lib/silcske/silcconnauth.c

   1 /*
   2
   3   silcconnauth.c
   4
   5   Author: Pekka Riikonen <priikone@silcnet.org>
   6
   7   Copyright (C) 2005 - 2007 Pekka Riikonen
   8
   9   This program is free software; you can redistribute it and/or modify
  10   it under the terms of the GNU General Public License as published by
  11   the Free Software Foundation; version 2 of the License.
  12
  13   This program is distributed in the hope that it will be useful,
  14   but WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16   GNU General Public License for more details.
  17
  18 */
  19
  20 #include "silc.h"
  21 #include "silcconnauth.h"
  22
  23 /************************** Types and definitions ***************************/
  24
  25 SILC_FSM_STATE(silc_connauth_st_initiator_start);
  26 SILC_FSM_STATE(silc_connauth_st_initiator_auth_send);
  27 SILC_FSM_STATE(silc_connauth_st_initiator_result);
  28 SILC_FSM_STATE(silc_connauth_st_initiator_failure);
  29 SILC_FSM_STATE(silc_connauth_st_responder_start);
  30 SILC_FSM_STATE(silc_connauth_st_responder_authenticate);
  31 SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk);
  32 SILC_FSM_STATE(silc_connauth_st_responder_success);
  33 SILC_FSM_STATE(silc_connauth_st_responder_failure);
  34
  35 static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine,
  36                                              SilcPacketStream stream,
  37                                              SilcPacket packet,
  38                                              void *callback_context,
  39                                              void *app_context);
  40
  41 /* Connection authentication context */
  42 struct SilcConnAuthStruct {
  43   SilcSKE ske;
  44   SilcFSM fsm;
  45   SilcAsyncOperationStruct op;
  46   SilcAsyncOperation key_op;
  47   SilcConnectionType conn_type;
  48   SilcAuthMethod auth_method;
  49   void *auth_data;
  50   SilcUInt32 auth_data_len;
  51   SilcConnAuthCompletion completion;
  52   SilcConnAuthGetAuthData get_auth_data;
  53   void *context;
  54   SilcDList public_keys;
  55   SilcSKRStatus skr_status;
  56   SilcUInt32 timeout_secs;
  57   SilcPacket packet;
  58   unsigned int aborted   : 1;
  59   unsigned int success   : 1;
  60 };
  61
  62 /* Packet stream callbacks */
  63 static SilcPacketCallbacks silc_connauth_stream_cbs =
  64 {
  65   silc_connauth_packet_receive, NULL, NULL
  66 };
  67
  68
  69 /************************ Static utility functions **************************/
  70
  71 /* Packet callback */
  72
  73 static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine,
  74                                              SilcPacketStream stream,
  75                                              SilcPacket packet,
  76                                              void *callback_context,
  77                                              void *app_context)
  78 {
  79   SilcConnAuth connauth = callback_context;
  80   connauth->packet = packet;
  81   silc_fsm_continue(connauth->fsm);
  82   return TRUE;
  83 }
  84
  85 /* Async operation abortion callback */
  86
  87 static void silc_connauth_abort(SilcAsyncOperation op, void *context)
  88 {
  89   SilcConnAuth connauth = context;
  90   if (connauth->key_op)
  91     silc_async_abort(connauth->key_op, NULL, NULL);
  92   connauth->aborted = TRUE;
  93 }
  94
  95 /* Signature callback */
  96
  97 static void silc_connauth_get_signature_cb(SilcBool success,
  98                                            const unsigned char *signature,
  99                                            SilcUInt32 signature_len,
 100                                            void *context)
 101 {
 102   SilcConnAuth connauth = context;
 103
 104   connauth->key_op = NULL;
 105
 106   if (!success) {
 107     silc_fsm_next(connauth->fsm, silc_connauth_st_initiator_failure);
