From: Yu Watanabe Date: Thu, 25 Jun 2026 14:38:16 +0000 (+0900) Subject: sd-journal: drop libgcrypt dependency from libsystemd X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24c47291980c32c474ecbe6b3b68258e79308f6e;p=thirdparty%2Fsystemd.git sd-journal: drop libgcrypt dependency from libsystemd This introduce a vtable for journal tagging feature in sd-journal, and makes libgcrypt dependent features loaded by users (journald, journalctl, journal-remote, and unit tests) when necessary. --- diff --git a/man/sd-journal.xml b/man/sd-journal.xml index da4e4e1f823..bcde6779b51 100644 --- a/man/sd-journal.xml +++ b/man/sd-journal.xml @@ -94,7 +94,7 @@ sd_journal objects might cause optional shared libraries to be dynamically loaded via dlopen3, - such as decompression libraries (xz, lz4, zstd) or cryptographic libraries (gcrypt). + such as decompression libraries (xz, lz4, zstd). diff --git a/meson.build b/meson.build index f953eeab13f..943e00bfb27 100644 --- a/meson.build +++ b/meson.build @@ -1813,8 +1813,7 @@ if static_libsystemd != 'false' install_tag: 'libsystemd', install_dir : libdir, pic : static_libsystemd_pic, - dependencies : [libgcrypt_cflags, - liblz4_cflags, + dependencies : [liblz4_cflags, libm, libucontext, libxz_cflags, diff --git a/src/basic/meson.build b/src/basic/meson.build index 90a464f2c4c..31fd1298715 100644 --- a/src/basic/meson.build +++ b/src/basic/meson.build @@ -42,7 +42,6 @@ basic_sources = files( 'format-ifname.c', 'format-util.c', 'fs-util.c', - 'gcrypt-util.c', 'glob-util.c', 'glyph-util.c', 'gunicode.c', @@ -214,7 +213,6 @@ libbasic_static = static_library( include_directories : basic_includes, implicit_include_directories : false, dependencies : [libbzip2_cflags, - libgcrypt_cflags, liblz4_cflags, libxz_cflags, libz_cflags, diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c index 95d28ba1a5c..44b169c5919 100644 --- a/src/journal-remote/journal-remote-main.c 
+++ b/src/journal-remote/journal-remote-main.c @@ -15,6 +15,7 @@ #include "format-util.h" #include "fileio.h" #include "hashmap.h" +#include "journal-authenticate.h" #include "journal-compression-util.h" #include "journal-remote.h" #include "journal-remote-write.h" @@ -1166,6 +1167,8 @@ static int run(int argc, char **argv) { log_setup(); + journal_auth_init(); + r = parse_config(); if (r < 0) return r; diff --git a/src/journal/journalctl-misc.c b/src/journal/journalctl-misc.c index be0b09d8fee..000c1c6a2b0 100644 --- a/src/journal/journalctl-misc.c +++ b/src/journal/journalctl-misc.c @@ -9,6 +9,7 @@ #include "format-table.h" #include "format-util.h" #include "hashmap.h" +#include "journal-authenticate.h" #include "journal-internal.h" #include "journal-verify.h" #include "journalctl.h" @@ -40,6 +41,8 @@ int action_verify(void) { assert(arg_action == ACTION_VERIFY); + journal_auth_init(); + r = acquire_journal(&j); if (r < 0) return r; diff --git a/src/journal/journald.c b/src/journal/journald.c index f72ba2cc907..91f02178f50 100644 --- a/src/journal/journald.c +++ b/src/journal/journald.c @@ -52,6 +52,8 @@ static int run(int argc, char *argv[]) { sigbus_install(); + journal_auth_init(); + r = manager_new(&m); if (r < 0) return log_oom(); diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build index e27f3ce3764..d1797722a42 100644 --- a/src/libsystemd/meson.build +++ b/src/libsystemd/meson.build @@ -3,8 +3,6 @@ sd_journal_sources = files( 'sd-journal/audit-type.c', 'sd-journal/catalog.c', - 'sd-journal/fsprg.c', - 'sd-journal/journal-authenticate.c', 'sd-journal/journal-authenticate-internal.c', 'sd-journal/journal-file.c', 'sd-journal/journal-send.c', diff --git a/src/libsystemd/sd-journal/journal-authenticate-internal.c b/src/libsystemd/sd-journal/journal-authenticate-internal.c index 2210bd1b3f3..7c23b4f0ce6 100644 --- a/src/libsystemd/sd-journal/journal-authenticate-internal.c +++ b/src/libsystemd/sd-journal/journal-authenticate-internal.c 
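Review bot: In the journalctl-misc.c hunk `journal_auth_init()` is registered only inside `action_verify()`, so the libgcrypt-backed ops are available to journalctl solely for `--verify`; any other journalctl code path that opens a sealed file and reaches the auth hooks would run with `auth_ops` unset, which, given the `assert(auth_ops)` the hooks in journal-authenticate-internal.c now carry, means an abort rather than an error return. Whether such a path exists is not visible in the diff, but registering once at the top of journalctl's `main()`, as journald's `run()` and journal-remote's `run()` do in this commit, costs nothing and removes the question. `action_verify()` itself continues outside the hunk.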
@@ -1,35 +1,51 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ -#include "journal-authenticate.h" #include "journal-authenticate-internal.h" #include "journal-file.h" +static const JournalAuthOps *auth_ops = NULL; + +void journal_auth_set_ops(const JournalAuthOps *ops) { + assert(ops); + assert(!auth_ops || auth_ops == ops); + + auth_ops = ops; +} + void journal_file_auth_done(JournalFile *f) { assert(f); -#if HAVE_GCRYPT - f->auth_context = journal_auth_free(f->auth_context); -#endif + if (!auth_ops) + return; + + assert(auth_ops->free); + f->auth_context = auth_ops->free(f->auth_context); } int journal_file_auth_load(JournalFile *f) { assert(f); -#if HAVE_GCRYPT - return journal_auth_load(&f->auth_context); -#else - return -EOPNOTSUPP; -#endif + if (!auth_ops) + return -EOPNOTSUPP; + + if (f->auth_context) + return -EBUSY; + + assert(auth_ops->load); + return auth_ops->load(&f->auth_context); } int journal_file_auth_load_key(JournalFile *f, const char *key) { assert(f); -#if HAVE_GCRYPT - return journal_auth_load_key(&f->auth_context, key); -#else - return -EOPNOTSUPP; -#endif + if (!auth_ops) + return -EOPNOTSUPP; + + if (f->auth_context) + return -EBUSY; + + assert(auth_ops->load_key); + return auth_ops->load_key(&f->auth_context, key); } int journal_file_auth_epoch_to_realtime_usec(JournalFile *f, uint64_t epoch, usec_t *ret_start, usec_t *ret_end) { @@ -38,11 +54,9 @@ int journal_file_auth_epoch_to_realtime_usec(JournalFile *f, uint64_t epoch, use if (!JOURNAL_HEADER_SEALED(f->header)) return -EOPNOTSUPP; -#if HAVE_GCRYPT - return journal_auth_epoch_to_realtime_usec(f->auth_context, epoch, ret_start, ret_end); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->epoch_to_realtime_usec); + return auth_ops->epoch_to_realtime_usec(f->auth_context, epoch, ret_start, ret_end); } int journal_file_auth_next_evolve_usec(JournalFile *f, usec_t *ret) { 
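Review bot: In `journal_file_auth_epoch_to_realtime_usec` at the end of this line, and likewise in the `next_evolve_usec`, `seek`, `start`, `end`, `put_header`, `put_object`, `append_tag`, `append_tag_first` and `append_tag_maybe` hunks that follow, `assert_not_reached()` becomes `assert(auth_ops)`, so a sealed journal file now aborts the process whenever no ops have been registered, and after this commit that is every plain libsystemd consumer, because `journal_auth_init()` moves to src/shared and is called only by journald, journalctl, journal-remote and the tests. Whether an sd-journal reader can actually reach these hooks on a sealed file is not visible here, but the guard is cheap and matches what `journal_file_auth_load` already does: `if (!auth_ops) return -EOPNOTSUPP;` in place of `assert(auth_ops);`, keeping the per-member `assert(auth_ops->...)` checks as they are. `journal_file_auth_done` has the mirror-image gap: it returns silently when `auth_ops` is unset, and an `assert(!f->auth_context);` there would record that no context can exist without ops. The body of `journal_file_auth_epoch_to_realtime_usec` is split across the two hunks on this line, and `journal_file_auth_next_evolve_usec` opens here and continues in the next hunk.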
@@ -51,11 +65,9 @@ int journal_file_auth_next_evolve_usec(JournalFile *f, usec_t *ret) { if (!JOURNAL_HEADER_SEALED(f->header)) return -EOPNOTSUPP; -#if HAVE_GCRYPT - return journal_auth_next_evolve_usec(f->auth_context, ret); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->next_evolve_usec); + return auth_ops->next_evolve_usec(f->auth_context, ret); } int journal_file_auth_seek(JournalFile *f, uint64_t goal) { @@ -64,11 +76,9 @@ int journal_file_auth_seek(JournalFile *f, uint64_t goal) { if (!JOURNAL_HEADER_SEALED(f->header)) return 0; -#if HAVE_GCRYPT - return journal_auth_seek(f->auth_context, goal); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->seek); + return auth_ops->seek(f->auth_context, goal); } int journal_file_auth_start(JournalFile *f) { @@ -77,11 +87,9 @@ int journal_file_auth_start(JournalFile *f) { if (!JOURNAL_HEADER_SEALED(f->header)) return 0; -#if HAVE_GCRYPT - return journal_auth_start(f->auth_context); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->start); + return auth_ops->start(f->auth_context); } int journal_file_auth_end(JournalFile *f, uint8_t ret[static TAG_LENGTH]) { @@ -90,11 +98,9 @@ int journal_file_auth_end(JournalFile *f, uint8_t ret[static TAG_LENGTH]) { if (!JOURNAL_HEADER_SEALED(f->header)) return -EOPNOTSUPP; -#if HAVE_GCRYPT - return journal_auth_end(f->auth_context, ret); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->end); + return auth_ops->end(f->auth_context, ret); } int journal_file_auth_put_header(JournalFile *f) { 
@@ -103,11 +109,9 @@ int journal_file_auth_put_header(JournalFile *f) { if (!JOURNAL_HEADER_SEALED(f->header)) return 0; -#if HAVE_GCRYPT - return journal_auth_put_header(f->auth_context, f); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->put_header); + return auth_ops->put_header(f->auth_context, f); } int journal_file_auth_put_object(JournalFile *f, ObjectType type, Object *o, uint64_t p) { @@ -116,11 +120,9 @@ int journal_file_auth_put_object(JournalFile *f, ObjectType type, Object *o, uin if (!JOURNAL_HEADER_SEALED(f->header)) return 0; -#if HAVE_GCRYPT - return journal_auth_put_object(f->auth_context, f, type, o, p); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->put_object); + return auth_ops->put_object(f->auth_context, f, type, o, p); } int journal_file_auth_append_tag(JournalFile *f) { @@ -132,11 +134,9 @@ int journal_file_auth_append_tag(JournalFile *f) { if (!journal_file_writable(f)) return 0; -#if HAVE_GCRYPT - return journal_auth_append_tag(f->auth_context, f); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->append_tag); + return auth_ops->append_tag(f->auth_context, f); } int journal_file_auth_append_tag_first(JournalFile *f) { @@ -148,11 +148,9 @@ int journal_file_auth_append_tag_first(JournalFile *f) { if (!journal_file_writable(f)) return 0; -#if HAVE_GCRYPT - return journal_auth_append_tag_first(f->auth_context, f); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->append_tag_first); + return auth_ops->append_tag_first(f->auth_context, f); } int journal_file_auth_append_tag_maybe(JournalFile *f, usec_t realtime) { 
@@ -164,9 +162,7 @@ int journal_file_auth_append_tag_maybe(JournalFile *f, usec_t realtime) { if (!journal_file_writable(f)) return 0; -#if HAVE_GCRYPT - return journal_auth_append_tag_maybe(f->auth_context, f, realtime); -#else - assert_not_reached(); -#endif + assert(auth_ops); + assert(auth_ops->append_tag_maybe); + return auth_ops->append_tag_maybe(f->auth_context, f, realtime); } diff --git a/src/libsystemd/sd-journal/journal-authenticate-internal.h b/src/libsystemd/sd-journal/journal-authenticate-internal.h index ee7ea6779fc..0c5e559370e 100644 --- a/src/libsystemd/sd-journal/journal-authenticate-internal.h +++ b/src/libsystemd/sd-journal/journal-authenticate-internal.h @@ -4,6 +4,24 @@ #include "journal-def.h" #include "sd-forward.h" +typedef struct JournalAuthOps { + JournalAuthContext* (*free)(JournalAuthContext *c); + int (*load)(JournalAuthContext **ret); + int (*load_key)(JournalAuthContext **ret, const char *key); + int (*epoch_to_realtime_usec)(const JournalAuthContext *c, uint64_t epoch, usec_t *ret_start, usec_t *ret_end); + int (*next_evolve_usec)(const JournalAuthContext *c, usec_t *ret); + int (*seek)(JournalAuthContext *c, uint64_t goal); + int (*start)(JournalAuthContext *c); + int (*end)(JournalAuthContext *c, uint8_t ret[static TAG_LENGTH]); + int (*put_header)(JournalAuthContext *c, JournalFile *f); + int (*put_object)(JournalAuthContext *c, JournalFile *f, ObjectType type, Object *o, uint64_t p); + int (*append_tag)(JournalAuthContext *c, JournalFile *f); + int (*append_tag_first)(JournalAuthContext *c, JournalFile *f); + int (*append_tag_maybe)(JournalAuthContext *c, JournalFile *f, usec_t realtime); +} JournalAuthOps; + +void journal_auth_set_ops(const JournalAuthOps *ops); + void journal_file_auth_done(JournalFile *f); int journal_file_auth_load(JournalFile *f); int journal_file_auth_load_key(JournalFile *f, const char *key); 
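Review bot: The `journal_auth_set_ops()` declaration added to journal-authenticate-internal.h carries no contract, although the implementation stores the caller's pointer rather than copying the table (`auth_ops = ops;`) and accepts a second call only with the same pointer. A comment above the declaration would keep a future caller from passing a table with automatic storage: `/* Registers the sealing backend. 'ops' must point at storage that stays valid for the rest of the process (a static table); a repeated call is allowed only with the same pointer. */`. The `JournalAuthOps` struct could likewise note that every member is mandatory, since each hook `assert()`s its member before calling it.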
diff --git a/src/libsystemd/sd-journal/journal-authenticate.h b/src/libsystemd/sd-journal/journal-authenticate.h
deleted file mode 100644
index c50c83a7a2d..00000000000
--- a/src/libsystemd/sd-journal/journal-authenticate.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#include "journal-authenticate-internal.h" /* IWYU pragma: export */
-#include "journal-def.h"
-#include "sd-forward.h"
-
-#if HAVE_GCRYPT
-
-JournalAuthContext* journal_auth_free(JournalAuthContext *c);
-int journal_auth_load(JournalAuthContext **ret);
-int journal_auth_load_key(JournalAuthContext **ret, const char *key);
-int journal_auth_epoch_to_realtime_usec(const JournalAuthContext *c, uint64_t epoch, usec_t *ret_start, usec_t *ret_end);
-int journal_auth_next_evolve_usec(const JournalAuthContext *c, usec_t *ret);
-int journal_auth_seek(JournalAuthContext *c, uint64_t goal);
-int journal_auth_start(JournalAuthContext *c);
-int journal_auth_end(JournalAuthContext *c, uint8_t ret[static TAG_LENGTH]);
-int journal_auth_put_header(JournalAuthContext *c, JournalFile *f);
-int journal_auth_put_object(JournalAuthContext *c, JournalFile *f, ObjectType type, Object *o, uint64_t p);
-int journal_auth_append_tag(JournalAuthContext *c, JournalFile *f);
-int journal_auth_append_tag_first(JournalAuthContext *c, JournalFile *f);
-int journal_auth_append_tag_maybe(JournalAuthContext *c, JournalFile *f, usec_t realtime);
-
-#endif
diff --git a/src/libsystemd/sd-journal/test-journal-verify.c b/src/libsystemd/sd-journal/test-journal-verify.c
index 2d797a18f3d..413f8ce05c6 100644
--- a/src/libsystemd/sd-journal/test-journal-verify.c
+++ b/src/libsystemd/sd-journal/test-journal-verify.c
@@ -9,6 +9,7 @@
 #include "chattr-util.h"
 #include "fd-util.h"
 #include "iovec-util.h"
+#include "journal-authenticate.h"
 #include "journal-file-util.h"
 #include "journal-verify.h"
 #include "log.h"
@@ -174,6 +175,8 @@ int main(int argc, char *argv[]) { const char *verification_key = NULL; int max_iterations = 512; + journal_auth_init(); + if (argc > 1) { /* Don't limit the number of iterations when the verification key * is provided on the command line, we want to do that only in CIs */ diff --git a/src/libsystemd/sd-journal/test-journal.c b/src/libsystemd/sd-journal/test-journal.c index d638192dc39..645636d0d03 100644 --- a/src/libsystemd/sd-journal/test-journal.c +++ b/src/libsystemd/sd-journal/test-journal.c @@ -588,6 +588,8 @@ static int intro(void) { if (access("/etc/machine-id", F_OK) != 0) return log_tests_skipped("/etc/machine-id not found"); + journal_auth_init(); + return EXIT_SUCCESS; } diff --git a/src/libsystemd/sd-journal/fsprg.c b/src/shared/fsprg.c similarity index 100% rename from src/libsystemd/sd-journal/fsprg.c rename to src/shared/fsprg.c diff --git a/src/libsystemd/sd-journal/fsprg.h b/src/shared/fsprg.h similarity index 100% rename from src/libsystemd/sd-journal/fsprg.h rename to src/shared/fsprg.h diff --git a/src/basic/gcrypt-util.c b/src/shared/gcrypt-util.c similarity index 100% rename from src/basic/gcrypt-util.c rename to src/shared/gcrypt-util.c diff --git a/src/basic/gcrypt-util.h b/src/shared/gcrypt-util.h similarity index 100% rename from src/basic/gcrypt-util.h rename to src/shared/gcrypt-util.h diff --git a/src/libsystemd/sd-journal/journal-authenticate.c b/src/shared/journal-authenticate.c similarity index 88% rename from src/libsystemd/sd-journal/journal-authenticate.c rename to src/shared/journal-authenticate.c index e77ccb9e29b..ea582f41b1a 100644 --- a/src/libsystemd/sd-journal/journal-authenticate.c +++ b/src/shared/journal-authenticate.c @@ -34,7 +34,7 @@ struct JournalAuthContext { struct iovec fsprg_seed; }; -JournalAuthContext* journal_auth_free(JournalAuthContext *c) { +static JournalAuthContext* journal_auth_free(JournalAuthContext *c) { if (!c) return NULL; 
@@ -64,7 +64,7 @@ static void* fssheader_free(FSSHeader *p) { DEFINE_TRIVIAL_CLEANUP_FUNC(FSSHeader*, fssheader_free); -int journal_auth_load(JournalAuthContext **ret) { +static int journal_auth_load(JournalAuthContext **ret) { int r; assert(ret); @@ -158,7 +158,7 @@ int journal_auth_load(JournalAuthContext **ret) { return 0; } -int journal_auth_load_key(JournalAuthContext **ret, const char *key) { +static int journal_auth_load_key(JournalAuthContext **ret, const char *key) { int r; assert(ret); @@ -219,7 +219,7 @@ int journal_auth_load_key(JournalAuthContext **ret, const char *key) { return 0; } -int journal_auth_epoch_to_realtime_usec(const JournalAuthContext *c, uint64_t epoch, usec_t *ret_start, usec_t *ret_end) { +static int journal_auth_epoch_to_realtime_usec(const JournalAuthContext *c, uint64_t epoch, usec_t *ret_start, usec_t *ret_end) { assert(c); assert(c->fss_start_usec > 0); assert(c->fss_interval_usec > 0); @@ -238,7 +238,7 @@ int journal_auth_epoch_to_realtime_usec(const JournalAuthContext *c, uint64_t ep return 0; } -int journal_auth_next_evolve_usec(const JournalAuthContext *c, usec_t *ret) { +static int journal_auth_next_evolve_usec(const JournalAuthContext *c, usec_t *ret) { assert(c); uint64_t epoch = FSPRG_GetEpoch(c->fsprg_state.iov_base); @@ -246,7 +246,7 @@ int journal_auth_next_evolve_usec(const JournalAuthContext *c, usec_t *ret) { return journal_auth_epoch_to_realtime_usec(c, epoch, /* ret_start= */ NULL, ret); } -int journal_auth_seek(JournalAuthContext *c, uint64_t goal) { +static int journal_auth_seek(JournalAuthContext *c, uint64_t goal) { int r; assert(c); @@ -293,7 +293,7 @@ static int journal_auth_setup(JournalAuthContext *c) { return 0; } -int journal_auth_start(JournalAuthContext *c) { +static int journal_auth_start(JournalAuthContext *c) { int r; assert(c); 
@@ -324,7 +324,7 @@ int journal_auth_start(JournalAuthContext *c) { return 0; } -int journal_auth_end(JournalAuthContext *c, uint8_t ret[static TAG_LENGTH]) { +static int journal_auth_end(JournalAuthContext *c, uint8_t ret[static TAG_LENGTH]) { assert(c); assert(ret); @@ -336,7 +336,7 @@ int journal_auth_end(JournalAuthContext *c, uint8_t ret[static TAG_LENGTH]) { return 0; } -int journal_auth_put_header(JournalAuthContext *c, JournalFile *f) { +static int journal_auth_put_header(JournalAuthContext *c, JournalFile *f) { int r; assert(c); @@ -361,7 +361,7 @@ int journal_auth_put_header(JournalAuthContext *c, JournalFile *f) { return 0; } -int journal_auth_put_object(JournalAuthContext *c, JournalFile *f, ObjectType type, Object *o, uint64_t p) { +static int journal_auth_put_object(JournalAuthContext *c, JournalFile *f, ObjectType type, Object *o, uint64_t p) { int r; assert(c); @@ -417,7 +417,7 @@ int journal_auth_put_object(JournalAuthContext *c, JournalFile *f, ObjectType ty return 0; } -int journal_auth_append_tag(JournalAuthContext *c, JournalFile *f) { +static int journal_auth_append_tag(JournalAuthContext *c, JournalFile *f) { int r; assert(c); @@ -452,7 +452,7 @@ int journal_auth_append_tag(JournalAuthContext *c, JournalFile *f) { return journal_auth_end(c, o->tag.tag); } -int journal_auth_append_tag_first(JournalAuthContext *c, JournalFile *f) { +static int journal_auth_append_tag_first(JournalAuthContext *c, JournalFile *f) { uint64_t p; int r; @@ -486,7 +486,7 @@ int journal_auth_append_tag_first(JournalAuthContext *c, JournalFile *f) { return journal_auth_append_tag(c, f); } -int journal_auth_append_tag_maybe(JournalAuthContext *c, JournalFile *f, usec_t realtime) { +static int journal_auth_append_tag_maybe(JournalAuthContext *c, JournalFile *f, usec_t realtime) { int r; assert(c); 
@@ -514,4 +514,29 @@ int journal_auth_append_tag_maybe(JournalAuthContext *c, JournalFile *f, usec_t
 }
 }
+static const JournalAuthOps journal_auth_ops = {
+ .free = journal_auth_free,
+ .load = journal_auth_load,
+ .load_key = journal_auth_load_key,
+ .epoch_to_realtime_usec = journal_auth_epoch_to_realtime_usec,
+ .next_evolve_usec = journal_auth_next_evolve_usec,
+ .seek = journal_auth_seek,
+ .start = journal_auth_start,
+ .end = journal_auth_end,
+ .put_header = journal_auth_put_header,
+ .put_object = journal_auth_put_object,
+ .append_tag = journal_auth_append_tag,
+ .append_tag_first = journal_auth_append_tag_first,
+ .append_tag_maybe = journal_auth_append_tag_maybe,
+};
+
+void journal_auth_init(void) {
+ journal_auth_set_ops(&journal_auth_ops);
+}
+
+#else
+
+void journal_auth_init(void) {
+}
+
 #endif /* HAVE_GCRYPT */
diff --git a/src/shared/journal-authenticate.h b/src/shared/journal-authenticate.h
new file mode 100644
index 00000000000..a12afb9ac7a
--- /dev/null
+++ b/src/shared/journal-authenticate.h
@@ -0,0 +1,7 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "journal-authenticate-internal.h" /* IWYU pragma: export */
+#include "shared-forward.h"
+
+void journal_auth_init(void);
diff --git a/src/shared/meson.build b/src/shared/meson.build
index def42815c7f..0bd41719f7a 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -87,7 +87,9 @@ shared_sources = files(
 'firewall-util.c',
 'fork-notify.c',
 'format-table.c',
+ 'fsprg.c',
 'fstab-util.c',
+ 'gcrypt-util.c',
 'generator.c',
 'geneve-util.c',
 'gnutls-util.c',
@@ -110,6 +112,7 @@ shared_sources = files(
 'ioprio-util.c',
 'ip-protocol-list.c',
 'ipvlan-util.c',
+ 'journal-authenticate.c',
 'journal-file-util.c',
 'journal-importer.c',
 'journal-util.c',
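Review bot: The new src/shared/journal-authenticate.h declares `journal_auth_init()` with no comment on ordering, although the hooks in journal-authenticate-internal.c only work once it has run, and every call site added in this commit (journald's `run()`, journal-remote's `run()`, `action_verify()`, the two tests) places it before the first journal file is touched. Suggested comment above the declaration: `/* Registers the libgcrypt-backed sealing ops with the JournalFile auth hooks. Must run before any sealed journal file is opened or created; a no-op (no ops registered) when built without libgcrypt. */`. The empty `#else` definition of `journal_auth_init()` in journal-authenticate.c is the no-op that comment describes, so the two stay consistent.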