5 Author: Pekka Riikonen <priikone@silcnet.org>
7 Copyright (C) 2005 Pekka Riikonen
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; version 2 of the License.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
21 #include "silcconnauth.h"
23 /************************** Types and definitions ***************************/
25 static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine,
26 SilcPacketStream stream,
28 void *callback_context,
31 /* Connection authentication context */
32 struct SilcConnAuthStruct {
35 SilcConnectionType conn_type;
36 SilcAuthMethod auth_method;
38 SilcUInt32 auth_data_len;
39 SilcConnAuthCompletion completion;
40 SilcConnAuthGetAuthData get_auth_data;
42 SilcDList public_keys;
43 SilcSKRStatus skr_status;
44 SilcUInt32 timeout_secs;
46 unsigned int aborted : 1;
47 unsigned int success : 1;
50 /* Packet stream callbacks */
51 static SilcPacketCallbacks silc_connauth_stream_cbs =
53 silc_connauth_packet_receive, NULL, NULL
57 /************************ Static utility functions **************************/
61 static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine,
62 SilcPacketStream stream,
64 void *callback_context,
67 SilcConnAuth connauth = callback_context;
68 connauth->packet = packet;
69 silc_fsm_continue(connauth->fsm);
73 /* Async operation abortion callback */
75 static void silc_connauth_abort(SilcAsyncOperation op, void *context)
77 SilcConnAuth connauth = context;
78 connauth->aborted = TRUE;
81 /* Generates signature for public key based authentication */
83 static SilcBool silc_connauth_get_signature(SilcConnAuth connauth,
84 unsigned char **auth_data,
85 SilcUInt32 *auth_data_len)
89 SilcPrivateKey private_key;
92 SILC_LOG_DEBUG(("Compute signature"));
95 private_key = connauth->auth_data;
97 /* Make the authentication data. Protocol says it is HASH plus
99 len = ske->hash_len + silc_buffer_len(ske->start_payload_copy);
100 auth = silc_buffer_alloc_size(len);
103 silc_buffer_format(auth,
104 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
105 SILC_STR_UI_XNSTRING(
106 ske->start_payload_copy->data,
107 silc_buffer_len(ske->start_payload_copy)),
110 len = ((silc_pkcs_private_key_get_len(private_key) + 7) / 8) + 1;
111 *auth_data = silc_calloc(len, sizeof(**auth_data));
112 if (*auth_data == NULL) {
113 silc_buffer_free(auth);
117 /* Compute signature */
118 if (!silc_pkcs_sign(private_key, auth->data, silc_buffer_len(auth),
119 *auth_data, len, auth_data_len, ske->prop->hash)) {
120 silc_free(*auth_data);
121 silc_buffer_free(auth);
125 silc_buffer_free(auth);
129 /* Verifies digital signature */
131 static SilcBool silc_connauth_verify_signature(SilcConnAuth connauth,
132 SilcPublicKey pub_key,
138 SilcSKE ske = connauth->ske;
140 if (!pub_key || !sign)
143 /* Make the authentication data. Protocol says it is HASH plus
145 len = ske->hash_len + silc_buffer_len(ske->start_payload_copy);
146 auth = silc_buffer_alloc_size(len);
149 silc_buffer_format(auth,
150 SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len),
151 SILC_STR_UI_XNSTRING(
152 ske->start_payload_copy->data,
153 silc_buffer_len(ske->start_payload_copy)),
156 /* Verify signature */
157 if (!silc_pkcs_verify(pub_key, sign, sign_len, auth->data,
158 silc_buffer_len(auth), ske->prop->hash)) {
159 silc_buffer_free(auth);
163 silc_buffer_free(auth);
170 SILC_TASK_CALLBACK(silc_connauth_timeout)
172 SilcConnAuth connauth = context;
173 SILC_LOG_DEBUG(("Protocol timeout"));
174 connauth->aborted = TRUE;
175 silc_fsm_continue_sync(connauth->fsm);
180 static void silc_connauth_skr_callback(SilcSKR skr, SilcSKRFind find,
181 SilcSKRStatus status,
182 SilcDList results, void *context)
184 SilcConnAuth connauth = context;
186 silc_skr_find_free(find);
188 connauth->public_keys = results;
189 connauth->skr_status = status;
191 SILC_FSM_CALL_CONTINUE(connauth->fsm);
196 static void silc_connauth_fsm_destructor(SilcFSM fsm, void *fsm_context,
197 void *destructor_context)
203 /******************************* Protocol API *******************************/
205 /* Allocate connection authentication context */
207 SilcConnAuth silc_connauth_alloc(SilcSchedule schedule,
209 SilcUInt32 timeout_secs)
211 SilcConnAuth connauth;
213 if (!schedule || !ske)
216 connauth = silc_calloc(1, sizeof(*connauth));
