLen);
|
---|
555 | dataLength = 23 + eLenDataLen + er->ecmlen + 3;
|
---|
556 | scam_encode_length(dataLength, packetLenData, &pLenDataLen);
|
---|
557 | packetLength = 1 + pLenDataLen + dataLength;
|
---|
558 |
|
---|
559 | if(!cs_malloc(&mbuf, packetLength))
|
---|
560 | { return -1; }
|
---|
561 |
|
---|
562 | mbuf[i++] = 0x24; // ecm request data type
|
---|
563 | memcpy(mbuf+i, packetLenData, pLenDataLen); i += pLenDataLen;
|
---|
564 |
|
---|
565 | mbuf[i++] = 0x31; // channel info data type
|
---|
566 | mbuf[i++] = 0x0A; // size is always 0x0A
|
---|
567 |
|
---|
568 | //i2b_buf(4, er->ens, mbuf+i); i += 4;
|
---|
569 | i2b_buf(4, er->idx, mbuf+i); i += 4; // we store idx instead of ens here
|
---|
570 |
|
---|
571 | i2b_buf(2, er->tsid, mbuf+i); i += 2;
|
---|
572 | i2b_buf(2, er->onid, mbuf+i); i += 2;
|
---|
573 | i2b_buf(2, er->srvid, mbuf+i); i += 2;
|
---|
574 |
|
---|
575 | mbuf[i++] = 0x30; // caid data type
|
---|
576 | mbuf[i++] = 0x02; // size is always 0x02
|
---|
577 | i2b_buf(2, er->caid, mbuf+i); i += 2;
|
---|
578 |
|
---|
579 | mbuf[i++] = 0x33; // ??? data type
|
---|
580 | mbuf[i++] = 0x04; // size is always 0x04
|
---|
581 | i2b_buf(2, er->chid, mbuf+i); i += 4;
|
---|
582 |
|
---|
583 | mbuf[i++] = 0x34; // ecm data type
|
---|
584 | memcpy(mbuf+i, ecmLenData, eLenDataLen); i += eLenDataLen;
|
---|
585 | memcpy(mbuf+i, er->ecm, er->ecmlen); i += er->ecmlen;
|
---|
586 |
|
---|
587 | mbuf[i++] = 0x35; // ??? data type
|
---|
588 | mbuf[i++] = 0x01; // size is always 0x01
|
---|
589 | mbuf[i++] = 0x02; // unknown value
|
---|
590 |
|
---|
591 | ret = scam_send(cl, mbuf, packetLength);
|
---|
592 |
|
---|
593 | cs_log_dbg(D_TRACE, "scam: sending ecm");
|
---|
594 | cs_log_dump_dbg(D_CLIENT, mbuf, packetLength, "ecm:");
|
---|
595 | NULLFREE(mbuf);
|
---|
596 | return ((ret < 1) ? (-1) : 0);
|
---|
597 | }
|
---|
598 |
|
---|
599 | static int32_t scam_client_init(struct s_client *cl)
|
---|
600 | {
|
---|
601 | int32_t handle;
|
---|
602 |
|
---|
603 | handle = network_tcp_connection_open(cl->reader);
|
---|
604 | if(handle < 0) {
|
---|
605 | cl->reader->last_s = 0; // set last send to zero
|
---|
606 | cl->reader->last_g = 0; // set last receive to zero
|
---|
607 | cl->last = 0; // set last client action to zero
|
---|
608 | return (0);
|
---|
609 | }
|
---|
610 |
|
---|
611 | if(cl->scam) {
|
---|
612 | memset(cl->scam, 0, sizeof(struct scam_data));
|
---|
613 | }
|
---|
614 |
|
---|
615 | if(!cl->scam && !cs_malloc(&cl->scam, sizeof(struct scam_data))) {
|
---|
616 | return 0;
|
---|
617 | }
|
---|
618 |
|
---|
619 | cs_log("scam: proxy %s:%d (fd=%d)",
|
---|
620 | cl->reader->device, cl->reader->r_port, cl->udp_fd);
|
---|
621 |
|
---|
622 | cl->reader->tcp_connected = 2;
|
---|
623 | cl->reader->card_status = CARD_INSERTED;
