5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 1997 - 2001 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
21 * Server side of the protocols.
25 #include "serverincludes.h"
26 #include "server_internal.h"
28 SILC_TASK_CALLBACK(silc_server_protocol_connection_auth);
29 SILC_TASK_CALLBACK(silc_server_protocol_key_exchange);
30 SILC_TASK_CALLBACK(silc_server_protocol_rekey);
32 extern char *silc_version_string;
35 * Key Exhange protocol functions
39 silc_verify_public_key_internal(SilcServer server, SilcSocketConnection sock,
40 SilcSocketType conn_type,
41 unsigned char *pk, uint32 pk_len,
42 SilcSKEPKType pk_type)
44 char file[256], filename[256], *fingerprint;
47 if (pk_type != SILC_SKE_PK_TYPE_SILC) {
48 SILC_LOG_WARNING(("We don't support %s (%s) port %d public key type %d",
49 sock->hostname, sock->ip, sock->port, pk_type));
53 /* Accept client keys without verification */
54 if (conn_type == SILC_SOCKET_TYPE_CLIENT) {
55 SILC_LOG_DEBUG(("Accepting client public key without verification"));
59 /* XXX For now, accept server keys without verification too. We are
60 currently always doing mutual authentication so the proof of posession
61 of the private key is verified, and if server is authenticated in
62 conn auth protocol with public key we MUST have the key already. */
64 /* Rest is unreachable code! */
66 memset(filename, 0, sizeof(filename));
67 memset(file, 0, sizeof(file));
68 snprintf(file, sizeof(file) - 1, "serverkey_%s_%d.pub", sock->hostname,
70 snprintf(filename, sizeof(filename) - 1, SILC_ETCDIR "/serverkeys/%s",
73 /* Create serverkeys directory if it doesn't exist. */
74 if (stat(SILC_ETCDIR "/serverkeys", &st) < 0) {
75 /* If dir doesn't exist */
76 if (errno == ENOENT) {
77 if (mkdir(SILC_ETCDIR "/serverkeys", 0755) < 0) {
78 SILC_LOG_ERROR(("Couldn't create `%s' directory\n",
79 SILC_ETCDIR "/serverkeys"));
83 SILC_LOG_ERROR(("%s\n", strerror(errno)));
88 /* Take fingerprint of the public key */
89 fingerprint = silc_hash_fingerprint(NULL, pk, pk_len);
90 SILC_LOG_DEBUG(("Received server %s (%s) port %d public key (%s)",
91 sock->hostname, sock->ip, sock->port, fingerprint));
92 silc_free(fingerprint);
94 /* Check whether this key already exists */
95 if (stat(filename, &st) < 0) {
96 /* We don't have it, then cache it. */
97 SILC_LOG_DEBUG(("New public key from server"));
99 silc_pkcs_save_public_key_data(filename, pk, pk_len,
103 /* The key already exists, verify it. */
104 SilcPublicKey public_key;
105 unsigned char *encpk;
108 SILC_LOG_DEBUG(("We have the public key saved locally"));
110 /* Load the key file */
111 if (!silc_pkcs_load_public_key(filename, &public_key,
113 if (!silc_pkcs_load_public_key(filename, &public_key,
114 SILC_PKCS_FILE_BIN)) {
115 SILC_LOG_WARNING(("Could not load local copy of the %s (%s) port %d "
116 "server public key", sock->hostname, sock->ip,
119 /* Save the key for future checking */
121 silc_pkcs_save_public_key_data(filename, pk, pk_len,
126 /* Encode the key data */
127 encpk = silc_pkcs_public_key_encode(public_key, &encpk_len);
129 SILC_LOG_WARNING(("Local copy of the server %s (%s) port %d public key "
130 "is malformed", sock->hostname, sock->ip, sock->port));
132 /* Save the key for future checking */
134 silc_pkcs_save_public_key_data(filename, pk, pk_len, SILC_PKCS_FILE_PEM);
138 if (memcmp(pk, encpk, encpk_len)) {
139 SILC_LOG_WARNING(("%s (%s) port %d server public key does not match "
140 "with local copy", sock->hostname, sock->ip,
142 SILC_LOG_WARNING(("It is possible that the key has expired or changed"));
143 SILC_LOG_WARNING(("It is also possible that some one is performing "
144 "man-in-the-middle attack"));
145 SILC_LOG_WARNING(("Will not accept the server %s (%s) port %d public "
147 sock->hostname, sock->ip, sock->port));
151 /* Local copy matched */
156 /* Callback that is called when we have received KE2 payload from
157 responder. We try to verify the public key now. */
160 silc_server_protocol_ke_verify_key(SilcSKE ske,
161 unsigned char *pk_data,
163 SilcSKEPKType pk_type,
165 SilcSKEVerifyCbCompletion completion,
166 void *completion_context)
168 SilcProtocol protocol = (SilcProtocol)context;
169 SilcServerKEInternalContext *ctx =
170 (SilcServerKEInternalContext *)protocol->context;
171 SilcServer server = (SilcServer)ctx->server;
173 SILC_LOG_DEBUG(("Start"));
175 if (silc_verify_public_key_internal(server, ctx->sock,
176 (ctx->responder == FALSE ?
