7u83/freewtp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Enable presharedkey SSL

Browse Source
This commit is contained in:
vemax78 2013-05-27 23:10:49 +02:00
parent 6c55b4d71f
commit 16fe0bb6bd
6 changed files with 291 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
conf/ac.conf
View File

@ -50,7 +50,9 @@ application: {
type = "x509";
presharedkey: {
# TODO
hint = "esempio";
identity = "prova";
pskkey = "123456";
};
x509: {

3
conf/wtp.conf
View File

@ -64,7 +64,8 @@ application: {
type = "x509";
presharedkey: {
# TODO
identity = "prova";
pskkey = "123456";
};
x509: {

47
src/ac/ac.c
View File

@ -410,12 +410,49 @@ static int ac_parsing_configuration_1_0(config_t* config) {
if (dtlsparam.cert.pwdprivatekey) {
capwap_free(dtlsparam.cert.pwdprivatekey);
}
if (!g_ac.enabledtls) {
return 0;
}
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
/* TODO */
if (config_lookup_string(config, "application.dtls.presharedkey.hint", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
dtlsparam.presharedkey.hint = capwap_duplicate_string(configString);
}
}
if (config_lookup_string(config, "application.dtls.presharedkey.identity", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
dtlsparam.presharedkey.identity = capwap_duplicate_string(configString);
}
}
if (config_lookup_string(config, "application.dtls.presharedkey.pskkey", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
/* TODO controllare se è un valore hex */
dtlsparam.presharedkey.pskkey = capwap_duplicate_string(configString);
}
}
/* */
if (dtlsparam.presharedkey.identity && dtlsparam.presharedkey.pskkey) {
if (capwap_crypt_createcontext(&g_ac.dtlscontext, &dtlsparam)) {
g_ac.enabledtls = 1;
}
}
/* Free dtls param */
if (dtlsparam.presharedkey.hint) {
capwap_free(dtlsparam.presharedkey.hint);
}
if (dtlsparam.presharedkey.identity) {
capwap_free(dtlsparam.presharedkey.identity);
}
if (dtlsparam.presharedkey.pskkey) {
capwap_free(dtlsparam.presharedkey.pskkey);
}
}
if (!g_ac.enabledtls) {
return 0;
}
}
}

