From e3a774cff248c8300c32ce4f6d0a41be15a4ed5e Mon Sep 17 00:00:00 2001 From: Pekka Riikonen Date: Thu, 29 Jun 2006 21:35:00 +0000 Subject: [PATCH] Added SilcConnAuth connection auth protocol API. --- lib/silcske/silcconnauth.c | 694 +++++++++++++++++++++++++++++++++++++ lib/silcske/silcconnauth.h | 74 ++++ lib/silcske/silcske.h | 24 +- lib/silcske/silcske_i.h | 76 ++++ 4 files changed, 852 insertions(+), 16 deletions(-) create mode 100644 lib/silcske/silcconnauth.c create mode 100644 lib/silcske/silcconnauth.h create mode 100644 lib/silcske/silcske_i.h diff --git a/lib/silcske/silcconnauth.c b/lib/silcske/silcconnauth.c new file mode 100644 index 00000000..368b2aa7 --- /dev/null +++ b/lib/silcske/silcconnauth.c @@ -0,0 +1,694 @@ +/* + + silcconnauth.c + + Author: Pekka Riikonen + + Copyright (C) 2005 Pekka Riikonen + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + +*/ + +#include "silc.h" +#include "silcconnauth.h" + +/************************** Types and definitions ***************************/ + +static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine, + SilcPacketStream stream, + SilcPacket packet, + void *callback_context, + void *app_context); + +/* Connection authentication context */ +struct SilcConnAuthStruct { + SilcSKE ske; + SilcFSMStruct fsm; + SilcConnectionType conn_type; + SilcAuthMethod auth_method; + void *auth_data; + SilcUInt32 auth_data_len; + SilcConnAuthCompletion completion; + SilcConnAuthGetAuthData get_auth_data; + void *context; + SilcDList public_keys; + SilcSKRStatus skr_status; + SilcUInt32 timeout_secs; + SilcPacket packet; + unsigned int aborted : 1; + unsigned int success : 1; +}; + +/* Packet stream callbacks */ +static SilcPacketCallbacks silc_connauth_stream_cbs = +{ + silc_connauth_packet_receive, NULL, NULL +}; + + +/************************ Static utility functions **************************/ + +/* Packet callback */ + +static SilcBool silc_connauth_packet_receive(SilcPacketEngine engine, + SilcPacketStream stream, + SilcPacket packet, + void *callback_context, + void *app_context) +{ + SilcConnAuth connauth = callback_context; + connauth->packet = packet; + silc_fsm_continue(&connauth->fsm); + return TRUE; +} + +/* Async operation abortion callback */ + +static void silc_connauth_abort(SilcAsyncOperation op, void *context) +{ + SilcConnAuth connauth = context; + connauth->aborted = TRUE; +} + +/* Generates signature for public key based authentication */ + +static SilcBool silc_connauth_get_signature(SilcConnAuth connauth, + unsigned char **auth_data, + SilcUInt32 *auth_data_len) +{ + int len; + SilcSKE ske; + SilcPrivateKey private_key; + SilcBuffer auth; + + SILC_LOG_DEBUG(("Compute signature")); + + ske = connauth->ske; + private_key = connauth->auth_data; + + /* Make the authentication data. Protocol says it is HASH plus + KE Start Payload. */ + len = ske->hash_len + silc_buffer_len(ske->start_payload_copy); + auth = silc_buffer_alloc_size(len); + if (!auth) + return FALSE; + silc_buffer_format(auth, + SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len), + SILC_STR_UI_XNSTRING( + ske->start_payload_copy->data, + silc_buffer_len(ske->start_payload_copy)), + SILC_STR_END); + + len = ((silc_pkcs_private_key_get_len(private_key) + 7) / 8) + 1; + *auth_data = silc_calloc(len, sizeof(**auth_data)); + if (*auth_data == NULL) { + silc_buffer_free(auth); + return FALSE; + } + + /* Compute signature */ + if (!silc_pkcs_sign(private_key, auth->data, silc_buffer_len(auth), + *auth_data, len, auth_data_len, ske->prop->hash)) { + silc_free(*auth_data); + silc_buffer_free(auth); + return