220 connauth->fsm = silc_fsm_alloc(connauth, silc_connauth_fsm_destructor,
222 if (!connauth->fsm) {
223 silc_connauth_free(connauth);
227 connauth->timeout_secs = timeout_secs;
233 /* Free connection authentication context */
235 void silc_connauth_free(SilcConnAuth connauth)
237 if (connauth->public_keys)
238 silc_dlist_uninit(connauth->public_keys);
242 /* Return associated SKE context */
244 SilcSKE silc_connauth_get_ske(SilcConnAuth connauth)
246 return connauth->ske;
250 /******************************** Initiator *********************************/
252 SILC_FSM_STATE(silc_connauth_st_initiator_start);
253 SILC_FSM_STATE(silc_connauth_st_initiator_result);
254 SILC_FSM_STATE(silc_connauth_st_initiator_failure);
256 SILC_FSM_STATE(silc_connauth_st_initiator_start)
258 SilcConnAuth connauth = fsm_context;
261 unsigned char *auth_data = NULL;
262 SilcUInt32 auth_data_len = 0;
264 SILC_LOG_DEBUG(("Start"));
266 if (connauth->aborted) {
268 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
269 return SILC_FSM_CONTINUE;
273 if (connauth->timeout_secs)
274 silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm),
275 silc_connauth_timeout, connauth,
276 connauth->timeout_secs, 0);
278 switch (connauth->auth_method) {
280 /* No authentication required */
283 case SILC_AUTH_PASSWORD:
284 auth_data = silc_memdup(connauth->auth_data, connauth->auth_data_len);
287 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
288 return SILC_FSM_CONTINUE;
290 auth_data_len = connauth->auth_data_len;
293 case SILC_AUTH_PUBLIC_KEY:
294 if (!silc_connauth_get_signature(connauth, &auth_data, &auth_data_len)) {
295 /** Error computing signature */
296 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
297 return SILC_FSM_CONTINUE;
302 payload_len = 4 + auth_data_len;
303 packet = silc_buffer_alloc_size(payload_len);
306 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
307 return SILC_FSM_CONTINUE;
310 silc_buffer_format(packet,
311 SILC_STR_UI_SHORT(payload_len),
312 SILC_STR_UI_SHORT(connauth->conn_type),
313 SILC_STR_UI_XNSTRING(auth_data, auth_data_len),
316 /* Send the packet */
317 if (!silc_packet_send(connauth->ske->stream, SILC_PACKET_CONNECTION_AUTH, 0,
318 packet->data, silc_buffer_len(packet))) {
319 /** Error sending packet */
320 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
321 return SILC_FSM_CONTINUE;
325 memset(auth_data, 0, auth_data_len);
326 silc_free(auth_data);
328 silc_buffer_free(packet);
330 /** Wait for responder */
331 silc_fsm_next(fsm, silc_connauth_st_initiator_result);
332 return SILC_FSM_WAIT;
335 SILC_FSM_STATE(silc_connauth_st_initiator_result)
337 SilcConnAuth connauth = fsm_context;
339 SILC_LOG_DEBUG(("Start"));
341 if (connauth->aborted) {
343 silc_fsm_next(fsm, silc_connauth_st_initiator_failure);
344 return SILC_FSM_CONTINUE;
347 /* Check the status of authentication */
348 if (connauth->packet->type == SILC_PACKET_SUCCESS) {
349 SILC_LOG_DEBUG(("Authentication successful"));
350 connauth->success = TRUE;
352 SILC_LOG_DEBUG(("Authentication failed"));
353 connauth->success = FALSE;
355 silc_packet_free(connauth->packet);
357 silc_packet_stream_unlink(connauth->ske->stream,
358 &silc_connauth_stream_cbs, connauth);
359 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
361 /* Call completion callback */
362 connauth->completion(connauth, connauth->success, connauth->context);
364 return SILC_FSM_FINISH;
367 SILC_FSM_STATE(silc_connauth_st_initiator_failure)
369 SilcConnAuth connauth = fsm_context;
370 unsigned char error[4];
372 SILC_LOG_DEBUG(("Start"));
374 /* Send FAILURE packet */
375 SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
376 silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4);
378 /* Call completion callback */
379 connauth->completion(connauth, FALSE, connauth->context);
381 silc_packet_stream_unlink(connauth->ske->stream,
382 &silc_connauth_stream_cbs, connauth);
383 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
385 return SILC_FSM_FINISH;
389 silc_connauth_initiator(SilcConnAuth connauth,
390 SilcConnectionType conn_type,
391 SilcAuthMethod auth_method, void *auth_data,
392 SilcUInt32 auth_data_len,
393 SilcConnAuthCompletion completion,
396 SilcAsyncOperation op;
