mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-05 16:00:05 +01:00
cbc143bf95
AFAIK older versions of the POSIX Standard didn't specify a way to
locate commands. Many operating systems and distributions added a
which(1) utility for that purpose, unfortunately without consistent
behavior across the board.
OTOH POSIX.1-2008 (or was it older? POSIX.1-2001 mentions it too, but
with a restriction: “On systems supporting the User Portability Utilities
option”) specifies that `command -v` can be used for that purpose:
https://pubs.opengroup.org/onlinepubs/9699919799.2008edition/utilities/command.html
Moreover the standard adds that if the argument is neither a valid
utility, builtin, shell function nor alias then “no output shall be
written and the exit status shall reflect that the name was not found”.
It's therefore no longer needed to void the error output (spewing error
messages was one of the inconsistent behavior of the different which(1)
utilities).
The upcoming Debian 12 (codename Bookworm) appears to have deprecated
its which(1) utility (as a first step for its removal from the base
system):
$ which foo
/usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
In most places the deprecation notice isn't visible when running the
test suite because most `which` calls run with the error output
redirected to /dev/null, however this is not the case everywhere:
https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.4.3/tests/integrity-compat-test#L333
https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.4.3/tests/reencryption-compat-test2#L232
This commit replaces all `which` calls from tests/* with `command -v`,
and removes the error output redirection.
239 lines
9.1 KiB
Bash
Executable File
239 lines
9.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
DEV_ZERO="dmtst-zero"
|
|
DEV_CRYPT="dmtst-crypt"
|
|
|
|
CIPHER="aes-xts-plain64"
|
|
|
|
TEST_KEYRING_NAME="keyringtest_keyring"
|
|
|
|
USER_KEY_32_OK="dmtst:ukey_32_ok"
|
|
USER_KEY_32_WRONG="dmtst:ukey_32_wrong_size"
|
|
|
|
LOGON_KEY_32_OK="dmtst:lkey_32_ok"
|
|
LOGON_KEY_32_WRONG="dmtst:lkey_32_wrong_size"
|
|
|
|
PAYLOAD_32="bb21158c733229347bd4e681891e213d"
|
|
PAYLOAD_31="bb21158c733229347bd4e681891e213"
|
|
|
|
HEXKEY_32="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
|
HEXKEY_32_BAD="bb21158c733229347bd4e68189XXXX3d94c685be6a5b84818afe7a78a6de7a1a"
|
|
HEXKEY_31="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a"
|
|
|
|
function remove_mapping()
|
|
{
|
|
[ -b /dev/mapper/$DEV_CRYPT ] && dmsetup remove --retry $DEV_CRYPT
|
|
[ -b /dev/mapper/$DEV_ZERO ] && dmsetup remove --retry $DEV_ZERO
|
|
|
|
# unlink whole test keyring
|
|
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
|
|
}
|
|
|
|
function skip()
|
|
{
|
|
[ -n "$1" ] && echo "$1"
|
|
remove_mapping
|
|
exit 77
|
|
}
|
|
|
|
function fail()
|
|
{
|
|
[ -n "$1" ] && echo "$1"
|
|
echo "FAILED backtrace:"
|
|
while caller $frame; do ((frame++)); done
|
|
remove_mapping
|
|
exit 2
|
|
}
|
|
|
|
# $1 type
|
|
# $2 description
|
|
# $3 payload
|
|
# $4 keyring
|
|
function load_key()
|
|
{
|
|
keyctl add $@ >/dev/null
|
|
}
|
|
|
|
function dm_crypt_keyring_support()
|
|
{
|
|
VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
|
|
[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
|
|
|
|
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
|
|
VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
|
|
|
|
[ $VER_MAJ -gt 1 ] && return 0
|
|
[ $VER_MAJ -lt 1 ] && return 1
|
|
[ $VER_MIN -ge 15 ]
|
|
}
|
|
|
|
function test_and_prepare_keyring() {
