projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
tls: Separate TLS protection to abstracted AEAD modes
[strongswan.git] / src / libtls / tls_protection.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_protection.h"
17
18 #include <utils/debug.h>
19
20 typedef struct private_tls_protection_t private_tls_protection_t;
21
22 /**
23 * Private data of an tls_protection_t object.
24 */
25 struct private_tls_protection_t {
26
27 /**
28 * Public tls_protection_t interface.
29 */
30 tls_protection_t public;
31
32 /**
33 * negotiated TLS version
34 */
35 tls_version_t version;
36
37 /**
38 * Upper layer, TLS record compression
39 */
40 tls_compression_t *compression;
41
42 /**
43 * TLS alert handler
44 */
45 tls_alert_t *alert;
46
47 /**
48 * Sequence number of incoming records
49 */
50 u_int64_t seq_in;
51
52 /**
53 * Sequence number for outgoing records
54 */
55 u_int64_t seq_out;
56
57 /**
58 * AEAD transform for inbound traffic
59 */
60 tls_aead_t *aead_in;
61
62 /**
63 * AEAD transform for outbound traffic
64 */
65 tls_aead_t *aead_out;
66 };
67
68 METHOD(tls_protection_t, process, status_t,
69 private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
70 {
71 if (this->alert->fatal(this->alert))
72 { /* don't accept more input, fatal error occurred */
73 return NEED_MORE;
74 }
75
76 if (this->aead_in)
77 {
78 if (!this->aead_in->decrypt(this->aead_in, this->version,
79 type, this->seq_in, &data))
80 {
81 DBG1(DBG_TLS, "TLS record decryption failed");
82 this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
83 return NEED_MORE;
84 }
85 }
86
87 if (type == TLS_CHANGE_CIPHER_SPEC)
88 {
89 this->seq_in = 0;
90 }
91 else
92 {
93 this->seq_in++;
94 }
95 return this->compression->process(this->compression, type, data);
96 }
97
98 METHOD(tls_protection_t, build, status_t,
99 private_tls_protection_t *this, tls_content_type_t *type, chunk_t *data)
100 {
101 status_t status;
102
103 status = this->compression->build(this->compression, type, data);
104 if (*type == TLS_CHANGE_CIPHER_SPEC)
105 {
106 this->seq_out = 0;
107 return status;
108 }
109
110 if (status == NEED_MORE)
111 {
112 if (this->aead_out)
113 {
114 if (!this->aead_out->encrypt(this->aead_out, this->version,
115 *type, this->seq_out, data))
116 {
117 DBG1(DBG_TLS, "TLS record encryption failed");
118 chunk_free(data);
119 return FAILED;
120 }
121 }
122 this->seq_out++;
123 }
124 return status;
125 }
126
127 METHOD(tls_protection_t, set_cipher, void,
128 private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
129 {
130 if (inbound)
131 {
132 this->aead_in = aead;
133 }
134 else
135 {
136 this->aead_out = aead;
137 }
138 }
139
140 METHOD(tls_protection_t, set_version, void,
141 private_tls_protection_t *this, tls_version_t version)
142 {
143 this->version = version;
144 }
145
146 METHOD(tls_protection_t, destroy, void,
147 private_tls_protection_t *this)
148 {
149 free(this);
150 }
151
152 /**
153 * See header
154 */
155 tls_protection_t *tls_protection_create(tls_compression_t *compression,
156 tls_alert_t *alert)
157 {
158 private_tls_protection_t *this;
159
160 INIT(this,
161 .public = {
162 .process = _process,
163 .build = _build,
164 .set_cipher = _set_cipher,
165 .set_version = _set_version,
166 .destroy = _destroy,
167 },
168 .alert = alert,
169 .compression = compression,
170 );
171
172 return &this->public;
173 }
strongSwan - IPsec VPN