diff --git a/feeds/ucentral/rtty/files/rtty.init b/feeds/ucentral/rtty/files/rtty.init index 7569c954c..1183812fe 100644 --- a/feeds/ucentral/rtty/files/rtty.init +++ b/feeds/ucentral/rtty/files/rtty.init @@ -51,7 +51,7 @@ start_rtty() { procd_set_param command $BIN -h $host -I "$id" -a [ -n "$port" ] && procd_append_param command -p "$port" [ -n "$description" ] && procd_append_param command -d "$description" - [ "$ssl" = "1" ] && procd_append_param command -s + [ "$ssl" = "1" ] && procd_append_param command -s -c /etc/ucentral/cert.pem -k /etc/ucentral/key.pem [ -n "$token" ] && procd_append_param command -t "$token" [ "$verbose" = "1" ] && procd_append_param command -v [ "$timeout" -eq "0" ] || procd_append_param command -e $timeout diff --git a/feeds/ucentral/rtty/patches/200-mtls.patch b/feeds/ucentral/rtty/patches/200-mtls.patch new file mode 100644 index 000000000..14655c544 --- /dev/null +++ b/feeds/ucentral/rtty/patches/200-mtls.patch @@ -0,0 +1,174 @@ +commit 25bf87172d0d52dadb67aadda9a7dc10a57b4fb2 +Author: Jiri Novotny +Date: Thu Feb 18 16:11:46 2021 +0100 + + feat: mTLS support (#89) + + Signed-off-by: Jiri Novotny + +Index: rtty-7.1.4/README.md +=================================================================== +--- rtty-7.1.4.orig/README.md ++++ rtty-7.1.4/README.md +@@ -93,6 +93,8 @@ Select rtty in menuconfig and compile it + -d, --description=string Adding a description to the device(Maximum 126 bytes) + -a Auto reconnect to the server + -s SSL on ++ -k, --key Device key (PEM file) for mTLS\n" ++ -c, --cert Device certificate (PEM file) for mTLS\n" + -D Run in the background + -t, --token=string Authorization token + -f username Skip a second login authentication. See man login(1) about the details +@@ -107,6 +109,13 @@ Replace the following parameters with yo + + sudo rtty -I 'My-device-ID' -h 'your-server' -p 5912 -a -v -d 'My Device Description' + ++If your rttys is configured with mTLS enabled (device key and certificate required), add the following parameters(Replace the following with valid paths to your own) ++ ++ -k /etc/ssl/private/abc.pem -c /etc/ssl/certs/abc.pem ++ ++You can generate them e.g. via openssl tool ++ openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -keyout /tmp/key.pem -out /tmp/cert.pem -days 18262 -nodes -subj "/C=CZ/O=Acme Inc./OU=ACME/CN=ACME-DEV-123" ++ + If your rttys is configured with a token, add the following parameter(Replace the following token with your own) + + -t 34762d07637276694b938d23f10d7164 +Index: rtty-7.1.4/src/main.c +=================================================================== +--- rtty-7.1.4.orig/src/main.c ++++ rtty-7.1.4/src/main.c +@@ -54,6 +54,8 @@ static struct option long_options[] = { + {"port", required_argument, NULL, 'p'}, + {"description", required_argument, NULL, 'd'}, + {"token", required_argument, NULL, 't'}, ++ {"key", required_argument, NULL, 'k'}, ++ {"cert", required_argument, NULL, 'c'}, + {"verbose", no_argument, NULL, 'v'}, + {"version", no_argument, NULL, 'V'}, + {"exit", required_argument, NULL, 'e'}, +@@ -71,6 +73,8 @@ static void usage(const char *prog) + " -d, --description=string Adding a description to the device(Maximum 126 bytes)\n" + " -a Auto reconnect to the server\n" + " -s SSL on\n" ++ " -k, --key Device key (PEM file) for mTLS\n" ++ " -c, --cert Device certificate (PEM file) for mTLS\n" + " -D Run in the background\n" + " -t, --token=string Authorization token\n" + " -f username Skip a second login authentication. See man login(1) about the details\n" +@@ -106,7 +110,7 @@ int main(int argc, char **argv) + int