Improving gnutls

FossilOrigin-Name: 7db736ebb872c7c4ffcca6f353858c5f71db6a44404877e6b2ee3d0577794ac6
This commit is contained in:
7u83@mail.ru 2018-04-03 21:35:09 +00:00
parent 13fd5bdc27
commit fed07fb7c8
11 changed files with 88 additions and 51 deletions


@ -212,9 +212,9 @@ ssl_cert="../../ssl/certs/ac-cisco.pem"
dbg += pkt # CAPWAP packets both sent and received
dbg += pkt_dmp # Hex dump CAPWAP packets.
dbg += pkt_err # Show messages about malformed packets when detected
# dbg += dtls # Messages concerning DTLS
# dbg += -dtls_detail # DTLS in more detail
# dbg += dtls_bio # DTLS BIO operations
dbg += dtls # Messages concerning DTLS
dbg += -dtls_detail # DTLS in more detail
dbg += dtls_bio # DTLS BIO operations
# dbg += dtls_bio_dmp # HeXy dump data in BIO operations
dbg += warn # misc warnings
dbg += mod # Debugs specific to mod


@ -15,7 +15,7 @@ ac-descriptor/hardware/vendor:Dword:1234567
ac-descriptor/hardware/version:Bstr16:"1.7.3"
ac-name:Bstr16:"TubesAC"
capwap-control-ip-address/address.0:IPAddress:172.16.66.229
capwap-control-ip-address/address.0:IPAddress:192.168.0.14
#capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398
capwap-control-ip-address/wtps.0:Word:0
#capwap-control-ip-address/wtps.1:Word:11
@ -23,8 +23,9 @@ capwap-control-ip-address/wtps.0:Word:0
capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key"
capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem"
capwap/ssl-cipher:Str:NORMAL
capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
#capwap/ssl-psk:Str:"HalloWelt"
actube/listen::192.168.0.1
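Review bot: The new `capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1` has no initial keyword (NORMAL, SECURE128, NONE, ...) and no protocol-version entry, so which DTLS versions and which other algorithms remain enabled depends on how the installed GnuTLS completes an unprefixed priority string; I believe it falls back to NORMAL, but that should be confirmed, and with the dtls_gnutls.c change this string now goes straight into gnutls_priority_set_direct, so a mistake only surfaces at session setup. State the base explicitly — `NONE:` plus the version and signature entries the handshake needs if the intent is to restrict to these CBC/SHA1 suites, or `NORMAL:` if it is not. The same unprefixed string is introduced in the wtp config at the end of this commit.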


@ -133,6 +133,7 @@ int xprocess_message(struct conn *conn, uint8_t * rawmsg, int rawlen,
static int wtpman_establish_dtls(void *arg)
{
char cipherstr[512];
int dtls_ok;
char sock_buf[SOCK_ADDR_BUFSIZE];
struct wtpman *wtpman = (struct wtpman *) arg;
@ -175,9 +176,9 @@ static int wtpman_establish_dtls(void *arg)
return 0;
}
cw_dbg(DBG_DTLS, "DTLS session established with %s, cipher=%s",
sock_addr2str_p(&wtpman->conn->addr,sock_buf), dtls_get_cipher(wtpman->conn));
cw_dbg(DBG_DTLS, "DTLS session established with %s, %s",
sock_addr2str_p(&wtpman->conn->addr,sock_buf), dtls_get_cipher(wtpman->conn,cipherstr));
exit(0);
return 1;
}
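Review bot: `exit(0);` directly after the new cw_dbg call terminates the whole process as soon as the first DTLS session is established, so `return 1;` is unreachable and no WTP is ever served; if it is a debugging probe it should not be committed. The `+`/`-` markers are lost on this page, so I cannot tell whether the exit is new or pre-existing, but either way it is on the new side. `cipherstr[512]` is also passed to dtls_get_cipher without its size, so the callee cannot bound what it writes (see the note on dtls_gnutls.h). wtpman_establish_dtls starts in the first hunk and its body continues outside the second.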


@ -389,12 +389,14 @@
//#define CAPWAP_CIPHER "AES128-SHA"
*/
/*
#ifdef WITH_GNUTLS
#define CAPWAP_CIPHER "NORMAL"
#else
#define CAPWAP_CIPHER "+RSA:+AES-128-CBC:+SHA1:"
#endif
#ifdef WITH_OPENSSL
#define CAPWAP_CIPHER "ALL"
#endif
*/
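Review bot: The changed `#define CAPWAP_CIPHER` lines sit inside the `/* ... */` block that opens above them and closes here, so the new WITH_GNUTLS/WITH_OPENSSL definitions are dead text and the effective cipher string comes only from the config files. Either make one definition live or delete the commented-out block rather than editing it.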
/**


@ -111,19 +111,13 @@ static void dtls_log_cb(int level, const char * str)
if (!cw_dbg_is_level(DBG_DTLS_DETAIL))
return;
switch (level){
/* switch (level){
case 2:
case 6:
case 4:
return;
}
*/
strcpy(buf,str);
c = strchr(buf,'\n');
*c=0;
@ -142,6 +136,14 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
gnutls_global_set_log_level(10);
gnutls_global_set_log_function(dtls_log_cb);
rc = gnutls_init(&d->session, config);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
gnutls_certificate_allocate_credentials(&d->x509_cred);
@ -163,12 +165,13 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
/*
#if GNUTLS_VERSION_NUMBER >= 0x030100
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_INSECURE);
#else
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_WEAK);
#endif
*/ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
/*#endif*/
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
@ -181,7 +184,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
/* Set ciphers */
/*
rc = gnutls_priority_init(&d->priority_cache, conn->dtls_cipher, &errpos);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher,
@ -191,16 +194,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
}
rc = gnutls_init(&d->session, config);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
gnutls_transport_set_ptr(d->session, conn);
rc = gnutls_priority_set(d->session, d->priority_cache);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set priority: %s", gnutls_strerror(rc));
@ -208,9 +201,18 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
return 0;
}
*/
rc = gnutls_priority_set_direct(d->session,conn->dtls_cipher,&errpos);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher,
errpos, gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
@ -219,7 +221,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
gnutls_certificate_set_verify_function(d->x509_cred,verify_cert);
gnutls_transport_set_ptr(d->session, conn);
gnutls_transport_set_pull_function(d->session, dtls_gnutls_bio_read);
gnutls_transport_set_push_function(d->session, dtls_gnutls_bio_write);
gnutls_transport_set_pull_timeout_function(d->session, dtls_gnutls_bio_wait);
@ -227,7 +229,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
#if GNUTLS_VERSION_NUMBER >= 0x030100
gnutls_handshake_set_timeout(d->session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
gnutls_dtls_set_data_mtu(d->session, conn->dtls_mtu);
#endif
gnutls_dtls_set_mtu(d->session, conn->dtls_mtu);
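Review bot: In dtls_log_cb (first hunk) the message is copied with `strcpy(buf,str)` and then `*c=0` is applied to the result of `strchr(buf,'\n')` without a NULL check, so a log line without a trailing newline dereferences NULL and one longer than `buf` (declared outside the hunk) overflows it; use `snprintf(buf, sizeof buf, "%s", str);` and `if (c) *c = 0;`. The newly live `bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);` feeds the Diffie-Hellman parameter generation described in the comment that follows it, so if dtls_gnutls_data_create runs once per connection as its name suggests, every incoming handshake now pays a safe-prime generation of HIGH size before any peer is authenticated; generating the parameters once at init, or loading fixed ones, keeps the stronger size without that per-connection cost. The `/*#endif*/` left behind and the `*/ bits = ...` sharing one line are also worth tidying. dtls_gnutls_data_create begins and ends outside these hunks.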


@ -28,10 +28,10 @@
#include "conn.h"
/* "public" functions */
extern int dtls_gnutls_init();
extern int dtls_gnutls_accept(struct conn * conn);
extern int dtls_gnutls_connect(struct conn * conn);
extern const char * dtls_gnutls_get_cipher(struct conn * conn);
int dtls_gnutls_init();
int dtls_gnutls_accept(struct conn * conn);
int dtls_gnutls_connect(struct conn * conn);
const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);
struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);
extern int dtls_gnutls_shutdown(struct conn *conn);
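Review bot: The new `char * dst` parameter on dtls_gnutls_get_cipher carries no length, so the implementation added in this commit can only sprintf blindly into whatever the caller allocated (wtpman.c passes a 512-byte stack array), and the same shape is repeated in dtls_openssl.h and dtls_openssl_get_cipher; declare it as `const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst, size_t dstlen);` so the callees can use snprintf and truncate instead of overflow. `extern` was dropped from four prototypes but kept on dtls_gnutls_shutdown on the next line; pick one convention for the header.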


@ -56,7 +56,7 @@ int dtls_gnutls_accept(struct conn *conn)
memset(&prestate, 0, sizeof(prestate));
tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));
/*tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));*/
gnutls_dtls_cookie_send(&cookie_key, &conn->addr, sizeof(conn->addr),
&prestate, (gnutls_transport_ptr_t) conn, dtls_gnutls_bio_write);
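Review bot: Commenting out `tlen = dtls_gnutls_bio_read(conn, buffer, sizeof(buffer));` leaves `buffer` and `tlen` unassigned at this point, so if they are still used after the hunk (the usual sequence passes the received datagram to gnutls_dtls_cookie_verify before falling back to gnutls_dtls_cookie_send) that later use now reads uninitialised stack. If the read genuinely moved elsewhere, delete the dead line rather than keeping it as a comment. dtls_gnutls_accept starts and ends outside the hunk.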


@ -3,7 +3,33 @@
#include "dtls_common.h"
#include "dtls_gnutls.h"
const char *dtls_gnutls_get_cipher(struct conn *conn)
const char *dtls_gnutls_get_cipher(struct conn *conn, char *dst)
{
return "Unknown";
struct dtls_gnutls_data * d;
const char *comp, *cipher, *mac, *proto, *kxname, *auth;
gnutls_kx_algorithm_t kx;
gnutls_credentials_type_t cred;
if (!conn->dtls_data){
sprintf(dst, "%s","None");
return dst;
}
d = (struct dtls_gnutls_data*)conn->dtls_data;
if ( !d->session ){
sprintf(dst, "%s","None");
return dst;
}
kx = gnutls_kx_get(d->session);
kxname = gnutls_kx_get_name(kx);
cred = gnutls_auth_get_type(d->session);
proto = gnutls_protocol_get_name(gnutls_protocol_get_version(d->session));
comp = gnutls_compression_get_name(gnutls_compression_get(d->session));
cipher = gnutls_cipher_get_name(gnutls_cipher_get(d->session));
mac = gnutls_mac_get_name(gnutls_mac_get(d->session));
sprintf(dst,"cipher: %s/%s/%s/%s/%s",proto,kxname,cipher,mac,comp);
return dst;
}
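Review bot: Each gnutls_*_get_name call can return NULL for an unknown or not-yet-negotiated algorithm, and `sprintf(dst,"cipher: %s/%s/%s/%s/%s",proto,kxname,cipher,mac,comp);` passes them to %s unguarded, which is undefined behaviour; substitute a placeholder, e.g. `#define NAME_OR(s) ((s) ? (s) : "?")` and `sprintf(dst,"cipher: %s/%s/%s/%s/%s",NAME_OR(proto),NAME_OR(kxname),NAME_OR(cipher),NAME_OR(mac),NAME_OR(comp));`. `cred` is computed and `auth` declared but neither is used; drop them or add them to the output. The function also has no way to bound its write into `dst` (see the note on dtls_gnutls.h).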


@ -53,7 +53,7 @@ extern int dtls_openssl_verify_cookie(SSL *ssl, unsigned char *cookie, unsigned
extern int dtls_openssl_read(struct conn * conn, uint8_t *buffer, int len);
extern int dtls_openssl_write(struct conn * conn, const uint8_t *buffer, int len);
extern int dtls_openssl_connect(struct conn * conn);
extern const char * dtls_openssl_get_cipher(struct conn * conn);
extern const char * dtls_openssl_get_cipher(struct conn * conn, char *dst);
extern int dtls_openssl_log_error(SSL * ssl, int rc, const char *txt);


@ -19,18 +19,23 @@
#include "dtls_openssl.h"
const char * dtls_openssl_get_cipher(struct conn * conn)
const char * dtls_openssl_get_cipher(struct conn * conn, char *dst)
{
struct dtls_openssl_data * d;
const SSL_CIPHER * c;
if (!conn->dtls_data)
return "None";
if (!conn->dtls_data){
sprintf(dst, "%s","None");
return dst;
}
d = (struct dtls_openssl_data*)conn->dtls_data;
if ( !d->ssl )
return "None";
if ( !d->ssl ){
sprintf(dst, "%s","None");
return dst;
}
c = SSL_get_current_cipher(d->ssl);
return SSL_CIPHER_get_name(c);
sprintf(dst,"%s",SSL_CIPHER_get_name(c));
return dst;
}


@ -4,7 +4,8 @@
capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key"
capwap/ssl-cipher:Str:NORMAL
#capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
#capwap/ssl-psk:Str:"HalloWelt"
cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"