Removing the OpenSSL library for CyaSSL.
OpenSSL license was not compatible with the GPL license.
This commit is contained in:
parent
e1023a388e
commit
3573dd4251
140
COPYING
140
COPYING
@ -1,6 +1,6 @@
|
|||||||
SmartCAPWAP -- An Open Source CAPWAP WTP / AC
|
SmartCAPWAP -- An Open Source CAPWAP WTP / AC
|
||||||
|
|
||||||
Copyright (C) 2012-2013 Massimo Vellucci <vemax78@gmail.com>
|
Copyright (C) 2012-2014 Massimo Vellucci <vemax78@gmail.com>
|
||||||
|
|
||||||
This distribution contains multiple components, some
|
This distribution contains multiple components, some
|
||||||
of which fall under different licenses. By using SmartCAPWAP
|
of which fall under different licenses. By using SmartCAPWAP
|
||||||
@ -18,137 +18,17 @@ Libconfig license:
|
|||||||
|
|
||||||
Libconfig is Copyright (C) Mark Lindner, and is licensed under the LGPL.
|
Libconfig is Copyright (C) Mark Lindner, and is licensed under the LGPL.
|
||||||
|
|
||||||
Hostapd license:
|
Libxml2 license:
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Hostapd is Copyright (C) Jouni Malinen <j@w1.fi> and contributors,
|
Libxml2 is Copyright (C) Daniel Veillard, and is licensed under the MIT.
|
||||||
and is licensed under the BSD license.
|
|
||||||
|
|
||||||
OpenSSL License:
|
Libjson-c license:
|
||||||
|
------------
|
||||||
|
|
||||||
|
Libjson-c is Copyright (C) Eric Haszlakiewicz, and is licensed under the MIT.
|
||||||
|
|
||||||
|
CyaSSL License:
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
|
CyaSSL is Copyright (C) wolfSSL Inc, and is licensed under the GPL license version 2.
|
||||||
the OpenSSL License and the original SSLeay license apply to the toolkit.
|
|
||||||
See below for the actual license texts. Actually both licenses are BSD-style
|
|
||||||
Open Source licenses. In case of any license issues related to OpenSSL
|
|
||||||
please contact openssl-core@openssl.org.
|
|
||||||
|
|
||||||
/* ====================================================================
|
|
||||||
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
* are met:
|
|
||||||
*
|
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer.
|
|
||||||
*
|
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer in
|
|
||||||
* the documentation and/or other materials provided with the
|
|
||||||
* distribution.
|
|
||||||
*
|
|
||||||
* 3. All advertising materials mentioning features or use of this
|
|
||||||
* software must display the following acknowledgment:
|
|
||||||
* "This product includes software developed by the OpenSSL Project
|
|
||||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
||||||
*
|
|
||||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
||||||
* endorse or promote products derived from this software without
|
|
||||||
* prior written permission. For written permission, please contact
|
|
||||||
* openssl-core@openssl.org.
|
|
||||||
*
|
|
||||||
* 5. Products derived from this software may not be called "OpenSSL"
|
|
||||||
* nor may "OpenSSL" appear in their names without prior written
|
|
||||||
* permission of the OpenSSL Project.
|
|
||||||
*
|
|
||||||
* 6. Redistributions of any form whatsoever must retain the following
|
|
||||||
* acknowledgment:
|
|
||||||
* "This product includes software developed by the OpenSSL Project
|
|
||||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
||||||
*
|
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
||||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
||||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
||||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
||||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
||||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
||||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
* ====================================================================
|
|
||||||
*
|
|
||||||
* This product includes cryptographic software written by Eric Young
|
|
||||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
||||||
* Hudson (tjh@cryptsoft.com).
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
Original SSLeay License
|
|
||||||
-----------------------
|
|
||||||
|
|
||||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* This package is an SSL implementation written
|
|
||||||
* by Eric Young (eay@cryptsoft.com).
|
|
||||||
* The implementation was written so as to conform with Netscapes SSL.
|
|
||||||
*
|
|
||||||
* This library is free for commercial and non-commercial use as long as
|
|
||||||
* the following conditions are aheared to. The following conditions
|
|
||||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
|
||||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
|
||||||
* included with this distribution is covered by the same copyright terms
|
|
||||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
|
||||||
*
|
|
||||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
|
||||||
* the code are not to be removed.
|
|
||||||
* If this package is used in a product, Eric Young should be given attribution
|
|
||||||
* as the author of the parts of the library used.
|
|
||||||
* This can be in the form of a textual message at program startup or
|
|
||||||
* in documentation (online or textual) provided with the package.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
* are met:
|
|
||||||
* 1. Redistributions of source code must retain the copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer.
|
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
|
||||||
* documentation and/or other materials provided with the distribution.
|
|
||||||
* 3. All advertising materials mentioning features or use of this software
|
|
||||||
* must display the following acknowledgement:
|
|
||||||
* "This product includes cryptographic software written by
|
|
||||||
* Eric Young (eay@cryptsoft.com)"
|
|
||||||
* The word 'cryptographic' can be left out if the rouines from the library
|
|
||||||
* being used are not cryptographic related :-).
|
|
||||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
|
||||||
* the apps directory (application code) you must include an acknowledgement:
|
|
||||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
|
||||||
*
|
|
||||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
|
||||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
||||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
||||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
||||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
||||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
||||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
||||||
* SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
* The licence and distribution terms for any publically available version or
|
|
||||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
|
||||||
* copied and put under another distribution licence
|
|
||||||
* [including the GNU Public Licence.]
|
|
||||||
*/
|
|
||||||
|
|
||||||
GNU Public License (GPL)
|
|
||||||
------------------------
|
|
||||||
|
|
||||||
SmartCAWAP, Libconfig distributions are
|
|
||||||
licensed under the GPL version 2 (see COPYRIGHT.GPL).
|
|
||||||
|
9
INSTALL
9
INSTALL
@ -18,14 +18,19 @@ Requirements
|
|||||||
* libjson0-dev
|
* libjson0-dev
|
||||||
* libnl-dev
|
* libnl-dev
|
||||||
* libtool
|
* libtool
|
||||||
* libssl-dev
|
|
||||||
* libxml2-dev
|
* libxml2-dev
|
||||||
|
* cyassl 3.0 or newer
|
||||||
|
|
||||||
Build
|
Build
|
||||||
-----
|
-----
|
||||||
|
|
||||||
Run:
|
CyaSSL:
|
||||||
|
./configure --enable-dtls --enable-psk --prefix=/usr/
|
||||||
|
make
|
||||||
|
make install
|
||||||
|
|
||||||
|
|
||||||
|
SmartCAPWAP:
|
||||||
autoreconf -f -i
|
autoreconf -f -i
|
||||||
./configure
|
./configure
|
||||||
make
|
make
|
||||||
|
@ -27,11 +27,8 @@ AM_CFLAGS = \
|
|||||||
-D_REENTRANT \
|
-D_REENTRANT \
|
||||||
-D_GNU_SOURCE
|
-D_GNU_SOURCE
|
||||||
|
|
||||||
AM_CFLAGS += $(LIBXML2_CFLAGS)
|
AM_CFLAGS += $(LIBXML2_CFLAGS) \
|
||||||
|
$(CYASSL_CFLAGS)
|
||||||
if DTLS_ENABLED
|
|
||||||
AM_CFLAGS += $(SSL_CFLAGS)
|
|
||||||
endif
|
|
||||||
|
|
||||||
INCLUDES = \
|
INCLUDES = \
|
||||||
-I$(top_srcdir)/build \
|
-I$(top_srcdir)/build \
|
||||||
@ -92,8 +89,5 @@ ac_LDADD = \
|
|||||||
$(CONFIG_LIBS) \
|
$(CONFIG_LIBS) \
|
||||||
$(PTHREAD_LIBS) \
|
$(PTHREAD_LIBS) \
|
||||||
$(LIBXML2_LIBS) \
|
$(LIBXML2_LIBS) \
|
||||||
$(LIBJSON_LIBS)
|
$(LIBJSON_LIBS) \
|
||||||
|
$(CYASSL_LIBS)
|
||||||
if DTLS_ENABLED
|
|
||||||
ac_LDADD += $(SSL_LIBS)
|
|
||||||
endif
|
|
||||||
|
@ -27,7 +27,7 @@ AM_CFLAGS = \
|
|||||||
-D_GNU_SOURCE
|
-D_GNU_SOURCE
|
||||||
|
|
||||||
if DTLS_ENABLED
|
if DTLS_ENABLED
|
||||||
AM_CFLAGS += $(SSL_CFLAGS)
|
AM_CFLAGS += $(CYASSL_CFLAGS)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
INCLUDES = \
|
INCLUDES = \
|
||||||
@ -63,7 +63,7 @@ wtp_LDADD = \
|
|||||||
$(CONFIG_LIBS)
|
$(CONFIG_LIBS)
|
||||||
|
|
||||||
if DTLS_ENABLED
|
if DTLS_ENABLED
|
||||||
wtp_LDADD += $(SSL_LIBS)
|
wtp_LDADD += $(CYASSL_LIBS)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
if BUILD_WTP_WIFI_DRIVERS_NL80211
|
if BUILD_WTP_WIFI_DRIVERS_NL80211
|
||||||
|
@ -61,7 +61,6 @@ application: {
|
|||||||
calist = "/etc/capwap/ca.crt";
|
calist = "/etc/capwap/ca.crt";
|
||||||
certificate = "/etc/capwap/ac.crt";
|
certificate = "/etc/capwap/ac.crt";
|
||||||
privatekey = "/etc/capwap/ac.key";
|
privatekey = "/etc/capwap/ac.key";
|
||||||
privatekeypassword = "";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -81,7 +80,7 @@ backend: {
|
|||||||
version = "1.0";
|
version = "1.0";
|
||||||
server: (
|
server: (
|
||||||
{ url = "http://127.0.0.1/csoap.php"; }
|
{ url = "http://127.0.0.1/csoap.php"; }
|
||||||
#{ url = "https://127.0.0.1/csoap.php"; x509: { calist = "/etc/capwap/casoap.crt"; certificate = "/etc/capwap/clientsoap.crt"; privatekey = "/etc/capwap/clientsoap.key"; privatekeypassword = ""; }; }
|
#{ url = "https://127.0.0.1/csoap.php"; x509: { calist = "/etc/capwap/casoap.crt"; certificate = "/etc/capwap/clientsoap.crt"; privatekey = "/etc/capwap/clientsoap.key"; }; }
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
101
conf/ac.crt
101
conf/ac.crt
@ -1,26 +1,26 @@
|
|||||||
Certificate:
|
Certificate:
|
||||||
Data:
|
Data:
|
||||||
Version: 3 (0x2)
|
Version: 3 (0x2)
|
||||||
Serial Number: 2 (0x2)
|
Serial Number: 1 (0x1)
|
||||||
Signature Algorithm: sha1WithRSAEncryption
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
Issuer: C=IT, ST=Italy, L=Rome, O=Capwap CA, CN=CAPWAP_CA/emailAddress=ca@localhost
|
Issuer: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
|
||||||
Validity
|
Validity
|
||||||
Not Before: Apr 11 17:49:25 2009 GMT
|
Not Before: May 15 18:02:09 2014 GMT
|
||||||
Not After : Apr 9 17:49:25 2019 GMT
|
Not After : May 12 18:02:09 2024 GMT
|
||||||
Subject: C=IT, ST=Italy, L=Rome, O=Capwap AC, CN=CAPWAP_AC/emailAddress=ac@localhost
|
Subject: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=ac1/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
|
||||||
Subject Public Key Info:
|
Subject Public Key Info:
|
||||||
Public Key Algorithm: rsaEncryption
|
Public Key Algorithm: rsaEncryption
|
||||||
RSA Public Key: (1024 bit)
|
Public-Key: (1024 bit)
|
||||||
Modulus (1024 bit):
|
Modulus:
|
||||||
00:e2:9f:90:f6:f5:c5:52:23:cc:8d:28:6c:7c:0b:
|
00:c3:98:2b:82:c3:1b:aa:13:8d:16:e4:d6:7f:c0:
|
||||||
4a:ec:0d:50:de:0d:37:0d:de:75:cb:61:d8:58:e3:
|
88:d9:f8:2a:52:46:92:be:c2:3d:91:04:07:7a:fb:
|
||||||
3f:ec:cb:5b:b5:e0:ca:87:93:cf:22:f3:7d:35:cf:
|
c6:d1:3b:cc:8a:a0:c2:cd:25:b8:22:9c:11:c4:d5:
|
||||||
2d:ef:ad:a4:8a:d3:8c:ec:7f:d2:7e:19:cb:11:15:
|
ca:be:23:43:af:76:80:fd:65:bc:38:4b:66:1c:ac:
|
||||||
28:b0:ee:74:33:e2:21:24:70:d0:e4:22:2f:eb:59:
|
05:b1:d2:a4:5b:57:ed:c9:62:e3:67:6e:83:37:c1:
|
||||||
3d:ef:c4:c2:1b:f7:7d:1b:ac:3c:f8:46:c9:0a:f4:
|
cc:38:a7:9b:0b:87:52:da:b1:83:7b:19:4d:99:48:
|
||||||
12:b0:71:11:0d:52:84:d9:a9:76:84:68:33:c6:7c:
|
96:c9:a3:6d:ad:93:8f:62:ee:f1:38:8a:81:99:0e:
|
||||||
54:1a:4c:34:f4:22:ad:fb:4c:7b:2e:ee:1a:fe:b3:
|
27:f6:70:ac:0e:93:06:3b:a4:b9:5c:6c:ed:ab:be:
|
||||||
0d:18:38:16:46:48:9d:7a:b7
|
27:db:52:72:f5:7e:10:36:a5
|
||||||
Exponent: 65537 (0x10001)
|
Exponent: 65537 (0x10001)
|
||||||
X509v3 extensions:
|
X509v3 extensions:
|
||||||
X509v3 Basic Constraints:
|
X509v3 Basic Constraints:
|
||||||
@ -30,44 +30,47 @@ Certificate:
|
|||||||
Netscape Comment:
|
Netscape Comment:
|
||||||
Easy-RSA Generated Server Certificate
|
Easy-RSA Generated Server Certificate
|
||||||
X509v3 Subject Key Identifier:
|
X509v3 Subject Key Identifier:
|
||||||
63:7B:01:7C:B6:2B:DC:D5:E4:BD:A1:AC:D4:BB:E0:6F:A6:07:16:A4
|
C6:FE:48:73:99:7A:9E:24:87:8B:43:F8:13:6F:27:FB:4A:71:4D:22
|
||||||
X509v3 Authority Key Identifier:
|
X509v3 Authority Key Identifier:
|
||||||
keyid:49:62:46:06:E1:E5:D3:3A:08:79:C6:D6:FE:93:A8:D9:AA:75:EB:E4
|
keyid:B8:BE:B2:CB:C6:68:BD:0A:BB:E5:BC:DE:AE:56:FE:25:E6:E4:B3:1C
|
||||||
DirName:/C=IT/ST=Italy/L=Rome/O=Capwap CA/CN=CAPWAP_CA/emailAddress=ca@localhost
|
DirName:/C=IT/ST=IT/L=Rome/O=SmartCAPWAP/OU=SmartCAPWAP/CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
|
||||||
serial:94:59:55:20:58:F6:66:33
|
serial:9A:6A:C6:B2:AA:33:22:C5
|
||||||
|
|
||||||
X509v3 Extended Key Usage:
|
X509v3 Extended Key Usage:
