Diffstat (limited to 'src/libtls')
-rw-r--r-- | src/libtls/Makefile.am | 4 | ||||
-rw-r--r-- | src/libtls/Makefile.in | 16 | ||||
-rw-r--r-- | src/libtls/tests/Makefile.am | 2 | ||||
-rw-r--r-- | src/libtls/tests/Makefile.in | 8 | ||||
-rw-r--r-- | src/libtls/tls.c | 8 | ||||
-rw-r--r-- | src/libtls/tls_crypto.c | 4 | ||||
-rw-r--r-- | src/libtls/tls_eap.c | 113 | ||||
-rw-r--r-- | src/libtls/tls_eap.h | 4 |
8 files changed, 98 insertions, 61 deletions
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am index d565a1479..b6496363c 100644 --- a/src/libtls/Makefile.am +++ b/src/libtls/Makefile.am @@ -14,6 +14,10 @@ libtls_la_SOURCES = \ libtls_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +if USE_WINDOWS + libtls_la_LIBADD += -lws2_32 +endif + if USE_DEV_HEADERS tls_includedir = ${dev_headers}/tls nobase_tls_include_HEADERS = \ diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index b6abd1eac..85f13d0c8 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -79,6 +79,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@USE_WINDOWS_TRUE@am__append_1 = -lws2_32 subdir = src/libtls DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(am__nobase_tls_include_HEADERS_DIST) @@ -129,8 +130,10 @@ am__uninstall_files_from_dir = { \ am__installdirs = "$(DESTDIR)$(ipseclibdir)" \ "$(DESTDIR)$(tls_includedir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) +am__DEPENDENCIES_1 = libtls_la_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \ tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \ tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \ @@ -312,6 +315,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ 
@@ -330,6 +334,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -357,6 +362,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -448,6 +454,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -471,9 +478,8 @@ libtls_la_SOURCES = \ tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \ tls_server.c tls.c -libtls_la_LIBADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la - +libtls_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__append_1) @USE_DEV_HEADERS_TRUE@tls_includedir = ${dev_headers}/tls @USE_DEV_HEADERS_TRUE@nobase_tls_include_HEADERS = \ @USE_DEV_HEADERS_TRUE@ tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \ diff --git a/src/libtls/tests/Makefile.am b/src/libtls/tests/Makefile.am index 1c0e2f941..456383f02 100644 --- a/src/libtls/tests/Makefile.am +++ b/src/libtls/tests/Makefile.am @@ -11,7 +11,7 @@ tls_tests_CFLAGS = \ -I$(top_srcdir)/src/libtls \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ - -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in index 0b8ba33c4..bbc364970 100644 --- a/src/libtls/tests/Makefile.in +++ b/src/libtls/tests/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -260,6 +260,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -278,6 +279,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -305,6 +307,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -396,6 +399,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -415,7 +419,7 @@ tls_tests_CFLAGS = \ -I$(top_srcdir)/src/libtls \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ - -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ diff --git a/src/libtls/tls.c b/src/libtls/tls.c index 6e2955814..6a8d5030c 100644 --- a/src/libtls/tls.c +++ b/src/libtls/tls.c @@ -172,14 +172,14 @@ struct private_tls_t { size_t outpos; /** - * Partial TLS record header received + * Position in partially received record header */ - tls_record_t head; + size_t headpos; /** - * Position in partially received record header + * Partial TLS record header received */ - size_t headpos; + tls_record_t head; }; /** 
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 4f67b20d6..2cffeb820 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -959,8 +959,8 @@ static void filter_specific_config_suites(private_tls_crypto_t *this,
 enumerator = enumerator_create_token(config, ",", " ");
 while (enumerator->enumerate(enumerator, &token))
 {
- suite = enum_from_name(tls_cipher_suite_names, token);
- if (suite == suites[i].suite)
+ if (enum_from_name(tls_cipher_suite_names, token, &suite) &&
+ suite == suites[i].suite)
 {
 suites[remaining++] = suites[i];
 break;
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 68cebb994..ebe5bc3a8 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -47,7 +47,7 @@ struct private_tls_eap_t {
 /**
 * Current value of EAP identifier
 */
- u_int8_t identifier;
+ uint8_t identifier;
 
 /**
 * TLS stack
@@ -60,6 +60,11 @@ struct private_tls_eap_t {
 bool is_server;
 
 /**
+ * Supported version of the EAP tunnel protocol
+ */
+ uint8_t supported_version;
+
+ /**
 * If FALSE include the total length of an EAP message
 * in the first fragment of fragmented messages only.
 * If TRUE also include the length in non-fragmented messages.
@@ -94,22 +99,24 @@ typedef enum {
 EAP_TLS_LENGTH = (1<<7), /* shared with EAP-TTLS/TNC/PEAP */
 EAP_TLS_MORE_FRAGS = (1<<6), /* shared with EAP-TTLS/TNC/PEAP */
 EAP_TLS_START = (1<<5), /* shared with EAP-TTLS/TNC/PEAP */
- EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP */
+ EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP/PT-EAP */
+ EAP_PT_START = (1<<7) /* PT-EAP only */
 } eap_tls_flags_t;
 
-#define EAP_TTLS_SUPPORTED_VERSION 0
-#define EAP_TNC_SUPPORTED_VERSION 1
-#define EAP_PEAP_SUPPORTED_VERSION 0
+#define EAP_TTLS_SUPPORTED_VERSION 0
+#define EAP_TNC_SUPPORTED_VERSION 1
+#define EAP_PEAP_SUPPORTED_VERSION 0
+#define EAP_PT_EAP_SUPPORTED_VERSION 1
 
 /**
 * EAP-TLS/TTLS packet format
 */
 typedef struct __attribute__((packed)) {
- u_int8_t code;
- u_int8_t identifier;
- u_int16_t length;
- u_int8_t type;
- u_int8_t flags;
+ uint8_t code;
+ uint8_t identifier;
+ uint16_t length;
+ uint8_t type;
+ uint8_t flags;
 } eap_tls_packet_t;
 
 METHOD(tls_eap_t, initiate, status_t,
@@ -120,18 +127,18 @@ METHOD(tls_eap_t, initiate, status_t,
 eap_tls_packet_t pkt = {
 .type = this->type,
 .code = EAP_REQUEST,
- .flags = EAP_TLS_START,
+ .flags = this->supported_version
 };
 switch (this->type)
 {
+ case EAP_TLS:
 case EAP_TTLS:
- pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
- break;
 case EAP_TNC:
- pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
- break;
 case EAP_PEAP:
- pkt.flags |= EAP_PEAP_SUPPORTED_VERSION;
+ pkt.flags |= EAP_TLS_START;
+ break;
+ case EAP_PT_EAP:
+ pkt.flags |= EAP_PT_START;
 break;
 default:
 break;
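Review bot: `EAP_PT_START = (1<<7)` in the eap_tls_flags_t enum reuses the bit value of `EAP_TLS_LENGTH`, and the rest of the change relies on `this->type` to tell the two apart (the `this->type != EAP_PT_EAP` guard in process_pkt, the combined start test in process), but the enum comment does not say so. A later change that sets EAP_TLS_LENGTH on a PT-EAP packet through some other path would be read by the peer as a Start flag, and nothing at the definition warns about that. Suggest `EAP_PT_START = (1<<7) /* PT-EAP only; same bit as EAP_TLS_LENGTH, dispatch on this->type */`. The initiate hunk on this line is consistent with that convention and needs no change.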
@@ -153,13 +160,25 @@ METHOD(tls_eap_t, initiate, status_t,
 */
 static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
 {
- u_int16_t pkt_len;
- u_int32_t msg_len;
+ uint8_t version;
+ uint16_t pkt_len;
+ uint32_t msg_len;
 size_t msg_len_offset = 0;
 
+ /* EAP-TLS doesn't have a version field */
+ if (this->type != EAP_TLS)
+ {
+ version = pkt->flags & EAP_TTLS_VERSION;
+ if (version != this->supported_version)
+ {
+ DBG1(DBG_TLS, "received %N packet with unsupported version v%u",
+ eap_type_names, this->type, version);
+ return FAILED;
+ }
+ }
 pkt_len = untoh16(&pkt->length);
- if (pkt->flags & EAP_TLS_LENGTH)
+ if (this->type != EAP_PT_EAP && (pkt->flags & EAP_TLS_LENGTH))
 {
 if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
 {
@@ -200,27 +219,12 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
 pkt->identifier = this->identifier;
 pkt->type = this->type;
- pkt->flags = 0;
-
- switch (this->type)
- {
- case EAP_TTLS:
- pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
- break;
- case EAP_TNC:
- pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
- break;
- case EAP_PEAP:
- pkt->flags |= EAP_PEAP_SUPPORTED_VERSION;
- break;
- default:
- break;
- }
+ pkt->flags = this->supported_version;
 
 if (this->first_fragment)
 {
- len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
- msg_len_offset = sizeof(u_int32_t);
+ len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(uint32_t);
+ msg_len_offset = sizeof(uint32_t);
 }
 else
 {
@@ -251,7 +255,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 }
 kind = "packet";
 }
- else if (this->type != EAP_TNC)
+ else if (this->type != EAP_TNC && this->type != EAP_PT_EAP)
 {
 this->first_fragment = TRUE;
 kind = "final fragment";
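Review bot: The new `this->type != EAP_PT_EAP &&` condition on the length-field check in process_pkt is correct only because bit 7 means Start rather than Length for PT-EAP, and that reason is not stated next to the test, unlike the version check just above it which does get a comment. A reader seeing the length handling skipped for one type will otherwise suspect a missing fragmentation path. Suggest `/* in PT-EAP bit 7 is the S flag, so there is no length field to parse */` above the `if`. The version check itself reads `pkt->flags` from the fixed header before any size check in this hunk, so presumably the caller has already verified at least sizeof(eap_tls_packet_t) bytes; process_pkt's body continues past the end of the hunk, so confirm that there. The other two hunks on this line (build_pkt) are consistent with the new supported_version field.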
@@ -269,14 +273,14 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 if (pkt->flags & EAP_TLS_LENGTH)
 {
 htoun32(pkt + 1, reclen);
- len += sizeof(u_int32_t);
+ len += sizeof(uint32_t);
 pkt->flags |= EAP_TLS_LENGTH;
 }
 else
 {
 /* get rid of the reserved length field */
 memmove(buf + sizeof(eap_tls_packet_t),
- buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t), len);
+ buf + sizeof(eap_tls_packet_t) + sizeof(uint32_t), len);
 }
 }
 len += sizeof(eap_tls_packet_t);
@@ -352,10 +356,11 @@ METHOD(tls_eap_t, process, status_t,
 }
 DBG3(DBG_TLS, "%N payload %B", eap_type_names, this->type, &in);
 
- if (pkt->flags & EAP_TLS_START)
+ if ((this->type == EAP_PT_EAP && (pkt->flags & EAP_PT_START)) ||
+ (pkt->flags & EAP_TLS_START))
 {
 if (this->type == EAP_TTLS || this->type == EAP_TNC ||
- this->type == EAP_PEAP)
+ this->type == EAP_PEAP || this->type == EAP_PT_EAP)
 {
 DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
 pkt->flags & EAP_TTLS_VERSION);
@@ -409,14 +414,14 @@ METHOD(tls_eap_t, get_msk, chunk_t,
 return this->tls->get_eap_msk(this->tls);
 }
 
-METHOD(tls_eap_t, get_identifier, u_int8_t,
+METHOD(tls_eap_t, get_identifier, uint8_t,
 private_tls_eap_t *this)
 {
 return this->identifier;
 }
 
 METHOD(tls_eap_t, set_identifier, void,
- private_tls_eap_t *this, u_int8_t identifier)
+ private_tls_eap_t *this, uint8_t identifier)
 {
 this->identifier = identifier;
 }
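Review bot: The Start branch of process logs the version bits the peer advertised (`"%N version is v%u"`) but, within this hunk, never compares them with `this->supported_version`; the only version rejection this change introduces is in process_pkt, and a Start packet takes this branch instead. If the code after the hunk does not check it either, a client would carry on against a server announcing a version it does not implement. A guard after the DBG1, `if ((pkt->flags & EAP_TTLS_VERSION) != this->supported_version) { return FAILED; }`, or a comment stating where the version is settled, would close that gap. The process method starts and ends outside the hunk, so this is to be confirmed against the full body; the build_pkt and get/set_identifier hunks on this line are type renames only.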
@@ -452,13 +457,31 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
 },
 .type = type,
 .is_server = tls->is_server(tls),
- .first_fragment = (type != EAP_TNC),
+ .first_fragment = (type != EAP_TNC && type != EAP_PT_EAP),
 .frag_size = frag_size,
 .max_msg_count = max_msg_count,
 .include_length = include_length,
 .tls = tls,
 );
 
+ switch (type)
+ {
+ case EAP_TTLS:
+ this->supported_version = EAP_TTLS_SUPPORTED_VERSION;
+ break;
+ case EAP_TNC:
+ this->supported_version = EAP_TNC_SUPPORTED_VERSION;
+ break;
+ case EAP_PEAP:
+ this->supported_version = EAP_PEAP_SUPPORTED_VERSION;
+ break;
+ case EAP_PT_EAP:
+ this->supported_version = EAP_PT_EAP_SUPPORTED_VERSION;
+ break;
+ default:
+ break;
+ }
+
 if (this->is_server)
 {
 do
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index c7da832cb..f3fbba078 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -66,7 +66,7 @@ struct tls_eap_t {
 *
 * @return identifier
 */
- u_int8_t (*get_identifier)(tls_eap_t *this);
+ uint8_t (*get_identifier)(tls_eap_t *this);
 
 /**
 * Set the EAP identifier to a deterministic value, overwriting
@@ -74,7 +74,7 @@ struct tls_eap_t {
 *
 * @param identifier EAP identifier
 */
- void (*set_identifier) (tls_eap_t *this, u_int8_t identifier);
+ void (*set_identifier) (tls_eap_t *this, uint8_t identifier);
 
 /**
 * Destroy a tls_eap_t.
|
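Review bot: The new switch in tls_eap_create leaves `supported_version` at whatever the INIT block gave it for EAP_TLS (the `default:` branch), and both initiate's `.flags = this->supported_version` and process_pkt's `this->type != EAP_TLS` bypass depend on that value being 0. That presumably holds if INIT zero-fills members it does not list, but nothing in the hunk states the dependency. An explicit `case EAP_TLS: this->supported_version = 0; break;` or a comment `/* EAP-TLS has no version field, supported_version stays 0 */` would keep the header's version bits clear even if the initialisation changes later. tls_eap_create continues past the end of the hunk; the tls_eap.h hunks on this line are type renames only.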