X-Git-Url: http://git.silcnet.org/gitweb/?a=blobdiff_plain;f=apps%2Fsilcd%2Fprotocol.c;h=a7a1b707d7d1a39000626dbf555ac8f20a52cd2d;hb=d47a87b03b846e2333ef57b2c0d81f1644992964;hp=88de68d42d742760b1cbcdd1430355e54ce637ad;hpb=72c7b823b3aa22af4f0c206e76e3fdabaf2ed7a6;p=silc.git diff --git a/apps/silcd/protocol.c b/apps/silcd/protocol.c index 88de68d4..a7a1b707 100644 --- a/apps/silcd/protocol.c +++ b/apps/silcd/protocol.c @@ -2,7 +2,7 @@ protocol.c - Author: Pekka Riikonen + Author: Pekka Riikonen Copyright (C) 1997 - 2001 Pekka Riikonen @@ -56,6 +56,13 @@ silc_verify_public_key_internal(SilcServer server, SilcSocketConnection sock, return TRUE; } + /* XXX For now, accept server keys without verification too. We are + currently always doing mutual authentication so the proof of posession + of the private key is verified, and if server is authenticated in + conn auth protocol with public key we MUST have the key already. */ + return TRUE; + /* Rest is unreachable code! */ + memset(filename, 0, sizeof(filename)); memset(file, 0, sizeof(file)); snprintf(file, sizeof(file) - 1, "serverkey_%s_%d.pub", sock->hostname, @@ -124,12 +131,11 @@ silc_verify_public_key_internal(SilcServer server, SilcSocketConnection sock, /* Save the key for future checking */ unlink(filename); - silc_pkcs_save_public_key_data(filename, pk, pk_len, - SILC_PKCS_FILE_PEM); + silc_pkcs_save_public_key_data(filename, pk, pk_len, SILC_PKCS_FILE_PEM); return TRUE; } - if (memcmp(encpk, pk, encpk_len)) { + if (memcmp(pk, encpk, encpk_len)) { SILC_LOG_WARNING(("%s (%s) port %d server public key does not match " "with local copy", sock->hostname, sock->ip, sock->port)); @@ -199,7 +205,8 @@ static void silc_server_protocol_ke_send_packet(SilcSKE ske, /* Sets the negotiated key material into use for particular connection. */ -int silc_server_protocol_ke_set_keys(SilcSKE ske, +int silc_server_protocol_ke_set_keys(SilcServer server, + SilcSKE ske, SilcSocketConnection sock, SilcSKEKeyMaterial *keymat, SilcCipher cipher, @@ -227,6 +234,23 @@ int silc_server_protocol_ke_set_keys(SilcSKE ske, return FALSE; } + if (!silc_hmac_alloc((char *)silc_hmac_get_name(hmac), NULL, + &idata->hmac_send)) { + silc_cipher_free(idata->send_key); + silc_cipher_free(idata->receive_key); + silc_free(conn_data); + return FALSE; + } + + if (!silc_hmac_alloc((char *)silc_hmac_get_name(hmac), NULL, + &idata->hmac_receive)) { + silc_cipher_free(idata->send_key); + silc_cipher_free(idata->receive_key); + silc_hmac_free(idata->hmac_send); + silc_free(conn_data); + return FALSE; + } + if (is_responder == TRUE) { silc_cipher_set_key(idata->send_key, keymat->receive_enc_key, keymat->enc_key_len); @@ -234,6 +258,10 @@ int silc_server_protocol_ke_set_keys(SilcSKE ske, silc_cipher_set_key(idata->receive_key, keymat->send_enc_key, keymat->enc_key_len); silc_cipher_set_iv(idata->receive_key, keymat->send_iv); + silc_hmac_set_key(idata->hmac_send, keymat->receive_hmac_key, + keymat->hmac_key_len); + silc_hmac_set_key(idata->hmac_receive, keymat->send_hmac_key, + keymat->hmac_key_len); } else { silc_cipher_set_key(idata->send_key, keymat->send_enc_key, keymat->enc_key_len); @@ -241,6 +269,10 @@ int silc_server_protocol_ke_set_keys(SilcSKE ske, silc_cipher_set_key(idata->receive_key, keymat->receive_enc_key, keymat->enc_key_len); silc_cipher_set_iv(idata->receive_key, keymat->receive_iv); + silc_hmac_set_key(idata->hmac_send, keymat->send_hmac_key, + keymat->hmac_key_len); + silc_hmac_set_key(idata->hmac_receive, keymat->receive_hmac_key, + keymat->hmac_key_len); } idata->rekey = silc_calloc(1, sizeof(*idata->rekey)); @@ -255,38 +287,38 @@ int silc_server_protocol_ke_set_keys(SilcSKE ske, idata->rekey->pfs = TRUE; idata->rekey->ske_group = silc_ske_group_get_number(group); - /* Save the remote host's public key */ - silc_pkcs_public_key_decode(ske->ke1_payload->pk_data, - ske->ke1_payload->pk_len, &idata->public_key); - /* Save the hash */ if (!silc_hash_alloc(hash->hash->name, &idata->hash)) { silc_cipher_free(idata->send_key); silc_cipher_free(idata->receive_key); + silc_hmac_free(idata->hmac_send); + silc_hmac_free(idata->hmac_receive); silc_free(conn_data); return