From: Pekka Riikonen Date: Wed, 13 Feb 2002 19:51:57 +0000 (+0000) Subject: updates. X-Git-Tag: silc.client.0.8.1~70 X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff_plain;h=8a5f64b6ead2707ba7f623e4e8c6f6a58f4d712f updates. --- diff --git a/CHANGES b/CHANGES index f3617b11..595b9068 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,27 @@ +Wed Feb 13 20:51:13 EET 2002 Johnny Mnemonic + + * Unified the serverconfig.[ch]'s helper function interface. + Affected file silcd/serverconfig.[ch]. + + * Removed doc/example_silc.conf.in since it is redundant. + The make install will now install irssi/silc.conf file. + + * Added new Passphrase and Publickey authentication methods to + config file, allowing both public key and passphrase based + authentication to be set at the same time. + + Added `prefer_passphrase_auth' setting in config file which + can be used to set to prefer passwd auth if both passwd and + public key is set. If not set, public key is preferred. + This has effect only when being initiator (responder will try + both anyway). + + Added support for authentication with passphrase and public key + at the same time. The passphrase is tried first always since + it is faster to check. + + Affected file silcd/serverconfig.[ch], server.c, protocol.[ch]. + Wed Feb 13 12:46:25 CET 2002 Johnny Mnemonic * Merged the new SILC Config library, with the server parsing diff --git a/Makefile.am.pre b/Makefile.am.pre index 177e366f..6bf3d2e3 100644 --- a/Makefile.am.pre +++ b/Makefile.am.pre @@ -87,7 +87,7 @@ etc-install: chmod go= $(etcdir)/silcd.conf; \ fi -@if test '!' -f $(etcdir)/silc.conf ; then \ - $(INSTALL_DATA) $(srcdir)/doc/example_silc.conf \ + $(INSTALL_DATA) $(srcdir)/irssi/silc.conf \ $(etcdir)/silc.conf; \ fi diff --git a/apps/silcd/command.c b/apps/silcd/command.c index b4d5bcee..9d521036 100644 --- a/apps/silcd/command.c +++ b/apps/silcd/command.c @@ -4585,6 +4585,7 @@ SILC_SERVER_CMD_FUNC(oper) uint32 tmp_len; SilcServerConfigSectionAdmin *admin; SilcIDListData idata = (SilcIDListData)client; + bool result = FALSE; SILC_SERVER_COMMAND_CHECK(SILC_COMMAND_OPER, cmd, 1, 2); @@ -4600,10 +4601,10 @@ SILC_SERVER_CMD_FUNC(oper) } /* Get the admin configuration */ - admin = silc_server_config_find_admin(server->config, cmd->sock->ip, + admin = silc_server_config_find_admin(server, cmd->sock->ip, username, client->nickname); if (!admin) { - admin = silc_server_config_find_admin(server->config, cmd->sock->hostname, + admin = silc_server_config_find_admin(server, cmd->sock->hostname, username, client->nickname); if (!admin) { silc_server_command_send_status_reply(cmd, SILC_COMMAND_OPER, @@ -4620,10 +4621,18 @@ SILC_SERVER_CMD_FUNC(oper) goto out; } - /* Verify the authentication data */ - if (!silc_auth_verify_data(auth, tmp_len, admin->auth_meth, - admin->auth_data, admin->auth_data_len, - idata->hash, client->id, SILC_ID_CLIENT)) { + /* Verify the authentication data. If both passphrase and public key + is set then try both of them. */ + if (admin->passphrase) + result = silc_auth_verify_data(auth, tmp_len, SILC_AUTH_PASSWORD, + admin->passphrase, admin->passphrase_len, + idata->hash, client->id, SILC_ID_CLIENT); + if (!result && admin->publickey) + result = silc_auth_verify_data(auth, tmp_len, SILC_AUTH_PUBLIC_KEY, + admin->publickey, 0, + idata->hash, client->id, SILC_ID_CLIENT); + if (!result) { + /* Authentication failed */ silc_server_command_send_status_reply(cmd, SILC_COMMAND_OPER, SILC_STATUS_ERR_AUTH_FAILED); goto out; @@ -4663,6 +4672,7 @@ SILC_SERVER_CMD_FUNC(silcoper) uint32 tmp_len; SilcServerConfigSectionAdmin *admin; SilcIDListData idata = (SilcIDListData)client; + bool result = FALSE; SILC_SERVER_COMMAND_CHECK(SILC_COMMAND_SILCOPER, cmd, 1, 2); @@ -4684,10 +4694,10 @@ SILC_SERVER_CMD_FUNC(silcoper) } /* Get the admin configuration */ - admin = silc_server_config_find_admin(server->config, cmd->sock->ip, + admin = silc_server_config_find_admin(server, cmd->sock->ip, username, client->nickname); if (!admin) { - admin = silc_server_config_find_admin(server->config, cmd->sock->hostname, + admin = silc_server_config_find_admin(server, cmd->sock->hostname, username, client->nickname); if (!admin) { silc_server_command_send_status_reply(cmd, SILC_COMMAND_SILCOPER, @@ -4704,11 +4714,19 @@ SILC_SERVER_CMD_FUNC(silcoper) goto out; } - /* Verify the authentication data */ - if (!silc_auth_verify_data(auth, tmp_len, admin->auth_meth, - admin->auth_data, admin->auth_data_len, - idata->hash, client->id, SILC_ID_CLIENT)) { - silc_server_command_send_status_reply(cmd, SILC_COMMAND_SILCOPER, + /* Verify the authentication data. If both passphrase and public key + is set then try both of them. */ + if (admin->passphrase) + result = silc_auth_verify_data(auth, tmp_len, SILC_AUTH_PASSWORD, + admin->passphrase, admin->passphrase_len, + idata->hash, client->id, SILC_ID_CLIENT); + if (!result && admin->publickey) + result = silc_auth_verify_data(auth, tmp_len, SILC_AUTH_PUBLIC_KEY, + admin->publickey, 0, + idata->hash, client->id, SILC_ID_CLIENT); + if (!result) { + /* Authentication failed */ + silc_server_command_send_status_reply(cmd, SILC_COMMAND_OPER, SILC_STATUS_ERR_AUTH_FAILED); goto out; } diff --git a/apps/silcd/packet_receive.c b/apps/silcd/packet_receive.c index 2f3aa2f7..0956be2d 100644 --- a/apps/silcd/packet_receive.c +++ b/apps/silcd/packet_receive.c @@ -2502,7 +2502,7 @@ void silc_server_connection_auth_request(SilcServer server, SilcServerConfigSectionClient *client = NULL; uint16 conn_type; int ret, port; - SilcAuthMethod auth_meth; + SilcAuthMethod auth_meth = SILC_AUTH_NONE; SILC_LOG_DEBUG(("Start")); @@ -2523,20 +2523,21 @@ void silc_server_connection_auth_request(SilcServer server, /* Get the authentication method for the client */ auth_meth = SILC_AUTH_NONE; port = server->sockets[server->sock]->port; /* Listenning port */ - client = silc_server_config_find_client(server->config, - sock->ip, - port); + client = silc_server_config_find_client(server, sock->ip, port); if (!client) - client = silc_server_config_find_client(server->config, - sock->hostname, - port); - if (client) - auth_meth = client->auth_meth; - + client = silc_server_config_find_client(server, sock->hostname, port); + if (client) { + if (client->passphrase) { + if (client->publickey && !server->config->prefer_passphrase_auth) + auth_meth = SILC_AUTH_PUBLIC_KEY; + else + auth_meth = SILC_AUTH_PASSWORD; + } else if (client->publickey) + auth_meth = SILC_AUTH_PUBLIC_KEY; + } + /* Send it back to the client */ - silc_server_send_connection_auth_request(server, sock, - conn_type, - auth_meth); + silc_server_send_connection_auth_request(server, sock, conn_type, auth_meth); } /* Received REKEY packet. The sender of the packet wants to regenerate diff --git a/apps/silcd/protocol.c b/apps/silcd/protocol.c index a7a1b707..449a6886 100644 --- a/apps/silcd/protocol.c +++ b/apps/silcd/protocol.c @@ -814,6 +814,51 @@ silc_server_get_public_key_auth(SilcServer server, return FALSE; } +/* Function that actually performs the authentication to the remote. This + supports both passphrase and public key authentication. */ + +static bool +silc_server_get_authentication(SilcServerConnAuthInternalContext *ctx, + char *local_passphrase, + void *local_publickey, + unsigned char *remote_auth, + uint32 remote_auth_len) +{ + SilcServer server = (SilcServer)ctx->server; + SilcSKE ske = ctx->ske; + bool result = FALSE; + + /* If we don't have authentication data set at all we do not require + authentication at all */ + if (!local_passphrase && !local_publickey) { + SILC_LOG_DEBUG(("No authentication required")); + return TRUE; + } + + /* If both passphrase and public key is provided then we'll try both of + them and see which one of them authenticates. If only one of them is + set, then try only that. */ + + /* Try first passphrase (as it is faster to check) */ + if (local_passphrase) { + SILC_LOG_DEBUG(("Password authentication")); + result = silc_server_password_authentication(server, local_passphrase, + remote_auth); + } + + /* Try public key authenetication */ + if (!result && local_publickey) { + SILC_LOG_DEBUG(("Public key authentication")); + result = silc_server_public_key_authentication(server, + local_publickey, + remote_auth, + remote_auth_len, + ske); + } + + return result; +} + /* Performs connection authentication protocol. If responder, we authenticate the remote data received. If initiator, we will send authentication data to the remote end. */ @@ -909,49 +954,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SilcServerConfigSectionClient *client = ctx->cconfig; if (client) { - switch(client->auth_meth) { - case SILC_AUTH_NONE: - /* No authentication required */ - SILC_LOG_DEBUG(("No authentication required")); - break; - - case SILC_AUTH_PASSWORD: - /* Password authentication */ - SILC_LOG_DEBUG(("Password