Cleaned up the public TLS interface

src/charon/plugins/eap_tls/tls/tls.c

@@ -134,13 +134,6 @@ METHOD(tls_t, set_version, void,
 	this->version = version;
 }
 
-METHOD(tls_t, change_cipher, void,
-	private_tls_t *this, bool inbound, signer_t *signer,
-	crypter_t *crypter, chunk_t iv)
-{
-	this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);
-}
-
 METHOD(tls_t, get_eap_msk, chunk_t,
 	private_tls_t *this)
 {
@@ -174,7 +167,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
 			.is_server = _is_server,
 			.get_version = _get_version,
 			.set_version = _set_version,
-			.change_cipher = _change_cipher,
 			.get_eap_msk = _get_eap_msk,
 			.destroy = _destroy,
 		},
@@ -196,6 +188,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 	this->fragmentation = tls_fragmentation_create(this->handshake);
 	this->compression = tls_compression_create(this->fragmentation);
 	this->protection = tls_protection_create(&this->public, this->compression);
+	this->crypto->set_protection(this->crypto, this->protection);
 
 	return &this->public;
 }

src/charon/plugins/eap_tls/tls/tls.h

@@ -27,7 +27,6 @@
 typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
-typedef enum tls_cipher_suite_t tls_cipher_suite_t;
 typedef struct tls_t tls_t;
 
 #include <library.h>
@@ -84,46 +83,6 @@ enum tls_handshake_type_t {
  */
 extern enum_name_t *tls_handshake_type_names;
 
-enum tls_cipher_suite_t {
-	TLS_NULL_WITH_NULL_NULL =				0x00,
-	TLS_RSA_WITH_NULL_MD5 =					0x01,
-	TLS_RSA_WITH_NULL_SHA =					0x02,
-	TLS_RSA_WITH_NULL_SHA256 =				0x3B,
-	TLS_RSA_WITH_RC4_128_MD5 =				0x04,
-	TLS_RSA_WITH_RC4_128_SHA =				0x05,
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA =			0x0A,
-	TLS_RSA_WITH_AES_128_CBC_SHA =			0x2F,
-	TLS_RSA_WITH_AES_256_CBC_SHA =			0x35,
-	TLS_RSA_WITH_AES_128_CBC_SHA256 =		0x3C,
-	TLS_RSA_WITH_AES_256_CBC_SHA256 =		0x3D,
-	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA =		0x0D,
-	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA =		0x10,
-	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA =		0x13,
-	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA =		0x16,
-	TLS_DH_DSS_WITH_AES_128_CBC_SHA =		0x30,
-	TLS_DH_RSA_WITH_AES_128_CBC_SHA =		0x31,
-	TLS_DHE_DSS_WITH_AES_128_CBC_SHA =		0x32,
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA =		0x33,
-	TLS_DH_DSS_WITH_AES_256_CBC_SHA =		0x36,
-	TLS_DH_RSA_WITH_AES_256_CBC_SHA =		0x37,
-	TLS_DHE_DSS_WITH_AES_256_CBC_SHA =		0x38,
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA =		0x39,
-	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 =	0x3E,
-	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 =	0x3F,
-	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 =	0x40,
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 =	0x67,
-	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 =	0x68,
-	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 =	0x69,
-	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 =	0x6A,
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 =	0x6B,
-	TLS_DH_ANON_WITH_RC4_128_MD5 =			0x18,
-	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA =		0x1B,
-	TLS_DH_ANON_WITH_AES_128_CBC_SHA =		0x34,
-	TLS_DH_ANON_WITH_AES_256_CBC_SHA =		0x3A,
-	TLS_DH_ANON_WITH_AES_128_CBC_SHA256 =	0x6C,
-	TLS_DH_ANON_WITH_AES_256_CBC_SHA256 =	0x6D,
-};
-
 /**
  * A bottom-up driven TLS stack, suitable for EAP implementations.
  */
@@ -175,17 +134,6 @@ struct tls_t {
 	 */
 	void (*set_version)(tls_t *this, tls_version_t version);
 
-	/**
-	 * Change used cipher, including encryption and integrity algorithms.
-	 *
-	 * @param inbound	TRUE to use cipher for inbound data, FALSE for outbound
-	 * @param signer	new signer to use
-	 * @param crypter	new crypter to use
-	 * @param iv		initial IV for crypter
-	 */
-	void (*change_cipher)(tls_t *this, bool inbound, signer_t *signer,
-						  crypter_t *crypter, chunk_t iv);
-
 	/**
 	 * Get the MSK for EAP-TLS.
 	 *

src/charon/plugins/eap_tls/tls/tls_crypto.c

@@ -29,6 +29,11 @@ struct private_tls_crypto_t {
 	 */
 	tls_crypto_t public;
 
