From ecfc792340de6d2639b41cd7ec524c17821726b6 Mon Sep 17 00:00:00 2001
From: cspengl
Date: Fri, 25 Mar 2022 19:31:44 +0100
Subject: [PATCH 1/3] Add dtls app id as psk identity hint

Signed-off-by: cspengl
---
 gnutls-dtls.c | 13 +++++++++----
 openssl-dtls.c | 10 ++++++++--
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 3fd78e958..5f9ba1a26 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
@@ -249,10 +249,15 @@ static int start_dtls_psk_handshake(struct openconnect_info *vpninfo, gnutls_ses
 key.data = vpninfo->dtls_secret;
 key.size = PSK_KEY_SIZE;
 
- /* we set an arbitrary username here. We cannot take advantage of the
- * username field to send our ID to the server, since the username in TLS-PSK
- * is sent after the server-hello. */
- err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, "psk", &key, 0);
+ /* setting the psk identity hint to the application id for giving
+ * servers the chance to identify a client by the psk identity hint
+ */
+ if (vpninfo->dtls_app_id_size > 0) {
+ err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, (const char*)vpninfo->dtls_app_id, &key, 0);
+ } else {
+ err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, "psk", &key, 0);
+ }
+
 if (err < 0) {
 vpn_progress(vpninfo, PRG_ERR,
 _("Failed to set DTLS key: %s\n"),
diff --git a/openssl-dtls.c b/openssl-dtls.c
index f9b728c17..c0e394897 100644
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
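Review bot: The new call hands `vpninfo->dtls_app_id` to `gnutls_psk_set_client_credentials()` as a NUL-terminated string, but the paired `dtls_app_id_size` field shows it is a sized byte buffer, so an unterminated value is read past its end and an embedded NUL silently truncates the identity. The datum-taking `gnutls_psk_set_client_credentials2()` that the last patch of this series switches to is the right call; this patch should be squashed with it rather than merged on its own. The comment also misnames what is being set: in TLS-PSK the server sends an identity *hint* while the client sends the PSK *identity*, and this call sets the latter — suggest `/* Send the application ID as the PSK identity so the server can identify this client. */`. start_dtls_psk_handshake() begins and ends outside the hunk.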
@@ -303,11 +303,17 @@ static unsigned int psk_callback(SSL *ssl, const char *hint, char *identity,
 {
 struct openconnect_info *vpninfo = SSL_get_app_data(ssl);
 
- if (!vpninfo || max_identity_len < 4 || max_psk_len < PSK_KEY_SIZE)
+ if (!vpninfo || max_identity_len < 4 || max_psk_len < PSK_KEY_SIZE || vpninfo->dtls_app_id_size > max_identity_len)
 return 0;
 
 vpn_progress(vpninfo, PRG_TRACE, _("PSK callback\n"));
 
- snprintf(identity, max_psk_len, "psk");
+ if(vpninfo->dtls_app_id_size > 0) {
+ memcpy(identity, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size);
+ } else {
+ snprintf(identity, max_psk_len, "psk");
+ }
+
+ memcpy(identity, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size);
 memcpy(psk, vpninfo->dtls_secret, PSK_KEY_SIZE);
 return PSK_KEY_SIZE;
-- 
GitLab

From d267f7f2fcf12aadc86ee089eb86450d1a54f3b4 Mon Sep 17 00:00:00 2001
From: cspengl
Date: Fri, 25 Mar 2022 22:22:45 +0100
Subject: [PATCH 2/3] Add null termination to dtls app id

Signed-off-by: cspengl
---
 gnutls-dtls.c | 5 ++++-
 openssl-dtls.c | 2 --
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 5f9ba1a26..149899ecb 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
@@ -253,7 +253,10 @@ static int start_dtls_psk_handshake(struct openconnect_info *vpninfo, gnutls_ses
 * servers the chance to identify a client by the psk identity hint
 */
 if (vpninfo->dtls_app_id_size > 0) {
- err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, (const char*)vpninfo->dtls_app_id, &key, 0);
+ size_t size_terminated = vpninfo->dtls_app_id_size + sizeof(char);
+ char* dtls_app_id_terminated = (char*) malloc(size_terminated);
+ strncpy(dtls_app_id_terminated,(char*)vpninfo->dtls_app_id, size_terminated);
+ err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, (const char*)dtls_app_id_terminated, &key, 0);
 } else {
 err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, "psk", &key, 0);
 }
diff --git a/openssl-dtls.c b/openssl-dtls.c
index c0e394897..f57df1dba 100644
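Review bot: `identity` is left without a NUL terminator when the app id is copied in, and OpenSSL reads the identity buffer as a C string, so whatever bytes follow `dtls_app_id_size` in the buffer become part of the identity or the read runs off its end. The size guard on the first `+` line needs `>=` instead of `>` to reserve a byte for the terminator, and the copy needs an explicit `identity[vpninfo->dtls_app_id_size] = '\0';`. The fallback `snprintf` bounds by `max_psk_len` rather than `max_identity_len`; that was already so before this change, but it is the wrong buffer's limit and this is the moment to fix it. The unconditional second `memcpy` after the if/else clobbers the `"psk"` fallback and is deleted again by the next patch in the series, so it should not be introduced here. psk_callback()'s closing brace lies outside the hunk.
```c
	if (!vpninfo || max_identity_len < 4 || max_psk_len < PSK_KEY_SIZE ||
	    vpninfo->dtls_app_id_size >= max_identity_len)
		return 0;
	/* … unchanged: PRG_TRACE progress message … */
	if (vpninfo->dtls_app_id_size > 0) {
		memcpy(identity, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size);
		identity[vpninfo->dtls_app_id_size] = '\0';
	} else {
		snprintf(identity, max_identity_len, "psk");
	}
	/* … unchanged: psk copy and return … */
```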
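Review bot: `strncpy` with `size_terminated` (`dtls_app_id_size + 1`) does not produce the NUL termination the commit title promises: when the source holds no NUL within `dtls_app_id_size` bytes it reads one byte past `dtls_app_id` and copies that stray byte where the terminator should be. The correct form is `memcpy(dtls_app_id_terminated, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size); dtls_app_id_terminated[vpninfo->dtls_app_id_size] = '\0';`. `malloc` is unchecked and the buffer is never freed, so each handshake leaks it; if GnuTLS copies the username internally (I believe it does — verify), it can be freed right after the call. The final patch of the series replaces this block with the datum API, which makes all of this moot, so the series is better squashed. start_dtls_psk_handshake() continues outside the hunk.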
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
@@ -313,8 +313,6 @@ static unsigned int psk_callback(SSL *ssl, const char *hint, char *identity,
 snprintf(identity, max_psk_len, "psk");
 }
 
- memcpy(identity, vpninfo->dtls_app_id, vpninfo->dtls_app_id_size);
-
 memcpy(psk, vpninfo->dtls_secret, PSK_KEY_SIZE);
 return PSK_KEY_SIZE;
 }
-- 
GitLab

From 297f369227d9250e7d9e740245756852fd009bac Mon Sep 17 00:00:00 2001
From: cspengl
Date: Mon, 28 Mar 2022 20:58:01 +0200
Subject: [PATCH 3/3] Use 'gnutls_psk_set_client_credentials2()' for setting psk credentials

Signed-off-by: cspengl
---
 gnutls-dtls.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 149899ecb..42488eebe 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
@@ -253,10 +253,8 @@ static int start_dtls_psk_handshake(struct openconnect_info *vpninfo, gnutls_ses
 * servers the chance to identify a client by the psk identity hint
 */
 if (vpninfo->dtls_app_id_size > 0) {
- size_t size_terminated = vpninfo->dtls_app_id_size + sizeof(char);
- char* dtls_app_id_terminated = (char*) malloc(size_terminated);
- strncpy(dtls_app_id_terminated,(char*)vpninfo->dtls_app_id, size_terminated);
- err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, (const char*)dtls_app_id_terminated, &key, 0);
+ gnutls_datum_t id = {vpninfo->dtls_app_id, vpninfo->dtls_app_id_size};
+ err = gnutls_psk_set_client_credentials2(vpninfo->psk_cred, &id, &key, 0);
 } else {
 err = gnutls_psk_set_client_credentials(vpninfo->psk_cred, "psk", &key, 0);
 }
-- 
GitLab
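Review bot: `gnutls_psk_set_client_credentials2()` is a newer API than the `gnutls_psk_set_client_credentials()` the else branch still uses, so either the project's minimum GnuTLS version has to cover it or the call needs a `GNUTLS_VERSION_NUMBER` guard with a NUL-terminated-copy fallback; I see no configure check anywhere in this series. The datum initialiser would be clearer with designated fields, `gnutls_datum_t id = { .data = vpninfo->dtls_app_id, .size = vpninfo->dtls_app_id_size };`; `data` is `unsigned char *`, and the `(char*)` casts the previous patch needed suggest the field already has that type, so no cast is wanted here. In (D)TLS 1.2 the PSK identity travels unencrypted in the ClientKeyExchange, so the application ID is visible to anyone on the path; the comment above the block, which also still says "identity hint" where the client's PSK identity is meant, should record that, e.g. `/* Send the application ID as the PSK identity (transmitted in the clear) so the server can identify this client. */`. start_dtls_psk_handshake() begins and ends outside the hunk.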