* Fri Jun 02 2023 Tomas Bzatek <tbzatek@redhat.com> - 2.9.0-14

- iscsi: CHAP auth algorithm selection fixes (#2188991)
- tests: Use stronger passphrases for LUKS tests
- lvm2: Improve uevent processing (#2039772)

Resolves: #2188991,#2039772
This commit is contained in:
Tomas Bzatek 2023-06-02 17:14:09 +02:00
parent f9041eb9de
commit 2dd5a3fbfd
8 changed files with 891 additions and 2 deletions

View File

@ -0,0 +1,161 @@
From 26fcef727d68af97b1187d2ac3cad19acc3d97c8 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Tue, 16 May 2023 18:33:59 +0200
Subject: [PATCH 1/2] iscsi: Set node parameters before the Login/Logout action
This allows to properly pass required arguments like the CHAP
auth algorithms, etc.
---
modules/iscsi/udisksiscsiutil.c | 54 ++++++++++++++++++---------------
1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c
index 78890106f0..b279442876 100644
--- a/modules/iscsi/udisksiscsiutil.c
+++ b/modules/iscsi/udisksiscsiutil.c
@@ -186,9 +186,10 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI *module,
}
static gint
-iscsi_node_set_parameters (struct libiscsi_context *ctx,
- struct libiscsi_node *node,
- GVariant *params)
+iscsi_node_set_parameters (struct libiscsi_context *ctx,
+ struct libiscsi_node *node,
+ GVariant *params,
+ gchar **errorstr)
{
GVariantIter iter;
GVariant *value;
@@ -207,9 +208,11 @@ iscsi_node_set_parameters (struct libiscsi_context *ctx,
/* Update the node parameter value. */
err = libiscsi_node_set_parameter (ctx, node, key, param_value);
+ if (errorstr && err != 0)
+ *errorstr = g_strdup (libiscsi_get_error_string (ctx));
g_variant_unref (value);
- g_free ((gpointer) key);
+ g_free (key);
}
return 0;
@@ -279,7 +282,7 @@ iscsi_login (UDisksLinuxModuleISCSI *module,
const gchar *password = NULL;
const gchar *reverse_username = NULL;
const gchar *reverse_password = NULL;
- gint err;
+ gint err = 0;
g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1);
@@ -304,17 +307,18 @@ iscsi_login (UDisksLinuxModuleISCSI *module,
/* Get iscsi context. */
ctx = udisks_linux_module_iscsi_get_libiscsi_context (module);
- /* Login */
- err = iscsi_perform_login_action (module,
- ACTION_LOGIN,
- &node,
- &auth_info,
- errorstr);
+ /* Update node parameters. */
+ if (params)
+ err = iscsi_node_set_parameters (ctx, &node, params_without_chap, errorstr);
- if (err == 0 && params)
+ /* Login */
+ if (err == 0)
{
- /* Update node parameters. */
- err = iscsi_node_set_parameters (ctx, &node, params_without_chap);
+ err = iscsi_perform_login_action (module,
+ ACTION_LOGIN,
+ &node,
+ &auth_info,
+ errorstr);
}
g_variant_unref (params_without_chap);
@@ -334,7 +338,7 @@ iscsi_logout (UDisksLinuxModuleISCSI *module,
{
struct libiscsi_context *ctx;
struct libiscsi_node node = {0,};
- gint err;
+ gint err = 0;
g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1);
@@ -344,18 +348,18 @@ iscsi_logout (UDisksLinuxModuleISCSI *module,
/* Get iscsi context. */
ctx = udisks_linux_module_iscsi_get_libiscsi_context (module);
- /* Logout */
- err = iscsi_perform_login_action (module,
- ACTION_LOGOUT,
- &node,
- NULL,
- errorstr);
+ /* Update node parameters. */
+ if (params)
+ err = iscsi_node_set_parameters (ctx, &node, params, errorstr);
- if (err == 0 && params)
+ /* Logout */
+ if (err == 0)
{
- /* Update node parameters. */
- err = iscsi_node_set_parameters (ctx, &node, params);
-
+ err = iscsi_perform_login_action (module,
+ ACTION_LOGOUT,
+ &node,
+ NULL,
+ errorstr);
}
return err;
From 749812784abcc4c0492bda0703bff5d3dae052f9 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Tue, 16 May 2023 18:35:42 +0200
Subject: [PATCH 2/2] tests: Disallow MD5 for iscsi CHAP login
MD5 is unavailable in FIPS mode:
iscsid[82167]: iscsid: Ignoring CHAP algorthm request for MD5 due to crypto lib configuration
iscsid[82167]: iscsid: Couldn't set CHAP algorithm list
kernel: rx_data returned 0, expecting 48.
kernel: iSCSI Login negotiation failed.
---
src/tests/dbus-tests/test_30_iscsi.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py
index 09e975f30c..02ba6c92b0 100644
--- a/src/tests/dbus-tests/test_30_iscsi.py
+++ b/src/tests/dbus-tests/test_30_iscsi.py
@@ -161,6 +161,7 @@ def test_login_chap_auth(self):
self.assertEqual(port, self.port)
options = dbus.Dictionary(signature='sv')
+ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5
options['username'] = self.initiator
msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)'
@@ -227,6 +228,7 @@ def test_login_mutual_auth(self):
self.assertEqual(port, self.port)
options = dbus.Dictionary(signature='sv')
+ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5
options['username'] = self.initiator
options['password'] = self.password
options['reverse-username'] = self.mutual_iqn
@@ -335,6 +337,7 @@ def test_login_noauth_badauth(self):
# first attempt - wrong password
options = dbus.Dictionary(signature='sv')
+ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5
options['username'] = self.initiator
msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)'
with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):

