From babf14fdf7ff0c6adb04bc26869385ae8a20a1e1 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 6 Aug 2015 16:40:00 +0100
Subject: [PATCH] Let TLS library build DTLS cipher list dynamically

Signed-off-by: David Woodhouse
---
 cstp.c                 | 20 ++++++--------------
 dtls.c                 | 17 +++++++++++++++++
 openconnect-internal.h |  1 +
 3 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/cstp.c b/cstp.c
index d0d7eff6..4aad2c1b 100644
--- a/cstp.c
+++ b/cstp.c
@@ -129,18 +129,6 @@ static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *
 	*mtu = 1280;
 }
 
-/* For OpenSSL the configure script detects DTLS 1.2 support.
- * For GnuTLS just check for v3.2.0+ */
-#if defined(DTLS_GNUTLS) && GNUTLS_VERSION_NUMBER >= 0x030200
-#define HAVE_DTLS12 1
-#endif
-
-#ifdef HAVE_DTLS12
-# define DEFAULT_CIPHER_LIST "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
-#else
-# define DEFAULT_CIPHER_LIST "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
-#endif
-
 static void append_compr_types(struct oc_text_buf *buf, const char *proto, int avail)
 {
 	if (avail) {
@@ -239,8 +227,12 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 			buf_free(reqbuf);
 			return -EINVAL;
 		}
-		buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: %s\r\n",
-			   vpninfo->dtls_ciphers ? : DEFAULT_CIPHER_LIST);
+		buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: ");
+		if (vpninfo->dtls_ciphers)
+			buf_append(reqbuf, "%s", vpninfo->dtls_ciphers);
+		else
+			append_dtls_ciphers(vpninfo, reqbuf);
+		buf_append(reqbuf, "\r\n");
 		append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
 	}
 
diff --git a/dtls.c b/dtls.c
index abffbf1f..f7b2f5ca 100644
--- a/dtls.c
+++ b/dtls.c
@@ -434,6 +434,15 @@ void dtls_shutdown(struct openconnect_info *vpninfo)
 	SSL_CTX_free(vpninfo->dtls_ctx);
 }
+void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+{
+#ifdef HAVE_DTLS12
+	buf_append(buf, "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
+#else
+	buf_append(buf, "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
+#endif
+}
+
 
 #elif defined(DTLS_GNUTLS)
 #include
 #include "gnutls.h"
@@ -459,6 +468,14 @@ struct {
 #endif
 };
+void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+{
+	int i;
+
+	for (i = 0; i < sizeof(gnutls_dtls_ciphers) / sizeof(gnutls_dtls_ciphers[0]); i++)
+		buf_append(buf, "%s%s", i ? ":" : "", gnutls_dtls_ciphers[i].name);
+}
+
 
 #define DTLS_SEND gnutls_record_send
 #define DTLS_RECV gnutls_record_recv
 #define DTLS_FREE gnutls_deinit
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 0385f392..a771c796 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -768,6 +768,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 void dtls_close(struct openconnect_info *vpninfo);
 void dtls_shutdown(struct openconnect_info *vpninfo);
+void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
 
 /* cstp.c */
 void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
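Review bot: `vpninfo->dtls_ciphers` goes into the `X-DTLS-CipherSuite` header value unchecked in the new `if` branch, so a value containing CR or LF (presumably it comes from a command-line or config option, which cannot be confirmed from here) would split the request header; a guard mirroring the `buf_free(reqbuf); return -EINVAL;` pattern a few lines above, such as `if (strpbrk(vpninfo->dtls_ciphers, "\r\n")) { buf_free(reqbuf); return -EINVAL; }`, keeps the header well-formed. The old single `buf_append` had the same gap, so this is not introduced by the commit, but the split into three appends is the natural place to add it. start_cstp_connection starts and ends outside the hunk.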
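Review bot: The OpenSSL `append_dtls_ciphers` selects its list with `#ifdef HAVE_DTLS12`, yet the only definition of that macro in this patch is the GnuTLS version check being removed from cstp.c; the removed comment says configure detects DTLS 1.2 for OpenSSL, so presumably config.h supplies it, but if it does not reach dtls.c the build silently offers only the pre-1.2 list with no warning. The `vpninfo` parameter is unused in this variant, which is fine for API symmetry with the GnuTLS version but deserves a comment such as `/* vpninfo unused: OpenSSL's list is fixed at build time */`. The list also still offers `DES-CBC-SHA` (single DES) and `DES-CBC3-SHA`, carried over unchanged from the removed macro; a comment stating they are retained for older gateways would record that as a deliberate choice rather than an oversight.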
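Review bot: In the GnuTLS `append_dtls_ciphers`, the index `int i` is compared with the `sizeof`-derived bound, a signed/unsigned comparison that `-Wsign-compare` (enabled by `-Wextra`) reports; declaring `size_t i;` instead removes the warning without changing behaviour. The `"%s%s"` join with `i ? ":" : ""` yields the same colon-separated, no-trailing-separator string the cstp.c caller expects. `gnutls_dtls_ciphers` is defined above the hunk, so whether every element kept under its `#if` guards has a non-NULL `name` cannot be checked here.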
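Review bot: The new `append_dtls_ciphers` prototype has no comment describing its contract, and since it now has two library-specific definitions in dtls.c this declaration is the one place a caller looks; a line such as `/* Append the TLS library's default DTLS cipher list to buf, colon-separated, no trailing ':' */` would document it. Neither definition in this patch reads `vpninfo`, so the comment could also say the parameter is reserved for future per-connection selection if that is the intent.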