authentication")); - ret = silc_server_password_authentication(server, auth_data, - client->auth_data); - - if (ret) - break; - + ret = silc_server_get_authentication(ctx, client->passphrase, + client->publickey, + auth_data, payload_len); + if (!ret) { /* Authentication failed */ SILC_LOG_ERROR(("Authentication failed")); SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->schedule, - 0, 300000); - return; - break; - - case SILC_AUTH_PUBLIC_KEY: - /* Public key authentication */ - SILC_LOG_DEBUG(("Public key authentication")); - ret = silc_server_public_key_authentication(server, - client->auth_data, - auth_data, - payload_len, - ctx->ske); - - if (ret) - break; - - SILC_LOG_ERROR(("Authentication failed")); - SILC_LOG_DEBUG(("Authentication failed")); - silc_free(auth_data); - protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->schedule, - 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } else { @@ -971,49 +983,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SilcServerConfigSectionServer *serv = ctx->sconfig; if (serv) { - switch(serv->auth_meth) { - case SILC_AUTH_NONE: - /* No authentication required */ - SILC_LOG_DEBUG(("No authentication required")); - break; - - case SILC_AUTH_PASSWORD: - /* Password authentication */ - SILC_LOG_DEBUG(("Password authentication")); - ret = silc_server_password_authentication(server, auth_data, - serv->auth_data); - - if (ret) - break; - + ret = silc_server_get_authentication(ctx, serv->passphrase, + serv->publickey, + auth_data, payload_len); + if (!ret) { /* Authentication failed */ SILC_LOG_ERROR(("Authentication failed")); SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->schedule, - 0, 300000); - return; - break; - - case SILC_AUTH_PUBLIC_KEY: - /* Public key authentication */ - SILC_LOG_DEBUG(("Public key authentication")); - ret = silc_server_public_key_authentication(server, - serv->auth_data, - auth_data, - payload_len, - ctx->ske); - - if (ret) - break; - - SILC_LOG_ERROR(("Authentication failed")); - SILC_LOG_DEBUG(("Authentication failed")); - silc_free(auth_data); - protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->schedule, - 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } else { @@ -1033,49 +1012,16 @@ SILC_TASK_CALLBACK(silc_server_protocol_connection_auth) SilcServerConfigSectionRouter *serv = ctx->rconfig; if (serv) { - switch(serv->auth_meth) { - case SILC_AUTH_NONE: - /* No authentication required */ - SILC_LOG_DEBUG(("No authentication required")); - break; - - case SILC_AUTH_PASSWORD: - /* Password authentication */ - SILC_LOG_DEBUG(("Password authentication")); - ret = silc_server_password_authentication(server, auth_data, - serv->auth_data); - - if (ret) - break; - + ret = silc_server_get_authentication(ctx, serv->passphrase, + serv->publickey, + auth_data, payload_len); + if (!ret) { /* Authentication failed */ SILC_LOG_ERROR(("Authentication failed")); SILC_LOG_DEBUG(("Authentication failed")); silc_free(auth_data); protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->schedule, - 0, 300000); - return; - break; - - case SILC_AUTH_PUBLIC_KEY: - /* Public key authentication */ - SILC_LOG_DEBUG(("Public key authentication")); - ret = silc_server_public_key_authentication(server, - serv->auth_data, - auth_data, - payload_len, - ctx->ske); - - if (ret) - break; - - SILC_LOG_ERROR(("Authentication failed")); - SILC_LOG_DEBUG(("Authentication failed")); - silc_free(auth_data); - protocol->state = SILC_PROTOCOL_STATE_ERROR; - silc_protocol_execute(protocol, server->schedule, - 0, 300000); + silc_protocol_execute(protocol, server->schedule, 0, 300000); return; } } else { diff --git a/apps/silcd/protocol.h b/apps/silcd/protocol.h index 303fdc93..26be5e89 100644 --- a/apps/silcd/protocol.h +++ b/apps/silcd/protocol.h @@ -67,14 +67,10 @@ typedef struct { /* SKE object from Key Exchange protocol. */ SilcSKE ske; - /* Auth method that must be used. This is resolved before this - connection authentication protocol is started. Used when we are - initiating. */ + /* Authentication method and data if we alreay know it. This is filled + before starting the protocol if we know the authentication data. + Otherwise these are and remain NULL. Used when we are initiating. */ uint32 auth_meth; - - /* Authentication data if we alreay know it. This is filled before - starting the protocol if we know the authentication data. Otherwise - these are