From: Daan De Meyer Date: Sun, 20 Apr 2025 10:26:53 +0000 (+0200) Subject: journal: Always compile journal authentication related files X-Git-Tag: v258-rc1~755^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a843382d1e478fcadfdb6d017424ac165a09a324;p=thirdparty%2Fsystemd.git journal: Always compile journal authentication related files Tooling such as clang-tidy is bad at dealing with conditional compilation on the build system level instead of at the source file level. What happens? It still tries to analyze the file and fails horribly if the required headers aren't available. Let's work around the issue and make things more consistent at the same time by doing the necessary HAVE_GCRYPT checks inside of the source files instead of doing them at the build system level. We also add some typedefs to allow getting rid of various HAVE_GCRYPT checks. --- diff --git a/src/basic/gcrypt-util.h b/src/basic/gcrypt-util.h index 2f9c35d15da..5fc176cb6c6 100644 --- a/src/basic/gcrypt-util.h +++ b/src/basic/gcrypt-util.h @@ -6,12 +6,13 @@ #include #include +#include "memory-util.h" + #if HAVE_GCRYPT #include #include "dlfcn-util.h" #include "macro.h" -#include "memory-util.h" extern DLSYM_PROTOTYPE(gcry_md_close); extern DLSYM_PROTOTYPE(gcry_md_copy); @@ -46,15 +47,6 @@ extern DLSYM_PROTOTYPE(gcry_strerror); int initialize_libgcrypt(bool secmem); -static inline gcry_md_hd_t* sym_gcry_md_closep(gcry_md_hd_t *md) { - if (!md || !*md) - return NULL; - sym_gcry_md_close(*md); - - return NULL; -} -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL); - /* Copied from gcry_md_putc from gcrypt.h due to the need to call the sym_ variant */ #define sym_gcry_md_putc(h,c) \ do { \ 
@@ -63,4 +55,12 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL); sym_gcry_md_write((h__), NULL, 0); \ (h__)->buf[(h__)->bufpos++] = (c) & 0xff; \ } while(false) +#else +typedef struct gcry_md_handle *gcry_md_hd_t; + +static inline void sym_gcry_md_close(gcry_md_hd_t h) { + assert(h == NULL); +} #endif + +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, sym_gcry_md_close, NULL); diff --git a/src/journal/journalctl-authenticate.c b/src/journal/journalctl-authenticate.c index d62d887b0e6..667c4f4a141 100644 --- a/src/journal/journalctl-authenticate.c +++ b/src/journal/journalctl-authenticate.c @@ -23,6 +23,7 @@ #include "terminal-util.h" #include "tmpfile-util.h" +#if HAVE_GCRYPT static int format_key( const void *seed, size_t seed_size, @@ -51,8 +52,10 @@ static int format_key( return memstream_finalize(&m, ret, NULL); } +#endif int action_setup_keys(void) { +#if HAVE_GCRYPT _cleanup_(unlink_and_freep) char *tmpfile = NULL; _cleanup_close_ int fd = -EBADF; _cleanup_free_ char *path = NULL; @@ -236,4 +239,7 @@ int action_setup_keys(void) { #endif return 0; +#else + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Forward-secure sealing not available."); +#endif } diff --git a/src/journal/journalctl-authenticate.h b/src/journal/journalctl-authenticate.h index 2a8ebd55f7f..afb6de6e116 100644 --- a/src/journal/journalctl-authenticate.h +++ b/src/journal/journalctl-authenticate.h @@ -1,16 +1,4 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #pragma once -#if HAVE_GCRYPT - int action_setup_keys(void); - -#else - -#include "log.h" - -static inline int action_setup_keys(void) { - return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Forward-secure sealing not available."); -} - -#endif diff --git a/src/journal/meson.build b/src/journal/meson.build index b7925fb97f9..60cde31c86b 100644 --- a/src/journal/meson.build +++ b/src/journal/meson.build 
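Review bot: The `#else` stub `sym_gcry_md_close` and the now-unconditional `DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, sym_gcry_md_close, NULL);` rely on `assert` and on that macro while `#include "macro.h"` stays inside `#if HAVE_GCRYPT` (first hunk of this file); unless `memory-util.h` transitively provides both, the gcrypt-less build only compiles by include order, so I would hoist `#include "macro.h"` next to `#include "memory-util.h"`. The typedef deliberately reuses libgcrypt's type name so that `JournalFile` can declare its `hmac` field in every build; a comment would save the next reader a search, e.g. `/* Opaque stand-in for libgcrypt's gcry_md_hd_t; no handle can be created without gcrypt, so closing anything but NULL is a bug. */` above `typedef struct gcry_md_handle *gcry_md_hd_t;`. The `assert(h == NULL)` in the stub is what enforces that contract, which is worth stating next to it as well.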
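Review bot: The `#else` branch of `action_setup_keys` now calls `log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), ...)` from the .c file, whereas the deleted header stub included `log.h` explicitly for it; the include list visible in the first hunk of this file shows only `terminal-util.h` and `tmpfile-util.h`, so check that `log.h` is included directly rather than reached through another header. A short comment at the `#else`, e.g. `/* Built without gcrypt: FSS key generation is unavailable. */`, would also explain why `format_key` above it is compiled out. The body of `action_setup_keys` begins outside this hunk.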
@@ -32,6 +32,7 @@ libjournal_core = static_library( journalctl_sources = files( 'journalctl.c', + 'journalctl-authenticate.c', 'journalctl-catalog.c', 'journalctl-filter.c', 'journalctl-misc.c', @@ -40,10 +41,6 @@ journalctl_sources = files( 'journalctl-varlink.c', ) -if conf.get('HAVE_GCRYPT') == 1 - journalctl_sources += files('journalctl-authenticate.c') -endif - if get_option('link-journalctl-shared') journalctl_link_with = [libshared] else diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build index fa28aa09fb8..0eb9392d5d0 100644 --- a/src/libsystemd/meson.build +++ b/src/libsystemd/meson.build @@ -3,6 +3,8 @@ sd_journal_sources = files( 'sd-journal/audit-type.c', 'sd-journal/catalog.c', + 'sd-journal/fsprg.c', + 'sd-journal/journal-authenticate.c', 'sd-journal/journal-file.c', 'sd-journal/journal-send.c', 'sd-journal/journal-vacuum.c', @@ -12,13 +14,6 @@ sd_journal_sources = files( 'sd-journal/sd-journal.c', ) -if conf.get('HAVE_GCRYPT') == 1 - sd_journal_sources += files( - 'sd-journal/fsprg.c', - 'sd-journal/journal-authenticate.c', - ) -endif - audit_type_includes = [config_h, missing_audit_h, 'linux/audit.h'] diff --git a/src/libsystemd/sd-journal/fsprg.c b/src/libsystemd/sd-journal/fsprg.c index 85632b06d3a..707177b9f44 100644 --- a/src/libsystemd/sd-journal/fsprg.c +++ b/src/libsystemd/sd-journal/fsprg.c @@ -26,6 +26,8 @@ #define RND_GEN_Q 0x02 #define RND_GEN_X 0x03 +#if HAVE_GCRYPT + #pragma GCC diagnostic ignored "-Wpointer-arith" /* TODO: remove void* arithmetic and this work-around */ @@ -201,6 +203,8 @@ static void CRT_compose(gcry_mpi_t *x, const gcry_mpi_t xp, const gcry_mpi_t xq, /******************************************************************************/ +#endif + size_t FSPRG_mskinbytes(unsigned _secpar) { VALIDATE_SECPAR(_secpar); return 2 + 2 * (_secpar / 2) / 8; /* to store header,p,q */ 
@@ -216,6 +220,7 @@ size_t FSPRG_stateinbytes(unsigned _secpar) { return 2 + 2 * _secpar / 8 + 8; /* to store header,n,x,epoch */ } +#if HAVE_GCRYPT static void store_secpar(void *buf, uint16_t secpar) { secpar = secpar / 16 - 1; ((uint8_t*) buf)[0] = (secpar >> 8) & 0xff; @@ -229,8 +234,10 @@ static uint16_t read_secpar(const void *buf) { (uint16_t)(((uint8_t*) buf)[1]) << 0; return 16 * (secpar + 1); } +#endif int FSPRG_GenMK(void *msk, void *mpk, const void *seed, size_t seedlen, unsigned _secpar) { +#if HAVE_GCRYPT uint8_t iseed[FSPRG_RECOMMENDED_SEEDLEN]; gcry_mpi_t n, p, q; uint16_t secpar; @@ -273,9 +280,13 @@ int FSPRG_GenMK(void *msk, void *mpk, const void *seed, size_t seedlen, unsigned sym_gcry_mpi_release(q); return 0; +#else + return -EOPNOTSUPP; +#endif } int FSPRG_GenState0(void *state, const void *mpk, const void *seed, size_t seedlen) { +#if HAVE_GCRYPT gcry_mpi_t n, x; uint16_t secpar; int r; @@ -296,9 +307,13 @@ int FSPRG_GenState0(void *state, const void *mpk, const void *seed, size_t seedl sym_gcry_mpi_release(x); return 0; +#else + return -EOPNOTSUPP; +#endif } int FSPRG_Evolve(void *state) { +#if HAVE_GCRYPT gcry_mpi_t n, x; uint16_t secpar; uint64_t epoch; @@ -323,15 +338,23 @@ int FSPRG_Evolve(void *state) { sym_gcry_mpi_release(x); return 0; +#else + return -EOPNOTSUPP; +#endif } uint64_t FSPRG_GetEpoch(const void *state) { +#if HAVE_GCRYPT uint16_t secpar; secpar = read_secpar(state + 0); return uint64_import(state + 2 + 2 * secpar / 8, 8); +#else + return -EOPNOTSUPP; +#endif } int FSPRG_Seek(void *state, uint64_t epoch, const void *msk, const void *seed, size_t seedlen) { +#if HAVE_GCRYPT gcry_mpi_t p, q, n, x, xp, xq, kp, kq, xm; uint16_t secpar; int r; 
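Review bot: `return -EOPNOTSUPP;` in the `#else` branch of `FSPRG_GetEpoch` is converted to the function's `uint64_t` return type, so a gcrypt-less build reports an enormous epoch instead of an error and a caller comparing epochs cannot tell the difference. Unlike the `int` stubs in the other hunks of this file, this function has no error channel; since no FSPRG state can be produced without gcrypt, I would either make the branch explicitly unreachable or return a documented sentinel, e.g. `return UINT64_MAX; /* no FSPRG state can exist without gcrypt */`, choosing the value with the callers in journal-authenticate.c in view. Whatever is chosen, the choice should be written down at that line.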
@@ -374,9 +397,13 @@ int FSPRG_Seek(void *state, uint64_t epoch, const void *msk, const void *seed, s sym_gcry_mpi_release(xm); return 0; +#else + return -EOPNOTSUPP; +#endif } int FSPRG_GetKey(const void *state, void *key, size_t keylen, uint32_t idx) { +#if HAVE_GCRYPT uint16_t secpar; int r; @@ -388,4 +415,7 @@ int FSPRG_GetKey(const void *state, void *key, size_t keylen, uint32_t idx) { det_randomize(key, keylen, state + 2, 2 * secpar / 8 + 8, idx); return 0; +#else + return -EOPNOTSUPP; +#endif } diff --git a/src/libsystemd/sd-journal/journal-authenticate.c b/src/libsystemd/sd-journal/journal-authenticate.c index 35412fe39aa..9ad9ce3ef33 100644 --- a/src/libsystemd/sd-journal/journal-authenticate.c +++ b/src/libsystemd/sd-journal/journal-authenticate.c @@ -25,6 +25,7 @@ static void* fssheader_free(FSSHeader *p) { DEFINE_TRIVIAL_CLEANUP_FUNC(FSSHeader*, fssheader_free); +#if HAVE_GCRYPT static uint64_t journal_file_tag_seqnum(JournalFile *f) { uint64_t r; @@ -35,8 +36,10 @@ static uint64_t journal_file_tag_seqnum(JournalFile *f) { return r; } +#endif int journal_file_append_tag(JournalFile *f) { +#if HAVE_GCRYPT Object *o; uint64_t p; int r; @@ -76,9 +79,13 @@ int journal_file_append_tag(JournalFile *f) { f->hmac_running = false; return 0; +#else + return -EOPNOTSUPP; +#endif } int journal_file_hmac_start(JournalFile *f) { +#if HAVE_GCRYPT uint8_t key[256 / 8]; /* Let's pass 256 bit from FSPRG to HMAC */ gcry_error_t err; int r; @@ -107,6 +114,9 @@ int journal_file_hmac_start(JournalFile *f) { f->hmac_running = true; return 0; +#else + return -EOPNOTSUPP; +#endif } static int journal_file_get_epoch(JournalFile *f, uint64_t realtime, uint64_t *epoch) { @@ -252,6 +262,7 @@ int journal_file_maybe_append_tag(JournalFile *f, uint64_t realtime) { } int journal_file_hmac_put_object(JournalFile *f, ObjectType type, Object *o, uint64_t p) { +#if HAVE_GCRYPT int r; assert(f); 
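Review bot: The gcrypt-less stub of `journal_file_append_tag` returns `-EOPNOTSUPP` unconditionally, which is a stricter contract than the real implementation, whose early checks (outside this hunk) presumably let files that are not being sealed through with 0; the same holds for the stubs of `journal_file_hmac_start`, `journal_file_hmac_put_object`, `journal_file_hmac_put_header` and `journal_file_hmac_setup` in the following hunks. That is acceptable only while the callers in journal-file.c keep skipping these calls for unsealed files, so the expectation should be recorded, e.g. `/* Built without gcrypt: callers must not reach this for files that are not sealed. */` at the first `#else`. `journal_file_get_epoch`, `journal_file_maybe_append_tag` and `journal_file_fss_load` appear to stay unconditional; a comment noting that they only depend on FSPRG entry points that themselves return -EOPNOTSUPP would complete the picture.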
@@ -307,9 +318,13 @@ int journal_file_hmac_put_object(JournalFile *f, ObjectType type, Object *o, uin } return 0; +#else + return -EOPNOTSUPP; +#endif } int journal_file_hmac_put_header(JournalFile *f) { +#if HAVE_GCRYPT int r; assert(f); @@ -334,6 +349,9 @@ int journal_file_hmac_put_header(JournalFile *f) { sym_gcry_md_write(f->hmac, &f->header->data_hash_table_offset, offsetof(Header, tail_object_offset) - offsetof(Header, data_hash_table_offset)); return 0; +#else + return -EOPNOTSUPP; +#endif } int journal_file_fss_load(JournalFile *f) { @@ -415,6 +433,7 @@ int journal_file_fss_load(JournalFile *f) { } int journal_file_hmac_setup(JournalFile *f) { +#if HAVE_GCRYPT gcry_error_t e; int r; @@ -430,6 +449,9 @@ int journal_file_hmac_setup(JournalFile *f) { return -EOPNOTSUPP; return 0; +#else + return -EOPNOTSUPP; +#endif } int journal_file_append_first_tag(JournalFile *f) { diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c index 04203148944..c4e2bd15918 100644 --- a/src/libsystemd/sd-journal/journal-file.c +++ b/src/libsystemd/sd-journal/journal-file.c @@ -302,7 +302,6 @@ JournalFile* journal_file_close(JournalFile *f) { free(f->compress_buffer); #endif -#if HAVE_GCRYPT if (f->fss_file) { size_t sz = PAGE_ALIGN(f->fss_file_size); assert(sz < SIZE_MAX); @@ -314,7 +313,6 @@ JournalFile* journal_file_close(JournalFile *f) { if (f->hmac) sym_gcry_md_close(f->hmac); -#endif return mfree(f); } diff --git a/src/libsystemd/sd-journal/journal-file.h b/src/libsystemd/sd-journal/journal-file.h index 35f8f6ce6b4..60196813163 100644 --- a/src/libsystemd/sd-journal/journal-file.h +++ b/src/libsystemd/sd-journal/journal-file.h @@ -4,14 +4,11 @@ #include #include -#if HAVE_GCRYPT -# include -#endif - #include "sd-event.h" #include "sd-id128.h" #include "compress.h" +#include "gcrypt-util.h" #include "hashmap.h" #include "journal-def.h" #include "missing_fcntl.h" 
@@ -106,7 +103,6 @@ typedef struct JournalFile { void *compress_buffer; #endif -#if HAVE_GCRYPT gcry_md_hd_t hmac; bool hmac_running; @@ -121,7 +117,6 @@ typedef struct JournalFile { void *fsprg_seed; size_t fsprg_seed_size; -#endif /* When we insert this file into the per-boot priority queue 'newest_by_boot_id' in sd_journal, then by these keys */ sd_id128_t newest_boot_id;
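Review bot: The `hmac`, `hmac_running` and `fsprg_*` members of `JournalFile` are now present in every build, but nothing here says what they hold when gcrypt is absent: `gcry_md_hd_t` is then the opaque stand-in from `gcrypt-util.h` and the fields can only ever be NULL/zero. A comment at `gcry_md_hd_t hmac;` would record that, e.g. `/* Sealing state; stays NULL/zero in builds without gcrypt, where gcry_md_hd_t is the stub typedef from gcrypt-util.h. */`. The struct definition begins and ends outside these hunks.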