Clean up X-DTLS-CipherSuite header generation to allow for DTLSv1.2
authorDavid Woodhouse <dwmw2@infradead.org>
Mon, 7 Jan 2019 11:51:34 +0000 (11:51 +0000)
committerDavid Woodhouse <dwmw2@infradead.org>
Wed, 9 Jan 2019 13:40:25 +0000 (13:40 +0000)
Allow the crypto backends to provide the cipher lists for the DTLS
(X-DTLS-CipherSuite) and DTLSv1.2 (X-DTLS12-CipherSuite) headers separately.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
cstp.c
gnutls-dtls.c
openconnect-internal.h
openssl-dtls.c

diff --git a/cstp.c b/cstp.c
index 184c1c73aeb097c5802426bd489fa74705ba0e5f..cab1707f4edaf095d8589e845dbcad159ca18db0 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -274,19 +274,31 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
                        buf_append(reqbuf, "%02X", vpninfo->dtls_secret[i]);
                        dtls_secret_set |= vpninfo->dtls_secret[i];
                }
+               buf_append(reqbuf, "\r\n");
+
                if (!dtls_secret_set) {
                        vpn_progress(vpninfo, PRG_ERR,
                                     _("CRITICAL ERROR: DTLS master secret is uninitialised. Please report this.\n"));
                        buf_free(reqbuf);
                        return -EINVAL;
                }
-               buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: ");
-               if (vpninfo->dtls_ciphers)
-                       buf_append(reqbuf, "%s", vpninfo->dtls_ciphers);
-               else
-                       append_dtls_ciphers(vpninfo, reqbuf);
-               buf_append(reqbuf, "\r\n");
 
+
+               if (vpninfo->dtls_ciphers)
+                       buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", vpninfo->dtls_ciphers);
+               else {
+                       struct oc_text_buf *dtls_cl, *dtls12_cl;
+
+                       dtls_cl = buf_alloc();
+                       dtls12_cl = buf_alloc();
+                       gather_dtls_ciphers(vpninfo, dtls_cl, dtls12_cl);
+                       if (!buf_error(dtls_cl) && dtls_cl->pos)
+                               buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", dtls_cl->data);
+                       if (!buf_error(dtls12_cl) && dtls12_cl->pos)
+                               buf_append(reqbuf, "X-DTLS12-CipherSuite: %s\r\n", dtls12_cl->data);
+                       buf_free(dtls_cl);
+                       buf_free(dtls12_cl);
+               }
                append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
        }
 #endif
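Review bot: A failed `buf_alloc()` at either of the two new calls, or a `buf_error()` raised while `gather_dtls_ciphers()` fills the lists, is swallowed: both `if` guards simply skip the header, so the CONNECT request goes out with no DTLS cipher-suite header at all and the server decides what that means, while the `dtls_secret_set` path a few lines up returns -EINVAL for a comparable local failure. Whether a NULL buffer is even safe to hand to `gather_dtls_ciphers()` depends on `buf_append()`/`buf_error()` tolerating NULL, which this hunk does not show. I would fail closed instead — check both temporaries, free them and `reqbuf`, and return -ENOMEM — so a truncated or missing cipher list is never sent silently. Note also that the user-supplied `vpninfo->dtls_ciphers` branch only ever emits `X-DTLS-CipherSuite`, so a configured list never advertises DTLSv1.2; if that is intentional a one-line comment saying so would help. `start_cstp_connection()` begins before this hunk.
```c
dtls_cl = buf_alloc();
dtls12_cl = buf_alloc();
if (dtls_cl && dtls12_cl)
	gather_dtls_ciphers(vpninfo, dtls_cl, dtls12_cl);
if (!dtls_cl || !dtls12_cl || buf_error(dtls_cl) || buf_error(dtls12_cl)) {
	/* Fail closed: never send a CONNECT with a missing or truncated cipher list. */
	buf_free(dtls_cl);
	buf_free(dtls12_cl);
	buf_free(reqbuf);
	return -ENOMEM;
}
if (dtls_cl->pos)
	buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", dtls_cl->data);
if (dtls12_cl->pos)
	buf_append(reqbuf, "X-DTLS12-CipherSuite: %s\r\n", dtls12_cl->data);
/* … unchanged: buf_free of both temporaries … */
```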
index 215c7f4b36c9d450b548ea56a33ff94bc43c9ddd..0942e7e10cfa2afc800c7df3f199e8e5fbdd4259 100644 (file)
@@ -82,7 +82,8 @@ struct {
 };
 
 #if GNUTLS_VERSION_NUMBER < 0x030009
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+                        struct oc_text_buf *buf12)
 {
        int i, first = 1;
 
@@ -93,8 +94,10 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
                        first = 0;
                }
        }
+}
 #else
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+                        struct oc_text_buf *buf12)
 {
        /* only enable the ciphers that would have been negotiated in the TLS channel */
        unsigned i, j, first = 1;
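Review bot: The `+}` added after the for loop closes `gather_dtls_ciphers()` inside the `#if GNUTLS_VERSION_NUMBER < 0x030009` branch, yet the old side shows that branch reaching `#else` with the function still open, which suggests the closing brace used to be shared after `#endif`. If that common brace still exists (it would be outside this hunk), the old-GnuTLS build now has an unmatched `}`; please confirm the `#else` branch got its own closing brace and the shared one was removed. Nothing visible in either hunk writes to `buf12` in the legacy branch, so that build silently sends no `X-DTLS12-CipherSuite` header; a comment such as `/* No DTLSv1.2 ciphers are offered with GnuTLS < 3.0.9; buf12 is left empty on purpose. */` would record that, and `(void)buf12;` would keep -Wunused-parameter quiet if it is indeed never used. Both function bodies extend beyond this hunk.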
index 43bbeea0e14b0041f551c427366ec221d54aaaf7..a696b1b7ca7ec3b70d9ec56de05c1df65939c64c 100644 (file)
@@ -832,7 +832,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 void dtls_close(struct openconnect_info *vpninfo);
 void dtls_shutdown(struct openconnect_info *vpninfo);
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf, struct oc_text_buf *buf12);
 void dtls_detect_mtu(struct openconnect_info *vpninfo);
 int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
 int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
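Review bot: The new `gather_dtls_ciphers()` prototype gives no hint of the contract between `buf` and `buf12` — which header each one feeds, that the caller allocates and frees both, and that either may legitimately be left empty — so a reader of this header has to go to cstp.c to find out. I would add above the declaration: `/* Fill buf with the DTLS cipher list and buf12 with the DTLSv1.2 list (X-DTLS-CipherSuite / X-DTLS12-CipherSuite headers); the caller allocates both, and either may be left empty. */`.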
index e8ae5ac3c56834c1fe054f18bc147800d7c01696..3647c83d7c1e152bf61dd022d6efa80068ef9f06 100644 (file)
@@ -678,7 +678,8 @@ void dtls_ssl_free(struct openconnect_info *vpninfo)
        SSL_free(vpninfo->dtls_ssl);
 }
 
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+                        struct oc_text_buf *buf12)
 {
 #ifdef HAVE_DTLS12
 #ifndef OPENSSL_NO_PSK