5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 2005 - 2007 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
21 #include "silcconnauth.h"
23 /************************** Types and definitions ***************************/
25 static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine,
26 SilcPacketStream stream,
28 void *callback_context,
31 /* Connection authentication context */
32 struct SilcConnAuthStruct {
35 SilcAsyncOperationStruct op;
36 SilcConnectionType conn_type;
37 SilcAuthMethod auth_method;
39 SilcUInt32 auth_data_len;
40 SilcConnAuthCompletion completion;
41 SilcConnAuthGetAuthData get_auth_data;
43 SilcDList public_keys;
44 SilcSKRStatus skr_status;
45 SilcUInt32 timeout_secs;
47 unsigned int aborted : 1;
48 unsigned int success : 1;
51 /* Packet stream callbacks */
52 static SilcPacketCallbacks silc_connauth_stream_cbs =
54 silc_connauth_packet_receive, NULL, NULL
58 /************************ Static utility functions **************************/
62 static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine,
63 SilcPacketStream stream,
65 void *callback_context,
68 SilcConnAuth connauth = callback_context;
69 connauth->packet = packet;
70 silc_fsm_continue(connauth->fsm);
74 /* Async operation abortion callback */
76 static void silc_connauth_abort(SilcAsyncOperation op, void *context)
78 SilcConnAuth connauth = context;
79 connauth->aborted = TRUE;
82 /* Generates signature for public key based authentication */
84 static SilcBool silc_connauth_get_signature(SilcConnAuth connauth,
85 unsigned char **auth_data,
86 SilcUInt32 *auth_data_len)
90 SilcPrivateKey private_key;
93 SILC_LOG_DEBUG(("Compute signature"));
96 private_key = connauth->auth_data;
98 /* Make the authentication data. Protocol says it is HASH plus
100 len = ske->hash_len + silc_buffer_len(ske->start_payload_copy);
101 auth = silc_buffer_alloc_size(len);
104 silc_buffer_format(auth,
105 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
106 SILC_STR_UI_XNSTRING(
107 ske->start_payload_copy->data,
108 silc_buffer_len(ske->start_payload_copy)),
111 len = ((silc_pkcs_private_key_get_len(private_key) + 7) / 8) + 1;
112 *auth_data = silc_calloc(len, sizeof(**auth_data));
113 if (*auth_data == NULL) {
114 silc_buffer_free(auth);
118 /* Compute signature */
119 if (!silc_pkcs_sign(private_key, auth->data, silc_buffer_len(auth),
120 *auth_data, len, auth_data_len, TRUE, ske->prop->hash)) {
121 silc_free(*auth_data);
122 silc_buffer_free(auth);
126 silc_buffer_free(auth);
130 /* Verifies digital signature */
132 static SilcBool silc_connauth_verify_signature(SilcConnAuth connauth,
133 SilcPublicKey pub_key,
139 SilcSKE ske = connauth->ske;
141 if (!pub_key || !sign)
144 /* Make the authentication data. Protocol says it is HASH plus
146 len = ske->hash_len + silc_buffer_len(ske->start_payload_copy);
147 auth = silc_buffer_alloc_size(len);
150 silc_buffer_format(auth,
151 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
152 SILC_STR_UI_XNSTRING(
153 ske->start_payload_copy->data,
154 silc_buffer_len(ske->start_payload_copy)),
157 /* Verify signature */
158 if (!silc_pkcs_verify(pub_key, sign, sign_len, auth->data,
159 silc_buffer_len(auth), ske->prop->hash)) {
160 silc_buffer_free(auth);
164 silc_buffer_free(auth);
171 SILC_TASK_CALLBACK(silc_connauth_timeout)
173 SilcConnAuth connauth = context;
174 SILC_LOG_DEBUG(("Protocol timeout"));
175 connauth->aborted = TRUE;
176 silc_fsm_continue_sync(connauth->fsm);
181 static void silc_connauth_skr_callback(SilcSKR skr, SilcSKRFind find,
182 SilcSKRStatus status,
183 SilcDList results, void *context)
