SIGUSR1 re-opens -l/-L log files; add defaults.h

Issue:		#52

defaults.h

@@ -0,0 +1,61 @@
+/*
+ * SSLsplit - transparent and scalable SSL/TLS interception
+ * Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
+ * All rights reserved.
+ * http://www.roe.ch/SSLsplit
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice unmodified, this list of conditions, and the following
+ *    disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DEFAULTS_H
+#define DEFAULTS_H
+
+/*
+ * Defaults for convenient tweaking or patching.
+ */
+
+/*
+ * User to drop privileges to by default.
+ * Packagers may want to use a specific service user account instead of
+ * overloading nobody with yet another use case.  Using nobody for source
+ * builds makes sense because chances are high that it exists.
+ */
+#define DFLT_DROPUSER "nobody"
+
+/*
+ * Default file and directory modes for newly created files and directories
+ * created as part of e.g. logging.  The default is to use full permissions
+ * subject to the system's umask, as is the default for system utilities.
+ * Use a more restrictive mode for the PID file.
+ */
+#define DFLT_DIRMODE  0777
+#define DFLT_FILEMODE 0666
+#define DFLT_PIDFMODE 0644
+
+/*
+ * Default elliptic curve for EC cipher suites.
+ */
+#define DFLT_CURVE "secp160r2"
+
+#endif /* !DEFAULTS_H */
+
+/* vim: set noet ft=c: */

log.c

@@ -32,6 +32,7 @@
 #include "sys.h"
 #include "attrib.h"
 #include "privsep.h"
+#include "defaults.h"
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -164,14 +165,37 @@ log_dbg_mode(int mode)
 
 logger_t *connect_log = NULL;
 static int connect_fd = -1;
+static char *connect_fn = NULL;
 
 static int
-log_connect_open(const char *logfile)
+log_connect_preinit(const char *logfile)
 {
-	connect_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, 0660);
+	connect_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE);
+	if (connect_fd == -1) {
+		log_err_printf("Failed to open '%s' for writing: %s (%i)\n",
+		               logfile, strerror(errno), errno);
+		return -1;
+	}
+	if (!(connect_fn = realpath(logfile, NULL))) {
+		log_err_printf("Failed to realpath '%s': %s (%i)\n",
+		              logfile, strerror(errno), errno);
+		close(connect_fd);
+		connect_fd = -1;
+		return -1;
+	}
+	return 0;
+}
+
+static int
+log_connect_reopencb(void)
+{
+	close(connect_fd);
+	connect_fd = open(connect_fn, O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE);
 	if (connect_fd == -1) {
 		log_err_printf("Failed to open '%s' for writing: %s\n",
-		               logfile, strerror(errno));
+		               connect_fn, strerror(errno));
+		free(connect_fn);
+		connect_fn = NULL;
 		return -1;
 	}
 	return 0;
@@ -207,7 +231,7 @@ log_connect_writecb(UNUSED void *fh, const void *buf, size_t sz)
 }
 
 static void
-log_connect_close(void)
+log_connect_fini(void)
 {
 	close(connect_fd);
 }
@@ -227,46 +251,25 @@ log_connect_close(void)
 
 struct log_content_ctx {
 	unsigned int open : 1;
-	int fd;
 	union {
 		struct {
 			char *header_req;
 			char *header_resp;
 		} file;
 		struct {
+			int fd;
 			char *filename;
 		} dir;
 		struct {
+			int fd;
 			char *filename;
 		} spec;
 	} u;
 };
 
 static logger_t *content_log = NULL;
-static int content_fd = -1; /* set in 'file' mode */
 static int content_clisock = -1; /* privsep client socket for content logger */
 