|
---|
624 | cl->reader->last_g = cl->reader->last_s = time((time_t *)0);
|
---|
625 |
|
---|
626 | cs_log_dbg(D_CLIENT, "scam: last_s=%ld, last_g=%ld", cl->reader->last_s, cl->reader->last_g);
|
---|
627 |
|
---|
628 | cl->pfd = cl->udp_fd;
|
---|
629 |
|
---|
630 | scam_client_send_hello(cl);
|
---|
631 |
|
---|
632 | return (0);
|
---|
633 | }
|
---|
634 |
|
---|
635 | static int32_t scam_client_handle(struct s_client *cl, uchar *dcw, int32_t *rc, uchar *buf, int32_t n)
|
---|
636 | {
|
---|
637 | uint32_t pos = 0, packetLength = 0, packetOffset = 0, dataLength = 0, dataOffset = 0;
|
---|
638 | int32_t ret = -1;
|
---|
639 |
|
---|
640 | if(n < 3) {
|
---|
641 | return (-1);
|
---|
642 | }
|
---|
643 |
|
---|
644 | scam_decode_length(buf, &packetLength, &packetOffset);
|
---|
645 | pos += packetOffset;
|
---|
646 |
|
---|
647 | if(pos+2 < (uint32_t)n && pos+1+scam_get_length_data_length(buf+pos) < (uint32_t)n) {
|
---|
648 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
649 | }
|
---|
650 | else {
|
---|
651 | return (-1);
|
---|
652 | }
|
---|
653 |
|
---|
654 | while(pos+dataOffset+dataLength-1 < (uint32_t)n)
|
---|
655 | {
|
---|
656 | switch(buf[pos]) {
|
---|
657 | case 0x10: // checksum
|
---|
658 | if(dataLength != 2) { break; }
|
---|
659 | if(b2i(2, &buf[pos+dataOffset]) != ccitt_crc(buf+pos+dataOffset+2, n-pos-dataOffset-2, 0xFFFF, 0)) {
|
---|
660 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent packet with invalid checksum");
|
---|
661 | return (-1);
|
---|
662 | }
|
---|
663 | break;
|
---|
664 |
|
---|
665 | case 0x20: // caid list
|
---|
666 | scam_client_recv_caid(buf+pos+dataOffset, dataLength);
|
---|
667 | break;
|
---|
668 |
|
---|
669 | case 0x45: // server version
|
---|
670 | scam_client_recv_server_version(buf+pos+dataOffset, dataLength);
|
---|
671 | break;
|
---|
672 |
|
---|
673 | case 0x63: // dcw
|
---|
674 | scam_client_recv_dcw(cl, buf+pos+dataOffset, dataLength, dcw, &ret, rc);
|
---|
675 | break;
|
---|
676 |
|
---|
677 | case 0x7F: // padding
|
---|
678 | break;
|
---|
679 |
|
---|
680 | default:
|
---|
681 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "unknown scam server packet %X", buf[pos]);
|
---|
682 | break;
|
---|
683 | }
|
---|
684 |
|
---|
685 | pos += dataOffset+dataLength;
|
---|
686 | if(pos+2 < (uint32_t)n && pos+1+scam_get_length_data_length(buf+pos) < (uint32_t)n) {
|
---|
687 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
688 | }
|
---|
689 | else {
|
---|
690 | break;
|
---|
691 | }
|
---|
692 | }
|
---|
693 |
|
---|
694 | return ret;
|
---|
695 | }
|
---|
696 |
|
---|
697 | // scam server functions
|
---|
698 | static uint8_t scam_server_authip_client(struct s_client *cl)
|
---|
699 | {
|
---|
700 | if(cfg.scam_allowed && !check_ip(cfg.scam_allowed, cl->ip))
|
