Hi,

This allows syslogd(8) to listen on multiple addresses for incoming
TLS connections.

ok?

bluhm

Index: usr.sbin/syslogd/syslogd.8
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.53
diff -u -p -r1.53 syslogd.8
--- usr.sbin/syslogd/syslogd.8  2 Jan 2017 15:58:02 -0000       1.53
+++ usr.sbin/syslogd/syslogd.8  16 Apr 2017 18:32:45 -0000
@@ -135,8 +135,9 @@ bind it to the specified address.
 A port number may be specified using the
 .Ar host : Ns Ar port
 syntax.
-The parameter is also used to find a suitable server key and
-certificate in
+The first
+.Ar listen_address
+is also used to find a suitable server key and certificate in
 .Pa /etc/ssl/ .
 .It Fl s Ar reporting_socket
 Specify path to an
@@ -175,7 +176,7 @@ in UTC.
 .El
 .Pp
 The options
-.Fl a , T ,
+.Fl a , S, T ,
 and
 .Fl U
 can be given more than once to specify multiple input sources.
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.241
diff -u -p -r1.241 syslogd.c
--- usr.sbin/syslogd/syslogd.c  7 Apr 2017 15:36:16 -0000       1.241
+++ usr.sbin/syslogd/syslogd.c  16 Apr 2017 18:53:53 -0000
@@ -350,9 +350,9 @@ main(int argc, char *argv[])
        int              ch, i;
        int              lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
        int              fd_ctlsock, fd_klog, fd_sendsys, *fd_bind, *fd_listen;
-       int              fd_tls, *fd_unix, nbind, nlisten;
+       int             *fd_tls, *fd_unix, nbind, nlisten, ntls;
        char            **bind_host, **bind_port, **listen_host, **listen_port;
-       char            *tls_hostport, *tls_host, *tls_port;
+       char            *tls_hostport, **tls_host, **tls_port;
 
        /* block signal until handler is set up */
        sigemptyset(&sigmask);
@@ -365,9 +365,10 @@ main(int argc, char *argv[])
        path_unix[0] = _PATH_LOG;
        nunix = 1;
 
-       bind_host = bind_port = listen_host = listen_port = NULL;
-       tls_hostport = tls_host = NULL;
-       nbind = nlisten = 0;
+       bind_host = listen_host = tls_host = NULL;
+       bind_port = listen_port = tls_port = NULL;
+       tls_hostport = NULL;
+       nbind = nlisten = ntls = 0;
 
        while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:nP:p:S:s:T:U:uVZ"))
            != -1)
@@ -426,11 +427,10 @@ main(int argc, char *argv[])
                        path_unix[0] = optarg;
                        break;
                case 'S':               /* allow tls and listen on address */
-                       tls_hostport = optarg;
-                       if ((p = strdup(optarg)) == NULL)
-                               err(1, "strdup tls address");
-                       if (loghost_parse(p, NULL, &tls_host, &tls_port) == -1)
-                               errx(1, "bad tls address: %s", optarg);
+                       if (tls_hostport == NULL)
+                               tls_hostport = optarg;
+                       address_alloc("tls", optarg, &tls_host, &tls_port,
+                           &ntls);
                        break;
                case 's':
                        path_ctlsock = optarg;
@@ -511,10 +511,13 @@ main(int argc, char *argv[])
                    &fd_listen[i], &fd_listen[i]) == -1)
                        log_warnx("socket listen tcp failed");
        }
-       fd_tls = -1;
-       if (tls_host && socket_bind("tls", tls_host, tls_port, 0,
-           &fd_tls, &fd_tls) == -1)
-               log_warnx("socket listen tls failed");
+       if ((fd_tls = reallocarray(NULL, ntls, sizeof(*fd_tls))) == NULL)
+               fatal("allocate tls fd");
+       for (i = 0; i < ntls; i++) {
+               if (socket_bind("tls", tls_host[i], tls_port[i], 0,
+                   &fd_tls[i], &fd_tls[i]) == -1)
+                       log_warnx("socket listen tls failed");
+       }
 
        if ((fd_unix = reallocarray(NULL, nunix, sizeof(*fd_unix))) == NULL)
                fatal("allocate unix fd");
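Review bot: fd_tls[i] is never initialised before the socket_bind() call in the new loop, so the later `if (fd_tls[i] != -1)` test and the close loops in the two failure paths rely on socket_bind() storing -1 on every failure path; that function is outside this diff, and the fd_listen loop just above relies on the same contract, so this is probably fine but worth confirming. The removed `fd_tls = -1;` made that invariant explicit; `fd_tls[i] = -1;` as the first statement of the loop body would keep it explicit at no cost. main() continues on both sides of this hunk.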
@@ -570,8 +573,14 @@ main(int argc, char *argv[])
                                log_warn("tls_config_new server");
                        if ((server_ctx = tls_server()) == NULL) {
                                log_warn("tls_server");
-                               close(fd_tls);
-                               fd_tls = -1;
+                               for (i = 0; i < ntls; i++)
+                                       close(fd_tls[i]);
+                               free(fd_tls);
+                               fd_tls = NULL;
+                               free(tls_host);
+                               free(tls_port);
+                               tls_host = tls_port = NULL;
+                               ntls = 0;
                        }
                }
        }
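Review bot: The cleanup after tls_server() fails (close loop, two free() calls, pointer reset, `ntls = 0`) is repeated verbatim in the tls_configure() failure hunk further down, and both must stay in sync with whatever address_alloc() allocates; a small static helper removes the duplication and gives the ownership rule one home. Note also that only the tls_host and tls_port arrays are freed: if address_alloc() duplicates each string (it is not visible here), the per-element strings leak in both paths, which is minor on a one-time error path in main() but should be decided deliberately when the helper is written. The enclosing `if` block starts before this hunk.
```c
/*
 * Close every -S listener and release the parallel address arrays.
 * Leaves *fd_tlsp, *tls_hostp and *tls_portp NULL and *ntlsp 0 so the
 * later event loops become no-ops. Per-element strings are not freed
 * here; add that if address_alloc() is confirmed to strdup() them.
 */
static void
tls_listen_free(int **fd_tlsp, char ***tls_hostp, char ***tls_portp,
    int *ntlsp)
{
	int i;

	for (i = 0; i < *ntlsp; i++)
		close((*fd_tlsp)[i]);
	free(*fd_tlsp);
	*fd_tlsp = NULL;
	free(*tls_hostp);
	free(*tls_portp);
	*tls_hostp = *tls_portp = NULL;
	*ntlsp = 0;
}

/* … unchanged: tls_config_new() … */
			if ((server_ctx = tls_server()) == NULL) {
				log_warn("tls_server");
				tls_listen_free(&fd_tls, &tls_host, &tls_port, &ntls);
			}
```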
@@ -618,7 +627,7 @@ main(int argc, char *argv[])
                const char *names[2];
 
                names[0] = tls_hostport;
-               names[1] = tls_host;
+               names[1] = tls_host[0];
 
                for (i = 0; i < 2; i++) {
                        if (asprintf(&p, "/etc/ssl/private/%s.key", names[i])
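Review bot: `names[1] = tls_host[0];` dereferences tls_host, which is NULL when no -S option was given and is also reset to NULL with `ntls = 0` by both failure paths earlier in main(); the removed line merely copied a NULL pointer into names[1]. Whether this line can be reached in those states depends on the condition enclosing the block, which starts before this hunk, so if the block is only entered with a live server_ctx this is fine. A guard that is safe regardless of that condition is `names[1] = ntls > 0 ? tls_host[0] : NULL;`. The key/certificate lookup loop continues past the end of the hunk.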
@@ -668,8 +677,14 @@ main(int argc, char *argv[])
                            tls_error(server_ctx));
                        tls_free(server_ctx);
                        server_ctx = NULL;
-                       close(fd_tls);
-                       fd_tls = -1;
+                       for (i = 0; i < ntls; i++)
+                               close(fd_tls[i]);
+                       free(fd_tls);
+                       fd_tls = NULL;
+                       free(tls_host);
+                       free(tls_port);
+                       tls_host = tls_port = NULL;
+                       ntls = 0;
                }
        }
 
@@ -723,11 +738,14 @@ main(int argc, char *argv[])
            (ev_sendsys = malloc(sizeof(struct event))) == NULL ||
            (ev_udp = malloc(sizeof(struct event))) == NULL ||
            (ev_udp6 = malloc(sizeof(struct event))) == NULL ||
-           (ev_bind = reallocarray(NULL, nbind, sizeof(struct event))) == NULL ||
+           (ev_bind = reallocarray(NULL, nbind, sizeof(struct event)))
+               == NULL ||
            (ev_listen = reallocarray(NULL, nlisten, sizeof(struct event)))
                == NULL ||
-           (ev_tls = malloc(sizeof(struct event))) == NULL ||
-           (ev_unix = reallocarray(NULL, nunix, sizeof(struct event))) == NULL ||
+           (ev_tls = reallocarray(NULL, ntls, sizeof(struct event)))
+               == NULL ||
+           (ev_unix = reallocarray(NULL, nunix, sizeof(struct event)))
+               == NULL ||
            (ev_hup = malloc(sizeof(struct event))) == NULL ||
            (ev_int = malloc(sizeof(struct event))) == NULL ||
            (ev_quit = malloc(sizeof(struct event))) == NULL ||
@@ -752,7 +770,9 @@ main(int argc, char *argv[])
        for (i = 0; i < nlisten; i++)
                event_set(&ev_listen[i], fd_listen[i], EV_READ|EV_PERSIST,
                    tcp_acceptcb, &ev_listen[i]);
-       event_set(ev_tls, fd_tls, EV_READ|EV_PERSIST, tls_acceptcb, ev_tls);
+       for (i = 0; i < ntls; i++)
+               event_set(&ev_tls[i], fd_tls[i], EV_READ|EV_PERSIST,
+                   tls_acceptcb, &ev_tls[i]);
        for (i = 0; i < nunix; i++)
                event_set(&ev_unix[i], fd_unix[i], EV_READ|EV_PERSIST,
                    unix_readcb, &ev_unix[i]);
@@ -807,8 +827,9 @@ main(int argc, char *argv[])
        for (i = 0; i < nlisten; i++)
                if (fd_listen[i] != -1)
                        event_add(&ev_listen[i], NULL);
-       if (fd_tls != -1)
-               event_add(ev_tls, NULL);
+       for (i = 0; i < ntls; i++)
+               if (fd_tls[i] != -1)
+                       event_add(&ev_tls[i], NULL);
        for (i = 0; i < nunix; i++)
                if (fd_unix[i] != -1)
                        event_add(&ev_unix[i], NULL);
