diff --git a/daemon/dtls.c b/daemon/dtls.c index f76c4772e..4b013e2fa 100644 --- a/daemon/dtls.c +++ b/daemon/dtls.c @@ -189,6 +189,7 @@ static int cert_init(void) { EVP_PKEY *pkey = NULL; BIGNUM *exponent = NULL, *serial_number = NULL; RSA *rsa = NULL; + EC_KEY *ec_key = NULL; ASN1_INTEGER *asn1_serial_number; X509_NAME *name; struct dtls_cert *new_cert; @@ -198,25 +199,51 @@ static int cert_init(void) { /* objects */ pkey = EVP_PKEY_new(); - exponent = BN_new(); - rsa = RSA_new(); serial_number = BN_new(); name = X509_NAME_new(); x509 = X509_new(); - if (!exponent || !pkey || !rsa || !serial_number || !name || !x509) + if (!pkey || !serial_number || !name || !x509) goto err; /* key */ - if (!BN_set_word(exponent, 0x10001)) - goto err; + if (rtpe_config.dtls_cert_cipher == DCC_RSA) { + ilogs(crypto, LOG_DEBUG, "Using %i-bit RSA key for DTLS certificate", + rtpe_config.dtls_rsa_key_size); - if (!RSA_generate_key_ex(rsa, rtpe_config.dtls_rsa_key_size, exponent, NULL)) - goto err; + exponent = BN_new(); + rsa = RSA_new(); - if (!EVP_PKEY_assign_RSA(pkey, rsa)) - goto err; - rsa = NULL; + if (!exponent || !rsa) + goto err; + + if (!BN_set_word(exponent, 0x10001)) + goto err; + + if (!RSA_generate_key_ex(rsa, rtpe_config.dtls_rsa_key_size, exponent, NULL)) + goto err; + + if (!EVP_PKEY_assign_RSA(pkey, rsa)) + goto err; + rsa = NULL; + } + else if (rtpe_config.dtls_cert_cipher == DCC_EC_PRIME256v1) { + ilogs(crypto, LOG_DEBUG, "Using EC-prime256v1 key for DTLS certificate"); + + ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + + if (!ec_key) + goto err; + + if (!EC_KEY_generate_key(ec_key)) + goto err; + + if (!EVP_PKEY_assign_EC_KEY(pkey, ec_key)) + goto err; + ec_key = NULL; + } + else + abort(); /* x509 cert */ @@ -311,6 +338,8 @@ err: BN_free(exponent); if (rsa) RSA_free(rsa); + if (ec_key) + EC_KEY_free(ec_key); if (x509) X509_free(x509); if (serial_number) diff --git a/daemon/main.c b/daemon/main.c index 5beadef3d..e237974d4 100644 --- a/daemon/main.c +++ b/daemon/main.c @@ -448,6 +448,7 @@ static void options(int *argc, char ***argv) { AUTO_CLEANUP_GBUF(mqtt_publish_scope); #endif AUTO_CLEANUP_GBUF(mos); + AUTO_CLEANUP_GBUF(dcc); rwlock_lock_w(&rtpe_config.config_lock); @@ -533,6 +534,7 @@ static void options(int *argc, char ***argv) { { "debug-srtp",0,0, G_OPTION_ARG_NONE, &debug_srtp, "Log raw encryption details for SRTP", NULL }, { "reject-invalid-sdp",0,0, G_OPTION_ARG_NONE, &rtpe_config.reject_invalid_sdp,"Refuse to process SDP bodies with broken syntax", NULL }, { "dtls-rsa-key-size",0, 0, G_OPTION_ARG_INT,&rtpe_config.dtls_rsa_key_size,"Size of RSA key for DTLS", "INT" }, + { "dtls-cert-cipher",0, 0,G_OPTION_ARG_STRING, &dcc, "Cipher to use for the DTLS certificate","RSA" }, { "dtls-mtu",0, 0, G_OPTION_ARG_INT,&rtpe_config.dtls_mtu,"DTLS MTU", "INT" }, { "dtls-ciphers",0, 0, G_OPTION_ARG_STRING, &rtpe_config.dtls_ciphers,"List of ciphers for DTLS", "STRING" }, { "dtls-signature",0, 0,G_OPTION_ARG_STRING, &dtls_sig, "Signature algorithm for DTLS", "SHA-256|SHA-1" }, @@ -853,6 +855,19 @@ static void options(int *argc, char ***argv) { die("Invalid --mos option ('%s')", mos); } + if (dcc) { + if (!strcasecmp(dcc, "rsa")) + rtpe_config.dtls_cert_cipher = DCC_RSA; + else if (!strcasecmp(dcc, "prime256v1")) + rtpe_config.dtls_cert_cipher = DCC_EC_PRIME256v1; + else if (!strcasecmp(dcc, "ec_prime256v1")) + rtpe_config.dtls_cert_cipher = DCC_EC_PRIME256v1; + else if (!strcasecmp(dcc, "ec-prime256v1")) + rtpe_config.dtls_cert_cipher = DCC_EC_PRIME256v1; + else + die("Invalid --dtls-cert-cipher option ('%s')", dcc); + } + rwlock_unlock_w(&rtpe_config.config_lock); } diff --git a/etc/rtpengine.conf b/etc/rtpengine.conf index 52914c8fb..aa41dce5e 100644 --- a/etc/rtpengine.conf +++ b/etc/rtpengine.conf @@ -83,6 +83,7 @@ recording-method = proc # log-facility-rtcp = local1 # debug-srtp = false # log-srtp-keys = false +# dtls-cert-cipher = prime256v1 # dtls-rsa-key-size = 2048 # dtls-mtu = 1200 # dtls-signature = sha-256 diff --git a/include/main.h b/include/main.h index f4d156fbb..12dc6f8ad 100644 --- a/include/main.h +++ b/include/main.h @@ -105,6 +105,10 @@ struct rtpengine_config { enum endpoint_learning endpoint_learning; int jb_length; int jb_clock_drift; + enum { + DCC_RSA = 0, + DCC_EC_PRIME256v1, + } dtls_cert_cipher; int dtls_rsa_key_size; int dtls_mtu; char *dtls_ciphers;