View File

@ -0,0 +1,75 @@
commit fab797fcf5e4c8e09e4cde45647951acd764415e
Author: Tomas Bzatek <tbzatek@redhat.com>
Date: Mon Oct 10 13:58:15 2022 +0200
tests: Add bad auth test for iscsi
This tests that the auth info is properly set for each login call,
overriding previously set auth info with no trace.
diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py
index 34bdfc4b..6ac8386b 100644
--- a/src/tests/dbus-tests/test_30_iscsi.py
+++ b/src/tests/dbus-tests/test_30_iscsi.py
@@ -284,3 +284,61 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase):
# make sure the session object is no longer on dbus
objects = udisks.GetManagedObjects(dbus_interface='org.freedesktop.DBus.ObjectManager')
self.assertNotIn(session_path, objects.keys())
+
+ def test_login_noauth_badauth(self):
+ """
+ Test auth info override
+ """
+ manager = self.get_object('/Manager')
+ nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options,
+ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator',
+ timeout=self.iscsi_timeout)
+
+ node = next((node for node in nodes if node[0] == self.noauth_iqn), None)
+ self.assertIsNotNone(node)
+
+ (iqn, tpg, host, port, iface) = node
+ self.assertEqual(iqn, self.noauth_iqn)
+ self.assertEqual(host, self.address)
+ self.assertEqual(port, self.port)
+
+ self.addCleanup(self._force_lougout, self.noauth_iqn)
+
+ # first attempt - wrong password
+ options = dbus.Dictionary(signature='sv')
+ options['username'] = self.initiator
+ msg = 'Login failed: initiator reported error'
+ with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
+ options['password'] = '12345'
+ manager.Login(iqn, tpg, host, port, iface, options,
+ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator',
+ timeout=self.iscsi_timeout)
+
+ # second atttempt - no password
+ manager.Login(iqn, tpg, host, port, iface, self.no_options,
+ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator',
+ timeout=self.iscsi_timeout)
+
+ devs = glob.glob('/dev/disk/by-path/*%s*' % iqn)
+ self.assertEqual(len(devs), 1)
+
+ # check if the block device have 'Symlinks' property updated
+ disk_name = os.path.realpath(devs[0]).split('/')[-1]
+ disk_obj = self.get_object('/block_devices/' + disk_name)
+ dbus_path = str(disk_obj.object_path)
+ self.assertIsNotNone(disk_obj)
+
+ symlinks = self.get_property_raw(disk_obj, '.Block', 'Symlinks')
+ self.assertIn(self.str_to_ay(devs[0]), symlinks)
+
+ manager.Logout(iqn, tpg, host, port, iface, self.no_options,
+ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator',
+ timeout=self.iscsi_timeout)
+
+ devs = glob.glob('/dev/disk/by-path/*%s*' % iqn)
+ self.assertEqual(len(devs), 0)
+
+ # make sure the disk is no longer on dbus
+ udisks = self.get_object('')
+ objects = udisks.GetManagedObjects(dbus_interface='org.freedesktop.DBus.ObjectManager')
+ self.assertNotIn(dbus_path, objects.keys())

