7u83
/
freewtp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Removing the OpenSSL library for CyaSSL. 

OpenSSL license was not compatible with the GPL license.
This commit is contained in:
vemax78 2014-05-15 21:43:21 +02:00
parent e1023a388e
commit 3573dd4251
19 changed files with 434 additions and 1110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
COPYING
View File

@ -1,6 +1,6 @@
SmartCAPWAP -- An Open Source CAPWAP WTP / AC
Copyright (C) 2012-2013 Massimo Vellucci <vemax78@gmail.com>
Copyright (C) 2012-2014 Massimo Vellucci <vemax78@gmail.com>
This distribution contains multiple components, some
of which fall under different licenses. By using SmartCAPWAP
@ -18,137 +18,17 @@ Libconfig license:
Libconfig is Copyright (C) Mark Lindner, and is licensed under the LGPL.
Hostapd license:
Libxml2 license:
------------
Hostapd is Copyright (C) Jouni Malinen <j@w1.fi> and contributors,
and is licensed under the BSD license.
Libxml2 is Copyright (C) Daniel Veillard, and is licensed under the MIT.
OpenSSL License:
Libjson-c license:
------------
Libjson-c is Copyright (C) Eric Haszlakiewicz, and is licensed under the MIT.
CyaSSL License:
----------------
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact openssl-core@openssl.org.
/* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
Original SSLeay License
-----------------------
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
GNU Public License (GPL)
------------------------
SmartCAWAP, Libconfig distributions are
licensed under the GPL version 2 (see COPYRIGHT.GPL).
CyaSSL is Copyright (C) wolfSSL Inc, and is licensed under the GPL license version 2.

9
INSTALL
View File

@ -18,14 +18,19 @@ Requirements
* libjson0-dev
* libnl-dev
* libtool
* libssl-dev
* libxml2-dev
* cyassl 3.0 or newer
Build
-----
Run:
CyaSSL:
./configure --enable-dtls --enable-psk --prefix=/usr/
make
make install
SmartCAPWAP:
autoreconf -f -i
./configure
make

14
build/ac/Makefile.am
View File

@ -27,11 +27,8 @@ AM_CFLAGS = \
-D_REENTRANT \
-D_GNU_SOURCE
AM_CFLAGS += $(LIBXML2_CFLAGS)
if DTLS_ENABLED
AM_CFLAGS += $(SSL_CFLAGS)
endif
AM_CFLAGS += $(LIBXML2_CFLAGS) \
$(CYASSL_CFLAGS)
INCLUDES = \
-I$(top_srcdir)/build \
@ -92,8 +89,5 @@ ac_LDADD = \
$(CONFIG_LIBS) \
$(PTHREAD_LIBS) \
$(LIBXML2_LIBS) \
$(LIBJSON_LIBS)
if DTLS_ENABLED
ac_LDADD += $(SSL_LIBS)
endif
$(LIBJSON_LIBS) \
$(CYASSL_LIBS)

4
build/wtp/Makefile.am
View File

@ -27,7 +27,7 @@ AM_CFLAGS = \
-D_GNU_SOURCE
if DTLS_ENABLED
AM_CFLAGS += $(SSL_CFLAGS)
AM_CFLAGS += $(CYASSL_CFLAGS)
endif
INCLUDES = \
@ -63,7 +63,7 @@ wtp_LDADD = \
$(CONFIG_LIBS)
if DTLS_ENABLED
wtp_LDADD += $(SSL_LIBS)
wtp_LDADD += $(CYASSL_LIBS)
endif
if BUILD_WTP_WIFI_DRIVERS_NL80211

3
conf/ac.conf
View File

@ -61,7 +61,6 @@ application: {
calist = "/etc/capwap/ca.crt";
certificate = "/etc/capwap/ac.crt";
privatekey = "/etc/capwap/ac.key";
privatekeypassword = "";
};
};
@ -81,7 +80,7 @@ backend: {
version = "1.0";
server: (
{ url = "http://127.0.0.1/csoap.php"; }
#{ url = "https://127.0.0.1/csoap.php"; x509: { calist = "/etc/capwap/casoap.crt"; certificate = "/etc/capwap/clientsoap.crt"; privatekey = "/etc/capwap/clientsoap.key"; privatekeypassword = ""; }; }
#{ url = "https://127.0.0.1/csoap.php"; x509: { calist = "/etc/capwap/casoap.crt"; certificate = "/etc/capwap/clientsoap.crt"; privatekey = "/etc/capwap/clientsoap.key"; }; }
);
};

101
conf/ac.crt
View File

@ -1,26 +1,26 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, ST=Italy, L=Rome, O=Capwap CA, CN=CAPWAP_CA/emailAddress=ca@localhost
Issuer: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
Validity
Not Before: Apr 11 17:49:25 2009 GMT
Not After : Apr 9 17:49:25 2019 GMT
Subject: C=IT, ST=Italy, L=Rome, O=Capwap AC, CN=CAPWAP_AC/emailAddress=ac@localhost
Not Before: May 15 18:02:09 2014 GMT
Not After : May 12 18:02:09 2024 GMT
Subject: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=ac1/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e2:9f:90:f6:f5:c5:52:23:cc:8d:28:6c:7c:0b:
4a:ec:0d:50:de:0d:37:0d:de:75:cb:61:d8:58:e3:
3f:ec:cb:5b:b5:e0:ca:87:93:cf:22:f3:7d:35:cf:
2d:ef:ad:a4:8a:d3:8c:ec:7f:d2:7e:19:cb:11:15:
28:b0:ee:74:33:e2:21:24:70:d0:e4:22:2f:eb:59:
3d:ef:c4:c2:1b:f7:7d:1b:ac:3c:f8:46:c9:0a:f4:
12:b0:71:11:0d:52:84:d9:a9:76:84:68:33:c6:7c:
54:1a:4c:34:f4:22:ad:fb:4c:7b:2e:ee:1a:fe:b3:
0d:18:38:16:46:48:9d:7a:b7
Public-Key: (1024 bit)
Modulus:
00:c3:98:2b:82:c3:1b:aa:13:8d:16:e4:d6:7f:c0:
88:d9:f8:2a:52:46:92:be:c2:3d:91:04:07:7a:fb:
c6:d1:3b:cc:8a:a0:c2:cd:25:b8:22:9c:11:c4:d5:
ca:be:23:43:af:76:80:fd:65:bc:38:4b:66:1c:ac:
05:b1:d2:a4:5b:57:ed:c9:62:e3:67:6e:83:37:c1:
cc:38:a7:9b:0b:87:52:da:b1:83:7b:19:4d:99:48:
96:c9:a3:6d:ad:93:8f:62:ee:f1:38:8a:81:99:0e:
27:f6:70:ac:0e:93:06:3b:a4:b9:5c:6c:ed:ab:be:
27:db:52:72:f5:7e:10:36:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@ -30,44 +30,47 @@ Certificate:
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
63:7B:01:7C:B6:2B:DC:D5:E4:BD:A1:AC:D4:BB:E0:6F:A6:07:16:A4
C6:FE:48:73:99:7A:9E:24:87:8B:43:F8:13:6F:27:FB:4A:71:4D:22
X509v3 Authority Key Identifier:
keyid:49:62:46:06:E1:E5:D3:3A:08:79:C6:D6:FE:93:A8:D9:AA:75:EB:E4
DirName:/C=IT/ST=Italy/L=Rome/O=Capwap CA/CN=CAPWAP_CA/emailAddress=ca@localhost
serial:94:59:55:20:58:F6:66:33
keyid:B8:BE:B2:CB:C6:68:BD:0A:BB:E5:BC:DE:AE:56:FE:25:E6:E4:B3:1C
DirName:/C=IT/ST=IT/L=Rome/O=SmartCAPWAP/OU=SmartCAPWAP/CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
serial:9A:6A:C6:B2:AA:33:22:C5
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Signature Algorithm: sha1WithRSAEncryption
0a:be:9e:6c:a1:c6:0c:a6:d3:5e:92:6b:09:21:78:99:f0:83:
a1:a4:2f:56:56:55:51:61:f4:04:a5:fe:9a:c4:95:76:01:f3:
72:96:18:e2:96:f9:8d:cf:6d:32:6c:39:9c:92:a2:41:39:e2:
3f:32:ef:73:75:f0:3e:f4:9c:93:af:31:63:c7:55:2e:8d:de:
ab:99:59:82:36:54:49:ef:ef:13:a7:26:db:8f:2e:93:0c:a1:
d5:b5:e6:5d:7a:a4:3f:1d:8e:ad:73:c5:32:ba:24:d2:4a:f5:
ae:95:18:98:07:80:fc:be:95:45:ce:50:ab:fc:6e:90:7a:8b:
28:5d
78:50:cf:ba:f0:b7:98:92:ae:e9:88:ce:10:43:79:22:03:bf:
ad:9f:1b:87:26:00:37:c0:11:21:bd:9e:e9:40:92:1a:0b:50:
a1:de:a5:00:df:8c:4b:5d:6d:09:75:6e:4e:f3:c2:4b:9e:6b:
08:fe:d0:5c:27:98:fe:30:c9:96:a9:b5:2c:dc:ed:0b:c2:2d:
3e:aa:b7:fd:54:be:17:5e:2f:35:5a:f1:8f:ae:49:3b:87:d5:
99:8e:04:3a:e6:33:fd:30:4a:70:ac:34:c5:9c:0a:57:c6:ab:
26:e7:98:bf:5d:ac:13:4a:6b:8e:e3:af:5e:e6:9b:e2:80:80:
b9:ce
-----BEGIN CERTIFICATE-----
MIIDmTCCAwKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJJVDEO
MAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdhcCBD
QTESMBAGA1UEAxQJQ0FQV0FQX0NBMRswGQYJKoZIhvcNAQkBFgxjYUBsb2NhbGhv
c3QwHhcNMDkwNDExMTc0OTI1WhcNMTkwNDA5MTc0OTI1WjBxMQswCQYDVQQGEwJJ
VDEOMAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdh
cCBBQzESMBAGA1UEAxQJQ0FQV0FQX0FDMRswGQYJKoZIhvcNAQkBFgxhY0Bsb2Nh
bGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOKfkPb1xVIjzI0obHwL
SuwNUN4NNw3edcth2FjjP+zLW7XgyoeTzyLzfTXPLe+tpIrTjOx/0n4ZyxEVKLDu
dDPiISRw0OQiL+tZPe/Ewhv3fRusPPhGyQr0ErBxEQ1ShNmpdoRoM8Z8VBpMNPQi
rftMey7uGv6zDRg4FkZInXq3AgMBAAGjggE/MIIBOzAJBgNVHRMEAjAAMBEGCWCG
SAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVk
IFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUY3sBfLYr3NXkvaGs1Lvgb6YH
FqQwgaMGA1UdIwSBmzCBmIAUSWJGBuHl0zoIecbW/pOo2ap16+ShdaRzMHExCzAJ
BgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTESMBAGA1UE
ChMJQ2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBfQ0ExGzAZBgkqhkiG9w0BCQEW
DGNhQGxvY2FsaG9zdIIJAJRZVSBY9mYzMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsG
A1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOBgQAKvp5socYMptNekmsJIXiZ8IOh
pC9WVlVRYfQEpf6axJV2AfNylhjilvmNz20ybDmckqJBOeI/Mu9zdfA+9JyTrzFj
x1Uujd6rmVmCNlRJ7+8Tpybbjy6TDKHVteZdeqQ/HY6tc8UyuiTSSvWulRiYB4D8
vpVFzlCr/G6QeosoXQ==
MIIEMjCCA5ugAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCSVQx
CzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtTbWFydENBUFdB
UDEUMBIGA1UECxMLU21hcnRDQVBXQVAxFzAVBgNVBAMTDlNtYXJ0Q0FQV0FQIENB
MRQwEgYDVQQpEwtTbWFydENBUFdBUDEgMB4GCSqGSIb3DQEJARYRdmVtYXg3OEBn
bWFpbC5jb20wHhcNMTQwNTE1MTgwMjA5WhcNMjQwNTEyMTgwMjA5WjCBmzELMAkG
A1UEBhMCSVQxCzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtT
bWFydENBUFdBUDEUMBIGA1UECxMLU21hcnRDQVBXQVAxDDAKBgNVBAMTA2FjMTEU
MBIGA1UEKRMLU21hcnRDQVBXQVAxIDAeBgkqhkiG9w0BCQEWEXZlbWF4NzhAZ21h
aWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmCuCwxuqE40W5NZ/
wIjZ+CpSRpK+wj2RBAd6+8bRO8yKoMLNJbginBHE1cq+I0OvdoD9Zbw4S2YcrAWx
0qRbV+3JYuNnboM3wcw4p5sLh1LasYN7GU2ZSJbJo22tk49i7vE4ioGZDif2cKwO
kwY7pLlcbO2rvifbUnL1fhA2pQIDAQABo4IBdzCCAXMwCQYDVR0TBAIwADARBglg
hkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRl
ZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFMb+SHOZep4kh4tD+BNvJ/tK
cU0iMIHbBgNVHSMEgdMwgdCAFLi+ssvGaL0Ku+W83q5W/iXm5LMcoYGspIGpMIGm
MQswCQYDVQQGEwJJVDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDASBgNV
BAoTC1NtYXJ0Q0FQV0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UEAxMO
U21hcnRDQVBXQVAgQ0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcN
AQkBFhF2ZW1heDc4QGdtYWlsLmNvbYIJAJpqxrKqMyLFMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQUFAAOBgQB4UM+68LeYkq7p
iM4QQ3kiA7+tnxuHJgA3wBEhvZ7pQJIaC1Ch3qUA34xLXW0JdW5O88JLnmsI/tBc
J5j+MMmWqbUs3O0Lwi0+qrf9VL4XXi81WvGPrkk7h9WZjgQ65jP9MEpwrDTFnApX
xqsm55i/XawTSmuO469e5pvigIC5zg==
-----END CERTIFICATE-----

