diff --git a/src/ac/ac.conf b/src/ac/ac.conf index b3194e8e..0a38b96a 100644 --- a/src/ac/ac.conf +++ b/src/ac/ac.conf @@ -212,9 +212,9 @@ ssl_cert="../../ssl/certs/ac-cisco.pem" dbg += pkt # CAPWAP packets both sent and received dbg += pkt_dmp # Hex dump CAPWAP packets. dbg += pkt_err # Show messages about malformed packets when detected -# dbg += dtls # Messages concerning DTLS -# dbg += -dtls_detail # DTLS in more detail -# dbg += dtls_bio # DTLS BIO operations + dbg += dtls # Messages concerning DTLS + dbg += -dtls_detail # DTLS in more detail + dbg += dtls_bio # DTLS BIO operations # dbg += dtls_bio_dmp # HeXy dump data in BIO operations dbg += warn # misc warnings dbg += mod # Debugs specific to mod diff --git a/src/ac/config.ktv b/src/ac/config.ktv index 48b98b24..53194cda 100644 --- a/src/ac/config.ktv +++ b/src/ac/config.ktv @@ -15,7 +15,7 @@ ac-descriptor/hardware/vendor:Dword:1234567 ac-descriptor/hardware/version:Bstr16:"1.7.3" ac-name:Bstr16:"TubesAC" -capwap-control-ip-address/address.0:IPAddress:172.16.66.229 +capwap-control-ip-address/address.0:IPAddress:192.168.0.14 #capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398 capwap-control-ip-address/wtps.0:Word:0 #capwap-control-ip-address/wtps.1:Word:11 @@ -23,8 +23,9 @@ capwap-control-ip-address/wtps.0:Word:0 capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key" capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem" -capwap/ssl-cipher:Str:NORMAL +capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 #capwap/ssl-psk:Str:"HalloWelt" +actube/listen::192.168.0.1 diff --git a/src/ac/wtpman.c b/src/ac/wtpman.c index 3c41f48c..9d04f9e1 100644 --- a/src/ac/wtpman.c +++ b/src/ac/wtpman.c @@ -133,6 +133,7 @@ int xprocess_message(struct conn *conn, uint8_t * rawmsg, int rawlen, static int wtpman_establish_dtls(void *arg) { + char cipherstr[512]; int dtls_ok; char sock_buf[SOCK_ADDR_BUFSIZE]; struct wtpman *wtpman = (struct wtpman *) arg; 
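Review bot: The new `actube/listen::192.168.0.1` entry has an empty type field between the two colons, while every other line in this file follows `key:Type:value` (compare `capwap-control-ip-address/address.0:IPAddress:192.168.0.14` a few lines above); if the loader requires the type, this entry will be rejected or misread. It also names 192.168.0.1 while the control address set in the same commit is 192.168.0.14 — presumably deliberate, but worth confirming. Suggested: `actube/listen:IPAddress:192.168.0.1`, or whichever type the loader expects for this key.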
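Review bot: `char cipherstr[512];` fixes a buffer size that the callee never learns: `dtls_get_cipher(wtpman->conn, cipherstr)` passes only the pointer, and both writers added in this commit (`dtls_gnutls_get_cipher` in src/cw/dtls_gnutls_get_cipher.c and `dtls_openssl_get_cipher` in src/cw/dtls_openssl_get_cipher.c) fill it with unbounded `sprintf`. The GnuTLS variant concatenates five library-supplied names, so the safe size depends on the library, not on this caller. Either pass the length as a third parameter and switch both writers to `snprintf(dst, len, ...)`, or define the size once in a shared header (for example `#define DTLS_CIPHERSTR_SIZE 512` next to the prototypes) and use it both for this array and as the bound inside the writers. The body of `wtpman_establish_dtls` continues past this hunk.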
@@ -175,9 +176,9 @@ static int wtpman_establish_dtls(void *arg) return 0; } - cw_dbg(DBG_DTLS, "DTLS session established with %s, cipher=%s", - sock_addr2str_p(&wtpman->conn->addr,sock_buf), dtls_get_cipher(wtpman->conn)); - + cw_dbg(DBG_DTLS, "DTLS session established with %s, %s", + sock_addr2str_p(&wtpman->conn->addr,sock_buf), dtls_get_cipher(wtpman->conn,cipherstr)); +exit(0); return 1; } diff --git a/src/cw/capwap.h b/src/cw/capwap.h index 8427b7ca..d6f06274 100644 --- a/src/cw/capwap.h +++ b/src/cw/capwap.h @@ -389,12 +389,14 @@ //#define CAPWAP_CIPHER "AES128-SHA" */ +/* #ifdef WITH_GNUTLS -#define CAPWAP_CIPHER "NORMAL" -#else +#define CAPWAP_CIPHER "+RSA:+AES-128-CBC:+SHA1:" +#endif +#ifdef WITH_OPENSSL #define CAPWAP_CIPHER "ALL" #endif - +*/ /** diff --git a/src/cw/dtls_gnutls.c b/src/cw/dtls_gnutls.c index 84b697b1..2e0a7f46 100644 --- a/src/cw/dtls_gnutls.c +++ b/src/cw/dtls_gnutls.c @@ -111,19 +111,13 @@ static void dtls_log_cb(int level, const char * str) if (!cw_dbg_is_level(DBG_DTLS_DETAIL)) return; - switch (level){ +/* switch (level){ case 2: case 6: case 4: return; - - } - - - - - +*/ strcpy(buf,str); c = strchr(buf,'\n'); *c=0; @@ -141,6 +135,14 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) gnutls_global_set_log_level(10); gnutls_global_set_log_function(dtls_log_cb); + + rc = gnutls_init(&d->session, config); + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + gnutls_certificate_allocate_credentials(&d->x509_cred); 
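Review bot: The added `exit(0);` right after the debug message terminates the whole AC process as soon as the first DTLS session is established, so nothing that follows `wtpman_establish_dtls` can ever run; this reads like a leftover from local testing and must not be merged. It is also placed at column 0 between the `cw_dbg(...)` statement and `return 1;`, which makes it easy to overlook on a skim. Delete the `exit(0);` line so the function falls through to `return 1;`. The opening lines of `wtpman_establish_dtls` are outside this hunk.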
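Review bot: Wrapping the whole `#ifdef WITH_GNUTLS` / `#ifdef WITH_OPENSSL` block in `/* ... */` leaves `CAPWAP_CIPHER` undefined for both backends; if any translation unit still references it (for instance as the fallback when no `capwap/ssl-cipher` is configured), it no longer compiles, and if nothing does, the block is dead text. The same commenting-out pattern is used in src/cw/dtls_gnutls.c (the `switch (level)` filter, the version `#if` around the DH bits, and the `gnutls_priority_init`/`gnutls_priority_set` sequence) and in src/cw/dtls_gnutls_accept.c (the `dtls_gnutls_bio_read` call); version control keeps the history, so delete those blocks rather than comment them out. If a compiled-in default is still wanted, keep one definition per backend, e.g. `#define CAPWAP_CIPHER "NORMAL"` under `WITH_GNUTLS`, and say in a comment that the priority string is normally taken from the configuration.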
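Review bot: Disabling the `switch (level)` filter routes every GnuTLS log level, including the levels 2/4/6 that were previously dropped, into the existing `strcpy(buf,str); c = strchr(buf,'\n'); *c=0;` sequence that follows; that sequence dereferences NULL for any message without a trailing newline and overruns `buf` for any message longer than it, and with the filter gone (and `gnutls_global_set_log_level(10)` set in the next hunk) far more messages now reach it. If the filter is really unwanted, the `level` parameter becomes unused and the commented block should be deleted, and the copy should become `snprintf(buf, sizeof buf, "%s", str); if ((c = strchr(buf, '\n'))) *c = 0;` — the declaration of `buf` is outside this hunk, so its size cannot be checked here.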
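Review bot: The new early-failure path calls `dtls_gnutls_data_destroy(d)` before `gnutls_certificate_allocate_credentials(&d->x509_cred)` has run, so destroy now sees an unset `x509_cred` (and, after the later hunks in this file, a `priority_cache` that is never initialised at all). Previously `gnutls_init` ran after the credentials were allocated, so destroy may never have been exercised with those fields empty; if it calls the gnutls deinit functions unconditionally this is a crash on the error branch. Either have destroy skip deinit for NULL/zero fields, or make sure `d` is zero-initialised at allocation (outside this hunk) and document that the free routine tolerates partially built objects.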
@@ -163,12 +165,13 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) - +/* #if GNUTLS_VERSION_NUMBER >= 0x030100 bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_INSECURE); #else - bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_WEAK); -#endif +*/ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH); +/*#endif*/ + /* Generate Diffie-Hellman parameters - for use with DHE * kx algorithms. When short bit length is used, it might * be wise to regenerate parameters often. @@ -181,7 +184,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) /* Set ciphers */ - +/* rc = gnutls_priority_init(&d->priority_cache, conn->dtls_cipher, &errpos); if (rc < 0) { cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher, @@ -191,16 +194,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) } - rc = gnutls_init(&d->session, config); - if (rc < 0) { - cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc)); - dtls_gnutls_data_destroy(d); - return 0; - } - - gnutls_transport_set_ptr(d->session, conn); - - rc = gnutls_priority_set(d->session, d->priority_cache); if (rc < 0) { cw_log(LOG_ERR, "DTLS - Can't set priority: %s", gnutls_strerror(rc)); @@ -208,9 +201,18 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) return 0; } +*/ + rc = gnutls_priority_set_direct(d->session,conn->dtls_cipher,&errpos); + if (rc < 0) { + cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher, + errpos, gnutls_strerror(rc)); + dtls_gnutls_data_destroy(d); + return 0; + } + + rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred); - if (rc < 0) { cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc)); dtls_gnutls_data_destroy(d); 
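Review bot: Moving to `GNUTLS_SEC_PARAM_HIGH` is the right direction for DHE, but the parameters are generated inside `dtls_gnutls_data_create`, i.e. on every call (the surviving comment "Generate Diffie-Hellman parameters" says as much), and generating HIGH-strength DH parameters is orders of magnitude slower than the INSECURE/WEAK sizes replaced here. Each session set-up may therefore stall for seconds, and since set-up happens before any peer authentication, repeated connection attempts become a cheap way to burn CPU on the AC. Consider generating the parameters once at initialisation and sharing them across sessions, or — if the GnuTLS version in use is recent enough — `gnutls_certificate_set_known_dh_params(d->x509_cred, GNUTLS_SEC_PARAM_HIGH)` (available since 3.5.6) instead of generating at all. The `/* ... */` around the version `#if` also leaves the old `#else` branch in a comment; delete it rather than keeping it commented. The function starts and ends outside this hunk.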
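Review bot: With `gnutls_priority_init` commented out, `d->priority_cache` is never initialised in this function any more, yet the field still exists and any `gnutls_priority_deinit(d->priority_cache)` in `dtls_gnutls_data_destroy` would now run on garbage; either remove the field and that deinit, or guard it. `gnutls_priority_set_direct(d->session, conn->dtls_cipher, &errpos)` also re-parses the string on every session, and the strings configured in this commit (`+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1`) carry no initial keyword such as `NORMAL` or `NONE`, so what is enabled beyond the listed items — protocol versions, compression, signature algorithms — depends on how the installed GnuTLS treats a modifier-only string; confirm that against the library version and prefer an explicit initial keyword (e.g. `NORMAL:` followed by the modifiers, or `NONE:` plus the required `+VERS-DTLS1.2`/`+COMP-NULL` and signature items). Both the function start and the remaining error handling lie outside this hunk.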
@@ -219,7 +221,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) gnutls_certificate_set_verify_function(d->x509_cred,verify_cert); - + gnutls_transport_set_ptr(d->session, conn); gnutls_transport_set_pull_function(d->session, dtls_gnutls_bio_read); gnutls_transport_set_push_function(d->session, dtls_gnutls_bio_write); gnutls_transport_set_pull_timeout_function(d->session, dtls_gnutls_bio_wait); @@ -227,7 +229,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config) #if GNUTLS_VERSION_NUMBER >= 0x030100 gnutls_handshake_set_timeout(d->session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); - gnutls_dtls_set_data_mtu(d->session, conn->dtls_mtu); #endif gnutls_dtls_set_mtu(d->session, conn->dtls_mtu); diff --git a/src/cw/dtls_gnutls.h b/src/cw/dtls_gnutls.h index c423dc89..a9f22f9b 100644 --- a/src/cw/dtls_gnutls.h +++ b/src/cw/dtls_gnutls.h @@ -28,10 +28,10 @@ #include "conn.h" /* "public" functions */ -extern int dtls_gnutls_init(); -extern int dtls_gnutls_accept(struct conn * conn); -extern int dtls_gnutls_connect(struct conn * conn); -extern const char * dtls_gnutls_get_cipher(struct conn * conn); +int dtls_gnutls_init(); +int dtls_gnutls_accept(struct conn * conn); +int dtls_gnutls_connect(struct conn * conn); +const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst); struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n); extern int dtls_gnutls_shutdown(struct conn *conn); diff --git a/src/cw/dtls_gnutls_accept.c b/src/cw/dtls_gnutls_accept.c index 67e13842..927ff31a 100644 --- a/src/cw/dtls_gnutls_accept.c +++ b/src/cw/dtls_gnutls_accept.c 
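Review bot: The header now mixes declaration styles: `extern` was dropped from four prototypes but kept on `dtls_gnutls_shutdown`, and `dtls_gnutls_init()` still has an empty parameter list, which in C is an old-style declaration that disables argument checking. Use `int dtls_gnutls_init(void);` and pick one convention for `extern` across the block. The new `const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);` takes a destination with no size, so the header is the place to state the contract, e.g. `/* Writes a description of the current cipher into dst (caller-provided, see the size the implementation requires) and returns dst. */`.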
@@ -56,7 +56,7 @@ int dtls_gnutls_accept(struct conn *conn) memset(&prestate, 0, sizeof(prestate)); - tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer)); + /*tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));*/ gnutls_dtls_cookie_send(&cookie_key, &conn->addr, sizeof(conn->addr), &prestate, (gnutls_transport_ptr_t) conn, dtls_gnutls_bio_write); diff --git a/src/cw/dtls_gnutls_get_cipher.c b/src/cw/dtls_gnutls_get_cipher.c index 9e87bd97..1912d046 100644 --- a/src/cw/dtls_gnutls_get_cipher.c +++ b/src/cw/dtls_gnutls_get_cipher.c @@ -3,7 +3,33 @@ #include "dtls_common.h" #include "dtls_gnutls.h" -const char *dtls_gnutls_get_cipher(struct conn *conn) +const char *dtls_gnutls_get_cipher(struct conn *conn, char *dst) { - return "Unknown"; + struct dtls_gnutls_data * d; + const char *comp, *cipher, *mac, *proto, *kxname, *auth; + gnutls_kx_algorithm_t kx; + gnutls_credentials_type_t cred; + + if (!conn->dtls_data){ + sprintf(dst, "%s","None"); + return dst; + } + + d = (struct dtls_gnutls_data*)conn->dtls_data; + if ( !d->session ){ + sprintf(dst, "%s","None"); + return dst; + } + kx = gnutls_kx_get(d->session); + kxname = gnutls_kx_get_name(kx); + + cred = gnutls_auth_get_type(d->session); + + proto = gnutls_protocol_get_name(gnutls_protocol_get_version(d->session)); + comp = gnutls_compression_get_name(gnutls_compression_get(d->session)); + cipher = gnutls_cipher_get_name(gnutls_cipher_get(d->session)); + mac = gnutls_mac_get_name(gnutls_mac_get(d->session)); + sprintf(dst,"cipher: %s/%s/%s/%s/%s",proto,kxname,cipher,mac,comp); + + return dst; } diff --git a/src/cw/dtls_openssl.h b/src/cw/dtls_openssl.h index b038f337..27f9a2df 100644 --- a/src/cw/dtls_openssl.h +++ b/src/cw/dtls_openssl.h 
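Review bot: Commenting out `tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));` means the datagram that triggered the accept is no longer consumed before `gnutls_dtls_cookie_send` replies, so unless the caller now hands the first ClientHello over by another route (not visible in this hunk), the server answers a packet it has not actually read and the next read returns the stale one. If the read is obsolete, delete the line instead of commenting it out, and remove `tlen` and `buffer` if nothing later in `dtls_gnutls_accept` uses them; if it is not, restore it and note here where the cookie exchange expects the initial datagram to come from. The body of `dtls_gnutls_accept` continues outside this hunk.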
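Review bot: The `gnutls_*_get_name()` calls can return NULL for values the library does not recognise, and passing NULL to `%s` is undefined behaviour, so the final `sprintf` should guard each name (`proto ? proto : "?"` and likewise for `kxname`, `cipher`, `mac`, `comp`) or fall back to the previous "Unknown" result when any of them is NULL. `cred` is computed via `gnutls_auth_get_type` and `auth` is declared but neither is used; drop both, or use `cred` in the output if it was meant to be reported. `gnutls_compression_get` is deprecated in recent GnuTLS (compression support was removed in 3.6), so the comp field may need a version guard or should simply be omitted. The two early `sprintf(dst, "%s","None")` copies and the formatted write are unbounded; the caller-supplied `dst` has no length here, so a size parameter or a documented minimum size is needed before this can be considered safe.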
@@ -53,7 +53,7 @@ extern int dtls_openssl_verify_cookie(SSL *ssl, unsigned char *cookie, unsigned extern int dtls_openssl_read(struct conn * conn, uint8_t *buffer, int len); extern int dtls_openssl_write(struct conn * conn, const uint8_t *buffer, int len); extern int dtls_openssl_connect(struct conn * conn); -extern const char * dtls_openssl_get_cipher(struct conn * conn); +extern const char * dtls_openssl_get_cipher(struct conn * conn, char *dst); extern int dtls_openssl_log_error(SSL * ssl, int rc, const char *txt); diff --git a/src/cw/dtls_openssl_get_cipher.c b/src/cw/dtls_openssl_get_cipher.c index 00ad2162..3f9e3d1e 100644 --- a/src/cw/dtls_openssl_get_cipher.c +++ b/src/cw/dtls_openssl_get_cipher.c @@ -19,18 +19,23 @@ #include "dtls_openssl.h" -const char * dtls_openssl_get_cipher(struct conn * conn) +const char * dtls_openssl_get_cipher(struct conn * conn, char *dst) { struct dtls_openssl_data * d; const SSL_CIPHER * c; - if (!conn->dtls_data) - return "None"; + if (!conn->dtls_data){ + sprintf(dst, "%s","None"); + return dst; + } d = (struct dtls_openssl_data*)conn->dtls_data; - if ( !d->ssl ) - return "None"; + if ( !d->ssl ){ + sprintf(dst, "%s","None"); + return dst; + } c = SSL_get_current_cipher(d->ssl); - return SSL_CIPHER_get_name(c); + sprintf(dst,"%s",SSL_CIPHER_get_name(c)); + return dst; } diff --git a/src/wtp/config.ktv b/src/wtp/config.ktv index e1493b8f..25d9da78 100644 --- a/src/wtp/config.ktv +++ b/src/wtp/config.ktv @@ -4,7 +4,8 @@ capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt" capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key" -capwap/ssl-cipher:Str:NORMAL +#capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 +capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1 #capwap/ssl-psk:Str:"HalloWelt" cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
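Review bot: The active line `capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1` has a space after `Str:`, so the value handed to the priority parser begins with a blank, whereas the equivalent entry in src/ac/config.ktv in this same commit has none; unless the loader trims values, GnuTLS on the WTP side sees a different string from the AC side. Drop the space: `capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1`. The commented-out variant above it keeps a second copy of the string that will drift from the live one; delete it, or say in the comment why the `+RSA` form is kept for reference.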