View File

@ -0,0 +1,51 @@
commit 13a6a27eecdd1fb527b9151309366970b182a58d
Author: Tomas Bzatek <tbzatek@redhat.com>
Date: Thu Oct 20 17:17:10 2022 +0200
tests: Fix LIO target config auth
Linux kernel 6.0 brought number of the LIO target changes related to authentication
that made our tests fail. Turned out our target config was incorrect, e.g.
not requiring auth for CHAP tests, etc. The kernel 6.0 looks to be more strict
in this regard.
diff --git a/src/tests/dbus-tests/targetcli_config.json b/src/tests/dbus-tests/targetcli_config.json
index 25d506b6..3be9eac2 100644
--- a/src/tests/dbus-tests/targetcli_config.json
+++ b/src/tests/dbus-tests/targetcli_config.json
@@ -385,7 +385,7 @@
"tpgs": [
{
"attributes": {
- "authentication": 0,
+ "authentication": 1,
"cache_dynamic_acls": 0,
"default_cmdsn_depth": 64,
"default_erl": 0,
@@ -432,7 +432,7 @@
}
],
"parameters": {
- "AuthMethod": "CHAP,None",
+ "AuthMethod": "CHAP",
"DataDigest": "CRC32C,None",
"DataPDUInOrder": "Yes",
"DataSequenceInOrder": "Yes",
@@ -471,7 +471,7 @@
"tpgs": [
{
"attributes": {
- "authentication": 0,
+ "authentication": 1,
"cache_dynamic_acls": 0,
"default_cmdsn_depth": 64,
"default_erl": 0,
@@ -520,7 +520,7 @@
}
],
"parameters": {
- "AuthMethod": "CHAP,None",
+ "AuthMethod": "CHAP",
"DataDigest": "CRC32C,None",
"DataPDUInOrder": "Yes",
"DataSequenceInOrder": "Yes",

View File

@ -0,0 +1,37 @@
commit 1bf172603e4cc77da70d8fd13b6ba6c8b8c91600
Author: Tomas Bzatek <tbzatek@redhat.com>
Date: Thu Oct 20 17:53:20 2022 +0200
tests: Test iscsi noauth in test_login_chap_auth
The other way is already tested in test_login_noauth_badauth.
diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py
index 2b75462a..f2594d99 100644
--- a/src/tests/dbus-tests/test_30_iscsi.py
+++ b/src/tests/dbus-tests/test_30_iscsi.py
@@ -151,8 +151,14 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase):
options = dbus.Dictionary(signature='sv')
options['username'] = self.initiator
+ msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)'
+ # missing auth info
+ with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
+ manager.Login(iqn, tpg, host, port, iface, self.no_options,
+ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator',
+ timeout=self.iscsi_timeout)
+
# wrong password
- msg = 'Login failed: initiator reported error'
with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
options['password'] = '12345'
manager.Login(iqn, tpg, host, port, iface, options,
@@ -318,7 +324,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase):
# first attempt - wrong password
options = dbus.Dictionary(signature='sv')
options['username'] = self.initiator
- msg = 'Login failed: initiator reported error'
+ msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)'
with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
options['password'] = '12345'
manager.Login(iqn, tpg, host, port, iface, options,