31
conf/ac.key
View File

@ -1,15 +1,16 @@
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDin5D29cVSI8yNKGx8C0rsDVDeDTcN3nXLYdhY4z/sy1u14MqH
k88i8301zy3vraSK04zsf9J+GcsRFSiw7nQz4iEkcNDkIi/rWT3vxMIb930brDz4
RskK9BKwcRENUoTZqXaEaDPGfFQaTDT0Iq37THsu7hr+sw0YOBZGSJ16twIDAQAB
AoGAM0gEV735rsKnEPIqyk8L3yqMOBMpeBv079buS/7wgjbqQ9fgPJm376LFnJ2L
OYdDip6gbwvlp99SUkVFdfQfmwjmBDk1IfEWYiPO4CUrsIUzid2KtueZW5c6Cm0Q
RMutCQrsZw9s6VpL9bmV0zsm3MYNYfERs0rPOIW9I3YyrEECQQD5t5V4Uj7+gpZO
Qvb+tYAVb8NcYTPBfdVbZJ8MRrs9tH2Y2AkuE1D+g7S5qq+Ld1tBIcCeKhlG4+ee
ClH20s3RAkEA6FM8eGKOhZ4nmu4yzwdMJnqY0d4+56805VS5Z+uJJiXvCXKQ+wQr
e/8BLsWRLxXlqijshsWzHID2g8i/rlC6BwJADiHqrqWQ9Rx03zcA/YdOGWh62PaT
VEcH1SVLrwktvZ9CYG0Rj+797XmMt9lGGBGIM5ZybUEarx1k1VfmLZ7ekQJAKPOD
FTVKKgNWt9iE3DlNEvtJNLUYIX6gtEva4paB9ld5axDmvVhe0dyBON1aWhJiCTxt
dNQkXkHdMh2QrAlOwQJAcoEhG5Zl0wATXSCFvbvaJKiH9Ab1IjlCtNI3O/+TgQjN
ZQMA0nO5ZJ3p266M8zh2hgIRdNstv4oilqh/3DnO3g==
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMOYK4LDG6oTjRbk
1n/AiNn4KlJGkr7CPZEEB3r7xtE7zIqgws0luCKcEcTVyr4jQ692gP1lvDhLZhys
BbHSpFtX7cli42dugzfBzDinmwuHUtqxg3sZTZlIlsmjba2Tj2Lu8TiKgZkOJ/Zw
rA6TBjukuVxs7au+J9tScvV+EDalAgMBAAECgYBh1N8OjKBttVHAvb08MQVCYQpq
FLqZh3Zb7nP/Y6fSR+LLBBXrno43YXDRz02VRPY58UAbfqNiVPRCKxi+FOn3li5l
LN9ad1S510MNg652vpKFnCQjpHDrxOQPxQHGc0XNeF4Xo12IhFxh0DbktloC3/Og
PXL0UdvMhZ+X0ErQEQJBAOqLxRYeUSB9HeSFcgNejd0wkM7DKoNyFmJ0jwEb46vO
mKJuA4CFbinX6PZfei8nXbZIBN5p3IS0TA7MU/b+erMCQQDVfEsfmEPUYx7M1oec
rT4+AeSO7KzcC83zeVEmEljwP3zvbM8gn7PLsJAU3K0HEh6scocP6UosTI4o6Ohw
ppVHAkEAsjCp9RnnTKWBlmIDsqedY9RHz63amK6ObxJaqt8DYz28HHs0UeoNPeD4
7mSvMS/ZNGkWudr3XCKWPg/iIp5HnQJBAMALdtzuMZ5+qDdmiUn1QrevJjc4S2wL
pnJu4QQZny5IPpB3VoCniasjowlRVsm0kClbQYqbt2DQYVYF5wtnn4MCQQCz7Rcj
eEZN1STdLv6K03cWKW8nqk+yLgsDFOZpzhIq5ezk/oEX38+1k/KCqwy+9xlQ/oJJ
5lGEUmKCh2XYCBcq
-----END PRIVATE KEY-----

39
conf/ca.crt
View File

@ -1,20 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDNzCCAqCgAwIBAgIJAJRZVSBY9mYzMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNV
BAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTESMBAGA1UEChMJ
Q2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBfQ0ExGzAZBgkqhkiG9w0BCQEWDGNh
QGxvY2FsaG9zdDAeFw0wOTA0MTExNzQ2MzlaFw0xOTA0MDkxNzQ2MzlaMHExCzAJ
BgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTESMBAGA1UE
ChMJQ2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBfQ0ExGzAZBgkqhkiG9w0BCQEW
DGNhQGxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw0gvx6qo
B4fd23/dU5yBdj/TKzVM1/kC/bwRRFjNd2FIMpjsJ7drbwhZo5CrOSFyKn8X4Exr
EdkfMjjNFi6mZVmdFfJO4ex+6qJqc1m52AocUEOkyG/52LOnCTsT91yps97obPUF
8ezK0m9a5dnuoJ8q7lxbGu7m0PJ0Qgws3dsCAwEAAaOB1jCB0zAdBgNVHQ4EFgQU
SWJGBuHl0zoIecbW/pOo2ap16+QwgaMGA1UdIwSBmzCBmIAUSWJGBuHl0zoIecbW
/pOo2ap16+ShdaRzMHExCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsG
A1UEBxMEUm9tZTESMBAGA1UEChMJQ2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBf
Q0ExGzAZBgkqhkiG9w0BCQEWDGNhQGxvY2FsaG9zdIIJAJRZVSBY9mYzMAwGA1Ud
EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAsHOGDPcwslke/Ux3bp2tZj4MizTL
DJqTRbqoiQLOTfUI7KU0GQ2m+ywTwhpiUPhmqqmgtGKXbL9mQB/qcG6HGNzdRc56
4ttc1RVErhmM/LZEFjyHamuOryUY5FmS78XXBGFRkvPAap9OSQU4vXPfehYFCL+p
/L9CoKunApUqH3g=
MIID3TCCA0agAwIBAgIJAJpqxrKqMyLFMA0GCSqGSIb3DQEBBQUAMIGmMQswCQYD
VQQGEwJJVDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDASBgNVBAoTC1Nt
YXJ0Q0FQV0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UEAxMOU21hcnRD
QVBXQVAgQ0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcNAQkBFhF2
ZW1heDc4QGdtYWlsLmNvbTAeFw0xNDA1MTUxODAxNDNaFw0yNDA1MTIxODAxNDNa
MIGmMQswCQYDVQQGEwJJVDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDAS
BgNVBAoTC1NtYXJ0Q0FQV0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UE
AxMOU21hcnRDQVBXQVAgQ0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZI
hvcNAQkBFhF2ZW1heDc4QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA72PBMR4HQ+rA+ifXJdMtUujlUQX1yrtXZ0HMdKbHbAbfoY3Rvyfdwo2i
TMaZYomyCASawZRzkZJvPchu/q9au/UdLuTmeaUCDpvIkibMK5tahTgP5x90IMGu
+uzdgZQaPbv+fjYkAmMGkZYYTha8GhH+vNloSb6n8oUh2eGf1kUCAwEAAaOCAQ8w
ggELMB0GA1UdDgQWBBS4vrLLxmi9CrvlvN6uVv4l5uSzHDCB2wYDVR0jBIHTMIHQ
gBS4vrLLxmi9CrvlvN6uVv4l5uSzHKGBrKSBqTCBpjELMAkGA1UEBhMCSVQxCzAJ
BgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtTbWFydENBUFdBUDEU
MBIGA1UECxMLU21hcnRDQVBXQVAxFzAVBgNVBAMTDlNtYXJ0Q0FQV0FQIENBMRQw
EgYDVQQpEwtTbWFydENBUFdBUDEgMB4GCSqGSIb3DQEJARYRdmVtYXg3OEBnbWFp
bC5jb22CCQCaasayqjMixTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
ANZuFab2/jLSakpGc0nZjCWAlXm29TCkL1i0yxmpjgbg/tqZrSAb1tuK5IANI7Tz
deOObRRxjjRGgSHnFLcKXmJeGjTmIdX7DLALWQALmc0GG+A1T1vHqVKc3YqjmUP3
4X/JgFqJnF1KkKmcDLiLBmA8W4+rLPe3kKhNloKQ9G1m
-----END CERTIFICATE-----

1
conf/wtp.conf
View File

@ -70,7 +70,6 @@ application: {
calist = "/etc/capwap/ca.crt";
certificate = "/etc/capwap/wtp.crt";
privatekey = "/etc/capwap/wtp.key";
privatekeypassword = "";
};
};