FALSE; + } + + silc_buffer_free(auth); + return TRUE; +} + +/* Verifies digital signature */ + +static SilcBool silc_connauth_verify_signature(SilcConnAuth connauth, + SilcPublicKey pub_key, + unsigned char *sign, + SilcUInt32 sign_len) +{ + int len; + SilcBuffer auth; + SilcSKE ske = connauth->ske; + + if (!pub_key || !sign) + return FALSE; + + /* Make the authentication data. Protocol says it is HASH plus + KE Start Payload. */ + len = ske->hash_len + silc_buffer_len(ske->start_payload_copy); + auth = silc_buffer_alloc_size(len); + if (!auth) + return FALSE; + silc_buffer_format(auth, + SILC_STR_UI_XNSTRING(ske->hash, ske->hash_len), + SILC_STR_UI_XNSTRING( + ske->start_payload_copy->data, + silc_buffer_len(ske->start_payload_copy)), + SILC_STR_END); + + /* Verify signature */ + if (!silc_pkcs_verify(pub_key, sign, sign_len, auth->data, + silc_buffer_len(auth), ske->prop->hash)) { + silc_buffer_free(auth); + return FALSE; + } + + silc_buffer_free(auth); + + return TRUE; +} + +/* Timeout */ + +SILC_TASK_CALLBACK(silc_connauth_timeout) +{ + SilcConnAuth connauth = context; + SILC_LOG_DEBUG(("Protocol timeout")); + connauth->aborted = TRUE; + silc_fsm_continue_sync(&connauth->fsm); +} + +/* SKR callback */ + +static void silc_connauth_skr_callback(SilcSKR skr, SilcSKRFind find, + SilcSKRStatus status, + SilcDList results, void *context) +{ + SilcConnAuth connauth = context; + + silc_skr_find_free(find); + + connauth->public_keys = results; + connauth->skr_status = status; + + SILC_FSM_CALL_CONTINUE(&connauth->fsm); +} + + +/******************************* Protocol API *******************************/ + +/* Allocate connection authentication context */ + +SilcConnAuth silc_connauth_alloc(SilcSchedule schedule, + SilcSKE ske, + SilcUInt32 timeout_secs) +{ + SilcConnAuth connauth; + + if (!schedule || !ske) + return NULL; + + connauth = silc_calloc(1, sizeof(*connauth)); + if (!connauth) + return NULL; + + if (!silc_fsm_init(&connauth->fsm, connauth, NULL, NULL, schedule)) { + silc_connauth_free(connauth); + return NULL; + } + + connauth->timeout_secs = timeout_secs; + connauth->ske = ske; + + return connauth; +} + +/* Free connection authentication context */ + +void silc_connauth_free(SilcConnAuth connauth) +{ + if (connauth->public_keys) + silc_dlist_uninit(connauth->public_keys); + silc_free(connauth); +} + +/* Return associated SKE context */ + +SilcSKE silc_connauth_get_ske(SilcConnAuth connauth) +{ + return connauth->ske; +} + + +/******************************** Initiator *********************************/ + +SILC_FSM_STATE(silc_connauth_st_initiator_start); +SILC_FSM_STATE(silc_connauth_st_initiator_result); +SILC_FSM_STATE(silc_connauth_st_initiator_failure); + +SILC_FSM_STATE(silc_connauth_st_initiator_start) +{ + SilcConnAuth connauth = fsm_context; + SilcBuffer packet; + int payload_len = 0; + unsigned char *auth_data = NULL; + SilcUInt32 auth_data_len = 0; + + SILC_LOG_DEBUG(("Start")); + + if (connauth->aborted) { + /** Aborted */ + silc_fsm_next(fsm, silc_connauth_st_initiator_failure); + return SILC_FSM_CONTINUE; + } + + /* Start timeout */ + if (connauth->timeout_secs) + silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm), + silc_connauth_timeout, connauth, + connauth->timeout_secs, 0); + + switch (connauth->auth_method) { + case SILC_AUTH_NONE: + /* No authentication required */ + break; + + case SILC_AUTH_PASSWORD: + auth_data = silc_memdup(connauth->auth_data, connauth->auth_data_len); + if (!auth_data) { + /** Out