and remain NULL. Used when we are initiating. */ void *auth_data; uint32 auth_data_len; diff --git a/apps/silcd/server.c b/apps/silcd/server.c index f0ed13f8..32287521 100644 --- a/apps/silcd/server.c +++ b/apps/silcd/server.c @@ -177,7 +177,7 @@ int silc_server_init(SilcServer server) SILC_LOG_ERROR(("Could not create server listener: %s on %hd", server->config->server_info->server_ip, server->config->server_info->port)); - goto err0; + goto err; } sock = silc_realloc(sock, sizeof(*sock) * (sock_count + 1)); @@ -229,7 +229,7 @@ int silc_server_init(SilcServer server) newsocket->hostname ? newsocket->hostname : newsocket->ip ? newsocket->ip : "")); server->stat.conn_failures++; - goto err0; + goto err; } if (!newsocket->hostname) newsocket->hostname = strdup(newsocket->ip); @@ -239,7 +239,7 @@ int silc_server_init(SilcServer server) /* Create a Server ID for the server. */ silc_id_create_server_id(newsocket->ip, newsocket->port, server->rng, &id); if (!id) - goto err0; + goto err; server->id = id; server->id_string = silc_id_id2str(id, SILC_ID_SERVER); @@ -257,7 +257,7 @@ int silc_server_init(SilcServer server) server->server_type, server->id, NULL, NULL); if (!id_entry) { SILC_LOG_ERROR(("Could not add ourselves to cache")); - goto err0; + goto err; } id_entry->data.status |= SILC_IDLIST_STATUS_REGISTERED; @@ -274,7 +274,7 @@ int silc_server_init(SilcServer server) /* Initialize the scheduler. */ server->schedule = silc_schedule_init(SILC_SERVER_MAX_CONNECTIONS); if (!server->schedule) - goto err0; + goto err; /* Add the first task to the scheduler. This is task that is executed by timeout. It expires as soon as the caller calls silc_server_run. This @@ -297,7 +297,7 @@ int silc_server_init(SilcServer server) server->listenning = TRUE; /* Send log file configuration */ - silc_server_config_setlogfiles(server->config, server->schedule); + silc_server_config_setlogfiles(server); /* If server connections has been configured then we must be router as normal server cannot have server connections, only router connections. */ @@ -344,7 +344,7 @@ int silc_server_init(SilcServer server) /* We are done here, return succesfully */ return TRUE; - err0: + err: for (i = 0; i < sock_count; i++) silc_net_close_server(sock[i]); @@ -786,15 +786,26 @@ SILC_TASK_CALLBACK(silc_server_connect_to_router_second) /* Resolve the authentication method used in this connection. Check if we find a match from user configured connections */ - conn = silc_server_config_find_router_conn(server->config, - sock->hostname, + conn = silc_server_config_find_router_conn(server, sock->hostname, sock->port); if (conn) { /* Match found. Use the configured authentication method */ - proto_ctx->auth_meth = conn->auth_meth; - if (conn->auth_data) { - proto_ctx->auth_data = strdup(conn->auth_data); - proto_ctx->auth_data_len = strlen(conn->auth_data); + if (conn->passphrase) { + if (conn->publickey && !server->config->prefer_passphrase_auth) { + proto_ctx->auth_data = conn->publickey; + proto_ctx->auth_data_len = 0; + proto_ctx->auth_meth = SILC_AUTH_PUBLIC_KEY; + } else { + proto_ctx->auth_data = strdup(conn->passphrase); + proto_ctx->auth_data_len = strlen(conn->passphrase); + proto_ctx->auth_meth = SILC_AUTH_PASSWORD; + } + } else if (conn->publickey) { + proto_ctx->auth_data = conn->publickey; + proto_ctx->auth_data_len = 0; + proto_ctx->auth_meth = SILC_AUTH_PUBLIC_KEY; + } else { + proto_ctx->auth_meth = SILC_AUTH_NONE; } } else { SILC_LOG_ERROR(("Could not find connection data for %s (%s) on port", @@ -1002,7 +1013,8 @@ SILC_TASK_CALLBACK(silc_server_connect_to_router_final) silc_packet_context_free(ctx->packet); if (ctx->ske) silc_ske_free(ctx->ske); - silc_free(ctx->auth_data); + if (ctx->auth_meth == SILC_AUTH_PASSWORD) + silc_free(ctx->auth_data); silc_free(ctx); } @@ -1049,10 +1061,9 @@ silc_server_accept_new_connection_lookup(SilcSocketConnection sock, port = server->sockets[server->sock]->port; /* Listenning port */ /* Check whether this connection is denied to connect to us. */ - deny = silc_server_config_find_denied(server->config, sock->ip, port); + deny = silc_server_config_find_denied(server, sock->ip, port); if (!deny) - deny = silc_server_config_find_denied(server->config, sock->hostname, - port); + deny = silc_server_config_find_denied(server, sock->hostname, port); if (deny) { /* The connection is denied */ SILC_LOG_INFO(("Connection %s (%s) is denied", @@ -1068,25 +1079,16 @@ silc_server_accept_new_connection_lookup(SilcSocketConnection sock, /* Check whether we have configred this sort of connection at all. We have to check all configurations since we don't know what type of connection this is. */ - if (!