[OpenWrt-Devel] [PATCH v2] uhttpd: add support for mutual authentication (mTLS)
Nuno Morais
nuno.mcvmorais at gmail.com
Thu Aug 23 05:34:24 EDT 2018
From: Nuno Morais <Nuno.mcvmorais at gmail.com>
Fix tabs vs spaces
Add new optional argument to function header
to add CA_certificate to avoid replicated code
This patch depends on patch
"[OpenWrt-Devel] [PATCH] ustream-ssl: add optional mutual authentication (mTLS)"
Signed-off-by: Nuno Morais <nuno.mcvmorais at gmail.com>
Co-Developed-by: Jose Vieira <josecarlosvieir at hotmail.com>
---
main.c | 18 ++++++++++++++----
tls.c | 20 ++++++++++++++++----
tls.h | 4 ++--
3 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/main.c b/main.c
index 219e37e..ec9da85 100644
--- a/main.c
+++ b/main.c
@@ -139,6 +139,7 @@ static int usage(const char *name)
" -s [addr:]port Like -p but provide HTTPS on this port\n"
" -C file ASN.1 server certificate file\n"
" -K file ASN.1 server private key file\n"
+ " -M file ASN.1 certificate authority certificate file\n"
" -q Redirect all HTTP requests to HTTPS\n"
#endif
" -h directory Specify the document root, default is '.'\n"
@@ -246,7 +247,8 @@ int main(int argc, char **argv)
int bound = 0;
#ifdef HAVE_TLS
int n_tls = 0;
- const char *tls_key = NULL, *tls_crt = NULL;
+ int n_mtls = 0;
+ const char *tls_key = NULL, *tls_crt = NULL, *ca_crt = NULL;
#endif
#ifdef HAVE_LUA
const char *lua_prefix = NULL, *lua_handler = NULL;
@@ -258,7 +260,7 @@ int main(int argc, char **argv)
init_defaults_pre();
signal(SIGPIPE, SIG_IGN);
- while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:M:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
switch(ch) {
#ifdef HAVE_TLS
case 'C':
@@ -269,6 +271,11 @@ int main(int argc, char **argv)
tls_key = optarg;
break;
+ case 'M':
+ ca_crt = optarg;
+ n_mtls++;
+ break;
+
case 'q':
conf.tls_redirect = 1;
break;
@@ -520,8 +527,11 @@ int main(int argc, char **argv)
return 1;
}
- if (uh_tls_init(tls_key, tls_crt))
- return 1;
+ if (n_mtls){
+ if (uh_tls_init(tls_key, tls_crt, ca_crt))
+ return 1;
+ } else if (uh_tls_init(tls_key, tls_crt, '\0'))
+ return 1;
}
#endif
diff --git a/tls.c b/tls.c
index d969b82..1b1ba52 100644
--- a/tls.c
+++ b/tls.c
@@ -31,9 +31,16 @@ static struct ustream_ssl_ops *ops;
static void *dlh;
static void *ctx;
-int uh_tls_init(const char *key, const char *crt)
+int uh_tls_init(const char *key, const char *crt, ...)
{
static bool _init = false;
+ const char *srv_crt, *ca_crt;
+ va_list arg;
+
+ va_start(arg, crt);
+ srv_crt = crt;
+ ca_crt = va_arg(arg, const char *);
+ va_end(arg);
if (_init)
return 0;
@@ -57,10 +64,15 @@ int uh_tls_init(const char *key, const char *crt)
return -EINVAL;
}
- if (ops->context_set_crt_file(ctx, crt) ||
- ops->context_set_key_file(ctx, key)) {
+ if (ops->context_set_crt_file(ctx, srv_crt) ||
+ ops->context_set_key_file(ctx, key)) {
fprintf(stderr, "Failed to load certificate/key files\n");
- return -EINVAL;
+ }
+
+ if(ca_crt){
+ if(ops->context_add_ca_crt_file(ctx, ca_crt))
+ return -EINVAL;
+ else ops->context_set_mutual_auth(ctx, 1);
}
return 0;
diff --git a/tls.h b/tls.h
index 9be74ba..7e437dd 100644
--- a/tls.h
+++ b/tls.h
@@ -22,13 +22,13 @@
#ifdef HAVE_TLS
-int uh_tls_init(const char *key, const char *crt);
+int uh_tls_init(const char *key, const char *crt, ...);
void uh_tls_client_attach(struct client *cl);
void uh_tls_client_detach(struct client *cl);
#else
-static inline int uh_tls_init(const char *key, const char *crt)
+static inline int uh_tls_init(const char *key, const char *crt, ...)
{
return -1;
}
--
2.18.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list