summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile-man.am4
-rw-r--r--Makefile.am24
-rw-r--r--man/systemd-journal-remote.xml21
-rw-r--r--src/journal/journal-remote-parse.c14
-rw-r--r--src/journal/journal-remote-parse.h1
-rw-r--r--src/journal/journal-remote.c491
-rw-r--r--src/journal/microhttpd-util.c17
7 files changed, 532 insertions, 40 deletions
diff --git a/Makefile-man.am b/Makefile-man.am
index eefd5eaa12..8a4ee9d179 100644
--- a/Makefile-man.am
+++ b/Makefile-man.am
@@ -68,7 +68,6 @@ MANPAGES += \
man/systemd-halt.service.8 \
man/systemd-inhibit.1 \
man/systemd-initctl.service.8 \
- man/systemd-journal-remote.8 \
man/systemd-journald.service.8 \
man/systemd-machine-id-setup.1 \
man/systemd-notify.1 \
@@ -1135,7 +1134,8 @@ endif
if HAVE_MICROHTTPD
MANPAGES += \
- man/systemd-journal-gatewayd.service.8
+ man/systemd-journal-gatewayd.service.8 \
+ man/systemd-journal-remote.8
MANPAGES_ALIAS += \
man/systemd-journal-gatewayd.8 \
man/systemd-journal-gatewayd.socket.8
diff --git a/Makefile.am b/Makefile.am
index 923e3c4720..4f94587f7d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3130,6 +3130,10 @@ systemd_cat_SOURCES = \
systemd_cat_LDADD = \
libsystemd-journal-core.la
+if HAVE_MICROHTTPD
+rootlibexec_PROGRAMS += \
+ systemd-journal-remote
+
systemd_journal_remote_SOURCES = \
src/journal/journal-remote-parse.h \
src/journal/journal-remote-parse.c \
@@ -3141,6 +3145,23 @@ systemd_journal_remote_LDADD = \
libsystemd-internal.la \
libsystemd-journal-core.la
+systemd_journal_remote_SOURCES += \
+ src/journal/microhttpd-util.h \
+ src/journal/microhttpd-util.c
+
+systemd_journal_remote_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(MICROHTTPD_CFLAGS)
+
+systemd_journal_remote_LDADD += \
+ $(MICROHTTPD_LIBS)
+
+if HAVE_GNUTLS
+systemd_journal_remote_LDADD += \
+ $(GNUTLS_LIBS)
+endif
+endif
+
# using _CFLAGS = in the conditional below would suppress AM_CFLAGS
journalctl_CFLAGS = \
$(AM_CFLAGS)
@@ -3391,8 +3412,7 @@ noinst_LTLIBRARIES += \
libsystemd-journal-internal.la
rootlibexec_PROGRAMS += \
- systemd-journald \
- systemd-journal-remote
+ systemd-journald
rootbin_PROGRAMS += \
journalctl
diff --git a/man/systemd-journal-remote.xml b/man/systemd-journal-remote.xml
index 036d0bcb4a..ef123ce481 100644
--- a/man/systemd-journal-remote.xml
+++ b/man/systemd-journal-remote.xml
@@ -21,7 +21,7 @@ You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="systemd-journal-remote">
+<refentry id="systemd-journal-remote" conditional='HAVE_MICROHTTPD'>
<refentryinfo>
<title>systemd-journal-remote</title>
@@ -130,8 +130,8 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
<varlistentry>
<term><option>--listen-raw=<replaceable>ADDRESS</replaceable></option></term>
- <listitem><para><option>ADDRESS</option> must be an address
- suitable for <option>ListenStream=</option> (c.f.
+ <listitem><para><replaceable>ADDRESS</replaceable> must be an
+ address suitable for <option>ListenStream=</option> (c.f.
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
<command>systemd-journal-remote</command> will listen on this
socket for connections. Each connection is expected to be a
@@ -140,6 +140,21 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
</varlistentry>
<varlistentry>
+ <term><option>--listen-http=<replaceable>ADDRESS</replaceable></option></term>
+ <term><option>--listen-https=<replaceable>ADDRESS</replaceable></option></term>
+
+ <listitem><para><replaceable>ADDRESS</replaceable> must be an
+ address suitable for <option>ListenStream=</option> (c.f.
