TT#75350 update cipher lists and make the configurable

closes #918

Change-Id: I949810a7c84679eac25f65784f97fdd2e9abb07d

daemon/dtls.c

@@ -197,7 +197,7 @@ static int cert_init(void) {
 	if (!BN_set_word(exponent, 0x10001))
 		goto err;
 
-	if (!RSA_generate_key_ex(rsa, 1024, exponent, NULL))
+	if (!RSA_generate_key_ex(rsa, rtpe_config.dtls_rsa_key_size, exponent, NULL))
 		goto err;
 
 	if (!EVP_PKEY_assign_RSA(pkey, rsa))
@@ -247,7 +247,7 @@ static int cert_init(void) {
 
 	/* sign it */
 
-	if (!X509_sign(x509, pkey, EVP_sha1()))
+	if (!X509_sign(x509, pkey, rtpe_config.dtls_signature == 1 ? EVP_sha1() : EVP_sha256()))
 		goto err;
 
 	/* digest */
@@ -513,7 +513,7 @@ int dtls_connection_init(struct dtls_connection *d, struct packet_stream *ps, in
 	SSL_CTX_set_verify(d->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 			verify_callback);
 	SSL_CTX_set_verify_depth(d->ssl_ctx, 4);
-	SSL_CTX_set_cipher_list(d->ssl_ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+	SSL_CTX_set_cipher_list(d->ssl_ctx, rtpe_config.dtls_ciphers);
 
 	if (SSL_CTX_set_tlsext_use_srtp(d->ssl_ctx, ciphers_str))
 		goto error;

daemon/main.c

@@ -71,6 +71,9 @@ struct rtpengine_config rtpe_config = {
 	.rec_method = "pcap",
 	.rec_format = "raw",
 	.media_num_threads = -1,
+	.dtls_rsa_key_size = 2048,
+	.dtls_ciphers = "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK",
+	.dtls_signature = 256,
 };
 
 
@@ -310,6 +313,7 @@ static void options(int *argc, char ***argv) {
 	double max_cpu = 0;
 	char *dtmf_udp_ep = NULL;
 	char *endpoint_learning = NULL;
+	char *dtls_sig = NULL;
 
 	GOptionEntry e[] = {
 		{ "table",	't', 0, G_OPTION_ARG_INT,	&rtpe_config.kernel_table,		"Kernel table to use",		"INT"		},
@@ -380,6 +384,9 @@ static void options(int *argc, char ***argv) {
 		{ "jitter-buffer",0, 0,	G_OPTION_ARG_INT,	&rtpe_config.jb_length,	"Size of jitter buffer",		"INT" },
 		{ "jb-clock-drift",0,0,	G_OPTION_ARG_NONE,	&rtpe_config.jb_clock_drift,"Compensate for source clock drift",NULL },
 		{ "debug-srtp",0,0,	G_OPTION_ARG_NONE,	&rtpe_config.debug_srtp,"Log raw encryption details for SRTP",	NULL },
+		{ "dtls-rsa-key-size",0, 0,	G_OPTION_ARG_INT,&rtpe_config.dtls_rsa_key_size,"Size of RSA key for DTLS",	"INT"		},
+		{ "dtls-ciphers",0,  0,	G_OPTION_ARG_STRING,	&rtpe_config.dtls_ciphers,"List of ciphers for DTLS",		"STRING"	},
+		{ "dtls-signature",0,  0,G_OPTION_ARG_STRING,	&dtls_sig,		"Signature algorithm for DTLS",		"SHA-256|SHA-1"	},
 
 		{ NULL, }
 	};
@@ -570,6 +577,22 @@ static void options(int *argc, char ***argv) {
 	}
 	rtpe_config.endpoint_learning = el_config;
 
+	if (dtls_sig) {
+		if (!strcasecmp(dtls_sig, "sha-1"))
+			rtpe_config.dtls_signature = 1;
+		else if (!strcasecmp(dtls_sig, "sha1"))
+			rtpe_config.dtls_signature = 1;
+		else if (!strcasecmp(dtls_sig, "sha-256"))
+			rtpe_config.dtls_signature = 256;
+		else if (!strcasecmp(dtls_sig, "sha256"))
+			rtpe_config.dtls_signature = 256;
+		else
+			die("Invalid --dtls-signature option ('%s')", dtls_sig);
+	}
+
+	if (rtpe_config.dtls_rsa_key_size < 0)
+		die("Invalid --dtls-rsa-key-size (%i)", rtpe_config.dtls_rsa_key_size);
+
 	if (rtpe_config.jb_length < 0)
 		die("Invalid negative jitter buffer size");
 }

include/main.h

@@ -96,6 +96,9 @@ struct rtpengine_config {
 	int                     jb_length;
 	int                     jb_clock_drift;
 	int			debug_srtp;
+	int			dtls_rsa_key_size;
+	char			*dtls_ciphers;
+	int			dtls_signature;
 };