FALSE; } - /* Save HMAC key to be used in the communication. */ - if (!silc_hmac_alloc(hmac->hmac->name, NULL, &idata->hmac_send)) { - silc_cipher_free(idata->send_key); - silc_cipher_free(idata->receive_key); - silc_hash_free(idata->hash); - silc_free(conn_data); - return FALSE; - } - silc_hmac_set_key(idata->hmac_send, keymat->hmac_key, keymat->hmac_key_len); - idata->hmac_receive = idata->hmac_send; + /* Save the remote host's public key */ + silc_pkcs_public_key_decode(ske->ke1_payload->pk_data, + ske->ke1_payload->pk_len, &idata->public_key); + if (ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL) + silc_hash_make(server->sha1hash, ske->ke1_payload->pk_data, + ske->ke1_payload->pk_len, idata->fingerprint); sock->user_data = (void *)conn_data; + SILC_LOG_INFO(("%s (%s) security properties: %s %s %s", + sock->hostname, sock->ip, + idata->send_key->cipher->name, + (char *)silc_hmac_get_name(idata->hmac_send), + idata->hash->hash->name)); + return TRUE; } /* Check remote host version string */ SilcSKEStatus silc_ske_check_version(SilcSKE ske, unsigned char *version, - uint32 len) + uint32 len, void *context) { SilcSKEStatus status = SILC_SKE_STATUS_OK; char *cp; @@ -335,9 +367,19 @@ SilcSKEStatus silc_ske_check_version(SilcSKE ske, unsigned char *version, if (maj != maj2) status = SILC_SKE_STATUS_BAD_VERSION; - if (min < min2) +#if 0 + if (min > min2) + status = SILC_SKE_STATUS_BAD_VERSION; +#endif + + /* XXX < 0.6 is not allowed */ + if (maj == 0 && min < 5) status = SILC_SKE_STATUS_BAD_VERSION; + /* XXX backward support for 0.6.1 */ + if (maj == 0 && min == 6 && build < 2) + ske->backward_version = 1; + return status; } @@ -359,20 +401,20 @@ static void silc_server_protocol_ke_continue(SilcSKE ske, void *context) SILC_LOG_DEBUG(("Start")); if (ske->status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Key Exchange protocol", - ske->status)); - SILC_LOG_DEBUG(("Error (type %d) during Key Exchange protocol", - ske->status)); + SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(ske->status))); + SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(ske->status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } /* Send Ok to the other end. We will end the protocol as responder sends Ok to us when we will take the new keys into use. */ if (ctx->responder == FALSE) { - silc_ske_end(ctx->ske, silc_server_protocol_ke_send_packet, context); + silc_ske_end(ctx->ske); /* End the protocol on the next round */ protocol->state = SILC_PROTOCOL_STATE_END; @@ -383,7 +425,7 @@ static void silc_server_protocol_ke_continue(SilcSKE ske, void *context) function. */ if (ctx->responder == TRUE) { protocol->state++; - silc_protocol_execute(protocol, server->timeout_queue, 0, 100000); + silc_protocol_execute(protocol, server->schedule, 0, 100000); } } @@ -419,27 +461,29 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) ctx->ske = ske; ske->rng = server->rng; + silc_ske_set_callbacks(ske, silc_server_protocol_ke_send_packet, NULL, + silc_server_protocol_ke_verify_key, + silc_server_protocol_ke_continue, + silc_ske_check_version, context); + if (ctx->responder == TRUE) { /* Start the key exchange by processing the received security properties packet from initiator. */ status = silc_ske_responder_start(ske, ctx->rng, ctx->sock, silc_version_string, - ctx->packet->buffer, FALSE, - NULL, NULL); + ctx->packet->buffer, TRUE); } else { SilcSKEStartPayload *start_payload; /* Assemble security properties. */ - silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_NONE, + silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_MUTUAL, silc_version_string, &start_payload); /* Start the key exchange by sending our security properties to the remote end. */ status = silc_ske_initiator_start(ske, ctx->rng, ctx->sock, - start_payload, - silc_server_protocol_ke_send_packet, - context); + start_payload); } /* Return now if the procedure is pending. */ @@ -447,20 +491,20 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) return; if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Key Exchange protocol", - status)); - SILC_LOG_DEBUG(("Error (type %d) during Key Exchange