feat: mTLS support (#89)

Signed-off-by: Jiri Novotny <[email protected]>
zhaojh329 · Feb 18, 2021 · 25bf871 · 25bf871
1 parent ac7c489
commit 25bf871
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -95,6 +95,8 @@ Select rtty in menuconfig and compile it
         -d, --description=string Adding a description to the device(Maximum 126 bytes)
         -a                       Auto reconnect to the server
         -s                       SSL on
+        -k, --key                Device key (PEM file) for mTLS\n"
+        -c, --cert               Device certificate (PEM file) for mTLS\n"
         -D                       Run in the background
         -t, --token=string       Authorization token
         -f username              Skip a second login authentication. See man login(1) about the details
@@ -109,6 +111,13 @@ Replace the following parameters with your own parameters
 
     sudo rtty -I 'My-device-ID' -h 'your-server' -p 5912 -a -v -d 'My Device Description'
 
+If your rttys is configured with mTLS enabled (device key and certificate required), add the following parameters(Replace the following with valid paths to your own)
+
+    -k /etc/ssl/private/abc.pem -c /etc/ssl/certs/abc.pem
+
+You can generate them e.g. via openssl tool
+    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -keyout /tmp/key.pem -out /tmp/cert.pem -days 18262 -nodes -subj "/C=CZ/O=Acme Inc./OU=ACME/CN=ACME-DEV-123"
+
 If your rttys is configured with a token, add the following parameter(Replace the following token with your own)
 
     -t 34762d07637276694b938d23f10d7164

diff --git a/src/main.c b/src/main.c
@@ -49,6 +49,8 @@ static struct option long_options[] = {
     {"port",        required_argument, NULL, 'p'},
     {"description", required_argument, NULL, 'd'},
     {"token",       required_argument, NULL, 't'},
+    {"key",         required_argument, NULL, 'k'},
+    {"cert",        required_argument, NULL, 'c'},
     {"verbose",     no_argument,       NULL, 'v'},
     {"version",     no_argument,       NULL, 'V'},
     {"help",        no_argument,       NULL, LONG_OPT_HELP},
@@ -65,6 +67,8 @@ static void usage(const char *prog)
             "      -d, --description=string Adding a description to the device(Maximum 126 bytes)\n"
             "      -a                       Auto reconnect to the server\n"
             "      -s                       SSL on\n"
+            "      -k, --key                Device key (PEM file) for mTLS\n"
+            "      -c, --cert               Device certificate (PEM file) for mTLS\n"
             "      -D                       Run in the background\n"
             "      -t, --token=string       Authorization token\n"
             "      -f username              Skip a second login authentication. See man login(1) about the details\n"
@@ -93,7 +97,7 @@ int main(int argc, char **argv)
     int c;
 
     while (true) {
-        c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vV", long_options, &option_index);
+        c = getopt_long(argc, argv, "I:h:p:d:ask:c:Dt:f:RS:vV", long_options, &option_index);
         if (c == -1)
             break;
 
@@ -120,6 +124,12 @@ int main(int argc, char **argv)
         case 's':
             rtty.ssl_on = true;
             break;
+        case 'k':
+            rtty.ssl_key = optarg;
+            break;
+        case 'c':
+            rtty.ssl_cert = optarg;
+            break;
         case 'D':
             background = true;
             break;

diff --git a/src/rtty.c b/src/rtty.c
@@ -429,7 +429,7 @@ static void on_net_connected(int sock, void *arg)
 
     if (rtty->ssl_on) {
 #if (RTTY_SSL_SUPPORT)
-        rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host);
+        rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host, rtty->ssl_key, rtty->ssl_cert);
 #endif
     }
 

diff --git a/src/rtty.h b/src/rtty.h
@@ -69,6 +69,8 @@ struct rtty {
     const char *description;
     const char *username;
     bool ssl_on;
+    const char *ssl_key;      /* path to device key */
+    const char *ssl_cert;     /* path to device cert */
     struct buffer rb;
     struct buffer wb;
     struct ev_io iow;

diff --git a/src/ssl.c b/src/ssl.c
@@ -68,14 +68,16 @@ struct rtty_ssl_ctx {
     mbedtls_ctr_drbg_context drbg;
     mbedtls_entropy_context  etpy;
     mbedtls_x509_crt         x509;
+    mbedtls_x509_crt         crt;
+    mbedtls_pk_context       key;
     bool last_read_ok;
 #else
     SSL_CTX *ctx;
     SSL *ssl;
 #endif
 };
 
-int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host)
+int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert)
 {
     struct rtty_ssl_ctx *c = calloc(1, sizeof(struct rtty_ssl_ctx));
     if (!c) {
@@ -99,6 +101,18 @@ int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host)
     mbedtls_ssl_conf_authmode(&c->cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
     mbedtls_ssl_conf_ca_chain(&c->cfg, &c->x509, NULL);
     mbedtls_ssl_conf_rng(&c->cfg, mbedtls_ctr_drbg_random, &c->drbg);
+    if (key && cert) {
+        if (0 != mbedtls_pk_parse_keyfile(&c->key, key, NULL) ||
+            0 != mbedtls_x509_crt_parse_file(&c->crt, cert)) {
+            free(c);
+            log_err("Loading mTLS key/cert failed\n");
+            return -1;
+        } else {
+            if (0 != mbedtls_ssl_conf_own_cert(&c->cfg, &c->crt, &c->key)) {
+                log(LOG_WARNING, "Setting mTLS key/cert failed\n");
+            }
+        }
+    }
 
     mbedtls_ssl_set_bio(&c->ssl, &c->net, mbedtls_net_send,
                         mbedtls_net_recv, NULL);
@@ -121,6 +135,14 @@ int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host)
     c->ctx = SSL_CTX_new(TLS_client_method());
 #endif
     SSL_CTX_set_verify(c->ctx, SSL_VERIFY_NONE, NULL);
+    if (key && cert) {
+        if (1 != SSL_CTX_use_PrivateKey_file(c->ctx, key, SSL_FILETYPE_PEM) ||
+            1 != SSL_CTX_use_certificate_file(c->ctx, cert, SSL_FILETYPE_PEM)) {
+            free(c);
+            log_err("Setting mTLS key/cert failed: %s\n", strerror(errno));
+            return -1;
+        }
+    }
     c->ssl = SSL_new(c->ctx);
 #if RTTY_HAVE_OPENSSL
     SSL_set_tlsext_host_name(c->ssl, host);

diff --git a/src/ssl.h b/src/ssl.h
@@ -34,7 +34,7 @@
 
 struct rtty_ssl_ctx;
 
-int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host);
+int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert);
 
 void rtty_ssl_free(struct rtty_ssl_ctx *ctx);