From patchwork Thu Aug 23 08:58:10 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nuno Morais X-Patchwork-Id: 961225 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="mpjvgwPr"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="R6EeXal9"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 41wyy2056Zz9s5b for ; Thu, 23 Aug 2018 18:58:50 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=cA5/3AZKJatUMRMB3FpMbrZ1mphmNSiMZp/dDnf/kiM=; b=mpjvgwPr3hVc3j 5TjfgH1s5gCepLm708rlI+zzlMuBOwBkqcFVzBwG1K4/rWsC6JKnHuNiWBGzJOuPXfStim3ftkf/p h3D/md6b7PgXU/hmFiTEl8cT9yHca9+S7KayXMVwCmlk0eG+fCMd35FZJc+YCXmnpjHYEB2WYamUR jkWpTqElqZtAYSBuVGd0abCKzrTM8kA9VN7O21Kdk+9ysdmh50Txt/j0uthSD52BIYma2YBDXPXKi LQ+viI6Pt3Myp44WD8X2K3R/l83CTLuq9H7dvrTBx3yvn+feu/CjqNUJi3zTdVxTMTTyJMdi3qvD4 TKaxwwjk/rSc0XPFzhLw==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1fslRv-00072o-LJ; Thu, 23 Aug 2018 08:58:39 +0000 Received: from mail-wm0-x22f.google.com ([2a00:1450:400c:c09::22f]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1fslRs-000701-BK for openwrt-devel@lists.openwrt.org; Thu, 23 Aug 2018 08:58:37 +0000 Received: by mail-wm0-x22f.google.com with SMTP id n11-v6so4932058wmc.2 for ; Thu, 23 Aug 2018 01:58:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=FCsOtI0zDXaG2JgK8M5u8Eq2M+wzI8VPwlH7KOh2Dbs=; b=R6EeXal97X7hnLnssdZaY2F21aWOnhDtzkqRWjB2A1dvDxPz3iwMnnVsJ6nPhS+Usg T67U3eTSez7zfntMQsqeQ5osTczXWYeVARm7EUOt2k5tQLs/hWZs9AenAlG7aPfIZaWg 9UetJ2FVVgLJ3wGGpbN3gcfqcKxOK+sm6pgOHuBJbU/HQu2ArCaRKc+jJmMSHvETzcAI qKfvjo4ErEAHH5M2Szhi1emfisedhEOjgPK3yXbTdLbywVSl2TY3gHmDAjLFHbp5eHO0 G6pDH2jjeOogozW2SBZlf/8i2It3kkcJnthQAdv52OPbt5fPi4EjtfvcYSPv+pZidk3L aixw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=FCsOtI0zDXaG2JgK8M5u8Eq2M+wzI8VPwlH7KOh2Dbs=; b=cUom4OvqjFwCa35Gj+HUhwgClyubxuv1zFOfmXEi1BUqrwQa3HiU1ZoZQDG276vc54 5iClnaUOa6umpwvDy5niNpQ0m6fns9HNkJw2KL//dnOkSSHT/I9sfWSbsEE1+n7X557j sMeG0OyDhuPAXP3bfA2luNcRsBqS5GEwE02z3uAuK1NdscLIx+8J8DbiDuCxOYy4przR sUhLUOxREU9+qd4UV8mvbgcUt5yltyL2LOQSQYNUANjJplcwdUUKy3mF1AYvf6luNQ6P hnreQcqvzKmlMYC481yjCUMa0TxFJsZ8aD5mSAIuRuwVRThHlaKwQF0H3fYJwMcNQ7AH osXA== X-Gm-Message-State: APzg51Ds2Of1+iAU9xL84Vs7GBpCH6u+cRyuwPI4DJPl24ndv9s0PcFh 94t7HlFNmB6nhU97pLWnJTqqjY1U X-Google-Smtp-Source: ANB0VdbnRCZywyI3IuwY2GRb8hymGaUv4VerTR5LUnpscXXVvK3bFuqjLDD7omxkJMGwe2RvqtsydA== X-Received: by 2002:a1c:d946:: with SMTP id q67-v6mr4523816wmg.156.1535014703893; Thu, 23 Aug 2018 01:58:23 -0700 (PDT) Received: from localhost.localdomain (bl10-198-147.dsl.telepac.pt. [85.243.198.147]) by smtp.googlemail.com with ESMTPSA id s10-v6sm4886289wrw.35.2018.08.23.01.58.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Aug 2018 01:58:23 -0700 (PDT) From: Nuno Morais To: openwrt-devel@lists.openwrt.org Date: Thu, 23 Aug 2018 09:58:10 +0100 Message-Id: <20180823085810.49661-1-nuno.mcvmorais@gmail.com> X-Mailer: git-send-email 2.18.0 In-Reply-To: <16b402dd-ace6-36ae-9658-8d6dbee226c3@phrozen.org> References: <16b402dd-ace6-36ae-9658-8d6dbee226c3@phrozen.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180823_015836_457082_F6F82403 X-CRM114-Status: GOOD ( 12.22 ) X-Spam-Score: -0.1 (/) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-0.