journalctl: add --verify-seed= switch to specify seed value

diff --git a/src/journal/journal-authenticate.c b/src/journal/journal-authenticate.c
index 827e4e4fb9b0b00931270e9044a4e0e32dad3a09..5a0314b4f6538ab50b4c61ca4d919c0d0320b5dc 100644 (file)
--- a/src/journal/journal-authenticate.c
+++ b/src/journal/journal-authenticate.c
@@ -432,3 +432,9 @@ int journal_file_append_first_tag(JournalFile *f) {
 
         return 0;
 }
 
         return 0;
 }

+
+bool journal_file_fsprg_enabled(JournalFile *f) {
+        assert(f);
+
+        return !!(le32toh(f->header->compatible_flags) & HEADER_COMPATIBLE_AUTHENTICATED);
+}

diff --git a/src/journal/journal-authenticate.h b/src/journal/journal-authenticate.h
index c991b22e4a8c7610034991d9e762c77b83785a1f..566d7a81a9d35856c1f19b068b7a258afbb6c85f 100644 (file)
--- a/src/journal/journal-authenticate.h
+++ b/src/journal/journal-authenticate.h
@@ -21,6 +21,9 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 

+#include <stdbool.h>
+#include <inttypes.h>
+

 #include "journal-file.h"
 
 int journal_file_append_tag(JournalFile *f);
 #include "journal-file.h"
 
 int journal_file_append_tag(JournalFile *f);


@@ -33,3 +36,5 @@ int journal_file_hmac_put_object(JournalFile *f, int type, uint64_t p);
 int journal_file_load_fsprg(JournalFile *f);
 
 int journal_file_setup_hmac(JournalFile *f);
 int journal_file_load_fsprg(JournalFile *f);
 
 int journal_file_setup_hmac(JournalFile *f);

+
+bool journal_file_fsprg_enabled(JournalFile *f);

diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index a70de0684ec97047ad2aafa6596fd2ca1a491f87..3d274c8eb5e64a172ff9c41f1f7b7e9e24f2ab20 100644 (file)
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -41,9 +41,10 @@
 #include "logs-show.h"
 #include "strv.h"
 #include "journal-internal.h"
 #include "logs-show.h"
 #include "strv.h"
 #include "journal-internal.h"

-#include "fsprg.h"

 #include "journal-def.h"
 #include "journal-verify.h"
 #include "journal-def.h"
 #include "journal-verify.h"

+#include "journal-authenticate.h"
+#include "fsprg.h"

 
 #define DEFAULT_FSPRG_INTERVAL_USEC (15*USEC_PER_MINUTE)
 
 
 #define DEFAULT_FSPRG_INTERVAL_USEC (15*USEC_PER_MINUTE)
 


@@ -58,6 +59,7 @@ static bool arg_local = false;
 static bool arg_this_boot = false;
 static const char *arg_directory = NULL;
 static int arg_priorities = 0xFF;
 static bool arg_this_boot = false;
 static const char *arg_directory = NULL;
 static int arg_priorities = 0xFF;

+static const char *arg_verify_seed = NULL;

 
 static enum {
         ACTION_SHOW,
 
 static enum {
         ACTION_SHOW,


@@ -71,25 +73,26 @@ static int help(void) {
 
         printf("%s [OPTIONS...] [MATCH]\n\n"
                "Send control commands to or query the journal.\n\n"
 
         printf("%s [OPTIONS...] [MATCH]\n\n"
                "Send control commands to or query the journal.\n\n"

-               "  -h --help           Show this help\n"
-               "     --version        Show package version\n"
-               "     --no-pager       Do not pipe output into a pager\n"
-               "  -a --all            Show all fields, including long and unprintable\n"
-               "  -f --follow         Follow journal\n"
-               "  -n --lines=INTEGER  Journal entries to show\n"
-               "     --no-tail        Show all lines, even in follow mode\n"
-               "  -o --output=STRING  Change journal output mode (short, short-monotonic,\n"
-               "                      verbose, export, json, cat)\n"
-               "  -q --quiet          Don't show privilege warning\n"
-               "  -l --local          Only local entries\n"
-               "  -b --this-boot      Show data only from current boot\n"
-               "  -D --directory=PATH Show journal files from directory\n"
-               "  -p --priority=RANGE Show only messages within the specified priority range\n\n"
+               "  -h --help              Show this help\n"
+               "     --version           Show package version\n"
+               "     --no-pager          Do not pipe output into a pager\n"
+               "  -a --all               Show all fields, including long and unprintable\n"
+               "  -f --follow            Follow journal\n"
+               "  -n --lines=INTEGER     Journal entries to show\n"
+               "     --no-tail           Show all lines, even in follow mode\n"
+               "  -o --output=STRING     Change journal output mode (short, short-monotonic,\n"
+               "                         verbose, export, json, cat)\n"
+               "  -q --quiet             Don't show privilege warning\n"
+               "  -l --local             Only local entries\n"
+               "  -b --this-boot         Show data only from current boot\n"
+               "  -D --directory=PATH    Show journal files from directory\n"
+               "  -p --priority=RANGE    Show only messages within the specified priority range\n\n"

                "Commands:\n"
                "Commands:\n"

