libtls: Add control flags and replace GENERIC_NULLOK purpose with one

scripts/tls_test.c

@@ -131,7 +131,7 @@ static int run_client(host_t *host, identification_t *server,
 			return 1;
 		}
 		tls = tls_socket_create(FALSE, server, client, fd, cache, min_version,
-							    max_version, TRUE);
+							    max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
 		if (!tls)
 		{
 			close(fd);
@@ -190,7 +190,7 @@ static int serve(host_t *host, identification_t *server, identification_t *clien
 		DBG1(DBG_TLS, "%#H connected", host);
 
 		tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
-								max_version, TRUE);
+								max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
 		if (!tls)
 		{
 			close(fd);

src/libcharon/plugins/eap_peap/eap_peap.c

@@ -173,7 +173,7 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
 	include_length = lib->settings->get_bool(lib->settings,
 					"%s.plugins.eap-peap.include_length", FALSE, lib->ns);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
-					 application, NULL);
+					 application, NULL, 0);
 	this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
 												  include_length);
 	if (!this->tls_eap)

src/libcharon/plugins/eap_tls/eap_tls.c

@@ -158,7 +158,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 					lib->ns);
 	include_length = lib->settings->get_bool(lib->settings,
 					"%s.plugins.eap-tls.include_length", TRUE, lib->ns);
-	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL, 0);
 	this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
 												 include_length);
 	if (!this->tls_eap)

src/libcharon/plugins/eap_ttls/eap_ttls.c

@@ -170,7 +170,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 	include_length = lib->settings->get_bool(lib->settings,
 					"%s.plugins.eap-ttls.include_length", TRUE, lib->ns);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
-					 application, NULL);
+					 application, NULL, 0);
 	this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
 												  include_length);
 	if (!this->tls_eap)

src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c

@@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 
 	/* open TLS socket */
 	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
-								  NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
+								  NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
 	if (!this->tls)
 	{
 		DBG1(DBG_TNC, "creating TLS socket failed");

src/libpttls/pt_tls_client.c

@@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
 	}
 
 	this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
-								  NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
+								  NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
 	if (!this->tls)
 	{
 		close(fd);

src/libpttls/pt_tls_server.c

@@ -545,7 +545,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 		},
 		.state = PT_TLS_SERVER_VERSION,
 		.tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
-								 TLS_UNSPEC, FALSE),
+								 TLS_UNSPEC, 0),
 		.tnccs = (tls_t*)tnccs,
 		.auth = auth,
 	);

src/libtls/tests/suites/test_socket.c

@@ -412,7 +412,8 @@ static job_requeue_t serve_echo(echo_server_config_t *config)
 		}
 
 		tls = tls_socket_create(TRUE, server, client, cfd, NULL,
-								TLS_SUPPORTED_MIN, config->version, TRUE);
+								TLS_SUPPORTED_MIN, config->version,
+								TLS_FLAG_ENCRYPTION_OPTIONAL);
 		ck_assert(tls != NULL);
 
 		while (TRUE)
@@ -488,7 +489,8 @@ static void run_echo_client(echo_server_config_t *config)
 	ck_assert(connect(fd, host->get_sockaddr(host),
 					  *host->get_sockaddr_len(host)) != -1);
 	tls = tls_socket_create(FALSE, server, client, fd, NULL,
-							TLS_SUPPORTED_MIN, config->version, TRUE);
+							TLS_SUPPORTED_MIN, config->version,
+							TLS_FLAG_ENCRYPTION_OPTIONAL);
 	ck_assert(tls != NULL);
 
 	wr = rd = 0;

src/libtls/tls.c

@@ -202,6 +202,11 @@ struct private_tls_t {
 	 */
 	tls_purpose_t purpose;
 
+	/**
+	 * Flags for this TLS stack
+	 */
+	tls_flag_t flags;
+
 	/**
 	 * TLS record protection layer
 	 */
@@ -542,6 +547,12 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
 	return this->purpose;
 }
 
+METHOD(tls_t, get_flags, tls_flag_t,
+	private_tls_t *this)
+{
+	return this->flags;
+}
+
 METHOD(tls_t, is_complete, bool,
 	private_tls_t *this)
 {
@@ -590,7 +601,8 @@ METHOD(tls_t, destroy, void,
  */
 tls_t *tls_create(bool is_server, identification_t *server,
 				  identification_t *peer, tls_purpose_t purpose,
-				  tls_application_t *application, tls_cache_t *cache)
+				  tls_application_t *application, tls_cache_t *cache,
+				  tls_flag_t flags)
 {
 	private_tls_t *this;
 
@@ -600,7 +612,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		case TLS_PURPOSE_EAP_TTLS:
 		case TLS_PURPOSE_EAP_PEAP:
 		case TLS_PURPOSE_GENERIC:
-		case TLS_PURPOSE_GENERIC_NULLOK:
 			break;
 		default:
 			return NULL;
@@ -617,6 +628,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 			.get_version_min = _get_version_min,
 			.set_version = _set_version,
 			.get_purpose = _get_purpose,
+			.get_flags = _get_flags,
 			.is_complete = _is_complete,
 			.get_eap_msk = _get_eap_msk,
 			.get_auth = _get_auth,
@@ -625,6 +637,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		.is_server = is_server,
 		.application = application,
 		.purpose = purpose,
+		.flags = flags,
 	);
 	lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
 

src/libtls/tls.h

@@ -40,6 +40,7 @@ typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
 typedef enum tls_purpose_t tls_purpose_t;
+typedef enum tls_flag_t tls_flag_t;
 typedef struct tls_t tls_t;
 
