return 1;
}
tls = tls_socket_create(FALSE, server, client, fd, cache, min_version,
- max_version, TRUE);
+ max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
if (!tls)
{
close(fd);
DBG1(DBG_TLS, "%#H connected", host);
tls = tls_socket_create(TRUE, server, client, cfd, cache, min_version,
- max_version, TRUE);
+ max_version, TLS_FLAG_ENCRYPTION_OPTIONAL);
if (!tls)
{
close(fd);
include_length = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-peap.include_length", FALSE, lib->ns);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
- application, NULL);
+ application, NULL, 0);
this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
include_length);
if (!this->tls_eap)
lib->ns);
include_length = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-tls.include_length", TRUE, lib->ns);
- tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
+ tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL, 0);
this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
include_length);
if (!this->tls_eap)
include_length = lib->settings->get_bool(lib->settings,
"%s.plugins.eap-ttls.include_length", TRUE, lib->ns);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
- application, NULL);
+ application, NULL, 0);
this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
include_length);
if (!this->tls_eap)
/* open TLS socket */
this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
- NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
+ NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
if (!this->tls)
{
DBG1(DBG_TNC, "creating TLS socket failed");
}
this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
- NULL, TLS_UNSPEC, TLS_UNSPEC, FALSE);
+ NULL, TLS_UNSPEC, TLS_UNSPEC, 0);
if (!this->tls)
{
close(fd);
},
.state = PT_TLS_SERVER_VERSION,
.tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
- TLS_UNSPEC, FALSE),
+ TLS_UNSPEC, 0),
.tnccs = (tls_t*)tnccs,
.auth = auth,
);
}
tls = tls_socket_create(TRUE, server, client, cfd, NULL,
- TLS_SUPPORTED_MIN, config->version, TRUE);
+ TLS_SUPPORTED_MIN, config->version,
+ TLS_FLAG_ENCRYPTION_OPTIONAL);
ck_assert(tls != NULL);
while (TRUE)
ck_assert(connect(fd, host->get_sockaddr(host),
*host->get_sockaddr_len(host)) != -1);
tls = tls_socket_create(FALSE, server, client, fd, NULL,
- TLS_SUPPORTED_MIN, config->version, TRUE);
+ TLS_SUPPORTED_MIN, config->version,
+ TLS_FLAG_ENCRYPTION_OPTIONAL);
ck_assert(tls != NULL);
wr = rd = 0;
*/
tls_purpose_t purpose;
+ /**
+ * Flags for this TLS stack
+ */
+ tls_flag_t flags;
+
/**
* TLS record protection layer
*/
return this->purpose;
}
+METHOD(tls_t, get_flags, tls_flag_t,
+ private_tls_t *this)
+{
+ return this->flags;
+}
+
METHOD(tls_t, is_complete, bool,
private_tls_t *this)
{
*/
tls_t *tls_create(bool is_server, identification_t *server,
identification_t *peer, tls_purpose_t purpose,
- tls_application_t *application, tls_cache_t *cache)
+ tls_application_t *application, tls_cache_t *cache,
+ tls_flag_t flags)
{
private_tls_t *this;
case TLS_PURPOSE_EAP_TTLS:
case TLS_PURPOSE_EAP_PEAP:
case TLS_PURPOSE_GENERIC:
- case TLS_PURPOSE_GENERIC_NULLOK:
break;
default:
return NULL;
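Review bot: The switch rejects unknown `purpose` values, but the new `flags` argument is stored without any check, so bits outside `tls_flag_t` are accepted silently and later handed back by `get_flags`. With only `TLS_FLAG_ENCRYPTION_OPTIONAL` defined, a guard beside this switch, `if (flags & ~TLS_FLAG_ENCRYPTION_OPTIONAL) { return NULL; }`, would catch a mistyped caller before a stack is built rather than letting an unintended bit ride along. The body of tls_create starts before and continues after this hunk; the `.flags = flags` store is in a later hunk of the same file.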
.get_version_min = _get_version_min,
.set_version = _set_version,
.get_purpose = _get_purpose,
+ .get_flags = _get_flags,
.is_complete = _is_complete,
.get_eap_msk = _get_eap_msk,
.get_auth = _get_auth,
.is_server = is_server,
.application = application,
.purpose = purpose,
+ .flags = flags,
);
lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
typedef enum tls_content_type_t tls_content_type_t;
typedef enum tls_handshake_type_t tls_handshake_type_t;
typedef enum tls_purpose_t tls_purpose_t;
+typedef enum tls_flag_t tls_flag_t;
typedef struct tls_t tls_t;
#include <library.h>
TLS_PURPOSE_EAP_PEAP,
/** non-EAP TLS */
TLS_PURPOSE_GENERIC,
- /** non-EAP TLS accepting NULL encryption */
- TLS_PURPOSE_GENERIC_NULLOK,
/** EAP binding for TNC */
TLS_PURPOSE_EAP_TNC
};
TLS_NAME_TYPE_HOST_NAME = 0,
};
+/**
+ * Flags that control the behavior of the stack
+ */
+enum tls_flag_t {
+ /** set if cipher suites with null encryption are acceptable */
+ TLS_FLAG_ENCRYPTION_OPTIONAL = 1,
+};
+
/**
* Enum names for tls_extension_t
*/
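Review bot: `tls_flag_t` is used as a bitmask (callers pass `0` for no flags and tls_crypto tests it with `&`), but neither the enum comment nor the value says so, and a later contributor could add `= 2, 3, 4` sequentially. I would extend the header comment to `/** Flags that control the behavior of the stack; OR-able bits, 0 means no flags */` and note on the value that it occupies bit 0. Documenting the bitmask semantics here is what readers of the public header need; a named zero value is optional.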
*/
tls_purpose_t (*get_purpose)(tls_t *this);
+ /**
+ * Get the flags controlling this TLS stack instance.
+ *
+ * @return flags given during construction
+ */
+ tls_flag_t (*get_flags)(tls_t *this);
+
/**
* Check if TLS negotiation completed successfully.
*
* @param purpose purpose this TLS stack instance is used for
* @param application higher layer application or NULL if none
* @param cache session cache to use, or NULL
+ * @param flags flags that control the behavior of the TLS stack
* @return TLS stack
*/
tls_t *tls_create(bool is_server, identification_t *server,
identification_t *peer, tls_purpose_t purpose,
- tls_application_t *application, tls_cache_t *cache);
+ tls_application_t *application, tls_cache_t *cache,
+ tls_flag_t flags);
#endif /** TLS_H_ @}*/
{
suite_algs_t suites[countof(suite_algs)];
tls_version_t min_version, max_version, new_min_version, new_max_version;
- bool require_encryption;
+ bool require_encryption = TRUE;
int count = 0, i;
switch (this->tls->get_purpose(this->tls))
{
case TLS_PURPOSE_EAP_TLS:
- case TLS_PURPOSE_GENERIC_NULLOK:
require_encryption = FALSE;
break;
- case TLS_PURPOSE_EAP_PEAP:
- case TLS_PURPOSE_EAP_TTLS:
case TLS_PURPOSE_GENERIC:
- require_encryption = TRUE;
+ if (this->tls->get_flags(this->tls) & TLS_FLAG_ENCRYPTION_OPTIONAL)
+ {
+ require_encryption = FALSE;
+ }
break;
default:
- return;
+ break;
}
min_version = this->tls->get_version_min(this->tls);
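Review bot: Turning the `default` branch from `return` into `break` changes more than the flag handling: purposes not named in the switch (per the enum, `TLS_PURPOSE_EAP_TNC`) previously left this function early and now continue past the switch into the version query and, presumably, the suite selection that follows, with `require_encryption` at its new default of `TRUE`. If that is intended, a comment such as `/* all other purposes require encryption and are configured normally */` on the branch would record it; if not, the early `return` should stay for the unknown-purpose case. Note also that `TLS_PURPOSE_EAP_TLS` still clears `require_encryption` unconditionally, so the new flag governs only `TLS_PURPOSE_GENERIC`, which the call sites in the eap-tls hunk (flags `0`) rely on. The enclosing function begins before this hunk.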
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
identification_t *peer, int fd,
tls_cache_t *cache, tls_version_t min_version,
- tls_version_t max_version, bool nullok)
+ tls_version_t max_version, tls_flag_t flags)
{
private_tls_socket_t *this;
- tls_purpose_t purpose;
INIT(this,
.public = {
.fd = fd,
);
- if (nullok)
- {
- purpose = TLS_PURPOSE_GENERIC_NULLOK;
- }
- else
- {
- purpose = TLS_PURPOSE_GENERIC;
- }
-
- this->tls = tls_create(is_server, server, peer, purpose,
- &this->app.application, cache);
+ this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+ &this->app.application, cache, flags);
if (!this->tls ||
!this->tls->set_version(this->tls, min_version, max_version))
{
* @param cache session cache to use, or NULL
* @param min_version minimum TLS version to negotiate or TLS_UNSPEC
* @param max_version maximum TLS version to negotiate or TLS_UNSPEC
- * @param nullok accept NULL encryption ciphers
+ * @param flags flags controlling the TLS stack
* @return TLS socket wrapper
*/
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
identification_t *peer, int fd,
tls_cache_t *cache, tls_version_t min_version,
- tls_version_t max_version, bool nullok);
+ tls_version_t max_version, tls_flag_t flags);
#endif /** TLS_SOCKET_H_ @}*/