From 1eeea90b59eeccbb02854ae0bd1757c4d3d8e420 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 23 Oct 2015 22:50:09 +0000
Subject: [PATCH] Test syslogd with empty or non existing server certificates and keys.
---
.../usr.sbin/syslogd/args-tls-cert-empty.pl | 53 ++++++++++++++++++
.../usr.sbin/syslogd/args-tls-cert-noexist.pl | 54 +++++++++++++++++++
.../usr.sbin/syslogd/args-tls-key-empty.pl | 53 ++++++++++++++++++
.../usr.sbin/syslogd/args-tls-key-noexist.pl | 54 +++++++++++++++++++
4 files changed, 214 insertions(+)
create mode 100644 regress/usr.sbin/syslogd/args-tls-cert-empty.pl
create mode 100644 regress/usr.sbin/syslogd/args-tls-cert-noexist.pl
create mode 100644 regress/usr.sbin/syslogd/args-tls-key-empty.pl
create mode 100644 regress/usr.sbin/syslogd/args-tls-key-noexist.pl
diff --git a/regress/usr.sbin/syslogd/args-tls-cert-empty.pl b/regress/usr.sbin/syslogd/args-tls-cert-empty.pl
new file mode 100644
index 00000000000..c9b1aece0d2
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cert-empty.pl
@@ -0,0 +1,53 @@
+# Syslogd gets an empty TLS server certificate.
+# The client cannot connect to 127.0.0.1 TLS socket.
+# Check that syslog log contains an error message.
+
+use strict;
+use warnings;
+use Socket;
+
+my $cert = "/etc/ssl/127.0.0.1:6514.crt";
+my @sudo = $ENV{SUDO} ? $ENV{SUDO} : ();
+my @cmd = (@sudo, "cp", "--", "empty", $cert);
+system(@cmd) and die "Command '@cmd' failed: $?";
+END {
+ my @cmd = (@sudo, "rm", "-f", "--", $cert);
+ system(@cmd) and warn "Command '@cmd' failed: $?";
+}
+
+our %args = (
+ client => {
+ func => sub {
+ my $self = shift;
+ IO::Socket::INET6->new(
+ Domain => AF_INET,
+ Proto => "tcp",
+ PeerAddr => "127.0.0.1",
+ PeerPort => 6514,
+ ) and die "tcp socket connect to 127.0.0.1:6514 succeeded";
+ },
+ nocheck => 1,
+ },
+ syslogd => {
+ options => ["-S", "127.0.0.1:6514"],
+ ktrace => {
+ qr{NAMI "/etc/ssl/private/127.0.0.1:6514.key"} => 1,
+ qr{NAMI "/etc/ssl/private/127.0.0.1.key"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1:6514.crt"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1.crt"} => 0,
+ },
+ loggrep => {
+ qr{Keyfile /etc/ssl/private/127.0.0.1.key} => 1,
+ qr{Certfile $cert} => 1,
+ qr{syslogd: tls_configure server} => 2,
+ },
+ },
+ server => {
+ noserver => 1,
+ },
+ file => { nocheck => 1 },
+ pipe => { nocheck => 1 },
+ tty => { nocheck => 1 },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-cert-noexist.pl b/regress/usr.sbin/syslogd/args-tls-cert-noexist.pl
new file mode 100644
index 00000000000..cc5f2e3d350
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-cert-noexist.pl
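Review bot: The END block calls `system()`, which overwrites `$?`, and inside an END block `$?` is the status the script is about to exit with. A run that has already died can therefore exit 0 once the cleanup `rm` succeeds, which hides the failure if the harness judges the test by exit status (the harness is not visible here). Add `local $?;` as the first statement of the END block so cleanup cannot change the exit status. The END blocks in args-tls-cert-noexist.pl, args-tls-key-empty.pl and args-tls-key-noexist.pl need the same line.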
@@ -0,0 +1,54 @@
+# Syslogd gets no TLS server certificate.
+# The client cannot connect to 127.0.0.1 TLS socket.
+# Check that syslog log contains an error message.
+
+use strict;
+use warnings;
+use Socket;
+
+my $cert = "/etc/ssl/127.0.0.1.crt";
+my @sudo = $ENV{SUDO} ? $ENV{SUDO} : ();
+my @cmd = (@sudo, "rm", "-f", "--", $cert);
+system(@cmd) and die "Command '@cmd' failed: $?";
+END {
+ my @cmd = (@sudo, "cp", "--", "127.0.0.1.crt", $cert);
+ system(@cmd) and warn "Command '@cmd' failed: $?";
+}
+
+our %args = (
+ client => {
+ func => sub {
+ my $self = shift;
+ IO::Socket::INET6->new(
+ Domain => AF_INET,
+ Proto => "tcp",
+ PeerAddr => "127.0.0.1",
+ PeerPort => 6514,
+ ) and die "tcp socket connect to 127.0.0.1:6514 succeeded";
+ },
+ nocheck => 1,
+ },
+ syslogd => {
+ options => ["-S", "127.0.0.1:6514"],
+ ktrace => {
+ qr{NAMI "/etc/ssl/private/127.0.0.1:6514.key"} => 1,
+ qr{NAMI "/etc/ssl/private/127.0.0.1.key"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1:6514.crt"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1.crt"} => 1,
+ },
+ loggrep => {
+ qr{Keyfile /etc/ssl/private/127.0.0.1.key} => 1,
+ qr{Certfile } => 0,
+ qr{syslogd: open certfile: No such file or directory} => 2,
+ qr{syslogd: tls_configure server} => 2,
+ },
+ },
+ server => {
+ noserver => 1,
+ },
+ file => { nocheck => 1 },
+ pipe => { nocheck => 1 },
+ tty => { nocheck => 1 },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-key-empty.pl b/regress/usr.sbin/syslogd/args-tls-key-empty.pl
new file mode 100644
index 00000000000..be01b48199b
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-key-empty.pl
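Review bot: The setup deletes the installed `/etc/ssl/127.0.0.1.crt` with `rm -f` before anything confirms that the fixture `127.0.0.1.crt` exists in the working directory. If the fixture is missing, or the process ends on a signal so the END block never runs, the host is left without the default certificate and later TLS tests fail for an unrelated reason. Guard the removal with `-f "127.0.0.1.crt" or die "fixture 127.0.0.1.crt missing";` placed before the first `system(@cmd)`. The restore also replaces whatever certificate was installed with the fixture, which deserves a comment stating that the test assumes the installed file is that fixture. args-tls-key-noexist.pl follows the same remove-then-restore pattern for the key.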
@@ -0,0 +1,53 @@
+# Syslogd gets an empty TLS server key.
+# The client cannot connect to 127.0.0.1 TLS socket.
+# Check that syslog log contains an error message.
+
+use strict;
+use warnings;
+use Socket;
+
+my $key = "/etc/ssl/private/127.0.0.1:6514.key";
+my @sudo = $ENV{SUDO} ? $ENV{SUDO} : ();
+my @cmd = (@sudo, "cp", "--", "empty", $key);
+system(@cmd) and die "Command '@cmd' failed: $?";
+END {
+ my @cmd = (@sudo, "rm", "-f", "--", $key);
+ system(@cmd) and warn "Command '@cmd' failed: $?";
+}
+
+our %args = (
+ client => {
+ func => sub {
+ my $self = shift;
+ IO::Socket::INET6->new(
+ Domain => AF_INET,
+ Proto => "tcp",
+ PeerAddr => "127.0.0.1",
+ PeerPort => 6514,
+ ) and die "tcp socket connect to 127.0.0.1:6514 succeeded";
+ },
+ nocheck => 1,
+ },
+ syslogd => {
+ options => ["-S", "127.0.0.1:6514"],
+ ktrace => {
+ qr{NAMI "/etc/ssl/private/127.0.0.1:6514.key"} => 1,
+ qr{NAMI "/etc/ssl/private/127.0.0.1.key"} => 0,
+ qr{NAMI "/etc/ssl/127.0.0.1:6514.crt"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1.crt"} => 1,
+ },
+ loggrep => {
+ qr{Keyfile $key} => 1,
+ qr{Certfile /etc/ssl/127.0.0.1.crt} => 1,
+ qr{syslogd: tls_configure server} => 2,
+ },
+ },
+ server => {
+ noserver => 1,
+ },
+ file => { nocheck => 1 },
+ pipe => { nocheck => 1 },
+ tty => { nocheck => 1 },
+);
+
+1;
diff --git a/regress/usr.sbin/syslogd/args-tls-key-noexist.pl b/regress/usr.sbin/syslogd/args-tls-key-noexist.pl
new file mode 100644
index 00000000000..d94bccc0bb1
--- /dev/null
+++ b/regress/usr.sbin/syslogd/args-tls-key-noexist.pl
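Review bot: The client sub accepts any connect failure as a pass, because `IO::Socket::INET6->new(...) and die ...` only rejects a successful connect. An unrelated error such as a timeout or resource exhaustion would also satisfy the check that syslogd refused to open the TLS listener with an unusable key. After the constructor call, pin the expected error with `$!{ECONNREFUSED} or die "connect to 127.0.0.1:6514 failed unexpectedly: $!";`, which assumes the constructor leaves `$!` intact on failure and should be confirmed. The client subs in the other three files are written the same way.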
@@ -0,0 +1,54 @@
+# Syslogd gets no TLS server key.
+# The client cannot connect to 127.0.0.1 TLS socket.
+# Check that syslog log contains an error message.
+
+use strict;
+use warnings;
+use Socket;
+
+my $key = "/etc/ssl/private/127.0.0.1.key";
+my @sudo = $ENV{SUDO} ? $ENV{SUDO} : ();
+my @cmd = (@sudo, "rm", "-f", "--", $key);
+system(@cmd) and die "Command '@cmd' failed: $?";
+END {
+ my @cmd = (@sudo, "cp", "--", "127.0.0.1.key", $key);
+ system(@cmd) and warn "Command '@cmd' failed: $?";
+}
+
+our %args = (
+ client => {
+ func => sub {
+ my $self = shift;
+ IO::Socket::INET6->new(
+ Domain => AF_INET,
+ Proto => "tcp",
+ PeerAddr => "127.0.0.1",
+ PeerPort => 6514,
+ ) and die "tcp socket connect to 127.0.0.1:6514 succeeded";
+ },
+ nocheck => 1,
+ },
+ syslogd => {
+ options => ["-S", "127.0.0.1:6514"],
+ ktrace => {
+ qr{NAMI "/etc/ssl/private/127.0.0.1:6514.key"} => 1,
+ qr{NAMI "/etc/ssl/private/127.0.0.1.key"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1:6514.crt"} => 1,
+ qr{NAMI "/etc/ssl/127.0.0.1.crt"} => 1,
+ },
+ loggrep => {
+ qr{Keyfile } => 0,
+ qr{Certfile /etc/ssl/127.0.0.1.crt} => 1,
+ qr{syslogd: open keyfile: No such file or directory} => 2,
+ qr{syslogd: tls_configure server} => 2,
+ },
+ },
+ server => {
+ noserver => 1,
+ },
+ file => { nocheck => 1 },
+ pipe => { nocheck => 1 },
+ tty => { nocheck => 1 },
+);
+
+1;
-- 2.20.1
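Review bot: The END block restores the private key with a plain `cp`, so the recreated `/etc/ssl/private/127.0.0.1.key` takes its mode from the fixture file and the umask rather than from an explicit setting. If the fixture in the regress directory is group- or world-readable, the restored key is too, and only the permissions on `/etc/ssl/private` itself (not visible here) would still protect it. Set the mode explicitly when restoring, for example `my @cmd = (@sudo, "install", "-m", "0600", "--", "127.0.0.1.key", $key);`. Owner and group should match whatever the original installation step uses, which is outside this patch.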