|
||||||
TLS Web Server Authentication
|
TLS Web Server Authentication
|
||||||
X509v3 Key Usage:
|
X509v3 Key Usage:
|
||||||
Digital Signature, Key Encipherment
|
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
|
||||||
Signature Algorithm: sha1WithRSAEncryption
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
0a:be:9e:6c:a1:c6:0c:a6:d3:5e:92:6b:09:21:78:99:f0:83:
|
78:50:cf:ba:f0:b7:98:92:ae:e9:88:ce:10:43:79:22:03:bf:
|
||||||
a1:a4:2f:56:56:55:51:61:f4:04:a5:fe:9a:c4:95:76:01:f3:
|
ad:9f:1b:87:26:00:37:c0:11:21:bd:9e:e9:40:92:1a:0b:50:
|
||||||
72:96:18:e2:96:f9:8d:cf:6d:32:6c:39:9c:92:a2:41:39:e2:
|
a1:de:a5:00:df:8c:4b:5d:6d:09:75:6e:4e:f3:c2:4b:9e:6b:
|
||||||
3f:32:ef:73:75:f0:3e:f4:9c:93:af:31:63:c7:55:2e:8d:de:
|
08:fe:d0:5c:27:98:fe:30:c9:96:a9:b5:2c:dc:ed:0b:c2:2d:
|
||||||
ab:99:59:82:36:54:49:ef:ef:13:a7:26:db:8f:2e:93:0c:a1:
|
3e:aa:b7:fd:54:be:17:5e:2f:35:5a:f1:8f:ae:49:3b:87:d5:
|
||||||
d5:b5:e6:5d:7a:a4:3f:1d:8e:ad:73:c5:32:ba:24:d2:4a:f5:
|
99:8e:04:3a:e6:33:fd:30:4a:70:ac:34:c5:9c:0a:57:c6:ab:
|
||||||
ae:95:18:98:07:80:fc:be:95:45:ce:50:ab:fc:6e:90:7a:8b:
|
26:e7:98:bf:5d:ac:13:4a:6b:8e:e3:af:5e:e6:9b:e2:80:80:
|
||||||
28:5d
|
b9:ce
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIDmTCCAwKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJJVDEO
|
MIIEMjCCA5ugAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCSVQx
|
||||||
MAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdhcCBD
|
CzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtTbWFydENBUFdB
|
||||||
QTESMBAGA1UEAxQJQ0FQV0FQX0NBMRswGQYJKoZIhvcNAQkBFgxjYUBsb2NhbGhv
|
UDEUMBIGA1UECxMLU21hcnRDQVBXQVAxFzAVBgNVBAMTDlNtYXJ0Q0FQV0FQIENB
|
||||||
c3QwHhcNMDkwNDExMTc0OTI1WhcNMTkwNDA5MTc0OTI1WjBxMQswCQYDVQQGEwJJ
|
MRQwEgYDVQQpEwtTbWFydENBUFdBUDEgMB4GCSqGSIb3DQEJARYRdmVtYXg3OEBn
|
||||||
VDEOMAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdh
|
bWFpbC5jb20wHhcNMTQwNTE1MTgwMjA5WhcNMjQwNTEyMTgwMjA5WjCBmzELMAkG
|
||||||
cCBBQzESMBAGA1UEAxQJQ0FQV0FQX0FDMRswGQYJKoZIhvcNAQkBFgxhY0Bsb2Nh
|
A1UEBhMCSVQxCzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtT
|
||||||
bGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOKfkPb1xVIjzI0obHwL
|
bWFydENBUFdBUDEUMBIGA1UECxMLU21hcnRDQVBXQVAxDDAKBgNVBAMTA2FjMTEU
|
||||||
SuwNUN4NNw3edcth2FjjP+zLW7XgyoeTzyLzfTXPLe+tpIrTjOx/0n4ZyxEVKLDu
|
MBIGA1UEKRMLU21hcnRDQVBXQVAxIDAeBgkqhkiG9w0BCQEWEXZlbWF4NzhAZ21h
|
||||||
dDPiISRw0OQiL+tZPe/Ewhv3fRusPPhGyQr0ErBxEQ1ShNmpdoRoM8Z8VBpMNPQi
|
aWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmCuCwxuqE40W5NZ/
|
||||||
rftMey7uGv6zDRg4FkZInXq3AgMBAAGjggE/MIIBOzAJBgNVHRMEAjAAMBEGCWCG
|
wIjZ+CpSRpK+wj2RBAd6+8bRO8yKoMLNJbginBHE1cq+I0OvdoD9Zbw4S2YcrAWx
|
||||||
SAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVk
|
0qRbV+3JYuNnboM3wcw4p5sLh1LasYN7GU2ZSJbJo22tk49i7vE4ioGZDif2cKwO
|
||||||
IFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUY3sBfLYr3NXkvaGs1Lvgb6YH
|
kwY7pLlcbO2rvifbUnL1fhA2pQIDAQABo4IBdzCCAXMwCQYDVR0TBAIwADARBglg
|
||||||
FqQwgaMGA1UdIwSBmzCBmIAUSWJGBuHl0zoIecbW/pOo2ap16+ShdaRzMHExCzAJ
|
hkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRl
|
||||||
BgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTESMBAGA1UE
|
ZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFMb+SHOZep4kh4tD+BNvJ/tK
|
||||||
ChMJQ2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBfQ0ExGzAZBgkqhkiG9w0BCQEW
|
cU0iMIHbBgNVHSMEgdMwgdCAFLi+ssvGaL0Ku+W83q5W/iXm5LMcoYGspIGpMIGm
|
||||||
DGNhQGxvY2FsaG9zdIIJAJRZVSBY9mYzMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsG
|
MQswCQYDVQQGEwJJVDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDASBgNV
|
||||||
A1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOBgQAKvp5socYMptNekmsJIXiZ8IOh
|
BAoTC1NtYXJ0Q0FQV0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UEAxMO
|
||||||
pC9WVlVRYfQEpf6axJV2AfNylhjilvmNz20ybDmckqJBOeI/Mu9zdfA+9JyTrzFj
|
U21hcnRDQVBXQVAgQ0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcN
|
||||||
x1Uujd6rmVmCNlRJ7+8Tpybbjy6TDKHVteZdeqQ/HY6tc8UyuiTSSvWulRiYB4D8
|
AQkBFhF2ZW1heDc4QGdtYWlsLmNvbYIJAJpqxrKqMyLFMBMGA1UdJQQMMAoGCCsG
|
||||||
vpVFzlCr/G6QeosoXQ==
|
AQUFBwMBMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQUFAAOBgQB4UM+68LeYkq7p
|
||||||
|
iM4QQ3kiA7+tnxuHJgA3wBEhvZ7pQJIaC1Ch3qUA34xLXW0JdW5O88JLnmsI/tBc
|
||||||
|
J5j+MMmWqbUs3O0Lwi0+qrf9VL4XXi81WvGPrkk7h9WZjgQ65jP9MEpwrDTFnApX
|
||||||
|
xqsm55i/XawTSmuO469e5pvigIC5zg==
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
31
conf/ac.key
31
conf/ac.key
@ -1,15 +1,16 @@
|
|||||||
-----BEGIN RSA PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
MIICWwIBAAKBgQDin5D29cVSI8yNKGx8C0rsDVDeDTcN3nXLYdhY4z/sy1u14MqH
|
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMOYK4LDG6oTjRbk
|
||||||
k88i8301zy3vraSK04zsf9J+GcsRFSiw7nQz4iEkcNDkIi/rWT3vxMIb930brDz4
|
1n/AiNn4KlJGkr7CPZEEB3r7xtE7zIqgws0luCKcEcTVyr4jQ692gP1lvDhLZhys
|
||||||
RskK9BKwcRENUoTZqXaEaDPGfFQaTDT0Iq37THsu7hr+sw0YOBZGSJ16twIDAQAB
|
BbHSpFtX7cli42dugzfBzDinmwuHUtqxg3sZTZlIlsmjba2Tj2Lu8TiKgZkOJ/Zw
|
||||||
AoGAM0gEV735rsKnEPIqyk8L3yqMOBMpeBv079buS/7wgjbqQ9fgPJm376LFnJ2L
|
rA6TBjukuVxs7au+J9tScvV+EDalAgMBAAECgYBh1N8OjKBttVHAvb08MQVCYQpq
|
||||||
OYdDip6gbwvlp99SUkVFdfQfmwjmBDk1IfEWYiPO4CUrsIUzid2KtueZW5c6Cm0Q
|
FLqZh3Zb7nP/Y6fSR+LLBBXrno43YXDRz02VRPY58UAbfqNiVPRCKxi+FOn3li5l
|
||||||
RMutCQrsZw9s6VpL9bmV0zsm3MYNYfERs0rPOIW9I3YyrEECQQD5t5V4Uj7+gpZO
|
LN9ad1S510MNg652vpKFnCQjpHDrxOQPxQHGc0XNeF4Xo12IhFxh0DbktloC3/Og
|
||||||
Qvb+tYAVb8NcYTPBfdVbZJ8MRrs9tH2Y2AkuE1D+g7S5qq+Ld1tBIcCeKhlG4+ee
|
PXL0UdvMhZ+X0ErQEQJBAOqLxRYeUSB9HeSFcgNejd0wkM7DKoNyFmJ0jwEb46vO
|
||||||
ClH20s3RAkEA6FM8eGKOhZ4nmu4yzwdMJnqY0d4+56805VS5Z+uJJiXvCXKQ+wQr
|
mKJuA4CFbinX6PZfei8nXbZIBN5p3IS0TA7MU/b+erMCQQDVfEsfmEPUYx7M1oec
|
||||||
e/8BLsWRLxXlqijshsWzHID2g8i/rlC6BwJADiHqrqWQ9Rx03zcA/YdOGWh62PaT
|
rT4+AeSO7KzcC83zeVEmEljwP3zvbM8gn7PLsJAU3K0HEh6scocP6UosTI4o6Ohw
|
||||||
VEcH1SVLrwktvZ9CYG0Rj+797XmMt9lGGBGIM5ZybUEarx1k1VfmLZ7ekQJAKPOD
|
ppVHAkEAsjCp9RnnTKWBlmIDsqedY9RHz63amK6ObxJaqt8DYz28HHs0UeoNPeD4
|
||||||
FTVKKgNWt9iE3DlNEvtJNLUYIX6gtEva4paB9ld5axDmvVhe0dyBON1aWhJiCTxt
|
7mSvMS/ZNGkWudr3XCKWPg/iIp5HnQJBAMALdtzuMZ5+qDdmiUn1QrevJjc4S2wL
|
||||||
dNQkXkHdMh2QrAlOwQJAcoEhG5Zl0wATXSCFvbvaJKiH9Ab1IjlCtNI3O/+TgQjN
|
pnJu4QQZny5IPpB3VoCniasjowlRVsm0kClbQYqbt2DQYVYF5wtnn4MCQQCz7Rcj
|
||||||
ZQMA0nO5ZJ3p266M8zh2hgIRdNstv4oilqh/3DnO3g==
|
eEZN1STdLv6K03cWKW8nqk+yLgsDFOZpzhIq5ezk/oEX38+1k/KCqwy+9xlQ/oJJ
|
||||||
-----END RSA PRIVATE KEY-----
|
5lGEUmKCh2XYCBcq
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
39
conf/ca.crt
39
conf/ca.crt
@ -1,20 +1,23 @@
|
|||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIDNzCCAqCgAwIBAgIJAJRZVSBY9mYzMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNV
|
MIID3TCCA0agAwIBAgIJAJpqxrKqMyLFMA0GCSqGSIb3DQEBBQUAMIGmMQswCQYD
|
||||||
BAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTESMBAGA1UEChMJ
|
VQQGEwJJVDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDASBgNVBAoTC1Nt
|
||||||
Q2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBfQ0ExGzAZBgkqhkiG9w0BCQEWDGNh
|
YXJ0Q0FQV0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UEAxMOU21hcnRD
|
||||||
QGxvY2FsaG9zdDAeFw0wOTA0MTExNzQ2MzlaFw0xOTA0MDkxNzQ2MzlaMHExCzAJ
|
QVBXQVAgQ0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcNAQkBFhF2
|
||||||
BgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTESMBAGA1UE
|
ZW1heDc4QGdtYWlsLmNvbTAeFw0xNDA1MTUxODAxNDNaFw0yNDA1MTIxODAxNDNa
|
||||||
ChMJQ2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBfQ0ExGzAZBgkqhkiG9w0BCQEW
|
MIGmMQswCQYDVQQGEwJJVDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDAS
|
||||||
DGNhQGxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw0gvx6qo
|
BgNVBAoTC1NtYXJ0Q0FQV0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UE
|
||||||
B4fd23/dU5yBdj/TKzVM1/kC/bwRRFjNd2FIMpjsJ7drbwhZo5CrOSFyKn8X4Exr
|
AxMOU21hcnRDQVBXQVAgQ0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZI
|
||||||
EdkfMjjNFi6mZVmdFfJO4ex+6qJqc1m52AocUEOkyG/52LOnCTsT91yps97obPUF
|
hvcNAQkBFhF2ZW1heDc4QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
|
||||||
8ezK0m9a5dnuoJ8q7lxbGu7m0PJ0Qgws3dsCAwEAAaOB1jCB0zAdBgNVHQ4EFgQU
|
gYkCgYEA72PBMR4HQ+rA+ifXJdMtUujlUQX1yrtXZ0HMdKbHbAbfoY3Rvyfdwo2i
|
||||||
SWJGBuHl0zoIecbW/pOo2ap16+QwgaMGA1UdIwSBmzCBmIAUSWJGBuHl0zoIecbW
|
TMaZYomyCASawZRzkZJvPchu/q9au/UdLuTmeaUCDpvIkibMK5tahTgP5x90IMGu
|
||||||
/pOo2ap16+ShdaRzMHExCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsG
|
+uzdgZQaPbv+fjYkAmMGkZYYTha8GhH+vNloSb6n8oUh2eGf1kUCAwEAAaOCAQ8w
|
||||||
A1UEBxMEUm9tZTESMBAGA1UEChMJQ2Fwd2FwIENBMRIwEAYDVQQDFAlDQVBXQVBf
|
ggELMB0GA1UdDgQWBBS4vrLLxmi9CrvlvN6uVv4l5uSzHDCB2wYDVR0jBIHTMIHQ
|
||||||
Q0ExGzAZBgkqhkiG9w0BCQEWDGNhQGxvY2FsaG9zdIIJAJRZVSBY9mYzMAwGA1Ud
|
gBS4vrLLxmi9CrvlvN6uVv4l5uSzHKGBrKSBqTCBpjELMAkGA1UEBhMCSVQxCzAJ
|
||||||
EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAsHOGDPcwslke/Ux3bp2tZj4MizTL
|
BgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtTbWFydENBUFdBUDEU
|
||||||
DJqTRbqoiQLOTfUI7KU0GQ2m+ywTwhpiUPhmqqmgtGKXbL9mQB/qcG6HGNzdRc56
|
MBIGA1UECxMLU21hcnRDQVBXQVAxFzAVBgNVBAMTDlNtYXJ0Q0FQV0FQIENBMRQw
|
||||||
4ttc1RVErhmM/LZEFjyHamuOryUY5FmS78XXBGFRkvPAap9OSQU4vXPfehYFCL+p
|
EgYDVQQpEwtTbWFydENBUFdBUDEgMB4GCSqGSIb3DQEJARYRdmVtYXg3OEBnbWFp
|
||||||
/L9CoKunApUqH3g=
|
bC5jb22CCQCaasayqjMixTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
|
||||||
|
ANZuFab2/jLSakpGc0nZjCWAlXm29TCkL1i0yxmpjgbg/tqZrSAb1tuK5IANI7Tz
|
||||||
|
deOObRRxjjRGgSHnFLcKXmJeGjTmIdX7DLALWQALmc0GG+A1T1vHqVKc3YqjmUP3
|
||||||
|
4X/JgFqJnF1KkKmcDLiLBmA8W4+rLPe3kKhNloKQ9G1m
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
@ -70,7 +70,6 @@ application: {
|
|||||||
calist = "/etc/capwap/ca.crt";
|
calist = "/etc/capwap/ca.crt";
|
||||||
certificate = "/etc/capwap/wtp.crt";
|
certificate = "/etc/capwap/wtp.crt";
|
||||||
privatekey = "/etc/capwap/wtp.key";
|
privatekey = "/etc/capwap/wtp.key";
|
||||||
privatekeypassword = "";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
101
conf/wtp.crt
101
conf/wtp.crt
@ -1,70 +1,73 @@
|
|||||||
Certificate:
|
Certificate:
|
||||||
Data:
|
Data:
|
||||||
Version: 3 (0x2)
|
Version: 3 (0x2)
|
||||||
Serial Number: 3 (0x3)
|
Serial Number: 2 (0x2)
|
||||||
Signature Algorithm: sha1WithRSAEncryption
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
Issuer: C=IT, ST=Italy, L=Rome, O=Capwap CA, CN=CAPWAP_CA/emailAddress=ca@localhost
|
Issuer: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
|
||||||
Validity
|
Validity
|
||||||
Not Before: Apr 11 17:50:00 2009 GMT
|
Not Before: May 15 18:02:22 2014 GMT
|
||||||
Not After : Apr 9 17:50:00 2019 GMT
|
Not After : May 12 18:02:22 2024 GMT
|
||||||
Subject: C=IT, ST=Italy, L=Rome, O=Capwap WTP, CN=CAPWAP_WTP/emailAddress=wtp@localhost
|
Subject: C=IT, ST=IT, L=Rome, O=SmartCAPWAP, OU=SmartCAPWAP, CN=wtp1/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
|
||||||
Subject Public Key Info:
|
Subject Public Key Info:
|
||||||
Public Key Algorithm: rsaEncryption
|
Public Key Algorithm: rsaEncryption
|
||||||
RSA Public Key: (1024 bit)
|
Public-Key: (1024 bit)
|
||||||
Modulus (1024 bit):
|
Modulus:
|
||||||
00:d4:78:02:6f:d8:52:3b:ea:7c:13:a9:d4:74:58:
|
00:b2:b1:a5:56:a7:ef:4d:76:76:0c:09:0f:5e:c3:
|
||||||
4c:d9:6d:e9:54:76:ea:6c:74:8a:70:b7:f8:72:9e:
|
4b:cd:9c:80:ae:1b:fa:8a:63:6b:3e:5d:df:18:e5:
|
||||||
71:63:bc:db:6e:43:d8:c6:6b:34:94:e4:28:98:a2:
|
30:25:4a:bf:02:90:a0:1a:db:d9:7b:d3:c0:f2:5b:
|
||||||
5b:16:9e:a8:9e:19:50:61:01:d3:f6:fd:37:e7:8b:
|
82:de:07:bd:4c:43:66:4d:39:6c:fe:88:d5:1a:ac:
|
||||||
be:9e:bf:bc:96:c2:3e:d3:fa:fe:1a:76:42:5c:92:
|
47:d0:4c:2d:e0:05:4d:95:80:b5:61:df:84:03:cb:
|
||||||
76:73:1f:97:94:42:38:93:d0:56:a5:b2:b1:5f:ba:
|
26:f7:b3:77:8c:e5:28:9e:71:5e:4b:01:42:64:64:
|
||||||
90:90:17:f4:88:cb:c6:35:9b:7d:0f:a4:75:6d:d2:
|
d4:1f:8b:e2:c6:12:af:9f:64:de:63:f0:b2:ff:fb:
|
||||||
bb:b2:1d:cf:55:9d:e7:9b:03:35:fe:6f:1b:df:10:
|
0e:82:d8:ba:cf:a9:21:7f:43:4f:c9:19:e0:50:e1:
|
||||||
3d:58:7b:77:1c:e5:ba:a5:75
|
90:ac:ce:d2:ab:dc:87:b9:9f
|
||||||
Exponent: 65537 (0x10001)
|
Exponent: 65537 (0x10001)
|
||||||
X509v3 extensions:
|
X509v3 extensions:
|
||||||
X509v3 Basic Constraints:
|
X509v3 Basic Constraints:
|
||||||
CA:FALSE
|
CA:FALSE
|
||||||
|
X509v3 Key Usage:
|
||||||
|
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
|
||||||
Netscape Comment:
|
Netscape Comment:
|
||||||
Easy-RSA Generated Certificate
|
Easy-RSA Generated Certificate
|
||||||
X509v3 Subject Key Identifier:
|
X509v3 Subject Key Identifier:
|
||||||
53:EB:37:11:23:CC:27:53:89:04:2F:08:C5:05:47:D4:65:23:73:2D
|
5D:1C:43:55:79:96:EC:CD:9F:81:47:7F:23:F2:88:C4:80:EF:7A:C6
|
||||||
X509v3 Authority Key Identifier:
|
X509v3 Authority Key Identifier:
|
||||||
keyid:49:62:46:06:E1:E5:D3:3A:08:79:C6:D6:FE:93:A8:D9:AA:75:EB:E4
|
keyid:B8:BE:B2:CB:C6:68:BD:0A:BB:E5:BC:DE:AE:56:FE:25:E6:E4:B3:1C
|
||||||
DirName:/C=IT/ST=Italy/L=Rome/O=Capwap CA/CN=CAPWAP_CA/emailAddress=ca@localhost
|
DirName:/C=IT/ST=IT/L=Rome/O=SmartCAPWAP/OU=SmartCAPWAP/CN=SmartCAPWAP CA/name=SmartCAPWAP/emailAddress=vemax78@gmail.com
|
||||||
serial:94:59:55:20:58:F6:66:33
|
serial:9A:6A:C6:B2:AA:33:22:C5
|
||||||
|
|
||||||
X509v3 Extended Key Usage:
|
X509v3 Extended Key Usage:
|
||||||
TLS Web Client Authentication
|
TLS Web Client Authentication
|
||||||
X509v3 Key Usage:
|
|
||||||
Digital Signature
