strongswan/src/charon/plugins/eap_tls/tls/tls.c

/*
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "tls.h"

#include "tls_protection.h"
#include "tls_compression.h"
#include "tls_fragmentation.h"
#include "tls_crypto.h"
#include "tls_server.h"
#include "tls_peer.h"

#include <daemon.h>

ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0,
	"SSLv2");
ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0,
	"SSLv3",
	"TLS 1.0",
	"TLS 1.1",
	"TLS 1.2");
ENUM_END(tls_version_names, TLS_1_2);

ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,
	"ChangeCipherSpec",
	"Alert",
	"Handshake",
	"ApplicationData",
);

ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO,
	"HelloRequest",
	"ClientHello",
	"ServerHello");
ENUM_NEXT(tls_handshake_type_names, TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO,
	"Certificate",
	"ServerKeyExchange",
	"CertificateRequest",
	"ServerHelloDone",
	"CertificateVerify",
	"ClientKeyExchange");
ENUM_NEXT(tls_handshake_type_names, TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE,
	"Finished");
ENUM_END(tls_handshake_type_names, TLS_FINISHED);


typedef struct private_tls_t private_tls_t;

/**
 * Private data of an tls_protection_t object.
 */
struct private_tls_t {

	/**
	 * Public tls_t interface.
	 */
	tls_t public;

	/**
	 * Role this TLS stack acts as.
	 */
	bool is_server;

	/**
	 * Negotiated TLS version
	 */
	tls_version_t version;

	/**
	 * TLS record protection layer
	 */
	tls_protection_t *protection;

	/**
	 * TLS record compression layer
	 */
	tls_compression_t *compression;

	/**
	 * TLS record fragmentation layer
	 */
	tls_fragmentation_t *fragmentation;

	/**
	 * TLS crypto helper context
	 */
	tls_crypto_t *crypto;

	/**
	 * TLS handshake protocol handler
	 */
	tls_handshake_t *handshake;
};

METHOD(tls_t, process, status_t,
	private_tls_t *this, tls_content_type_t type, chunk_t data)
{
	return this->protection->process(this->protection, type, data);
}

METHOD(tls_t, build, status_t,
	private_tls_t *this, tls_content_type_t *type, chunk_t *data)
{
	return this->protection->build(this->protection, type, data);
}

METHOD(tls_t, is_server, bool,
	private_tls_t *this)
{
	return this->is_server;
}

METHOD(tls_t, get_version, tls_version_t,
	private_tls_t *this)
{
	return this->version;
}

METHOD(tls_t, set_version, void,
	private_tls_t *this, tls_version_t version)
{
	this->version = version;
}

METHOD(tls_t, change_cipher, void,
	private_tls_t *this, bool inbound, signer_t *signer,
	crypter_t *crypter, chunk_t iv)
{
	this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);
}

METHOD(tls_t, get_eap_msk, chunk_t,
	private_tls_t *this)
{
	return this->crypto->get_eap_msk(this->crypto);
}

METHOD(tls_t, destroy, void,
	private_tls_t *this)
{
	this->protection->destroy(this->protection);
	this->compression->destroy(this->compression);
	this->fragmentation->destroy(this->fragmentation);
	this->crypto->destroy(this->crypto);
	this->handshake->destroy(this->handshake);

	free(this);
}

/**
 * See header
 */
tls_t *tls_create(bool is_server, identification_t *server,
				  identification_t *peer)
{
	private_tls_t *this;

	INIT(this,
		.public = {
			.process = _process,
			.build = _build,
			.is_server = _is_server,
			.get_version = _get_version,
			.set_version = _set_version,
			.change_cipher = _change_cipher,
			.get_eap_msk = _get_eap_msk,
			.destroy = _destroy,
		},
		.is_server = is_server,
		.version = TLS_1_2,
	);

	this->crypto = tls_crypto_create(&this->public);
	if (is_server)
	{
		this->handshake = &tls_server_create(&this->public, this->crypto,
											 server, peer)->handshake;
	}
	else
	{
		this->handshake = &tls_peer_create(&this->public, this->crypto,
										   peer, server)->handshake;
	}
	this->fragmentation = tls_fragmentation_create(this->handshake);
	this->compression = tls_compression_create(this->fragmentation);
	this->protection = tls_protection_create(&this->public, this->compression);

