From patchwork Mon Aug 20 11:11:36 2018
X-Patchwork-Submitter: Nuno Morais
X-Patchwork-Id: 959596
X-Patchwork-Delegate: blogic@openwrt.org
From: Nuno Morais
To: openwrt-devel@lists.openwrt.org
Date: Mon, 20 Aug 2018 12:11:36 +0100
Message-Id: <20180820111136.1458-1-nuno.mcvmorais@gmail.com>
Subject: [OpenWrt-Devel] [PATCH] uhttpd: add support for mutual authentication (mTLS)
From: Nuno Morais Optional mutual authentication (mTLS) by providing a CA certificate through a new flag "-M" in order to verify the client's identity. For B2B applications. This patch depends on patch "[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)" --- main.c | 19 +++++++++++++++---- tls.c | 38 ++++++++++++++++++++++++++++++++++++++ tls.h | 6 ++++++ 3 files changed, 59 insertions(+), 4 deletions(-) diff --git a/main.c b/main.c index fb27665..178d710 100644 --- a/main.c +++ b/main.c @@ -134,6 +134,7 @@ static int usage(const char *name) " -s [addr:]port Like -p but provide HTTPS on this port\n" " -C file ASN.1 server certificate file\n" " -K file ASN.1 server private key file\n" + " -M file ASN.1 certificate authority certificate file\n" " -q Redirect all HTTP requests to HTTPS\n" #endif " -h directory Specify the document root, default is '.'\n" @@ -223,7 +224,8 @@ int main(int argc, char **argv) int bound = 0; #ifdef HAVE_TLS int n_tls = 0; - const char *tls_key = NULL, *tls_crt = NULL; + int n_mtls = 0; + const char *tls_key = NULL, *tls_crt = NULL, *ca_crt = NULL; #endif BUILD_BUG_ON(sizeof(uh_buf) < PATH_MAX); @@ -232,7 +234,7 @@ int main(int argc, char **argv) init_defaults_pre(); signal(SIGPIPE, SIG_IGN); - while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { + while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:M:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { switch(ch) { #ifdef HAVE_TLS case 'C': @@ -242,6 +244,11 @@ int main(int argc, char **argv) case 'K': tls_key = optarg; break; + + case 'M': + ca_crt = optarg; + n_mtls++; + break; case 'q': conf.tls_redirect = 1; @@ -477,8 +484,12 @@ int main(int argc, char **argv) return 1; } - if (uh_tls_init(tls_key, tls_crt)) - return 1; + if (n_mtls){ + if (uh_mtls_init(tls_key, tls_crt, ca_crt)) + return 1; + } else if (uh_tls_init(tls_key, tls_crt)) + return 1; + } #endif
diff --git a/tls.c b/tls.c index d969b82..bc1a19d 100644 --- a/tls.c +++ b/tls.c @@ -66,6 +66,44 @@ int uh_tls_init(const char *key, const char *crt) return 0; } +int uh_mtls_init(const char *key, const char *crt, const char *ca_crt) +{ + static bool _init = false; + + if (_init) + return 0; + + _init = true; + dlh = dlopen("libustream-ssl." LIB_EXT, RTLD_LAZY | RTLD_LOCAL); + if (!dlh) { + fprintf(stderr, "Failed to load ustream-ssl library: %s\n", dlerror()); + return -ENOENT; + } + + ops = dlsym(dlh, "ustream_ssl_ops"); + if (!ops) { + fprintf(stderr, "Could not find required symbol 'ustream_ssl_ops' in ustream-ssl library\n"); + return -ENOENT; + } + + ctx = ops->context_new(true); + + if (!ctx) { + fprintf(stderr, "Failed to initialize ustream-ssl\n"); + return -EINVAL; + } + + if (ops->context_set_crt_file(ctx, crt) || + ops->context_set_key_file(ctx, key) || + ops->context_add_ca_crt_file(ctx, ca_crt) || + ops->context_set_mutual_auth(ctx, 1)) { + fprintf(stderr, "Failed to load certificates/key files\n"); + return -EINVAL; + } + + return 0; +} + static void tls_ustream_read_cb(struct ustream *s, int bytes) { struct client *cl = container_of(s, struct client, ssl.stream); diff --git a/tls.h b/tls.h index 9be74ba..620ba8f 100644 --- a/tls.h +++ b/tls.h @@ -22,12 +22,18 @@ #ifdef HAVE_TLS +int uh_mtls_init(const char *key, const char *crt, const char *ca_crt); int uh_tls_init(const char *key, const char *crt); void uh_tls_client_attach(struct client *cl); void uh_tls_client_detach(struct client *cl); #else +static inline int uh_mtls_init(const char *key, const char *crt, const char *ca_crt) +{ + return -1; +} + static inline int uh_tls_init(const char *key, const char *crt) { return -1;
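Review bot: the new usage() line for `-M` (main.c, hunk at -134) describes the file but not the behaviour it switches on. Passing -M is what makes uhttpd demand a client certificate and verify it against that CA, so say so in the help text, for example `" -M file ASN.1 CA certificate file; require and verify client certificates against it\n"`, and mention that it is only consulted together with -C/-K, which is what the later init hunk shows. A sentence in the commit message on how this was tested (a client without a certificate being refused) would also help reviewers.

Review bot: `n_mtls` (declared in the main() hunk at -223 and incremented in `case 'M':`) is only ever tested for non-zero, so a counter is the wrong type for it. Either make it a `bool` or drop it and test `ca_crt != NULL`, which is the condition it actually tracks. The `case 'M':` block also gets a blank line before it but none after its `break;`, unlike the neighbouring cases.

Review bot: the last main.c hunk (@@ -477,8 +484,12 @@) looks like it leaves a stray closing brace. `if (n_mtls){` is already closed by `} else if (uh_tls_init(tls_key, tls_crt))`, so the trailing `+ }` after the second `+ return 1;` has no opening brace among the added lines, and no `-` line removes an existing one; either it closes the enclosing block and the original brace should then appear as a removed line, or this does not compile. Please check and reindent. Style-wise `if (n_mtls){` needs a space before the brace, and the two branches differ only in one argument, so if uh_tls_init took an optional `ca_crt` the whole hunk would collapse to a single call.

Review bot: uh_mtls_init in tls.c duplicates uh_tls_init (its own `_init` guard, the dlopen of `"libustream-ssl." LIB_EXT`, the dlsym of `ustream_ssl_ops`, context_new, context_set_crt_file, context_set_key_file) and only appends two calls; extend uh_tls_init with a `const char *ca_crt` argument that is NULL for plain TLS and run `context_add_ca_crt_file`/`context_set_mutual_auth` under `if (ca_crt)`, so the library-loading code and the init guard exist once. Two further points in the same hunk: the single message `Failed to load certificates/key files` now also covers a bad CA file and a failed `context_set_mutual_auth`, so report the four failures separately, otherwise the operator cannot tell a bad -M from a bad -K; and since `ops` is whatever the installed libustream-ssl exports through dlsym, a uhttpd built with this patch but run against a library that predates the ustream-ssl patch it says it depends on would read `ops->context_set_mutual_auth` from beyond the ops structure that library actually provides, so the dependency needs to be pinned at the package level, not only stated in the commit message. On the failure path after context_new the freshly created `ctx` is also never released.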
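What "verify the client's identity" has to mean on the wire, as an added example that is not part of this patch or of OpenWrt: the script below builds a throwaway PKI with the openssl CLI, starts `openssl s_server -Verify` as a stand-in for a uhttpd launched with -s/-C/-K/-M (the patch under review is what adds -M, so it cannot be assumed to be installed), and then connects with no certificate, with a certificate from a foreign CA, and with one signed by the trusted CA. Only the last may be served. Port number, file names and the use of s_server are my assumptions; it needs openssl in PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not part of the uhttpd patch or of OpenWrt: an end-to-end
# check of what mutual authentication must look like on the wire. It builds
# a throwaway PKI with the openssl CLI, starts `openssl s_server -Verify`
# (standing in for a uhttpd started with -s/-C/-K/-M, since the patch under
# review is what adds -M) and connects three times:
#   1. presenting no client certificate          -> must be refused
#   2. presenting a certificate from another CA  -> must be refused
#   3. presenting a certificate signed by our CA -> must be served
# Assumptions (mine, not the patch's): openssl in PATH, a free loopback
# port, a writable temporary directory.

MTLS_PORT=$((20000 + $$ % 20000))   # arbitrary high port, assumption
MTLS_WORK=""
MTLS_SERVER_PID=""

# mtls_issue <name> <subject> [<ca-name>]: RSA key + certificate for <name>,
# self-signed when no CA is given (that is how the two CAs are made).
mtls_issue() {
    name=$1; subj=$2; ca=${3:-}
    if [ -z "$ca" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
            -keyout "$name.key" -out "$name.crt" >/dev/null 2>&1
    else
        openssl req -newkey rsa:2048 -nodes -subj "$subj" \
            -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 &&
        openssl x509 -req -days 1 -in "$name.csr" -CA "$ca.crt" \
            -CAkey "$ca.key" -CAcreateserial -out "$name.crt" >/dev/null 2>&1
    fi
}

# mtls_try <client.crt> <client.key>: one TLS connection plus an HTTP GET.
# Empty arguments mean "present no certificate". Returns 0 only if the server
# actually answered, i.e. the client passed certificate verification; a
# handshake alert (no cert, or a cert our CA did not sign) yields no reply.
mtls_try() {
    cert=$1; key=$2
    if [ -n "$cert" ]; then certargs="-cert $cert -key $key"; else certargs=""; fi
    # -quiet implies -ign_eof, so s_client waits for the server's reply (or
    # its alert) instead of quitting when stdin hits EOF. That matters with
    # TLS 1.3, where the server's verdict on the client certificate can
    # arrive after the client already considers the handshake complete.
    printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -quiet -connect "127.0.0.1:$MTLS_PORT" \
            -CAfile ca.crt $certargs 2>/dev/null |
        grep -q 'HTTP/1.0 200'
}

mtls_setup() {
    MTLS_WORK=$(mktemp -d) || return 1
    cd "$MTLS_WORK" || return 1
    mtls_issue ca           "/CN=Demo CA"               || return 1
    mtls_issue server       "/CN=localhost"    ca       || return 1
    mtls_issue client       "/CN=demo-client"  ca       || return 1
    mtls_issue rogue-ca     "/CN=Rogue CA"              || return 1
    mtls_issue rogue-client "/CN=rogue-client" rogue-ca || return 1
    # -Verify (capital V) REQUIRES a client certificate; lowercase -verify
    # only asks for one. On its own -Verify still lets the openssl app log a
    # chain error and carry on, so -verify_return_error is what turns a
    # certificate from the wrong CA into a refused connection. A server that
    # offers "mutual auth" must do both, which is what -M is meant to provide.
    openssl s_server -accept "$MTLS_PORT" -cert server.crt -key server.key \
        -CAfile ca.crt -Verify 1 -verify_return_error -www >/dev/null 2>&1 &
    MTLS_SERVER_PID=$!
    i=0                     # wait until the listener serves a known-good client
    until mtls_try client.crt client.key; do
        i=$((i + 1))
        [ "$i" -lt 20 ] || return 1
        sleep 1
    done
}

mtls_teardown() {
    [ -n "$MTLS_SERVER_PID" ] && kill "$MTLS_SERVER_PID" 2>/dev/null
    cd / && [ -n "$MTLS_WORK" ] && rm -rf "$MTLS_WORK"
    MTLS_SERVER_PID=""; MTLS_WORK=""
}

# Run the three cases; records each outcome in MTLS_NOCERT, MTLS_ROGUE and
# MTLS_VALID ("refused" or "served") and returns 0 only if the server
# behaved as a mutually-authenticating server must.
mtls_demo() {
    MTLS_NOCERT=untested; MTLS_ROGUE=untested; MTLS_VALID=untested
    if ! mtls_setup; then mtls_teardown; return 1; fi
    if mtls_try "" "";                             then MTLS_NOCERT=served; else MTLS_NOCERT=refused; fi
    if mtls_try rogue-client.crt rogue-client.key; then MTLS_ROGUE=served;  else MTLS_ROGUE=refused;  fi
    if mtls_try client.crt client.key;             then MTLS_VALID=served;  else MTLS_VALID=refused;  fi
    mtls_teardown
    printf 'no certificate: %s\nforeign CA:     %s\nour CA:         %s\n' \
        "$MTLS_NOCERT" "$MTLS_ROGUE" "$MTLS_VALID"
    [ "$MTLS_NOCERT" = refused ] && [ "$MTLS_ROGUE" = refused ] && [ "$MTLS_VALID" = served ]
}

if mtls_demo; then
    echo "OK: client certificates are enforced"
else
    echo "FAIL: the server did not enforce mutual authentication" >&2
fi
```

To run the same three probes against a uhttpd built with this patch, replace the `openssl s_server` line with `uhttpd -f -s 127.0.0.1:$MTLS_PORT -C server.crt -K server.key -M ca.crt -h "$MTLS_WORK" &` and check for the document root's response instead of s_server's status page; the help text in the patch calls the files ASN.1, so convert the PEM files with `openssl x509 -outform DER` (and `openssl pkey -outform DER` for the key) if the installed ustream-ssl backend refuses PEM. The foreign-CA case is the one worth keeping in a regression test: a server that only asks for a certificate, or that does not fail the handshake on a chain error, passes the first probe and still authenticates nobody.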