On 27/06/16 02:02, Alexander Bluhm wrote: > On Thu, Jun 23, 2016 at 07:52:06PM +0300, Kapetanakis Giannis wrote: >> On 23/06/16 18:14, Kapetanakis Giannis wrote: >>> It adds two switches: >>> -c client_cert_file >>> -k client_key_file > > That's fine. > >>> Minor modification in CAfile setup as well to match the netcat code. > > Please do not change that now. There is a diff for libtls and > syslogd floating around that will make the code much simpler. > ... > bluhm
Thanks for the comments. new version with all changes ok? Giannis
Index: syslogd.8
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.40
diff -u -p -r1.40 syslogd.8
--- syslogd.8	31 Mar 2016 15:53:25 -0000	1.40
+++ syslogd.8	27 Jun 2016 13:53:50 -0000
@@ -42,7 +42,9 @@
 .Op Fl 46dFhnuV
 .Op Fl a Ar path
 .Op Fl C Ar CAfile
+.Op Fl c Ar cert_file
 .Op Fl f Ar config_file
+.Op Fl k Ar key_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
 .Op Fl S Ar listen_address
@@ -81,6 +83,9 @@ PEM encoded file containing CA certifica
 validation;
 the default is
 .Pa /etc/ssl/cert.pem .
+.It Fl c Ar cert_file
+PEM encoded file containing the client certificate for TLS connection
+to a remote host. The default is not to use a certificate.
 .It Fl d
 Enable debugging to the standard output,
 and do not disassociate from the controlling terminal.
@@ -93,6 +98,9 @@ the default is
 .Pa /etc/syslog.conf .
 .It Fl h
 Include the hostname when forwarding messages to a remote host.
+.It Fl k Ar key_file
+PEM encoded file containing the client private key for TLS connection
+to a remote host.
 .It Fl m Ar mark_interval
 Select the number of minutes between
 .Dq mark
Index: syslogd.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.205
diff -u -p -r1.205 syslogd.c
--- syslogd.c	2 Apr 2016 19:55:10 -0000	1.205
+++ syslogd.c	27 Jun 2016 13:53:51 -0000
@@ -225,6 +225,8 @@ struct tls *server_ctx;
 struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 int NoVerify = 0;		/* do not verify TLS server x509 certificate */
+char *ClientCertfile = NULL;
+char *ClientKeyfile = NULL;
 int tcpbuf_dropped = 0;		/* count messages dropped from TCP or TLS */
 
 #define CTL_READING_CMD 1
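Review bot: In the @@ -225 hunk of syslogd.c the two new globals are declared `char *` although they only ever receive `optarg` and sit right next to `const char *CAfile`; declaring them `const char *` is consistent and still satisfies tls_load_file(), which takes a `const char *`. Every neighbouring global also carries a trailing purpose comment, which the new lines lack: `const char *ClientCertfile = NULL;	/* file containing client certificate */` and `const char *ClientKeyfile = NULL;	/* file containing client private key */`.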
@@ -353,7 +355,7 @@ main(int argc, char *argv[])
 	int ch, i;
 	int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
 
-	while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1)
+	while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) != -1)
 		switch (ch) {
 		case '4':		/* disable IPv6 */
 			Family = PF_INET;
@@ -369,6 +371,9 @@ main(int argc, char *argv[])
 		case 'C':		/* file containing CA certificates */
 			CAfile = optarg;
 			break;
+		case 'c':		/* file containing client certificate */
+			ClientCertfile = optarg;
+			break;
 		case 'd':		/* debug */
 			Debug++;
 			break;
@@ -381,6 +386,9 @@ main(int argc, char *argv[])
 		case 'h':		/* RFC 3164 hostnames */
 			IncludeHostname = 1;
 			break;
+		case 'k':		/* file containing client key */
+			ClientKeyfile = optarg;
+			break;
 		case 'm':		/* mark interval */
 			MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr);
 			if (errstr)
@@ -582,6 +590,31 @@ main(int argc, char *argv[])
 		free(p);
 		close(fd);
 	}
+	if (ClientCertfile && ClientKeyfile) {
+		uint8_t *clientcert, *clientkey;
+		size_t clientcertlen, clientkeylen;
+
+		clientcert = tls_load_file(ClientCertfile, &clientcertlen, NULL);
+		if (clientcert == NULL) {
+			logerror("unable to load client TLS certificate file");
+		} else if (tls_config_set_cert_mem(client_config, clientcert,
+		    clientcertlen) == -1) {
+			logerror("unable to set client TLS certificate file");
+		} else {
+			logdebug("Client cert_file %s\n", ClientCertfile);
+		}
+		clientkey = tls_load_file(ClientKeyfile, &clientkeylen, NULL);
+		if (clientkey == NULL) {
+			logerror("unable to load client TLS key file");
+		} else if (tls_config_set_key_mem(client_config, clientkey,
+		    clientkeylen) == -1) {
+			logerror("unable to set client TLS key file");
+		} else {
+			logdebug("Client key_file %s\n", ClientKeyfile);
+		}
+	} else if (ClientCertfile || ClientKeyfile) {
+		logerrorx("options -c and -k must be used together");
+	}
 	tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
 	if (tls_config_set_ciphers(client_config, "compat") != 0)
 		logerror("tls set client ciphers");
@@ -1483,9 +1516,10 @@ usage(void)
 {
 
 	(void)fprintf(stderr,
-	    "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-f config_file]\n"
-	    "               [-m mark_interval] [-p log_socket] [-S listen_address]\n"
-	    "               [-s reporting_socket] [-T listen_address] [-U bind_address]\n");
+	    "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
+	    "               [-f config_file] [-k key_file] [-m mark_interval]\n"
+	    "               [-p log_socket] [-S listen_address] [-s reporting_socket]\n"
+	    "               [-T listen_address] [-U bind_address]\n");
 	exit(1);
 }
 
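Review bot: In the @@ -582 hunk the buffers returned by tls_load_file() are never released, so the heap copy of the client private key in `clientkey` stays readable in the process for its whole lifetime even though, as far as I can tell, tls_config_set_key_mem() keeps its own copy; after the two set calls add `if (clientkey != NULL) explicit_bzero(clientkey, clientkeylen);` followed by `free(clientkey);` and `free(clientcert);`. A second point is that each load/set failure is only logged with logerror(), so a failed key load leaves client_config holding a certificate without a key (or the reverse) and the later TLS connect will presumably fail with a less specific message; either treat these failures as fatal or only call the set functions once both files have loaded. The `logerrorx("options -c and -k must be used together")` branch is likewise non-fatal, so the daemon carries on without the client identity the operator asked for, where a usage-style exit would be the safer behaviour. main() starts and ends outside the hunk.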