From 7292c357b0cd1c3ac28f712732a7cbeca6232f7d Mon Sep 17 00:00:00 2001
From: Pekka Riikonen <priikone@silcnet.org>
Date: Wed, 18 Apr 2001 20:56:46 +0000
Subject: [PATCH] 	updates.

---
 CHANGES                     |  8 +++++
 TODO                        |  8 -----
 apps/silcd/packet_receive.c | 30 -------------------
 apps/silcd/packet_send.c    | 59 +++++++++++++++++++++++++++++++++++--
 4 files changed, 64 insertions(+), 41 deletions(-)

diff --git a/CHANGES b/CHANGES
index 939fa274..98d40d75 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+Wed Apr 18 22:19:03 EEST 2001  Pekka Riikonen <priikone@poseidon.pspt.fi>
+
+	* Moved the channel message encrypting in the router betwen
+	  router connections from silc_server_channel_message to the
+	  silc_server_packet_relay_to_channel since we want to check
+	  whether we have anybody channel before encrypting anything.
+	  Affected files silcd/packet_[receive/send].c.
+
 Tue Apr 17 21:18:19 EEST 2001  Pekka Riikonen <priikone@poseidon.pspt.fi>
 
 	* Fixed the [AdminConnection] server config section to support
diff --git a/TODO b/TODO
index 658383a9..ddd804d8 100644
--- a/TODO
+++ b/TODO
@@ -35,14 +35,6 @@ TODO/bugs In SILC Server
    a bug and should be done only once per channel after all clients of
    the server has been removed.
 
- o Acceptance of incoming connections (client and server connections)
-   should be checked before key exchange protocol.  Currently it is
-   checked at the authentication phase after KE, that is ok, but it should
-   be checked before starting KE, as well.  This should be done so that
-   is first checks denied connections, then client connections and then
-   server connections.  There is no use to execute the SKE if the connection
-   will not be allowed.
-
  o DNS/IP lookup blocks the server.  This must be fixed.  Check the
    resolver stuff (resolver(3), resolver(5)).  Either we have to do the
    own resolver stuff (through scheduler, if possible without writing
diff --git a/apps/silcd/packet_receive.c b/apps/silcd/packet_receive.c
index b6caf4ef..f4d7e14f 100644
--- a/apps/silcd/packet_receive.c
+++ b/apps/silcd/packet_receive.c
@@ -1191,36 +1191,6 @@ void silc_server_channel_message(SilcServer server,
     }
   }
 
-  /* If we are router and the packet came from router and private key
-     has not been set for the channel then we must encrypt the packet
-     as it was decrypted with the session key shared between us and the
-     router which sent it. This is so, because cells does not share the
-     same channel key */
-  if (server->server_type == SILC_ROUTER &&
-      sock->type == SILC_SOCKET_TYPE_ROUTER &&
-      !(channel->mode & SILC_CHANNEL_MODE_PRIVKEY)) {
-    SilcBuffer chp;
-    uint32 iv_len, i;
-    uint16 data_len, flags;
-
-    iv_len = silc_cipher_get_block_len(channel->channel_key);
-    if (channel->iv[0] == '\0')
-      for (i = 0; i < iv_len; i++) channel->iv[i] = 
-				     silc_rng_get_byte(server->rng);
-    else
-      silc_hash_make(server->md5hash, channel->iv, iv_len, channel->iv);
-    
-    /* Encode new payload. This encrypts it also. */
-    SILC_GET16_MSB(flags, packet->buffer->data);
-    SILC_GET16_MSB(data_len, packet->buffer->data + 2);
-    chp = silc_channel_message_payload_encode(flags, data_len, 
-					      packet->buffer->data + 4,
-					      iv_len, channel->iv,
-					      channel->channel_key,
-					      channel->hmac);
-    silc_buffer_put(packet->buffer, chp->data, chp->len);
-    silc_buffer_free(chp);
-  }
 