185 SilcConnAuth connauth = context;
187 silc_skr_find_free(find);
189 connauth->public_keys = results;
190 connauth->skr_status = status;
192 SILC_FSM_CALL_CONTINUE(connauth->fsm);
197 static void silc_connauth_fsm_destructor(SilcFSM fsm, void *fsm_context,
198 void *destructor_context)
204 /******************************* Protocol API *******************************/
206 /* Allocate connection authentication context */
208 SilcConnAuth silc_connauth_alloc(SilcSchedule schedule,
210 SilcUInt32 timeout_secs)
212 SilcConnAuth connauth;
214 if (!schedule || !ske)
217 connauth = silc_calloc(1, sizeof(*connauth));
221 connauth->fsm = silc_fsm_alloc(connauth, silc_connauth_fsm_destructor,
223 if (!connauth->fsm) {
224 silc_connauth_free(connauth);
228 connauth->timeout_secs = timeout_secs;
235 /* Free connection authentication context */
237 void silc_connauth_free(SilcConnAuth connauth)
239 if (connauth->public_keys)
240 silc_dlist_uninit(connauth->public_keys);
243 silc_ske_free(connauth->ske);
248 /* Return associated SKE context */
250 SilcSKE silc_connauth_get_ske(SilcConnAuth connauth)
252 return connauth->ske;
256 /******************************** Initiator *********************************/
258 SILC_FSM_STATE(silc_connauth_st_initiator_start);
259 SILC_FSM_STATE(silc_connauth_st_initiator_result);
260 SILC_FSM_STATE(silc_connauth_st_initiator_failure);
262 SILC_FSM_STATE(silc_connauth_st_initiator_start)
264 SilcConnAuth connauth = fsm_context;
267 unsigned char *auth_data = NULL;
268 SilcUInt32 auth_data_len = 0;
269 SilcPacketFlags flags = 0;
271 SILC_LOG_DEBUG(("Start"));
273 if (connauth->aborted) {
275 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
276 return SILC_FSM_CONTINUE;
280 if (connauth->timeout_secs)
281 silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm),
282 silc_connauth_timeout, connauth,
283 connauth->timeout_secs, 0);
285 switch (connauth->auth_method) {
287 /* No authentication required */
290 case SILC_AUTH_PASSWORD:
291 auth_data = silc_memdup(connauth->auth_data, connauth->auth_data_len);
294 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
295 return SILC_FSM_CONTINUE;
297 auth_data_len = connauth->auth_data_len;
298 flags = SILC_PACKET_FLAG_LONG_PAD;
301 case SILC_AUTH_PUBLIC_KEY:
302 if (!silc_connauth_get_signature(connauth, &auth_data, &auth_data_len)) {
303 /** Error computing signature */
304 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
305 return SILC_FSM_CONTINUE;
310 payload_len = 4 + auth_data_len;
311 packet = silc_buffer_alloc_size(payload_len);
314 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
315 return SILC_FSM_CONTINUE;
318 silc_buffer_format(packet,
319 SILC_STR_UI_SHORT(payload_len),
320 SILC_STR_UI_SHORT(connauth->conn_type),
321 SILC_STR_UI_XNSTRING(auth_data, auth_data_len),
324 /* Send the packet */
325 if (!silc_packet_send(connauth->ske->stream, SILC_PACKET_CONNECTION_AUTH,
326 flags, packet->data, silc_buffer_len(packet))) {
327 /** Error sending packet */
328 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
329 return SILC_FSM_CONTINUE;
333 memset(auth_data, 0, auth_data_len);
334 silc_free(auth_data);
336 silc_buffer_free(packet);
338 /** Wait for responder */
339 silc_fsm_next(fsm, silc_connauth_st_initiator_result);
340 return SILC_FSM_WAIT;
343 SILC_FSM_STATE(silc_connauth_st_initiator_result)
345 SilcConnAuth connauth = fsm_context;
347 SILC_LOG_DEBUG(("Start"));
349 if (connauth->aborted) {
351 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
352 return SILC_FSM_CONTINUE;
355 /* Check the status of authentication */