---|
701 | {
|
---|
702 | cs_log("scam: IP not allowed");
|
---|
703 | cs_auth_client(cl, (struct s_auth *)0, NULL);
|
---|
704 | cs_disconnect_client(cl);
|
---|
705 | return 0;
|
---|
706 | }
|
---|
707 |
|
---|
708 | return 1;
|
---|
709 | }
|
---|
710 |
|
---|
711 | static void scam_server_init(struct s_client *cl)
|
---|
712 | {
|
---|
713 | if(!cl->init_done)
|
---|
714 | {
|
---|
715 | if(IP_ISSET(cl->ip))
|
---|
716 | { cs_log("scam: new connection from %s", cs_inet_ntoa(cl->ip)); }
|
---|
717 |
|
---|
718 | if(scam_server_authip_client(cl)) {
|
---|
719 | if(cl->scam) {
|
---|
720 | memset(cl->scam, 0, sizeof(struct scam_data));
|
---|
721 | }
|
---|
722 | if(cl->scam || cs_malloc(&cl->scam, sizeof(struct scam_data))) {
|
---|
723 | cl->init_done = 1;
|
---|
724 | }
|
---|
725 | }
|
---|
726 | }
|
---|
727 | return;
|
---|
728 | }
|
---|
729 |
|
---|
730 | static void scam_server_recv_ecm(struct s_client *cl, uchar *buf, int32_t len)
|
---|
731 | {
|
---|
732 | uint32_t pos = 0, dataLength = 0, dataOffset = 0, usedLen = 0;
|
---|
733 | ECM_REQUEST *er;
|
---|
734 | uint8_t gotCaid = 0, gotEcm = 0;
|
---|
735 |
|
---|
736 | if(len < 1) {
|
---|
737 | return;
|
---|
738 | }
|
---|
739 |
|
---|
740 | if(!(er = get_ecmtask()))
|
---|
741 | { return; }
|
---|
742 |
|
---|
743 | scam_decode_length(buf, &dataLength, &dataOffset);
|
---|
744 |
|
---|
745 | while(pos+dataOffset+dataLength-1 < (uint32_t)len)
|
---|
746 | {
|
---|
747 | switch(buf[pos]) {
|
---|
748 |
|
---|
749 | case 0x31: // channel data
|
---|
750 | if(dataLength != 0x0A) break;
|
---|
751 | er->ens = b2i(4, buf+pos+dataOffset);
|
---|
752 | er->tsid = b2i(2, buf+pos+dataOffset+4);
|
---|
753 | er->onid = b2i(2, buf+pos+dataOffset+6);
|
---|
754 | er->srvid = b2i(2, buf+pos+dataOffset+8);
|
---|
755 | break;
|
---|
756 |
|
---|
757 | case 0x30: // caid
|
---|
758 | if(dataLength != 0x02) break;
|
---|
759 | er->caid = b2i(2, buf+pos+dataOffset);
|
---|
760 | gotCaid = 1;
|
---|
761 | break;
|
---|
762 |
|
---|
763 | case 0x33: // unknown
|
---|
764 | break;
|
---|
765 |
|
---|
766 | case 0x34: // ecm
|
---|
767 | usedLen = dataLength;
|
---|
768 | if(usedLen > MAX_ECM_SIZE) {
|
---|
769 | usedLen = MAX_ECM_SIZE;
|
---|
770 | }
|
---|
771 | er->ecmlen = usedLen;
|
---|
772 | memcpy(er->ecm, buf+pos+dataOffset, usedLen);
|
---|
773 | gotEcm = 1;
|
---|
774 | break;
|
---|
775 |
|
---|
776 | case 0x35: // unknown
|
---|
777 | break;
|
---|
778 |
|
---|
779 | default:
|
---|
780 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent unknown scam client ecm tag %X", buf[pos]);
|
---|
781 | break;
|
---|
782 | }
|
---|
783 |
|
---|
784 | pos += dataOffset+dataLength;
|
---|
785 | if(pos+2 < (uint32_t)len && pos+1+scam_get_length_data_length(buf+pos) < (uint32_t)len) {
|
---|
