Simplify DTLS conditionals

These can look like ESP now too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Makefile.am

@@ -22,7 +22,7 @@ openconnect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFL
 openconnect_LDADD = libopenconnect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS)
 
 library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c mainloop.c script.c ntlm.c digest.c
-lib_srcs_cisco = auth.c cstp.c dtls.c
+lib_srcs_cisco = auth.c cstp.c
 lib_srcs_juniper = oncp.c lzo.c auth-juniper.c
 lib_srcs_gnutls = gnutls.c gnutls_pkcs12.c gnutls_tpm.c
 lib_srcs_openssl = openssl.c openssl-pkcs11.c
@@ -59,6 +59,9 @@ if OPENCONNECT_OPENSSL
 library_srcs += $(lib_srcs_openssl)
 lib_srcs_esp += openssl-esp.c
 endif
+if OPENCONNECT_DTLS
+lib_srcs_cisco += dtls.c
+endif
 if OPENCONNECT_ESP
 lib_srcs_juniper += $(lib_srcs_esp)
 endif

configure.ac

@@ -267,6 +267,7 @@ AC_ARG_WITH([openssl],
 
 ssl_library=
 esp=
+dtls=
 
 if test "$with_openssl" != "" -a "$with_openssl" != "no"; then
     if test "$with_gnutls" = ""; then
@@ -446,8 +447,8 @@ case "$ssl_library" in
 	LIBS="${oldLIBS}"
 	CFLAGS="${oldCFLAGS}"
 
+	dtls=yes
 	AC_DEFINE(OPENCONNECT_OPENSSL, 1, [Using OpenSSL])
-	AC_DEFINE(DTLS_OPENSSL, 1, [Using OpenSSL for DTLS])
 	AC_SUBST(SSL_PC, [openssl])
 	AC_SUBST(SSL_LIBS, ['$(OPENSSL_LIBS)'])
 	AC_SUBST(SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
@@ -515,7 +516,7 @@ case "$ssl_library" in
 	AC_CHECK_FUNC(gnutls_system_key_add_x509,
 		      [AC_DEFINE(HAVE_GNUTLS_SYSTEM_KEYS, 1, [From GnuTLS 3.4.0])], [])
 	AC_CHECK_FUNC(gnutls_session_set_premaster,
-		      [AC_DEFINE(DTLS_GNUTLS, 1, [Using GnuTLS for DTLS])])
+		      [dtls=yes], [])
 	AC_CHECK_FUNC(gnutls_pkcs11_add_provider,
 		      [PKG_CHECK_MODULES(P11KIT, p11-kit-1,
 					 [AC_DEFINE(HAVE_P11KIT, 1, [Have. P11. Kit.])
@@ -570,11 +571,14 @@ AM_CONDITIONAL(TEST_DSA, [test "$enable_dsa_tests" = "yes"])
 AM_CONDITIONAL(OPENCONNECT_GNUTLS,  [ test "$ssl_library" = "GnuTLS" ])
 AM_CONDITIONAL(OPENCONNECT_OPENSSL, [ test "$ssl_library" = "OpenSSL" ])
 AM_CONDITIONAL(OPENCONNECT_ESP, [ test "$esp" != "" ])
+AM_CONDITIONAL(OPENCONNECT_DTLS, [ test "$dtls" != "" ])
 
 if test "$esp" != ""; then
     AC_DEFINE(HAVE_ESP, 1, [Build with ESP support])
 fi
-
+if test "$dtls" != ""; then
+    AC_DEFINE(HAVE_DTLS, 1, [Build with DTLS support])
+fi
 
 AC_ARG_WITH(lz4,
   AS_HELP_STRING([--without-lz4], [disable support for LZ4 compression]),
@@ -1016,6 +1020,7 @@ AC_DEFUN([SUMMARY],
 echo "BUILD OPTIONS:"
 SUMMARY([SSL library], [$ssl_library])
 SUMMARY([[PKCS#11 support]], [$pkcs11_support])
+SUMMARY([DTLS support], [$dtls])
 SUMMARY([ESP support], [$esp])
 SUMMARY([libproxy support], [$libproxy_pkg])
 SUMMARY([RSA SecurID support], [$libstoken_pkg])

dtls.c

@@ -91,7 +91,7 @@ int RAND_bytes(char *buf, int len)
  * their clients use anyway.
  */
 
-#if defined(DTLS_OPENSSL)
+#if defined(OPENCONNECT_OPENSSL)
 #define DTLS_SEND SSL_write
 #define DTLS_RECV SSL_read
 #define DTLS_FREE SSL_free
@@ -489,7 +489,7 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 #endif
 }
 
-#elif defined(DTLS_GNUTLS)
+#elif defined(OPENCONNECT_GNUTLS)
 #include <gnutls/dtls.h>
 #include "gnutls.h"
 
