projects / silc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3dcbe27)
Bugfixes merged from trunk.
authorPekka Riikonen <priikone@silcnet.org>
Wed, 3 Apr 2002 10:36:27 +0000 (10:36 +0000)
committerPekka Riikonen <priikone@silcnet.org>
Wed, 3 Apr 2002 10:36:27 +0000 (10:36 +0000)
CHANGES patch | blob | history
apps/silcd/protocol.c patch | blob | history
lib/silcske/payload.c patch | blob | history
lib/silcske/silcske.c patch | blob | history

diff --git a/CHANGES b/CHANGES
index 3d78bdbfb6cdb1a7c9508144b194dba0d1c42eea..2dc369cd784fda698d833fd11c99b0598b00fbae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+Wed Apr  3 12:36:05 CEST 2002  Pekka Riikonen <priikone@silcnet.org>
+
+        * Added better error logging in rekey protocol.  Affected file
+          silcd/protocol.c.
+
+        * Do not check public key types in SKE during rekey.  Affected
+          file lib/silcske/payload.c.
+
+        * Fixed the rekey protocol with PFS, which was totally broken.
+          Affected file silcd/protocol.c.
+
 Tue Apr  2 13:39:04 CEST 2002  Johnny Mnemonic <johnny@themnemonic.org>
 
        * Merged version 1.1.4 of zlib. Even if it not currently in use,
diff --git a/apps/silcd/protocol.c b/apps/silcd/protocol.c
index fb2d41d371021fe807bf55f71507ee64e738c602..65fafeeae26e53ab27c5f39f2231a9f7e39a4eaa 100644 (file)
--- a/apps/silcd/protocol.c
+++ b/apps/silcd/protocol.c
@@ -310,11 +310,12 @@ int silc_server_protocol_ke_set_keys(SilcServer server,
 
   sock->user_data = (void *)conn_data;
 
-  SILC_LOG_INFO(("%s (%s) security properties: %s %s %s", 
+  SILC_LOG_INFO(("%s (%s) security properties: %s %s %s %s", 
                 sock->hostname, sock->ip,
                 idata->send_key->cipher->name,
                 (char *)silc_hmac_get_name(idata->hmac_send),
-                idata->hash->hash->name));
+                idata->hash->hash->name, 
+                ske->prop->flags & SILC_SKE_SP_FLAG_PFS ? "PFS" : ""));
 
   return TRUE;
 }
@@ -1367,9 +1368,11 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
           */
 
          if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_1) {
-           SILC_LOG_ERROR(("Error during Re-key (PFS): re-key state is "
-                           "incorrect (received %d, expected %d packet)",
-                           ctx->packet->type, SILC_PACKET_KEY_EXCHANGE_1));
+           SILC_LOG_ERROR(("Error during Re-key (R PFS): re-key state is "
+                           "incorrect (received %d, expected %d packet), "
+                           "with %s (%s)", ctx->packet->type, 
+                           SILC_PACKET_KEY_EXCHANGE_1, ctx->sock->hostname,
+                           ctx->sock->ip));
            protocol->state = SILC_PROTOCOL_STATE_ERROR;
            silc_protocol_execute(protocol, server->schedule, 0, 300000);
            return;
@@ -1387,8 +1390,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
       
          status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer);
          if (status != SILC_SKE_STATUS_OK) {
-           SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)",
-                           silc_ske_map_status(status)));
+           SILC_LOG_ERROR(("Error (%s) during Re-key (R PFS), with %s (%s)",
+                           silc_ske_map_status(status), ctx->sock->hostname,
+                           ctx->sock->ip));
            protocol->state = SILC_PROTOCOL_STATE_ERROR;
            silc_protocol_execute(protocol, server->schedule, 0, 300000);
            return;
@@ -1441,8 +1445,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
       
          status = silc_ske_initiator_phase_2(ctx->ske, NULL, NULL, 0);
          if (status != SILC_SKE_STATUS_OK) {
-           SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)",
-                           silc_ske_map_status(status)));
+           SILC_LOG_ERROR(("Error (%s) during Re-key (I PFS), with %s (%s)",
+                           silc_ske_map_status(status), ctx->sock->hostname,
+                           ctx->sock->ip));
            protocol->state = SILC_PROTOCOL_STATE_ERROR;
            silc_protocol_execute(protocol, server->schedule, 0, 300000);
            return;
@@ -1485,8 +1490,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
        status = silc_ske_responder_finish(ctx->ske, NULL, NULL, 
                                           SILC_SKE_PK_TYPE_SILC);
        if (status != SILC_SKE_STATUS_OK) {
-         SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)",
-                         silc_ske_map_status(status)));
+         SILC_LOG_ERROR(("Error (%s) during Re-key (R PFS), with %s (%s)",
+                         silc_ske_map_status(status), ctx->sock->hostname,
+                         ctx->sock->ip));
          protocol->state = SILC_PROTOCOL_STATE_ERROR;
          silc_protocol_execute(protocol, server->schedule, 0, 300000);
          return;
@@ -1499,9 +1505,11 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
         * The packet type must be KE packet
         */
        if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_2) {
-         SILC_LOG_ERROR(("Error during Re-key (PFS): re-key state is "
-                         "incorrect (received %d, expected %d packet)",
-                         ctx->packet->type, SILC_PACKET_KEY_EXCHANGE_2));
+         SILC_LOG_ERROR(("Error during Re-key (I PFS): re-key state is "
+                         "incorrect (received %d, expected %d packet), "
+                         "with %s (%s)", ctx->packet->type, 
+                         SILC_PACKET_KEY_EXCHANGE_2, ctx->sock->hostname,
+                         ctx->sock->ip));
          protocol->state = SILC_PROTOCOL_STATE_ERROR;
          silc_protocol_execute(protocol, server->schedule, 0, 300000);
          return;
@@ -1509,8 +1517,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
        
