SILC_SKE_STATUS_BAD_PAYLOAD_LENGTH, /* Payload includes garbage */
SILC_SKE_STATUS_SIGNATURE_ERROR, /* Error computing signature */
SILC_SKE_STATUS_OUT_OF_MEMORY, /* System out of memory */
+ SILC_SKE_STATUS_TIMEOUT, /* Timeout */
} SilcSKEStatus;
/***/
SilcHmac hmac; /* Selected HMAC */
SilcHash hash; /* Selected hash algorithm */
SilcPublicKey public_key; /* Remote public key */
+ SilcUInt16 remote_port; /* Remote port, set when IV Included
+ set and using UDP/IP */
} *SilcSKESecurityProperties;
/***/
* DESCRIPTION
*
* This is the key material structure, and is passed as argument by the
- * application to silc_ske_process_key_material* functions. It includes
+ * application to silc_ske_process_key_material_data function. It includes
* the processed key material which can be used as SILC session keys.
*
* SOURCE
* This context is returned after key exchange protocol to application
* in the completion callback. Application may save it and use it later
* to perform the rekey with silc_ske_rekey_initiator_start and/or
- * silc_ske_rekey_responder_start functions. If application does not
+ * silc_ske_rekey_responder functions. If application does not
* need the context, it may free it with silc_free function.
*
* Application may save application specific data to `user_context'.
} *SilcSKERekeyMaterial;
/***/
+/****s* silcske/SilcSKEAPI/SilcSKEParams
+ *
+ * NAME
+ *
+ * typedef struct { ... } *SilcSKEParams, SilcSKEParamsStruct;
+ *
+ * DESCRIPTION
+ *
+ * SKE parameters structure. This structure is given as argument to
+ * silc_ske_initiator and silc_ske_responder functions.
+ *
+ * SOURCE
+ */
+typedef struct {
+ /* The SKE version string that is sent to the remote end. This field
+ must be set. Caller must free the pointer. */
+ char *version;
+
+ /* Security property flags. When initiator sets these it requests them
+ from the responder. Responder may set here the flags it supports
+ and wants to enforce for the initiator. */
+ SilcSKESecurityPropertyFlag flags;
+
+ /* SILC Session port when using UDP/IP and SILC_SKE_SP_FLAG_IV_INCLUDED
+ flag. It is the port the remote will use as SILC session port after
+ the key exchange protocol. Ignored without SILC_SKE_SP_FLAG_IV_INCLUDED
+ flag. */
+ SilcUInt16 session_port;
+} *SilcSKEParams, SilcSKEParamsStruct;
+/***/
+
/****d* silcske/SilcSKEAPI/SilcSKEPKType
*
* NAME
*
* Completion callback that will be called when the public key
* has been verified. The `status' will indicate whether the public
- * key were trusted or not. If the `status' is PENDING then the status
- * is not considered to be available at this moment. In this case the
- * SKE libary will assume that the caller will call this callback again
- * when the status is available. See silc_ske_set_callbacks for more
- * information.
+ * key were trusted or not.
*
***/
typedef void (*SilcSKEVerifyCbCompletion)(SilcSKE ske,
* callback is called only if the key is not found from the repository.
*
* The `public_key' and `private_key' is the caller's identity used
- * during the key exchange.
+ * during the key exchange. Giving `private_key' is optional if the
+ * SILC_SKE_SP_FLAG_MUTUAL is not set and you are initiator. For
+ * responder both `public_key' and `private_key' must be set.
*
* EXMPALE
*
* // Initiator example
+ * params.version = version;
+ * params.flags = SILC_SKE_SP_FLAG_PFS | SILC_SKE_SP_FLAG_MUTUAL;
* ske = silc_ske_alloc(rng, scheduler, NULL, pk, prv, app);
* silc_ske_set_callbacks(ske, verify_public_key, completion, app);
- * start_payload =
- * silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_PFS |
- * SILC_SKE_SP_FLAG_MUTUAL,
- * version);
- * silc_ske_initiator_start(ske, stream, start_payload);
+ * silc_ske_initiator_start(ske, stream, ¶ms, NULL);
*
***/
SilcSKE silc_ske_alloc(SilcRng rng, SilcSchedule schedule,
* SYNOPSIS
*
* SilcAsyncOperation
- * silc_ske_initiator_start(SilcSKE ske,
- * SilcPacketStream stream,
- * SilcSKEStartPayload start_payload);
+ * silc_ske_initiator(SilcSKE ske,
+ * SilcPacketStream stream,
+ * SilcSKEParams params,
+ SilcSKEStartPayload start_payload);
*
* DESCRIPTION
*
* callback that was set in silc_ske_set_callbacks will be called once
* the protocol has completed. The `stream' is the network connection
* to the remote host. The SKE library will handle all key exchange
- * packets sent and received in the `stream' connection.
+ * packets sent and received in the `stream' connection. The library will
+ * also set the remote host's ID automatically to the `stream'. The
+ * `params' include SKE parameters, and it must be provided.
*
- * The `start_payload' includes all configured security properties that
- * will be sent to the responder. The `start_payload' must be provided.
- * It can be created by calling silc_ske_assemble_security_properties
- * function. The caller must not free the payload once it has been
- * given as argument to this function.
+ * If the `start_payload' is NULL the library will generate it
+ * automatically. Caller may provide it if it wants to send its own
+ * security properties instead of using the default ones library
+ * generates. If caller provides it, it must not free it once it has
+ * been given as argument to this function.