 108     SILC_FSM_CALL_CONTINUE(connauth->fsm);
 109     return;
 110   }
 111
 112   connauth->auth_data = silc_memdup(signature, signature_len);
 113   connauth->auth_data_len = signature_len;
 114
 115   SILC_FSM_CALL_CONTINUE(connauth->fsm);
 116 }
 117
 118 /* Generates signature for public key based authentication */
 119
 120 static SilcAsyncOperation
 121 silc_connauth_get_signature(SilcConnAuth connauth)
 122 {
 123   SilcAsyncOperation op;
 124   SilcSKE ske;
 125   SilcPrivateKey private_key;
 126   SilcBuffer auth;
 127   int len;
 128
 129   SILC_LOG_DEBUG(("Compute signature"));
 130
 131   ske = connauth->ske;
 132   private_key = connauth->auth_data;
 133
 134   /* Make the authentication data. Protocol says it is HASH plus
 135      KE Start Payload. */
 136   len = ske->hash_len + silc_buffer_len(ske->start_payload_copy);
 137   auth = silc_buffer_alloc_size(len);
 138   if (!auth) {
 139     silc_connauth_get_signature_cb(FALSE, NULL, 0, connauth);
 140     return NULL;
 141   }
 142   silc_buffer_format(auth,
 143                      SILC_STR_DATA(ske->hash, ske->hash_len),
 144                      SILC_STR_DATA(ske->start_payload_copy->data,
 145                                    silc_buffer_len(ske->start_payload_copy)),
 146                      SILC_STR_END);
 147
 148   /* Compute signature */
 149   op = silc_pkcs_sign_async(private_key, auth->data, silc_buffer_len(auth),
 150                             TRUE, ske->prop->hash, ske->rng,
 151                             silc_connauth_get_signature_cb, connauth);
 152
 153   silc_buffer_free(auth);
 154
 155   return op;
 156 }
 157
 158 /* Verify callback */
 159
 160 static void silc_connauth_verify_signature_cb(SilcBool success,
 161                                               void *context)
 162 {
 163   SilcConnAuth connauth = context;
 164
 165   connauth->key_op = NULL;
 166   silc_free(connauth->auth_data);
 167
 168   if (!success) {
 169     SILC_LOG_DEBUG(("Invalid signature"));
 170     silc_fsm_next(connauth->fsm, silc_connauth_st_responder_failure);
 171     SILC_FSM_CALL_CONTINUE(connauth->fsm);
 172     return;
 173   }
 174
 175   SILC_LOG_DEBUG(("Signature is Ok"));
 176   SILC_FSM_CALL_CONTINUE(connauth->fsm);
 177 }
 178
 179 /* Verifies digital signature */
 180
 181 static SilcAsyncOperation
 182 silc_connauth_verify_signature(SilcConnAuth connauth,
 183                                SilcPublicKey pub_key,
 184                                unsigned char *sign,
 185                                SilcUInt32 sign_len)
 186 {
 187   SilcAsyncOperation op;
 188   SilcBuffer auth;
 189   SilcSKE ske = connauth->ske;
 190   int len;
 191
 192   if (!pub_key || !sign) {
 193     silc_connauth_verify_signature_cb(FALSE, connauth);
 194     return NULL;
 195   }
 196
 197   /* Make the authentication data. Protocol says it is HASH plus
 198      KE Start Payload. */
 199   len = ske->hash_len + silc_buffer_len(ske->start_payload_copy);
 200   auth = silc_buffer_alloc_size(len);
 201   if (!auth) {
 202     silc_connauth_verify_signature_cb(FALSE, connauth);
 203     return NULL;
 204   }
 205   silc_buffer_format(auth,
 206                      SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
 207                      SILC_STR_UI_XNSTRING(
 208                                   ske->start_payload_copy->data,
 209                                   silc_buffer_len(ske->start_payload_copy)),
 210                      SILC_STR_END);
 211
 212   /* Verify signature */
 213   op = silc_pkcs_verify_async(pub_key, sign, sign_len, auth->data,
 214                               silc_buffer_len(auth), TRUE, ske->prop->hash,
 215                               silc_connauth_verify_signature_cb, connauth);
 216
 217   silc_buffer_free(auth);
 218
 219   return op;
 220 }
 221
 222 /* Timeout */
 223
 224 SILC_TASK_CALLBACK(silc_connauth_timeout)
 225 {
 226   SilcConnAuth connauth = context;
