X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=blobdiff_plain;f=lib%2Fsilccore%2Fsilcauth.c;h=7ac372d360238a57017c15427504d25b398f8126;hp=cd08d5edf7545f8b27d598c7ce8b7ce336b975af;hb=e5d8d3db6caa344b3d419b884556c21b15e7d123;hpb=9f7c7f0df8ad34668409608d5a1507da55395f39 diff --git a/lib/silccore/silcauth.c b/lib/silccore/silcauth.c index cd08d5ed..7ac372d3 100644 --- a/lib/silccore/silcauth.c +++ b/lib/silccore/silcauth.c @@ -30,27 +30,31 @@ /* Authentication Payload structure */ struct SilcAuthPayloadStruct { - unsigned short len; - unsigned short auth_method; - unsigned short random_len; + uint16 len; + uint16 auth_method; + uint16 random_len; unsigned char *random_data; - unsigned short auth_len; + uint16 auth_len; unsigned char *auth_data; }; /* Parses and returns Authentication Payload */ -SilcAuthPayload silc_auth_payload_parse(SilcBuffer buffer) +SilcAuthPayload silc_auth_payload_parse(unsigned char *data, + uint32 data_len) { + SilcBufferStruct buffer; SilcAuthPayload new; int ret; SILC_LOG_DEBUG(("Parsing Authentication Payload")); + silc_buffer_set(&buffer, data, data_len); + new = silc_calloc(1, sizeof(*new)); /* Parse the payload */ - ret = silc_buffer_unformat(buffer, + ret = silc_buffer_unformat(&buffer, SILC_STR_UI_SHORT(&new->len), SILC_STR_UI_SHORT(&new->auth_method), SILC_STR_UI16_NSTRING_ALLOC(&new->random_data, @@ -63,7 +67,7 @@ SilcAuthPayload silc_auth_payload_parse(SilcBuffer buffer) return NULL; } - if (new->len != buffer->len) { + if (new->len != buffer.len) { silc_auth_payload_free(new); return NULL; } @@ -81,16 +85,16 @@ SilcAuthPayload silc_auth_payload_parse(SilcBuffer buffer) SilcBuffer silc_auth_payload_encode(SilcAuthMethod method, unsigned char *random_data, - unsigned short random_len, + uint16 random_len, unsigned char *auth_data, - unsigned short auth_len) + uint16 auth_len) { SilcBuffer buffer; - unsigned int len; + uint32 len; SILC_LOG_DEBUG(("Encoding Authentication Payload")); - len = 4 + 4 + random_len + auth_len; + len = 2 + 2 + 2 + random_len + 2 + auth_len; buffer = silc_buffer_alloc(len); silc_buffer_pull_tail(buffer, SILC_BUFFER_END(buffer)); silc_buffer_format(buffer, @@ -122,6 +126,24 @@ void silc_auth_payload_free(SilcAuthPayload payload) } } +/* Get authentication method */ + +SilcAuthMethod silc_auth_get_method(SilcAuthPayload payload) +{ + return payload->auth_method; +} + +/* Get the authentication data */ + +unsigned char *silc_auth_get_data(SilcAuthPayload payload, + uint32 *auth_len) +{ + if (auth_len) + *auth_len = payload->auth_len; + + return payload->auth_data; +} + /****************************************************************************** Authentication Routines @@ -132,15 +154,16 @@ void silc_auth_payload_free(SilcAuthPayload payload) dictates. */ static unsigned char * -silc_auth_public_key_encode_data(SilcPKCS pkcs, unsigned char *random, - unsigned int random_len, void *id, - SilcIdType type, unsigned int *ret_len) +silc_auth_public_key_encode_data(SilcPublicKey public_key, + unsigned char *random, + uint32 random_len, void *id, + SilcIdType type, uint32 *ret_len) { SilcBuffer buf; unsigned char *pk, *id_data, *ret; - unsigned int pk_len, id_len; + uint32 pk_len, id_len; - pk = silc_pkcs_get_public_key(pkcs, &pk_len); + pk = silc_pkcs_public_key_encode(public_key, &pk_len); if (!pk) return NULL; @@ -149,9 +172,9 @@ silc_auth_public_key_encode_data(SilcPKCS pkcs, unsigned char *random, silc_free(pk); return NULL; } - id_len = silc_id_get_len(type); + id_len = silc_id_get_len(id, type); - buf = silc_buffer_alloc(random_len + pk_len); + buf = silc_buffer_alloc(random_len + id_len + pk_len); silc_buffer_pull_tail(buf, SILC_BUFFER_END(buf)); silc_buffer_format(buf, SILC_STR_UI_XNSTRING(random, random_len), @@ -159,7 +182,7 @@ silc_auth_public_key_encode_data(SilcPKCS pkcs, unsigned char *random, SILC_STR_UI_XNSTRING(pk, pk_len), SILC_STR_END); - ret = silc_calloc(buf->len, sizeof(*ret)); + ret = silc_calloc(buf->len + 1, sizeof(*ret)); memcpy(ret, buf->data, buf->len); if (ret_len) @@ -176,16 +199,18 @@ silc_auth_public_key_encode_data(SilcPKCS pkcs, unsigned char *random, to do public key based authentication. This generates the random data and the actual authentication data. Returns NULL on error. */ -SilcBuffer silc_auth_public_key_auth_generate(SilcPKCS pkcs, +SilcBuffer silc_auth_public_key_auth_generate(SilcPublicKey public_key, + SilcPrivateKey private_key, SilcHash hash, void *id, SilcIdType type) { unsigned char *random; - unsigned char auth_data[32]; - unsigned int auth_len; + unsigned char auth_data[1024]; + uint32 auth_len; unsigned char *tmp; - unsigned int tmp_len; + uint32 tmp_len; SilcBuffer buf; + SilcPKCS pkcs; SILC_LOG_DEBUG(("Generating Authentication Payload with data")); @@ -195,11 +220,20 @@ SilcBuffer silc_auth_public_key_auth_generate(SilcPKCS pkcs, return NULL; /* Encode the auth data */ - tmp = silc_auth_public_key_encode_data(pkcs, random, 256, id, type, + tmp = silc_auth_public_key_encode_data(public_key, random, 256, id, type, &tmp_len); if (!tmp) return NULL; + /* Allocate PKCS object */ + if (!silc_pkcs_alloc(public_key->name, &pkcs)) { + memset(tmp, 0, tmp_len); + silc_free(tmp); + return NULL; + } + silc_pkcs_public_key_set(pkcs, public_key); + silc_pkcs_private_key_set(pkcs, private_key); + /* Compute the hash and the signature. */ if (!silc_pkcs_sign_with_hash(pkcs, hash, tmp, tmp_len, auth_data, &auth_len)) { @@ -207,6 +241,7 @@ SilcBuffer silc_auth_public_key_auth_generate(SilcPKCS pkcs, memset(tmp, 0, tmp_len); silc_free(tmp); silc_free(random); + silc_pkcs_free(pkcs); return NULL; } @@ -219,24 +254,26 @@ SilcBuffer silc_auth_public_key_auth_generate(SilcPKCS pkcs, memset(random, 0, 256); silc_free(tmp); silc_free(random); + silc_pkcs_free(pkcs); return buf; } /* Verifies the authentication data. Returns TRUE if authentication was - successfull. */ + successful. */ int silc_auth_public_key_auth_verify(SilcAuthPayload payload, - SilcPKCS pkcs, SilcHash hash, + SilcPublicKey public_key, SilcHash hash, void *id, SilcIdType type) { unsigned char *tmp; - unsigned int tmp_len; + uint32 tmp_len; + SilcPKCS pkcs; SILC_LOG_DEBUG(("Verifying authentication data")); /* Encode auth data */ - tmp = silc_auth_public_key_encode_data(pkcs, payload->random_data, + tmp = silc_auth_public_key_encode_data(public_key, payload->random_data, payload->random_len, id, type, &tmp_len); if (!tmp) { @@ -244,20 +281,30 @@ int silc_auth_public_key_auth_verify(SilcAuthPayload payload, return FALSE; } + /* Allocate PKCS object */ + if (!silc_pkcs_alloc(public_key->name, &pkcs)) { + memset(tmp, 0, tmp_len); + silc_free(tmp); + return FALSE; + } + silc_pkcs_public_key_set(pkcs, public_key); + /* Verify the authentication data */ if (!silc_pkcs_verify_with_hash(pkcs, hash, payload->auth_data, payload->auth_len, tmp, tmp_len)) { memset(tmp, 0, tmp_len); silc_free(tmp); + silc_pkcs_free(pkcs); SILC_LOG_DEBUG(("Authentication failed")); return FALSE; } memset(tmp, 0, tmp_len); silc_free(tmp); + silc_pkcs_free(pkcs); - SILC_LOG_DEBUG(("Authentication successfull")); + SILC_LOG_DEBUG(("Authentication successful")); return TRUE; } @@ -265,19 +312,20 @@ int silc_auth_public_key_auth_verify(SilcAuthPayload payload, /* Same as above but the payload is not parsed yet. This will parse it. */ int silc_auth_public_key_auth_verify_data(SilcBuffer payload, - SilcPKCS pkcs, SilcHash