*
* This function returns SilcAsyncOperation operation context which can
* be used to control the protocol from the application. Application may
SilcAsyncOperation
silc_ske_initiator(SilcSKE ske,
SilcPacketStream stream,
+ SilcSKEParams params,
SilcSKEStartPayload start_payload);
-/****f* silcske/SilcSKEAPI/silc_ske_responder_start
+/****f* silcske/SilcSKEAPI/silc_ske_responder
*
* SYNOPSIS
*
* SilcAsyncOperation
- * silc_ske_responder_start(SilcSKE ske,
- * SilcPacketStream stream,
- * const char *version,
- * SilcBuffer start_payload,
- * SilcSKESecurityPropertyFlag flags);
+ * silc_ske_responder(SilcSKE ske,
+ * SilcPacketStream stream,
+ * SilcSKEParams params);
*
* DESCRIPTION
*
* callback that was set in silc_ske_set_callbacks will be called once
* the protocol has completed. The `stream' is the network connection
* to the remote host. The SKE library will handle all key exchange
- * packets sent and received in the `stream' connection.
- *
- * The `version' is the responder's SILC protocol version that will be
- * sent in reply to the initiator. The `flags' indicates the
- * SilcSKESecurityPropertyFlag flags that responder supports and enforces
- * for the initiator. Responder may, for example, enforce that the PFS
- * will be performed in rekey.
+ * packets sent and received in the `stream' connection. The `params'
+ * include SKE parameters, and must be provided.
*
* This function returns SilcAsyncOperation operation context which can
* be used to control the protocol from the application. Application may
SilcAsyncOperation
silc_ske_responder(SilcSKE ske,
SilcPacketStream stream,
- const char *version,
- SilcSKESecurityPropertyFlag flags);
+ SilcSKEParams params);
SilcAsyncOperation
silc_ske_rekey_initiator(SilcSKE ske,
SilcBuffer ke_payload,
SilcSKERekeyMaterial rekey);
-/****f* silcske/SilcSKEAPI/silc_ske_assemble_security_properties
- *
- * SYNOPSIS
- *
- * SilcSKEStartPayload
- * silc_ske_assemble_security_properties(SilcSKE ske,
- * SilcSKESecurityPropertyFlag flags,
- * const char *version);
- *
- * DESCRIPTION
- *
- * Assembles security properties to Key Exchange Start Payload to be
- * sent to the remote end. This checks system wide (SILC system, that is)
- * settings and chooses from those. However, if other properties
- * should be used this function is easy to replace by another function.
- * Returns NULL on error. This is an utility function. This is used
- * by the initiator of the protocol. The `version' is the local SILC
- * protocol version string.
- *
- ***/
-SilcSKEStartPayload
-silc_ske_assemble_security_properties(SilcSKE ske,
- SilcSKESecurityPropertyFlag flags,
- const char *version);
-
-/****f* silcske/SilcSKEAPI/silc_ske_assemble_security_properties
+/****f* silcske/SilcSKEAPI/silc_ske_set_keys
*
* SYNOPSIS
*
*
* DESCRIPTION
*
- * Utility function to parse the remote host's version string.
+ * Utility function to parse the remote host's version string. This can
+ * be called after the key exchange has been completed.
*
***/
SilcBool silc_ske_parse_version(SilcSKE ske,
char **software_version_string,
char **vendor_version);
+/****f* silcske/SilcSKEAPI/silc_ske_get_security_properties
+ *
+ * SYNOPSIS
+ *
+ * SilcSKESecurityProperties silc_ske_get_security_properties(SilcSKE ske);
+ *
+ * DESCRIPTION
+ *
+ * Returns negotiated security properties from the `ske' or NULL if they
+ * have not yet been negotiated. This may be called to retrieve the
+ * security properties after the SilcSKECompletionCb has been called.
+ *
+ ***/
+SilcSKESecurityProperties silc_ske_get_security_properties(SilcSKE ske);
+
+/****f* silcske/SilcSKEAPI/silc_ske_get_key_material
+ *
+ * SYNOPSIS
+ *
+ * SilcSKEKeyMaterial silc_ske_get_key_material(SilcSKE ske);
+ *
+ * DESCRIPTION
+ *
+ * Returns the negotiated key material from the `ske' or NULL if the
+ * key material does not exist. The caller must not free the returned
+ * pointer.
+ *
+ ***/
+SilcSKEKeyMaterial silc_ske_get_key_material(SilcSKE ske);
+
+/****f* silcske/SilcSKEAPI/silc_ske_process_key_material_data
+ *
+ * SYNOPSIS
+ *
+ * const char *silc_ske_map_status(SilcSKEStatus status);
+ *
+ * DESCRIPTION
+ *
+ * Utility function to process key data `data' in the way specified
+ * by the SILC Key Exchange protocol. This returns the processed key
+ * material or NULL on error. Caller must free the returned key
+ * material context by calling silc_ske_free_key_material.
+ *
+ ***/
+SilcSKEKeyMaterial
+silc_ske_process_key_material_data(unsigned char *data,
+ SilcUInt32 data_len,
+ SilcUInt32 req_iv_len,
+ SilcUInt32 req_enc_key_len,
+ SilcUInt32 req_hmac_key_len,
+ SilcHash hash);
+
+/****f* silcske/SilcSKEAPI/silc_ske_free_key_material
+ *
+ * SYNOPSIS
+ *
+ * void silc_ske_free_key_material(SilcSKEKeyMaterial key)
+ *
+ * DESCRIPTION
+ *
+ * Utility function to free the key material created by calling
+ * silc_ske_process_key_material_data.
+ *
+ ***/
+void silc_ske_free_key_material(SilcSKEKeyMaterial key);
+
/****f* silcske/SilcSKEAPI/silc_ske_map_status
*
* SYNOPSIS