autoconf: add option to disable journald authentication.

This way one can compile importd (which needs gcrypt) without linking
journald to gcrypt (previously, authentication was enabled whenever gcrypt
was present).
Dimitri John Ledkov
2015-06-23 12:35:29 +01:00
parent e49bfb162d
commit a97348d508
10 changed files with 38 additions and 28 deletions
+1 -1
@@ -4123,7 +4123,7 @@ libsystemd_journal_internal_la_LIBADD += \
-llz4
endif
if HAVE_GCRYPT
if ENABLE_JOURNALD_AUTHENTICATE
libsystemd_journal_internal_la_SOURCES += \
src/journal/journal-authenticate.c \
src/journal/journal-authenticate.h \
+10
@@ -732,6 +732,15 @@ AC_SUBST(GCRYPT_LIBS)
AC_SUBST(GCRYPT_CFLAGS)
AM_CONDITIONAL([HAVE_GCRYPT], [test "x$have_gcrypt" != xno])
# ------------------------------------------------------------------------------
have_journald_authenticate=no
AC_ARG_ENABLE(journald-authenticate, AS_HELP_STRING([--disable-journald-authenticate], [disable journal authentication (requires gcrypt)]))
if test "x$enable_journald_authenticate" != "xno" && test "x$have_gcrypt" != "xno"; then
have_journald_authenticate=yes
AC_DEFINE(HAVE_JOURNALD_AUTHENTICATE, 1, [Journal authentication available])
fi
AM_CONDITIONAL(ENABLE_JOURNALD_AUTHENTICATE, [test "$have_journald_authenticate" = "yes"])
# ------------------------------------------------------------------------------
AC_ARG_ENABLE([audit],
AS_HELP_STRING([--disable-audit],[Disable optional AUDIT support]),
@@ -1527,6 +1536,7 @@ AC_MSG_RESULT([
randomseed: ${have_randomseed}
backlight: ${have_backlight}
rfkill: ${have_rfkill}
journald-authenticate: ${have_journald_authenticate}
logind: ${have_logind}
machined: ${have_machined}
importd: ${have_importd}
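Review bot: An explicit `--enable-journald-authenticate` on a system without gcrypt is silently downgraded to a build without sealing, because the `if test "x$enable_journald_authenticate" != "xno" && test "x$have_gcrypt" != "xno"` check in the first hunk treats "requested" and "not specified" alike. The only trace is the `journald-authenticate: no` line in the summary, which is easy to miss in a packaging log. I would fail configure in that case, e.g. `if test "x$enable_journald_authenticate" = "xyes" && test "x$have_gcrypt" = "xno"; then AC_MSG_ERROR([*** journald authentication requested but gcrypt not found]); fi`. Separately, the conditional is named `ENABLE_JOURNALD_AUTHENTICATE` while the define is `HAVE_JOURNALD_AUTHENTICATE`; one prefix for both would be easier to grep.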
+1 -1
@@ -180,7 +180,7 @@ enum {
};
#define HEADER_COMPATIBLE_ANY HEADER_COMPATIBLE_SEALED
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
# define HEADER_COMPATIBLE_SUPPORTED HEADER_COMPATIBLE_SEALED
#else
# define HEADER_COMPATIBLE_SUPPORTED 0
+12 -12
@@ -137,7 +137,7 @@ int journal_file_set_offline(JournalFile *f) {
JournalFile* journal_file_close(JournalFile *f) {
assert(f);
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
/* Write the final tag */
if (f->seal && f->writable)
journal_file_append_tag(f);
@@ -172,7 +172,7 @@ JournalFile* journal_file_close(JournalFile *f) {
free(f->compress_buffer);
#endif
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
if (f->fss_file)
munmap(f->fss_file, PAGE_ALIGN(f->fss_file_size));
else
@@ -1023,7 +1023,7 @@ static int journal_file_append_field(
if (r < 0)
return r;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_hmac_put_object(f, OBJECT_FIELD, o, p);
if (r < 0)
return r;
@@ -1123,7 +1123,7 @@ static int journal_file_append_data(
fo->field.head_data_offset = le64toh(p);
}
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p);
if (r < 0)
return r;
@@ -1213,7 +1213,7 @@ static int link_entry_into_array(JournalFile *f,
if (r < 0)
return r;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_hmac_put_object(f, OBJECT_ENTRY_ARRAY, o, q);
if (r < 0)
return r;
@@ -1361,7 +1361,7 @@ static int journal_file_append_entry_internal(
o->entry.xor_hash = htole64(xor_hash);
o->entry.boot_id = f->header->boot_id;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_hmac_put_object(f, OBJECT_ENTRY, o, np);
if (r < 0)
return r;
@@ -1423,7 +1423,7 @@ int journal_file_append_entry(JournalFile *f, const dual_timestamp *ts, const st
ts->monotonic < le64toh(f->header->tail_entry_monotonic))
return -EINVAL;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_maybe_append_tag(f, ts->realtime);
if (r < 0)
return r;
@@ -2624,7 +2624,7 @@ int journal_file_open(
#elif defined(HAVE_XZ)
f->compress_xz = compress;
#endif
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
f->seal = seal;
#endif
@@ -2676,7 +2676,7 @@ int journal_file_open(
fd_setcrtime(f->fd, 0);
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
/* Try to load the FSPRG state, and if we can't, then
* just don't do sealing */
if (f->seal) {
@@ -2714,7 +2714,7 @@ int journal_file_open(
goto fail;
}
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
if (!newly_created && f->writable) {
r = journal_file_fss_load(f);
if (r < 0)
@@ -2734,7 +2734,7 @@ int journal_file_open(
goto fail;
}
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_hmac_setup(f);
if (r < 0)
goto fail;
@@ -2749,7 +2749,7 @@ int journal_file_open(
if (r < 0)
goto fail;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_append_first_tag(f);
if (r < 0)
goto fail;
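Review bot: In journal_file_open, `f->seal = seal;` is now compiled only under `HAVE_JOURNALD_AUTHENTICATE`, so a caller that passes `seal` as true to a build configured with `--disable-journald-authenticate` gets an unsealed journal without any diagnostic. Before this commit that could only happen when gcrypt was absent; now it is a deliberate build choice on systems that do have gcrypt, and an operator who relies on sealing for tamper evidence has no runtime signal that it is off. Consider an `#else` branch such as `if (seal) log_debug("Sealing requested but journal authentication is compiled out.");`. The function body starts and ends outside these hunks, so whether a later path already reports this cannot be seen here.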
+2 -2
@@ -23,7 +23,7 @@
#include <inttypes.h>
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
#include <gcrypt.h>
#endif
@@ -108,7 +108,7 @@ typedef struct JournalFile {
size_t compress_buffer_size;
#endif
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
gcry_md_hd_t hmac;
bool hmac_running;
+3 -3
@@ -819,13 +819,13 @@ int journal_file_verify(
int data_fd = -1, entry_fd = -1, entry_array_fd = -1;
unsigned i;
bool found_last = false;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
uint64_t last_tag = 0;
#endif
assert(f);
if (key) {
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
r = journal_file_parse_verification_key(f, key);
if (r < 0) {
log_error("Failed to parse seed.");
@@ -1064,7 +1064,7 @@ int journal_file_verify(
goto fail;
}
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
if (f->seal) {
uint64_t q, rt;
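Review bot: The `#else` side of the `if (key)` guard in journal_file_verify is not visible in this hunk, so it should be confirmed that passing a verification key to a build without `HAVE_JOURNALD_AUTHENTICATE` returns an error instead of continuing. The later `if (f->seal)` block is compiled out in the same configuration, so if the function fell through it would report a sealed file as verified after a structural check only. If there is no such branch, `return -EOPNOTSUPP;` under `#else` would do. A short comment at the guard saying that tag verification is skipped without authentication would help either way.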
+6 -6
@@ -91,7 +91,7 @@ static const char *arg_directory = NULL;
static char **arg_file = NULL;
static int arg_priorities = 0xFF;
static const char *arg_verify_key = NULL;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
static usec_t arg_interval = DEFAULT_FSS_INTERVAL_USEC;
static bool arg_force = false;
#endif
@@ -224,7 +224,7 @@ static void help(void) {
" -D --directory=PATH Show journal files from directory\n"
" --file=PATH Show journal file\n"
" --root=ROOT Operate on catalog files underneath the root ROOT\n"
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
" --interval=TIME Time interval for changing the FSS sealing key\n"
" --verify-key=KEY Specify FSS verification key\n"
" --force Override of the FSS key pair with --setup-keys\n"
@@ -244,7 +244,7 @@ static void help(void) {
" --list-catalog Show all message IDs in the catalog\n"
" --dump-catalog Show entries in the message catalog\n"
" --update-catalog Update the message catalog database\n"
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
" --setup-keys Generate a new FSS key pair\n"
" --verify Verify journal file consistency\n"
#endif
@@ -562,7 +562,7 @@ static int parse_argv(int argc, char *argv[]) {
arg_action = ACTION_VACUUM;
break;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
case ARG_FORCE:
arg_force = true;
break;
@@ -1384,7 +1384,7 @@ static int add_syslog_identifier(sd_journal *j) {
}
static int setup_keys(void) {
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
size_t mpk_size, seed_size, state_size, i;
uint8_t *mpk, *seed, *state;
int fd = -1, r;
@@ -1587,7 +1587,7 @@ static int verify(sd_journal *j) {
int k;
usec_t first = 0, validated = 0, last = 0;
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
if (!arg_verify_key && JOURNAL_HEADER_SEALED(f->header))
log_notice("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path);
#endif
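Review bot: In verify(), the `log_notice` that warns about a sealed journal being checked without `--verify-key=` is now compiled only with `HAVE_JOURNALD_AUTHENTICATE`, so a build with `--disable-journald-authenticate` says nothing when it is asked to verify a sealed file it cannot authenticate. A passing result from such a build then looks the same as a full seal check. I would add an `#else` branch: `if (JOURNAL_HEADER_SEALED(f->header)) log_notice("Journal file %s has sealing enabled but this build cannot verify seals.", f->path);`. The help() hunks also hide `--verify` behind the same macro; whether the option itself still works in that configuration is outside the visible lines. verify()'s body continues past the hunk.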
+1 -1
@@ -1612,7 +1612,7 @@ int server_init(Server *s) {
}
void server_maybe_append_tags(Server *s) {
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
JournalFile *f;
Iterator i;
usec_t n;
+1 -1
@@ -91,7 +91,7 @@ int main(int argc, char *argv[]) {
t = server.oldest_file_usec + server.max_retention_usec - n;
}
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
if (server.system_journal) {
usec_t u;
+1 -1
@@ -60,7 +60,7 @@ static void test_non_empty(void) {
iovec.iov_len = strlen(test);
assert_se(journal_file_append_entry(f, &ts, &iovec, 1, NULL, NULL, NULL) == 0);
#ifdef HAVE_GCRYPT
#ifdef HAVE_JOURNALD_AUTHENTICATE
journal_file_append_tag(f);
#endif
journal_file_dump(f);