356 if (connauth->packet->type == SILC_PACKET_SUCCESS) {
357 SILC_LOG_DEBUG(("Authentication successful"));
358 connauth->success = TRUE;
360 SILC_LOG_DEBUG(("Authentication failed, packet %s received",
361 silc_get_packet_name(connauth->packet->type)));
362 connauth->success = FALSE;
364 silc_packet_free(connauth->packet);
366 silc_packet_stream_unlink(connauth->ske->stream,
367 &silc_connauth_stream_cbs, connauth);
368 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
370 /* Call completion callback */
371 connauth->completion(connauth, connauth->success, connauth->context);
373 return SILC_FSM_FINISH;
376 SILC_FSM_STATE(silc_connauth_st_initiator_failure)
378 SilcConnAuth connauth = fsm_context;
379 unsigned char error[4];
381 SILC_LOG_DEBUG(("Start"));
383 if (!connauth->aborted) {
384 /* Send FAILURE packet */
385 SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
386 silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4);
388 silc_packet_stream_unlink(connauth->ske->stream,
389 &silc_connauth_stream_cbs, connauth);
390 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
392 /* Call completion callback */
393 connauth->completion(connauth, FALSE, connauth->context);
394 return SILC_FSM_FINISH;
397 silc_packet_stream_unlink(connauth->ske->stream,
398 &silc_connauth_stream_cbs, connauth);
399 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
401 return SILC_FSM_FINISH;
405 silc_connauth_initiator(SilcConnAuth connauth,
406 SilcConnectionType conn_type,
407 SilcAuthMethod auth_method, void *auth_data,
408 SilcUInt32 auth_data_len,
409 SilcConnAuthCompletion completion,
412 SILC_LOG_DEBUG(("Connection authentication as initiator"));
414 if (auth_method == SILC_AUTH_PASSWORD && !auth_data) {
415 completion(connauth, FALSE, context);
419 if (auth_method == SILC_AUTH_PUBLIC_KEY && !auth_data) {
420 completion(connauth, FALSE, context);
424 connauth->conn_type = conn_type;
425 connauth->auth_method = auth_method;
426 connauth->auth_data = auth_data;
427 connauth->auth_data_len = auth_data_len;
428 connauth->completion = completion;
429 connauth->context = context;
431 /* Link to packet stream to get packets */
432 silc_packet_stream_link(connauth->ske->stream,
433 &silc_connauth_stream_cbs, connauth, 1000000,
435 SILC_PACKET_FAILURE, -1);
437 /* Start the protocol */
438 silc_async_init(&connauth->op, silc_connauth_abort, NULL, connauth);
439 silc_fsm_start(connauth->fsm, silc_connauth_st_initiator_start);
441 return &connauth->op;
445 /******************************** Responder *********************************/
447 SILC_FSM_STATE(silc_connauth_st_responder_start);
448 SILC_FSM_STATE(silc_connauth_st_responder_authenticate);
449 SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk);
450 SILC_FSM_STATE(silc_connauth_st_responder_success);
451 SILC_FSM_STATE(silc_connauth_st_responder_failure);
453 SILC_FSM_STATE(silc_connauth_st_responder_start)
455 SilcConnAuth connauth = fsm_context;
457 SILC_LOG_DEBUG(("Start"));
459 if (connauth->aborted) {
461 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
462 return SILC_FSM_CONTINUE;
466 if (connauth->timeout_secs)
467 silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm),
468 silc_connauth_timeout, connauth,
469 connauth->timeout_secs, 0);
471 /** Wait for initiator */
472 silc_fsm_next(fsm, silc_connauth_st_responder_authenticate);
473 return SILC_FSM_WAIT;
476 SILC_FSM_STATE(silc_connauth_st_responder_authenticate)
478 SilcConnAuth connauth = fsm_context;
479 SilcUInt16 payload_len;
480 SilcUInt16 conn_type;
481 unsigned char *auth_data = NULL, *passphrase = NULL;
