Introducing simple purposes for the TLS stack, switches various options
authorMartin Willi <martin@revosec.ch>
Fri, 20 Aug 2010 13:02:25 +0000 (15:02 +0200)
committerMartin Willi <martin@revosec.ch>
Fri, 20 Aug 2010 13:09:08 +0000 (15:09 +0200)
src/libcharon/plugins/eap_tls/eap_tls.c
src/libcharon/plugins/eap_ttls/eap_ttls.c
src/libtls/tls.c
src/libtls/tls.h
src/libtls/tls_application.h
src/libtls/tls_crypto.c
src/libtls/tls_crypto.h
src/libtls/tls_server.c
src/libtls/tls_server.h

index 8c568086129b284bc2b4f2f89be93628d689f205..fa0babe26f9af3e803a6c63e8a8fe0de9cddcd33 100644 (file)
@@ -441,10 +441,13 @@ static eap_tls_t *eap_tls_create(identification_t *server,
                },
                .is_server = is_server,
        );
-       /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
-       this->tls = tls_create(is_server, server, peer, TRUE,
-                                                  "client EAP encryption", NULL);
 
+       this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
+       if (!this->tls)
+       {
+               free(this);
+               return NULL;
+       }
        return &this->public;
 }
 
index 8ade7caae9eae01564e8a5115cf791074b5de410..80994a37d4b4668598b949f8f57f33eafc9d9f04 100644 (file)
@@ -450,9 +450,15 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
                },
                .is_server = is_server,
        );
-       /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
-       this->tls = tls_create(is_server, server, peer, FALSE,
-                                                  "ttls keying material", application);
+
+       this->tls = tls_create(is_server, server, peer,
+                                                  TLS_PURPOSE_EAP_TTLS, application);
+       if (!this->tls)
+       {
+               application->destroy(application);
+               free(this);
+               return NULL;
+       }
        return &this->public;
 }
 
index e3be79dda0a3dec1b81da947e25f944c50fa652f..da3b5b4f02949753a2b0bdbe90bd5ab4ea32e1b2 100644 (file)
@@ -86,6 +86,11 @@ struct private_tls_t {
         */
        tls_version_t version;
 
+       /**
+        * TLS stack purpose, as given to constructor
+        */
+       tls_purpose_t purpose;
+
        /**
         * TLS record protection layer
         */
@@ -147,6 +152,12 @@ METHOD(tls_t, set_version, void,
        this->version = version;
 }
 
+METHOD(tls_t, get_purpose, tls_purpose_t,
+       private_tls_t *this)
+{
+       return this->purpose;
+}
+
 METHOD(tls_t, is_complete, bool,
        private_tls_t *this)
 {
@@ -178,11 +189,20 @@ METHOD(tls_t, destroy, void,
  * See header
  */
 tls_t *tls_create(bool is_server, identification_t *server,
-                                 identification_t *peer, bool request_peer_auth,
-                                 char *msk_label, tls_application_t *application)
+                                 identification_t *peer, tls_purpose_t purpose,
+                                 tls_application_t *application)
 {
        private_tls_t *this;
 
+       switch (purpose)
+       {
+               case TLS_PURPOSE_EAP_TLS:
+               case TLS_PURPOSE_EAP_TTLS:
+                       break;
+               default:
+                       return NULL;
+       }
+
        INIT(this,
                .public = {
                        .process = _process,
@@ -190,6 +210,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
                        .is_server = _is_server,
                        .get_version = _get_version,
                        .set_version = _set_version,
+                       .get_purpose = _get_purpose,
                        .is_complete = _is_complete,
                        .get_eap_msk = _get_eap_msk,
                        .destroy = _destroy,
@@ -199,19 +220,19 @@ tls_t *tls_create(bool is_server, identification_t *server,
                .server = server->clone(server),
                .peer = peer->clone(peer),
                .application = application,
+               .purpose = purpose,
        );
 
-       this->crypto = tls_crypto_create(&this->public, msk_label);
+       this->crypto = tls_crypto_create(&this->public);
        if (is_server)
        {
                this->handshake = &tls_server_create(&this->public, this->crypto,
-                                                                               this->server, this->peer,
-                                                                               request_peer_auth)->handshake;
+                                                                       this->server, this->peer)->handshake;
        }
        else
        {
                this->handshake = &tls_peer_create(&this->public, this->crypto,
-                                                                               this->peer, this->server)->handshake;
+                                                                       this->peer, this->server)->handshake;
        }
        this->fragmentation = tls_fragmentation_create(this->handshake,
                                                                                                   this->application);
index 95ec6011c1070668e6364c9455cf05c1323d7800..6f55075f04206ad5302ba6e92ee96af0fb722062 100644 (file)
@@ -29,6 +29,7 @@
 typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
+typedef enum tls_purpose_t tls_purpose_t;
 typedef struct tls_t tls_t;
 
 #include <library.h>
@@ -87,6 +88,16 @@ enum tls_handshake_type_t {
  */
 extern enum_name_t *tls_handshake_type_names;
 
+/**
+ * Purpose the TLS stack is initiated for.
+ */
+enum tls_purpose_t {
+       /** authentication in EAP-TLS */
+       TLS_PURPOSE_EAP_TLS,
+       /** outer authentication and protection in EAP-TTLS */
+       TLS_PURPOSE_EAP_TTLS,
+};
+
 /**
  * A bottom-up driven TLS stack, suitable for EAP implementations.
  */
@@ -138,6 +149,13 @@ struct tls_t {
         */
        void (*set_version)(tls_t *this, tls_version_t version);
 
+       /**
+        * Get the purpose of this TLS stack instance.
+        *
+        * @return                      purpose given during construction
+        */
+       tls_purpose_t (*get_purpose)(tls_t *this);
+
        /**
         * Check if TLS negotiation completed successfully.
         *
@@ -164,13 +182,12 @@ struct tls_t {
  * @param is_server                    TRUE to act as server, FALSE for client
  * @param server                       server identity
  * @param peer                         peer identity
- * @param request_peer_auth    TRUE to request certificate-based peer authentication
- * @param msk_label                    ASCII string constant used as seed for MSK PRF
+ * @param purpse                       purpose this TLS stack instance is used for
  * @param application          higher layer application or NULL if none
  * @return                                     TLS stack
  */
 tls_t *tls_create(bool is_server, identification_t *server,
-                                 identification_t *peer, bool request_peer_auth,
-                                 char *msk_label, tls_application_t *application);
+                                 identification_t *peer, tls_purpose_t purpose,
+                                 tls_application_t *application);
 
 #endif /** TLS_H_ @}*/
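Review bot: The doc comment for the new constructor parameter is misspelled as `@param purpse`; it should read `@param purpose                       purpose this TLS stack instance is used for`. The `@return` line should also describe the failure mode that tls_create() in tls.c now has: it returns NULL when `purpose` is not one of the `tls_purpose_t` values, and because that check runs before `application` is stored, ownership of `application` stays with the caller in that case (eap_ttls.c destroys it itself on NULL). Suggested text: `@return                                     TLS stack, NULL if purpose is not supported (caller keeps application)`.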
index dacd10ef7a3109c7439fc5e69da7be7c914a3ab0..b54a25e22e0f914978fd14f802372d3a1aa13420 100644 (file)
@@ -23,7 +23,6 @@
 
 typedef struct tls_application_t tls_application_t;
 
-#include "tls.h"
 #include "tls_reader.h"
 #include "tls_writer.h"
 
index 90d15cb4d8620e22b1b7e6ab2e58ce2a984100c1..801a12772ccdee1378c5f34509ccfeaf8985e54b 100644 (file)
@@ -439,10 +439,30 @@ static void filter_suite(private_tls_crypto_t *this,
        *count = remaining;
 }
 
+/**
+ * Purge NULL encryption cipher suites from list
+ */
+static void filter_null_suites(private_tls_crypto_t *this,
+                                                          suite_algs_t suites[], int *count)
+{
+       int i, remaining = 0;
+
+       for (i = 0; i < *count; i++)
+       {
+               if (suites[i].encr != ENCR_NULL)
+               {
+                       suites[remaining] = suites[i];
+                       remaining++;
+               }
+       }
+       *count = remaining;
+}
+
 /**
  * Initialize the cipher suite list
  */
-static void build_cipher_suite_list(private_tls_crypto_t *this)
+static void build_cipher_suite_list(private_tls_crypto_t *this,
+                                                                       bool require_encryption)
 {
        suite_algs_t suites[countof(suite_algs)];
        int count = countof(suite_algs), i;
@@ -452,6 +472,10 @@ static void build_cipher_suite_list(private_tls_crypto_t *this)
        {
                suites[i] = suite_algs[i];
        }
+       if (require_encryption)
+       {
+               filter_null_suites(this, suites, &count);
+       }
        /* filter suite list by each algorithm */
        filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
                                 lib->crypto->create_crypter_enumerator);
@@ -872,7 +896,7 @@ METHOD(tls_crypto_t, destroy, void,
 /**
  * See header
  */
-tls_crypto_t *tls_crypto_create(tls_t *tls, char *msk_label)
+tls_crypto_t *tls_crypto_create(tls_t *tls)
 {
        private_tls_crypto_t *this;
 
@@ -892,10 +916,20 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, char *msk_label)
                        .destroy = _destroy,
                },
                .tls = tls,
-               .msk_label = msk_label
        );
 
-       build_cipher_suite_list(this);
-
+       switch (tls->get_purpose(tls))
+       {
+               case TLS_PURPOSE_EAP_TLS:
+                       /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
+                       this->msk_label = "client EAP encryption";
+                       build_cipher_suite_list(this, FALSE);
+                       break;
+               case TLS_PURPOSE_EAP_TTLS:
+                       /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
+                       this->msk_label = "ttls keying material";
+                       build_cipher_suite_list(this, TRUE);
+                       break;
+       }
        return &this->public;
 }
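Review bot: The `switch (tls->get_purpose(tls))` at the end of tls_crypto_create() has no `default` case, so any purpose value outside the two listed leaves `this->msk_label` NULL, never calls `build_cipher_suite_list`, and still returns an object that looks usable. tls_create() currently filters unknown purposes, but this function cannot rely on that from here, and the next addition to `tls_purpose_t` would fail open silently; since only `.tls` has been stored at this point, a `default: free(this); return NULL;` arm keeps the module fail-closed on its own. The EAP-TLS arm also deserves a comment on why `build_cipher_suite_list(this, FALSE)` keeps NULL-encryption suites while the EAP-TTLS arm purges them, e.g. `/* NULL encryption suites are acceptable here — presumably because the handshake alone provides the authentication; TODO confirm */`. Minor: `filter_null_suites` takes a `this` parameter it never reads, unlike `filter_suite`, which uses it to reach the crypto enumerators.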
index 09f1a0e8a6973cb18883da8d899674fbdb13cb24..5fe90d86878453e19aec86477f9803dcb31a3d0d 100644 (file)
@@ -359,9 +359,7 @@ struct tls_crypto_t {
 
 /**
  * Create a tls_crypto instance.
- *
- * @param msk_label            ASCII string constant used as seed for MSK PRF
  */
-tls_crypto_t *tls_crypto_create(tls_t *tls, char *msk_label);
+tls_crypto_t *tls_crypto_create(tls_t *tls);
 
 #endif /** TLS_CRYPTO_H_ @}*/
index 3303365fc6a463e521e2f7715c33786d924366ca..8ff306b240580cd369a04e8f4dab4634f63d1426 100644 (file)
@@ -629,8 +629,7 @@ METHOD(tls_handshake_t, destroy, void,
  * See header
  */
 tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
-                                                       identification_t *server, identification_t *peer,
-                                                       bool request_peer_auth)
+                                                       identification_t *server, identification_t *peer)
 {
        private_tls_server_t *this;
 
@@ -650,10 +649,17 @@ tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
                .server = server,
                .peer = peer,
                .state = STATE_INIT,
-               .request_peer_auth = request_peer_auth,
                .peer_auth = auth_cfg_create(),
                .server_auth = auth_cfg_create(),
        );
 
+       switch (tls->get_purpose(tls))
+       {
+               case TLS_PURPOSE_EAP_TLS:
+                       this->request_peer_auth = TRUE;
+                       break;
+               case TLS_PURPOSE_EAP_TTLS:
+                       break;
+       }
        return &this->public;
 }
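Review bot: The purpose switch added at the end of tls_server_create() sets `request_peer_auth` only for `TLS_PURPOSE_EAP_TLS`, has an empty `TLS_PURPOSE_EAP_TTLS` arm and no `default`, so the policy for any future purpose value is "no peer certificate requested" by omission — the unsafe direction for a server-side authentication flag. Making both outcomes explicit keeps the intent readable and fails closed: `case TLS_PURPOSE_EAP_TTLS: this->request_peer_auth = FALSE; break;` and `default: this->request_peer_auth = TRUE; break;`. The TTLS case as written presumably relies on INIT zero-filling the struct since `.request_peer_auth` was dropped from the initializer; a one-line comment there would confirm that is intended rather than an oversight.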
index a15d54f02b185188a59c2e9a970a7a2dd1c3d3aa..6dc26cd3fa209e61e3b7ca2e220d42ce545069fb 100644 (file)
@@ -43,7 +43,6 @@ struct tls_server_t {
  * Create a tls_server instance.
  */
 tls_server_t *tls_server_create(tls_t *tls, tls_crypto_t *crypto,
-                                                       identification_t *server, identification_t *peer,
-                                                       bool request_peer_auth);
+                                                       identification_t *server, identification_t *peer);
 
 #endif /** TLS_SERVER_H_ @}*/