
1.1       misho       1: /*
                      2:  * Copyright (C) 2010 Martin Willi
                      3:  * Copyright (C) 2010 revosec AG
                      4:  *
                      5:  * This program is free software; you can redistribute it and/or modify it
                      6:  * under the terms of the GNU General Public License as published by the
                      7:  * Free Software Foundation; either version 2 of the License, or (at your
                      8:  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
                      9:  *
                     10:  * This program is distributed in the hope that it will be useful, but
                     11:  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
                     12:  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
                     13:  * for more details.
                     14:  */
                     15: 
                     16: #include "tls_protection.h"
                     17: 
                     18: #include <utils/debug.h>
                     19: 
/* Alias for the private object defined below, so the METHOD bodies can take it as `this`. */
typedef struct private_tls_protection_t private_tls_protection_t;
                     21: 
/**
 * Private data of a tls_protection_t object.
 *
 * The record protection layer sits between the record layer (which feeds
 * process()/build()) and the compression layer above it. It owns the two AEAD
 * transforms and the per-direction record sequence numbers; the alert and
 * compression objects are only referenced and are not destroyed here.
 */
struct private_tls_protection_t {

	/**
	 * Public tls_protection_t interface. Must stay the first member so the
	 * public pointer can be cast back to the private object.
	 */
	tls_protection_t public;

	/**
	 * Negotiated TLS version, set via set_version(). Decides whether a
	 * non-application-data record is AEAD protected in process() and whether
	 * an outgoing change_cipher_spec record is passed through in the clear
	 * by build() (both only before TLS 1.3).
	 */
	tls_version_t version;

	/**
	 * Upper layer, TLS record compression. Not owned: destroy() leaves it alone.
	 */
	tls_compression_t *compression;

	/**
	 * TLS alert handler. Not owned. Consulted for a pending fatal alert before
	 * any input is accepted, and fed TLS_BAD_RECORD_MAC on decryption failure.
	 */
	tls_alert_t *alert;

	/**
	 * Sequence number of the next protected inbound record. Handed to
	 * aead_in->decrypt(), incremented per protected record, and reset to zero
	 * by set_cipher() whenever a new inbound AEAD is installed.
	 */
	uint64_t seq_in;

	/**
	 * Sequence number for the next protected outbound record. Handed to
	 * aead_out->encrypt(), incremented per protected record, and reset to zero
	 * by set_cipher() whenever a new outbound AEAD is installed.
	 */
	uint64_t seq_out;

	/**
	 * AEAD transform for inbound traffic, owned. NULL until set_cipher()
	 * installs one; while NULL, inbound records are passed up unprotected.
	 */
	tls_aead_t *aead_in;

	/**
	 * AEAD transform for outbound traffic, owned. NULL until set_cipher()
	 * installs one; while NULL, outbound records leave unprotected.
	 */
	tls_aead_t *aead_out;
};
                     67: 
/**
 * Process an inbound record: authenticate/decrypt it if a cipher is active,
 * then hand the plaintext (and possibly rewritten content type) to the
 * compression layer.
 *
 * @param type		record content type; for TLS 1.3 the AEAD may replace
 *					it with the inner content type
 * @param data		record payload, decrypted in place
 * @return			NEED_MORE if the record was dropped (fatal alert pending
 *					or bad record MAC), otherwise whatever the upper layer
 *					returns
 */
METHOD(tls_protection_t, process, status_t,
	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
{
	tls_aead_t *aead = this->aead_in;
	bool needs_aead;

	if (this->alert->fatal(this->alert))
	{	/* a fatal alert is pending: swallow all further input */
		return NEED_MORE;
	}

