diff --git a/src/capwap/Makefile b/src/capwap/Makefile index 4264ecfb..d777d9c0 100644 --- a/src/capwap/Makefile +++ b/src/capwap/Makefile @@ -154,10 +154,11 @@ CFLAGS+=$(GNUTLS_CFLAGS) CFLAGS+=-DWITH_GNUTLS DTLSOBJS+= dtls_gnutls.o \ dtls_gnutls_accept.o \ - dtls_bio.o \ - dtls_gnutls_bio.o + dtls_gnutls_bio.o \ + dtls_gnutls_get_cipher.o endif +DTLSOBJS+=dtls_bio.o CONNOBJS= conn.o \ conn_detect_capwap.o \ diff --git a/src/capwap/dtls_gnutls.c b/src/capwap/dtls_gnutls.c index 4fa80974..bcb1c570 100644 --- a/src/capwap/dtls_gnutls.c +++ b/src/capwap/dtls_gnutls.c @@ -16,15 +16,128 @@ */ +#include #include +#include "dtls_gnutls.h" + +#include "conn.h" #include "cw_log.h" +#include "cw_util.h" int dtls_gnutls_init() { cw_dbg(DBG_CW_INFO,"Init SSL library - using GnuTLS %s",gnutls_check_version(NULL)); gnutls_global_init(); - return 1; } + + +void dtls_gnutls_data_destroy(struct dtls_gnutls_data *d) +{ + free(d); +} + +int dtls_gnutls_write(struct conn * conn, const uint8_t *buffer, int len) +{ + struct dtls_gnutls_data * d = conn->dtls_data; + + int rc = gnutls_record_send(d->session,buffer,len); + + if ( rc < 0 ){ + cw_log(LOG_ERR, "DTLS - write error: %s", gnutls_strerror(rc)); + conn->dtls_error=1; + return -1; + } + + return rc; +} + + + +int dtls_gnutls_read(struct conn * conn, uint8_t *buffer, int len) +{ + struct dtls_gnutls_data * d = conn->dtls_data; + int rc = gnutls_record_recv(d->session,buffer,len); + + if ( rc == GNUTLS_E_AGAIN ) + return 0; + + if ( rc < 0 ){ + cw_log(LOG_ERR, "DTLS - read error: %s", gnutls_strerror(rc)); + conn->dtls_error=1; + return -1; + } + + return rc; +} + + +struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn) +{ + struct dtls_gnutls_data *d = malloc(sizeof(struct dtls_gnutls_data)); + if (!d) + return 0; + + gnutls_certificate_allocate_credentials(&d->x509_cred); + + + int rc; + + /* Set credentials */ + rc = gnutls_certificate_set_x509_key_file(d->x509_cred, conn->dtls_cert_file, + conn->dtls_key_file, GNUTLS_X509_FMT_PEM); + + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't set cert/key: %s", gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + + /* Set ciphers */ + const char *errpos; + rc = gnutls_priority_init(&d->priority_cache, conn->dtls_cipher, &errpos); + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher, + errpos, gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + + + rc = gnutls_init(&d->session, GNUTLS_SERVER | GNUTLS_DATAGRAM); + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + + gnutls_transport_set_ptr(d->session, conn); + + + rc = gnutls_priority_set(d->session, d->priority_cache); + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't set priority: %s", gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + + + rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred); + + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + + gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST); + + gnutls_transport_set_pull_function(d->session, dtls_gnutls_bio_read); + gnutls_transport_set_push_function(d->session, dtls_gnutls_bio_write); + + return d; +} + + diff --git a/src/capwap/dtls_gnutls.h b/src/capwap/dtls_gnutls.h index 7b8447ef..39c31680 100644 --- a/src/capwap/dtls_gnutls.h +++ b/src/capwap/dtls_gnutls.h @@ -16,6 +16,10 @@ */ +/* + * GnuTLS specific definitions for DTLS + */ + #ifndef __DTLS_GNUTLS_H #define __DTLS_GNUTLS_H @@ -23,13 +27,28 @@ #include "conn.h" - +/* "public" functions */ extern int dtls_gnutls_init(); extern int dtls_gnutls_accept(struct conn * conn); +extern int dtls_gnutls_connect(struct conn * conn); extern const char * dtls_gnutls_get_cipher(struct conn * conn); + +/* functions used only by capwap libray */ + extern ssize_t dtls_gnutls_bio_read(gnutls_transport_ptr_t b, void *out, size_t maxlen); extern ssize_t dtls_gnutls_bio_write(gnutls_transport_ptr_t b, const void *data, size_t len); +extern int dtls_gnutls_bio_wait(gnutls_transport_ptr_t ptr, unsigned int ms); +extern int dtls_gnutls_read(struct conn * conn, uint8_t *buffer, int len); +extern int dtls_gnutls_write(struct conn * conn, const uint8_t *buffer, int len); + +struct dtls_gnutls_data { + gnutls_session_t session; + gnutls_certificate_credentials_t x509_cred; + gnutls_priority_t priority_cache; +}; + +struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn); #endif diff --git a/src/capwap/dtls_gnutls_accept.c b/src/capwap/dtls_gnutls_accept.c index 636991a9..0064f3cc 100644 --- a/src/capwap/dtls_gnutls_accept.c +++ b/src/capwap/dtls_gnutls_accept.c @@ -24,146 +24,11 @@ #include -#include "dtls_gnutls.h" - #include "conn.h" #include "cw_log.h" #include "sock.h" #include "cw_util.h" - - -struct dtls_gnutls_data { - gnutls_session_t session; - gnutls_certificate_credentials_t