[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)
John Crispin
john at phrozen.org
Wed Aug 22 05:27:25 EDT 2018
On 20/08/18 12:39, Nuno Morais wrote:
> For B2B applications, mutual authentication of peers is a requirement.
>
> Add operation to enable / disable peer authentication
> adding a new operation to the ustream_ssl_ops struct
> using "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
> and "MBEDTLS_SSL_VERIFY_REQUIRED".
Hi,
2 nitpicks inline
> Signed-off-by: Nuno Morais <nuno.mcvmorais at gmail.com>
> ---
> ustream-internal.h | 1 +
> ustream-mbedtls.c | 10 ++++++++++
> ustream-openssl.c | 12 ++++++++++++
> ustream-ssl.c | 1 +
> ustream-ssl.h | 2 ++
> 5 files changed, 26 insertions(+)
>
> diff --git a/ustream-internal.h b/ustream-internal.h
> index a8c534f..923e9d2 100644
> --- a/ustream-internal.h
> +++ b/ustream-internal.h
> @@ -41,6 +41,7 @@ struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server);
> int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
> int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
> int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file);
> +int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth);
> void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx);
> enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us);
> int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len);
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index 347c600..d859a08 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -217,6 +217,16 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
> return 0;
> }
>
> +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
> +{
> + if(mutual_auth)
missing space betwen if and ( at various places inside the patch.
> + mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
> + else
> + mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
> +
> + return 0;
> +}
> +
> __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
> {
> #if defined(MBEDTLS_SSL_CACHE_C)
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 7c72ce1..585e526 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -154,6 +154,18 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
> return 0;
> }
>
> +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
> +{
> +
> + if(mutual_auth)
> + SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
unneeded space between (void *) and ctx at various places inside the patch
John
> + else
> + SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL);
> +
> + return 0;
> +
> +}
> +
> __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
> {
> SSL_CTX_free((void *) ctx);
> diff --git a/ustream-ssl.c b/ustream-ssl.c
> index dd0faf9..ad80925 100644
> --- a/ustream-ssl.c
> +++ b/ustream-ssl.c
> @@ -208,6 +208,7 @@ const struct ustream_ssl_ops ustream_ssl_ops = {
> .context_set_crt_file = __ustream_ssl_set_crt_file,
> .context_set_key_file = __ustream_ssl_set_key_file,
> .context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
> + .context_set_mutual_auth = __ustream_ssl_set_mutual_auth,
> .context_free = __ustream_ssl_context_free,
> .init = _ustream_ssl_init,
> .set_peer_cn = _ustream_ssl_set_peer_cn,
> diff --git a/ustream-ssl.h b/ustream-ssl.h
> index 7787788..3eb24ae 100644
> --- a/ustream-ssl.h
> +++ b/ustream-ssl.h
> @@ -52,6 +52,7 @@ struct ustream_ssl_ops {
> int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
> int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file);
> int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
> + int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth);
> void (*context_free)(struct ustream_ssl_ctx *ctx);
>
> int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server);
> @@ -64,6 +65,7 @@ extern const struct ustream_ssl_ops ustream_ssl_ops;
> #define ustream_ssl_context_set_crt_file ustream_ssl_ops.context_set_crt_file
> #define ustream_ssl_context_set_key_file ustream_ssl_ops.context_set_key_file
> #define ustream_ssl_context_add_ca_crt_file ustream_ssl_ops.context_add_ca_crt_file
> +#define ustream_ssl_context_set_mutual_auth ustream_ssl_ops.context_set_mutual_auth
> #define ustream_ssl_context_free ustream_ssl_ops.context_free
> #define ustream_ssl_init ustream_ssl_ops.init
> #define ustream_ssl_set_peer_cn ustream_ssl_ops.set_peer_cn
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list