101
conf/wtp.crt
View File

@ -1,70 +1,73 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, ST=Italy, L=Rome, O=Capwap CA, CN=CAPWAP_CA/emailAddress=ca@localhost
Issuer: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
Validity
Not Before: Apr 11 17:50:00 2009 GMT
Not After : Apr 9 17:50:00 2019 GMT
Subject: C=IT, ST=Italy, L=Rome, O=Capwap WTP, CN=CAPWAP_WTP/emailAddress=wtp@localhost
Not Before: May 15 18:02:22 2014 GMT
Not After : May 12 18:02:22 2024 GMT
Subject: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=wtp1/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d4:78:02:6f:d8:52:3b:ea:7c:13:a9:d4:74:58:
4c:d9:6d:e9:54:76:ea:6c:74:8a:70:b7:f8:72:9e:
71:63:bc:db:6e:43:d8:c6:6b:34:94:e4:28:98:a2:
5b:16:9e:a8:9e:19:50:61:01:d3:f6:fd:37:e7:8b:
be:9e:bf:bc:96:c2:3e:d3:fa:fe:1a:76:42:5c:92:
76:73:1f:97:94:42:38:93:d0:56:a5:b2:b1:5f:ba:
90:90:17:f4:88:cb:c6:35:9b:7d:0f:a4:75:6d:d2:
bb:b2:1d:cf:55:9d:e7:9b:03:35:fe:6f:1b:df:10:
3d:58:7b:77:1c:e5:ba:a5:75
Public-Key: (1024 bit)
Modulus:
00:b2:b1:a5:56:a7:ef:4d:76:76:0c:09:0f:5e:c3:
4b:cd:9c:80:ae:1b:fa:8a:63:6b:3e:5d:df:18:e5:
30:25:4a:bf:02:90:a0:1a:db:d9:7b:d3:c0:f2:5b:
82:de:07:bd:4c:43:66:4d:39:6c:fe:88:d5:1a:ac:
47:d0:4c:2d:e0:05:4d:95:80:b5:61:df:84:03:cb:
26:f7:b3:77:8c:e5:28:9e:71:5e:4b:01:42:64:64:
d4:1f:8b:e2:c6:12:af:9f:64:de:63:f0:b2:ff:fb:
0e:82:d8:ba:cf:a9:21:7f:43:4f:c9:19:e0:50:e1:
90:ac:ce:d2:ab:dc:87:b9:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
53:EB:37:11:23:CC:27:53:89:04:2F:08:C5:05:47:D4:65:23:73:2D
5D:1C:43:55:79:96:EC:CD:9F:81:47:7F:23:F2:88:C4:80:EF:7A:C6
X509v3 Authority Key Identifier:
keyid:49:62:46:06:E1:E5:D3:3A:08:79:C6:D6:FE:93:A8:D9:AA:75:EB:E4
DirName:/C=IT/ST=Italy/L=Rome/O=Capwap CA/CN=CAPWAP_CA/emailAddress=ca@localhost
serial:94:59:55:20:58:F6:66:33
keyid:B8:BE:B2:CB:C6:68:BD:0A:BB:E5:BC:DE:AE:56:FE:25:E6:E4:B3:1C
DirName:/C=IT/ST=IT/L=Rome/O=SmartCAPWAP/OU=SmartCAPWAP/CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
serial:9A:6A:C6:B2:AA:33:22:C5
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha1WithRSAEncryption
57:93:d6:43:0b:e6:5f:b7:77:2c:1d:d3:b0:4c:6a:35:62:ec:
5b:56:e5:f7:34:b9:c7:8d:9f:e7:cb:12:0d:f0:cf:c7:a3:c1:
24:0f:64:f2:a2:ab:f7:80:e8:a5:66:8a:c3:2f:9b:4f:87:d7:
8e:27:e7:29:73:cc:fc:4c:0d:fb:8f:74:ee:7c:bd:ce:d3:01:
ee:69:1f:42:56:6f:e1:b3:6c:c3:a1:4d:60:14:06:ba:a7:38:
a0:78:1d:a9:cd:39:90:f2:33:6c:fb:48:cb:6e:80:00:ce:7c:
50:e2:e7:6f:83:f1:86:be:39:5c:0c:64:1f:01:7c:1b:9f:e6:
ea:e2
2e:1b:fb:12:36:08:97:f4:93:2d:5e:5a:94:e0:67:a9:69:9c:
d3:24:8b:51:87:b4:fd:02:cd:29:9c:54:5f:5c:27:4c:02:08:
6a:64:79:84:a9:dd:df:f4:9d:7d:b7:19:e9:26:a6:01:af:a7:
b4:00:50:51:9d:64:be:f6:38:6b:1d:04:e7:2d:34:16:26:75:
88:01:98:d8:4e:db:3f:a2:f1:9d:d7:9d:cd:8a:07:8a:82:b1:
9f:59:be:4c:e1:0f:8e:2f:ea:cc:98:0a:e1:54:6c:f4:00:a9:
21:fa:9d:ed:81:4d:c6:1f:cd:20:bb:4a:ed:4d:61:50:be:af:
02:f0
-----BEGIN CERTIFICATE-----
MIIDgjCCAuugAwIBAgIBAzANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJJVDEO
MAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdhcCBD
QTESMBAGA1UEAxQJQ0FQV0FQX0NBMRswGQYJKoZIhvcNAQkBFgxjYUBsb2NhbGhv
c3QwHhcNMDkwNDExMTc1MDAwWhcNMTkwNDA5MTc1MDAwWjB0MQswCQYDVQQGEwJJ
VDEOMAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEzARBgNVBAoTCkNhcHdh
cCBXVFAxEzARBgNVBAMUCkNBUFdBUF9XVFAxHDAaBgkqhkiG9w0BCQEWDXd0cEBs
b2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANR4Am/YUjvqfBOp
1HRYTNlt6VR26mx0inC3+HKecWO8225D2MZrNJTkKJiiWxaeqJ4ZUGEB0/b9N+eL
vp6/vJbCPtP6/hp2QlySdnMfl5RCOJPQVqWysV+6kJAX9IjLxjWbfQ+kdW3Su7Id
z1Wd55sDNf5vG98QPVh7dxzluqV1AgMBAAGjggElMIIBITAJBgNVHRMEAjAAMC0G
CWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
VR0OBBYEFFPrNxEjzCdTiQQvCMUFR9RlI3MtMIGjBgNVHSMEgZswgZiAFEliRgbh
5dM6CHnG1v6TqNmqdevkoXWkczBxMQswCQYDVQQGEwJJVDEOMAwGA1UECBMFSXRh
bHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdhcCBDQTESMBAGA1UEAxQJ
Q0FQV0FQX0NBMRswGQYJKoZIhvcNAQkBFgxjYUBsb2NhbGhvc3SCCQCUWVUgWPZm
MzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEF
BQADgYEAV5PWQwvmX7d3LB3TsExqNWLsW1bl9zS5x42f58sSDfDPx6PBJA9k8qKr
94DopWaKwy+bT4fXjifnKXPM/EwN+4907ny9ztMB7mkfQlZv4bNsw6FNYBQGuqc4
oHgdqc05kPIzbPtIy26AAM58UOLnb4Pxhr45XAxkHwF8G5/m6uI=
MIIEGTCCA4KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCSVQx
CzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtTbWFydENBUFdB
UDEUMBIGA1UECxMLU21hcnRDQVBXQVAxFzAVBgNVBAMTDlNtYXJ0Q0FQV0FQIENB
MRQwEgYDVQQpEwtTbWFydENBUFdBUDEgMB4GCSqGSIb3DQEJARYRdmVtYXg3OEBn
bWFpbC5jb20wHhcNMTQwNTE1MTgwMjIyWhcNMjQwNTEyMTgwMjIyWjCBnDELMAkG
A1UEBhMCSVQxCzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtT
bWFydENBUFdBUDEUMBIGA1UECxMLU21hcnRDQVBXQVAxDTALBgNVBAMTBHd0cDEx
FDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcNAQkBFhF2ZW1heDc4QGdt
YWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsrGlVqfvTXZ2DAkP
XsNLzZyArhv6imNrPl3fGOUwJUq/ApCgGtvZe9PA8luC3ge9TENmTTls/ojVGqxH
0Ewt4AVNlYC1Yd+EA8sm97N3jOUonnFeSwFCZGTUH4vixhKvn2TeY/Cy//sOgti6
z6khf0NPyRngUOGQrM7Sq9yHuZ8CAwEAAaOCAV0wggFZMAkGA1UdEwQCMAAwCwYD
VR0PBAQDAgTwMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2Vy
dGlmaWNhdGUwHQYDVR0OBBYEFF0cQ1V5luzNn4FHfyPyiMSA73rGMIHbBgNVHSME
gdMwgdCAFLi+ssvGaL0Ku+W83q5W/iXm5LMcoYGspIGpMIGmMQswCQYDVQQGEwJJ
VDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDASBgNVBAoTC1NtYXJ0Q0FQ
V0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UEAxMOU21hcnRDQVBXQVAg
Q0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcNAQkBFhF2ZW1heDc4
QGdtYWlsLmNvbYIJAJpqxrKqMyLFMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqG
SIb3DQEBBQUAA4GBAC4b+xI2CJf0ky1eWpTgZ6lpnNMki1GHtP0CzSmcVF9cJ0wC
CGpkeYSp3d/0nX23GekmpgGvp7QAUFGdZL72OGsdBOctNBYmdYgBmNhO2z+i8Z3X
nc2KB4qCsZ9ZvkzhD44v6syYCuFUbPQAqSH6ne2BTcYfzSC7Su1NYVC+rwLw
-----END CERTIFICATE-----

31
conf/wtp.key
View File

@ -1,15 +1,16 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDUeAJv2FI76nwTqdR0WEzZbelUdupsdIpwt/hynnFjvNtuQ9jG
azSU5CiYolsWnqieGVBhAdP2/Tfni76ev7yWwj7T+v4adkJcknZzH5eUQjiT0Fal
srFfupCQF/SIy8Y1m30PpHVt0ruyHc9VneebAzX+bxvfED1Ye3cc5bqldQIDAQAB
AoGAAIP2BY1xzaFpAac0079vGEvy9/h94xt5RoK7wJNv1P0dTyws93ZFH2NaUdx6
+hgScqe/ES0u9XdxzkcBhGMUswvNmofgk9w/ynQhey7g739TXeEh76zMphNVJf0z
pawFFP/FIIgYVf7CdHkQ8cU4LEvTUCxAE5bICHMuOgCiEQECQQDz5/PSc/ZuMOZq
ngYOCaf3p3CQdeFcFOeU3ldxW8j5eZR2Xdhu5CCeY5ELPq+yW4+J+6KBAVh6Q8Uv
MwDCSqrBAkEA3wEBMgaJvpEijv6P6Ryc+khazEASDAbvUmrcUD0t14aPrCoAHAUU
stCCcn8zV4MqETPr7bO9joh/oh7IpCGrtQJAMYzTydNpIuWoScykqkFn8DYB9jcc
e1p72ZB57zuYTqZWdN2H1K9fuQ29L62if/d956hJUS/2y4/tBTO1WcNVgQJBALQK
jJuF2cmoRV1rOma6+iW7KstCYw+gvbEtoyeI7SzXb8FQu3vjwj1HyDmGZr4doGX5
JF5pwf2ESH9sGRMiOA0CQGKVeegxodjqwNEY8WqJjgROHkI1aJhdHVehAcCLhtGX
WBcQEK73GJC5Kb4yTg0VEFkIWeGpy0aDnOyTJlNrQKc=
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALKxpVan7012dgwJ
D17DS82cgK4b+opjaz5d3xjlMCVKvwKQoBrb2XvTwPJbgt4HvUxDZk05bP6I1Rqs
R9BMLeAFTZWAtWHfhAPLJvezd4zlKJ5xXksBQmRk1B+L4sYSr59k3mPwsv/7DoLY
us+pIX9DT8kZ4FDhkKzO0qvch7mfAgMBAAECgYB3oUyChi1EG9GN3ybmFzMRdPwF
FAAYU9TBTREF1rHz1WWpLu+w64xfRPWAi1lCkcXeX6UGgDKC+VJJ6BqvzcBLgkjh
GBaWBCN/F782Ss4svt1dyRrixixUw+RfJLakKSdFPsrdIHctdSLIKsSl4wxj+9ek
NmGbOBm/2ZJazSzgEQJBAN5abmR53pRdGKgfFKeqUo+ygWSi1IDFqn0niw7DS4TU
3h/QuI9qWZQlTIK8ibguvpc7wHUK4IZ0pk7TwmN1H6cCQQDNu+4vw2Xe2CFjEkLI
X1stba8tsdqP04BGFectrxoeUhLMZtG2Y0ZCx+BjAACXTqfchsSjv+G9Fj/QHJLg
TxVJAkB8VQjBejvxrhTpfWepUV4VJ/WedkZpMx5gGUpymNWTkwwZsjZhS1CHvEuK
Fy7TJKBCJJE7YTenN3b/QP3Da2ylAkEAwVzMdR/Vcyj32EGleuYEsCHS78OlhGBo
w3Z6nTlh9vV0raBFooKT2tg5UVMDOzK2GlKgJreF104+E7+HXEN34QJAYF76xuMm
bKi3V1bI7/t8hXs87LLHjR90PHNzLdy61lWxMvb8oWe8KjDyaE253h24a6tEPzT1
a8lIpqpuuuvTbg==
-----END PRIVATE KEY-----