of memory */ + silc_fsm_next(fsm, silc_connauth_st_initiator_failure); + return SILC_FSM_CONTINUE; + } + auth_data_len = connauth->auth_data_len; + break; + + case SILC_AUTH_PUBLIC_KEY: + if (!silc_connauth_get_signature(connauth, &auth_data, &auth_data_len)) { + /** Error computing signature */ + silc_fsm_next(fsm, silc_connauth_st_initiator_failure); + return SILC_FSM_CONTINUE; + } + break; + } + + payload_len = 4 + auth_data_len; + packet = silc_buffer_alloc_size(payload_len); + if (!packet) { + /** Out of memory */ + silc_fsm_next(fsm, silc_connauth_st_initiator_failure); + return SILC_FSM_CONTINUE; + } + + silc_buffer_format(packet, + SILC_STR_UI_SHORT(payload_len), + SILC_STR_UI_SHORT(connauth->conn_type), + SILC_STR_UI_XNSTRING(auth_data, auth_data_len), + SILC_STR_END); + + /* Send the packet */ + if (!silc_packet_send(connauth->ske->stream, SILC_PACKET_CONNECTION_AUTH, 0, + packet->data, silc_buffer_len(packet))) { + /** Error sending packet */ + silc_fsm_next(fsm, silc_connauth_st_initiator_failure); + return SILC_FSM_CONTINUE; + } + + if (auth_data) { + memset(auth_data, 0, auth_data_len); + silc_free(auth_data); + } + silc_buffer_free(packet); + + /** Wait for responder */ + silc_fsm_next(fsm, silc_connauth_st_initiator_result); + return SILC_FSM_WAIT; +} + +SILC_FSM_STATE(silc_connauth_st_initiator_result) +{ + SilcConnAuth connauth = fsm_context; + + SILC_LOG_DEBUG(("Start")); + + if (connauth->aborted) { + /** Aborted */ + silc_fsm_next(fsm, silc_connauth_st_initiator_failure); + return SILC_FSM_CONTINUE; + } + + /* Check the status of authentication */ + if (connauth->packet->type == SILC_PACKET_SUCCESS) { + SILC_LOG_DEBUG(("Authentication successful")); + connauth->success = TRUE; + } else { + SILC_LOG_DEBUG(("Authentication failed")); + connauth->success = FALSE; + } + silc_packet_free(connauth->packet); + + /* Call completion callback */ + connauth->completion(connauth, connauth->success, connauth->context); + + silc_packet_stream_unlink(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth); + silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); + + return SILC_FSM_FINISH; +} + +SILC_FSM_STATE(silc_connauth_st_initiator_failure) +{ + SilcConnAuth connauth = fsm_context; + unsigned char error[4]; + + SILC_LOG_DEBUG(("Start")); + + /* Send FAILURE packet */ + SILC_PUT32_MSB(SILC_AUTH_FAILED, error); + silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4); + + /* Call completion callback */ + connauth->completion(connauth, FALSE, connauth->context); + + silc_packet_stream_unlink(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth); + silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); + + return SILC_FSM_FINISH; +} + +SilcAsyncOperation +silc_connauth_initiator(SilcConnAuth connauth, + SilcConnectionType conn_type, + SilcAuthMethod auth_method, void *auth_data, + SilcUInt32 auth_data_len, + SilcConnAuthCompletion completion, + void *context) +{ + SilcAsyncOperation op; + + SILC_LOG_DEBUG(("Connection authentication as initiator")); + + if (auth_method == SILC_AUTH_PASSWORD && !auth_data) { + completion(connauth, FALSE, context); + return NULL; + } + + if (auth_method == SILC_AUTH_PUBLIC_KEY && !auth_data) { + completion(connauth, FALSE, context); + return NULL; + } + + connauth->conn_type = conn_type; + connauth->auth_method = auth_method; + connauth->auth_data = auth_data; + connauth->auth_data_len = auth_data_len; + connauth->completion = completion; + connauth->context = context; + + /* Link to packet stream to get packets */ + silc_packet_stream_link(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth, 1000000, + SILC_PACKET_SUCCESS, + SILC_PACKET_FAILURE, -1); + + /* Start the protocol */ + op = silc_async_alloc(silc_connauth_abort, NULL, connauth); + silc_fsm_start(&connauth->fsm, silc_connauth_st_initiator_start); + + return op; +} + + +/******************************** Responder *********************************/ + +SILC_FSM_STATE(silc_connauth_st_responder_start); +SILC_FSM_STATE(silc_connauth_st_responder_authenticate); +SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk); +SILC_FSM_STATE(silc_connauth_st_responder_success); +SILC_FSM_STATE(silc_connauth_st_responder_failure); + +SILC_FSM_STATE(silc_connauth_st_responder_start) +{ + SilcConnAuth connauth = fsm_context; + + SILC_LOG_DEBUG(("Start")); + + if (connauth->aborted) { + /** Aborted */ + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + /* Start timeout */ + if (connauth->timeout_secs) + silc_schedule_task_add_timeout(silc_fsm_get_schedule(fsm), + silc_connauth_timeout, connauth, + connauth->timeout_secs, 0); + + /** Wait for initiator */ + silc_fsm_next(fsm, silc_connauth_st_responder_authenticate); + return SILC_FSM_WAIT; +} + +SILC_FSM_STATE(silc_connauth_st_responder_authenticate) +{ + SilcConnAuth connauth = fsm_context; + SilcUInt16 payload_len; + SilcUInt16 conn_type; + unsigned char *auth_data = NULL, *passphrase = NULL; + SilcUInt32 passphrase_len; + SilcSKR repository = NULL; + int ret; + + SILC_LOG_DEBUG(("Start")); + + if (connauth->aborted) { + /** Aborted */ + silc_packet_free(connauth->packet); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + if (connauth->packet->type != SILC_PACKET_CONNECTION_AUTH) { + /** Protocol failure */ + silc_packet_free(connauth->packet); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + /* Parse the received authentication data packet. The received + payload is Connection Auth Payload. */ + ret = silc_buffer_unformat(&connauth->packet->buffer, + SILC_STR_UI_SHORT(&payload_len), + SILC_STR_UI_SHORT(&conn_type), + SILC_STR_END); + if (ret == -1) { + /** Bad payload */ + SILC_LOG_ERROR(("Bad payload in authentication packet")); + silc_packet_free(connauth->packet); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + if (payload_len != silc_buffer_len(&connauth->packet->buffer)) { + /** Bad payload length */ + SILC_LOG_ERROR(("Bad payload length in authentication packet")); + silc_packet_free(connauth->packet); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + payload_len -= 4; + + if (conn_type < SILC_CONN_CLIENT || conn_type > SILC_CONN_ROUTER) { + /** Bad connection type */ + SILC_LOG_ERROR(("Bad connection type (%d) in authentication packet", + conn_type)); + silc_packet_free(connauth->packet); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + if (payload_len > 0) { + /* Get authentication data */ + ret = silc_buffer_unformat(&connauth->packet->buffer, + SILC_STR_OFFSET(4), + SILC_STR_UI_XNSTRING(&auth_data, + payload_len), + SILC_STR_END); + if (ret == -1) { + /** Bad payload */ + SILC_LOG_DEBUG(("Bad payload in authentication payload")); + silc_packet_free(connauth->packet); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + } + silc_packet_free(connauth->packet); + + SILC_LOG_DEBUG(("Remote connection type %d", conn_type)); + + /* Get authentication data */ + if (!connauth->get_auth_data(connauth, conn_type, &passphrase, + &passphrase_len, &repository, + connauth->context)) { + /** Connection not configured */ + SILC_LOG_ERROR(("Remote connection not