|
|
||||||
Signature Algorithm: sha1WithRSAEncryption
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
57:93:d6:43:0b:e6:5f:b7:77:2c:1d:d3:b0:4c:6a:35:62:ec:
|
2e:1b:fb:12:36:08:97:f4:93:2d:5e:5a:94:e0:67:a9:69:9c:
|
||||||
5b:56:e5:f7:34:b9:c7:8d:9f:e7:cb:12:0d:f0:cf:c7:a3:c1:
|
d3:24:8b:51:87:b4:fd:02:cd:29:9c:54:5f:5c:27:4c:02:08:
|
||||||
24:0f:64:f2:a2:ab:f7:80:e8:a5:66:8a:c3:2f:9b:4f:87:d7:
|
6a:64:79:84:a9:dd:df:f4:9d:7d:b7:19:e9:26:a6:01:af:a7:
|
||||||
8e:27:e7:29:73:cc:fc:4c:0d:fb:8f:74:ee:7c:bd:ce:d3:01:
|
b4:00:50:51:9d:64:be:f6:38:6b:1d:04:e7:2d:34:16:26:75:
|
||||||
ee:69:1f:42:56:6f:e1:b3:6c:c3:a1:4d:60:14:06:ba:a7:38:
|
88:01:98:d8:4e:db:3f:a2:f1:9d:d7:9d:cd:8a:07:8a:82:b1:
|
||||||
a0:78:1d:a9:cd:39:90:f2:33:6c:fb:48:cb:6e:80:00:ce:7c:
|
9f:59:be:4c:e1:0f:8e:2f:ea:cc:98:0a:e1:54:6c:f4:00:a9:
|
||||||
50:e2:e7:6f:83:f1:86:be:39:5c:0c:64:1f:01:7c:1b:9f:e6:
|
21:fa:9d:ed:81:4d:c6:1f:cd:20:bb:4a:ed:4d:61:50:be:af:
|
||||||
ea:e2
|
02:f0
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIDgjCCAuugAwIBAgIBAzANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJJVDEO
|
MIIEGTCCA4KgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCSVQx
|
||||||
MAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdhcCBD
|
CzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtTbWFydENBUFdB
|
||||||
QTESMBAGA1UEAxQJQ0FQV0FQX0NBMRswGQYJKoZIhvcNAQkBFgxjYUBsb2NhbGhv
|
UDEUMBIGA1UECxMLU21hcnRDQVBXQVAxFzAVBgNVBAMTDlNtYXJ0Q0FQV0FQIENB
|
||||||
c3QwHhcNMDkwNDExMTc1MDAwWhcNMTkwNDA5MTc1MDAwWjB0MQswCQYDVQQGEwJJ
|
MRQwEgYDVQQpEwtTbWFydENBUFdBUDEgMB4GCSqGSIb3DQEJARYRdmVtYXg3OEBn
|
||||||
VDEOMAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBFJvbWUxEzARBgNVBAoTCkNhcHdh
|
bWFpbC5jb20wHhcNMTQwNTE1MTgwMjIyWhcNMjQwNTEyMTgwMjIyWjCBnDELMAkG
|
||||||
cCBXVFAxEzARBgNVBAMUCkNBUFdBUF9XVFAxHDAaBgkqhkiG9w0BCQEWDXd0cEBs
|
A1UEBhMCSVQxCzAJBgNVBAgTAklUMQ0wCwYDVQQHEwRSb21lMRQwEgYDVQQKEwtT
|
||||||
b2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANR4Am/YUjvqfBOp
|
bWFydENBUFdBUDEUMBIGA1UECxMLU21hcnRDQVBXQVAxDTALBgNVBAMTBHd0cDEx
|
||||||
1HRYTNlt6VR26mx0inC3+HKecWO8225D2MZrNJTkKJiiWxaeqJ4ZUGEB0/b9N+eL
|
FDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcNAQkBFhF2ZW1heDc4QGdt
|
||||||
vp6/vJbCPtP6/hp2QlySdnMfl5RCOJPQVqWysV+6kJAX9IjLxjWbfQ+kdW3Su7Id
|
YWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsrGlVqfvTXZ2DAkP
|
||||||
z1Wd55sDNf5vG98QPVh7dxzluqV1AgMBAAGjggElMIIBITAJBgNVHRMEAjAAMC0G
|
XsNLzZyArhv6imNrPl3fGOUwJUq/ApCgGtvZe9PA8luC3ge9TENmTTls/ojVGqxH
|
||||||
CWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
|
0Ewt4AVNlYC1Yd+EA8sm97N3jOUonnFeSwFCZGTUH4vixhKvn2TeY/Cy//sOgti6
|
||||||
VR0OBBYEFFPrNxEjzCdTiQQvCMUFR9RlI3MtMIGjBgNVHSMEgZswgZiAFEliRgbh
|
z6khf0NPyRngUOGQrM7Sq9yHuZ8CAwEAAaOCAV0wggFZMAkGA1UdEwQCMAAwCwYD
|
||||||
5dM6CHnG1v6TqNmqdevkoXWkczBxMQswCQYDVQQGEwJJVDEOMAwGA1UECBMFSXRh
|
VR0PBAQDAgTwMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2Vy
|
||||||
bHkxDTALBgNVBAcTBFJvbWUxEjAQBgNVBAoTCUNhcHdhcCBDQTESMBAGA1UEAxQJ
|
dGlmaWNhdGUwHQYDVR0OBBYEFF0cQ1V5luzNn4FHfyPyiMSA73rGMIHbBgNVHSME
|
||||||
Q0FQV0FQX0NBMRswGQYJKoZIhvcNAQkBFgxjYUBsb2NhbGhvc3SCCQCUWVUgWPZm
|
gdMwgdCAFLi+ssvGaL0Ku+W83q5W/iXm5LMcoYGspIGpMIGmMQswCQYDVQQGEwJJ
|
||||||
MzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEF
|
VDELMAkGA1UECBMCSVQxDTALBgNVBAcTBFJvbWUxFDASBgNVBAoTC1NtYXJ0Q0FQ
|
||||||
BQADgYEAV5PWQwvmX7d3LB3TsExqNWLsW1bl9zS5x42f58sSDfDPx6PBJA9k8qKr
|
V0FQMRQwEgYDVQQLEwtTbWFydENBUFdBUDEXMBUGA1UEAxMOU21hcnRDQVBXQVAg
|
||||||
94DopWaKwy+bT4fXjifnKXPM/EwN+4907ny9ztMB7mkfQlZv4bNsw6FNYBQGuqc4
|
Q0ExFDASBgNVBCkTC1NtYXJ0Q0FQV0FQMSAwHgYJKoZIhvcNAQkBFhF2ZW1heDc4
|
||||||
oHgdqc05kPIzbPtIy26AAM58UOLnb4Pxhr45XAxkHwF8G5/m6uI=
|
QGdtYWlsLmNvbYIJAJpqxrKqMyLFMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqG
|
||||||
|
SIb3DQEBBQUAA4GBAC4b+xI2CJf0ky1eWpTgZ6lpnNMki1GHtP0CzSmcVF9cJ0wC
|
||||||
|
CGpkeYSp3d/0nX23GekmpgGvp7QAUFGdZL72OGsdBOctNBYmdYgBmNhO2z+i8Z3X
|
||||||
|
nc2KB4qCsZ9ZvkzhD44v6syYCuFUbPQAqSH6ne2BTcYfzSC7Su1NYVC+rwLw
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
31
conf/wtp.key
31
conf/wtp.key
@ -1,15 +1,16 @@
|
|||||||
-----BEGIN RSA PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
MIICXAIBAAKBgQDUeAJv2FI76nwTqdR0WEzZbelUdupsdIpwt/hynnFjvNtuQ9jG
|
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALKxpVan7012dgwJ
|
||||||
azSU5CiYolsWnqieGVBhAdP2/Tfni76ev7yWwj7T+v4adkJcknZzH5eUQjiT0Fal
|
D17DS82cgK4b+opjaz5d3xjlMCVKvwKQoBrb2XvTwPJbgt4HvUxDZk05bP6I1Rqs
|
||||||
srFfupCQF/SIy8Y1m30PpHVt0ruyHc9VneebAzX+bxvfED1Ye3cc5bqldQIDAQAB
|
R9BMLeAFTZWAtWHfhAPLJvezd4zlKJ5xXksBQmRk1B+L4sYSr59k3mPwsv/7DoLY
|
||||||
AoGAAIP2BY1xzaFpAac0079vGEvy9/h94xt5RoK7wJNv1P0dTyws93ZFH2NaUdx6
|
us+pIX9DT8kZ4FDhkKzO0qvch7mfAgMBAAECgYB3oUyChi1EG9GN3ybmFzMRdPwF
|
||||||
+hgScqe/ES0u9XdxzkcBhGMUswvNmofgk9w/ynQhey7g739TXeEh76zMphNVJf0z
|
FAAYU9TBTREF1rHz1WWpLu+w64xfRPWAi1lCkcXeX6UGgDKC+VJJ6BqvzcBLgkjh
|
||||||
pawFFP/FIIgYVf7CdHkQ8cU4LEvTUCxAE5bICHMuOgCiEQECQQDz5/PSc/ZuMOZq
|
GBaWBCN/F782Ss4svt1dyRrixixUw+RfJLakKSdFPsrdIHctdSLIKsSl4wxj+9ek
|
||||||
ngYOCaf3p3CQdeFcFOeU3ldxW8j5eZR2Xdhu5CCeY5ELPq+yW4+J+6KBAVh6Q8Uv
|
NmGbOBm/2ZJazSzgEQJBAN5abmR53pRdGKgfFKeqUo+ygWSi1IDFqn0niw7DS4TU
|
||||||
MwDCSqrBAkEA3wEBMgaJvpEijv6P6Ryc+khazEASDAbvUmrcUD0t14aPrCoAHAUU
|
3h/QuI9qWZQlTIK8ibguvpc7wHUK4IZ0pk7TwmN1H6cCQQDNu+4vw2Xe2CFjEkLI
|
||||||
stCCcn8zV4MqETPr7bO9joh/oh7IpCGrtQJAMYzTydNpIuWoScykqkFn8DYB9jcc
|
X1stba8tsdqP04BGFectrxoeUhLMZtG2Y0ZCx+BjAACXTqfchsSjv+G9Fj/QHJLg
|
||||||
e1p72ZB57zuYTqZWdN2H1K9fuQ29L62if/d956hJUS/2y4/tBTO1WcNVgQJBALQK
|
TxVJAkB8VQjBejvxrhTpfWepUV4VJ/WedkZpMx5gGUpymNWTkwwZsjZhS1CHvEuK
|
||||||
jJuF2cmoRV1rOma6+iW7KstCYw+gvbEtoyeI7SzXb8FQu3vjwj1HyDmGZr4doGX5
|
Fy7TJKBCJJE7YTenN3b/QP3Da2ylAkEAwVzMdR/Vcyj32EGleuYEsCHS78OlhGBo
|
||||||
JF5pwf2ESH9sGRMiOA0CQGKVeegxodjqwNEY8WqJjgROHkI1aJhdHVehAcCLhtGX
|
w3Z6nTlh9vV0raBFooKT2tg5UVMDOzK2GlKgJreF104+E7+HXEN34QJAYF76xuMm
|
||||||
WBcQEK73GJC5Kb4yTg0VEFkIWeGpy0aDnOyTJlNrQKc=
|
bKi3V1bI7/t8hXs87LLHjR90PHNzLdy61lWxMvb8oWe8KjDyaE253h24a6tEPzT1
|
||||||
-----END RSA PRIVATE KEY-----
|
a8lIpqpuuuvTbg==
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
100
configure.ac
100
configure.ac
@ -70,18 +70,6 @@ AC_ARG_ENABLE(
|
|||||||
[enable_wtp="yes"]
|
[enable_wtp="yes"]
|
||||||
)
|
)
|
||||||
|
|
||||||
AC_ARG_WITH(
|
|
||||||
[ssl-library],
|
|
||||||
[AS_HELP_STRING([--with-ssl-library=library], [build with the given crypto library, TYPE=openssl|cyassl @<:@default=openssl@:>@])],
|
|
||||||
[
|
|
||||||
case "${withval}" in
|
|
||||||
openssl|cyassl) ;;
|
|
||||||
*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
|
|
||||||
esac
|
|
||||||
],
|
|
||||||
[with_ssl_library="openssl"]
|
|
||||||
)
|
|
||||||
|
|
||||||
AC_ARG_WITH(
|
AC_ARG_WITH(
|
||||||
[mem-check],
|
[mem-check],
|
||||||
[AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=no|internal|valgrind @<:@default=internal@:>@])],
|
[AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=no|internal|valgrind @<:@default=internal@:>@])],
|
||||||
@ -194,14 +182,13 @@ AC_DEFINE_UNQUOTED([LIBCONFIG_LOOKUP_INT_ARG], [$LIBCONFIG_LOOKUP_INT_ARG], [con
|
|||||||
AC_CHECK_HEADER([pthread.h], [], [AC_MSG_ERROR(You need the pthread headers)])
|
AC_CHECK_HEADER([pthread.h], [], [AC_MSG_ERROR(You need the pthread headers)])
|
||||||
AC_CHECK_LIB([pthread], [pthread_create], [PTHREAD_LIBS="-lpthread"], [AC_MSG_ERROR(You need the pthread library)])
|
AC_CHECK_LIB([pthread], [pthread_create], [PTHREAD_LIBS="-lpthread"], [AC_MSG_ERROR(You need the pthread library)])
|
||||||
|
|
||||||
# Check XML2 library
|
# Check SSL library
|
||||||
PKG_CHECK_MODULES(
|
PKG_CHECK_MODULES([CYASSL], [cyassl >= 3.0.0], [have_cyassl_ssl="yes"], [have_cyassl_ssl="no"])
|
||||||
[LIBXML2],
|
|
||||||
[libxml-2.0 >= 2.6]
|
|
||||||
)
|
|
||||||
|
|
||||||
# Check JSON library
|
# Check JSON library
|
||||||
if test "${enable_ac}" = "yes"; then
|
if test "${enable_ac}" = "yes"; then
|
||||||
|
test "x${have_cyassl_ssl}" != "xyes" && AC_MSG_ERROR(You need the cyassl library)
|
||||||
|
|
||||||
PKG_CHECK_MODULES(
|
PKG_CHECK_MODULES(
|
||||||
[LIBJSON],
|
[LIBJSON],
|
||||||
[json-c >= 0.11],
|
[json-c >= 0.11],
|
||||||
@ -213,6 +200,12 @@ if test "${enable_ac}" = "yes"; then
|
|||||||
[AC_MSG_ERROR(You need the libjson)]
|
[AC_MSG_ERROR(You need the libjson)]
|
||||||
)]
|
)]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Check XML2 library
|
||||||
|
PKG_CHECK_MODULES(
|
||||||
|
[LIBXML2],
|
||||||
|
[libxml-2.0 >= 2.6]
|
||||||
|
)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check nl80211
|
# Check nl80211
|
||||||
@ -235,79 +228,8 @@ if test "${enable_wifi_drivers_nl80211}" = "yes"; then
|
|||||||
fi
|
fi
|
||||||
AM_CONDITIONAL([BUILD_WTP_WIFI_DRIVERS_NL80211], [test "${enable_wifi_drivers_nl80211}" = "yes"])
|
AM_CONDITIONAL([BUILD_WTP_WIFI_DRIVERS_NL80211], [test "${enable_wifi_drivers_nl80211}" = "yes"])
|
||||||
|
|
||||||
# Check SSL library
|
|
||||||
if test "${with_ssl_library}" = "openssl"; then
|
|
||||||
PKG_CHECK_MODULES(
|
|
||||||
[OPENSSL_CRYPTO],
|
|
||||||
[libcrypto >= 1.0.0],
|
|
||||||
[have_openssl_crypto="yes"],
|
|
||||||
[AC_CHECK_LIB(
|
|
||||||
[crypto],
|
|
||||||
[RSA_new],
|
|
||||||
[
|
|
||||||
have_openssl_crypto="yes"
|
|
||||||
OPENSSL_CRYPTO_LIBS="-lcrypto"
|
|
||||||
]
|
|
||||||
)]
|
|
||||||
)
|
|
||||||
|
|
||||||
PKG_CHECK_MODULES(
|
|
||||||
[OPENSSL_SSL],
|
|
||||||
[libssl >= 1.0.0],
|
|
||||||
[have_openssl_ssl="yes"],
|
|
||||||
[AC_CHECK_LIB(
|
|
||||||
[ssl],
|
|
||||||
[SSL_CTX_new],
|
|
||||||
[
|
|
||||||
have_openssl_ssl="yes"
|
|
||||||
OPENSSL_SSL_LIBS="-lssl"
|
|
||||||
]
|
|
||||||
)]
|
|
||||||
)
|
|
||||||
|
|
||||||
if test "x${have_openssl_ssl}" = "xyes"; then
|
|
||||||
have_openssl_engine="yes"
|
|
||||||
OPENSSL_SSL_LIBS="${OPENSSL_SSL_LIBS} -ldl"
|
|
||||||
#saved_CFLAGS="${CFLAGS}"
|
|
||||||
#saved_LIBS="${LIBS}"
|
|
||||||
#CFLAGS="${CFLAGS} ${OPENSSL_SSL_CFLAGS}"
|
|
||||||
#LIBS="${LIBS} ${OPENSSL_SSL_LIBS}"
|
|
||||||
#AC_CHECK_FUNC([SSL_CTX_set_cookie_generate_cb], , [AC_MSG_ERROR([${with_ssl_library} SSL_CTX_set_cookie_generate_cb function is required but missing])])
|
|
||||||
#AC_CHECK_FUNC([SSL_CTX_set_cookie_verify_cb], , [AC_MSG_ERROR([${with_ssl_library} SSL_CTX_set_cookie_verify_cb function is required but missing])])
|
|
||||||
#CFLAGS="${saved_CFLAGS}"
|
|
||||||
#LIBS="${saved_LIBS}"
|
|
||||||
fi
|
|
||||||
elif test "${with_ssl_library}" = "cyassl"; then
|
|
||||||
AC_CHECK_HEADER([cyassl/ssl.h], [], [AC_MSG_ERROR(You need the cyassl headers)])
|
|
||||||
AC_CHECK_HEADER([cyassl/openssl/ssl.h], [], [AC_MSG_ERROR(You need the cyassl opensslextra headers)])
|
|
||||||
AC_CHECK_LIB([cyassl], [CyaSSL_Init], [], [AC_MSG_ERROR(You need the cyassl library)])
|
|
||||||
have_cyassl_engine="yes"
|
|
||||||
have_cyassl_ssl="yes"
|
|
||||||
fi
|
|
||||||
|
|
||||||
case "${with_ssl_library}" in
|
|
||||||
openssl)
|
|
||||||
have_crypto_engine="${have_openssl_engine}"
|
|
||||||
have_crypto_crypto="${have_openssl_crypto}"
|
|
||||||
have_crypto_ssl="${have_openssl_ssl}"
|
|
||||||
SSL_CFLAGS="${OPENSSL_CRYPTO_CFLAGS} ${OPENSSL_SSL_CFLAGS}"
|
|
||||||
SSL_LIBS="${OPENSSL_SSL_LIBS}"
|
|
||||||
test "x${have_crypto_engine}" = "xyes" && AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [Use ssl library])
|
|
||||||
;;
|
|
||||||
cyassl)
|
|
||||||
have_crypto_engine="${have_cyassl_engine}"
|
|
||||||
have_crypto_crypto="${have_cyassl_ssl}"
|
|
||||||
have_crypto_ssl="${have_cyassl_ssl}"
|
|
||||||
SSL_CFLAGS=""
|
|
||||||
SSL_LIBS="-lcyassl"
|
|
||||||
test "x${have_crypto_engine}" = "xyes" && AC_DEFINE([HAVE_CYASSL_ENGINE], [1], [Use ssl library])
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if test "${enable_dtls}" = "yes"; then
|
if test "${enable_dtls}" = "yes"; then
|
||||||
test "x${have_crypto_engine}" != "xyes" && AC_MSG_ERROR([${with_ssl_library} engine is required but missing])
|
test "x${have_cyassl_ssl}" != "xyes" && AC_MSG_ERROR(You need the cyassl library)
|
||||||
test "x${have_crypto_ssl}" != "xyes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])
|
|
||||||
test "x${have_crypto_crypto}" != "xyes" && AC_MSG_ERROR([${with_ssl_library} crypto is required but missing])
|
|
||||||
AC_DEFINE([ENABLE_DTLS], [1], [Enable DTLS])
|
AC_DEFINE([ENABLE_DTLS], [1], [Enable DTLS])
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
26
src/ac/ac.c
26
src/ac/ac.c
@ -447,12 +447,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config_lookup_string(config, "application.dtls.x509.privatekeypassword", &configString) == CONFIG_TRUE) {
|
|
||||||
if (strlen(configString) > 0) {
|
|
||||||
dtlsparam.cert.pwdprivatekey = capwap_duplicate_string(configString);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
|
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
|
||||||
if (capwap_crypt_createcontext(&g_ac.dtlscontext, &dtlsparam)) {
|
if (capwap_crypt_createcontext(&g_ac.dtlscontext, &dtlsparam)) {
|
||||||
g_ac.enabledtls = 1;
|
g_ac.enabledtls = 1;
|
||||||
@ -471,10 +465,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
|
|||||||
if (dtlsparam.cert.filekey) {
|
if (dtlsparam.cert.filekey) {
|
||||||
capwap_free(dtlsparam.cert.filekey);
|
capwap_free(dtlsparam.cert.filekey);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dtlsparam.cert.pwdprivatekey) {
