author | 2015-01-28 19:23:22 +0000 | |
---|---|---|
committer | 2015-01-28 19:23:22 +0000 | |
commit | 61ffb8b2e76cce7dec09080d81f105c813eeaf5f (patch) | |
tree | 6178013be3ab3b386f2c7e6da06287f0bc0cdd09 | |
parent | If not explicitly disabled, syslogd verifies the x509 certificate (diff) | |
Test the x509 certificate validation of syslog over TLS.
-rw-r--r-- | regress/usr.sbin/syslogd/Makefile | 21 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/Proc.pm | 7 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/Syslogd.pm | 5 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-server-tcp.pl | 29 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-server-tls.pl | 29 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-sighup-config.pl | 2 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-cafile-default.pl | 36 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-cafile-empty.pl | 36 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-cafile-fake.pl | 36 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-cafile-noexist.pl | 36 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-cafile-toobig.pl | 36 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-host-bad.pl | 31 | ||||
-rw-r--r-- | regress/usr.sbin/syslogd/args-tls-verify.pl | 30 |
13 files changed, 323 insertions, 11 deletions
diff --git a/regress/usr.sbin/syslogd/Makefile b/regress/usr.sbin/syslogd/Makefile
index 5ffce4a0549..83a6e5df51b 100644
--- a/regress/usr.sbin/syslogd/Makefile
+++ b/regress/usr.sbin/syslogd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Makefile,v 1.8 2015/01/28 19:23:22 bluhm Exp $
 # The following ports must be installed for the regression tests:
 # p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
@@ -33,7 +33,7 @@ TARGETS ?= ${ARGS:Nargs-rsyslog*}
 REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
 CLEANFILES += *.log *.log.? *.conf ktrace.out stamp-*
 CLEANFILES += *.out *.sock *.ktrace *.fstat
-CLEANFILES += *.pem *.req *.crt *.key *.srl
+CLEANFILES += *.pem *.req *.crt *.key *.srl empty toobig
 .MAIN: all
@@ -68,16 +68,25 @@ run-regress-$a: $a
 # create certificates for TLS
-ca.crt:
- openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=ca/CN=root/ -nodes -newkey rsa -keyout ca.key -x509 -out ca.crt
+ca.crt fake-ca.crt:
+ openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=ca/CN=root/ -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
 server.req:
- openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout server.key -out server.req
+ openssl req -batch -new -subj /L=OpenBSD/O=syslogd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout ${@:R}.key -out $@
 server.crt: ca.crt server.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in ${@:R}.req -out $@
+
+empty:
+ true >$@
+
+toobig:
+ dd if=/dev/zero of=$@ bs=1 count=1 seek=1G
 ${REGRESS_TARGETS:M*tls*}: server.crt
+${REGRESS_TARGETS:M*empty*}: empty
+${REGRESS_TARGETS:M*toobig*}: toobig
+${REGRESS_TARGETS:M*fake*}: fake-ca.crt
 # make perl syntax check for all args files
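Review bot: The `ca.crt fake-ca.crt:` and `server.crt:` recipes pass no `-days`, so openssl's default validity of 30 days applies to the regress CA and server certificate; an object directory older than that makes args-tls-verify.pl fail with a verify error that looks like a syslogd regression rather than a stale fixture. Consider `-days 365` (or longer) on the `req -x509` and `x509 -req` lines, or a recipe comment noting that `make clean` regenerates the certificates. The shared recipe also means fake-ca.crt carries the same subject as ca.crt but its own `fake-ca.key`, which is what args-tls-cafile-fake.pl relies on; a comment such as `# fake-ca.crt shares the root subject but not the key, so chain validation must fail` would make that intent visible.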
diff --git a/regress/usr.sbin/syslogd/Proc.pm b/regress/usr.sbin/syslogd/Proc.pm
index 37280ee651d..deee1328b91 100644
--- a/regress/usr.sbin/syslogd/Proc.pm
+++ b/regress/usr.sbin/syslogd/Proc.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Proc.pm,v 1.4 2015/01/01 19:58:48 bluhm Exp $
+# $OpenBSD: Proc.pm,v 1.5 2015/01/28 19:23:22 bluhm Exp $
 # Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
 # Copyright (c) 2014 Florian Riehm <mail@friehm.de>
@@ -148,7 +148,7 @@ sub wait {
 sub loggrep {
 my $self = shift;
- my($regex, $timeout) = @_;
+ my($regex, $timeout, $count) = @_;
 my $exit = ($self->{exit} // 0) << 8;
 my $end = time() + $timeout if $timeout;
@@ -162,7 +162,8 @@ sub loggrep {
 open(my $fh, '<', $self->{logfile}) or die ref($self),
 " log file open failed: $!";
 my @match = grep { /$regex/ } <$fh>;
- return wantarray ? @match : $match[0] if @match;
+ return wantarray ? @match : $match[0]
+ if !$count && @match or $count && @match >= $count;
 close($fh);
 # pattern not found
 if ($kid == 0) {
diff --git a/regress/usr.sbin/syslogd/Syslogd.pm b/regress/usr.sbin/syslogd/Syslogd.pm
index dceed7b6da8..16b4b1118b0 100644
--- a/regress/usr.sbin/syslogd/Syslogd.pm
+++ b/regress/usr.sbin/syslogd/Syslogd.pm
@@ -1,4 +1,4 @@
-# $OpenBSD: Syslogd.pm,v 1.9 2015/01/22 00:34:32 bluhm Exp $
+# $OpenBSD: Syslogd.pm,v 1.10 2015/01/28 19:23:22 bluhm Exp $
 # Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
 # Copyright (c) 2014 Florian Riehm <mail@friehm.de>
@@ -115,6 +115,9 @@ sub child {
 my $syslogd = $ENV{SYSLOGD} ? $ENV{SYSLOGD} : "syslogd";
 my @cmd = (@sudo, @libevent, @ktrace, $syslogd, "-d", "-f",
 $self->{conffile});
+ push @cmd, "-V", unless $self->{cacrt};
+ push @cmd, "-C", $self->{cacrt}
+ if $self->{cacrt} && $self->{cacrt} ne "default";
 push @cmd, "-s", $self->{ctlsock} if $self->{ctlsock};
 push @cmd, @{$self->{options}} if $self->{options};
 print STDERR "execute: @cmd\n";
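Review bot: The new return condition in loggrep mixes `&&` with low-precedence `or` inside a postfix `if`, which reads correctly only if one remembers that `or` binds below `&&`; the same test is clearer as `if $count ? @match >= $count : @match;`. The new `$count` parameter is also undocumented: a comment such as `# $count: return only once at least that many lines match (undef: any match)` above the `my(...) = @_` line would explain why args-sighup-config.pl now passes 2. loggrep's body continues outside both hunks.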
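Review bot: `push @cmd, "-V", unless $self->{cacrt};` carries a stray trailing comma before `unless`; it is harmless Perl but looks like a truncated list, so `push @cmd, "-V" unless $self->{cacrt};` is what was meant. The three-way meaning of `cacrt` is only implicit in the two push lines: absent → `-V`, which per the parent commit's description leaves certificate verification disabled; the literal string `"default"` → no option, so syslogd uses its built-in CA file; any other value → `-C` with that path. A comment stating that above the first push would keep a future args file from inheriting the unverified mode by accident, since every test that omits `cacrt` gets `-V`. child's body continues outside the hunk.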
diff --git a/regress/usr.sbin/syslogd/args-server-tcp.pl b/regress/usr.sbin/syslogd/args-server-tcp.pl
new file mode 100644
index 00000000000..f270a4f7707
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-server-tcp.pl
@@ -0,0 +1,29 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TCP to an explicit loghost.
+# The server receives the message on its TCP socket.
+# Find the message in client, file, pipe, syslogd, server log.
+# Check that syslogd and server log contain localhost address.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tcp://localhost:$connectport',
+ loggrep => {
+ qr/Logging to FORWTCP \@tcp:\/\/localhost:\d+/ => '>=4',
+ get_testlog() => 1,
+ },
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tcp", addr => "localhost" },
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ get_testlog() => 1,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-server-tls.pl b/regress/usr.sbin/syslogd/args-server-tls.pl
new file mode 100644
index 00000000000..f11a93b6b92
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-server-tls.pl
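Review bot: The expected-log patterns use unescaped dots in literal addresses, e.g. `qr/listen sock: (127.0.0.1|::1) \d+/`, so each `.` in `127.0.0.1` also matches any other character; `qr/listen sock: (127\.0\.0\.1|::1) \d+/` pins the literal. The same applies to the `listen sock` and `127.0.0.1` patterns in args-server-tls.pl, args-tls-cafile-*.pl, args-tls-host-bad.pl and args-tls-verify.pl, and to `CAfile /etc/ssl/cert.pem` in args-tls-cafile-default.pl. For a regress log match a false positive is unlikely, but args-tls-host-bad.pl is asserting an address mismatch, where an exact pattern is the point of the test.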
@@ -0,0 +1,29 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to an explicit loghost.
+# The server receives the message on its TLS socket.
+# Find the message in client, file, pipe, syslogd, server log.
+# Check that syslogd and server log contain localhost address.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ get_testlog() => 1,
+ },
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ get_testlog() => 1,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-sighup-config.pl b/regress/usr.sbin/syslogd/args-sighup-config.pl
index 5f75fdd02a6..6643878ac68 100644
--- a/regress/usr.sbin/syslogd/args-sighup-config.pl
+++ b/regress/usr.sbin/syslogd/args-sighup-config.pl
@@ -42,7 +42,7 @@ our %args = (
 print $fh "# modified\n";
 close($fh);
 ${$self->{syslogd}}->kill_syslogd('HUP');
- ${$self->{syslogd}}->loggrep("syslogd: started", 5)
+ ${$self->{syslogd}}->loggrep("syslogd: started", 5, 2)
 or die ref($self), " no 'syslogd: started' between logs";
 print STDERR "Signal\n";
 });
diff --git a/regress/usr.sbin/syslogd/args-tls-cafile-default.pl b/regress/usr.sbin/syslogd/args-tls-cafile-default.pl
new file mode 100644
index 00000000000..1f2c851e74d
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cafile-default.pl
@@ -0,0 +1,36 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to localhost loghost.
+# The cafile is the system default which has no matching cert.
+# Find the message in client, file, pipe, syslogd log.
+# Check that syslogd has verify failure and server has no message.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/CAfile \/etc\/ssl\/cert.pem/ => 1,
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ qr/connection error: SSL connect failed: 1/ => 2,
+ get_testlog() => 1,
+ },
+ cacrt => "default",
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ up => "IO::Socket::SSL socket accept failed",
+ down => "Server",
+ exit => 255,
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ qr/SSL accept attempt failed because of handshake problems/ => 1,
+ get_testlog() => 0,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-cafile-empty.pl b/regress/usr.sbin/syslogd/args-tls-cafile-empty.pl
new file mode 100644
index 00000000000..399f8fc7ec1
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cafile-empty.pl
@@ -0,0 +1,36 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to localhost loghost.
+# The cafile is empty.
+# Find the message in client, file, pipe, syslogd log.
+# Check that syslogd has verify failure and server has no message.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/CAfile empty, size 0/ => 1,
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ qr/error: ssl verify memory setup failure/ => 2,
+ get_testlog() => 1,
+ },
+ cacrt => "empty",
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ up => "IO::Socket::SSL socket accept failed",
+ down => "Server",
+ exit => 255,
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ qr/SSL accept attempt failed because of handshake problems/ => 1,
+ get_testlog() => 0,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-cafile-fake.pl b/regress/usr.sbin/syslogd/args-tls-cafile-fake.pl
new file mode 100644
index 00000000000..33017d29a07
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cafile-fake.pl
@@ -0,0 +1,36 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to localhost loghost.
+# The cafile is a fake ca with correct DN but wrong key.
+# Find the message in client, file, pipe, syslogd log.
+# Check that syslogd has verify failure and server has no message.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/CAfile fake-ca.crt/ => 1,
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ qr/connection error: SSL connect failed: 1/ => 2,
+ get_testlog() => 1,
+ },
+ cacrt => "fake-ca.crt",
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ up => "IO::Socket::SSL socket accept failed",
+ down => "Server",
+ exit => 255,
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ qr/SSL accept attempt failed because of handshake problems/ => 1,
+ get_testlog() => 0,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-cafile-noexist.pl b/regress/usr.sbin/syslogd/args-tls-cafile-noexist.pl
new file mode 100644
index 00000000000..d936bb8de57
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cafile-noexist.pl
@@ -0,0 +1,36 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to localhost loghost.
+# The cafile does not exist.
+# Find the message in client, file, pipe, syslogd log.
+# Check that syslogd has verify failure and server has no message.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/open CAfile: No such file or directory/ => 2,
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ qr/error: ssl verify setup failure/ => 2,
+ get_testlog() => 1,
+ },
+ cacrt => "noexist",
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ up => "IO::Socket::SSL socket accept failed",
+ down => "Server",
+ exit => 255,
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ qr/SSL accept attempt failed because of handshake problems/ => 1,
+ get_testlog() => 0,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-cafile-toobig.pl b/regress/usr.sbin/syslogd/args-tls-cafile-toobig.pl
new file mode 100644
index 00000000000..80486fbed66
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cafile-toobig.pl
@@ -0,0 +1,36 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to localhost loghost.
+# The cafile is too big.
+# Find the message in client, file, pipe, syslogd log.
+# Check that syslogd has verify failure and server has no message.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/CAfile larger than 1GB/ => 2,
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ qr/error: ssl verify setup failure/ => 2,
+ get_testlog() => 1,
+ },
+ cacrt => "toobig",
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ up => "IO::Socket::SSL socket accept failed",
+ down => "Server",
+ exit => 255,
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ qr/SSL accept attempt failed because of handshake problems/ => 1,
+ get_testlog() => 0,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-host-bad.pl b/regress/usr.sbin/syslogd/args-tls-host-bad.pl
new file mode 100644
index 00000000000..3067702989a
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-host-bad.pl
@@ -0,0 +1,31 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to 127.0.0.1 loghost.
+# Server certificate is issued for localhost.
+# Find the message in client, file, pipe, syslogd log.
+# Check that syslogd denies host `127.0.0.1' and server has no message.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://127.0.0.1:$connectport',
+ loggrep => {
+ qr/Logging to FORWTLS \@tls:\/\/127.0.0.1:\d+/ => '>=4',
+ qr/error: host `127.0.0.1' not present in server/ => '>=1',
+ get_testlog() => 1,
+ },
+ cacrt => "ca.crt",
+ },
+ server => {
+ listen => { domain => AF_INET, proto => "tls", addr => "127.0.0.1" },
+ loggrep => {
+ qr/listen sock: 127.0.0.1 \d+/ => 1,
+ get_testlog() => 0,
+ },
+ },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-verify.pl b/regress/usr.sbin/syslogd/args-tls-verify.pl
new file mode 100644
index 00000000000..284ac9903d5
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-verify.pl
@@ -0,0 +1,30 @@
+# The client writes a message to Sys::Syslog native method.
+# The syslogd writes it into a file and through a pipe.
+# The syslogd passes it via TLS to localhost loghost.
+# The server receives the message on its TLS socket.
+# Find the message in client, file, pipe, syslogd, server log.
+# Check that syslogd and server log contain localhost address.
+
+use strict;
+use warnings;
+use Socket;
+
+our %args = (
+ syslogd => {
+ loghost => '@tls://localhost:$connectport',
+ loggrep => {
+ qr/Logging to FORWTLS \@tls:\/\/localhost:\d+/ => '>=4',
+ get_testlog() => 1,
+ },
+ cacrt => "ca.crt",
+ },
+ server => {
+ listen => { domain => AF_UNSPEC, proto => "tls", addr => "localhost" },
+ loggrep => {
+ qr/listen sock: (127.0.0.1|::1) \d+/ => 1,
+ get_testlog() => 1,
+ },
+ },
+);
+
+1; |