(cconfig = silc_server_config_find_client(server->config, - sock->ip, port))) - cconfig = silc_server_config_find_client(server->config, - sock->hostname, - port); - if (!(sconfig = silc_server_config_find_server_conn(server->config, - sock->ip, - port))) - sconfig = silc_server_config_find_server_conn(server->config, - sock->hostname, - port); - if (!(rconfig = silc_server_config_find_router_conn(server->config, - sock->ip, port))) - rconfig = silc_server_config_find_router_conn(server->config, - sock->hostname, - port); + if (!(cconfig = silc_server_config_find_client(server, sock->ip, port))) + cconfig = silc_server_config_find_client(server, sock->hostname, port); + if (!(sconfig = silc_server_config_find_server_conn(server, sock->ip))) + sconfig = silc_server_config_find_server_conn(server, sock->hostname); + if (!(rconfig = silc_server_config_find_router_conn(server, sock->ip, port))) + rconfig = silc_server_config_find_router_conn(server, sock->hostname, + sock->port); if (!cconfig && !sconfig && !rconfig) { - SILC_LOG_INFO(("Connection %s (%s) is not allowed", - sock->hostname, sock->ip)); + SILC_LOG_INFO(("Connection %s (%s) is not allowed", sock->hostname, + sock->ip)); silc_server_disconnect_remote(server, sock, "Server closed connection: " "Connection refused"); @@ -1418,7 +1420,7 @@ SILC_TASK_CALLBACK(silc_server_accept_new_connection_final) /* Check whether this connection is to be our primary router connection if we do not already have the primary route. */ if (server->standalone && ctx->conn_type == SILC_SOCKET_TYPE_ROUTER) { - if (silc_server_config_is_primary_route(server->config) && + if (silc_server_config_is_primary_route(server) && !conn->initiator) break; diff --git a/apps/silcd/server_backup.c b/apps/silcd/server_backup.c index 6b3d876a..1c553e96 100644 --- a/apps/silcd/server_backup.c +++ b/apps/silcd/server_backup.c @@ -882,7 +882,7 @@ SILC_TASK_CALLBACK_GLOBAL(silc_server_protocol_backup) /* Connect to the primary router that was down that is now supposed to be back online. We send the CONNECTED packet after we've established the connection to the primary router. */ - primary = silc_server_config_get_primary_router(server->config); + primary = silc_server_config_get_primary_router(server); if (primary && server->backup_primary) { silc_server_backup_reconnect(server, primary->host, primary->port, @@ -975,7 +975,7 @@ SILC_TASK_CALLBACK_GLOBAL(silc_server_protocol_backup) to next state. */ if (server->router && !(server->router->data.status & SILC_IDLIST_STATUS_DISABLED) && - silc_server_config_is_primary_route(server->config)) { + silc_server_config_is_primary_route(server)) { /* We'll wait for RESUMED packet */ protocol->state = SILC_PROTOCOL_STATE_END; break; diff --git a/apps/silcd/serverconfig.c b/apps/silcd/serverconfig.c index 23e1b58e..7cb2a9e5 100644 --- a/apps/silcd/serverconfig.c +++ b/apps/silcd/serverconfig.c @@ -96,7 +96,7 @@ SILC_CONFIG_CALLBACK(fetch_generic) { SilcServerConfig config = (SilcServerConfig) context; - if (!strcmp(name, "modulepath")) { + if (!strcmp(name, "module_path")) { if (config->module_path) return SILC_CONFIG_EDOUBLE; @@ -147,9 +147,9 @@ SILC_CONFIG_CALLBACK(fetch_cipher) /* dup it only if non-empty, otherwise point it to NULL */ tmp->module = (*(char *)val ? strdup((char *) val) : NULL); } - else if (!strcmp(name, "key_length")) + else if (!strcmp(name, "keylength")) tmp->key_length = *(uint32 *)val; - else if (!strcmp(name, "block_length")) + else if (!strcmp(name, "blocklength")) tmp->block_length = *(uint32 *)val; else return SILC_CONFIG_EINTERNAL; @@ -198,9 +198,9 @@ SILC_CONFIG_CALLBACK(fetch_hash) /* dup it only if non-empty, otherwise point it to NULL */ tmp->module = (*(char *)val ? strdup((char *) val) : NULL); } - else if (!strcmp(name, "block_length")) + else if (!strcmp(name, "blocklength")) tmp->block_length = *(int *)val; - else if (!strcmp(name, "digest_length")) + else if (!strcmp(name, "digestlength")) tmp->digest_length = *(int *)val; else return SILC_CONFIG_EINTERNAL; @@ -248,7 +248,7 @@ SILC_CONFIG_CALLBACK(fetch_hmac) if (tmp->hash) { got_errno = SILC_CONFIG_EDOUBLE; goto got_err; } tmp->hash = strdup((char *) val); } - else if (!strcmp(name, "mac_length")) + else if (!strcmp(name, "maclength")) tmp->mac_length = *(int *)val; else return SILC_CONFIG_EINTERNAL; diff --git a/apps/silcd/serverconfig.h b/apps/silcd/serverconfig.h index 8be6d7cb..858abcf6 100644 --- a/apps/silcd/serverconfig.h +++ b/apps/silcd/serverconfig.h @@ -4,7 +4,7 @@ Author: Johnny Mnemonic - Copyright (C) 1997 - 2002 Pekka Riikonen + Copyright (C) 1997 - 2002 Johnny Mnemonic This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -82,9 +82,9 @@ typedef struct SilcServerConfigSectionLoggingStruct { /* Holds all client authentication data from config file */ typedef struct SilcServerConfigSectionClientStruct { char *host; - SilcAuthMethod auth_meth; - void *auth_data; - uint32 auth_data_len; + unsigned char *passphrase; + uint32 passphrase_len; + void *publickey; uint16 port; uint32 class; struct SilcServerConfigSectionClientStruct *next; @@ -95,9 +95,9 @@ typedef struct SilcServerConfigSectionAdminStruct { char *host; char *user; char *nick; - SilcAuthMethod auth_meth; - void *auth_data; - uint32 auth_data_len; + unsigned char *passphrase; + uint32 passphrase_len; + void *publickey; struct SilcServerConfigSectionAdminStruct *next; } SilcServerConfigSectionAdmin; @@ -112,10 +112,9 @@ typedef struct SilcServerConfigSectionDenyStruct { /* Holds all configured server connections from config file */ typedef struct SilcServerConfigSectionServerStruct { char *host; - SilcAuthMethod auth_meth; - void *auth_data; - uint32 auth_data_len; - uint16 port; + unsigned char *passphrase; + uint32 passphrase_len; + void *publickey; char *version; uint32 class; bool backup_router; @@ -125,9 +124,9 @@ typedef struct SilcServerConfigSectionServerStruct { /* Holds all configured router connections from config file */ typedef struct SilcServerConfigSectionRouterStruct { char *host; - SilcAuthMethod auth_meth; - void *auth_data; - uint32 auth_data_len; + unsigned char *passphrase; + uint32 passphrase_len; + void *publickey; uint16 port; char *version; uint32 class; @@ -143,6 +142,7 @@ typedef struct SilcServerConfigSectionRouterStruct { typedef struct { void *tmp; char *module_path; + bool prefer_passphrase_auth; SilcServerConfigSectionCipher *cipher; SilcServerConfigSectionHash *hash; @@ -163,38 +163,31 @@ typedef struct { /* Prototypes */ -/* basic config operations */ +/* Basic config operations */ SilcServerConfig silc_server_config_alloc(char *filename); void silc_server_config_destroy(SilcServerConfig config); -/* algorithm registering and reset functions */ +/* Algorithm registering and reset functions */ bool silc_server_config_register_ciphers(SilcServer server); bool silc_server_config_register_hashfuncs(SilcServer server); bool silc_server_config_register_hmacs(SilcServer server); bool silc_server_config_register_pkcs(SilcServer server); -void silc_server_config_setlogfiles(SilcServerConfig config, SilcSchedule sked); +void silc_server_config_setlogfiles(SilcServer server); -/* run-time config access functions */ +/* Run-time config access functions */ SilcServerConfigSectionClient * -silc_server_config_find_client(SilcServerConfig config, char *host, int port); - +silc_server_config_find_client(SilcServer server, char *host, int port); SilcServerConfigSectionAdmin * -silc_server_config_find_admin(SilcServerConfig config, - char *host, char *user, char *nick); - +silc_server_config_find_admin(SilcServer server, char *host, char *user, + char *nick); SilcServerConfigSectionDeny * -silc_server_config_find_denied(SilcServerConfig config, - char *host, uint16 port); - -/* Prototypes - OLD */ +silc_server_config_find_denied(SilcServer server, char *host, uint16 port); SilcServerConfigSectionServer * -silc_server_config_find_server_conn(SilcServerConfig config, - char *host, int port); +silc_server_config_find_server_conn(SilcServer server, char *host); SilcServerConfigSectionRouter * -silc_server_config_find_router_conn(SilcServerConfig config, - char *host, int port); -bool silc_server_config_is_primary_route(SilcServerConfig config); +silc_server_config_find_router_conn(SilcServer server, char *host, int port); +bool silc_server_config_is_primary_route(SilcServer server); SilcServerConfigSectionRouter * -silc_server_config_get_primary_router(SilcServerConfig config); +silc_server_config_get_primary_router(SilcServer server); #endif /* !SERVERCONFIG_H */ diff --git a/configure.in.pre b/configure.in.pre