Cleaned up the public TLS interface
authorMartin Willi <martin@revosec.ch>
Fri, 5 Feb 2010 13:39:19 +0000 (13:39 +0000)
committerMartin Willi <martin@revosec.ch>
Tue, 3 Aug 2010 13:39:25 +0000 (15:39 +0200)
src/charon/plugins/eap_tls/tls/tls.c
src/charon/plugins/eap_tls/tls/tls.h
src/charon/plugins/eap_tls/tls/tls_crypto.c
src/charon/plugins/eap_tls/tls/tls_crypto.h

index c011ad6..7bc7869 100644 (file)
@@ -134,13 +134,6 @@ METHOD(tls_t, set_version, void,
        this->version = version;
 }
 
-METHOD(tls_t, change_cipher, void,
-       private_tls_t *this, bool inbound, signer_t *signer,
-       crypter_t *crypter, chunk_t iv)
-{
-       this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);
-}
-
 METHOD(tls_t, get_eap_msk, chunk_t,
        private_tls_t *this)
 {
@@ -174,7 +167,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
                        .is_server = _is_server,
                        .get_version = _get_version,
                        .set_version = _set_version,
-                       .change_cipher = _change_cipher,
                        .get_eap_msk = _get_eap_msk,
                        .destroy = _destroy,
                },
@@ -196,6 +188,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
        this->fragmentation = tls_fragmentation_create(this->handshake);
        this->compression = tls_compression_create(this->fragmentation);
        this->protection = tls_protection_create(&this->public, this->compression);
+       this->crypto->set_protection(this->crypto, this->protection);
 
        return &this->public;
 }
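Review bot: The added `this->crypto->set_protection(...)` call hands the crypto object a back-reference to this->protection without stating who owns it; protection is created only here, so if the destroy path (not in this hunk) frees protection before crypto is torn down, crypto is left with a dangling pointer. A one-line comment above the call would pin the contract: `/* crypto only borrows protection; tls_t creates it and presumably destroys it */`, and the `@param protection` text of set_protection in tls_crypto.h should say the same. Ordering also matters here: crypto's change_cipher does nothing while its protection pointer is unset, so this call has to stay ahead of any handshake processing in tls_create.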
index ffaa83e..f40a59a 100644 (file)
@@ -27,7 +27,6 @@
 typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
-typedef enum tls_cipher_suite_t tls_cipher_suite_t;
 typedef struct tls_t tls_t;
 
 #include <library.h>
@@ -84,46 +83,6 @@ enum tls_handshake_type_t {
  */
 extern enum_name_t *tls_handshake_type_names;
 
-enum tls_cipher_suite_t {
-       TLS_NULL_WITH_NULL_NULL =                               0x00,
-       TLS_RSA_WITH_NULL_MD5 =                                 0x01,
-       TLS_RSA_WITH_NULL_SHA =                                 0x02,
-       TLS_RSA_WITH_NULL_SHA256 =                              0x3B,
-       TLS_RSA_WITH_RC4_128_MD5 =                              0x04,
-       TLS_RSA_WITH_RC4_128_SHA =                              0x05,
-       TLS_RSA_WITH_3DES_EDE_CBC_SHA =                 0x0A,
-       TLS_RSA_WITH_AES_128_CBC_SHA =                  0x2F,
-       TLS_RSA_WITH_AES_256_CBC_SHA =                  0x35,
-       TLS_RSA_WITH_AES_128_CBC_SHA256 =               0x3C,
-       TLS_RSA_WITH_AES_256_CBC_SHA256 =               0x3D,
-       TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA =              0x0D,
-       TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA =              0x10,
-       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA =             0x13,
-       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA =             0x16,
-       TLS_DH_DSS_WITH_AES_128_CBC_SHA =               0x30,
-       TLS_DH_RSA_WITH_AES_128_CBC_SHA =               0x31,
-       TLS_DHE_DSS_WITH_AES_128_CBC_SHA =              0x32,
-       TLS_DHE_RSA_WITH_AES_128_CBC_SHA =              0x33,
-       TLS_DH_DSS_WITH_AES_256_CBC_SHA =               0x36,
-       TLS_DH_RSA_WITH_AES_256_CBC_SHA =               0x37,
-       TLS_DHE_DSS_WITH_AES_256_CBC_SHA =              0x38,
-       TLS_DHE_RSA_WITH_AES_256_CBC_SHA =              0x39,
-       TLS_DH_DSS_WITH_AES_128_CBC_SHA256 =    0x3E,
-       TLS_DH_RSA_WITH_AES_128_CBC_SHA256 =    0x3F,
-       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 =   0x40,
-       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 =   0x67,
-       TLS_DH_DSS_WITH_AES_256_CBC_SHA256 =    0x68,
-       TLS_DH_RSA_WITH_AES_256_CBC_SHA256 =    0x69,
-       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 =   0x6A,
-       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 =   0x6B,
-       TLS_DH_ANON_WITH_RC4_128_MD5 =                  0x18,
-       TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA =             0x1B,
-       TLS_DH_ANON_WITH_AES_128_CBC_SHA =              0x34,
-       TLS_DH_ANON_WITH_AES_256_CBC_SHA =              0x3A,
-       TLS_DH_ANON_WITH_AES_128_CBC_SHA256 =   0x6C,
-       TLS_DH_ANON_WITH_AES_256_CBC_SHA256 =   0x6D,
-};
-
 /**
  * A bottom-up driven TLS stack, suitable for EAP implementations.
  */
@@ -176,17 +135,6 @@ struct tls_t {
        void (*set_version)(tls_t *this, tls_version_t version);
 
        /**
-        * Change used cipher, including encryption and integrity algorithms.
-        *
-        * @param inbound       TRUE to use cipher for inbound data, FALSE for outbound
-        * @param signer        new signer to use
-        * @param crypter       new crypter to use
-        * @param iv            initial IV for crypter
-        */
-       void (*change_cipher)(tls_t *this, bool inbound, signer_t *signer,
-                                                 crypter_t *crypter, chunk_t iv);
-
-       /**
         * Get the MSK for EAP-TLS.
         *
         * @return                      MSK, internal data
index 719003e..789b942 100644 (file)
@@ -30,6 +30,11 @@ struct private_tls_crypto_t {
        tls_crypto_t public;
 
        /**
+        * Protection layer
+        */
+       tls_protection_t *protection;
+
+       /**
         * List of supported/acceptable cipher suites
         */
        tls_cipher_suite_t *suites;
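Review bot: The comment on the new `protection` field says only "Protection layer", which leaves a reader guessing whether tls_crypto owns it and what it holds before set_protection() runs; the NULL check in change_cipher further down in this file depends on that initial state. Suggest `/** Protection layer to push cipher changes to; not owned by this object, expected NULL until set_protection() is called */`.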
@@ -351,6 +356,12 @@ METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
        return 0;
 }
 
+METHOD(tls_crypto_t, set_protection, void,
+       private_tls_crypto_t *this, tls_protection_t *protection)
+{
+       this->protection = protection;
+}
+
 METHOD(tls_crypto_t, append_handshake, void,
        private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
 {
@@ -561,15 +572,18 @@ METHOD(tls_crypto_t, derive_secrets, void,
 METHOD(tls_crypto_t, change_cipher, void,
        private_tls_crypto_t *this, bool inbound)
 {
-       if (inbound)
-       {
-               this->tls->change_cipher(this->tls, TRUE, this->signer_in,
-                                                                this->crypter_in, this->iv_in);
-       }
-       else
+       if (this->protection)
        {
-               this->tls->change_cipher(this->tls, FALSE, this->signer_out,
-                                                                this->crypter_out, this->iv_out);
+               if (inbound)
+               {
+                       this->protection->set_cipher(this->protection, TRUE,
+                                                       this->signer_in, this->crypter_in, this->iv_in);
+               }
+               else
+               {
+                       this->protection->set_cipher(this->protection, FALSE,
+                                                       this->signer_out, this->crypter_out, this->iv_out);
+               }
        }
 }
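Review bot: The new guard `if (this->protection)` turns a ChangeCipherSpec into a silent no-op when set_protection() has not been called, which is worse than the previous unconditional call: the handshake carries on with the record layer still in its unprotected state and nothing reports it. The method returns void and tls_create wires the protection layer right after constructing it, so reaching this branch can only be an internal ordering bug; it should fail loudly rather than be ignored. At minimum add an else branch that logs, e.g. `DBG1(DBG_IKE, "TLS protection layer not set, cipher change ignored");`, or drop the guard altogether so the misuse fails fast instead of continuing without the negotiated cipher.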
 
@@ -618,6 +632,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
                .public = {
                        .get_cipher_suites = _get_cipher_suites,
                        .select_cipher_suite = _select_cipher_suite,
+                       .set_protection = _set_protection,
                        .append_handshake = _append_handshake,
                        .sign_handshake = _sign_handshake,
                        .calculate_finished = _calculate_finished,
index e3363cd..49bc09c 100644 (file)
 #define TLS_CRYPTO_H_
 
 typedef struct tls_crypto_t tls_crypto_t;
+typedef enum tls_cipher_suite_t tls_cipher_suite_t;
 
 #include "tls.h"
 #include "tls_prf.h"
+#include "tls_protection.h"
 
 #include <credentials/keys/private_key.h>
 
 /**
+ * TLS cipher suites
+ */
+enum tls_cipher_suite_t {
+       TLS_NULL_WITH_NULL_NULL =                               0x00,
+       TLS_RSA_WITH_NULL_MD5 =                                 0x01,
+       TLS_RSA_WITH_NULL_SHA =                                 0x02,
+       TLS_RSA_WITH_NULL_SHA256 =                              0x3B,
+       TLS_RSA_WITH_RC4_128_MD5 =                              0x04,
+       TLS_RSA_WITH_RC4_128_SHA =                              0x05,
+       TLS_RSA_WITH_3DES_EDE_CBC_SHA =                 0x0A,
+       TLS_RSA_WITH_AES_128_CBC_SHA =                  0x2F,
+       TLS_RSA_WITH_AES_256_CBC_SHA =                  0x35,
+       TLS_RSA_WITH_AES_128_CBC_SHA256 =               0x3C,
+       TLS_RSA_WITH_AES_256_CBC_SHA256 =               0x3D,
+       TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA =              0x0D,
+       TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA =              0x10,
+       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA =             0x13,
+       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA =             0x16,
+       TLS_DH_DSS_WITH_AES_128_CBC_SHA =               0x30,
+       TLS_DH_RSA_WITH_AES_128_CBC_SHA =               0x31,
+       TLS_DHE_DSS_WITH_AES_128_CBC_SHA =              0x32,
+       TLS_DHE_RSA_WITH_AES_128_CBC_SHA =              0x33,
+       TLS_DH_DSS_WITH_AES_256_CBC_SHA =               0x36,
+       TLS_DH_RSA_WITH_AES_256_CBC_SHA =               0x37,
+       TLS_DHE_DSS_WITH_AES_256_CBC_SHA =              0x38,
+       TLS_DHE_RSA_WITH_AES_256_CBC_SHA =              0x39,
+       TLS_DH_DSS_WITH_AES_128_CBC_SHA256 =    0x3E,
+       TLS_DH_RSA_WITH_AES_128_CBC_SHA256 =    0x3F,
+       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 =   0x40,
+       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 =   0x67,
+       TLS_DH_DSS_WITH_AES_256_CBC_SHA256 =    0x68,
+       TLS_DH_RSA_WITH_AES_256_CBC_SHA256 =    0x69,
+       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 =   0x6A,
+       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 =   0x6B,
+       TLS_DH_ANON_WITH_RC4_128_MD5 =                  0x18,
+       TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA =             0x1B,
+       TLS_DH_ANON_WITH_AES_128_CBC_SHA =              0x34,
+       TLS_DH_ANON_WITH_AES_256_CBC_SHA =              0x3A,
+       TLS_DH_ANON_WITH_AES_128_CBC_SHA256 =   0x6C,
+       TLS_DH_ANON_WITH_AES_256_CBC_SHA256 =   0x6D,
+};
+
+/**
  * TLS crypto helper functions.
  */
 struct tls_crypto_t {
@@ -52,6 +97,13 @@ struct tls_crypto_t {
                                                                                tls_cipher_suite_t *suites, int count);
 
        /**
+        * Set the protection layer of the TLS stack to control it.
+        *
+        * @param protection            protection layer to work on
+        */
+       void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
+
+       /**
         * Store exchanged handshake data, used for cryptographic operations.
         *
         * @param type                  handshake sub type