177 SILC_SOCKET_TYPE_ROUTER:
178 ctx->sconfig ? SILC_SOCKET_TYPE_SERVER :
179 ctx->rconfig ? SILC_SOCKET_TYPE_ROUTER :
180 SILC_SOCKET_TYPE_CLIENT),
181 pk_data, pk_len, pk_type))
182 completion(ske, SILC_SKE_STATUS_OK, completion_context);
184 completion(ske, SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY,
188 /* Packet sending callback. This function is provided as packet sending
189 routine to the Key Exchange functions. */
191 static void silc_server_protocol_ke_send_packet(SilcSKE ske,
196 SilcProtocol protocol = (SilcProtocol)context;
197 SilcServerKEInternalContext *ctx =
198 (SilcServerKEInternalContext *)protocol->context;
199 SilcServer server = (SilcServer)ctx->server;
201 /* Send the packet immediately */
202 silc_server_packet_send(server, ske->sock,
203 type, 0, packet->data, packet->len, TRUE);
206 /* Sets the negotiated key material into use for particular connection. */
208 int silc_server_protocol_ke_set_keys(SilcServer server,
210 SilcSocketConnection sock,
211 SilcSKEKeyMaterial *keymat,
216 SilcSKEDiffieHellmanGroup group,
219 SilcUnknownEntry conn_data;
220 SilcIDListData idata;
222 SILC_LOG_DEBUG(("Setting new key into use"));
224 conn_data = silc_calloc(1, sizeof(*conn_data));
225 idata = (SilcIDListData)conn_data;
227 /* Allocate cipher to be used in the communication */
228 if (!silc_cipher_alloc(cipher->cipher->name, &idata->send_key)) {
229 silc_free(conn_data);
232 if (!silc_cipher_alloc(cipher->cipher->name, &idata->receive_key)) {
233 silc_free(conn_data);
237 if (!silc_hmac_alloc((char *)silc_hmac_get_name(hmac), NULL,
238 &idata->hmac_send)) {
239 silc_cipher_free(idata->send_key);
240 silc_cipher_free(idata->receive_key);
241 silc_free(conn_data);
245 if (!silc_hmac_alloc((char *)silc_hmac_get_name(hmac), NULL,
246 &idata->hmac_receive)) {
247 silc_cipher_free(idata->send_key);
248 silc_cipher_free(idata->receive_key);
249 silc_hmac_free(idata->hmac_send);
250 silc_free(conn_data);
254 if (is_responder == TRUE) {
255 silc_cipher_set_key(idata->send_key, keymat->receive_enc_key,
256 keymat->enc_key_len);
257 silc_cipher_set_iv(idata->send_key, keymat->receive_iv);
258 silc_cipher_set_key(idata->receive_key, keymat->send_enc_key,
259 keymat->enc_key_len);
260 silc_cipher_set_iv(idata->receive_key, keymat->send_iv);
261 silc_hmac_set_key(idata->hmac_send, keymat->receive_hmac_key,
262 keymat->hmac_key_len);
263 silc_hmac_set_key(idata->hmac_receive, keymat->send_hmac_key,
264 keymat->hmac_key_len);
266 silc_cipher_set_key(idata->send_key, keymat->send_enc_key,
267 keymat->enc_key_len);
268 silc_cipher_set_iv(idata->send_key, keymat->send_iv);
269 silc_cipher_set_key(idata->receive_key, keymat->receive_enc_key,
270 keymat->enc_key_len);
271 silc_cipher_set_iv(idata->receive_key, keymat->receive_iv);
272 silc_hmac_set_key(idata->hmac_send, keymat->send_hmac_key,
273 keymat->hmac_key_len);
274 silc_hmac_set_key(idata->hmac_receive, keymat->receive_hmac_key,
275 keymat->hmac_key_len);
278 idata->rekey = silc_calloc(1, sizeof(*idata->rekey));
279 idata->rekey->send_enc_key =
280 silc_calloc(keymat->enc_key_len / 8,
281 sizeof(*idata->rekey->send_enc_key));
282 memcpy(idata->rekey->send_enc_key,
283 keymat->send_enc_key, keymat->enc_key_len / 8);
284 idata->rekey->enc_key_len = keymat->enc_key_len / 8;
286 if (ske->start_payload->flags & SILC_SKE_SP_FLAG_PFS)
287 idata->rekey->pfs = TRUE;
288 idata->rekey->ske_group = silc_ske_group_get_number(group);
291 if (!silc_hash_alloc(hash->hash->name, &idata->hash)) {
292 silc_cipher_free(idata->send_key);
293 silc_cipher_free(idata->receive_key);
294 silc_hmac_free(idata->hmac_send);
295 silc_hmac_free(idata->hmac_receive);
296 silc_free(conn_data);
300 /* Save the remote host's public key */
301 silc_pkcs_public_key_decode(ske->ke1_payload->pk_data,
302 ske->ke1_payload->pk_len, &idata->public_key);
303 if (ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL)
304 silc_hash_make(server->sha1hash, ske->ke1_payload->pk_data,
305 ske->ke1_payload->pk_len, idata->fingerprint);
307 sock->user_data = (void *)conn_data;
309 SILC_LOG_INFO(("%s (%s) security properties: %s %s %s",
310 sock->hostname, sock->ip,
311 idata->send_key->cipher->name,
312 (char *)silc_hmac_get_name(idata->hmac_send),
313 idata->hash->hash->name));
318 /* Check remote host version string */
320 SilcSKEStatus silc_ske_check_version(SilcSKE ske, unsigned char *version,
321 uint32 len, void *context)
323 SilcSKEStatus status = SILC_SKE_STATUS_OK;
325 int maj = 0, min = 0, build = 0, maj2 = 0, min2 = 0, build2 = 0;
327 SILC_LOG_INFO(("%s (%s) is version %s", ske->sock->hostname,
328 ske->sock->ip, version));
330 /* Check for initial version string */
331 if (!strstr(version, "SILC-1.0-"))
332 status = SILC_SKE_STATUS_BAD_VERSION;
334 /* Check software version */
338 status = SILC_SKE_STATUS_BAD_VERSION;
341 cp = strchr(cp, '.');
347 cp = strchr(cp, '.');
349 build = atoi(cp + 1);
352 cp = silc_version_string + 9;
354 status = SILC_SKE_STATUS_BAD_VERSION;
357 cp = strchr(cp, '.');
363 cp = strchr(cp, '.');
365 build2 = atoi(cp + 1);
369 status = SILC_SKE_STATUS_BAD_VERSION;
372 status = SILC_SKE_STATUS_BAD_VERSION;
375 /* XXX < 0.6 is not allowed */
376 if (maj == 0 && min < 5)
377 status = SILC_SKE_STATUS_BAD_VERSION;
379 /* XXX backward support for 0.6.1 */
380 if (maj == 0 && min == 6 && build < 2)
381 ske->backward_version = 1;
386 /* Callback that is called by the SKE to indicate that it is safe to
387 continue the execution of the protocol. This is used only if we are
388 initiator. Is given as argument to the silc_ske_initiator_finish or
389 silc_ske_responder_phase_2 functions. This is called due to the fact
390 that the public key verification process is asynchronous and we must
391 not continue the protocl until the public key has been verified and
392 this callback is called. */
394 static void silc_server_protocol_ke_continue(SilcSKE ske, void *context)
396 SilcProtocol protocol = (SilcProtocol)context;
397 SilcServerKEInternalContext *ctx =
398 (SilcServerKEInternalContext *)protocol->context;
399 SilcServer server = (SilcServer)ctx->server;
401 SILC_LOG_DEBUG(("Start"));
403 if (ske->status != SILC_SKE_STATUS_OK) {
404 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
405 silc_ske_map_status(ske->status)));
406 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
407 silc_ske_map_status(ske->status)));
409 protocol->state = SILC_PROTOCOL_STATE_ERROR;
410 silc_protocol_execute(protocol, server->schedule, 0, 300000);
414 /* Send Ok to the other end. We will end the protocol as responder
415 sends Ok to us when we will take the new keys into use. */
416 if (ctx->responder == FALSE) {
417 silc_ske_end(ctx->ske);
419 /* End the protocol on the next round */
420 protocol->state = SILC_PROTOCOL_STATE_END;
423 /* Advance protocol state and call the next state if we are responder.
