Allow syslogd(8) to listen on multiple addresses for incomming TLS

author bluhm <bluhm@openbsd.org>

Tue, 25 Apr 2017 17:45:50 +0000 (17:45 +0000)

committer bluhm <bluhm@openbsd.org>

Tue, 25 Apr 2017 17:45:50 +0000 (17:45 +0000)
author bluhm <bluhm@openbsd.org>
Tue, 25 Apr 2017 17:45:50 +0000 (17:45 +0000)
committer bluhm <bluhm@openbsd.org>
Tue, 25 Apr 2017 17:45:50 +0000 (17:45 +0000)
diff --git a/usr.sbin/syslogd/syslogd.8 b/usr.sbin/syslogd/syslogd.8

index 1e51f26..3e2c15f 100644 (file)
--- a/usr.sbin/syslogd/syslogd.8
+++ b/usr.sbin/syslogd/syslogd.8
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: syslogd.8,v 1.54 2017/04/17 14:18:44 bluhm Exp $
+.\"    $OpenBSD: syslogd.8,v 1.55 2017/04/25 17:45:50 bluhm Exp $
  .\"
  .\" Copyright (c) 1983, 1986, 1991, 1993
  .\"    The Regents of the University of California.  All rights reserved.
@@ -30,7 +30,7 @@
  .\"     from: @(#)syslogd.8    8.1 (Berkeley) 6/6/93
  .\"    $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $
  .\"
-.Dd $Mdocdate: April 17 2017 $
+.Dd $Mdocdate: April 25 2017 $
  .Dt SYSLOGD 8
  .Os
  .Sh NAME
@@ -140,8 +140,9 @@ bind it to the specified address.
  A port number may be specified using the
  .Ar host : Ns Ar port
  syntax.
-The parameter is also used to find a suitable server key and
-certificate in
+The first
+.Ar listen_address
+is also used to find a suitable server key and certificate in
  .Pa /etc/ssl/ .
  .It Fl s Ar reporting_socket
  Specify path to an
@@ -180,7 +181,7 @@ in UTC.
  .El
  .Pp
  The options
-.Fl a , T ,
+.Fl a , S , T ,
  and
  .Fl U
  can be given more than once to specify multiple input sources.
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c

index d86d4d2..39ba842 100644 (file)
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: syslogd.c,v 1.242 2017/04/17 14:18:44 bluhm Exp $     */
+/*     $OpenBSD: syslogd.c,v 1.243 2017/04/25 17:45:50 bluhm Exp $     */
  
  /*
   * Copyright (c) 1983, 1988, 1993, 1994
@@ -351,9 +351,9 @@ main(int argc, char *argv[])
         int              ch, i;
         int              lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
         int              fd_ctlsock, fd_klog, fd_sendsys, *fd_bind, *fd_listen;
-       int              fd_tls, *fd_unix, nbind, nlisten;
+       int             *fd_tls, *fd_unix, nbind, nlisten, ntls;
         char            **bind_host, **bind_port, **listen_host, **listen_port;
-       char            *tls_hostport, *tls_host, *tls_port;
+       char            *tls_hostport, **tls_host, **tls_port;
  
         /* block signal until handler is set up */
         sigemptyset(&sigmask);
@@ -366,9 +366,10 @@ main(int argc, char *argv[])
         path_unix[0] = _PATH_LOG;
         nunix = 1;
  
-       bind_host = bind_port = listen_host = listen_port = NULL;
-       tls_hostport = tls_host = NULL;
-       nbind = nlisten = 0;
+       bind_host = listen_host = tls_host = NULL;
+       bind_port = listen_port = tls_port = NULL;
+       tls_hostport = NULL;
+       nbind = nlisten = ntls = 0;
  
         while ((ch = getopt(argc, argv,
             "46a:C:c:dFf:hK:k:m:nP:p:rS:s:T:U:uVZ")) != -1) {
@@ -430,11 +431,10 @@ main(int argc, char *argv[])
                         Repeat++;
                         break;
                 case 'S':               /* allow tls and listen on address */
-                       tls_hostport = optarg;
-                       if ((p = strdup(optarg)) == NULL)
-                               err(1, "strdup tls address");
-                       if (loghost_parse(p, NULL, &tls_host, &tls_port) == -1)
-                               errx(1, "bad tls address: %s", optarg);
+                       if (tls_hostport == NULL)
+                               tls_hostport = optarg;
+                       address_alloc("tls", optarg, &tls_host, &tls_port,
+                           &ntls);
                         break;
                 case 's':
                         path_ctlsock = optarg;
@@ -516,10 +516,13 @@ main(int argc, char *argv[])
                     &fd_listen[i], &fd_listen[i]) == -1)
                         log_warnx("socket listen tcp failed");
         }
-       fd_tls = -1;
-       if (tls_host && socket_bind("tls", tls_host, tls_port, 0,
-           &fd_tls, &fd_tls) == -1)
-               log_warnx("socket listen tls failed");
+       if ((fd_tls = reallocarray(NULL, ntls, sizeof(*fd_tls))) == NULL)
+               fatal("allocate tls fd");
+       for (i = 0; i < ntls; i++) {
+               if (socket_bind("tls", tls_host[i], tls_port[i], 0,
+                   &fd_tls[i], &fd_tls[i]) == -1)
+                       log_warnx("socket listen tls failed");
+       }
  