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:400c:c09:0:0:0:22f listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (nuno.mcvmorais[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Subject: [OpenWrt-Devel] [PATCH v2] ustream-ssl: add optional mutual authentication (mTLS) X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: josecarlosvieir@hotmail.com, Nuno Morais MIME-Version: 1.0 Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org Fix tabs vs spaces, the cast to (void *) is according to the other casts. Signed-off-by: Nuno Morais Co-Developed-by: Jose Vieira --- ustream-internal.h | 1 + ustream-mbedtls.c | 10 ++++++++++ ustream-openssl.c | 12 ++++++++++++ ustream-ssl.c | 1 + ustream-ssl.h | 2 ++ 5 files changed, 26 insertions(+) diff --git a/ustream-internal.h b/ustream-internal.h index a8c534f..923e9d2 100644 --- a/ustream-internal.h +++ b/ustream-internal.h @@ -41,6 +41,7 @@ struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server); int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file); int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file); int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file); +int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth); void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx); enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us); int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len); diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index 347c600..5c644da 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -217,6 +217,16 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char return 0; } +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth) +{ + if (mutual_auth) + mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED); + else + mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + + return 0; +} + __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx) { #if defined(MBEDTLS_SSL_CACHE_C) diff --git a/ustream-openssl.c b/ustream-openssl.c index 7c72ce1..d81238d 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -154,6 +154,18 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char return 0; } +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth) +{ + + if (mutual_auth) + SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + else + SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL); + + return 0; + +} + __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx) { SSL_CTX_free((void *) ctx); diff --git a/ustream-ssl.c b/ustream-ssl.c index dd0faf9..ad80925 100644 --- a/ustream-ssl.c +++ b/ustream-ssl.c @@ -208,6 +208,7 @@ const struct ustream_ssl_ops ustream_ssl_ops = { .context_set_crt_file = __ustream_ssl_set_crt_file, .context_set_key_file = __ustream_ssl_set_key_file, .context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file, + .context_set_mutual_auth = __ustream_ssl_set_mutual_auth, .context_free = __ustream_ssl_context_free, .init = _ustream_ssl_init, .set_peer_cn = _ustream_ssl_set_peer_cn, diff --git a/ustream-ssl.h b/ustream-ssl.h index 7787788..3eb24ae 100644 --- a/ustream-ssl.h +++ b/ustream-ssl.h @@ -52,6 +52,7 @@ struct ustream_ssl_ops { int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file); int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file); int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file); + int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth); void (*context_free)(struct ustream_ssl_ctx *ctx); int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server); @@ -64,6 +65,7 @@ extern const struct ustream_ssl_ops ustream_ssl_ops; #define ustream_ssl_context_set_crt_file ustream_ssl_ops.context_set_crt_file #define ustream_ssl_context_set_key_file ustream_ssl_ops.context_set_key_file #define ustream_ssl_context_add_ca_crt_file ustream_ssl_ops.context_add_ca_crt_file +#define ustream_ssl_context_set_mutual_auth ustream_ssl_ops.context_set_mutual_auth #define ustream_ssl_context_free ustream_ssl_ops.context_free #define ustream_ssl_init ustream_ssl_ops.init #define ustream_ssl_set_peer_cn ustream_ssl_ops.set_peer_cn