100
configure.ac
View File

@ -70,18 +70,6 @@ AC_ARG_ENABLE(
[enable_wtp="yes"]
)
AC_ARG_WITH(
[ssl-library],
[AS_HELP_STRING([--with-ssl-library=library], [build with the given crypto library, TYPE=openssl|cyassl @<:@default=openssl@:>@])],
[
case "${withval}" in
openssl|cyassl) ;;
*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
esac
],
[with_ssl_library="openssl"]
)
AC_ARG_WITH(
[mem-check],
[AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=no|internal|valgrind @<:@default=internal@:>@])],
@ -194,14 +182,13 @@ AC_DEFINE_UNQUOTED([LIBCONFIG_LOOKUP_INT_ARG], [$LIBCONFIG_LOOKUP_INT_ARG], [con
AC_CHECK_HEADER([pthread.h], [], [AC_MSG_ERROR(You need the pthread headers)])
AC_CHECK_LIB([pthread], [pthread_create], [PTHREAD_LIBS="-lpthread"], [AC_MSG_ERROR(You need the pthread library)])
# Check XML2 library
PKG_CHECK_MODULES(
[LIBXML2],
[libxml-2.0 >= 2.6]
)
# Check SSL library
PKG_CHECK_MODULES([CYASSL], [cyassl >= 3.0.0], [have_cyassl_ssl="yes"], [have_cyassl_ssl="no"])
# Check JSON library
if test "${enable_ac}" = "yes"; then
test "x${have_cyassl_ssl}" != "xyes" && AC_MSG_ERROR(You need the cyassl library)
PKG_CHECK_MODULES(
[LIBJSON],
[json-c >= 0.11],
@ -213,6 +200,12 @@ if test "${enable_ac}" = "yes"; then
[AC_MSG_ERROR(You need the libjson)]
)]
)
# Check XML2 library
PKG_CHECK_MODULES(
[LIBXML2],
[libxml-2.0 >= 2.6]
)
fi
# Check nl80211
@ -235,79 +228,8 @@ if test "${enable_wifi_drivers_nl80211}" = "yes"; then
fi
AM_CONDITIONAL([BUILD_WTP_WIFI_DRIVERS_NL80211], [test "${enable_wifi_drivers_nl80211}" = "yes"])
# Check SSL library
if test "${with_ssl_library}" = "openssl"; then
PKG_CHECK_MODULES(
[OPENSSL_CRYPTO],
[libcrypto >= 1.0.0],
[have_openssl_crypto="yes"],
[AC_CHECK_LIB(
[crypto],
[RSA_new],
[
have_openssl_crypto="yes"
OPENSSL_CRYPTO_LIBS="-lcrypto"
]
)]
)
PKG_CHECK_MODULES(
[OPENSSL_SSL],
[libssl >= 1.0.0],
[have_openssl_ssl="yes"],
[AC_CHECK_LIB(
[ssl],
[SSL_CTX_new],
[
have_openssl_ssl="yes"
OPENSSL_SSL_LIBS="-lssl"
]
)]
)
if test "x${have_openssl_ssl}" = "xyes"; then
have_openssl_engine="yes"
OPENSSL_SSL_LIBS="${OPENSSL_SSL_LIBS} -ldl"
#saved_CFLAGS="${CFLAGS}"
#saved_LIBS="${LIBS}"
#CFLAGS="${CFLAGS} ${OPENSSL_SSL_CFLAGS}"
#LIBS="${LIBS} ${OPENSSL_SSL_LIBS}"
#AC_CHECK_FUNC([SSL_CTX_set_cookie_generate_cb], , [AC_MSG_ERROR([${with_ssl_library} SSL_CTX_set_cookie_generate_cb function is required but missing])])
#AC_CHECK_FUNC([SSL_CTX_set_cookie_verify_cb], , [AC_MSG_ERROR([${with_ssl_library} SSL_CTX_set_cookie_verify_cb function is required but missing])])
#CFLAGS="${saved_CFLAGS}"
#LIBS="${saved_LIBS}"
fi
elif test "${with_ssl_library}" = "cyassl"; then
AC_CHECK_HEADER([cyassl/ssl.h], [], [AC_MSG_ERROR(You need the cyassl headers)])
AC_CHECK_HEADER([cyassl/openssl/ssl.h], [], [AC_MSG_ERROR(You need the cyassl opensslextra headers)])
AC_CHECK_LIB([cyassl], [CyaSSL_Init], [], [AC_MSG_ERROR(You need the cyassl library)])
have_cyassl_engine="yes"
have_cyassl_ssl="yes"
fi
case "${with_ssl_library}" in
openssl)
have_crypto_engine="${have_openssl_engine}"
have_crypto_crypto="${have_openssl_crypto}"
have_crypto_ssl="${have_openssl_ssl}"
SSL_CFLAGS="${OPENSSL_CRYPTO_CFLAGS} ${OPENSSL_SSL_CFLAGS}"
SSL_LIBS="${OPENSSL_SSL_LIBS}"
test "x${have_crypto_engine}" = "xyes" && AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [Use ssl library])
;;
cyassl)
have_crypto_engine="${have_cyassl_engine}"
have_crypto_crypto="${have_cyassl_ssl}"
have_crypto_ssl="${have_cyassl_ssl}"
SSL_CFLAGS=""
SSL_LIBS="-lcyassl"
test "x${have_crypto_engine}" = "xyes" && AC_DEFINE([HAVE_CYASSL_ENGINE], [1], [Use ssl library])
;;
esac
if test "${enable_dtls}" = "yes"; then
test "x${have_crypto_engine}" != "xyes" && AC_MSG_ERROR([${with_ssl_library} engine is required but missing])
test "x${have_crypto_ssl}" != "xyes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])
test "x${have_crypto_crypto}" != "xyes" && AC_MSG_ERROR([${with_ssl_library} crypto is required but missing])
test "x${have_cyassl_ssl}" != "xyes" && AC_MSG_ERROR(You need the cyassl library)
AC_DEFINE([ENABLE_DTLS], [1], [Enable DTLS])
fi

26
src/ac/ac.c
View File

@ -447,12 +447,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
}
}
if (config_lookup_string(config, "application.dtls.x509.privatekeypassword", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
dtlsparam.cert.pwdprivatekey = capwap_duplicate_string(configString);
}
}
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
if (capwap_crypt_createcontext(&g_ac.dtlscontext, &dtlsparam)) {
g_ac.enabledtls = 1;
@ -471,10 +465,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
if (dtlsparam.cert.filekey) {
capwap_free(dtlsparam.cert.filekey);
}
if (dtlsparam.cert.pwdprivatekey) {
capwap_free(dtlsparam.cert.pwdprivatekey);
}
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
if (config_lookup_string(config, "application.dtls.presharedkey.hint", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
@ -630,7 +620,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
char* calist = NULL;
char* certificate = NULL;
char* privatekey = NULL;
char* privatekeypassword = NULL;
config_setting_t* configSSL;
/* */
@ -658,17 +647,11 @@ static int ac_parsing_configuration_1_0(config_t* config) {
}
}
if (config_setting_lookup_string(configSSL, "privatekeypassword", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
privatekeypassword = capwap_duplicate_string(configString);
}
}
/* */
if (calist && certificate && privatekey) {
server->sslcontext = capwap_socket_crypto_createcontext(calist, certificate, privatekey, privatekeypassword);
server->sslcontext = capwap_socket_crypto_createcontext(calist, certificate, privatekey);
if (!server->sslcontext) {
capwap_logging_error("Invalid configuration file, invalid backend.server.x509 value");
capwap_logging_error("Invalid configuration file, unable to initialize crypto library");
return 0;
}
} else {
@ -680,9 +663,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
capwap_free(calist);
capwap_free(certificate);
capwap_free(privatekey);
if (privatekeypassword) {
capwap_free(privatekeypassword);
}
}
/* Add item */
@ -824,7 +804,7 @@ int main(int argc, char** argv) {
capwap_init_rand();
/* Init crypt */
if (!capwap_crypt_init()) {
if (capwap_crypt_init()) {
capwap_logging_fatal("Error to init crypt engine");
return CAPWAP_CRYPT_ERROR;
}

4
src/ac/ac_execute.c
View File

@ -831,7 +831,7 @@ int ac_execute(void) {
}
} else if (check == CAPWAP_DTLS_PACKET) {
/* Before create new session check if receive DTLS Client Hello */
if (capwap_sanity_check_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
if (capwap_crypt_has_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
struct capwap_socket ctrlsock;
/* Retrive socket info */
@ -868,7 +868,7 @@ int ac_execute(void) {
if (!plain) {
if (buffersize <= sizeof(struct capwap_dtls_header)) {
plain = -1;
} else if (!capwap_sanity_check_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
} else if (!capwap_crypt_has_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
plain = -1;
}
}