-static int
-log_content_file_preinit(const char *logfile)
-{
-	content_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT, 0660);
-	if (content_fd == -1) {
-		log_err_printf("Failed to open '%s' for writing: %s\n",
-		               logfile, strerror(errno));
-		return -1;
-	}
-	return 0;
-}
-
-static void
-log_content_file_fini(void)
-{
-	if (content_fd != -1) {
-		close(content_fd);
-		content_fd = -1;
-	}
-}
-
 /*
  * Split a pathname into static LHS (including final slashes) and dynamic RHS.
  * Returns -1 on error, 0 on success.
@@ -503,7 +506,6 @@ log_content_open(log_content_ctx_t **pctx, opts_t *opts,
 		}
 	} else {
 		/* single-file content log (-L) */
-		ctx->fd = content_fd;
 		if (asprintf(&ctx->u.file.header_req, "%s -> %s",
 		             srcaddr, dstaddr) < 0) {
 			goto errout;
@@ -556,30 +558,20 @@ log_content_close(log_content_ctx_t **pctx)
 }
 
 /*
- * Callback functions that are executed in the logger thread.
+ * Log-type specific code.
+ *
+ * The init/fini functions are executed globally in the main thread.
+ * Callback functions are executed in the logger thread.
  */
 
-static ssize_t
-log_content_common_writecb(void *fh, const void *buf, size_t sz)
-{
-	log_content_ctx_t *ctx = fh;
-
-	if (write(ctx->fd, buf, sz) == -1) {
-		log_err_printf("Warning: Failed to write to content log: %s\n",
-		               strerror(errno));
-		return -1;
-	}
-	return 0;
-}
-
 static int
 log_content_dir_opencb(void *fh)
 {
 	log_content_ctx_t *ctx = fh;
 
-	if ((ctx->fd = privsep_client_openfile(content_clisock,
-	                                       ctx->u.dir.filename,
-	                                       0)) == -1) {
+	if ((ctx->u.dir.fd = privsep_client_openfile(content_clisock,
+	                                             ctx->u.dir.filename,
+	                                             0)) == -1) {
 		log_err_printf("Opening logdir file '%s' failed: %s (%i)\n",
 		               ctx->u.dir.filename, strerror(errno), errno);
 		return -1;
@@ -594,19 +586,32 @@ log_content_dir_closecb(void *fh)
 
 	if (ctx->u.dir.filename)
 		free(ctx->u.dir.filename);
-	if (ctx->fd != 1)
-		close(ctx->fd);
+	if (ctx->u.dir.fd != 1)
+		close(ctx->u.dir.fd);
 	free(ctx);
 }
 
+static ssize_t
+log_content_dir_writecb(void *fh, const void *buf, size_t sz)
+{
+	log_content_ctx_t *ctx = fh;
+
+	if (write(ctx->u.dir.fd, buf, sz) == -1) {
+		log_err_printf("Warning: Failed to write to content log: %s\n",
+		               strerror(errno));
+		return -1;
+	}
+	return 0;
+}
+
 static int
 log_content_spec_opencb(void *fh)
 {
 	log_content_ctx_t *ctx = fh;
 
-	if ((ctx->fd = privsep_client_openfile(content_clisock,
-	                                       ctx->u.spec.filename,
-	                                       1)) == -1) {
+	if ((ctx->u.spec.fd = privsep_client_openfile(content_clisock,
+	                                              ctx->u.spec.filename,
+	                                              1)) == -1) {
 		log_err_printf("Opening logspec file '%s' failed: %s (%i)\n",
 		               ctx->u.spec.filename, strerror(errno), errno);
 		return -1;
@@ -621,11 +626,74 @@ log_content_spec_closecb(void *fh)
 
 	if (ctx->u.spec.filename)
 		free(ctx->u.spec.filename);
-	if (ctx->fd != -1)
-		close(ctx->fd);
+	if (ctx->u.spec.fd != -1)
+		close(ctx->u.spec.fd);
 	free(ctx);
 }
 