 227   SILC_LOG_DEBUG(("Protocol timeout"));
 228   if (connauth->key_op)
 229     silc_async_abort(connauth->key_op, NULL, NULL);
 230   connauth->aborted = TRUE;
 231   silc_fsm_continue_sync(connauth->fsm);
 232 }
 233
 234 /* SKR callback */
 235
 236 static void silc_connauth_skr_callback(SilcSKR skr, SilcSKRFind find,
 237                                        SilcSKRStatus status,
 238                                        SilcDList results, void *context)
 239 {
 240   SilcConnAuth connauth = context;
 241
 242   silc_skr_find_free(find);
 243
 244   connauth->public_keys = results;
 245   connauth->skr_status = status;
 246
 247   SILC_FSM_CALL_CONTINUE(connauth->fsm);
 248 }
 249
 250 /* FSM destructor */
 251
 252 static void silc_connauth_fsm_destructor(SilcFSM fsm, void *fsm_context,
 253                                          void *destructor_context)
 254 {
 255   silc_fsm_free(fsm);
 256 }
 257
 258
 259 /******************************* Protocol API *******************************/
 260
 261 /* Allocate connection authentication context */
 262
 263 SilcConnAuth silc_connauth_alloc(SilcSchedule schedule,
 264                                  SilcSKE ske,
 265                                  SilcUInt32 timeout_secs)
 266 {
 267   SilcConnAuth connauth;
 268
 269   if (!schedule || !ske)
 270     return NULL;
 271
 272   connauth = silc_calloc(1, sizeof(*connauth));
 273   if (!connauth)
 274     return NULL;
 275
 276   connauth->fsm = silc_fsm_alloc(connauth, silc_connauth_fsm_destructor,
 277                                  NULL, schedule);
 278   if (!connauth->fsm) {
 279     silc_connauth_free(connauth);
 280     return NULL;
 281   }
 282
 283   connauth->timeout_secs = timeout_secs;
 284   connauth->ske = ske;
 285   ske->refcnt++;
 286
 287   return connauth;
 288 }
 289
 290 /* Free connection authentication context */
 291
 292 void silc_connauth_free(SilcConnAuth connauth)
 293 {
 294   if (connauth->public_keys)
 295     silc_dlist_uninit(connauth->public_keys);
 296
 297   /* Free reference */
 298   silc_ske_free(connauth->ske);
 299
 300   silc_free(connauth);
 301 }
 302
 303 /* Return associated SKE context */
 304
 305 SilcSKE silc_connauth_get_ske(SilcConnAuth connauth)
 306 {
 307   return connauth->ske;
 308 }
 309
 310
 311 /******************************** Initiator *********************************/
 312
 313 SILC_FSM_STATE(silc_connauth_st_initiator_start)
 314 {
 315   SilcConnAuth connauth = fsm_context;
 316
 317   SILC_LOG_DEBUG(("Start"));
 318
 319   if (connauth->aborted) {
 320     /** Aborted */
 321     silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
 322     return SILC_FSM_CONTINUE;
 323   }
 324
 325   /* Start timeout */
 326   if (connauth->timeout_secs)
 327     silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm),
 328                                    silc_connauth_timeout, connauth,
 329                                    connauth->timeout_secs, 0);
 330
 331   /** Generate auth data */
 332   silc_fsm_next(fsm, silc_connauth_st_initiator_auth_send);
 333
 334   /* Get authentication data */
 335   switch (connauth->auth_method) {
 336   case SILC_AUTH_NONE:
 337     /* No authentication required */
 338     connauth->auth_data = NULL;
 339     connauth->auth_data_len = 0;
 340     return SILC_FSM_CONTINUE;
 341     break;
 342
 343   case SILC_AUTH_PASSWORD:
 344     /* We have authentication data already */
 345     return SILC_FSM_CONTINUE;
 346     break;
 347
 348   case SILC_AUTH_PUBLIC_KEY:
 349     /* Compute signature */
 350     SILC_FSM_CALL(connauth->key_op = silc_connauth_get_signature(connauth));
 351     /* NOT REACHED */
 352     break;
 353   }
 354
 355   silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
 356   return SILC_FSM_CONTINUE;
 357 }
 358
 359 SILC_FSM_STATE(silc_connauth_st_initiator_auth_send)
 360 {