View File

@ -0,0 +1,113 @@
From 28c39786927ad683f56c031d80a5c06f5b5b9aea Mon Sep 17 00:00:00 2001
From: Marius Vollmer <mvollmer@redhat.com>
Date: Tue, 5 Apr 2022 11:23:23 +0300
Subject: [PATCH] lvm2: Only install results of most recently started udpates
Fixes #966
---
modules/lvm2/udiskslinuxmodulelvm2.c | 13 ++++++++++++-
modules/lvm2/udiskslinuxvolumegroupobject.c | 12 ++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/modules/lvm2/udiskslinuxmodulelvm2.c b/modules/lvm2/udiskslinuxmodulelvm2.c
index 8e1ea13aec..77ecf94a6d 100644
--- a/modules/lvm2/udiskslinuxmodulelvm2.c
+++ b/modules/lvm2/udiskslinuxmodulelvm2.c
@@ -59,6 +59,8 @@ struct _UDisksLinuxModuleLVM2 {
gint delayed_update_id;
gboolean coldplug_done;
+
+ guint32 update_epoch;
};
typedef struct _UDisksLinuxModuleLVM2Class UDisksLinuxModuleLVM2Class;
@@ -86,6 +88,7 @@ udisks_linux_module_lvm2_constructed (GObject *object)
module->name_to_volume_group = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify) g_object_unref);
module->coldplug_done = FALSE;
+ module->update_epoch = 0;
if (G_OBJECT_CLASS (udisks_linux_module_lvm2_parent_class)->constructed)
G_OBJECT_CLASS (udisks_linux_module_lvm2_parent_class)->constructed (object);
@@ -221,6 +224,12 @@ lvm_update_vgs (GObject *source_obj,
gpointer key, value;
const gchar *vg_name;
+ if (GPOINTER_TO_UINT (user_data) != module->update_epoch)
+ {
+ vgs_pvs_data_free (data);
+ return;
+ }
+
if (! data)
{
if (error)
@@ -303,11 +312,13 @@ lvm_update (UDisksLinuxModuleLVM2 *module)
{
GTask *task;
+ module->update_epoch++;
+
/* the callback (lvm_update_vgs) is called in the default main loop (context) */
task = g_task_new (module,
NULL /* cancellable */,
lvm_update_vgs,
- NULL /* callback_data */);
+ GUINT_TO_POINTER (module->update_epoch));
/* holds a reference to 'task' until it is finished */
g_task_run_in_thread (task, (GTaskThreadFunc) vgs_task_func);
diff --git a/modules/lvm2/udiskslinuxvolumegroupobject.c b/modules/lvm2/udiskslinuxvolumegroupobject.c
index ce941cb250..ead08de7b1 100644
--- a/modules/lvm2/udiskslinuxvolumegroupobject.c
+++ b/modules/lvm2/udiskslinuxvolumegroupobject.c
@@ -66,6 +66,7 @@ struct _UDisksLinuxVolumeGroupObject
gchar *name;
GHashTable *logical_volumes;
+ guint32 update_epoch;
guint32 poll_epoch;
guint poll_timeout_id;
gboolean poll_requested;
@@ -99,6 +100,7 @@ static void crypttab_changed (UDisksCrypttabMonitor *monitor,
typedef struct {
BDLVMVGdata *vg_info;
GSList *vg_pvs;
+ guint32 epoch;
} VGUpdateData;
static void
@@ -183,6 +185,7 @@ udisks_linux_volume_group_object_set_property (GObject *__object,
static void
udisks_linux_volume_group_object_init (UDisksLinuxVolumeGroupObject *object)
{
+ object->update_epoch = 0;
object->poll_epoch = 0;
object->poll_timeout_id = 0;
object->poll_requested = FALSE;
@@ -575,6 +578,12 @@ update_vg (GObject *source_obj,
BDLVMVGdata *vg_info = data->vg_info;
GSList *vg_pvs = data->vg_pvs;
+ if (data->epoch != object->update_epoch)
+ {
+ lv_list_free (lvs);
+ return;
+ }
+
/* free the data container (but not 'vg_info' and 'vg_pvs') */
g_free (data);
@@ -711,8 +720,11 @@ udisks_linux_volume_group_object_update (UDisksLinuxVolumeGroupObject *object, B
gchar *vg_name = g_strdup (vg_info->name);
GTask *task = NULL;
+ object->update_epoch++;
+
data->vg_info = vg_info;
data->vg_pvs = pvs;
+ data->epoch = object->update_epoch;
/* the callback (update_vg) is called in the default main loop (context) */
task = g_task_new (g_object_ref (object), NULL /* cancellable */, update_vg, data /* callback_data */);

View File

@ -0,0 +1,26 @@
From f24601b1d1302350fff15f326bfe3cfabde05f4c Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Fri, 19 May 2023 17:17:56 +0200
Subject: [PATCH] lvm2: Trigger uevent sync on block devices when creating new
VG
This will likely slow down processing with the hope that
more objects have their properties updated properly.
---
modules/lvm2/udiskslinuxmanagerlvm2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/lvm2/udiskslinuxmanagerlvm2.c b/modules/lvm2/udiskslinuxmanagerlvm2.c
index b0c62fdcd6..5c06b921df 100644
--- a/modules/lvm2/udiskslinuxmanagerlvm2.c
+++ b/modules/lvm2/udiskslinuxmanagerlvm2.c
@@ -384,7 +384,8 @@ handle_volume_group_create (UDisksManagerLVM2 *_object,
UDisksObject *object_for_block;
object_for_block = udisks_daemon_util_dup_object (block, &error);
if (object_for_block != NULL)
- udisks_linux_block_object_trigger_uevent (UDISKS_LINUX_BLOCK_OBJECT (object_for_block));
+ udisks_linux_block_object_trigger_uevent_sync (UDISKS_LINUX_BLOCK_OBJECT (object_for_block),
+ UDISKS_DEFAULT_WAIT_TIMEOUT);
g_object_unref (object_for_block);
}

