From patchwork Thu Aug 23 09:34:24 2018
X-Patchwork-Submitter: Nuno Morais
X-Patchwork-Id: 961241
From: Nuno Morais
To: openwrt-devel@lists.openwrt.org
Cc: josecarlosvieir@hotmail.com, Nuno Morais
Date: Thu, 23 Aug 2018 10:34:24 +0100
Message-Id: <20180823093424.53566-1-nuno.mcvmorais@gmail.com>
In-Reply-To: <20180820111136.1458-1-nuno.mcvmorais@gmail.com>
References: <20180820111136.1458-1-nuno.mcvmorais@gmail.com>
X-Mailer: git-send-email 2.18.0
Subject: [OpenWrt-Devel] [PATCH v2] uhttpd: add support for mutual authentication (mTLS)

From: Nuno Morais

Fix tabs vs spaces

Add new optional argument to function header to add CA_certificate to avoid replicated code

This patch depends on patch "[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)"
Signed-off-by: Nuno Morais Co-Developed-by: Jose Vieira --- main.c | 18 ++++++++++++++---- tls.c | 20 ++++++++++++++++---- tls.h | 4 ++-- 3 files changed, 32 insertions(+), 10 deletions(-) diff --git a/main.c b/main.c index 219e37e..ec9da85 100644 --- a/main.c +++ b/main.c @@ -139,6 +139,7 @@ static int usage(const char *name) " -s [addr:]port Like -p but provide HTTPS on this port\n" " -C file ASN.1 server certificate file\n" " -K file ASN.1 server private key file\n" + " -M file ASN.1 certificate authority certificate file\n" " -q Redirect all HTTP requests to HTTPS\n" #endif " -h directory Specify the document root, default is '.'\n" @@ -246,7 +247,8 @@ int main(int argc, char **argv) int bound = 0; #ifdef HAVE_TLS int n_tls = 0; - const char *tls_key = NULL, *tls_crt = NULL; + int n_mtls = 0; + const char *tls_key = NULL, *tls_crt = NULL, *ca_crt = NULL; #endif #ifdef HAVE_LUA const char *lua_prefix = NULL, *lua_handler = NULL; @@ -258,7 +260,7 @@ int main(int argc, char **argv) init_defaults_pre(); signal(SIGPIPE, SIG_IGN); - while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { + while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:M:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { switch(ch) { #ifdef HAVE_TLS case 'C': @@ -269,6 +271,11 @@ int main(int argc, char **argv) tls_key = optarg; break; + case 'M': + ca_crt = optarg; + n_mtls++; + break; + case 'q': conf.tls_redirect = 1; break; @@ -520,8 +527,11 @@ int main(int argc, char **argv) return 1; } - if (uh_tls_init(tls_key, tls_crt)) - return 1; + if (n_mtls){ + if (uh_tls_init(tls_key, tls_crt, ca_crt)) + return 1; + } else if (uh_tls_init(tls_key, tls_crt, '\0')) + return 1; } #endif diff --git a/tls.c b/tls.c index d969b82..1b1ba52 100644 --- a/tls.c +++ b/tls.c 
@@ -31,9 +31,16 @@ static struct ustream_ssl_ops *ops; static void *dlh; static void *ctx; -int uh_tls_init(const char *key, const char *crt) +int uh_tls_init(const char *key, const char *crt, ...) { static bool _init = false; + const char *srv_crt, *ca_crt; + va_list arg; + + va_start(arg, crt); + srv_crt = crt; + ca_crt = va_arg(arg, const char *); + va_end(arg); if (_init) return 0; @@ -57,10 +64,15 @@ int uh_tls_init(const char *key, const char *crt) return -EINVAL; } - if (ops->context_set_crt_file(ctx, crt) || - ops->context_set_key_file(ctx, key)) { + if (ops->context_set_crt_file(ctx, srv_crt) || + ops->context_set_key_file(ctx, key)) { fprintf(stderr, "Failed to load certificate/key files\n"); - return -EINVAL; + } + + if(ca_crt){ + if(ops->context_add_ca_crt_file(ctx, ca_crt)) + return -EINVAL; + else ops->context_set_mutual_auth(ctx, 1); } return 0; diff --git a/tls.h b/tls.h index 9be74ba..7e437dd 100644 --- a/tls.h +++ b/tls.h @@ -22,13 +22,13 @@ #ifdef HAVE_TLS -int uh_tls_init(const char *key, const char *crt); +int uh_tls_init(const char *key, const char *crt, ...); void uh_tls_client_attach(struct client *cl); void uh_tls_client_detach(struct client *cl); #else -static inline int uh_tls_init(const char *key, const char *crt) +static inline int uh_tls_init(const char *key, const char *crt, ...) { return -1; }
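Review bot: in the main.c usage hunk (@@ -139), the new `-M` line documents only the file format and not the behavioural change, while passing `-M` also turns on mutual authentication via `context_set_mutual_auth(ctx, 1)` in tls.c, which changes which clients can connect at all. The help text should say so, e.g. `" -M file ASN.1 CA certificate file; enables client certificate verification (mTLS)\n"`, so an operator does not enable client-certificate enforcement by accident.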
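Review bot: in the main.c variable hunk (@@ -246) and the `case 'M':` hunk (@@ -269), `n_mtls` is redundant with `ca_crt`: it is only ever tested as a boolean, and `ca_crt != NULL` carries exactly the same information. Dropping the counter removes a second piece of state that can drift out of sync with the pointer (e.g. if a later change resets `ca_crt`), and simplifies the `uh_tls_init` call site.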
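Review bot: in the main.c hunk at @@ -520, passing `'\0'` as the third argument of `uh_tls_init()` is undefined behaviour: `'\0'` is an `int` promoted through the variadic call, but tls.c reads the slot back with `va_arg(arg, const char *)`, so on 64-bit targets the pointer read can pick up uninitialised register or stack bits and `ca_crt` may come back non-NULL, silently loading a bogus CA path or enabling mutual auth when `-M` was never given. Pass `NULL` (or make the parameter an explicit `const char *`), after which the `if (n_mtls)` split collapses to a single `if (uh_tls_init(tls_key, tls_crt, ca_crt)) return 1;` because `ca_crt` is already NULL in the non-mTLS case. Style: `if (n_mtls){` should be `if (n_mtls) {` to match the surrounding code.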
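Review bot: in the tls.c hunk at @@ -31, a variadic signature for a single optional pointer is the wrong tool: it removes compile-time type checking of the third argument, obliges every caller to pass something (a caller that omits it makes `va_arg` read garbage), and the hunk uses `va_list`/`va_start`/`va_arg` with no visible `#include <stdarg.h>`. A plain `int uh_tls_init(const char *key, const char *crt, const char *ca_crt)` with `NULL` meaning "no client verification" gives the intended optional semantics safely, and the `srv_crt` alias of `crt` becomes unnecessary. If the variadic form is kept, the `va_start`/`va_end` block should at least move below the `if (_init) return 0;` early exit so it is not executed on repeat calls.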
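Review bot: in the tls.c hunk at @@ -57, the `return -EINVAL;` after "Failed to load certificate/key files" has been removed, so a failed server certificate or key load now only prints a message and `uh_tls_init()` returns 0; uhttpd would then go on to bind its HTTPS port with a context that has no usable certificate. The early return must stay. In the new CA block, a failed `context_add_ca_crt_file()` returns -EINVAL with no diagnostic, unlike the cert/key path; add a matching `fprintf(stderr, "Failed to load CA certificate file\n");`. Because `ops` comes from the dynamically loaded ustream-ssl (`dlh`), a runtime library that lacks the ustream-ssl patch this depends on will not provide `context_add_ca_crt_file`/`context_set_mutual_auth`; that dependency should be enforced (package version requirement or a NULL check on the two op pointers) rather than left to fail at start-up. Style: `if(ca_crt){` and `if(ops->` should use the surrounding `if (` spacing, and `else ops->context_set_mutual_auth(ctx, 1);` belongs on its own line.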
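Review bot: in the tls.h hunk at @@ -22, both the HAVE_TLS prototype and the `#else` inline stub adopt the `...` signature; if tls.c switches to an explicit `const char *ca_crt` parameter, these two declarations must change with it so the compiler checks the third argument at every call site, including the `'\0'` call in main.c. The stub's `return -1;` is unchanged and remains correct for builds without TLS.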