Re: syslogd TLS accept
sure. ok On Tuesday, 6 October 2015, Alexander Bluhmwrote: > On Fri, Sep 25, 2015 at 11:27:49PM +0200, Alexander Bluhm wrote: > > If syslogd is started with -S, it accepts TLS connections to receive > > encrypted traffic. The server certificates are taken from /etc/ssl > > like relayd does. > > Anyone? > > bluhm > > Index: usr.sbin/syslogd/evbuffer_tls.c > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.c,v > retrieving revision 1.8 > diff -u -p -r1.8 evbuffer_tls.c > --- usr.sbin/syslogd/evbuffer_tls.c 20 Sep 2015 21:49:54 - 1.8 > +++ usr.sbin/syslogd/evbuffer_tls.c 6 Oct 2015 16:10:11 - > @@ -260,6 +260,19 @@ buffertls_set(struct buffertls *buftls, > } > > void > +buffertls_accept(struct buffertls *buftls, int fd) > +{ > + struct bufferevent *bufev = buftls->bt_bufev; > + > + event_del(>ev_read); > + event_del(>ev_write); > + event_set(>ev_read, fd, EV_READ, buffertls_handshakecb, > buftls); > + event_set(>ev_write, fd, EV_WRITE, buffertls_handshakecb, > + buftls); > + bufferevent_add(>ev_read, bufev->timeout_read); > +} > + > +void > buffertls_connect(struct buffertls *buftls, int fd) > { > struct bufferevent *bufev = buftls->bt_bufev; > Index: usr.sbin/syslogd/evbuffer_tls.h > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.h,v > retrieving revision 1.4 > diff -u -p -r1.4 evbuffer_tls.h > --- usr.sbin/syslogd/evbuffer_tls.h 10 Sep 2015 18:32:06 - 1.4 > +++ usr.sbin/syslogd/evbuffer_tls.h 6 Oct 2015 16:10:11 - 
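Review bot: buffertls_accept arms only ev_read, with bufev->timeout_read as its deadline, so how long an accepted peer may sit in the handshake without sending a byte is entirely the read timeout the caller set on the bufferevent; if that value is zero, libevent (as far as I can tell from bufferevent_add's semantics) adds the event with no timeout, and a client that connects and never sends a ClientHello holds its connection until it goes away, so the caller, which is not in this hunk, should be checked for a non-zero timeout. That precondition is worth a comment above the function, e.g. `/* Caller must have set a read timeout on bufev; it bounds the handshake wait. */`. The body is otherwise the same sequence as the first lines of buffertls_connect shown below it, differing only in which event is added, so a shared static helper taking the event and timeout to arm would remove the duplication; buffertls_connect's body continues past the hunk. The same hunk reappears in the two other copies of the diff further down the page, and the `>ev_read` / `>ev_write` forms look like `&bufev->...` with the `&bufev-` eaten by the list's HTML rendering rather than missing from the patch itself.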
> @@ -31,6 +31,7 @@ struct buffertls { > > void buffertls_set(struct buffertls *, struct bufferevent *, struct tls > *, > int); > +void buffertls_accept(struct buffertls *, int); > void buffertls_connect(struct buffertls *, int); > > #endif /* _EVBUFFER_TLS_H_ */ > Index: usr.sbin/syslogd/privsep.c > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v > retrieving revision 1.54 > diff -u -p -r1.54 privsep.c > --- usr.sbin/syslogd/privsep.c 7 Jul 2015 17:53:04 - 1.54 > +++ usr.sbin/syslogd/privsep.c 6 Oct 2015 16:10:11 - > @@ -184,6 +184,8 @@ priv_init(char *conf, int numeric, int l > close(fd_bind); > if (fd_listen != -1) > close(fd_listen); > + if (fd_tls != -1) > + close(fd_tls); > for (i = 0; i < nunix; i++) > if (fd_unix[i] != -1) > close(fd_unix[i]); > Index: usr.sbin/syslogd/syslogd.8 > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v > retrieving revision 1.38 > diff -u -p -r1.38 syslogd.8 > --- usr.sbin/syslogd/syslogd.8 7 Jul 2015 21:43:35 - 1.38 > +++ usr.sbin/syslogd/syslogd.8 6 Oct 2015 16:10:11 - > @@ -45,6 +45,7 @@ > .Op Fl f Ar config_file > .Op Fl m Ar mark_interval > .Op Fl p Ar log_socket > +.Op Fl S Ar listen_address > .Op Fl s Ar reporting_socket > .Op Fl T Ar listen_address > .Op Fl U Ar bind_address 
> @@ -108,6 +109,25 @@ the symbolic local host name. > Specify the pathname of an alternate log socket to be used instead; > the default is > .Pa /dev/log . > +.It Fl S Ar listen_address > +Create a TLS listen socket for receiving encrypted messages and > +bind it to the specified address. > +A port number may be specified using the > +.Ar host:port > +syntax. > +The syslog server will attempt to look up a private key in > +.Pa /etc/ssl/private/host:port.key > +and a public certificate in > +.Pa /etc/ssl/host:port.crt , > +where > +.Ar host > +is the specified host name or IP address and > +.Ar port > +is the specified port if given on the command line. > +If these files are not present, syslogd will continue to look in > +.Pa /etc/ssl/private/host.key > +and > +.Pa /etc/ssl/host.crt . > .It Fl s Ar reporting_socket > Specify path to an > .Dv AF_LOCAL > Index: usr.sbin/syslogd/syslogd.c > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v > retrieving revision 1.190 > diff -u -p -r1.190 syslogd.c > --- usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:19:23 - 1.190 > +++ usr.sbin/syslogd/syslogd.c 6 Oct 2015 16:10:11 - > @@ -50,7 +50,7 @@ > * extensive changes by Ralph Campbell > * more extensive changes by Eric Allman (again) > * memory buffer logging by Damien Miller > - * IPv6, libevent, sending over TCP and TLS by Alexander Bluhm > + * IPv6, libevent, syslog over TCP and TLS by Alexander Bluhm > */ > > #define MAXLINE8192/* maximum line length */ > @@ -219,9 +219,13 @@ char *bind_host = NULL; /*
Re: syslogd TLS accept
On Fri, Sep 25, 2015 at 11:27:49PM +0200, Alexander Bluhm wrote: > If syslogd is started with -S, it accepts TLS connections to receive > encrypted traffic. The server certificates are taken from /etc/ssl > like relayd does. Anyone? bluhm Index: usr.sbin/syslogd/evbuffer_tls.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.c,v retrieving revision 1.8 diff -u -p -r1.8 evbuffer_tls.c --- usr.sbin/syslogd/evbuffer_tls.c 20 Sep 2015 21:49:54 - 1.8 +++ usr.sbin/syslogd/evbuffer_tls.c 6 Oct 2015 16:10:11 - @@ -260,6 +260,19 @@ buffertls_set(struct buffertls *buftls, } void +buffertls_accept(struct buffertls *buftls, int fd) +{ + struct bufferevent *bufev = buftls->bt_bufev; + + event_del(>ev_read); + event_del(>ev_write); + event_set(>ev_read, fd, EV_READ, buffertls_handshakecb, buftls); + event_set(>ev_write, fd, EV_WRITE, buffertls_handshakecb, + buftls); + bufferevent_add(>ev_read, bufev->timeout_read); +} + +void buffertls_connect(struct buffertls *buftls, int fd) { struct bufferevent *bufev = buftls->bt_bufev; Index: usr.sbin/syslogd/evbuffer_tls.h === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.h,v retrieving revision 1.4 diff -u -p -r1.4 evbuffer_tls.h --- usr.sbin/syslogd/evbuffer_tls.h 10 Sep 2015 18:32:06 - 1.4 +++ usr.sbin/syslogd/evbuffer_tls.h 6 Oct 2015 16:10:11 - @@ -31,6 +31,7 @@ struct buffertls { void buffertls_set(struct buffertls *, struct bufferevent *, struct tls *, int); +void buffertls_accept(struct buffertls *, int); void buffertls_connect(struct buffertls *, int); #endif /* _EVBUFFER_TLS_H_ */ Index: usr.sbin/syslogd/privsep.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v retrieving revision 1.54 diff -u -p -r1.54 privsep.c --- usr.sbin/syslogd/privsep.c 7 Jul 2015 17:53:04 - 1.54 +++ usr.sbin/syslogd/privsep.c 6 Oct 2015 16:10:11 - 
@@ -184,6 +184,8 @@ priv_init(char *conf, int numeric, int l close(fd_bind); if (fd_listen != -1) close(fd_listen); + if (fd_tls != -1) + close(fd_tls); for (i = 0; i < nunix; i++) if (fd_unix[i] != -1) close(fd_unix[i]); Index: usr.sbin/syslogd/syslogd.8 === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v retrieving revision 1.38 diff -u -p -r1.38 syslogd.8 --- usr.sbin/syslogd/syslogd.8 7 Jul 2015 21:43:35 - 1.38 +++ usr.sbin/syslogd/syslogd.8 6 Oct 2015 16:10:11 - @@ -45,6 +45,7 @@ .Op Fl f Ar config_file .Op Fl m Ar mark_interval .Op Fl p Ar log_socket +.Op Fl S Ar listen_address .Op Fl s Ar reporting_socket .Op Fl T Ar listen_address .Op Fl U Ar bind_address @@ -108,6 +109,25 @@ the symbolic local host name. Specify the pathname of an alternate log socket to be used instead; the default is .Pa /dev/log . +.It Fl S Ar listen_address +Create a TLS listen socket for receiving encrypted messages and +bind it to the specified address. +A port number may be specified using the +.Ar host:port +syntax. +The syslog server will attempt to look up a private key in +.Pa /etc/ssl/private/host:port.key +and a public certificate in +.Pa /etc/ssl/host:port.crt , +where +.Ar host +is the specified host name or IP address and +.Ar port +is the specified port if given on the command line. +If these files are not present, syslogd will continue to look in +.Pa /etc/ssl/private/host.key +and +.Pa /etc/ssl/host.crt . .It Fl s Ar reporting_socket Specify path to an .Dv AF_LOCAL Index: usr.sbin/syslogd/syslogd.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.190 diff -u -p -r1.190 syslogd.c --- usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:19:23 - 1.190 +++ usr.sbin/syslogd/syslogd.c 6 Oct 2015 16:10:11 - 
@@ -50,7 +50,7 @@ * extensive changes by Ralph Campbell * more extensive changes by Eric Allman (again) * memory buffer logging by Damien Miller - * IPv6, libevent, sending over TCP and TLS by Alexander Bluhm + * IPv6, libevent, syslog over TCP and TLS by Alexander Bluhm */ #define MAXLINE8192/* maximum line length */ @@ -219,9 +219,13 @@ char *bind_host = NULL; /* bind UDP rece char *bind_port = NULL; char *listen_host = NULL;/* listen on TCP receive socket */ char *listen_port = NULL; +char *tls_hostport = NULL; /* listen on TLS receive socket */ +char *tls_host = NULL; +char *tls_port = NULL; char *path_ctlsock = NULL; /* Path to control socket */ -struct
syslogd TLS accept
Hi, If syslogd is started with -S, it accepts TLS connections to receive encrypted traffic. The server certificates are taken from /etc/ssl like relayd does. ok? bluhm Index: usr.sbin/syslogd/evbuffer_tls.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.c,v retrieving revision 1.8 diff -u -p -r1.8 evbuffer_tls.c --- usr.sbin/syslogd/evbuffer_tls.c 20 Sep 2015 21:49:54 - 1.8 +++ usr.sbin/syslogd/evbuffer_tls.c 25 Sep 2015 13:35:52 - @@ -260,6 +260,19 @@ buffertls_set(struct buffertls *buftls, } void +buffertls_accept(struct buffertls *buftls, int fd) +{ + struct bufferevent *bufev = buftls->bt_bufev; + + event_del(>ev_read); + event_del(>ev_write); + event_set(>ev_read, fd, EV_READ, buffertls_handshakecb, buftls); + event_set(>ev_write, fd, EV_WRITE, buffertls_handshakecb, + buftls); + bufferevent_add(>ev_read, bufev->timeout_read); +} + +void buffertls_connect(struct buffertls *buftls, int fd) { struct bufferevent *bufev = buftls->bt_bufev; Index: usr.sbin/syslogd/evbuffer_tls.h === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.h,v retrieving revision 1.4 diff -u -p -r1.4 evbuffer_tls.h --- usr.sbin/syslogd/evbuffer_tls.h 10 Sep 2015 18:32:06 - 1.4 +++ usr.sbin/syslogd/evbuffer_tls.h 25 Sep 2015 13:35:52 - @@ -31,6 +31,7 @@ struct buffertls { void buffertls_set(struct buffertls *, struct bufferevent *, struct tls *, int); +void buffertls_accept(struct buffertls *, int); void buffertls_connect(struct buffertls *, int); #endif /* _EVBUFFER_TLS_H_ */ Index: usr.sbin/syslogd/privsep.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v retrieving revision 1.54 diff -u -p -r1.54 privsep.c --- usr.sbin/syslogd/privsep.c 7 Jul 2015 17:53:04 - 1.54 +++ usr.sbin/syslogd/privsep.c 25 Sep 2015 13:35:52 - 
@@ -184,6 +184,8 @@ priv_init(char *conf, int numeric, int l close(fd_bind); if (fd_listen != -1) close(fd_listen); + if (fd_tls != -1) + close(fd_tls); for (i = 0; i < nunix; i++) if (fd_unix[i] != -1) close(fd_unix[i]); Index: usr.sbin/syslogd/syslogd.8 === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v retrieving revision 1.38 diff -u -p -r1.38 syslogd.8 --- usr.sbin/syslogd/syslogd.8 7 Jul 2015 21:43:35 - 1.38 +++ usr.sbin/syslogd/syslogd.8 25 Sep 2015 13:35:52 - @@ -45,6 +45,7 @@ .Op Fl f Ar config_file .Op Fl m Ar mark_interval .Op Fl p Ar log_socket +.Op Fl S Ar listen_address .Op Fl s Ar reporting_socket .Op Fl T Ar listen_address .Op Fl U Ar bind_address @@ -108,6 +109,25 @@ the symbolic local host name. Specify the pathname of an alternate log socket to be used instead; the default is .Pa /dev/log . +.It Fl S Ar listen_address +Create a TLS listen socket for receiving encrypted messages and +bind it to the specified address. +A port number may be specified using the +.Ar host:port +syntax. +The syslog server will attempt to look up a private key in +.Pa /etc/ssl/private/host:port.key +and a public certificate in +.Pa /etc/ssl/host:port.crt , +where +.Ar host +is the specified host name or IP address and +.Ar port +is the specified port if given on the command line. +If these files are not present, syslogd will continue to look in +.Pa /etc/ssl/private/host.key +and +.Pa /etc/ssl/host.crt . .It Fl s Ar reporting_socket Specify path to an .Dv AF_LOCAL Index: usr.sbin/syslogd/syslogd.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.189 diff -u -p -r1.189 syslogd.c --- usr.sbin/syslogd/syslogd.c 12 Sep 2015 13:50:29 - 1.189 +++ usr.sbin/syslogd/syslogd.c 25 Sep 2015 18:52:51 - 
@@ -219,9 +219,13 @@ char *bind_host = NULL; /* bind UDP rece char *bind_port = NULL; char *listen_host = NULL;/* listen on TCP receive socket */ char *listen_port = NULL; +char *tls_hostport = NULL; /* listen on TLS receive socket */ +char *tls_host = NULL; +char *tls_port = NULL; char *path_ctlsock = NULL; /* Path to control socket */ -struct tls_config *tlsconfig = NULL; +struct tls *server_ctx; +struct tls_config *client_config, *server_config; const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */ intNoVerify = 0; /* do not verify TLS server x509 certificate */ inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ @@ -273,12 +277,14 @@ size_tctl_reply_offset = 0; /* Number o char
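Review bot: The new file-scope definitions `struct tls *server_ctx;` and `struct tls_config *client_config, *server_config;` depart from the surrounding convention, where every neighbour (tls_hostport, listen_port, CAfile, NoVerify) and the removed `tlsconfig` line carry an explicit `= NULL` and a trailing purpose comment, one declaration per line. Static storage is zero-initialized anyway, so this is readability rather than a bug, but the three lines would read better as `struct tls *server_ctx = NULL;	/* TLS listen context */`, `struct tls_config *client_config = NULL;	/* TLS config for outgoing connections */` and `struct tls_config *server_config = NULL;	/* TLS config for incoming connections */`. The comment wording is inferred from the names only; fit it to what the use sites actually do. The same hunk appears in the two earlier copies of the diff on this page but is cut off there.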