x509_cred; - gnutls_priority_t priority_cache; -}; - -void dtls_gnutls_data_destroy(struct dtls_gnutls_data *d) -{ - free(d); -} - - - -int dtls_gnutls_read(struct conn * conn, uint8_t *buffer, int len) -{ - struct dtls_gnutls_data * d = conn->dtls_data; - int rc = gnutls_record_recv(d->session,buffer,len); - - if ( rc == GNUTLS_E_AGAIN ) - return 0; - - if ( rc < 0 ){ - cw_log(LOG_ERR, "DTLS - read error: %s", gnutls_strerror(rc)); - conn->dtls_error=1; - return -1; - } - - return rc; - -} - -int dtls_gnutls_write(struct conn * conn, const uint8_t *buffer, int len) -{ - struct dtls_gnutls_data * d = conn->dtls_data; - - int rc = gnutls_record_send(d->session,buffer,len); - - if ( rc < 0 ){ - cw_log(LOG_ERR, "DTLS - write error: %s", gnutls_strerror(rc)); - conn->dtls_error=1; - return -1; - } - - return rc; -} - - -static int pull_timeout_func(gnutls_transport_ptr_t ptr, unsigned int ms) -{ - struct conn * conn = (struct conn*)ptr; - time_t timer = cw_timer_start(ms/1000); - int rc; - - uint8_t buffer[5]; - - do { - rc = conn_q_recv_packet_peek(conn,buffer,sizeof(buffer)); - - }while(!cw_timer_timeout(timer) && rc==GNUTLS_E_AGAIN); - - return rc; - -} - -struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn) -{ - struct dtls_gnutls_data *d = malloc(sizeof(struct dtls_gnutls_data)); - if (!d) - return 0; - - gnutls_certificate_allocate_credentials(&d->x509_cred); - - - int rc; - - /* Set credentials */ - rc = gnutls_certificate_set_x509_key_file(d->x509_cred, conn->dtls_cert_file, - conn->dtls_key_file, GNUTLS_X509_FMT_PEM); - - if (rc < 0) { - cw_log(LOG_ERR, "DTLS - Can't set cert/key: %s", gnutls_strerror(rc)); - dtls_gnutls_data_destroy(d); - return 0; - } - - /* Set ciphers */ - const char *errpos; - rc = gnutls_priority_init(&d->priority_cache, conn->dtls_cipher, &errpos); - if (rc < 0) { - cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher, - errpos, gnutls_strerror(rc)); - dtls_gnutls_data_destroy(d); - return 0; - } - - - rc = gnutls_init(&d->session, GNUTLS_SERVER | GNUTLS_DATAGRAM); - if (rc < 0) { - cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc)); - dtls_gnutls_data_destroy(d); - return 0; - } - - gnutls_transport_set_ptr(d->session, conn); - - - rc = gnutls_priority_set(d->session, d->priority_cache); - if (rc < 0) { - cw_log(LOG_ERR, "DTLS - Can't set priority: %s", gnutls_strerror(rc)); - dtls_gnutls_data_destroy(d); - return 0; - } - - - rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred); - - if (rc < 0) { - cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc)); - dtls_gnutls_data_destroy(d); - return 0; - } - - gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST); - - gnutls_transport_set_pull_function(d->session, dtls_gnutls_bio_read); - gnutls_transport_set_push_function(d->session, dtls_gnutls_bio_write); - - - - return d; -} - +#include "dtls_gnutls.h" int dtls_gnutls_accept(struct conn *conn) @@ -231,7 +96,7 @@ int dtls_gnutls_accept(struct conn *conn) if (!d) return 0; - gnutls_transport_set_pull_timeout_function(d->session, pull_timeout_func); + gnutls_transport_set_pull_timeout_function(d->session, dtls_gnutls_bio_wait); gnutls_dtls_prestate_set(d->session, &prestate); c_timer = cw_timer_start(10); @@ -246,8 +111,6 @@ int dtls_gnutls_accept(struct conn *conn) return 0; } - // gnutls_certificate_allocate_credentials(&x509_cred); - cw_dbg(DBG_DTLS,"DTLS - Handshake successful"); @@ -255,12 +118,7 @@ int dtls_gnutls_accept(struct conn *conn) conn->read = dtls_gnutls_read; conn->write = dtls_gnutls_write; - return 1; } -const char *dtls_gnutls_get_cipher(struct conn *conn) -{ - return "Unknown"; -} diff --git a/src/capwap/dtls_gnutls_bio.c b/src/capwap/dtls_gnutls_bio.c index 9397c029..eccf9061 100644 --- a/src/capwap/dtls_gnutls_bio.c +++ b/src/capwap/dtls_gnutls_bio.c @@ -15,16 +15,17 @@ along with Foobar. If not, see . */ +#include +#include #include #include "dtls.h" #include "dtls_gnutls.h" +#include "cw_util.h" -#include -#include ssize_t dtls_gnutls_bio_read(gnutls_transport_ptr_t b, void *out, size_t maxlen) { @@ -45,4 +46,28 @@ ssize_t dtls_gnutls_bio_write(gnutls_transport_ptr_t b, const void *data, size_t return dtls_bio_write(conn,data,len); } +/* + * wait for an incoming packet, used by gnutls to determine if + * data is available on "asynchropnous" connections. + * + * Attention! This function only works for struct conn objects where + * queueing is enabled. Used by AC-Tube. + */ +int dtls_gnutls_bio_wait(gnutls_transport_ptr_t ptr, unsigned int ms) +{ + struct conn * conn = (struct conn*)ptr; + time_t timer = cw_timer_start(ms/1000); + int rc; + + uint8_t buffer[5]; + + do { + rc = conn_q_recv_packet_peek(conn,buffer,sizeof(buffer)); + + }while(!cw_timer_timeout(timer) && rc==GNUTLS_E_AGAIN); + + return rc; + +} +