        status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer);
        if (status != SILC_SKE_STATUS_OK) {
-         SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)",
-                         silc_ske_map_status(status)));
+         SILC_LOG_ERROR(("Error (%s) during Re-key (I PFS), with %s (%s)",
+                         silc_ske_map_status(status), ctx->sock->hostname,
+                         ctx->sock->ip));
          protocol->state = SILC_PROTOCOL_STATE_ERROR;
          silc_protocol_execute(protocol, server->schedule, 0, 300000);
          return;
@@ -1538,9 +1547,11 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
      */
 
     if (ctx->packet->type != SILC_PACKET_REKEY_DONE) {
-      SILC_LOG_ERROR(("Error during Re-key (PFS): re-key state is "
-                     "incorrect (received %d, expected %d packet)",
-                     ctx->packet->type, SILC_PACKET_REKEY_DONE));
+      SILC_LOG_ERROR(("Error during Re-key (%s PFS): re-key state is "
+                     "incorrect (received %d, expected %d packet), "
+                     "with %s (%s)", ctx->responder ? "R" : "I",
+                     ctx->packet->type, SILC_PACKET_REKEY_DONE,
+                     ctx->sock->hostname, ctx->sock->ip));
       protocol->state = SILC_PROTOCOL_STATE_ERROR;
       silc_protocol_execute(protocol, server->schedule, 0, 300000);
       return;
@@ -1548,7 +1559,10 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey)
 
     /* We received the REKEY_DONE packet and all packets after this is
        encrypted with the new key so set the decryption key to the new key */
-    silc_server_protocol_rekey_generate(server, ctx, FALSE);
+    if (ctx->pfs == TRUE)
+      silc_server_protocol_rekey_generate_pfs(server, ctx, FALSE);
+    else
+      silc_server_protocol_rekey_generate(server, ctx, FALSE);
 
     /* Assure that after calling final callback there cannot be pending
        executions for this protocol anymore. This just unregisters any 
diff --git a/lib/silcske/payload.c b/lib/silcske/payload.c
index 9bf2aa862e9346096871103aa27c50fa43c6941d..eafbd873330404b36fe711a529c9476671b556db 100644 (file)
--- a/lib/silcske/payload.c
+++ b/lib/silcske/payload.c
@@ -265,7 +265,9 @@ SilcSKEStatus silc_ske_payload_ke_decode(SilcSKE ske,
     goto err;
   }
 
-  if (payload->pk_type == 0) {
+  if (ske->start_payload && 
+      (payload->pk_type < SILC_SKE_PK_TYPE_SILC || 
+       payload->pk_type > SILC_SKE_PK_TYPE_SPKI)) {
     status = SILC_SKE_STATUS_BAD_PAYLOAD;
     goto err;
   }
@@ -304,7 +306,7 @@ SilcSKEStatus silc_ske_payload_ke_decode(SilcSKE ske,
   }
 
   if (tot_len != len2) {
-    status = SILC_SKE_STATUS_BAD_PAYLOAD;
+    status = SILC_SKE_STATUS_BAD_PAYLOAD_LENGTH;
     goto err;
   }
   
diff --git a/lib/silcske/silcske.c b/lib/silcske/silcske.c
index 56b38eb44ca9db766e974a0bcec903131e6db83e..4694104599e0ad2afe2586cf8cceb6c72bd3d190 100644 (file)
--- a/lib/silcske/silcske.c
+++ b/lib/silcske/silcske.c
@@ -1100,6 +1100,9 @@ SilcSKEStatus silc_ske_abort(SilcSKE ske, SilcSKEStatus status)
 
   SILC_LOG_DEBUG(("Start"));
 
+  if (status > SILC_SKE_STATUS_INVALID_COOKIE)
+    status = SILC_SKE_STATUS_BAD_PAYLOAD;
+
   packet = silc_buffer_alloc(4);
   silc_buffer_pull_tail(packet, SILC_BUFFER_END(packet));
   silc_buffer_format(packet,
SILC - Secure Internet Live Conferencing