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
+ HTTP or HTTPS server will be spawned on this port,
+ respectively, for the first and second options. Currenntly
+ Only POST requests to <filename>/upload</filename> with
+ <literal>Content-Type: application/vnd.fdo.journal</literal>
+ are supported.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>$LISTEN_FDS</varname></term>
<listitem><para><command>systemd-journal-remote</command>
diff --git a/src/journal/journal-remote-parse.c b/src/journal/journal-remote-parse.c
index ee2260c5a9..c961844c44 100644
--- a/src/journal/journal-remote-parse.c
+++ b/src/journal/journal-remote-parse.c
@@ -100,6 +100,20 @@ static int get_line(RemoteSource *source, char **line, size_t *size) {
return 1;
}
+int push_data(RemoteSource *source, const char *data, size_t size) {
+ assert(source);
+ assert(source->state != STATE_EOF);
+
+ if (!GREEDY_REALLOC(source->buf, source->size,
+ source->filled + size))
+ return log_oom();
+
+ memcpy(source->buf + source->filled, data, size);
+ source->filled += size;
+
+ return 0;
+}
+
static int fill_fixed_size(RemoteSource *source, void **data, size_t size) {
int n;
char *newbuf = NULL;
diff --git a/src/journal/journal-remote-parse.h b/src/journal/journal-remote-parse.h
index 3bda97e2d4..c1506d118d 100644
--- a/src/journal/journal-remote-parse.h
+++ b/src/journal/journal-remote-parse.h
@@ -57,4 +57,5 @@ static inline int source_non_empty(RemoteSource *source) {
void source_free(RemoteSource *source);
int process_data(RemoteSource *source);
+int push_data(RemoteSource *source, const char *data, size_t size);
int process_source(RemoteSource *source, Writer *writer, bool compress, bool seal);
diff --git a/src/journal/journal-remote.c b/src/journal/journal-remote.c
index f8979daca6..1a1ca2c480 100644
--- a/src/journal/journal-remote.c
+++ b/src/journal/journal-remote.c
@@ -41,6 +41,13 @@
#include "build.h"
#include "macro.h"
#include "strv.h"
+#include "fileio.h"
+#include "socket-util.h"
+#include "microhttpd-util.h"
+
+#ifdef HAVE_GNUTLS
+#include <gnutls/gnutls.h>
+#endif
#include "journal-remote-parse.h"
#include "journal-remote-write.h"
@@ -52,9 +59,15 @@ static char* arg_url = NULL;
static char* arg_getter = NULL;
static bool arg_stdin = false;
static char* arg_listen_raw = NULL;
+static char* arg_listen_http = NULL;
+static char* arg_listen_https = NULL;
static int arg_compress = true;
static int arg_seal = false;
+static char *key_pem = NULL;
+static char *cert_pem = NULL;
+static char *trust_pem = NULL;
+
/**********************************************************************
**********************************************************************
**********************************************************************/
@@ -201,6 +214,17 @@ static int open_output(Writer *s, const char* url) {
return r;
}
+/**********************************************************************
+ **********************************************************************
+ **********************************************************************/
+
+typedef struct MHDDaemonWrapper {
+ uint64_t fd;
+ struct MHD_Daemon *daemon;
+
+ sd_event_source *event;
+} MHDDaemonWrapper;
+
typedef struct RemoteServer {
RemoteSource **sources;
ssize_t sources_size;
@@ -210,8 +234,13 @@ typedef struct RemoteServer {
sd_event_source *sigterm_event, *sigint_event, *listen_event;
Writer writer;
+