protocol", - status)); + SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); + SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } /* Advance protocol state and call the next state if we are responder */ protocol->state++; if (ctx->responder == TRUE) - silc_protocol_execute(protocol, server->timeout_queue, 0, 100000); + silc_protocol_execute(protocol, server->schedule, 0, 100000); } break; case 2: @@ -470,18 +514,14 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) */ if (ctx->responder == TRUE) { /* Sends the selected security properties to the initiator. */ - status = - silc_ske_responder_phase_1(ctx->ske, - ctx->ske->start_payload, - silc_server_protocol_ke_send_packet, - context); + status = silc_ske_responder_phase_1(ctx->ske, + ctx->ske->start_payload); } else { /* Call Phase-1 function. This processes the Key Exchange Start paylaod reply we just got from the responder. The callback function will receive the processed payload where we will save it. */ - status = silc_ske_initiator_phase_1(ctx->ske, ctx->packet->buffer, - NULL, NULL); + status = silc_ske_initiator_phase_1(ctx->ske, ctx->packet->buffer); } /* Return now if the procedure is pending. */ @@ -489,20 +529,20 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) return; if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Key Exchange protocol", - status)); - SILC_LOG_DEBUG(("Error (type %d) during Key Exchange protocol", - status)); + SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); + SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } /* Advance protocol state and call next state if we are initiator */ protocol->state++; if (ctx->responder == FALSE) - silc_protocol_execute(protocol, server->timeout_queue, 0, 100000); + silc_protocol_execute(protocol, server->schedule, 0, 100000); } break; case 3: @@ -515,22 +555,14 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) the initiator. This also creates our parts of the Diffie Hellman algorithm. The silc_server_protocol_ke_continue will be called after the public key has been verified. */ - status = - silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer, - silc_server_protocol_ke_verify_key, - context, - silc_server_protocol_ke_continue, - context); + status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer); } else { /* Call the Phase-2 function. This creates Diffie Hellman key exchange parameters and sends our public part inside Key Exhange 1 Payload to the responder. */ - status = - silc_ske_initiator_phase_2(ctx->ske, - server->public_key, - server->private_key, - silc_server_protocol_ke_send_packet, - context); + status = silc_ske_initiator_phase_2(ctx->ske, + server->public_key, + server->private_key); protocol->state++; } @@ -539,13 +571,13 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) return; if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Key Exchange protocol", - status)); - SILC_LOG_DEBUG(("Error (type %d) during Key Exchange protocol", - status)); + SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); + SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } @@ -558,12 +590,10 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) if (ctx->responder == TRUE) { /* This creates the key exchange material and sends our public parts to the initiator inside Key Exchange 2 Payload. */ - status = - silc_ske_responder_finish(ctx->ske, - server->public_key, server->private_key, - SILC_SKE_PK_TYPE_SILC, - silc_server_protocol_ke_send_packet, - context); + status = silc_ske_responder_finish(ctx->ske, + server->public_key, + server->private_key, + SILC_SKE_PK_TYPE_SILC); /* End the protocol on the next round */ protocol->state = SILC_PROTOCOL_STATE_END; @@ -571,11 +601,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) /* Finish the protocol. This verifies the Key Exchange 2 payload sent by responder. The silc_server_protocol_ke_continue will be called after the public key has been verified. */ - status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer, - silc_server_protocol_ke_verify_key, - context, - silc_server_protocol_ke_continue, - context); + status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer); } /* Return