424 This happens when this callback was sent to silc_ske_responder_phase_2
426 if (ctx->responder == TRUE) {
428 silc_protocol_execute(protocol, server->schedule, 0, 100000);
432 /* Performs key exchange protocol. This is used for both initiator
433 and responder key exchange. This is performed always when accepting
434 new connection to the server. This may be called recursively. */
436 SILC_TASK_CALLBACK(silc_server_protocol_key_exchange)
438 SilcProtocol protocol = (SilcProtocol)context;
439 SilcServerKEInternalContext *ctx =
440 (SilcServerKEInternalContext *)protocol->context;
441 SilcServer server = (SilcServer)ctx->server;
442 SilcSKEStatus status = SILC_SKE_STATUS_OK;
444 SILC_LOG_DEBUG(("Start"));
446 if (protocol->state == SILC_PROTOCOL_STATE_UNKNOWN)
447 protocol->state = SILC_PROTOCOL_STATE_START;
449 SILC_LOG_DEBUG(("State=%d", protocol->state));
451 switch(protocol->state) {
452 case SILC_PROTOCOL_STATE_START:
459 /* Allocate Key Exchange object */
460 ske = silc_ske_alloc();
462 ske->rng = server->rng;
464 silc_ske_set_callbacks(ske, silc_server_protocol_ke_send_packet, NULL,
465 silc_server_protocol_ke_verify_key,
466 silc_server_protocol_ke_continue,
467 silc_ske_check_version, context);
469 if (ctx->responder == TRUE) {
470 /* Start the key exchange by processing the received security
471 properties packet from initiator. */
472 status = silc_ske_responder_start(ske, ctx->rng, ctx->sock,
474 ctx->packet->buffer, TRUE);
476 SilcSKEStartPayload *start_payload;
478 /* Assemble security properties. */
479 silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_MUTUAL,
483 /* Start the key exchange by sending our security properties
484 to the remote end. */
485 status = silc_ske_initiator_start(ske, ctx->rng, ctx->sock,
489 /* Return now if the procedure is pending. */
490 if (status == SILC_SKE_STATUS_PENDING)
493 if (status != SILC_SKE_STATUS_OK) {
494 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
495 silc_ske_map_status(status)));
496 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
497 silc_ske_map_status(status)));
499 protocol->state = SILC_PROTOCOL_STATE_ERROR;
500 silc_protocol_execute(protocol, server->schedule, 0, 300000);
504 /* Advance protocol state and call the next state if we are responder */
506 if (ctx->responder == TRUE)
507 silc_protocol_execute(protocol, server->schedule, 0, 100000);
515 if (ctx->responder == TRUE) {
516 /* Sends the selected security properties to the initiator. */
517 status = silc_ske_responder_phase_1(ctx->ske,
518 ctx->ske->start_payload);
520 /* Call Phase-1 function. This processes the Key Exchange Start
521 paylaod reply we just got from the responder. The callback
522 function will receive the processed payload where we will
524 status = silc_ske_initiator_phase_1(ctx->ske, ctx->packet->buffer);
527 /* Return now if the procedure is pending. */
528 if (status == SILC_SKE_STATUS_PENDING)
531 if (status != SILC_SKE_STATUS_OK) {
532 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
533 silc_ske_map_status(status)));
534 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
535 silc_ske_map_status(status)));
537 protocol->state = SILC_PROTOCOL_STATE_ERROR;
538 silc_protocol_execute(protocol, server->schedule, 0, 300000);
542 /* Advance protocol state and call next state if we are initiator */
544 if (ctx->responder == FALSE)
545 silc_protocol_execute(protocol, server->schedule, 0, 100000);
553 if (ctx->responder == TRUE) {
554 /* Process the received Key Exchange 1 Payload packet from
555 the initiator. This also creates our parts of the Diffie
556 Hellman algorithm. The silc_server_protocol_ke_continue
557 will be called after the public key has been verified. */
558 status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer);
560 /* Call the Phase-2 function. This creates Diffie Hellman
561 key exchange parameters and sends our public part inside
562 Key Exhange 1 Payload to the responder. */
563 status = silc_ske_initiator_phase_2(ctx->ske,
565 server->private_key);
569 /* Return now if the procedure is pending. */
570 if (status == SILC_SKE_STATUS_PENDING)
573 if (status != SILC_SKE_STATUS_OK) {
574 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
575 silc_ske_map_status(status)));
576 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
577 silc_ske_map_status(status)));
579 protocol->state = SILC_PROTOCOL_STATE_ERROR;
580 silc_protocol_execute(protocol, server->schedule, 0, 300000);
590 if (ctx->responder == TRUE) {
591 /* This creates the key exchange material and sends our
592 public parts to the initiator inside Key Exchange 2 Payload. */
593 status = silc_ske_responder_finish(ctx->ske,
596 SILC_SKE_PK_TYPE_SILC);
598 /* End the protocol on the next round */
599 protocol->state = SILC_PROTOCOL_STATE_END;
601 /* Finish the protocol. This verifies the Key Exchange 2 payload
602 sent by responder. The silc_server_protocol_ke_continue will
603 be called after the public key has been verified. */
604 status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer);
607 /* Return now if the procedure is pending. */
608 if (status == SILC_SKE_STATUS_PENDING)
611 if (status != SILC_SKE_STATUS_OK) {
612 SILC_LOG_WARNING(("Error (%s) during Key Exchange protocol",
613 silc_ske_map_status(status)));
614 SILC_LOG_DEBUG(("Error (%s) during Key Exchange protocol",
615 silc_ske_map_status(status)));
617 protocol->state = SILC_PROTOCOL_STATE_ERROR;
618 silc_protocol_execute(protocol, server->schedule, 0, 300000);
624 case SILC_PROTOCOL_STATE_END:
629 SilcSKEKeyMaterial *keymat;
630 int key_len = silc_cipher_get_key_len(ctx->ske->prop->cipher);
631 int hash_len = ctx->ske->prop->hash->hash->hash_len;
633 /* Process the key material */
634 keymat = silc_calloc(1, sizeof(*keymat));
635 status = silc_ske_process_key_material(ctx->ske, 16, key_len, hash_len,
637 if (status != SILC_SKE_STATUS_OK) {
638 protocol->state = SILC_PROTOCOL_STATE_ERROR;
639 silc_protocol_execute(protocol, server->schedule, 0, 300000);
640 silc_ske_free_key_material(keymat);
643 ctx->keymat = keymat;
645 /* Send Ok to the other end if we are responder. If we are initiator
646 we have sent this already. */
647 if (ctx->responder == TRUE)
648 silc_ske_end(ctx->ske);
650 /* Unregister the timeout task since the protocol has ended.
