libtls: Add control flags and replace GENERIC_NULLOK purpose with one
This commit is contained in:
parent
602947d48a
commit
11a4687930
|
@ -131,7 +131,7 @@ static int run_client(host_t *host, identification_t *server,
|
|||
return 1;
|
||||
}
|
||||
tls = tls_socket_create(FALSE, server, client, fd, cache, min_version,
|
||||
max_version, TRUE);
|
||||
max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
|
||||
if (!tls)
|
||||
{
|
||||
close(fd);
|
||||
|
@ -190,7 +190,7 @@ static int serve(host_t *host, identification_t *server, identification_t *clien
|
|||
DBG1(DBG_TLS, "%#H connected", host);
|
||||
|
||||
tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
|
||||
max_version, TRUE);
|
||||
max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
|
||||
if (!tls)
|
||||
{
|
||||
close(fd);
|
||||
|
|
|
@ -173,7 +173,7 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
|
|||
include_length = lib->settings->get_bool(lib->settings,
|
||||
"%s.plugins.eap-peap.include_length", FALSE, lib->ns);
|
||||
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
|
||||
application, NULL);
|
||||
application, NULL, 0);
|
||||
this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
|
||||
include_length);
|
||||
if (!this->tls_eap)
|
||||
|
|
|
@ -158,7 +158,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
|
|||
lib->ns);
|
||||
include_length = lib->settings->get_bool(lib->settings,
|
||||
"%s.plugins.eap-tls.include_length", TRUE, lib->ns);
|
||||
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
|
||||
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL, 0);
|
||||
this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
|
||||
include_length);
|
||||
if (!this->tls_eap)
|
||||
|
|
|
@ -170,7 +170,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
|
|||
include_length = lib->settings->get_bool(lib->settings,
|
||||
"%s.plugins.eap-ttls.include_length", TRUE, lib->ns);
|
||||
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
|
||||
application, NULL);
|
||||
application, NULL, 0);
|
||||
this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
|
||||
include_length);
|
||||
if (!this->tls_eap)
|
||||
|
|
|
@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
|
|||
|
||||
/* open TLS socket */
|
||||
this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
|
||||
NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
|
||||
NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
|
||||
if (!this->tls)
|
||||
{
|
||||
DBG1(DBG_TNC, "creating TLS socket failed");
|
||||
|
|
|
@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
|
|||
}
|
||||
|
||||
this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
|
||||
NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
|
||||
NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
|
||||
if (!this->tls)
|
||||
{
|
||||
close(fd);
|
||||
|
|
|
@ -545,7 +545,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
|
|||
},
|
||||
.state = PT_TLS_SERVER_VERSION,
|
||||
.tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
|
||||
TLS_UNSPEC, FALSE),
|
||||
TLS_UNSPEC, 0),
|
||||
.tnccs = (tls_t*)tnccs,
|
||||
.auth = auth,
|
||||
);
|
||||
|
|
|
@ -412,7 +412,8 @@ static job_requeue_t serve_echo(echo_server_config_t *config)
|
|||
}
|
||||
|
||||
tls = tls_socket_create(TRUE, server, client, cfd, NULL,
|
||||
TLS_SUPPORTED_MIN, config->version, TRUE);
|
||||
TLS_SUPPORTED_MIN, config->version,
|
||||
TLS_FLAG_ENCRYPTION_OPTIONAL);
|
||||
ck_assert(tls != NULL);
|
||||
|