View File

@ -0,0 +1,405 @@
diff -up udisks-2.9.0/src/tests/dbus-tests/test_50_block.py.bak udisks-2.9.0/src/tests/dbus-tests/test_50_block.py
--- udisks-2.9.0/src/tests/dbus-tests/test_50_block.py.bak 2020-05-26 14:59:20.000000000 +0200
+++ udisks-2.9.0/src/tests/dbus-tests/test_50_block.py 2023-06-02 17:08:45.203845819 +0200
@@ -11,6 +11,8 @@ import udiskstestcase
class UdisksBlockTest(udiskstestcase.UdisksTestCase):
'''This is a basic block device test suite'''
+ LUKS_PASSPHRASE = 'shouldnotseeme'
+
def _close_luks(self, disk):
disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')
@@ -201,7 +203,7 @@ class UdisksBlockTest(udiskstestcase.Udi
# format the disk
disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0]))
- disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block')
+ disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block')
# cleanup -- close the luks and remove format
self.addCleanup(self.wipe_fs, self.vdevs[0])
@@ -209,7 +211,7 @@ class UdisksBlockTest(udiskstestcase.Udi
# configuration items as arrays of dbus.Byte
opts = self.str_to_ay('verify')
- passwd = self.str_to_ay('test')
+ passwd = self.str_to_ay(self.LUKS_PASSPHRASE)
# set the new configuration
conf = dbus.Dictionary({'passphrase-contents': passwd,
@@ -254,7 +256,7 @@ class UdisksBlockTest(udiskstestcase.Udi
# format the disk
disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0]))
- disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block')
+ disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block')
# cleanup -- close the luks and remove format
self.addCleanup(self.wipe_fs, self.vdevs[0])
diff -up udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py.bak udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py
--- udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py.bak 2020-05-26 14:59:20.000000000 +0200
+++ udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py 2023-06-02 17:07:33.828531988 +0200
@@ -40,6 +40,9 @@ def _get_blkid_version():
class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):
'''This is an encrypted device test suite'''
+ PASSPHRASE = 'shouldnotseeme'
+ LUKS_NAME = 'myshinylittleluks'
+
def _create_luks(self, device, passphrase, binary=False):
raise NotImplementedError()
@@ -60,7 +63,7 @@ class UdisksEncryptedTest(udiskstestcase
disk_name = os.path.basename(self.vdevs[0])
disk = self.get_object('/block_devices/' + disk_name)
- self._create_luks(disk, 'test')
+ self._create_luks(disk, self.PASSPHRASE)
self.addCleanup(self._remove_luks, disk)
self.udev_settle()
@@ -124,7 +127,7 @@ class UdisksEncryptedTest(udiskstestcase
disk_name = os.path.basename(self.vdevs[0])
disk = self.get_object('/block_devices/' + disk_name)
- self._create_luks(disk, 'test')
+ self._create_luks(disk, self.PASSPHRASE)
self.addCleanup(self._remove_luks, disk)
self.udev_settle()
@@ -160,11 +163,11 @@ class UdisksEncryptedTest(udiskstestcase
# wrong password
msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0]
with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
- disk.Unlock('shbdkjaf', self.no_options,
+ disk.Unlock('abcdefghijklmn', self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
# right password
- luks = disk.Unlock('test', self.no_options,
+ luks = disk.Unlock(self.PASSPHRASE, self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
self.assertIsNotNone(luks)
self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid))
@@ -180,7 +183,7 @@ class UdisksEncryptedTest(udiskstestcase
# read-only
ro_opts = dbus.Dictionary({'read-only': dbus.Boolean(True)}, signature=dbus.Signature('sv'))
- luks = disk.Unlock('test', ro_opts,
+ luks = disk.Unlock(self.PASSPHRASE, ro_opts,
dbus_interface=self.iface_prefix + '.Encrypted')
self.assertIsNotNone(luks)
self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid))
@@ -196,13 +199,10 @@ class UdisksEncryptedTest(udiskstestcase
crypttab = self.read_file('/etc/crypttab')
self.addCleanup(self.write_file, '/etc/crypttab', crypttab)
- passwd = 'test'
- luks_name = 'myshinylittleluks'
-
disk_name = os.path.basename(self.vdevs[0])
disk = self.get_object('/block_devices/' + disk_name)
- self._create_luks(disk, passwd)
+ self._create_luks(disk, self.PASSPHRASE)
self.addCleanup(self._remove_luks, disk)
self.udev_settle()
@@ -212,22 +212,22 @@ class UdisksEncryptedTest(udiskstestcase
disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')
# add new entry to the crypttab
- new_crypttab = crypttab + '%s UUID=%s none\n' % (luks_name, disk_uuid)
+ new_crypttab = crypttab + '%s UUID=%s none\n' % (self.LUKS_NAME, disk_uuid)
self.write_file('/etc/crypttab', new_crypttab)
# give udisks time to react to change of the file
time.sleep(5)
dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block')
self.assertIsNotNone(dbus_conf)
- self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name)
+ self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME)
# unlock the device
- luks = disk.Unlock(passwd, self.no_options,
+ luks = disk.Unlock(self.PASSPHRASE, self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
self.assertIsNotNone(luks)
# unlock should use name from crypttab for the /dev/mapper device
- dm_path = '/dev/mapper/%s' % luks_name
+ dm_path = '/dev/mapper/%s' % self.LUKS_NAME
