From 0284adc6a60ce0af1107cb0b50041a65d731f39e Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 16 Aug 2012 01:51:54 +0200 Subject: journal: split up journal-file.c --- src/journal/journal-verify.h | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 src/journal/journal-verify.h (limited to 'src/journal/journal-verify.h') diff --git a/src/journal/journal-verify.h b/src/journal/journal-verify.h new file mode 100644 index 0000000000..3ebdd5e7f2 --- /dev/null +++ b/src/journal/journal-verify.h @@ -0,0 +1,26 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#pragma once + +/*** + This file is part of systemd. + + Copyright 2011 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see . +***/ + +#include "journal-file.h" + +int journal_file_verify(JournalFile *f, const char *key); -- cgit v1.2.3-54-g00ecf From 6c7be122acd666d4e93541179d89747aa12efb67 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 17 Aug 2012 03:30:22 +0200 Subject: journal: after verification output validated time range --- src/journal/journal-verify.c | 28 ++++++++++++++++++++++------ src/journal/journal-verify.h | 2 +- src/journal/journalctl.c | 13 +++++++++++-- src/journal/test-journal-verify.c | 12 +++++++++++- 4 files changed, 45 insertions(+), 10 deletions(-) (limited to 'src/journal/journal-verify.h') diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c index 598fc9bead..f9a930e42e 100644 --- a/src/journal/journal-verify.c +++ b/src/journal/journal-verify.c @@ -36,8 +36,6 @@ /* FIXME: * * - write bit mucking test - * - tag timestamps should be between entry timestamps - * - output validated time ranges * - evolve key even if nothing happened in regular intervals * * - Allow building without libgcrypt @@ -652,7 +650,10 @@ static int journal_file_parse_verification_key(JournalFile *f, const char *key) return 0; } -int journal_file_verify(JournalFile *f, const char *key) { +int journal_file_verify( + JournalFile *f, + const char *key, + usec_t *first_validated, usec_t *last_validated, usec_t *last_contained) { int r; Object *o; uint64_t p = 0, last_tag = 0, last_epoch = 0, last_tag_realtime = 0; @@ -749,6 +750,12 @@ int journal_file_verify(JournalFile *f, const char *key) { break; case OBJECT_ENTRY: + if ((le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_SEALED) && n_tags <= 0) { + log_error("First entry before first tag at %llu", (unsigned long long) p); + r = -EBADMSG; + goto fail; + } + r = write_uint64(entry_fd, p); if (r < 0) goto fail; @@ -854,7 +861,7 @@ int journal_file_verify(JournalFile *f, const char *key) { break; case OBJECT_TAG: { - uint64_t q; + uint64_t q, rt; if (!(le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_SEALED)) { log_error("Tag object in file without sealing at %llu", (unsigned long long) p); @@ -876,8 +883,8 @@ int journal_file_verify(JournalFile *f, const char *key) { goto fail; } - last_tag_realtime = (o->tag.epoch + 1) * f->fss_interval_usec + f->fss_start_usec; - if (entry_realtime_set && entry_realtime >= last_tag_realtime) { + rt = (o->tag.epoch + 1) * f->fss_interval_usec + f->fss_start_usec; + if (entry_realtime_set && entry_realtime >= rt) { log_error("Tag/entry realtime timestamp out of synchronization at %llu", (unsigned long long) p); r = -EBADMSG; goto fail; @@ -929,6 +936,8 @@ int journal_file_verify(JournalFile *f, const char *key) { f->hmac_running = false; last_tag = p + ALIGN64(le64toh(o->object.size)); + last_tag_realtime = rt; + n_tags ++; break; } @@ -1056,6 +1065,13 @@ int journal_file_verify(JournalFile *f, const