authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-03-15 15:58:03 -0400
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-03-17 01:55:48 -0400
commitcc64d0175a3c2c974709e9962c00fbe04d74c43f (patch)
treeb03dc9591925761c583a8b14c101c1052f1ace0d /src/journal/microhttpd-util.c
parentfdfccdbc985944a57017a25f44dd6acc1a937bab (diff)
journal-remote: HTTP(s) support
The whole tool is made dependent on µhttpd availability. It should be easy to make the µhttpd parts conditional, but since transfer over HTTP seems to be the primary use case, currently this is not done. Current implementation uses nested epoll loops: sd-event is used for the external event loop, and µhttpd uses epoll in its own loop. Unfortunately µhttpd does not expose enough information to add the descriptors it uses to the external event loop. This means that starvation of other events is possible, if one of the inner µhttpd loops is constantly busy. This means that µhttpd servers should not be mixed with other sources. The TLS authentication parts haven't been really tested properly, and should not be taken too seriously.
Diffstat (limited to 'src/journal/microhttpd-util.c')
-rw-r--r--src/journal/microhttpd-util.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/src/journal/microhttpd-util.c b/src/journal/microhttpd-util.c
index 17135abf8b..f7f12e1a8e 100644
--- a/src/journal/microhttpd-util.c
+++ b/src/journal/microhttpd-util.c
@@ -49,13 +49,14 @@ void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
int respond_oom_internal(struct MHD_Connection *connection) {
+ const char *m = "Out of memory.\n";
+
struct MHD_Response *response;
- const char m[] = "Out of memory.\n";
int ret;
assert(connection);
- response = MHD_create_response_from_buffer(sizeof(m)-1, (char*) m, MHD_RESPMEM_PERSISTENT);
+ response = MHD_create_response_from_buffer(strlen(m), (char*) m, MHD_RESPMEM_PERSISTENT);
if (!response)
return MHD_NO;
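Review bot: Switching `m` from an array to a pointer on the added line turns the compile-time `sizeof(m)-1` into a runtime `strlen(m)` on every out-of-memory response, which buys nothing here; `static const char m[] = "Out of memory.\n";` would let the original length expression stand. The `(char*) m` cast discards const, which is tolerable only because MHD_RESPMEM_PERSISTENT tells libmicrohttpd the buffer is neither written to nor freed, and that assumption deserves to be stated next to the call, e.g. `/* PERSISTENT: MHD treats the buffer as read-only and never frees it */`. respond_oom_internal's body continues past the hunk.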
@@ -92,7 +93,7 @@ int respond_error(struct MHD_Connection *connection,
return respond_oom(connection);
}
- log_debug("queing response %u: %s", code, m);
+ log_debug("Queing response %u: %s", code, m);
MHD_add_response_header(response, "Content-Type", "text/plain");
r = MHD_queue_response(connection, code, response);
MHD_destroy_response(response);
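Review bot: The new log line keeps the misspelling "Queing" while changing only its capitalisation; `log_debug("Queuing response %u: %s", code, m);` fixes it. respond_error's signature and the construction of `m` lie outside the hunk, so I cannot tell whether `m` may carry caller-supplied text; if it can, this debug line is where unescaped input would first reach the journal and should be checked at the call sites.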
@@ -227,8 +228,10 @@ int check_permissions(struct MHD_Connection *connection, int *code) {
ci = MHD_get_connection_info(connection,
MHD_CONNECTION_INFO_GNUTLS_SESSION);
if (!ci) {
- log_error("MHD_get_connection_info failed");
- return -EINVAL;
+ log_error("MHD_get_connection_info failed: session is unencrypted");
+ *code = respond_error(connection, MHD_HTTP_FORBIDDEN,
+ "Encrypted connection is required");
+ return -EPERM;
}
session = ci->tls_session;
assert(session);
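Review bot: The new guard turns a NULL connection-info into a 403, but the `assert(session)` right after it still aborts the whole daemon if the struct comes back with a NULL `tls_session`; an assert on state derived from a peer's connection is a remote crash rather than a programming check, so fold it into the same branch: `if (!ci || !ci->tls_session) {` followed by the existing 403/-EPERM path. The log text "session is unencrypted" is also an inference: as far as I recall MHD_get_connection_info returns NULL for this info type whenever the daemon itself was not started with TLS, not only for a plaintext client, so `"MHD_get_connection_info failed: no TLS session (daemon not using TLS, or plaintext client)"` would point an operator at both causes. check_permissions begins before the hunk.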
@@ -247,11 +250,11 @@ int check_permissions(struct MHD_Connection *connection, int *code) {
return -EPERM;
}
- log_info("Connection from %s", buf);
+ log_info("Connection from DN %s", buf);
r = verify_cert_authorized(session);
if (r < 0) {
- log_error("Client is not authorized");
+ log_warning("Client is not authorized");
*code = respond_error(connection, MHD_HTTP_UNAUTHORIZED,
"Client certificate not signed by recognized authority");
}
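Review bot: The 401 on the unauthorized-certificate path is sent without a WWW-Authenticate header, which RFC 7235 requires with that status, and a client whose certificate chain was rejected has no challenge it could answer anyway; `*code = respond_error(connection, MHD_HTTP_FORBIDDEN,` with the same message is the status that fits and matches the 403 this same function uses for the unencrypted case. The `log_info("Connection from DN %s", buf)` line also writes a peer-chosen certificate DN verbatim into the journal, so unless `buf` is sanitised where it is built (outside the hunk) a DN containing newlines or control characters reaches the log unescaped. check_permissions continues past the hunk.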