 361   SilcConnAuth connauth = fsm_context;
 362   SilcBuffer packet;
 363   int payload_len ;
 364   SilcPacketFlags flags = 0;
 365
 366   if (connauth->auth_method == SILC_AUTH_PASSWORD)
 367     flags |= SILC_PACKET_FLAG_LONG_PAD;
 368
 369   payload_len = 4 + connauth->auth_data_len;
 370   packet = silc_buffer_alloc_size(payload_len);
 371   if (!packet) {
 372     /** Out of memory */
 373     silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
 374     return SILC_FSM_CONTINUE;
 375   }
 376
 377   silc_buffer_format(packet,
 378                      SILC_STR_UI_SHORT(payload_len),
 379                      SILC_STR_UI_SHORT(connauth->conn_type),
 380                      SILC_STR_DATA(connauth->auth_data,
 381                                    connauth->auth_data_len),
 382                      SILC_STR_END);
 383
 384   silc_free(connauth->auth_data);
 385
 386   /* Send the packet */
 387   if (!silc_packet_send(connauth->ske->stream, SILC_PACKET_CONNECTION_AUTH,
 388                         flags, packet->data, silc_buffer_len(packet))) {
 389     /** Error sending packet */
 390     silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
 391     return SILC_FSM_CONTINUE;
 392   }
 393
 394   silc_buffer_free(packet);
 395
 396   /** Wait for responder */
 397   silc_fsm_next(fsm, silc_connauth_st_initiator_result);
 398   return SILC_FSM_WAIT;
 399 }
 400
 401 SILC_FSM_STATE(silc_connauth_st_initiator_result)
 402 {
 403   SilcConnAuth connauth = fsm_context;
 404
 405   SILC_LOG_DEBUG(("Start"));
 406
 407   if (connauth->aborted) {
 408     /** Aborted */
 409     silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
 410     return SILC_FSM_CONTINUE;
 411   }
 412
 413   /* Check the status of authentication */
 414   if (connauth->packet->type == SILC_PACKET_SUCCESS) {
 415     SILC_LOG_DEBUG(("Authentication successful"));
 416     connauth->success = TRUE;
 417   } else {
 418     SILC_LOG_DEBUG(("Authentication failed, packet %s received",
 419                     silc_get_packet_name(connauth->packet->type)));
 420     connauth->success = FALSE;
 421   }
 422   silc_packet_free(connauth->packet);
 423
 424   silc_packet_stream_unlink(connauth->ske->stream,
 425                             &silc_connauth_stream_cbs, connauth);
 426   silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
 427
 428   /* Call completion callback */
 429   connauth->completion(connauth, connauth->success, connauth->context);
 430
 431   return SILC_FSM_FINISH;
 432 }
 433
 434 SILC_FSM_STATE(silc_connauth_st_initiator_failure)
 435 {
 436   SilcConnAuth connauth = fsm_context;
 437   unsigned char error[4];
 438
 439   SILC_LOG_DEBUG(("Start"));
 440
 441   if (!connauth->aborted) {
 442     /* Send FAILURE packet */
 443     SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
 444     silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4);
 445
 446     silc_packet_stream_unlink(connauth->ske->stream,
 447                               &silc_connauth_stream_cbs, connauth);
 448     silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
 449
 450     /* Call completion callback */
 451     connauth->completion(connauth, FALSE, connauth->context);
 452     return SILC_FSM_FINISH;
 453   }
 454
 455   silc_packet_stream_unlink(connauth->ske->stream,
 456                             &silc_connauth_stream_cbs, connauth);
 457   silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
 458
 459   return SILC_FSM_FINISH;
 460 }
 461
 462 SilcAsyncOperation
 463 silc_connauth_initiator(SilcConnAuth connauth,
 464                         SilcConnectionType conn_type,
 465                         SilcAuthMethod auth_method, void *auth_data,
 466                         SilcUInt32 auth_data_len,
 467                         SilcConnAuthCompletion completion,
 468                         void *context)
 469 {