   /* Distribute the packet to our local clients. This will send the
      packet for further routing as well, if needed. */
diff --git a/apps/silcd/packet_send.c b/apps/silcd/packet_send.c
index 00f30978..9e1582b9 100644
--- a/apps/silcd/packet_send.c
+++ b/apps/silcd/packet_send.c
@@ -533,6 +533,50 @@ void silc_server_packet_send_to_channel(SilcServer server,
   silc_free(packetdata.dst_id);
 }
 
+/* This checks whether the relayed packet came from router. If it did
+   then we'll need to encrypt it with the channel key. This is called
+   from the silc_server_packet_relay_to_channel. */
+
+static void
+silc_server_packet_relay_to_channel_encrypt(SilcServer server,
+					    SilcSocketConnection sock,
+					    SilcChannelEntry channel,
+					    unsigned char *data,
+					    unsigned int data_len)
+{
+  /* If we are router and the packet came from router and private key
+     has not been set for the channel then we must encrypt the packet
+     as it was decrypted with the session key shared between us and the
+     router which sent it. This is so, because cells does not share the
+     same channel key. */
+  if (server->server_type == SILC_ROUTER &&
+      sock->type == SILC_SOCKET_TYPE_ROUTER &&
+      !(channel->mode & SILC_CHANNEL_MODE_PRIVKEY) &&
+      channel->channel_key) {
+    SilcBuffer chp;
+    uint32 iv_len, i;
+    uint16 data_len, flags;
+
+    iv_len = silc_cipher_get_block_len(channel->channel_key);
+    if (channel->iv[0] == '\0')
+      for (i = 0; i < iv_len; i++) channel->iv[i] = 
+				     silc_rng_get_byte(server->rng);
+    else
+      silc_hash_make(server->md5hash, channel->iv, iv_len, channel->iv);
+    
+    /* Encode new payload. This encrypts it also. */
+    SILC_GET16_MSB(flags, data);
+    SILC_GET16_MSB(data_len, data + 2);
+    chp = silc_channel_message_payload_encode(flags, data_len, 
+					      data + 4,
+					      iv_len, channel->iv,
+					      channel->channel_key,
+					      channel->hmac);
+    memcpy(data, chp->data, chp->len);
+    silc_buffer_free(chp);
+  }
+}
+
 /* This routine is explicitly used to relay messages to some channel.
    Packets sent with this function we have received earlier and are
    totally encrypted. This just sends the packet to all clients on
@@ -551,7 +595,7 @@ void silc_server_packet_relay_to_channel(SilcServer server,
 					 uint32 data_len,
 					 int force_send)
 {
-  int found = FALSE;
+  bool found = FALSE;
   SilcSocketConnection sock = NULL;
   SilcPacketContext packetdata;
   SilcClientEntry client = NULL;
@@ -575,6 +619,14 @@ void silc_server_packet_relay_to_channel(SilcServer server,
 					  packetdata.src_id_len +
 					  packetdata.dst_id_len));
 
+  /* This encrypts the packet, if needed. It will be encrypted if
+     it came from the router thus it needs to be encrypted with the
+     channel key. If the channel key does not exist, then we know we
+     don't have a single local user on the channel. */
+  silc_server_packet_relay_to_channel_encrypt(server, sender_sock,
+					      channel, data,
+					      data_len);
+
   /* If there are global users in the channel we will send the message
      first to our router for further routing. */
   if (server->server_type == SILC_SERVER && !server->standalone &&
@@ -664,7 +716,8 @@ void silc_server_packet_relay_to_channel(SilcServer server,
 	    memcpy(tmp, data, data_len);
 
 	    /* Decrypt the channel message (we don't check the MAC) */
-	    if (!silc_channel_message_payload_decrypt(tmp, data_len, 
+	    if (channel->channel_key &&
+		!silc_channel_message_payload_decrypt(tmp, data_len, 
 						      channel->channel_key,
 						      NULL)) {
 	      memset(tmp, 0, data_len);
@@ -693,7 +746,7 @@ void silc_server_packet_relay_to_channel(SilcServer server,
 	  }
 	  continue;
 	}
-  
+
 	/* Send the packet (to normal server) */
 	silc_server_packet_send_to_channel_real(server, sock, &packetdata,
 						idata->send_key, 
-- 
2.24.0