 #include <library.h>
@@ -130,8 +131,6 @@ enum tls_purpose_t {
 	TLS_PURPOSE_EAP_PEAP,
 	/** non-EAP TLS */
 	TLS_PURPOSE_GENERIC,
-	/** non-EAP TLS accepting NULL encryption */
-	TLS_PURPOSE_GENERIC_NULLOK,
 	/** EAP binding for TNC */
 	TLS_PURPOSE_EAP_TNC
 };
@@ -202,6 +201,14 @@ enum tls_name_type_t {
 	TLS_NAME_TYPE_HOST_NAME = 0,
 };
 
+/**
+ * Flags that control the behavior of the stack
+ */
+enum tls_flag_t {
+	/** set if cipher suites with null encryption are acceptable */
+	TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+};
+
 /**
  * Enum names for tls_extension_t
  */
@@ -318,6 +325,13 @@ struct tls_t {
 	 */
 	tls_purpose_t (*get_purpose)(tls_t *this);
 
+	/**
+	 * Get the flags controlling this TLS stack instance.
+	 *
+	 * @return			flags given during construction
+	 */
+	tls_flag_t (*get_flags)(tls_t *this);
+
 	/**
 	 * Check if TLS negotiation completed successfully.
 	 *
@@ -359,10 +373,12 @@ void libtls_init(void);
  * @param purpose			purpose this TLS stack instance is used for
  * @param application		higher layer application or NULL if none
  * @param cache				session cache to use, or NULL
+ * @param flags				flags that control the behavior of the TLS stack
  * @return					TLS stack
  */
 tls_t *tls_create(bool is_server, identification_t *server,
 				  identification_t *peer, tls_purpose_t purpose,
-				  tls_application_t *application, tls_cache_t *cache);
+				  tls_application_t *application, tls_cache_t *cache,
+				  tls_flag_t flags);
 
 #endif /** TLS_H_ @}*/

src/libtls/tls_crypto.c

@@ -1116,22 +1116,22 @@ static void build_cipher_suite_list(private_tls_crypto_t *this)
 {
 	suite_algs_t suites[countof(suite_algs)];
 	tls_version_t min_version, max_version, new_min_version, new_max_version;
-	bool require_encryption;
+	bool require_encryption = TRUE;
 	int count = 0, i;
 
 	switch (this->tls->get_purpose(this->tls))
 	{
 		case TLS_PURPOSE_EAP_TLS:
-		case TLS_PURPOSE_GENERIC_NULLOK:
 			require_encryption = FALSE;
 			break;
-		case TLS_PURPOSE_EAP_PEAP:
-		case TLS_PURPOSE_EAP_TTLS:
 		case TLS_PURPOSE_GENERIC:
-			require_encryption = TRUE;
+			if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL)
+			{
+				require_encryption = FALSE;
+			}
 			break;
 		default:
-			return;
+			break;
 	}
 
 	min_version = this->tls->get_version_min(this->tls);

src/libtls/tls_socket.c

@@ -423,10 +423,9 @@ METHOD(tls_socket_t, destroy, void,
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 								identification_t *peer, int fd,
 								tls_cache_t *cache, tls_version_t min_version,
-								tls_version_t max_version, bool nullok)
+								tls_version_t max_version, tls_flag_t flags)
 {
 	private_tls_socket_t *this;
-	tls_purpose_t purpose;
 
 	INIT(this,
 		.public = {
@@ -448,17 +447,8 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 		.fd = fd,
 	);
 
-	if (nullok)
-	{
-		purpose = TLS_PURPOSE_GENERIC_NULLOK;
-	}
-	else
-	{
-		purpose = TLS_PURPOSE_GENERIC;
-	}
-
-	this->tls = tls_create(is_server, server, peer, purpose,
-						   &this->app.application, cache);
+	this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+						   &this->app.application, cache, flags);
 	if (!this->tls ||
 		!this->tls->set_version(this->tls, min_version, max_version))
 	{

src/libtls/tls_socket.h

@@ -108,12 +108,12 @@ struct tls_socket_t {
  * @param cache				session cache to use, or NULL
  * @param min_version		minimum TLS version to negotiate or TLS_UNSPEC
  * @param max_version		maximum TLS version to negotiate or TLS_UNSPEC
- * @param nullok			accept NULL encryption ciphers
+ * @param flags				flags controlling the TLS stack
  * @return					TLS socket wrapper
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 								identification_t *peer, int fd,
 								tls_cache_t *cache, tls_version_t min_version,
-								tls_version_t max_version, bool nullok);
+								tls_version_t max_version, tls_flag_t flags);
 
 #endif /** TLS_SOCKET_H_ @}*/