On 12/07/16 02:28, Alexander Bluhm wrote:
> On Mon, Jun 27, 2016 at 05:10:14PM +0300, Kapetanakis Giannis wrote:
>> new version with all changes
> 
> I have polished the diff a bit and would like to commit it.
> 
> ok?
> 
> bluhm

Nice,

One question. Since you've already changed to tls_config_set_XXX_file for the 
server side
https://www.marc.info/?l=openbsd-tech&m=146784645120595&w=2
would it be ok to use those functions for the client as well
instead of tls_load_file && tls_config_set_XXX_mem ?

G

> 
> Index: usr.sbin/syslogd/syslogd.8
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.40
> diff -u -p -r1.40 syslogd.8
> --- usr.sbin/syslogd/syslogd.8        31 Mar 2016 15:53:25 -0000      1.40
> +++ usr.sbin/syslogd/syslogd.8        11 Jul 2016 22:07:22 -0000
> @@ -42,7 +42,9 @@
>  .Op Fl 46dFhnuV
>  .Op Fl a Ar path
>  .Op Fl C Ar CAfile
> +.Op Fl c Ar cert_file
>  .Op Fl f Ar config_file
> +.Op Fl k Ar key_file
>  .Op Fl m Ar mark_interval
>  .Op Fl p Ar log_socket
>  .Op Fl S Ar listen_address
> @@ -81,6 +83,11 @@ PEM encoded file containing CA certifica
>  validation;
>  the default is
>  .Pa /etc/ssl/cert.pem .
> +.It Fl c Ar cert_file
> +PEM encoded file containing the client certificate for TLS connection
> +to a remote host.
> +The default is not to use a client certificate for the connection
> +to a syslog server.
>  .It Fl d
>  Enable debugging to the standard output,
>  and do not disassociate from the controlling terminal.
> @@ -93,6 +100,11 @@ the default is
>  .Pa /etc/syslog.conf .
>  .It Fl h
>  Include the hostname when forwarding messages to a remote host.
> +.It Fl k Ar key_file
> +PEM encoded file containing the client private key for TLS connection
> +to a remote host.
> +This option has to be used together with
> +.Fl c Ar cert_file .
>  .It Fl m Ar mark_interval
>  Select the number of minutes between
>  .Dq mark
> Index: usr.sbin/syslogd/syslogd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.208
> diff -u -p -r1.208 syslogd.c
> --- usr.sbin/syslogd/syslogd.c        6 Jul 2016 19:29:13 -0000       1.208
> +++ usr.sbin/syslogd/syslogd.c        11 Jul 2016 23:06:48 -0000
> @@ -225,6 +225,8 @@ struct    tls *server_ctx;
>  struct       tls_config *client_config, *server_config;
>  const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates 
> */
>  int  NoVerify = 0;           /* do not verify TLS server x509 certificate */
> +char *ClientCertfile = NULL;
> +char *ClientKeyfile = NULL;
>  int  tcpbuf_dropped = 0;     /* count messages dropped from TCP or TLS */
>  
>  #define CTL_READING_CMD              1
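Review bot: `ClientCertfile` and `ClientKeyfile` are only ever assigned from `optarg` and handed to tls_load_file(), which takes a `const char *` path, so declaring them `const char *ClientCertfile = NULL;` and `const char *ClientKeyfile = NULL;` would match `CAfile` two lines above and keep the option strings read-only. The neighbouring globals each carry a trailing comment; `/* file containing client certificate */` and `/* file containing client private key */` would keep the block uniform.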
> @@ -353,7 +355,8 @@ main(int argc, char *argv[])
>       int              ch, i;
>       int              lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
>  
> -     while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1)
> +     while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
> +         != -1)
>               switch (ch) {
>               case '4':               /* disable IPv6 */
>                       Family = PF_INET;
> @@ -369,6 +372,9 @@ main(int argc, char *argv[])
>               case 'C':               /* file containing CA certificates */
>                       CAfile = optarg;
>                       break;
> +             case 'c':               /* file containing client certificate */
> +                     ClientCertfile = optarg;
> +                     break;
>               case 'd':               /* debug */
>                       Debug++;
>                       break;
> @@ -381,6 +387,9 @@ main(int argc, char *argv[])
>               case 'h':               /* RFC 3164 hostnames */
>                       IncludeHostname = 1;
>                       break;
> +             case 'k':               /* file containing client key */
> +                     ClientKeyfile = optarg;
> +                     break;
>               case 'm':               /* mark interval */
>                       MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr);
>                       if (errstr)
> @@ -582,6 +591,31 @@ main(int argc, char *argv[])
>                       free(p);
>                       close(fd);
>               }
> +             if (ClientCertfile && ClientKeyfile) {
> +                     uint8_t *cert, *key;
> +                     size_t certlen, keylen;
> +
> +                     cert = tls_load_file(ClientCertfile, &certlen, NULL);
> +                     if (cert == NULL) {
> +                             logerror("load client TLS cert failed");
> +                     } else if (tls_config_set_cert_mem(client_config, cert,
> +                         certlen) == -1) {
> +                             logerror("set client TLS cert failed");
> +                     } else {
> +                             logdebug("ClientCertfile %s\n", ClientCertfile);
> +                     }
> +                     key = tls_load_file(ClientKeyfile, &keylen, NULL);
> +                     if (key == NULL) {
> +                             logerror("load client TLS key failed");
> +                     } else if (tls_config_set_key_mem(client_config, key,
> +                         keylen) == -1) {
> +                             logerror("set client TLS key failed");
> +                     } else {
> +                             logdebug("ClientKeyfile %s\n", ClientKeyfile);
> +                     }
> +             } else if (ClientCertfile || ClientKeyfile) {
> +                     logerrorx("options -c and -k must be used together");
> +             }
>               tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
>               if (tls_config_set_ciphers(client_config, "compat") != 0)
>                       logerror("tls set client ciphers");
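Review bot: The buffers returned by tls_load_file() into `cert` and `key` are never freed, so main() leaks them and, more importantly, leaves the client private key material sitting in the heap for the lifetime of the daemon. The libtls *_mem setters take their own copy of the data, so both buffers can be released right after the set calls; the key buffer should be cleared with explicit_bzero() before free(), as libtls does when it frees its own copy. `keylen` is only written when the load succeeds, so the zeroing has to be guarded on `key != NULL`. The enclosing main() starts and ends outside this hunk.
```c
			cert = tls_load_file(ClientCertfile, &certlen, NULL);
			/* … unchanged: tls_config_set_cert_mem, logerror/logdebug … */
			free(cert);
			key = tls_load_file(ClientKeyfile, &keylen, NULL);
			/* … unchanged: tls_config_set_key_mem, logerror/logdebug … */
			if (key != NULL) {
				explicit_bzero(key, keylen);
				free(key);
			}
```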
> @@ -1483,9 +1517,10 @@ usage(void)
>  {
>  
>       (void)fprintf(stderr,
> -         "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-f 
> config_file]\n"
> -         "               [-m mark_interval] [-p log_socket] [-S 
> listen_address]\n"
> -         "               [-s reporting_socket] [-T listen_address] [-U 
> bind_address]\n");
> +         "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
> +         "\t[-f config_file] [-k key_file] [-m mark_interval]\n"
> +         "\t[-p log_socket] [-S listen_address] [-s reporting_socket]\n"
> +         "\t[-T listen_address] [-U bind_address]\n");
>       exit(1);
>  }
>  
> 