 470   SILC_LOG_DEBUG(("Connection authentication as initiator"));
 471
 472   if (auth_method == SILC_AUTH_PASSWORD && !auth_data) {
 473     completion(connauth, FALSE, context);
 474     return NULL;
 475   }
 476
 477   if (auth_method == SILC_AUTH_PUBLIC_KEY && !auth_data) {
 478     completion(connauth, FALSE, context);
 479     return NULL;
 480   }
 481
 482   connauth->conn_type = conn_type;
 483   connauth->auth_method = auth_method;
 484   connauth->completion = completion;
 485   connauth->context = context;
 486   connauth->auth_data = auth_data;
 487   connauth->auth_data_len = auth_data_len;
 488
 489   if (connauth->auth_method == SILC_AUTH_PASSWORD)
 490     connauth->auth_data = silc_memdup(connauth->auth_data,
 491                                       connauth->auth_data_len);
 492
 493   /* Link to packet stream to get packets */
 494   silc_packet_stream_link(connauth->ske->stream,
 495                           &silc_connauth_stream_cbs, connauth, 1000000,
 496                           SILC_PACKET_SUCCESS,
 497                           SILC_PACKET_FAILURE, -1);
 498
 499   /* Start the protocol */
 500   silc_async_init(&connauth->op, silc_connauth_abort, NULL, connauth);
 501   silc_fsm_start(connauth->fsm, silc_connauth_st_initiator_start);
 502
 503   return &connauth->op;
 504 }
 505
 506
 507 /******************************** Responder *********************************/
 508
 509 SILC_FSM_STATE(silc_connauth_st_responder_start)
 510 {
 511   SilcConnAuth connauth = fsm_context;
 512
 513   SILC_LOG_DEBUG(("Start"));
 514
 515   if (connauth->aborted) {
 516     /** Aborted */
 517     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 518     return SILC_FSM_CONTINUE;
 519   }
 520
 521   /* Start timeout */
 522   if (connauth->timeout_secs)
 523     silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm),
 524                                    silc_connauth_timeout, connauth,
 525                                    connauth->timeout_secs, 0);
 526
 527   /** Wait for initiator */
 528   silc_fsm_next(fsm, silc_connauth_st_responder_authenticate);
 529   return SILC_FSM_WAIT;
 530 }
 531
 532 SILC_FSM_STATE(silc_connauth_st_responder_authenticate)
 533 {
 534   SilcConnAuth connauth = fsm_context;
 535   SilcUInt16 payload_len;
 536   SilcUInt16 conn_type;
 537   unsigned char *auth_data = NULL, *passphrase = NULL;
 538   SilcUInt32 passphrase_len;
 539   SilcSKR repository = NULL;
 540   int ret;
 541
 542   SILC_LOG_DEBUG(("Start"));
 543
 544   if (connauth->aborted) {
 545     /** Aborted */
 546     if (connauth->packet)
 547       silc_packet_free(connauth->packet);
 548     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 549     return SILC_FSM_CONTINUE;
 550   }
 551
 552   if (connauth->packet->type != SILC_PACKET_CONNECTION_AUTH) {
 553     /** Protocol failure */
 554     silc_packet_free(connauth->packet);
 555     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 556     return SILC_FSM_CONTINUE;
 557   }
 558
 559   /* Parse the received authentication data packet. The received
 560      payload is Connection Auth Payload. */
 561   ret = silc_buffer_unformat(&connauth->packet->buffer,
 562                              SILC_STR_UI_SHORT(&payload_len),
 563                              SILC_STR_UI_SHORT(&conn_type),
 564                              SILC_STR_END);
 565   if (ret == -1) {
 566     /** Bad payload */
 567     SILC_LOG_ERROR(("Bad payload in authentication packet"));
 568     silc_packet_free(connauth->packet);
 569     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 570     return SILC_FSM_CONTINUE;
 571   }
 572
 573   if (payload_len != silc_buffer_len(&connauth->packet->buffer)) {
 574     /** Bad payload length */
 575     SILC_LOG_ERROR(("Bad payload length in authentication packet"));
 576     silc_packet_free(connauth->packet);