	return &this->public;
}
Added some TLS constants 2010-01-21 14:11:38 +00:00			`/*`
			`* Copyright (C) 2010 Martin Willi`
			`* Copyright (C) 2010 revosec AG`
			`*`
			`* This program is free software; you can redistribute it and/or modify it`
			`* under the terms of the GNU General Public License as published by the`
			`* Free Software Foundation; either version 2 of the License, or (at your`
			`* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.`
			`*`
			`* This program is distributed in the hope that it will be useful, but`
			`* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY`
			`* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License`
			`* for more details.`
			`*/`

			`#include "tls.h"`

Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00			`#include "tls_protection.h"`
			`#include "tls_compression.h"`
			`#include "tls_fragmentation.h"`
Added TLS crypto helper, currently supports cipher suite selection 2010-01-25 11:21:57 +00:00			`#include "tls_crypto.h"`
Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00			`#include "tls_server.h"`
			`#include "tls_peer.h"`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`#include <daemon.h>`

Process ServerHello(Done), Certificate(Request) messages 2010-01-25 16:31:55 +00:00			`ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0,`
			`"SSLv2");`
			`ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0,`
Added some TLS constants 2010-01-21 14:11:38 +00:00			`"SSLv3",`
			`"TLS 1.0",`
			`"TLS 1.1",`
Process ServerHello(Done), Certificate(Request) messages 2010-01-25 16:31:55 +00:00			`"TLS 1.2");`
			`ENUM_END(tls_version_names, TLS_1_2);`
Added some TLS constants 2010-01-21 14:11:38 +00:00
			`ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,`
			`"ChangeCipherSpec",`
			`"Alert",`
			`"Handshake",`
			`"ApplicationData",`
			`);`

			`ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO,`
			`"HelloRequest",`
			`"ClientHello",`
			`"ServerHello");`
			`ENUM_NEXT(tls_handshake_type_names, TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO,`
			`"Certificate",`
			`"ServerKeyExchange",`
			`"CertificateRequest",`
			`"ServerHelloDone",`
			`"CertificateVerify",`
			`"ClientKeyExchange");`
			`ENUM_NEXT(tls_handshake_type_names, TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE,`
			`"Finished");`
			`ENUM_END(tls_handshake_type_names, TLS_FINISHED);`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00

			`typedef struct private_tls_t private_tls_t;`

			`/**`
			`* Private data of an tls_protection_t object.`
			`*/`
			`struct private_tls_t {`

			`/**`
			`* Public tls_t interface.`
			`*/`
			`tls_t public;`

			`/**`
			`* Role this TLS stack acts as.`
			`*/`
			`bool is_server;`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00
Process ServerHello(Done), Certificate(Request) messages 2010-01-25 16:31:55 +00:00			`/**`
			`* Negotiated TLS version`
			`*/`
			`tls_version_t version;`

Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00			`/**`
			`* TLS record protection layer`
			`*/`
			`tls_protection_t *protection;`

			`/**`
			`* TLS record compression layer`
			`*/`
			`tls_compression_t *compression;`

			`/**`
			`* TLS record fragmentation layer`
			`*/`
			`tls_fragmentation_t *fragmentation;`
Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00
Added TLS crypto helper, currently supports cipher suite selection 2010-01-25 11:21:57 +00:00			`/**`
			`* TLS crypto helper context`
			`*/`
			`tls_crypto_t *crypto;`

Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00			`/**`
			`* TLS handshake protocol handler`
			`*/`
			`tls_handshake_t *handshake;`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`};`

			`METHOD(tls_t, process, status_t,`
			`private_tls_t *this, tls_content_type_t type, chunk_t data)`
			`{`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00			`return this->protection->process(this->protection, type, data);`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`}`

			`METHOD(tls_t, build, status_t,`
			`private_tls_t this, tls_content_type_t type, chunk_t *data)`
			`{`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00			`return this->protection->build(this->protection, type, data);`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`}`

Implemented key derivation, output record signing and encryption 2010-02-04 17:18:10 +00:00			`METHOD(tls_t, is_server, bool,`
			`private_tls_t *this)`
			`{`
			`return this->is_server;`
			`}`

