[OpenWrt-Devel] ustream-ssl: add optional mutual authentication (mTLS)
diff mbox series

Message ID 20180820103930.32455-1-nuno.mcvmorais@gmail.com
State Changes Requested
Delegated to: John Crispin
Headers show
Series
  • [OpenWrt-Devel] ustream-ssl: add optional mutual authentication (mTLS)
Related show

Commit Message

Nuno Morais Aug. 20, 2018, 10:39 a.m. UTC
For B2B applications, mutual authentication of peers is a requirement.

Add operation to enable / disable peer authentication
adding a new operation to the ustream_ssl_ops struct
using "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT", 
and "MBEDTLS_SSL_VERIFY_REQUIRED".

Signed-off-by: Nuno Morais <nuno.mcvmorais@gmail.com>
---
 ustream-internal.h |  1 +
 ustream-mbedtls.c  | 10 ++++++++++
 ustream-openssl.c  | 12 ++++++++++++
 ustream-ssl.c      |  1 +
 ustream-ssl.h      |  2 ++
 5 files changed, 26 insertions(+)

Comments

John Crispin Aug. 22, 2018, 9:27 a.m. UTC | #1
On 20/08/18 12:39, Nuno Morais wrote:
> For B2B applications, mutual authentication of peers is a requirement.
>
> Add operation to enable / disable peer authentication
> adding a new operation to the ustream_ssl_ops struct
> using "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
> and "MBEDTLS_SSL_VERIFY_REQUIRED".

Hi,
2 nitpicks inline

> Signed-off-by: Nuno Morais <nuno.mcvmorais@gmail.com>
> ---
>   ustream-internal.h |  1 +
>   ustream-mbedtls.c  | 10 ++++++++++
>   ustream-openssl.c  | 12 ++++++++++++
>   ustream-ssl.c      |  1 +
>   ustream-ssl.h      |  2 ++
>   5 files changed, 26 insertions(+)
>
> diff --git a/ustream-internal.h b/ustream-internal.h
> index a8c534f..923e9d2 100644
> --- a/ustream-internal.h
> +++ b/ustream-internal.h
> @@ -41,6 +41,7 @@ struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server);
>   int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
>   int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
>   int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file);
> +int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth);
>   void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx);
>   enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us);
>   int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len);
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index 347c600..d859a08 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -217,6 +217,16 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
>   	return 0;
>   }
>   
> +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
> +{
> +	if(mutual_auth)
missing space betwen if and ( at various places inside the patch.
> +		mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
> +	else
> +		mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
> +
> +	return 0;
> +}
> +
>   __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
>   {
>   #if defined(MBEDTLS_SSL_CACHE_C)
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 7c72ce1..585e526 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -154,6 +154,18 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
>   	return 0;
>   }
>   
> +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
> +{
> +
> +	if(mutual_auth)
> +		SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
unneeded space between (void *) and ctx at various places inside the patch

     John


> +	else
> +		SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL);
> +
> +	return 0;
> +
> +}
> +
>   __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
>   {
>   	SSL_CTX_free((void *) ctx);
> diff --git a/ustream-ssl.c b/ustream-ssl.c
> index dd0faf9..ad80925 100644
> --- a/ustream-ssl.c
> +++ b/ustream-ssl.c
> @@ -208,6 +208,7 @@ const struct ustream_ssl_ops ustream_ssl_ops = {
>   	.context_set_crt_file = __ustream_ssl_set_crt_file,
>   	.context_set_key_file = __ustream_ssl_set_key_file,
>   	.context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
> +	.context_set_mutual_auth = __ustream_ssl_set_mutual_auth,
>   	.context_free = __ustream_ssl_context_free,
>   	.init = _ustream_ssl_init,
>   	.set_peer_cn = _ustream_ssl_set_peer_cn,
> diff --git a/ustream-ssl.h b/ustream-ssl.h
> index 7787788..3eb24ae 100644
> --- a/ustream-ssl.h
> +++ b/ustream-ssl.h
> @@ -52,6 +52,7 @@ struct ustream_ssl_ops {
>   	int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
>   	int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file);
>   	int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
> +	int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth);
>   	void (*context_free)(struct ustream_ssl_ctx *ctx);
>   
>   	int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server);
> @@ -64,6 +65,7 @@ extern const struct ustream_ssl_ops ustream_ssl_ops;
>   #define ustream_ssl_context_set_crt_file	ustream_ssl_ops.context_set_crt_file
>   #define ustream_ssl_context_set_key_file	ustream_ssl_ops.context_set_key_file
>   #define ustream_ssl_context_add_ca_crt_file	ustream_ssl_ops.context_add_ca_crt_file
> +#define ustream_ssl_context_set_mutual_auth	ustream_ssl_ops.context_set_mutual_auth
>   #define ustream_ssl_context_free		ustream_ssl_ops.context_free
>   #define ustream_ssl_init			ustream_ssl_ops.init
>   #define ustream_ssl_set_peer_cn			ustream_ssl_ops.set_peer_cn

Patch
diff mbox series

diff --git a/ustream-internal.h b/ustream-internal.h
index a8c534f..923e9d2 100644
--- a/ustream-internal.h
+++ b/ustream-internal.h
@@ -41,6 +41,7 @@  struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server);
 int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
 int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
 int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file);
+int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth);
 void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx);
 enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us);
 int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len);
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 347c600..d859a08 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -217,6 +217,16 @@  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 	return 0;
 }
 
+__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
+{
+	if(mutual_auth)
+		mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+	else
+		mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+
+	return 0;
+}
+
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
 #if defined(MBEDTLS_SSL_CACHE_C)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 7c72ce1..585e526 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -154,6 +154,18 @@  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 	return 0;
 }
 
+__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
+{
+
+	if(mutual_auth)
+		SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+	else
+		SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL);
+
+	return 0;
+
+}
+
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
 	SSL_CTX_free((void *) ctx);
diff --git a/ustream-ssl.c b/ustream-ssl.c
index dd0faf9..ad80925 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -208,6 +208,7 @@  const struct ustream_ssl_ops ustream_ssl_ops = {
 	.context_set_crt_file = __ustream_ssl_set_crt_file,
 	.context_set_key_file = __ustream_ssl_set_key_file,
 	.context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
+	.context_set_mutual_auth = __ustream_ssl_set_mutual_auth,
 	.context_free = __ustream_ssl_context_free,
 	.init = _ustream_ssl_init,
 	.set_peer_cn = _ustream_ssl_set_peer_cn,
diff --git a/ustream-ssl.h b/ustream-ssl.h
index 7787788..3eb24ae 100644
--- a/ustream-ssl.h
+++ b/ustream-ssl.h
@@ -52,6 +52,7 @@  struct ustream_ssl_ops {
 	int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
 	int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file);
 	int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
+	int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth);
 	void (*context_free)(struct ustream_ssl_ctx *ctx);
 
 	int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server);
@@ -64,6 +65,7 @@  extern const struct ustream_ssl_ops ustream_ssl_ops;
 #define ustream_ssl_context_set_crt_file	ustream_ssl_ops.context_set_crt_file
 #define ustream_ssl_context_set_key_file	ustream_ssl_ops.context_set_key_file
 #define ustream_ssl_context_add_ca_crt_file	ustream_ssl_ops.context_add_ca_crt_file
+#define ustream_ssl_context_set_mutual_auth	ustream_ssl_ops.context_set_mutual_auth
 #define ustream_ssl_context_free		ustream_ssl_ops.context_free
 #define ustream_ssl_init			ustream_ssl_ops.init
 #define ustream_ssl_set_peer_cn			ustream_ssl_ops.set_peer_cn