5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 1997 - 2001 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
21 * Server side of the protocols.
25 #include "serverincludes.h"
26 #include "server_internal.h"
28 SILC_TASK_CALLBACK(silc_server_protocol_connection_auth);
29 SILC_TASK_CALLBACK(silc_server_protocol_key_exchange);
30 SILC_TASK_CALLBACK(silc_server_protocol_rekey);
32 extern char *silc_version_string;
35 * Key Exhange protocol functions
39 silc_verify_public_key_internal(SilcServer server, SilcSocketConnection sock,
40 SilcSocketType conn_type,
41 unsigned char *pk, uint32 pk_len,
42 SilcSKEPKType pk_type)
44 char file[256], filename[256], *fingerprint;
47 if (pk_type != SILC_SKE_PK_TYPE_SILC) {
48 SILC_LOG_WARNING(("We don't support %s (%s) port %d public key type %d",
49 sock->hostname, sock->ip, sock->port, pk_type));
53 /* Accept client keys without verification */
54 if (conn_type == SILC_SOCKET_TYPE_CLIENT) {
55 SILC_LOG_DEBUG(("Accepting client public key without verification"));
59 /* XXX For now, accept server keys without verification too. We are
60 currently always doing mutual authentication so the proof of posession
61 of the private key is verified, and if server is authenticated in
62 conn auth protocol with public key we MUST have the key already. */
64 /* Rest is unreachable code! */
66 memset(filename, 0, sizeof(filename));
67 memset(file, 0, sizeof(file));
68 snprintf(file, sizeof(file) - 1, "serverkey_%s_%d.pub", sock->hostname,
70 snprintf(filename, sizeof(filename) - 1, SILC_ETCDIR "/serverkeys/%s",
73 /* Create serverkeys directory if it doesn't exist. */
74 if (stat(SILC_ETCDIR "/serverkeys", &st) < 0) {
75 /* If dir doesn't exist */
76 if (errno == ENOENT) {
77 if (mkdir(SILC_ETCDIR "/serverkeys", 0755) < 0) {
78 SILC_LOG_ERROR(("Couldn't create `%s' directory\n",
79 SILC_ETCDIR "/serverkeys"));
83 SILC_LOG_ERROR(("%s\n", strerror(errno)));
88 /* Take fingerprint of the public key */
89 fingerprint = silc_hash_fingerprint(NULL, pk, pk_len);
90 SILC_LOG_DEBUG(("Received server %s (%s) port %d public key (%s)",
91 sock->hostname, sock->ip, sock->port, fingerprint));
92 silc_free(fingerprint);
94 /* Check whether this key already exists */
95 if (stat(filename, &st) < 0) {
96 /* We don't have it, then cache it. */
97 SILC_LOG_DEBUG(("New public key from server"));
99 silc_pkcs_save_public_key_data(filename, pk, pk_len,
103 /* The key already exists, verify it. */
104 SilcPublicKey public_key;
105 unsigned char *encpk;
108 SILC_LOG_DEBUG(("We have the public key saved locally"));
110 /* Load the key file */
111 if (!silc_pkcs_load_public_key(filename, &public_key,
113 if (!silc_pkcs_load_public_key(filename, &public_key,
114 SILC_PKCS_FILE_BIN)) {
115 SILC_LOG_WARNING(("Could not load local copy of the %s (%s) port %d "
116 "server public key", sock->hostname, sock->ip,
119 /* Save the key for future checking */
121 silc_pkcs_save_public_key_data(filename, pk, pk_len,
126 /* Encode the key data */
127 encpk = silc_pkcs_public_key_encode(public_key, &encpk_len);
129 SILC_LOG_WARNING(("Local copy of the server %s (%s) port %d public key "
130 "is malformed", sock->hostname, sock->ip, sock->port));
132 /* Save the key for future checking */
134 silc_pkcs_save_public_key_data(filename, pk, pk_len,
139 if (memcmp(encpk, pk, encpk_len)) {
140 SILC_LOG_WARNING(("%s (%s) port %d server public key does not match "
141 "with local copy", sock->hostname, sock->ip,
143 SILC_LOG_WARNING(("It is possible that the key has expired or changed"));
144 SILC_LOG_WARNING(("It is also possible that some one is performing "
145 "man-in-the-middle attack"));
146 SILC_LOG_WARNING(("Will not accept the server %s (%s) port %d public "
148 sock->hostname, sock->ip, sock->port));
152 /* Local copy matched */
157 /* Callback that is called when we have received KE2 payload from
158 responder. We try to verify the public key now. */
161 silc_server_protocol_ke_verify_key(SilcSKE ske,
162 unsigned char *pk_data,
164 SilcSKEPKType pk_type,
166 SilcSKEVerifyCbCompletion completion,
167 void *completion_context)
169 SilcProtocol protocol = (SilcProtocol)context;
170 SilcServerKEInternalContext *ctx =
171 (SilcServerKEInternalContext *)protocol->context;
172 SilcServer server = (SilcServer)ctx->server;
174 SILC_LOG_DEBUG(("Start"));
176 if (silc_verify_public_key_internal(server, ctx->sock,
177 (ctx->responder == FALSE ?