-               "     --new-id128      Generate a new 128 Bit ID\n"
-               "     --header         Show journal header information\n"
-               "     --setup-keys     Generate new FSPRG key pair\n"
-               "     --verify         Verify journal file consistency\n",
+               "     --new-id128         Generate a new 128 Bit ID\n"
+               "     --header            Show journal header information\n"
+               "     --verify            Verify journal file consistency\n"
+               "     --verify-seed=SEED  Specify FSPRG seed for verification\n"
+               "     --setup-keys        Generate new FSPRG key and seed\n",

                program_invocation_short_name);
 
         return 0;
                program_invocation_short_name);
 
         return 0;


@@ -104,28 +107,30 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_NEW_ID128,
                 ARG_HEADER,
                 ARG_SETUP_KEYS,
                 ARG_NEW_ID128,
                 ARG_HEADER,
                 ARG_SETUP_KEYS,

-                ARG_VERIFY
+                ARG_VERIFY,
+                ARG_VERIFY_SEED

         };
 
         static const struct option options[] = {
         };
 
         static const struct option options[] = {

-                { "help",      no_argument,       NULL, 'h'           },
-                { "version" ,  no_argument,       NULL, ARG_VERSION   },
-                { "no-pager",  no_argument,       NULL, ARG_NO_PAGER  },
-                { "follow",    no_argument,       NULL, 'f'           },
-                { "output",    required_argument, NULL, 'o'           },
-                { "all",       no_argument,       NULL, 'a'           },
-                { "lines",     required_argument, NULL, 'n'           },
-                { "no-tail",   no_argument,       NULL, ARG_NO_TAIL   },
-                { "new-id128", no_argument,       NULL, ARG_NEW_ID128 },
-                { "quiet",     no_argument,       NULL, 'q'           },
-                { "local",     no_argument,       NULL, 'l'           },
-                { "this-boot", no_argument,       NULL, 'b'           },
-                { "directory", required_argument, NULL, 'D'           },
-                { "header",    no_argument,       NULL, ARG_HEADER    },
-                { "priority",  no_argument,       NULL, 'p'           },
-                { "setup-keys",no_argument,       NULL, ARG_SETUP_KEYS},
-                { "verify",    no_argument,       NULL, ARG_VERIFY    },
-                { NULL,        0,                 NULL, 0             }
+                { "help",        no_argument,       NULL, 'h'             },
+                { "version" ,    no_argument,       NULL, ARG_VERSION     },
+                { "no-pager",    no_argument,       NULL, ARG_NO_PAGER    },
+                { "follow",      no_argument,       NULL, 'f'             },
+                { "output",      required_argument, NULL, 'o'             },
+                { "all",         no_argument,       NULL, 'a'             },
+                { "lines",       required_argument, NULL, 'n'             },
+                { "no-tail",     no_argument,       NULL, ARG_NO_TAIL     },
+                { "new-id128",   no_argument,       NULL, ARG_NEW_ID128   },
+                { "quiet",       no_argument,       NULL, 'q'             },
+                { "local",       no_argument,       NULL, 'l'             },
+                { "this-boot",   no_argument,       NULL, 'b'             },
+                { "directory",   required_argument, NULL, 'D'             },
+                { "header",      no_argument,       NULL, ARG_HEADER      },
+                { "priority",    no_argument,       NULL, 'p'             },
+                { "setup-keys",  no_argument,       NULL, ARG_SETUP_KEYS  },
+                { "verify",      no_argument,       NULL, ARG_VERIFY      },
+                { "verify-seed", required_argument, NULL, ARG_VERIFY_SEED },
+                { NULL,          0,                 NULL, 0               }

         };
 
         int c, r;
         };
 
         int c, r;


@@ -212,6 +217,11 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_action = ACTION_VERIFY;
                         break;
 
                         arg_action = ACTION_VERIFY;
                         break;
 

+                case ARG_VERIFY_SEED:
+                        arg_action = ACTION_VERIFY;
+                        arg_verify_seed = optarg;
+                        break;
+

                 case 'p': {
                         const char *dots;
 
                 case 'p': {
                         const char *dots;
 


@@ -541,8 +551,8 @@ static int setup_keys(void) {
                 fprintf(stderr,
                         "\n"
                         "The new key pair has been generated. The evolving key has been written to the\n"
                 fprintf(stderr,
                         "\n"
                         "The new key pair has been generated. The evolving key has been written to the\n"

-                        "following file. It will be used to protect local journal files. This file does\n"
-                        "not need to be kept secret. It should not be used on multiple hosts.\n"
+                        "following file. It will be used to protect local journal files. This file\n"
+                        "should be kept secret. It should not be used on multiple hosts.\n"

                         "\n"
                         "\t%s\n"
                         "\n"
                         "\n"
                         "\t%s\n"
                         "\n"


@@ -591,7 +601,10 @@ static int verify(sd_journal *j) {
         HASHMAP_FOREACH(f, j->files, i) {
                 int k;
 
         HASHMAP_FOREACH(f, j->files, i) {
                 int k;
 

-                k = journal_file_verify(f, NULL);
+                if (!arg_verify_seed && journal_file_fsprg_enabled(f))
+                        log_warning("Journal file %s has authentication enabled but verification seed has not been passed using --verify-seed=.", f->path);
+
+                k = journal_file_verify(f, arg_verify_seed);

                 if (k < 0) {
                         log_warning("FAIL: %s (%s)", f->path, strerror(-k));
                         r = -r;
                 if (k < 0) {
                         log_warning("FAIL: %s (%s)", f->path, strerror(-k));
                         r = -r;