author | 2016-09-21 12:01:17 +0000 | |
---|---|---|
committer | 2016-09-21 12:01:17 +0000 | |
commit | 15bf65a95adb27d247393db7cd2d24378af16a4f (patch) | |
tree | 28b57ced7b6b375bf2a4a71180148d13c77d18fc | |
parent | Add an option to give syslogd a server CA that is used to validate (diff) | |
Test syslogd TLS client certificate validation.
-rw-r--r-- | regress/usr.sbin/syslogd/Client.pm | 11 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/Server.pm | 11 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-client-tls-cert.pl | 36 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-client-tls-fake.pl | 57 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-client-tls-verify.pl | 30 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-server-tls-client-cert.pl | 2 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-server-tls-client-fake.pl | 3 |
7 files changed, 140 insertions, 10 deletions
diff --git a/regress/usr.sbin/syslogd/Client.pm b/regress/usr.sbin/syslogd/Client.pm
index d53f32a8d4d..91db547c232 100644
--- a/regress/usr.sbin/syslogd/Client.pm
+++ b/regress/usr.sbin/syslogd/Client.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Client.pm,v 1.6 2015/11/02 00:48:17 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.7 2016/09/21 12:01:17 bluhm Exp $

 # Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
 #
@@ -62,7 +62,14 @@ sub child {
 Domain => $self->{connectdomain},
 PeerAddr => $self->{connectaddr},
 PeerPort => $self->{connectport},
- SSL_verify_mode => SSL_VERIFY_NONE,
+ $self->{sslcert} ?
+ (SSL_cert_file => $self->{sslcert}) : (),
+ $self->{sslkey} ?
+ (SSL_key_file => $self->{sslkey}) : (),
+ $self->{sslca} ?
+ (SSL_ca_file => $self->{sslca}) : (),
+ SSL_verify_mode => ($self->{sslca} ?
+ SSL_VERIFY_PEER : SSL_VERIFY_NONE),
 $self->{sslversion} ?
 (SSL_version => $self->{sslversion}) : (),
 $self->{sslciphers} ?
diff --git a/regress/usr.sbin/syslogd/Server.pm b/regress/usr.sbin/syslogd/Server.pm
index 48d69b644f0..a044bb691e1 100644
--- a/regress/usr.sbin/syslogd/Server.pm
+++ b/regress/usr.sbin/syslogd/Server.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Server.pm,v 1.8 2016/07/12 09:57:20 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.9 2016/09/21 12:01:17 bluhm Exp $

 # Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
 #
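Review bot: The new `SSL_verify_mode => SSL_VERIFY_PEER` branch does not pin `SSL_verifycn_scheme`, unlike the Server.pm hunk in this commit which sets it to `"none"`, so whether the server certificate is additionally matched against `connectaddr` is left to IO::Socket::SSL's default for VERIFY_PEER, which I believe has changed between module releases. If only chain validation against `sslca` is intended, say so with `$self->{sslca} ? (SSL_verifycn_scheme => "none") : (),` next to the added entries; if hostname matching is part of what the TLS tests check, set the scheme explicitly so the tests do not change meaning with the installed module version. A short comment above the added entries naming `sslcert`, `sslkey` and `sslca` as the client-side test options would also help, since these keys are only ever set from the args-*.pl files. `sub child` starts before and continues past this hunk.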
@@ -54,9 +54,10 @@ sub listen {
 $self->{listenport} ? (LocalPort => $self->{listenport}) : (),
 SSL_key_file => "server.key",
 SSL_cert_file => "server.crt",
- SSL_ca_file => ($self->{cacrt} || "ca.crt"),
- $self->{sslverify} ? (SSL_verify_mode => SSL_VERIFY_PEER) : (),
- $self->{sslverify} ? (SSL_verifycn_scheme => "none") : (),
+ SSL_ca_file => ($self->{sslca} || "ca.crt"),
+ SSL_verify_mode => ($self->{sslca} ?
+ SSL_VERIFY_PEER : SSL_VERIFY_NONE),
+ $self->{sslca} ? (SSL_verifycn_scheme => "none") : (),
 $self->{sslversion} ? (SSL_version => $self->{sslversion}) : (),
 $self->{sslciphers} ? (SSL_cipher_list => $self->{sslciphers}) : (),
 ) or die ref($self), " $iosocket socket failed: $!,$SSL_ERROR";
@@ -104,7 +105,7 @@ sub child {
 print STDERR "ssl version: ",$as->get_sslversion(),"\n";
 print STDERR "ssl cipher: ",$as->get_cipher(),"\n";
 print STDERR "ssl subject: ", $as->peer_certificate("subject")
- ,"\n" if $self->{sslverify};
+ ,"\n" if $self->{sslca};
 }

 *STDIN = *STDOUT = $self->{as} = $as;
diff --git a/regress/usr.sbin/syslogd/args-client-tls-cert.pl b/regress/usr.sbin/syslogd/args-client-tls-cert.pl
new file mode 100644
index 00000000000..38ba81ff016
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-client-tls-cert.pl
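Review bot: `SSL_ca_file` is still passed unconditionally (falling back to `"ca.crt"`) while `SSL_verify_mode` is now `SSL_VERIFY_NONE` unless `sslca` is set, so without `sslca` a CA file is loaded that verification never consults; this is also asymmetric with the Client.pm hunk, where `SSL_ca_file` is only passed when `sslca` is given. Unless some test depends on the default CA being opened, the three `$self->{sslca}` checks could be one conditional list, `$self->{sslca} ? (SSL_ca_file => $self->{sslca}, SSL_verify_mode => SSL_VERIFY_PEER, SSL_verifycn_scheme => "none") : (SSL_verify_mode => SSL_VERIFY_NONE),`, which states the "verify only when a CA is configured" rule in one place. Failing that, a comment such as `# client certificate verification is enabled only when sslca is configured` above the `SSL_ca_file` line would do. `sub listen` begins before this hunk and continues after the `or die` line.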
@@ -0,0 +1,36 @@
+# The syslogd listens on localhost TLS socket with client verification.
+# The client connects with a client certificate and writes a message.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via UDP to the loghost.
+# The server receives the message on its UDP socket.
+# Find the message in client, file, pipe, syslogd, server log.
+# Check that the syslogd accepts client.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ client => {
+ connect => { domain => AF_UNSPEC, proto => "tls", addr => "localhost",
+ port => 6514 },
+ sslcert => "client.crt",
+ sslkey => "client.key",
+ loggrep => {
+ qr/connect sock: (127.0.0.1|::1) \d+/ => 1,
+ get_testgrep() => 1,
+ },
+ },
+ syslogd => {
+ options => ["-S", "localhost", "-K", "ca.crt"],
+ ktrace => {
+ qr{NAMI "ca.crt"} => 1,
+ },
+ loggrep => {
+ qr{Server CAfile ca.crt} => 1,
+ qr{tls logger .* accepted} => 1,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-client-tls-fake.pl b/regress/usr.sbin/syslogd/args-client-tls-fake.pl
new file mode 100644
index 00000000000..97e90c873e4
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-client-tls-fake.pl
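Review bot: The syslogd-side expectations `qr{Server CAfile ca.crt} => 1` and `qr{tls logger .* accepted} => 1` are the same lines args-client-tls-fake.pl expects in the rejecting case, so on the syslogd side this test does not distinguish a validated client certificate from a rejected one; the positive evidence is only the client's `get_testgrep()` match and the message reaching the file, pipe and server. If loggrep accepts a zero count as a must-not-match assertion, adding `qr/tls logger .* connection error/ => 0,` to the syslogd loggrep would make the acceptance explicit and mirror the error pattern the fake test greps for.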
@@ -0,0 +1,57 @@
+# The syslogd listens on localhost TLS socket with false client verification.
+# The client connects with a wrong client certificate.
+# The syslogd writes error into a file and through a pipe.
+# The syslogd passes error via UDP to the loghost.
+# The server receives the error message on its UDP socket.
+# Find the error message in client, file, syslogd, server log.
+# Check that the syslogd rejects client.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ client => {
+ connect => { domain => AF_UNSPEC, proto => "tls", addr => "localhost",
+ port => 6514 },
+ sslcert => "client.crt",
+ sslkey => "client.key",
+ up => qr/IO::Socket::SSL socket connect failed/,
+ down => qr/SSL connect attempt failed/,
+ exit => 255,
+ loggrep => {
+ qr/Client IO::Socket::SSL socket connect failed: /.
+ qr/,SSL connect attempt failed /.
+ qr/because of handshake problems error:/ => 1,
+ },
+ },
+ syslogd => {
+ options => ["-S", "localhost", "-K", "fake-ca.crt"],
+ ktrace => {
+ qr{NAMI "fake-ca.crt"} => 1,
+ },
+ loggrep => {
+ qr{Server CAfile fake-ca.crt} => 1,
+ qr{tls logger .* accepted} => 1,
+ qr/syslogd: tls logger .* connection error: /.
+ qr/handshake failed: error:.*/.
+ qr/RSA_padding_check_PKCS1_type_1:block type is not 01/ => 1,
+ },
+ },
+ server => {
+ func => sub {
+ my $self = shift;
+ read_message($self, qr/syslogd: tls logger .* connection error/);
+ },
+ loggrep => {},
+ },
+ file => {
+ loggrep => {
+ qr/syslogd: tls logger .* connection error: handshake failed/ => 1,
+ },
+ },
+ pipe => { nocheck => 1, },
+ tty => { nocheck => 1, },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-client-tls-verify.pl b/regress/usr.sbin/syslogd/args-client-tls-verify.pl
new file mode 100644
index 00000000000..1ed3db206c9
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-client-tls-verify.pl
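Review bot: The syslogd loggrep pins the handshake failure to the library-internal error text `RSA_padding_check_PKCS1_type_1:block type is not 01`, which presumably arises because the client certificate's signature is checked against the key in fake-ca.crt rather than the issuing CA; that string belongs to the TLS library's RSA code, not to syslogd, so a library update that reports the signature mismatch differently, or a client certificate signed with another key type, breaks this test without any change in syslogd behaviour. Matching only the syslogd-owned prefix, `qr/syslogd: tls logger .* connection error: handshake failed: error:/ => 1,`, keeps the test tied to what it is meant to verify; if the exact reason is intended, a comment explaining why this particular error is expected would help whoever next sees it fail. It is also worth stating in the header comment that `qr{tls logger .* accepted} => 1` is expected here too, i.e. the TCP connection is accepted before the TLS handshake rejects the client.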
@@ -0,0 +1,30 @@
+# The syslogd listens on 127.0.0.1 TLS socket with self-signed certificate.
+# The client validates cert and writes message into a 127.0.0.1 TLS socket.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via UDP to the loghost.
+# The server receives the message on its UDP socket.
+# Find the message in client, file, pipe, syslogd, server log.
+# Check that the client file log contains the syslogd certifcate.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ client => {
+ connect => { domain => AF_UNSPEC, proto => "tls", addr => "127.0.0.1",
+ port => 6514 },
+ loggrep => {
+ qr/connect sock: 127.0.0.1 \d+/ => 1,
+ qr/ssl subject: /.
+ qr{/L=OpenBSD/O=syslogd-regress/OU=syslogd/CN=127.0.0.1} => 1,
+ get_testgrep() => 1,
+ },
+ sslca => "127.0.0.1.crt",
+ },
+ syslogd => {
+ options => ["-S", "127.0.0.1"],
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-server-tls-client-cert.pl b/regress/usr.sbin/syslogd/args-server-tls-client-cert.pl
index d27fe254d0b..2b579f6590f 100644
--- a/regress/usr.sbin/syslogd/args-server-tls-client-cert.pl
+++ b/regress/usr.sbin/syslogd/args-server-tls-client-cert.pl
@@ -22,7 +22,7 @@ our %args = (
 },
 server => {
 listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
- sslverify => 1,
+ sslca => "ca.crt",
 loggrep => {
 qr/ssl subject: /.
 qr{/L=OpenBSD/O=syslogd-regress/OU=client/CN=localhost} => 1,
diff --git a/regress/usr.sbin/syslogd/args-server-tls-client-fake.pl b/regress/usr.sbin/syslogd/args-server-tls-client-fake.pl
index ae3cf8c41de..43185d608cf 100644
--- a/regress/usr.sbin/syslogd/args-server-tls-client-fake.pl
+++ b/regress/usr.sbin/syslogd/args-server-tls-client-fake.pl
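Review bot: The header comment of the new file has a typo, `certifcate` should read `certificate`, and it says the client "validates cert" without saying what is validated: the file passes the syslogd's own self-signed `127.0.0.1.crt` as `sslca`, so the check is that the presented certificate chains to that file, while whether the name 127.0.0.1 is also matched depends on the client's IO::Socket::SSL defaults (see the Client.pm hunk in this commit). Rewording the second header line to e.g. `# The client validates the syslogd certificate against 127.0.0.1.crt as CA` would spell out the contract, and the `ssl subject:` loggrep then reads as the evidence for it.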
@@ -24,8 +24,7 @@ our %args = (
 },
 server => {
 listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
- sslverify => 1,
- cacrt => "fake-ca.crt",
+ sslca => "fake-ca.crt",
 up => qr/IO::Socket::SSL socket accept failed/,
 down => qr/SSL accept attempt failed error/,
 exit => 255,
|