Hi, This allows syslogd(8) to listen on multiple addresses for incoming TLS connections.
ok? bluhm
Index: usr.sbin/syslogd/syslogd.8
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.53
diff -u -p -r1.53 syslogd.8
--- usr.sbin/syslogd/syslogd.8 2 Jan 2017 15:58:02 -0000 1.53
+++ usr.sbin/syslogd/syslogd.8 16 Apr 2017 18:32:45 -0000
@@ -135,8 +135,9 @@ bind it to the specified address.
 A port number may be specified using the
 .Ar host : Ns Ar port
 syntax.
-The parameter is also used to find a suitable server key and
-certificate in
+The first
+.Ar listen_address
+is also used to find a suitable server key and certificate in
 .Pa /etc/ssl/ .
 .It Fl s Ar reporting_socket
 Specify path to an
@@ -175,7 +176,7 @@ in UTC.
 .El
 .Pp
 The options
-.Fl a , T ,
+.Fl a , S, T ,
 and
 .Fl U
 can be given more than once to specify multiple input sources.
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.241
diff -u -p -r1.241 syslogd.c
--- usr.sbin/syslogd/syslogd.c 7 Apr 2017 15:36:16 -0000 1.241
+++ usr.sbin/syslogd/syslogd.c 16 Apr 2017 18:53:53 -0000
@@ -350,9 +350,9 @@ main(int argc, char *argv[])
 	int ch, i;
 	int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
 	int fd_ctlsock, fd_klog, fd_sendsys, *fd_bind, *fd_listen;
-	int fd_tls, *fd_unix, nbind, nlisten;
+	int *fd_tls, *fd_unix, nbind, nlisten, ntls;
 	char **bind_host, **bind_port, **listen_host, **listen_port;
-	char *tls_hostport, *tls_host, *tls_port;
+	char *tls_hostport, **tls_host, **tls_port;
 
 	/* block signal until handler is set up */
 	sigemptyset(&sigmask);
@@ -365,9 +365,10 @@ main(int argc, char *argv[])
 	path_unix[0] = _PATH_LOG;
 	nunix = 1;
 
-	bind_host = bind_port = listen_host = listen_port = NULL;
-	tls_hostport = tls_host = NULL;
-	nbind = nlisten = 0;
+	bind_host = listen_host = tls_host = NULL;
+	bind_port = listen_port = tls_port = NULL;
+	tls_hostport = NULL;
+	nbind = nlisten = ntls = 0;
 
 	while ((ch = getopt(argc, argv,
 	    "46a:C:c:dFf:hK:k:m:nP:p:S:s:T:U:uVZ")) != -1)
@@ -426,11 +427,10 @@ main(int argc, char *argv[])
 			path_unix[0] = optarg;
 			break;
 		case 'S':		/* allow tls and listen on address */
-			tls_hostport = optarg;
-			if ((p = strdup(optarg)) == NULL)
-				err(1, "strdup tls address");
-			if (loghost_parse(p, NULL, &tls_host, &tls_port) == -1)
-				errx(1, "bad tls address: %s", optarg);
+			if (tls_hostport == NULL)
+				tls_hostport = optarg;
+			address_alloc("tls", optarg, &tls_host, &tls_port,
+			    &ntls);
 			break;
 		case 's':
 			path_ctlsock = optarg;
@@ -511,10 +511,13 @@ main(int argc, char *argv[])
 			    &fd_listen[i], &fd_listen[i]) == -1)
 				log_warnx("socket listen tcp failed");
 	}
-	fd_tls = -1;
-	if (tls_host && socket_bind("tls", tls_host, tls_port, 0,
-	    &fd_tls, &fd_tls) == -1)
-		log_warnx("socket listen tls failed");
+	if ((fd_tls = reallocarray(NULL, ntls, sizeof(*fd_tls))) == NULL)
+		fatal("allocate tls fd");
+	for (i = 0; i < ntls; i++) {
+		if (socket_bind("tls", tls_host[i], tls_port[i], 0,
+		    &fd_tls[i], &fd_tls[i]) == -1)
+			log_warnx("socket listen tls failed");
+	}
 	if ((fd_unix = reallocarray(NULL, nunix, sizeof(*fd_unix))) == NULL)
 		fatal("allocate unix fd");
 
@@ -570,8 +573,14 @@ main(int argc, char *argv[])
 			log_warn("tls_config_new server");
 		if ((server_ctx = tls_server()) == NULL) {
 			log_warn("tls_server");
-			close(fd_tls);
-			fd_tls = -1;
+			for (i = 0; i < ntls; i++)
+				close(fd_tls[i]);
+			free(fd_tls);
+			fd_tls = NULL;
+			free(tls_host);
+			free(tls_port);
+			tls_host = tls_port = NULL;
+			ntls = 0;
 		}
 	}
 }
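Review bot: The cleanup loop in hunk @@ -570 calls `close(fd_tls[i])` on every entry, yet the event_add loop in hunk @@ -807 treats `fd_tls[i] == -1` as a possible state after a failed socket_bind(), so the loop should skip those entries: `if (fd_tls[i] != -1) close(fd_tls[i]);`. The identical eight-line block appears again in hunk @@ -668 for the tls_configure() failure path; a small static helper taking the fd array, the host and port arrays and the count would keep the two copies from drifting apart. Freeing `tls_host` and `tls_port` releases the arrays but not the strings they point to, so if address_alloc() duplicates the parsed host and port (not visible here) those remain allocated, much as the removed single-address code never freed its strdup(). main() extends beyond both ends of this hunk.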
@@ -618,7 +627,7 @@ main(int argc, char *argv[])
 		const char *names[2];
 
 		names[0] = tls_hostport;
-		names[1] = tls_host;
+		names[1] = tls_host[0];
 
 		for (i = 0; i < 2; i++) {
 			if (asprintf(&p, "/etc/ssl/private/%s.key", names[i])
@@ -668,8 +677,14 @@ main(int argc, char *argv[])
 			    tls_error(server_ctx));
 			tls_free(server_ctx);
 			server_ctx = NULL;
-			close(fd_tls);
-			fd_tls = -1;
+			for (i = 0; i < ntls; i++)
+				close(fd_tls[i]);
+			free(fd_tls);
+			fd_tls = NULL;
+			free(tls_host);
+			free(tls_port);
+			tls_host = tls_port = NULL;
+			ntls = 0;
 		}
 	}
 
@@ -723,11 +738,14 @@ main(int argc, char *argv[])
 	    (ev_sendsys = malloc(sizeof(struct event))) == NULL ||
 	    (ev_udp = malloc(sizeof(struct event))) == NULL ||
 	    (ev_udp6 = malloc(sizeof(struct event))) == NULL ||
-	    (ev_bind = reallocarray(NULL, nbind, sizeof(struct event))) == NULL ||
+	    (ev_bind = reallocarray(NULL, nbind, sizeof(struct event)))
+	    == NULL ||
 	    (ev_listen = reallocarray(NULL, nlisten, sizeof(struct event)))
 	    == NULL ||
-	    (ev_tls = malloc(sizeof(struct event))) == NULL ||
-	    (ev_unix = reallocarray(NULL, nunix, sizeof(struct event))) == NULL ||
+	    (ev_tls = reallocarray(NULL, ntls, sizeof(struct event)))
+	    == NULL ||
+	    (ev_unix = reallocarray(NULL, nunix, sizeof(struct event)))
+	    == NULL ||
 	    (ev_hup = malloc(sizeof(struct event))) == NULL ||
 	    (ev_int = malloc(sizeof(struct event))) == NULL ||
 	    (ev_quit = malloc(sizeof(struct event))) == NULL ||
@@ -752,7 +770,9 @@ main(int argc, char *argv[])
 	for (i = 0; i < nlisten; i++)
 		event_set(&ev_listen[i], fd_listen[i], EV_READ|EV_PERSIST,
 		    tcp_acceptcb, &ev_listen[i]);
-	event_set(ev_tls, fd_tls, EV_READ|EV_PERSIST, tls_acceptcb, ev_tls);
+	for (i = 0; i < ntls; i++)
+		event_set(&ev_tls[i], fd_tls[i], EV_READ|EV_PERSIST,
+		    tls_acceptcb, &ev_tls[i]);
 	for (i = 0; i < nunix; i++)
 		event_set(&ev_unix[i], fd_unix[i], EV_READ|EV_PERSIST,
 		    unix_readcb, &ev_unix[i]);
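Review bot: In hunk @@ -618, `names[1] = tls_host[0];` indexes the array with no check that `ntls > 0`, and the enclosing condition lies outside the hunk; if it tests `tls_hostport` rather than `server_ctx` or `ntls`, the tls_server() failure path in hunk @@ -570, which frees `tls_host` and zeroes `ntls` but leaves `tls_hostport` set, would reach a NULL dereference here. Guarding the assignment with the count, `names[1] = ntls > 0 ? tls_host[0] : NULL;`, and skipping NULL names in the asprintf() loop makes the invariant explicit instead of relying on the outer test. A comment would also help a reader who only sees `tls_host[0]`, e.g. `/* the first -S address names the key and certificate, see syslogd.8 */`. main() continues outside this hunk.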
@@ -807,8 +827,9 @@ main(int argc, char *argv[])
 	for (i = 0; i < nlisten; i++)
 		if (fd_listen[i] != -1)
 			event_add(&ev_listen[i], NULL);
-	if (fd_tls != -1)
-		event_add(ev_tls, NULL);
+	for (i = 0; i < ntls; i++)
+		if (fd_tls[i] != -1)
+			event_add(&ev_tls[i], NULL);
 	for (i = 0; i < nunix; i++)
 		if (fd_unix[i] != -1)
 			event_add(&ev_unix[i], NULL);