summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/journal/journal-authenticate.c6
-rw-r--r--src/journal/journal-authenticate.h5
-rw-r--r--src/journal/journalctl.c95
3 files changed, 65 insertions, 41 deletions
diff --git a/src/journal/journal-authenticate.c b/src/journal/journal-authenticate.c
index 827e4e4fb9..5a0314b4f6 100644
--- a/src/journal/journal-authenticate.c
+++ b/src/journal/journal-authenticate.c
@@ -432,3 +432,9 @@ int journal_file_append_first_tag(JournalFile *f) {
return 0;
}
+
+bool journal_file_fsprg_enabled(JournalFile *f) {
+ assert(f);
+
+ return !!(le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_AUTHENTICATED);
+}
diff --git a/src/journal/journal-authenticate.h b/src/journal/journal-authenticate.h
index c991b22e4a..566d7a81a9 100644
--- a/src/journal/journal-authenticate.h
+++ b/src/journal/journal-authenticate.h
@@ -21,6 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <inttypes.h>
+
#include "journal-file.h"
int journal_file_append_tag(JournalFile *f);
@@ -33,3 +36,5 @@ int journal_file_hmac_put_object(JournalFile *f, int type, uint64_t p);
int journal_file_load_fsprg(JournalFile *f);
int journal_file_setup_hmac(JournalFile *f);
+
+bool journal_file_fsprg_enabled(JournalFile *f);
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index a70de0684e..3d274c8eb5 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -41,9 +41,10 @@
#include "logs-show.h"
#include "strv.h"
#include "journal-internal.h"
-#include "fsprg.h"
#include "journal-def.h"
#include "journal-verify.h"
+#include "journal-authenticate.h"
+#include "fsprg.h"
#define DEFAULT_FSPRG_INTERVAL_USEC (15*USEC_PER_MINUTE)
@@ -58,6 +59,7 @@ static bool arg_local = false;
static bool arg_this_boot = false;
static const char *arg_directory = NULL;
static int arg_priorities = 0xFF;
+static const char *arg_verify_seed = NULL;
static enum {
ACTION_SHOW,
@@ -71,25 +73,26 @@ static int help(void) {
printf("%s [OPTIONS...] [MATCH]\n\n"
"Send control commands to or query the journal.\n\n"
- " -h --help Show this help\n"
- " --version Show package version\n"
- " --no-pager Do not pipe output into a pager\n"
- " -a --all Show all fields, including long and unprintable\n"
- " -f --follow Follow journal\n"
- " -n --lines=INTEGER Journal entries to show\n"
- " --no-tail Show all lines, even in follow mode\n"
- " -o --output=STRING Change journal output mode (short, short-monotonic,\n"
- " verbose, export, json, cat)\n"
- " -q --quiet Don't show privilege warning\n"
- " -l --local Only local entries\n"
- " -b --this-boot Show data only from current boot\n"
- " -D --directory=PATH Show journal files from directory\n"
- " -p --priority=RANGE Show only messages within the specified priority range\n\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " --no-pager Do not pipe output into a pager\n"
+ " -a --all Show all fields, including long and unprintable\n"
+ " -f --follow Follow journal\n"
+ " -n --lines=INTEGER Journal entries to show\n"
+ " --no-tail Show all lines, even in follow mode\n"
+ " -o --output=STRING Change journal output mode (short, short-monotonic,\n"
+ " verbose, export, json, cat)\n"
+ " -q --quiet Don't show privilege warning\n"
+ " -l --local Only local entries\n"
+ " -b --this-boot Show data only from current boot\n"
+ " -D --directory=PATH Show journal files from directory\n"
+ " -p --priority=RANGE Show only messages within the specified priority range\n\n"
"Commands:\n"