398 SILC_LOG_DEBUG(("Connection authentication as initiator"));
400 if (auth_method == SILC_AUTH_PASSWORD && !auth_data) {
401 completion(connauth, FALSE, context);
405 if (auth_method == SILC_AUTH_PUBLIC_KEY && !auth_data) {
406 completion(connauth, FALSE, context);
410 connauth->conn_type = conn_type;
411 connauth->auth_method = auth_method;
412 connauth->auth_data = auth_data;
413 connauth->auth_data_len = auth_data_len;
414 connauth->completion = completion;
415 connauth->context = context;
417 /* Link to packet stream to get packets */
418 silc_packet_stream_link(connauth->ske->stream,
419 &silc_connauth_stream_cbs, connauth, 1000000,
421 SILC_PACKET_FAILURE, -1);
423 /* Start the protocol */
424 op = silc_async_alloc(silc_connauth_abort, NULL, connauth);
425 silc_fsm_start(connauth->fsm, silc_connauth_st_initiator_start);
431 /******************************** Responder *********************************/
433 SILC_FSM_STATE(silc_connauth_st_responder_start);
434 SILC_FSM_STATE(silc_connauth_st_responder_authenticate);
435 SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk);
436 SILC_FSM_STATE(silc_connauth_st_responder_success);
437 SILC_FSM_STATE(silc_connauth_st_responder_failure);
439 SILC_FSM_STATE(silc_connauth_st_responder_start)
441 SilcConnAuth connauth = fsm_context;
443 SILC_LOG_DEBUG(("Start"));
445 if (connauth->aborted) {
447 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
448 return SILC_FSM_CONTINUE;
452 if (connauth->timeout_secs)
453 silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm),
454 silc_connauth_timeout, connauth,
455 connauth->timeout_secs, 0);
457 /** Wait for initiator */
458 silc_fsm_next(fsm, silc_connauth_st_responder_authenticate);
459 return SILC_FSM_WAIT;
462 SILC_FSM_STATE(silc_connauth_st_responder_authenticate)
464 SilcConnAuth connauth = fsm_context;
465 SilcUInt16 payload_len;
466 SilcUInt16 conn_type;
467 unsigned char *auth_data = NULL, *passphrase = NULL;
468 SilcUInt32 passphrase_len;
469 SilcSKR repository = NULL;
472 SILC_LOG_DEBUG(("Start"));
474 if (connauth->aborted) {
476 silc_packet_free(connauth->packet);
477 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
478 return SILC_FSM_CONTINUE;
481 if (connauth->packet->type != SILC_PACKET_CONNECTION_AUTH) {
482 /** Protocol failure */
483 silc_packet_free(connauth->packet);
484 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
485 return SILC_FSM_CONTINUE;
488 /* Parse the received authentication data packet. The received
489 payload is Connection Auth Payload. */
490 ret = silc_buffer_unformat(&connauth->packet->buffer,
491 SILC_STR_UI_SHORT(&payload_len),
492 SILC_STR_UI_SHORT(&conn_type),
496 SILC_LOG_ERROR(("Bad payload in authentication packet"));
497 silc_packet_free(connauth->packet);
498 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
499 return SILC_FSM_CONTINUE;
502 if (payload_len != silc_buffer_len(&connauth->packet->buffer)) {
503 /** Bad payload length */
504 SILC_LOG_ERROR(("Bad payload length in authentication packet"));
505 silc_packet_free(connauth->packet);
506 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
507 return SILC_FSM_CONTINUE;
512 if (conn_type < SILC_CONN_CLIENT || conn_type > SILC_CONN_ROUTER) {
513 /** Bad connection type */
514 SILC_LOG_ERROR(("Bad connection type (%d) in authentication packet",
516 silc_packet_free(connauth->packet);
517 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
518 return SILC_FSM_CONTINUE;
521 if (payload_len > 0) {
522 /* Get authentication data */
523 ret = silc_buffer_unformat(&connauth->packet->buffer,
525 SILC_STR_UI_XNSTRING(&auth_data,
530 SILC_LOG_DEBUG(("Bad payload in authentication payload"));
531 silc_packet_free(connauth->packet);
532 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
533 return SILC_FSM_CONTINUE;
536 silc_packet_free(connauth->packet);
538 SILC_LOG_DEBUG(("Remote connection type %d", conn_type));
540 /* Get authentication data */
541 if (!connauth->get_auth_data(connauth, conn_type, &passphrase,
542 &passphrase_len, &repository,
543 connauth->context)) {
544 /** Connection not configured */
545 SILC_LOG_ERROR(("Remote connection not configured"));
546 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
547 return SILC_FSM_CONTINUE;
552 /* Passphrase authentication */
