Implemented key derivation, output record signing and encryption
[strongswan.git] / src / charon / plugins / eap_tls / tls / tls.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls.h"
17
18 #include "tls_protection.h"
19 #include "tls_compression.h"
20 #include "tls_fragmentation.h"
21 #include "tls_crypto.h"
22 #include "tls_server.h"
23 #include "tls_peer.h"
24
25 #include <daemon.h>
26
27 ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0,
28 "SSLv2");
29 ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0,
30 "SSLv3",
31 "TLS 1.0",
32 "TLS 1.1",
33 "TLS 1.2");
34 ENUM_END(tls_version_names, TLS_1_2);
35
36 ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,
37 "ChangeCipherSpec",
38 "Alert",
39 "Handshake",
40 "ApplicationData",
41 );
42
43 ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO,
44 "HelloRequest",
45 "ClientHello",
46 "ServerHello");
47 ENUM_NEXT(tls_handshake_type_names, TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO,
48 "Certificate",
49 "ServerKeyExchange",
50 "CertificateRequest",
51 "ServerHelloDone",
52 "CertificateVerify",
53 "ClientKeyExchange");
54 ENUM_NEXT(tls_handshake_type_names, TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE,
55 "Finished");
56 ENUM_END(tls_handshake_type_names, TLS_FINISHED);
57
58
59 typedef struct private_tls_t private_tls_t;
60
61 /**
62 * Private data of an tls_protection_t object.
63 */
64 struct private_tls_t {
65
66 /**
67 * Public tls_t interface.
68 */
69 tls_t public;
70
71 /**
72 * Role this TLS stack acts as.
73 */
74 bool is_server;
75
76 /**
77 * Negotiated TLS version
78 */
79 tls_version_t version;
80
81 /**
82 * TLS record protection layer
83 */
84 tls_protection_t *protection;
85
86 /**
87 * TLS record compression layer
88 */
89 tls_compression_t *compression;
90
91 /**
92 * TLS record fragmentation layer
93 */
94 tls_fragmentation_t *fragmentation;
95
96 /**
97 * TLS crypto helper context
98 */
99 tls_crypto_t *crypto;
100
101 /**
102 * TLS handshake protocol handler
103 */
104 tls_handshake_t *handshake;
105 };
106
107 METHOD(tls_t, process, status_t,
108 private_tls_t *this, tls_content_type_t type, chunk_t data)
109 {
110 return this->protection->process(this->protection, type, data);
111 }
112
113 METHOD(tls_t, build, status_t,
114 private_tls_t *this, tls_content_type_t *type, chunk_t *data)
115 {
116 return this->protection->build(this->protection, type, data);
117 }
118
119 METHOD(tls_t, is_server, bool,
120 private_tls_t *this)
121 {
122 return this->is_server;
123 }
124
125 METHOD(tls_t, get_version, tls_version_t,
126 private_tls_t *this)
127 {
128 return this->version;
129 }
130
131 METHOD(tls_t, set_version, void,
132 private_tls_t *this, tls_version_t version)
133 {
134 this->version = version;
135 }
136
137 METHOD(tls_t, change_cipher, void,
138 private_tls_t *this, bool inbound, signer_t *signer,
139 crypter_t *crypter, chunk_t iv)
140 {
141 this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);
142 }
143
144 METHOD(tls_t, destroy, void,
145 private_tls_t *this)
146 {
147 this->protection->destroy(this->protection);
148 this->compression->destroy(this->compression);
149 this->fragmentation->destroy(this->fragmentation);
150 this->crypto->destroy(this->crypto);
151 this->handshake->destroy(this->handshake);
152
153 free(this);
154 }
155
156 /**
157 * See header
158 */
159 tls_t *tls_create(bool is_server, identification_t *server,
160 identification_t *peer)
161 {
162 private_tls_t *this;
163
164 INIT(this,
165 .public = {
166 .process = _process,
167 .build = _build,
168 .is_server = _is_server,
169 .get_version = _get_version,
170 .set_version = _set_version,
171 .change_cipher = _change_cipher,
172 .destroy = _destroy,
173 },
174 .is_server = is_server,
175 .version = TLS_1_2,
176 );
177
178 this->crypto = tls_crypto_create(&this->public);
179 if (is_server)
180 {
181 this->handshake = &tls_server_create(&this->public, this->crypto,
182 server, peer)->handshake;
183 }
184 else
185 {
186 this->handshake = &tls_peer_create(&this->public, this->crypto,
187 peer, server)->handshake;
188 }
189 this->fragmentation = tls_fragmentation_create(this->handshake);
190 this->compression = tls_compression_create(this->fragmentation);
191 this->protection = tls_protection_create(&this->public, this->compression);
192
193 return &this->public;
194 }