|
|
||||||
capwap_free(dtlsparam.cert.pwdprivatekey);
|
|
||||||
}
|
|
||||||
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
|
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
|
||||||
if (config_lookup_string(config, "application.dtls.presharedkey.hint", &configString) == CONFIG_TRUE) {
|
if (config_lookup_string(config, "application.dtls.presharedkey.hint", &configString) == CONFIG_TRUE) {
|
||||||
if (strlen(configString) > 0) {
|
if (strlen(configString) > 0) {
|
||||||
@ -630,7 +620,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
|
|||||||
char* calist = NULL;
|
char* calist = NULL;
|
||||||
char* certificate = NULL;
|
char* certificate = NULL;
|
||||||
char* privatekey = NULL;
|
char* privatekey = NULL;
|
||||||
char* privatekeypassword = NULL;
|
|
||||||
config_setting_t* configSSL;
|
config_setting_t* configSSL;
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
@ -658,17 +647,11 @@ static int ac_parsing_configuration_1_0(config_t* config) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config_setting_lookup_string(configSSL, "privatekeypassword", &configString) == CONFIG_TRUE) {
|
|
||||||
if (strlen(configString) > 0) {
|
|
||||||
privatekeypassword = capwap_duplicate_string(configString);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
if (calist && certificate && privatekey) {
|
if (calist && certificate && privatekey) {
|
||||||
server->sslcontext = capwap_socket_crypto_createcontext(calist, certificate, privatekey, privatekeypassword);
|
server->sslcontext = capwap_socket_crypto_createcontext(calist, certificate, privatekey);
|
||||||
if (!server->sslcontext) {
|
if (!server->sslcontext) {
|
||||||
capwap_logging_error("Invalid configuration file, invalid backend.server.x509 value");
|
capwap_logging_error("Invalid configuration file, unable to initialize crypto library");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -680,9 +663,6 @@ static int ac_parsing_configuration_1_0(config_t* config) {
|
|||||||
capwap_free(calist);
|
capwap_free(calist);
|
||||||
capwap_free(certificate);
|
capwap_free(certificate);
|
||||||
capwap_free(privatekey);
|
capwap_free(privatekey);
|
||||||
if (privatekeypassword) {
|
|
||||||
capwap_free(privatekeypassword);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Add item */
|
/* Add item */
|
||||||
@ -824,7 +804,7 @@ int main(int argc, char** argv) {
|
|||||||
capwap_init_rand();
|
capwap_init_rand();
|
||||||
|
|
||||||
/* Init crypt */
|
/* Init crypt */
|
||||||
if (!capwap_crypt_init()) {
|
if (capwap_crypt_init()) {
|
||||||
capwap_logging_fatal("Error to init crypt engine");
|
capwap_logging_fatal("Error to init crypt engine");
|
||||||
return CAPWAP_CRYPT_ERROR;
|
return CAPWAP_CRYPT_ERROR;
|
||||||
}
|
}
|
||||||
|
@ -831,7 +831,7 @@ int ac_execute(void) {
|
|||||||
}
|
}
|
||||||
} else if (check == CAPWAP_DTLS_PACKET) {
|
} else if (check == CAPWAP_DTLS_PACKET) {
|
||||||
/* Before create new session check if receive DTLS Client Hello */
|
/* Before create new session check if receive DTLS Client Hello */
|
||||||
if (capwap_sanity_check_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
|
if (capwap_crypt_has_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
|
||||||
struct capwap_socket ctrlsock;
|
struct capwap_socket ctrlsock;
|
||||||
|
|
||||||
/* Retrive socket info */
|
/* Retrive socket info */
|
||||||
@ -868,7 +868,7 @@ int ac_execute(void) {
|
|||||||
if (!plain) {
|
if (!plain) {
|
||||||
if (buffersize <= sizeof(struct capwap_dtls_header)) {
|
if (buffersize <= sizeof(struct capwap_dtls_header)) {
|
||||||
plain = -1;
|
plain = -1;
|
||||||
} else if (!capwap_sanity_check_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
|
} else if (!capwap_crypt_has_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
|
||||||
plain = -1;
|
plain = -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,518 +1,228 @@
|
|||||||
#include "capwap.h"
|
#include "capwap.h"
|
||||||
#include "capwap_dtls.h"
|
#include "capwap_dtls.h"
|
||||||
#include "capwap_protocol.h"
|
#include "capwap_protocol.h"
|
||||||
|
#include <cyassl/options.h>
|
||||||
#include <openssl/ssl.h>
|
#include <cyassl/ssl.h>
|
||||||
#include <openssl/bio.h>
|
#include <cyassl/ctaocrypt/sha.h>
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/engine.h>
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
|
|
||||||
#ifdef CAPWAP_MULTITHREADING_ENABLE
|
|
||||||
#include <pthread.h>
|
|
||||||
|
|
||||||
static pthread_mutex_t* l_mutex_buffer = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define CAPWAP_DTLS_CERT_VERIFY_DEPTH 1
|
|
||||||
#define CAPWAP_DTLS_MTU_SIZE 16384
|
|
||||||
|
|
||||||
#define OPENSSL_EXDATA_APPLICATION 0
|
|
||||||
#define OPENSSL_EXDATA_DTLSCONTEXT 1
|
|
||||||
#define OPENSSL_EXDATA_DTLS 2
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int capwap_bio_method_new(BIO* bio);
|
static const char g_char2hex[] = {
|
||||||
static int capwap_bio_method_free(BIO* bio);
|
0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
|
||||||
static int capwap_bio_method_puts(BIO* bio, const char* str);
|
-1, -1, -1, -1, -1, -1, -1,
|
||||||
static int capwap_bio_method_read(BIO* bio, char* str, int length);
|
10, 11, 12, 13, 14, 15, /* Upper Case A - F */
|
||||||
static int capwap_bio_method_write(BIO* bio, const char* str, int length);
|
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
|
||||||
static long capwap_bio_method_ctrl(BIO* bio, int cmd, long num, void* ptr);
|
10, 11, 12, 13, 14, 15 /* Lower Case a - f */
|
||||||
|
|
||||||
/* OpenSSL BIO methods */
|
|
||||||
static BIO_METHOD bio_methods_memory = {
|
|
||||||
BIO_TYPE_DGRAM,
|
|
||||||
"dtls capwap packet",
|
|
||||||
capwap_bio_method_write,
|
|
||||||
capwap_bio_method_read,
|
|
||||||
capwap_bio_method_puts,
|
|
||||||
NULL,
|
|
||||||
capwap_bio_method_ctrl,
|
|
||||||
capwap_bio_method_new,
|
|
||||||
capwap_bio_method_free,
|
|
||||||
NULL,
|
|
||||||
};
|
|
||||||
|
|
||||||
/* OpenSSL BIO custom data */
|
|
||||||
struct bio_capwap_data {
|
|
||||||
int mtu;
|
|
||||||
struct sockaddr_storage peer;
|
|
||||||
struct capwap_dtls* dtls;
|
|
||||||
capwap_bio_send send;
|
|
||||||
void* param;
|
|
||||||
};
|
};
|
||||||
|
static const int g_char2hex_length = sizeof(g_char2hex) / sizeof(g_char2hex[0]);
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static BIO* capwap_bio_new() {
|
static int capwap_bio_method_recv(CYASSL* ssl, char* buffer, int length, void* context) {
|
||||||
BIO* result;
|
struct capwap_dtls* dtls = (struct capwap_dtls*)context;
|
||||||
|
|
||||||
result = BIO_new(&bio_methods_memory);
|
|
||||||
if (result) {
|
|
||||||
memset(result->ptr, 0, sizeof(struct bio_capwap_data));
|
|
||||||
}
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static int capwap_bio_method_new(BIO* bio) {
|
|
||||||
bio->init = 1;
|
|
||||||
bio->num = 0;
|
|
||||||
bio->flags = 0;
|
|
||||||
bio->ptr = (char*)capwap_alloc(sizeof(struct bio_capwap_data));
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static int capwap_bio_method_free(BIO* bio) {
|
|
||||||
if (bio == NULL) {
|
|
||||||
return 0;
|
|
||||||
} else if (bio->ptr) {
|
|
||||||
capwap_free(bio->ptr);
|
|
||||||
}
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static int capwap_bio_method_puts(BIO* bio, const char* str) {
|
|
||||||
return capwap_bio_method_write(bio, str, strlen(str));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static int capwap_bio_method_read(BIO* bio, char* str, int length) {
|
|
||||||
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
|
|
||||||
struct capwap_dtls_header* dtlspreamble;
|
struct capwap_dtls_header* dtlspreamble;
|
||||||
int size;
|
int size;
|
||||||
|
|
||||||
/* Check read packet */
|
/* Check read packet */
|
||||||
if ((data->dtls->length < sizeof(struct capwap_dtls_header)) || !data->dtls->buffer) {
|
if ((dtls->length < sizeof(struct capwap_dtls_header)) || !dtls->buffer) {
|
||||||
if (!data->dtls->length && !data->dtls->buffer) {
|
if (!dtls->length && !dtls->buffer) {
|
||||||
BIO_set_retry_read(bio); /* Notify empty buffer */
|
return CYASSL_CBIO_ERR_WANT_READ; /* Notify empty buffer */
|
||||||
}
|
}
|
||||||
|
|
||||||
return -1;
|
return CYASSL_CBIO_ERR_GENERAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check DTLS Capwap Preamble */
|
/* Check DTLS Capwap Preamble */
|
||||||
dtlspreamble = (struct capwap_dtls_header*)data->dtls->buffer;
|
dtlspreamble = (struct capwap_dtls_header*)dtls->buffer;
|
||||||
if ((dtlspreamble->preamble.version != CAPWAP_PROTOCOL_VERSION) || (dtlspreamble->preamble.type != CAPWAP_PREAMBLE_DTLS_HEADER)) {
|
if ((dtlspreamble->preamble.version != CAPWAP_PROTOCOL_VERSION) || (dtlspreamble->preamble.type != CAPWAP_PREAMBLE_DTLS_HEADER)) {
|
||||||
capwap_logging_debug("Wrong DTLS Capwap Preamble");
|
capwap_logging_debug("Wrong DTLS Capwap Preamble");
|
||||||
return -1; /* Wrong DTLS Capwap Preamble */
|
return CYASSL_CBIO_ERR_GENERAL; /* Wrong DTLS Capwap Preamble */
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
size = data->dtls->length - sizeof(struct capwap_dtls_header);
|
size = dtls->length - sizeof(struct capwap_dtls_header);
|
||||||
data->dtls->length = 0;
|
dtls->length = 0;
|
||||||
|
|
||||||
data->dtls->buffer += sizeof(struct capwap_dtls_header);
|
dtls->buffer += sizeof(struct capwap_dtls_header);
|
||||||
if (size > length) {
|
if (size > length) {
|
||||||
data->dtls->buffer = NULL;
|
dtls->buffer = NULL;
|
||||||
return -1;
|
return CYASSL_CBIO_ERR_GENERAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Copy DTLS packet */
|
/* Copy DTLS packet */
|
||||||
memcpy(str, data->dtls->buffer, size);
|
memcpy(buffer, dtls->buffer, size);
|
||||||
data->dtls->buffer = NULL;
|
dtls->buffer = NULL;
|
||||||
|
|
||||||
return size;
|
return size;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int capwap_bio_method_write(BIO* bio, const char* str, int length) {
|
static int capwap_bio_method_send(CYASSL* ssl, char* buffer, int length, void* context) {
|
||||||
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
|
char data[CAPWAP_MAX_PACKET_SIZE];
|
||||||
char buffer[CAPWAP_MAX_PACKET_SIZE];
|
struct capwap_dtls* dtls = (struct capwap_dtls*)context;
|
||||||
struct capwap_dtls_header* dtlspreamble = (struct capwap_dtls_header*)&buffer[0];
|
struct capwap_dtls_header* dtlspreamble = (struct capwap_dtls_header*)data;
|
||||||
|
|
||||||
/* Check for maxium size of packet */
|
/* Check for maxium size of packet */
|
||||||
if (length > (CAPWAP_MAX_PACKET_SIZE - sizeof(struct capwap_dtls_header))) {
|
if (length > (CAPWAP_MAX_PACKET_SIZE - sizeof(struct capwap_dtls_header))) {
|
||||||
return -1;
|
return CYASSL_CBIO_ERR_GENERAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Create DTLS Capwap Preamble */
|
/* Create DTLS Capwap Preamble */
|
||||||
dtlspreamble->preamble.version = CAPWAP_PROTOCOL_VERSION;
|
dtlspreamble->preamble.version = CAPWAP_PROTOCOL_VERSION;
|
||||||
dtlspreamble->preamble.type = CAPWAP_PREAMBLE_DTLS_HEADER;
|
dtlspreamble->preamble.type = CAPWAP_PREAMBLE_DTLS_HEADER;
|
||||||
dtlspreamble->reserved1 = dtlspreamble->reserved2 = dtlspreamble->reserved3 = 0;
|
dtlspreamble->reserved1 = dtlspreamble->reserved2 = dtlspreamble->reserved3 = 0;
|
||||||
memcpy(&buffer[0] + sizeof(struct capwap_dtls_header), str, length);
|
memcpy(&data[0] + sizeof(struct capwap_dtls_header), buffer, length);
|
||||||
|
|
||||||
/* Send packet */
|
/* Send packet */
|
||||||
if (!data->send(data->dtls, buffer, length + sizeof(struct capwap_dtls_header), data->param)) {
|
if (!dtls->send(dtls, data, length + sizeof(struct capwap_dtls_header), dtls->sendparam)) {
|
||||||
return -1;
|
return CYASSL_CBIO_ERR_GENERAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Don't return size of DTLS Capwap Preamble */
|
/* Don't return size of DTLS Capwap Preamble */
|
||||||
return length;
|
return length;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
|
||||||
static long capwap_bio_method_ctrl(BIO* bio, int cmd, long num, void* ptr) {
|
|
||||||
long result = 1;
|
|
||||||
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
|
|
||||||
|
|
||||||
switch (cmd) {
|
|
||||||
case BIO_CTRL_RESET: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_EOF: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_INFO: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_GET_CLOSE: {
|
|
||||||
result = bio->shutdown;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_SET_CLOSE: {
|
|
||||||
bio->shutdown = (int)num;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_WPENDING:
|
|
||||||
case BIO_CTRL_PENDING: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DUP:
|
|
||||||
case BIO_CTRL_FLUSH: {
|
|
||||||
result = 1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_PUSH: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_POP: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DGRAM_QUERY_MTU: {
|
|
||||||
data->mtu = CAPWAP_DTLS_MTU_SIZE;
|
|
||||||
result = data->mtu;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DGRAM_GET_MTU: {
|
|
||||||
result = data->mtu;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DGRAM_SET_MTU: {
|
|
||||||
data->mtu = (int)num;
|
|
||||||