+ Hashmap *daemons;
} RemoteServer;
+/* This should go away as soon as µhttpd allows state to be passed around. */
+static RemoteServer *server;
+
static int dispatch_raw_source_event(sd_event_source *event,
int fd,
uint32_t revents,
@@ -220,6 +249,10 @@ static int dispatch_raw_connection_event(sd_event_source *event,
int fd,
uint32_t revents,
void *userdata);
+static int dispatch_http_event(sd_event_source *event,
+ int fd,
+ uint32_t revents,
+ void *userdata);
static int get_source_for_fd(RemoteServer *s, int fd, RemoteSource **source) {
assert(fd >= 0);
@@ -325,6 +358,285 @@ static int setup_raw_socket(RemoteServer *s, const char *address) {
**********************************************************************
**********************************************************************/
+static RemoteSource *request_meta(void **connection_cls) {
+ RemoteSource *source;
+
+ assert(connection_cls);
+ if (*connection_cls)
+ return *connection_cls;
+
+ source = new0(RemoteSource, 1);
+ if (!source)
+ return NULL;
+ source->fd = -1;
+
+ log_debug("Added RemoteSource as connection metadata %p", source);
+
+ *connection_cls = source;
+ return source;
+}
+
+static void request_meta_free(void *cls,
+ struct MHD_Connection *connection,
+ void **connection_cls,
+ enum MHD_RequestTerminationCode toe) {
+ RemoteSource *s;
+
+ assert(connection_cls);
+ s = *connection_cls;
+
+ log_debug("Cleaning up connection metadata %p", s);
+ source_free(s);
+ *connection_cls = NULL;
+}
+
+static int process_http_upload(
+ struct MHD_Connection *connection,
+ const char *upload_data,
+ size_t *upload_data_size,
+ RemoteSource *source) {
+
+ bool finished = false;
+ int r;
+
+ assert(source);
+
+ log_debug("request_handler_upload: connection %p, %zu bytes",
+ connection, *upload_data_size);
+
+ if (*upload_data_size) {
+ log_info("Received %zu bytes", *upload_data_size);
+
+ r = push_data(source, upload_data, *upload_data_size);
+ if (r < 0) {
+ log_error("Failed to store received data of size %zu: %s",
+ *upload_data_size, strerror(-r));
+ return respond_oom_internal(connection);
+ }
+ *upload_data_size = 0;
+ } else
+ finished = true;
+
+ while (true) {
+ r = process_source(source, &server->writer, arg_compress, arg_seal);
+ if (r == -E2BIG)
+ log_warning("Entry too big, skipped");
+ else if (r == -EAGAIN || r == -EWOULDBLOCK)
+ break;
+ else if (r < 0) {
+ log_warning("Failed to process data for connection %p", connection);
+ return respond_error(connection, MHD_HTTP_UNPROCESSABLE_ENTITY,
+ "Processing failed: %s", strerror(-r));
+ }
+ }
+
+ if (!finished)
+ return MHD_YES;
+
+ /* The upload is finished */
+
+ if (source_non_empty(source)) {
+ log_warning("EOF reached with incomplete data");
+ return respond_error(connection, MHD_HTTP_EXPECTATION_FAILED,
+ "Trailing data not processed.");
+ }
+
+ return respond_error(connection, MHD_HTTP_ACCEPTED, "OK.\n");
+};
+
+static int request_handler(
+ void *cls,
+ struct MHD_Connection *connection,
+ const char *url,
+ const char *method,
+ const char *version,
+ const char *upload_data,
+ size_t *upload_data_size,
+ void **connection_cls) {
+
+ const char *header;
+ int r ,code;
+
+ assert(connection);
+ assert(connection_cls);
+ assert(url);
+ assert(method);
+
+ log_debug("Handling a connection %s %s %s", method, url, version);
+
+ if (*connection_cls)
+ return process_http_upload(connection,
+ upload_data, upload_data_size,
