On Mon, Sep 05, 2016 at 03:25:22AM +0200, Alexander Bluhm wrote: > Hi, > > Add an option to give syslogd a server CA that is used to validate > client certificates. This prevent that malicious clients can send > fake messages. > > ok?
Could anyone have a look at the validation code. I will create nicer man page together with jmc@ afterwards. bluhm > > bluhm > > Index: usr.sbin/syslogd/syslogd.8 > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v > retrieving revision 1.42 > diff -u -p -r1.42 syslogd.8 > --- usr.sbin/syslogd/syslogd.8 12 Jul 2016 23:04:30 -0000 1.42 > +++ usr.sbin/syslogd/syslogd.8 5 Sep 2016 01:18:00 -0000 > @@ -44,6 +44,7 @@ > .Op Fl C Ar CAfile > .Op Fl c Ar cert_file > .Op Fl f Ar config_file > +.Op Fl K Ar server_CAfile > .Op Fl k Ar key_file > .Op Fl m Ar mark_interval > .Op Fl p Ar log_socket > @@ -83,6 +84,11 @@ PEM encoded file containing CA certifica > validation; > the default is > .Pa /etc/ssl/cert.pem . > +Validate remote server certificates and their hostnames with this > +CA to prevent that malicious servers read messages. > +This validation can be explicitly turned off using the > +.Fl V > +switch. > .It Fl c Ar cert_file > PEM encoded file containing the client certificate for TLS connections > to a remote host. > @@ -102,6 +108,12 @@ the default is > .Pa /etc/syslog.conf . > .It Fl h > Include the hostname when forwarding messages to a remote host. > +.It Fl K Ar server_CAfile > +PEM encoded file containing CA certificates used for certificate > +valitation on the local server socket. > +By default incomming connections from any TLS server are allowed. > +Enforce client certificates and validate them with this CA to prevent > +that malicious clients send fake messages. > .It Fl k Ar key_file > PEM encoded file containing the client private key for TLS connections > to a remote host. > @@ -170,7 +182,8 @@ accept input from the UDP port. > Some software wants this, but you can be subjected to a variety of > attacks over the network, including attackers remotely filling logs. > .It Fl V > -Do not perform server certificate and hostname validation. > +Do not perform remote server certificate and hostname validation > +when sending messages. > .El > .Pp > .Nm > Index: usr.sbin/syslogd/syslogd.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v > retrieving revision 1.212 > diff -u -p -r1.212 syslogd.c > --- usr.sbin/syslogd/syslogd.c 29 Aug 2016 20:31:56 -0000 1.212 > +++ usr.sbin/syslogd/syslogd.c 5 Sep 2016 01:20:06 -0000 > @@ -225,8 +225,9 @@ struct tls *server_ctx; > struct tls_config *client_config, *server_config; > const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates > */ > int NoVerify = 0; /* do not verify TLS server x509 certificate */ > -char *ClientCertfile = NULL; > -char *ClientKeyfile = NULL; > +const char *ClientCertfile = NULL; > +const char *ClientKeyfile = NULL; > +const char *ServerCAfile = NULL; > int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ > > #define CTL_READING_CMD 1 > @@ -356,7 +357,7 @@ main(int argc, char *argv[]) > int ch, i; > int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; > > - while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) > + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV")) > != -1) > switch (ch) { > case '4': /* disable IPv6 */ > @@ -388,6 +389,9 @@ main(int argc, char *argv[]) > case 'h': /* RFC 3164 hostnames */ > IncludeHostname = 1; > break; > + case 'K': /* verify client with CA file */ > + ServerCAfile = optarg; > + break; > case 'k': /* file containing client key */ > ClientKeyfile = optarg; > break; > @@ -625,6 +629,17 @@ main(int argc, char *argv[]) > break; > } > > + if (ServerCAfile) { > + if (tls_config_set_ca_file(server_config, > + ServerCAfile) == -1) { > + logerrortlsconf("Load server TLS CA failed", > + server_config); > + /* avoid reading default certs in chroot */ > + tls_config_set_ca_mem(server_config, "", 0); > + } else > + logdebug("Server CAfile %s\n", ServerCAfile); > + tls_config_verify_client(server_config); > + } > tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL); > if (tls_config_set_ciphers(server_config, "compat") != 0) > logerrortlsconf("Set server TLS ciphers failed", > @@ -1453,9 +1468,9 @@ usage(void) > > (void)fprintf(stderr, > "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n" > - "\t[-f config_file] [-k key_file] [-m mark_interval]\n" > - "\t[-p log_socket] [-S listen_address] [-s reporting_socket]\n" > - "\t[-T listen_address] [-U bind_address]\n"); > + "\t[-f config_file] [-K server_CAfile] [-k key_file]\n" > + "\t[-m mark_interval] [-p log_socket] [-S listen_address]\n" > + "\t[-s reporting_socket] [-T listen_address] [-U bind_address]\n"); > exit(1); > } >