 577     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 578     return SILC_FSM_CONTINUE;
 579   }
 580
 581   payload_len -= 4;
 582
 583   if (conn_type < SILC_CONN_CLIENT || conn_type > SILC_CONN_ROUTER) {
 584     /** Bad connection type */
 585     SILC_LOG_ERROR(("Bad connection type (%d) in authentication packet",
 586                     conn_type));
 587     silc_packet_free(connauth->packet);
 588     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 589     return SILC_FSM_CONTINUE;
 590   }
 591
 592   if (payload_len > 0) {
 593     /* Get authentication data */
 594     ret = silc_buffer_unformat(&connauth->packet->buffer,
 595                                SILC_STR_OFFSET(4),
 596                                SILC_STR_UI_XNSTRING(&auth_data,
 597                                                     payload_len),
 598                                SILC_STR_END);
 599     if (ret == -1) {
 600       /** Bad payload */
 601       SILC_LOG_DEBUG(("Bad payload in authentication payload"));
 602       silc_packet_free(connauth->packet);
 603       silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 604       return SILC_FSM_CONTINUE;
 605     }
 606   }
 607   silc_packet_free(connauth->packet);
 608
 609   SILC_LOG_DEBUG(("Remote connection type %d", conn_type));
 610
 611   /* Get authentication data */
 612   if (!connauth->get_auth_data(connauth, conn_type, &passphrase,
 613                                &passphrase_len, &repository,
 614                                connauth->context)) {
 615     /** Connection not configured */
 616     SILC_LOG_ERROR(("Remote connection not configured"));
 617     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 618     return SILC_FSM_CONTINUE;
 619   }
 620
 621   /* Verify */
 622
 623   /* Passphrase authentication */
 624   if (passphrase && passphrase_len) {
 625     SILC_LOG_DEBUG(("Passphrase authentication"));
 626     if (!auth_data || payload_len != passphrase_len ||
 627         memcmp(auth_data, passphrase, passphrase_len)) {
 628       /** Authentication failed */
 629       silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 630       return SILC_FSM_CONTINUE;
 631     }
 632   } else if (repository) {
 633     /* Digital signature */
 634     SilcSKRFind find;
 635
 636     SILC_LOG_DEBUG(("Digital signature authentication"));
 637
 638     if (!auth_data) {
 639       /** Authentication failed */
 640       silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 641       return SILC_FSM_CONTINUE;
 642     }
 643
 644     connauth->auth_data = silc_memdup(auth_data, payload_len);
 645     connauth->auth_data_len = payload_len;
 646
 647     /* Allocate search constraints for finding the key */
 648     find = silc_skr_find_alloc();
 649
 650     if (!find || !connauth->auth_data || !connauth->ske->prop->public_key) {
 651       /** Out of memory */
 652       silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 653       return SILC_FSM_CONTINUE;
 654     }
 655
 656     silc_skr_find_set_pkcs_type(
 657                   find, silc_pkcs_get_type(connauth->ske->prop->public_key));
 658     silc_skr_find_set_public_key(find, connauth->ske->prop->public_key);
 659     silc_skr_find_set_usage(find, (SILC_SKR_USAGE_AUTH |
 660                                    SILC_SKR_USAGE_KEY_AGREEMENT));
 661
 662     /** Find public key */
 663     silc_fsm_next(fsm, silc_connauth_st_responder_authenticate_pk);
 664     SILC_FSM_CALL(connauth->key_op =
 665                   silc_skr_find(repository, silc_fsm_get_schedule(fsm),
 666                                 find, silc_connauth_skr_callback,
 667                                 connauth));
 668     /* NOT REACHED */
 669   }
 670
 671   /* Passphrase auth Ok, or no authentication required */
 672
 673   /** Authentication successful */
 674   silc_fsm_next(fsm, silc_connauth_st_responder_success);
 675   return SILC_FSM_CONTINUE;
 676 }