|
|
keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
|
|
TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
|
|
test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
|
|
keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1 || keyctl link "@u" "@s" > /dev/null 2>&1
|
|
load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
|
|
}
|
|
|
|
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
|
|
command -v dmsetup >/dev/null || skip "Cannot find dmsetup, test skipped"
|
|
command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped"
|
|
modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
|
|
dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
|
|
|
|
test_and_prepare_keyring
|
|
|
|
load_key logon $LOGON_KEY_32_OK $PAYLOAD_32 "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
|
|
load_key user $USER_KEY_32_OK $PAYLOAD_32 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
|
|
load_key logon $LOGON_KEY_32_WRONG $PAYLOAD_31 "$TEST_KEYRING" || fail "Cannot load 31 byte logon key type"
|
|
load_key user $USER_KEY_32_WRONG $PAYLOAD_31 "$TEST_KEYRING" || fail "Cannot load 31 byte user key type"
|
|
|
|
dmsetup create $DEV_ZERO --table "0 100 zero" || fail
|
|
|
|
echo "[1] Valid keyring keys"
|
|
|
|
# load logon type kernel key
|
|
KEY=":32:logon:$LOGON_KEY_32_OK"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" || fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $KEY 0" || fail
|
|
dmsetup remove --retry $DEV_CRYPT || fail
|
|
|
|
# load user type kernel key
|
|
KEY=":32:user:$USER_KEY_32_OK"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" || fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $KEY 0" || fail
|
|
dmsetup remove --retry $DEV_CRYPT || fail
|
|
|
|
# load logon type kernel key...
|
|
KEY=":32:logon:$LOGON_KEY_32_OK"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" || fail
|
|
dmsetup suspend $DEV_CRYPT || fail
|
|
dmsetup message $DEV_CRYPT 0 "key wipe" || fail
|
|
# ...replace the key with hexkey...
|
|
dmsetup message $DEV_CRYPT 0 "key set $HEXKEY_32" || fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $HEXKEY_32 0" || fail
|
|
dmsetup resume $DEV_CRYPT || fail
|
|
dmsetup suspend $DEV_CRYPT || fail
|
|
# ...and replace it again with user type kernel key...
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER :32:user:$USER_KEY_32_OK 0" || fail
|
|
dmsetup message $DEV_CRYPT 0 "key set $HEXKEY_32" || fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $HEXKEY_32 0" || fail
|
|
dmsetup resume $DEV_CRYPT || fail
|
|
dmsetup remove --retry $DEV_CRYPT || fail
|
|
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $HEXKEY_32 0 /dev/mapper/$DEV_ZERO 0" || fail
|
|
dmsetup suspend $DEV_CRYPT || fail
|
|
dmsetup message $DEV_CRYPT 0 "key wipe" || fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
|
|
dmsetup resume $DEV_CRYPT || fail
|
|
dmsetup suspend $DEV_CRYPT || fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
|
|
dmsetup resume $DEV_CRYPT || fail
|
|
dmsetup remove --retry $DEV_CRYPT || fail
|
|
|
|
echo "[2] message ioctl"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $HEXKEY_32 0 /dev/mapper/$DEV_ZERO 0" || fail
|
|
dmsetup suspend $DEV_CRYPT || fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:logon:$LOGON_KEY_32_WRONG" 2> /dev/null && fail
|
|
# old key should be intact and valid
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $HEXKEY_32 0" || fail
|
|
dmsetup resume $DEV_CRYPT || fail
|
|
dmsetup suspend $DEV_CRYPT || fail
|
|
# now the key gets destroyed by invalid input
|
|