||||
while (TRUE)
|
||||
|
@ -488,7 +489,8 @@ static void run_echo_client(echo_server_config_t *config)
|
|||
ck_assert(connect(fd, host->get_sockaddr(host),
|
||||
*host->get_sockaddr_len(host)) != -1);
|
||||
tls = tls_socket_create(FALSE, server, client, fd, NULL,
|
||||
TLS_SUPPORTED_MIN, config->version, TRUE);
|
||||
TLS_SUPPORTED_MIN, config->version,
|
||||
TLS_FLAG_ENCRYPTION_OPTIONAL);
|
||||
ck_assert(tls != NULL);
|
||||
|
||||
wr = rd = 0;
|
||||
|
|
|
@ -202,6 +202,11 @@ struct private_tls_t {
|
|||
*/
|
||||
tls_purpose_t purpose;
|
||||
|
||||
/**
|
||||
* Flags for this TLS stack
|
||||
*/
|
||||
tls_flag_t flags;
|
||||
|
||||
/**
|
||||
* TLS record protection layer
|
||||
*/
|
||||
|
@ -542,6 +547,12 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
|
|||
return this->purpose;
|
||||
}
|
||||
|
||||
METHOD(tls_t, get_flags, tls_flag_t,
|
||||
private_tls_t *this)
|
||||
{
|
||||
return this->flags;
|
||||
}
|
||||
|
||||
METHOD(tls_t, is_complete, bool,
|
||||
private_tls_t *this)
|
||||
{
|
||||
|
@ -590,7 +601,8 @@ METHOD(tls_t, destroy, void,
|
|||
*/
|
||||
tls_t *tls_create(bool is_server, identification_t *server,
|
||||
identification_t *peer, tls_purpose_t purpose,
|
||||
tls_application_t *application, tls_cache_t *cache)
|
||||
tls_application_t *application, tls_cache_t *cache,
|
||||
tls_flag_t flags)
|
||||
{
|
||||
private_tls_t *this;
|
||||
|
||||
|
@ -600,7 +612,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
|
|||
case TLS_PURPOSE_EAP_TTLS:
|
||||
case TLS_PURPOSE_EAP_PEAP:
|
||||
case TLS_PURPOSE_GENERIC:
|
||||
case TLS_PURPOSE_GENERIC_NULLOK:
|
||||
break;
|
||||
default:
|
||||
return NULL;
|
||||
|
@ -617,6 +628,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
|
|||
.get_version_min = _get_version_min,
|
||||
.set_version = _set_version,
|
||||
.get_purpose = _get_purpose,
|
||||
.get_flags = _get_flags,
|
||||
.is_complete = _is_complete,
|
||||
.get_eap_msk = _get_eap_msk,
|
||||
.get_auth = _get_auth,
|
||||
|
@ -625,6 +637,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
|
|||
.is_server = is_server,
|
||||
.application = application,
|
||||
.purpose = purpose,
|
||||
.flags = flags,
|
||||
);
|
||||
lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
|
||||
|
||||
|
|
|
@ -40,6 +40,7 @@ typedef enum tls_version_t tls_version_t;
|
|||
typedef enum tls_content_type_t tls_content_type_t;
|
||||
typedef enum tls_handshake_type_t tls_handshake_type_t;
|
||||
typedef enum tls_purpose_t tls_purpose_t;
|
||||
typedef enum tls_flag_t tls_flag_t;
|
||||
typedef struct tls_t tls_t;
|
||||
|
||||
#include <library.h>
|
||||
|
@ -130,8 +131,6 @@ enum tls_purpose_t {
|
|||
TLS_PURPOSE_EAP_PEAP,
|
||||
/** non-EAP TLS */
|
||||
TLS_PURPOSE_GENERIC,
|
||||
/** non-EAP TLS accepting NULL encryption */
|
||||
TLS_PURPOSE_GENERIC_NULLOK,
|
||||
/** EAP binding for TNC */
|
||||
TLS_PURPOSE_EAP_TNC
|
||||
};
|
||||
|
@ -202,6 +201,14 @@ enum tls_name_type_t {
|
|||
TLS_NAME_TYPE_HOST_NAME = 0,
|
||||
};
|
||||
|
||||
/**
|
||||
* Flags that control the behavior of the stack
|
||||
*/
|
||||
enum tls_flag_t {
|
||||
/** set if cipher suites with null encryption are acceptable */
|
||||
TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
|
||||
};
|
||||
|
||||
/**
|
||||
* Enum names for tls_extension_t
|
||||
*/
|
||||
|
@ -318,6 +325,13 @@ struct tls_t {
|
|||
*/
|
||||
tls_purpose_t (*get_purpose)(tls_t *this);
|
||||
|
||||
/**
|
||||
* Get the flags controlling this TLS stack instance.
