Clean up X-DTLS-CipherSuite header generation to allow for DTLSv1.2

Allow crypto code to provide the values for both DTLS and DTLSv1.2 headers separately. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
sailfishos-mirror · Jan 9, 2019 · fd8806e · fd8806e
1 parent 6526aa6
commit fd8806e
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 10 deletions.
diff --git a/cstp.c b/cstp.c
@@ -274,19 +274,31 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 			buf_append(reqbuf, "%02X", vpninfo->dtls_secret[i]);
 			dtls_secret_set |= vpninfo->dtls_secret[i];
 		}
+		buf_append(reqbuf, "\r\n");
+
 		if (!dtls_secret_set) {
 			vpn_progress(vpninfo, PRG_ERR,
 				     _("CRITICAL ERROR: DTLS master secret is uninitialised. Please report this.\n"));
 			buf_free(reqbuf);
 			return -EINVAL;
 		}
-		buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: ");
-		if (vpninfo->dtls_ciphers)
-			buf_append(reqbuf, "%s", vpninfo->dtls_ciphers);
-		else
-			append_dtls_ciphers(vpninfo, reqbuf);
-		buf_append(reqbuf, "\r\n");
 
+
+		if (vpninfo->dtls_ciphers)
+			buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", vpninfo->dtls_ciphers);
+		else {
+			struct oc_text_buf *dtls_cl, *dtls12_cl;
+
+			dtls_cl = buf_alloc();
+			dtls12_cl = buf_alloc();
+			gather_dtls_ciphers(vpninfo, dtls_cl, dtls12_cl);
+			if (!buf_error(dtls_cl) && dtls_cl->pos)
+				buf_append(reqbuf, "X-DTLS-CipherSuite: %s\r\n", dtls_cl->data);
+			if (!buf_error(dtls12_cl) && dtls12_cl->pos)
+				buf_append(reqbuf, "X-DTLS12-CipherSuite: %s\r\n", dtls12_cl->data);
+			buf_free(dtls_cl);
+			buf_free(dtls12_cl);
+		}
 		append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
 	}
 #endif

diff --git a/gnutls-dtls.c b/gnutls-dtls.c
@@ -82,7 +82,8 @@ struct {
 };
 
 #if GNUTLS_VERSION_NUMBER < 0x030009
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+			 struct oc_text_buf *buf12)
 {
 	int i, first = 1;
 
@@ -93,8 +94,10 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 			first = 0;
 		}
 	}
+}
 #else
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+			 struct oc_text_buf *buf12)
 {
 	/* only enable the ciphers that would have been negotiated in the TLS channel */
 	unsigned i, j, first = 1;

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -832,7 +832,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 void dtls_close(struct openconnect_info *vpninfo);
 void dtls_shutdown(struct openconnect_info *vpninfo);
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf, struct oc_text_buf *buf12);
 void dtls_detect_mtu(struct openconnect_info *vpninfo);
 int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
 int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);

diff --git a/openssl-dtls.c b/openssl-dtls.c
@@ -678,7 +678,8 @@ void dtls_ssl_free(struct openconnect_info *vpninfo)
 	SSL_free(vpninfo->dtls_ssl);
 }
 
-void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf)
+void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf,
+			 struct oc_text_buf *buf12)
 {
 #ifdef HAVE_DTLS12
 #ifndef OPENSSL_NO_PSK