dmsetup message $DEV_CRYPT 0 "key set $HEXKEY_32_BAD" 2> /dev/null && fail
|
|
dmsetup resume $DEV_CRYPT 2> /dev/null && fail
|
|
# hmm... see the output. don't like it
|
|
# dmsetup table --showkeys $DEV_CRYPT
|
|
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER :32:user:$USER_KEY_32_OK 0" || fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :31:logon:$LOGON_KEY_32_OK" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set ::::" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :0:logon:$LOGON_KEY_32_OK" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:logon" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:logo" 2> /dev/null && fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:logon:" 2> /dev/null && fail
|
|
dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER :32:user:$USER_KEY_32_OK 0" || fail
|
|
dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
|
|
dmsetup resume $DEV_CRYPT || fail
|
|
dmsetup remove --retry $DEV_CRYPT || fail
|
|
|
|
echo "[3] bOrked keys"
|
|
# declare the key having 32 bytes but load key which has in fact 31 bytes only
|
|
KEY=":32:logon:$LOGON_KEY_32_WRONG"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted wrong key size"
|
|
|
|
# declare the key having 31 bytes (incompatible with cipher) and load key with 32 bytes in real
|
|
KEY=":31:logon:$LOGON_KEY_32_WRONG"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted wrong key size"
|
|
|
|
# declare the key being user type but try to load logon one
|
|
KEY=":32:user:$LOGON_KEY_32"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted key description for invalid key type"
|
|
|
|
# now the other way
|
|
KEY=":32:logon:$USER_KEY_32"
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted key description for invalid key type"
|
|
|
|
BORKED_KEYS=":\ 32:logon:$LOGON_KEY_32_OK
|
|
: 32:logon:$LOGON_KEY_32_OK
|
|
:+32:logon:$LOGON_KEY_32_OK
|
|
:-32:logon:$LOGON_KEY_32_OK
|
|
:32 :logon:$LOGON_KEY_32_OK
|
|
:32\ :logon:$LOGON_KEY_32_OK
|
|
:32_:logon:$LOGON_KEY_32_OK
|
|
:32+:logon:$LOGON_KEY_32_OK
|
|
:30+2:logon:$LOGON_KEY_32_OK
|
|
:32+0:logon:$LOGON_KEY_32_OK
|
|
:32: logon:$LOGON_KEY_32_OK
|
|
:32:\ logon:$LOGON_KEY_32_OK
|
|
:32:logonA:$LOGON_KEY_32_OK
|
|
:32:logo:$LOGON_KEY_32_OK
|
|
:32:llogon:$LOGON_KEY_32_OK
|
|
:32xlogon:$LOGON_KEY_32_OK
|
|
:32logon:$LOGON_KEY_32_OK
|
|
:32:logonx$LOGON_KEY_32_OK
|
|
:32:logon$LOGON_KEY_32_OK
|
|
: 32:user:$USER_KEY_32_OK
|
|
:\ 32:user:$USER_KEY_32_OK
|
|
:+32:user:$USER_KEY_32_OK
|
|
:-32:user:$USER_KEY_32_OK
|
|
:32 :user:$USER_KEY_32_OK
|
|
:32\ :user:$USER_KEY_32_OK
|
|
:32_:user:$USER_KEY_32_OK
|
|
:32+:user:$USER_KEY_32_OK
|
|
:30+2:user:$USER_KEY_32_OK
|
|
:32+0:user:$USER_KEY_32_OK
|
|
:32: user:$USER_KEY_32_OK
|
|
:32:\ user:$USER_KEY_32_OK
|
|
:32:userA:$USER_KEY_32_OK
|
|
:32:use:$USER_KEY_32_OK
|
|
:32:uuser:$USER_KEY_32_OK
|
|
:32xuser:$USER_KEY_32_OK
|
|
:32user:$USER_KEY_32_OK
|
|
:32:userx$USER_KEY_32_OK
|
|
:32:user$USER_KEY_32_OK
|
|
:32:userlogon:$USER_KEY_32_OK
|
|
:32:userlogon:$LOGON_KEY_32_OK
|
|
:32:logonuser:$USER_KEY_32_OK
|
|
:32:logonuser:$LOGON_KEY_32_OK
|
|
:32:logon:user:$USER_KEY_32_OK
|
|
:32:logon:user:$LOGON_KEY_32_OK
|
|
:32:user:logon:$USER_KEY_32_OK
|
|
:32:user:logon:$LOGON_KEY_32_OK"
|
|
|
|
# TODO: add tests with whitespace in key description (not possible with current libdevmapper)
|
|
|
|
IFS="
|
|
"
|
|
|
|
for key in $BORKED_KEYS; do
|
|
dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $key 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted seriously borked key string"
|
|
done
|
|
|
|
remove_mapping
|