178 SILC_SOCKET_TYPE_ROUTER:
179 ctx->sconfig ? SILC_SOCKET_TYPE_SERVER :
180 ctx->rconfig ? SILC_SOCKET_TYPE_ROUTER :
181 SILC_SOCKET_TYPE_CLIENT),
182 pk_data, pk_len, pk_type))
183 completion(ske, SILC_SKE_STATUS_OK, completion_context);
185 completion(ske, SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY,
189 /* Packet sending callback. This function is provided as packet sending
190 routine to the Key Exchange functions. */
192 static void silc_server_protocol_ke_send_packet(SilcSKE ske,
197 SilcProtocol protocol = (SilcProtocol)context;
198 SilcServerKEInternalContext *ctx =
199 (SilcServerKEInternalContext *)protocol->context;
200 SilcServer server = (SilcServer)ctx->server;
202 /* Send the packet immediately */
203 silc_server_packet_send(server, ske->sock,
204 type, 0, packet->data, packet->len, TRUE);
207 /* Sets the negotiated key material into use for particular connection. */
209 int silc_server_protocol_ke_set_keys(SilcServer server,
211 SilcSocketConnection sock,
212 SilcSKEKeyMaterial *keymat,
217 SilcSKEDiffieHellmanGroup group,
220 SilcUnknownEntry conn_data;
221 SilcIDListData idata;
223 SILC_LOG_DEBUG(("Setting new key into use"));
225 conn_data = silc_calloc(1, sizeof(*conn_data));
226 idata = (SilcIDListData)conn_data;
228 /* Allocate cipher to be used in the communication */
229 if (!silc_cipher_alloc(cipher->cipher->name, &idata->send_key)) {
230 silc_free(conn_data);
233 if (!silc_cipher_alloc(cipher->cipher->name, &idata->receive_key)) {
234 silc_free(conn_data);
238 if (!silc_hmac_alloc((char *)silc_hmac_get_name(hmac), NULL,
239 &idata->hmac_send)) {
240 silc_cipher_free(idata->send_key);
241 silc_cipher_free(idata->receive_key);
242 silc_free(conn_data);
246 if (!silc_hmac_alloc((char *)silc_hmac_get_name(hmac), NULL,
247 &idata->hmac_receive)) {
248 silc_cipher_free(idata->send_key);
249 silc_cipher_free(idata->receive_key);
250 silc_hmac_free(idata->hmac_send);
251 silc_free(conn_data);
255 if (is_responder == TRUE) {
256 silc_cipher_set_key(idata->send_key, keymat->receive_enc_key,
257 keymat->enc_key_len);
258 silc_cipher_set_iv(idata->send_key, keymat->receive_iv);
259 silc_cipher_set_key(idata->receive_key, keymat->send_enc_key,
260 keymat->enc_key_len);
261 silc_cipher_set_iv(idata->receive_key, keymat->send_iv);
262 silc_hmac_set_key(idata->hmac_send, keymat->receive_hmac_key,
263 keymat->hmac_key_len);
264 silc_hmac_set_key(idata->hmac_receive, keymat->send_hmac_key,
265 keymat->hmac_key_len);
267 silc_cipher_set_key(idata->send_key, keymat->send_enc_key,
268 keymat->enc_key_len);
269 silc_cipher_set_iv(idata->send_key, keymat->send_iv);
270 silc_cipher_set_key(idata->receive_key, keymat->receive_enc_key,
271 keymat->enc_key_len);
272 silc_cipher_set_iv(idata->receive_key, keymat->receive_iv);
273 silc_hmac_set_key(idata->hmac_send, keymat->send_hmac_key,
274 keymat->hmac_key_len);
275 silc_hmac_set_key(idata->hmac_receive, keymat->receive_hmac_key,
276 keymat->hmac_key_len);
279 idata->rekey = silc_calloc(1, sizeof(*idata->rekey));
280 idata->rekey->send_enc_key =
281 silc_calloc(keymat->enc_key_len / 8,
282 sizeof(*idata->rekey->send_enc_key));
283 memcpy(idata->rekey->send_enc_key,
284 keymat->send_enc_key, keymat->enc_key_len / 8);
285 idata->rekey->enc_key_len = keymat->enc_key_len / 8;
287 if (ske->start_payload->flags & SILC_SKE_SP_FLAG_PFS)
288 idata->rekey->pfs = TRUE;
289 idata->rekey->ske_group = silc_ske_group_get_number(group);
292 if (!silc_hash_alloc(hash->hash->name, &idata->hash)) {
293 silc_cipher_free(idata->send_key);
294 silc_cipher_free(idata->receive_key);
295 silc_hmac_free(idata->hmac_send);
296 silc_hmac_free(idata->hmac_receive);
297 silc_free(conn_data);
301 /* Save the remote host's public key */
302 silc_pkcs_public_key_decode(ske->ke1_payload->pk_data,
303 ske->ke1_payload->pk_len, &idata->public_key);
304 if (ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL)
305 silc_hash_make(server->sha1hash, ske->ke1_payload->pk_data,
306 ske->ke1_payload->pk_len, idata->fingerprint);
308 sock->user_data = (void *)conn_data;
310 SILC_LOG_INFO(("%s (%s) security properties: %s %s %s",
311 sock->hostname, sock->ip,
312 idata->send_key->cipher->name,
313 (char *)silc_hmac_get_name(idata->hmac_send),
314 idata->hash->hash->name));
319 /* Check remote host version string */
321 SilcSKEStatus silc_ske_check_version(SilcSKE ske, unsigned char *version,
322 uint32 len, void *context)
324 SilcSKEStatus status = SILC_SKE_STATUS_OK;
326 int maj = 0, min = 0, build = 0, maj2 = 0, min2 = 0, build2 = 0;
328 SILC_LOG_INFO(("%s (%s) is version %s", ske->sock->hostname,
329 ske->sock->ip, version));
331 /* Check for initial version string */
332 if (!strstr(version, "SILC-1.0-"))
333 status = SILC_SKE_STATUS_BAD_VERSION;
335 /* Check software version */
339 status = SILC_SKE_STATUS_BAD_VERSION;
342 cp = strchr(cp, '.');
348 cp = strchr(cp, '.');
350 build = atoi(cp + 1);
353 cp = silc_version_string + 9;
355 status = SILC_SKE_STATUS_BAD_VERSION;
358 cp = strchr(cp, '.');
364 cp = strchr(cp, '.');
366 build2 = atoi(cp + 1);
370 status = SILC_SKE_STATUS_BAD_VERSION;
372 status = SILC_SKE_STATUS_BAD_VERSION;
374 /* XXX < 0.6 is not allowed */
375 if (maj == 0 && min < 5)
376 status = SILC_SKE_STATUS_BAD_VERSION;
378 /* XXX backward support for 0.6.1 */
379 if (maj == 0 && min == 6 && build < 2)
380 ske->backward_version = 1;
385 /* Callback that is called by the SKE to indicate that it is safe to
386 continue the execution of the protocol. This is used only if we are
387 initiator. Is given as argument to the silc_ske_initiator_finish or
388 silc_ske_responder_phase_2 functions. This is called due to the fact
389 that the public key verification process is asynchronous and we must
390 not continue the protocl until the public key has been verified and
391 this callback is called. */
393 static void silc_server_protocol_ke_continue(SilcSKE ske, void *context)
395 SilcProtocol protocol = (SilcProtocol)context;
396 SilcServerKEInternalContext *ctx =
397 (SilcServerKEInternalContext *)protocol->context;
398 SilcServer server = (SilcServer)ctx->server;
400 SILC_LOG_DEBUG(("Start"));
402 if (ske->status != SILC_SKE_STATUS_OK) {
403 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
404 silc_ske_map_status(ske->status)));
405 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
406 silc_ske_map_status(ske->status)));
408 protocol->state = SILC_PROTOCOL_STATE_ERROR;
409 silc_protocol_execute(protocol, server->schedule, 0, 300000);
413 /* Send Ok to the other end. We will end the protocol as responder
414 sends Ok to us when we will take the new keys into use. */
415 if (ctx->responder == FALSE) {
416 silc_ske_end(ctx->ske);
418 /* End the protocol on the next round */
419 protocol->state = SILC_PROTOCOL_STATE_END;
422 /* Advance protocol state and call the next state if we are responder.
