Diffstat (limited to 'src/libtls')
-rw-r--r--src/libtls/Makefile.am4
-rw-r--r--src/libtls/Makefile.in16
-rw-r--r--src/libtls/tests/Makefile.am2
-rw-r--r--src/libtls/tests/Makefile.in8
-rw-r--r--src/libtls/tls.c8
-rw-r--r--src/libtls/tls_crypto.c4
-rw-r--r--src/libtls/tls_eap.c113
-rw-r--r--src/libtls/tls_eap.h4
8 files changed, 98 insertions, 61 deletions
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
index d565a1479..b6496363c 100644
--- a/src/libtls/Makefile.am
+++ b/src/libtls/Makefile.am
@@ -14,6 +14,10 @@ libtls_la_SOURCES = \
libtls_la_LIBADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la
+if USE_WINDOWS
+ libtls_la_LIBADD += -lws2_32
+endif
+
if USE_DEV_HEADERS
tls_includedir = ${dev_headers}/tls
nobase_tls_include_HEADERS = \
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index b6abd1eac..85f13d0c8 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -79,6 +79,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
+@USE_WINDOWS_TRUE@am__append_1 = -lws2_32
subdir = src/libtls
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp $(am__nobase_tls_include_HEADERS_DIST)
@@ -129,8 +130,10 @@ am__uninstall_files_from_dir = { \
am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
"$(DESTDIR)$(tls_includedir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
libtls_la_DEPENDENCIES = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__DEPENDENCIES_1)
am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \
tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \
@@ -312,6 +315,7 @@ NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
@@ -330,6 +334,7 @@ PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -357,6 +362,7 @@ abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -448,6 +454,7 @@ srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -471,9 +478,8 @@ libtls_la_SOURCES = \
tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
tls_server.c tls.c
-libtls_la_LIBADD = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
-
+libtls_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__append_1)
@USE_DEV_HEADERS_TRUE@tls_includedir = ${dev_headers}/tls
@USE_DEV_HEADERS_TRUE@nobase_tls_include_HEADERS = \
@USE_DEV_HEADERS_TRUE@ tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
diff --git a/src/libtls/tests/Makefile.am b/src/libtls/tests/Makefile.am
index 1c0e2f941..456383f02 100644
--- a/src/libtls/tests/Makefile.am
+++ b/src/libtls/tests/Makefile.am
@@ -11,7 +11,7 @@ tls_tests_CFLAGS = \
-I$(top_srcdir)/src/libtls \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libstrongswan/tests \
- -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
-DPLUGINS=\""${s_plugins}\"" \
@COVERAGE_CFLAGS@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index 0b8ba33c4..bbc364970 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -260,6 +260,7 @@ NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
@@ -278,6 +279,7 @@ PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -305,6 +307,7 @@ abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -396,6 +399,7 @@ srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -415,7 +419,7 @@ tls_tests_CFLAGS = \
-I$(top_srcdir)/src/libtls \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libstrongswan/tests \
- -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
-DPLUGINS=\""${s_plugins}\"" \
@COVERAGE_CFLAGS@
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6e2955814..6a8d5030c 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -172,14 +172,14 @@ struct private_tls_t {
size_t outpos;
/**
- * Partial TLS record header received
+ * Position in partially received record header
*/
- tls_record_t head;
+ size_t headpos;
/**
- * Position in partially received record header
+ * Partial TLS record header received
*/
- size_t headpos;
+ tls_record_t head;
};
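Review bot: The swap of `head` and `headpos` in private_tls_t is not explained anywhere in the hunk; the doc comments are simply exchanged along with the fields, so a reader cannot tell whether this is a cosmetic reorder or a fix. If the intent is to keep the `size_t` naturally aligned by placing the (presumably packed) `tls_record_t` last, say so at the field, e.g. `/* kept last: a packed tls_record_t before a size_t could leave headpos misaligned */` — hedged, since tls_record_t's definition is not in the hunk. The struct definition starts outside the hunk.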
/**
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 4f67b20d6..2cffeb820 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -959,8 +959,8 @@ static void filter_specific_config_suites(private_tls_crypto_t *this,
enumerator = enumerator_create_token(config, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- suite = enum_from_name(tls_cipher_suite_names, token);
- if (suite == suites[i].suite)
+ if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
+ suite == suites[i].suite)
{
suites[remaining++] = suites[i];
break;
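Review bot: A token in `config` that `enum_from_name` does not recognise is now silently skipped at the new `if`, so a typo in a configured cipher-suite name just drops that suite from the filtered list with no trace for the operator. The enumerator appears to be recreated per candidate suite (the `suites[i]` loop starts outside the hunk), so logging inside this loop would repeat per suite; a one-time pass over the tokens before filtering, or logging only on the first outer iteration, with `DBG1(DBG_TLS, "unknown cipher suite '%s' in config", token)` would surface the misconfiguration once. filter_specific_config_suites begins and ends outside the hunk.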
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 68cebb994..ebe5bc3a8 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -47,7 +47,7 @@ struct private_tls_eap_t {
/**
* Current value of EAP identifier
*/
- u_int8_t identifier;
+ uint8_t identifier;
/**
* TLS stack
@@ -60,6 +60,11 @@ struct private_tls_eap_t {
bool is_server;
/**
+ * Supported version of the EAP tunnel protocol
+ */
+ uint8_t supported_version;
+
+ /**
* If FALSE include the total length of an EAP message
* in the first fragment of fragmented messages only.
* If TRUE also include the length in non-fragmented messages.
@@ -94,22 +99,24 @@ typedef enum {
EAP_TLS_LENGTH = (1<<7), /* shared with EAP-TTLS/TNC/PEAP */
EAP_TLS_MORE_FRAGS = (1<<6), /* shared with EAP-TTLS/TNC/PEAP */
EAP_TLS_START = (1<<5), /* shared with EAP-TTLS/TNC/PEAP */
- EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP */
+ EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP/PT-EAP */
+ EAP_PT_START = (1<<7) /* PT-EAP only */
} eap_tls_flags_t;
-#define EAP_TTLS_SUPPORTED_VERSION 0
-#define EAP_TNC_SUPPORTED_VERSION 1
-#define EAP_PEAP_SUPPORTED_VERSION 0
+#define EAP_TTLS_SUPPORTED_VERSION 0
+#define EAP_TNC_SUPPORTED_VERSION 1
+#define EAP_PEAP_SUPPORTED_VERSION 0
+#define EAP_PT_EAP_SUPPORTED_VERSION 1
/**
* EAP-TLS/TTLS packet format
*/
typedef struct __attribute__((packed)) {
- u_int8_t code;
- u_int8_t identifier;
- u_int16_t length;
- u_int8_t type;
- u_int8_t flags;
+ uint8_t code;
+ uint8_t identifier;
+ uint16_t length;
+ uint8_t type;
+ uint8_t flags;
} eap_tls_packet_t;
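Review bot: `EAP_PT_START = (1<<7)` has the same value as `EAP_TLS_LENGTH = (1<<7)` in the same enum, so for PT-EAP the L bit position means Start and the two constants alias each other, which the trailing comments do not say. Every `pkt->flags & EAP_TLS_LENGTH` test therefore needs an EAP_PT_EAP guard (process_pkt adds one later in this patch), and that is easy to miss without a hint at the definition. Suggest `EAP_PT_START = (1<<7) /* PT-EAP only; same bit as EAP_TLS_LENGTH, which PT-EAP does not use */`.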
METHOD(tls_eap_t, initiate, status_t,
@@ -120,18 +127,18 @@ METHOD(tls_eap_t, initiate, status_t,
eap_tls_packet_t pkt = {
.type = this->type,
.code = EAP_REQUEST,
- .flags = EAP_TLS_START,
+ .flags = this->supported_version
};
switch (this->type)
{
+ case EAP_TLS:
case EAP_TTLS:
- pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
- break;
case EAP_TNC:
- pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
- break;
case EAP_PEAP:
- pkt.flags |= EAP_PEAP_SUPPORTED_VERSION;
+ pkt.flags |= EAP_TLS_START;
+ break;
+ case EAP_PT_EAP:
+ pkt.flags |= EAP_PT_START;
break;
default:
break;
@@ -153,13 +160,25 @@ METHOD(tls_eap_t, initiate, status_t,
*/
static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
{
- u_int16_t pkt_len;
- u_int32_t msg_len;
+ uint8_t version;
+ uint16_t pkt_len;
+ uint32_t msg_len;
size_t msg_len_offset = 0;
+ /* EAP-TLS doesn't have a version field */
+ if (this->type != EAP_TLS)
+ {
+ version = pkt->flags & EAP_TTLS_VERSION;
+ if (version != this->supported_version)
+ {
+ DBG1(DBG_TLS, "received %N packet with unsupported version v%u",
+ eap_type_names, this->type, version);
+ return FAILED;
+ }
+ }
pkt_len = untoh16(&pkt->length);
- if (pkt->flags & EAP_TLS_LENGTH)
+ if (this->type != EAP_PT_EAP && (pkt->flags & EAP_TLS_LENGTH))
{
if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
{
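Review bot: The new `this->type != EAP_PT_EAP &&` guard on the EAP_TLS_LENGTH test carries no comment, and its reason — bit 0x80 is the PT-EAP Start flag, since `EAP_PT_START` and `EAP_TLS_LENGTH` are both `1<<7` in the enum hunk above — is only discoverable by reading the enum. Suggest `/* for PT-EAP bit 0x80 is the Start flag; the type carries no message length */` above the `if`. The version check is strict equality, so a peer advertising any other version, including a lower one, is rejected with FAILED; that is consistent with a single-version implementation but worth stating in a comment next to the check. process_pkt continues outside the hunk.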
@@ -200,27 +219,12 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
pkt->identifier = this->identifier;
pkt->type = this->type;
- pkt->flags = 0;
-
- switch (this->type)
- {
- case EAP_TTLS:
- pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
- break;
- case EAP_TNC:
- pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
- break;
- case EAP_PEAP:
- pkt->flags |= EAP_PEAP_SUPPORTED_VERSION;
- break;
- default:
- break;
- }
+ pkt->flags = this->supported_version;
if (this->first_fragment)
{
- len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
- msg_len_offset = sizeof(u_int32_t);
+ len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(uint32_t);
+ msg_len_offset = sizeof(uint32_t);
}
else
{
@@ -251,7 +255,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
}
kind = "packet";
}
- else if (this->type != EAP_TNC)
+ else if (this->type != EAP_TNC && this->type != EAP_PT_EAP)
{
this->first_fragment = TRUE;
kind = "final fragment";
@@ -269,14 +273,14 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
if (pkt->flags & EAP_TLS_LENGTH)
{
htoun32(pkt + 1, reclen);
- len += sizeof(u_int32_t);
+ len += sizeof(uint32_t);
pkt->flags |= EAP_TLS_LENGTH;
}
else
{
/* get rid of the reserved length field */
memmove(buf + sizeof(eap_tls_packet_t),
- buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t), len);
+ buf + sizeof(eap_tls_packet_t) + sizeof(uint32_t), len);
}
}
len += sizeof(eap_tls_packet_t);
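Review bot: `if (pkt->flags & EAP_TLS_LENGTH)` here keeps no type guard, unlike the same test in process_pkt, so for EAP_PT_EAP it would read the Start bit as the length flag if that bit were ever set on an outgoing packet. It appears safe only because `first_fragment` starts FALSE for PT-EAP (tls_eap_create hunk) and is never set back to TRUE for it (`this->type != EAP_TNC && this->type != EAP_PT_EAP` earlier in build_pkt), which is an implicit invariant; either mirror the guard as `if (this->type != EAP_PT_EAP && (pkt->flags & EAP_TLS_LENGTH))` or add a comment stating that reliance. build_pkt begins and ends outside the hunk.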
@@ -352,10 +356,11 @@ METHOD(tls_eap_t, process, status_t,
}
DBG3(DBG_TLS, "%N payload %B", eap_type_names, this->type, &in);
- if (pkt->flags & EAP_TLS_START)
+ if ((this->type == EAP_PT_EAP && (pkt->flags & EAP_PT_START)) ||
+ (pkt->flags & EAP_TLS_START))
{
if (this->type == EAP_TTLS || this->type == EAP_TNC ||
- this->type == EAP_PEAP)
+ this->type == EAP_PEAP || this->type == EAP_PT_EAP)
{
DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
pkt->flags & EAP_TTLS_VERSION);
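Review bot: For EAP_PT_EAP the new start condition still accepts the EAP_TLS_START bit (0x20) through its second operand, because only the EAP_PT_START clause is type-guarded; per the enum comments that bit is shared by TTLS/TNC/PEAP but not PT-EAP, so a PT-EAP packet with it set would be treated as a start request. Selecting one bit per type avoids this: `uint8_t start = (this->type == EAP_PT_EAP) ? EAP_PT_START : EAP_TLS_START;` followed by `if (pkt->flags & start)`. process begins and ends outside the hunk.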
@@ -409,14 +414,14 @@ METHOD(tls_eap_t, get_msk, chunk_t,
return this->tls->get_eap_msk(this->tls);
}
-METHOD(tls_eap_t, get_identifier, u_int8_t,
+METHOD(tls_eap_t, get_identifier, uint8_t,
private_tls_eap_t *this)
{
return this->identifier;
}
METHOD(tls_eap_t, set_identifier, void,
- private_tls_eap_t *this, u_int8_t identifier)
+ private_tls_eap_t *this, uint8_t identifier)
{
this->identifier = identifier;
}
@@ -452,13 +457,31 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
},
.type = type,
.is_server = tls->is_server(tls),
- .first_fragment = (type != EAP_TNC),
+ .first_fragment = (type != EAP_TNC && type != EAP_PT_EAP),
.frag_size = frag_size,
.max_msg_count = max_msg_count,
.include_length = include_length,
.tls = tls,
);
+ switch (type)
+ {
+ case EAP_TTLS:
+ this->supported_version = EAP_TTLS_SUPPORTED_VERSION;
+ break;
+ case EAP_TNC:
+ this->supported_version = EAP_TNC_SUPPORTED_VERSION;
+ break;
+ case EAP_PEAP:
+ this->supported_version = EAP_PEAP_SUPPORTED_VERSION;
+ break;
+ case EAP_PT_EAP:
+ this->supported_version = EAP_PT_EAP_SUPPORTED_VERSION;
+ break;
+ default:
+ break;
+ }
+
if (this->is_server)
{
do
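Review bot: The `default: break;` in the new switch leaves `supported_version` at whatever INIT assigned, which for EAP_TLS must be 0 because initiate and build_pkt now write `this->supported_version` straight into `pkt->flags`; that reliance on implicit zero-initialisation is undocumented. Suggest making it explicit: `default: /* EAP-TLS has no version field */ this->supported_version = 0; break;`. tls_eap_create continues outside the hunk.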
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index c7da832cb..f3fbba078 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -66,7 +66,7 @@ struct tls_eap_t {
*
* @return identifier
*/
- u_int8_t (*get_identifier)(tls_eap_t *this);
+ uint8_t (*get_identifier)(tls_eap_t *this);
/**
* Set the EAP identifier to a deterministic value, overwriting
@@ -74,7 +74,7 @@ struct tls_eap_t {
*
* @param identifier EAP identifier
*/
- void (*set_identifier) (tls_eap_t *this, u_int8_t identifier);
+ void (*set_identifier) (tls_eap_t *this, uint8_t identifier);
/**
* Destroy a tls_eap_t.