configured")); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + /* Verify */ + + /* Passphrase authentication */ + if (passphrase && passphrase_len) { + SILC_LOG_DEBUG(("Passphrase authentication")); + if (!memcmp(auth_data, passphrase, passphrase_len)) { + /** Authentication failed */ + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + } else if (repository) { + /* Digital signature */ + SilcSKRFind find; + + SILC_LOG_DEBUG(("Digital signature authentication")); + + connauth->auth_data = silc_memdup(auth_data, payload_len); + connauth->auth_data_len = payload_len; + + /* Allocate search constraints for finding the key */ + find = silc_skr_find_alloc(); + + if (!find || !connauth->auth_data) { + /** Out of memory */ + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + silc_skr_find_set_pkcs_type(find, connauth->ske->pk_type); + silc_skr_find_set_public_key(find, connauth->ske->public_key); + silc_skr_find_set_usage(find, (SILC_SKR_USAGE_AUTH | + SILC_SKR_USAGE_KEY_AGREEMENT)); + + /** Find public key */ + silc_fsm_next(fsm, silc_connauth_st_responder_authenticate_pk); + SILC_FSM_CALL(silc_skr_find(repository, find, silc_connauth_skr_callback, + connauth)); + /* NOT REACHED */ + } + + /* Passphrase auth Ok, or no authentication required */ + + /** Authentication successful */ + silc_fsm_next(fsm, silc_connauth_st_responder_success); + return SILC_FSM_CONTINUE; +} + +SILC_FSM_STATE(silc_connauth_st_responder_authenticate_pk) +{ + SilcConnAuth connauth = fsm_context; + SilcSKRKey key; + + if (connauth->aborted) { + /** Aborted */ + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + if (connauth->skr_status != SILC_SKR_OK) { + /** Public key not found */ + SILC_LOG_DEBUG(("Public key not found, error %d", connauth->skr_status)); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + SILC_LOG_DEBUG(("Found %d public keys", + silc_dlist_count(connauth->public_keys))); + + /* Verify signature */ + key = silc_dlist_get(connauth->public_keys); + if (!silc_connauth_verify_signature(connauth, key->key, + connauth->auth_data, + connauth->auth_data_len)) { + /** Invalid signature */ + SILC_LOG_DEBUG(("Invalid signature")); + silc_free(connauth->auth_data); + silc_fsm_next(fsm, silc_connauth_st_responder_failure); + return SILC_FSM_CONTINUE; + } + + silc_free(connauth->auth_data); + + /** Authentication successful */ + silc_fsm_next(fsm, silc_connauth_st_responder_success); + return SILC_FSM_CONTINUE; +} + +SILC_FSM_STATE(silc_connauth_st_responder_success) +{ + SilcConnAuth connauth = fsm_context; + unsigned char tmp[4]; + + SILC_LOG_DEBUG(("Authentication successful")); + + /* Send FAILURE packet */ + SILC_PUT32_MSB(SILC_AUTH_OK, tmp); + silc_packet_send(connauth->ske->stream, SILC_PACKET_SUCCESS, 0, tmp, 4); + + /* Call completion callback */ + connauth->completion(connauth, TRUE, connauth->context); + + silc_packet_stream_unlink(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth); + silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); + + return SILC_FSM_FINISH; +} + +SILC_FSM_STATE(silc_connauth_st_responder_failure) +{ + SilcConnAuth connauth = fsm_context; + unsigned char error[4]; + + SILC_LOG_ERROR(("Authentication failed")); + + /* Send FAILURE packet */ + SILC_PUT32_MSB(SILC_AUTH_FAILED, error); + silc_packet_send(connauth->ske->stream, SILC_PACKET_FAILURE, 0, error, 4); + + /* Call completion callback */ + connauth->completion(connauth, FALSE, connauth->context); + + silc_packet_stream_unlink(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth); + silc_schedule_task_del_by_context(silc_fsm_get_schedule(fsm), connauth); + + return