From 5a933303a4335b9cf09fbb6962178255afa4af14 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 10 Jan 2019 14:01:49 +0000
Subject: [PATCH] Add --dtls12-ciphers option
Signed-off-by: David Woodhouse
---
cstp.c | 9 ++++++---
main.c | 5 +++++
openconnect-internal.h | 1 +
openconnect.8.in | 4 ++++
4 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/cstp.c b/cstp.c
index fcd4ba3b..14ed4b46 100644
--- a/cstp.c
+++ b/cstp.c
@@ -284,9 +284,12 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
}
- if (vpninfo->dtls_ciphers)
- buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", vpninfo->dtls_ciphers);
- else {
+ if (vpninfo->dtls_ciphers || vpninfo->dtls12_ciphers) {
+ if (vpninfo->dtls_ciphers)
+ buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", vpninfo->dtls_ciphers);
+ if (vpninfo->dtls12_ciphers)
+ buf_append(reqbuf, "X-DTLS12-CipherSuite: %s\r\n", vpninfo->dtls12_ciphers);
+ } else {
struct oc_text_buf *dtls_cl, *dtls12_cl;
dtls_cl = buf_alloc();
diff --git a/main.c b/main.c
index c50b4f2a..5ec7334e 100644
--- a/main.c
+++ b/main.c
@@ -158,6 +158,7 @@ enum {
OPT_CSD_WRAPPER,
OPT_DISABLE_IPV6,
OPT_DTLS_CIPHERS,
+ OPT_DTLS12_CIPHERS,
OPT_DUMP_HTTP,
OPT_FORCE_DPD,
OPT_GNUTLS_DEBUG,
@@ -251,6 +252,7 @@ static const struct option long_options[] = {
OPTION("no-passwd", 0, OPT_NO_PASSWD),
OPTION("reconnect-timeout", 1, OPT_RECONNECT_TIMEOUT),
OPTION("dtls-ciphers", 1, OPT_DTLS_CIPHERS),
+ OPTION("dtls12-ciphers", 1, OPT_DTLS12_CIPHERS),
OPTION("authgroup", 1, OPT_AUTHGROUP),
OPTION("servercert", 1, OPT_SERVERCERT),
OPTION("resolve", 1, OPT_RESOLVE),
@@ -1307,6 +1309,9 @@ int main(int argc, char **argv)
case OPT_DTLS_CIPHERS:
vpninfo->dtls_ciphers = keep_config_arg();
break;
+ case OPT_DTLS12_CIPHERS:
+ vpninfo->dtls12_ciphers = keep_config_arg();
+ break;
case OPT_AUTHGROUP:
authgroup = keep_config_arg();
break;
diff --git a/openconnect-internal.h b/openconnect-internal.h
index e6af1708..8df7d24d 100644
--- a/openconnect-internal.h
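Review bot: The new outer condition makes either cipher option suppress the automatic list for both DTLS versions — with only `--dtls12-ciphers` given, the request carries `X-DTLS12-CipherSuite` and no `X-DTLS-CipherSuite` at all, whereas the `else` branch that follows appears to build both `dtls_cl` and `dtls12_cl`; that consequence is not stated anywhere in the patch. A comment on the new `if` would make it deliberate: `/* Any user-supplied list replaces the auto-generated lists for BOTH DTLS versions; a version whose option is omitted gets no header at all. */`. Neither value is checked for CR/LF before being formatted into the request with `%s\r\n`, which matches the pre-existing dtls_ciphers path; since both come from the command line or config file via keep_config_arg this is presumably not a trust boundary, but worth a one-line note if the config file can be supplied by a less trusted party. start_cstp_connection begins and ends outside the hunk.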
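Review bot: The option is wired into the enum, the long_options table and the getopt switch, but the diffstat's five added lines for main.c leave no room for a help-text entry, so `--help` will presumably not list `--dtls12-ciphers` even though the man page gains it — verify and add a line next to the existing `--dtls-ciphers` help entry mirroring the man page wording ("Set OpenSSL ciphers for Cisco's DTLS v1.2"). The new `case` stores the argument unvalidated and overwrites any earlier value, exactly like OPT_DTLS_CIPHERS; whether that leaks a previously stored copy depends on what keep_config_arg returns for config-file values, which the hunk does not show. main() begins and ends outside the hunk.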
+++ b/openconnect-internal.h
@@ -427,6 +427,7 @@ struct openconnect_info {
int nopasswd;
int xmlpost;
char *dtls_ciphers;
+ char *dtls12_ciphers;
char *csd_wrapper;
int no_http_keepalive;
int dump_http_traffic;
diff --git a/openconnect.8.in b/openconnect.8.in
index 6ff205ce..b7ba20fe 100644
--- a/openconnect.8.in
+++ b/openconnect.8.in
@@ -48,6 +48,7 @@ openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others
.OP \-\-cafile file
.OP \-\-disable\-ipv6
.OP \-\-dtls\-ciphers list
+.OP \-\-dtls12\-ciphers list
.OP \-\-dtls\-local\-port port
.OP \-\-dump\-http\-traffic
.OP \-\-no\-system\-trust
@@ -368,6 +369,9 @@ Do not advertise IPv6 capability to server
.B \-\-dtls\-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
.TP
+.B \-\-dtls12\-ciphers=LIST
+Set OpenSSL ciphers for Cisco's DTLS v1.2
+.TP
.B \-\-dtls\-local\-port=PORT
Use
.I PORT
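Review bot: `dtls12_ciphers` is added as a bare `char *` beside `dtls_ciphers` with no ownership note, and the patch touches no teardown code, so whichever function releases `dtls_ciphers` (if any — keep_config_arg values may simply live for the process) should treat the new field identically, otherwise the two fields' lifetimes silently diverge. A short comment at the declaration would pin the contract: `/* User-supplied list sent as X-DTLS12-CipherSuite (--dtls12-ciphers); same ownership as dtls_ciphers */`. struct openconnect_info begins and ends outside the hunk.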