+ *connection_cls);
+
+ if (!streq(method, "POST"))
+ return respond_error(connection, MHD_HTTP_METHOD_NOT_ACCEPTABLE,
+ "Unsupported method.\n");
+
+ if (!streq(url, "/upload"))
+ return respond_error(connection, MHD_HTTP_NOT_FOUND,
+ "Not found.\n");
+
+ header = MHD_lookup_connection_value(connection,
+ MHD_HEADER_KIND, "Content-Type");
+ if (!header || !streq(header, "application/vnd.fdo.journal"))
+ return respond_error(connection, MHD_HTTP_UNSUPPORTED_MEDIA_TYPE,
+ "Content-Type: application/vnd.fdo.journal"
+ " is required.\n");
+
+ if (trust_pem) {
+ r = check_permissions(connection, &code);
+ if (r < 0)
+ return code;
+ }
+
+ if (!request_meta(connection_cls))
+ return respond_oom(connection);
+ return MHD_YES;
+}
+
+static int setup_microhttpd_server(RemoteServer *s, int fd, bool https) {
+ struct MHD_OptionItem opts[] = {
+ { MHD_OPTION_NOTIFY_COMPLETED, (intptr_t) request_meta_free},
+ { MHD_OPTION_EXTERNAL_LOGGER, (intptr_t) microhttpd_logger},
+ { MHD_OPTION_LISTEN_SOCKET, fd},
+ { MHD_OPTION_END},
+ { MHD_OPTION_END},
+ { MHD_OPTION_END},
+ { MHD_OPTION_END}};
+ int opts_pos = 3;
+ int flags =
+ MHD_USE_DEBUG |
+ MHD_USE_PEDANTIC_CHECKS |
+ MHD_USE_EPOLL_LINUX_ONLY |
+ MHD_USE_DUAL_STACK;
+
+ const union MHD_DaemonInfo *info;
+ int r, epoll_fd;
+ MHDDaemonWrapper *d;
+
+ assert(fd >= 0);
+
+ r = fd_nonblock(fd, true);
+ if (r < 0) {
+ log_error("Failed to make fd:%d nonblocking: %s", fd, strerror(-r));
+ return r;
+ }
+
+ if (https) {
+ opts[opts_pos++] = (struct MHD_OptionItem)
+ {MHD_OPTION_HTTPS_MEM_KEY, 0, key_pem};
+ opts[opts_pos++] = (struct MHD_OptionItem)
+ {MHD_OPTION_HTTPS_MEM_CERT, 0, cert_pem};
+
+ flags |= MHD_USE_SSL;
+
+ if (trust_pem)
+ opts[opts_pos++] = (struct MHD_OptionItem)
+ {MHD_OPTION_HTTPS_MEM_TRUST, 0, trust_pem};
+ }
+
+ d = new(MHDDaemonWrapper, 1);
+ if (!d)
+ return log_oom();
+
+ d->fd = (uint64_t) fd;
+
+ d->daemon = MHD_start_daemon(flags, 0,
+ NULL, NULL,
+ request_handler, NULL,
+ MHD_OPTION_ARRAY, opts,
+ MHD_OPTION_END);
+ if (!d->daemon) {
+ log_error("Failed to start µhttp daemon");
+ r = -EINVAL;
+ goto error;
+ }
+
+ log_debug("Started MHD %s daemon on fd:%d (wrapper @ %p)",
+ https ? "HTTPS" : "HTTP", fd, d);
+
+
+ info = MHD_get_daemon_info(d->daemon, MHD_DAEMON_INFO_EPOLL_FD_LINUX_ONLY);
+ if (!info) {
+ log_error("µhttp returned NULL daemon info");
+ r = -ENOTSUP;
+ goto error;
+ }
+
+ epoll_fd = info->listen_fd;
+ if (epoll_fd < 0) {
+ log_error("µhttp epoll fd is invalid");
+ r = -EUCLEAN;
+ goto error;
+ }
+
+ r = sd_event_add_io(s->events, &d->event,
+ epoll_fd, EPOLLIN, dispatch_http_event, d);
+ if (r < 0) {
+ log_error("Failed to add event callback: %s", strerror(-r));
+ goto error;
+ }
+
+ r = hashmap_ensure_allocated(&s->daemons, uint64_hash_func, uint64_compare_func);
+ if (r < 0) {
+ log_oom();
+ goto error;
+ }
+
+ r = hashmap_put(s->daemons, &d->fd, d);
+ if (r < 0) {
+ log_error("Failed to add daemon to hashmap: %s", strerror(-r));
+ goto error;
+ }
+
+ s->active ++;
+ return 0;
+
+error:
+ MHD_stop_daemon(d->daemon);
+ free(d->daemon);
+ free(d);
+ return r;
+}
+
+static int setup_microhttpd_socket(RemoteServer *s,
+ const char *address,
+ bool https) {
+ int fd;
+
+ fd = make_socket_fd(LOG_INFO, address, SOCK_STREAM | SOCK_CLOEXEC);
+ if (fd < 0)
+ return fd;
+
+ return setup_microhttpd_server(s, fd, https);
+}
+
+static int dispatch_http_event(sd_event_source *event,
