/* FIXME:
*
* - write bit mucking test
- * - tag timestamps should be between entry timestamps
- * - output validated time ranges
* - evolve key even if nothing happened in regular intervals
*
* - Allow building without libgcrypt
return 0;
}
-int journal_file_verify(JournalFile *f, const char *key) {
+int journal_file_verify(
+ JournalFile *f,
+ const char *key,
+ usec_t *first_validated, usec_t *last_validated, usec_t *last_contained) {
int r;
Object *o;
uint64_t p = 0, last_tag = 0, last_epoch = 0, last_tag_realtime = 0;
break;
case OBJECT_ENTRY:
+ if ((le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_SEALED) && n_tags <= 0) {
+ log_error("First entry before first tag at %llu", (unsigned long long) p);
+ r = -EBADMSG;
+ goto fail;
+ }
+
r = write_uint64(entry_fd, p);
if (r < 0)
goto fail;
break;
case OBJECT_TAG: {
- uint64_t q;
+ uint64_t q, rt;
if (!(le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_SEALED)) {
log_error("Tag object in file without sealing at %llu", (unsigned long long) p);
goto fail;
}
- last_tag_realtime = (o->tag.epoch + 1) * f->fss_interval_usec + f->fss_start_usec;
- if (entry_realtime_set && entry_realtime >= last_tag_realtime) {
+ rt = (o->tag.epoch + 1) * f->fss_interval_usec + f->fss_start_usec;
+ if (entry_realtime_set && entry_realtime >= rt) {
log_error("Tag/entry realtime timestamp out of synchronization at %llu", (unsigned long long) p);
r = -EBADMSG;
goto fail;
f->hmac_running = false;
last_tag = p + ALIGN64(le64toh(o->object.size));
+ last_tag_realtime = rt;
+
n_tags ++;
break;
}
close_nointr_nofail(entry_fd);
close_nointr_nofail(entry_array_fd);
+ if (first_validated)
+ *first_validated = le64toh(f->header->head_entry_realtime);
+ if (last_validated)
+ *last_validated = last_tag_realtime;
+ if (last_contained)
+ *last_contained = le64toh(f->header->tail_entry_realtime);
+
return 0;
fail:
#include "journal-file.h"
-int journal_file_verify(JournalFile *f, const char *key);
+int journal_file_verify(JournalFile *f, const char *key, usec_t *first_validated, usec_t *last_validated, usec_t *last_contained);
HASHMAP_FOREACH(f, j->files, i) {
int k;
+ usec_t from, to, total;
#ifdef HAVE_GCRYPT
if (!arg_verify_key && journal_file_fss_enabled(f))
log_warning("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path);
#endif
- k = journal_file_verify(f, arg_verify_key);
+ k = journal_file_verify(f, arg_verify_key, &from, &to, &total);
if (k == -EINVAL) {
/* If the key was invalid give up right-away. */
return k;
} else if (k < 0) {
log_warning("FAIL: %s (%s)", f->path, strerror(-k));
r = k;
- } else
+ } else {
+ char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX], c[FORMAT_TIMESPAN_MAX];
log_info("PASS: %s", f->path);
+
+ if (journal_file_fss_enabled(f))
+ log_info("=> Validated from %s to %s, %s missing",
+ format_timestamp(a, sizeof(a), from),
+ format_timestamp(b, sizeof(b), to),
+ format_timespan(c, sizeof(c), total > to ? total - to : 0));
+ }
}
return r;
unsigned n;
JournalFile *f;
const char *verification_key = argv[1];
+ usec_t from, to, total;
+ char a[FORMAT_TIMESTAMP_MAX];
+ char b[FORMAT_TIMESTAMP_MAX];
+ char c[FORMAT_TIMESPAN_MAX];
log_set_max_level(LOG_DEBUG);
journal_file_print_header(f);
- assert_se(journal_file_verify(f, verification_key) >= 0);
+ assert_se(journal_file_verify(f, verification_key, &from, &to, &total) >= 0);
+
+ log_info("=> Validated from %s to %s, %s missing",
+ format_timestamp(a, sizeof(a), from),
+ format_timestamp(b, sizeof(b), to),
+ format_timespan(c, sizeof(c), total > to ? total - to : 0));
+
journal_file_close(f);
log_info("Exiting...");