From patchwork Thu Aug 30 13:26:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nuno Morais X-Patchwork-Id: 963875 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="lr5SWscu"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="orlPO3kD"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 421NZS2GQ9z9ryn for ; Thu, 30 Aug 2018 23:27:12 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:Message-Id: Date:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=pFg4tDomnNaKdDsBMKf22UI4gSuXS+P0xKuDryz6n3Q=; b=lr5SWscugpT2/1 94GkG/RLSbh6Sj/aKLWhrDk/N+3IEr1rhHQhZHFF291xyVF5bG/c+mlGUQ0x/x/ymzwMC9AaKela8 tNlwU9lWqcy8rSD/X+vbuJCABcqAts3NRFPm487vu3FhawwNkQJitmvqdBM7OwriTyfU/3hrEXVXp gvpqr0auw4axqv605XJ45wxji5GvP7Ii+80LBGZg0oAz1nD5PO8bmYEDDlllvush1ZxXrR07srFn2 kluoDHogKRipppxq2Mc1RxdeVMCGdWdzp46bmejDlbPlu6myktk5+y+n3Pueksy+yzPMnwVEq785k VwmxTQ514tiNPLh1XGfA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1fvMyO-0008ME-K9; Thu, 30 Aug 2018 13:26:56 +0000 Received: from mail-wm0-x231.google.com ([2a00:1450:400c:c09::231]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1fvMyK-0008LK-7M for openwrt-devel@lists.openwrt.org; Thu, 30 Aug 2018 13:26:53 +0000 Received: by mail-wm0-x231.google.com with SMTP id j25-v6so917885wmc.1 for ; Thu, 30 Aug 2018 06:26:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=ylyZl+z42zUxtwGq8leLOEyek0xsSehsnbMUZOdRHQw=; b=orlPO3kD5BYq2WkGkSOapncJ2hSpGBJzN25WB1p3vIlghtAyBCCpcmmu62l7H4sdHB yBE+GK4y/CR3sMh2wzxZB6xXSTLsePgo/QfCLdG6ZHUHlLbxL3iknS+xHe0+vSQCXOht KRAyCyP/qK+o96EDMUhLI5OMBB9vO9FYowiQ/82VNZy2wO5sKhqZyxlE0bVXxig5C+Kg gSQKfR2VTgabbTP1gahAgvd1w96V/tdfJ2uTQRY26izAe7+wA6afazPDI6PNWWpGqruz AifYxNxf+6xbYK8AiSYijtNkTJRLFNi2boQoDIcVHb+yiuWDGhBUdZ6UO+8355gH8luP LRNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=ylyZl+z42zUxtwGq8leLOEyek0xsSehsnbMUZOdRHQw=; b=h8YrabZfLCGeEgWxUCxfanMVcPX6Toqd+sq9M9PvrS4ISpXXOWU0AyAB2upCzX+G8p nquZ6GgVz/26p2JPBQ6etMKQd0jPAOGtE7hF5Q83RTiqzivL2ixvUXLeKxPYZ/s6zY7L 0q1C4lNnZaTu7nl9UPikKBx42b7C7sJN5KbGwWRMqqCMMhMKighYOybevKYkMNabmRyf WLWAlT9RwSK3jmepX1yD48c7ujj1du7F8b/DYJ5eQh0IDqqK9gnBQMElRDDH1ODmG47v Z6S9LUZ1NNcrwETnE3Fr6XOTAVVA+OOF8kA/jTVEmD9Ot3pSg4CsaTjK2ABXIEE6+TDL OJdA== X-Gm-Message-State: APzg51A0tck/0Cme57lDTH0yYwe/xcw2Opi375ina3ZzGJDaTNWQ4dGw kxT1AEB0RrbLhRJBAvuVoH7mB8/1 X-Google-Smtp-Source: ANB0VdZYMEHUtKcxMTA7GFOh6pdhUGCsUjrCd5YAyEHK2A8cRY9rAoRW12JqExhg9M68bEOQoiCrPA== X-Received: by 2002:a7b:c04c:: with SMTP id u12-v6mr1896185wmc.24.1535635599611; Thu, 30 Aug 2018 06:26:39 -0700 (PDT) Received: from localhost.localdomain (bl10-198-147.dsl.telepac.pt. [85.243.198.147]) by smtp.googlemail.com with ESMTPSA id t9-v6sm17073598wra.91.2018.08.30.06.26.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Aug 2018 06:26:38 -0700 (PDT) From: Nuno Morais To: openwrt-devel@lists.openwrt.org Date: Thu, 30 Aug 2018 14:26:19 +0100 Message-Id: <20180830132619.75906-1-nuno.mcvmorais@gmail.com> X-Mailer: git-send-email 2.18.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180830_062652_291998_2BEC5B61 X-CRM114-Status: GOOD ( 14.31 ) X-Spam-Score: -0.1 (/) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-0.