Only enable plaintext listened by default if not built with TLS support.

Previously, sudo_logsrvd would accept both TLS and plaintext
connections if no "listen_address" was specified.  With this change,
if sudo_logsrvd.conf doesn't specify a "listen_address", the TLS
listener will be enabled if built with TLS support, otherwise the
plaintext listener will be enabled.  There is no change in behavior
when a "listen_address" is specified.

Found by the ZeroPath AI Security Engineer <https://zeropath.com>

Author: millert

docs/sudo_logsrvd.conf.man.in

@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "September 28, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "November 7, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -56,7 +56,7 @@ section contains a copy of the default
 file.
 .PP
 The following configuration sections are recognized:
-.PP
+.sp
 .RS 1n
 .PD 0
 .TP 3n
@@ -113,19 +113,29 @@ service name as defined by the system service name database.
 If no port is specified, port 30343 will be used for plaintext
 connections and port 30344 will be used for TLS connections.
 .sp
-The default value is:
+Multiple
+\fIlisten_address\fR
+lines may be specified to listen on more than one port or address.
+.sp
+The default value for
+\fIlisten_address\fR
+depends on whether or not TLS has been configured.
+If any of the TLS options have been enabled, the default is:
 .nf
+.sp
 .RS 12n
-listen_address = *:30343
 listen_address = *:30344(tls)
 .RE
 .fi
 .RS 6n
-which will listen on all configured network interfaces for both
-plaintext and TLS connections.
-Multiple
-\fIlisten_address\fR
-lines may be specified to listen on more than one port or interface.
+.sp
+Otherwise, the plaintext listener is enabled by default:
+.nf
+.sp
+.RS 12n
+listen_address = *:30343
+.RE
+.fi
 .RE
 .TP 6n
 server_log = string

docs/sudo_logsrvd.conf.mdoc.in

@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd September 28, 2025
+.Dd November 7, 2025
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -104,16 +104,22 @@ service name as defined by the system service name database.
 If no port is specified, port 30343 will be used for plaintext
 connections and port 30344 will be used for TLS connections.
 .Pp
-The default value is:
-.Bd -literal -compact -offset indent
-listen_address = *:30343
-listen_address = *:30344(tls)
-.Ed
-which will listen on all configured network interfaces for both
-plaintext and TLS connections.
 Multiple
 .Em listen_address
-lines may be specified to listen on more than one port or interface.
+lines may be specified to listen on more than one port or address.
+.Pp
+The default value for
+.Em listen_address
+depends on whether or not TLS has been configured.
+If any of the TLS options have been enabled, the default is:
+.Bd -literal -offset indent
+listen_address = *:30344(tls)
+.Ed
+.Pp
+Otherwise, the plaintext listener is enabled by default:
+.Bd -literal -offset indent
+listen_address = *:30343
+.Ed
 .It server_log = string
 Where to log server warning and error messages.
 Supported values are

logsrvd/logsrvd_conf.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2023 Todd C. Miller <[email protected]>
+ * Copyright (c) 2019-2025 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1740,13 +1740,10 @@ logsrvd_conf_apply(struct logsrvd_config *config)
     }
 
     /* There can be multiple addresses so we can't set a default earlier. */
-    if (TAILQ_EMPTY(&config->server.addresses.addrs)) {
-	/* Enable plaintext listender. */
-	if (!cb_server_listen_address(config, "*:" DEFAULT_PORT, 0))
-	    debug_return_bool(false);
 #if defined(HAVE_OPENSSL)
-	/* If a certificate was specified, enable the TLS listener too. */
-	if (config->server.tls_cert_path != NULL) {
+    if (TAILQ_EMPTY(&config->server.addresses.addrs)) {
+	/* If no listener but TLS has been configured, enable TLS listener. */
+	if (TLS_CONFIGURED(config->server)) {
 	    if (!cb_server_listen_address(config, "*:" DEFAULT_PORT_TLS "(tls)", 0))
 		debug_return_bool(false);
 	}
@@ -1770,7 +1767,12 @@ logsrvd_conf_apply(struct logsrvd_config *config)
 	    }
 	    break;
 	}
+    }
 #endif /* HAVE_OPENSSL */
+    if (TAILQ_EMPTY(&config->server.addresses.addrs)) {
+	/* TLS not configured, enable plaintext listener. */
+	if (!cb_server_listen_address(config, "*:" DEFAULT_PORT, 0))
+	    debug_return_bool(false);
     }
 
 #if defined(HAVE_OPENSSL)