|
||||
*
|
||||
* @return flags given during construction
|
||||
*/
|
||||
tls_flag_t (*get_flags)(tls_t *this);
|
||||
|
||||
/**
|
||||
* Check if TLS negotiation completed successfully.
|
||||
*
|
||||
|
@ -359,10 +373,12 @@ void libtls_init(void);
|
|||
* @param purpose purpose this TLS stack instance is used for
|
||||
* @param application higher layer application or NULL if none
|
||||
* @param cache session cache to use, or NULL
|
||||
* @param flags flags that control the behavior of the TLS stack
|
||||
* @return TLS stack
|
||||
*/
|
||||
tls_t *tls_create(bool is_server, identification_t *server,
|
||||
identification_t *peer, tls_purpose_t purpose,
|
||||
tls_application_t *application, tls_cache_t *cache);
|
||||
tls_application_t *application, tls_cache_t *cache,
|
||||
tls_flag_t flags);
|
||||
|
||||
#endif /** TLS_H_ @}*/
|
||||
|
|
|
@ -1116,22 +1116,22 @@ static void build_cipher_suite_list(private_tls_crypto_t *this)
|
|||
{
|
||||
suite_algs_t suites[countof(suite_algs)];
|
||||
tls_version_t min_version, max_version, new_min_version, new_max_version;
|
||||
bool require_encryption;
|
||||
bool require_encryption = TRUE;
|
||||
int count = 0, i;
|
||||
|
||||
switch (this->tls->get_purpose(this->tls))
|
||||
{
|
||||
case TLS_PURPOSE_EAP_TLS:
|
||||
case TLS_PURPOSE_GENERIC_NULLOK:
|
||||
require_encryption = FALSE;
|
||||
break;
|
||||
case TLS_PURPOSE_EAP_PEAP:
|
||||
case TLS_PURPOSE_EAP_TTLS:
|
||||
case TLS_PURPOSE_GENERIC:
|
||||
require_encryption = TRUE;
|
||||
if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL)
|
||||
{
|
||||
require_encryption = FALSE;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return;
|
||||
break;
|
||||
}
|
||||
|
||||
min_version = this->tls->get_version_min(this->tls);
|
||||
|
|
|
@ -423,10 +423,9 @@ METHOD(tls_socket_t, destroy, void,
|
|||
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
|
||||
identification_t *peer, int fd,
|
||||
tls_cache_t *cache, tls_version_t min_version,
|
||||
tls_version_t max_version, bool nullok)
|
||||
tls_version_t max_version, tls_flag_t flags)
|
||||
{
|
||||
private_tls_socket_t *this;
|
||||
tls_purpose_t purpose;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
|
@ -448,17 +447,8 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
|
|||
.fd = fd,
|
||||
);
|
||||
|
||||
if (nullok)
|
||||
{
|
||||
purpose = TLS_PURPOSE_GENERIC_NULLOK;
|
||||
}
|
||||
else
|
||||
{
|
||||
purpose = TLS_PURPOSE_GENERIC;
|
||||
}
|
||||
|
||||
this->tls = tls_create(is_server, server, peer, purpose,
|
||||
&this->app.application, cache);
|
||||
this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
|
||||
&this->app.application, cache, flags);
|
||||
if (!this->tls ||
|
||||
!this->tls->set_version(this->tls, min_version, max_version))
|
||||
{
|
||||
|
|
|
@ -108,12 +108,12 @@ struct tls_socket_t {
|
|||
* @param cache session cache to use, or NULL
|
||||
* @param min_version minimum TLS version to negotiate or TLS_UNSPEC
|
||||
* @param max_version maximum TLS version to negotiate or TLS_UNSPEC
|
||||
* @param nullok accept NULL encryption ciphers
|
||||
* @param flags flags controlling the TLS stack
|
||||
* @return TLS socket wrapper
|
||||
*/
|
||||
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
|
||||
identification_t *peer, int fd,
|
||||
tls_cache_t *cache, tls_version_t min_version,
|
||||
tls_version_t max_version, bool nullok);
|
||||
tls_version_t max_version, tls_flag_t flags);
|
||||
|
||||
#endif /** TLS_SOCKET_H_ @}*/
|
||||
|
|
Loading…
Reference in New Issue