commit 25bf87172d0d52dadb67aadda9a7dc10a57b4fb2 Author: Jiri Novotny Date: Thu Feb 18 16:11:46 2021 +0100 feat: mTLS support (#89) Signed-off-by: Jiri Novotny Index: rtty-7.1.4/README.md =================================================================== --- rtty-7.1.4.orig/README.md +++ rtty-7.1.4/README.md @@ -93,6 +93,8 @@ Select rtty in menuconfig and compile it -d, --description=string Adding a description to the device(Maximum 126 bytes) -a Auto reconnect to the server -s SSL on + -k, --key Device key (PEM file) for mTLS\n" + -c, --cert Device certificate (PEM file) for mTLS\n" -D Run in the background -t, --token=string Authorization token -f username Skip a second login authentication. See man login(1) about the details @@ -107,6 +109,13 @@ Replace the following parameters with yo sudo rtty -I 'My-device-ID' -h 'your-server' -p 5912 -a -v -d 'My Device Description' +If your rttys is configured with mTLS enabled (device key and certificate required), add the following parameters(Replace the following with valid paths to your own) + + -k /etc/ssl/private/abc.pem -c /etc/ssl/certs/abc.pem + +You can generate them e.g. via openssl tool + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -keyout /tmp/key.pem -out /tmp/cert.pem -days 18262 -nodes -subj "/C=CZ/O=Acme Inc./OU=ACME/CN=ACME-DEV-123" + If your rttys is configured with a token, add the following parameter(Replace the following token with your own) -t 34762d07637276694b938d23f10d7164 Index: rtty-7.1.4/src/main.c =================================================================== --- rtty-7.1.4.orig/src/main.c +++ rtty-7.1.4/src/main.c @@ -54,6 +54,8 @@ static struct option long_options[] = { {"port", required_argument, NULL, 'p'}, {"description", required_argument, NULL, 'd'}, {"token", required_argument, NULL, 't'}, + {"key", required_argument, NULL, 'k'}, + {"cert", required_argument, NULL, 'c'}, {"verbose", no_argument, NULL, 'v'}, {"version", no_argument, NULL, 'V'}, {"exit", required_argument, NULL, 'e'}, @@ -71,6 +73,8 @@ static void usage(const char *prog) " -d, --description=string Adding a description to the device(Maximum 126 bytes)\n" " -a Auto reconnect to the server\n" " -s SSL on\n" + " -k, --key Device key (PEM file) for mTLS\n" + " -c, --cert Device certificate (PEM file) for mTLS\n" " -D Run in the background\n" " -t, --token=string Authorization token\n" " -f username Skip a second login authentication. See man login(1) about the details\n" @@ -106,7 +110,7 @@ int main(int argc, char **argv) int c; while (true) { - c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vVe:", long_options, &option_index); + c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vVe:k:c:", long_options, &option_index); if (c == -1) break; @@ -133,6 +137,12 @@ int main(int argc, char **argv) case 's': rtty.ssl_on = true; break; + case 'k': + rtty.ssl_key = optarg; + break; + case 'c': + rtty.ssl_cert = optarg; + break; case 'D': background = true; break; Index: rtty-7.1.4/src/rtty.c =================================================================== --- rtty-7.1.4.orig/src/rtty.c +++ rtty-7.1.4/src/rtty.c @@ -417,7 +417,7 @@ static void on_net_connected(int sock, v if (rtty->ssl_on) { #if (RTTY_SSL_SUPPORT) - rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host); + rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host, rtty->ssl_key, rtty->ssl_cert); #endif } Index: rtty-7.1.4/src/rtty.h =================================================================== --- rtty-7.1.4.orig/src/rtty.h +++ rtty-7.1.4/src/rtty.h @@ -67,6 +67,8 @@ struct rtty { const char *description; const char *username; bool ssl_on; + const char *ssl_key; /* path to device key */ + const char *ssl_cert; /* path to device cert */ struct buffer rb; struct buffer wb; struct ev_io iow; Index: rtty-7.1.4/src/ssl.c =================================================================== --- rtty-7.1.4.orig/src/ssl.c +++ rtty-7.1.4/src/ssl.c @@ -68,6 +68,8 @@ struct rtty_ssl_ctx { mbedtls_ctr_drbg_context drbg; mbedtls_entropy_context etpy; mbedtls_x509_crt x509; + mbedtls_x509_crt crt; + mbedtls_pk_context key; bool last_read_ok; #else SSL_CTX *ctx; @@ -75,7 +77,7 @@ struct rtty_ssl_ctx { #endif }; -int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host) +int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert) { struct rtty_ssl_ctx *c = calloc(1, sizeof(struct rtty_ssl_ctx)); if (!c) { @@ -99,6 +101,18 @@ int rtty_ssl_init(struct rtty_ssl_ctx ** mbedtls_ssl_conf_authmode(&c->cfg, MBEDTLS_SSL_VERIFY_OPTIONAL); mbedtls_ssl_conf_ca_chain(&c->cfg, &c->x509, NULL); mbedtls_ssl_conf_rng(&c->cfg, mbedtls_ctr_drbg_random, &c->drbg); + if (key && cert) { + if (0 != mbedtls_pk_parse_keyfile(&c->key, key, NULL) || + 0 != mbedtls_x509_crt_parse_file(&c->crt, cert)) { + free(c); + log_err("Loading mTLS key/cert failed\n"); + return -1; + } else { + if (0 != mbedtls_ssl_conf_own_cert(&c->cfg, &c->crt, &c->key)) { + log(LOG_WARNING, "Setting mTLS key/cert failed\n"); + } + } + } mbedtls_ssl_set_bio(&c->ssl, &c->net, mbedtls_net_send, mbedtls_net_recv, NULL); @@ -121,6 +135,14 @@ int rtty_ssl_init(struct rtty_ssl_ctx ** c->ctx = SSL_CTX_new(TLS_client_method()); #endif SSL_CTX_set_verify(c->ctx, SSL_VERIFY_NONE, NULL); + if (key && cert) { + if (1 != SSL_CTX_use_PrivateKey_file(c->ctx, key, SSL_FILETYPE_PEM) || + 1 != SSL_CTX_use_certificate_file(c->ctx, cert, SSL_FILETYPE_PEM)) { + free(c); + log_err("Setting mTLS key/cert failed: %s\n", strerror(errno)); + return -1; + } + } c->ssl = SSL_new(c->ctx); #if RTTY_HAVE_OPENSSL SSL_set_tlsext_host_name(c->ssl, host); Index: rtty-7.1.4/src/ssl.h =================================================================== --- rtty-7.1.4.orig/src/ssl.h +++ rtty-7.1.4/src/ssl.h @@ -34,7 +34,7 @@ struct rtty_ssl_ctx; -int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host); +int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert); void rtty_ssl_free(struct rtty_ssl_ctx *ctx);