+ int fd,
+ uint32_t revents,
+ void *userdata) {
+ MHDDaemonWrapper *d = userdata;
+ int r;
+
+ assert(d);
+
+ log_info("%s", __func__);
+
+ r = MHD_run(d->daemon);
+ if (r == MHD_NO) {
+ log_error("MHD_run failed!");
+ // XXX: unregister daemon
+ return -EINVAL;
+ }
+
+ return 1; /* work to do */
+}
+
+/**********************************************************************
+ **********************************************************************
+ **********************************************************************/
+
static int dispatch_sigterm(sd_event_source *event,
const struct signalfd_siginfo *si,
void *userdata) {
@@ -369,6 +681,9 @@ static int remoteserver_init(RemoteServer *s) {
setup_signals(s);
+ assert(server == NULL);
+ server = s;
+
n = sd_listen_fds(true);
if (n < 0) {
log_error("Failed to read listening file descriptors from environment: %s",
@@ -426,6 +741,22 @@ static int remoteserver_init(RemoteServer *s) {
output_name = arg_listen_raw;
}
+ if (arg_listen_http) {
+ r = setup_microhttpd_socket(s, arg_listen_http, false);
+ if (r < 0)
+ return r;
+
+ output_name = arg_listen_http;
+ }
+
+ if (arg_listen_https) {
+ r = setup_microhttpd_socket(s, arg_listen_https, true);
+ if (r < 0)
+ return r;
+
+ output_name = arg_listen_https;
+ }
+
if (arg_stdin) {
log_info("Reading standard input...");
r = add_source(s, STDIN_FILENO, "stdin");
@@ -454,11 +785,20 @@ static int remoteserver_init(RemoteServer *s) {
static int server_destroy(RemoteServer *s) {
int r;
ssize_t i;
+ MHDDaemonWrapper *d;
r = writer_close(&s->writer);
+ while ((d = hashmap_steal_first(s->daemons))) {
+ MHD_stop_daemon(d->daemon);
+ sd_event_source_unref(d->event);
+ free(d);
+ }
+
+ hashmap_free(s->daemons);
+
assert(s->sources_size == 0 || s->sources);
- for(i = 0; i < s->sources_size; i++)
+ for (i = 0; i < s->sources_size; i++)
remove_source(s, i);
free(s->sources);
@@ -506,56 +846,61 @@ static int dispatch_raw_source_event(sd_event_source *event,
return r;
}
-static int dispatch_raw_connection_event(sd_event_source *event,
- int fd,
- uint32_t revents,
- void *userdata) {
- RemoteServer *s = userdata;
-
- SocketAddress addr = {
- .size = sizeof(union sockaddr_union),
- .type = SOCK_STREAM,
- };
+static int accept_connection(const char* type, int fd, SocketAddress *addr) {
int fd2, r;
- log_debug("Accepting new connection on fd:%d", fd);
- fd2 = accept4(fd, &addr.sockaddr.sa, &addr.size, SOCK_NONBLOCK|SOCK_CLOEXEC);
+ log_debug("Accepting new %s connection on fd:%d", type, fd);
+ fd2 = accept4(fd, &addr->sockaddr.sa, &addr->size, SOCK_NONBLOCK|SOCK_CLOEXEC);
if (fd2 < 0) {
log_error("accept() on fd:%d failed: %m", fd);
return -errno;
}
- switch(socket_address_family(&addr)) {
+ switch(socket_address_family(addr)) {
case AF_INET:
case AF_INET6: {
char* _cleanup_free_ a = NULL;
- r = socket_address_print(&addr, &a);
+ r = socket_address_print(addr, &a);
if (r < 0) {
log_error("socket_address_print(): %s", strerror(-r));
close(fd2);
return r;
}
- log_info("Accepted %s connection from %s",
- socket_address_family(&addr) == AF_INET ? "IP" : "IPv6",
+ log_info("Accepted %s %s connection from %s",
+ type,
+ socket_address_family(addr) == AF_INET ? "IP" : "IPv6",
a);
- break;
+
+ return fd2;
};
default:
- log_error("Connection with unsupported family %d",
- socket_address_family(&addr));
+ log_error("Rejected %s connection with unsupported family %d",
