eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-12 19:30:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update tests for dm-crypt kernel key bugfix.

Browse Source 
cryptsetup now requires dm-crypt v1.18.1 or higher
to use kernel keyring service for passing VKs.

Also, relevant API functions fail if CRYPT_ACTIVATE_KEYRING_KEY
is set, but library is not allowed to use kernel keyring for
VK.
This commit is contained in:
Ondrej Kozina
2018-01-15 18:36:33 +01:00
committed by Milan Broz
parent de76628539
commit 2f890dea18
4 changed files with 29 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tests/api-test-2.c
View File

@@ -1239,7 +1239,7 @@ static void ResizeDeviceLuks2(void)
else else
OK_(crypt_resize(cd, CDEVICE_1, 44)); OK_(crypt_resize(cd, CDEVICE_1, 44));
// reinstate the volume key in keyring // reinstate the volume key in keyring
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
OK_(crypt_resize(cd, CDEVICE_1, 43)); OK_(crypt_resize(cd, CDEVICE_1, 43));
if (!t_device_size(DMDIR CDEVICE_1, &r_size)) if (!t_device_size(DMDIR CDEVICE_1, &r_size))
EQ_(43, r_size >> SECTOR_SHIFT); EQ_(43, r_size >> SECTOR_SHIFT);
@@ -2453,20 +2453,20 @@ static void Luks2Requirements(void)
FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected"); FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY); EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0)); OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE); EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
/* crypt_activate_by_keyfile (restricted for activation only) */ /* crypt_activate_by_keyfile (restricted for activation only) */
FAIL_((r = crypt_activate_by_keyfile(cd, CDEVICE_1, 0, KEYFILE1, 0, 0)), "Unmet requirements detected"); FAIL_((r = crypt_activate_by_keyfile(cd, CDEVICE_1, 0, KEYFILE1, 0, 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY); EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, 0)); OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, 0));
OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_keyfile(cd, NULL, 0, KEYFILE1, 0, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
/* crypt_activate_by_volume_key (restricted for activation only) */ /* crypt_activate_by_volume_key (restricted for activation only) */
FAIL_((r = crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)), "Unmet requirements detected"); FAIL_((r = crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY); EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0)); OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
#ifdef KERNEL_KEYRING #ifdef KERNEL_KEYRING
kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING); kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
@@ -2479,7 +2479,7 @@ static void Luks2Requirements(void)
FAIL_((r = crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, 0, 0)), "Unmet requirements detected"); FAIL_((r = crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, 0, 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY); EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0)); OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
#endif #endif
/* crypt_volume_key_verify (unrestricted) */ /* crypt_volume_key_verify (unrestricted) */
@@ -2566,7 +2566,7 @@ static void Luks2Requirements(void)
FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
EQ_(r, -ETXTBSY); EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0)); OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_token(cd, NULL, 1, NULL, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
#endif #endif
OK_(get_luks2_offsets(1, 8192, 0, 0, NULL, &r_payload_offset)); OK_(get_luks2_offsets(1, 8192, 0, 0, NULL, &r_payload_offset));
OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 2)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 2));
@@ -2635,7 +2635,7 @@ static void Luks2Requirements(void)
OK_(crypt_init_by_name(&cd, CDEVICE_1)); OK_(crypt_init_by_name(&cd, CDEVICE_1));
/* load VK in keyring */ /* load VK in keyring */
OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, CRYPT_ACTIVATE_KEYRING_KEY)); OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
/* crypt_resize (restricted) */ /* crypt_resize (restricted) */
FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected"); FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
EQ_(r, -ETXTBSY); EQ_(r, -ETXTBSY);

25
tests/compat-test2
View File

@@ -23,8 +23,6 @@ PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE" PWD2="mymJeD8ivEhE"
PWD3="ocMakf3fAcQO" PWD3="ocMakf3fAcQO"
PWDW="rUkL4RUryBom" PWDW="rUkL4RUryBom"
CHKS_DMCRYPT=vk_in_dmcrypt.chk
CHKS_KEYRING=vk_in_keyring.chk
TEST_KEYRING_NAME="compattest2_keyring" TEST_KEYRING_NAME="compattest2_keyring"
TEST_TOKEN0="compattest2_desc0" TEST_TOKEN0="compattest2_desc0"
TEST_TOKEN1="compattest2_desc1" TEST_TOKEN1="compattest2_desc1"
@@ -47,7 +45,7 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2 [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1 losetup -d $LOOPDEV >/dev/null 2>&1
rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $CHKS_DMCRYPT $CHKS_KEYRING $HEADER_KEYU >/dev/null 2>&1 rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU >/dev/null 2>&1
# unlink whole test keyring # unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
@@ -157,10 +155,13 @@ function dm_crypt_keyring_support()
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
VER_MIN=$(echo $VER_STR | cut -f 2 -d.) VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
[ $VER_MAJ -gt 1 ] && return 0 [ $VER_MAJ -gt 1 ] && return 0
[ $VER_MAJ -lt 1 ] && return 1 [ $VER_MAJ -lt 1 ] && return 1
[ $VER_MIN -ge 15 ] [ $VER_MIN -gt 18 ] && return 0
[ $VER_MIN -eq 18 -a $VER_PTC -ge 1 ] && return 0
return 1
} }
function test_and_prepare_keyring() { function test_and_prepare_keyring() {
@@ -619,43 +620,29 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
# FIXME: perhaps better to test in keyring-test script
if dm_crypt_keyring_support; then if dm_crypt_keyring_support; then
prepare "[32] LUKS2 key in keyring" wipe prepare "[32] LUKS2 key in keyring" wipe
dd if=/dev/zero of=$HEADER_IMG bs=1M count=4 >/dev/null 2>&1
which sha1sum > /dev/null 2>&1 || skip "sha1sum is missing"
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
# check keyring support detection works as expected # check keyring support detection works as expected
rmmod dm-crypt > /dev/null 2>&1 || true rmmod dm-crypt > /dev/null 2>&1 || true
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
$CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
$CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
$CRYPTSETUP luksSuspend $DEV_NAME || fail $CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
$CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
$CRYPTSETUP luksSuspend $DEV_NAME || fail $CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
$CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail
fi fi

2
tests/keyring-compat-test
View File

@@ -67,6 +67,8 @@ function dm_crypt_keyring_support()
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
VER_MIN=$(echo $VER_STR | cut -f 2 -d.) VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
# run the test with dm-crypt v1.15.0+ on purpose
# the fix is in dm-crypt v1.18.1+
[ $VER_MAJ -gt 1 ] && return 0 [ $VER_MAJ -gt 1 ] && return 0
[ $VER_MAJ -lt 1 ] && return 1 [ $VER_MAJ -lt 1 ] && return 1
[ $VER_MIN -ge 15 ] [ $VER_MIN -ge 15 ]

28
tests/test_utils.c
View File

@@ -286,15 +286,15 @@ int _system(const char *command, int warn)
return r; return r;
} }
static int t_dm_satisfies_version(unsigned target_maj, unsigned target_min, static int t_dm_satisfies_version(unsigned target_maj, unsigned target_min, unsigned target_patch,
unsigned actual_maj, unsigned actual_min) unsigned actual_maj, unsigned actual_min, unsigned actual_patch)
{ {
if (actual_maj > target_maj) if (actual_maj > target_maj)
return 1; return 1;
if (actual_maj == target_maj && actual_min > target_min)
if (actual_maj == target_maj && actual_min >= target_min) return 1;
if (actual_maj == target_maj && actual_min == target_min && actual_patch >= target_patch)
return 1; return 1;
return 0; return 0;
} }
@@ -309,30 +309,30 @@ static void t_dm_set_crypt_compat(const char *dm_version, unsigned crypt_maj,
dm_patch = 0; dm_patch = 0;
} }
if (t_dm_satisfies_version(1, 2, crypt_maj, crypt_min)) if (t_dm_satisfies_version(1, 2, 0, crypt_maj, crypt_min, 0))
t_dm_crypt_flags |= T_DM_KEY_WIPE_SUPPORTED; t_dm_crypt_flags |= T_DM_KEY_WIPE_SUPPORTED;
if (t_dm_satisfies_version(1, 10, crypt_maj, crypt_min)) if (t_dm_satisfies_version(1, 10, 0, crypt_maj, crypt_min, 0))
t_dm_crypt_flags |= T_DM_LMK_SUPPORTED; t_dm_crypt_flags |= T_DM_LMK_SUPPORTED;
if (t_dm_satisfies_version(4, 20, dm_maj, dm_min)) if (t_dm_satisfies_version(4, 20, 0, dm_maj, dm_min, 0))
t_dm_crypt_flags |= T_DM_SECURE_SUPPORTED; t_dm_crypt_flags |= T_DM_SECURE_SUPPORTED;
if (t_dm_satisfies_version(1, 8, crypt_maj, crypt_min)) if (t_dm_satisfies_version(1, 8, 0, crypt_maj, crypt_min, 0))
t_dm_crypt_flags |= T_DM_PLAIN64_SUPPORTED; t_dm_crypt_flags |= T_DM_PLAIN64_SUPPORTED;
if (t_dm_satisfies_version(1, 11, crypt_maj, crypt_min)) if (t_dm_satisfies_version(1, 11, 0, crypt_maj, crypt_min, 0))
t_dm_crypt_flags |= T_DM_DISCARDS_SUPPORTED; t_dm_crypt_flags |= T_DM_DISCARDS_SUPPORTED;
if (t_dm_satisfies_version(1, 13, crypt_maj, crypt_min)) if (t_dm_satisfies_version(1, 13, 0, crypt_maj, crypt_min, 0))
t_dm_crypt_flags |= T_DM_TCW_SUPPORTED; t_dm_crypt_flags |= T_DM_TCW_SUPPORTED;
if (t_dm_satisfies_version(1, 14, crypt_maj, crypt_min)) { if (t_dm_satisfies_version(1, 14, 0, crypt_maj, crypt_min, 0)) {
t_dm_crypt_flags |= T_DM_SAME_CPU_CRYPT_SUPPORTED; t_dm_crypt_flags |= T_DM_SAME_CPU_CRYPT_SUPPORTED;
t_dm_crypt_flags |= T_DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED; t_dm_crypt_flags |= T_DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED;
} }
if (t_dm_satisfies_version(1, 15, crypt_maj, crypt_min)) if (t_dm_satisfies_version(1, 18, 1, crypt_maj, crypt_min, crypt_patch))
t_dm_crypt_flags |= T_DM_KERNEL_KEYRING_SUPPORTED; t_dm_crypt_flags |= T_DM_KERNEL_KEYRING_SUPPORTED;
} }
@@ -349,7 +349,7 @@ static void t_dm_set_verity_compat(const char *dm_version, unsigned verity_maj,
* (but some dm-verity targets 1.2 don't support it) * (but some dm-verity targets 1.2 don't support it)
* FEC is added in 1.3 as well. * FEC is added in 1.3 as well.
*/ */
if (t_dm_satisfies_version(1, 3, verity_maj, verity_min)) { if (t_dm_satisfies_version(1, 3, 0, verity_maj, verity_min, 0)) {
t_dm_crypt_flags |= T_DM_VERITY_ON_CORRUPTION_SUPPORTED; t_dm_crypt_flags |= T_DM_VERITY_ON_CORRUPTION_SUPPORTED;
t_dm_crypt_flags |= T_DM_VERITY_FEC_SUPPORTED; t_dm_crypt_flags |= T_DM_VERITY_FEC_SUPPORTED;
} }