423 This happens when this callback was sent to silc_ske_responder_phase_2
425 if (ctx->responder == TRUE) {
427 silc_protocol_execute(protocol, server->schedule, 0, 100000);
431 /* Performs key exchange protocol. This is used for both initiator
432 and responder key exchange. This is performed always when accepting
433 new connection to the server. This may be called recursively. */
435 SILC_TASK_CALLBACK(silc_server_protocol_key_exchange)
437 SilcProtocol protocol = (SilcProtocol)context;
438 SilcServerKEInternalContext *ctx =
439 (SilcServerKEInternalContext *)protocol->context;
440 SilcServer server = (SilcServer)ctx->server;
441 SilcSKEStatus status = SILC_SKE_STATUS_OK;
443 SILC_LOG_DEBUG(("Start"));
445 if (protocol->state == SILC_PROTOCOL_STATE_UNKNOWN)
446 protocol->state = SILC_PROTOCOL_STATE_START;
448 SILC_LOG_DEBUG(("State=%d", protocol->state));
450 switch(protocol->state) {
451 case SILC_PROTOCOL_STATE_START:
458 /* Allocate Key Exchange object */
459 ske = silc_ske_alloc();
461 ske->rng = server->rng;
463 silc_ske_set_callbacks(ske, silc_server_protocol_ke_send_packet, NULL,
464 silc_server_protocol_ke_verify_key,
465 silc_server_protocol_ke_continue,
466 silc_ske_check_version, context);
468 if (ctx->responder == TRUE) {
469 /* Start the key exchange by processing the received security
470 properties packet from initiator. */
471 status = silc_ske_responder_start(ske, ctx->rng, ctx->sock,
473 ctx->packet->buffer, TRUE);
475 SilcSKEStartPayload *start_payload;
477 /* Assemble security properties. */
478 silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_MUTUAL,
482 /* Start the key exchange by sending our security properties
483 to the remote end. */
484 status = silc_ske_initiator_start(ske, ctx->rng, ctx->sock,
488 /* Return now if the procedure is pending. */
489 if (status == SILC_SKE_STATUS_PENDING)
492 if (status != SILC_SKE_STATUS_OK) {
493 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
494 silc_ske_map_status(status)));
495 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
496 silc_ske_map_status(status)));
498 protocol->state = SILC_PROTOCOL_STATE_ERROR;
499 silc_protocol_execute(protocol, server->schedule, 0, 300000);
503 /* Advance protocol state and call the next state if we are responder */
505 if (ctx->responder == TRUE)
506 silc_protocol_execute(protocol, server->schedule, 0, 100000);
514 if (ctx->responder == TRUE) {
515 /* Sends the selected security properties to the initiator. */
516 status = silc_ske_responder_phase_1(ctx->ske,
517 ctx->ske->start_payload);
519 /* Call Phase-1 function. This processes the Key Exchange Start
520 paylaod reply we just got from the responder. The callback
521 function will receive the processed payload where we will
523 status = silc_ske_initiator_phase_1(ctx->ske, ctx->packet->buffer);
526 /* Return now if the procedure is pending. */
527 if (status == SILC_SKE_STATUS_PENDING)
530 if (status != SILC_SKE_STATUS_OK) {
531 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
532 silc_ske_map_status(status)));
533 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
534 silc_ske_map_status(status)));
536 protocol->state = SILC_PROTOCOL_STATE_ERROR;
537 silc_protocol_execute(protocol, server->schedule, 0, 300000);
541 /* Advance protocol state and call next state if we are initiator */
543 if (ctx->responder == FALSE)
544 silc_protocol_execute(protocol, server->schedule, 0, 100000);
552 if (ctx->responder == TRUE) {
553 /* Process the received Key Exchange 1 Payload packet from
554 the initiator. This also creates our parts of the Diffie
555 Hellman algorithm. The silc_server_protocol_ke_continue
556 will be called after the public key has been verified. */
557 status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer);
559 /* Call the Phase-2 function. This creates Diffie Hellman
560 key exchange parameters and sends our public part inside
561 Key Exhange 1 Payload to the responder. */
562 status = silc_ske_initiator_phase_2(ctx->ske,
564 server->private_key);
568 /* Return now if the procedure is pending. */
569 if (status == SILC_SKE_STATUS_PENDING)
572 if (status != SILC_SKE_STATUS_OK) {
573 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
574 silc_ske_map_status(status)));
575 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
576 silc_ske_map_status(status)));
578 protocol->state = SILC_PROTOCOL_STATE_ERROR;
579 silc_protocol_execute(protocol, server->schedule, 0, 300000);
589 if (ctx->responder == TRUE) {
590 /* This creates the key exchange material and sends our
591 public parts to the initiator inside Key Exchange 2 Payload. */
592 status = silc_ske_responder_finish(ctx->ske,
595 SILC_SKE_PK_TYPE_SILC);
597 /* End the protocol on the next round */
598 protocol->state = SILC_PROTOCOL_STATE_END;
600 /* Finish the protocol. This verifies the Key Exchange 2 payload
601 sent by responder. The silc_server_protocol_ke_continue will
602 be called after the public key has been verified. */
603 status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer);
606 /* Return now if the procedure is pending. */
607 if (status == SILC_SKE_STATUS_PENDING)
610 if (status != SILC_SKE_STATUS_OK) {
611 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
612 silc_ske_map_status(status)));
613 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
614 silc_ske_map_status(status)));
616 protocol->state = SILC_PROTOCOL_STATE_ERROR;
617 silc_protocol_execute(protocol, server->schedule, 0, 300000);
623 case SILC_PROTOCOL_STATE_END:
628 SilcSKEKeyMaterial *keymat;
629 int key_len = silc_cipher_get_key_len(ctx->ske->prop->cipher);
630 int hash_len = ctx->ske->prop->hash->hash->hash_len;
632 /* Process the key material */
633 keymat = silc_calloc(1, sizeof(*keymat));
634 status = silc_ske_process_key_material(ctx->ske, 16, key_len, hash_len,
636 if (status != SILC_SKE_STATUS_OK) {
637 protocol->state = SILC_PROTOCOL_STATE_ERROR;
638 silc_protocol_execute(protocol, server->schedule, 0, 300000);
639 silc_ske_free_key_material(keymat);
642 ctx->keymat = keymat;
644 /* Send Ok to the other end if we are responder. If we are initiator
645 we have sent this already. */
646 if (ctx->responder == TRUE)
647 silc_ske_end(ctx->ske);
649 /* Unregister the timeout task since the protocol has ended.