744
src/common/capwap_dtls.c
View File

@ -1,518 +1,228 @@
#include "capwap.h"
#include "capwap_dtls.h"
#include "capwap_protocol.h"
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/engine.h>
#include <openssl/conf.h>
#ifdef CAPWAP_MULTITHREADING_ENABLE
#include <pthread.h>
static pthread_mutex_t* l_mutex_buffer = NULL;
#endif
#define CAPWAP_DTLS_CERT_VERIFY_DEPTH 1
#define CAPWAP_DTLS_MTU_SIZE 16384
#define OPENSSL_EXDATA_APPLICATION 0
#define OPENSSL_EXDATA_DTLSCONTEXT 1
#define OPENSSL_EXDATA_DTLS 2
#include <cyassl/options.h>
#include <cyassl/ssl.h>
#include <cyassl/ctaocrypt/sha.h>
/* */
static int capwap_bio_method_new(BIO* bio);
static int capwap_bio_method_free(BIO* bio);
static int capwap_bio_method_puts(BIO* bio, const char* str);
static int capwap_bio_method_read(BIO* bio, char* str, int length);
static int capwap_bio_method_write(BIO* bio, const char* str, int length);
static long capwap_bio_method_ctrl(BIO* bio, int cmd, long num, void* ptr);
/* OpenSSL BIO methods */
static BIO_METHOD bio_methods_memory = {
BIO_TYPE_DGRAM,
"dtls capwap packet",
capwap_bio_method_write,
capwap_bio_method_read,
capwap_bio_method_puts,
NULL,
capwap_bio_method_ctrl,
capwap_bio_method_new,
capwap_bio_method_free,
NULL,
};
/* OpenSSL BIO custom data */
struct bio_capwap_data {
int mtu;
struct sockaddr_storage peer;
struct capwap_dtls* dtls;
capwap_bio_send send;
void* param;
static const char g_char2hex[] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
-1, -1, -1, -1, -1, -1, -1,
10, 11, 12, 13, 14, 15, /* Upper Case A - F */
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
10, 11, 12, 13, 14, 15 /* Lower Case a - f */
};
static const int g_char2hex_length = sizeof(g_char2hex) / sizeof(g_char2hex[0]);
/* */
static BIO* capwap_bio_new() {
BIO* result;
result = BIO_new(&bio_methods_memory);
if (result) {
memset(result->ptr, 0, sizeof(struct bio_capwap_data));
}
return result;
}
/* */
static int capwap_bio_method_new(BIO* bio) {
bio->init = 1;
bio->num = 0;
bio->flags = 0;
bio->ptr = (char*)capwap_alloc(sizeof(struct bio_capwap_data));
return 1;
}
/* */
static int capwap_bio_method_free(BIO* bio) {
if (bio == NULL) {
return 0;
} else if (bio->ptr) {
capwap_free(bio->ptr);
}
return 1;
}
/* */
static int capwap_bio_method_puts(BIO* bio, const char* str) {
return capwap_bio_method_write(bio, str, strlen(str));
}
/* */
static int capwap_bio_method_read(BIO* bio, char* str, int length) {
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
static int capwap_bio_method_recv(CYASSL* ssl, char* buffer, int length, void* context) {
struct capwap_dtls* dtls = (struct capwap_dtls*)context;
struct capwap_dtls_header* dtlspreamble;
int size;
/* Check read packet */
if ((data->dtls->length < sizeof(struct capwap_dtls_header)) || !data->dtls->buffer) {
if (!data->dtls->length && !data->dtls->buffer) {
BIO_set_retry_read(bio); /* Notify empty buffer */
if ((dtls->length < sizeof(struct capwap_dtls_header)) || !dtls->buffer) {
if (!dtls->length && !dtls->buffer) {
return CYASSL_CBIO_ERR_WANT_READ; /* Notify empty buffer */
}
return -1;
return CYASSL_CBIO_ERR_GENERAL;
}
/* Check DTLS Capwap Preamble */
dtlspreamble = (struct capwap_dtls_header*)data->dtls->buffer;
dtlspreamble = (struct capwap_dtls_header*)dtls->buffer;
if ((dtlspreamble->preamble.version != CAPWAP_PROTOCOL_VERSION) || (dtlspreamble->preamble.type != CAPWAP_PREAMBLE_DTLS_HEADER)) {
capwap_logging_debug("Wrong DTLS Capwap Preamble");
return -1; /* Wrong DTLS Capwap Preamble */
return CYASSL_CBIO_ERR_GENERAL; /* Wrong DTLS Capwap Preamble */
}
/* */
size = data->dtls->length - sizeof(struct capwap_dtls_header);
data->dtls->length = 0;
size = dtls->length - sizeof(struct capwap_dtls_header);
dtls->length = 0;
data->dtls->buffer += sizeof(struct capwap_dtls_header);
dtls->buffer += sizeof(struct capwap_dtls_header);
if (size > length) {
data->dtls->buffer = NULL;
return -1;
dtls->buffer = NULL;
return CYASSL_CBIO_ERR_GENERAL;
}
/* Copy DTLS packet */
memcpy(str, data->dtls->buffer, size);
data->dtls->buffer = NULL;
memcpy(buffer, dtls->buffer, size);
dtls->buffer = NULL;
return size;
}
/* */
static int capwap_bio_method_write(BIO* bio, const char* str, int length) {
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
char buffer[CAPWAP_MAX_PACKET_SIZE];
struct capwap_dtls_header* dtlspreamble = (struct capwap_dtls_header*)&buffer[0];
static int capwap_bio_method_send(CYASSL* ssl, char* buffer, int length, void* context) {
char data[CAPWAP_MAX_PACKET_SIZE];
struct capwap_dtls* dtls = (struct capwap_dtls*)context;
struct capwap_dtls_header* dtlspreamble = (struct capwap_dtls_header*)data;
/* Check for maxium size of packet */
if (length > (CAPWAP_MAX_PACKET_SIZE - sizeof(struct capwap_dtls_header))) {
return -1;
return CYASSL_CBIO_ERR_GENERAL;
}
/* Create DTLS Capwap Preamble */
dtlspreamble->preamble.version = CAPWAP_PROTOCOL_VERSION;
dtlspreamble->preamble.type = CAPWAP_PREAMBLE_DTLS_HEADER;
dtlspreamble->reserved1 = dtlspreamble->reserved2 = dtlspreamble->reserved3 = 0;
memcpy(&buffer[0] + sizeof(struct capwap_dtls_header), str, length);
memcpy(&data[0] + sizeof(struct capwap_dtls_header), buffer, length);
/* Send packet */
if (!data->send(data->dtls, buffer, length + sizeof(struct capwap_dtls_header), data->param)) {
return -1;
if (!dtls->send(dtls, data, length + sizeof(struct capwap_dtls_header), dtls->sendparam)) {
return CYASSL_CBIO_ERR_GENERAL;
}
/* Don't return size of DTLS Capwap Preamble */
return length;
}
/* */
static long capwap_bio_method_ctrl(BIO* bio, int cmd, long num, void* ptr) {
long result = 1;
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
switch (cmd) {
case BIO_CTRL_RESET: {
result = 0;
break;
}
case BIO_CTRL_EOF: {
result = 0;
break;
}
case BIO_CTRL_INFO: {
result = 0;
break;
}
case BIO_CTRL_GET_CLOSE: {
result = bio->shutdown;
break;
}
case BIO_CTRL_SET_CLOSE: {
bio->shutdown = (int)num;
break;
}
case BIO_CTRL_WPENDING:
case BIO_CTRL_PENDING: {
result = 0;
break;
}
case BIO_CTRL_DUP:
case BIO_CTRL_FLUSH: {
result = 1;
break;
}
case BIO_CTRL_PUSH: {
result = 0;
break;
}
case BIO_CTRL_POP: {
result = 0;
break;
}
case BIO_CTRL_DGRAM_QUERY_MTU: {
data->mtu = CAPWAP_DTLS_MTU_SIZE;
result = data->mtu;
break;
}
case BIO_CTRL_DGRAM_GET_MTU: {
result = data->mtu;
break;
}
case BIO_CTRL_DGRAM_SET_MTU: {
data->mtu = (int)num;
result = data->mtu;
break;
}
case BIO_CTRL_DGRAM_SET_PEER: {
memcpy(&data->peer, ptr, sizeof(struct sockaddr_storage));
break;
}
case BIO_CTRL_DGRAM_GET_PEER: {
memcpy(ptr, &data->peer, sizeof(struct sockaddr_storage));
break;
}
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: {
break;
}
default: {
result = 0;
break;
}
}
return result;
}
#ifdef CAPWAP_MULTITHREADING_ENABLE
/* */
unsigned long capwap_openssl_idcallback(void) {
return (unsigned long)pthread_self();
}
/* */
void capwap_openssl_lockingcallback(int mode, int n, const char* file, int line) {
ASSERT(l_mutex_buffer != NULL);
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&l_mutex_buffer[n]);
} else {
pthread_mutex_unlock(&l_mutex_buffer[n]);
}
}
#endif
/* */
int capwap_crypt_init() {
#ifdef CAPWAP_MULTITHREADING_ENABLE
int i;
int numlocks;
#endif
int result;
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#ifdef CAPWAP_MULTITHREADING_ENABLE
/* Configure OpenSSL thread-safe */
numlocks = CRYPTO_num_locks();
l_mutex_buffer = (pthread_mutex_t*)capwap_alloc(numlocks * sizeof(pthread_mutex_t));
for (i = 0; i < numlocks; i++) {
pthread_mutex_init(&l_mutex_buffer[i], NULL);
/* Init library */
result = CyaSSL_Init();
if (result != SSL_SUCCESS) {
return -1;
}
/* OpenSSL thread-safe callbacks */
CRYPTO_set_id_callback(capwap_openssl_idcallback);
CRYPTO_set_locking_callback(capwap_openssl_lockingcallback);
#endif
return 1;
return 0;
}
/* */
void capwap_crypt_free() {
/* Clear error queue */
ERR_clear_error();
ERR_remove_state(0);
ERR_remove_thread_state(NULL);
/* */
#ifdef CAPWAP_MULTITHREADING_ENABLE
int i;
int numlocks;
ASSERT(l_mutex_buffer != NULL);
/* */
CRYPTO_set_id_callback(NULL);
CRYPTO_set_locking_callback(NULL);
/* */
numlocks = CRYPTO_num_locks();
for (i = 0; i < numlocks; i++) {
pthread_mutex_destroy(&l_mutex_buffer[i]);
}
capwap_free(l_mutex_buffer);
l_mutex_buffer = NULL;
#endif
/* */
ERR_free_strings();
RAND_cleanup();
ENGINE_cleanup();
EVP_cleanup();
OBJ_cleanup();
CONF_modules_finish();
CONF_modules_free();
CONF_modules_unload(1);
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free (SSL_COMP_get_compression_methods());
CyaSSL_Cleanup();
}
/* */
static int check_passwd(char* buffer, int size, int rwflag, void* userdata) {
int length;
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)userdata;
ASSERT(dtlscontext != NULL);
ASSERT(dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE);
ASSERT(dtlscontext->cert.pwdprivatekey != NULL);
length = strlen(dtlscontext->cert.pwdprivatekey);
if (!buffer || (size < (length + 1))) {
return 0;
}
strcpy(buffer, dtlscontext->cert.pwdprivatekey);
return length;
}
/* */
static int verify_certificate(int preverify_ok, X509_STORE_CTX* ctx) {
int err;
int depth;
X509* err_cert;
char buf[256];
err_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
X509_verify_cert_error_string(err);
depth = X509_STORE_CTX_get_error_depth(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
if (depth > CAPWAP_DTLS_CERT_VERIFY_DEPTH) {
preverify_ok = 0;
err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
X509_STORE_CTX_set_error(ctx, err);
}
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
}
static int capwap_crypt_verifycertificate(int preverify_ok, CYASSL_X509_STORE_CTX* ctx) {
return preverify_ok;
}
static int create_cookie(SSL* ssl, unsigned char* cookie, unsigned int* cookie_len) {
int length;
unsigned char* buffer;
struct sockaddr_storage peer;
struct capwap_app_data* appdata;
/* */
static unsigned int capwap_crypt_psk_client(CYASSL* ssl, const char* hint, char* identity, unsigned int max_identity_len, unsigned char* psk, unsigned int max_psk_len) {
struct capwap_dtls* dtls = (struct capwap_dtls*)CyaSSL_GetIOReadCtx(ssl);
ASSERT(dtls != NULL);
ASSERT(dtls->dtlscontext != NULL);
/* */
appdata = (struct capwap_app_data*)SSL_get_app_data(ssl);
if (!appdata) {
return 0;
}
/* Read peer information */
if (BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer) < 0) {
return 0;
}
/* Create buffer with peer's address and port */
if (peer.ss_family == AF_INET) {
length = sizeof(struct in_addr) + sizeof(in_port_t);
} else if (peer.ss_family == AF_INET6) {
length = sizeof(struct in6_addr) + sizeof(in_port_t);
} else {
if ((max_identity_len < strlen(dtls->dtlscontext->presharedkey.identity)) || (max_psk_len < dtls->dtlscontext->presharedkey.pskkeylength)) {
return 0;
}
/* */
buffer = capwap_alloc(length);
if (peer.ss_family == AF_INET) {
struct sockaddr_in* peeripv4 = (struct sockaddr_in*)&peer;
memcpy(buffer, &peeripv4->sin_port, sizeof(in_port_t));
memcpy(buffer + sizeof(in_port_t), &peeripv4->sin_addr, sizeof(struct in_addr));
} else if (peer.ss_family == AF_INET6) {
struct sockaddr_in6* peeripv6 = (struct sockaddr_in6*)&peer;
memcpy(buffer, &peeripv6->sin6_port, sizeof(in_port_t));
memcpy(buffer + sizeof(in_port_t), &peeripv6->sin6_addr, sizeof(struct in6_addr));
}
/* Calculate HMAC of buffer using the secret */
HMAC(EVP_sha1(), appdata->cookie, CAPWAP_COOKIE_SECRET_LENGTH, buffer, length, cookie, cookie_len);
capwap_free(buffer);
return 1;
strcpy(identity, dtls->dtlscontext->presharedkey.identity);
memcpy(psk, dtls->dtlscontext->presharedkey.pskkey, dtls->dtlscontext->presharedkey.pskkeylength);
return dtls->dtlscontext->presharedkey.pskkeylength;
}
/* */
static int generate_cookie(SSL* ssl, unsigned char* cookie, unsigned int* cookie_len) {
unsigned int resultlength;
unsigned char result[EVP_MAX_MD_SIZE];
static unsigned int capwap_crypt_psk_server(CYASSL* ssl, const char* identity, unsigned char* psk, unsigned int max_psk_len) {
struct capwap_dtls* dtls = (struct capwap_dtls*)CyaSSL_GetIOReadCtx(ssl);
if (!create_cookie(ssl, &result[0], &resultlength)) {
return 0;
}
/* Cookie generated */
memcpy(cookie, result, resultlength);
*cookie_len = resultlength;
return 1;
}
/* */
static int verify_cookie(SSL* ssl, unsigned char* cookie, unsigned int cookie_len) {
unsigned int resultlength;
unsigned char result[EVP_MAX_MD_SIZE];
if (!create_cookie(ssl, &result[0], &resultlength)) {
return 0;
}
/* Check cookie */
if ((cookie_len != resultlength) || (memcmp(result, cookie, resultlength) != 0)) {
return 0;
}
return 1;
}
/* */
static unsigned int capwap_crypt_psk_client(SSL* ssl, const char* hint, char* identity, unsigned int max_identity_len, unsigned char* psk, unsigned int max_psk_len) {
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)SSL_get_ex_data(ssl, OPENSSL_EXDATA_DTLSCONTEXT);
ASSERT(dtlscontext != NULL);
ASSERT(dtls != NULL);
ASSERT(dtls->dtlscontext != NULL);
/* */
if ((max_identity_len < strlen(dtlscontext->presharedkey.identity)) || (max_psk_len < dtlscontext->presharedkey.pskkeylength)) {
if (strcmp(identity, dtls->dtlscontext->presharedkey.identity) || (max_psk_len < dtls->dtlscontext->presharedkey.pskkeylength)) {
return 0;
}
/* */
strcpy(identity, dtlscontext->presharedkey.identity);
memcpy(psk, dtlscontext->presharedkey.pskkey, dtlscontext->presharedkey.pskkeylength);
return dtlscontext->presharedkey.pskkeylength;
}
/* */
static unsigned int capwap_crypt_psk_server(SSL* ssl, const char* identity, unsigned char* psk, unsigned int max_psk_len) {
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)SSL_get_ex_data(ssl, OPENSSL_EXDATA_DTLSCONTEXT);
ASSERT(dtlscontext != NULL);
/* */
if (strcmp(identity, dtlscontext->presharedkey.identity) || (max_psk_len < dtlscontext->presharedkey.pskkeylength)) {
return 0;
}
/* */
memcpy(psk, dtlscontext->presharedkey.pskkey, dtlscontext->presharedkey.pskkeylength);
return dtlscontext->presharedkey.pskkeylength;
memcpy(psk, dtls->dtlscontext->presharedkey.pskkey, dtls->dtlscontext->presharedkey.pskkeylength);
return dtls->dtlscontext->presharedkey.pskkeylength;
}
/* */
static unsigned int capwap_crypt_psk_to_bin(char* pskkey, unsigned char** pskbin) {
int i, j;
int length;
BIGNUM* bn = NULL;
/* */
if (!BN_hex2bn(&bn, pskkey)) {
if (bn) {
BN_free(bn);
}
int result;
unsigned char* buffer;
/* Convert string to hex */
length = strlen(pskkey);
if (!length || (length % 2)) {
return 0;
}
/* Convert into binary */
*pskbin = (unsigned char*)capwap_alloc(BN_num_bytes(bn));
length = BN_bn2bin(bn, *pskbin);
BN_free(bn);
/* */
result = length / 2;
buffer = (unsigned char*)capwap_alloc(result);
for (i = 0, j = 0; i < length; i += 2, j++) {
char valuehi = pskkey[i] - 48;