482 SilcUInt32 passphrase_len;
483 SilcSKR repository = NULL;
486 SILC_LOG_DEBUG(("Start"));
488 if (connauth->aborted) {
490 if (connauth->packet)
491 silc_packet_free(connauth->packet);
492 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
493 return SILC_FSM_CONTINUE;
496 if (connauth->packet->type != SILC_PACKET_CONNECTION_AUTH) {
497 /** Protocol failure */
498 silc_packet_free(connauth->packet);
499 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
500 return SILC_FSM_CONTINUE;
503 /* Parse the received authentication data packet. The received
504 payload is Connection Auth Payload. */
505 ret = silc_buffer_unformat(&connauth->packet->buffer,
506 SILC_STR_UI_SHORT(&payload_len),
507 SILC_STR_UI_SHORT(&conn_type),
511 SILC_LOG_ERROR(("Bad payload in authentication packet"));
512 silc_packet_free(connauth->packet);
513 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
514 return SILC_FSM_CONTINUE;
517 if (payload_len != silc_buffer_len(&connauth->packet->buffer)) {
518 /** Bad payload length */
519 SILC_LOG_ERROR(("Bad payload length in authentication packet"));
520 silc_packet_free(connauth->packet);
521 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
522 return SILC_FSM_CONTINUE;
527 if (conn_type < SILC_CONN_CLIENT || conn_type > SILC_CONN_ROUTER) {
528 /** Bad connection type */
529 SILC_LOG_ERROR(("Bad connection type (%d) in authentication packet",
531 silc_packet_free(connauth->packet);
532 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
533 return SILC_FSM_CONTINUE;
536 if (payload_len > 0) {
537 /* Get authentication data */
538 ret = silc_buffer_unformat(&connauth->packet->buffer,
540 SILC_STR_UI_XNSTRING(&auth_data,
545 SILC_LOG_DEBUG(("Bad payload in authentication payload"));
546 silc_packet_free(connauth->packet);
547 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
548 return SILC_FSM_CONTINUE;
551 silc_packet_free(connauth->packet);
553 SILC_LOG_DEBUG(("Remote connection type %d", conn_type));
555 /* Get authentication data */
556 if (!connauth->get_auth_data(connauth, conn_type, &passphrase,
557 &passphrase_len, &repository,
558 connauth->context)) {
559 /** Connection not configured */
560 SILC_LOG_ERROR(("Remote connection not configured"));
561 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
562 return SILC_FSM_CONTINUE;
567 /* Passphrase authentication */
568 if (passphrase && passphrase_len) {
569 SILC_LOG_DEBUG(("Passphrase authentication"));
570 if (!auth_data || payload_len != passphrase_len ||
571 memcmp(auth_data, passphrase, passphrase_len)) {
572 /** Authentication failed */
573 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
574 return SILC_FSM_CONTINUE;
576 } else if (repository) {
577 /* Digital signature */
580 SILC_LOG_DEBUG(("Digital signature authentication"));
583 /** Authentication failed */
584 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
585 return SILC_FSM_CONTINUE;
588 connauth->auth_data = silc_memdup(auth_data, payload_len);
589 connauth->auth_data_len = payload_len;
591 /* Allocate search constraints for finding the key */
592 find = silc_skr_find_alloc();
594 if (!find || !connauth->auth_data || !connauth->ske->prop->public_key) {
596 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
597 return SILC_FSM_CONTINUE;
600 silc_skr_find_set_pkcs_type(
601 find, silc_pkcs_get_type(connauth->ske->prop->public_key));
602 silc_skr_find_set_public_key(find, connauth->ske->prop->public_key);
603 silc_skr_find_set_usage(find, (SILC_SKR_USAGE_AUTH |
604 SILC_SKR_USAGE_KEY_AGREEMENT));
606 /** Find public key */
