author | 2016-09-21 11:54:57 +0000 | |
committer | 2016-09-21 11:54:57 +0000 | |
commit | fc5f61b54fb431177df083b1bcdf629794bdb778 (patch) | |
tree | 4ab1b75eb5c84ecb2940773438757eca65bbd562 | |
parent | Modernize arm assembly in the kernel for clang. (diff) | |
Add an option to give syslogd a server CA that is used to validate
client certificates. This prevents malicious clients from sending
fake messages.
OK deraadt@
-rw-r--r-- | usr.sbin/syslogd/syslogd.8 | 19 | ||||
-rw-r--r-- | usr.sbin/syslogd/syslogd.c | 29 |
2 files changed, 38 insertions, 10 deletions
diff --git a/usr.sbin/syslogd/syslogd.8 b/usr.sbin/syslogd/syslogd.8
index 15a27549d9e..da9716b9afc 100644
--- a/usr.sbin/syslogd/syslogd.8
+++ b/usr.sbin/syslogd/syslogd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: syslogd.8,v 1.42 2016/07/12 23:04:30 bluhm Exp $
+.\" $OpenBSD: syslogd.8,v 1.43 2016/09/21 11:54:57 bluhm Exp $
 .\"
 .\" Copyright (c) 1983, 1986, 1991, 1993
 .\" The Regents of the University of California. All rights reserved.
@@ -30,7 +30,7 @@
 .\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93
 .\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $
 .\"
-.Dd $Mdocdate: July 12 2016 $
+.Dd $Mdocdate: September 21 2016 $
 .Dt SYSLOGD 8
 .Os
 .Sh NAME
@@ -44,6 +44,7 @@
 .Op Fl C Ar CAfile
 .Op Fl c Ar cert_file
 .Op Fl f Ar config_file
+.Op Fl K Ar server_CAfile
 .Op Fl k Ar key_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
@@ -83,6 +84,11 @@ PEM encoded file containing CA certificates used for certificate
 validation; the default is
 .Pa /etc/ssl/cert.pem .
+Validate remote server certificates and their hostnames with this
+CA to prevent that malicious servers read messages.
+This validation can be explicitly turned off using the
+.Fl V
+switch.
 .It Fl c Ar cert_file
 PEM encoded file containing the client certificate for TLS connections
 to a remote host.
@@ -102,6 +108,12 @@ the default is
 .Pa /etc/syslog.conf .
 .It Fl h
 Include the hostname when forwarding messages to a remote host.
+.It Fl K Ar server_CAfile
+PEM encoded file containing CA certificates used for certificate
+valitation on the local server socket.
+By default incomming connections from any TLS server are allowed.
+Enforce client certificates and validate them with this CA to prevent
+that malicious clients send fake messages.
 .It Fl k Ar key_file
 PEM encoded file containing the client private key for TLS connections
 to a remote host.
@@ -170,7 +182,8 @@ accept input from the UDP port.
 Some software wants this, but you can be subjected to a variety of attacks over the network, including attackers remotely filling logs.
 .It Fl V
-Do not perform server certificate and hostname validation.
+Do not perform remote server certificate and hostname validation
+when sending messages.
 .El
 .Pp
 .Nm
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index 8ec0a297613..23de4e501a9 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.212 2016/08/29 20:31:56 bluhm Exp $ */
+/* $OpenBSD: syslogd.c,v 1.213 2016/09/21 11:54:57 bluhm Exp $ */
 /*
 * Copyright (c) 1983, 1988, 1993, 1994
@@ -225,8 +225,9 @@ struct tls *server_ctx;
 struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 int NoVerify = 0; /* do not verify TLS server x509 certificate */
-char *ClientCertfile = NULL;
-char *ClientKeyfile = NULL;
+const char *ClientCertfile = NULL;
+const char *ClientKeyfile = NULL;
+const char *ServerCAfile = NULL;
 int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
 #define CTL_READING_CMD 1
@@ -356,7 +357,7 @@ main(int argc, char *argv[])
 int ch, i;
 int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
-while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
+while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
 != -1)
 switch (ch) {
 case '4': /* disable IPv6 */
@@ -388,6 +389,9 @@ main(int argc, char *argv[])
 case 'h': /* RFC 3164 hostnames */
 IncludeHostname = 1;
 break;
+case 'K': /* verify client with CA file */
+ServerCAfile = optarg;
+break;
 case 'k': /* file containing client key */
 ClientKeyfile = optarg;
 break;
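Review bot: `const char *ServerCAfile = NULL;` in the declaration hunk at -225 is the only TLS setting in that group without a trailing comment, while `CAfile` and `NoVerify` next to it each carry one explaining their role. The name alone does not say which side of the connection it governs, and there are now two CA globals that are easy to confuse: `CAfile` validates remote servers that syslogd sends to, this one validates clients on the listening socket. Add `const char *ServerCAfile = NULL; /* CA file used to verify client certs on the listen socket */` so the distinction is visible at the declaration rather than only in the option parsing further down.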
@@ -625,6 +629,17 @@ main(int argc, char *argv[])
 break;
 }
+if (ServerCAfile) {
+if (tls_config_set_ca_file(server_config,
+ServerCAfile) == -1) {
+logerrortlsconf("Load server TLS CA failed",
+server_config);
+/* avoid reading default certs in chroot */
+tls_config_set_ca_mem(server_config, "", 0);
+} else
+logdebug("Server CAfile %s\n", ServerCAfile);
+tls_config_verify_client(server_config);
+}
 tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
 if (tls_config_set_ciphers(server_config, "compat") != 0)
 logerrortlsconf("Set server TLS ciphers failed",
@@ -1453,9 +1468,9 @@ usage(void)
 (void)fprintf(stderr,
 "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
-"\t[-f config_file] [-k key_file] [-m mark_interval]\n"
-"\t[-p log_socket] [-S listen_address] [-s reporting_socket]\n"
-"\t[-T listen_address] [-U bind_address]\n");
+"\t[-f config_file] [-K server_CAfile] [-k key_file]\n"
+"\t[-m mark_interval] [-p log_socket] [-S listen_address]\n"
+"\t[-s reporting_socket] [-T listen_address] [-U bind_address]\n");
 exit(1);
 }
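Review bot: In the `if (ServerCAfile)` block added after the `}` context line, a CA file that fails to load is replaced by an empty in-memory CA store and `tls_config_verify_client(server_config)` is still applied, so the daemon keeps running but presumably cannot verify any client certificate and will refuse every TLS client; that fail-closed outcome is the safe one, but the comment only explains the chroot concern, not that the listener is now in a deny-all state that an operator must spot from the "Load server TLS CA failed" log line. Replace the comment with `/* CA unusable: keep an empty store so client verification fails closed rather than falling back to default certs inside the chroot */` so the next reader does not mistake the fallthrough for a best-effort mode. The return value of `tls_config_set_ca_mem()` is also discarded, unlike the checked `tls_config_set_ca_file()` call two lines above; reporting it through `logerrortlsconf()` as well would keep the two paths consistent. main() starts and ends outside the hunk.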