SILC_FSM_FINISH; +} + +SilcAsyncOperation +silc_connauth_responder(SilcConnAuth connauth, + SilcConnAuthGetAuthData get_auth_data, + SilcConnAuthCompletion completion, + void *context) +{ + SilcAsyncOperation op; + + SILC_LOG_DEBUG(("Connection authentication as responder")); + + connauth->get_auth_data = get_auth_data; + connauth->completion = completion; + connauth->context = context; + + /* Link to packet stream to get packets */ + silc_packet_stream_link(connauth->ske->stream, + &silc_connauth_stream_cbs, connauth, 1000000, + SILC_PACKET_CONNECTION_AUTH, + SILC_PACKET_FAILURE, -1); + + /* Start the protocol */ + op = silc_async_alloc(silc_connauth_abort, NULL, connauth); + silc_fsm_start(&connauth->fsm, silc_connauth_st_responder_start); + + return op; +} diff --git a/lib/silcske/silcconnauth.h b/lib/silcske/silcconnauth.h new file mode 100644 index 00000000..76ceb536 --- /dev/null +++ b/lib/silcske/silcconnauth.h @@ -0,0 +1,74 @@ +/* + + silcconnauth.h + + Author: Pekka Riikonen + + Copyright (C) 2005 Pekka Riikonen + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + +*/ + +/****h* silcske/SILC Connection Authentication + * + * DESCRIPTION + * + * SILC Connection Authentication protocol is closely related to the SILC + * Key Exchange protocol. After successful key exchange, additional + * authentication is usually required to gain access to remote server or + * service. Connection authentication may be based on passphrase or + * digital signatures. It is also possible to have no authentication at + * all. + * + ***/ + +#ifndef SILCCONNAUTH_H +#define SILCCONNAUTH_H + +typedef struct SilcConnAuthStruct *SilcConnAuth; + +typedef enum { + SILC_CONN_UNKNOWN = 0, + SILC_CONN_CLIENT = 1, /* Client connection */ + SILC_CONN_SERVER = 2, /* Server connection */ + SILC_CONN_ROUTER = 3 /* Router connection */ +} SilcConnectionType; + +typedef SilcBool (*SilcConnAuthGetAuthData)(SilcConnAuth connauth, + SilcConnectionType conn_type, + unsigned char **passphrase, + SilcUInt32 *passphrase_len, + SilcSKR *repository, + void *context); + +typedef void (*SilcConnAuthCompletion)(SilcConnAuth connauth, + SilcBool success, + void *context); + +SilcConnAuth silc_connauth_alloc(SilcSchedule schedule, + SilcSKE ske, + SilcUInt32 timeout_secs); +void silc_connauth_free(SilcConnAuth connauth); +SilcSKE silc_connauth_get_ske(SilcConnAuth connauth); +SilcAsyncOperation +silc_connauth_initiator(SilcConnAuth connauth, + SilcConnectionType conn_type, + SilcAuthMethod auth_method, void *auth_data, + SilcUInt32 auth_data_len, + SilcConnAuthCompletion completion, + void *context); +SilcAsyncOperation +silc_connauth_responder(SilcConnAuth connauth, + SilcConnAuthGetAuthData get_auth_data, + SilcConnAuthCompletion completion, + void *context); + +#endif /* SILCCONNAUTH_H */ diff --git a/lib/silcske/silcske.h b/lib/silcske/silcske.h index ffe9f7c4..65802b83 100644 --- a/lib/silcske/silcske.h +++ b/lib/silcske/silcske.h @@ -4,7 +4,7 @@ Author: Pekka Riikonen - Copyright (C) 2000 - 2005 Pekka Riikonen + Copyright (C) 2000 - 2006 Pekka Riikonen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -311,7 +311,7 @@ typedef void (*SilcSKECompletionCb)(SilcSKE ske, * silc_ske_assemble_security_properties(ske, SILC_SKE_SP_FLAG_PFS | * SILC_SKE_SP_FLAG_MUTUAL, * version); - * silc_ske_initiator_start(ske); + * silc_ske_initiator_start(ske, stream, start_payload); * ***/ SilcSKE silc_ske_alloc(SilcRng rng, SilcSchedule schedule, @@ -391,13 +391,9 @@ void silc_ske_set_callbacks(SilcSKE