Allow ESP functions to be overridden

Signed-off-by: David Woodhouse <[email protected]>

esp.c

@@ -119,7 +119,7 @@ int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint
 
 	memcpy(pkt->esp.iv, vpninfo->esp_out.iv, sizeof(pkt->esp.iv));
 
-	ret = encrypt_esp_packet(vpninfo, pkt, pkt->len + padlen + 2);
+	ret = vpninfo->encrypt_esp_packet(vpninfo, pkt, pkt->len + padlen + 2);
 	if (ret)
 		return ret;
 
@@ -177,14 +177,14 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 		pkt->len = len;
 
 		if (pkt->esp.spi == esp->spi) {
-			if (decrypt_esp_packet(vpninfo, esp, pkt))
+			if (vpninfo->decrypt_esp_packet(vpninfo, esp, pkt))
 				continue;
 		} else if (pkt->esp.spi == old_esp->spi &&
 			   ntohl(pkt->esp.seq) + esp->seq < vpninfo->old_esp_maxseq) {
 			vpn_progress(vpninfo, PRG_TRACE,
 				     _("Received ESP packet from old SPI 0x%x, seq %u\n"),
 				     (unsigned)ntohl(old_esp->spi), (unsigned)ntohl(pkt->esp.seq));
-			if (decrypt_esp_packet(vpninfo, old_esp, pkt))
+			if (vpninfo->decrypt_esp_packet(vpninfo, old_esp, pkt))
 				continue;
 		} else {
 			vpn_progress(vpninfo, PRG_DEBUG,
@@ -406,9 +406,11 @@ void esp_close(struct openconnect_info *vpninfo)
 
 void esp_shutdown(struct openconnect_info *vpninfo)
 {
-	destroy_esp_ciphers(&vpninfo->esp_in[0]);
-	destroy_esp_ciphers(&vpninfo->esp_in[1]);
-	destroy_esp_ciphers(&vpninfo->esp_out);
+	if (vpninfo->destroy_esp_ciphers) {
+		vpninfo->destroy_esp_ciphers(&vpninfo->esp_in[0]);
+		vpninfo->destroy_esp_ciphers(&vpninfo->esp_in[1]);
+		vpninfo->destroy_esp_ciphers(&vpninfo->esp_out);
+	}
 	if (vpninfo->proto->udp_close)
 		vpninfo->proto->udp_close(vpninfo);
 	if (vpninfo->dtls_state != DTLS_DISABLED)

gnutls-esp.c

@@ -27,7 +27,12 @@
 
 #include "openconnect-internal.h"
 
-void destroy_esp_ciphers(struct esp *esp)
+static int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp,
+			      struct pkt *pkt);
+static int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt,
+			      int crypt_len);
+
+static void destroy_esp_ciphers(struct esp *esp)
 {
 	if (esp->cipher) {
 		gnutls_cipher_deinit(esp->cipher);
@@ -113,11 +118,16 @@ int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *esp_out, stru
 		return ret;
 	}
 
+	vpninfo->decrypt_esp_packet = decrypt_esp_packet;
+	vpninfo->encrypt_esp_packet = encrypt_esp_packet;
+	vpninfo->destroy_esp_ciphers = destroy_esp_ciphers;
+
 	return 0;
 }
 
 /* pkt->len shall be the *payload* length. Omitting the header and the 12-byte HMAC */
-int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt)
+static int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp,
+			      struct pkt *pkt)
 {
 	unsigned char hmac_buf[MAX_HMAC_SIZE];
 	int err;

openconnect-internal.h

@@ -765,6 +765,10 @@ struct openconnect_info {
 		DELAY_CLOSE_IMMEDIATE_CALLBACK,
 	} delay_close;                          /* Delay close of mainloop */
 
+	void (*destroy_esp_ciphers)(struct esp *esp);
+	int (*decrypt_esp_packet)(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt);
+	int (*encrypt_esp_packet)(struct openconnect_info *vpninfo, struct pkt *pkt, int crypt_len);
+
 	int verbose;
 	void *cbdata;
 	openconnect_validate_peer_cert_vfn validate_peer_cert;
@@ -1176,10 +1180,7 @@ int openconnect_setup_esp_keys(struct openconnect_info *vpninfo, int new_keys);
 int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr);
 
 /* {gnutls,openssl}-esp.c */
-void destroy_esp_ciphers(struct esp *esp);
 int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *out, struct esp *in);
-int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt);
-int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, int crypt_len);
 
 /* {gnutls,openssl}.c */
 const char *openconnect_get_tls_library_version();

openssl-esp.c

@@ -27,6 +27,11 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 
+static int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp,
+			      struct pkt *pkt);
+static int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt,
+			      int crypt_len);
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 #define EVP_CIPHER_CTX_free(c) do {				\
@@ -45,7 +50,7 @@ static inline HMAC_CTX *HMAC_CTX_new(void)
 }
 #endif
 
-void destroy_esp_ciphers(struct esp *esp)
+static void destroy_esp_ciphers(struct esp *esp)
 {
 	if (esp->cipher) {
 		EVP_CIPHER_CTX_free(esp->cipher);
@@ -103,6 +108,10 @@ static int init_esp_cipher(struct openconnect_info *vpninfo, struct esp *esp,
 		destroy_esp_ciphers(esp);
 	}
 
+	vpninfo->decrypt_esp_packet = decrypt_esp_packet;
+	vpninfo->encrypt_esp_packet = encrypt_esp_packet;
+	vpninfo->destroy_esp_ciphers = destroy_esp_ciphers;
+
 	return 0;
 }
 
@@ -151,7 +160,8 @@ int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *esp_out, stru
 }
 
 /* pkt->len shall be the *payload* length. Omitting the header and the 12-byte HMAC */
-int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt)
+static int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp,
+			      struct pkt *pkt)
 {
 	unsigned char hmac_buf[MAX_HMAC_SIZE];
 	unsigned int hmac_len = sizeof(hmac_buf);
@@ -189,7 +199,7 @@ int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct
 	return 0;
 }
 
-int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, int crypt_len)
+static int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, int crypt_len)
 {
 	int blksize = 16;
 	unsigned int hmac_len = vpninfo->hmac_out_len;