c; + + while (true) { +- c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vVe:", long_options, &option_index); ++ c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vVe:k:c:", long_options, &option_index); + if (c == -1) + break; + +@@ -133,6 +137,12 @@ int main(int argc, char **argv) + case 's': + rtty.ssl_on = true; + break; ++ case 'k': ++ rtty.ssl_key = optarg; ++ break; ++ case 'c': ++ rtty.ssl_cert = optarg; ++ break; + case 'D': + background = true; + break; +Index: rtty-7.1.4/src/rtty.c +=================================================================== +--- rtty-7.1.4.orig/src/rtty.c ++++ rtty-7.1.4/src/rtty.c +@@ -417,7 +417,7 @@ static void on_net_connected(int sock, v + + if (rtty->ssl_on) { + #if (RTTY_SSL_SUPPORT) +- rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host); ++ rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host, rtty->ssl_key, rtty->ssl_cert); + #endif + } + +Index: rtty-7.1.4/src/rtty.h +=================================================================== +--- rtty-7.1.4.orig/src/rtty.h ++++ rtty-7.1.4/src/rtty.h +@@ -67,6 +67,8 @@ struct rtty { + const char *description; + const char *username; + bool ssl_on; ++ const char *ssl_key; /* path to device key */ ++ const char *ssl_cert; /* path to device cert */ + struct buffer rb; + struct buffer wb; + struct ev_io iow; +Index: rtty-7.1.4/src/ssl.c +=================================================================== +--- rtty-7.1.4.orig/src/ssl.c ++++ rtty-7.1.4/src/ssl.c +@@ -68,6 +68,8 @@ struct rtty_ssl_ctx { + mbedtls_ctr_drbg_context drbg; + mbedtls_entropy_context etpy; + mbedtls_x509_crt x509; ++ mbedtls_x509_crt crt; ++ mbedtls_pk_context key; + bool last_read_ok; + #else + SSL_CTX *ctx; +@@ -75,7 +77,7 @@ struct rtty_ssl_ctx { + #endif + }; + +-int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host) ++int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert) + { + struct rtty_ssl_ctx *c = calloc(1, sizeof(struct rtty_ssl_ctx)); + if (!c) { +@@ -99,6 +101,18 @@ int rtty_ssl_init(struct rtty_ssl_ctx ** + mbedtls_ssl_conf_authmode(&c->cfg, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_ca_chain(&c->cfg, &c->x509, NULL); + mbedtls_ssl_conf_rng(&c->cfg, mbedtls_ctr_drbg_random, &c->drbg); ++ if (key && cert) { ++ if (0 != mbedtls_pk_parse_keyfile(&c->key, key, NULL) || ++ 0 != mbedtls_x509_crt_parse_file(&c->crt, cert)) { ++ free(c); ++ log_err("Loading mTLS key/cert failed\n"); ++ return -1; ++ } else { ++ if (0 != mbedtls_ssl_conf_own_cert(&c->cfg, &c->crt, &c->key)) { ++ log(LOG_WARNING, "Setting mTLS key/cert failed\n"); ++ } ++ } ++ } + + mbedtls_ssl_set_bio(&c->ssl, &c->net, mbedtls_net_send, + mbedtls_net_recv, NULL); +@@ -121,6 +135,14 @@ int rtty_ssl_init(struct rtty_ssl_ctx ** + c->ctx = SSL_CTX_new(TLS_client_method()); + #endif + SSL_CTX_set_verify(c->ctx, SSL_VERIFY_NONE, NULL); ++ if (key && cert) { ++ if (1 != SSL_CTX_use_PrivateKey_file(c->ctx, key, SSL_FILETYPE_PEM) || ++ 1 != SSL_CTX_use_certificate_file(c->ctx, cert, SSL_FILETYPE_PEM)) { ++ free(c); ++ log_err("Setting mTLS key/cert failed: %s\n", strerror(errno)); ++ return -1; ++ } ++ } + c->ssl = SSL_new(c->ctx); + #if RTTY_HAVE_OPENSSL + SSL_set_tlsext_host_name(c->ssl, host); +Index: rtty-7.1.4/src/ssl.h +=================================================================== +--- rtty-7.1.4.orig/src/ssl.h ++++ rtty-7.1.4/src/ssl.h +@@ -34,7 +34,7 @@ + + struct rtty_ssl_ctx; + +-int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host); ++int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert); + + void rtty_ssl_free(struct rtty_ssl_ctx *ctx); +