Backport upstream tests and fixes
Commits backported: * Add tests for LUKS binding and unbinding -f5d42cb3ba
* Rework the logic for reading the existing key -834eda9db6
* fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 ( -62bd6de0b8
* pins/tang: check that key derivation key is available -c231352729
parent
8f866ee158
commit
c3193c30ba
970
0001-Backport-upstream-tests-and-fixes.patch
Normal file
970
0001-Backport-upstream-tests-and-fixes.patch
Normal file
@ -0,0 +1,970 @@
|
|||||||
|
From c6d1b1a3128d29a2d13799cf869602d1afb02d57 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Correia <scorreia@redhat.com>
|
||||||
|
Date: Wed, 4 Dec 2019 18:11:00 -0300
|
||||||
|
Subject: [PATCH] Backport upstream tests and fixes
|
||||||
|
|
||||||
|
Commits backported:
|
||||||
|
|
||||||
|
* Add tests for LUKS binding and unbinding
|
||||||
|
- https://github.com/latchset/clevis/pull/134/commits/f5d42cb3ba02ff8fcf39cc6c2751d2cd444f5a74
|
||||||
|
|
||||||
|
* Rework the logic for reading the existing key
|
||||||
|
- https://github.com/latchset/clevis/pull/141/commits/834eda9db62992fc235ecef41461502fd4084f6e
|
||||||
|
|
||||||
|
* fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
|
||||||
|
- https://github.com/latchset/clevis/commit/62bd6de0b8c36a238809546273ff08c3f3766564
|
||||||
|
|
||||||
|
* pins/tang: check that key derivation key is available
|
||||||
|
- https://github.com/latchset/clevis/pull/119/commits/c231352729223b08ade04e4e46c775bb934c9959
|
||||||
|
---
|
||||||
|
src/luks/clevis-luks-bind | 53 ++++++++---
|
||||||
|
src/luks/meson.build | 5 +-
|
||||||
|
.../tests/bind-key-file-non-interactive-luks1 | 59 ++++++++++++
|
||||||
|
src/luks/tests/bind-luks1 | 57 ++++++++++++
|
||||||
|
src/luks/tests/bind-luks2 | 48 ++++++++++
|
||||||
|
.../bind-pass-with-newline-keyfile-luks1 | 70 ++++++++++++++
|
||||||
|
src/luks/tests/bind-pass-with-newline-luks1 | 67 +++++++++++++
|
||||||
|
src/luks/tests/bind-wrong-pass-luks1 | 56 +++++++++++
|
||||||
|
src/luks/tests/bind-wrong-pass-luks2 | 47 ++++++++++
|
||||||
|
src/luks/tests/meson.build | 27 ++++++
|
||||||
|
src/luks/tests/tests-common-functions | 93 +++++++++++++++++++
|
||||||
|
src/luks/tests/unbind-luks1 | 74 +++++++++++++++
|
||||||
|
src/luks/tests/unbind-luks2 | 51 ++++++++++
|
||||||
|
src/luks/tests/unbind-unbound-slot-luks1 | 40 ++++++++
|
||||||
|
src/luks/tests/unbind-unbound-slot-luks2 | 41 ++++++++
|
||||||
|
src/pins/tang/clevis-encrypt-tang | 6 +-
|
||||||
|
16 files changed, 780 insertions(+), 14 deletions(-)
|
||||||
|
create mode 100755 src/luks/tests/bind-key-file-non-interactive-luks1
|
||||||
|
create mode 100755 src/luks/tests/bind-luks1
|
||||||
|
create mode 100755 src/luks/tests/bind-luks2
|
||||||
|
create mode 100755 src/luks/tests/bind-pass-with-newline-keyfile-luks1
|
||||||
|
create mode 100755 src/luks/tests/bind-pass-with-newline-luks1
|
||||||
|
create mode 100755 src/luks/tests/bind-wrong-pass-luks1
|
||||||
|
create mode 100755 src/luks/tests/bind-wrong-pass-luks2
|
||||||
|
create mode 100644 src/luks/tests/meson.build
|
||||||
|
create mode 100755 src/luks/tests/tests-common-functions
|
||||||
|
create mode 100755 src/luks/tests/unbind-luks1
|
||||||
|
create mode 100755 src/luks/tests/unbind-luks2
|
||||||
|
create mode 100755 src/luks/tests/unbind-unbound-slot-luks1
|
||||||
|
create mode 100755 src/luks/tests/unbind-unbound-slot-luks2
|
||||||
|
|
||||||
|
diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind
|
||||||
|
index 7aae2ea..6edfccd 100755
|
||||||
|
--- a/src/luks/clevis-luks-bind
|
||||||
|
+++ b/src/luks/clevis-luks-bind
|
||||||
|
@@ -107,26 +107,55 @@ if cryptsetup isLuks --type luks1 "$DEV" && ! luksmeta test -d "$DEV"; then
|
||||||
|
luksmeta init -d "$DEV" $FRC
|
||||||
|
fi
|
||||||
|
|
||||||
|
-# Get the old key
|
||||||
|
+# Get the existing key.
|
||||||
|
case "$KEY" in
|
||||||
|
-"") read -s -p "Enter existing LUKS password: " old; echo;;
|
||||||
|
- -) old=`/bin/cat`;;
|
||||||
|
- *) old=`/bin/cat "$KEY"`;;
|
||||||
|
+"") read -r -s -p "Enter existing LUKS password: " existing_key; echo;;
|
||||||
|
+ -) existing_key="$(/bin/cat)";;
|
||||||
|
+ *) ! IFS= read -rd '' existing_key < "$KEY";;
|
||||||
|
esac
|
||||||
|
|
||||||
|
-# Add the new key
|
||||||
|
+
|
||||||
|
+#Add the new key
|
||||||
|
if [ -n "$SLT" ]; then
|
||||||
|
- if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then
|
||||||
|
- echo "Error while adding new key to LUKS header!" >&2
|
||||||
|
- exit 1
|
||||||
|
+ cryptsetup luksAddKey --key-slot "$SLT" --key-file \
|
||||||
|
+ <(echo -n "$existing_key") "$DEV"
|
||||||
|
+else
|
||||||
|
+ if cryptsetup isLuks --type luks2 "${DEV}"; then
|
||||||
|
+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
|
||||||
|
+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
|
||||||
|
+ else
|
||||||
|
+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
|
||||||
|
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
|
||||||
|
fi
|
||||||
|
-elif ! SLT=`echo -e "$old\n$key" \
|
||||||
|
- | cryptsetup luksAddKey -v $DEV \
|
||||||
|
- | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then
|
||||||
|
+ cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
|
||||||
|
+fi < <(echo -n "${key}")
|
||||||
|
+if [ $? -ne 0 ]; then
|
||||||
|
echo "Error while adding new key to LUKS header!" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
+#Determine slot used by new key if a desired slot was not specified
|
||||||
|
+if [ -z "$SLT" ]; then
|
||||||
|
+ if cryptsetup isLuks --type luks2 "${DEV}"; then
|
||||||
|
+ readarray -t usedSlotsAfterAddKey < <(cryptsetup luksDump "${DEV}" \
|
||||||
|
+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
|
||||||
|
+ else
|
||||||
|
+ readarray -t usedSlotsAfterAddKey < <(cryptsetup luksDump "${DEV}" \
|
||||||
|
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
|
||||||
|
+ fi
|
||||||
|
+ for i in "${usedSlotsAfterAddKey[@]}"; do
|
||||||
|
+ if [[ ! " ${usedSlotsBeforeAddKey[@]} " =~ " ${i} " ]]; then
|
||||||
|
+ SLT=$i
|
||||||
|
+ break
|
||||||
|
+ fi
|
||||||
|
+ done
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ -z "$SLT" ]; then
|
||||||
|
+ echo "Error while adding new key to LUKS header! Key slot is undefined." >&2
|
||||||
|
+ exit 1
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
if cryptsetup isLuks --type luks1 "$DEV"; then
|
||||||
|
if ! echo -n $jwe | luksmeta save -d "$DEV" -u "$UUID" -s $SLT 2>/dev/null; then
|
||||||
|
echo "Error while saving Clevis metadata in LUKSMeta!" >&2
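Review bot: Both process substitutions feed passphrases through `echo -n` (`<(echo -n "$existing_key")` on the two luksAddKey lines and `fi < <(echo -n "${key}")`), so a passphrase that happens to begin with `-n`, `-e` or `-E` is consumed as an echo option instead of being written; `printf '%s' "$existing_key"` and `printf '%s' "${key}"` pass the bytes through unchanged. The `*) ! IFS= read -rd '' existing_key < "$KEY";;` branch also silently truncates a key file at its first NUL byte, because `-d ''` delimits on NUL and a bash variable cannot hold one, so a binary keyfile (as is common for LUKS) would fail the add-key step with what looks like a wrong-passphrase error; handing the path straight to cryptsetup as `--key-file "$KEY"` avoids the round trip through the shell. The slot-diffing block assumes nothing else modifies the header between the two luksDump calls, which deserves a comment such as `# Slot detection compares luksDump before/after and assumes no concurrent header changes.` The `if cryptsetup isLuks --type luks1` block at the end of the hunk continues outside it.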
|
||||||
|
@@ -142,4 +171,4 @@ else
|
||||||
|
cryptsetup luksRemoveKey "$DEV" <<<"$key"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
-fi
|
||||||
|
\ No newline at end of file
|
||||||
|
+fi
|
||||||
|
diff --git a/src/luks/meson.build b/src/luks/meson.build
|
||||||
|
index 1f64ab0..2935c3f 100644
|
||||||
|
--- a/src/luks/meson.build
|
||||||
|
+++ b/src/luks/meson.build
|
||||||
|
@@ -18,4 +18,7 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
||||||
|
mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7')
|
||||||
|
else
|
||||||
|
warning('Will not install LUKS support due to missing dependencies!')
|
||||||
|
-endif
|
||||||
|
\ No newline at end of file
|
||||||
|
+endif
|
||||||
|
+
|
||||||
|
+# Tests.
|
||||||
|
+subdir('tests')
|
||||||
|
diff --git a/src/luks/tests/bind-key-file-non-interactive-luks1 b/src/luks/tests/bind-key-file-non-interactive-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..f5b5d03
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-key-file-non-interactive-luks1
|
||||||
|
@@ -0,0 +1,59 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST="${0}"
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||||
|
+KEYFILE="${TMP}/key"
|
||||||
|
+PASS=$(openssl rand -hex 8)
|
||||||
|
+echo -n "${PASS}" > "${KEYFILE}"
|
||||||
|
+
|
||||||
|
+# LUKS1.
|
||||||
|
+DEV="${TMP}/luks1-device"
|
||||||
|
+new_device_keyfile "luks1" "${DEV}" "${KEYFILE}"
|
||||||
|
+if ! clevis luks bind -f -k "${KEYFILE}" -d "${DEV}" tang "${CFG}"; then
|
||||||
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE})." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+SLT=1
|
||||||
|
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
|
||||||
|
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${state}" != "active" ]; then
|
||||||
|
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${uuid}" != "${UUID}" ]; then
|
||||||
|
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
|
||||||
|
+fi
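Review bot: This test takes a new, undeclared dependency on `openssl` at `PASS=$(openssl rand -hex 8)`, while the rest of the suite only needs jose, cryptsetup and luksmeta and tests/meson.build checks for none of them; if openssl is absent the script dies under `-e` with an unrelated-looking failure. A guard such as `command -v openssl >/dev/null || exit 77` would let meson report a skip instead of a failure. The message at `error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE})." >&2` also reads as if a word is missing after "correct"; `correct keyfile (${KEYFILE})` says what was supplied.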
|
||||||
|
diff --git a/src/luks/tests/bind-luks1 b/src/luks/tests/bind-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..281a328
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-luks1
|
||||||
|
@@ -0,0 +1,57 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST=$(basename "${0}")
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+
|
||||||
|
+# LUKS1.
|
||||||
|
+DEV="${TMP}/luks1-device"
|
||||||
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||||
|
+new_device "luks1" "${DEV}"
|
||||||
|
+
|
||||||
|
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
|
||||||
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+SLT=1
|
||||||
|
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
|
||||||
|
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${state}" != "active" ]; then
|
||||||
|
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${uuid}" != "${UUID}" ]; then
|
||||||
|
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
|
||||||
|
+fi
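Review bot: Every `error "..." >&2` call in this script redirects output that `error` in tests-common-functions already sends to stderr, so the `>&2` is redundant and can be dropped; the same pattern appears in the other bind-* and unbind-* scripts in this patch. The scripts also differ in how they set the test name: here `TEST=$(basename "${0}")`, while bind-key-file-non-interactive-luks1 and both bind-pass-with-newline scripts use `TEST="${0}"`, so error prefixes are inconsistent across the suite. The failure message additionally echoes the passphrase (`${DEFAULT_PASS}`) into the test log; it is a fixed test value here, but keeping secrets out of diagnostics is a habit worth preserving so the pattern is not copied into a script that handles a real one.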
|
||||||
|
diff --git a/src/luks/tests/bind-luks2 b/src/luks/tests/bind-luks2
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..11f988c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-luks2
|
||||||
|
@@ -0,0 +1,48 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST=$(basename "${0}")
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+if ! luks2_supported; then
|
||||||
|
+ error "{TEST}: LUKS2 is not supported."
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+
|
||||||
|
+# LUKS2.
|
||||||
|
+
|
||||||
|
+DEV="${TMP}/luks2-device"
|
||||||
|
+new_device "luks2" "${DEV}"
|
||||||
|
+
|
||||||
|
+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
|
||||||
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
|
||||||
|
+fi
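Review bot: The unsupported-LUKS2 message at `error "{TEST}: LUKS2 is not supported."` is missing the `$`, so the literal text `{TEST}` is printed rather than the test name; the same line appears in bind-wrong-pass-luks2. Because `error` exits 1, a build without LUKS2 support would also be reported as a test failure rather than a skip; `echo "${TEST}: LUKS2 is not supported." >&2; exit 77` would have meson record it as skipped. Note that `luks2_supported` in tests-common-functions returns 0 unconditionally as written, so this branch is currently unreachable.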
|
||||||
|
diff --git a/src/luks/tests/bind-pass-with-newline-keyfile-luks1 b/src/luks/tests/bind-pass-with-newline-keyfile-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..bce584e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-pass-with-newline-keyfile-luks1
|
||||||
|
@@ -0,0 +1,70 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST="${0}"
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+
|
||||||
|
+# LUKS1.
|
||||||
|
+DEV="${TMP}/luks1-device"
|
||||||
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||||
|
+
|
||||||
|
+# Using newlines and special chars in the passphrase.
|
||||||
|
+PASS="foo
|
||||||
|
+
|
||||||
|
+bar
|
||||||
|
+
|
||||||
|
+\\\&#@@&@*!)(
|
||||||
|
+
|
||||||
|
+$$$
|
||||||
|
+"
|
||||||
|
+
|
||||||
|
+KEYFILE="${TMP}/key"
|
||||||
|
+echo -n "${PASS}" > "${KEYFILE}"
|
||||||
|
+
|
||||||
|
+new_device_keyfile "luks1" "${DEV}" "${KEYFILE}"
|
||||||
|
+if ! clevis luks bind -f -k "${KEYFILE}" -d "${DEV}" tang "${CFG}"; then
|
||||||
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE}) password." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+SLT=1
|
||||||
|
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
|
||||||
|
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${state}" != "active" ]; then
|
||||||
|
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${uuid}" != "${UUID}" ]; then
|
||||||
|
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
|
||||||
|
+fi
|
||||||
|
diff --git a/src/luks/tests/bind-pass-with-newline-luks1 b/src/luks/tests/bind-pass-with-newline-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..89de082
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-pass-with-newline-luks1
|
||||||
|
@@ -0,0 +1,67 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST="${0}"
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+
|
||||||
|
+# LUKS1.
|
||||||
|
+DEV="${TMP}/luks1-device"
|
||||||
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||||
|
+
|
||||||
|
+# Using newlines and special chars in the passphrase.
|
||||||
|
+PASS="foo
|
||||||
|
+
|
||||||
|
+bar
|
||||||
|
+
|
||||||
|
+\\\&#@@&@*!)(
|
||||||
|
+
|
||||||
|
+$$$
|
||||||
|
+"
|
||||||
|
+new_device "luks1" "${DEV}" "${PASS}"
|
||||||
|
+
|
||||||
|
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then
|
||||||
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+SLT=1
|
||||||
|
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
|
||||||
|
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${state}" != "active" ]; then
|
||||||
|
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${uuid}" != "${UUID}" ]; then
|
||||||
|
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
|
||||||
|
+fi
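Review bot: It is not clear that this script exercises a multi-line passphrase end to end: both `new_device "luks1" "${DEV}" "${PASS}"` and the bind call deliver `${PASS}` through a here-string on stdin, and cryptsetup without a key file as well as the interactive `read` in clevis-luks-bind appear to stop at the first newline, so the device may simply be formatted and bound with `foo`. If that is the case the test passes without covering the newline path; the keyfile variant (bind-pass-with-newline-keyfile-luks1) is the one that does, since the key file carries the whole string. A comment stating which input path this script is meant to cover, e.g. `# Covers the stdin/interactive path; full newline handling is covered by the -keyfile variant.`, or an assertion on which passphrase actually opens the device, would make the intent checkable.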
|
||||||
|
diff --git a/src/luks/tests/bind-wrong-pass-luks1 b/src/luks/tests/bind-wrong-pass-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..a15945e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-wrong-pass-luks1
|
||||||
|
@@ -0,0 +1,56 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST=$(basename "${0}")
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+
|
||||||
|
+# LUKS1.
|
||||||
|
+DEV="${TMP}/luks1-device"
|
||||||
|
+new_device "luks1" "${DEV}"
|
||||||
|
+
|
||||||
|
+if clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "wrong-passphrase"; then
|
||||||
|
+ error "${TEST}: Binding is expected to fail when given a wrong password." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+SLT=1
|
||||||
|
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
|
||||||
|
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${state}" != "inactive" ]; then
|
||||||
|
+ error "${TEST}: state (${state}) is expected to be 'inactive'." >&2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "${uuid}" != "empty" ]; then
|
||||||
|
+ error "${TEST}: UUID ($uuid) is expected to be 'empty'." >&2
|
||||||
|
+fi
|
||||||
|
diff --git a/src/luks/tests/bind-wrong-pass-luks2 b/src/luks/tests/bind-wrong-pass-luks2
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..cbbb095
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/bind-wrong-pass-luks2
|
||||||
|
@@ -0,0 +1,47 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST=$(basename "${0}")
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+trap 'exit' ERR
|
||||||
|
+
|
||||||
|
+if ! luks2_supported; then
|
||||||
|
+ error "{TEST}: LUKS2 is not supported."
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+ADV="${TMP}/adv.jws"
|
||||||
|
+create_tang_adv "${ADV}"
|
||||||
|
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||||
|
+
|
||||||
|
+# LUKS2.
|
||||||
|
+DEV="${TMP}/luks2-device"
|
||||||
|
+new_device "luks2" "${DEV}"
|
||||||
|
+
|
||||||
|
+if clevis luks bind -d "${DEV}" tang "${CFG}" <<< "wrong-passphrase"; then
|
||||||
|
+ error "${TEST}: Binding is expected to fail when given a wrong password." >&2
|
||||||
|
+fi
|
||||||
|
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..85b8a99
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/meson.build
|
||||||
|
@@ -0,0 +1,27 @@
|
||||||
|
+env = environment()
|
||||||
|
+env.prepend('PATH',
|
||||||
|
+ join_paths(meson.source_root(), 'src'),
|
||||||
|
+ join_paths(meson.source_root(), 'src', 'luks'),
|
||||||
|
+ join_paths(meson.source_root(), 'src', 'pins', 'tang'),
|
||||||
|
+ join_paths(meson.source_root(), 'src', 'pins', 'tpm2'),
|
||||||
|
+ meson.current_source_dir(),
|
||||||
|
+ meson.current_build_dir(),
|
||||||
|
+ join_paths(meson.build_root(), 'src'),
|
||||||
|
+ join_paths(meson.build_root(), 'src', 'luks'),
|
||||||
|
+ separator: ':'
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+test('bind-wrong-pass-luks1', find_program('bind-wrong-pass-luks1'), env: env)
|
||||||
|
+test('bind-luks1', find_program('bind-luks1'), env: env)
|
||||||
|
+test('unbind-unbound-slot-luks1', find_program('unbind-unbound-slot-luks1'), env: env)
|
||||||
|
+test('unbind-luks1', find_program('unbind-luks1'), env: env)
|
||||||
|
+test('bind-key-file-non-interactive', find_program('bind-key-file-non-interactive-luks1'), env: env)
|
||||||
|
+test('bind-pass-with-newline', find_program('bind-pass-with-newline-luks1'), env: env)
|
||||||
|
+test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyfile-luks1'), env: env)
|
||||||
|
+
|
||||||
|
+# LUKS2 tests go here.
|
||||||
|
+# Binding LUKS2 takes longer, so timeout is increased for a few tests.
|
||||||
|
+test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env)
|
||||||
|
+test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60)
|
||||||
|
+test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
|
||||||
|
+test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
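Review bot: Three registered test names drift from the script names: `test('bind-key-file-non-interactive', ...)`, `test('bind-pass-with-newline', ...)` and `test('bind-pass-with-newline-keyfile', ...)` drop the `-luks1` suffix that every other entry keeps, which makes `meson test <name>` and the log harder to correlate with the file on disk. Using the script name as the test name, e.g. `test('bind-key-file-non-interactive-luks1', find_program('bind-key-file-non-interactive-luks1'), env: env)`, keeps them aligned. The PATH prepend also adds `src/pins/tpm2` although none of the added tests use that pin; harmless, but a one-line comment on why it is there would help.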
|
||||||
|
diff --git a/src/luks/tests/tests-common-functions b/src/luks/tests/tests-common-functions
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..4befaa9
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/tests-common-functions
|
||||||
|
@@ -0,0 +1,93 @@
|
||||||
|
+#!/bin/bash -ex
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+error() {
|
||||||
|
+ echo "${1}" >&2
|
||||||
|
+ exit 1
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
|
||||||
|
+# Support is determined at build time.
|
||||||
|
+luks2_supported() {
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# Creates a tang adv to be used in the test.
|
||||||
|
+create_tang_adv() {
|
||||||
|
+ local adv="${1}"
|
||||||
|
+ local SIG="${TMP}/sig.jwk"
|
||||||
|
+ jose jwk gen -i '{"alg":"ES512"}' > "${SIG}"
|
||||||
|
+
|
||||||
|
+ local EXC="${TMP}/exc.jwk"
|
||||||
|
+ jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}"
|
||||||
|
+
|
||||||
|
+ local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
|
||||||
|
+ jose jwk pub -s -i "${SIG}" -i "${EXC}" \
|
||||||
|
+ | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+# Creates a new LUKS1 or LUKS2 device to be used.
|
||||||
|
+new_device() {
|
||||||
|
+ local LUKS="${1}"
|
||||||
|
+ local DEV="${2}"
|
||||||
|
+ local PASS="${3}"
|
||||||
|
+
|
||||||
|
+ # Using a default password, if none has been provided.
|
||||||
|
+ if [ -z "${PASS}" ]; then
|
||||||
|
+ PASS="${DEFAULT_PASS}"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ local DEV_CACHED="${TMP}/${LUKS}.cached"
|
||||||
|
+
|
||||||
|
+ # Let's reuse an existing device, if there is one.
|
||||||
|
+ if [ -f "${DEV_CACHED}" ]; then
|
||||||
|
+ echo "Reusing cached ${LUKS} device..."
|
||||||
|
+ cp -f "${DEV_CACHED}" "${DEV}"
|
||||||
|
+ return 0
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ fallocate -l16M "${DEV}"
|
||||||
|
+ local extra_options=
|
||||||
|
+ if [ "${LUKS}" = "luks2" ]; then
|
||||||
|
+ extra_options="--pbkdf pbkdf2"
|
||||||
|
+ fi
|
||||||
|
+ if ! cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" <<< "${PASS}"; then
|
||||||
|
+ cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" --debug 2>&1 <<< "${PASS}"
|
||||||
|
+ fi
|
||||||
|
+ # Caching the just-formatted device for possible reuse.
|
||||||
|
+ cp -f "${DEV}" "${DEV_CACHED}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# Creates a new LUKS1 or LUKS2 device to be used, using a keyfile.
|
||||||
|
+new_device_keyfile() {
|
||||||
|
+ local LUKS="${1}"
|
||||||
|
+ local DEV="${2}"
|
||||||
|
+ local KEYFILE="${3}"
|
||||||
|
+
|
||||||
|
+ if [[ -z "${KEYFILE}" ]] || [[ ! -f "${KEYFILE}" ]]; then
|
||||||
|
+ error "Invalid keyfile (${KEYFILE})."
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ fallocate -l16M "${DEV}"
|
||||||
|
+ cryptsetup luksFormat --type "${LUKS}" --batch-mode "${DEV}" "${KEYFILE}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+export DEFAULT_PASS='just-some-test-password-here'
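Review bot: In `new_device`, `extra_options` is set to `--pbkdf pbkdf2` for LUKS2 but never passed to either `cryptsetup luksFormat` invocation, so the option has no effect and LUKS2 formatting runs with cryptsetup's default PBKDF, which is presumably why the LUKS2 tests needed a longer timeout in tests/meson.build. Holding the options in an array and expanding it with `"${extra_options[@]}"` applies them without word-splitting surprises. Separately, `luks2_supported` always returns 0 even though its comment says support is determined at build time; nothing in the added meson.build substitutes into this file, so the check is a no-op and deserves either a `# TODO` or a real probe.
```bash
    local -a extra_options=()
    if [ "${LUKS}" = "luks2" ]; then
        extra_options+=(--pbkdf pbkdf2)
    fi
    if ! cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${extra_options[@]}" "${DEV}" <<< "${PASS}"; then
        cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${extra_options[@]}" "${DEV}" --debug 2>&1 <<< "${PASS}"
    fi
    # … unchanged: caching of the formatted device …
```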
|
||||||
|
diff --git a/src/luks/tests/unbind-luks1 b/src/luks/tests/unbind-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..56cf8c0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/unbind-luks1
|
||||||
|
@@ -0,0 +1,74 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks1" "${DEV}"
+
+# Bind, initially.
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+fi
+
+# Now unbind.
+if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
+fi
+
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "inactive" ]; then
+ error "${TEST}: state (${state}) is expected to be 'inactive'." >&2
+fi
+
+if [ "${uuid}" != "empty" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be 'empty'." >&2
+fi
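Review bot: The slot lookup `grep "^${SLT} *"` used by both `read -r _ state uuid` lines anchors only on the leading digit, since ` *` also matches zero spaces, so any luksmeta line starting with that digit would satisfy it; with `SLT=1` and LUKS1's eight slots this is harmless today, but a stricter anchor such as `grep "^${SLT} "` (or `grep -E "^${SLT}[[:space:]]"`) states the intent and keeps the test correct if the slot number or output format ever changes. The same pattern appears at the post-bind read and again at the post-unbind read; both are within this hunk.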
diff --git a/src/luks/tests/unbind-luks2 b/src/luks/tests/unbind-luks2
new file mode 100755
index 0000000..82871be
--- /dev/null
+++ b/src/luks/tests/unbind-luks2
@@ -0,0 +1,51 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+if ! luks2_supported; then
+ error "{TEST}: LUKS2 is not supported."
+fi
+
+TMP="$(mktemp -d)"
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+# Binding.
+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed." >&2
+fi
+
+SLT=1
+if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
+fi
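Review bot: The message at `error "{TEST}: LUKS2 is not supported."` is missing the `$`, so it prints the literal text `{TEST}` rather than the script name; it should read `error "${TEST}: LUKS2 is not supported."`. The same typo appears in the unbind-unbound-slot-luks2 file added further down in this patch. Separately, unlike unbind-luks1 this test does not verify the slot state after `clevis luks unbind`, so an unbind that exits 0 without touching the slot would still pass; since luksmeta is not used here for LUKS2, a `cryptsetup luksDump "${DEV}"` check on the keyslot or token would be the equivalent assertion.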
diff --git a/src/luks/tests/unbind-unbound-slot-luks1 b/src/luks/tests/unbind-unbound-slot-luks1
new file mode 100755
index 0000000..e562a36
--- /dev/null
+++ b/src/luks/tests/unbind-unbound-slot-luks1
@@ -0,0 +1,40 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+SLT=2
+if clevis luks unbind -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2
+fi
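Review bot: The negative check `if clevis luks unbind -d "${DEV}" -s "${SLT}"; then` omits `-f`, which the positive unbind tests in this patch pass to skip the confirmation prompt, so without a terminal on stdin the command may fail at the prompt rather than because slot 2 is unbound, and the test would then pass for the wrong reason. Passing `-f` as in unbind-luks1 (`clevis luks unbind -f -d "${DEV}" -s "${SLT}"`) ties the expected failure to the unbound slot. The same applies to the luks2 variant of this test added next.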
diff --git a/src/luks/tests/unbind-unbound-slot-luks2 b/src/luks/tests/unbind-unbound-slot-luks2
new file mode 100755
index 0000000..6a2aca5
--- /dev/null
+++ b/src/luks/tests/unbind-unbound-slot-luks2
@@ -0,0 +1,41 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+if ! luks2_supported; then
+ error "{TEST}: LUKS2 is not supported."
+fi
+
+TMP="$(mktemp -d)"
+
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+if clevis luks unbind -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2
+fi
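Review bot: `SLT` is never assigned in this file before `clevis luks unbind -d "${DEV}" -s "${SLT}"`, and the script runs under `bash -ex` without `-u`, so `-s` receives an empty string; the command is then expected to fail, but not for the reason the test name implies. The luks1 variant sets the slot first, so add the matching line `SLT=2` ahead of the unbind call.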
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
index e65a7d1..5461b45 100755
--- a/src/pins/tang/clevis-encrypt-tang
+++ b/src/pins/tang/clevis-encrypt-tang
@@ -114,7 +114,11 @@ elif [ "$thp" != "any" ] && \
fi
|
### Perform encryption
-enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`
+if ! enc="$(jose jwk use -i- -r -u deriveKey -o- <<< "$jwks")"; then
+ echo "Key derivation key not available!" >&2
+ exit 1
+fi
+
jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"
|
for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do
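Review bot: The new guard only catches a non-zero exit from `jose jwk use`; if it exits 0 with empty output, `enc` is empty, the fallback on the next line builds `{"keys":[]}` and the loop after it simply runs zero times, so the "Key derivation key not available!" path is bypassed. Extending the condition to `if ! enc="$(jose jwk use -i- -r -u deriveKey -o- <<< "$jwks")" || [ -z "$enc" ]; then` covers that case as well. Whether jose can exit 0 with no matching key depends on its `-r` semantics, which are not visible here; the loop that consumes `enc` continues outside the hunk.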
--
2.23.0
|
13
clevis.spec
13
clevis.spec
@ -3,7 +3,7 @@
|
|
|
Name: clevis
|
Name: clevis
|
Version: 11
|
Version: 11
|
Release: 8%{?dist}
|
Release: 9%{?dist}
|
Summary: Automated decryption framework
|
Summary: Automated decryption framework
|
|
|
License: GPLv3+
|
License: GPLv3+
|
@ -18,6 +18,8 @@ Patch2: Add-device-TCTI-library-to-the-initramfs.patch
|
Patch4: clevis-encrypt-tpm2-fix-TPM-object-attributes.patch
|
Patch4: clevis-encrypt-tpm2-fix-TPM-object-attributes.patch
|
Patch5: clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch
|
Patch5: clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch
|
Patch6: pins-tpm2-add-support-for-tpm2-tools-4.X.patch
|
Patch6: pins-tpm2-add-support-for-tpm2-tools-4.X.patch
|
|
# Backport of some fixes and also adding tests in the build.
|
|
Patch7: 0001-Backport-upstream-tests-and-fixes.patch
|
|
|
BuildRequires: gcc
|
BuildRequires: gcc
|
BuildRequires: meson
|
BuildRequires: meson
|
@ -38,6 +40,9 @@ BuildRequires: systemd
|
BuildRequires: dracut
|
BuildRequires: dracut
|
BuildRequires: tang >= 6
|
BuildRequires: tang >= 6
|
BuildRequires: curl
|
BuildRequires: curl
|
|
BuildRequires: cracklib-dicts
|
|
BuildRequires: luksmeta
|
|
BuildRequires: openssl
|
|
|
Requires: tpm2-tools >= 3.0.0
|
Requires: tpm2-tools >= 3.0.0
|
Requires: coreutils
|
Requires: coreutils
|
@ -165,6 +170,12 @@ exit 0
|
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
|
|
%changelog
|
%changelog
|
|
* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
|
|
- Backport of upstream patches and the following fixes:
|
|
- Rework the logic for reading the existing key
|
|
- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
|
|
- pins/tang: check that key derivation key is available
|
|
|
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
|
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
|
- Drop need network patch
|
- Drop need network patch
|
|
|
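Review bot: The changelog line `- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (` ends with an unbalanced `(` carried over from the upstream commit subject; trimming it to `- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2` keeps the entry readable. The new tests run `cryptsetup luksFormat` and `luksmeta` at build time; `luksmeta` is added to BuildRequires here, but cryptsetup itself does not appear in the visible lines, so confirm it is already a BuildRequires elsewhere in the spec.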