default params for dh implemented

FossilOrigin-Name: a57ff3b0c45f4ddd9bec59ab4ce047ca1dd7729d78f12f4ad56950add5104f5b
2018-04-03 22:43:13 +00:00 · 2018-04-03 22:43:13 +00:00 · a39514e836
commit a39514e836
parent 0900d058ea
7 changed files with 32 additions and 15 deletions
--- a/src/ac/config.ktv
+++ b/src/ac/config.ktv
@ -2,6 +2,7 @@ capwap/ac-descriptor/hardware/version:Bstr16: "ACTube 1.0"
 capwap/ac-descriptor/hardware/vendor:Bastr16: 12346
 capwap/ssl-cert:Str: "/usr/local/etc/ssl/tube.ssl"
 capwap/ssl-key:Str: "/usr/local/etc/key"
+capwap/ssl-dhbits:Word: 2048

 ac-descriptor/stations:Word:05
 ac-descriptor/station-limit:Word:6
@ -15,7 +16,8 @@ ac-descriptor/hardware/vendor:Dword:1234567
 ac-descriptor/hardware/version:Bstr16:"1.7.3"
 ac-name:Bstr16:"TubesAC"

-capwap-control-ip-address/address.0:IPAddress:192.168.0.131
+capwap-control-ip-address/address.0:IPAddress:192.168.0.14
+#capwap-control-ip-address/address.0:IPAddress:192.168.0.131
 #capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398
 capwap-control-ip-address/wtps.0:Word:0
 #capwap-control-ip-address/wtps.1:Word:11
@ -23,7 +25,7 @@ capwap-control-ip-address/wtps.0:Word:0

 capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key"
 capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem"
-capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
+capwap/ssl-cipher:Str:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
 #capwap/ssl-psk:Str:"HalloWelt"


--- a/src/cw/conn.h
+++ b/src/cw/conn.h
@ -177,6 +177,7 @@ struct conn {

 	char *dtls_psk;
 	int dtls_psk_len;
+	int dtls_dhbits;

 	struct cw_Mod *cmod, *bmod;

--- a/src/cw/cw_setup_dtls.c
+++ b/src/cw/cw_setup_dtls.c
@ -39,5 +39,8 @@ int cw_setup_dtls(struct conn * conn, mavl_t cfg, const char *prefix, char  * de
 		security |= CAPWAP_FLAG_AC_SECURITY_X;
 	}

+	sprintf(key,"%s/%s",prefix,"ssl-dhbits");
+	conn->dtls_dhbits = cw_ktv_get_word(cfg,key,1024);
+
 	return security;
 }
--- a/src/cw/dtls_gnutls.c
+++ b/src/cw/dtls_gnutls.c
@ -172,17 +172,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 */	bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
 /*#endif*/

-        /* Generate Diffie-Hellman parameters - for use with DHE
-         * kx algorithms. When short bit length is used, it might
-         * be wise to regenerate parameters often.
-         */
-        gnutls_dh_params_init(&d->dh_params);

-	cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
-        gnutls_dh_params_generate2(d->dh_params, bits);
-	cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
-
-        gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);



@ -215,7 +205,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 	}


-
 	rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
 	if (rc < 0) {
 		cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc));
--- a/src/cw/dtls_gnutls.h
+++ b/src/cw/dtls_gnutls.h
@ -35,7 +35,7 @@ const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);
 struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);
 extern int dtls_gnutls_shutdown(struct conn *conn);

-#define CAPWAP_CIPHER	"+RSA:+AES-128-CBC:+SHA1:"
+#define CAPWAP_CIPHER	"+DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1"


 /* functions used only by capwap libray */
--- a/src/cw/dtls_gnutls_accept.c
+++ b/src/cw/dtls_gnutls_accept.c
@ -43,10 +43,14 @@ int dtls_gnutls_accept(struct conn *conn)
 	uint8_t buffer[2048];
 	int tlen, rc;
 	time_t c_timer;
+	int bits;

 	gnutls_datum_t cookie_key;
 	gnutls_dtls_prestate_st prestate;
 	
+	
+
+	
 	gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
 	cw_dbg(DBG_DTLS, "Session cookie for %s generated: %s",
 	       sock_addr2str(&conn->addr,sock_buf), 
@ -106,6 +110,24 @@ int dtls_gnutls_accept(struct conn *conn)
 	if (!d)
 		return 0;

+
+	/* Generate Diffie-Hellman parameters - for use with DHE
+         * kx algorithms. When short bit length is used, it might
+         * be wise to regenerate parameters often.
+         */
+	/*bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);*/
+	bits = conn->dtls_dhbits;
+	
+	gnutls_dh_params_init(&d->dh_params);
+
+	cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
+        gnutls_dh_params_generate2(d->dh_params, bits);
+	cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
+
+        gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
+
+
+
 	gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST);
 	gnutls_dtls_prestate_set(d->session, &prestate);

--- a/src/wtp/config.ktv
+++ b/src/wtp/config.ktv
@ -4,8 +4,8 @@

 capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
 capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key"
+#capwap/ssl-cipher:Str: +RSA:+AES-128-CBC:+SHA1
 #capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
-capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
 #capwap/ssl-psk:Str:"HalloWelt"

 cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"