Do not use fake-token-path in ssh and systemd plugin tests.

Ondrej Kozina
2023-11-14 13:35:58 +01:00
parent 836e5e4539
commit 5ef1878b34
5 changed files with 47 additions and 35 deletions


@@ -45,8 +45,7 @@ if EXTERNAL_TOKENS
TESTS += systemd-test-plugin
endif
ssh-test-plugin: fake_token_path.so
systemd-test-plugin: fake_token_path.so fake_systemd_tpm_path.so
systemd-test-plugin: fake_systemd_tpm_path.so
# Do not use global CFLAGS here as the *.so link does not support sanitizers
fake_token_path.so: fake_token_path.c


@@ -157,6 +157,7 @@ tests_env = environment()
tests_env.set('CRYPTSETUP_PATH', src_build_dir)
tests_env.set('LIBCRYPTSETUP_DIR', lib_build_dir)
tests_env.set('srcdir', meson.current_source_dir())
tests_env.set('SSH_BUILD_DIR', tokens_ssh_build_dir)
tests_env.set('CRYPTSETUP_TESTS_RUN_IN_MESON', '1')
tests_env_valg = tests_env
@@ -728,7 +729,6 @@ if get_option('ssh-token') and not enable_static
is_parallel: false,
depends: [
cryptsetup_ssh,
fake_token_path,
libcryptsetup_token_ssh,
])
test('valg-ssh-test-plugin',
@@ -740,7 +740,6 @@ if get_option('ssh-token') and not enable_static
suite: 'valgrind',
depends: [
cryptsetup_ssh,
fake_token_path,
libcryptsetup_token_ssh,
])
endif
@@ -754,7 +753,6 @@ if get_option('external-tokens') and not enable_static
is_parallel: false,
depends: [
fake_systemd_tpm_path,
fake_token_path,
])
endif


@@ -1,10 +1,10 @@
#!/bin/bash
[ -z "$CRYPTSETUP_PATH" ] && {
TOKEN_PATH="./fake_token_path.so"
[ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; }
export LD_PRELOAD=$TOKEN_PATH
CRYPTSETUP_PATH=".."
if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
SSH_BUILD_DIR="$PWD/../.libs"
fi
}
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
@@ -35,12 +35,8 @@ fi
[ -z "$srcdir" ] && srcdir="."
[ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] || {
# test runs on meson build
TOKEN_PATH="$CRYPTSETUP_PATH/../tests/fake_token_path.so"
[ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; }
export LD_PRELOAD=$TOKEN_PATH
CRYPTSETUP_SSH="$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh"
# test runs on meson build
CRYPTSETUP_SSH="$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh"
}
function remove_mapping()
@@ -170,6 +166,9 @@ check_dump()
[ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed."
}
if [ -n "$SSH_BUILD_DIR" ]; then
CUSTOM_TOKENS_PATH="--external-tokens-path $SSH_BUILD_DIR"
fi
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
@@ -192,17 +191,17 @@ ssh_check
create_user
ssh_setup
$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH
$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH $CUSTOM_TOKENS_PATH
[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
out=$($CRYPTSETUP luksDump $IMG)
out=$($CRYPTSETUP luksDump $CUSTOM_TOKENS_PATH $IMG)
check_dump "$out" 0
echo "[OK]"
echo -n "Activating using SSH token: "
$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled"
$CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&-
$CRYPTSETUP luksOpen $CUSTOM_TOKENS_PATH -r $IMG $MAP -q >/dev/null 2>&1 <&-
[ $? -ne 0 ] && fail "Failed to open $IMG using SSH token"
echo "[OK]"
@@ -211,10 +210,10 @@ $CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token"
echo -n "Adding SSH token with --key-slot: "
$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1
$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 $CUSTOM_TOKENS_PATH
[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
out=$($CRYPTSETUP luksDump $IMG)
out=$($CRYPTSETUP luksDump $CUSTOM_TOKENS_PATH $IMG)
check_dump "$out" 1
echo "[OK]"
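Review bot: `CUSTOM_TOKENS_PATH` packs the option and its argument into one string and is then expanded unquoted in the `add`, `luksDump` and `luksOpen` calls, so a build directory containing whitespace or glob characters is split into extra arguments. Since the script is bash, an array keeps the two words intact: `CUSTOM_TOKENS_PATH=(--external-tokens-path "$SSH_BUILD_DIR")` at the definition and `"${CUSTOM_TOKENS_PATH[@]}"` at the call sites. The same string-built variable is added in the systemd plugin test. `SSH_BUILD_DIR` is assigned only inside the `[ -z "$CRYPTSETUP_PATH" ]` block for the non-meson case, so with a preset `CRYPTSETUP_PATH` the value comes from the caller's environment. Because the test runs as root and token plugins are loaded from that directory, a comment such as `# SSH_BUILD_DIR must point at a trusted build directory; plugins are loaded from it` would help.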


@@ -67,8 +67,6 @@ CRYPTENROLL_LD_PRELOAD=""
bin_check ninja
bin_check pkgconf
TOKEN_PATH=fake_token_path.so
[ -f $TOKEN_PATH ] || skip "Please compile $TOKEN_PATH."
INSTALL_PATH=$CRYPTSETUP_PATH/../external-tokens/install
mkdir -p $INSTALL_PATH
DESTDIR=$INSTALL_PATH meson install -C ..
@@ -90,12 +88,13 @@ CRYPTENROLL_LD_PRELOAD=""
meson setup build/ -D tpm2=true -D libcryptsetup=true -D libcryptsetup-plugins=true || skip "Failed to configure systemd via meson, some dependencies are probably missing."
ninja -C build/ systemd-cryptenroll libcryptsetup-token-systemd-tpm2.so || skip "Failed to build systemd."
CRYPTSETUP_TOKENS_PATH=$CRYPTSETUP_PATH/../tokens/ssh
cd $CRYPTSETUP_PATH/../tests
cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so $CRYPTSETUP_PATH/../tokens/ssh
cp $SYSTEMD_PATH/build/src/shared/*.so $CRYPTSETUP_PATH/../tests
cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so $CRYPTSETUP_TOKENS_PATH
cp $SYSTEMD_PATH/build/src/shared/*.so $CRYPTSETUP_TOKENS_PATH
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$CRYPTSETUP_PATH/../tests"
export LD_PRELOAD="${LD_PRELOAD-}:$CRYPTSETUP_PATH/../tests/$TOKEN_PATH"
CRYPTENROLL_LD_PRELOAD="$CRYPTSETUP_PATH/../lib/libcryptsetup.so"
echo "CRYPTENROLL_LD_PRELOAD $CRYPTENROLL_LD_PRELOAD"
@@ -107,8 +106,6 @@ CRYPTENROLL_LD_PRELOAD=""
bin_check ninja
bin_check pkgconf
TOKEN_PATH=fake_token_path.so
[ -f $TOKEN_PATH ] || skip "Please compile $TOKEN_PATH."
INSTALL_PATH=$(pwd)/external-tokens/install
make -C .. install DESTDIR=$INSTALL_PATH
PC_FILE="$(find $INSTALL_PATH -name 'libcryptsetup.pc')"
@@ -128,11 +125,12 @@ CRYPTENROLL_LD_PRELOAD=""
meson setup build/ -D tpm2=true -D libcryptsetup=true -D libcryptsetup-plugins=true || skip "Failed to configure systemd via meson, some dependencies are probably missing."
ninja -C build/ systemd-cryptenroll libcryptsetup-token-systemd-tpm2.so || skip "Failed to build systemd."
cd $CRYPTSETUP_PATH/tests
cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so ../.libs/
cp $SYSTEMD_PATH/build/src/shared/*.so ../.libs/
CRYPTSETUP_TOKENS_PATH=$CRYPTSETUP_PATH/.libs
cd $CRYPTSETUP_PATH/tests
cp $SYSTEMD_PATH/build/libcryptsetup-token-*.so $CRYPTSETUP_TOKENS_PATH
cp $SYSTEMD_PATH/build/src/shared/*.so $CRYPTSETUP_TOKENS_PATH
export LD_PRELOAD="${LD_PRELOAD-}:$CRYPTSETUP_PATH/tests/$TOKEN_PATH"
CRYPTENROLL_LD_PRELOAD="$CRYPTSETUP_PATH/.libs/libcryptsetup.so"
}
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
@@ -155,6 +153,9 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
echo "Virtual TPM set up at $TPM_PATH"
}
if [ -n "$SSH_BUILD_DIR" ]; then
CUSTOM_TOKENS_PATH="--external-tokens-path $SSH_BUILD_DIR"
fi
FAKE_TPM_PATH="$(pwd)/fake_systemd_tpm_path.so"
[ ! -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] && FAKE_TPM_PATH="$CRYPTSETUP_PATH/../tests/fake_systemd_tpm_path.so"
[ -f $FAKE_TPM_PATH ] || skip "Please compile $FAKE_TPM_PATH."
@@ -169,23 +170,23 @@ echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-
echo "Enrolling the device to TPM 2 using systemd-cryptenroll.."
LD_PRELOAD="$LD_PRELOAD:$CRYPTENROLL_LD_PRELOAD" PASSWORD="$PASSWD" $SYSTEMD_CRYPTENROLL $IMG --tpm2-device=$TPM_PATH >/dev/null 2>&1
$CRYPTSETUP luksDump $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)."
$CRYPTSETUP luksDump --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)."
echo "Activating the device via TPM2 external token.."
$CRYPTSETUP open --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token."
$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token."
$CRYPTSETUP close $MAP >/dev/null 2>&1 || fail "Failed to close $MAP."
echo "Adding passphrase via TPM2 token.."
echo $PASSWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token."
echo $PASSWD2 | $CRYPTSETUP luksAddKey --external-tokens-path $CRYPTSETUP_TOKENS_PATH $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token."
echo $PASSWD2 | $CRYPTSETUP open $IMG --test-passphrase --disable-external-tokens >/dev/null 2>&1 || fail "Failed to test passphrase added by tpm2 token."
echo "Exporting and removing TPM2 token.."
EXPORTED_TOKEN=$($CRYPTSETUP token export $IMG --token-id 0)
$CRYPTSETUP token remove $IMG --token-id 0
$CRYPTSETUP open $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal."
$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal."
echo "Re-importing TPM2 token.."
echo $EXPORTED_TOKEN | $CRYPTSETUP token import $IMG --token-id 0 || fail "Failed to re-import deleted token."
$CRYPTSETUP open $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token."
$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token."
cleanup
exit 0
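Review bot: The `CUSTOM_TOKENS_PATH` block added just before `FAKE_TPM_PATH` is not used by any command visible in this file's hunks; every call passes `--external-tokens-path $CRYPTSETUP_TOKENS_PATH` directly. Unless it is used outside the lines shown, drop the block or use one variable consistently. `CRYPTSETUP_TOKENS_PATH` is also expanded unquoted, so if it were ever empty the option would take `$IMG` as its argument. Writing `--external-tokens-path "$CRYPTSETUP_TOKENS_PATH"` makes that case fail on the option itself rather than on a misparsed command line.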


@@ -47,6 +47,7 @@
#define OPT_DEBUG 5
#define OPT_DEBUG_JSON 6
#define OPT_KEY_SLOT 7
#define OPT_TOKENS_PATH 8
void tools_cleanup(void)
{
@@ -59,6 +60,7 @@ static int token_add(
const char *user,
const char *path,
const char *keypath,
const char *plugin_path,
int keyslot)
{
@@ -68,6 +70,12 @@ static int token_add(
const char *string_token;
int r, token;
if (plugin_path) {
r = crypt_token_set_external_path(plugin_path);
if (r < 0)
return r;
}
r = crypt_init(&cd, device);
if (r)
return r;
@@ -148,6 +156,8 @@ static struct argp_option options[] = {
{"ssh-user", OPT_SSH_USER, "STRING", 0, N_("Username used for the remote server")},
{"ssh-path", OPT_SSH_PATH, "STRING", 0, N_("Path to the key file on the remote server")},
{"ssh-keypath", OPT_KEY_PATH, "STRING", 0, N_("Path to the SSH key for connecting to the remote server")},
{"external-tokens-path",
OPT_TOKENS_PATH,"STRING", 0, N_("Path to directory containinig libcryptsetup external tokens")},
{"key-slot", OPT_KEY_SLOT, "NUM", 0, N_("Keyslot to assign the token to. If not specified, token will "\
"be assigned to the first keyslot matching provided passphrase.")},
{0, 0, 0, 0, N_("Generic options:")},
@@ -164,6 +174,7 @@ struct arguments {
char *ssh_user;
char *ssh_path;
char *ssh_keypath;
char *ssh_plugin_path;
int keyslot;
int verbose;
int debug;
@@ -187,6 +198,9 @@ parse_opt (int key, char *arg, struct argp_state *state) {
case OPT_KEY_PATH:
arguments->ssh_keypath = arg;
break;
case OPT_TOKENS_PATH:
arguments->ssh_plugin_path = arg;
break;
case OPT_KEY_SLOT:
arguments->keyslot = atoi(arg);
break;
@@ -413,6 +427,7 @@ int main(int argc, char *argv[])
arguments.ssh_user,
arguments.ssh_path,
arguments.ssh_keypath,
arguments.ssh_plugin_path,
arguments.keyslot);
if (ret < 0)
return EXIT_FAILURE;
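Review bot: The help string of the new `external-tokens-path` option misspells "containing" as `containinig`, and because it is wrapped in `N_()` the typo would also reach the translation catalogs. In `token_add`, the early `return r` after `crypt_token_set_external_path()` leaves the user with a bare failure exit; whether other failures in the function print a message cannot be seen here, since its body continues outside the hunk. A comment at that call would also help, e.g. `/* plugin_path: directory libcryptsetup loads external token plugins from; must be a trusted location */`, since this tool is normally run with privileges.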