char *key) { close_nointr_nofail(entry_fd); close_nointr_nofail(entry_array_fd); + if (first_validated) + *first_validated = le64toh(f->header->head_entry_realtime); + if (last_validated) + *last_validated = last_tag_realtime; + if (last_contained) + *last_contained = le64toh(f->header->tail_entry_realtime); + return 0; fail: diff --git a/src/journal/journal-verify.h b/src/journal/journal-verify.h index 3ebdd5e7f2..e4449c6ad7 100644 --- a/src/journal/journal-verify.h +++ b/src/journal/journal-verify.h @@ -23,4 +23,4 @@ #include "journal-file.h" -int journal_file_verify(JournalFile *f, const char *key); +int journal_file_verify(JournalFile *f, const char *key, usec_t *first_validated, usec_t *last_validated, usec_t *last_contained); diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index 0df8ce57fd..5c21ab0adf 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c @@ -618,21 +618,30 @@ static int verify(sd_journal *j) { HASHMAP_FOREACH(f, j->files, i) { int k; + usec_t from, to, total; #ifdef HAVE_GCRYPT if (!arg_verify_key && journal_file_fss_enabled(f)) log_warning("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path); #endif - k = journal_file_verify(f, arg_verify_key); + k = journal_file_verify(f, arg_verify_key, &from, &to, &total); if (k == -EINVAL) { /* If the key was invalid give up right-away. */ return k; } else if (k < 0) { log_warning("FAIL: %s (%s)", f->path, strerror(-k)); r = k; - } else + } else { + char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX], c[FORMAT_TIMESPAN_MAX]; log_info("PASS: %s", f->path); + + if (journal_file_fss_enabled(f)) + log_info("=> Validated from %s to %s, %s missing", + format_timestamp(a, sizeof(a), from), + format_timestamp(b, sizeof(b), to), + format_timespan(c, sizeof(c), total > to ? total - to : 0)); + } } return r; diff --git a/src/journal/test-journal-verify.c b/src/journal/test-journal-verify.c index 9a99bcba4b..df0a5ddef9 100644 --- a/src/journal/test-journal-verify.c +++ b/src/journal/test-journal-verify.c @@ -36,6 +36,10 @@ int main(int argc, char *argv[]) { unsigned n; JournalFile *f; const char *verification_key = argv[1]; + usec_t from, to, total; + char a[FORMAT_TIMESTAMP_MAX]; + char b[FORMAT_TIMESTAMP_MAX]; + char c[FORMAT_TIMESPAN_MAX]; log_set_max_level(LOG_DEBUG); @@ -71,7 +75,13 @@ int main(int argc, char *argv[]) { journal_file_print_header(f); - assert_se(journal_file_verify(f, verification_key) >= 0); + assert_se(journal_file_verify(f, verification_key, &from, &to, &total) >= 0); + + log_info("=> Validated from %s to %s, %s missing", + format_timestamp(a, sizeof(a), from), + format_timestamp(b, sizeof(b), to), + format_timespan(c, sizeof(c), total > to ? total - to : 0)); + journal_file_close(f); log_info("Exiting..."); -- cgit v1.2.3-54-g00ecf From b72631e59c1b9f62bcfaf1ce3f7e72e4a3beee89 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Sat, 18 Aug 2012 00:40:03 +0200 Subject: jounral: write bit fiddling test This test goes through every single bit in a journal file, toggles it, and checks if this change is detected by the verification. --- src/journal/journal-verify.c | 32 +++++++++++------- src/journal/journal-verify.h | 2 +- src/journal/journalctl.c | 4 +-- src/journal/test-journal-verify.c | 71 ++++++++++++++++++++++++++++++++++----- 4 files changed, 85 insertions(+), 24 deletions(-) (limited to 'src/journal/journal-verify.h') diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c index 39cf3a3313..f66b23556b 100644 --- a/src/journal/journal-verify.c +++ b/src/journal/journal-verify.c @@ -394,7 +394,8 @@ static int verify_hash_table( int data_fd, uint64_t n_data, int entry_fd, uint64_t n_entries, int entry_array_fd, uint64_t n_entry_arrays, - usec_t *last_usec) { + usec_t *last_usec, + bool show_progress) { uint64_t i, n; int r; @@ -409,7 +410,8 @@ static int verify_hash_table( for (i = 0; i < n; i++) { uint64_t last = 0, p; - draw_progress(0xC000 + (0x3FFF * i / n), last_usec); + if (show_progress) + draw_progress(0xC000 + (0x3FFF * i / n), last_usec); p = le64toh(f->data_hash_table[i].head_hash_offset); while (p != 0) { @@ -535,7 +537,8 @@ static int verify_entry_array( int data_fd, uint64_t n_data, int entry_fd, uint64_t n_entries, int entry_array_fd, uint64_t n_entry_arrays, - usec_t *last_usec) { + usec_t *last_usec, + bool show_progress) { uint64_t i = 0, a, n, last = 0; int r; @@ -552,7 +555,8 @@ static int verify_entry_array( uint64_t next, m, j; Object *o; - draw_progress(0x8000 + (0x3FFF * i / n), last_usec); + if (show_progress) + draw_progress(0x8000 + (0x3FFF * i / n), last_usec); if (a == 0) { log_error("Array chain too short at %llu of %llu", @@ -674,7 +678,8 @@ static int journal_file_parse_verification_key(JournalFile *f, const char *key) int journal_file_verify( JournalFile *f, const char *key, - usec_t *first_validated, usec_t *last_validated, usec_t *last_contained) { + usec_t *first_validated, usec_t *last_validated, usec_t *last_contained, + bool show_progress) { int r; Object *o; uint64_t p = 0, last_tag = 0, last_epoch = 0, last_tag_realtime = 0; @@ -728,7 +733,8 @@ int journal_file_verify( p = le64toh(f->header->header_size); while (p != 0) { - draw_progress(0x7FFF * p / le64toh(f->header->tail_object_offset), &last_usec); + if (show_progress) + draw_progress(0x7FFF * p / le64toh(f->header->tail_object_offset), &last_usec); r = journal_file_move_to_object(f, -1, p, &o); if (r < 0) { @@ -891,8 +897,6 @@ int journal_file_verify( goto fail; } - log_debug("Checking tag %llu..", (unsigned long long) le64toh(o->tag.seqnum)); - if (le64toh(o->tag.seqnum) != n_tags + 1) { log_error("Tag sequence number out of synchronization at %llu", (unsigned long long) p); r = -EBADMSG; @@ -1070,7 +1074,8 @@ int journal_file_verify( data_fd, n_data, entry_fd, n_entries, entry_array_fd, n_entry_arrays, - &last_usec); + &last_usec, + show_progress); if (r < 0) goto fail; @@ -1078,11 +1083,13 @@ int journal_file_verify( data_fd, n_data, entry_fd, n_entries, entry_array_fd, n_entry_arrays, - &last_usec); + &last_usec, + show_progress); if (r < 0) goto fail; - flush_progress(); + if (show_progress) + flush_progress(); mmap_cache_close_fd(f->mmap, data_fd); mmap_cache_close_fd(f->mmap, entry_fd); @@ -1102,7 +1109,8 @@ int journal_file_verify( return 0; fail: - flush_progress(); + if (show_progress) + flush_progress(); log_error("File corruption detected at %s:%llu (of %llu, %llu%%).", f->path, diff --git a/src/journal/journal-verify.h b/src/journal/journal-verify.h index e4449c6ad7..a4633adea9 100644 --- a/src/journal/journal-verify.h +++ b/src/journal/journal-verify.h @@ -23,4 +23,4 @@ #include "journal-file.h" -int journal_file_verify(JournalFile *f, const char *key, usec_t *first_validated, usec_t *last_validated, usec_t *last_contained); +int journal_file_verify(JournalFile *f, const char *key, usec_t *first_validated, usec_t *last_validated, usec_t *last_contained, bool show_progress); diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index 25f41f6322..ba678a289f 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c @@ -637,7 +637,7 @@ static int verify(sd_journal *j) { log_warning("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path); #endif - k = journal_file_verify(f, arg_verify_key, &from, &to, &total); + k = journal_file_verify(f, arg_verify_key, &from, &to, &total, true); if (k == -EINVAL) { /* If the key was invalid give up right-away. */ return k; @@ -648,7 +648,7 @@ static int verify(sd_journal *j) { char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX], c[FORMAT_TIMESPAN_MAX]; log_info("PASS: %s", f->path); - if (journal_file_fss_enabled(f)) + if (arg_verify_key && journal_file_fss_enabled(f)) log_info("=> Validated from %s to %s, %s missing", format_timestamp(a, sizeof(a), from), format_timestamp(b, sizeof(b), to), diff --git a/src/journal/test-journal-verify.c b/src/journal/test-journal-verify.c index df0a5ddef9..4e6c119b6d 100644 --- a/src/journal/test-journal-verify.c +++ b/src/journal/test-journal-verify.c @@ -27,19 +27,55 @@ #include "log.h" #include "journal-file.h" #include "journal-verify.h" +#include "journal-authenticate.h" #define N_ENTRIES 6000 #define RANDOM_RANGE 77 +static void bit_toggle(const char *fn, uint64_t p) { + uint8_t b; + ssize_t r; + int fd; + + fd = open(fn, O_RDWR|O_CLOEXEC); + assert(fd >= 0); + + r = pread(fd, &b, 1, p/8); + assert(r == 1); + + b ^= 1 << (p % 8); + + r = pwrite(fd, &b, 1, p/8); + assert(r == 1); + + close_nointr_nofail(fd); +} + +static int raw_verify(const char *fn, const char *verification_key) { + JournalFile *f; + int r; + + r = journal_file_open(fn, O_RDONLY, 0666, true, true, NULL, NULL, NULL, &f); + if (r < 0) + return r; + + r = journal_file_verify(f, verification_key, NULL, NULL, NULL, false); + journal_file_close(f); + + return r; +} + int main(int argc, char *argv[]) { char t[] = "/tmp/journal-XXXXXX"; unsigned n; JournalFile *f; const char *verification_key = argv[1]; - usec_t from, to, total; + usec_t from = 0, to = 0, total = 0; char a[FORMAT_TIMESTAMP_MAX]; char b[FORMAT_TIMESTAMP_MAX]; char c[FORMAT_TIMESPAN_MAX]; + struct stat st; + uint64_t p; log_set_max_level(LOG_DEBUG); @@ -71,19 +107,36 @@ int main(int argc, char *argv[]) { log_info("Verifying..."); - assert_se(journal_file_open("test.journal", O_RDONLY, 0666, false, false, NULL, NULL, NULL, &f) == 0); - + assert_se(journal_file_open("test.journal", O_RDONLY, 0666, true, true, NULL, NULL, NULL, &f) == 0); journal_file_print_header(f); - assert_se(journal_file_verify(f, verification_key, &from, &to, &total) >= 0); - - log_info("=> Validated from %s to %s, %s missing", - format_timestamp(a, sizeof(a), from), - format_timestamp(b, sizeof(b), to), - format_timespan(c, sizeof(c), total > to ? total - to : 0)); + assert_se(journal_file_verify(f, verification_key, &from, &to, &total, true) >= 0); + if (verification_key && journal_file_fss_enabled(f)) { + log_info("=> Validated from %s to %s, %s missing", + format_timestamp(a, sizeof(a), from), + format_timestamp(b, sizeof(b), to), + format_timespan(c, sizeof(c), total > to ? total - to : 0)); + } journal_file_close(f); + log_info("Toggling bits..."); + + assert_se(stat("test.journal", &st) >= 0); + + for (p = 240*8; p < ((uint64_t) st.st_size * 8); p ++) { + bit_toggle("test.journal", p); + + log_info("[ %llu+%llu]", (unsigned long long) p / 8, (unsigned long long) p % 8); + + if (raw_verify("test.journal", verification_key) >= 0) { + log_notice(ANSI_HIGHLIGHT_RED_ON ">>>> %llu (bit %llu) can be toggled without detection." ANSI_HIGHLIGHT_OFF, (unsigned long long) p / 8, (unsigned long