now if the procedure is pending. */ @@ -583,13 +609,13 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) return; if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Key Exchange protocol", - status)); - SILC_LOG_DEBUG(("Error (type %d) during Key Exchange protocol", - status)); + SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); + SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } @@ -610,7 +636,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) keymat); if (status != SILC_SKE_STATUS_OK) { protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); silc_ske_free_key_material(keymat); return; } @@ -619,17 +645,22 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) /* Send Ok to the other end if we are responder. If we are initiator we have sent this already. */ if (ctx->responder == TRUE) - silc_ske_end(ctx->ske, silc_server_protocol_ke_send_packet, context); + silc_ske_end(ctx->ske); /* Unregister the timeout task since the protocol has ended. This was the timeout task to be executed if the protocol is not completed fast enough. */ if (ctx->timeout_task) - silc_task_unregister(server->timeout_queue, ctx->timeout_task); + silc_schedule_task_del(server->schedule, ctx->timeout_task); + + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); /* Call the final callback */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); } @@ -641,19 +672,22 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) */ /* Send abort notification */ - silc_ske_abort(ctx->ske, ctx->ske->status, - silc_server_protocol_ke_send_packet, - context); + silc_ske_abort(ctx->ske, ctx->ske->status); /* Unregister the timeout task since the protocol has ended. This was the timeout task to be executed if the protocol is not completed fast enough. */ if (ctx->timeout_task) - silc_task_unregister(server->timeout_queue, ctx->timeout_task); + silc_schedule_task_del(server->schedule, ctx->timeout_task); + + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); /* On error the final callback is always called. */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); break; @@ -667,11 +701,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) This was the timeout task to be executed if the protocol is not completed fast enough. */ if (ctx->timeout_task) - silc_task_unregister(server->timeout_queue, ctx->timeout_task); + silc_schedule_task_del(server->schedule, ctx->timeout_task); + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* On error the final callback is always called. */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); break; @@ -686,13 +725,13 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange) */ static int -silc_server_password_authentication(SilcServer server, char *auth1, - char *auth2) +silc_server_password_authentication(SilcServer server, char *remote_auth, + char *local_auth) { - if (!auth1 || !auth2) + if (!remote_auth || !local_auth) return FALSE; - if (!memcmp(auth1, auth2, strlen(auth1))) + if (!memcmp(remote_auth, local_auth, strlen(local_auth))) return TRUE; return FALSE; @@ -730,7 +769,8 @@ silc_server_public_key_authentication(SilcServer server, SILC_STR_END); /* Verify signature */ - if (silc_pkcs_verify(pkcs, sign, sign_len, auth->data, auth->len)) { + if (silc_pkcs_verify_with_hash(pkcs, ske->prop->hash, sign, sign_len, + auth->data, auth->len)) { silc_pkcs_free(pkcs); silc_buffer_free(auth); return TRUE; @@ -743,7 +783,6 @@ silc_server_public_key_authentication(SilcServer server, static int silc_server_get_public_key_auth(SilcServer server, - SilcPublicKey pub_key, unsigned char *auth_data, uint32 *auth_data_len, SilcSKE ske) @@ -752,14 +791,7 @@ silc_server_get_public_key_auth(SilcServer server, SilcPKCS pkcs; SilcBuffer auth; - if (!pub_key) - return FALSE; - - silc_pkcs_alloc(pub_key->name, &pkcs); - if (!silc_pkcs_public_key_set(pkcs, pub_key)) { - silc_pkcs_free(pkcs); - return FALSE; - } + pkcs = server->pkcs; /* Make the authentication data. Protocol says it is HASH plus KE Start Payload. */ @@ -772,13 +804,12 @@ silc_server_get_public_key_auth(SilcServer server, ske->start_payload_copy->len), SILC_STR_END); - if (silc_pkcs_sign(pkcs, auth->data, auth->len, auth_data, auth_data_len)) { - silc_pkcs_free(pkcs); + if (silc_pkcs_sign_with_hash(pkcs, ske->prop->hash, auth->data, + auth->len, auth_data, auth_data_len)) { silc_buffer_free(auth); return TRUE; } - silc_pkcs_free(pkcs); silc_buffer_free(auth); return FALSE; } @@ -829,14 +860,14 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) if (ret == -1) { SILC_LOG_DEBUG(("Bad payload in authentication packet")); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } if (payload_len != ctx->packet->buffer->len) { SILC_LOG_DEBUG(("Bad payload in authentication packet")); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } @@ -846,7 +877,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) conn_type > SILC_SOCKET_TYPE_ROUTER) { SILC_LOG_ERROR(("Bad connection type %d", conn_type)); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } @@ -860,7 +891,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) if (ret == -1) { SILC_LOG_DEBUG(("Bad payload in authentication packet")); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } @@ -875,7 +906,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) /* Remote end is client */ if (conn_type == SILC_SOCKET_TYPE_CLIENT) { - SilcServerConfigSectionClientConnection *client = ctx->cconfig; + SilcServerConfigSectionClient *client = ctx->cconfig; if (client) { switch(client->auth_meth) { @@ -898,7 +929,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; break; @@ -919,17 +950,17 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } else { - SILC_LOG_DEBUG(("No configuration for remote connection")); - SILC_LOG_ERROR(("Remote connection not configured")); + SILC_LOG_DEBUG(("No configuration for remote client connection")); + SILC_LOG_ERROR(("Remote client connection not configured")); SILC_LOG_ERROR(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } @@ -937,7 +968,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) /* Remote end is server */ if (conn_type == SILC_SOCKET_TYPE_SERVER) { - SilcServerConfigSectionServerConnection *serv = ctx->sconfig; + SilcServerConfigSectionServer *serv = ctx->sconfig; if (serv) { switch(serv->auth_meth) { @@ -960,7 +991,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; break; @@ -981,16 +1012,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } else { - SILC_LOG_DEBUG(("No configuration for remote connection")); - SILC_LOG_ERROR(("Remote connection not configured")); + SILC_LOG_DEBUG(("No configuration for remote server connection")); + SILC_LOG_ERROR(("Remote server connection not configured")); SILC_LOG_ERROR(("Authentication failed")); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); silc_free(auth_data); return; @@ -999,7 +1030,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) /* Remote end is router */ if (conn_type == SILC_SOCKET_TYPE_ROUTER) { - SilcServerConfigSectionServerConnection *serv = ctx->rconfig; + SilcServerConfigSectionRouter *serv = ctx->rconfig; if (serv) { switch(serv->auth_meth) { @@ -1022,7 +1053,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; break; @@ -1043,17 +1074,17 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } else { - SILC_LOG_DEBUG(("No configuration for remote connection")); - SILC_LOG_ERROR(("Remote connection not configured")); + SILC_LOG_DEBUG(("No configuration for remote router connection")); + SILC_LOG_ERROR(("Remote router connection not configured")); SILC_LOG_ERROR(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } @@ -1067,7 +1098,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) /* Advance protocol state. */ protocol->state = SILC_PROTOCOL_STATE_END; - silc_protocol_execute(protocol, server->timeout_queue, 0, 0); + silc_protocol_execute(protocol, server->schedule, 0, 0); } else { /* @@ -1099,8 +1130,7 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) unsigned char sign[1024]; /* Public key authentication */ - silc_server_get_public_key_auth(server, ctx->auth_data, - sign, &auth_data_len, + silc_server_get_public_key_auth(server, sign, &auth_data_len, ctx->ske); auth_data = silc_calloc(auth_data_len, sizeof(*auth_data)); memcpy(auth_data, sign, auth_data_len); @@ -1154,11 +1184,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) This was the timeout task to be executed if the protocol is not completed fast enough. */ if (ctx->timeout_task) - silc_task_unregister(server->timeout_queue, ctx->timeout_task); + silc_schedule_task_del(server->schedule, ctx->timeout_task); + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* Protocol has ended, call the final callback */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); } @@ -1180,11 +1215,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) This was the timeout task to be executed if the protocol is not completed fast enough. */ if (ctx->timeout_task) - silc_task_unregister(server->timeout_queue, ctx->timeout_task); + silc_schedule_task_del(server->schedule, ctx->timeout_task); + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* On error the final callback is always called. */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); } @@ -1199,11 +1239,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) This was the timeout task to be executed if the protocol is not completed fast enough. */ if (ctx->timeout_task) - silc_task_unregister(server->timeout_queue, ctx->timeout_task); + silc_schedule_task_del(server->schedule, ctx->timeout_task); + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* On error the final callback is always called. */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); break; @@ -1231,32 +1276,31 @@ silc_server_protocol_rekey_validate(SilcServer server, silc_cipher_set_key(idata->send_key, keymat->receive_enc_key, keymat->enc_key_len); silc_cipher_set_iv(idata->send_key, keymat->receive_iv); + silc_hmac_set_key(idata->hmac_send, keymat->receive_hmac_key, + keymat->hmac_key_len); } else { silc_cipher_set_key(idata->receive_key, keymat->send_enc_key, keymat->enc_key_len); silc_cipher_set_iv(idata->receive_key, keymat->send_iv); + silc_hmac_set_key(idata->hmac_receive, keymat->send_hmac_key, + keymat->hmac_key_len); } } else { if (send) { silc_cipher_set_key(idata->send_key, keymat->send_enc_key, keymat->enc_key_len); silc_cipher_set_iv(idata->send_key, keymat->send_iv); + silc_hmac_set_key(idata->hmac_send, keymat->send_hmac_key, + keymat->hmac_key_len); } else { silc_cipher_set_key(idata->receive_key, keymat->receive_enc_key, keymat->enc_key_len); silc_cipher_set_iv(idata->receive_key, keymat->receive_iv); + silc_hmac_set_key(idata->hmac_receive, keymat->receive_hmac_key, + keymat->hmac_key_len); } } - if (send) { - silc_hmac_alloc(idata->hmac_send->hmac->name, NULL, &idata->hmac_send); - silc_hmac_set_key(idata->hmac_send, keymat->hmac_key, - keymat->hmac_key_len); - } else { - silc_hmac_free(idata->hmac_receive); - idata->hmac_receive = idata->hmac_send; - } - /* Save the current sending encryption key */ if (!send) { memset(idata->rekey->send_enc_key, 0, idata->rekey->enc_key_len); @@ -1390,29 +1434,34 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_1) { /* Error in protocol */ protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); + return; } ctx->ske = silc_ske_alloc(); ctx->ske->rng = server->rng; ctx->ske->prop = silc_calloc(1, sizeof(*ctx->ske->prop)); - silc_ske_get_group_by_number(idata->rekey->ske_group, + silc_ske_group_get_by_number(idata->rekey->ske_group, &ctx->ske->prop->group); - status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer, - NULL, NULL, NULL, NULL); + silc_ske_set_callbacks(ctx->ske, + silc_server_protocol_rekey_send_packet, + NULL, NULL, NULL, silc_ske_check_version, + context); + + status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Re-key (PFS)", - status)); + SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } /* Advance the protocol state */ protocol->state++; - silc_protocol_execute(protocol, server->timeout_queue, 0, 0); + silc_protocol_execute(protocol, server->schedule, 0, 0); } else { /* * Do normal and simple re-key. @@ -1448,20 +1497,21 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) ctx->ske = silc_ske_alloc(); ctx->ske->rng = server->rng; ctx->ske->prop = silc_calloc(1, sizeof(*ctx->ske->prop)); - silc_ske_get_group_by_number(idata->rekey->ske_group, + silc_ske_group_get_by_number(idata->rekey->ske_group, &ctx->ske->prop->group); - status = - silc_ske_initiator_phase_2(ctx->ske, NULL, NULL, - silc_server_protocol_rekey_send_packet, - context); - + silc_ske_set_callbacks(ctx->ske, + silc_server_protocol_rekey_send_packet, + NULL, NULL, NULL, silc_ske_check_version, + context); + + status = silc_ske_initiator_phase_2(ctx->ske, NULL, NULL); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Re-key (PFS)", - status)); + SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } @@ -1499,20 +1549,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) * Send our KE packe to the initiator now that we've processed * the initiator's KE packet. */ - status = - silc_ske_responder_finish(ctx->ske, NULL, NULL, - SILC_SKE_PK_TYPE_SILC, - silc_server_protocol_rekey_send_packet, - context); - - if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Re-key (PFS)", - status)); - - protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); - return; - } + status = silc_ske_responder_finish(ctx->ske, NULL, NULL, + SILC_SKE_PK_TYPE_SILC); + if (status != SILC_SKE_STATUS_OK) { + SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)", + silc_ske_map_status(status))); + + protocol->state = SILC_PROTOCOL_STATE_ERROR; + silc_protocol_execute(protocol, server->schedule, 0, 300000); + return; + } } } else { @@ -1523,17 +1569,17 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_2) { /* Error in protocol */ protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); + return; } - status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer, - NULL, NULL, NULL, NULL); + status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_WARNING(("Error (type %d) during Re-key (PFS)", - status)); + SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)", + silc_ske_map_status(status))); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } @@ -1561,16 +1607,22 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) if (ctx->packet->type != SILC_PACKET_REKEY_DONE) { /* Error in protocol */ protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->timeout_queue, 0, 0); + silc_protocol_execute(protocol, server->schedule, 0, 300000); + return; } /* We received the REKEY_DONE packet and all packets after this is encrypted with the new key so set the decryption key to the new key */ silc_server_protocol_rekey_generate(server, ctx, FALSE); + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* Protocol has ended, call the final callback */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); break; @@ -1582,14 +1634,17 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) if (ctx->pfs == TRUE) { /* Send abort notification */ - silc_ske_abort(ctx->ske, ctx->ske->status, - silc_server_protocol_ke_send_packet, - context); + silc_ske_abort(ctx->ske, ctx->ske->status); } + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* On error the final callback is always called. */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); break; @@ -1599,9 +1654,14 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) * We have received failure from remote */ + /* Assure that after calling final callback there cannot be pending + executions for this protocol anymore. This just unregisters any + timeout callbacks for this protocol. */ + silc_protocol_cancel(protocol, server->schedule); + /* On error the final callback is always called. */ if (protocol->final_callback) - silc_protocol_execute_final(protocol, server->timeout_queue); + silc_protocol_execute_final(protocol, server->schedule); else silc_protocol_free(protocol); break; @@ -1622,6 +1682,8 @@ void silc_server_protocols_register(void) silc_server_protocol_key_exchange); silc_protocol_register(SILC_PROTOCOL_SERVER_REKEY, silc_server_protocol_rekey); + silc_protocol_register(SILC_PROTOCOL_SERVER_BACKUP, + silc_server_protocol_backup); } /* Unregisters protocols */ @@ -1634,4 +1696,6 @@ void silc_server_protocols_unregister(void) silc_server_protocol_key_exchange); silc_protocol_unregister(SILC_PROTOCOL_SERVER_REKEY, silc_server_protocol_rekey); + silc_protocol_unregister(SILC_PROTOCOL_SERVER_BACKUP, + silc_server_protocol_backup); }