syslogd validate client certificates

Sun, 04 Sep 2016 18:30:38 -0700 

Hi,

Add an option to give syslogd a server CA that is used to validate
client certificates.  This prevent that malicious clients can send
fake messages.

ok?

bluhm

Index: usr.sbin/syslogd/syslogd.8
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.42
diff -u -p -r1.42 syslogd.8
--- usr.sbin/syslogd/syslogd.8  12 Jul 2016 23:04:30 -0000      1.42
+++ usr.sbin/syslogd/syslogd.8  5 Sep 2016 01:18:00 -0000
@@ -44,6 +44,7 @@
 .Op Fl C Ar CAfile
 .Op Fl c Ar cert_file
 .Op Fl f Ar config_file
+.Op Fl K Ar server_CAfile
 .Op Fl k Ar key_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
@@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
 validation;
 the default is
 .Pa /etc/ssl/cert.pem .
+Validate remote server certificates and their hostnames with this
+CA to prevent that malicious servers read messages.
+This validation can be explicitly turned off using the
+.Fl V
+switch.
 .It Fl c Ar cert_file
 PEM encoded file containing the client certificate for TLS connections
 to a remote host.
@@ -102,6 +108,12 @@ the default is
 .Pa /etc/syslog.conf .
 .It Fl h
 Include the hostname when forwarding messages to a remote host.
+.It Fl K Ar server_CAfile
+PEM encoded file containing CA certificates used for certificate
+valitation on the local server socket.
+By default incomming connections from any TLS server are allowed.
+Enforce client certificates and validate them with this CA to prevent
+that malicious clients send fake messages.
 .It Fl k Ar key_file
 PEM encoded file containing the client private key for TLS connections
 to a remote host.
@@ -170,7 +182,8 @@ accept input from the UDP port.
 Some software wants this, but you can be subjected to a variety of
 attacks over the network, including attackers remotely filling logs.
 .It Fl V
-Do not perform server certificate and hostname validation.
+Do not perform remote server certificate and hostname validation
+when sending messages.
 .El
 .Pp
 .Nm
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.212
diff -u -p -r1.212 syslogd.c
--- usr.sbin/syslogd/syslogd.c  29 Aug 2016 20:31:56 -0000      1.212
+++ usr.sbin/syslogd/syslogd.c  5 Sep 2016 01:20:06 -0000
@@ -225,8 +225,9 @@ struct      tls *server_ctx;
 struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 int    NoVerify = 0;           /* do not verify TLS server x509 certificate */
-char   *ClientCertfile = NULL;
-char   *ClientKeyfile = NULL;
+const char *ClientCertfile = NULL;
+const char *ClientKeyfile = NULL;
+const char *ServerCAfile = NULL;
 int    tcpbuf_dropped = 0;     /* count messages dropped from TCP or TLS */
 
 #define CTL_READING_CMD                1
@@ -356,7 +357,7 @@ main(int argc, char *argv[])
        int              ch, i;
        int              lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
 
-       while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
+       while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
            != -1)
                switch (ch) {
                case '4':               /* disable IPv6 */
@@ -388,6 +389,9 @@ main(int argc, char *argv[])
                case 'h':               /* RFC 3164 hostnames */
                        IncludeHostname = 1;
                        break;
+               case 'K':               /* verify client with CA file */
+                       ServerCAfile = optarg;
+                       break;
                case 'k':               /* file containing client key */
                        ClientKeyfile = optarg;
                        break;
@@ -625,6 +629,17 @@ main(int argc, char *argv[])
                        break;
                }
 
+               if (ServerCAfile) {
+                       if (tls_config_set_ca_file(server_config,
+                           ServerCAfile) == -1) {
+                               logerrortlsconf("Load server TLS CA failed",
+                                   server_config);
+                               /* avoid reading default certs in chroot */
+                               tls_config_set_ca_mem(server_config, "", 0);
+                       } else
+                               logdebug("Server CAfile %s\n", ServerCAfile);
+                       tls_config_verify_client(server_config);
+               }
                tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
                if (tls_config_set_ciphers(server_config, "compat") != 0)
                        logerrortlsconf("Set server TLS ciphers failed",
@@ -1453,9 +1468,9 @@ usage(void)
 
        (void)fprintf(stderr,
            "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
-           "\t[-f config_file] [-k key_file] [-m mark_interval]\n"
-           "\t[-p log_socket] [-S listen_address] [-s reporting_socket]\n"
-           "\t[-T listen_address] [-U bind_address]\n");
+           "\t[-f config_file] [-K server_CAfile] [-k key_file]\n"
+           "\t[-m mark_interval] [-p log_socket] [-S listen_address]\n"
+           "\t[-s reporting_socket] [-T listen_address] [-U bind_address]\n");
        exit(1);
 }

Reply via email to