rtty: enable mTLS support

Fixes: WIFI-10516
Signed-off-by: John Crispin <john@phrozen.org>

feeds/ucentral/rtty/files/rtty.init

@@ -51,7 +51,7 @@ start_rtty() {
 	procd_set_param command $BIN -h $host -I "$id" -a
 	[ -n "$port" ] && procd_append_param command -p "$port"
 	[ -n "$description" ] && procd_append_param command -d "$description"
-	[ "$ssl" = "1" ] && procd_append_param command -s
+	[ "$ssl" = "1" ] && procd_append_param command -s -c /etc/ucentral/cert.pem -k /etc/ucentral/key.pem
 	[ -n "$token" ] && procd_append_param command -t "$token"
 	[ "$verbose" = "1" ] && procd_append_param command -v
 	[ "$timeout" -eq "0" ] || procd_append_param command -e $timeout

feeds/ucentral/rtty/patches/200-mtls.patch

@@ -0,0 +1,174 @@
+commit 25bf87172d0d52dadb67aadda9a7dc10a57b4fb2
+Author: Jiri Novotny <k4chn1k@gmail.com>
+Date:   Thu Feb 18 16:11:46 2021 +0100
+
+    feat: mTLS support (#89)
+    
+    Signed-off-by: Jiri Novotny <k4chn1k@gmail.com>
+
+Index: rtty-7.1.4/README.md
+===================================================================
+--- rtty-7.1.4.orig/README.md
++++ rtty-7.1.4/README.md
+@@ -93,6 +93,8 @@ Select rtty in menuconfig and compile it
+         -d, --description=string Adding a description to the device(Maximum 126 bytes)
+         -a                       Auto reconnect to the server
+         -s                       SSL on
++        -k, --key                Device key (PEM file) for mTLS\n"
++        -c, --cert               Device certificate (PEM file) for mTLS\n"
+         -D                       Run in the background
+         -t, --token=string       Authorization token
+         -f username              Skip a second login authentication. See man login(1) about the details
+@@ -107,6 +109,13 @@ Replace the following parameters with yo
+ 
+     sudo rtty -I 'My-device-ID' -h 'your-server' -p 5912 -a -v -d 'My Device Description'
+ 
++If your rttys is configured with mTLS enabled (device key and certificate required), add the following parameters(Replace the following with valid paths to your own)
++
++    -k /etc/ssl/private/abc.pem -c /etc/ssl/certs/abc.pem
++
++You can generate them e.g. via openssl tool
++    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -keyout /tmp/key.pem -out /tmp/cert.pem -days 18262 -nodes -subj "/C=CZ/O=Acme Inc./OU=ACME/CN=ACME-DEV-123"
++
+ If your rttys is configured with a token, add the following parameter(Replace the following token with your own)
+ 
+     -t 34762d07637276694b938d23f10d7164
+Index: rtty-7.1.4/src/main.c
+===================================================================
+--- rtty-7.1.4.orig/src/main.c
++++ rtty-7.1.4/src/main.c
+@@ -54,6 +54,8 @@ static struct option long_options[] = {
+     {"port",        required_argument, NULL, 'p'},
+     {"description", required_argument, NULL, 'd'},
+     {"token",       required_argument, NULL, 't'},
++    {"key",         required_argument, NULL, 'k'},
++    {"cert",        required_argument, NULL, 'c'},
+     {"verbose",     no_argument,       NULL, 'v'},
+     {"version",     no_argument,       NULL, 'V'},
+     {"exit",        required_argument, NULL, 'e'},
+@@ -71,6 +73,8 @@ static void usage(const char *prog)
+             "      -d, --description=string Adding a description to the device(Maximum 126 bytes)\n"
+             "      -a                       Auto reconnect to the server\n"
+             "      -s                       SSL on\n"
++            "      -k, --key                Device key (PEM file) for mTLS\n"
++            "      -c, --cert               Device certificate (PEM file) for mTLS\n"
+             "      -D                       Run in the background\n"
+             "      -t, --token=string       Authorization token\n"
+             "      -f username              Skip a second login authentication. See man login(1) about the details\n"
+@@ -106,7 +110,7 @@ int main(int argc, char **argv)
+     int c;
+ 
+     while (true) {
+-        c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vVe:", long_options, &option_index);
