From: Pekka Riikonen Date: Wed, 3 Apr 2002 10:36:27 +0000 (+0000) Subject: Bugfixes merged from trunk. X-Git-Tag: silc.client.0.8.6~7 X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff_plain;h=a85353d34a73d044027b7cf30c3b269754405102 Bugfixes merged from trunk. --- diff --git a/CHANGES b/CHANGES index 3d78bdbf..2dc369cd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,14 @@ +Wed Apr 3 12:36:05 CEST 2002 Pekka Riikonen + + * Added better error logging in rekey protocol. Affected file + silcd/protocol.c. + + * Do not check public key types in SKE during rekey. Affected + file lib/silcske/payload.c. + + * Fixed the rekey protocol with PFS, which was totally broken. + Affected file silcd/protocol.c. + Tue Apr 2 13:39:04 CEST 2002 Johnny Mnemonic * Merged version 1.1.4 of zlib. Even if it not currently in use, diff --git a/apps/silcd/protocol.c b/apps/silcd/protocol.c index fb2d41d3..65fafeea 100644 --- a/apps/silcd/protocol.c +++ b/apps/silcd/protocol.c @@ -310,11 +310,12 @@ int silc_server_protocol_ke_set_keys(SilcServer server, sock->user_data = (void *)conn_data; - SILC_LOG_INFO(("%s (%s) security properties: %s %s %s", + SILC_LOG_INFO(("%s (%s) security properties: %s %s %s %s", sock->hostname, sock->ip, idata->send_key->cipher->name, (char *)silc_hmac_get_name(idata->hmac_send), - idata->hash->hash->name)); + idata->hash->hash->name, + ske->prop->flags & SILC_SKE_SP_FLAG_PFS ? "PFS" : "")); return TRUE; } @@ -1367,9 +1368,11 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) */ if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_1) { - SILC_LOG_ERROR(("Error during Re-key (PFS): re-key state is " - "incorrect (received %d, expected %d packet)", - ctx->packet->type, SILC_PACKET_KEY_EXCHANGE_1)); + SILC_LOG_ERROR(("Error during Re-key (R PFS): re-key state is " + "incorrect (received %d, expected %d packet), " + "with %s (%s)", ctx->packet->type, + SILC_PACKET_KEY_EXCHANGE_1, ctx->sock->hostname, + ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1387,8 +1390,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) status = silc_ske_responder_phase_2(ctx->ske, ctx->packet->buffer); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)", - silc_ske_map_status(status))); + SILC_LOG_ERROR(("Error (%s) during Re-key (R PFS), with %s (%s)", + silc_ske_map_status(status), ctx->sock->hostname, + ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1441,8 +1445,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) status = silc_ske_initiator_phase_2(ctx->ske, NULL, NULL, 0); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)", - silc_ske_map_status(status))); + SILC_LOG_ERROR(("Error (%s) during Re-key (I PFS), with %s (%s)", + silc_ske_map_status(status), ctx->sock->hostname, + ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1485,8 +1490,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) status = silc_ske_responder_finish(ctx->ske, NULL, NULL, SILC_SKE_PK_TYPE_SILC); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)", - silc_ske_map_status(status))); + SILC_LOG_ERROR(("Error (%s) during Re-key (R PFS), with %s (%s)", + silc_ske_map_status(status), ctx->sock->hostname, + ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1499,9 +1505,11 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) * The packet type must be KE packet */ if (ctx->packet->type != SILC_PACKET_KEY_EXCHANGE_2) { - SILC_LOG_ERROR(("Error during Re-key (PFS): re-key state is " - "incorrect (received %d, expected %d packet)", - ctx->packet->type, SILC_PACKET_KEY_EXCHANGE_2)); + SILC_LOG_ERROR(("Error during Re-key (I PFS): re-key state is " + "incorrect (received %d, expected %d packet), " + "with %s (%s)", ctx->packet->type, + SILC_PACKET_KEY_EXCHANGE_2, ctx->sock->hostname, + ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1509,8 +1517,9 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) status = silc_ske_initiator_finish(ctx->ske, ctx->packet->buffer); if (status != SILC_SKE_STATUS_OK) { - SILC_LOG_ERROR(("Error (%s) during Re-key (PFS)", - silc_ske_map_status(status))); + SILC_LOG_ERROR(("Error (%s) during Re-key (I PFS), with %s (%s)", + silc_ske_map_status(status), ctx->sock->hostname, + ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1538,9 +1547,11 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) */ if (ctx->packet->type != SILC_PACKET_REKEY_DONE) { - SILC_LOG_ERROR(("Error during Re-key (PFS): re-key state is " - "incorrect (received %d, expected %d packet)", - ctx->packet->type, SILC_PACKET_REKEY_DONE)); + SILC_LOG_ERROR(("Error during Re-key (%s PFS): re-key state is " + "incorrect (received %d, expected %d packet), " + "with %s (%s)", ctx->responder ? "R" : "I", + ctx->packet->type, SILC_PACKET_REKEY_DONE, + ctx->sock->hostname, ctx->sock->ip)); protocol->state = SILC_PROTOCOL_STATE_ERROR; silc_protocol_execute(protocol, server->schedule, 0, 300000); return; @@ -1548,7 +1559,10 @@ SILC_TASK_CALLBACK(silc_server_protocol_rekey) /* We received the REKEY_DONE packet and all packets after this is encrypted with the new key so set the decryption key to the new key */ - silc_server_protocol_rekey_generate(server, ctx, FALSE); + if (ctx->pfs == TRUE) + silc_server_protocol_rekey_generate_pfs(server, ctx, FALSE); + else + silc_server_protocol_rekey_generate(server, ctx, FALSE); /* Assure that after calling final callback there cannot be pending executions for this protocol anymore. This just unregisters any diff --git a/lib/silcske/payload.c b/lib/silcske/payload.c index 9bf2aa86..eafbd873 100644 --- a/lib/silcske/payload.c +++ b/lib/silcske/payload.c @@ -265,7 +265,9 @@ SilcSKEStatus silc_ske_payload_ke_decode(SilcSKE ske, goto err; } - if (payload->pk_type == 0) { + if (ske->start_payload && + (payload->pk_type < SILC_SKE_PK_TYPE_SILC || + payload->pk_type > SILC_SKE_PK_TYPE_SPKI)) { status = SILC_SKE_STATUS_BAD_PAYLOAD; goto err; } @@ -304,7 +306,7 @@ SilcSKEStatus silc_ske_payload_ke_decode(SilcSKE ske, } if (tot_len != len2) { - status = SILC_SKE_STATUS_BAD_PAYLOAD; + status = SILC_SKE_STATUS_BAD_PAYLOAD_LENGTH; goto err; } diff --git a/lib/silcske/silcske.c b/lib/silcske/silcske.c index 56b38eb4..46941045 100644 --- a/lib/silcske/silcske.c +++ b/lib/silcske/silcske.c @@ -1100,6 +1100,9 @@ SilcSKEStatus silc_ske_abort(SilcSKE ske, SilcSKEStatus status) SILC_LOG_DEBUG(("Start")); + if (status > SILC_SKE_STATUS_INVALID_COOKIE) + status = SILC_SKE_STATUS_BAD_PAYLOAD; + packet = silc_buffer_alloc(4); silc_buffer_pull_tail(packet, SILC_BUFFER_END(packet)); silc_buffer_format(packet,