updates.

[silc.git] / apps / silcd / protocol.c

diff --git a/apps/silcd/protocol.c b/apps/silcd/protocol.c
index 50fdc7075a85a081b4e82bf81fe3192893780685..50caf2403a30142a903c0948733449d92280a6da 100644 (file)
--- a/apps/silcd/protocol.c
+++ b/apps/silcd/protocol.c
@@ -56,6 +56,13 @@ silc_verify_public_key_internal(SilcServer server, SilcSocketConnection sock,
     return TRUE;
   }
 
+  /* XXX For now, accept server keys without verification too. We are
+     currently always doing mutual authentication so the proof of posession
+     of the private key is verified, and if server is authenticated in
+     conn auth protocol with public key we MUST have the key already. */
+  return TRUE;
+  /* Rest is unreachable code! */
+  
   memset(filename, 0, sizeof(filename));
   memset(file, 0, sizeof(file));
   snprintf(file, sizeof(file) - 1, "serverkey_%s_%d.pub", sock->hostname, 
@@ -199,7 +206,8 @@ static void silc_server_protocol_ke_send_packet(SilcSKE ske,
 
 /* Sets the negotiated key material into use for particular connection. */
 
-int silc_server_protocol_ke_set_keys(SilcSKE ske,
+int silc_server_protocol_ke_set_keys(SilcServer server,
+                                    SilcSKE ske,
                                     SilcSocketConnection sock,
                                     SilcSKEKeyMaterial *keymat,
                                     SilcCipher cipher,
@@ -244,15 +252,6 @@ int silc_server_protocol_ke_set_keys(SilcSKE ske,
     return FALSE;
   }
 
-  /* XXX backwards support for old MAC thingy
-     XXX Remove ing 0.7.x */
-  if (ske->backward_version) {
-    silc_hmac_set_b(idata->hmac_send);
-    silc_hmac_set_b(idata->hmac_receive);
-    idata->send_key->back = TRUE;
-    idata->receive_key->back = TRUE;
-  }
-
   if (is_responder == TRUE) {
     silc_cipher_set_key(idata->send_key, keymat->receive_enc_key, 
                        keymat->enc_key_len);
@@ -302,6 +301,9 @@ int silc_server_protocol_ke_set_keys(SilcSKE ske,
   /* Save the remote host's public key */
   silc_pkcs_public_key_decode(ske->ke1_payload->pk_data, 
                              ske->ke1_payload->pk_len, &idata->public_key);
+  if (ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL)
+    silc_hash_make(server->sha1hash, ske->ke1_payload->pk_data,
+                  ske->ke1_payload->pk_len, idata->fingerprint);
 
   sock->user_data = (void *)conn_data;
 
@@ -369,9 +371,12 @@ SilcSKEStatus silc_ske_check_version(SilcSKE ske, unsigned char *version,
   if (min > min2)
     status = SILC_SKE_STATUS_BAD_VERSION;
 
-  /* Backwards support for 0.5.x for various MAC related issues.
-     XXX Remove in 0.7.x */
-  if (maj == 0 && min < 6)
+  /* XXX < 0.6 is not allowed */
+  if (maj == 0 && min < 5)
+    status = SILC_SKE_STATUS_BAD_VERSION;
+
+  /* XXX backward support for 0.6.1 */
+  if (maj == 0 && min == 6 && build < 2)
     ske->backward_version = 1;
 
   return status;
@@ -465,12 +470,12 @@ SILC_TASK_CALLBACK(silc_server_protocol_key_exchange)
           properties packet from initiator. */
        status = silc_ske_responder_start(ske, ctx->rng, ctx->sock,
                                          silc_version_string,
-                                         ctx->packet->buffer, FALSE);
+                                         ctx->packet->buffer, TRUE);
       } else {
        SilcSKEStartPayload *start_payload;
 
        /* Assemble security properties. */
-       silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_NONE, 
+       silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_MUTUAL, 
                                              silc_version_string,
                                              &start_payload);