650 This was the timeout task to be executed if the protocol is
651 not completed fast enough. */
652 if (ctx->timeout_task)
653 silc_schedule_task_del(server->schedule, ctx->timeout_task);
655 /* Call the final callback */
656 if (protocol->final_callback)
657 silc_protocol_execute_final(protocol, server->schedule);
659 silc_protocol_free(protocol);
663 case SILC_PROTOCOL_STATE_ERROR:
668 /* Send abort notification */
669 silc_ske_abort(ctx->ske, ctx->ske->status);
671 /* Unregister the timeout task since the protocol has ended.
672 This was the timeout task to be executed if the protocol is
673 not completed fast enough. */
674 if (ctx->timeout_task)
675 silc_schedule_task_del(server->schedule, ctx->timeout_task);
677 /* On error the final callback is always called. */
678 if (protocol->final_callback)
679 silc_protocol_execute_final(protocol, server->schedule);
681 silc_protocol_free(protocol);
684 case SILC_PROTOCOL_STATE_FAILURE:
686 * We have received failure from remote
689 /* Unregister the timeout task since the protocol has ended.
690 This was the timeout task to be executed if the protocol is
691 not completed fast enough. */
692 if (ctx->timeout_task)
693 silc_schedule_task_del(server->schedule, ctx->timeout_task);
695 /* On error the final callback is always called. */
696 if (protocol->final_callback)
697 silc_protocol_execute_final(protocol, server->schedule);
699 silc_protocol_free(protocol);
702 case SILC_PROTOCOL_STATE_UNKNOWN:
708 * Connection Authentication protocol functions
712 silc_server_password_authentication(SilcServer server, char *auth1,
715 if (!auth1 || !auth2)
718 if (!memcmp(auth1, auth2, strlen(auth1)))
725 silc_server_public_key_authentication(SilcServer server,
726 SilcPublicKey pub_key,
735 if (!pub_key || !sign)
738 silc_pkcs_alloc(pub_key->name, &pkcs);
739 if (!silc_pkcs_public_key_set(pkcs, pub_key)) {
740 silc_pkcs_free(pkcs);
744 /* Make the authentication data. Protocol says it is HASH plus
746 len = ske->hash_len + ske->start_payload_copy->len;
747 auth = silc_buffer_alloc(len);
748 silc_buffer_pull_tail(auth, len);
749 silc_buffer_format(auth,
750 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
751 SILC_STR_UI_XNSTRING(ske->start_payload_copy->data,
752 ske->start_payload_copy->len),
755 /* Verify signature */
756 if (silc_pkcs_verify_with_hash(pkcs, ske->prop->hash, sign, sign_len,
757 auth->data, auth->len)) {
758 silc_pkcs_free(pkcs);
759 silc_buffer_free(auth);
763 silc_pkcs_free(pkcs);
764 silc_buffer_free(auth);
769 silc_server_get_public_key_auth(SilcServer server,
770 unsigned char *auth_data,
771 uint32 *auth_data_len,
780 /* Make the authentication data. Protocol says it is HASH plus
782 len = ske->hash_len + ske->start_payload_copy->len;
783 auth = silc_buffer_alloc(len);
784 silc_buffer_pull_tail(auth, len);
785 silc_buffer_format(auth,
786 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
787 SILC_STR_UI_XNSTRING(ske->start_payload_copy->data,
788 ske->start_payload_copy->len),
791 if (silc_pkcs_sign_with_hash(pkcs, ske->prop->hash, auth->data,
792 auth->len, auth_data, auth_data_len)) {
793 silc_buffer_free(auth);
797 silc_buffer_free(auth);
801 /* Performs connection authentication protocol. If responder, we
802 authenticate the remote data received. If initiator, we will send
803 authentication data to the remote end. */
805 SILC_TASK_CALLBACK(silc_server_protocol_connection_auth)
807 SilcProtocol protocol = (SilcProtocol)context;
808 SilcServerConnAuthInternalContext *ctx =
809 (SilcServerConnAuthInternalContext *)protocol->context;
810 SilcServer server = (SilcServer)ctx->server;
812 SILC_LOG_DEBUG(("Start"));
814 if (protocol->state == SILC_PROTOCOL_STATE_UNKNOWN)
815 protocol->state = SILC_PROTOCOL_STATE_START;
817 SILC_LOG_DEBUG(("State=%d", protocol->state));
819 switch(protocol->state) {
820 case SILC_PROTOCOL_STATE_START:
826 if (ctx->responder == TRUE) {
828 * We are receiving party
833 unsigned char *auth_data = NULL;
835 SILC_LOG_INFO(("Performing authentication protocol for %s (%s)",
836 ctx->sock->hostname, ctx->sock->ip));
838 /* Parse the received authentication data packet. The received
839 payload is Connection Auth Payload. */
840 ret = silc_buffer_unformat(ctx->packet->buffer,
841 SILC_STR_UI_SHORT(&payload_len),
842 SILC_STR_UI_SHORT(&conn_type),
845 SILC_LOG_DEBUG(("Bad payload in authentication packet"));
846 protocol->state = SILC_PROTOCOL_STATE_ERROR;
847 silc_protocol_execute(protocol, server->schedule, 0, 300000);
851 if (payload_len != ctx->packet->buffer->len) {
852 SILC_LOG_DEBUG(("Bad payload in authentication packet"));
853 protocol->state = SILC_PROTOCOL_STATE_ERROR;
854 silc_protocol_execute(protocol, server->schedule, 0, 300000);
860 if (conn_type < SILC_SOCKET_TYPE_CLIENT ||
861 conn_type > SILC_SOCKET_TYPE_ROUTER) {
862 SILC_LOG_ERROR(("Bad connection type %d", conn_type));
863 protocol->state = SILC_PROTOCOL_STATE_ERROR;
864 silc_protocol_execute(protocol, server->schedule, 0, 300000);
868 if (payload_len > 0) {
869 /* Get authentication data */
870 silc_buffer_pull(ctx->packet->buffer, 4);
871 ret = silc_buffer_unformat(ctx->packet->buffer,
872 SILC_STR_UI_XNSTRING_ALLOC(&auth_data,