@@ -811,15 +811,6 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period)
 	if (!dtls_attempt_period)
 		return 0;
 
-#if defined(OPENCONNECT_GNUTLS) && defined(DTLS_OPENSSL)
-	/* If we're using GnuTLS for authentication but OpenSSL for DTLS,
-	   we'll need to initialise OpenSSL now... */
-	SSL_library_init();
-	ERR_clear_error();
-	SSL_load_error_strings();
-	OpenSSL_add_all_algorithms();
-#endif
-
 	while (dtls_opt) {
 		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("DTLS option %s : %s\n"),
@@ -1085,7 +1076,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
 				send_pkt->cstp.hdr[7] = AC_PKT_COMPRESSED;
 		}
 
-#if defined(DTLS_OPENSSL)
+#ifdef OPENCONNECT_OPENSSL
 		ret = SSL_write(vpninfo->dtls_ssl, &send_pkt->cstp.hdr[7], send_pkt->len + 1);
 		if (ret <= 0) {
 			ret = SSL_get_error(vpninfo->dtls_ssl, ret);
@@ -1106,7 +1097,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
 			}
 			return work_done;
 		}
-#elif defined(DTLS_GNUTLS)
+#else /* GnuTLS */
 		ret = gnutls_record_send(vpninfo->dtls_ssl, &send_pkt->cstp.hdr[7], send_pkt->len + 1);
 		if (ret <= 0) {
 			if (ret != GNUTLS_E_AGAIN && ret != GNUTLS_E_INTERRUPTED) {

library.c

@@ -290,9 +290,9 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	free(vpninfo->dtls_cipher);
 #ifdef OPENCONNECT_GNUTLS
 	gnutls_free(vpninfo->cstp_cipher); /* In OpenSSL this is const */
-#endif
-#ifdef DTLS_GNUTLS
+#ifdef HAVE_DTLS
 	gnutls_free(vpninfo->gnutls_dtls_cipher);
+#endif
 #endif
 	free(vpninfo->dtls_addr);
 
@@ -873,7 +873,7 @@ const char *openconnect_get_dtls_compression(struct openconnect_info * vpninfo)
 
 const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo)
 {
-#if defined(DTLS_GNUTLS)
+#if defined(OPENCONNECT_GNUTLS)
 	if (vpninfo->dtls_state != DTLS_CONNECTED) {
 		gnutls_free(vpninfo->gnutls_dtls_cipher);
 		vpninfo->gnutls_dtls_cipher = NULL;

main.c

@@ -617,11 +617,7 @@ static void print_build_opts(void)
 	}
 
 #ifdef HAVE_DTLS
-	printf("%sDTLS", sep);
-#if defined(OPENCONNECT_GNUTLS) && defined(DTLS_OPENSSL)
-	printf(" (%s)", _("using OpenSSL"));
-#endif
-	printf("\n");
+	printf("%sDTLS\n", sep);
 #else
 	printf(_("\nWARNING: No DTLS support in this binary. Performance will be impaired.\n"));
 #endif

openconnect-internal.h

@@ -41,7 +41,7 @@
 
 #include "openconnect.h"
 
-#if defined(OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
+#if defined(OPENCONNECT_OPENSSL)
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 /* Ick */
@@ -528,10 +528,10 @@ struct openconnect_info {
 	int reconnect_interval;
 	int dtls_attempt_period;
 	time_t new_dtls_started;
-#if defined(DTLS_OPENSSL)
+#if defined(OPENCONNECT_OPENSSL)
 	SSL_CTX *dtls_ctx;
 	SSL *dtls_ssl;
-#elif defined(DTLS_GNUTLS)
+#elif defined(OPENCONNECT_GNUTLS)
 	/* Call this dtls_ssl rather than dtls_sess because it's just a
 	   pointer, and generic code in dtls.c wants to check if it's
 	   NULL or not or pass it to DTLS_SEND/DTLS_RECV. This way we
@@ -664,10 +664,6 @@ struct openconnect_info {
 #define read_fd_monitored(_v, _n) FD_ISSET(_v->_n##_fd, &_v->_select_rfds)
 #endif
 
-#if defined(DTLS_OPENSSL) || defined(DTLS_GNUTLS)
-#define HAVE_DTLS 1
-#endif
-
 /* Packet types */
 
 #define AC_PKT_DATA		0	/* Uncompressed data */

ssl.c

@@ -613,7 +613,7 @@ int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo)
 }
 #endif
 
-#if defined(OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
+#if defined(OPENCONNECT_OPENSSL)
 /* We put this here rather than in openssl.c because it might be needed
    for OpenSSL DTLS support even when GnuTLS is being used for HTTPS */
 int openconnect_print_err_cb(const char *str, size_t len, void *ptr)