hash, + SilcPublicKey public_key, + SilcHash hash, void *id, SilcIdType type) { SilcAuthPayload auth_payload; int ret; - auth_payload = silc_auth_payload_parse(payload); + auth_payload = silc_auth_payload_parse(payload->data, payload->len); if (!auth_payload) { SILC_LOG_DEBUG(("Authentication failed")); return FALSE; } - ret = silc_auth_public_key_auth_verify(auth_payload, pkcs, hash, + ret = silc_auth_public_key_auth_verify(auth_payload, public_key, hash, id, type); silc_auth_payload_free(auth_payload); @@ -285,6 +333,74 @@ int silc_auth_public_key_auth_verify_data(SilcBuffer payload, return ret; } +/* Verifies the authentication data directly from the Authentication + Payload. Supports all authentication methods. If the authentication + method is passphrase based then the `auth_data' and `auth_data_len' + are the passphrase and its length. If the method is public key + authentication then the `auth_data' is the SilcPublicKey and the + `auth_data_len' is ignored. */ + +int silc_auth_verify(SilcAuthPayload payload, SilcAuthMethod auth_method, + void *auth_data, uint32 auth_data_len, + SilcHash hash, void *id, SilcIdType type) +{ + SILC_LOG_DEBUG(("Verifying authentication")); + + if (auth_method != payload->auth_method) + return FALSE; + + switch (payload->auth_method) { + case SILC_AUTH_NONE: + /* No authentication */ + SILC_LOG_DEBUG(("No authentication required")); + return TRUE; + + case SILC_AUTH_PASSWORD: + /* Passphrase based authentication. The `pkcs', `hash', `id' and `type' + arguments are not needed. */ + if (!memcmp(payload->auth_data, auth_data, payload->auth_len)) { + SILC_LOG_DEBUG(("Authentication successful")); + return TRUE; + } + break; + + case SILC_AUTH_PUBLIC_KEY: + /* Public key based authentication */ + return silc_auth_public_key_auth_verify(payload, (SilcPublicKey)auth_data, + hash, id, type); + break; + + default: + break; + } + + SILC_LOG_DEBUG(("Authentication failed")); + + return FALSE; +} + +/* Same as above but parses the authentication payload before verify. */ + +int silc_auth_verify_data(unsigned char *payload, uint32 payload_len, + SilcAuthMethod auth_method, void *auth_data, + uint32 auth_data_len, SilcHash hash, + void *id, SilcIdType type) +{ + SilcAuthPayload auth_payload; + int ret; + + auth_payload = silc_auth_payload_parse(payload, payload_len); + if (!auth_payload) + return FALSE; + + ret = silc_auth_verify(auth_payload, auth_method, auth_data, auth_data_len, + hash, id, type); + + silc_auth_payload_free(auth_payload); + + return ret; +} + /****************************************************************************** Key Agreement Payload @@ -293,9 +409,9 @@ int silc_auth_public_key_auth_verify_data(SilcBuffer payload, /* The Key Agreement protocol structure */ struct SilcKeyAgreementPayloadStruct { - unsigned short hostname_len; + uint16 hostname_len; unsigned char *hostname; - unsigned int port; + uint32 port; }; /* Parses and returns an allocated Key Agreement payload. */ @@ -326,10 +442,10 @@ SilcKeyAgreementPayload silc_key_agreement_payload_parse(SilcBuffer buffer) /* Encodes the Key Agreement protocol and returns the encoded buffer */ SilcBuffer silc_key_agreement_payload_encode(char *hostname, - unsigned int port) + uint32 port) { SilcBuffer buffer; - unsigned int len = strlen(hostname); + uint32 len = hostname ? strlen(hostname) : 0; SILC_LOG_DEBUG(("Encoding Key Agreement Payload")); @@ -363,7 +479,7 @@ char *silc_key_agreement_get_hostname(SilcKeyAgreementPayload payload) /* Returns the port in the payload */ -unsigned int silc_key_agreement_get_port(SilcKeyAgreementPayload payload) +uint32 silc_key_agreement_get_port(SilcKeyAgreementPayload payload) { return payload->port; }