From fd8806e63b442e6997b1da73a18f5a41ffe0c30f Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 7 Jan 2019 11:51:34 +0000
Subject: [PATCH] Clean up X-DTLS-CipherSuite header generation to allow for DTLSv1.2

Allow crypto code to provide the values for both DTLS and DTLSv1.2 headers separately.

Signed-off-by: David Woodhouse
---
 cstp.c | 24 ++++++++++++++++++------
 gnutls-dtls.c | 7 +++++--
 openconnect-internal.h | 2 +-
 openssl-dtls.c | 3 ++-
 4 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/cstp.c b/cstp.c
index 184c1c73..cab1707f 100644
--- a/cstp.c
+++ b/cstp.c
@@ -274,19 +274,31 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 buf_append(reqbuf, "%02X", vpninfo->dtls_secret[i]);
 dtls_secret_set |= vpninfo->dtls_secret[i];
 }
+ buf_append(reqbuf, "\r\n");
+
 if (!dtls_secret_set) {
 vpn_progress(vpninfo, PRG_ERR,
 _("CRITICAL ERROR: DTLS master secret is uninitialised. Please report this.\n"));
 buf_free(reqbuf);
 return -EINVAL;
 }
- buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: ");
- if (vpninfo->dtls_ciphers)
- buf_append(reqbuf, "%s", vpninfo->dtls_ciphers);
- else
- append_dtls_ciphers(vpninfo, reqbuf);
- buf_append(reqbuf, "\r\n");
+
+ if (vpninfo->dtls_ciphers)
+ buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", vpninfo->dtls_ciphers);
+ else {
+ struct oc_text_buf *dtls_cl, *dtls12_cl;
+
+ dtls_cl = buf_alloc();
+ dtls12_cl = buf_alloc();
+ gather_dtls_ciphers(vpninfo, dtls_cl, dtls12_cl);
+ if (!buf_error(dtls_cl) && dtls_cl->pos)
+ buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", dtls_cl->data);
+ if (!buf_error(dtls12_cl) && dtls12_cl->pos)
+ buf_append(reqbuf, "X-DTLS12-CipherSuite: %s\r\n", dtls12_cl->data);
+ buf_free(dtls_cl);
+ buf_free(dtls12_cl);
+ }
 append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
 }
 #endif
diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 215c7f4b..0942e7e1 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
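Review bot: In the new else-branch, if gather_dtls_ciphers() leaves both buffers empty the request carries no X-DTLS-CipherSuite header at all, whereas the removed code always emitted the header with whatever append_dtls_ciphers() produced; if the omission is deliberate, a comment such as `/* Send neither header when the crypto backend offers no DTLS suites */` next to the two guards would record it. The guards `!buf_error(dtls_cl) && dtls_cl->pos` and the unconditional buf_free() calls are only safe if buf_error() and buf_free() accept a NULL buffer from a failed buf_alloc(); that contract is not visible here, so it is worth confirming or adding an explicit NULL check after the two allocations. The vpninfo->dtls_ciphers override path emits only the legacy header, so a user-supplied cipher list implicitly suppresses X-DTLS12-CipherSuite — presumably intended until the DTLSv1.2 path lands, but a one-line comment there would save the next reader the question. start_cstp_connection() begins and ends outside this hunk.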
@@ -82,7 +82,8 @@ struct {
 };
 #if GNUTLS_VERSION_NUMBER < 0x030009
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+ struct oc_text_buf *buf12)
 {
 int i, first = 1;
@@ -93,8 +94,10 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 first = 0;
 }
 }
+}
 #else
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+ struct oc_text_buf *buf12)
 {
 /* only enable the ciphers that would have been negotiated in the TLS channel */
 unsigned i, j, first = 1;
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 43bbeea0..a696b1b7 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -832,7 +832,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 void dtls_close(struct openconnect_info *vpninfo);
 void dtls_shutdown(struct openconnect_info *vpninfo);
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf, struct oc_text_buf *buf12);
 void dtls_detect_mtu(struct openconnect_info *vpninfo);
 int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
 int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
diff --git a/openssl-dtls.c b/openssl-dtls.c
index e8ae5ac3..3647c83d 100644
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
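Review bot: The new buf12 parameter is never written by either GnuTLS variant of gather_dtls_ciphers(): the diffstat's 5 insertions and 2 deletions for gnutls-dtls.c are fully accounted for by the signature lines and the added `}` in these two hunks, so the DTLSv1.2 list stays empty and X-DTLS12-CipherSuite is never sent on this backend; the same holds for the openssl-dtls.c hunk, whose 3 changed lines are only the signature. If that is the intended staging, each body should say so with something like `(void)buf12; /* no DTLSv1.2 suites offered yet; cstp.c only sends X-DTLS12-CipherSuite when this is filled */`, which also keeps -Wunused-parameter quiet. The `+}` added before `#else` in the second hunk changes the brace balance of the GNUTLS_VERSION_NUMBER < 0x030009 branch whose loop body lies outside the hunk; it is not visible whether the old branch lacked a closing brace or the new one now has one too many, so a build against pre-3.0.9 GnuTLS should be checked. Both function bodies begin and end outside these hunks.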
@@ -678,7 +678,8 @@ void dtls_ssl_free(struct openconnect_info *vpninfo)
 SSL_free(vpninfo->dtls_ssl);
 }
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+ struct oc_text_buf *buf12)
 {
 #ifdef HAVE_DTLS12
 #ifndef OPENSSL_NO_PSK
-- 
2.50.1