char valuelo = pskkey[i + 1] - 48;
return length;
/* Check value */
if ((valuehi < 0) || (valuehi >= g_char2hex_length) || (valuelo < 0) || (valuelo >= g_char2hex_length)) {
capwap_free(buffer);
return 0;
}
/* */
valuehi = g_char2hex[(int)valuehi];
valuelo = g_char2hex[(int)valuelo];
/* Check value */
if ((valuehi < 0) || (valuelo < 0)) {
capwap_free(buffer);
return 0;
}
/* */
buffer[j] = (unsigned char)(((unsigned char)valuehi << 4) | (unsigned char)valuelo);
}
/* */
*pskbin = buffer;
return result;
}
/* */
static int capwap_crypt_createcookie(CYASSL* ssl, unsigned char* buffer, int size, void* context) {
int length;
unsigned char temp[32];
Sha sha;
byte digest[SHA_DIGEST_SIZE];
struct capwap_dtls* dtls = (struct capwap_dtls*)context;
if (size != SHA_DIGEST_SIZE) {
return -1;
}
/* Create buffer with peer's address and port */
if (dtls->peeraddr.ss_family == AF_INET) {
struct sockaddr_in* peeripv4 = (struct sockaddr_in*)&dtls->peeraddr;
length = sizeof(struct in_addr) + sizeof(in_port_t);
memcpy(temp, &peeripv4->sin_port, sizeof(in_port_t));
memcpy(temp + sizeof(in_port_t), &peeripv4->sin_addr, sizeof(struct in_addr));
} else if (dtls->peeraddr.ss_family == AF_INET6) {
struct sockaddr_in6* peeripv6 = (struct sockaddr_in6*)&dtls->peeraddr;
length = sizeof(struct in6_addr) + sizeof(in_port_t);
memcpy(temp, &peeripv6->sin6_port, sizeof(in_port_t));
memcpy(temp + sizeof(in_port_t), &peeripv6->sin6_addr, sizeof(struct in6_addr));
} else {
return -1;
}
/* */
if (InitSha(&sha)) {
return -1;
}
ShaUpdate(&sha, temp, length);
ShaFinal(&sha, digest);
/* */
memcpy(buffer, digest, SHA_DIGEST_SIZE);
return SHA_DIGEST_SIZE;
}
/* */
@ -525,12 +235,18 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
dtlscontext->mode = param->mode;
/* Alloc context */
dtlscontext->sslcontext = (void*)SSL_CTX_new(((param->type == CAPWAP_DTLS_SERVER) ? DTLSv1_server_method() : DTLSv1_client_method()));
dtlscontext->sslcontext = (void*)CyaSSL_CTX_new(((param->type == CAPWAP_DTLS_SERVER) ? CyaDTLSv1_server_method() : CyaDTLSv1_client_method()));
if (!dtlscontext->sslcontext) {
capwap_logging_debug("Error to initialize dtls context");
return 0;
}
/* Set context IO */
CyaSSL_SetIORecv((CYASSL_CTX*)dtlscontext->sslcontext, capwap_bio_method_recv);
CyaSSL_SetIOSend((CYASSL_CTX*)dtlscontext->sslcontext, capwap_bio_method_send);
CyaSSL_CTX_SetGenCookie((CYASSL_CTX*)dtlscontext->sslcontext, capwap_crypt_createcookie);
/* */
if (dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE) {
/* Check context */
if (!param->cert.filecert || !strlen(param->cert.filecert)) {
@ -548,45 +264,34 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
}
/* Public certificate */
if (!SSL_CTX_use_certificate_file((SSL_CTX*)dtlscontext->sslcontext, param->cert.filecert, SSL_FILETYPE_PEM)) {
if (!CyaSSL_CTX_use_certificate_file((CYASSL_CTX*)dtlscontext->sslcontext, param->cert.filecert, SSL_FILETYPE_PEM)) {
capwap_logging_debug("Error to load certificate file");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
/* Passwork decrypt privatekey */
dtlscontext->cert.pwdprivatekey = capwap_duplicate_string((param->cert.pwdprivatekey ? param->cert.pwdprivatekey : ""));
SSL_CTX_set_default_passwd_cb((SSL_CTX*)dtlscontext->sslcontext, check_passwd);
SSL_CTX_set_default_passwd_cb_userdata((SSL_CTX*)dtlscontext->sslcontext, dtlscontext);
/* Private key */
if (!SSL_CTX_use_PrivateKey_file((SSL_CTX*)dtlscontext->sslcontext, param->cert.filekey, SSL_FILETYPE_PEM)) {
if (!CyaSSL_CTX_use_PrivateKey_file((CYASSL_CTX*)dtlscontext->sslcontext, param->cert.filekey, SSL_FILETYPE_PEM)) {
capwap_logging_debug("Error to load private key file");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
if (!SSL_CTX_check_private_key((SSL_CTX*)dtlscontext->sslcontext)) {
if (!CyaSSL_CTX_check_private_key((CYASSL_CTX*)dtlscontext->sslcontext)) {
capwap_logging_debug("Error to check private key");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
/* Certificate Authority */
if (!SSL_CTX_load_verify_locations((SSL_CTX*)dtlscontext->sslcontext, param->cert.fileca, NULL)) {
if (!CyaSSL_CTX_load_verify_locations((CYASSL_CTX*)dtlscontext->sslcontext, param->cert.fileca, NULL)) {
capwap_logging_debug("Error to load ca file");
capwap_crypt_freecontext(dtlscontext);
return 0;
}
/*if (!SSL_CTX_set_default_verify_paths((SSL_CTX*)dtlscontext->sslcontext)) {
capwap_crypt_freecontext(dtlscontext);
return 0;
}*/
/* Verify certificate callback */
SSL_CTX_set_verify((SSL_CTX*)dtlscontext->sslcontext, ((param->type == CAPWAP_DTLS_SERVER) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_PEER), verify_certificate);
CyaSSL_CTX_set_verify((CYASSL_CTX*)dtlscontext->sslcontext, ((param->type == CAPWAP_DTLS_SERVER) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_PEER), capwap_crypt_verifycertificate);
/* Cipher list:
TLS_RSA_WITH_AES_128_CBC_SHA
@ -594,7 +299,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*/
if (!SSL_CTX_set_cipher_list((SSL_CTX*)dtlscontext->sslcontext, "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:DHE-RSA-AES256-SHA")) {
if (!CyaSSL_CTX_set_cipher_list((CYASSL_CTX*)dtlscontext->sslcontext, "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:DHE-RSA-AES256-SHA")) {
capwap_logging_debug("Error to select cipher list");
capwap_crypt_freecontext(dtlscontext);
return 0;
@ -606,7 +311,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
TLS_PSK_WITH_AES_256_CBC_SHA
TLS_DHE_PSK_WITH_AES_256_CBC_SHA
*/
if (!SSL_CTX_set_cipher_list((SSL_CTX*)dtlscontext->sslcontext, "PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA")) {
if (!CyaSSL_CTX_set_cipher_list((CYASSL_CTX*)dtlscontext->sslcontext, "PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA")) {
capwap_logging_debug("Error to select cipher list");
capwap_crypt_freecontext(dtlscontext);
return 0;
@ -615,7 +320,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
/* */
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
if (param->presharedkey.hint) {
SSL_CTX_use_psk_identity_hint((SSL_CTX*)dtlscontext->sslcontext, param->presharedkey.hint);
CyaSSL_CTX_use_psk_identity_hint((CYASSL_CTX*)dtlscontext->sslcontext, param->presharedkey.hint);
} else {
capwap_logging_debug("Error to presharedkey hint");
capwap_crypt_freecontext(dtlscontext);
@ -634,9 +339,9 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
/* */
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
SSL_CTX_set_psk_server_callback((SSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_server);
CyaSSL_CTX_set_psk_server_callback((CYASSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_server);
} else {
SSL_CTX_set_psk_client_callback((SSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_client);
CyaSSL_CTX_set_psk_client_callback((CYASSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_client);
}
} else {
capwap_logging_debug("Invalid DTLS mode");
@ -644,13 +349,6 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
return 0;
}
/* Cookie callback */
RAND_bytes(dtlscontext->cookie, CAPWAP_COOKIE_SECRET_LENGTH);
SSL_CTX_set_cookie_generate_cb((SSL_CTX*)dtlscontext->sslcontext, generate_cookie);
SSL_CTX_set_cookie_verify_cb((SSL_CTX*)dtlscontext->sslcontext, verify_cookie);
/* */
SSL_CTX_set_read_ahead((SSL_CTX*)dtlscontext->sslcontext, 1);
return 1;
}
@ -659,11 +357,7 @@ void capwap_crypt_freecontext(struct capwap_dtls_context* dtlscontext) {
ASSERT(dtlscontext != NULL);
/* */
if (dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE) {
if (dtlscontext->cert.pwdprivatekey) {
capwap_free(dtlscontext->cert.pwdprivatekey);
}
} else {
if (dtlscontext->mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
if (dtlscontext->presharedkey.identity) {
capwap_free(dtlscontext->presharedkey.identity);
}
@ -675,80 +369,42 @@ void capwap_crypt_freecontext(struct capwap_dtls_context* dtlscontext) {
/* Free context */
if (dtlscontext->sslcontext) {
SSL_CTX_free((SSL_CTX*)dtlscontext->sslcontext);
CyaSSL_CTX_free((CYASSL_CTX*)dtlscontext->sslcontext);
}
memset(dtlscontext, 0, sizeof(struct capwap_dtls));
memset(dtlscontext, 0, sizeof(struct capwap_dtls_context));
}
/* */
int capwap_crypt_createsession(struct capwap_dtls* dtls, int sessiontype, struct capwap_dtls_context* dtlscontext, capwap_bio_send biosend, void* param) {
BIO* bio;
struct capwap_app_data* appdata;
ASSERT(dtls != NULL);
ASSERT(dtlscontext != NULL);
ASSERT(dtlscontext->sslcontext != NULL);
ASSERT(biosend != NULL);
memset(dtls, 0, sizeof(struct capwap_dtls));
/* Create ssl session */
dtls->sslsession = (void*)SSL_new((SSL_CTX*)dtlscontext->sslcontext);
dtls->sslsession = (void*)CyaSSL_new((CYASSL_CTX*)dtlscontext->sslcontext);
if (!dtls->sslsession) {
capwap_logging_debug("Error to initialize dtls session");
return 0;
}
/* Create BIO */
bio = capwap_bio_new();
if (!bio) {
capwap_logging_debug("Error to initialize bio");
capwap_crypt_free(dtls);
return 0;
} else {
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
data->dtls = dtls;
data->send = biosend;
data->param = param;
}
/* Configure BIO */
SSL_set_bio((SSL*)dtls->sslsession, bio, bio);
/* In server mode enable cookie exchange */
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
SSL_set_options((SSL*)dtls->sslsession, SSL_OP_COOKIE_EXCHANGE);
}
/* Set static MTU size */
SSL_set_options((SSL*)dtls->sslsession, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu((SSL*)dtls->sslsession, CAPWAP_DTLS_MTU_SIZE);
/* Send callback */
dtls->send = biosend;
dtls->sendparam = param;
/* */
SSL_set_verify_depth((SSL*)dtls->sslsession, CAPWAP_DTLS_CERT_VERIFY_DEPTH + 1);
/* */
SSL_set_read_ahead((SSL*)dtls->sslsession, 1);
/* */
ERR_clear_error();
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
SSL_set_accept_state((SSL*)dtls->sslsession);
} else {
SSL_set_connect_state((SSL*)dtls->sslsession);
}
/* SSL session app data */
appdata = (struct capwap_app_data*)capwap_alloc(sizeof(struct capwap_app_data));
appdata->cookie = &dtlscontext->cookie[0];
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_APPLICATION, (void*)appdata);
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_DTLSCONTEXT, (void*)dtlscontext);
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_DTLS, (void*)dtls);
CyaSSL_set_using_nonblock((CYASSL*)dtls->sslsession, 1);
CyaSSL_SetIOReadCtx((CYASSL*)dtls->sslsession, (void*)dtls);
CyaSSL_SetIOWriteCtx((CYASSL*)dtls->sslsession, (void*)dtls);
CyaSSL_SetCookieCtx((CYASSL*)dtls->sslsession, (void*)dtls);
/* */
dtls->action = CAPWAP_DTLS_ACTION_NONE;
dtls->session = sessiontype;
dtls->dtlscontext = dtlscontext;
dtls->enable = 1;
return 1;
@ -762,10 +418,16 @@ static int capwap_crypt_handshake(struct capwap_dtls* dtls) {
ASSERT(dtls->enable != 0);
ASSERT((dtls->action == CAPWAP_DTLS_ACTION_NONE) || (dtls->action == CAPWAP_DTLS_ACTION_HANDSHAKE));
ERR_clear_error();
result = SSL_do_handshake((SSL*)dtls->sslsession);
if (result <= 0) {
result = SSL_get_error((SSL*)dtls->sslsession, result);
/* */
if (dtls->dtlscontext->type == CAPWAP_DTLS_SERVER) {
result = CyaSSL_accept((CYASSL*)dtls->sslsession);
} else {
result = CyaSSL_connect((CYASSL*)dtls->sslsession);
}
/* */
if (result != SSL_SUCCESS) {
result = CyaSSL_get_error((CYASSL*)dtls->sslsession, 0);
if ((result == SSL_ERROR_WANT_READ) || (result == SSL_ERROR_WANT_WRITE)) {
/* Incomplete handshake */
dtls->action = CAPWAP_DTLS_ACTION_HANDSHAKE;
@ -776,14 +438,7 @@ static int capwap_crypt_handshake(struct capwap_dtls* dtls) {
dtls->action = CAPWAP_DTLS_ACTION_ERROR;
return CAPWAP_HANDSHAKE_ERROR;
}
/* Check certificate */
result = SSL_get_verify_result((SSL*)dtls->sslsession);
if (result != X509_V_OK) {
dtls->action = CAPWAP_DTLS_ACTION_ERROR;
return CAPWAP_HANDSHAKE_ERROR;
}
/* Handshake complete */
dtls->action = CAPWAP_DTLS_ACTION_DATA;
return CAPWAP_HANDSHAKE_COMPLETE;
@ -791,10 +446,7 @@ static int capwap_crypt_handshake(struct capwap_dtls* dtls) {
/* */
int capwap_crypt_open(struct capwap_dtls* dtls, struct sockaddr_storage* peeraddr) {
if (BIO_dgram_set_peer(SSL_get_rbio((SSL*)dtls->sslsession), peeraddr) < 0) {
return CAPWAP_HANDSHAKE_ERROR;
}
memcpy(&dtls->peeraddr, peeraddr, sizeof(struct sockaddr_storage));
return capwap_crypt_handshake(dtls);
}
@ -803,8 +455,8 @@ void capwap_crypt_close(struct capwap_dtls* dtls) {
ASSERT(dtls != NULL);
ASSERT(dtls->enable != 0);
if ((dtls->action == CAPWAP_DTLS_ACTION_DATA) || (dtls->action == CAPWAP_DTLS_ACTION_SHUTDOWN)) {
SSL_shutdown((SSL*)dtls->sslsession);
if (dtls->sslsession) {
CyaSSL_shutdown((CYASSL*)dtls->sslsession);
}
}
@ -814,19 +466,9 @@ void capwap_crypt_freesession(struct capwap_dtls* dtls) {
/* Free SSL session */
if (dtls->sslsession) {
struct capwap_app_data* appdata = (struct capwap_app_data*)SSL_get_ex_data(dtls->sslsession, OPENSSL_EXDATA_APPLICATION);
if (appdata) {
capwap_free(appdata);
}
SSL_free((SSL*)dtls->sslsession);
CyaSSL_free((CYASSL*)dtls->sslsession);
}
/* */
ERR_clear_error();
ERR_remove_state(0);
ERR_remove_thread_state(NULL);
/* */
memset(dtls, 0, sizeof(struct capwap_dtls));
}
@ -847,8 +489,7 @@ int capwap_crypt_sendto(struct capwap_dtls* dtls, int sock, void* buffer, int si
return 0;
}
ERR_clear_error();
return SSL_write((SSL*)dtls->sslsession, buffer, size);
return CyaSSL_write((CYASSL*)dtls->sslsession, buffer, size);
}
/* */
@ -908,22 +549,13 @@ int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size,
result = CAPWAP_ERROR_AGAIN; /* Don't parsing DTLS packet */
}
} else if (dtls->action == CAPWAP_DTLS_ACTION_DATA) {
ERR_clear_error();
result = SSL_read((SSL*)dtls->sslsession, (plainbuffer ? plainbuffer : encrybuffer), maxsize);
result = CyaSSL_read((CYASSL*)dtls->sslsession, (plainbuffer ? plainbuffer : encrybuffer), maxsize);
if (!result) {
int shutdown;
/* Check shutdown status */
shutdown = SSL_get_shutdown((SSL*)dtls->sslsession);
if (shutdown & SSL_RECEIVED_SHUTDOWN) {
dtls->action = CAPWAP_DTLS_ACTION_SHUTDOWN;
result = CAPWAP_ERROR_SHUTDOWN;
} else {
result = CAPWAP_ERROR_AGAIN;
}
dtls->action = CAPWAP_DTLS_ACTION_SHUTDOWN;
result = CAPWAP_ERROR_SHUTDOWN;
} else if (result < 0) {
/* Check error */
sslerror = SSL_get_error((SSL*)dtls->sslsession, result);
sslerror = CyaSSL_get_error((CYASSL*)dtls->sslsession, 0);
if ((sslerror == SSL_ERROR_WANT_READ) || (sslerror == SSL_ERROR_WANT_WRITE)) {
result = CAPWAP_ERROR_AGAIN; /* DTLS Renegotiation */
} else {
@ -952,7 +584,7 @@ int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size,
#define DTLS_HANDSHAKE_LAYER_CLIENT_HELLO 1
/* */
int capwap_sanity_check_dtls_clienthello(void* buffer, int buffersize) {
int capwap_crypt_has_dtls_clienthello(void* buffer, int buffersize) {
unsigned char* dtlsdata = (unsigned char*)buffer;
/* Read DTLS packet in RAW mode */