+static ssize_t
+log_content_spec_writecb(void *fh, const void *buf, size_t sz)
+{
+	log_content_ctx_t *ctx = fh;
+
+	if (write(ctx->u.spec.fd, buf, sz) == -1) {
+		log_err_printf("Warning: Failed to write to content log: %s\n",
+		               strerror(errno));
+		return -1;
+	}
+	return 0;
+}
+
+static int content_file_fd = -1;
+static char *content_file_fn = NULL;
+
+static int
+log_content_file_preinit(const char *logfile)
+{
+	content_file_fd = open(logfile, O_WRONLY|O_APPEND|O_CREAT,
+	                       DFLT_FILEMODE);
+	if (content_file_fd == -1) {
+		log_err_printf("Failed to open '%s' for writing: %s (%i)\n",
+		               logfile, strerror(errno), errno);
+		return -1;
+	}
+	if (!(content_file_fn = realpath(logfile, NULL))) {
+		log_err_printf("Failed to realpath '%s': %s (%i)\n",
+		              logfile, strerror(errno), errno);
+		close(content_file_fd);
+		connect_fd = -1;
+		return -1;
+	}
+	return 0;
+}
+
+static void
+log_content_file_fini(void)
+{
+	if (content_file_fn) {
+		free(content_file_fn);
+		content_file_fn = NULL;
+	}
+	if (content_file_fd != -1) {
+		close(content_file_fd);
+		content_file_fd = -1;
+	}
+}
+
+static int
+log_content_file_reopencb(void)
+{
+	close(content_file_fd);
+	content_file_fd = open(content_file_fn,
+	                       O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE);
+	if (content_file_fd == -1) {
+		log_err_printf("Failed to open '%s' for writing: %s (%i)\n",
+		               content_file_fn, strerror(errno), errno);
+		return -1;
+	}
+	return 0;
+}
+
 /*
 static int
 log_content_file_opencb(void *fh)
@@ -649,6 +717,19 @@ log_content_file_closecb(void *fh)
 	free(ctx);
 }
 
+static ssize_t
+log_content_file_writecb(void *fh, const void *buf, size_t sz)
+{
+	UNUSED log_content_ctx_t *ctx = fh;
+
+	if (write(content_file_fd, buf, sz) == -1) {
+		log_err_printf("Warning: Failed to write to content log: %s\n",
+		               strerror(errno));
+		return -1;
+	}
+	return 0;
+}
+
 static logbuf_t *
 log_content_file_prepcb(void *fh, unsigned long prepflags, logbuf_t *lb)
 {
@@ -711,6 +792,7 @@ out:
 int
 log_preinit(opts_t *opts)
 {
+	logger_reopen_func_t reopencb;
 	logger_open_func_t opencb;
 	logger_close_func_t closecb;
 	logger_write_func_t writecb;
@@ -718,39 +800,42 @@ log_preinit(opts_t *opts)
 
 	if (opts->contentlog) {
 		if (opts->contentlog_isdir) {
+			reopencb = NULL;
 			opencb = log_content_dir_opencb;
 			closecb = log_content_dir_closecb;
-			writecb = log_content_common_writecb;
+			writecb = log_content_dir_writecb;
 			prepcb = NULL;
 		} else if (opts->contentlog_isspec) {
+			reopencb = NULL;
 			opencb = log_content_spec_opencb;
 			closecb = log_content_spec_closecb;
-			writecb = log_content_common_writecb;
+			writecb = log_content_spec_writecb;
 			prepcb = NULL;
 		} else {
 			if (log_content_file_preinit(opts->contentlog) == -1)
 				goto out;
+			reopencb = log_content_file_reopencb;
 			opencb = NULL;
 			closecb = log_content_file_closecb;
-			writecb = log_content_common_writecb;
+			writecb = log_content_file_writecb;
 			prepcb = log_content_file_prepcb;
 		}
-		if (!(content_log = logger_new(opencb, closecb, writecb,
-		                               prepcb))) {
+		if (!(content_log = logger_new(reopencb, opencb, closecb,
+		                               writecb, prepcb))) {
 			log_content_file_fini();
 			goto out;
 		}
 	}
 	if (opts->connectlog) {
-		if (log_connect_open(opts->connectlog) == -1)
+		if (log_connect_preinit(opts->connectlog) == -1)
 			goto out;
-		if (!(connect_log = logger_new(NULL, NULL,
+		if (!(connect_log = logger_new(log_connect_reopencb, NULL, NULL,
 		                               log_connect_writecb, NULL))) {
-			log_connect_close();
+			log_connect_fini();
 			goto out;
 		}
 	}
-	if (!(err_log = logger_new(NULL, NULL, log_err_writecb, NULL)))
+	if (!(err_log = logger_new(NULL, NULL, NULL, log_err_writecb, NULL)))
 		goto out;
 	return 0;
 
