planix.org/actube
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

default params for dh implemented

Browse Source 
FossilOrigin-Name: a57ff3b0c45f4ddd9bec59ab4ce047ca1dd7729d78f12f4ad56950add5104f5b
This commit is contained in:
7u83@mail.ru 2018-04-03 22:43:13 +00:00
parent 0900d058ea
commit a39514e836
7 changed files with 32 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/ac/config.ktv
View File

@ -2,6 +2,7 @@ capwap/ac-descriptor/hardware/version:Bstr16: "ACTube 1.0"
capwap/ac-descriptor/hardware/vendor:Bastr16: 12346 capwap/ac-descriptor/hardware/vendor:Bastr16: 12346
capwap/ssl-cert:Str: "/usr/local/etc/ssl/tube.ssl" capwap/ssl-cert:Str: "/usr/local/etc/ssl/tube.ssl"
capwap/ssl-key:Str: "/usr/local/etc/key" capwap/ssl-key:Str: "/usr/local/etc/key"
capwap/ssl-dhbits:Word: 2048
ac-descriptor/stations:Word:05 ac-descriptor/stations:Word:05
ac-descriptor/station-limit:Word:6 ac-descriptor/station-limit:Word:6
@ -15,7 +16,8 @@ ac-descriptor/hardware/vendor:Dword:1234567
ac-descriptor/hardware/version:Bstr16:"1.7.3" ac-descriptor/hardware/version:Bstr16:"1.7.3"
ac-name:Bstr16:"TubesAC" ac-name:Bstr16:"TubesAC"
capwap-control-ip-address/address.0:IPAddress:192.168.0.131 capwap-control-ip-address/address.0:IPAddress:192.168.0.14
#capwap-control-ip-address/address.0:IPAddress:192.168.0.131
#capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398 #capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398
capwap-control-ip-address/wtps.0:Word:0 capwap-control-ip-address/wtps.0:Word:0
#capwap-control-ip-address/wtps.1:Word:11 #capwap-control-ip-address/wtps.1:Word:11
@ -23,7 +25,7 @@ capwap-control-ip-address/wtps.0:Word:0
capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key" capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key"
capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem" capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem"
capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 capwap/ssl-cipher:Str:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
#capwap/ssl-psk:Str:"HalloWelt" #capwap/ssl-psk:Str:"HalloWelt"

1
src/cw/conn.h
View File

@ -177,6 +177,7 @@ struct conn {
char *dtls_psk; char *dtls_psk;
int dtls_psk_len; int dtls_psk_len;
int dtls_dhbits;
struct cw_Mod *cmod, *bmod; struct cw_Mod *cmod, *bmod;

3
src/cw/cw_setup_dtls.c
View File

@ -39,5 +39,8 @@ int cw_setup_dtls(struct conn * conn, mavl_t cfg, const char *prefix, char * de
security |= CAPWAP_FLAG_AC_SECURITY_X; security |= CAPWAP_FLAG_AC_SECURITY_X;
} }
sprintf(key,"%s/%s",prefix,"ssl-dhbits");
conn->dtls_dhbits = cw_ktv_get_word(cfg,key,1024);
return security; return security;
} }

11
src/cw/dtls_gnutls.c
View File

@ -172,17 +172,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
*/ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); */ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
/*#endif*/ /*#endif*/
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
gnutls_dh_params_init(&d->dh_params);
cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
gnutls_dh_params_generate2(d->dh_params, bits);
cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
@ -215,7 +205,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
} }
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred); rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
if (rc < 0) { if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc)); cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc));

2
src/cw/dtls_gnutls.h
View File

@ -35,7 +35,7 @@ const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);
struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n); struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);
extern int dtls_gnutls_shutdown(struct conn *conn); extern int dtls_gnutls_shutdown(struct conn *conn);
#define CAPWAP_CIPHER "+RSA:+AES-128-CBC:+SHA1:" #define CAPWAP_CIPHER "+DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1"
/* functions used only by capwap libray */ /* functions used only by capwap libray */

22
src/cw/dtls_gnutls_accept.c
View File

@ -43,10 +43,14 @@ int dtls_gnutls_accept(struct conn *conn)
uint8_t buffer[2048]; uint8_t buffer[2048];
int tlen, rc; int tlen, rc;
time_t c_timer; time_t c_timer;
int bits;
gnutls_datum_t cookie_key; gnutls_datum_t cookie_key;
gnutls_dtls_prestate_st prestate; gnutls_dtls_prestate_st prestate;
gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE); gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
cw_dbg(DBG_DTLS, "Session cookie for %s generated: %s", cw_dbg(DBG_DTLS, "Session cookie for %s generated: %s",
sock_addr2str(&conn->addr,sock_buf), sock_addr2str(&conn->addr,sock_buf),
@ -106,6 +110,24 @@ int dtls_gnutls_accept(struct conn *conn)
if (!d) if (!d)
return 0; return 0;
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
/*bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);*/
bits = conn->dtls_dhbits;
gnutls_dh_params_init(&d->dh_params);
cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
gnutls_dh_params_generate2(d->dh_params, bits);
cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST); gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST);
gnutls_dtls_prestate_set(d->session, &prestate); gnutls_dtls_prestate_set(d->session, &prestate);

2
src/wtp/config.ktv
View File

@ -4,8 +4,8 @@
capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt" capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key" capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key"
#capwap/ssl-cipher:Str: +RSA:+AES-128-CBC:+SHA1
#capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 #capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
#capwap/ssl-psk:Str:"HalloWelt" #capwap/ssl-psk:Str:"HalloWelt"
cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt" cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"