Let TLS library build DTLS cipher list dynamically
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Aug 6, 2015
1 parent 4aad4c8 commit babf14f
Showing 3 changed files with 24 additions and 14 deletions.
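--- a/cstp.c
+++ b/cstp.c
@@ -129,18 +129,6 @@ static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *
 *mtu = 1280;
 }
 
-/* For OpenSSL the configure script detects DTLS 1.2 support.
- * For GnuTLS just check for v3.2.0+ */
-#if defined(DTLS_GNUTLS) && GNUTLS_VERSION_NUMBER >= 0x030200
-#define HAVE_DTLS12 1
-#endif
-
-#ifdef HAVE_DTLS12
-# define DEFAULT_CIPHER_LIST "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
-#else
-# define DEFAULT_CIPHER_LIST "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
-#endif
-
 static void append_compr_types(struct oc_text_buf *buf, const char *proto, int avail)
 {
 if (avail) {
@@ -239,8 +227,12 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 buf_free(reqbuf);
 return -EINVAL;
 }
-buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: %s\r\n",
-vpninfo->dtls_ciphers ? : DEFAULT_CIPHER_LIST);
+buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: ");
+if (vpninfo->dtls_ciphers)
+buf_append(reqbuf, "%s", vpninfo->dtls_ciphers);
+else
+append_dtls_ciphers(vpninfo, reqbuf);
+buf_append(reqbuf, "\r\n");
 
 append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
 }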
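Review bot: The new X-DTLS-CipherSuite emission around `if (vpninfo->dtls_ciphers)` writes the header unconditionally, so if `append_dtls_ciphers()` contributes nothing (for GnuTLS the list comes from the `gnutls_dtls_ciphers` table, which is outside this hunk and could plausibly compile to zero entries when every suite is `#ifdef`-ed out) the request goes out with an empty header value instead of simply not requesting DTLS. Having `append_dtls_ciphers()` return the number of suites it appended would let this caller do `if (!append_dtls_ciphers(vpninfo, reqbuf))` and back out of the DTLS header block instead — presumably by not advertising DTLS at all, which is the part of the function I cannot see. The user-supplied `vpninfo->dtls_ciphers` string is still copied into the header verbatim as before; it is local configuration rather than untrusted input, but a stray CR/LF in it would corrupt the request, so a one-line sanity check where the option is parsed would be cheap. `start_cstp_connection()` begins and ends outside this hunk.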
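--- a/dtls.c
+++ b/dtls.c
@@ -434,6 +434,15 @@ void dtls_shutdown(struct openconnect_info *vpninfo)
 SSL_CTX_free(vpninfo->dtls_ctx);
 }
 
+void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+{
+#ifdef HAVE_DTLS12
+buf_append(buf, "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
+#else
+buf_append(buf, "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
+#endif
+}
+
 #elif defined(DTLS_GNUTLS)
 #include <gnutls/dtls.h>
 #include "gnutls.h"
@@ -459,6 +468,14 @@ struct {
 #endif
 };
 
+void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+{
+int i;
+
+for (i = 0; i < sizeof(gnutls_dtls_ciphers) / sizeof(gnutls_dtls_ciphers[0]); i++)
+buf_append(buf, "%s%s", i ? ":" : "", gnutls_dtls_ciphers[i].name);
+}
+
 #define DTLS_SEND gnutls_record_send
 #define DTLS_RECV gnutls_record_recv
 #define DTLS_FREE gnutls_deinit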
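Review bot: The OpenSSL list in the new `append_dtls_ciphers()` (first hunk) still advertises `DES-CBC-SHA` (single DES, 56-bit key) and `DES-CBC3-SHA` after the AES suites, in both the `HAVE_DTLS12` and fallback strings; if the server selects from the list the client offers, ending up on single DES needs no attacker at all, only a server that prefers it. These suites were in `DEFAULT_CIPHER_LIST` before, so this is not a regression, but since the commit's stated goal is to let the library drive the list, this is the natural moment to drop `DES-CBC-SHA` or at least mark the choice as deliberate with a comment such as `/* DES/3DES kept for interoperability with older servers; revisit before removing */` (the interoperability reason is my assumption — confirm). Unlike the GnuTLS variant, this list is a fixed string rather than derived from what the library actually supports, which is worth a comment too so nobody expects it to adapt to OpenSSL builds that have disabled DES.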
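--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -768,6 +768,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 void dtls_close(struct openconnect_info *vpninfo);
 void dtls_shutdown(struct openconnect_info *vpninfo);
+void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
 
 /* cstp.c */
 void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);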
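Review bot: The new `append_dtls_ciphers()` prototype has no comment, and the two implementations in dtls.c differ enough (a fixed string for OpenSSL, a loop over the cipher table for GnuTLS) that the shared contract belongs here: `/* Append the TLS library's default DTLS cipher list to buf as colon-separated names with no trailing ':'; used for X-DTLS-CipherSuite when the user configured none */`. Both implementations emit the names colon-separated without a trailing separator, and the caller in cstp.c appends the CRLF itself, so the comment should say the function writes no line terminator.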