@@ -760,7 +845,7 @@ out:
 		logger_free(content_log);
 	}
 	if (connect_log) {
-		log_connect_close();
+		log_connect_fini();
 		logger_free(connect_log);
 	}
 	return -1;
@@ -778,7 +863,7 @@ log_preinit_undo(void)
 		logger_free(content_log);
 	}
 	if (connect_log) {
-		log_connect_close();
+		log_connect_fini();
 		logger_free(connect_log);
 	}
 }
@@ -844,10 +929,25 @@ log_fini(void)
 	if (content_log)
 		log_content_file_fini();
 	if (connect_log)
-		log_connect_close();
+		log_connect_fini();
 
 	if (content_clisock != -1)
 		privsep_client_close(content_clisock);
 }
 
+int
+log_reopen(void)
+{
+	int rv = 0;
+
+	if (content_log)
+		if (logger_reopen(content_log) == -1)
+			rv = -1;
+	if (connect_log)
+		if (logger_reopen(connect_log) == -1)
+			rv = -1;
+
+	return rv;
+}
+
 /* vim: set noet ft=c: */

log.h

@@ -70,6 +70,7 @@ int log_preinit(opts_t *) NONNULL(1) WUNRES;
 void log_preinit_undo(void);
 int log_init(opts_t *, int) NONNULL(1) WUNRES;
 void log_fini(void);
+int log_reopen(void) WUNRES;
 
 #endif /* !LOG_H */
 

logger.c

@@ -45,6 +45,7 @@
 
 struct logger {
 	pthread_t thr;
+	logger_reopen_func_t reopen;
 	logger_open_func_t open;
 	logger_close_func_t close;
 	logger_prep_func_t prep;
@@ -52,8 +53,9 @@ struct logger {
 	thrqueue_t *queue;
 };
 
-#define LBFLAG_OPEN	1
-#define LBFLAG_CLOSE	2
+#define LBFLAG_REOPEN	(1 << 0)
+#define LBFLAG_OPEN	(1 << 1)
+#define LBFLAG_CLOSE	(1 << 2)
 
 static void
 logger_clear(logger_t *logger)
@@ -67,8 +69,9 @@ logger_clear(logger_t *logger)
  * not in the thread calling logger_submit().
  */
 logger_t *
-logger_new(logger_open_func_t openfunc, logger_close_func_t closefunc,
-           logger_write_func_t writefunc, logger_prep_func_t prepfunc)
+logger_new(logger_reopen_func_t reopenfunc, logger_open_func_t openfunc,
+           logger_close_func_t closefunc, logger_write_func_t writefunc,
+           logger_prep_func_t prepfunc)
 {
 	logger_t *logger;
 
@@ -76,6 +79,7 @@ logger_new(logger_open_func_t openfunc, logger_close_func_t closefunc,
 	if (!logger)
 		return NULL;
 	logger_clear(logger);
+	logger->reopen = reopenfunc;
 	logger->open = openfunc;
 	logger->close = closefunc;
 	logger->write = writefunc;
@@ -115,13 +119,30 @@ logger_submit(logger_t *logger, void *fh, unsigned long prepflags,
 	return thrqueue_enqueue(logger->queue, lb) ? 0 : -1;
 }
 
+/*
+ * Submit a log reopen event to the logger thread.
+ */
+int
+logger_reopen(logger_t *logger)
+{
+	logbuf_t *lb;
+
+	if (!logger->reopen)
+		return 0;
+
+	lb = logbuf_new(NULL, 0, NULL, NULL);
+	logbuf_ctl_set(lb, LBFLAG_REOPEN);
+	return thrqueue_enqueue(logger->queue, lb) ? 0 : -1;
+}
+
 /*
  * Submit a file open event to the logger thread.
  * fh is the file handle; an opaque unique address identifying the new file.
  * If no open callback is configured, returns successfully.
  * Returns 0 on success, -1 on failure.
  */
-int logger_open(logger_t *logger, void *fh)
+int
+logger_open(logger_t *logger, void *fh)
 {
 	logbuf_t *lb;
 
