TT#172650 support EC keys for DTLS certificate

Change-Id: I695e9b334ce26c26de6a98a5d48fc930f6bebf41
3 years ago · cf076fc074
parent b171029ccf
commit cf076fc074
4 changed files with 59 additions and 10 deletions
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@ -189,6 +189,7 @@ static int cert_init(void) {
 	EVP_PKEY *pkey = NULL;
 	BIGNUM *exponent = NULL, *serial_number = NULL;
 	RSA *rsa = NULL;
+	EC_KEY *ec_key = NULL;
 	ASN1_INTEGER *asn1_serial_number;
 	X509_NAME *name;
 	struct dtls_cert *new_cert;
@ -198,25 +199,51 @@ static int cert_init(void) {
 	/* objects */

 	pkey = EVP_PKEY_new();
-	exponent = BN_new();
-	rsa = RSA_new();
 	serial_number = BN_new();
 	name = X509_NAME_new();
 	x509 = X509_new();
-	if (!exponent || !pkey || !rsa || !serial_number || !name || !x509)
+	if (!pkey || !serial_number || !name || !x509)
 		goto err;

 	/* key */

-	if (!BN_set_word(exponent, 0x10001))
-		goto err;
+	if (rtpe_config.dtls_cert_cipher == DCC_RSA) {
+		ilogs(crypto, LOG_DEBUG, "Using %i-bit RSA key for DTLS certificate",
+				rtpe_config.dtls_rsa_key_size);

-	if (!RSA_generate_key_ex(rsa, rtpe_config.dtls_rsa_key_size, exponent, NULL))
-		goto err;
+		exponent = BN_new();
+		rsa = RSA_new();

-	if (!EVP_PKEY_assign_RSA(pkey, rsa))
-		goto err;
-	rsa = NULL;
+		if (!exponent || !rsa)
+			goto err;
+
+		if (!BN_set_word(exponent, 0x10001))
+			goto err;
+
+		if (!RSA_generate_key_ex(rsa, rtpe_config.dtls_rsa_key_size, exponent, NULL))
+			goto err;
+
+		if (!EVP_PKEY_assign_RSA(pkey, rsa))
+			goto err;
+		rsa = NULL;
+	}
+	else if (rtpe_config.dtls_cert_cipher == DCC_EC_PRIME256v1) {
+		ilogs(crypto, LOG_DEBUG, "Using EC-prime256v1 key for DTLS certificate");
+
+		ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+		if (!ec_key)
+			goto err;
+
+		if (!EC_KEY_generate_key(ec_key))
+			goto err;
+
+		if (!EVP_PKEY_assign_EC_KEY(pkey, ec_key))
+			goto err;
+		ec_key = NULL;
+	}
+	else
+		abort();

 	/* x509 cert */

@ -311,6 +338,8 @@ err:
 		BN_free(exponent);
 	if (rsa)
 		RSA_free(rsa);
+	if (ec_key)
+		EC_KEY_free(ec_key);
 	if (x509)
 		X509_free(x509);
 	if (serial_number)
--- a/daemon/main.c
+++ b/daemon/main.c
@ -448,6 +448,7 @@ static void options(int *argc, char ***argv) {
 	AUTO_CLEANUP_GBUF(mqtt_publish_scope);
 #endif
 	AUTO_CLEANUP_GBUF(mos);
+	AUTO_CLEANUP_GBUF(dcc);

 	rwlock_lock_w(&rtpe_config.config_lock);

@ -533,6 +534,7 @@ static void options(int *argc, char ***argv) {
 		{ "debug-srtp",0,0,	G_OPTION_ARG_NONE,	&debug_srtp,		"Log raw encryption details for SRTP",	NULL },
 		{ "reject-invalid-sdp",0,0,	G_OPTION_ARG_NONE,	&rtpe_config.reject_invalid_sdp,"Refuse to process SDP bodies with broken syntax",	NULL },
 		{ "dtls-rsa-key-size",0, 0,	G_OPTION_ARG_INT,&rtpe_config.dtls_rsa_key_size,"Size of RSA key for DTLS",	"INT"		},
+		{ "dtls-cert-cipher",0,  0,G_OPTION_ARG_STRING,	&dcc,			"Cipher to use for the DTLS certificate","RSA"	},
 		{ "dtls-mtu",0, 0,	G_OPTION_ARG_INT,&rtpe_config.dtls_mtu,"DTLS MTU",	"INT"		},
 		{ "dtls-ciphers",0,  0,	G_OPTION_ARG_STRING,	&rtpe_config.dtls_ciphers,"List of ciphers for DTLS",		"STRING"	},
 		{ "dtls-signature",0,  0,G_OPTION_ARG_STRING,	&dtls_sig,		"Signature algorithm for DTLS",		"SHA-256|SHA-1"	},
@ -853,6 +855,19 @@ static void options(int *argc, char ***argv) {
 			die("Invalid --mos option ('%s')", mos);
 	}

+	if (dcc) {
+		if (!strcasecmp(dcc, "rsa"))
+			rtpe_config.dtls_cert_cipher = DCC_RSA;
+		else if (!strcasecmp(dcc, "prime256v1"))
+			rtpe_config.dtls_cert_cipher = DCC_EC_PRIME256v1;
+		else if (!strcasecmp(dcc, "ec_prime256v1"))
+			rtpe_config.dtls_cert_cipher = DCC_EC_PRIME256v1;
+		else if (!strcasecmp(dcc, "ec-prime256v1"))
+			rtpe_config.dtls_cert_cipher = DCC_EC_PRIME256v1;
+		else
+			die("Invalid --dtls-cert-cipher option ('%s')", dcc);
+	}
+
 	rwlock_unlock_w(&rtpe_config.config_lock);
 }

--- a/etc/rtpengine.conf
+++ b/etc/rtpengine.conf
@ -83,6 +83,7 @@ recording-method = proc
 # log-facility-rtcp = local1
 # debug-srtp = false
 # log-srtp-keys = false
+# dtls-cert-cipher = prime256v1
 # dtls-rsa-key-size = 2048
 # dtls-mtu = 1200
 # dtls-signature = sha-256
--- a/include/main.h
+++ b/include/main.h
@ -105,6 +105,10 @@ struct rtpengine_config {
 	enum endpoint_learning	endpoint_learning;
 	int                     jb_length;
 	int                     jb_clock_drift;
+	enum {
+		DCC_RSA = 0,
+		DCC_EC_PRIME256v1,
+	}			dtls_cert_cipher;
 	int			dtls_rsa_key_size;
 	int			dtls_mtu;
 	char			*dtls_ciphers;