651 This was the timeout task to be executed if the protocol is
652 not completed fast enough. */
653 if (ctx->timeout_task)
654 silc_schedule_task_del(server->schedule, ctx->timeout_task);
656 /* Call the final callback */
657 if (protocol->final_callback)
658 silc_protocol_execute_final(protocol, server->schedule);
660 silc_protocol_free(protocol);
664 case SILC_PROTOCOL_STATE_ERROR:
669 /* Send abort notification */
670 silc_ske_abort(ctx->ske, ctx->ske->status);
672 /* Unregister the timeout task since the protocol has ended.
673 This was the timeout task to be executed if the protocol is
674 not completed fast enough. */
675 if (ctx->timeout_task)
676 silc_schedule_task_del(server->schedule, ctx->timeout_task);
678 /* On error the final callback is always called. */
679 if (protocol->final_callback)
680 silc_protocol_execute_final(protocol, server->schedule);
682 silc_protocol_free(protocol);
685 case SILC_PROTOCOL_STATE_FAILURE:
687 * We have received failure from remote
690 /* Unregister the timeout task since the protocol has ended.
691 This was the timeout task to be executed if the protocol is
692 not completed fast enough. */
693 if (ctx->timeout_task)
694 silc_schedule_task_del(server->schedule, ctx->timeout_task);
696 /* On error the final callback is always called. */
697 if (protocol->final_callback)
698 silc_protocol_execute_final(protocol, server->schedule);
700 silc_protocol_free(protocol);
703 case SILC_PROTOCOL_STATE_UNKNOWN:
709 * Connection Authentication protocol functions
713 silc_server_password_authentication(SilcServer server, char *remote_auth,
716 if (!remote_auth || !local_auth)
719 if (!memcmp(remote_auth, local_auth, strlen(local_auth)))
726 silc_server_public_key_authentication(SilcServer server,
727 SilcPublicKey pub_key,
736 if (!pub_key || !sign)
739 silc_pkcs_alloc(pub_key->name, &pkcs);
740 if (!silc_pkcs_public_key_set(pkcs, pub_key)) {
741 silc_pkcs_free(pkcs);
745 /* Make the authentication data. Protocol says it is HASH plus
747 len = ske->hash_len + ske->start_payload_copy->len;
748 auth = silc_buffer_alloc(len);
749 silc_buffer_pull_tail(auth, len);
750 silc_buffer_format(auth,
751 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
752 SILC_STR_UI_XNSTRING(ske->start_payload_copy->data,
753 ske->start_payload_copy->len),
756 /* Verify signature */
757 if (silc_pkcs_verify_with_hash(pkcs, ske->prop->hash, sign, sign_len,
758 auth->data, auth->len)) {
759 silc_pkcs_free(pkcs);
760 silc_buffer_free(auth);
764 silc_pkcs_free(pkcs);
765 silc_buffer_free(auth);
770 silc_server_get_public_key_auth(SilcServer server,
771 unsigned char *auth_data,
772 uint32 *auth_data_len,
781 /* Make the authentication data. Protocol says it is HASH plus
783 len = ske->hash_len + ske->start_payload_copy->len;
784 auth = silc_buffer_alloc(len);
785 silc_buffer_pull_tail(auth, len);
786 silc_buffer_format(auth,
787 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
788 SILC_STR_UI_XNSTRING(ske->start_payload_copy->data,
789 ske->start_payload_copy->len),
792 if (silc_pkcs_sign_with_hash(pkcs, ske->prop->hash, auth->data,
793 auth->len, auth_data, auth_data_len)) {
794 silc_buffer_free(auth);
798 silc_buffer_free(auth);
802 /* Performs connection authentication protocol. If responder, we
803 authenticate the remote data received. If initiator, we will send
804 authentication data to the remote end. */
806 SILC_TASK_CALLBACK(silc_server_protocol_connection_auth)
808 SilcProtocol protocol = (SilcProtocol)context;
809 SilcServerConnAuthInternalContext *ctx =
810 (SilcServerConnAuthInternalContext *)protocol->context;
811 SilcServer server = (SilcServer)ctx->server;
813 SILC_LOG_DEBUG(("Start"));
815 if (protocol->state == SILC_PROTOCOL_STATE_UNKNOWN)
816 protocol->state = SILC_PROTOCOL_STATE_START;
818 SILC_LOG_DEBUG(("State=%d", protocol->state));
820 switch(protocol->state) {
821 case SILC_PROTOCOL_STATE_START:
827 if (ctx->responder == TRUE) {
829 * We are receiving party
834 unsigned char *auth_data = NULL;
836 SILC_LOG_INFO(("Performing authentication protocol for %s (%s)",
837 ctx->sock->hostname, ctx->sock->ip));
839 /* Parse the received authentication data packet. The received
840 payload is Connection Auth Payload. */
841 ret = silc_buffer_unformat(ctx->packet->buffer,
842 SILC_STR_UI_SHORT(&payload_len),
843 SILC_STR_UI_SHORT(&conn_type),
846 SILC_LOG_DEBUG(("Bad payload in authentication packet"));
847 protocol->state = SILC_PROTOCOL_STATE_ERROR;
848 silc_protocol_execute(protocol, server->schedule, 0, 300000);
852 if (payload_len != ctx->packet->buffer->len) {
853 SILC_LOG_DEBUG(("Bad payload in authentication packet"));
854 protocol->state = SILC_PROTOCOL_STATE_ERROR;
855 silc_protocol_execute(protocol, server->schedule, 0, 300000);
861 if (conn_type < SILC_SOCKET_TYPE_CLIENT ||
862 conn_type > SILC_SOCKET_TYPE_ROUTER) {
863 SILC_LOG_ERROR(("Bad connection type %d", conn_type));
864 protocol->state = SILC_PROTOCOL_STATE_ERROR;
865 silc_protocol_execute(protocol, server->schedule, 0, 300000);
869 if (payload_len > 0) {
870 /* Get authentication data */
871 silc_buffer_pull(ctx->packet->buffer, 4);
872 ret = silc_buffer_unformat(ctx->packet->buffer,