@@ -139,7 +160,8 @@ int logger_open(logger_t *logger, void *fh)
  * If no close callback is configured, returns successfully.
  * Returns 0 on success, -1 on failure.
  */
-int logger_close(logger_t *logger, void *fh)
+int
+logger_close(logger_t *logger, void *fh)
 {
 	logbuf_t *lb;
 
@@ -162,7 +184,9 @@ logger_thread(void *arg)
 	logbuf_t *lb;
 
 	while ((lb = thrqueue_dequeue(logger->queue))) {
-		if (logbuf_ctl_isset(lb, LBFLAG_OPEN)) {
+		if (logbuf_ctl_isset(lb, LBFLAG_REOPEN)) {
+			logger->reopen();
+		} else if (logbuf_ctl_isset(lb, LBFLAG_OPEN)) {
 			logger->open(lb->fh);
 		} else if (logbuf_ctl_isset(lb, LBFLAG_CLOSE)) {
 			logger->close(lb->fh);

logger.h

@@ -35,20 +35,22 @@
 #include <unistd.h>
 #include <pthread.h>
 
+typedef int (*logger_reopen_func_t)(void);
 typedef int (*logger_open_func_t)(void *);
 typedef void (*logger_close_func_t)(void *);
 typedef ssize_t (*logger_write_func_t)(void *, const void *, size_t);
 typedef logbuf_t * (*logger_prep_func_t)(void *, unsigned long, logbuf_t *);
 typedef struct logger logger_t;
 
-logger_t * logger_new(logger_open_func_t, logger_close_func_t,
-                      logger_write_func_t, logger_prep_func_t)
-                      NONNULL(3) MALLOC;
+logger_t * logger_new(logger_reopen_func_t, logger_open_func_t,
+                      logger_close_func_t, logger_write_func_t,
+                      logger_prep_func_t) NONNULL(4) MALLOC;
 void logger_free(logger_t *) NONNULL(1);
 int logger_start(logger_t *) NONNULL(1) WUNRES;
 void logger_leave(logger_t *) NONNULL(1);
 int logger_join(logger_t *) NONNULL(1);
 int logger_stop(logger_t *) NONNULL(1) WUNRES;
+int logger_reopen(logger_t *) NONNULL(1) WUNRES;
 int logger_open(logger_t *, void *) NONNULL(1,2) WUNRES;
 int logger_close(logger_t *, void *) NONNULL(1,2) WUNRES;
 int logger_submit(logger_t *, void *, unsigned long,

main.c

@@ -41,6 +41,7 @@
 #include "sys.h"
 #include "log.h"
 #include "version.h"
+#include "defaults.h"
 
 #include <stdlib.h>
 #include <stdio.h>
@@ -62,7 +63,6 @@
 extern int daemon(int, int);
 #endif /* __APPLE__ */
 
-#define DEFAULT_DROPUSER "nobody"
 
 /*
  * Print version information to stderr.
@@ -131,7 +131,7 @@ main_usage(void)
 #define OPT_g 
 #endif /* !OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_ECDH
-"  -G curve    use ECDH named curve (default: %s for non-RSA leafkey)\n"
+"  -G curve    use ECDH named curve (default: " DFLT_CURVE " for non-RSA leafkey)\n"
 #define OPT_G "G:"
 #else /* OPENSSL_NO_ECDH */
 #define OPT_G 
@@ -147,8 +147,7 @@ main_usage(void)
 "  -s ciphers  use the given OpenSSL cipher suite spec (default: ALL:-aNULL)\n"
 "  -e engine   specify default NAT engine to use (default: %s)\n"
 "  -E          list available NAT engines and exit\n"
-"  -u user     drop privileges to user (default if run as root: "
-               DEFAULT_DROPUSER ")\n"
+"  -u user     drop privileges to user (default if run as root: " DFLT_DROPUSER ")\n"
 "  -m group    when using -u, override group (default: primary group of user)\n"
 "  -j jaildir  chroot() to jaildir (impacts sni proxyspecs, see manual page)\n"
 "  -p pidfile  write pid to pidfile (default: no pid file)\n"
@@ -186,11 +185,7 @@ main_usage(void)
 "              ssl 2001:db8::2 9999 pf          # ssl/6; NAT engine 'pf'\n"
 "Example:\n"
 "  %s -k ca.key -c ca.pem -P  https 127.0.0.1 8443  https ::1 8443\n"
-	"%s", BNAME,
-#ifndef OPENSSL_NO_ECDH
-	SSL_EC_KEY_CURVE_DEFAULT,
-#endif /* !OPENSSL_NO_ECDH */
-	dflt, BNAME, warn);
+	"%s", BNAME, dflt, BNAME, warn);
 }
 