+ type, socket_address_family(addr));
close(fd2);
+
return -EINVAL;
}
+}
- r = add_source(s, fd2, NULL);
- if (r < 0)
- log_error("failed to create source from fd:%d: %s", fd2, strerror(-r));
+static int dispatch_raw_connection_event(sd_event_source *event,
+ int fd,
+ uint32_t revents,
+ void *userdata) {
+ RemoteServer *s = userdata;
+ int fd2;
+ SocketAddress addr = {
+ .size = sizeof(union sockaddr_union),
+ .type = SOCK_STREAM,
+ };
- return r;
-}
+ fd2 = accept_connection("raw", fd, &addr);
+ if (fd2 < 0)
+ return fd2;
+ return add_source(s, fd2, NULL);
+}
/**********************************************************************
**********************************************************************
@@ -568,6 +913,8 @@ static int help(void) {
" --url=URL Read events from systemd-journal-gatewayd at URL\n"
" --getter=COMMAND Read events from the output of COMMAND\n"
" --listen-raw=ADDR Listen for connections at ADDR\n"
+ " --listen-http=ADDR Listen for HTTP connections at ADDR\n"
+ " --listen-https=ADDR Listen for HTTPS connections at ADDR\n"
" --stdin Read events from standard input\n"
" -o --output=FILE|DIR Write output to FILE or DIR/external-*.journal\n"
" --[no-]compress Use XZ-compression in the output journal (default: yes)\n"
@@ -586,12 +933,17 @@ static int parse_argv(int argc, char *argv[]) {
ARG_VERSION = 0x100,
ARG_URL,
ARG_LISTEN_RAW,
+ ARG_LISTEN_HTTP,
+ ARG_LISTEN_HTTPS,
ARG_STDIN,
ARG_GETTER,
ARG_COMPRESS,
ARG_NO_COMPRESS,
ARG_SEAL,
ARG_NO_SEAL,
+ ARG_KEY,
+ ARG_CERT,
+ ARG_TRUST,
};
static const struct option options[] = {
@@ -600,16 +952,21 @@ static int parse_argv(int argc, char *argv[]) {
{ "url", required_argument, NULL, ARG_URL },
{ "getter", required_argument, NULL, ARG_GETTER },
{ "listen-raw", required_argument, NULL, ARG_LISTEN_RAW },
+ { "listen-http", required_argument, NULL, ARG_LISTEN_HTTP },
+ { "listen-https", required_argument, NULL, ARG_LISTEN_HTTPS },
{ "stdin", no_argument, NULL, ARG_STDIN },
{ "output", required_argument, NULL, 'o' },
{ "compress", no_argument, NULL, ARG_COMPRESS },
{ "no-compress", no_argument, NULL, ARG_NO_COMPRESS },
{ "seal", no_argument, NULL, ARG_SEAL },
{ "no-seal", no_argument, NULL, ARG_NO_SEAL },
+ { "key", required_argument, NULL, ARG_KEY },
+ { "cert", required_argument, NULL, ARG_CERT },
+ { "trust", required_argument, NULL, ARG_TRUST },
{}
};
- int c;
+ int c, r;
assert(argc >= 0);
assert(argv);
@@ -652,6 +1009,67 @@ static int parse_argv(int argc, char *argv[]) {
arg_listen_raw = optarg;
break;
+ case ARG_LISTEN_HTTP:
+ if (arg_listen_http) {
+ log_error("cannot currently use --listen-http more than once");
+ return -EINVAL;
+ }
+
+ arg_listen_http = optarg;
+ break;
+
+ case ARG_LISTEN_HTTPS:
+ if (arg_listen_https) {
+ log_error("cannot currently use --listen-https more than once");
+ return -EINVAL;
+ }
+
+ arg_listen_https = optarg;
+ break;
+
+ case ARG_KEY:
+ if (key_pem) {
+ log_error("Key file specified twice");
+ return -EINVAL;
+ }
+ r = read_full_file(optarg, &key_pem, NULL);
+ if (r < 0) {
+ log_error("Failed to read key file: %s", strerror(-r));
+ return r;
+ }
+ assert(key_pem);
+ break;
+
+ case ARG_CERT:
+ if (cert_pem) {
+ log_error("Certificate file specified twice");
+ return -EINVAL;
+ }
+ r = read_full_file(optarg, &cert_pem, NULL);
+ if (r < 0) {
+ log_error("Failed to read certificate file: %s", strerror(-r));
+ return r;
+ }