- " --new-id128 Generate a new 128 Bit ID\n"
- " --header Show journal header information\n"
- " --setup-keys Generate new FSPRG key pair\n"
- " --verify Verify journal file consistency\n",
+ " --new-id128 Generate a new 128 Bit ID\n"
+ " --header Show journal header information\n"
+ " --verify Verify journal file consistency\n"
+ " --verify-seed=SEED Specify FSPRG seed for verification\n"
+ " --setup-keys Generate new FSPRG key and seed\n",
program_invocation_short_name);
return 0;
@@ -104,28 +107,30 @@ static int parse_argv(int argc, char *argv[]) {
ARG_NEW_ID128,
ARG_HEADER,
ARG_SETUP_KEYS,
- ARG_VERIFY
+ ARG_VERIFY,
+ ARG_VERIFY_SEED
};
static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version" , no_argument, NULL, ARG_VERSION },
- { "no-pager", no_argument, NULL, ARG_NO_PAGER },
- { "follow", no_argument, NULL, 'f' },
- { "output", required_argument, NULL, 'o' },
- { "all", no_argument, NULL, 'a' },
- { "lines", required_argument, NULL, 'n' },
- { "no-tail", no_argument, NULL, ARG_NO_TAIL },
- { "new-id128", no_argument, NULL, ARG_NEW_ID128 },
- { "quiet", no_argument, NULL, 'q' },
- { "local", no_argument, NULL, 'l' },
- { "this-boot", no_argument, NULL, 'b' },
- { "directory", required_argument, NULL, 'D' },
- { "header", no_argument, NULL, ARG_HEADER },
- { "priority", no_argument, NULL, 'p' },
- { "setup-keys",no_argument, NULL, ARG_SETUP_KEYS},
- { "verify", no_argument, NULL, ARG_VERIFY },
- { NULL, 0, NULL, 0 }
+ { "help", no_argument, NULL, 'h' },
+ { "version" , no_argument, NULL, ARG_VERSION },
+ { "no-pager", no_argument, NULL, ARG_NO_PAGER },
+ { "follow", no_argument, NULL, 'f' },
+ { "output", required_argument, NULL, 'o' },
+ { "all", no_argument, NULL, 'a' },
+ { "lines", required_argument, NULL, 'n' },
+ { "no-tail", no_argument, NULL, ARG_NO_TAIL },
+ { "new-id128", no_argument, NULL, ARG_NEW_ID128 },
+ { "quiet", no_argument, NULL, 'q' },
+ { "local", no_argument, NULL, 'l' },
+ { "this-boot", no_argument, NULL, 'b' },
+ { "directory", required_argument, NULL, 'D' },
+ { "header", no_argument, NULL, ARG_HEADER },
+ { "priority", no_argument, NULL, 'p' },
+ { "setup-keys", no_argument, NULL, ARG_SETUP_KEYS },
+ { "verify", no_argument, NULL, ARG_VERIFY },
+ { "verify-seed", required_argument, NULL, ARG_VERIFY_SEED },
+ { NULL, 0, NULL, 0 }
};
int c, r;
@@ -212,6 +217,11 @@ static int parse_argv(int argc, char *argv[]) {
arg_action = ACTION_VERIFY;
break;
+ case ARG_VERIFY_SEED:
+ arg_action = ACTION_VERIFY;
+ arg_verify_seed = optarg;
+ break;
+
case 'p': {
const char *dots;
@@ -541,8 +551,8 @@ static int setup_keys(void) {
fprintf(stderr,
"\n"
"The new key pair has been generated. The evolving key has been written to the\n"
- "following file. It will be used to protect local journal files. This file does\n"
- "not need to be kept secret. It should not be used on multiple hosts.\n"
+ "following file. It will be used to protect local journal files. This file\n"
+ "should be kept secret. It should not be used on multiple hosts.\n"
"\n"
"\t%s\n"
"\n"
@@ -591,7 +601,10 @@ static int verify(sd_journal *j) {
HASHMAP_FOREACH(f, j->files, i) {
int k;
- k = journal_file_verify(f, NULL);
+ if (!arg_verify_seed && journal_file_fsprg_enabled(f))
+ log_warning("Journal file %s has authentication enabled but verification seed has not been passed using --verify-seed=.", f->path);
+
+ k = journal_file_verify(f, arg_verify_seed);
if (k < 0) {
log_warning("FAIL: %s (%s)", f->path, strerror(-k));
r = -r;