result = data->mtu;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DGRAM_SET_PEER: {
|
|
||||||
memcpy(&data->peer, ptr, sizeof(struct sockaddr_storage));
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DGRAM_GET_PEER: {
|
|
||||||
memcpy(ptr, &data->peer, sizeof(struct sockaddr_storage));
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
default: {
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CAPWAP_MULTITHREADING_ENABLE
|
|
||||||
/* */
|
|
||||||
unsigned long capwap_openssl_idcallback(void) {
|
|
||||||
return (unsigned long)pthread_self();
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
void capwap_openssl_lockingcallback(int mode, int n, const char* file, int line) {
|
|
||||||
ASSERT(l_mutex_buffer != NULL);
|
|
||||||
|
|
||||||
if (mode & CRYPTO_LOCK) {
|
|
||||||
pthread_mutex_lock(&l_mutex_buffer[n]);
|
|
||||||
} else {
|
|
||||||
pthread_mutex_unlock(&l_mutex_buffer[n]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
int capwap_crypt_init() {
|
int capwap_crypt_init() {
|
||||||
#ifdef CAPWAP_MULTITHREADING_ENABLE
|
int result;
|
||||||
int i;
|
|
||||||
int numlocks;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
SSL_load_error_strings();
|
/* Init library */
|
||||||
SSL_library_init();
|
result = CyaSSL_Init();
|
||||||
OpenSSL_add_all_algorithms();
|
if (result != SSL_SUCCESS) {
|
||||||
|
return -1;
|
||||||
#ifdef CAPWAP_MULTITHREADING_ENABLE
|
|
||||||
/* Configure OpenSSL thread-safe */
|
|
||||||
numlocks = CRYPTO_num_locks();
|
|
||||||
l_mutex_buffer = (pthread_mutex_t*)capwap_alloc(numlocks * sizeof(pthread_mutex_t));
|
|
||||||
for (i = 0; i < numlocks; i++) {
|
|
||||||
pthread_mutex_init(&l_mutex_buffer[i], NULL);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* OpenSSL thread-safe callbacks */
|
return 0;
|
||||||
CRYPTO_set_id_callback(capwap_openssl_idcallback);
|
|
||||||
CRYPTO_set_locking_callback(capwap_openssl_lockingcallback);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
void capwap_crypt_free() {
|
void capwap_crypt_free() {
|
||||||
/* Clear error queue */
|
CyaSSL_Cleanup();
|
||||||
ERR_clear_error();
|
|
||||||
ERR_remove_state(0);
|
|
||||||
ERR_remove_thread_state(NULL);
|
|
||||||
|
|
||||||
/* */
|
|
||||||
#ifdef CAPWAP_MULTITHREADING_ENABLE
|
|
||||||
int i;
|
|
||||||
int numlocks;
|
|
||||||
|
|
||||||
ASSERT(l_mutex_buffer != NULL);
|
|
||||||
|
|
||||||
/* */
|
|
||||||
CRYPTO_set_id_callback(NULL);
|
|
||||||
CRYPTO_set_locking_callback(NULL);
|
|
||||||
|
|
||||||
/* */
|
|
||||||
numlocks = CRYPTO_num_locks();
|
|
||||||
for (i = 0; i < numlocks; i++) {
|
|
||||||
pthread_mutex_destroy(&l_mutex_buffer[i]);
|
|
||||||
}
|
|
||||||
|
|
||||||
capwap_free(l_mutex_buffer);
|
|
||||||
l_mutex_buffer = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* */
|
|
||||||
ERR_free_strings();
|
|
||||||
RAND_cleanup();
|
|
||||||
ENGINE_cleanup();
|
|
||||||
EVP_cleanup();
|
|
||||||
OBJ_cleanup();
|
|
||||||
CONF_modules_finish();
|
|
||||||
CONF_modules_free();
|
|
||||||
CONF_modules_unload(1);
|
|
||||||
CRYPTO_cleanup_all_ex_data();
|
|
||||||
sk_SSL_COMP_free (SSL_COMP_get_compression_methods());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int check_passwd(char* buffer, int size, int rwflag, void* userdata) {
|
static int capwap_crypt_verifycertificate(int preverify_ok, CYASSL_X509_STORE_CTX* ctx) {
|
||||||
int length;
|
|
||||||
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)userdata;
|
|
||||||
|
|
||||||
ASSERT(dtlscontext != NULL);
|
|
||||||
ASSERT(dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE);
|
|
||||||
ASSERT(dtlscontext->cert.pwdprivatekey != NULL);
|
|
||||||
|
|
||||||
length = strlen(dtlscontext->cert.pwdprivatekey);
|
|
||||||
if (!buffer || (size < (length + 1))) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
strcpy(buffer, dtlscontext->cert.pwdprivatekey);
|
|
||||||
return length;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static int verify_certificate(int preverify_ok, X509_STORE_CTX* ctx) {
|
|
||||||
int err;
|
|
||||||
int depth;
|
|
||||||
X509* err_cert;
|
|
||||||
char buf[256];
|
|
||||||
|
|
||||||
err_cert = X509_STORE_CTX_get_current_cert(ctx);
|
|
||||||
err = X509_STORE_CTX_get_error(ctx);
|
|
||||||
X509_verify_cert_error_string(err);
|
|
||||||
|
|
||||||
depth = X509_STORE_CTX_get_error_depth(ctx);
|
|
||||||
|
|
||||||
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
|
|
||||||
|
|
||||||
if (depth > CAPWAP_DTLS_CERT_VERIFY_DEPTH) {
|
|
||||||
preverify_ok = 0;
|
|
||||||
err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
|
|
||||||
X509_STORE_CTX_set_error(ctx, err);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
|
|
||||||
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
|
|
||||||
}
|
|
||||||
|
|
||||||
return preverify_ok;
|
return preverify_ok;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int create_cookie(SSL* ssl, unsigned char* cookie, unsigned int* cookie_len) {
|
/* */
|
||||||
int length;
|
static unsigned int capwap_crypt_psk_client(CYASSL* ssl, const char* hint, char* identity, unsigned int max_identity_len, unsigned char* psk, unsigned int max_psk_len) {
|
||||||
unsigned char* buffer;
|
struct capwap_dtls* dtls = (struct capwap_dtls*)CyaSSL_GetIOReadCtx(ssl);
|
||||||
struct sockaddr_storage peer;
|
|
||||||
struct capwap_app_data* appdata;
|
ASSERT(dtls != NULL);
|
||||||
|
ASSERT(dtls->dtlscontext != NULL);
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
appdata = (struct capwap_app_data*)SSL_get_app_data(ssl);
|
if ((max_identity_len < strlen(dtls->dtlscontext->presharedkey.identity)) || (max_psk_len < dtls->dtlscontext->presharedkey.pskkeylength)) {
|
||||||
if (!appdata) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Read peer information */
|
|
||||||
if (BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer) < 0) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Create buffer with peer's address and port */
|
|
||||||
if (peer.ss_family == AF_INET) {
|
|
||||||
length = sizeof(struct in_addr) + sizeof(in_port_t);
|
|
||||||
} else if (peer.ss_family == AF_INET6) {
|
|
||||||
length = sizeof(struct in6_addr) + sizeof(in_port_t);
|
|
||||||
} else {
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
buffer = capwap_alloc(length);
|
strcpy(identity, dtls->dtlscontext->presharedkey.identity);
|
||||||
if (peer.ss_family == AF_INET) {
|
memcpy(psk, dtls->dtlscontext->presharedkey.pskkey, dtls->dtlscontext->presharedkey.pskkeylength);
|
||||||
struct sockaddr_in* peeripv4 = (struct sockaddr_in*)&peer;
|
return dtls->dtlscontext->presharedkey.pskkeylength;
|
||||||
|
|
||||||
memcpy(buffer, &peeripv4->sin_port, sizeof(in_port_t));
|
|
||||||
memcpy(buffer + sizeof(in_port_t), &peeripv4->sin_addr, sizeof(struct in_addr));
|
|
||||||
} else if (peer.ss_family == AF_INET6) {
|
|
||||||
struct sockaddr_in6* peeripv6 = (struct sockaddr_in6*)&peer;
|
|
||||||
|
|
||||||
memcpy(buffer, &peeripv6->sin6_port, sizeof(in_port_t));
|
|
||||||
memcpy(buffer + sizeof(in_port_t), &peeripv6->sin6_addr, sizeof(struct in6_addr));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Calculate HMAC of buffer using the secret */
|
|
||||||
HMAC(EVP_sha1(), appdata->cookie, CAPWAP_COOKIE_SECRET_LENGTH, buffer, length, cookie, cookie_len);
|
|
||||||
capwap_free(buffer);
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int generate_cookie(SSL* ssl, unsigned char* cookie, unsigned int* cookie_len) {
|
static unsigned int capwap_crypt_psk_server(CYASSL* ssl, const char* identity, unsigned char* psk, unsigned int max_psk_len) {
|
||||||
unsigned int resultlength;
|
struct capwap_dtls* dtls = (struct capwap_dtls*)CyaSSL_GetIOReadCtx(ssl);
|
||||||
unsigned char result[EVP_MAX_MD_SIZE];
|
|
||||||
|
|
||||||
if (!create_cookie(ssl, &result[0], &resultlength)) {
|
ASSERT(dtls != NULL);
|
||||||
return 0;
|
ASSERT(dtls->dtlscontext != NULL);
|
||||||
}
|
|
||||||
|
|
||||||
/* Cookie generated */
|
|
||||||
memcpy(cookie, result, resultlength);
|
|
||||||
*cookie_len = resultlength;
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static int verify_cookie(SSL* ssl, unsigned char* cookie, unsigned int cookie_len) {
|
|
||||||
unsigned int resultlength;
|
|
||||||
unsigned char result[EVP_MAX_MD_SIZE];
|
|
||||||
|
|
||||||
if (!create_cookie(ssl, &result[0], &resultlength)) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check cookie */
|
|
||||||
if ((cookie_len != resultlength) || (memcmp(result, cookie, resultlength) != 0)) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static unsigned int capwap_crypt_psk_client(SSL* ssl, const char* hint, char* identity, unsigned int max_identity_len, unsigned char* psk, unsigned int max_psk_len) {
|
|
||||||
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)SSL_get_ex_data(ssl, OPENSSL_EXDATA_DTLSCONTEXT);
|
|
||||||
|
|
||||||
ASSERT(dtlscontext != NULL);
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
if ((max_identity_len < strlen(dtlscontext->presharedkey.identity)) || (max_psk_len < dtlscontext->presharedkey.pskkeylength)) {
|
if (strcmp(identity, dtls->dtlscontext->presharedkey.identity) || (max_psk_len < dtls->dtlscontext->presharedkey.pskkeylength)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
strcpy(identity, dtlscontext->presharedkey.identity);
|
memcpy(psk, dtls->dtlscontext->presharedkey.pskkey, dtls->dtlscontext->presharedkey.pskkeylength);
|
||||||
memcpy(psk, dtlscontext->presharedkey.pskkey, dtlscontext->presharedkey.pskkeylength);
|
return dtls->dtlscontext->presharedkey.pskkeylength;
|
||||||
return dtlscontext->presharedkey.pskkeylength;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
static unsigned int capwap_crypt_psk_server(SSL* ssl, const char* identity, unsigned char* psk, unsigned int max_psk_len) {
|
|
||||||
struct capwap_dtls_context* dtlscontext = (struct capwap_dtls_context*)SSL_get_ex_data(ssl, OPENSSL_EXDATA_DTLSCONTEXT);
|
|
||||||
|
|
||||||
ASSERT(dtlscontext != NULL);
|
|
||||||
|
|
||||||
/* */
|
|
||||||
if (strcmp(identity, dtlscontext->presharedkey.identity) || (max_psk_len < dtlscontext->presharedkey.pskkeylength)) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
memcpy(psk, dtlscontext->presharedkey.pskkey, dtlscontext->presharedkey.pskkeylength);
|
|
||||||
return dtlscontext->presharedkey.pskkeylength;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static unsigned int capwap_crypt_psk_to_bin(char* pskkey, unsigned char** pskbin) {
|
static unsigned int capwap_crypt_psk_to_bin(char* pskkey, unsigned char** pskbin) {
|
||||||
|
int i, j;
|
||||||
int length;
|
int length;
|
||||||
BIGNUM* bn = NULL;
|
int result;
|
||||||
|
unsigned char* buffer;
|
||||||
/* */
|
|
||||||
if (!BN_hex2bn(&bn, pskkey)) {
|
|
||||||
if (bn) {
|
|
||||||
BN_free(bn);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
/* Convert string to hex */
|
||||||
|
length = strlen(pskkey);
|
||||||
|
if (!length || (length % 2)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Convert into binary */
|
/* */
|
||||||
*pskbin = (unsigned char*)capwap_alloc(BN_num_bytes(bn));
|
result = length / 2;
|
||||||
length = BN_bn2bin(bn, *pskbin);
|
buffer = (unsigned char*)capwap_alloc(result);
|
||||||
BN_free(bn);
|
for (i = 0, j = 0; i < length; i += 2, j++) {
|
||||||
|
char valuehi = pskkey[i] - 48;
|
||||||
|
char valuelo = pskkey[i + 1] - 48;
|
||||||
|
|
||||||
return length;
|
/* Check value */
|
||||||
|
if ((valuehi < 0) || (valuehi >= g_char2hex_length) || (valuelo < 0) || (valuelo >= g_char2hex_length)) {
|
||||||
|
capwap_free(buffer);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
valuehi = g_char2hex[(int)valuehi];
|
||||||
|
valuelo = g_char2hex[(int)valuelo];
|
||||||
|
|
||||||
|
/* Check value */
|
||||||
|
if ((valuehi < 0) || (valuelo < 0)) {
|
||||||
|
capwap_free(buffer);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
buffer[j] = (unsigned char)(((unsigned char)valuehi << 4) | (unsigned char)valuelo);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
*pskbin = buffer;
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
static int capwap_crypt_createcookie(CYASSL* ssl, unsigned char* buffer, int size, void* context) {
|
||||||
|
int length;
|
||||||
|
unsigned char temp[32];
|
||||||
|
Sha sha;
|
||||||
|
byte digest[SHA_DIGEST_SIZE];
|
||||||
|
struct capwap_dtls* dtls = (struct capwap_dtls*)context;
|
||||||
|
|
||||||
|
if (size != SHA_DIGEST_SIZE) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Create buffer with peer's address and port */
|
||||||
|
if (dtls->peeraddr.ss_family == AF_INET) {
|
||||||
|
struct sockaddr_in* peeripv4 = (struct sockaddr_in*)&dtls->peeraddr;
|
||||||
|
|
||||||
|
length = sizeof(struct in_addr) + sizeof(in_port_t);
|
||||||
|
memcpy(temp, &peeripv4->sin_port, sizeof(in_port_t));
|
||||||
|
memcpy(temp + sizeof(in_port_t), &peeripv4->sin_addr, sizeof(struct in_addr));
|
||||||
|
} else if (dtls->peeraddr.ss_family == AF_INET6) {
|
||||||
|
struct sockaddr_in6* peeripv6 = (struct sockaddr_in6*)&dtls->peeraddr;
|
||||||
|
|
||||||
|
length = sizeof(struct in6_addr) + sizeof(in_port_t);
|
||||||
|
memcpy(temp, &peeripv6->sin6_port, sizeof(in_port_t));
|
||||||
|
memcpy(temp + sizeof(in_port_t), &peeripv6->sin6_addr, sizeof(struct in6_addr));