553 if (passphrase && passphrase_len) {
554 SILC_LOG_DEBUG(("Passphrase authentication"));
555 if (!memcmp(auth_data, passphrase, passphrase_len)) {
556 /** Authentication failed */
557 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
558 return SILC_FSM_CONTINUE;
560 } else if (repository) {
561 /* Digital signature */
564 SILC_LOG_DEBUG(("Digital signature authentication"));
566 connauth->auth_data = silc_memdup(auth_data, payload_len);
567 connauth->auth_data_len = payload_len;
569 /* Allocate search constraints for finding the key */
570 find = silc_skr_find_alloc();
572 if (!find || !connauth->auth_data) {
574 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
575 return SILC_FSM_CONTINUE;
578 silc_skr_find_set_pkcs_type(find, connauth->ske->pk_type);
579 silc_skr_find_set_public_key(find, connauth->ske->public_key);
580 silc_skr_find_set_usage(find, (SILC_SKR_USAGE_AUTH |
581 SILC_SKR_USAGE_KEY_AGREEMENT));
583 /** Find public key */
584 silc_fsm_next(fsm, silc_connauth_st_responder_authenticate_pk);
585 SILC_FSM_CALL(silc_skr_find(repository, find, silc_connauth_skr_callback,
590 /* Passphrase auth Ok, or no authentication required */
592 /** Authentication successful */
593 silc_fsm_next(fsm, silc_connauth_st_responder_success);
594 return SILC_FSM_CONTINUE;
597 SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk)
599 SilcConnAuth connauth = fsm_context;
602 if (connauth->aborted) {
604 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
605 return SILC_FSM_CONTINUE;
608 if (connauth->skr_status != SILC_SKR_OK) {
609 /** Public key not found */
610 SILC_LOG_DEBUG(("Public key not found, error %d", connauth->skr_status));
611 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
612 return SILC_FSM_CONTINUE;
615 SILC_LOG_DEBUG(("Found %d public keys",
616 silc_dlist_count(connauth->public_keys)));
618 /* Verify signature */
619 key = silc_dlist_get(connauth->public_keys);
620 if (!silc_connauth_verify_signature(connauth, key->key,
622 connauth->auth_data_len)) {
623 /** Invalid signature */
624 SILC_LOG_DEBUG(("Invalid signature"));
625 silc_free(connauth->auth_data);
626 silc_fsm_next(fsm, silc_connauth_st_responder_failure);
627 return SILC_FSM_CONTINUE;
630 silc_free(connauth->auth_data);
632 /** Authentication successful */
633 silc_fsm_next(fsm, silc_connauth_st_responder_success);
634 return SILC_FSM_CONTINUE;
637 SILC_FSM_STATE(silc_connauth_st_responder_success)
639 SilcConnAuth connauth = fsm_context;
640 unsigned char tmp[4];
642 SILC_LOG_DEBUG(("Authentication successful"));
644 /* Send FAILURE packet */
645 SILC_PUT32_MSB(SILC_AUTH_OK, tmp);
646 silc_packet_send(connauth->ske->stream, SILC_PACKET_SUCCESS, 0, tmp, 4);
648 /* Call completion callback */
649 connauth->completion(connauth, TRUE, connauth->context);
651 silc_packet_stream_unlink(connauth->ske->stream,
652 &silc_connauth_stream_cbs, connauth);
653 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
655 return SILC_FSM_FINISH;
658 SILC_FSM_STATE(silc_connauth_st_responder_failure)
660 SilcConnAuth connauth = fsm_context;
661 unsigned char error[4];
663 SILC_LOG_ERROR(("Authentication failed"));
665 /* Send FAILURE packet */
666 SILC_PUT32_MSB(SILC_AUTH_FAILED, error);
667 silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4);
669 /* Call completion callback */
670 connauth->completion(connauth, FALSE, connauth->context);
672 silc_packet_stream_unlink(connauth->ske->stream,
673 &silc_connauth_stream_cbs, connauth);
674 silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth);
676 return SILC_FSM_FINISH;
680 silc_connauth_responder(SilcConnAuth connauth,
681 SilcConnAuthGetAuthData get_auth_data,
682 SilcConnAuthCompletion completion,
685 SilcAsyncOperation op;
687 SILC_LOG_DEBUG(("Connection authentication as responder"));
689 connauth->get_auth_data = get_auth_data;
690 connauth->completion = completion;
691 connauth->context = context;
693 /* Link to packet stream to get packets */
694 silc_packet_stream_link(connauth->ske->stream,
695 &silc_connauth_stream_cbs, connauth, 1000000,
696 SILC_PACKET_CONNECTION_AUTH,
697 SILC_PACKET_FAILURE, -1);
699 /* Start the protocol */
700 op = silc_async_alloc(silc_connauth_abort, NULL, connauth);
701 silc_fsm_start(connauth->fsm, silc_connauth_st_responder_start);