From: Nikos Mavrogiannopoulos
Date: Sat, 6 Oct 2018 17:52:49 +0000 (+0200)
Subject: No longer send the TLS extension for the PSK protocol
X-Git-Tag: v8.00~36
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=71d65998790fc921dc7113793b4429cc753e418d;p=users%2Fdwmw2%2Fopenconnect.git

No longer send the TLS extension for the PSK protocol

ocserv can read the identifier from the session ID field and as such there is no need to attach the extension any more.

Signed-off-by: Nikos Mavrogiannopoulos
Signed-off-by: David Woodhouse
---

diff --git a/gnutls.c b/gnutls.c
index b8bd8b6b..d0c733ce 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2338,117 +2338,6 @@ void openconnect_close_https(struct openconnect_info *vpninfo, int final) } } -#if GNUTLS_VERSION_NUMBER >= 0x030400 -static int ext_recv_client(gnutls_session_t sess, const unsigned char *buf, size_t buflen) -{ - /* we shouldn't have received that */ - return 0; -} - -static int ext_send_client(gnutls_session_t sess, gnutls_buffer_t extdata) -{ - struct openconnect_info *vpninfo = gnutls_session_get_ptr(sess); - - if (vpninfo->dtls_ssl != sess) - return 0; - - if (vpninfo->dtls_app_id_size > 0) { - uint8_t size = vpninfo->dtls_app_id_size; - int ret; - - ret = gnutls_buffer_append_data(extdata, &size, 1); - if (ret < 0) - return ret; - - ret = gnutls_buffer_append_data(extdata, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size); - if (ret < 0) - return ret; - - return vpninfo->dtls_app_id_size + 1; - } - - return 0; -} -#else - -/* previously to 3.4.0 we can only use internal-but-exported APIs - */ -typedef int (*gnutls_ext_recv_func) (gnutls_session_t session, - const unsigned char *data, - size_t len); -typedef int (*gnutls_ext_send_func) (gnutls_session_t session, - void* extdata); -int _gnutls_buffer_append_data(void *, const void *data, size_t data_size); - -typedef struct { - const char *name; - uint16_t type; - int parse_type; - - /* this function must return 0 when Not Applicable - * size of extension data if ok - * < 0 on other error. - */ - gnutls_ext_recv_func recv_func; - - /* this function must return 0 when Not Applicable - * size of extension data if ok - * GNUTLS_E_INT_RET_0 if extension data size is zero - * < 0 on other error. 
- */ - gnutls_ext_send_func send_func; - - void *deinit_func; /* this will be called to deinitialize - * internal data - */ - void *pack_func; /* packs internal data to machine independent format */ - void *unpack_func; /* unpacks internal data */ - void *epoch_func; /* called after the handshake is finished */ -} extension_entry_st; - -int _gnutls_ext_register(extension_entry_st *); - -static int ext_recv_client(gnutls_session_t sess, const unsigned char *buf, size_t buflen) -{ - /* we shouldn't have received that */ - return 0; -} -static int ext_send_client(gnutls_session_t sess, void *extdata) -{ - struct openconnect_info *vpninfo = gnutls_session_get_ptr(sess); - - if (vpninfo->dtls_ssl != sess) - return 0; - - if (vpninfo->dtls_app_id_size > 0) { - uint8_t size = vpninfo->dtls_app_id_size; - int ret; - - ret = _gnutls_buffer_append_data(extdata, &size, 1); - if (ret < 0) - return ret; - ret = _gnutls_buffer_append_data(extdata, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size); - if (ret < 0) - return ret; - - return vpninfo->dtls_app_id_size + 1; - } - - return 0; -} - -extension_entry_st ext_app_id = { - .name = "app-id", - .type = DTLS_APP_ID_EXT, - .parse_type = 2, - .recv_func = ext_recv_client, - .send_func = ext_send_client, - .pack_func = NULL, - .unpack_func = NULL, - .deinit_func = NULL -}; -#endif - int openconnect_init_ssl(void) { #ifdef _WIN32 @@ -2459,12 +2348,6 @@ int openconnect_init_ssl(void) if (gnutls_global_init()) return -EIO; -#if GNUTLS_VERSION_NUMBER >= 0x030400 - gnutls_ext_register("APP-ID", DTLS_APP_ID_EXT, GNUTLS_EXT_TLS, ext_recv_client, ext_send_client, NULL, NULL, NULL); -#else - _gnutls_ext_register(&ext_app_id); -#endif - return 0; } diff --git a/openssl-dtls.c b/openssl-dtls.c index 9dffeb67..cd2128a4 100644 --- a/openssl-dtls.c +++ b/openssl-dtls.c 
@@ -313,39 +313,6 @@ static unsigned int psk_callback(SSL *ssl, const char *hint, char *identity, return PSK_KEY_SIZE; } -static int pskident_add(SSL *s, unsigned int ext_type, const unsigned char **out, size_t *outlen, - int *al, void *add_arg) -{ - struct openconnect_info *vpninfo = add_arg; - unsigned char *buf; - - buf = malloc(vpninfo->dtls_app_id_size + 1); - if (!buf) { - vpn_progress(vpninfo, PRG_ERR, - _("Failed to create app-identity extension for OpenSSL\n")); - return 0; - } - - buf[0] = vpninfo->dtls_app_id_size; - memcpy(&buf[1], vpninfo->dtls_app_id, vpninfo->dtls_app_id_size); - - *out = buf; - *outlen = vpninfo->dtls_app_id_size + 1; - - return 1; -} - -static void pskident_free(SSL *s, unsigned int ext_type, const unsigned char *out, void *add_arg) -{ - free((void *)out); -} - -static int pskident_parse(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, - int *al, void *parse_arg) -{ - return 1; -} - #endif #if OPENSSL_VERSION_NUMBER < 0x10002000L @@ -431,9 +398,6 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd) vpninfo->dtls_attempt_period = 0; return -EINVAL; } - SSL_CTX_add_client_custom_ext(vpninfo->dtls_ctx, DTLS_APP_ID_EXT, - pskident_add, pskident_free, vpninfo, - pskident_parse, vpninfo); /* For SSL_CTX_set_cipher_list() */ cipher = "PSK";