libtls: Add control flags and replace GENERIC_NULLOK purpose with one
authorTobias Brunner <tobias@strongswan.org>
Thu, 18 Feb 2021 14:03:29 +0000 (15:03 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 18 Feb 2021 14:10:29 +0000 (15:10 +0100)
13 files changed:
scripts/tls_test.c
src/libcharon/plugins/eap_peap/eap_peap.c
src/libcharon/plugins/eap_tls/eap_tls.c
src/libcharon/plugins/eap_ttls/eap_ttls.c
src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
src/libpttls/pt_tls_client.c
src/libpttls/pt_tls_server.c
src/libtls/tests/suites/test_socket.c
src/libtls/tls.c
src/libtls/tls.h
src/libtls/tls_crypto.c
src/libtls/tls_socket.c
src/libtls/tls_socket.h

index 5ee7e37..4a9acbb 100644 (file)
@@ -131,7 +131,7 @@ static int run_client(host_t *host, identification_t *server,
                        return 1;
                }
                tls = tls_socket_create(FALSE, server, client, fd, cache, min_version,
-                                                           max_version, TRUE);
+                                                           max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
                if (!tls)
                {
                        close(fd);
@@ -190,7 +190,7 @@ static int serve(host_t *host, identification_t *server, identification_t *clien
                DBG1(DBG_TLS, "%#H connected", host);
 
                tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
-                                                               max_version, TRUE);
+                                                               max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
                if (!tls)
                {
                        close(fd);
index 073af8d..1328449 100644 (file)
@@ -173,7 +173,7 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
        include_length = lib->settings->get_bool(lib->settings,
                                        "%s.plugins.eap-peap.include_length", FALSE, lib->ns);
        tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
-                                        application, NULL);
+                                        application, NULL, 0);
        this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
                                                                                                  include_length);
        if (!this->tls_eap)
index 79e87dc..4283aa0 100644 (file)
@@ -158,7 +158,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
                                        lib->ns);
        include_length = lib->settings->get_bool(lib->settings,
                                        "%s.plugins.eap-tls.include_length", TRUE, lib->ns);
-       tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
+       tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL, 0);
        this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
                                                                                                 include_length);
        if (!this->tls_eap)
index 97dbe18..c56eb01 100644 (file)
@@ -170,7 +170,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
        include_length = lib->settings->get_bool(lib->settings,
                                        "%s.plugins.eap-ttls.include_length", TRUE, lib->ns);
        tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
-                                        application, NULL);
+                                        application, NULL, 0);
        this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
                                                                                                  include_length);
        if (!this->tls_eap)
index 4937f32..863d13c 100644 (file)
@@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 
        /* open TLS socket */
        this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
-                                                                 NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
+                                                                 NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
        if (!this->tls)
        {
                DBG1(DBG_TNC, "creating TLS socket failed");
index b7fc4c7..312078f 100644 (file)
@@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
        }
 
        this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
-                                                                 NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
+                                                                 NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
        if (!this->tls)
        {
                close(fd);
index ba217aa..d592403 100644 (file)
@@ -545,7 +545,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
                },
                .state = PT_TLS_SERVER_VERSION,
                .tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
-                                                                TLS_UNSPEC, FALSE),
+                                                                TLS_UNSPEC, 0),
                .tnccs = (tls_t*)tnccs,
                .auth = auth,
        );
index 4707f58..9e26e91 100644 (file)
@@ -412,7 +412,8 @@ static job_requeue_t serve_echo(echo_server_config_t *config)
                }
 
                tls = tls_socket_create(TRUE, server, client, cfd, NULL,
-                                                               TLS_SUPPORTED_MIN, config->version, TRUE);
+                                                               TLS_SUPPORTED_MIN, config->version,
+                                                               TLS_FLAG_ENCRYPTION_OPTIONAL);
                ck_assert(tls != NULL);
 
                while (TRUE)
@@ -488,7 +489,8 @@ static void run_echo_client(echo_server_config_t *config)
        ck_assert(connect(fd, host->get_sockaddr(host),
                                          *host->get_sockaddr_len(host)) != -1);
        tls = tls_socket_create(FALSE, server, client, fd, NULL,
-                                                       TLS_SUPPORTED_MIN, config->version, TRUE);
+                                                       TLS_SUPPORTED_MIN, config->version,
+                                                       TLS_FLAG_ENCRYPTION_OPTIONAL);
        ck_assert(tls != NULL);
 
        wr = rd = 0;
index ae14213..a441346 100644 (file)
@@ -203,6 +203,11 @@ struct private_tls_t {
        tls_purpose_t purpose;
 
        /**
+        * Flags for this TLS stack
+        */
+       tls_flag_t flags;
+
+       /**
         * TLS record protection layer
         */
        tls_protection_t *protection;
@@ -542,6 +547,12 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
        return this->purpose;
 }
 
+METHOD(tls_t, get_flags, tls_flag_t,
+       private_tls_t *this)
+{
+       return this->flags;
+}
+
 METHOD(tls_t, is_complete, bool,
        private_tls_t *this)
 {
@@ -590,7 +601,8 @@ METHOD(tls_t, destroy, void,
  */
 tls_t *tls_create(bool is_server, identification_t *server,
                                  identification_t *peer, tls_purpose_t purpose,
-                                 tls_application_t *application, tls_cache_t *cache)
+                                 tls_application_t *application, tls_cache_t *cache,
+                                 tls_flag_t flags)
 {
        private_tls_t *this;
 