self.assertTrue(os.path.exists(dm_path))
# preferred 'device' should be /dev/mapper/name too
@@ -242,8 +242,7 @@ class UdisksEncryptedTest(udiskstestcase
crypttab = self.read_file('/etc/crypttab')
self.addCleanup(self.write_file, '/etc/crypttab', crypttab)
- passwd = b'test\0test'
- luks_name = 'myshinylittleluks'
+ passwd = b'testtesttest\0testtesttest'
# create key file
_fd, key_file = tempfile.mkstemp()
@@ -264,14 +263,14 @@ class UdisksEncryptedTest(udiskstestcase
disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')
# add new entry to the crypttab
- new_crypttab = crypttab + '%s UUID=%s %s\n' % (luks_name, disk_uuid, key_file)
+ new_crypttab = crypttab + '%s UUID=%s %s\n' % (self.LUKS_NAME, disk_uuid, key_file)
self.write_file('/etc/crypttab', new_crypttab)
# give udisks time to react to change of the file
time.sleep(5)
dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block')
self.assertIsNotNone(dbus_conf)
- self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name)
+ self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME)
self.assertEqual(self.ay_to_str(dbus_conf[0][1]['passphrase-path']), key_file)
# unlock the device using empty passphrase (should use the key file)
@@ -280,7 +279,7 @@ class UdisksEncryptedTest(udiskstestcase
self.assertIsNotNone(luks)
# unlock should use name from crypttab for the /dev/mapper device
- dm_path = '/dev/mapper/%s' % luks_name
+ dm_path = '/dev/mapper/%s' % self.LUKS_NAME
self.assertTrue(os.path.exists(dm_path))
# preferred 'device' should be /dev/mapper/name too
@@ -293,7 +292,7 @@ class UdisksEncryptedTest(udiskstestcase
disk_name = os.path.basename(self.vdevs[0])
disk = self.get_object('/block_devices/' + disk_name)
- self._create_luks(disk, 'test')
+ self._create_luks(disk, self.PASSPHRASE)
self.addCleanup(self._remove_luks, disk)
self.udev_settle()
@@ -320,11 +319,11 @@ class UdisksEncryptedTest(udiskstestcase
disk_name = os.path.basename(self.vdevs[0])
disk = self.get_object('/block_devices/' + disk_name)
- self._create_luks(disk, 'test')
+ self._create_luks(disk, self.PASSPHRASE)
self.addCleanup(self._remove_luks, disk)
self.udev_settle()
- disk.ChangePassphrase('test', 'password', self.no_options,
+ disk.ChangePassphrase(self.PASSPHRASE, self.PASSPHRASE + '222', self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')
@@ -332,11 +331,11 @@ class UdisksEncryptedTest(udiskstestcase
# old password, should fail
msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0]
with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
- disk.Unlock('test', self.no_options,
+ disk.Unlock(self.PASSPHRASE, self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
# new password
- luks = disk.Unlock('password', self.no_options,
+ luks = disk.Unlock(self.PASSPHRASE + '222', self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
self.assertIsNotNone(luks)
@@ -347,7 +346,7 @@ class UdisksEncryptedTest(udiskstestcase
def test_resize(self):
device = self.get_device(self.vdevs[0])
- self._create_luks(device, 'test')
+ self._create_luks(device, self.PASSPHRASE)
self.addCleanup(self._remove_luks, device)
self.udev_settle()
@@ -376,8 +375,6 @@ class UdisksEncryptedTest(udiskstestcase
fstab = self.read_file('/etc/fstab')
self.addCleanup(self.write_file, '/etc/fstab', fstab)
- passphrase = 'test'
-
disk_name = os.path.basename(self.vdevs[0])
disk = self.get_object('/block_devices/' + disk_name)
@@ -388,7 +385,7 @@ class UdisksEncryptedTest(udiskstestcase
self.assertIsNotNone(part)
# create LUKS on the partition and add it to crypttab
- self._create_luks(part, passphrase)
+ self._create_luks(part, self.PASSPHRASE)
self.udev_settle()
conf = dbus.Dictionary({'name': self.str_to_ay('udisks_luks_test'),
@@ -525,10 +522,8 @@ class UdisksEncryptedTestLUKS2(UdisksEnc
super(UdisksEncryptedTestLUKS2, self).setUp()
def test_resize(self):
- passwd = 'test'
-
device = self.get_device(self.vdevs[0])
- self._create_luks(device, passwd)
+ self._create_luks(device, self.PASSPHRASE)
self.addCleanup(self._remove_luks, device)
self.udev_settle()
@@ -554,7 +549,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc
# right passphrase
d = dbus.Dictionary(signature='sv')
- d['passphrase'] = passwd
+ d['passphrase'] = self.PASSPHRASE
device.Resize(dbus.UInt64(100*1024*1024), d,
dbus_interface=self.iface_prefix + '.Encrypted')
@@ -563,7 +558,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc
# resize back to the original size (using binary passphrase)
d = dbus.Dictionary(signature='sv')
- d['keyfile_contents'] = self.str_to_ay(passwd, False)
+ d['keyfile_contents'] = self.str_to_ay(self.PASSPHRASE, False)
device.Resize(dbus.UInt64(clear_size), d,
dbus_interface=self.iface_prefix + '.Encrypted')
@@ -581,7 +576,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc
# create LUKS without specifying version
options = dbus.Dictionary(signature='sv')
- options['encrypt.passphrase'] = 'test'
+ options['encrypt.passphrase'] = self.PASSPHRASE
disk.Format('xfs', options,
dbus_interface=self.iface_prefix + '.Block')
@@ -617,14 +612,12 @@ class UdisksEncryptedTestLUKS2(UdisksEnc
@udiskstestcase.tag_test(udiskstestcase.TestTags.UNSTABLE)
def test_integrity(self):
- passwd = 'test'
-
cryptsetup_version = _get_cryptsetup_version()
if cryptsetup_version < LooseVersion('2.2.0'):