 /*
@@ -721,8 +716,8 @@ main(int argc, char *argv[])
 			oom_die(argv0);
 	}
 	if (!opts->dropuser && !geteuid() && !getuid() &&
-	    sys_isuser(DEFAULT_DROPUSER)) {
-		opts->dropuser = strdup(DEFAULT_DROPUSER);
+	    sys_isuser(DFLT_DROPUSER)) {
+		opts->dropuser = strdup(DFLT_DROPUSER);
 		if (!opts->dropuser)
 			oom_die(argv0);
 	}

privsep.c

@@ -32,6 +32,7 @@
 #include "util.h"
 #include "log.h"
 #include "attrib.h"
+#include "defaults.h"
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -151,7 +152,7 @@ privsep_server_openfile(char *fn, int mkpath)
 			free(fn2);
 			return -1;
 		}
-		if (sys_mkpath(filedir, 0777) == -1) {
+		if (sys_mkpath(filedir, DFLT_DIRMODE) == -1) {
 			log_err_printf("Could not create directory '%s': %s (%i)\n",
 			               filedir, strerror(errno), errno);
 			free(fn2);
@@ -160,7 +161,7 @@ privsep_server_openfile(char *fn, int mkpath)
 		free(fn2);
 	}
 
-	fd = open(fn, O_WRONLY|O_APPEND|O_CREAT, 0666);
+	fd = open(fn, O_WRONLY|O_APPEND|O_CREAT, DFLT_FILEMODE);
 	if (fd == -1) {
 		log_err_printf("Failed to open '%s': %s (%i)\n",
 		               fn, strerror(errno), errno);

proxy.c

@@ -57,7 +57,7 @@
  * Proxy engine, built around libevent 2.x.
  */
 
-static int signals[] = { SIGQUIT, SIGHUP, SIGINT, SIGPIPE };
+static int signals[] = { SIGQUIT, SIGHUP, SIGINT, SIGPIPE, SIGUSR1 };
 
 struct proxy_ctx {
 	pxy_thrmgr_ctx_t *thrmgr;
@@ -194,7 +194,7 @@ proxy_listener_setup(struct event_base *evbase, pxy_thrmgr_ctx_t *thrmgr,
 }
 
 /*
- * Signal handler for SIGQUIT, SIGINT, SIGHUP and SIGPIPE.
+ * Signal handler for SIGQUIT, SIGINT, SIGHUP, SIGPIPE and SIGUSR1.
  */
 static void
 proxy_signal_cb(evutil_socket_t fd, UNUSED short what, void *arg)
@@ -205,10 +205,25 @@ proxy_signal_cb(evutil_socket_t fd, UNUSED short what, void *arg)
 		log_dbg_printf("Received signal %i\n", fd);
 	}
 
-	if (fd == SIGPIPE) {
-		log_err_printf("Warning: Received SIGPIPE; ignoring.\n");
-	} else {
+	switch(fd) {
+	case SIGQUIT:
+	case SIGINT:
+	case SIGHUP:
 		event_base_loopbreak(ctx->evbase);
+		break;
+	case SIGUSR1:
+		if (log_reopen() == -1) {
+			log_err_printf("Warning: Failed to reopen logs\n");
+		} else {
+			log_dbg_printf("Reopened log files\n");
+		}
+		break;
+	case SIGPIPE:
+		log_err_printf("Warning: Received SIGPIPE; ignoring.\n");
+		break;
+	default:
+		log_err_printf("Warning: Received unexpected signal %i\n", fd);
+		break;
 	}
 }
 

ssl.c

@@ -29,6 +29,7 @@
 #include "ssl.h"
 
