From a39514e8365a313c59f3e3cd8ecceaf5a0a14442 Mon Sep 17 00:00:00 2001 From: "7u83@mail.ru" <7u83@mail.ru@noemail.net> Date: Tue, 3 Apr 2018 22:43:13 +0000 Subject: [PATCH] default params for dh implemented FossilOrigin-Name: a57ff3b0c45f4ddd9bec59ab4ce047ca1dd7729d78f12f4ad56950add5104f5b --- src/ac/config.ktv | 6 ++++-- src/cw/conn.h | 1 + src/cw/cw_setup_dtls.c | 3 +++ src/cw/dtls_gnutls.c | 11 ----------- src/cw/dtls_gnutls.h | 2 +- src/cw/dtls_gnutls_accept.c | 22 ++++++++++++++++++++++ src/wtp/config.ktv | 2 +- 7 files changed, 32 insertions(+), 15 deletions(-) diff --git a/src/ac/config.ktv b/src/ac/config.ktv index 155b895d..85bb0021 100644 --- a/src/ac/config.ktv +++ b/src/ac/config.ktv @@ -2,6 +2,7 @@ capwap/ac-descriptor/hardware/version:Bstr16: "ACTube 1.0" capwap/ac-descriptor/hardware/vendor:Bastr16: 12346 capwap/ssl-cert:Str: "/usr/local/etc/ssl/tube.ssl" capwap/ssl-key:Str: "/usr/local/etc/key" +capwap/ssl-dhbits:Word: 2048 ac-descriptor/stations:Word:05 ac-descriptor/station-limit:Word:6 @@ -15,7 +16,8 @@ ac-descriptor/hardware/vendor:Dword:1234567 ac-descriptor/hardware/version:Bstr16:"1.7.3" ac-name:Bstr16:"TubesAC" -capwap-control-ip-address/address.0:IPAddress:192.168.0.131 +capwap-control-ip-address/address.0:IPAddress:192.168.0.14 +#capwap-control-ip-address/address.0:IPAddress:192.168.0.131 #capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398 capwap-control-ip-address/wtps.0:Word:0 #capwap-control-ip-address/wtps.1:Word:11 @@ -23,7 +25,7 @@ capwap-control-ip-address/wtps.0:Word:0 capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key" capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem" -capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 +capwap/ssl-cipher:Str:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 #capwap/ssl-psk:Str:"HalloWelt" diff --git a/src/cw/conn.h b/src/cw/conn.h index f3025646..d5f42fa5 100644 --- a/src/cw/conn.h +++ b/src/cw/conn.h @@ -177,6 +177,7 @@ struct conn { char *dtls_psk; int dtls_psk_len; + int dtls_dhbits; struct cw_Mod *cmod, *bmod; diff --git a/src/cw/cw_setup_dtls.c b/src/cw/cw_setup_dtls.c index c1534223..8968da64 100644 --- a/src/cw/cw_setup_dtls.c +++ b/src/cw/cw_setup_dtls.c @@ -39,5 +39,8 @@ int cw_setup_dtls(struct conn * conn, mavl_t cfg, const char *prefix, char * de security |= CAPWAP_FLAG_AC_SECURITY_X; } + sprintf(key,"%s/%s",prefix,"ssl-dhbits"); + conn->dtls_dhbits = cw_ktv_get_word(cfg,key,1024); + return security; } \ No newline at end of file diff --git a/src/cw/dtls_gnutls.c b/src/cw/dtls_gnutls.c index f802fd57..964dc569 100644 --- a/src/cw/dtls_gnutls.c +++ b/src/cw/dtls_gnutls.c @@ -172,17 +172,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) */ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); /*#endif*/ - /* Generate Diffie-Hellman parameters - for use with DHE - * kx algorithms. When short bit length is used, it might - * be wise to regenerate parameters often. - */ - gnutls_dh_params_init(&d->dh_params); - cw_dbg(DBG_DTLS,"Generating DH params, %d",bits); - gnutls_dh_params_generate2(d->dh_params, bits); - cw_dbg(DBG_DTLS,"DH params generated, %d",bits); - - gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params); @@ -215,7 +205,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) } - rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred); if (rc < 0) { cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc)); diff --git a/src/cw/dtls_gnutls.h b/src/cw/dtls_gnutls.h index 6979bd34..44a16d74 100644 --- a/src/cw/dtls_gnutls.h +++ b/src/cw/dtls_gnutls.h @@ -35,7 +35,7 @@ const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst); struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n); extern int dtls_gnutls_shutdown(struct conn *conn); -#define CAPWAP_CIPHER "+RSA:+AES-128-CBC:+SHA1:" +#define CAPWAP_CIPHER "+DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1" /* functions used only by capwap libray */ diff --git a/src/cw/dtls_gnutls_accept.c b/src/cw/dtls_gnutls_accept.c index 67e13842..cfca75d0 100644 --- a/src/cw/dtls_gnutls_accept.c +++ b/src/cw/dtls_gnutls_accept.c @@ -43,10 +43,14 @@ int dtls_gnutls_accept(struct conn *conn) uint8_t buffer[2048]; int tlen, rc; time_t c_timer; + int bits; gnutls_datum_t cookie_key; gnutls_dtls_prestate_st prestate; + + + gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE); cw_dbg(DBG_DTLS, "Session cookie for %s generated: %s", sock_addr2str(&conn->addr,sock_buf), @@ -106,6 +110,24 @@ int dtls_gnutls_accept(struct conn *conn) if (!d) return 0; + + /* Generate Diffie-Hellman parameters - for use with DHE + * kx algorithms. When short bit length is used, it might + * be wise to regenerate parameters often. + */ + /*bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);*/ + bits = conn->dtls_dhbits; + + gnutls_dh_params_init(&d->dh_params); + + cw_dbg(DBG_DTLS,"Generating DH params, %d",bits); + gnutls_dh_params_generate2(d->dh_params, bits); + cw_dbg(DBG_DTLS,"DH params generated, %d",bits); + + gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params); + + + gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST); gnutls_dtls_prestate_set(d->session, &prestate); diff --git a/src/wtp/config.ktv b/src/wtp/config.ktv index 25d9da78..6666528a 100644 --- a/src/wtp/config.ktv +++ b/src/wtp/config.ktv @@ -4,8 +4,8 @@ capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt" capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key" +#capwap/ssl-cipher:Str: +RSA:+AES-128-CBC:+SHA1 #capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 -capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 #capwap/ssl-psk:Str:"HalloWelt" cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"