worker: added safety check for selected DTLS ciphersuite prior to use

This avoids a crash when no DTLS ciphersuite is selected and adds a
test case for negotiation without DTLS.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

NEWS

@@ -1,3 +1,7 @@
+* Version 0.12.3 (unreleased)
+- Prevented crash when no DTLS ciphersuite is negotiated
+
+
 * Version 0.12.2 (released 2019-01-10)
 - Added support for AES256-SHA legacy cipher. This allows the anyconnect
   clients to use AES256.

src/worker-http.c

@@ -432,7 +432,6 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
 	        req->selected_ciphersuite = cand;
 
 		break;
-
 	case HEADER_DTLS12_CIPHERSUITE:
 		if (req->use_psk || !WSCONFIG(ws)->dtls_legacy)
 			break;

src/worker-vpn.c

@@ -1751,7 +1751,7 @@ static void calc_mtu_values(worker_st * ws)
 						gnutls_cipher_get(ws->session),
 						gnutls_mac_get(ws->session));
 			}
-		} else {
+		} else if (ws->req.selected_ciphersuite) {
 			ws->dtls_crypto_overhead =
 			    tls_get_overhead(ws->req.
 					     selected_ciphersuite->gnutls_version,
@@ -2199,7 +2199,7 @@ static int connect_handler(worker_st * ws)
 			oclog(ws, LOG_INFO, "DTLS ciphersuite: "DTLS_PROTO_INDICATOR);
 			ret =
 			    cstp_printf(ws, "X-DTLS-CipherSuite: "DTLS_PROTO_INDICATOR"\r\n");
-		} else {
+		} else if (ws->req.selected_ciphersuite) {
 			ret =
 			    cstp_printf(ws, "X-DTLS-Session-ID: %s\r\n",
 				       ws->buffer);

tests/Makefile.am

@@ -59,7 +59,8 @@ dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
 if ENABLE_NUTTCP_TESTS
 dist_check_SCRIPTS += traffic lz4-compression lzs-compression \
 	aes256-cipher aes128-cipher oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
-	test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher
+	test-config-per-group ac-aes128-gcm-cipher ac-aes256-gcm-cipher \
+	no-dtls-cipher
 endif
 
 endif

tests/cipher-common.sh

@@ -144,12 +144,21 @@ if test $? != 0;then
 	exit 1
 fi
 
+if test -z "${GNUTLS_NAME}";then
+	grep "DTLS cipher:" ${OUTFILE}
+	if test $? = 0;then
+		${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+		echo "occtl show user did show a cipher!"
+		exit 1
+	fi
+else
 	grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
 	if test $? != 0;then
 		${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 		echo "occtl show user didn't show cipher!"
 		exit 1
 	fi
+fi
 
 grep ${CLI_ADDRESS} ${OUTFILE}
 if test $? != 0;then

tests/no-dtls-cipher

@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# This tests support for anyconnect's DTLS1.2 support
+
+PKG_CONFIG="${PKG_CONFIG:-/usr/bin/pkg-config}"
+CIPHER_NAME="UNKNOWN"
+GNUTLS_NAME=""
+
+. cipher-common.sh
+