873 SILC_STR_UI_XNSTRING_ALLOC(&auth_data,
877 SILC_LOG_DEBUG(("Bad payload in authentication packet"));
878 protocol->state = SILC_PROTOCOL_STATE_ERROR;
879 silc_protocol_execute(protocol, server->schedule, 0, 300000);
885 * Check the remote connection type and make sure that we have
886 * configured this connection. If we haven't allowed this connection
887 * the authentication must be failed.
890 SILC_LOG_DEBUG(("Remote connection type %d", conn_type));
892 /* Remote end is client */
893 if (conn_type == SILC_SOCKET_TYPE_CLIENT) {
894 SilcServerConfigSectionClientConnection *client = ctx->cconfig;
897 switch(client->auth_meth) {
899 /* No authentication required */
900 SILC_LOG_DEBUG(("No authentication required"));
903 case SILC_AUTH_PASSWORD:
904 /* Password authentication */
905 SILC_LOG_DEBUG(("Password authentication"));
906 ret = silc_server_password_authentication(server, auth_data,
912 /* Authentication failed */
913 SILC_LOG_ERROR(("Authentication failed"));
914 SILC_LOG_DEBUG(("Authentication failed"));
915 silc_free(auth_data);
916 protocol->state = SILC_PROTOCOL_STATE_ERROR;
917 silc_protocol_execute(protocol, server->schedule,
922 case SILC_AUTH_PUBLIC_KEY:
923 /* Public key authentication */
924 SILC_LOG_DEBUG(("Public key authentication"));
925 ret = silc_server_public_key_authentication(server,
934 SILC_LOG_ERROR(("Authentication failed"));
935 SILC_LOG_DEBUG(("Authentication failed"));
936 silc_free(auth_data);
937 protocol->state = SILC_PROTOCOL_STATE_ERROR;
938 silc_protocol_execute(protocol, server->schedule,
943 SILC_LOG_DEBUG(("No configuration for remote connection"));
944 SILC_LOG_ERROR(("Remote connection not configured"));
945 SILC_LOG_ERROR(("Authentication failed"));
946 silc_free(auth_data);
947 protocol->state = SILC_PROTOCOL_STATE_ERROR;
948 silc_protocol_execute(protocol, server->schedule,
954 /* Remote end is server */
955 if (conn_type == SILC_SOCKET_TYPE_SERVER) {
956 SilcServerConfigSectionServerConnection *serv = ctx->sconfig;
959 switch(serv->auth_meth) {
961 /* No authentication required */
962 SILC_LOG_DEBUG(("No authentication required"));
965 case SILC_AUTH_PASSWORD:
966 /* Password authentication */
967 SILC_LOG_DEBUG(("Password authentication"));
968 ret = silc_server_password_authentication(server, auth_data,
974 /* Authentication failed */
975 SILC_LOG_ERROR(("Authentication failed"));
976 SILC_LOG_DEBUG(("Authentication failed"));
977 silc_free(auth_data);
978 protocol->state = SILC_PROTOCOL_STATE_ERROR;
979 silc_protocol_execute(protocol, server->schedule,
984 case SILC_AUTH_PUBLIC_KEY:
985 /* Public key authentication */
986 SILC_LOG_DEBUG(("Public key authentication"));
987 ret = silc_server_public_key_authentication(server,
996 SILC_LOG_ERROR(("Authentication failed"));
997 SILC_LOG_DEBUG(("Authentication failed"));
998 silc_free(auth_data);
999 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1000 silc_protocol_execute(protocol, server->schedule,
1005 SILC_LOG_DEBUG(("No configuration for remote connection"));
1006 SILC_LOG_ERROR(("Remote connection not configured"));
1007 SILC_LOG_ERROR(("Authentication failed"));
1008 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1009 silc_protocol_execute(protocol, server->schedule,
1011 silc_free(auth_data);
1016 /* Remote end is router */
1017 if (conn_type == SILC_SOCKET_TYPE_ROUTER) {
1018 SilcServerConfigSectionServerConnection *serv = ctx->rconfig;
1021 switch(serv->auth_meth) {
1022 case SILC_AUTH_NONE:
1023 /* No authentication required */
1024 SILC_LOG_DEBUG(("No authentication required"));
1027 case SILC_AUTH_PASSWORD:
1028 /* Password authentication */
1029 SILC_LOG_DEBUG(("Password authentication"));
1030 ret = silc_server_password_authentication(server, auth_data,
1036 /* Authentication failed */
1037 SILC_LOG_ERROR(("Authentication failed"));
1038 SILC_LOG_DEBUG(("Authentication failed"));
1039 silc_free(auth_data);
1040 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1041 silc_protocol_execute(protocol, server->schedule,
1046 case SILC_AUTH_PUBLIC_KEY:
1047 /* Public key authentication */
1048 SILC_LOG_DEBUG(("Public key authentication"));
1049 ret = silc_server_public_key_authentication(server,
1058 SILC_LOG_ERROR(("Authentication failed"));
1059 SILC_LOG_DEBUG(("Authentication failed"));
1060 silc_free(auth_data);
1061 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1062 silc_protocol_execute(protocol, server->schedule,
1067 SILC_LOG_DEBUG(("No configuration for remote connection"));
1068 SILC_LOG_ERROR(("Remote connection not configured"));
1069 SILC_LOG_ERROR(("Authentication failed"));
1070 silc_free(auth_data);
1071 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1072 silc_protocol_execute(protocol, server->schedule,
1078 silc_free(auth_data);
1080 /* Save connection type. This is later used to create the
1081 ID for the connection. */
1082 ctx->conn_type = conn_type;
1084 /* Advance protocol state. */
1085 protocol->state = SILC_PROTOCOL_STATE_END;
1086 silc_protocol_execute(protocol, server->schedule, 0, 0);
1090 * We are initiator. We are authenticating ourselves to a
1091 * remote server. We will send the authentication data to the
1092 * other end for verify.
