Improving gnutls

FossilOrigin-Name: 7db736ebb872c7c4ffcca6f353858c5f71db6a44404877e6b2ee3d0577794ac6

src/ac/ac.conf

@@ -212,9 +212,9 @@ ssl_cert="../../ssl/certs/ac-cisco.pem"
  dbg += pkt          	# CAPWAP packets both sent and received
  dbg += pkt_dmp      	# Hex dump CAPWAP packets.
  dbg += pkt_err      	# Show messages about malformed packets when detected
-# dbg += dtls         	# Messages concerning DTLS
+ dbg += dtls         	# Messages concerning DTLS
-# dbg += -dtls_detail	# DTLS in more detail
+ dbg += -dtls_detail	# DTLS in more detail
-# dbg += dtls_bio	# DTLS BIO operations
+ dbg += dtls_bio	# DTLS BIO operations
 # dbg += dtls_bio_dmp	# HeXy dump data in BIO operations
  dbg += warn		# misc warnings	
  dbg += mod		# Debugs specific to  mod

src/ac/config.ktv

@@ -15,7 +15,7 @@ ac-descriptor/hardware/vendor:Dword:1234567
 ac-descriptor/hardware/version:Bstr16:"1.7.3"
 ac-name:Bstr16:"TubesAC"
 
-capwap-control-ip-address/address.0:IPAddress:172.16.66.229
+capwap-control-ip-address/address.0:IPAddress:192.168.0.14
 #capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398
 capwap-control-ip-address/wtps.0:Word:0
 #capwap-control-ip-address/wtps.1:Word:11
@@ -23,8 +23,9 @@ capwap-control-ip-address/wtps.0:Word:0
 
 capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key"
 capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem"
-capwap/ssl-cipher:Str:NORMAL
+capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
 #capwap/ssl-psk:Str:"HalloWelt"
 
 
+actube/listen::192.168.0.1
 

src/ac/wtpman.c

@@ -133,6 +133,7 @@ int xprocess_message(struct conn *conn, uint8_t * rawmsg, int rawlen,
 
 static int wtpman_establish_dtls(void *arg)
 {
+	char cipherstr[512];
 	int dtls_ok;
 	char sock_buf[SOCK_ADDR_BUFSIZE];
 	struct wtpman *wtpman = (struct wtpman *) arg;
@@ -175,9 +176,9 @@ static int wtpman_establish_dtls(void *arg)
 		return 0;
 	}
 
-	cw_dbg(DBG_DTLS, "DTLS session established with %s, cipher=%s",
+	cw_dbg(DBG_DTLS, "DTLS session established with %s, %s",
-	       sock_addr2str_p(&wtpman->conn->addr,sock_buf), dtls_get_cipher(wtpman->conn));
+	       sock_addr2str_p(&wtpman->conn->addr,sock_buf), dtls_get_cipher(wtpman->conn,cipherstr));
-
+exit(0);
 	return 1;
 }
 

src/cw/capwap.h

@@ -389,12 +389,14 @@
 //#define CAPWAP_CIPHER "AES128-SHA"
 */
 
+/*
 #ifdef WITH_GNUTLS
-#define CAPWAP_CIPHER	"NORMAL"
+#define CAPWAP_CIPHER	"+RSA:+AES-128-CBC:+SHA1:"
-#else
+#endif
+#ifdef WITH_OPENSSL
 #define CAPWAP_CIPHER	"ALL"
 #endif
-
+*/
 
 
 /**

src/cw/dtls_gnutls.c

@@ -111,19 +111,13 @@ static void dtls_log_cb(int level, const char * str)
 	if (!cw_dbg_is_level(DBG_DTLS_DETAIL))
 		return;
 
-	switch (level){
+/*	switch (level){
 		case 2:
 		case 6:
 		case 4:
 			return;
-
-
 	}
-
+*/
-
-	
-	
-
 	strcpy(buf,str);
 	c = strchr(buf,'\n');
 	*c=0;
@@ -141,6 +135,14 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 
 	gnutls_global_set_log_level(10);
 	gnutls_global_set_log_function(dtls_log_cb);
+	
+	rc = gnutls_init(&d->session, config); 
+	if (rc < 0) {
+		cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc));
+		dtls_gnutls_data_destroy(d);
+		return 0;
+	}
+
 
 	gnutls_certificate_allocate_credentials(&d->x509_cred);
 
@@ -163,12 +165,13 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 
 
 
-
+/*
 #if GNUTLS_VERSION_NUMBER >= 0x030100
 	bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_INSECURE);
 #else
-	bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_WEAK);
+*/	bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
-#endif
+/*#endif*/
+
         /* Generate Diffie-Hellman parameters - for use with DHE
          * kx algorithms. When short bit length is used, it might
          * be wise to regenerate parameters often.
@@ -181,7 +184,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 
 
 	/* Set ciphers */
-	
+/*
 	rc = gnutls_priority_init(&d->priority_cache, conn->dtls_cipher, &errpos);
 	if (rc < 0) {
 		cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher,
@@ -191,16 +194,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 	}
 
 
-	rc = gnutls_init(&d->session, config); 
-	if (rc < 0) {
-		cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc));
-		dtls_gnutls_data_destroy(d);
-		return 0;
-	}
-
-	gnutls_transport_set_ptr(d->session, conn);
-
-
 	rc = gnutls_priority_set(d->session, d->priority_cache);
 	if (rc < 0) {
 		cw_log(LOG_ERR, "DTLS - Can't set priority: %s", gnutls_strerror(rc));
@@ -208,9 +201,18 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 		return 0;
 	}
 