122
src/common/capwap_dtls.c
View File

@ -17,6 +17,10 @@ static pthread_mutex_t* l_mutex_buffer = NULL;
#define CAPWAP_DTLS_CERT_VERIFY_DEPTH 1
#define CAPWAP_DTLS_MTU_SIZE 16384
#define OPENSSL_EXDATA_APPLICATION 0
#define OPENSSL_EXDATA_DTLSCONTEXT 1
#define OPENSSL_EXDATA_DTLS 2
/* */
static int capwap_bio_method_new(BIO* bio);
static int capwap_bio_method_free(BIO* bio);
@ -465,9 +469,62 @@ static int verify_cookie(SSL* ssl, unsigned char* cookie, unsigned int cookie_le
}
/* */
int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct capwap_dtls_param* param) {
int length;
static unsigned int capwap_crypt_psk_client(SSL* ssl, const char* hint, char* identity, unsigned int max_identity_len, unsigned char* psk, unsigned int max_psk_len) {
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)SSL_get_ex_data(ssl, OPENSSL_EXDATA_DTLSCONTEXT);
ASSERT(dtlscontext != NULL);
/* */
if ((max_identity_len < strlen(dtlscontext->presharedkey.identity)) || (max_psk_len < dtlscontext->presharedkey.pskkeylength)) {
return 0;
}
/* */
strcpy(identity, dtlscontext->presharedkey.identity);
memcpy(psk, dtlscontext->presharedkey.pskkey, dtlscontext->presharedkey.pskkeylength);
return dtlscontext->presharedkey.pskkeylength;
}
/* */
static unsigned int capwap_crypt_psk_server(SSL* ssl, const char* identity, unsigned char* psk, unsigned int max_psk_len) {
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)SSL_get_ex_data(ssl, OPENSSL_EXDATA_DTLSCONTEXT);
ASSERT(dtlscontext != NULL);
/* */
if (strcmp(identity, dtlscontext->presharedkey.identity) || (max_psk_len < dtlscontext->presharedkey.pskkeylength)) {
return 0;
}
/* */
memcpy(psk, dtlscontext->presharedkey.pskkey, dtlscontext->presharedkey.pskkeylength);
return dtlscontext->presharedkey.pskkeylength;
}
/* */
static unsigned int capwap_crypt_psk_to_bin(char* pskkey, unsigned char** pskbin) {
int length;
BIGNUM* bn = NULL;
/* */
if (!BN_hex2bn(&bn, pskkey)) {
if (bn) {
BN_free(bn);
}
return 0;
}
/* Convert into binary */
*pskbin = (unsigned char*)capwap_alloc(BN_num_bytes(bn));
length = BN_bn2bin(bn, *pskbin);
BN_free(bn);
return length;
}
/* */
int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct capwap_dtls_param* param) {
ASSERT(dtlscontext != NULL);
ASSERT(param != NULL);
@ -506,12 +563,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
}
/* Passwork decrypt privatekey */
length = (param->cert.pwdprivatekey ? strlen(param->cert.pwdprivatekey) : 0);
dtlscontext->cert.pwdprivatekey = (char*)capwap_alloc(sizeof(char) * (length + 1));
if (length > 0) {
strcpy(dtlscontext->cert.pwdprivatekey, param->cert.pwdprivatekey);
}
dtlscontext->cert.pwdprivatekey[length] = 0;
dtlscontext->cert.pwdprivatekey = capwap_duplicate_string((param->cert.pwdprivatekey ? param->cert.pwdprivatekey : ""));
SSL_CTX_set_default_passwd_cb((SSL_CTX*)dtlscontext->sslcontext, check_passwd);
SSL_CTX_set_default_passwd_cb_userdata((SSL_CTX*)dtlscontext->sslcontext, dtlscontext);
@ -556,7 +608,44 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
return 0;
}
} else if (dtlscontext->mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
/* TODO */
/* Cipher list:
TLS_PSK_WITH_AES_128_CBC_SHA
TLS_DHE_PSK_WITH_AES_128_CBC_SHA
TLS_PSK_WITH_AES_256_CBC_SHA
TLS_DHE_PSK_WITH_AES_256_CBC_SHA
*/
if (!SSL_CTX_set_cipher_list((SSL_CTX*)dtlscontext->sslcontext, "PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA")) {
capwap_logging_debug("Error to select cipher list");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
/* */
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
if (param->presharedkey.hint) {
SSL_CTX_use_psk_identity_hint((SSL_CTX*)dtlscontext->sslcontext, param->presharedkey.hint);
} else {
capwap_logging_debug("Error to presharedkey hint");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
}
/* */
dtlscontext->presharedkey.identity = capwap_duplicate_string(param->presharedkey.identity);
dtlscontext->presharedkey.pskkeylength = capwap_crypt_psk_to_bin(param->presharedkey.pskkey, &dtlscontext->presharedkey.pskkey);
if (!dtlscontext->presharedkey.pskkeylength) {
capwap_logging_debug("Error to presharedkey");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
/* */
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
SSL_CTX_set_psk_server_callback((SSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_server);
} else {
SSL_CTX_set_psk_client_callback((SSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_client);
}
} else {
capwap_logging_debug("Invalid DTLS mode");
capwap_crypt_freecontext(dtlscontext);
@ -582,6 +671,14 @@ void capwap_crypt_freecontext(struct capwap_dtls_context* dtlscontext) {
if (dtlscontext->cert.pwdprivatekey) {
capwap_free(dtlscontext->cert.pwdprivatekey);
}
} else {
if (dtlscontext->presharedkey.identity) {
capwap_free(dtlscontext->presharedkey.identity);
}
if (dtlscontext->presharedkey.pskkey) {
capwap_free(dtlscontext->presharedkey.pskkey);
}
}
/* Free context */
@ -655,8 +752,11 @@ int capwap_crypt_createsession(struct capwap_dtls* dtls, int sessiontype, struct
capwap_outofmemory();
}
/* */
appdata->cookie = &dtlscontext->cookie[0];
SSL_set_ex_data((SSL*)dtls->sslsession, 0, (void*)appdata);
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_APPLICATION, (void*)appdata);
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_DTLSCONTEXT, (void*)dtlscontext);
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_DTLS, (void*)dtls);
/* */
dtls->action = CAPWAP_DTLS_ACTION_NONE;
@ -759,7 +859,7 @@ void capwap_crypt_freesession(struct capwap_dtls* dtls) {
/* Free SSL session */
if (dtls->sslsession) {
struct capwap_app_data* appdata = (struct capwap_app_data*)SSL_get_ex_data(dtls->sslsession, 0);
struct capwap_app_data* appdata = (struct capwap_app_data*)SSL_get_ex_data(dtls->sslsession, OPENSSL_EXDATA_APPLICATION);
if (appdata) {
capwap_free(appdata);
}

8
src/common/capwap_dtls.h
View File

@ -41,7 +41,9 @@ struct capwap_dtls_context {
union {
struct {
int dummy; /* TODO */
char* identity;
unsigned char* pskkey;
unsigned int pskkeylength;
} presharedkey;
struct {
@ -70,7 +72,9 @@ struct capwap_dtls_param {
union {
struct {
int dummy; /* TODO */
char* hint;
char* identity;
char* pskkey;
} presharedkey;
struct {

37
src/wtp/wtp.c
View File

@ -672,6 +672,7 @@ static int wtp_parsing_configuration_1_0(config_t* config) {
}
}
/* */
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
if (capwap_crypt_createcontext(&g_wtp.dtlscontext, &dtlsparam)) {
g_wtp.enabledtls = 1;
@ -694,12 +695,38 @@ static int wtp_parsing_configuration_1_0(config_t* config) {
if (dtlsparam.cert.pwdprivatekey) {
capwap_free(dtlsparam.cert.pwdprivatekey);
}
if (!g_wtp.enabledtls) {
return 0;
}
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
/* TODO */
if (config_lookup_string(config, "application.dtls.presharedkey.identity", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
dtlsparam.presharedkey.identity = capwap_duplicate_string(configString);
}
}
if (config_lookup_string(config, "application.dtls.presharedkey.pskkey", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
dtlsparam.presharedkey.pskkey = capwap_duplicate_string(configString);
}
}
/* */
if (dtlsparam.presharedkey.identity && dtlsparam.presharedkey.pskkey) {
if (capwap_crypt_createcontext(&g_wtp.dtlscontext, &dtlsparam)) {
g_wtp.enabledtls = 1;
}
}
/* Free dtls param */
if (dtlsparam.presharedkey.identity) {
capwap_free(dtlsparam.presharedkey.identity);
}
if (dtlsparam.presharedkey.pskkey) {
capwap_free(dtlsparam.presharedkey.pskkey);
}
}
if (!g_wtp.enabledtls) {
return 0;
}
}
}