         if ((fd_unix = reallocarray(NULL, nunix, sizeof(*fd_unix))) == NULL)
                 fatal("allocate unix fd");
@@ -575,8 +578,14 @@ main(int argc, char *argv[])
                                 log_warn("tls_config_new server");
                         if ((server_ctx = tls_server()) == NULL) {
                                 log_warn("tls_server");
-                               close(fd_tls);
-                               fd_tls = -1;
+                               for (i = 0; i < ntls; i++)
+                                       close(fd_tls[i]);
+                               free(fd_tls);
+                               fd_tls = NULL;
+                               free(tls_host);
+                               free(tls_port);
+                               tls_host = tls_port = NULL;
+                               ntls = 0;
                         }
                 }
         }
@@ -623,7 +632,7 @@ main(int argc, char *argv[])
                 const char *names[2];
  
                 names[0] = tls_hostport;
-               names[1] = tls_host;
+               names[1] = tls_host[0];
  
                 for (i = 0; i < 2; i++) {
                         if (asprintf(&p, "/etc/ssl/private/%s.key", names[i])
@@ -673,8 +682,14 @@ main(int argc, char *argv[])
                             tls_error(server_ctx));
                         tls_free(server_ctx);
                         server_ctx = NULL;
-                       close(fd_tls);
-                       fd_tls = -1;
+                       for (i = 0; i < ntls; i++)
+                               close(fd_tls[i]);
+                       free(fd_tls);
+                       fd_tls = NULL;
+                       free(tls_host);
+                       free(tls_port);
+                       tls_host = tls_port = NULL;
+                       ntls = 0;
                 }
         }
  
@@ -728,11 +743,14 @@ main(int argc, char *argv[])
             (ev_sendsys = malloc(sizeof(struct event))) == NULL ||
             (ev_udp = malloc(sizeof(struct event))) == NULL ||
             (ev_udp6 = malloc(sizeof(struct event))) == NULL ||
-           (ev_bind = reallocarray(NULL, nbind, sizeof(struct event))) == NULL ||
+           (ev_bind = reallocarray(NULL, nbind, sizeof(struct event)))
+               == NULL ||
             (ev_listen = reallocarray(NULL, nlisten, sizeof(struct event)))
                 == NULL ||
-           (ev_tls = malloc(sizeof(struct event))) == NULL ||
-           (ev_unix = reallocarray(NULL, nunix, sizeof(struct event))) == NULL ||
+           (ev_tls = reallocarray(NULL, ntls, sizeof(struct event)))
+               == NULL ||
+           (ev_unix = reallocarray(NULL, nunix, sizeof(struct event)))
+               == NULL ||
             (ev_hup = malloc(sizeof(struct event))) == NULL ||
             (ev_int = malloc(sizeof(struct event))) == NULL ||
             (ev_quit = malloc(sizeof(struct event))) == NULL ||
@@ -757,7 +775,9 @@ main(int argc, char *argv[])
         for (i = 0; i < nlisten; i++)
                 event_set(&ev_listen[i], fd_listen[i], EV_READ|EV_PERSIST,
                     tcp_acceptcb, &ev_listen[i]);
-       event_set(ev_tls, fd_tls, EV_READ|EV_PERSIST, tls_acceptcb, ev_tls);
+       for (i = 0; i < ntls; i++)
+               event_set(&ev_tls[i], fd_tls[i], EV_READ|EV_PERSIST,
+                   tls_acceptcb, &ev_tls[i]);
         for (i = 0; i < nunix; i++)
                 event_set(&ev_unix[i], fd_unix[i], EV_READ|EV_PERSIST,
                     unix_readcb, &ev_unix[i]);
@@ -812,8 +832,9 @@ main(int argc, char *argv[])
         for (i = 0; i < nlisten; i++)
                 if (fd_listen[i] != -1)
                         event_add(&ev_listen[i], NULL);
-       if (fd_tls != -1)
-               event_add(ev_tls, NULL);
+       for (i = 0; i < ntls; i++)
+               if (fd_tls[i] != -1)
+                       event_add(&ev_tls[i], NULL);
         for (i = 0; i < nunix; i++)
                 if (fd_unix[i] != -1)
                         event_add(&ev_unix[i], NULL);
author	bluhm <bluhm@openbsd.org>
	Tue, 25 Apr 2017 17:45:50 +0000 (17:45 +0000)
committer	bluhm <bluhm@openbsd.org>
	Tue, 25 Apr 2017 17:45:50 +0000 (17:45 +0000)
usr.sbin/syslogd/syslogd.8		patch \| blob \| history
usr.sbin/syslogd/syslogd.c		patch \| blob \| history