@@ -600,7 +612,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
                case TLS_PURPOSE_EAP_TTLS:
                case TLS_PURPOSE_EAP_PEAP:
                case TLS_PURPOSE_GENERIC:
-               case TLS_PURPOSE_GENERIC_NULLOK:
                        break;
                default:
                        return NULL;
@@ -617,6 +628,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
                        .get_version_min = _get_version_min,
                        .set_version = _set_version,
                        .get_purpose = _get_purpose,
+                       .get_flags = _get_flags,
                        .is_complete = _is_complete,
                        .get_eap_msk = _get_eap_msk,
                        .get_auth = _get_auth,
@@ -625,6 +637,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
                .is_server = is_server,
                .application = application,
                .purpose = purpose,
+               .flags = flags,
        );
        lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
 
index 9de042b..0d9e1ff 100644 (file)
@@ -40,6 +40,7 @@ typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
 typedef enum tls_purpose_t tls_purpose_t;
+typedef enum tls_flag_t tls_flag_t;
 typedef struct tls_t tls_t;
 
 #include <library.h>
@@ -130,8 +131,6 @@ enum tls_purpose_t {
        TLS_PURPOSE_EAP_PEAP,
        /** non-EAP TLS */
        TLS_PURPOSE_GENERIC,
-       /** non-EAP TLS accepting NULL encryption */
-       TLS_PURPOSE_GENERIC_NULLOK,
        /** EAP binding for TNC */
        TLS_PURPOSE_EAP_TNC
 };
@@ -203,6 +202,14 @@ enum tls_name_type_t {
 };
 
 /**
+ * Flags that control the behavior of the stack
+ */
+enum tls_flag_t {
+       /** set if cipher suites with null encryption are acceptable */
+       TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+};
+
+/**
  * Enum names for tls_extension_t
  */
 extern enum_name_t *tls_extension_names;
@@ -319,6 +326,13 @@ struct tls_t {
        tls_purpose_t (*get_purpose)(tls_t *this);
 
        /**
+        * Get the flags controlling this TLS stack instance.
+        *
+        * @return                      flags given during construction
+        */
+       tls_flag_t (*get_flags)(tls_t *this);
+
+       /**
         * Check if TLS negotiation completed successfully.
         *
         * @return                      TRUE if TLS negotiation and authentication complete
@@ -359,10 +373,12 @@ void libtls_init(void);
  * @param purpose                      purpose this TLS stack instance is used for
  * @param application          higher layer application or NULL if none
  * @param cache                                session cache to use, or NULL
+ * @param flags                                flags that control the behavior of the TLS stack
  * @return                                     TLS stack
  */
 tls_t *tls_create(bool is_server, identification_t *server,
                                  identification_t *peer, tls_purpose_t purpose,
-                                 tls_application_t *application, tls_cache_t *cache);
+                                 tls_application_t *application, tls_cache_t *cache,
+                                 tls_flag_t flags);
 
 #endif /** TLS_H_ @}*/
index d3f187d..d94dde9 100644 (file)
@@ -1116,22 +1116,22 @@ static void build_cipher_suite_list(private_tls_crypto_t *this)
 {
        suite_algs_t suites[countof(suite_algs)];
        tls_version_t min_version, max_version, new_min_version, new_max_version;
-       bool require_encryption;
+       bool require_encryption = TRUE;
        int count = 0, i;
 
        switch (this->tls->get_purpose(this->tls))
        {
                case TLS_PURPOSE_EAP_TLS:
-               case TLS_PURPOSE_GENERIC_NULLOK:
                        require_encryption = FALSE;
                        break;
-               case TLS_PURPOSE_EAP_PEAP:
-               case TLS_PURPOSE_EAP_TTLS:
                case TLS_PURPOSE_GENERIC:
-                       require_encryption = TRUE;
+                       if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL)
+                       {
+                               require_encryption = FALSE;
+                       }
                        break;
                default:
-                       return;
+                       break;
        }
 
        min_version = this->tls->get_version_min(this->tls);
index 8b427dd..75f1469 100644 (file)
@@ -423,10 +423,9 @@ METHOD(tls_socket_t, destroy, void,
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
                                                                identification_t *peer, int fd,
                                                                tls_cache_t *cache, tls_version_t min_version,
-                                                               tls_version_t max_version, bool nullok)
+                                                               tls_version_t max_version, tls_flag_t flags)
 {
        private_tls_socket_t *this;
-       tls_purpose_t purpose;
 
        INIT(this,
                .public = {
@@ -448,17 +447,8 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
                .fd = fd,
        );
 
-       if (nullok)
-       {
-               purpose = TLS_PURPOSE_GENERIC_NULLOK;
-       }
-       else
-       {
-               purpose = TLS_PURPOSE_GENERIC;
-       }
-
-       this->tls = tls_create(is_server, server, peer, purpose,
-                                                  &this->app.application, cache);
+       this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+                                                  &this->app.application, cache, flags);
        if (!this->tls ||
                !this->tls->set_version(this->tls, min_version, max_version))
        {
index 08ccbd2..9449676 100644 (file)
@@ -108,12 +108,12 @@ struct tls_socket_t {
  * @param cache                                session cache to use, or NULL
  * @param min_version          minimum TLS version to negotiate or TLS_UNSPEC
  * @param max_version          maximum TLS version to negotiate or TLS_UNSPEC
- * @param nullok                       accept NULL encryption ciphers
+ * @param flags                                flags controlling the TLS stack
  * @return                                     TLS socket wrapper
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
                                                                identification_t *peer, int fd,
                                                                tls_cache_t *cache, tls_version_t min_version,
-                                                               tls_version_t max_version, bool nullok);
+                                                               tls_version_t max_version, tls_flag_t flags);
 
 #endif /** TLS_SOCKET_H_ @}*/