From 3bafa48a906abeb18357b64950cfa89463fcfa88 Mon Sep 17 00:00:00 2001
From: "7u83@mail.ru" <7u83@mail.ru@noemail.net>
Date: Sat, 16 Aug 2014 11:13:23 +0000
Subject: [PATCH] Some clean-ups, DTLS psk stuff is now here.

FossilOrigin-Name: e62ea09a2b98064395593c2a207c4280a51bbfbf01774b011656b216b7dc77af
---
 src/capwap/dtls_openssl.c | 49 ++++++++++++++++++++++++++++++---------
 1 file changed, 38 insertions(+), 11 deletions(-)

diff --git a/src/capwap/dtls_openssl.c b/src/capwap/dtls_openssl.c
index c1507e45..467a36f4 100644
--- a/src/capwap/dtls_openssl.c
+++ b/src/capwap/dtls_openssl.c
@@ -175,20 +175,20 @@ int dtls_openssl_set_certs(struct conn * conn, struct dtls_openssl_data *d)
 SSL_CTX_set_default_passwd_cb(d->ctx, pem_passwd_cb);
- cw_log_debug1("DTLS - Setting key file %s",conn->dtls_key_file);
+ cw_dbg(DBG_DTLS,"DTLS - Using key file %s",conn->dtls_key_file);
 rc = SSL_CTX_use_PrivateKey_file(d->ctx,conn->dtls_key_file,SSL_FILETYPE_PEM);
 if (!rc){
- dtls_openssl_log_error(0,rc,"DTLS:");
+ dtls_openssl_log_error(0,rc,"DTLS certificate errro:");
 dtls_openssl_data_destroy(d);
 return 0;
 }
- cw_log_debug1("DTLS - Setting cert file %s",conn->dtls_cert_file);
+ cw_dbg(DBG_DTLS,"DTLS - Using cert file %s",conn->dtls_cert_file);
 rc = SSL_CTX_use_certificate_file(d->ctx,conn->dtls_cert_file,SSL_FILETYPE_PEM);
 if (!rc){
- dtls_openssl_log_error(0,rc,"DTLS:");
+ dtls_openssl_log_error(0,rc,"DTLS certificate error:");
 dtls_openssl_data_destroy(d);
 return 0;
 }
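Review bot: The new message on the SSL_CTX_use_PrivateKey_file failure path reads `"DTLS certificate errro:"` — a typo, and it labels a private-key load failure as a certificate error, which will send whoever reads the log to the wrong file; `dtls_openssl_log_error(0,rc,"DTLS private key error:");` is what that branch should say. Separately, the key is loaded before the certificate, and OpenSSL only cross-checks a key against a certificate that is already present, so unless SSL_CTX_check_private_key() is called later in the function a mismatched key/cert pair passes this code unnoticed. dtls_openssl_set_certs begins before this hunk and continues after it, so that check may exist outside the visible lines.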
@@ -228,6 +228,18 @@ int dtls_verify_callback (int ok, X509_STORE_CTX *ctx) {
 }
+
+
+static unsigned int psk_server_cb(SSL *ssl,const char *identity, unsigned char * psk, unsigned int max_psk_len)
+{
+ BIO * b = SSL_get_rbio(ssl);
+ struct conn * conn = b->ptr;
+ int l = conn->dtls_psk_len < max_psk_len ? conn->dtls_psk_len : max_psk_len;
+ memcpy(psk,conn->dtls_psk,l);
+ return l;
+}
+
+
 struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SSL_METHOD * method, BIO_METHOD * bio) {
 struct dtls_openssl_data * d = malloc(sizeof(struct dtls_openssl_data));
@@ -235,28 +247,44 @@ struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SS
 return 0;
 memset(d,0,sizeof(struct dtls_openssl_data));
+ /* create new SSL ctx. (In future this should not be done for every connection) */
 d->ctx = SSL_CTX_new(method);
 if (!d->ctx){
 dtls_openssl_data_destroy(d);
 return 0;
 }
- SSL_CTX_set_read_ahead(d->ctx, 0);
 int rc = SSL_CTX_set_cipher_list(d->ctx, conn->dtls_cipher);
 if (!rc){
- dtls_openssl_log_error(0,rc,"DTLS:");
+ dtls_openssl_log_error(0,rc,"DTLS setup error:");
 dtls_openssl_data_destroy(d);
 return 0;
 }
+ /* set dtls psk if exists */
+ if (conn->dtls_psk)
+ SSL_CTX_set_psk_server_callback( d->ctx, psk_server_cb);
+
+
+
+ rc = dtls_openssl_set_certs(conn,d);
+ if (!rc)
+ return 0;
+
+
+ SSL_CTX_set_read_ahead(d->ctx, 0);
+
+
 // SSL_CTX_set_session_cache_mode(d->ctx, SSL_SESS_CACHE_BOTH);
 SSL_CTX_set_options(d->ctx, SSL_OP_COOKIE_EXCHANGE); //|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
 rc = SSL_CTX_load_verify_locations(d->ctx,"/home/tube/v/actube/ssl/root-ca.pem",NULL);
- printf("Locations RC = %d\n",rc);
 // SSL_CTX_set_options(d->ctx, SSL_OP_ALL);
@@ -282,6 +310,9 @@ struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SS
 SSL_CTX_set_mode(d->ctx,SSL_MODE_SEND_SERVERHELLO_TIME);
+
+
+
 rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL);
 // if (rsa_512 == NULL)
 // evaluate_error_queue();
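Review bot: psk_server_cb silently truncates the configured key when `conn->dtls_psk_len` exceeds `max_psk_len`, so a mis-sized PSK makes the server run the handshake with a key that differs from the one configured and fail in a way that is hard to diagnose; it should refuse instead — `if (conn->dtls_psk_len > max_psk_len) return 0;` before the copy (returning 0 aborts the handshake), with `memcpy(psk,conn->dtls_psk,conn->dtls_psk_len); return conn->dtls_psk_len;` following. The callback also never looks at `identity`, so whatever identity the client presents receives the same key; if a single shared PSK is the intent, say so with `/* one PSK for all clients; identity is deliberately not checked */`, otherwise this is where the identity lookup belongs. `int l` is compared with and returned as `unsigned int`; declaring it `unsigned int` removes the sign conversion. Reading `b->ptr` directly assumes the BIO layout of this OpenSSL version and presumes the rbio's ptr holds the conn (the BIO setup is outside this hunk); `BIO_get_data()` or storing conn via SSL_set_app_data would not depend on struct internals.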
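Review bot: With the printf gone, the result of `SSL_CTX_load_verify_locations` is assigned to `rc` and never read, so a missing or unreadable root-ca.pem no longer surfaces anywhere and the context goes on without a trust anchor; the call should get the same failure handling the cipher-list and certificate calls in this hunk already have. The hard-coded `/home/tube/v/actube/ssl/root-ca.pem` (pre-existing context) makes that failure likely on any other host, which is why the check matters here. Whether an unloaded trust store is fatal in practice depends on the verify mode set elsewhere in dtls_openssl_data_create (the function continues past this hunk), but continuing silently is the wrong default for a CA store.
```c
	rc = SSL_CTX_load_verify_locations(d->ctx,"/home/tube/v/actube/ssl/root-ca.pem",NULL);
	if (!rc){
		dtls_openssl_log_error(0,rc,"DTLS setup error:");
		dtls_openssl_data_destroy(d);
		return 0;
	}
	/* … unchanged: commented-out SSL_OP_ALL line … */
```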
@@ -323,10 +354,6 @@ struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SS
 } */
- rc = dtls_openssl_set_certs(conn,d);
- if (!rc)
- return 0;
-
 d->ssl = SSL_new(d->ctx);