Process ServerHello(Done), Certificate(Request) messages 2010-01-25 16:31:55 +00:00			`METHOD(tls_t, get_version, tls_version_t,`
			`private_tls_t *this)`
			`{`
			`return this->version;`
			`}`

			`METHOD(tls_t, set_version, void,`
			`private_tls_t *this, tls_version_t version)`
			`{`
			`this->version = version;`
			`}`

Implemented key derivation, output record signing and encryption 2010-02-04 17:18:10 +00:00			`METHOD(tls_t, change_cipher, void,`
			`private_tls_t this, bool inbound, signer_t signer,`
			`crypter_t *crypter, chunk_t iv)`
			`{`
			`this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);`
			`}`

Derive MSK for EAP-TLS authentication 2010-02-05 11:28:48 +00:00			`METHOD(tls_t, get_eap_msk, chunk_t,`
			`private_tls_t *this)`
			`{`
			`return this->crypto->get_eap_msk(this->crypto);`
			`}`

Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`METHOD(tls_t, destroy, void,`
			`private_tls_t *this)`
			`{`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00			`this->protection->destroy(this->protection);`
			`this->compression->destroy(this->compression);`
			`this->fragmentation->destroy(this->fragmentation);`
Added TLS crypto helper, currently supports cipher suite selection 2010-01-25 11:21:57 +00:00			`this->crypto->destroy(this->crypto);`
Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00			`this->handshake->destroy(this->handshake);`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`free(this);`
			`}`

			`/**`
			`* See header`
			`*/`
Implemented sending of Certificate, ClientKeyExchange, CertificateVerify and ChangeCipherSpec as peer 2010-02-03 18:53:40 +00:00			`tls_t tls_create(bool is_server, identification_t server,`
			`identification_t *peer)`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`{`
			`private_tls_t *this;`

			`INIT(this,`
			`.public = {`
			`.process = _process,`
			`.build = _build,`
Implemented key derivation, output record signing and encryption 2010-02-04 17:18:10 +00:00			`.is_server = _is_server,`
Process ServerHello(Done), Certificate(Request) messages 2010-01-25 16:31:55 +00:00			`.get_version = _get_version,`
			`.set_version = _set_version,`
Implemented key derivation, output record signing and encryption 2010-02-04 17:18:10 +00:00			`.change_cipher = _change_cipher,`
Derive MSK for EAP-TLS authentication 2010-02-05 11:28:48 +00:00			`.get_eap_msk = _get_eap_msk,`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`.destroy = _destroy,`
			`},`
			`.is_server = is_server,`
Process ServerHello(Done), Certificate(Request) messages 2010-01-25 16:31:55 +00:00			`.version = TLS_1_2,`
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`);`

Derive master secret, create Finished message 2010-02-04 10:17:48 +00:00			`this->crypto = tls_crypto_create(&this->public);`
Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00			`if (is_server)`
			`{`
Implemented sending of Certificate, ClientKeyExchange, CertificateVerify and ChangeCipherSpec as peer 2010-02-03 18:53:40 +00:00			`this->handshake = &tls_server_create(&this->public, this->crypto,`
			`server, peer)->handshake;`
Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00			`}`
			`else`
			`{`
Implemented sending of Certificate, ClientKeyExchange, CertificateVerify and ChangeCipherSpec as peer 2010-02-03 18:53:40 +00:00			`this->handshake = &tls_peer_create(&this->public, this->crypto,`
			`peer, server)->handshake;`
Added stubs for handshake handling, server and peer variants 2010-01-25 09:44:35 +00:00			`}`
			`this->fragmentation = tls_fragmentation_create(this->handshake);`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00			`this->compression = tls_compression_create(this->fragmentation);`
Implemented key derivation, output record signing and encryption 2010-02-04 17:18:10 +00:00			`this->protection = tls_protection_create(&this->public, this->compression);`
Added dummy/identity implementations of the different TLS record layers 2010-01-22 16:24:17 +00:00
Pass TLS records to newly introduced TLS stack 2010-01-22 14:35:29 +00:00			`return &this->public;`
			`}`