From: bluhm Date: Tue, 25 Apr 2017 17:45:50 +0000 (+0000) Subject: Allow syslogd(8) to listen on multiple addresses for incomming TLS X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=475f2335e7139c2014612e95543abdfba12b3c61;p=openbsd Allow syslogd(8) to listen on multiple addresses for incomming TLS connections. This expands the feature from UDP and TCP to syslog over TLS. input jmc@; OK millert@ --- diff --git a/usr.sbin/syslogd/syslogd.8 b/usr.sbin/syslogd/syslogd.8 index 1e51f26fc0c..3e2c15fa101 100644 --- a/usr.sbin/syslogd/syslogd.8 +++ b/usr.sbin/syslogd/syslogd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: syslogd.8,v 1.54 2017/04/17 14:18:44 bluhm Exp $ +.\" $OpenBSD: syslogd.8,v 1.55 2017/04/25 17:45:50 bluhm Exp $ .\" .\" Copyright (c) 1983, 1986, 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -30,7 +30,7 @@ .\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93 .\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $ .\" -.Dd $Mdocdate: April 17 2017 $ +.Dd $Mdocdate: April 25 2017 $ .Dt SYSLOGD 8 .Os .Sh NAME @@ -140,8 +140,9 @@ bind it to the specified address. A port number may be specified using the .Ar host : Ns Ar port syntax. -The parameter is also used to find a suitable server key and -certificate in +The first +.Ar listen_address +is also used to find a suitable server key and certificate in .Pa /etc/ssl/ . .It Fl s Ar reporting_socket Specify path to an @@ -180,7 +181,7 @@ in UTC. .El .Pp The options -.Fl a , T , +.Fl a , S , T , and .Fl U can be given more than once to specify multiple input sources. diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index d86d4d26b95..39ba8422464 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.242 2017/04/17 14:18:44 bluhm Exp $ */ +/* $OpenBSD: syslogd.c,v 1.243 2017/04/25 17:45:50 bluhm Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -351,9 +351,9 @@ main(int argc, char *argv[]) int ch, i; int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; int fd_ctlsock, fd_klog, fd_sendsys, *fd_bind, *fd_listen; - int fd_tls, *fd_unix, nbind, nlisten; + int *fd_tls, *fd_unix, nbind, nlisten, ntls; char **bind_host, **bind_port, **listen_host, **listen_port; - char *tls_hostport, *tls_host, *tls_port; + char *tls_hostport, **tls_host, **tls_port; /* block signal until handler is set up */ sigemptyset(&sigmask); @@ -366,9 +366,10 @@ main(int argc, char *argv[]) path_unix[0] = _PATH_LOG; nunix = 1; - bind_host = bind_port = listen_host = listen_port = NULL; - tls_hostport = tls_host = NULL; - nbind = nlisten = 0; + bind_host = listen_host = tls_host = NULL; + bind_port = listen_port = tls_port = NULL; + tls_hostport = NULL; + nbind = nlisten = ntls = 0; while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:nP:p:rS:s:T:U:uVZ")) != -1) { @@ -430,11 +431,10 @@ main(int argc, char *argv[]) Repeat++; break; case 'S': /* allow tls and listen on address */ - tls_hostport = optarg; - if ((p = strdup(optarg)) == NULL) - err(1, "strdup tls address"); - if (loghost_parse(p, NULL, &tls_host, &tls_port) == -1) - errx(1, "bad tls address: %s", optarg); + if (tls_hostport == NULL) + tls_hostport = optarg; + address_alloc("tls", optarg, &tls_host, &tls_port, + &ntls); break; case 