1095 int payload_len = 0;
1096 unsigned char *auth_data = NULL;
1097 uint32 auth_data_len = 0;
1099 switch(ctx->auth_meth) {
1100 case SILC_AUTH_NONE:
1101 /* No authentication required */
1104 case SILC_AUTH_PASSWORD:
1105 /* Password authentication */
1106 if (ctx->auth_data && ctx->auth_data_len) {
1107 auth_data = strdup(ctx->auth_data);
1108 auth_data_len = ctx->auth_data_len;
1113 case SILC_AUTH_PUBLIC_KEY:
1115 unsigned char sign[1024];
1117 /* Public key authentication */
1118 silc_server_get_public_key_auth(server, sign, &auth_data_len,
1120 auth_data = silc_calloc(auth_data_len, sizeof(*auth_data));
1121 memcpy(auth_data, sign, auth_data_len);
1126 payload_len = 4 + auth_data_len;
1127 packet = silc_buffer_alloc(payload_len);
1128 silc_buffer_pull_tail(packet, SILC_BUFFER_END(packet));
1129 silc_buffer_format(packet,
1130 SILC_STR_UI_SHORT(payload_len),
1131 SILC_STR_UI_SHORT(server->server_type
1133 SILC_SOCKET_TYPE_SERVER :
1134 SILC_SOCKET_TYPE_ROUTER),
1135 SILC_STR_UI_XNSTRING(auth_data, auth_data_len),
1138 /* Send the packet to server */
1139 silc_server_packet_send(server, ctx->sock,
1140 SILC_PACKET_CONNECTION_AUTH, 0,
1141 packet->data, packet->len, TRUE);
1144 memset(auth_data, 0, auth_data_len);
1145 silc_free(auth_data);
1147 silc_buffer_free(packet);
1149 /* Next state is end of protocol */
1150 protocol->state = SILC_PROTOCOL_STATE_END;
1155 case SILC_PROTOCOL_STATE_END:
1160 unsigned char ok[4];
1162 SILC_PUT32_MSB(SILC_AUTH_OK, ok);
1164 /* Authentication successful */
1165 silc_server_packet_send(server, ctx->sock, SILC_PACKET_SUCCESS,
1168 /* Unregister the timeout task since the protocol has ended.
1169 This was the timeout task to be executed if the protocol is
1170 not completed fast enough. */
1171 if (ctx->timeout_task)
1172 silc_schedule_task_del(server->schedule, ctx->timeout_task);
1174 /* Protocol has ended, call the final callback */
1175 if (protocol->final_callback)
1176 silc_protocol_execute_final(protocol, server->schedule);
1178 silc_protocol_free(protocol);
1181 case SILC_PROTOCOL_STATE_ERROR:
1184 * Error. Send notify to remote.
1186 unsigned char error[4];
1188 SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
1190 /* Authentication failed */
1191 silc_server_packet_send(server, ctx->sock, SILC_PACKET_FAILURE,
1194 /* Unregister the timeout task since the protocol has ended.
1195 This was the timeout task to be executed if the protocol is
1196 not completed fast enough. */
1197 if (ctx->timeout_task)
1198 silc_schedule_task_del(server->schedule, ctx->timeout_task);
1200 /* On error the final callback is always called. */
1201 if (protocol->final_callback)
1202 silc_protocol_execute_final(protocol, server->schedule);
1204 silc_protocol_free(protocol);
1208 case SILC_PROTOCOL_STATE_FAILURE:
1210 * We have received failure from remote
1213 /* Unregister the timeout task since the protocol has ended.
