enable DTLS negotiation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2016-09-16 at 15:07 +0200, Nikos Mavrogiannopoulos wrote:
> 
> Ok. For openconnect client it would be fairly easy to handle this,
> only send an extension with fairly static data, as it only sends a
> username. However, there is a catch, we should do that for both
> openssl and gnutls. Ocserv would require to be able to parse the TLS
> client hello since the extension data are in variable positions,
> however that shouldn't be really hard. I could do the ocserv part and
> the gnutls part if you do the openssl part :)

Have I got the actual payload of the extension right? I've done it as
an ASN.1 SEQUENCE containing one or more (in our case just one) ASN.1
OCTET-STRINGs each with an identity.

(I note that TLS1.3 is different here, and each PskIdentity contains
also a PskKeyExchangeMode and a PskAuthenticationMode. Is that likely
to end up in the draft for 1.2 before it becomes final?)

I have hex-printed the identity since it's often going to be treated as
a printable string. The existing PSK callback for OpenSSL, for example,
assumes that it's a string. As does gnutls_psk_set_cient_credentials().

I need to check that the server returns the correct identity too. That
one would just be the OCTET-STRING with no SEQUENCE since there can be
only one?

diff --git a/openssl-dtls.c b/openssl-dtls.c
index 84682a4..b3922fb 100644
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
@@ -182,15 +182,54 @@ static unsigned int psk_callback(SSL *ssl, const char *hint, char *identity,
 				 unsigned int max_psk_len)
 {
 	struct openconnect_info *vpninfo = SSL_get_app_data(ssl);
-
-	if (!vpninfo || max_identity_len < 4 || max_psk_len < PSK_KEY_SIZE)
+	int i;
+	if (!vpninfo || max_identity_len <= sizeof(vpninfo->dtls_session_id) * 2 || max_psk_len < PSK_KEY_SIZE)
 		return 0;
 	vpn_progress(vpninfo, PRG_TRACE, _("PSK callback\n"));
 
-	snprintf(identity, max_psk_len, "psk");
+	for (i = 0; i < sizeof(vpninfo->dtls_session_id); i++)
+		sprintf(identity + (i*2), "%02x", vpninfo->dtls_session_id[i]);
+
 	memcpy(psk, vpninfo->dtls_secret, PSK_KEY_SIZE);
 	return PSK_KEY_SIZE;
 }
+
+static int pskident_add(SSL *s, unsigned int ext_type, const unsigned char **out, size_t *outlen,
+			int *al, void *add_arg)
+{
+	struct openconnect_info *vpninfo = add_arg;
+	unsigned char *buf;
+	int i;
+	buf = malloc(sizeof(vpninfo->dtls_session_id) * 2 + 5);
+	if (!buf) {
+		vpn_progress(vpninfo, PRG_ERR,
+			     _("Failed to create identity extension for OpenSSL\n"));
+		return 0;
+	}
+	buf[0] = 0x30;					   /* SEQUENCE	      */
+	buf[1] = sizeof(vpninfo->dtls_session_id) * 2 + 2; /* length	      */
+	buf[2] = 0x04;					   /*    OCTET-STRING */
+	buf[3] = sizeof(vpninfo->dtls_session_id) * 2;	   /*    length	      */
+	for (i = 0; i < sizeof(vpninfo->dtls_session_id); i++)
+		sprintf((char *)buf + 4 + (i*2), "%02x", vpninfo->dtls_session_id[i]);
+
+	*out = buf;
+	*outlen = sizeof(vpninfo->dtls_session_id) * 2 + 4;
+
+	return 1;
+}
+
+static void pskident_free(SSL *s, unsigned int ext_type, const unsigned char *out, void *add_arg)
+{
+	free((void *)out);
+}
+
+static int pskident_parse(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen,
+			  int *al, void *parse_arg)
+{
+	return 1;
+}
+
 #endif
 
 int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
@@ -268,6 +307,9 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 				vpninfo->dtls_attempt_period = 0;
 				return -EINVAL;
 			}
+			SSL_CTX_add_client_custom_ext(vpninfo->dtls_ctx, 10015,
+						      pskident_add, pskident_free, vpninfo,
+						      pskident_parse, vpninfo);
 			/* For SSL_CTX_set_cipher_list() */
 			cipher = "PSK";
 #endif
?
-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160916/15351e95/attachment-0001.bin>


[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux