From: Ciprian Hacman Date: Mon, 6 Apr 2020 12:44:15 +0000 (+0300) Subject: Support journal-upload HTTPS without key and certificate X-Git-Tag: v246-rc1~574^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3dadb54f5f9efc781047b071471981ecf7194c1a;p=thirdparty%2Fsystemd.git Support journal-upload HTTPS without key and certificate --- diff --git a/man/systemd-journal-upload.service.xml b/man/systemd-journal-upload.service.xml index 1b8b0be6770..a073a37a295 100644 --- a/man/systemd-journal-upload.service.xml +++ b/man/systemd-journal-upload.service.xml @@ -165,7 +165,9 @@ - Takes a path to a SSL key file in PEM format. + Takes a path to a SSL key file in PEM format, or . + If is set, then client certificate authentication checking + will be disabled. Defaults to &CERTIFICATE_ROOT;/private/journal-upload.pem. @@ -174,7 +176,9 @@ - Takes a path to a SSL certificate file in PEM format. + Takes a path to a SSL certificate file in PEM format, or . + If is set, then client certificate authentication checking + will be disabled. Defaults to &CERTIFICATE_ROOT;/certs/journal-upload.pem. @@ -183,9 +187,8 @@ - Takes a path to a SSL CA certificate file in PEM format, - or . If is set, - then certificate checking will be disabled. + Takes a path to a SSL CA certificate file in PEM format, or /. + If / is set, then certificate checking will be disabled. Defaults to &CERTIFICATE_ROOT;/ca/trusted.pem. diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c index 031e82587d9..2f9585df564 100644 --- a/src/journal-remote/journal-upload.c +++ b/src/journal-remote/journal-upload.c @@ -23,6 +23,7 @@ #include "main-func.h" #include "mkdir.h" #include "parse-util.h" +#include "path-util.h" #include "pretty-print.h" #include "process-util.h" #include "rlimit-util.h" @@ -240,14 +241,14 @@ int start_upload(Uploader *u, "systemd-journal-upload " GIT_VERSION, LOG_WARNING, ); - if (arg_key || startswith(u->url, "https://")) { + if (!streq_ptr(arg_key, "-") && (arg_key || startswith(u->url, "https://"))) { easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE, LOG_ERR, return -EXFULL); easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE, LOG_ERR, return -EXFULL); } - if (streq_ptr(arg_trust, "all")) + if (STRPTR_IN_SET(arg_trust, "-", "all")) easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0, LOG_ERR, return -EUCLEAN); else if (arg_trust || startswith(u->url, "https://")) @@ -515,12 +516,52 @@ static int perform_upload(Uploader *u) { return update_cursor_state(u); } +static int config_parse_path_or_ignore( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + _cleanup_free_ char *n = NULL; + bool fatal = ltype; + char **s = data; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + if (isempty(rvalue)) + goto finalize; + + n = strdup(rvalue); + if (!n) + return log_oom(); + + if (streq(n, "-")) + goto finalize; + + r = path_simplify_and_warn(n, PATH_CHECK_ABSOLUTE | (fatal ? PATH_CHECK_FATAL : 0), unit, filename, line, lvalue); + if (r < 0) + return fatal ? -ENOEXEC : 0; + +finalize: + return free_and_replace(*s, n); +} + static int parse_config(void) { const ConfigTableItem items[] = { - { "Upload", "URL", config_parse_string, 0, &arg_url }, - { "Upload", "ServerKeyFile", config_parse_path, 0, &arg_key }, - { "Upload", "ServerCertificateFile", config_parse_path, 0, &arg_cert }, - { "Upload", "TrustedCertificateFile", config_parse_path, 0, &arg_trust }, + { "Upload", "URL", config_parse_string, 0, &arg_url }, + { "Upload", "ServerKeyFile", config_parse_path_or_ignore, 0, &arg_key }, + { "Upload", "ServerCertificateFile", config_parse_path_or_ignore, 0, &arg_cert }, + { "Upload", "TrustedCertificateFile", config_parse_path_or_ignore, 0, &arg_trust }, {}}; return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",