876 SILC_LOG_DEBUG(("Bad payload in authentication packet"));
877 protocol->state = SILC_PROTOCOL_STATE_ERROR;
878 silc_protocol_execute(protocol, server->schedule, 0, 300000);
884 * Check the remote connection type and make sure that we have
885 * configured this connection. If we haven't allowed this connection
886 * the authentication must be failed.
889 SILC_LOG_DEBUG(("Remote connection type %d", conn_type));
891 /* Remote end is client */
892 if (conn_type == SILC_SOCKET_TYPE_CLIENT) {
893 SilcServerConfigSectionClientConnection *client = ctx->cconfig;
896 switch(client->auth_meth) {
898 /* No authentication required */
899 SILC_LOG_DEBUG(("No authentication required"));
902 case SILC_AUTH_PASSWORD:
903 /* Password authentication */
904 SILC_LOG_DEBUG(("Password authentication"));
905 ret = silc_server_password_authentication(server, auth_data,
911 /* Authentication failed */
912 SILC_LOG_ERROR(("Authentication failed"));
913 SILC_LOG_DEBUG(("Authentication failed"));
914 silc_free(auth_data);
915 protocol->state = SILC_PROTOCOL_STATE_ERROR;
916 silc_protocol_execute(protocol, server->schedule,
921 case SILC_AUTH_PUBLIC_KEY:
922 /* Public key authentication */
923 SILC_LOG_DEBUG(("Public key authentication"));
924 ret = silc_server_public_key_authentication(server,
933 SILC_LOG_ERROR(("Authentication failed"));
934 SILC_LOG_DEBUG(("Authentication failed"));
935 silc_free(auth_data);
936 protocol->state = SILC_PROTOCOL_STATE_ERROR;
937 silc_protocol_execute(protocol, server->schedule,
942 SILC_LOG_DEBUG(("No configuration for remote connection"));
943 SILC_LOG_ERROR(("Remote connection not configured"));
944 SILC_LOG_ERROR(("Authentication failed"));
945 silc_free(auth_data);
946 protocol->state = SILC_PROTOCOL_STATE_ERROR;
947 silc_protocol_execute(protocol, server->schedule,
953 /* Remote end is server */
954 if (conn_type == SILC_SOCKET_TYPE_SERVER) {
955 SilcServerConfigSectionServerConnection *serv = ctx->sconfig;
958 switch(serv->auth_meth) {
960 /* No authentication required */
961 SILC_LOG_DEBUG(("No authentication required"));
964 case SILC_AUTH_PASSWORD:
965 /* Password authentication */
966 SILC_LOG_DEBUG(("Password authentication"));
967 ret = silc_server_password_authentication(server, auth_data,
973 /* Authentication failed */
974 SILC_LOG_ERROR(("Authentication failed"));
975 SILC_LOG_DEBUG(("Authentication failed"));
976 silc_free(auth_data);
977 protocol->state = SILC_PROTOCOL_STATE_ERROR;
978 silc_protocol_execute(protocol, server->schedule,
983 case SILC_AUTH_PUBLIC_KEY:
984 /* Public key authentication */
985 SILC_LOG_DEBUG(("Public key authentication"));
986 ret = silc_server_public_key_authentication(server,
995 SILC_LOG_ERROR(("Authentication failed"));
996 SILC_LOG_DEBUG(("Authentication failed"));
997 silc_free(auth_data);
998 protocol->state = SILC_PROTOCOL_STATE_ERROR;
999 silc_protocol_execute(protocol, server->schedule,
1004 SILC_LOG_DEBUG(("No configuration for remote connection"));
1005 SILC_LOG_ERROR(("Remote connection not configured"));
1006 SILC_LOG_ERROR(("Authentication failed"));
1007 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1008 silc_protocol_execute(protocol, server->schedule,
1010 silc_free(auth_data);
1015 /* Remote end is router */
1016 if (conn_type == SILC_SOCKET_TYPE_ROUTER) {
1017 SilcServerConfigSectionServerConnection *serv = ctx->rconfig;
1020 switch(serv->auth_meth) {
1021 case SILC_AUTH_NONE:
1022 /* No authentication required */
1023 SILC_LOG_DEBUG(("No authentication required"));
1026 case SILC_AUTH_PASSWORD:
1027 /* Password authentication */
1028 SILC_LOG_DEBUG(("Password authentication"));
1029 ret = silc_server_password_authentication(server, auth_data,
1035 /* Authentication failed */
1036 SILC_LOG_ERROR(("Authentication failed"));
1037 SILC_LOG_DEBUG(("Authentication failed"));
1038 silc_free(auth_data);
1039 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1040 silc_protocol_execute(protocol, server->schedule,
1045 case SILC_AUTH_PUBLIC_KEY:
1046 /* Public key authentication */
1047 SILC_LOG_DEBUG(("Public key authentication"));
1048 ret = silc_server_public_key_authentication(server,
1057 SILC_LOG_ERROR(("Authentication failed"));
1058 SILC_LOG_DEBUG(("Authentication failed"));
1059 silc_free(auth_data);
1060 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1061 silc_protocol_execute(protocol, server->schedule,
1066 SILC_LOG_DEBUG(("No configuration for remote connection"));
1067 SILC_LOG_ERROR(("Remote connection not configured"));
1068 SILC_LOG_ERROR(("Authentication failed"));
1069 silc_free(auth_data);
1070 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1071 silc_protocol_execute(protocol, server->schedule,
1077 silc_free(auth_data);
1079 /* Save connection type. This is later used to create the
1080 ID for the connection. */
1081 ctx->conn_type = conn_type;
1083 /* Advance protocol state. */
1084 protocol->state = SILC_PROTOCOL_STATE_END;
1085 silc_protocol_execute(protocol, server->schedule, 0, 0);
1089 * We are initiator. We are authenticating ourselves to a
1090 * remote server. We will send the authentication data to the
1091 * other end for verify.