+*/
+	rc = gnutls_priority_set_direct(d->session,conn->dtls_cipher,&errpos);
+	if (rc < 0) {
+		cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher,
+		       errpos, gnutls_strerror(rc));
+		dtls_gnutls_data_destroy(d);
+		return 0;
+	}
+
+
 
 	rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
-
 	if (rc < 0) {
 		cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc));
 		dtls_gnutls_data_destroy(d);
@@ -219,7 +221,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 
 	gnutls_certificate_set_verify_function(d->x509_cred,verify_cert);
 
-
+	gnutls_transport_set_ptr(d->session, conn);
 	gnutls_transport_set_pull_function(d->session, dtls_gnutls_bio_read);
 	gnutls_transport_set_push_function(d->session, dtls_gnutls_bio_write);
 	gnutls_transport_set_pull_timeout_function(d->session, dtls_gnutls_bio_wait);
@@ -227,7 +229,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
 
 #if GNUTLS_VERSION_NUMBER >= 0x030100
 	gnutls_handshake_set_timeout(d->session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
-
 	gnutls_dtls_set_data_mtu(d->session, conn->dtls_mtu);
 #endif
 	gnutls_dtls_set_mtu(d->session, conn->dtls_mtu);

src/cw/dtls_gnutls.h

@@ -28,10 +28,10 @@
 #include "conn.h"
 
 /* "public" functions */
-extern int dtls_gnutls_init();
+int dtls_gnutls_init();
-extern int dtls_gnutls_accept(struct conn * conn);
+int dtls_gnutls_accept(struct conn * conn);
-extern int dtls_gnutls_connect(struct conn * conn);
+int dtls_gnutls_connect(struct conn * conn);
-extern const char * dtls_gnutls_get_cipher(struct conn * conn);
+const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);
 struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);
 extern int dtls_gnutls_shutdown(struct conn *conn);
 

src/cw/dtls_gnutls_accept.c

@@ -56,7 +56,7 @@ int dtls_gnutls_accept(struct conn *conn)
 
 	memset(&prestate, 0, sizeof(prestate));
 
-	tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));
+	/*tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));*/
 
 	gnutls_dtls_cookie_send(&cookie_key, &conn->addr, sizeof(conn->addr),
 				&prestate, (gnutls_transport_ptr_t) conn, dtls_gnutls_bio_write);

src/cw/dtls_gnutls_get_cipher.c

@@ -3,7 +3,33 @@
 #include "dtls_common.h"
 #include "dtls_gnutls.h"
 
-const char *dtls_gnutls_get_cipher(struct conn *conn)
+const char *dtls_gnutls_get_cipher(struct conn *conn, char *dst)
 {
-	return "Unknown";
+	struct dtls_gnutls_data * d;
+	const char *comp, *cipher, *mac, *proto, *kxname, *auth;
+	gnutls_kx_algorithm_t kx;
+	gnutls_credentials_type_t cred;
+	
+	if (!conn->dtls_data){
+		sprintf(dst, "%s","None");
+		return dst;
+	}
+
+	d = (struct dtls_gnutls_data*)conn->dtls_data;
+	if ( !d->session ){
+		sprintf(dst, "%s","None");
+		return dst;
+	}
+	kx = gnutls_kx_get(d->session);
+	kxname = gnutls_kx_get_name(kx);
+
+	cred = gnutls_auth_get_type(d->session);
+
+	proto = gnutls_protocol_get_name(gnutls_protocol_get_version(d->session));
+	comp = gnutls_compression_get_name(gnutls_compression_get(d->session));
+	cipher = gnutls_cipher_get_name(gnutls_cipher_get(d->session));
+	mac = gnutls_mac_get_name(gnutls_mac_get(d->session));
+	sprintf(dst,"cipher: %s/%s/%s/%s/%s",proto,kxname,cipher,mac,comp);
+
+	return dst;
 }

src/cw/dtls_openssl.h

@@ -53,7 +53,7 @@ extern int dtls_openssl_verify_cookie(SSL *ssl, unsigned char *cookie, unsigned
 extern int dtls_openssl_read(struct conn * conn, uint8_t *buffer, int len);
 extern int dtls_openssl_write(struct conn * conn, const uint8_t *buffer, int len);
 extern int dtls_openssl_connect(struct conn * conn);
-extern const char * dtls_openssl_get_cipher(struct conn * conn);
+extern const char * dtls_openssl_get_cipher(struct conn * conn, char *dst);
 
 extern int dtls_openssl_log_error(SSL * ssl, int rc, const char *txt);
 

src/cw/dtls_openssl_get_cipher.c

@@ -19,18 +19,23 @@
 
 #include "dtls_openssl.h"
 
-const char * dtls_openssl_get_cipher(struct conn * conn)
+const char * dtls_openssl_get_cipher(struct conn * conn, char *dst)
 {
 	struct dtls_openssl_data * d;
 	const SSL_CIPHER * c;
-	if (!conn->dtls_data)
+	if (!conn->dtls_data){
-		return "None";
+		sprintf(dst, "%s","None");
+		return dst;
+	}
 
 	d = (struct dtls_openssl_data*)conn->dtls_data;
 
-	if ( !d->ssl )
+	if ( !d->ssl ){
-		return "None";
+		sprintf(dst, "%s","None");
+		return dst;
+	}
 
 	c = SSL_get_current_cipher(d->ssl);
-	return SSL_CIPHER_get_name(c);
+	sprintf(dst,"%s",SSL_CIPHER_get_name(c));
+	return dst;
 }

src/wtp/config.ktv

@@ -4,7 +4,8 @@
 
 capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
 capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key"
-capwap/ssl-cipher:Str:NORMAL
+#capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
+capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
 #capwap/ssl-psk:Str:"HalloWelt"
 
 cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"