Commit babf14fd authored by David Woodhouse

Let TLS library build DTLS cipher list dynamically

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
parent 4aad4c87
......@@ -129,18 +129,6 @@ static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *
*mtu = 1280;
}
/* For OpenSSL the configure script detects DTLS 1.2 support.
* For GnuTLS just check for v3.2.0+ */
#if defined(DTLS_GNUTLS) && GNUTLS_VERSION_NUMBER >= 0x030200
#define HAVE_DTLS12 1
#endif
#ifdef HAVE_DTLS12
# define DEFAULT_CIPHER_LIST "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
#else
# define DEFAULT_CIPHER_LIST "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
#endif
static void append_compr_types(struct oc_text_buf *buf, const char *proto, int avail)
{
if (avail) {
......@@ -239,8 +227,12 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
buf_free(reqbuf);
return -EINVAL;
}
buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: %s\r\n",
vpninfo->dtls_ciphers ? : DEFAULT_CIPHER_LIST);
buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: ");
if (vpninfo->dtls_ciphers)
buf_append(reqbuf, "%s", vpninfo->dtls_ciphers);
else
append_dtls_ciphers(vpninfo, reqbuf);
buf_append(reqbuf, "\r\n");
append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
}
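Review bot: When `vpninfo->dtls_ciphers` is unset, the header value written between the two `buf_append` calls on L29 and L34 is whatever `append_dtls_ciphers` emits, and nothing here guards against that being empty, so a backend whose cipher table compiles to no entries would send `X-DTLS-CipherSuite: ` with a blank value; that is unlikely in practice but worth stating. Suggest `/* Default list is owned by the TLS backend; see append_dtls_ciphers() in dtls.c */` above the `if` on L30. Replacing the single `buf_append` that relied on the GCC `? :` extension with three plain calls is a portability improvement. start_cstp_connection begins and ends outside this hunk.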
......@@ -434,6 +434,15 @@ void dtls_shutdown(struct openconnect_info *vpninfo)
SSL_CTX_free(vpninfo->dtls_ctx);
}
void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
{
#ifdef HAVE_DTLS12
buf_append(buf, "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
#else
buf_append(buf, "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
#endif
}
#elif defined(DTLS_GNUTLS)
#include <gnutls/dtls.h>
#include "gnutls.h"
......@@ -459,6 +468,14 @@ struct {
#endif
};
void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
{
int i;
for (i = 0; i < sizeof(gnutls_dtls_ciphers) / sizeof(gnutls_dtls_ciphers[0]); i++)
buf_append(buf, "%s%s", i ? ":" : "", gnutls_dtls_ciphers[i].name);
}
#define DTLS_SEND gnutls_record_send
#define DTLS_RECV gnutls_record_recv
#define DTLS_FREE gnutls_deinit
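Review bot: The loop counter `int i` on L57 is compared on L58 against a `sizeof` quotient of type `size_t`, a signed/unsigned comparison that `-Wsign-compare` flags; declaring it `size_t i;` (or `unsigned i;`) matches the index type and leaves the `i ? ":" : ""` separator logic on L59 unchanged. The `vpninfo` parameter is not read in this variant, and the OpenSSL variant of the same function in the previous hunk does not read it either, so `(void)vpninfo;` would silence `-Wunused-parameter` where it is enabled — presumably the parameter is kept so a later change can filter per connection, but that is a guess about intent. The `gnutls_dtls_ciphers` table this loop iterates is defined starting outside the hunk.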
......@@ -768,6 +768,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
void dtls_close(struct openconnect_info *vpninfo);
void dtls_shutdown(struct openconnect_info *vpninfo);
void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
/* cstp.c */
void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
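Review bot: The new prototype on L69 carries no comment, and the function's contract is not obvious from its name: both backend implementations append a colon-separated cipher list with no leading or trailing separator and no line ending, leaving the caller to terminate the header. Suggest `/* Append the backend's default DTLS cipher list (colon-separated, no trailing separator). */` above the declaration, matching the `/* cstp.c */`-style grouping comments already used in this header.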