From 11a4687930f4ea9e95ab75d2b40719d731f2f140 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 18 Feb 2021 15:03:29 +0100 Subject: [PATCH] libtls: Add control flags and replace GENERIC_NULLOK purpose with one --- scripts/tls_test.c | 4 ++-- src/libcharon/plugins/eap_peap/eap_peap.c | 2 +- src/libcharon/plugins/eap_tls/eap_tls.c | 2 +- src/libcharon/plugins/eap_ttls/eap_ttls.c | 2 +- .../plugins/tnc_ifmap/tnc_ifmap_soap.c | 2 +- src/libpttls/pt_tls_client.c | 2 +- src/libpttls/pt_tls_server.c | 2 +- src/libtls/tests/suites/test_socket.c | 6 +++-- src/libtls/tls.c | 17 ++++++++++++-- src/libtls/tls.h | 22 ++++++++++++++++--- src/libtls/tls_crypto.c | 12 +++++----- src/libtls/tls_socket.c | 16 +++----------- src/libtls/tls_socket.h | 4 ++-- 13 files changed, 57 insertions(+), 36 deletions(-) diff --git a/scripts/tls_test.c b/scripts/tls_test.c index 5ee7e3714..4a9acbb49 100644 --- a/scripts/tls_test.c +++ b/scripts/tls_test.c @@ -131,7 +131,7 @@ static int run_client(host_t *host, identification_t *server, return 1; } tls = tls_socket_create(FALSE, server, client, fd, cache, min_version, - max_version, TRUE); + max_version, TLS_FLAG_ENCRYPTION_OPTIONAL); if (!tls) { close(fd); @@ -190,7 +190,7 @@ static int serve(host_t *host, identification_t *server, identification_t *clien DBG1(DBG_TLS, "%#H connected", host); tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version, - max_version, TRUE); + max_version, TLS_FLAG_ENCRYPTION_OPTIONAL); if (!tls) { close(fd); diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c index 073af8dc0..1328449ec 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap.c +++ b/src/libcharon/plugins/eap_peap/eap_peap.c @@ -173,7 +173,7 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this, include_length = lib->settings->get_bool(lib->settings, "%s.plugins.eap-peap.include_length", FALSE, lib->ns); tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP, - application, NULL); + application, NULL, 0); this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count, include_length); if (!this->tls_eap) diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c index 79e87dc89..4283aa025 100644 --- a/src/libcharon/plugins/eap_tls/eap_tls.c +++ b/src/libcharon/plugins/eap_tls/eap_tls.c @@ -158,7 +158,7 @@ static eap_tls_t *eap_tls_create(identification_t *server, lib->ns); include_length = lib->settings->get_bool(lib->settings, "%s.plugins.eap-tls.include_length", TRUE, lib->ns); - tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL); + tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL, 0); this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count, include_length); if (!this->tls_eap) diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c index 97dbe1890..c56eb01d3 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c @@ -170,7 +170,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server, include_length = lib->settings->get_bool(lib->settings, "%s.plugins.eap-ttls.include_length", TRUE, lib->ns); tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, - application, NULL); + application, NULL, 0); this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count, include_length); if (!this->tls_eap) diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c index 4937f32a2..863d13ccb 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c @@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this) /* open TLS socket */ this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, - NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE); + NULL, TLS_UNSPEC, TLS_UNSPEC, 0); if (!this->tls) { DBG1(DBG_TNC, "creating TLS socket failed"); diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c index b7fc4c70d..312078fc1 100644 --- a/src/libpttls/pt_tls_client.c +++ b/src/libpttls/pt_tls_client.c @@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this) } this->tls = tls_socket_create(FALSE, this->server, this->client, fd, - NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE); + NULL, TLS_UNSPEC, TLS_UNSPEC, 0); if (!this->tls) { close(fd); diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c index ba217aa9b..d59240334 100644 --- a/src/libpttls/pt_tls_server.c +++ b/src/libpttls/pt_tls_server.c @@ -545,7 +545,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd, }, .state = PT_TLS_SERVER_VERSION, .tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC, - TLS_UNSPEC, FALSE), + TLS_UNSPEC, 0), .tnccs = (tls_t*)tnccs, .auth = auth, ); diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c index 4707f5849..9e26e91e4 100644 --- a/src/libtls/tests/suites/test_socket.c +++ b/src/libtls/tests/suites/test_socket.c @@ -412,7 +412,8 @@ static job_requeue_t serve_echo(echo_server_config_t *config) } tls = tls_socket_create(TRUE, server, client, cfd, NULL, - TLS_SUPPORTED_MIN, config->version, TRUE); + TLS_SUPPORTED_MIN, config->version, + TLS_FLAG_ENCRYPTION_OPTIONAL); ck_assert(tls != NULL); while (TRUE) @@ -488,7 +489,8 @@ static void run_echo_client(echo_server_config_t *config) ck_assert(connect(fd, host->get_sockaddr(host), *host->get_sockaddr_len(host)) != -1); tls = tls_socket_create(FALSE, server, client, fd, NULL, - TLS_SUPPORTED_MIN, config->version, TRUE); + TLS_SUPPORTED_MIN, config->version, + TLS_FLAG_ENCRYPTION_OPTIONAL); ck_assert(tls != NULL); wr = rd = 0; diff --git a/src/libtls/tls.c b/src/libtls/tls.c index ae14213a0..a44134696 100644 --- a/src/libtls/tls.c +++ b/src/libtls/tls.c @@ -202,6 +202,11 @@ struct private_tls_t { */ tls_purpose_t purpose; + /** + * Flags for this TLS stack + */ + tls_flag_t flags; + /** * TLS record protection layer */ @@ -542,6 +547,12 @@ METHOD(tls_t, get_purpose, tls_purpose_t, return this->purpose; } +METHOD(tls_t, get_flags, tls_flag_t, + private_tls_t *this) +{ + return this->flags; +} + METHOD(tls_t, is_complete, bool, private_tls_t *this) { @@ -590,7 +601,8 @@ METHOD(tls_t, destroy, void, */ tls_t *tls_create(bool is_server, identification_t *server, identification_t *peer, tls_purpose_t purpose, - tls_application_t *application, tls_cache_t *cache) + tls_application_t *application, tls_cache_t *cache, + tls_flag_t flags) { private_tls_t *this; @@ -600,7 +612,6 @@ tls_t *tls_create(bool is_server, identification_t *server, case TLS_PURPOSE_EAP_TTLS: case TLS_PURPOSE_EAP_PEAP: case TLS_PURPOSE_GENERIC: - case TLS_PURPOSE_GENERIC_NULLOK: break; default: return NULL; @@ -617,6 +628,7 @@ tls_t *tls_create(bool is_server, identification_t *server, .get_version_min = _get_version_min, .set_version = _set_version, .get_purpose = _get_purpose, + .get_flags = _get_flags, .is_complete = _is_complete, .get_eap_msk = _get_eap_msk, .get_auth = _get_auth, @@ -625,6 +637,7 @@ tls_t *tls_create(bool is_server, identification_t *server, .is_server = is_server, .application = application, .purpose = purpose, + .flags = flags, ); lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns); diff --git a/src/libtls/tls.h b/src/libtls/tls.h index 9de042b26..0d9e1ff0c 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h @@ -40,6 +40,7 @@ typedef enum tls_version_t tls_version_t; typedef enum tls_content_type_t tls_content_type_t; typedef enum tls_handshake_type_t tls_handshake_type_t; typedef enum tls_purpose_t tls_purpose_t; +typedef enum tls_flag_t tls_flag_t; typedef struct tls_t tls_t; #include @@ -130,8 +131,6 @@ enum tls_purpose_t { TLS_PURPOSE_EAP_PEAP, /** non-EAP TLS */ TLS_PURPOSE_GENERIC, - /** non-EAP TLS accepting NULL encryption */ - TLS_PURPOSE_GENERIC_NULLOK, /** EAP binding for TNC */ TLS_PURPOSE_EAP_TNC }; @@ -202,6 +201,14 @@ enum tls_name_type_t { TLS_NAME_TYPE_HOST_NAME = 0, }; +/** + * Flags that control the behavior of the stack + */ +enum tls_flag_t { + /** set if cipher suites with null encryption are acceptable */ + TLS_FLAG_ENCRYPTION_OPTIONAL = 1, +}; + /** * Enum names for tls_extension_t */ @@ -318,6 +325,13 @@ struct tls_t { */ tls_purpose_t (*get_purpose)(tls_t *this); + /** + * Get the flags controlling this TLS stack instance. + * + * @return flags given during construction + */ + tls_flag_t (*get_flags)(tls_t *this); + /** * Check if TLS negotiation completed successfully. * @@ -359,10 +373,12 @@ void libtls_init(void); * @param purpose purpose this TLS stack instance is used for * @param application higher layer application or NULL if none * @param cache session cache to use, or NULL + * @param flags flags that control the behavior of the TLS stack * @return TLS stack */ tls_t *tls_create(bool is_server, identification_t *server, identification_t *peer, tls_purpose_t purpose, - tls_application_t *application, tls_cache_t *cache); + tls_application_t *application, tls_cache_t *cache, + tls_flag_t flags); #endif /** TLS_H_ @}*/ diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index d3f187def..d94dde9b6 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1116,22 +1116,22 @@ static void build_cipher_suite_list(private_tls_crypto_t *this) { suite_algs_t suites[countof(suite_algs)]; tls_version_t min_version, max_version, new_min_version, new_max_version; - bool require_encryption; + bool require_encryption = TRUE; int count = 0, i; switch (this->tls->get_purpose(this->tls)) { case TLS_PURPOSE_EAP_TLS: - case TLS_PURPOSE_GENERIC_NULLOK: require_encryption = FALSE; break; - case TLS_PURPOSE_EAP_PEAP: - case TLS_PURPOSE_EAP_TTLS: case TLS_PURPOSE_GENERIC: - require_encryption = TRUE; + if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL) + { + require_encryption = FALSE; + } break; default: - return; + break; } min_version = this->tls->get_version_min(this->tls); diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c index 8b427dd1a..75f146929 100644 --- a/src/libtls/tls_socket.c +++ b/src/libtls/tls_socket.c @@ -423,10 +423,9 @@ METHOD(tls_socket_t, destroy, void, tls_socket_t *tls_socket_create(bool is_server, identification_t *server, identification_t *peer, int fd, tls_cache_t *cache, tls_version_t min_version, - tls_version_t max_version, bool nullok) + tls_version_t max_version, tls_flag_t flags) { private_tls_socket_t *this; - tls_purpose_t purpose; INIT(this, .public = { @@ -448,17 +447,8 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, .fd = fd, ); - if (nullok) - { - purpose = TLS_PURPOSE_GENERIC_NULLOK; - } - else - { - purpose = TLS_PURPOSE_GENERIC; - } - - this->tls = tls_create(is_server, server, peer, purpose, - &this->app.application, cache); + this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC, + &this->app.application, cache, flags); if (!this->tls || !this->tls->set_version(this->tls, min_version, max_version)) { diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h index 08ccbd287..944967632 100644 --- a/src/libtls/tls_socket.h +++ b/src/libtls/tls_socket.h @@ -108,12 +108,12 @@ struct tls_socket_t { * @param cache session cache to use, or NULL * @param min_version minimum TLS version to negotiate or TLS_UNSPEC * @param max_version maximum TLS version to negotiate or TLS_UNSPEC - * @param nullok accept NULL encryption ciphers + * @param flags flags controlling the TLS stack * @return TLS socket wrapper */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, identification_t *peer, int fd, tls_cache_t *cache, tls_version_t min_version, - tls_version_t max_version, bool nullok); + tls_version_t max_version, tls_flag_t flags); #endif /** TLS_SOCKET_H_ @}*/