607 silc_fsm_next(fsm, silc_connauth_st_responder_authenticate_pk);
608 SILC_FSM_CALL(silc_skr_find(repository, silc_fsm_get_schedule(fsm),
609 find, silc_connauth_skr_callback,
614 /* Passphrase auth Ok, or no authentication required */
616 /** Authentication successful */
617 silc_fsm_next(fsm, silc_connauth_st_responder_success);
618 return SILC_FSM_CONTINUE;
621 SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk)
623 SilcConnAuth connauth = fsm_context;
626 if (connauth->aborted) {
628 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
629 return SILC_FSM_CONTINUE;
632 if (connauth->skr_status != SILC_SKR_OK) {
633 /** Public key not found */
634 SILC_LOG_DEBUG(("Public key not found, error %d", connauth->skr_status));
635 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
636 return SILC_FSM_CONTINUE;
639 SILC_LOG_DEBUG(("Found %d public keys",
640 silc_dlist_count(connauth->public_keys)));
642 /* Verify signature */
643 key = silc_dlist_get(connauth->public_keys);
644 if (!silc_connauth_verify_signature(connauth, key->key,
646 connauth->auth_data_len)) {
647 /** Invalid signature */
648 SILC_LOG_DEBUG(("Invalid signature"));
649 silc_free(connauth->auth_data);
650 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
651 return SILC_FSM_CONTINUE;
654 silc_free(connauth->auth_data);
656 SILC_LOG_DEBUG(("Signature is Ok"));
658 /** Authentication successful */
659 silc_fsm_next(fsm, silc_connauth_st_responder_success);
660 return SILC_FSM_CONTINUE;
663 SILC_FSM_STATE(silc_connauth_st_responder_success)
665 SilcConnAuth connauth = fsm_context;
666 unsigned char tmp[4];
668 SILC_LOG_DEBUG(("Authentication successful"));
670 /* Send FAILURE packet */
671 SILC_PUT32_MSB(SILC_AUTH_OK, tmp);
672 silc_packet_send(connauth->ske->stream, SILC_PACKET_SUCCESS, 0, tmp, 4);
674 silc_packet_stream_unlink(connauth->ske->stream,
675 &silc_connauth_stream_cbs, connauth);
676 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
678 /* Call completion callback */
679 connauth->completion(connauth, TRUE, connauth->context);
681 return SILC_FSM_FINISH;
684 SILC_FSM_STATE(silc_connauth_st_responder_failure)
686 SilcConnAuth connauth = fsm_context;
687 unsigned char error[4];
689 SILC_LOG_ERROR(("Authentication failed"));
691 if (!connauth->aborted) {
692 /* Send FAILURE packet */
693 SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
694 silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4);
696 silc_packet_stream_unlink(connauth->ske->stream,
697 &silc_connauth_stream_cbs, connauth);
698 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
700 /* Call completion callback */
701 connauth->completion(connauth, FALSE, connauth->context);
703 return SILC_FSM_FINISH;
706 silc_packet_stream_unlink(connauth->ske->stream,
707 &silc_connauth_stream_cbs, connauth);
708 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
710 return SILC_FSM_FINISH;
714 silc_connauth_responder(SilcConnAuth connauth,
715 SilcConnAuthGetAuthData get_auth_data,
716 SilcConnAuthCompletion completion,
719 SILC_LOG_DEBUG(("Connection authentication as responder"));
721 connauth->get_auth_data = get_auth_data;
722 connauth->completion = completion;
723 connauth->context = context;
725 /* Link to packet stream to get packets */
726 silc_packet_stream_link(connauth->ske->stream,
727 &silc_connauth_stream_cbs, connauth, 1000000,
728 SILC_PACKET_CONNECTION_AUTH,
729 SILC_PACKET_FAILURE, -1);
731 /* Start the protocol */
732 silc_async_init(&connauth->op, silc_connauth_abort, NULL, connauth);
733 silc_fsm_start(connauth->fsm, silc_connauth_st_responder_start);
735 return &connauth->op;