|
||||||
|
} else {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
if (InitSha(&sha)) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
ShaUpdate(&sha, temp, length);
|
||||||
|
ShaFinal(&sha, digest);
|
||||||
|
|
||||||
|
/* */
|
||||||
|
memcpy(buffer, digest, SHA_DIGEST_SIZE);
|
||||||
|
return SHA_DIGEST_SIZE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
@ -525,12 +235,18 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
dtlscontext->mode = param->mode;
|
dtlscontext->mode = param->mode;
|
||||||
|
|
||||||
/* Alloc context */
|
/* Alloc context */
|
||||||
dtlscontext->sslcontext = (void*)SSL_CTX_new(((param->type == CAPWAP_DTLS_SERVER) ? DTLSv1_server_method() : DTLSv1_client_method()));
|
dtlscontext->sslcontext = (void*)CyaSSL_CTX_new(((param->type == CAPWAP_DTLS_SERVER) ? CyaDTLSv1_server_method() : CyaDTLSv1_client_method()));
|
||||||
if (!dtlscontext->sslcontext) {
|
if (!dtlscontext->sslcontext) {
|
||||||
capwap_logging_debug("Error to initialize dtls context");
|
capwap_logging_debug("Error to initialize dtls context");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Set context IO */
|
||||||
|
CyaSSL_SetIORecv((CYASSL_CTX*)dtlscontext->sslcontext, capwap_bio_method_recv);
|
||||||
|
CyaSSL_SetIOSend((CYASSL_CTX*)dtlscontext->sslcontext, capwap_bio_method_send);
|
||||||
|
CyaSSL_CTX_SetGenCookie((CYASSL_CTX*)dtlscontext->sslcontext, capwap_crypt_createcookie);
|
||||||
|
|
||||||
|
/* */
|
||||||
if (dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE) {
|
if (dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE) {
|
||||||
/* Check context */
|
/* Check context */
|
||||||
if (!param->cert.filecert || !strlen(param->cert.filecert)) {
|
if (!param->cert.filecert || !strlen(param->cert.filecert)) {
|
||||||
@ -548,45 +264,34 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Public certificate */
|
/* Public certificate */
|
||||||
if (!SSL_CTX_use_certificate_file((SSL_CTX*)dtlscontext->sslcontext, param->cert.filecert, SSL_FILETYPE_PEM)) {
|
if (!CyaSSL_CTX_use_certificate_file((CYASSL_CTX*)dtlscontext->sslcontext, param->cert.filecert, SSL_FILETYPE_PEM)) {
|
||||||
capwap_logging_debug("Error to load certificate file");
|
capwap_logging_debug("Error to load certificate file");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Passwork decrypt privatekey */
|
|
||||||
dtlscontext->cert.pwdprivatekey = capwap_duplicate_string((param->cert.pwdprivatekey ? param->cert.pwdprivatekey : ""));
|
|
||||||
|
|
||||||
SSL_CTX_set_default_passwd_cb((SSL_CTX*)dtlscontext->sslcontext, check_passwd);
|
|
||||||
SSL_CTX_set_default_passwd_cb_userdata((SSL_CTX*)dtlscontext->sslcontext, dtlscontext);
|
|
||||||
|
|
||||||
/* Private key */
|
/* Private key */
|
||||||
if (!SSL_CTX_use_PrivateKey_file((SSL_CTX*)dtlscontext->sslcontext, param->cert.filekey, SSL_FILETYPE_PEM)) {
|
if (!CyaSSL_CTX_use_PrivateKey_file((CYASSL_CTX*)dtlscontext->sslcontext, param->cert.filekey, SSL_FILETYPE_PEM)) {
|
||||||
capwap_logging_debug("Error to load private key file");
|
capwap_logging_debug("Error to load private key file");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!SSL_CTX_check_private_key((SSL_CTX*)dtlscontext->sslcontext)) {
|
if (!CyaSSL_CTX_check_private_key((CYASSL_CTX*)dtlscontext->sslcontext)) {
|
||||||
capwap_logging_debug("Error to check private key");
|
capwap_logging_debug("Error to check private key");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Certificate Authority */
|
/* Certificate Authority */
|
||||||
if (!SSL_CTX_load_verify_locations((SSL_CTX*)dtlscontext->sslcontext, param->cert.fileca, NULL)) {
|
if (!CyaSSL_CTX_load_verify_locations((CYASSL_CTX*)dtlscontext->sslcontext, param->cert.fileca, NULL)) {
|
||||||
capwap_logging_debug("Error to load ca file");
|
capwap_logging_debug("Error to load ca file");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*if (!SSL_CTX_set_default_verify_paths((SSL_CTX*)dtlscontext->sslcontext)) {
|
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
|
||||||
return 0;
|
|
||||||
}*/
|
|
||||||
|
|
||||||
/* Verify certificate callback */
|
/* Verify certificate callback */
|
||||||
SSL_CTX_set_verify((SSL_CTX*)dtlscontext->sslcontext, ((param->type == CAPWAP_DTLS_SERVER) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_PEER), verify_certificate);
|
CyaSSL_CTX_set_verify((CYASSL_CTX*)dtlscontext->sslcontext, ((param->type == CAPWAP_DTLS_SERVER) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_PEER), capwap_crypt_verifycertificate);
|
||||||
|
|
||||||
/* Cipher list:
|
/* Cipher list:
|
||||||
TLS_RSA_WITH_AES_128_CBC_SHA
|
TLS_RSA_WITH_AES_128_CBC_SHA
|
||||||
@ -594,7 +299,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
TLS_RSA_WITH_AES_256_CBC_SHA
|
TLS_RSA_WITH_AES_256_CBC_SHA
|
||||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
||||||
*/
|
*/
|
||||||
if (!SSL_CTX_set_cipher_list((SSL_CTX*)dtlscontext->sslcontext, "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:DHE-RSA-AES256-SHA")) {
|
if (!CyaSSL_CTX_set_cipher_list((CYASSL_CTX*)dtlscontext->sslcontext, "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:DHE-RSA-AES256-SHA")) {
|
||||||
capwap_logging_debug("Error to select cipher list");
|
capwap_logging_debug("Error to select cipher list");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
return 0;
|
return 0;
|
||||||
@ -606,7 +311,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
TLS_PSK_WITH_AES_256_CBC_SHA
|
TLS_PSK_WITH_AES_256_CBC_SHA
|
||||||
TLS_DHE_PSK_WITH_AES_256_CBC_SHA
|
TLS_DHE_PSK_WITH_AES_256_CBC_SHA
|
||||||
*/
|
*/
|
||||||
if (!SSL_CTX_set_cipher_list((SSL_CTX*)dtlscontext->sslcontext, "PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA")) {
|
if (!CyaSSL_CTX_set_cipher_list((CYASSL_CTX*)dtlscontext->sslcontext, "PSK-AES128-CBC-SHA:PSK-AES256-CBC-SHA")) {
|
||||||
capwap_logging_debug("Error to select cipher list");
|
capwap_logging_debug("Error to select cipher list");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
return 0;
|
return 0;
|
||||||
@ -615,7 +320,7 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
/* */
|
/* */
|
||||||
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
||||||
if (param->presharedkey.hint) {
|
if (param->presharedkey.hint) {
|
||||||
SSL_CTX_use_psk_identity_hint((SSL_CTX*)dtlscontext->sslcontext, param->presharedkey.hint);
|
CyaSSL_CTX_use_psk_identity_hint((CYASSL_CTX*)dtlscontext->sslcontext, param->presharedkey.hint);
|
||||||
} else {
|
} else {
|
||||||
capwap_logging_debug("Error to presharedkey hint");
|
capwap_logging_debug("Error to presharedkey hint");
|
||||||
capwap_crypt_freecontext(dtlscontext);
|
capwap_crypt_freecontext(dtlscontext);
|
||||||
@ -634,9 +339,9 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
|
|
||||||
/* */
|
/* */
|
||||||
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
||||||
SSL_CTX_set_psk_server_callback((SSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_server);
|
CyaSSL_CTX_set_psk_server_callback((CYASSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_server);
|
||||||
} else {
|
} else {
|
||||||
SSL_CTX_set_psk_client_callback((SSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_client);
|
CyaSSL_CTX_set_psk_client_callback((CYASSL_CTX*)dtlscontext->sslcontext, capwap_crypt_psk_client);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
capwap_logging_debug("Invalid DTLS mode");
|
capwap_logging_debug("Invalid DTLS mode");
|
||||||
@ -644,13 +349,6 @@ int capwap_crypt_createcontext(struct capwap_dtls_context* dtlscontext, struct c
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Cookie callback */
|
|
||||||
RAND_bytes(dtlscontext->cookie, CAPWAP_COOKIE_SECRET_LENGTH);
|
|
||||||
SSL_CTX_set_cookie_generate_cb((SSL_CTX*)dtlscontext->sslcontext, generate_cookie);
|
|
||||||
SSL_CTX_set_cookie_verify_cb((SSL_CTX*)dtlscontext->sslcontext, verify_cookie);
|
|
||||||
|
|
||||||
/* */
|
|
||||||
SSL_CTX_set_read_ahead((SSL_CTX*)dtlscontext->sslcontext, 1);
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -659,11 +357,7 @@ void capwap_crypt_freecontext(struct capwap_dtls_context* dtlscontext) {
|
|||||||
ASSERT(dtlscontext != NULL);
|
ASSERT(dtlscontext != NULL);
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
if (dtlscontext->mode == CAPWAP_DTLS_MODE_CERTIFICATE) {
|
if (dtlscontext->mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
|
||||||
if (dtlscontext->cert.pwdprivatekey) {
|
|
||||||
capwap_free(dtlscontext->cert.pwdprivatekey);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (dtlscontext->presharedkey.identity) {
|
if (dtlscontext->presharedkey.identity) {
|
||||||
capwap_free(dtlscontext->presharedkey.identity);
|
capwap_free(dtlscontext->presharedkey.identity);
|
||||||
}
|
}
|
||||||
@ -675,80 +369,42 @@ void capwap_crypt_freecontext(struct capwap_dtls_context* dtlscontext) {
|
|||||||
|
|
||||||
/* Free context */
|
/* Free context */
|
||||||
if (dtlscontext->sslcontext) {
|
if (dtlscontext->sslcontext) {
|
||||||
SSL_CTX_free((SSL_CTX*)dtlscontext->sslcontext);
|
CyaSSL_CTX_free((CYASSL_CTX*)dtlscontext->sslcontext);
|
||||||
}
|
}
|
||||||
|
|
||||||
memset(dtlscontext, 0, sizeof(struct capwap_dtls));
|
memset(dtlscontext, 0, sizeof(struct capwap_dtls_context));
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
int capwap_crypt_createsession(struct capwap_dtls* dtls, int sessiontype, struct capwap_dtls_context* dtlscontext, capwap_bio_send biosend, void* param) {
|
int capwap_crypt_createsession(struct capwap_dtls* dtls, int sessiontype, struct capwap_dtls_context* dtlscontext, capwap_bio_send biosend, void* param) {
|
||||||
BIO* bio;
|
|
||||||
struct capwap_app_data* appdata;
|
|
||||||
|
|
||||||
ASSERT(dtls != NULL);
|
ASSERT(dtls != NULL);
|
||||||
ASSERT(dtlscontext != NULL);
|
ASSERT(dtlscontext != NULL);
|
||||||
|
ASSERT(dtlscontext->sslcontext != NULL);
|
||||||
ASSERT(biosend != NULL);
|
ASSERT(biosend != NULL);
|
||||||
|
|
||||||
memset(dtls, 0, sizeof(struct capwap_dtls));
|
memset(dtls, 0, sizeof(struct capwap_dtls));
|
||||||
|
|
||||||
/* Create ssl session */
|
/* Create ssl session */
|
||||||
dtls->sslsession = (void*)SSL_new((SSL_CTX*)dtlscontext->sslcontext);
|
dtls->sslsession = (void*)CyaSSL_new((CYASSL_CTX*)dtlscontext->sslcontext);
|
||||||
if (!dtls->sslsession) {
|
if (!dtls->sslsession) {
|
||||||
capwap_logging_debug("Error to initialize dtls session");
|
capwap_logging_debug("Error to initialize dtls session");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Create BIO */
|
/* Send callback */
|
||||||
bio = capwap_bio_new();
|
dtls->send = biosend;
|
||||||
if (!bio) {
|
dtls->sendparam = param;
|
||||||
capwap_logging_debug("Error to initialize bio");
|
|
||||||
capwap_crypt_free(dtls);
|
|
||||||
return 0;
|
|
||||||
} else {
|
|
||||||
struct bio_capwap_data* data = (struct bio_capwap_data*)bio->ptr;
|
|
||||||
data->dtls = dtls;
|
|
||||||
data->send = biosend;
|
|
||||||
data->param = param;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Configure BIO */
|
|
||||||
SSL_set_bio((SSL*)dtls->sslsession, bio, bio);
|
|
||||||
|
|
||||||
/* In server mode enable cookie exchange */
|
|
||||||
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
|
||||||
SSL_set_options((SSL*)dtls->sslsession, SSL_OP_COOKIE_EXCHANGE);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Set static MTU size */
|
|
||||||
SSL_set_options((SSL*)dtls->sslsession, SSL_OP_NO_QUERY_MTU);
|
|
||||||
SSL_set_mtu((SSL*)dtls->sslsession, CAPWAP_DTLS_MTU_SIZE);
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
SSL_set_verify_depth((SSL*)dtls->sslsession, CAPWAP_DTLS_CERT_VERIFY_DEPTH + 1);
|
CyaSSL_set_using_nonblock((CYASSL*)dtls->sslsession, 1);
|
||||||
|
CyaSSL_SetIOReadCtx((CYASSL*)dtls->sslsession, (void*)dtls);
|
||||||
/* */
|
CyaSSL_SetIOWriteCtx((CYASSL*)dtls->sslsession, (void*)dtls);
|
||||||
SSL_set_read_ahead((SSL*)dtls->sslsession, 1);
|
CyaSSL_SetCookieCtx((CYASSL*)dtls->sslsession, (void*)dtls);
|
||||||
|
|
||||||
/* */
|
|
||||||
ERR_clear_error();
|
|
||||||
if (dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
|
||||||
SSL_set_accept_state((SSL*)dtls->sslsession);
|
|
||||||
} else {
|
|
||||||
SSL_set_connect_state((SSL*)dtls->sslsession);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* SSL session app data */
|
|
||||||
appdata = (struct capwap_app_data*)capwap_alloc(sizeof(struct capwap_app_data));
|
|
||||||
appdata->cookie = &dtlscontext->cookie[0];
|
|
||||||
|
|
||||||
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_APPLICATION, (void*)appdata);
|
|
||||||
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_DTLSCONTEXT, (void*)dtlscontext);
|
|
||||||
SSL_set_ex_data((SSL*)dtls->sslsession, OPENSSL_EXDATA_DTLS, (void*)dtls);
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
dtls->action = CAPWAP_DTLS_ACTION_NONE;
|
dtls->action = CAPWAP_DTLS_ACTION_NONE;
|
||||||
dtls->session = sessiontype;
|
dtls->session = sessiontype;
|
||||||
|
dtls->dtlscontext = dtlscontext;
|
||||||
dtls->enable = 1;
|
dtls->enable = 1;
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
@ -762,10 +418,16 @@ static int capwap_crypt_handshake(struct capwap_dtls* dtls) {
|
|||||||
ASSERT(dtls->enable != 0);
|
ASSERT(dtls->enable != 0);
|