1214 This was the timeout task to be executed if the protocol is
1215 not completed fast enough. */
1216 if (ctx->timeout_task)
1217 silc_schedule_task_del(server->schedule, ctx->timeout_task);
1219 /* On error the final callback is always called. */
1220 if (protocol->final_callback)
1221 silc_protocol_execute_final(protocol, server->schedule);
1223 silc_protocol_free(protocol);
1226 case SILC_PROTOCOL_STATE_UNKNOWN:
1232 * Re-key protocol routines
1235 /* Actually takes the new keys into use. */
1238 silc_server_protocol_rekey_validate(SilcServer server,
1239 SilcServerRekeyInternalContext *ctx,
1240 SilcIDListData idata,
1241 SilcSKEKeyMaterial *keymat,
1244 if (ctx->responder == TRUE) {
1246 silc_cipher_set_key(idata->send_key, keymat->receive_enc_key,
1247 keymat->enc_key_len);
1248 silc_cipher_set_iv(idata->send_key, keymat->receive_iv);
1249 silc_hmac_set_key(idata->hmac_send, keymat->receive_hmac_key,
1250 keymat->hmac_key_len);
1252 silc_cipher_set_key(idata->receive_key, keymat->send_enc_key,
1253 keymat->enc_key_len);
1254 silc_cipher_set_iv(idata->receive_key, keymat->send_iv);
1255 silc_hmac_set_key(idata->hmac_receive, keymat->send_hmac_key,
1256 keymat->hmac_key_len);
1260 silc_cipher_set_key(idata->send_key, keymat->send_enc_key,
1261 keymat->enc_key_len);
1262 silc_cipher_set_iv(idata->send_key, keymat->send_iv);
1263 silc_hmac_set_key(idata->hmac_send, keymat->send_hmac_key,
1264 keymat->hmac_key_len);
1266 silc_cipher_set_key(idata->receive_key, keymat->receive_enc_key,
1267 keymat->enc_key_len);
1268 silc_cipher_set_iv(idata->receive_key, keymat->receive_iv);
1269 silc_hmac_set_key(idata->hmac_receive, keymat->receive_hmac_key,
1270 keymat->hmac_key_len);
1274 /* Save the current sending encryption key */
1276 memset(idata->rekey->send_enc_key, 0, idata->rekey->enc_key_len);
1277 silc_free(idata->rekey->send_enc_key);
1278 idata->rekey->send_enc_key =
1279 silc_calloc(keymat->enc_key_len / 8,
1280 sizeof(*idata->rekey->send_enc_key));
1281 memcpy(idata->rekey->send_enc_key, keymat->send_enc_key,
1282 keymat->enc_key_len / 8);
1283 idata->rekey->enc_key_len = keymat->enc_key_len / 8;
1287 /* This function actually re-generates (when not using PFS) the keys and
1288 takes them into use. */
1290 void silc_server_protocol_rekey_generate(SilcServer server,
1291 SilcServerRekeyInternalContext *ctx,
1294 SilcIDListData idata = (SilcIDListData)ctx->sock->user_data;
1295 SilcSKEKeyMaterial *keymat;
1296 uint32 key_len = silc_cipher_get_key_len(idata->send_key);
1297 uint32 hash_len = idata->hash->hash->hash_len;
1299 SILC_LOG_DEBUG(("Generating new %s session keys (no PFS)",
1300 send ? "sending" : "receiving"));
1302 /* Generate the new key */
1303 keymat = silc_calloc(1, sizeof(*keymat));
1304 silc_ske_process_key_material_data(idata->rekey->send_enc_key,
1305 idata->rekey->enc_key_len,
1306 16, key_len, hash_len,
1307 idata->hash, keymat);
1309 /* Set the keys into use */
1310 silc_server_protocol_rekey_validate(server, ctx, idata, keymat, send);
1312 silc_ske_free_key_material(keymat);
1315 /* This function actually re-generates (with PFS) the keys and
1316 takes them into use. */
1319 silc_server_protocol_rekey_generate_pfs(SilcServer server,
1320 SilcServerRekeyInternalContext *ctx,
1323 SilcIDListData idata = (SilcIDListData)ctx->sock->user_data;
1324 SilcSKEKeyMaterial *keymat;
1325 uint32 key_len = silc_cipher_get_key_len(idata->send_key);
1326 uint32 hash_len = idata->hash->hash->hash_len;
1327 unsigned char *tmpbuf;
1330 SILC_LOG_DEBUG(("Generating new %s session keys (with PFS)",
1331 send ? "sending" : "receiving"));
1333 /* Encode KEY to binary data */
1334 tmpbuf = silc_mp_mp2bin(ctx->ske->KEY, 0, &klen);
1336 /* Generate the new key */
1337 keymat = silc_calloc(1, sizeof(*keymat));
1338 silc_ske_process_key_material_data(tmpbuf, klen, 16, key_len, hash_len,
1339 idata->hash, keymat);
1341 /* Set the keys into use */
1342 silc_server_protocol_rekey_validate(server, ctx, idata, keymat, send);
1344 memset(tmpbuf, 0, klen);
1346 silc_ske_free_key_material(keymat);
1349 /* Packet sending callback. This function is provided as packet sending
1350 routine to the Key Exchange functions. */
1353 silc_server_protocol_rekey_send_packet(SilcSKE ske,
1355 SilcPacketType type,
1358 SilcProtocol protocol = (SilcProtocol)context;
1359 SilcServerRekeyInternalContext *ctx =
1360 (SilcServerRekeyInternalContext *)protocol->context;
1361 SilcServer server = (SilcServer)ctx->server;
1363 /* Send the packet immediately */
1364 silc_server_packet_send(server, ctx->sock,
1365 type, 0, packet->data, packet->len, FALSE);
1368 /* Performs re-key as defined in the SILC protocol specification. */
1370 SILC_TASK_CALLBACK(silc_server_protocol_rekey)
1372 SilcProtocol protocol = (SilcProtocol)context;
1373 SilcServerRekeyInternalContext *ctx =
1374 (SilcServerRekeyInternalContext *)protocol->context;
1375 SilcServer server = (SilcServer)ctx->server;
1376 SilcIDListData idata = (SilcIDListData)ctx->sock->user_data;
1377 SilcSKEStatus status;
1379 SILC_LOG_DEBUG(("Start"));
1381 if (protocol->state == SILC_PROTOCOL_STATE_UNKNOWN)
1382 protocol->state = SILC_PROTOCOL_STATE_START;
1384 SILC_LOG_DEBUG(("State=%d", protocol->state));
1386 switch(protocol->state) {
1387 case SILC_PROTOCOL_STATE_START:
1393 if (ctx->responder == TRUE) {
1395 * We are receiving party
1398 if (ctx->pfs == TRUE) {
1400 * Use Perfect Forward Secrecy, ie. negotiate the key material
1401 * using the SKE protocol.
1404 if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_1) {
1405 /* Error in protocol */
1406 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1407 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1411 ctx->ske = silc_ske_alloc();
1412 ctx->ske->rng = server->rng;
1413 ctx->ske->prop = silc_calloc(1, sizeof(*ctx->ske->prop));
1414 silc_ske_group_get_by_number(idata->rekey->ske_group,
1415 &ctx->ske->prop->group);
1417 silc_ske_set_callbacks(ctx->ske,
1418 silc_server_protocol_rekey_send_packet,
1419 NULL, NULL, NULL, silc_ske_check_version,
1422 status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer);
1423 if (status != SILC_SKE_STATUS_OK) {
1424 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1425 silc_ske_map_status(status)));
1427 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1428 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1432 /* Advance the protocol state */
1434 silc_protocol_execute(protocol, server->schedule, 0, 0);
1437 * Do normal and simple re-key.
