


Zbigniew Jędrzejewski-Szmek a8cff0034c
Merge pull request #15347 from hakman/journald-upload-public-cloud
Support journal-upload HTTPS without key and certificate
2020-04-17 11:26:34 +02:00
Zbigniew Jędrzejewski-Szmek c3b22a92a9
Merge pull request #15452 from keszybz/fix-ipproto-assert
Fix static assertion failure with recent glibc
2020-04-17 11:25:40 +02:00
Zbigniew Jędrzejewski-Szmek fac2166359 network: use "FooOverUDP" as one word
The whole thing is one name, and I think it's confusing to break it
up into separate words.
2020-04-16 17:23:41 +02:00
Zbigniew Jędrzejewski-Szmek 3d58d7328a network: fix static assertion on IPPROTO_MAX range
Builds with recent glibc would fail with:
../src/network/netdev/fou-tunnel.c: In function ‘config_parse_ip_protocol’:
../src/basic/macro.h:380:9: error: static assertion failed: "IPPROTO_MAX-1 <= UINT8_MAX"
  380 |         static_assert(expr, #expr)
      |         ^~~~~~~~~~~~~
../src/network/netdev/fou-tunnel.c:161:9: note: in expansion of macro ‘assert_cc’
  161 |         assert_cc(IPPROTO_MAX-1 <= UINT8_MAX);
      |         ^~~~~~~~~

This is because f9ac84f92f151e07586c55e14ed628d493a5929d (present in
glibc-2.31.9000-9.fc33.x86_64) added IPPROTO_MPTCP=262, following
v5.5-rc5-1002-gfaf391c382 in the kernel.
2020-04-16 17:21:49 +02:00
Ciprian Hacman 3dadb54f5f Support journal-upload HTTPS without key and certificate 2020-04-16 14:05:41 +03:00
3 changed files with 73 additions and 19 deletions


@ -165,7 +165,9 @@
<term><option>--key=</option></term> <term><option>--key=</option></term>
<listitem><para> <listitem><para>
Takes a path to a SSL key file in PEM format. Takes a path to a SSL key file in PEM format, or <option>-</option>.
If <option>-</option> is set, then client certificate authentication checking
will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>. Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
@ -174,7 +176,9 @@
<term><option>--cert=</option></term> <term><option>--cert=</option></term>
<listitem><para> <listitem><para>
Takes a path to a SSL certificate file in PEM format. Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
If <option>-</option> is set, then client certificate authentication checking
will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>. Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
@ -183,9 +187,8 @@
<term><option>--trust=</option></term> <term><option>--trust=</option></term>
<listitem><para> <listitem><para>
Takes a path to a SSL CA certificate file in PEM format, Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
or <option>all</option>. If <option>all</option> is set, If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
then certificate checking will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>


@ -23,6 +23,7 @@
#include "main-func.h" #include "main-func.h"
#include "mkdir.h" #include "mkdir.h"
#include "parse-util.h" #include "parse-util.h"
#include "path-util.h"
#include "pretty-print.h" #include "pretty-print.h"
#include "process-util.h" #include "process-util.h"
#include "rlimit-util.h" #include "rlimit-util.h"
@ -240,14 +241,14 @@ int start_upload(Uploader *u,
"systemd-journal-upload " GIT_VERSION, "systemd-journal-upload " GIT_VERSION,
LOG_WARNING, ); LOG_WARNING, );
if (arg_key || startswith(u->url, "https://")) { if (!streq_ptr(arg_key, "-") && (arg_key || startswith(u->url, "https://"))) {
easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE, easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE,
LOG_ERR, return -EXFULL); LOG_ERR, return -EXFULL);
easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE, easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE,
LOG_ERR, return -EXFULL); LOG_ERR, return -EXFULL);
} }
if (streq_ptr(arg_trust, "all")) if (STRPTR_IN_SET(arg_trust, "-", "all"))
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0, easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
LOG_ERR, return -EUCLEAN); LOG_ERR, return -EUCLEAN);
else if (arg_trust || startswith(u->url, "https://")) else if (arg_trust || startswith(u->url, "https://"))
@ -515,12 +516,52 @@ static int perform_upload(Uploader *u) {
return update_cursor_state(u); return update_cursor_state(u);
} }
static int config_parse_path_or_ignore(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *n = NULL;
bool fatal = ltype;
char **s = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue))
goto finalize;
n = strdup(rvalue);
if (!n)
return log_oom();
if (streq(n, "-"))
goto finalize;
r = path_simplify_and_warn(n, PATH_CHECK_ABSOLUTE | (fatal ? PATH_CHECK_FATAL : 0), unit, filename, line, lvalue);
if (r < 0)
return fatal ? -ENOEXEC : 0;
finalize:
return free_and_replace(*s, n);
}
static int parse_config(void) { static int parse_config(void) {
const ConfigTableItem items[] = { const ConfigTableItem items[] = {
{ "Upload", "URL", config_parse_string, 0, &arg_url }, { "Upload", "URL", config_parse_string, 0, &arg_url },
{ "Upload", "ServerKeyFile", config_parse_path, 0, &arg_key }, { "Upload", "ServerKeyFile", config_parse_path_or_ignore, 0, &arg_key },
{ "Upload", "ServerCertificateFile", config_parse_path, 0, &arg_cert }, { "Upload", "ServerCertificateFile", config_parse_path_or_ignore, 0, &arg_cert },
{ "Upload", "TrustedCertificateFile", config_parse_path, 0, &arg_trust }, { "Upload", "TrustedCertificateFile", config_parse_path_or_ignore, 0, &arg_trust },
{}}; {}};
return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf", return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",
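Review bot: The new guard in start_upload only tests arg_key for "-", yet the man page in this same change says `--cert=-` also disables client-certificate authentication; with `--cert=-` and no `--key=` the block is still entered and the literal string "-" is passed to curl as CURLOPT_SSLCERT, which will fail the TLS setup instead of disabling the client certificate. The condition should cover both options, e.g. `if (!streq_ptr(arg_key, "-") && !streq_ptr(arg_cert, "-") && (arg_key || startswith(u->url, "https://"))) {`. Separately, config_parse_path_or_ignore accepts "-" for all three keys without distinguishing them, so a stray `TrustedCertificateFile=-` now silently sets CURLOPT_SSL_VERIFYPEER to 0; a `log_warning("Server certificate verification disabled by TrustedCertificateFile=%s", arg_trust);` in that branch would make the downgrade visible in the journal. start_upload's body begins before the hunk and parse_config continues past it.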


@ -149,7 +149,10 @@ int config_parse_ip_protocol(
void *data, void *data,
void *userdata) { void *userdata) {
uint8_t *protocol = data; uint8_t *ret = data;
unsigned protocol;
/* linux/fou.h defines the netlink field as one byte, so we need to reject protocols numbers that
* don't fit in one byte. */
int r; int r;
assert(filename); assert(filename);
@ -158,19 +161,26 @@ int config_parse_ip_protocol(
assert(rvalue); assert(rvalue);
assert(data); assert(data);
assert_cc(IPPROTO_MAX-1 <= UINT8_MAX);
r = parse_ip_protocol(rvalue); r = parse_ip_protocol(rvalue);
if (r < 0) { if (r >= 0)
r = safe_atou8(rvalue, protocol); protocol = r;
else {
r = safe_atou(rvalue, &protocol);
if (r < 0) if (r < 0)
log_syntax(unit, LOG_ERR, filename, line, r, log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to parse IP protocol '%s' for Foo over UDP tunnel, " "Failed to parse IP protocol '%s' for FooOverUDP tunnel, "
"ignoring assignment: %m", rvalue); "ignoring assignment: %m", rvalue);
return 0; return 0;
} }
*protocol = r; if (protocol > UINT8_MAX) {
log_syntax(unit, LOG_ERR, filename, line, 0,
"IP protocol '%s' for FooOverUDP tunnel out of range, "
"ignoring assignment: %m", rvalue);
return 0;
}
*ret = protocol;
return 0; return 0;
} }
@ -203,7 +213,7 @@ int config_parse_fou_tunnel_address(
r = in_addr_from_string_auto(rvalue, f, addr); r = in_addr_from_string_auto(rvalue, f, addr);
if (r < 0) if (r < 0)
log_syntax(unit, LOG_ERR, filename, line, r, log_syntax(unit, LOG_ERR, filename, line, r,
"Foo over UDP tunnel '%s' address is invalid, ignoring assignment: %s", "FooOverUDP tunnel '%s' address is invalid, ignoring assignment: %s",
lvalue, rvalue); lvalue, rvalue);
return 0; return 0;
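Review bot: The new out-of-range branch in config_parse_ip_protocol passes error 0 to log_syntax while its format string still ends in `: %m`, so the message will be suffixed with whatever errno text is current ("Success" or a stale error) rather than a reason; drop the `%m` and state the limit instead, e.g. `"IP protocol '%s' for FooOverUDP tunnel out of range (must be <= 255), ignoring assignment.", rvalue`. With the static assertion gone, the only thing tying 255 to the netlink field size is the comment placed between the declarations; moving that comment next to the `protocol > UINT8_MAX` check keeps the rationale beside the check it justifies. config_parse_ip_protocol's signature starts above the first hunk, and config_parse_fou_tunnel_address's body begins before the last one.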