's': path_ctlsock = optarg; @@ -516,10 +516,13 @@ main(int argc, char *argv[]) &fd_listen[i], &fd_listen[i]) == -1) log_warnx("socket listen tcp failed"); } - fd_tls = -1; - if (tls_host && socket_bind("tls", tls_host, tls_port, 0, - &fd_tls, &fd_tls) == -1) - log_warnx("socket listen tls failed"); + if ((fd_tls = reallocarray(NULL, ntls, sizeof(*fd_tls))) == NULL) + fatal("allocate tls fd"); + for (i = 0; i < ntls; i++) { + if (socket_bind("tls", tls_host[i], tls_port[i], 0, + &fd_tls[i], &fd_tls[i]) == -1) + log_warnx("socket listen tls failed"); + } if ((fd_unix = reallocarray(NULL, nunix, sizeof(*fd_unix))) == NULL) fatal("allocate unix fd"); @@ -575,8 +578,14 @@ main(int argc, char *argv[]) log_warn("tls_config_new server"); if ((server_ctx = tls_server()) == NULL) { log_warn("tls_server"); - close(fd_tls); - fd_tls = -1; + for (i = 0; i < ntls; i++) + close(fd_tls[i]); + free(fd_tls); + fd_tls = NULL; + free(tls_host); + free(tls_port); + tls_host = tls_port = NULL; + ntls = 0; } } } @@ -623,7 +632,7 @@ main(int argc, char *argv[]) const char *names[2]; names[0] = tls_hostport; - names[1] = tls_host; + names[1] = tls_host[0]; for (i = 0; i < 2; i++) { if (asprintf(&p, "/etc/ssl/private/%s.key", names[i]) @@ -673,8 +682,14 @@ main(int argc, char *argv[]) tls_error(server_ctx)); tls_free(server_ctx); server_ctx = NULL; - close(fd_tls); - fd_tls = -1; + for (i = 0; i < ntls; i++) + close(fd_tls[i]); + free(fd_tls); + fd_tls = NULL; + free(tls_host); + free(tls_port); + tls_host = tls_port = NULL; + ntls = 0; } } @@ -728,11 +743,14 @@ main(int argc, char *argv[]) (ev_sendsys = malloc(sizeof(struct event))) == NULL || (ev_udp = malloc(sizeof(struct event))) == NULL || (ev_udp6 = malloc(sizeof(struct event))) == NULL || - (ev_bind = reallocarray(NULL, nbind, sizeof(struct event))) == NULL || + (ev_bind = reallocarray(NULL, nbind, sizeof(struct event))) + == NULL || (ev_listen = reallocarray(NULL, nlisten, sizeof(struct event))) == NULL || - (ev_tls = malloc(sizeof(struct event))) == NULL || - (ev_unix = reallocarray(NULL, nunix, sizeof(struct event))) == NULL || + (ev_tls = reallocarray(NULL, ntls, sizeof(struct event))) + == NULL || + (ev_unix = reallocarray(NULL, nunix, sizeof(struct event))) + == NULL || (ev_hup = malloc(sizeof(struct event))) == NULL || (ev_int = malloc(sizeof(struct event))) == NULL || (ev_quit = malloc(sizeof(struct event))) == NULL || @@ -757,7 +775,9 @@ main(int argc, char *argv[]) for (i = 0; i < nlisten; i++) event_set(&ev_listen[i], fd_listen[i], EV_READ|EV_PERSIST, tcp_acceptcb, &ev_listen[i]); - event_set(ev_tls, fd_tls, EV_READ|EV_PERSIST, tls_acceptcb, ev_tls); + for (i = 0; i < ntls; i++) + event_set(&ev_tls[i], fd_tls[i], EV_READ|EV_PERSIST, + tls_acceptcb, &ev_tls[i]); for (i = 0; i < nunix; i++) event_set(&ev_unix[i], fd_unix[i], EV_READ|EV_PERSIST, unix_readcb, &ev_unix[i]); @@ -812,8 +832,9 @@ main(int argc, char *argv[]) for (i = 0; i < nlisten; i++) if (fd_listen[i] != -1) event_add(&ev_listen[i], NULL); - if (fd_tls != -1) - event_add(ev_tls, NULL); + for (i = 0; i < ntls; i++) + if (fd_tls[i] != -1) + event_add(&ev_tls[i], NULL); for (i = 0; i < nunix; i++) if (fd_unix[i] != -1) event_add(&ev_unix[i], NULL);