1094 int payload_len = 0;
1095 unsigned char *auth_data = NULL;
1096 uint32 auth_data_len = 0;
1098 switch(ctx->auth_meth) {
1099 case SILC_AUTH_NONE:
1100 /* No authentication required */
1103 case SILC_AUTH_PASSWORD:
1104 /* Password authentication */
1105 if (ctx->auth_data && ctx->auth_data_len) {
1106 auth_data = strdup(ctx->auth_data);
1107 auth_data_len = ctx->auth_data_len;
1112 case SILC_AUTH_PUBLIC_KEY:
1114 unsigned char sign[1024];
1116 /* Public key authentication */
1117 silc_server_get_public_key_auth(server, sign, &auth_data_len,
1119 auth_data = silc_calloc(auth_data_len, sizeof(*auth_data));
1120 memcpy(auth_data, sign, auth_data_len);
1125 payload_len = 4 + auth_data_len;
1126 packet = silc_buffer_alloc(payload_len);
1127 silc_buffer_pull_tail(packet, SILC_BUFFER_END(packet));
1128 silc_buffer_format(packet,
1129 SILC_STR_UI_SHORT(payload_len),
1130 SILC_STR_UI_SHORT(server->server_type
1132 SILC_SOCKET_TYPE_SERVER :
1133 SILC_SOCKET_TYPE_ROUTER),
1134 SILC_STR_UI_XNSTRING(auth_data, auth_data_len),
1137 /* Send the packet to server */
1138 silc_server_packet_send(server, ctx->sock,
1139 SILC_PACKET_CONNECTION_AUTH, 0,
1140 packet->data, packet->len, TRUE);
1143 memset(auth_data, 0, auth_data_len);
1144 silc_free(auth_data);
1146 silc_buffer_free(packet);
1148 /* Next state is end of protocol */
1149 protocol->state = SILC_PROTOCOL_STATE_END;
1154 case SILC_PROTOCOL_STATE_END:
1159 unsigned char ok[4];
1161 SILC_PUT32_MSB(SILC_AUTH_OK, ok);
1163 /* Authentication successful */
1164 silc_server_packet_send(server, ctx->sock, SILC_PACKET_SUCCESS,
1167 /* Unregister the timeout task since the protocol has ended.
1168 This was the timeout task to be executed if the protocol is
1169 not completed fast enough. */
1170 if (ctx->timeout_task)
1171 silc_schedule_task_del(server->schedule, ctx->timeout_task);
1173 /* Protocol has ended, call the final callback */
1174 if (protocol->final_callback)
1175 silc_protocol_execute_final(protocol, server->schedule);
1177 silc_protocol_free(protocol);
1180 case SILC_PROTOCOL_STATE_ERROR:
1183 * Error. Send notify to remote.
1185 unsigned char error[4];
1187 SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
1189 /* Authentication failed */
1190 silc_server_packet_send(server, ctx->sock, SILC_PACKET_FAILURE,
1193 /* Unregister the timeout task since the protocol has ended.
1194 This was the timeout task to be executed if the protocol is
1195 not completed fast enough. */
1196 if (ctx->timeout_task)
1197 silc_schedule_task_del(server->schedule, ctx->timeout_task);
1199 /* On error the final callback is always called. */
1200 if (protocol->final_callback)
1201 silc_protocol_execute_final(protocol, server->schedule);
1203 silc_protocol_free(protocol);
1207 case SILC_PROTOCOL_STATE_FAILURE:
1209 * We have received failure from remote
1212 /* Unregister the timeout task since the protocol has ended.