self.skipTest('Integrity devices are not marked as internal in cryptsetup < 2.2.0')
device = self.get_device(self.vdevs[0])
- self._create_luks_integrity(self.vdevs[0], passwd)
+ self._create_luks_integrity(self.vdevs[0], self.PASSPHRASE)
self.addCleanup(self._remove_luks, device)
self.udev_settle()
@@ -634,7 +627,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc
# the device is not opened, we need to read the UUID from LUKS metadata
luks_uuid = BlockDev.crypto_luks_uuid(self.vdevs[0])
- luks_path = device.Unlock('test', self.no_options,
+ luks_path = device.Unlock(self.PASSPHRASE, self.no_options,
dbus_interface=self.iface_prefix + '.Encrypted')
self.assertIsNotNone(luks_path)
self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid))
diff -up udisks-2.9.0/src/tests/integration-test.bak udisks-2.9.0/src/tests/integration-test
--- udisks-2.9.0/src/tests/integration-test.bak 2020-05-26 14:59:20.000000000 +0200
+++ udisks-2.9.0/src/tests/integration-test 2023-06-02 16:59:52.841963720 +0200
@@ -1321,7 +1321,7 @@ class Luks(UDisksTestCase):
def setup_crypto_device(self):
self.fs_create(None, 'ext4', GLib.Variant('a{sv}', {
- 'encrypt.passphrase': GLib.Variant('s', 's3kr1t'),
+ 'encrypt.passphrase': GLib.Variant('s', 's3kr1ts3kr1t'),
'label': GLib.Variant('s', 'treasure')}))
self.client.settle()
crypt_obj = self.client.get_object(self.udisks_block().get_object_path())
@@ -1332,7 +1332,7 @@ class Luks(UDisksTestCase):
@staticmethod
def unlock_crypto_device(encrypted):
return encrypted.call_unlock_sync(
- 's3kr1t', no_options, None)
+ 's3kr1ts3kr1t', no_options, None)
def tearDown(self):
"""clean up behind failed test cases"""
@@ -1400,7 +1400,7 @@ class Luks(UDisksTestCase):
udev_dump = subprocess.Popen(['udevadm', 'info', '--export-db'],
stdout=subprocess.PIPE)
out = udev_dump.communicate()[0]
- self.assertFalse(b's3kr1t' in out, 'password in udev properties')
+ self.assertFalse(b's3kr1ts3kr1t' in out, 'password in udev properties')
self.assertFalse(b'essiv:sha' in out, 'key information in udev properties')
finally:
@@ -1510,18 +1510,18 @@ class Luks(UDisksTestCase):
encrypted = self.setup_crypto_device()
# wrong password, has bytes after a trailing '\0'
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
- '', Luks.keyfile_options(b's3kr1t\0X'), None)
+ '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None)
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
- '', Luks.keyfile_options(b's3kr1t\n'), None)
+ '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None)
# correct password, specified as keyfile
- encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None)
+ encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None)
encrypted.call_lock_sync(no_options, None)
def test_plaintext_keyfile(self):
"""Setup a device using a plaintext keyfile."""
# Using a plaintext keyfile should be equivalent to passphrase
self.fs_create(None, 'ext4', GLib.Variant('a{sv}', {
- 'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1t')),
+ 'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1ts3kr1t')),
'label': GLib.Variant('s', 'treasure')}))
crypt_obj = self.client.get_object(self.udisks_block().get_object_path())
@@ -1532,16 +1532,16 @@ class Luks(UDisksTestCase):
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
'h4ckpassword', no_options, None)
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
- '', Luks.keyfile_options(b's3kr1t\0X'), None)
+ '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None)
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
- '', Luks.keyfile_options(b's3kr1t\n'), None)
+ '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None)
# correct password
- encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None)
+ encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None)
encrypted.call_lock_sync(no_options, None)
# correct password, specified as passphrase
- encrypted.call_unlock_sync('s3kr1t', no_options, None)
+ encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None)
encrypted.call_lock_sync(no_options, None)
def test_binary_keyfile(self):
@@ -1607,11 +1607,11 @@ class Luks(UDisksTestCase):
encrypted = self.setup_crypto_device()
# change: passphrase -> passphrase
- encrypted.call_change_passphrase_sync('s3kr1t', 'passphrase', no_options, None)
+ encrypted.call_change_passphrase_sync('s3kr1ts3kr1t', 'passphrase', no_options, None)
# verify new password:
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
- 's3kr1t', no_options, None)
+ 's3kr1ts3kr1t', no_options, None)
encrypted.call_unlock_sync('passphrase', no_options, None)
encrypted.call_lock_sync(no_options, None)
@@ -1644,7 +1644,7 @@ class Luks(UDisksTestCase):
# change: keyfile -> passphrase
encrypted.call_change_passphrase_sync(
- '', 's3kr1t', GLib.Variant('a{sv}', {
+ '', 's3kr1ts3kr1t', GLib.Variant('a{sv}', {
'old_keyfile_contents': GLib.Variant('ay', _bytes_to_ay(key_file_1)),
}),
None)
@@ -1652,7 +1652,7 @@ class Luks(UDisksTestCase):
# verify new password:
self.assertRaises(GLib.GError, encrypted.call_unlock_sync,
'', Luks.keyfile_options(key_file_1), None)
- encrypted.call_unlock_sync('s3kr1t', no_options, None)
+ encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None)
encrypted.call_lock_sync(no_options, None)