+ assert(cert_pem);
+ break;
+
+ case ARG_TRUST:
+#ifdef HAVE_GNUTLS
+ if (trust_pem) {
+ log_error("CA certificate file specified twice");
+ return -EINVAL;
+ }
+ r = read_full_file(optarg, &trust_pem, NULL);
+ if (r < 0) {
+ log_error("Failed to read CA certificate file: %s", strerror(-r));
+ return r;
+ }
+ assert(trust_pem);
+ break;
+#else
+ log_error("Option --trust is not available.");
+#endif
+
case ARG_STDIN:
arg_stdin = true;
break;
@@ -686,6 +1104,11 @@ static int parse_argv(int argc, char *argv[]) {
return -EINVAL;
}
+ if (arg_listen_https && !(key_pem && cert_pem)) {
+ log_error("Options --key and --cert must be used when https sources are specified");
+ return -EINVAL;
+ }
+
if (optind < argc) {
log_error("This program takes no positional arguments");
return -EINVAL;
@@ -694,6 +1117,18 @@ static int parse_argv(int argc, char *argv[]) {
return 1 /* work to do */;
}
+static int setup_gnutls_logger(void) {
+ if (!arg_listen_http && !arg_listen_https)
+ return 0;
+
+#ifdef HAVE_GNUTLS
+ gnutls_global_set_log_function(log_func_gnutls);
+ gnutls_global_set_log_level(GNUTLS_LOG_LEVEL);
+#endif
+
+ return 0;
+}
+
int main(int argc, char **argv) {
RemoteServer s = {};
int r, r2;
@@ -706,6 +1141,10 @@ int main(int argc, char **argv) {
if (r <= 0)
return r == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+ r = setup_gnutls_logger();
+ if (r < 0)
+ return EXIT_FAILURE;
+
if (remoteserver_init(&s) < 0)
return EXIT_FAILURE;
diff --git a/src/journal/microhttpd-util.c b/src/journal/microhttpd-util.c
index 17135abf8b..f7f12e1a8e 100644
--- a/src/journal/microhttpd-util.c
+++ b/src/journal/microhttpd-util.c
@@ -49,13 +49,14 @@ void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
int respond_oom_internal(struct MHD_Connection *connection) {
+ const char *m = "Out of memory.\n";
+
struct MHD_Response *response;
- const char m[] = "Out of memory.\n";
int ret;
assert(connection);
- response = MHD_create_response_from_buffer(sizeof(m)-1, (char*) m, MHD_RESPMEM_PERSISTENT);
+ response = MHD_create_response_from_buffer(strlen(m), (char*) m, MHD_RESPMEM_PERSISTENT);
if (!response)
return MHD_NO;
@@ -92,7 +93,7 @@ int respond_error(struct MHD_Connection *connection,
return respond_oom(connection);
}
- log_debug("queing response %u: %s", code, m);
+ log_debug("Queing response %u: %s", code, m);
MHD_add_response_header(response, "Content-Type", "text/plain");
r = MHD_queue_response(connection, code, response);
MHD_destroy_response(response);
@@ -227,8 +228,10 @@ int check_permissions(struct MHD_Connection *connection, int *code) {
ci = MHD_get_connection_info(connection,
MHD_CONNECTION_INFO_GNUTLS_SESSION);
if (!ci) {
- log_error("MHD_get_connection_info failed");
- return -EINVAL;
+ log_error("MHD_get_connection_info failed: session is unencrypted");
+ *code = respond_error(connection, MHD_HTTP_FORBIDDEN,
+ "Encrypted connection is required");
+ return -EPERM;
}
session = ci->tls_session;
assert(session);
@@ -247,11 +250,11 @@ int check_permissions(struct MHD_Connection *connection, int *code) {
return -EPERM;
}
- log_info("Connection from %s", buf);
+ log_info("Connection from DN %s", buf);
r = verify_cert_authorized(session);
if (r < 0) {
- log_error("Client is not authorized");
+ log_warning("Client is not authorized");
*code = respond_error(connection, MHD_HTTP_UNAUTHORIZED,
"Client certificate not signed by recognized authority");
}