index 8472feb0..8fd771e7 100644 --- a/configure.in.pre +++ b/configure.in.pre @@ -1,9 +1,9 @@ # -# configure.in +# configure.in.pre # -# Author: Pekka Riikonen +# Author: Pekka Riikonen # -# Copyright (C) 2000 - 2001 Pekka Riikonen +# Copyright (C) 2000 - 2002 Pekka Riikonen # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -795,9 +795,8 @@ lib/silcutil/unix/Makefile lib/silcutil/win32/Makefile lib/silcsftp/Makefile lib/silcsftp/tests/Makefile -doc/example_silc.conf doc/example_silcd.conf -) +) if test "x$silc_dist" = "xsilc-client" || test "x$silc_dist" = "xsilc-toolkit"; then diff --git a/doc/Makefile.am.pre b/doc/Makefile.am.pre index 39455419..d61ac41b 100644 --- a/doc/Makefile.am.pre +++ b/doc/Makefile.am.pre @@ -91,5 +91,4 @@ EXTRA_DIST = \ CodingStyle \ FAQ \ example_silcd.conf \ - example_silc.conf \ draft-riikonen*.txt $(SILC_EXTRA_DIST) diff --git a/doc/example_silc.conf.in b/doc/example_silc.conf.in deleted file mode 100644 index 0820d9e8..00000000 --- a/doc/example_silc.conf.in +++ /dev/null @@ -1,68 +0,0 @@ -# -# Configured ciphers. -# -# Format: ::: -# -# If the cipher is builtin the maybe omitted. -# -[cipher] -aes-256-cbc:@MODULESDIR@/aes.sim.so:32:16 -aes-192-cbc:@MODULESDIR@/aes.sim.so:24:16 -aes-128-cbc:@MODULESDIR@/aes.sim.so:16:16 -twofish-256-cbc:@MODULESDIR@/twofish.sim.so:32:16 -twofish-192-cbc:@MODULESDIR@/twofish.sim.so:24:16 -twofish-128-cbc:@MODULESDIR@/twofish.sim.so:16:16 -mars-256-cbc:@MODULESDIR@/mars.sim.so:32:16 -mars-192-cbc:@MODULESDIR@/mars.sim.so:24:16 -mars-128-cbc:@MODULESDIR@/mars.sim.so:16:16 -none:@MODULESDIR@/none.sim.so:0:0 - -# -# Configured hash functions. -# -# Format: ::: -# -# If the hash function is builtin the maybe omitted. -# -[hash] -sha1::64:20 -md5::64:16 - -# -# Configured HMAC functions. The hash function used in the HMAC must -# configured to the [hash] section. -# -# Format: :: -# -[hmac] -hmac-sha1-96:sha1:12 -hmac-md5-96:md5:12 -hmac-sha1:sha1:20 -hmac-md5:md5:16 - -# -# Configured PKCS. -# -# Format: -# -[pkcs] -rsa - -# -# Configured connections to servers. -# -# Format: ::: -# -# maybe `passwd' or `pubkey'. -# -[connection] -#lassi.kuo.fi.ssh.com:passwd::706 - -# -# Commands. These are executed when SILC client is run. Normal -# SILC commands may be executed here. -# -# Format: -# -[commands] -/server silc.pspt.fi diff --git a/doc/example_silcd.conf.in b/doc/example_silcd.conf.in index afe74b3e..86501409 100644 --- a/doc/example_silcd.conf.in +++ b/doc/example_silcd.conf.in @@ -10,7 +10,14 @@ General { # This is the default path where to search modules # You can comment it out to use builtin modules globally. - ModulePath = "@MODULESDIR@"; + module_path = "@MODULESDIR@"; + + # If both passphrase and public key authentication is set for a + # connection the public key authentication is the preferred one + # to use. Set this to `true' to prefer passphrase authentication + # over public key authentication in these cases. + # + # prefer_passphrase_auth = true; }; # @@ -23,56 +30,56 @@ General { cipher { name = "aes-256-cbc"; module = "aes.sim.so"; - key_length = 32; - block_length = 16; + keylength = 32; + blocklength = 16; }; cipher { name = "aes-192-cbc"; module = "aes.sim.so"; - key_length = 24; - block_length = 16; + keylength = 24; + blocklength = 16; }; cipher { name = "aes-128-cbc"; module = "aes.sim.so"; - key_length = 16; - block_length = 16; + keylength = 16; + blocklength = 16; }; cipher { name = "twofish-256-cbc"; module = "twofish.sim.so"; - key_length = 32; - block_length = 16; + keylength = 32; + blocklength = 16; }; cipher { name = "twofish-192-cbc"; module = "twofish.sim.so"; - key_length = 24; - block_length = 16; + keylength = 24; + blocklength = 16; }; cipher { name = "twofish-128-cbc"; module = "twofish.sim.so"; - key_length = 16; - block_length = 16; + keylength = 16; + blocklength = 16; }; cipher { name = "mars-256-cbc"; module = "mars.sim.so"; - key_length = 32; - block_length = 16; + keylength = 32; + blocklength = 16; }; cipher { name = "mars-192-cbc"; module = "mars.sim.so"; - key_length = 24; - block_length = 16; + keylength = 24; + blocklength = 16; }; cipher { name = "mars-128-cbc"; module = "mars.sim.so"; - key_length = 16; - block_length = 16; + keylength = 16; + blocklength = 16; }; cipher { name = "none"; @@ -84,13 +91,13 @@ cipher { # hash { name = "sha1"; - block_length = 64; - digest_length = 20; + blocklength = 64; + digestlength = 