View File

@ -56,7 +56,7 @@
Name: udisks2
Summary: Disk Manager
Version: 2.9.0
Release: 13%{?dist}
Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Libraries
URL: https://github.com/storaged-project/udisks
@ -91,7 +91,16 @@ Patch25: udisks-2.10.0-udiskslinuxpartition_GError.patch
Patch26: udisks-2.10.0-udiskslinuxpartitiontable_GError.patch
Patch27: udisks-2.10.0-udiskslinuxfilesystem_GError.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1966460
Patch28: udisks-2.10.0-iscsi_test_05_restart_iscsid.patch
Patch28: udisks-2.10.0-iscsi_test_01_badauth.patch
Patch29: udisks-2.10.0-iscsi_test_02_lio_target_conf.patch
Patch31: udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch
Patch32: udisks-2.10.0-iscsi_test_05_restart_iscsid.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2188991
Patch33: udisks-2.10.0-iscsi-CHAP-auth-algs.patch
Patch34: udisks-2.9.4-FIPS_LUKS_fixes-2.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2039772
Patch35: udisks-2.10.0-lvm2_update_epoch.patch
Patch36: udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@ -318,6 +327,13 @@ This package contains module for VDO management.
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
sed -i udisks/udisks2.conf.in -e "s/encryption=luks1/encryption=%{default_luks_encryption}/"
%build
@ -510,6 +526,11 @@ fi
%endif
%changelog
* Fri Jun 02 2023 Tomas Bzatek <tbzatek@redhat.com> - 2.9.0-14
- iscsi: CHAP auth algorithm selection fixes (#2188991)
- tests: Use stronger passphrases for LUKS tests
- lvm2: Improve uevent processing (#2039772)
* Tue Nov 01 2022 Tomas Bzatek <tbzatek@redhat.com> - 2.9.0-13
- Fix iscsi test auth failures (#1966460)