786 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
787 | }
|
---|
788 | else {
|
---|
789 | break;
|
---|
790 | }
|
---|
791 | }
|
---|
792 |
|
---|
793 | if(gotCaid && gotEcm) {
|
---|
794 | get_cw(cl, er);
|
---|
795 | }
|
---|
796 | else {
|
---|
797 | NULLFREE(er);
|
---|
798 | cs_log("WARNING: ECM-request corrupt");
|
---|
799 | }
|
---|
800 | }
|
---|
801 |
|
---|
802 | static void scam_caidlist_add(uint16_t *caidlist, uint32_t listsize, uint32_t *count, uint16_t caid)
|
---|
803 | {
|
---|
804 | uint32_t i;
|
---|
805 | uint8_t exists = 0;
|
---|
806 |
|
---|
807 | if(*count >= listsize) {
|
---|
808 | return;
|
---|
809 | }
|
---|
810 |
|
---|
811 | for(i=0; i<*count; i++) {
|
---|
812 | if(caidlist[i] == caid) {
|
---|
813 | exists = 1;
|
---|
814 | break;
|
---|
815 | }
|
---|
816 | }
|
---|
817 |
|
---|
818 | if(!exists) {
|
---|
819 | caidlist[*count] = caid;
|
---|
820 | (*count)++;
|
---|
821 | }
|
---|
822 | }
|
---|
823 |
|
---|
824 | static void scam_server_send_caidlist(struct s_client *cl)
|
---|
825 | {
|
---|
826 | uchar mbuf[5];
|
---|
827 | int32_t j;
|
---|
828 | uint32_t i = 0;
|
---|
829 | uint16_t caids[55];
|
---|
830 | uint32_t cardcount = 0;
|
---|
831 | struct s_reader *rdr = NULL;
|
---|
832 |
|
---|
833 | cs_readlock(&readerlist_lock);
|
---|
834 | for(rdr = first_active_reader; rdr; rdr = rdr->next)
|
---|
835 | {
|
---|
836 | if(rdr->caid && chk_ctab(rdr->caid, &cl->ctab)) {
|
---|
837 | scam_caidlist_add(caids, ARRAY_SIZE(caids), &cardcount, rdr->caid);
|
---|
838 | }
|
---|
839 |
|
---|
840 | for(j = 0; j < rdr->ctab.ctnum; j++) {
|
---|
841 | CAIDTAB_DATA *d = &rdr->ctab.ctdata[j];
|
---|
842 | if(d->caid && chk_ctab(d->caid, &cl->ctab)) {
|
---|
843 | scam_caidlist_add(caids, ARRAY_SIZE(caids), &cardcount, d->caid);
|
---|
844 | }
|
---|
845 | }
|
---|
846 | }
|
---|
847 | cs_readunlock(&readerlist_lock);
|
---|
848 |
|
---|
849 | for(j=0; j < (int32_t)cardcount; j++) {
|
---|
850 | i = 0;
|
---|
851 | mbuf[i++] = 0x20; // caid data type
|
---|
852 | mbuf[i++] = 0x03; // length
|
---|
853 | mbuf[i++] = 0x01; // active card
|
---|
854 | i2b_buf(2, caids[j], mbuf+i);
|
---|
855 | scam_send(cl, mbuf, 5);
|
---|
856 | }
|
---|
857 | }
|
---|
858 |
|
---|
859 | static void scam_server_send_serverversion(struct s_client *cl)
|
---|
860 | {
|
---|
861 | uchar mbuf[64];
|
---|
862 | uint32_t i = 0;
|
---|
863 | char *version = "scam/3.60 oscam";
|
---|
864 | uint8_t vlen = strlen(version);
|
---|
865 |
|
---|
866 | mbuf[i++] = 0x45; // server version data type
|
---|
867 | mbuf[i++] = 2+vlen+4; // will never exceed 127 bytes
|
---|
868 |
|
---|
869 | mbuf[i++] = 0x01; // server version string data type
|
---|
870 | mbuf[i++] = vlen; // will never exceed 127 bytes
|
---|
871 | memcpy(mbuf+i, version, vlen); i += vlen;
|
---|