	/* before TLS 1.3 every record is protected once a cipher is active; with
	 * TLS 1.3 only application_data records carry the AEAD protection.
	 * NOTE(review): with TLS 1.3 and aead_in set, a handshake or alert record
	 * that arrives unprotected is passed straight up here — confirm the upper
	 * layers reject unexpected plaintext records once keys are in use. */
	needs_aead = this->version < TLS_1_3 || type == TLS_APPLICATION_DATA;
	if (needs_aead)
	{
		if (aead && !aead->decrypt(aead, this->version, &type,
								   this->seq_in, &data))
		{
			/* the record is dropped, but the sequence number is not consumed;
			 * the fatal alert keeps any later input from being accepted */
			DBG1(DBG_TLS, "TLS record decryption failed");
			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
			return NEED_MORE;
		}
		/* every protected record consumes one sequence number, whether or not
		 * an AEAD was actually applied */
		this->seq_in++;
	}
	return this->compression->process(this->compression, type, data);
}
                     93: 
/**
 * Build an outbound record: pull the next record from the compression layer
 * and, if a cipher is active, AEAD protect it in place.
 *
 * @param type		receives the record content type; with TLS 1.3 the AEAD
 *					may rewrite it
 * @param data		receives the record payload, encrypted in place; freed
 *					on encryption failure
 * @return			NEED_MORE with a record in data, FAILED if encryption
 *					failed, otherwise what the upper layer returned
 */
METHOD(tls_protection_t, build, status_t,
	private_tls_protection_t *this, tls_content_type_t *type, chunk_t *data)
{
	status_t status = this->compression->build(this->compression, type, data);
	tls_aead_t *aead = this->aead_out;

	if (status != NEED_MORE)
	{	/* no record produced, nothing to protect */
		return status;
	}
	if (this->version < TLS_1_3 && *type == TLS_CHANGE_CIPHER_SPEC)
	{	/* pre-1.3 the change_cipher_spec record goes out in the clear and
		 * does not consume a sequence number */
		return status;
	}
	if (aead && !aead->encrypt(aead, this->version, type, this->seq_out, data))
	{
		/* never let an unprotected payload escape: release it and fail */
		DBG1(DBG_TLS, "TLS record encryption failed");
		chunk_free(data);
		return FAILED;
	}
	/* every record that reached this point consumes one sequence number */
	this->seq_out++;
	return status;
}
                    120: 
/**
 * Install a new AEAD transform for one direction, taking ownership of it.
 *
 * Any previously installed transform for that direction is destroyed and the
 * direction's record sequence number restarts at zero. Passing NULL removes
 * protection for the direction.
 *
 * @param inbound	TRUE to replace the inbound transform, FALSE for outbound
 * @param aead		transform to install, adopted (NULL to disable)
 */
METHOD(tls_protection_t, set_cipher, void,
	private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
{
	tls_aead_t **slot = inbound ? &this->aead_in : &this->aead_out;
	uint64_t *seq = inbound ? &this->seq_in : &this->seq_out;

	DESTROY_IF(*slot);
	*slot = aead;
	/* a new key starts a new record sequence; the counter is what the AEAD
	 * receives per record, so it must not carry over from the old key */
	*seq = 0;
}
                    137: 
/**
 * Record the negotiated TLS version.
 *
 * The version is only stored here; process() and build() read it to decide
 * which record types are AEAD protected, and it is passed to the AEAD
 * transforms on every call.
 *
 * @param version	negotiated TLS version
 */
METHOD(tls_protection_t, set_version, void,
	private_tls_protection_t *this, tls_version_t version)
{
	this->version = version;
}
                    143: 
/**
 * Destroy the protection layer together with the AEAD transforms it owns.
 *
 * The compression and alert objects are not owned and are left untouched.
 * Key material lives inside the AEAD objects, so wiping it is their
 * destroy()'s responsibility, not this function's.
 */
METHOD(tls_protection_t, destroy, void,
	private_tls_protection_t *this)
{
	DESTROY_IF(this->aead_out);
	DESTROY_IF(this->aead_in);
	free(this);
}
                    151: 
/**
 * Create a record protection layer on top of the given compression layer.
 *
 * The new object only references compression and alert; it does not take
 * ownership of either. No AEAD is installed and no version is set until
 * set_cipher()/set_version() are called, so records initially pass through
 * unprotected. The remaining fields rely on INIT leaving them zeroed.
 *
 * @param compression	upper layer receiving/producing plaintext records
 * @param alert			alert handler shared with the other layers
 * @return				protection layer, destroy() to release
 */
tls_protection_t *tls_protection_create(tls_compression_t *compression,
										tls_alert_t *alert)
{
	private_tls_protection_t *this;

	INIT(this,
		.public = {
			.process = _process,
			.build = _build,
			.set_cipher = _set_cipher,
			.set_version = _set_version,
			.destroy = _destroy,
		},
		.compression = compression,
		.alert = alert,
	);

	return &this->public;
}