20; }; hash { name = "md5"; - block_length = 64; - digest_length = 16; + blocklength = 64; + digestlength = 16; }; # @@ -100,22 +107,22 @@ hash { hmac { name = "hmac-sha1-96"; hash = "sha1"; - mac_length = 12; + maclength = 12; }; hmac { name = "hmac-md5-96"; hash = "md5"; - mac_length = 12; + maclength = 12; }; hmac { name = "hmac-sha1"; hash = "sha1"; - mac_length = 20; + maclength = 20; }; hmac { name = "hmac-md5"; hash = "md5"; - mac_length = 16; + maclength = 16; }; # @@ -156,8 +163,8 @@ ServerInfo { EMail = "priikone@poseidon.pspt.fi"; # - # Run SILC server as specific user and group. The server must be initially - # run as root. + # Run SILC server as specific user and group. The server must be + # initially run as root. # User = "nobody"; Group = "nobody"; @@ -261,16 +268,19 @@ Client { # # The fields "Host", "User", and "Nick", are optional but you are encouraged # in using them to better identify your admins. -# "AuthMethod" and "AuthData" fields are mandatory. The "AuthMethod" field -# can be either the special string "passwd" or "pubkey" to identify the type -# of data specified by "AuthData". +# +# The authentication data is specified by Passphrase and/or Publickey. +# If both are provided then both password and public key based authentication +# is allowed. If the Publickey is used it includes the file path to the +# public key file. If none of them is provided then authentication is not +# required. # Admin { Host = "10.2.1.199"; User = "priikone"; Nick = "pekka"; - AuthMethod = "passwd"; - AuthData = "verysecret"; + Passphrase = "verysecret"; + # Publickey = "/path/to/the/public.key"; }; # @@ -299,16 +309,20 @@ Admin { # Thus, if this server is not router do not configure this section. If # your server is router, this must be configured. # -# The "AuthData" option is either passphrase or file path to the public key -# file. If the connection is backup connection then set the "Backup" option -# to true. For normal connections set it false. If it is -# set to true then this server will be backup router. +# The authentication data is specified by Passphrase and/or Publickey. +# If both are provided then both password and public key based authentication +# is allowed. If the Publickey is used it includes the file path to the +# public key file. If none of them is provided then authentication is not +# required. +# +# If the connection is backup connection then set the "Backup" option +# to true. For normal connections set it false. If it is set to true then +# this server will be backup router. # ServerConnection { Host = "10.2.1.7"; - AuthMethod = passwd; - AuthData = "verysecret"; - Port = 706; + Passphrase = "verysecret"; + # Publickey = "/path/to/the/public.key"; VersionID = 1; Class = "norm"; Backup = false; @@ -322,8 +336,13 @@ ServerConnection { # this section includes all configured router connections. The first # configured connection is the primary route. # -# The "AuthData" option is either passphrase or file path to the public key -# file. If you are the initiator of the connection then set the "Initiator" +# The authentication data is specified by Passphrase and/or Publickey. +# If both are provided then both password and public key based authentication +# is allowed. If the Publickey is used it includes the file path to the +# public key file. If none of them is provided then authentication is not +# required. +# +# If you are the initiator of the connection then set the "Initiator" # option to true. If you are the responder of the connection (waiting for # incoming connection) then set it to false. # @@ -336,9 +355,9 @@ ServerConnection { # RouterConnection { Host = "10.2.1.100"; - AuthMethod = passwd; - AuthData = "verysecret"; Port = 706; + Passphrase = "verysecret"; + # Publickey = "/path/to/the/public.key"; VersionID = 1; Class = "norm"; Initiator = true; diff --git a/lib/silcclient/command.c b/lib/silcclient/command.c index 7c948383..2d4aa6c5 100644 --- a/lib/silcclient/command.c +++ b/lib/silcclient/command.c @@ -2303,7 +2303,7 @@ void silc_client_commands_register(SilcClient client) SILC_CLIENT_CMD(info, INFO, "INFO", 2); SILC_CLIENT_CMD(connect, CONNECT, "CONNECT", 3); SILC_CLIENT_CMD(ping, PING, "PING", 2); - SILC_CLIENT_CMD(oper, OPER, "OPER", 2); + SILC_CLIENT_CMD(oper, OPER, "OPER", 3); SILC_CLIENT_CMD(join, JOIN, "JOIN", 9); SILC_CLIENT_CMD(motd, MOTD, "MOTD", 2); SILC_CLIENT_CMD(umode, UMODE, "UMODE", 2);