Call tls_close() in libevent TLS wrapper of syslogd when the other

side terminates the TLS connection.  It results in a proper shutdown
and the TLS peer has a chance to detect errors.  This is expecially
important for the client side.  Due to the reduced TLS 1.3 handshake,
errors might be undetected and log messages dropped silently.  By
doing a matching TLS shutdown on his side, the client can receive
the error.
Instead of checking socket writability and calling tls_close()
repeatedly, syslogd calls it only once.  As the other side has
closed the connection anyway it is our turn to write the shutdown
message.  Do not care about errors here and avoid complexity.
OK tb@

diff --git a/usr.sbin/syslogd/evbuffer_tls.c b/usr.sbin/syslogd/evbuffer_tls.c
index 3fa75c4..56bd2cf 100644 (file)
--- a/usr.sbin/syslogd/evbuffer_tls.c
+++ b/usr.sbin/syslogd/evbuffer_tls.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: evbuffer_tls.c,v 1.12 2019/06/28 13:32:51 deraadt Exp $ */
+/*     $OpenBSD: evbuffer_tls.c,v 1.13 2022/03/22 22:58:00 bluhm Exp $ */
 
 /*
  * Copyright (c) 2002-2004 Niels Provos <provos@citi.umich.edu>
@@ -111,6 +111,7 @@ buffertls_readcb(int fd, short event, void *arg)
                what |= EVBUFFER_ERROR;
                break;
        case 0:
+               tls_close(ctx);
                what |= EVBUFFER_EOF;
                break;
        }