||||||
ASSERT((dtls->action == CAPWAP_DTLS_ACTION_NONE) || (dtls->action == CAPWAP_DTLS_ACTION_HANDSHAKE));
|
ASSERT((dtls->action == CAPWAP_DTLS_ACTION_NONE) || (dtls->action == CAPWAP_DTLS_ACTION_HANDSHAKE));
|
||||||
|
|
||||||
ERR_clear_error();
|
/* */
|
||||||
result = SSL_do_handshake((SSL*)dtls->sslsession);
|
if (dtls->dtlscontext->type == CAPWAP_DTLS_SERVER) {
|
||||||
if (result <= 0) {
|
result = CyaSSL_accept((CYASSL*)dtls->sslsession);
|
||||||
result = SSL_get_error((SSL*)dtls->sslsession, result);
|
} else {
|
||||||
|
result = CyaSSL_connect((CYASSL*)dtls->sslsession);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
if (result != SSL_SUCCESS) {
|
||||||
|
result = CyaSSL_get_error((CYASSL*)dtls->sslsession, 0);
|
||||||
if ((result == SSL_ERROR_WANT_READ) || (result == SSL_ERROR_WANT_WRITE)) {
|
if ((result == SSL_ERROR_WANT_READ) || (result == SSL_ERROR_WANT_WRITE)) {
|
||||||
/* Incomplete handshake */
|
/* Incomplete handshake */
|
||||||
dtls->action = CAPWAP_DTLS_ACTION_HANDSHAKE;
|
dtls->action = CAPWAP_DTLS_ACTION_HANDSHAKE;
|
||||||
@ -776,14 +438,7 @@ static int capwap_crypt_handshake(struct capwap_dtls* dtls) {
|
|||||||
dtls->action = CAPWAP_DTLS_ACTION_ERROR;
|
dtls->action = CAPWAP_DTLS_ACTION_ERROR;
|
||||||
return CAPWAP_HANDSHAKE_ERROR;
|
return CAPWAP_HANDSHAKE_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check certificate */
|
|
||||||
result = SSL_get_verify_result((SSL*)dtls->sslsession);
|
|
||||||
if (result != X509_V_OK) {
|
|
||||||
dtls->action = CAPWAP_DTLS_ACTION_ERROR;
|
|
||||||
return CAPWAP_HANDSHAKE_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Handshake complete */
|
/* Handshake complete */
|
||||||
dtls->action = CAPWAP_DTLS_ACTION_DATA;
|
dtls->action = CAPWAP_DTLS_ACTION_DATA;
|
||||||
return CAPWAP_HANDSHAKE_COMPLETE;
|
return CAPWAP_HANDSHAKE_COMPLETE;
|
||||||
@ -791,10 +446,7 @@ static int capwap_crypt_handshake(struct capwap_dtls* dtls) {
|
|||||||
|
|
||||||
/* */
|
/* */
|
||||||
int capwap_crypt_open(struct capwap_dtls* dtls, struct sockaddr_storage* peeraddr) {
|
int capwap_crypt_open(struct capwap_dtls* dtls, struct sockaddr_storage* peeraddr) {
|
||||||
if (BIO_dgram_set_peer(SSL_get_rbio((SSL*)dtls->sslsession), peeraddr) < 0) {
|
memcpy(&dtls->peeraddr, peeraddr, sizeof(struct sockaddr_storage));
|
||||||
return CAPWAP_HANDSHAKE_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
return capwap_crypt_handshake(dtls);
|
return capwap_crypt_handshake(dtls);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -803,8 +455,8 @@ void capwap_crypt_close(struct capwap_dtls* dtls) {
|
|||||||
ASSERT(dtls != NULL);
|
ASSERT(dtls != NULL);
|
||||||
ASSERT(dtls->enable != 0);
|
ASSERT(dtls->enable != 0);
|
||||||
|
|
||||||
if ((dtls->action == CAPWAP_DTLS_ACTION_DATA) || (dtls->action == CAPWAP_DTLS_ACTION_SHUTDOWN)) {
|
if (dtls->sslsession) {
|
||||||
SSL_shutdown((SSL*)dtls->sslsession);
|
CyaSSL_shutdown((CYASSL*)dtls->sslsession);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -814,19 +466,9 @@ void capwap_crypt_freesession(struct capwap_dtls* dtls) {
|
|||||||
|
|
||||||
/* Free SSL session */
|
/* Free SSL session */
|
||||||
if (dtls->sslsession) {
|
if (dtls->sslsession) {
|
||||||
struct capwap_app_data* appdata = (struct capwap_app_data*)SSL_get_ex_data(dtls->sslsession, OPENSSL_EXDATA_APPLICATION);
|
CyaSSL_free((CYASSL*)dtls->sslsession);
|
||||||
if (appdata) {
|
|
||||||
capwap_free(appdata);
|
|
||||||
}
|
|
||||||
|
|
||||||
SSL_free((SSL*)dtls->sslsession);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
|
||||||
ERR_clear_error();
|
|
||||||
ERR_remove_state(0);
|
|
||||||
ERR_remove_thread_state(NULL);
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
memset(dtls, 0, sizeof(struct capwap_dtls));
|
memset(dtls, 0, sizeof(struct capwap_dtls));
|
||||||
}
|
}
|
||||||
@ -847,8 +489,7 @@ int capwap_crypt_sendto(struct capwap_dtls* dtls, int sock, void* buffer, int si
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ERR_clear_error();
|
return CyaSSL_write((CYASSL*)dtls->sslsession, buffer, size);
|
||||||
return SSL_write((SSL*)dtls->sslsession, buffer, size);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
@ -908,22 +549,13 @@ int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size,
|
|||||||
result = CAPWAP_ERROR_AGAIN; /* Don't parsing DTLS packet */
|
result = CAPWAP_ERROR_AGAIN; /* Don't parsing DTLS packet */
|
||||||
}
|
}
|
||||||
} else if (dtls->action == CAPWAP_DTLS_ACTION_DATA) {
|
} else if (dtls->action == CAPWAP_DTLS_ACTION_DATA) {
|
||||||
ERR_clear_error();
|
result = CyaSSL_read((CYASSL*)dtls->sslsession, (plainbuffer ? plainbuffer : encrybuffer), maxsize);
|
||||||
result = SSL_read((SSL*)dtls->sslsession, (plainbuffer ? plainbuffer : encrybuffer), maxsize);
|
|
||||||
if (!result) {
|
if (!result) {
|
||||||
int shutdown;
|
dtls->action = CAPWAP_DTLS_ACTION_SHUTDOWN;
|
||||||
|
result = CAPWAP_ERROR_SHUTDOWN;
|
||||||
/* Check shutdown status */
|
|
||||||
shutdown = SSL_get_shutdown((SSL*)dtls->sslsession);
|
|
||||||
if (shutdown & SSL_RECEIVED_SHUTDOWN) {
|
|
||||||
dtls->action = CAPWAP_DTLS_ACTION_SHUTDOWN;
|
|
||||||
result = CAPWAP_ERROR_SHUTDOWN;
|
|
||||||
} else {
|
|
||||||
result = CAPWAP_ERROR_AGAIN;
|
|
||||||
}
|
|
||||||
} else if (result < 0) {
|
} else if (result < 0) {
|
||||||
/* Check error */
|
/* Check error */
|
||||||
sslerror = SSL_get_error((SSL*)dtls->sslsession, result);
|
sslerror = CyaSSL_get_error((CYASSL*)dtls->sslsession, 0);
|
||||||
if ((sslerror == SSL_ERROR_WANT_READ) || (sslerror == SSL_ERROR_WANT_WRITE)) {
|
if ((sslerror == SSL_ERROR_WANT_READ) || (sslerror == SSL_ERROR_WANT_WRITE)) {
|
||||||
result = CAPWAP_ERROR_AGAIN; /* DTLS Renegotiation */
|
result = CAPWAP_ERROR_AGAIN; /* DTLS Renegotiation */
|
||||||
} else {
|
} else {
|
||||||
@ -952,7 +584,7 @@ int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size,
|
|||||||
#define DTLS_HANDSHAKE_LAYER_CLIENT_HELLO 1
|
#define DTLS_HANDSHAKE_LAYER_CLIENT_HELLO 1
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
int capwap_sanity_check_dtls_clienthello(void* buffer, int buffersize) {
|
int capwap_crypt_has_dtls_clienthello(void* buffer, int buffersize) {
|
||||||
unsigned char* dtlsdata = (unsigned char*)buffer;
|
unsigned char* dtlsdata = (unsigned char*)buffer;
|
||||||
|
|
||||||
/* Read DTLS packet in RAW mode */
|
/* Read DTLS packet in RAW mode */
|
||||||
|
@ -23,12 +23,14 @@
|
|||||||
#define CAPWAP_DTLS_CONTROL_SESSION 0
|
#define CAPWAP_DTLS_CONTROL_SESSION 0
|
||||||
#define CAPWAP_DTLS_DATA_SESSION 1
|
#define CAPWAP_DTLS_DATA_SESSION 1
|
||||||
|
|
||||||
#define CAPWAP_COOKIE_SECRET_LENGTH 16
|
|
||||||
|
|
||||||
#define CAPWAP_ERROR_AGAIN 0
|
#define CAPWAP_ERROR_AGAIN 0
|
||||||
#define CAPWAP_ERROR_SHUTDOWN -1
|
#define CAPWAP_ERROR_SHUTDOWN -1
|
||||||
#define CAPWAP_ERROR_CLOSE -2
|
#define CAPWAP_ERROR_CLOSE -2
|
||||||
|
|
||||||
|
/* */
|
||||||
|
struct capwap_dtls;
|
||||||
|
typedef int(*capwap_bio_send)(struct capwap_dtls* dtls, char* buffer, int length, void* param);
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
struct capwap_dtls_context {
|
struct capwap_dtls_context {
|
||||||
int type;
|
int type;
|
||||||
@ -36,19 +38,12 @@ struct capwap_dtls_context {
|
|||||||
|
|
||||||
void* sslcontext;
|
void* sslcontext;
|
||||||
|
|
||||||
/* Cookie */
|
|
||||||
unsigned char cookie[CAPWAP_COOKIE_SECRET_LENGTH];
|
|
||||||
|
|
||||||
union {
|
union {
|
||||||
struct {
|
struct {
|
||||||
char* identity;
|
char* identity;
|
||||||
unsigned char* pskkey;
|
unsigned char* pskkey;
|
||||||
unsigned int pskkeylength;
|
unsigned int pskkeylength;
|
||||||
} presharedkey;
|
} presharedkey;
|
||||||
|
|
||||||
struct {
|
|
||||||
char* pwdprivatekey; /* Password for private key */
|
|
||||||
} cert;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -59,6 +54,12 @@ struct capwap_dtls {
|
|||||||
int session;
|
int session;
|
||||||
|
|
||||||
void* sslsession;
|
void* sslsession;
|
||||||
|
struct capwap_dtls_context* dtlscontext;
|
||||||
|
|
||||||
|
/* Send callback */
|
||||||
|
struct sockaddr_storage peeraddr;
|
||||||
|
capwap_bio_send send;
|
||||||
|
void* sendparam;
|
||||||
|
|
||||||
/* Buffer read */
|
/* Buffer read */
|
||||||
void* buffer;
|
void* buffer;
|
||||||
@ -82,21 +83,11 @@ struct capwap_dtls_param {
|
|||||||
char* filecert;
|
char* filecert;
|
||||||
char* filekey;
|
char* filekey;
|
||||||
char* fileca;
|
char* fileca;
|
||||||
|
|
||||||
/* Password for private key */
|
|
||||||
char* pwdprivatekey;
|
|
||||||
} cert;
|
} cert;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
struct capwap_app_data {
|
|
||||||
unsigned char* cookie;
|
|
||||||
};
|
|
||||||
|
|
||||||
/* */
|
|
||||||
typedef int(*capwap_bio_send)(struct capwap_dtls* dtls, char* buffer, int length, void* param);
|
|
||||||
|
|
||||||
int capwap_crypt_init();
|
int capwap_crypt_init();
|
||||||
void capwap_crypt_free();
|
void capwap_crypt_free();
|
||||||
|
|
||||||
@ -113,6 +104,6 @@ int capwap_crypt_sendto(struct capwap_dtls* dtls, int sock, void* buffer, int si
|
|||||||
int capwap_crypt_sendto_fragmentpacket(struct capwap_dtls* dtls, int sock, struct capwap_list* fragmentlist, struct sockaddr_storage* sendfromaddr, struct sockaddr_storage* sendtoaddr);
|
int capwap_crypt_sendto_fragmentpacket(struct capwap_dtls* dtls, int sock, struct capwap_list* fragmentlist, struct sockaddr_storage* sendfromaddr, struct sockaddr_storage* sendtoaddr);
|
||||||
int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size, void* plainbuffer, int maxsize);
|
int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size, void* plainbuffer, int maxsize);
|
||||||
|
|
||||||
int capwap_sanity_check_dtls_clienthello(void* buffer, int buffersize);
|
int capwap_crypt_has_dtls_clienthello(void* buffer, int buffersize);
|
||||||
|
|
||||||
#endif /* __CAPWAP_DTLS_HEADER__ */
|
#endif /* __CAPWAP_DTLS_HEADER__ */
|
||||||
|
@ -1,14 +1,8 @@
|
|||||||
#include "capwap.h"
|
#include "capwap.h"
|
||||||
#include "capwap_socket.h"
|
#include "capwap_socket.h"
|
||||||
|
|
||||||
#include <openssl/ssl.h>
|
#include <cyassl/options.h>
|
||||||
#include <openssl/bio.h>
|
#include <cyassl/ssl.h>
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/engine.h>
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
|
|
||||||
/* */
|
|
||||||
#define OPENSSL_EXDATA_PRIVATE_KEY_PASSWORD 1
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int capwap_socket_nonblocking(int sock, int nonblocking) {
|
static int capwap_socket_nonblocking(int sock, int nonblocking) {
|
||||||
@ -60,7 +54,7 @@ int capwap_socket_connect(int sock, struct sockaddr_storage* address, int timeou
|
|||||||
fds.events = POLLOUT;
|
fds.events = POLLOUT;
|
||||||
|
|
||||||
result = poll(&fds, 1, timeout);
|
result = poll(&fds, 1, timeout);
|
||||||
if ((result < 0) && (errno != EINTR)) {
|
if (!result || ((result < 0) && (errno != EINTR))) {
|
||||||
return 0;
|
return 0;
|
||||||
} else if (result > 0) {
|
} else if (result > 0) {
|
||||||
/* Check connection status */
|
/* Check connection status */
|
||||||
@ -87,98 +81,57 @@ int capwap_socket_connect(int sock, struct sockaddr_storage* address, int timeou
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int capwap_socket_crypto_checkpasswd(char* buffer, int size, int rwflag, void* userdata) {
|
static int capwap_socket_crypto_verifycertificate(int preverify, CYASSL_X509_STORE_CTX* store) {
|
||||||
if (!userdata) {
|
return preverify;
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
strncpy(buffer, (char*)userdata, size);
|
|
||||||
buffer[size - 1] = 0;
|
|
||||||
return strlen(buffer);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
static int capwap_socket_crypto_verifycertificate(int preverify_ok, X509_STORE_CTX* ctx) {
|
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey) {
|
||||||
int err;
|
CYASSL_CTX* context = NULL;
|
||||||
X509* err_cert;
|
|
||||||
char buf[256];
|
|
||||||
|
|
||||||
err_cert = X509_STORE_CTX_get_current_cert(ctx);
|
|
||||||
err = X509_STORE_CTX_get_error(ctx);
|
|
||||||
X509_verify_cert_error_string(err);
|
|
||||||
|
|
||||||
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
|
|
||||||
|
|
||||||
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
|
|
||||||
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
|
|
||||||
}
|
|
||||||
|
|
||||||
return preverify_ok;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey, char* privatekeypasswd) {
|
|
||||||
SSL_CTX* context = NULL;
|
|
||||||
|
|
||||||
ASSERT(calist != NULL);
|
ASSERT(calist != NULL);
|
||||||
ASSERT(cert != NULL);
|
ASSERT(cert != NULL);
|
||||||
ASSERT(privatekey != NULL);
|
ASSERT(privatekey != NULL);
|
||||||
|
|
||||||
/* Create SSL context */
|
/* Create SSL context */
|
||||||
context = (void*)SSL_CTX_new(SSLv23_client_method());
|
context = CyaSSL_CTX_new(CyaTLSv1_2_client_method());
|
||||||
if (context) {
|
if (context) {
|
||||||
char* privkey = NULL;
|
|
||||||
|
|
||||||
/* Public certificate */
|
/* Public certificate */
|
||||||
if (!SSL_CTX_use_certificate_file(context, cert, SSL_FILETYPE_PEM)) {
|
if (!CyaSSL_CTX_use_certificate_file(context, cert, SSL_FILETYPE_PEM)) {
|
||||||
capwap_logging_debug("Error to load certificate file");
