Deprecated No Reply SKE flag, introduced IV Included flag.
[silc.git] / lib / silcske / silcske.c
index e87b50b38b2da616a867abd863603dd4bfcea07e..4fd34f780c840b044f56b68d95f36f7f02c30774 100644 (file)
@@ -495,6 +495,7 @@ static void silc_ske_initiator_finish_final(SilcSKE ske,
     if (!silc_pkcs_public_key_decode(payload->pk_data, payload->pk_len, 
                                     &public_key)) {
       status = SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY;
+      SILC_LOG_ERROR(("Unsupported/malformed public key received"));
       if (ske->callbacks->proto_continue)
        ske->callbacks->proto_continue(ske, ske->callbacks->context);
       return;
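Review bot: The failure at line 7 is stored only in the local `status` before `proto_continue` is invoked and the function returns, so unless `ske->status` is written earlier in silc_ske_initiator_finish_final (the function begins outside the hunk) the continuation callback sees no error even though the new SILC_LOG_ERROR reports one. The responder counterpart at @@ -854 writes `ske->status` directly, and this branch should match it: `ske->status = status = SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY;` ahead of the callback. The log line itself is placed well, right after the status assignment and before control leaves the function.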
@@ -517,8 +518,7 @@ static void silc_ske_initiator_finish_final(SilcSKE ske,
     silc_pkcs_public_key_set(ske->prop->pkcs, public_key);
     if (silc_pkcs_verify(ske->prop->pkcs, payload->sign_data, 
                         payload->sign_len, hash, hash_len) == FALSE) {
-      
-      SILC_LOG_DEBUG(("Signature don't match"));
+      SILC_LOG_ERROR(("Signature verification failed, incorrect signature"));
       status = SILC_SKE_STATUS_INCORRECT_SIGNATURE;
       goto err;
     }
@@ -693,6 +693,13 @@ SilcSKEStatus silc_ske_responder_start(SilcSKE ske, SilcRng rng,
     remote_payload->flags |= SILC_SKE_SP_FLAG_PFS;
   }
 
+  /* Disable IV Included flag if requested */
+  if (remote_payload->flags & SILC_SKE_SP_FLAG_IV_INCLUDED &&
+      !(flags & SILC_SKE_SP_FLAG_IV_INCLUDED)) {
+    SILC_LOG_DEBUG(("We do not support IV Included flag"));
+    remote_payload->flags &= ~SILC_SKE_SP_FLAG_IV_INCLUDED;
+  }
+
   /* Parse and select the security properties from the payload */
   payload = silc_calloc(1, sizeof(*payload));
   status = silc_ske_select_security_properties(ske, version,
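Review bot: The condition at lines 27–28 mixes a bitwise `&` test with `&&` without parentheses; it parses as intended because `&` binds tighter than `&&`, but the grouping is easy to misread in a negotiation check, so write it as `if ((remote_payload->flags & SILC_SKE_SP_FLAG_IV_INCLUDED) &&`. Stripping a property flag the peer asked for is logged only at SILC_LOG_DEBUG, while the rest of this commit promotes negotiation problems to SILC_LOG_ERROR; a downgrade of the peer's requested properties is worth a visible record, e.g. `SILC_LOG_WARNING(("Remote requested IV Included, disabling it as not supported locally"));`. silc_ske_responder_start starts before the hunk, so whether `flags` is validated earlier cannot be seen here.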
@@ -854,6 +861,7 @@ static void silc_ske_responder_phase2_final(SilcSKE ske,
                                     recv_payload->pk_len, 
                                     &public_key)) {
       ske->status = SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY;
+      SILC_LOG_ERROR(("Unsupported/malformed public key received"));
       if (ske->callbacks->proto_continue)
        ske->callbacks->proto_continue(ske, ske->callbacks->context);
       return;
@@ -876,9 +884,7 @@ static void silc_ske_responder_phase2_final(SilcSKE ske,
     silc_pkcs_public_key_set(ske->prop->pkcs, public_key);
     if (silc_pkcs_verify(ske->prop->pkcs, recv_payload->sign_data, 
                         recv_payload->sign_len, hash, hash_len) == FALSE) {
-      
-      SILC_LOG_DEBUG(("Signature don't match"));
-      
+      SILC_LOG_ERROR(("Signature verification failed, incorrect signature"));
       ske->status = SILC_SKE_STATUS_INCORRECT_SIGNATURE;
       if (ske->callbacks->proto_continue)
        ske->callbacks->proto_continue(ske, ske->callbacks->context);
@@ -969,7 +975,7 @@ SilcSKEStatus silc_ske_responder_phase_2(SilcSKE ske,
     SILC_LOG_DEBUG(("We are doing mutual authentication"));
     
     if (!recv_payload->pk_data && ske->callbacks->verify_key) {
-      SILC_LOG_DEBUG(("Remote end did not send its public key (or "
+      SILC_LOG_ERROR(("Remote end did not send its public key (or "
                      "certificate), even though we require it"));
       ske->status = SILC_SKE_STATUS_PUBLIC_KEY_NOT_PROVIDED;
       return status;
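Review bot: Line 62 records SILC_SKE_STATUS_PUBLIC_KEY_NOT_PROVIDED in `ske->status`, but line 63 still returns the local `status`; if `status` holds the OK value at this point (its initialisation is outside the hunk, as silc_ske_responder_phase_2 starts earlier), the caller is told the phase succeeded although the public key the policy requires is missing. Returning the value just stored removes the discrepancy: `return ske->status;`. Raising the log level to SILC_LOG_ERROR is appropriate here, since a peer omitting a required key is a policy failure rather than a debugging detail.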
@@ -1598,18 +1604,17 @@ static SilcSKEStatus silc_ske_create_rnd(SilcSKE ske, SilcMPInt *n,
   SILC_LOG_DEBUG(("Creating random number"));
 
   /* Get the random number as string */
-  string = silc_rng_get_rn_data(ske->rng, (len / 8));
+  string = silc_rng_get_rn_data(ske->rng, ((len - 1) / 8));
   if (!string)
     return SILC_SKE_STATUS_OUT_OF_MEMORY;
 
   /* Decode the string into a MP integer */
-  silc_mp_bin2mp(string, (len / 8), rnd);
+  silc_mp_bin2mp(string, ((len - 1) / 8), rnd);
   silc_mp_mod_2exp(rnd, rnd, len);
 
   /* Checks */
   if (silc_mp_cmp_ui(rnd, 1) < 0)
     status = SILC_SKE_STATUS_ERROR;
-
   if (silc_mp_cmp(rnd, n) >= 0)
     status = SILC_SKE_STATUS_ERROR;