+	/**
+	 * Protection layer
+	 */
+	tls_protection_t *protection;
+
 	/**
 	 * List of supported/acceptable cipher suites
 	 */
@@ -351,6 +356,12 @@ METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
 	return 0;
 }
 
+METHOD(tls_crypto_t, set_protection, void,
+	private_tls_crypto_t *this, tls_protection_t *protection)
+{
+	this->protection = protection;
+}
+
 METHOD(tls_crypto_t, append_handshake, void,
 	private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
 {
@@ -561,15 +572,18 @@ METHOD(tls_crypto_t, derive_secrets, void,
 METHOD(tls_crypto_t, change_cipher, void,
 	private_tls_crypto_t *this, bool inbound)
 {
-	if (inbound)
+	if (this->protection)
 	{
-		this->tls->change_cipher(this->tls, TRUE, this->signer_in,
-								 this->crypter_in, this->iv_in);
-	}
-	else
-	{
-		this->tls->change_cipher(this->tls, FALSE, this->signer_out,
-								 this->crypter_out, this->iv_out);
+		if (inbound)
+		{
+			this->protection->set_cipher(this->protection, TRUE,
+							this->signer_in, this->crypter_in, this->iv_in);
+		}
+		else
+		{
+			this->protection->set_cipher(this->protection, FALSE,
+							this->signer_out, this->crypter_out, this->iv_out);
+		}
 	}
 }
 
@@ -618,6 +632,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
 		.public = {
 			.get_cipher_suites = _get_cipher_suites,
 			.select_cipher_suite = _select_cipher_suite,
+			.set_protection = _set_protection,
 			.append_handshake = _append_handshake,
 			.sign_handshake = _sign_handshake,
 			.calculate_finished = _calculate_finished,

src/charon/plugins/eap_tls/tls/tls_crypto.h

@@ -22,12 +22,57 @@
 #define TLS_CRYPTO_H_
 
 typedef struct tls_crypto_t tls_crypto_t;
+typedef enum tls_cipher_suite_t tls_cipher_suite_t;
 
 #include "tls.h"
 #include "tls_prf.h"
+#include "tls_protection.h"
 
 #include <credentials/keys/private_key.h>
 
+/**
+ * TLS cipher suites
+ */
+enum tls_cipher_suite_t {
+	TLS_NULL_WITH_NULL_NULL =				0x00,
+	TLS_RSA_WITH_NULL_MD5 =					0x01,
+	TLS_RSA_WITH_NULL_SHA =					0x02,
+	TLS_RSA_WITH_NULL_SHA256 =				0x3B,
+	TLS_RSA_WITH_RC4_128_MD5 =				0x04,
+	TLS_RSA_WITH_RC4_128_SHA =				0x05,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA =			0x0A,
+	TLS_RSA_WITH_AES_128_CBC_SHA =			0x2F,
+	TLS_RSA_WITH_AES_256_CBC_SHA =			0x35,
+	TLS_RSA_WITH_AES_128_CBC_SHA256 =		0x3C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256 =		0x3D,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA =		0x0D,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA =		0x10,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA =		0x13,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA =		0x16,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA =		0x30,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA =		0x31,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA =		0x32,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA =		0x33,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA =		0x36,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA =		0x37,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA =		0x38,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA =		0x39,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 =	0x3E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 =	0x3F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 =	0x40,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 =	0x67,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 =	0x68,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 =	0x69,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 =	0x6A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 =	0x6B,
+	TLS_DH_ANON_WITH_RC4_128_MD5 =			0x18,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA =		0x1B,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA =		0x34,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA =		0x3A,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256 =	0x6C,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256 =	0x6D,
+};
+
 /**
  * TLS crypto helper functions.
  */
@@ -51,6 +96,13 @@ struct tls_crypto_t {
 	tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
 										tls_cipher_suite_t *suites, int count);
 
+	/**
+	 * Set the protection layer of the TLS stack to control it.
+	 *
+	 * @param protection		protection layer to work on
+	 */
+	void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
+
 	/**
 	 * Store exchanged handshake data, used for cryptographic operations.
 	 *