diff options
| author |   bluhm <bluhm@openbsd.org> | 2016-07-12 09:47:25 +0000 |
|---|---|---|
| committer | bluhm <bluhm@openbsd.org> | 2016-07-12 09:47:25 +0000 |
| commit | ea1eb58efa7e567c5158b9dae86e23d07468dd9c (patch) | |
| tree | c9631a0d544b75d8b96b68d42ccd250f36a14f32 | |
| parent | Directly drop packets filtered by bpf(4) instead of going through the (diff) | |
| download | wireguard-openbsd-ea1eb58efa7e567c5158b9dae86e23d07468dd9c.tar.xz wireguard-openbsd-ea1eb58efa7e567c5158b9dae86e23d07468dd9c.zip | |
Add support for TLS client certificates in syslogd. This allows a
remote server to verify that the log messages from our syslogd are
authentic.
From Kapetanakis Giannis; man page input jmc@; OK jung@ deraadt@
| -rw-r--r-- | usr.sbin/syslogd/syslogd.8 | 16 | ||||
| -rw-r--r-- | usr.sbin/syslogd/syslogd.c | 45 |
2 files changed, 54 insertions, 7 deletions
diff --git a/usr.sbin/syslogd/syslogd.8 b/usr.sbin/syslogd/syslogd.8 index cbd4cf71cc0..0c09aa17038 100644 --- a/usr.sbin/syslogd/syslogd.8 +++ b/usr.sbin/syslogd/syslogd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: syslogd.8,v 1.40 2016/03/31 15:53:25 schwarze Exp $ +.\" $OpenBSD: syslogd.8,v 1.41 2016/07/12 09:47:25 bluhm Exp $ .\" .\" Copyright (c) 1983, 1986, 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -30,7 +30,7 @@ .\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93 .\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $ .\" -.Dd $Mdocdate: March 31 2016 $ +.Dd $Mdocdate: July 12 2016 $ .Dt SYSLOGD 8 .Os .Sh NAME @@ -42,7 +42,9 @@ .Op Fl 46dFhnuV .Op Fl a Ar path .Op Fl C Ar CAfile +.Op Fl c Ar cert_file .Op Fl f Ar config_file +.Op Fl k Ar key_file .Op Fl m Ar mark_interval .Op Fl p Ar log_socket .Op Fl S Ar listen_address @@ -81,6 +83,11 @@ PEM encoded file containing CA certificates used for certificate validation; the default is .Pa /etc/ssl/cert.pem . +.It Fl c Ar cert_file +PEM encoded file containing the client certificate for TLS connections +to a remote host. +The default is not to use a client certificate for the connection +to a syslog server. .It Fl d Enable debugging to the standard output, and do not disassociate from the controlling terminal. @@ -93,6 +100,11 @@ the default is .Pa /etc/syslog.conf . .It Fl h Include the hostname when forwarding messages to a remote host. +.It Fl k Ar key_file +PEM encoded file containing the client private key for TLS connections +to a remote host. +This option has to be used together with +.Fl c Ar cert_file . .It Fl m Ar mark_interval Select the number of minutes between .Dq mark diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index 881fe0b79c0..db8ef33f7f1 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.208 2016/07/06 19:29:13 millert Exp $ */ +/* $OpenBSD: syslogd.c,v 1.209 2016/07/12 09:47:25 bluhm Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -225,6 +225,8 @@ struct tls *server_ctx; struct tls_config *client_config, *server_config; const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */ int NoVerify = 0; /* do not verify TLS server x509 certificate */ +char *ClientCertfile = NULL; +char *ClientKeyfile = NULL; int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ #define CTL_READING_CMD 1 @@ -353,7 +355,8 @@ main(int argc, char *argv[]) int ch, i; int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; - while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1) + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) + != -1) switch (ch) { case '4': /* disable IPv6 */ Family = PF_INET; @@ -369,6 +372,9 @@ main(int argc, char *argv[]) case 'C': /* file containing CA certificates */ CAfile = optarg; break; + case 'c': /* file containing client certificate */ + ClientCertfile = optarg; + break; case 'd': /* debug */ Debug++; break; @@ -381,6 +387,9 @@ main(int argc, char *argv[]) case 'h': /* RFC 3164 hostnames */ IncludeHostname = 1; break; + case 'k': /* file containing client key */ + ClientKeyfile = optarg; + break; case 'm': /* mark interval */ MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr); if (errstr) @@ -582,6 +591,31 @@ main(int argc, char *argv[]) free(p); close(fd); } + if (ClientCertfile && ClientKeyfile) { + uint8_t *cert, *key; + size_t certlen, keylen; + + cert = tls_load_file(ClientCertfile, &certlen, NULL); + if (cert == NULL) { + logerror("load client TLS cert failed"); + } else if (tls_config_set_cert_mem(client_config, cert, + certlen) == -1) { + logerror("set client TLS cert failed"); + } else { + logdebug("ClientCertfile %s\n", ClientCertfile); + } + key = tls_load_file(ClientKeyfile, &keylen, NULL); + if (key == NULL) { + logerror("load client TLS key failed"); + } else if (tls_config_set_key_mem(client_config, key, + keylen) == -1) { + logerror("set client TLS key failed"); + } else { + logdebug("ClientKeyfile %s\n", ClientKeyfile); + } + } else if (ClientCertfile || ClientKeyfile) { + logerrorx("options -c and -k must be used together"); + } tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL); if (tls_config_set_ciphers(client_config, "compat") != 0) logerror("tls set client ciphers"); @@ -1483,9 +1517,10 @@ usage(void) { (void)fprintf(stderr, - "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-f config_file]\n" - " [-m mark_interval] [-p log_socket] [-S listen_address]\n" - " [-s reporting_socket] [-T listen_address] [-U bind_address]\n"); + "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n" + "\t[-f config_file] [-k key_file] [-m mark_interval]\n" + "\t[-p log_socket] [-S listen_address] [-s reporting_socket]\n" + "\t[-T listen_address] [-U bind_address]\n"); exit(1); } |