summaryrefslogtreecommitdiff
path: root/src/journal/journal-gatewayd.c
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2012-12-01 11:12:05 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-03-17 01:55:48 -0400
commitf12be7e8ca278a5a207d0fd051acec700b804a7a (patch)
tree356aff1c1330d60be79358fe668b4f88b4304a11 /src/journal/journal-gatewayd.c
parentcafc7f91306ea17ace4a6c3d76d81c8780c87452 (diff)
journal-gatewayd: check if certificate is signed by CA
If --trust=ca.crt is used, only clients presenting certificates signed by the ca will be allowed to proceed. No hostname matching is performed, so any client wielding a signed certificate will be authorized. Error functions are moved from journal-gateway to microhttp-util and made non-static, since now they are used in two source files.
Diffstat (limited to 'src/journal/journal-gatewayd.c')
-rw-r--r--src/journal/journal-gatewayd.c77
1 files changed, 19 insertions, 58 deletions
diff --git a/src/journal/journal-gatewayd.c b/src/journal/journal-gatewayd.c
index c9a243841d..ac16a7cf26 100644
--- a/src/journal/journal-gatewayd.c
+++ b/src/journal/journal-gatewayd.c
@@ -27,6 +27,10 @@
#include <microhttpd.h>
+#ifdef HAVE_GNUTLS
+#include <gnutls/gnutls.h>
+#endif
+
#include "log.h"
#include "util.h"
#include "sd-journal.h"
@@ -38,6 +42,10 @@
#include "build.h"
#include "fileio.h"
+static char *key_pem = NULL;
+static char *cert_pem = NULL;
+static char *trust_pem = NULL;
+
typedef struct RequestMeta {
sd_journal *journal;
@@ -111,60 +119,6 @@ static int open_journal(RequestMeta *m) {
return sd_journal_open(&m->journal, SD_JOURNAL_LOCAL_ONLY|SD_JOURNAL_SYSTEM);
}
-static int respond_oom_internal(struct MHD_Connection *connection) {
- struct MHD_Response *response;
- const char m[] = "Out of memory.\n";
- int ret;
-
- assert(connection);
-
- response = MHD_create_response_from_buffer(sizeof(m)-1, (char*) m, MHD_RESPMEM_PERSISTENT);
- if (!response)
- return MHD_NO;
-
- MHD_add_response_header(response, "Content-Type", "text/plain");
- ret = MHD_queue_response(connection, MHD_HTTP_SERVICE_UNAVAILABLE, response);
- MHD_destroy_response(response);
-
- return ret;
-}
-
-#define respond_oom(connection) log_oom(), respond_oom_internal(connection)
-
-_printf_(3,4)
-static int respond_error(
- struct MHD_Connection *connection,
- unsigned code,
- const char *format, ...) {
-
- struct MHD_Response *response;
- char *m;
- int r;
- va_list ap;
-
- assert(connection);
- assert(format);
-
- va_start(ap, format);
- r = vasprintf(&m, format, ap);
- va_end(ap);
-
- if (r < 0)
- return respond_oom(connection);
-
- response = MHD_create_response_from_buffer(strlen(m), m, MHD_RESPMEM_MUST_FREE);
- if (!response) {
- free(m);
- return respond_oom(connection);
- }
-
- MHD_add_response_header(response, "Content-Type", "text/plain");
- r = MHD_queue_response(connection, code, response);
- MHD_destroy_response(response);
-
- return r;
-}
-
static ssize_t request_reader_entries(
void *cls,
uint64_t pos,
@@ -859,6 +813,7 @@ static int request_handler(
const char *upload_data,
size_t *upload_data_size,
void **connection_cls) {
+ int r, code;
assert(connection);
assert(connection_cls);
@@ -876,6 +831,12 @@ static int request_handler(
return MHD_YES;
}
+ if (trust_pem) {
+ r = check_permissions(connection, &code);
+ if (r < 0)
+ return code;
+ }
+
if (streq(url, "/"))
return request_handler_redirect(connection, "/browse");
@@ -908,10 +869,6 @@ static int help(void) {
return 0;
}
-static char *key_pem = NULL;
-static char *cert_pem = NULL;
-static char *trust_pem = NULL;
-
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
@@ -973,6 +930,7 @@ static int parse_argv(int argc, char *argv[]) {
break;
case ARG_TRUST:
+#ifdef HAVE_GNUTLS
if (trust_pem) {
log_error("CA certificate file specified twice");
return -EINVAL;
@@ -984,6 +942,9 @@ static int parse_argv(int argc, char *argv[]) {
}
assert(trust_pem);
break;
+#else
+ log_error("Option --trust is not available.");
+#endif
case '?':
return -EINVAL;