1440 /* Send the REKEY_DONE to indicate we will take new keys into use */
1441 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY_DONE,
1444 /* After we send REKEY_DONE we must set the sending encryption
1445 key to the new key since all packets after this packet must
1446 encrypted with the new key. */
1447 silc_server_protocol_rekey_generate(server, ctx, TRUE);
1449 /* The protocol ends in next stage. */
1450 protocol->state = SILC_PROTOCOL_STATE_END;
1455 * We are the initiator of this protocol
1458 /* Start the re-key by sending the REKEY packet */
1459 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY,
1462 if (ctx->pfs == TRUE) {
1464 * Use Perfect Forward Secrecy, ie. negotiate the key material
1465 * using the SKE protocol.
1467 ctx->ske = silc_ske_alloc();
1468 ctx->ske->rng = server->rng;
1469 ctx->ske->prop = silc_calloc(1, sizeof(*ctx->ske->prop));
1470 silc_ske_group_get_by_number(idata->rekey->ske_group,
1471 &ctx->ske->prop->group);
1473 silc_ske_set_callbacks(ctx->ske,
1474 silc_server_protocol_rekey_send_packet,
1475 NULL, NULL, NULL, silc_ske_check_version,
1478 status = silc_ske_initiator_phase_2(ctx->ske, NULL, NULL);
1479 if (status != SILC_SKE_STATUS_OK) {
1480 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1481 silc_ske_map_status(status)));
1483 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1484 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1488 /* Advance the protocol state */
1492 * Do normal and simple re-key.
1495 /* Send the REKEY_DONE to indicate we will take new keys into use
1497 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY_DONE,
1500 /* After we send REKEY_DONE we must set the sending encryption
1501 key to the new key since all packets after this packet must
1502 encrypted with the new key. */
1503 silc_server_protocol_rekey_generate(server, ctx, TRUE);
1505 /* The protocol ends in next stage. */
1506 protocol->state = SILC_PROTOCOL_STATE_END;
1514 * Second state, used only when oding re-key with PFS.
1516 if (ctx->responder == TRUE) {
1517 if (ctx->pfs == TRUE) {
1519 * Send our KE packe to the initiator now that we've processed
1520 * the initiator's KE packet.
1522 status = silc_ske_responder_finish(ctx->ske, NULL, NULL,
1523 SILC_SKE_PK_TYPE_SILC);
1524 if (status != SILC_SKE_STATUS_OK) {
1525 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1526 silc_ske_map_status(status)));
1528 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1529 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1535 if (ctx->pfs == TRUE) {
1537 * The packet type must be KE packet
1539 if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_2) {
1540 /* Error in protocol */
1541 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1542 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1546 status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer);
1547 if (status != SILC_SKE_STATUS_OK) {
1548 SILC_LOG_WARNING(("Error (%s) during Re-key (PFS)",
1549 silc_ske_map_status(status)));
1551 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1552 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1558 /* Send the REKEY_DONE to indicate we will take new keys into use
1560 silc_server_packet_send(server, ctx->sock, SILC_PACKET_REKEY_DONE,
1563 /* After we send REKEY_DONE we must set the sending encryption
1564 key to the new key since all packets after this packet must
1565 encrypted with the new key. */
1566 silc_server_protocol_rekey_generate_pfs(server, ctx, TRUE);
1568 /* The protocol ends in next stage. */
1569 protocol->state = SILC_PROTOCOL_STATE_END;
1572 case SILC_PROTOCOL_STATE_END:
1577 if (ctx->packet->type != SILC_PACKET_REKEY_DONE) {
1578 /* Error in protocol */
1579 protocol->state = SILC_PROTOCOL_STATE_ERROR;
1580 silc_protocol_execute(protocol, server->schedule, 0, 300000);
1584 /* We received the REKEY_DONE packet and all packets after this is
1585 encrypted with the new key so set the decryption key to the new key */
1586 silc_server_protocol_rekey_generate(server, ctx, FALSE);
1588 /* Protocol has ended, call the final callback */
1589 if (protocol->final_callback)
1590 silc_protocol_execute_final(protocol, server->schedule);
1592 silc_protocol_free(protocol);
1595 case SILC_PROTOCOL_STATE_ERROR:
1600 if (ctx->pfs == TRUE) {
1601 /* Send abort notification */
1602 silc_ske_abort(ctx->ske, ctx->ske->status);
1605 /* On error the final callback is always called. */
1606 if (protocol->final_callback)
1607 silc_protocol_execute_final(protocol, server->schedule);
1609 silc_protocol_free(protocol);
1612 case SILC_PROTOCOL_STATE_FAILURE:
1614 * We have received failure from remote
1617 /* On error the final callback is always called. */
1618 if (protocol->final_callback)
1619 silc_protocol_execute_final(protocol, server->schedule);
1621 silc_protocol_free(protocol);
1624 case SILC_PROTOCOL_STATE_UNKNOWN:
1630 /* Registers protocols used in server. */
1632 void silc_server_protocols_register(void)
1634 silc_protocol_register(SILC_PROTOCOL_SERVER_CONNECTION_AUTH,
1635 silc_server_protocol_connection_auth);
1636 silc_protocol_register(SILC_PROTOCOL_SERVER_KEY_EXCHANGE,
1637 silc_server_protocol_key_exchange);
1638 silc_protocol_register(SILC_PROTOCOL_SERVER_REKEY,
1639 silc_server_protocol_rekey);
1640 silc_protocol_register(SILC_PROTOCOL_SERVER_BACKUP,
1641 silc_server_protocol_backup);
1644 /* Unregisters protocols */
1646 void silc_server_protocols_unregister(void)
1648 silc_protocol_unregister(SILC_PROTOCOL_SERVER_CONNECTION_AUTH,
1649 silc_server_protocol_connection_auth);
1650 silc_protocol_unregister(SILC_PROTOCOL_SERVER_KEY_EXCHANGE,
1651 silc_server_protocol_key_exchange);
1652 silc_protocol_unregister(SILC_PROTOCOL_SERVER_REKEY,
1653 silc_server_protocol_rekey);
1654 silc_protocol_unregister(SILC_PROTOCOL_SERVER_BACKUP,
1655 silc_server_protocol_backup);