Implemented TLS Alert handling
[strongswan.git] / src / libtls / tls.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls.h"
17
18 #include "tls_protection.h"
19 #include "tls_compression.h"
20 #include "tls_fragmentation.h"
21 #include "tls_crypto.h"
22 #include "tls_server.h"
23 #include "tls_peer.h"
24
25 ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0,
26 "SSLv2");
27 ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0,
28 "SSLv3",
29 "TLS 1.0",
30 "TLS 1.1",
31 "TLS 1.2");
32 ENUM_END(tls_version_names, TLS_1_2);
33
34 ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,
35 "ChangeCipherSpec",
36 "Alert",
37 "Handshake",
38 "ApplicationData",
39 );
40
41 ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO,
42 "HelloRequest",
43 "ClientHello",
44 "ServerHello");
45 ENUM_NEXT(tls_handshake_type_names, TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO,
46 "Certificate",
47 "ServerKeyExchange",
48 "CertificateRequest",
49 "ServerHelloDone",
50 "CertificateVerify",
51 "ClientKeyExchange");
52 ENUM_NEXT(tls_handshake_type_names, TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE,
53 "Finished");
54 ENUM_END(tls_handshake_type_names, TLS_FINISHED);
55
56
57 typedef struct private_tls_t private_tls_t;
58
59 /**
60 * Private data of an tls_protection_t object.
61 */
62 struct private_tls_t {
63
64 /**
65 * Public tls_t interface.
66 */
67 tls_t public;
68
69 /**
70 * Role this TLS stack acts as.
71 */
72 bool is_server;
73
74 /**
75 * Server identity
76 */
77 identification_t *server;
78
79 /**
80 * Peer identity
81 */
82 identification_t *peer;
83
84 /**
85 * Negotiated TLS version
86 */
87 tls_version_t version;
88
89 /**
90 * TLS stack purpose, as given to constructor
91 */
92 tls_purpose_t purpose;
93
94 /**
95 * TLS record protection layer
96 */
97 tls_protection_t *protection;
98
99 /**
100 * TLS record compression layer
101 */
102 tls_compression_t *compression;
103
104 /**
105 * TLS record fragmentation layer
106 */
107 tls_fragmentation_t *fragmentation;
108
109 /**
110 * TLS alert handler
111 */
112 tls_alert_t *alert;
113
114 /**
115 * TLS crypto helper context
116 */
117 tls_crypto_t *crypto;
118
119 /**
120 * TLS handshake protocol handler
121 */
122 tls_handshake_t *handshake;
123
124 /**
125 * TLS application data handler
126 */
127 tls_application_t *application;
128 };
129
130 METHOD(tls_t, process, status_t,
131 private_tls_t *this, tls_content_type_t type, chunk_t data)
132 {
133 return this->protection->process(this->protection, type, data);
134 }
135
136 METHOD(tls_t, build, status_t,
137 private_tls_t *this, tls_content_type_t *type, chunk_t *data)
138 {
139 return this->protection->build(this->protection, type, data);
140 }
141
142 METHOD(tls_t, is_server, bool,
143 private_tls_t *this)
144 {
145 return this->is_server;
146 }
147
148 METHOD(tls_t, get_version, tls_version_t,
149 private_tls_t *this)
150 {
151 return this->version;
152 }
153
154 METHOD(tls_t, set_version, bool,
155 private_tls_t *this, tls_version_t version)
156 {
157 if (version > this->version)
158 {
159 return FALSE;
160 }
161 switch (version)
162 {
163 case TLS_1_0:
164 case TLS_1_1:
165 case TLS_1_2:
166 this->version = version;
167 this->protection->set_version(this->protection, version);
168 return TRUE;
169 case SSL_2_0:
170 case SSL_3_0:
171 default:
172 return FALSE;
173 }
174 }
175
176 METHOD(tls_t, get_purpose, tls_purpose_t,
177 private_tls_t *this)
178 {
179 return this->purpose;
180 }
181
182 METHOD(tls_t, is_complete, bool,
183 private_tls_t *this)
184 {
185 return this->crypto->get_eap_msk(this->crypto).len != 0;
186 }
187
188 METHOD(tls_t, get_eap_msk, chunk_t,
189 private_tls_t *this)
190 {
191 return this->crypto->get_eap_msk(this->crypto);
192 }
193
194 METHOD(tls_t, destroy, void,
195 private_tls_t *this)
196 {
197 this->protection->destroy(this->protection);
198 this->compression->destroy(this->compression);
199 this->fragmentation->destroy(this->fragmentation);
200 this->crypto->destroy(this->crypto);
201 this->handshake->destroy(this->handshake);
202 this->peer->destroy(this->peer);
203 this->server->destroy(this->server);
204 DESTROY_IF(this->application);
205 this->alert->destroy(this->alert);
206
207 free(this);
208 }
209
210 /**
211 * See header
212 */
213 tls_t *tls_create(bool is_server, identification_t *server,
214 identification_t *peer, tls_purpose_t purpose,
215 tls_application_t *application)
216 {
217 private_tls_t *this;
218
219 switch (purpose)
220 {
221 case TLS_PURPOSE_EAP_TLS:
222 case TLS_PURPOSE_EAP_TTLS:
223 break;
224 default:
225 return NULL;
226 }
227
228 INIT(this,
229 .public = {
230 .process = _process,
231 .build = _build,
232 .is_server = _is_server,
233 .get_version = _get_version,
234 .set_version = _set_version,
235 .get_purpose = _get_purpose,
236 .is_complete = _is_complete,
237 .get_eap_msk = _get_eap_msk,
238 .destroy = _destroy,
239 },
240 .is_server = is_server,
241 .version = TLS_1_2,
242 .server = server->clone(server),
243 .peer = peer->clone(peer),
244 .application = application,
245 .purpose = purpose,
246 );
247
248 this->crypto = tls_crypto_create(&this->public);
249 this->alert = tls_alert_create();
250 if (is_server)
251 {
252 this->handshake = &tls_server_create(&this->public, this->crypto,
253 this->alert, this->server, this->peer)->handshake;
254 }
255 else
256 {
257 this->handshake = &tls_peer_create(&this->public, this->crypto,
258 this->alert, this->peer, this->server)->handshake;
259 }
260 this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
261 this->application);
262 this->compression = tls_compression_create(this->fragmentation, this->alert);
263 this->protection = tls_protection_create(this->compression, this->alert);
264 this->crypto->set_protection(this->crypto, this->protection);
265
266 return &this->public;
267 }