long) p % 8); + sleep(1); + } + + bit_toggle("test.journal", p); + } + log_info("Exiting..."); assert_se(rm_rf_dangerous(t, false, true, false) >= 0); -- cgit v1.2.3-54-g00ecf From 2a7b539a82a45202c0e990c45da25ccdc487d633 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 24 Sep 2012 15:02:43 +0200 Subject: journald: always pass first entry timestamp back from journal_file_verify() --- src/journal/journal-verify.c | 6 +++--- src/journal/journal-verify.h | 2 +- src/journal/journalctl.c | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) (limited to 'src/journal/journal-verify.h') diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c index 629b2389bc..7d2e5eb1c2 100644 --- a/src/journal/journal-verify.c +++ b/src/journal/journal-verify.c @@ -666,7 +666,7 @@ static int verify_entry_array( int journal_file_verify( JournalFile *f, const char *key, - usec_t *first_validated, usec_t *last_validated, usec_t *last_contained, + usec_t *first_contained, usec_t *last_validated, usec_t *last_contained, bool show_progress) { int r; Object *o; @@ -1121,8 +1121,8 @@ int journal_file_verify( close_nointr_nofail(entry_fd); close_nointr_nofail(entry_array_fd); - if (first_validated) - *first_validated = last_sealed_realtime > 0 ? le64toh(f->header->head_entry_realtime) : 0; + if (first_contained) + *first_contained = le64toh(f->header->head_entry_realtime); if (last_validated) *last_validated = last_sealed_realtime; if (last_contained) diff --git a/src/journal/journal-verify.h b/src/journal/journal-verify.h index a4633adea9..e392ab61d7 100644 --- a/src/journal/journal-verify.h +++ b/src/journal/journal-verify.h @@ -23,4 +23,4 @@ #include "journal-file.h" -int journal_file_verify(JournalFile *f, const char *key, usec_t *first_validated, usec_t *last_validated, usec_t *last_contained, bool show_progress); +int journal_file_verify(JournalFile *f, const char *key, usec_t *first_contained, usec_t *last_validated, usec_t *last_contained, bool show_progress); diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index b9be0c6ef7..62bdcb7c68 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c @@ -684,14 +684,14 @@ static int verify(sd_journal *j) { HASHMAP_FOREACH(f, j->files, i) { int k; - usec_t from, to, total; + usec_t first, validated, last; #ifdef HAVE_GCRYPT if (!arg_verify_key && JOURNAL_HEADER_SEALED(f->header)) log_notice("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path); #endif - k = journal_file_verify(f, arg_verify_key, &from, &to, &total, true); + k = journal_file_verify(f, arg_verify_key, &first, &validated, &last, true); if (k == -EINVAL) { /* If the key was invalid give up right-away. */ return k; @@ -703,14 +703,14 @@ static int verify(sd_journal *j) { log_info("PASS: %s", f->path); if (arg_verify_key && JOURNAL_HEADER_SEALED(f->header)) { - if (from > 0) { + if (validated > 0) { log_info("=> Validated from %s to %s, final %s entries not sealed.", - format_timestamp(a, sizeof(a), from), - format_timestamp(b, sizeof(b), to), - format_timespan(c, sizeof(c), total > to ? total - to : 0)); - } else if (total > 0) + format_timestamp(a, sizeof(a), first), + format_timestamp(b, sizeof(b), validated), + format_timespan(c, sizeof(c), last > validated ? last - validated : 0)); + } else if (last > 0) log_info("=> No sealing yet, %s of entries not sealed.", - format_timespan(c, sizeof(c), total - f->header->head_entry_realtime)); + format_timespan(c, sizeof(c), last - first)); else log_info("=> No sealing yet, no entries in file."); } -- cgit v1.2.3-54-g00ecf