 #include "log.h"
+#include "defaults.h"
 
 #include <sys/types.h>
 #include <fcntl.h>
@@ -609,7 +610,7 @@ ssl_ec_by_name(const char *curvename)
 	int nid;
 
 	if (!curvename)
-		curvename = SSL_EC_KEY_CURVE_DEFAULT;
+		curvename = DFLT_CURVE;
 
 	if ((nid = OBJ_sn2nid(curvename)) == NID_undef) {
 		return NULL;

ssl.h

@@ -122,7 +122,6 @@ void ssl_dh_refcount_inc(DH *) NONNULL(1);
 #endif /* !OPENSSL_NO_DH */
 
 #ifndef OPENSSL_NO_EC
-#define SSL_EC_KEY_CURVE_DEFAULT "secp160r2"
 EC_KEY * ssl_ec_by_name(const char *) MALLOC;
 #endif /* !OPENSSL_NO_EC */
 

sslsplit.1

@@ -184,11 +184,13 @@ If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key.
 .B \-l \fIlogfile\fP
 Log connections to \fIlogfile\fP in a single line per connection format,
 including addresses and ports and some HTTP and SSL information, if available.
+SIGUSR1 will cause \fIlogfile\fP to be re-opened.
 .TP
 .B \-L \fIlogfile\fP
 Log connection content to \fIlogfile\fP.  The content log will contain a
 parsable log format with transmitted data, prepended with headers identifying
 the connection and the data length of each logged segment.
+SIGUSR1 will cause \fIlogfile\fP to be re-opened.
 .TP
 .B \-m
 When dropping privileges using \fB-u\fP, override the target primary group
@@ -356,6 +358,11 @@ than the NAT rules redirecting the actual connections.
 Note that when using \fB-j\fP with \fBsni\fP, you may need to prepare
 \fIjaildir\fP to make name resolution work from within the chroot directory.
 .LP
+.SH SIGNALS
+A running \fBsslsplit\fP accepts SIGINT and SIGQUIT for a clean shutdown and
+SIGUSR1 to re-open the long-living log files (\fB-l\fP and \fB-L\fP).
+Per-connection log files (\fB-S\fP and \fB-F\fP) are not re-opened because
+their filename is specific to the connection.
 .SH "LOG SPECIFICATIONS"
 Log specifications are composed of zero or more printf-style directives;
 ordinary characters are included directly in the output path.

sys.c

@@ -29,6 +29,7 @@
 #include "sys.h"
 
 #include "log.h"
+#include "defaults.h"
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -190,7 +191,7 @@ sys_pidf_open(const char *fn)
 {
 	int fd;
 
-	if ((fd = open(fn, O_RDWR|O_CREAT, 0640)) == -1) {
+	if ((fd = open(fn, O_RDWR|O_CREAT, DFLT_PIDFMODE)) == -1) {
 		log_err_printf("Failed to open '%s': %s\n", fn,
 		               strerror(errno));
 		return -1;

sys.t.c

@@ -28,6 +28,8 @@
 
 #include "sys.h"
 
+#include "defaults.h"
+
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
@@ -61,7 +63,7 @@ sys_isdir_setup(void)
 		perror("asprintf");
 		exit(EXIT_FAILURE);
 	}
-	close(open(file, O_CREAT|O_WRONLY|O_APPEND, 0600));
+	close(open(file, O_CREAT|O_WRONLY|O_APPEND, DFLT_FILEMODE));
 	symlink(file, lfile);
 	mkdir(dir, 0700);
 	symlink(dir, ldir);
@@ -141,7 +143,7 @@ START_TEST(sys_mkpath_01)
 	         basedir);
 	fail_unless(!!dir, "asprintf failed");
 	fail_unless(!sys_isdir(dir), "dir already sys_isdir()");
-	fail_unless(!sys_mkpath(dir, 0777), "sys_mkpath failed");
+	fail_unless(!sys_mkpath(dir, DFLT_DIRMODE), "sys_mkpath failed");
 	fail_unless(sys_isdir(dir), "dir not sys_isdir()");
 	free(dir);
 }