872 |
|
---|
873 | mbuf[i++] = 0x0A; // server version short data type
|
---|
874 | mbuf[i++] = 0x02; // is always 0x02
|
---|
875 | i2b_buf(2, 0x7, mbuf+i);
|
---|
876 |
|
---|
877 | scam_send(cl, mbuf, 2+2+vlen+4);
|
---|
878 | }
|
---|
879 |
|
---|
880 | static void scam_server_recv_auth(struct s_client *cl, uchar *buf, int32_t len)
|
---|
881 | {
|
---|
882 | uint32_t pos = 0, dataLength = 0, dataOffset = 0, usedLen = 0;
|
---|
883 | uint8_t userok = 0;
|
---|
884 | struct s_auth *account;
|
---|
885 | struct scam_data *scam = cl->scam;
|
---|
886 |
|
---|
887 | if(scam == NULL) { return; }
|
---|
888 | scam->login_username[0] = 0;
|
---|
889 |
|
---|
890 | if(len < 1) {
|
---|
891 | return;
|
---|
892 | }
|
---|
893 |
|
---|
894 | scam_decode_length(buf, &dataLength, &dataOffset);
|
---|
895 |
|
---|
896 | while(pos+dataOffset+dataLength-1 < (uint32_t)len)
|
---|
897 | {
|
---|
898 | switch(buf[pos]) {
|
---|
899 |
|
---|
900 | case 0xA0: // version short
|
---|
901 | if(dataLength != 2) break;
|
---|
902 | scam->version = (buf[pos+dataOffset] << 8) | buf[pos+dataOffset+1];
|
---|
903 | break;
|
---|
904 |
|
---|
905 | case 0xA1: // username string
|
---|
906 | usedLen = dataLength;
|
---|
907 | if(usedLen > 64) {
|
---|
908 | usedLen = 63;
|
---|
909 | }
|
---|
910 | memcpy(scam->login_username, buf+pos+dataOffset, usedLen);
|
---|
911 | scam->login_username[usedLen] = 0;
|
---|
912 | break;
|
---|
913 |
|
---|
914 | default:
|
---|
915 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "unknown client auth packet tag %X", buf[pos]);
|
---|
916 | break;
|
---|
917 | }
|
---|
918 |
|
---|
919 | pos += dataOffset+dataLength;
|
---|
920 | if(pos+2 < (uint32_t)len && pos+1+scam_get_length_data_length(buf+pos) < (uint32_t)len) {
|
---|
921 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
922 | }
|
---|
923 | else {
|
---|
924 | break;
|
---|
925 | }
|
---|
926 | }
|
---|
927 |
|
---|
928 | for(account = cfg.account; account; account = account->next)
|
---|
929 | {
|
---|
930 | if(streq(scam->login_username, account->usr))
|
---|
931 | {
|
---|
932 | userok = 1;
|
---|
933 | break;
|
---|
934 | }
|
---|
935 | }
|
---|
936 |
|
---|
937 | if(!userok)
|
---|
938 | {
|
---|
939 | cs_auth_client(cl, (struct s_auth *)0, NULL);
|
---|
940 | cs_disconnect_client(cl);
|
---|
941 | return;
|
---|
942 | }
|
---|
943 |
|
---|
944 | scam->login_pending = 1;
|
---|
945 | scam_generate_deskey(account->pwd, scam->enckey);
|
---|
946 | scam_generate_deskey(account->pwd, scam->deckey);
|
---|
947 | scam->enc_xor_offset = 0;
|
---|
948 | scam->dec_xor_offset = 0;
|
---|
949 |
|
---|
950 | scam_server_send_caidlist(cl);
|
---|
951 | scam_server_send_serverversion(cl);
|
---|
952 | }
|
---|
953 |
|
---|
954 | static void scam_server_send_dcw(struct s_client *cl, ECM_REQUEST *er)
