From: Nuno Morais <nuno.mcvmor...@gmail.com>
Optional mutual authentication (mTLS)
by providing a CA certificate through a new new flag "-M"
in order to verify client's identity.
For B2B applications.
This patch depends on patch
"[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)"
---
main.c | 19 +++++++++++++++----
tls.c | 38 ++++++++++++++++++++++++++++++++++++++
tls.h | 6 ++++++
3 files changed, 59 insertions(+), 4 deletions(-)
diff --git a/main.c b/main.c
index fb27665..178d710 100644
--- a/main.c
+++ b/main.c
@@ -134,6 +134,7 @@ static int usage(const char *name)
" -s [addr:]port Like -p but provide HTTPS on this
port\n"
" -C file ASN.1 server certificate file\n"
" -K file ASN.1 server private key file\n"
+ " -M file ASN.1 certificate authority certificate
file\n"
" -q Redirect all HTTP requests to HTTPS\n"
#endif
" -h directory Specify the document root, default is
'.'\n"
@@ -223,7 +224,8 @@ int main(int argc, char **argv)
int bound = 0;
#ifdef HAVE_TLS
int n_tls = 0;
- const char *tls_key = NULL, *tls_crt = NULL;
+ int n_mtls = 0;
+ const char *tls_key = NULL, *tls_crt = NULL, *ca_crt = NULL;
#endif
BUILD_BUG_ON(sizeof(uh_buf) < PATH_MAX);
@@ -232,7 +234,7 @@ int main(int argc, char **argv)
init_defaults_pre();
signal(SIGPIPE, SIG_IGN);
- while ((ch = getopt(argc, argv,
"A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ while ((ch = getopt(argc, argv,
"A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:M:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
switch(ch) {
#ifdef HAVE_TLS
case 'C':
@@ -242,6 +244,11 @@ int main(int argc, char **argv)
case 'K':
tls_key = optarg;
break;
+
+ case 'M':
+ ca_crt = optarg;
+ n_mtls++;
+ break;
case 'q':
conf.tls_redirect = 1;
@@ -477,8 +484,12 @@ int main(int argc, char **argv)
return 1;
}
- if (uh_tls_init(tls_key, tls_crt))
- return 1;
+ if (n_mtls){
+ if (uh_mtls_init(tls_key, tls_crt, ca_crt))
+ return 1;
+ } else if (uh_tls_init(tls_key, tls_crt))
+ return 1;
+
}
#endif
diff --git a/tls.c b/tls.c
index d969b82..bc1a19d 100644
--- a/tls.c
+++ b/tls.c
@@ -66,6 +66,44 @@ int uh_tls_init(const char *key, const char *crt)
return 0;
}
+int uh_mtls_init(const char *key, const char *crt, const char *ca_crt)
+{
+ static bool _init = false;
+
+ if (_init)
+ return 0;
+
+ _init = true;
+ dlh = dlopen("libustream-ssl." LIB_EXT, RTLD_LAZY | RTLD_LOCAL);
+ if (!dlh) {
+ fprintf(stderr, "Failed to load ustream-ssl library: %s\n",
dlerror());
+ return -ENOENT;
+ }
+
+ ops = dlsym(dlh, "ustream_ssl_ops");
+ if (!ops) {
+ fprintf(stderr, "Could not find required symbol
'ustream_ssl_ops' in ustream-ssl library\n");
+ return -ENOENT;
+ }
+
+ ctx = ops->context_new(true);
+
+ if (!ctx) {
+ fprintf(stderr, "Failed to initialize ustream-ssl\n");
+ return -EINVAL;
+ }
+
+ if (ops->context_set_crt_file(ctx, crt) ||
+ ops->context_set_key_file(ctx, key) ||
+ ops->context_add_ca_crt_file(ctx, ca_crt) ||
+ ops->context_set_mutual_auth(ctx, 1)) {
+ fprintf(stderr, "Failed to load certificates/key files\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static void tls_ustream_read_cb(struct ustream *s, int bytes)
{
struct client *cl = container_of(s, struct client, ssl.stream);
diff --git a/tls.h b/tls.h
index 9be74ba..620ba8f 100644
--- a/tls.h
+++ b/tls.h
@@ -22,12 +22,18 @@
#ifdef HAVE_TLS
+int uh_mtls_init(const char *key, const char *crt, const char *ca_crt);
int uh_tls_init(const char *key, const char *crt);
void uh_tls_client_attach(struct client *cl);
void uh_tls_client_detach(struct client *cl);
#else
+static inline int uh_mtls_init(const char *key, const char *crt, const char
*ca_crt)
+{
+ return -1;
+}
+
static inline int uh_tls_init(const char *key, const char *crt)
{
return -1;
--
2.18.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