ske, * * Starts the SILC Key Exchange protocol as initiator. The completion * callback that was set in silc_ske_set_callbacks will be called once - * the protocol has completed. - * - * The `stream' is the network connection to the remote host. Note that - * SKE library will take over the packet stream `stream' while the - * protocol is in process. The application will not receive any packets - * for `stream' after this function is called. The `stream' is turned - * over to application once the completion callback is called. + * the protocol has completed. The `stream' is the network connection + * to the remote host. The SKE library will handle all key exchange + * packets sent and received in the `stream' connection. * * The `start_payload' includes all configured security properties that * will be sent to the responder. The `start_payload' must be provided. @@ -431,13 +427,9 @@ silc_ske_initiator(SilcSKE ske, * * Starts SILC Key Exchange protocol as responder. The completion * callback that was set in silc_ske_set_callbacks will be called once - * the protocol has completed. - * - * The `stream' is the network connection to the remote host. Note that - * SKE library will take over the packet stream `stream' while the - * protocol is in process. The application will not receive any packets - * for `stream' after this function is called. The `stream' is turned - * over to application once the completion callback is called. + * the protocol has completed. The `stream' is the network connection + * to the remote host. The SKE library will handle all key exchange + * packets sent and received in the `stream' connection. * * The `version' is the responder's SILC protocol version that will be * sent in reply to the initiator. The `flags' indicates the diff --git a/lib/silcske/silcske_i.h b/lib/silcske/silcske_i.h new file mode 100644 index 00000000..833d157f --- /dev/null +++ b/lib/silcske/silcske_i.h @@ -0,0 +1,76 @@ +/* + + silcske_i.h + + Author: Pekka Riikonen + + Copyright (C) 2005 Pekka Riikonen + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + +*/ + +#ifndef SILCSKE_I_H +#define SILCSKE_I_H + +/* Length of cookie in Start Payload */ +#define SILC_SKE_COOKIE_LEN 16 + +/* SKE context */ +struct SilcSKEStruct { + SilcPacketStream stream; + SilcRng rng; + SilcSKECallbacks callbacks; + void *user_data; + SilcSKEStatus status; + + /* Negotiated Security properties. May be NULL in case of error. */ + SilcSKESecurityProperties prop; + + /* Key Exchange payloads filled during key negotiation with + remote data. Responder may save local data here as well. */ + SilcSKEStartPayload start_payload; + SilcSKEKEPayload ke1_payload; + SilcSKEKEPayload ke2_payload; + + /* Temporary copy of the KE Start Payload used in the + HASH computation. */ + SilcBuffer start_payload_copy; + + /* Random number x, 1 < x < q. This is the secret exponent + used in Diffie Hellman computations. */ + SilcMPInt *x; + + /* The secret shared key */ + SilcMPInt *KEY; + + /* The hash value HASH of the key exchange */ + unsigned char *hash; + SilcUInt32 hash_len; + + char *version; /* Local version */ + char *remote_version; /* Remote version */ + + SilcPublicKey public_key; + SilcPrivateKey private_key; + SilcSKEPKType pk_type; + SilcPacket packet; + SilcSKESecurityPropertyFlag flags; + SilcSKEKeyMaterial keymat; + SilcSKERekeyMaterial rekey; + SilcSchedule schedule; + SilcFSMStruct fsm; + SilcAsyncOperationStruct op; + + unsigned int aborted : 1; + unsigned int responder : 1; +}; + +#endif /* SILCSKE_I_H */ -- 2.24.0