++        c = getopt_long(argc, argv, "I:h:p:d:asDt:f:RS:vVe:k:c:", long_options, &option_index);
+         if (c == -1)
+             break;
+ 
+@@ -133,6 +137,12 @@ int main(int argc, char **argv)
+         case 's':
+             rtty.ssl_on = true;
+             break;
++        case 'k':
++            rtty.ssl_key = optarg;
++            break;
++        case 'c':
++            rtty.ssl_cert = optarg;
++            break;
+         case 'D':
+             background = true;
+             break;
+Index: rtty-7.1.4/src/rtty.c
+===================================================================
+--- rtty-7.1.4.orig/src/rtty.c
++++ rtty-7.1.4/src/rtty.c
+@@ -417,7 +417,7 @@ static void on_net_connected(int sock, v
+ 
+     if (rtty->ssl_on) {
+ #if (RTTY_SSL_SUPPORT)
+-        rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host);
++        rtty_ssl_init((struct rtty_ssl_ctx **)&rtty->ssl, sock, rtty->host, rtty->ssl_key, rtty->ssl_cert);
+ #endif
+     }
+ 
+Index: rtty-7.1.4/src/rtty.h
+===================================================================
+--- rtty-7.1.4.orig/src/rtty.h
++++ rtty-7.1.4/src/rtty.h
+@@ -67,6 +67,8 @@ struct rtty {
+     const char *description;
+     const char *username;
+     bool ssl_on;
++    const char *ssl_key;      /* path to device key */
++    const char *ssl_cert;     /* path to device cert */
+     struct buffer rb;
+     struct buffer wb;
+     struct ev_io iow;
+Index: rtty-7.1.4/src/ssl.c
+===================================================================
+--- rtty-7.1.4.orig/src/ssl.c
++++ rtty-7.1.4/src/ssl.c
+@@ -68,6 +68,8 @@ struct rtty_ssl_ctx {
+     mbedtls_ctr_drbg_context drbg;
+     mbedtls_entropy_context  etpy;
+     mbedtls_x509_crt         x509;
++    mbedtls_x509_crt         crt;
++    mbedtls_pk_context       key;
+     bool last_read_ok;
+ #else
+     SSL_CTX *ctx;
+@@ -75,7 +77,7 @@ struct rtty_ssl_ctx {
+ #endif
+ };
+ 
+-int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host)
++int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert)
+ {
+     struct rtty_ssl_ctx *c = calloc(1, sizeof(struct rtty_ssl_ctx));
+     if (!c) {
+@@ -99,6 +101,18 @@ int rtty_ssl_init(struct rtty_ssl_ctx **
+     mbedtls_ssl_conf_authmode(&c->cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
+     mbedtls_ssl_conf_ca_chain(&c->cfg, &c->x509, NULL);
+     mbedtls_ssl_conf_rng(&c->cfg, mbedtls_ctr_drbg_random, &c->drbg);
++    if (key && cert) {
++        if (0 != mbedtls_pk_parse_keyfile(&c->key, key, NULL) ||
++            0 != mbedtls_x509_crt_parse_file(&c->crt, cert)) {
++            free(c);
++            log_err("Loading mTLS key/cert failed\n");
++            return -1;
++        } else {
++            if (0 != mbedtls_ssl_conf_own_cert(&c->cfg, &c->crt, &c->key)) {
++                log(LOG_WARNING, "Setting mTLS key/cert failed\n");
++            }
++        }
++    }
+ 
+     mbedtls_ssl_set_bio(&c->ssl, &c->net, mbedtls_net_send,
+                         mbedtls_net_recv, NULL);
+@@ -121,6 +135,14 @@ int rtty_ssl_init(struct rtty_ssl_ctx **
+     c->ctx = SSL_CTX_new(TLS_client_method());
+ #endif
+     SSL_CTX_set_verify(c->ctx, SSL_VERIFY_NONE, NULL);
++    if (key && cert) {
++        if (1 != SSL_CTX_use_PrivateKey_file(c->ctx, key, SSL_FILETYPE_PEM) ||
++            1 != SSL_CTX_use_certificate_file(c->ctx, cert, SSL_FILETYPE_PEM)) {
++            free(c);
++            log_err("Setting mTLS key/cert failed: %s\n", strerror(errno));
++            return -1;
++        }
++    }
+     c->ssl = SSL_new(c->ctx);
+ #if RTTY_HAVE_OPENSSL
+     SSL_set_tlsext_host_name(c->ssl, host);
+Index: rtty-7.1.4/src/ssl.h
+===================================================================
+--- rtty-7.1.4.orig/src/ssl.h
++++ rtty-7.1.4/src/ssl.h
+@@ -34,7 +34,7 @@
+ 
+ struct rtty_ssl_ctx;
+ 
+-int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host);
++int rtty_ssl_init(struct rtty_ssl_ctx **ctx, int sock, const char *host, const char *key, const char *cert);
+ 
+ void rtty_ssl_free(struct rtty_ssl_ctx *ctx);
+