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:400c:c09:0:0:0:231 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (nuno.mcvmorais[at]gmail.com) -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Subject: [OpenWrt-Devel] [PATCH v2] uhttpd: add support for mutual authentication (mTLS) X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: josecarlosvieir@hotmail.com, Nuno Morais MIME-Version: 1.0 Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org From: Nuno Morais Fix tabs vs spaces Add new optional argument to function header to add CA_certificate to avoid replicated code This patch depends on patch "[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)" Signed-off-by: Nuno Morais Co-Developed-by: Jose Vieira --- main.c | 18 ++++++++++++++---- tls.c | 20 ++++++++++++++++---- tls.h | 4 ++-- 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/main.c b/main.c index 219e37e..ec9da85 100644 --- a/main.c +++ b/main.c @@ -139,6 +139,7 @@ static int usage(const char *name) " -s [addr:]port Like -p but provide HTTPS on this port\n" " -C file ASN.1 server certificate file\n" " -K file ASN.1 server private key file\n" + " -M file ASN.1 certificate authority certificate file\n" " -q Redirect all HTTP requests to HTTPS\n" #endif " -h directory Specify the document root, default is '.'\n" @@ -246,7 +247,8 @@ int main(int argc, char **argv) int bound = 0; #ifdef HAVE_TLS int n_tls = 0; - const char *tls_key = NULL, *tls_crt = NULL; + int n_mtls = 0; + const char *tls_key = NULL, *tls_crt = NULL, *ca_crt = NULL; #endif #ifdef HAVE_LUA const char *lua_prefix = NULL, *lua_handler = NULL; @@ -258,7 +260,7 @@ int main(int argc, char **argv) init_defaults_pre(); signal(SIGPIPE, SIG_IGN); - while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { + while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:M:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { switch(ch) { #ifdef HAVE_TLS case 'C': @@ -269,6 +271,11 @@ int main(int argc, char **argv) tls_key = optarg; break; + case 'M': + ca_crt = optarg; + n_mtls++; + break; + case 'q': conf.tls_redirect = 1; break; @@ -520,8 +527,11 @@ int main(int argc, char **argv) return 1; } - if (uh_tls_init(tls_key, tls_crt)) - return 1; + if (n_mtls){ + if (uh_tls_init(tls_key, tls_crt, ca_crt)) + return 1; + } else if (uh_tls_init(tls_key, tls_crt, '\0')) + return 1; } #endif diff --git a/tls.c b/tls.c index d969b82..1b1ba52 100644 --- a/tls.c +++ b/tls.c @@ -31,9 +31,16 @@ static struct ustream_ssl_ops *ops; static void *dlh; static void *ctx; -int uh_tls_init(const char *key, const char *crt) +int uh_tls_init(const char *key, const char *crt, ...) { static bool _init = false; + const char *srv_crt, *ca_crt; + va_list arg; + + va_start(arg, crt); + srv_crt = crt; + ca_crt = va_arg(arg, const char *); + va_end(arg); if (_init) return 0; @@ -57,10 +64,15 @@ int uh_tls_init(const char *key, const char *crt) return -EINVAL; } - if (ops->context_set_crt_file(ctx, crt) || - ops->context_set_key_file(ctx, key)) { + if (ops->context_set_crt_file(ctx, srv_crt) || + ops->context_set_key_file(ctx, key)) { fprintf(stderr, "Failed to load certificate/key files\n"); - return -EINVAL; + } + + if(ca_crt){ + if(ops->context_add_ca_crt_file(ctx, ca_crt)) + return -EINVAL; + else ops->context_set_mutual_auth(ctx, 1); } return 0; diff --git a/tls.h b/tls.h index 9be74ba..7e437dd 100644 --- a/tls.h +++ b/tls.h @@ -22,13 +22,13 @@ #ifdef HAVE_TLS -int uh_tls_init(const char *key, const char *crt); +int uh_tls_init(const char *key, const char *crt, ...); void uh_tls_client_attach(struct client *cl); void uh_tls_client_detach(struct client *cl); #else -static inline int uh_tls_init(const char *key, const char *crt) +static inline int uh_tls_init(const char *key, const char *crt, ...) { return -1; }