Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Only enable the DTLS ciphersuites that match the ones enabled in TLS
That currently is restricted to gnutls code.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
  • Loading branch information
Nikos Mavrogiannopoulos authored and David Woodhouse committed Aug 6, 2015
1 parent 2106561 commit 20c2a03
Show file tree
Hide file tree
Showing 3 changed files with 48 additions and 5 deletions.
43 changes: 43 additions & 0 deletions dtls.c
Expand Up @@ -471,6 +471,7 @@ struct {
"NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL", "3.2.7" },
};

#if GNUTLS_VERSION_NUMBER < 0x030009
void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
{
int i, first = 1;
Expand All @@ -482,7 +483,49 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
first = 0;
}
}
#else
void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
{
/* only enable the ciphers that would have been negotiated in the TLS channel */
unsigned i, j, first = 1;
int ret;
unsigned idx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_priority_t cache;
uint32_t used = 0;

ret = gnutls_priority_init(&cache, vpninfo->gnutls_prio, NULL);
if (ret < 0) {
buf->error = -EIO;
return;
}

for (j=0; ; j++) {
ret = gnutls_priority_get_cipher_suite_index(cache, j, &idx);
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
continue;
else if (ret < 0)
break;

if (gnutls_cipher_suite_info(idx, NULL, NULL, &cipher, &mac, NULL) != NULL) {
for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
if (used & (1 << i))
continue;
if (gnutls_dtls_ciphers[i].mac == mac && gnutls_dtls_ciphers[i].cipher == cipher) {
buf_append(buf, "%s%s", first ? "" : ":",
gnutls_dtls_ciphers[i].name);
first = 0;
used |= (1 << i);
break;
}
}
}
}

gnutls_priority_deinit(cache);
}
#endif

#define DTLS_SEND gnutls_record_send
#define DTLS_RECV gnutls_record_recv
Expand Down
9 changes: 4 additions & 5 deletions gnutls.c
Expand Up @@ -2069,7 +2069,6 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
{
int ssl_sock = -1;
int err;
char prio[256];

if (vpninfo->https_sess)
return 0;
Expand Down Expand Up @@ -2222,19 +2221,19 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
* 28065ce3896b1b0f87972d0bce9b17641ebb69b9
*/
if (gnutls_check_version("3.2.9")) {
snprintf(prio, sizeof(prio), DEFAULT_PRIO_3_2_9"%s", vpninfo->pfs?":-RSA":"");
snprintf(vpninfo->gnutls_prio, sizeof(vpninfo->gnutls_prio), DEFAULT_PRIO_3_2_9"%s", vpninfo->pfs?":-RSA":"");
} else {
if (gnutls_check_version("3.0.0")) {
snprintf(prio, sizeof(prio), DEFAULT_PRIO_3_0_0"%s", vpninfo->pfs?":-RSA":"");
snprintf(vpninfo->gnutls_prio, sizeof(vpninfo->gnutls_prio), DEFAULT_PRIO_3_0_0"%s", vpninfo->pfs?":-RSA":"");
} else {

snprintf(prio, sizeof(prio), DEFAULT_PRIO_2_12_0"%s",
snprintf(vpninfo->gnutls_prio, sizeof(vpninfo->gnutls_prio), DEFAULT_PRIO_2_12_0"%s",
vpninfo->pfs?":-RSA":"");
}
}

err = gnutls_priority_set_direct(vpninfo->https_sess,
prio, NULL);
vpninfo->gnutls_prio, NULL);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set TLS priority string: %s\n"),
Expand Down
1 change: 1 addition & 0 deletions openconnect-internal.h
Expand Up @@ -470,6 +470,7 @@ struct openconnect_info {
gnutls_session_t https_sess;
gnutls_certificate_credentials_t https_cred;
char local_cert_md5[MD5_SIZE * 2 + 1]; /* For CSD */
char gnutls_prio[256];
#ifdef HAVE_TROUSERS
TSS_HCONTEXT tpm_context;
TSS_HKEY srk;
Expand Down

0 comments on commit 20c2a03

Please sign in to comment.