 677
 678 SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk)
 679 {
 680   SilcConnAuth connauth = fsm_context;
 681   SilcSKRKey key;
 682
 683   if (connauth->aborted) {
 684     /** Aborted */
 685     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 686     return SILC_FSM_CONTINUE;
 687   }
 688
 689   if (connauth->skr_status != SILC_SKR_OK) {
 690     /** Public key not found */
 691     SILC_LOG_DEBUG(("Public key not found, error %d", connauth->skr_status));
 692     silc_fsm_next(fsm, silc_connauth_st_responder_failure);
 693     return SILC_FSM_CONTINUE;
 694   }
 695
 696   SILC_LOG_DEBUG(("Found %d public keys",
 697                   silc_dlist_count(connauth->public_keys)));
 698
 699   /** Verify signature */
 700   key = silc_dlist_get(connauth->public_keys);
 701   silc_fsm_next(fsm, silc_connauth_st_responder_success);
 702   SILC_FSM_CALL(connauth->key_op =
 703                 silc_connauth_verify_signature(connauth, key->key,
 704                                                connauth->auth_data,
 705                                                connauth->auth_data_len));
 706   /* NOT REACHED */
 707
 708   SILC_LOG_DEBUG(("Signature is Ok"));
 709 }
 710
 711 SILC_FSM_STATE(silc_connauth_st_responder_success)
 712 {
 713   SilcConnAuth connauth = fsm_context;
 714   unsigned char tmp[4];
 715
 716   SILC_LOG_DEBUG(("Authentication successful"));
 717
 718   /* Send FAILURE packet */
 719   SILC_PUT32_MSB(SILC_AUTH_OK, tmp);
 720   silc_packet_send(connauth->ske->stream, SILC_PACKET_SUCCESS, 0, tmp, 4);
 721
 722   silc_packet_stream_unlink(connauth->ske->stream,
 723                             &silc_connauth_stream_cbs, connauth);
 724   silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
 725
 726   /* Call completion callback */
 727   connauth->completion(connauth, TRUE, connauth->context);
 728
 729   return SILC_FSM_FINISH;
 730 }
 731
 732 SILC_FSM_STATE(silc_connauth_st_responder_failure)
 733 {
 734   SilcConnAuth connauth = fsm_context;
 735   unsigned char error[4];
 736
 737   SILC_LOG_ERROR(("Authentication failed"));
 738
 739   if (!connauth->aborted) {
 740     /* Send FAILURE packet */
 741     SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
 742     silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4);
 743
 744     silc_packet_stream_unlink(connauth->ske->stream,
 745                               &silc_connauth_stream_cbs, connauth);
 746     silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
 747
 748     /* Call completion callback */
 749     connauth->completion(connauth, FALSE, connauth->context);
 750
 751     return SILC_FSM_FINISH;
 752   }
 753
 754   silc_packet_stream_unlink(connauth->ske->stream,
 755                             &silc_connauth_stream_cbs, connauth);
 756   silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
 757
 758   return SILC_FSM_FINISH;
 759 }
 760
 761 SilcAsyncOperation
 762 silc_connauth_responder(SilcConnAuth connauth,
 763                         SilcConnAuthGetAuthData get_auth_data,
 764                         SilcConnAuthCompletion completion,
 765                         void *context)
 766 {
 767   SILC_LOG_DEBUG(("Connection authentication as responder"));
 768
 769   connauth->get_auth_data = get_auth_data;
 770   connauth->completion = completion;
 771   connauth->context = context;
 772
 773   /* Link to packet stream to get packets */
 774   silc_packet_stream_link(connauth->ske->stream,
 775                           &silc_connauth_stream_cbs, connauth, 1000000,
 776                           SILC_PACKET_CONNECTION_AUTH,
 777                           SILC_PACKET_FAILURE, -1);
 778
 779   /* Start the protocol */
 780   silc_async_init(&connauth->op, silc_connauth_abort, NULL, connauth);
 781   silc_fsm_start(connauth->fsm, silc_connauth_st_responder_start);
 782
 783   return &connauth->op;
 784 }