1213 This was the timeout task to be executed if the protocol is
1214 not completed fast enough. */
1215 if (ctx->timeout_task)
1216 silc_schedule_task_del(server->schedule, ctx->timeout_task);
1218 /* On error the final callback is always called. */
1219 if (protocol->final_callback)
1220 silc_protocol_execute_final(protocol, server->schedule);
1222 silc_protocol_free(protocol);
1225 case SILC_PROTOCOL_STATE_UNKNOWN:
1231 * Re-key protocol routines
1234 /* Actually takes the new keys into use. */
1237 silc_server_protocol_rekey_validate(SilcServer server,
1238 SilcServerRekeyInternalContext *ctx,
1239 SilcIDListData idata,
1240 SilcSKEKeyMaterial *keymat,
1243 if (ctx->responder == TRUE) {
1245 silc_cipher_set_key(idata->send_key, keymat->receive_enc_key,
1246 keymat->enc_key_len);
1247 silc_cipher_set_iv(idata->send_key, keymat->receive_iv);
1248 silc_hmac_set_key(idata->hmac_send, keymat->receive_hmac_key,
1249 keymat->hmac_key_len);
1251 silc_cipher_set_key(idata->receive_key, keymat->send_enc_key,
1252 keymat->enc_key_len);
1253 silc_cipher_set_iv(idata->receive_key, keymat->send_iv);
1254 silc_hmac_set_key(idata->hmac_receive, keymat->send_hmac_key,
1255 keymat->hmac_key_len);
1259 silc_cipher_set_key(idata->send_key, keymat->send_enc_key,
1260 keymat->enc_key_len);
1261 silc_cipher_set_iv(idata->send_key, keymat->send_iv);
1262 silc_hmac_set_key(idata->hmac_send, keymat->send_hmac_key,
1263 keymat->hmac_key_len);
1265 silc_cipher_set_key(idata->receive_key, keymat->receive_enc_key,
1266 keymat->enc_key_len);
1267 silc_cipher_set_iv(idata->receive_key, keymat->receive_iv);
1268 silc_hmac_set_key(idata->hmac_receive, keymat->receive_hmac_key,
1269 keymat->hmac_key_len);
1273 /* Save the current sending encryption key */
1275 memset(idata->rekey->send_enc_key, 0, idata->rekey->enc_key_len);
1276 silc_free(idata->rekey->send_enc_key);
1277 idata->rekey->send_enc_key =
1278 silc_calloc(keymat->enc_key_len / 8,
1279 sizeof(*idata->rekey->send_enc_key));
1280 memcpy(idata->rekey->send_enc_key, keymat->send_enc_key,
1281 keymat->enc_key_len / 8);
1282 idata->rekey->enc_key_len = keymat->enc_key_len / 8;
1286 /* This function actually re-generates (when not using PFS) the keys and
1287 takes them into use. */
1289 void silc_server_protocol_rekey_generate(SilcServer server,
1290 SilcServerRekeyInternalContext *ctx,
1293 SilcIDListData idata = (SilcIDListData)ctx->sock->user_data;
1294 SilcSKEKeyMaterial *keymat;
1295 uint32 key_len = silc_cipher_get_key_len(idata->send_key);
1296 uint32 hash_len = idata->hash->hash->hash_len;
1298 SILC_LOG_DEBUG(("Generating new %s session keys (no PFS)",
1299 send ? "sending" : "receiving"));
1301 /* Generate the new key */
1302 keymat = silc_calloc(1, sizeof(*keymat));
1303 silc_ske_process_key_material_data(idata->rekey->send_enc_key,
1304 idata->rekey->enc_key_len,
1305 16, key_len, hash_len,
1306 idata->hash, keymat);
1308 /* Set the keys into use */
1309 silc_server_protocol_rekey_validate(server, ctx, idata, keymat, send);
1311 silc_ske_free_key_material(keymat);
1314 /* This function actually re-generates (with PFS) the keys and
1315 takes them into use. */
1318 silc_server_protocol_rekey_generate_pfs(SilcServer server,
1319 SilcServerRekeyInternalContext *ctx,
1322 SilcIDListData idata = (SilcIDListData)ctx->sock->user_data;
1323 SilcSKEKeyMaterial *keymat;
1324 uint32 key_len = silc_cipher_get_key_len(idata->send_key);
1325 uint32 hash_len = idata->hash->hash->hash_len;
1326 unsigned char *tmpbuf;
1329 SILC_LOG_DEBUG(("Generating new %s session keys (with PFS)",
1330 send ? "sending" : "receiving"));
1332 /* Encode KEY to binary data */
1333 tmpbuf = silc_mp_mp2bin(ctx->ske->KEY, 0, &klen);
1335 /* Generate the new key */
1336 keymat = silc_calloc(1, sizeof(*keymat));
1337 silc_ske_process_key_material_data(tmpbuf, klen, 16, key_len, hash_len,
1338 idata->hash, keymat);
1340 /* Set the keys into use */
1341 silc_server_protocol_rekey_validate(server, ctx, idata, keymat, send);
1343 memset(tmpbuf, 0, klen);
1345 silc_ske_free_key_material(keymat);
1348 /* Packet sending callback. This function is provided as packet sending
1349 routine to the Key Exchange functions. */
1352 silc_server_protocol_rekey_send_packet(SilcSKE ske,
1354 SilcPacketType type,
1357 SilcProtocol protocol = (SilcProtocol)context;
1358 SilcServerRekeyInternalContext *ctx =
1359 (SilcServerRekeyInternalContext *)protocol->context;
1360 SilcServer server = (SilcServer)ctx->server;
1362 /* Send the packet immediately */
1363 silc_server_packet_send(server, ctx->sock,
1364 type, 0, packet->data, packet->len, FALSE);
1367 /* Performs re-key as defined in the SILC protocol specification. */
1369 SILC_TASK_CALLBACK(silc_server_protocol_rekey)
1371 SilcProtocol protocol = (SilcProtocol)context;
1372 SilcServerRekeyInternalContext *ctx =
1373 (SilcServerRekeyInternalContext *)protocol->context;
1374 SilcServer server = (SilcServer)ctx->server;
1375 SilcIDListData idata = (SilcIDListData)ctx->sock->user_data;
1376 SilcSKEStatus status;
1378 SILC_LOG_DEBUG(("Start"));
1380 if (protocol->state == SILC_PROTOCOL_STATE_UNKNOWN)
1381 protocol->state = SILC_PROTOCOL_STATE_START;
1383 SILC_LOG_DEBUG(("State=%d", protocol->state));
1385 switch(protocol->state) {
1386 case SILC_PROTOCOL_STATE_START:
1392 if (ctx->responder == TRUE) {
1394 * We are receiving party
1397 if (ctx->pfs == TRUE) {
1399 * Use Perfect Forward Secrecy, ie. negotiate the key material
1400 * using the SKE protocol.
1403 if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_1) {
1404 /* Error in protocol */
1405 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1406 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1410 ctx->ske = silc_ske_alloc();
1411 ctx->ske->rng = server->rng;
1412 ctx->ske->prop = silc_calloc(1, sizeof(*ctx->ske->prop));
1413 silc_ske_group_get_by_number(idata->rekey->ske_group,
1414 &ctx->ske->prop->group);
1416 silc_ske_set_callbacks(ctx->ske,
1417 silc_server_protocol_rekey_send_packet,
1418 NULL, NULL, NULL, silc_ske_check_version,
1421 status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer);
1422 if (status != SILC_SKE_STATUS_OK) {
1423 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1424 silc_ske_map_status(status)));
1426 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1427 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1431 /* Advance the protocol state */
1433 silc_protocol_execute(protocol, server->schedule, 0, 0);
1436 * Do normal and simple re-key.