31
src/common/capwap_dtls.h
View File

@ -23,12 +23,14 @@
#define CAPWAP_DTLS_CONTROL_SESSION 0
#define CAPWAP_DTLS_DATA_SESSION 1
#define CAPWAP_COOKIE_SECRET_LENGTH 16
#define CAPWAP_ERROR_AGAIN 0
#define CAPWAP_ERROR_SHUTDOWN -1
#define CAPWAP_ERROR_CLOSE -2
/* */
struct capwap_dtls;
typedef int(*capwap_bio_send)(struct capwap_dtls* dtls, char* buffer, int length, void* param);
/* */
struct capwap_dtls_context {
int type;
@ -36,19 +38,12 @@ struct capwap_dtls_context {
void* sslcontext;
/* Cookie */
unsigned char cookie[CAPWAP_COOKIE_SECRET_LENGTH];
union {
struct {
char* identity;
unsigned char* pskkey;
unsigned int pskkeylength;
} presharedkey;
struct {
char* pwdprivatekey; /* Password for private key */
} cert;
};
};
@ -59,6 +54,12 @@ struct capwap_dtls {
int session;
void* sslsession;
struct capwap_dtls_context* dtlscontext;
/* Send callback */
struct sockaddr_storage peeraddr;
capwap_bio_send send;
void* sendparam;
/* Buffer read */
void* buffer;
@ -82,21 +83,11 @@ struct capwap_dtls_param {
char* filecert;
char* filekey;
char* fileca;
/* Password for private key */
char* pwdprivatekey;
} cert;
};
};
/* */
struct capwap_app_data {
unsigned char* cookie;
};
/* */
typedef int(*capwap_bio_send)(struct capwap_dtls* dtls, char* buffer, int length, void* param);
int capwap_crypt_init();
void capwap_crypt_free();
@ -113,6 +104,6 @@ int capwap_crypt_sendto(struct capwap_dtls* dtls, int sock, void* buffer, int si
int capwap_crypt_sendto_fragmentpacket(struct capwap_dtls* dtls, int sock, struct capwap_list* fragmentlist, struct sockaddr_storage* sendfromaddr, struct sockaddr_storage* sendtoaddr);
int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size, void* plainbuffer, int maxsize);
int capwap_sanity_check_dtls_clienthello(void* buffer, int buffersize);
int capwap_crypt_has_dtls_clienthello(void* buffer, int buffersize);
#endif /* __CAPWAP_DTLS_HEADER__ */

