X-Git-Url: http://git.silcnet.org/gitweb/?a=blobdiff_plain;f=lib%2Fsilcske%2Fsilcconnauth.c;h=c3799a8187ead72e327813bf6c7e6b76fb8bf84b;hb=52e57c880aba9c5e89f59d962eb9af75670b76e0;hp=0f417d3304dc905ba623b1f120d7b6e00ab9f023;hpb=aa427d8e98d1b24952f869062536ca6c49670479;p=silc.git diff --git a/lib/silcske/silcconnauth.c b/lib/silcske/silcconnauth.c index 0f417d33..c3799a81 100644 --- a/lib/silcske/silcconnauth.c +++ b/lib/silcske/silcconnauth.c @@ -4,7 +4,7 @@ Author: Pekka Riikonen - Copyright (C) 2005 Pekka Riikonen + Copyright (C) 2005 - 2007 Pekka Riikonen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -32,6 +32,7 @@ static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine, struct SilcConnAuthStruct { SilcSKE ske; SilcFSM fsm; + SilcAsyncOperationStruct op; SilcConnectionType conn_type; SilcAuthMethod auth_method; void *auth_data; @@ -116,7 +117,7 @@ static SilcBool silc_connauth_get_signature(SilcConnAuth connauth, /* Compute signature */ if (!silc_pkcs_sign(private_key, auth->data, silc_buffer_len(auth), - *auth_data, len, auth_data_len, ske->prop->hash)) { + *auth_data, len, auth_data_len, TRUE, ske->prop->hash)) { silc_free(*auth_data); silc_buffer_free(auth); return FALSE; @@ -226,6 +227,7 @@ SilcConnAuth silc_connauth_alloc(SilcSchedule schedule, connauth->timeout_secs = timeout_secs; connauth->ske = ske; + ske->refcnt++; return connauth; } @@ -236,6 +238,10 @@ void silc_connauth_free(SilcConnAuth connauth) { if (connauth->public_keys) silc_dlist_uninit(connauth->public_keys); + + /* Free reference */ + silc_ske_free(connauth->ske); + silc_free(connauth); } @@ -267,7 +273,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_start) if (connauth->aborted) { /** Aborted */ silc_fsm_next(fsm, silc_connauth_st_initiator_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } /* Start timeout */ @@ -286,7 +292,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_start) if (!auth_data) { /** Out of memory */ silc_fsm_next(fsm, silc_connauth_st_initiator_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } auth_data_len = connauth->auth_data_len; flags = SILC_PACKET_FLAG_LONG_PAD; @@ -296,7 +302,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_start) if (!silc_connauth_get_signature(connauth, &auth_data, &auth_data_len)) { /** Error computing signature */ silc_fsm_next(fsm, silc_connauth_st_initiator_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } break; } @@ -306,7 +312,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_start) if (!packet) { /** Out of memory */ silc_fsm_next(fsm, silc_connauth_st_initiator_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } silc_buffer_format(packet, @@ -320,7 +326,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_start) flags, packet->data, silc_buffer_len(packet))) { /** Error sending packet */ silc_fsm_next(fsm, silc_connauth_st_initiator_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } if (auth_data) { @@ -331,7 +337,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_start) /** Wait for responder */ silc_fsm_next(fsm, silc_connauth_st_initiator_result); - SILC_FSM_WAIT; + return SILC_FSM_WAIT; } SILC_FSM_STATE(silc_connauth_st_initiator_result) @@ -343,7 +349,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_result) if (connauth->aborted) { /** Aborted */ silc_fsm_next(fsm, silc_connauth_st_initiator_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } /* Check the status of authentication */ @@ -351,7 +357,8 @@ SILC_FSM_STATE(silc_connauth_st_initiator_result) SILC_LOG_DEBUG(("Authentication successful")); connauth->success = TRUE; } else { - SILC_LOG_DEBUG(("Authentication failed")); + SILC_LOG_DEBUG(("Authentication failed, packet %s received", + silc_get_packet_name(connauth->packet->type))); connauth->success = FALSE; } silc_packet_free(connauth->packet); @@ -363,7 +370,7 @@ SILC_FSM_STATE(silc_connauth_st_initiator_result) /* Call completion callback */ connauth->completion(connauth, connauth->success, connauth->context); - SILC_FSM_FINISH; + return SILC_FSM_FINISH; } SILC_FSM_STATE(silc_connauth_st_initiator_failure) @@ -373,18 +380,25 @@ SILC_FSM_STATE(silc_connauth_st_initiator_failure) SILC_LOG_DEBUG(("Start")); - /* Send