7u83/capwap-mitm
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

reduce the required DTLS security level

Browse Source 
This is a debug proxy, so 612 bit DH primes are fine, also accept all and
any certificates.
This commit is contained in:
Andreas Schultz 2014-12-30 15:33:40 +01:00
parent 0ff432fcc6
commit c08598a315
1 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/capwap-mitm.c
View File

@ -75,7 +75,8 @@ pcap_dumper_t *dumper = NULL;
gnutls_certificate_credentials_t x509_server_cred; gnutls_certificate_credentials_t x509_server_cred;
gnutls_certificate_credentials_t x509_client_cred; gnutls_certificate_credentials_t x509_client_cred;
gnutls_priority_t priority_cache; gnutls_priority_t priority_cache;
gnutls_dh_params_t dh_params; gnutls_dh_params_t dh_server_params;
gnutls_dh_params_t dh_client_params;
gnutls_datum_t cookie_key; gnutls_datum_t cookie_key;
pcap_t *pcap; pcap_t *pcap;
@ -567,6 +568,7 @@ static void capwap_server_in(EV_P_ struct capwap_port *capwap_port, unsigned cha
gnutls_init(&c->session, GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK); gnutls_init(&c->session, GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK);
gnutls_priority_set(c->session, priority_cache); gnutls_priority_set(c->session, priority_cache);
gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, x509_client_cred); gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, x509_client_cred);
gnutls_dh_set_prime_bits(c->session, 512);
gnutls_dtls_set_mtu(c->session, 1500); gnutls_dtls_set_mtu(c->session, 1500);
@ -689,6 +691,12 @@ static int dtls_pull_timeout_func(gnutls_transport_ptr_t p, unsigned int ms)
return 0; /* timeout */ return 0; /* timeout */
} }
static int dummy_certificate_verify_function(gnutls_session_t session)
{
/* accept anything */
return 0;
}
static void bind_capwap(struct capwap_port *capwap_port) static void bind_capwap(struct capwap_port *capwap_port)
{ {
int on = 1; int on = 1;
@ -885,6 +893,8 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
gnutls_certificate_set_verify_function(x509_server_cred, dummy_certificate_verify_function);
if (access(dtls_client_keyfile, R_OK) < 0) if (access(dtls_client_keyfile, R_OK) < 0)
dtls_client_keyfile = dtls_client_certfile; dtls_client_keyfile = dtls_client_certfile;
@ -897,18 +907,28 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_INSECURE);
/* Generate Diffie-Hellman parameters - for use with DHE /* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might * kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often. * be wise to regenerate parameters often.
*/ */
gnutls_dh_params_init(&dh_params); gnutls_dh_params_init(&dh_client_params);
gnutls_dh_params_generate2(dh_params, bits); gnutls_dh_params_generate2(dh_client_params, bits);
gnutls_certificate_set_dh_params(x509_server_cred, dh_params); gnutls_certificate_set_dh_params(x509_client_cred, dh_client_params);
gnutls_certificate_set_dh_params(x509_client_cred, dh_params);
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
gnutls_dh_params_init(&dh_server_params);
gnutls_dh_params_generate2(dh_server_params, bits);
gnutls_certificate_set_dh_params(x509_server_cred, dh_server_params);
#if GNUTLS_VERSION_NUMBER > 0x0302ff
gnutls_priority_init(&priority_cache, gnutls_priority_init(&priority_cache,
"PERFORMANCE:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE", NULL); "LEGACY:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE", NULL);
#else
gnutls_priority_init(&priority_cache,
"NORMAL:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE", NULL);
#endif
gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE); gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);