|
---|
955 | {
|
---|
956 | uchar mbuf[31];
|
---|
957 | uint32_t i = 0;
|
---|
958 |
|
---|
959 | if(!(er->rc < E_NOTFOUND)) {
|
---|
960 | return;
|
---|
961 | }
|
---|
962 |
|
---|
963 | mbuf[i++] = 0x63; // dcw data type
|
---|
964 | mbuf[i++] = 0x1D; // fixed sized < 127
|
---|
965 |
|
---|
966 | i2b_buf(4, er->ens, mbuf+i); i += 4;
|
---|
967 | i2b_buf(2, er->tsid, mbuf+i); i += 2;
|
---|
968 | i2b_buf(2, er->onid, mbuf+i); i += 2;
|
---|
969 | i2b_buf(2, er->srvid, mbuf+i); i += 2;
|
---|
970 |
|
---|
971 | mbuf[i++] = 0x20; // unknown
|
---|
972 | mbuf[i++] = 0x00; // unknown
|
---|
973 | mbuf[i++] = 0x81; // unknown
|
---|
974 | memcpy(mbuf+i, er->cw, 16);
|
---|
975 |
|
---|
976 | scam_send(cl, mbuf, 31);
|
---|
977 | }
|
---|
978 |
|
---|
979 | static void *scam_server_handle(struct s_client *cl, uchar *buf, int32_t n)
|
---|
980 | {
|
---|
981 | uint32_t pos = 0, packetLength = 0, packetOffset = 0, dataLength = 0, dataOffset = 0;
|
---|
982 | struct s_auth *account;
|
---|
983 | struct scam_data *scam;
|
---|
984 |
|
---|
985 | if(n < 3)
|
---|
986 | { return NULL; }
|
---|
987 |
|
---|
988 | if(!cl->init_done)
|
---|
989 | {
|
---|
990 | if(!scam_server_authip_client(cl)) { return NULL; }
|
---|
991 | if(cl->scam) {
|
---|
992 | memset(cl->scam, 0, sizeof(struct scam_data));
|
---|
993 | }
|
---|
994 | if(cl->scam == NULL && !cs_malloc(&cl->scam, sizeof(struct scam_data))) {
|
---|
995 | return NULL;
|
---|
996 | }
|
---|
997 | cl->init_done = 1;
|
---|
998 | }
|
---|
999 |
|
---|
1000 | scam = cl->scam;
|
---|
1001 | if(scam == NULL) {
|
---|
1002 | return NULL;
|
---|
1003 | }
|
---|
1004 |
|
---|
1005 | scam_decode_length(buf, &packetLength, &packetOffset);
|
---|
1006 | pos += packetOffset;
|
---|
1007 |
|
---|
1008 | if(scam->login_pending && packetLength > 1 && (buf[pos] != 0x10 || buf[pos+1] != 0x02)) {
|
---|
1009 | scam->login_pending = 0;
|
---|
1010 | cs_auth_client(cl, (struct s_auth *)0, NULL);
|
---|
1011 | cs_disconnect_client(cl);
|
---|
1012 | return NULL;
|
---|
1013 | }
|
---|
1014 |
|
---|
1015 | if(pos+2 < (uint32_t)n && pos+1+scam_get_length_data_length(buf+pos) < (uint32_t)n) {
|
---|
1016 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
1017 | }
|
---|
1018 | else {
|
---|
1019 | return NULL;
|
---|
1020 | }
|
---|
1021 |
|
---|
1022 | while(pos+dataOffset+dataLength-1 < (uint32_t)n)
|
---|
1023 | {
|
---|
1024 | switch(buf[pos]) {
|
---|
1025 |
|
---|
1026 | case 0x10: // checksum
|
---|
1027 | if(dataLength != 2) { break; }
|
---|
1028 | if(b2i(2, &buf[pos+dataOffset]) != ccitt_crc(buf+pos+dataOffset+2, n-pos-dataOffset-2, 0xFFFF, 0)) {
|
---|
1029 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent packet with invalid checksum");
|
---|
1030 | return NULL;
|
---|
1031 | }
|
---|
