diff options
author | Lennart Poettering <lennart@poettering.net> | 2012-08-18 00:38:57 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2012-08-18 00:38:57 +0200 |
commit | c586dbf110abdbf0317bdd0f0a5900d709194409 (patch) | |
tree | 4f3d28392f34e9a76e259eb7cc96d5561204ddca /src/journal | |
parent | db11ac1ab56bc13514a029e7d126c5efe2c68bc2 (diff) |
journal: fix verification without key
Diffstat (limited to 'src/journal')
-rw-r--r-- | src/journal/journal-file.c | 6 | ||||
-rw-r--r-- | src/journal/journal-verify.c | 88 |
2 files changed, 51 insertions, 43 deletions
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c index 3cf28a7f3c..e04ffd0452 100644 --- a/src/journal/journal-file.c +++ b/src/journal/journal-file.c @@ -65,7 +65,7 @@ void journal_file_close(JournalFile *f) { assert(f); /* Write the final tag */ - if (f->seal) + if (f->seal && f->writable) journal_file_append_tag(f); /* Sync everything to disk, before we mark the file offline */ @@ -252,7 +252,9 @@ static int journal_file_verify_header(JournalFile *f) { } f->compress = !!(le32toh(f->header->incompatible_flags) & HEADER_INCOMPATIBLE_COMPRESSED); - f->seal = !!(le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_SEALED); + + if (f->writable) + f->seal = !!(le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_SEALED); return 0; } diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c index 7be0d2e5d7..39cf3a3313 100644 --- a/src/journal/journal-verify.c +++ b/src/journal/journal-verify.c @@ -696,7 +696,8 @@ int journal_file_verify( log_error("Failed to parse seed."); return r; } - } + } else if (f->seal) + return -ENOKEY; data_fd = mkostemp(data_path, O_CLOEXEC); if (data_fd < 0) { @@ -904,60 +905,65 @@ int journal_file_verify( goto fail; } - rt = (o->tag.epoch + 1) * f->fss_interval_usec + f->fss_start_usec; - if (entry_realtime_set && entry_realtime >= rt) { - log_error("Tag/entry realtime timestamp out of synchronization at %llu", (unsigned long long) p); - r = -EBADMSG; - goto fail; - } - - /* OK, now we know the epoch. So let's now set - * it, and calculate the HMAC for everything - * since the last tag. */ - r = journal_file_fsprg_seek(f, le64toh(o->tag.epoch)); - if (r < 0) - goto fail; + if (f->seal) { + log_debug("Checking tag %llu..", (unsigned long long) le64toh(o->tag.seqnum)); - r = journal_file_hmac_start(f); - if (r < 0) - goto fail; + rt = (o->tag.epoch + 1) * f->fss_interval_usec + f->fss_start_usec; + if (entry_realtime_set && entry_realtime >= rt) { + log_error("Tag/entry realtime timestamp out of synchronization at %llu", (unsigned long long) p); + r = -EBADMSG; + goto fail; + } - if (last_tag == 0) { - r = journal_file_hmac_put_header(f); + /* OK, now we know the epoch. So let's now set + * it, and calculate the HMAC for everything + * since the last tag. */ + r = journal_file_fsprg_seek(f, le64toh(o->tag.epoch)); if (r < 0) goto fail; - q = le64toh(f->header->header_size); - } else - q = last_tag; - - while (q <= p) { - r = journal_file_move_to_object(f, -1, q, &o); + r = journal_file_hmac_start(f); if (r < 0) goto fail; - r = journal_file_hmac_put_object(f, -1, q); + if (last_tag == 0) { + r = journal_file_hmac_put_header(f); + if (r < 0) + goto fail; + + q = le64toh(f->header->header_size); + } else + q = last_tag; + + while (q <= p) { + r = journal_file_move_to_object(f, -1, q, &o); + if (r < 0) + goto fail; + + r = journal_file_hmac_put_object(f, -1, q); + if (r < 0) + goto fail; + + q = q + ALIGN64(le64toh(o->object.size)); + } + + /* Position might have changed, let's reposition things */ + r = journal_file_move_to_object(f, -1, p, &o); if (r < 0) goto fail; - q = q + ALIGN64(le64toh(o->object.size)); - } - - /* Position might have changed, let's reposition things */ - r = journal_file_move_to_object(f, -1, p, &o); - if (r < 0) - goto fail; + if (memcmp(o->tag.tag, gcry_md_read(f->hmac, 0), TAG_LENGTH) != 0) { + log_error("Tag failed verification at %llu", (unsigned long long) p); + r = -EBADMSG; + goto fail; + } - if (memcmp(o->tag.tag, gcry_md_read(f->hmac, 0), TAG_LENGTH) != 0) { - log_error("Tag failed verification at %llu", (unsigned long long) p); - r = -EBADMSG; - goto fail; + f->hmac_running = false; + last_tag_realtime = rt; } - f->hmac_running = false; - last_tag = p + ALIGN64(le64toh(o->object.size)); - last_tag_realtime = rt; + last_epoch = le64toh(o->tag.epoch); n_tags ++; break; @@ -1087,7 +1093,7 @@ int journal_file_verify( close_nointr_nofail(entry_array_fd); if (first_validated) - *first_validated = le64toh(f->header->head_entry_realtime); + *first_validated = last_tag_realtime ? le64toh(f->header->head_entry_realtime) : 0; if (last_validated) *last_validated = last_tag_realtime; if (last_contained) |