151
src/common/capwap_socket.c
View File

@ -1,14 +1,8 @@
#include "capwap.h"
#include "capwap_socket.h"
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/engine.h>
#include <openssl/conf.h>
/* */
#define OPENSSL_EXDATA_PRIVATE_KEY_PASSWORD 1
#include <cyassl/options.h>
#include <cyassl/ssl.h>
/* */
static int capwap_socket_nonblocking(int sock, int nonblocking) {
@ -60,7 +54,7 @@ int capwap_socket_connect(int sock, struct sockaddr_storage* address, int timeou
fds.events = POLLOUT;
result = poll(&fds, 1, timeout);
if ((result < 0) && (errno != EINTR)) {
if (!result || ((result < 0) && (errno != EINTR))) {
return 0;
} else if (result > 0) {
/* Check connection status */
@ -87,98 +81,57 @@ int capwap_socket_connect(int sock, struct sockaddr_storage* address, int timeou
}
/* */
static int capwap_socket_crypto_checkpasswd(char* buffer, int size, int rwflag, void* userdata) {
if (!userdata) {
return 0;
}
/* */
strncpy(buffer, (char*)userdata, size);
buffer[size - 1] = 0;
return strlen(buffer);
static int capwap_socket_crypto_verifycertificate(int preverify, CYASSL_X509_STORE_CTX* store) {
return preverify;
}
/* */
static int capwap_socket_crypto_verifycertificate(int preverify_ok, X509_STORE_CTX* ctx) {
int err;
X509* err_cert;
char buf[256];
err_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
X509_verify_cert_error_string(err);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
}
return preverify_ok;
}
/* */
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey, char* privatekeypasswd) {
SSL_CTX* context = NULL;
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey) {
CYASSL_CTX* context = NULL;
ASSERT(calist != NULL);
ASSERT(cert != NULL);
ASSERT(privatekey != NULL);
/* Create SSL context */
context = (void*)SSL_CTX_new(SSLv23_client_method());
context = CyaSSL_CTX_new(CyaTLSv1_2_client_method());
if (context) {
char* privkey = NULL;
/* Public certificate */
if (!SSL_CTX_use_certificate_file(context, cert, SSL_FILETYPE_PEM)) {
if (!CyaSSL_CTX_use_certificate_file(context, cert, SSL_FILETYPE_PEM)) {
capwap_logging_debug("Error to load certificate file");
capwap_socket_crypto_freecontext(context);
return NULL;
}
/* Save private key */
if (privatekeypasswd && *privatekeypasswd) {
privkey = capwap_duplicate_string(privatekeypasswd);
SSL_CTX_set_ex_data(context, OPENSSL_EXDATA_PRIVATE_KEY_PASSWORD, (void*)privkey);
}
/* */
SSL_CTX_set_default_passwd_cb(context, capwap_socket_crypto_checkpasswd);
SSL_CTX_set_default_passwd_cb_userdata(context, privkey);
/* Private key */
if (!SSL_CTX_use_PrivateKey_file(context, privatekey, SSL_FILETYPE_PEM)) {
if (!CyaSSL_CTX_use_PrivateKey_file(context, privatekey, SSL_FILETYPE_PEM)) {
capwap_logging_debug("Error to load private key file");
capwap_socket_crypto_freecontext(context);
return NULL;
}
if (!SSL_CTX_check_private_key(context)) {
if (!CyaSSL_CTX_check_private_key(context)) {
capwap_logging_debug("Error to check private key");
capwap_socket_crypto_freecontext(context);
return NULL;
}
/* Certificate Authority */
if (!SSL_CTX_load_verify_locations(context, calist, NULL)) {
if (!CyaSSL_CTX_load_verify_locations(context, calist, NULL)) {
capwap_logging_debug("Error to load ca file");
capwap_socket_crypto_freecontext(context);
return NULL;
}
/* Verify certificate callback */
SSL_CTX_set_verify(context, SSL_VERIFY_PEER, capwap_socket_crypto_verifycertificate);
CyaSSL_CTX_set_verify(context, SSL_VERIFY_PEER, capwap_socket_crypto_verifycertificate);
/* Set only high security cipher list */
if (!SSL_CTX_set_cipher_list(context, "HIGH:!DSS:!aNULL@STRENGTH")) {
if (!CyaSSL_CTX_set_cipher_list(context, "AES256-SHA")) {
capwap_logging_debug("Error to select cipher list");
capwap_socket_crypto_freecontext(context);
return NULL;
}
/* */
SSL_CTX_set_mode(context, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
}
return (void*)context;
@ -186,16 +139,10 @@ void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* private
/* */
void capwap_socket_crypto_freecontext(void* context) {
char* privkey;
SSL_CTX* sslcontext = (SSL_CTX*)context;
CYASSL_CTX* sslcontext = (CYASSL_CTX*)context;
if (sslcontext) {
privkey = (char*)SSL_CTX_get_ex_data(sslcontext, OPENSSL_EXDATA_PRIVATE_KEY_PASSWORD);
if (privkey) {
capwap_free(privkey);
}
SSL_CTX_free(sslcontext);
CyaSSL_CTX_free(sslcontext);
}
}
@ -212,27 +159,29 @@ struct capwap_socket_ssl* capwap_socket_ssl_connect(int sock, void* sslcontext,
sslsock = capwap_alloc(sizeof(struct capwap_socket_ssl));
sslsock->sock = sock;
sslsock->sslcontext = sslcontext;
sslsock->sslsession = (void*)SSL_new((SSL_CTX*)sslcontext);
sslsock->sslsession = (void*)CyaSSL_new((CYASSL_CTX*)sslcontext);
if (!sslsock->sslsession) {
capwap_free(sslsock);
return NULL;
}
/* Set socket to SSL session */
if (!SSL_set_fd((SSL*)sslsock->sslsession, sock)) {
SSL_free((SSL*)sslsock->sslsession);
if (!CyaSSL_set_fd((CYASSL*)sslsock->sslsession, sock)) {
CyaSSL_free((CYASSL*)sslsock->sslsession);
capwap_free(sslsock);
return NULL;
}
/* */
CyaSSL_set_using_nonblock((CYASSL*)sslsock->sslsession, 1);
/* Establish SSL connection */
for (;;) {
ERR_clear_error();
result = SSL_connect((SSL*)sslsock->sslsession);
if (result == 1) {
result = CyaSSL_connect((CYASSL*)sslsock->sslsession);
if (result == SSL_SUCCESS) {
break; /* Connection complete */
} else {
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
int error = CyaSSL_get_error((CYASSL*)sslsock->sslsession, 0);
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
memset(&fds, 0, sizeof(struct pollfd));
fds.fd = sock;
@ -240,12 +189,12 @@ struct capwap_socket_ssl* capwap_socket_ssl_connect(int sock, void* sslcontext,
result = poll(&fds, 1, timeout);
if (((result < 0) && (errno != EINTR)) || ((result > 0) && (fds.events != fds.revents))) {
SSL_free((SSL*)sslsock->sslsession);
CyaSSL_free((CYASSL*)sslsock->sslsession);
capwap_free(sslsock);
return NULL;
}
} else {
SSL_free((SSL*)sslsock->sslsession);
CyaSSL_free((CYASSL*)sslsock->sslsession);
capwap_free(sslsock);
return NULL;
}
@ -258,8 +207,6 @@ struct capwap_socket_ssl* capwap_socket_ssl_connect(int sock, void* sslcontext,
/* */
int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, size_t length, int timeout) {
int result;
struct pollfd fds;
size_t sendlength;
ASSERT(sslsock != NULL);
ASSERT(sslsock->sslsession != NULL);
@ -267,32 +214,12 @@ int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, s
ASSERT(buffer != NULL);
ASSERT(length > 0);
sendlength = 0;
while (sendlength < length) {
size_t leftlength = length - sendlength;
ERR_clear_error();
result = SSL_write((SSL*)sslsock->sslsession, &((char*)buffer)[sendlength], leftlength);
if (result > 0) {
sendlength += result;
} else {
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
memset(&fds, 0, sizeof(struct pollfd));
fds.fd = sslsock->sock;
fds.events = ((error == SSL_ERROR_WANT_READ) ? POLLIN : POLLOUT);
result = poll(&fds, 1, timeout);
if (((result < 0) && (errno != EINTR)) || ((result > 0) && (fds.events != fds.revents))) {
return -1;
}
} else {
return -1;
}
}
result = CyaSSL_write((CYASSL*)sslsock->sslsession, buffer, length);
if (result != length) {
return -1;
}
return sendlength;
return length;
}
/* */
@ -307,12 +234,11 @@ int capwap_socket_crypto_recv(struct capwap_socket_ssl* sslsock, void* buffer, s
ASSERT(length > 0);
for (;;) {
ERR_clear_error();
result = SSL_read((SSL*)sslsock->sslsession, buffer, length);
result = CyaSSL_read((CYASSL*)sslsock->sslsession, buffer, length);
if (result >= 0) {
return result;
} else {
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
int error = CyaSSL_get_error((CYASSL*)sslsock->sslsession, 0);
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
memset(&fds, 0, sizeof(struct pollfd));
fds.fd = sslsock->sock;
@ -342,12 +268,11 @@ void capwap_socket_ssl_shutdown(struct capwap_socket_ssl* sslsock, int timeout)
/* */
for (;;) {
ERR_clear_error();
result = SSL_shutdown((SSL*)sslsock->sslsession);
result = CyaSSL_shutdown((CYASSL*)sslsock->sslsession);
if (result >= 0) {
break; /* Shutdown complete */
} else {
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
int error = CyaSSL_get_error((CYASSL*)sslsock->sslsession, 0);
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
memset(&fds, 0, sizeof(struct pollfd));
fds.fd = sslsock->sock;
@ -369,7 +294,7 @@ void capwap_socket_ssl_close(struct capwap_socket_ssl* sslsock) {
ASSERT(sslsock != NULL);
ASSERT(sslsock->sslsession != NULL);
SSL_free((SSL*)sslsock->sslsession);
CyaSSL_free((CYASSL*)sslsock->sslsession);
sslsock->sslsession = NULL;
}
@ -387,10 +312,6 @@ void capwap_socket_close(int sock) {
capwap_socket_shutdown(sock);
capwap_socket_nonblocking(sock, 0);
close(sock);
/* */
ERR_clear_error();
ERR_remove_state(0);
}
/* */

2
src/common/capwap_socket.h
View File

@ -17,7 +17,7 @@ struct capwap_socket_ssl {
void* sslsession;
};
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey, char* privatekeypasswd);
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey);
void capwap_socket_crypto_freecontext(void* context);
int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, size_t length, int timeout);

12
src/wtp/wtp.c
View File

@ -1018,12 +1018,6 @@ static int wtp_parsing_configuration_1_0(config_t* config) {
}
}
if (config_lookup_string(config, "application.dtls.x509.privatekeypassword", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
dtlsparam.cert.pwdprivatekey = capwap_duplicate_string(configString);
}
}
/* */
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
if (capwap_crypt_createcontext(&g_wtp.dtlscontext, &dtlsparam)) {
@ -1043,10 +1037,6 @@ static int wtp_parsing_configuration_1_0(config_t* config) {
if (dtlsparam.cert.filekey) {
capwap_free(dtlsparam.cert.filekey);
}
if (dtlsparam.cert.pwdprivatekey) {
capwap_free(dtlsparam.cert.pwdprivatekey);
}
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
if (config_lookup_string(config, "application.dtls.presharedkey.identity", &configString) == CONFIG_TRUE) {
if (strlen(configString) > 0) {
@ -1373,7 +1363,7 @@ int main(int argc, char** argv) {
capwap_init_rand();
/* Init crypt */
if (!capwap_crypt_init()) {
if (capwap_crypt_init()) {
result = CAPWAP_CRYPT_ERROR;
capwap_logging_fatal("Error to init crypt engine");
} else {