1439 /* Send the REKEY_DONE to indicate we will take new keys into use */
1440 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY_DONE,
1443 /* After we send REKEY_DONE we must set the sending encryption
1444 key to the new key since all packets after this packet must
1445 encrypted with the new key. */
1446 silc_server_protocol_rekey_generate(server, ctx, TRUE);
1448 /* The protocol ends in next stage. */
1449 protocol->state = SILC_PROTOCOL_STATE_END;
1454 * We are the initiator of this protocol
1457 /* Start the re-key by sending the REKEY packet */
1458 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY,
1461 if (ctx->pfs == TRUE) {
1463 * Use Perfect Forward Secrecy, ie. negotiate the key material
1464 * using the SKE protocol.
1466 ctx->ske = silc_ske_alloc();
1467 ctx->ske->rng = server->rng;
1468 ctx->ske->prop = silc_calloc(1, sizeof(*ctx->ske->prop));
1469 silc_ske_group_get_by_number(idata->rekey->ske_group,
1470 &ctx->ske->prop->group);
1472 silc_ske_set_callbacks(ctx->ske,
1473 silc_server_protocol_rekey_send_packet,
1474 NULL, NULL, NULL, silc_ske_check_version,
1477 status = silc_ske_initiator_phase_2(ctx->ske, NULL, NULL);
1478 if (status != SILC_SKE_STATUS_OK) {
1479 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1480 silc_ske_map_status(status)));
1482 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1483 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1487 /* Advance the protocol state */
1491 * Do normal and simple re-key.
1494 /* Send the REKEY_DONE to indicate we will take new keys into use
1496 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY_DONE,
1499 /* After we send REKEY_DONE we must set the sending encryption
1500 key to the new key since all packets after this packet must
1501 encrypted with the new key. */
1502 silc_server_protocol_rekey_generate(server, ctx, TRUE);
1504 /* The protocol ends in next stage. */
1505 protocol->state = SILC_PROTOCOL_STATE_END;
1513 * Second state, used only when oding re-key with PFS.
1515 if (ctx->responder == TRUE) {
1516 if (ctx->pfs == TRUE) {
1518 * Send our KE packe to the initiator now that we've processed
1519 * the initiator's KE packet.
1521 status = silc_ske_responder_finish(ctx->ske, NULL, NULL,
1522 SILC_SKE_PK_TYPE_SILC);
1523 if (status != SILC_SKE_STATUS_OK) {
1524 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1525 silc_ske_map_status(status)));
1527 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1528 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1534 if (ctx->pfs == TRUE) {
1536 * The packet type must be KE packet
1538 if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_2) {
1539 /* Error in protocol */
1540 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1541 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1545 status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer);
1546 if (status != SILC_SKE_STATUS_OK) {
1547 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1548 silc_ske_map_status(status)));
1550 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1551 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1557 /* Send the REKEY_DONE to indicate we will take new keys into use
1559 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY_DONE,
1562 /* After we send REKEY_DONE we must set the sending encryption
1563 key to the new key since all packets after this packet must
1564 encrypted with the new key. */
1565 silc_server_protocol_rekey_generate_pfs(server, ctx, TRUE);
1567 /* The protocol ends in next stage. */
1568 protocol->state = SILC_PROTOCOL_STATE_END;
1571 case SILC_PROTOCOL_STATE_END:
1576 if (ctx->packet->type != SILC_PACKET_REKEY_DONE) {
1577 /* Error in protocol */
1578 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1579 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1583 /* We received the REKEY_DONE packet and all packets after this is
1584 encrypted with the new key so set the decryption key to the new key */
1585 silc_server_protocol_rekey_generate(server, ctx, FALSE);
1587 /* Protocol has ended, call the final callback */
1588 if (protocol->final_callback)
1589 silc_protocol_execute_final(protocol, server->schedule);
1591 silc_protocol_free(protocol);
1594 case SILC_PROTOCOL_STATE_ERROR:
1599 if (ctx->pfs == TRUE) {
1600 /* Send abort notification */
1601 silc_ske_abort(ctx->ske, ctx->ske->status);
1604 /* On error the final callback is always called. */
1605 if (protocol->final_callback)
1606 silc_protocol_execute_final(protocol, server->schedule);
1608 silc_protocol_free(protocol);
1611 case SILC_PROTOCOL_STATE_FAILURE:
1613 * We have received failure from remote
1616 /* On error the final callback is always called. */
1617 if (protocol->final_callback)
1618 silc_protocol_execute_final(protocol, server->schedule);
1620 silc_protocol_free(protocol);
1623 case SILC_PROTOCOL_STATE_UNKNOWN:
1629 /* Registers protocols used in server. */
1631 void silc_server_protocols_register(void)
1633 silc_protocol_register(SILC_PROTOCOL_SERVER_CONNECTION_AUTH,
1634 silc_server_protocol_connection_auth);
1635 silc_protocol_register(SILC_PROTOCOL_SERVER_KEY_EXCHANGE,
1636 silc_server_protocol_key_exchange);
1637 silc_protocol_register(SILC_PROTOCOL_SERVER_REKEY,
1638 silc_server_protocol_rekey);
1639 silc_protocol_register(SILC_PROTOCOL_SERVER_BACKUP,
1640 silc_server_protocol_backup);
1643 /* Unregisters protocols */
1645 void silc_server_protocols_unregister(void)
1647 silc_protocol_unregister(SILC_PROTOCOL_SERVER_CONNECTION_AUTH,
1648 silc_server_protocol_connection_auth);
1649 silc_protocol_unregister(SILC_PROTOCOL_SERVER_KEY_EXCHANGE,
1650 silc_server_protocol_key_exchange);
1651 silc_protocol_unregister(SILC_PROTOCOL_SERVER_REKEY,
1652 silc_server_protocol_rekey);
1653 silc_protocol_unregister(SILC_PROTOCOL_SERVER_BACKUP,
1654 silc_server_protocol_backup);