1032 | if(scam->login_pending) {
|
---|
1033 | for(account = cfg.account; account; account = account->next) {
|
---|
1034 | if(streq(scam->login_username, account->usr)) {
|
---|
1035 | scam->login_pending = 0;
|
---|
1036 | if(!cs_auth_client(cl, account, NULL)) {
|
---|
1037 | cs_log("scam client login: %s version: %d", scam->login_username, scam->version);
|
---|
1038 | }
|
---|
1039 | else {
|
---|
1040 | cs_disconnect_client(cl);
|
---|
1041 | }
|
---|
1042 | break;
|
---|
1043 | }
|
---|
1044 | }
|
---|
1045 | if(scam->login_pending)
|
---|
1046 | {
|
---|
1047 | scam->login_pending = 0;
|
---|
1048 | cs_auth_client(cl, (struct s_auth *)0, NULL);
|
---|
1049 | cs_disconnect_client(cl);
|
---|
1050 | return NULL;
|
---|
1051 | }
|
---|
1052 | }
|
---|
1053 | break;
|
---|
1054 |
|
---|
1055 | case 0x46: // client auth
|
---|
1056 | scam_server_recv_auth(cl, buf+pos+dataOffset, dataLength);
|
---|
1057 | break;
|
---|
1058 |
|
---|
1059 | case 0x24: // ecm request
|
---|
1060 | scam_server_recv_ecm(cl, buf+pos+dataOffset, dataLength);
|
---|
1061 | break;
|
---|
1062 |
|
---|
1063 | case 0x7F: // padding
|
---|
1064 | break;
|
---|
1065 |
|
---|
1066 | default:
|
---|
1067 | cs_log_dbg(cl->typ == 'c' ? D_CLIENT : D_READER, "sent unknown scam client packet %X", buf[pos]);
|
---|
1068 | break;
|
---|
1069 | }
|
---|
1070 |
|
---|
1071 | pos += dataOffset+dataLength;
|
---|
1072 | if(pos+2 < (uint32_t)n && pos+1+scam_get_length_data_length(buf+pos) < (uint32_t)n) {
|
---|
1073 | scam_decode_length(buf+pos, &dataLength, &dataOffset);
|
---|
1074 | }
|
---|
1075 | else {
|
---|
1076 | break;
|
---|
1077 | }
|
---|
1078 | }
|
---|
1079 |
|
---|
1080 | return NULL;
|
---|
1081 | }
|
---|
1082 |
|
---|
1083 | void scam_cleanup(struct s_client *cl)
|
---|
1084 | {
|
---|
1085 | NULLFREE(cl->scam);
|
---|
1086 | }
|
---|
1087 |
|
---|
1088 | void module_scam(struct s_module *ph)
|
---|
1089 | {
|
---|
1090 | ph->desc = "scam";
|
---|
1091 | ph->type = MOD_CONN_TCP;
|
---|
1092 | ph->listenertype = LIS_SCAM;
|
---|
1093 | ph->num = R_SCAM;
|
---|
1094 | ph->large_ecm_support = 1;
|
---|
1095 | IP_ASSIGN(ph->s_ip, cfg.scam_srvip);
|
---|
1096 | ph->ptab.nports = 1;
|
---|
1097 | ph->ptab.ports[0].s_port = cfg.scam_port;
|
---|
1098 | // server + client
|
---|
1099 | ph->recv = scam_recv;
|
---|
1100 | ph->cleanup = scam_cleanup;
|
---|
1101 | // server
|
---|
1102 | ph->s_init = scam_server_init;
|
---|
1103 | ph->s_handler = scam_server_handle;
|
---|
1104 | ph->send_dcw = scam_server_send_dcw;
|
---|
1105 | // client
|
---|
1106 | ph->c_init = scam_client_init;
|
---|
1107 | ph->c_idle = scam_client_idle;
|
---|
1108 | ph->c_recv_chk = scam_client_handle;
|
---|
1109 | ph->c_send_ecm = scam_client_send_ecm;
|
---|
1110 | }
|
---|
1111 |
|
---|
1112 | #endif
|
---|