default params for dh implemented
FossilOrigin-Name: a57ff3b0c45f4ddd9bec59ab4ce047ca1dd7729d78f12f4ad56950add5104f5b
@ -177,6 +177,7 @@ struct conn {
char *dtls_psk;
int dtls_psk_len;
int dtls_dhbits;
struct cw_Mod *cmod, *bmod;
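Review bot: The new `dtls_dhbits` member of `struct conn` is added without a comment, so a reader of the header cannot tell what it holds, in what unit, or where it comes from; the only places that explain it are the `ssl-dhbits` lookup in cw_setup_dtls and its use as a bit count in dtls_gnutls_accept, both in other files. Document it at the declaration: `int dtls_dhbits; /* DH parameter length in bits for DHE key exchange (config key ssl-dhbits) */`. The struct definition starts and ends outside the hunk.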
@ -39,5 +39,8 @@ int cw_setup_dtls(struct conn * conn, mavl_t cfg, const char *prefix, char * de
security |= CAPWAP_FLAG_AC_SECURITY_X;
}
sprintf(key,"%s/%s",prefix,"ssl-dhbits");
conn->dtls_dhbits = cw_ktv_get_word(cfg,key,1024);
return security;
}
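Review bot: `conn->dtls_dhbits` is stored exactly as `cw_ktv_get_word` returns it and is never range-checked, yet in dtls_gnutls_accept it becomes the bit count passed to `gnutls_dh_params_generate2`, so a zero, negative or very small configured value silently becomes the DH group size of every DHE session. Add a floor right after the lookup, for example `if (conn->dtls_dhbits < 1024) { cw_log(LOG_ERR, "DTLS - ssl-dhbits %d too small, using 1024", conn->dtls_dhbits); conn->dtls_dhbits = 1024; }`, and consider whether 1024 should stay the default, since it is below the 2048-bit minimum generally recommended for DHE today. Separately, `sprintf(key,"%s/%s",prefix,"ssl-dhbits")` follows the pattern already used in this function but places no bound on `prefix`; if `key` is a fixed-size array declared outside the hunk, `snprintf(key, sizeof key, "%s/%s", prefix, "ssl-dhbits")` is the safer form. The declaration of `key` and the start of cw_setup_dtls are outside the hunk.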
@ -172,17 +172,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
*/ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
/*#endif*/
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
gnutls_dh_params_init(&d->dh_params);
cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
gnutls_dh_params_generate2(d->dh_params, bits);
cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
@ -215,7 +205,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
}
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc));
@ -35,7 +35,7 @@ const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);
struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);
extern int dtls_gnutls_shutdown(struct conn *conn);
#define CAPWAP_CIPHER "+RSA:+AES-128-CBC:+SHA1:"
#define CAPWAP_CIPHER "+DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1"
/* functions used only by capwap libray */
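Review bot: The new `CAPWAP_CIPHER` priority string puts `+DHE-RSA` ahead of `+RSA` but still admits plain RSA key exchange, so whether a session gets forward secrecy depends on what the peer offers, and the strength of the DHE suites is bounded by the DH size that cw_setup_dtls reads from `ssl-dhbits`; neither fact is recorded at the definition. Add a comment above the define, e.g. `/* gnutls priority string: prefer DHE-RSA (forward secrecy), plain RSA kept for peers without DHE; DHE strength is limited by conn->dtls_dhbits. */`. The trailing `:` of the old string was dropped in the same edit; that is presumably harmless, but it is worth confirming against the gnutls priority syntax since nothing in the hunk explains it.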
@ -43,10 +43,14 @@ int dtls_gnutls_accept(struct conn *conn)
uint8_t buffer[2048];
int tlen, rc;
time_t c_timer;
int bits;
gnutls_datum_t cookie_key;
gnutls_dtls_prestate_st prestate;
gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
cw_dbg(DBG_DTLS, "Session cookie for %s generated: %s",
sock_addr2str(&conn->addr,sock_buf),
@ -106,6 +110,24 @@ int dtls_gnutls_accept(struct conn *conn)
if (!d)
return 0;
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
/*bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);*/
bits = conn->dtls_dhbits;
gnutls_dh_params_init(&d->dh_params);
cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
gnutls_dh_params_generate2(d->dh_params, bits);
cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST);
gnutls_dtls_prestate_set(d->session, &prestate);
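Review bot: The return values of `gnutls_dh_params_init` and `gnutls_dh_params_generate2` are ignored, so if either fails `d->dh_params` is handed to `gnutls_certificate_set_dh_params` unset and the accept proceeds as though DH were configured. `rc` is already declared in this function (`int tlen, rc;` in the earlier hunk) and the credentials-set path in dtls_gnutls_data_create shows the error style to mirror; the sketch below returns 0 on failure as the `if (!d) return 0;` path does, but whatever cleanup this function's other error paths perform for `d` is outside the hunk and should be applied here as well. `bits` is an `int` copied from config while the gnutls parameter is `unsigned int`, so a zero or negative value should be rejected before the call rather than converted silently. Generating fresh DH parameters inside every accept is also far more expensive than the rest of the handshake; unless per-session regeneration is intended (the comment above hints at it but does not say so), generating them once per credential set, for instance where they were removed from dtls_gnutls_data_create, is the usual arrangement and the comment should state which one is meant. The function continues outside the hunk.
```c
	bits = conn->dtls_dhbits;
	if (bits <= 0) {
		cw_log(LOG_ERR, "DTLS - invalid DH parameter size: %d", bits);
		return 0;
	}
	rc = gnutls_dh_params_init(&d->dh_params);
	if (rc < 0) {
		cw_log(LOG_ERR, "DTLS - Can't init DH params: %s", gnutls_strerror(rc));
		return 0;
	}
	cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
	rc = gnutls_dh_params_generate2(d->dh_params, (unsigned int)bits);
	if (rc < 0) {
		cw_log(LOG_ERR, "DTLS - Can't generate DH params: %s", gnutls_strerror(rc));
		return 0;
	}
	cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
	/* … unchanged: gnutls_certificate_set_dh_params and the rest of the accept path … */
```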