|
capwap_logging_debug("Error to load certificate file");
|
||||||
capwap_socket_crypto_freecontext(context);
|
capwap_socket_crypto_freecontext(context);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Save private key */
|
|
||||||
if (privatekeypasswd && *privatekeypasswd) {
|
|
||||||
privkey = capwap_duplicate_string(privatekeypasswd);
|
|
||||||
SSL_CTX_set_ex_data(context, OPENSSL_EXDATA_PRIVATE_KEY_PASSWORD, (void*)privkey);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
|
||||||
SSL_CTX_set_default_passwd_cb(context, capwap_socket_crypto_checkpasswd);
|
|
||||||
SSL_CTX_set_default_passwd_cb_userdata(context, privkey);
|
|
||||||
|
|
||||||
/* Private key */
|
/* Private key */
|
||||||
if (!SSL_CTX_use_PrivateKey_file(context, privatekey, SSL_FILETYPE_PEM)) {
|
if (!CyaSSL_CTX_use_PrivateKey_file(context, privatekey, SSL_FILETYPE_PEM)) {
|
||||||
capwap_logging_debug("Error to load private key file");
|
capwap_logging_debug("Error to load private key file");
|
||||||
capwap_socket_crypto_freecontext(context);
|
capwap_socket_crypto_freecontext(context);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!SSL_CTX_check_private_key(context)) {
|
if (!CyaSSL_CTX_check_private_key(context)) {
|
||||||
capwap_logging_debug("Error to check private key");
|
capwap_logging_debug("Error to check private key");
|
||||||
capwap_socket_crypto_freecontext(context);
|
capwap_socket_crypto_freecontext(context);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Certificate Authority */
|
/* Certificate Authority */
|
||||||
if (!SSL_CTX_load_verify_locations(context, calist, NULL)) {
|
if (!CyaSSL_CTX_load_verify_locations(context, calist, NULL)) {
|
||||||
capwap_logging_debug("Error to load ca file");
|
capwap_logging_debug("Error to load ca file");
|
||||||
capwap_socket_crypto_freecontext(context);
|
capwap_socket_crypto_freecontext(context);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Verify certificate callback */
|
/* Verify certificate callback */
|
||||||
SSL_CTX_set_verify(context, SSL_VERIFY_PEER, capwap_socket_crypto_verifycertificate);
|
CyaSSL_CTX_set_verify(context, SSL_VERIFY_PEER, capwap_socket_crypto_verifycertificate);
|
||||||
|
|
||||||
/* Set only high security cipher list */
|
/* Set only high security cipher list */
|
||||||
if (!SSL_CTX_set_cipher_list(context, "HIGH:!DSS:!aNULL@STRENGTH")) {
|
if (!CyaSSL_CTX_set_cipher_list(context, "AES256-SHA")) {
|
||||||
capwap_logging_debug("Error to select cipher list");
|
capwap_logging_debug("Error to select cipher list");
|
||||||
capwap_socket_crypto_freecontext(context);
|
capwap_socket_crypto_freecontext(context);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
|
||||||
SSL_CTX_set_mode(context, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return (void*)context;
|
return (void*)context;
|
||||||
@ -186,16 +139,10 @@ void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* private
|
|||||||
|
|
||||||
/* */
|
/* */
|
||||||
void capwap_socket_crypto_freecontext(void* context) {
|
void capwap_socket_crypto_freecontext(void* context) {
|
||||||
char* privkey;
|
CYASSL_CTX* sslcontext = (CYASSL_CTX*)context;
|
||||||
SSL_CTX* sslcontext = (SSL_CTX*)context;
|
|
||||||
|
|
||||||
if (sslcontext) {
|
if (sslcontext) {
|
||||||
privkey = (char*)SSL_CTX_get_ex_data(sslcontext, OPENSSL_EXDATA_PRIVATE_KEY_PASSWORD);
|
CyaSSL_CTX_free(sslcontext);
|
||||||
if (privkey) {
|
|
||||||
capwap_free(privkey);
|
|
||||||
}
|
|
||||||
|
|
||||||
SSL_CTX_free(sslcontext);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -212,27 +159,29 @@ struct capwap_socket_ssl* capwap_socket_ssl_connect(int sock, void* sslcontext,
|
|||||||
sslsock = capwap_alloc(sizeof(struct capwap_socket_ssl));
|
sslsock = capwap_alloc(sizeof(struct capwap_socket_ssl));
|
||||||
sslsock->sock = sock;
|
sslsock->sock = sock;
|
||||||
sslsock->sslcontext = sslcontext;
|
sslsock->sslcontext = sslcontext;
|
||||||
sslsock->sslsession = (void*)SSL_new((SSL_CTX*)sslcontext);
|
sslsock->sslsession = (void*)CyaSSL_new((CYASSL_CTX*)sslcontext);
|
||||||
if (!sslsock->sslsession) {
|
if (!sslsock->sslsession) {
|
||||||
capwap_free(sslsock);
|
capwap_free(sslsock);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Set socket to SSL session */
|
/* Set socket to SSL session */
|
||||||
if (!SSL_set_fd((SSL*)sslsock->sslsession, sock)) {
|
if (!CyaSSL_set_fd((CYASSL*)sslsock->sslsession, sock)) {
|
||||||
SSL_free((SSL*)sslsock->sslsession);
|
CyaSSL_free((CYASSL*)sslsock->sslsession);
|
||||||
capwap_free(sslsock);
|
capwap_free(sslsock);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* */
|
||||||
|
CyaSSL_set_using_nonblock((CYASSL*)sslsock->sslsession, 1);
|
||||||
|
|
||||||
/* Establish SSL connection */
|
/* Establish SSL connection */
|
||||||
for (;;) {
|
for (;;) {
|
||||||
ERR_clear_error();
|
result = CyaSSL_connect((CYASSL*)sslsock->sslsession);
|
||||||
result = SSL_connect((SSL*)sslsock->sslsession);
|
if (result == SSL_SUCCESS) {
|
||||||
if (result == 1) {
|
|
||||||
break; /* Connection complete */
|
break; /* Connection complete */
|
||||||
} else {
|
} else {
|
||||||
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
|
int error = CyaSSL_get_error((CYASSL*)sslsock->sslsession, 0);
|
||||||
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
||||||
memset(&fds, 0, sizeof(struct pollfd));
|
memset(&fds, 0, sizeof(struct pollfd));
|
||||||
fds.fd = sock;
|
fds.fd = sock;
|
||||||
@ -240,12 +189,12 @@ struct capwap_socket_ssl* capwap_socket_ssl_connect(int sock, void* sslcontext,
|
|||||||
|
|
||||||
result = poll(&fds, 1, timeout);
|
result = poll(&fds, 1, timeout);
|
||||||
if (((result < 0) && (errno != EINTR)) || ((result > 0) && (fds.events != fds.revents))) {
|
if (((result < 0) && (errno != EINTR)) || ((result > 0) && (fds.events != fds.revents))) {
|
||||||
SSL_free((SSL*)sslsock->sslsession);
|
CyaSSL_free((CYASSL*)sslsock->sslsession);
|
||||||
capwap_free(sslsock);
|
capwap_free(sslsock);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
SSL_free((SSL*)sslsock->sslsession);
|
CyaSSL_free((CYASSL*)sslsock->sslsession);
|
||||||
capwap_free(sslsock);
|
capwap_free(sslsock);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -258,8 +207,6 @@ struct capwap_socket_ssl* capwap_socket_ssl_connect(int sock, void* sslcontext,
|
|||||||
/* */
|
/* */
|
||||||
int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, size_t length, int timeout) {
|
int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, size_t length, int timeout) {
|
||||||
int result;
|
int result;
|
||||||
struct pollfd fds;
|
|
||||||
size_t sendlength;
|
|
||||||
|
|
||||||
ASSERT(sslsock != NULL);
|
ASSERT(sslsock != NULL);
|
||||||
ASSERT(sslsock->sslsession != NULL);
|
ASSERT(sslsock->sslsession != NULL);
|
||||||
@ -267,32 +214,12 @@ int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, s
|
|||||||
ASSERT(buffer != NULL);
|
ASSERT(buffer != NULL);
|
||||||
ASSERT(length > 0);
|
ASSERT(length > 0);
|
||||||
|
|
||||||
sendlength = 0;
|
result = CyaSSL_write((CYASSL*)sslsock->sslsession, buffer, length);
|
||||||
while (sendlength < length) {
|
if (result != length) {
|
||||||
size_t leftlength = length - sendlength;
|
return -1;
|
||||||
|
|
||||||
ERR_clear_error();
|
|
||||||
result = SSL_write((SSL*)sslsock->sslsession, &((char*)buffer)[sendlength], leftlength);
|
|
||||||
if (result > 0) {
|
|
||||||
sendlength += result;
|
|
||||||
} else {
|
|
||||||
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
|
|
||||||
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
|
||||||
memset(&fds, 0, sizeof(struct pollfd));
|
|
||||||
fds.fd = sslsock->sock;
|
|
||||||
fds.events = ((error == SSL_ERROR_WANT_READ) ? POLLIN : POLLOUT);
|
|
||||||
|
|
||||||
result = poll(&fds, 1, timeout);
|
|
||||||
if (((result < 0) && (errno != EINTR)) || ((result > 0) && (fds.events != fds.revents))) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return sendlength;
|
return length;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
@ -307,12 +234,11 @@ int capwap_socket_crypto_recv(struct capwap_socket_ssl* sslsock, void* buffer, s
|
|||||||
ASSERT(length > 0);
|
ASSERT(length > 0);
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
ERR_clear_error();
|
result = CyaSSL_read((CYASSL*)sslsock->sslsession, buffer, length);
|
||||||
result = SSL_read((SSL*)sslsock->sslsession, buffer, length);
|
|
||||||
if (result >= 0) {
|
if (result >= 0) {
|
||||||
return result;
|
return result;
|
||||||
} else {
|
} else {
|
||||||
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
|
int error = CyaSSL_get_error((CYASSL*)sslsock->sslsession, 0);
|
||||||
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
||||||
memset(&fds, 0, sizeof(struct pollfd));
|
memset(&fds, 0, sizeof(struct pollfd));
|
||||||
fds.fd = sslsock->sock;
|
fds.fd = sslsock->sock;
|
||||||
@ -342,12 +268,11 @@ void capwap_socket_ssl_shutdown(struct capwap_socket_ssl* sslsock, int timeout)
|
|||||||
|
|
||||||
/* */
|
/* */
|
||||||
for (;;) {
|
for (;;) {
|
||||||
ERR_clear_error();
|
result = CyaSSL_shutdown((CYASSL*)sslsock->sslsession);
|
||||||
result = SSL_shutdown((SSL*)sslsock->sslsession);
|
|
||||||
if (result >= 0) {
|
if (result >= 0) {
|
||||||
break; /* Shutdown complete */
|
break; /* Shutdown complete */
|
||||||
} else {
|
} else {
|
||||||
int error = SSL_get_error((SSL*)sslsock->sslsession, result);
|
int error = CyaSSL_get_error((CYASSL*)sslsock->sslsession, 0);
|
||||||
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
if ((error == SSL_ERROR_WANT_READ) || (error == SSL_ERROR_WANT_WRITE)) {
|
||||||
memset(&fds, 0, sizeof(struct pollfd));
|
memset(&fds, 0, sizeof(struct pollfd));
|
||||||
fds.fd = sslsock->sock;
|
fds.fd = sslsock->sock;
|
||||||
@ -369,7 +294,7 @@ void capwap_socket_ssl_close(struct capwap_socket_ssl* sslsock) {
|
|||||||
ASSERT(sslsock != NULL);
|
ASSERT(sslsock != NULL);
|
||||||
ASSERT(sslsock->sslsession != NULL);
|
ASSERT(sslsock->sslsession != NULL);
|
||||||
|
|
||||||
SSL_free((SSL*)sslsock->sslsession);
|
CyaSSL_free((CYASSL*)sslsock->sslsession);
|
||||||
sslsock->sslsession = NULL;
|
sslsock->sslsession = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -387,10 +312,6 @@ void capwap_socket_close(int sock) {
|
|||||||
capwap_socket_shutdown(sock);
|
capwap_socket_shutdown(sock);
|
||||||
capwap_socket_nonblocking(sock, 0);
|
capwap_socket_nonblocking(sock, 0);
|
||||||
close(sock);
|
close(sock);
|
||||||
|
|
||||||
/* */
|
|
||||||
ERR_clear_error();
|
|
||||||
ERR_remove_state(0);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
|
@ -17,7 +17,7 @@ struct capwap_socket_ssl {
|
|||||||
void* sslsession;
|
void* sslsession;
|
||||||
};
|
};
|
||||||
|
|
||||||
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey, char* privatekeypasswd);
|
void* capwap_socket_crypto_createcontext(char* calist, char* cert, char* privatekey);
|
||||||
void capwap_socket_crypto_freecontext(void* context);
|
void capwap_socket_crypto_freecontext(void* context);
|
||||||
|
|
||||||
int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, size_t length, int timeout);
|
int capwap_socket_crypto_send(struct capwap_socket_ssl* sslsock, void* buffer, size_t length, int timeout);
|
||||||
|
@ -1018,12 +1018,6 @@ static int wtp_parsing_configuration_1_0(config_t* config) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config_lookup_string(config, "application.dtls.x509.privatekeypassword", &configString) == CONFIG_TRUE) {
|
|
||||||
if (strlen(configString) > 0) {
|
|
||||||
dtlsparam.cert.pwdprivatekey = capwap_duplicate_string(configString);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
|
if (dtlsparam.cert.fileca && dtlsparam.cert.filecert && dtlsparam.cert.filekey) {
|
||||||
if (capwap_crypt_createcontext(&g_wtp.dtlscontext, &dtlsparam)) {
|
if (capwap_crypt_createcontext(&g_wtp.dtlscontext, &dtlsparam)) {
|
||||||
@ -1043,10 +1037,6 @@ static int wtp_parsing_configuration_1_0(config_t* config) {
|
|||||||
if (dtlsparam.cert.filekey) {
|
if (dtlsparam.cert.filekey) {
|
||||||
capwap_free(dtlsparam.cert.filekey);
|
capwap_free(dtlsparam.cert.filekey);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dtlsparam.cert.pwdprivatekey) {
|
|
||||||
capwap_free(dtlsparam.cert.pwdprivatekey);
|
|
||||||
}
|
|
||||||
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
|
} else if (dtlsparam.mode == CAPWAP_DTLS_MODE_PRESHAREDKEY) {
|
||||||
if (config_lookup_string(config, "application.dtls.presharedkey.identity", &configString) == CONFIG_TRUE) {
|
if (config_lookup_string(config, "application.dtls.presharedkey.identity", &configString) == CONFIG_TRUE) {
|
||||||
if (strlen(configString) > 0) {
|
if (strlen(configString) > 0) {
|
||||||
@ -1373,7 +1363,7 @@ int main(int argc, char** argv) {
|
|||||||
capwap_init_rand();
|
capwap_init_rand();
|
||||||
|
|
||||||
/* Init crypt */
|
/* Init crypt */
|
||||||
if (!capwap_crypt_init()) {
|
if (capwap_crypt_init()) {
|
||||||
result = CAPWAP_CRYPT_ERROR;
|
result = CAPWAP_CRYPT_ERROR;
|
||||||
capwap_logging_fatal("Error to init crypt engine");
|
capwap_logging_fatal("Error to init crypt engine");
|
||||||
} else {
|
} else {
|
||||||
|
Loading…
Reference in New Issue
Block a user