FAILURE packet */ - SILC_PUT32_MSB(SILC_AUTH_FAILED, error); - silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4); + if (!connauth->aborted) { + /* Send FAILURE packet */ + SILC_PUT32_MSB(SILC_AUTH_FAILED, error); + silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4); - /* Call completion callback */ - connauth->completion(connauth, FALSE, connauth->context); + silc_packet_stream_unlink(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth); + silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); + + /* Call completion callback */ + connauth->completion(connauth, FALSE, connauth->context); + return SILC_FSM_FINISH; + } silc_packet_stream_unlink(connauth->ske->stream, &silc_connauth_stream_cbs, connauth); silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); - SILC_FSM_FINISH; + return SILC_FSM_FINISH; } SilcAsyncOperation @@ -395,8 +409,6 @@ silc_connauth_initiator(SilcConnAuth connauth, SilcConnAuthCompletion completion, void *context) { - SilcAsyncOperation op; - SILC_LOG_DEBUG(("Connection authentication as initiator")); if (auth_method == SILC_AUTH_PASSWORD && !auth_data) { @@ -423,10 +435,10 @@ silc_connauth_initiator(SilcConnAuth connauth, SILC_PACKET_FAILURE, -1); /* Start the protocol */ - op = silc_async_alloc(silc_connauth_abort, NULL, connauth); + silc_async_init(&connauth->op, silc_connauth_abort, NULL, connauth); silc_fsm_start(connauth->fsm, silc_connauth_st_initiator_start); - return op; + return &connauth->op; } @@ -447,7 +459,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_start) if (connauth->aborted) { /** Aborted */ silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } /* Start timeout */ @@ -458,7 +470,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_start) /** Wait for initiator */ silc_fsm_next(fsm, silc_connauth_st_responder_authenticate); - SILC_FSM_WAIT; + return SILC_FSM_WAIT; } SILC_FSM_STATE(silc_connauth_st_responder_authenticate) @@ -475,16 +487,17 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) if (connauth->aborted) { /** Aborted */ - silc_packet_free(connauth->packet); + if (connauth->packet) + silc_packet_free(connauth->packet); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } if (connauth->packet->type != SILC_PACKET_CONNECTION_AUTH) { /** Protocol failure */ silc_packet_free(connauth->packet); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } /* Parse the received authentication data packet. The received @@ -498,7 +511,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) SILC_LOG_ERROR(("Bad payload in authentication packet")); silc_packet_free(connauth->packet); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } if (payload_len != silc_buffer_len(&connauth->packet->buffer)) { @@ -506,7 +519,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) SILC_LOG_ERROR(("Bad payload length in authentication packet")); silc_packet_free(connauth->packet); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } payload_len -= 4; @@ -517,7 +530,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) conn_type)); silc_packet_free(connauth->packet); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } if (payload_len > 0) { @@ -532,7 +545,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) SILC_LOG_DEBUG(("Bad payload in authentication payload")); silc_packet_free(connauth->packet); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } } silc_packet_free(connauth->packet); @@ -546,7 +559,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) /** Connection not configured */ SILC_LOG_ERROR(("Remote connection not configured")); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } /* Verify */ @@ -554,10 +567,11 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) /* Passphrase authentication */ if (passphrase && passphrase_len) { SILC_LOG_DEBUG(("Passphrase authentication")); - if (!memcmp(auth_data, passphrase, passphrase_len)) { + if (!auth_data || payload_len != passphrase_len || + memcmp(auth_data, passphrase, passphrase_len)) { /** Authentication failed */ silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } } else if (repository) { /* Digital signature */ @@ -565,6 +579,12 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) SILC_LOG_DEBUG(("Digital signature authentication")); + if (!auth_data) { + /** Authentication failed */ + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + connauth->auth_data = silc_memdup(auth_data, payload_len); connauth->auth_data_len = payload_len; @@ -574,7 +594,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) if (!find || !connauth->auth_data) { /** Out of memory */ silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } silc_skr_find_set_pkcs_type(find, connauth->ske->pk_type); @@ -584,7 +604,8 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) /** Find public key */ silc_fsm_next(fsm, silc_connauth_st_responder_authenticate_pk); - SILC_FSM_CALL(silc_skr_find(repository, find, silc_connauth_skr_callback, + SILC_FSM_CALL(silc_skr_find(repository, silc_fsm_get_schedule(fsm), + find, silc_connauth_skr_callback, connauth)); /* NOT REACHED */ } @@ -593,7 +614,7 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate) /** Authentication successful */ silc_fsm_next(fsm, silc_connauth_st_responder_success); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk) @@ -604,14 +625,14 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk) if (connauth->aborted) { /** Aborted */ silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } if (connauth->skr_status != SILC_SKR_OK) { /** Public key not found */ SILC_LOG_DEBUG(("Public key not found, error %d", connauth->skr_status)); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } SILC_LOG_DEBUG(("Found %d public keys", @@ -626,14 +647,14 @@ SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk) SILC_LOG_DEBUG(("Invalid signature")); silc_free(connauth->auth_data); silc_fsm_next(fsm, silc_connauth_st_responder_failure); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } silc_free(connauth->auth_data); /** Authentication successful */ silc_fsm_next(fsm, silc_connauth_st_responder_success); - SILC_FSM_CONTINUE; + return SILC_FSM_CONTINUE; } SILC_FSM_STATE(silc_connauth_st_responder_success) @@ -647,14 +668,14 @@ SILC_FSM_STATE(silc_connauth_st_responder_success) SILC_PUT32_MSB(SILC_AUTH_OK, tmp); silc_packet_send(connauth->ske->stream, SILC_PACKET_SUCCESS, 0, tmp, 4); - /* Call completion callback */ - connauth->completion(connauth, TRUE, connauth->context); - silc_packet_stream_unlink(connauth->ske->stream, &silc_connauth_stream_cbs, connauth); silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); - SILC_FSM_FINISH; + /* Call completion callback */ + connauth->completion(connauth, TRUE, connauth->context); + + return SILC_FSM_FINISH; } SILC_FSM_STATE(silc_connauth_st_responder_failure) @@ -664,18 +685,26 @@ SILC_FSM_STATE(silc_connauth_st_responder_failure) SILC_LOG_ERROR(("Authentication failed")); - /* Send FAILURE packet */ - SILC_PUT32_MSB(SILC_AUTH_FAILED, error); - silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4); + if (!connauth->aborted) { + /* Send FAILURE packet */ + SILC_PUT32_MSB(SILC_AUTH_FAILED, error); + silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4); - /* Call completion callback */ - connauth->completion(connauth, FALSE, connauth->context); + silc_packet_stream_unlink(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth); + silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); + + /* Call completion callback */ + connauth->completion(connauth, FALSE, connauth->context); + + return SILC_FSM_FINISH; + } silc_packet_stream_unlink(connauth->ske->stream, &silc_connauth_stream_cbs, connauth); silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); - SILC_FSM_FINISH; + return SILC_FSM_FINISH; } SilcAsyncOperation @@ -684,8 +713,6 @@ silc_connauth_responder(SilcConnAuth connauth, SilcConnAuthCompletion completion, void *context) { - SilcAsyncOperation op; - SILC_LOG_DEBUG(("Connection authentication as responder")); connauth->get_auth_data = get_auth_data; @@ -699,8 +726,8 @@ silc_connauth_responder(SilcConnAuth connauth, SILC_PACKET_FAILURE, -1); /* Start the protocol */ - op = silc_async_alloc(silc_connauth_abort, NULL, connauth); + silc_async_init(&connauth->op, silc_connauth_abort, NULL, connauth); silc_fsm_start(connauth->fsm, silc_connauth_st_responder_start); - return op; + return &connauth->op; }