221 lines
6.5 KiB
Bash
Executable file
221 lines
6.5 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
[ -z "$CRYPTSETUP_PATH" ] && {
|
|
CRYPTSETUP_PATH=".."
|
|
if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
|
|
SSH_BUILD_DIR="$PWD/../.libs"
|
|
fi
|
|
}
|
|
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
|
CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
|
|
IMG="ssh_test.img"
|
|
MAP="sshtest"
|
|
USER="sshtest"
|
|
PASSWD="sshtest1"
|
|
PASSWD2="sshtest2"
|
|
SSH_OPTIONS="-o StrictHostKeyChecking=no"
|
|
|
|
SSH_SERVER="localhost"
|
|
SSH_PATH="/home/$USER/keyfile"
|
|
SSH_KEY_PATH="$HOME/sshtest-key"
|
|
|
|
FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
|
|
|
if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
|
|
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
|
CRYPTSETUP_VALGRIND=$CRYPTSETUP
|
|
CRYPTSETUP_SSH=$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh
|
|
CRYPTSETUP_SSH_VALGRIND=$CRYPTSETUP_SSH
|
|
else
|
|
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
|
|
CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh
|
|
CRYPTSETUP_LIB_VALGRIND=../.libs
|
|
fi
|
|
|
|
[ -z "$srcdir" ] && srcdir="."
|
|
|
|
[ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] || {
|
|
# test runs on meson build
|
|
CRYPTSETUP_SSH="$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh"
|
|
}
|
|
|
|
function remove_mapping()
|
|
{
|
|
[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
|
|
rm -f $IMG >/dev/null 2>&1
|
|
}
|
|
|
|
function remove_user()
|
|
{
|
|
id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1
|
|
rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1
|
|
}
|
|
|
|
function create_user()
|
|
{
|
|
id -u $USER >/dev/null 2>&1
|
|
[ $? -eq 0 ] && skip "User account $USER exists, aborting."
|
|
[ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting."
|
|
|
|
useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test."
|
|
|
|
ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1
|
|
[ $? -ne 0 ] && remove_user && skip "Failed to create SSH key."
|
|
}
|
|
|
|
function ssh_check()
|
|
{
|
|
# try to use netcat to check port 22
|
|
nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping."
|
|
}
|
|
|
|
function bin_check()
|
|
{
|
|
command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
|
|
}
|
|
|
|
function ssh_setup()
|
|
{
|
|
# copy the ssh key
|
|
[ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh
|
|
touch /home/$USER/.ssh/authorized_keys
|
|
|
|
cat $SSH_KEY_PATH.pub >> /home/$USER/.ssh/authorized_keys
|
|
[ $? -ne 0 ] && remove_user && fail "Failed to copy SSH key."
|
|
|
|
# make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions
|
|
chown -R $USER:$USER /home/$USER/.ssh
|
|
chmod 700 /home/$USER/.ssh
|
|
chmod 644 /home/$USER/.ssh/authorized_keys
|
|
|
|
# try to ssh and also create keyfile
|
|
ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1
|
|
[ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH."
|
|
}
|
|
|
|
function fail()
|
|
{
|
|
echo "[FAILED]"
|
|
[ -n "$1" ] && echo "$1"
|
|
echo "FAILED backtrace:"
|
|
while caller $frame; do ((frame++)); done
|
|
remove_mapping
|
|
remove_user
|
|
exit 2
|
|
}
|
|
|
|
function skip()
|
|
{
|
|
[ -n "$1" ] && echo "$1"
|
|
remove_mapping
|
|
exit 77
|
|
}
|
|
|
|
function valgrind_setup()
|
|
{
|
|
command -v valgrind >/dev/null || fail "Cannot find valgrind."
|
|
[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
|
|
[ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable."
|
|
if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
|
|
export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
|
|
fi
|
|
}
|
|
|
|
function valgrind_run()
|
|
{
|
|
INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
|
|
}
|
|
|
|
function valgrind_run_ssh()
|
|
{
|
|
INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@"
|
|
}
|
|
|
|
format()
|
|
{
|
|
dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
|
|
|
|
echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q
|
|
[ $? -ne 0 ] && fail "Format failed."
|
|
|
|
echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -q
|
|
[ $? -ne 0 ] && fail "Add key failed."
|
|
}
|
|
|
|
check_dump()
|
|
{
|
|
dump=$1
|
|
keyslot=$2
|
|
|
|
token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ")
|
|
[ "$token" = "ssh" ] || fail " token check from dump failed."
|
|
|
|
server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ")
|
|
[ "$server" = $SSH_SERVER ] || fail " server check from dump failed."
|
|
|
|
user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ")
|
|
[ "$user" = "$USER" ] || fail " user check from dump failed."
|
|
|
|
path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ")
|
|
[ "$path" = "$SSH_PATH" ] || fail " path check from dump failed."
|
|
|
|
key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ")
|
|
[ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed."
|
|
|
|
keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ")
|
|
[ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed."
|
|
}
|
|
|
|
if [ -n "$SSH_BUILD_DIR" ]; then
|
|
CUSTOM_TOKENS_PATH="--external-tokens-path $SSH_BUILD_DIR"
|
|
fi
|
|
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
|
|
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh
|
|
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
|
|
|
|
# Prevent running dangerous useradd operation by default
|
|
[ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped."
|
|
|
|
bin_check nc
|
|
bin_check useradd
|
|
bin_check ssh
|
|
bin_check ssh-keygen
|
|
bin_check sshpass
|
|
bin_check openssl
|
|
|
|
format
|
|
|
|
echo -n "Adding SSH token: "
|
|
|
|
ssh_check
|
|
create_user
|
|
ssh_setup
|
|
|
|
$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH $CUSTOM_TOKENS_PATH
|
|
[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
|
|
|
|
out=$($CRYPTSETUP luksDump $CUSTOM_TOKENS_PATH $IMG)
|
|
check_dump "$out" 0
|
|
echo "[OK]"
|
|
|
|
echo -n "Activating using SSH token: "
|
|
|
|
$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled"
|
|
$CRYPTSETUP luksOpen $CUSTOM_TOKENS_PATH -r $IMG $MAP -q >/dev/null 2>&1 <&-
|
|
[ $? -ne 0 ] && fail "Failed to open $IMG using SSH token"
|
|
echo "[OK]"
|
|
|
|
# Remove the newly added token and test adding with --key-slot
|
|
$CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token"
|
|
|
|
echo -n "Adding SSH token with --key-slot: "
|
|
|
|
$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 $CUSTOM_TOKENS_PATH
|
|
[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
|
|
|
|
out=$($CRYPTSETUP luksDump $CUSTOM_TOKENS_PATH $IMG)
|
|
check_dump "$out" 1
|
|
echo "[OK]"
|
|
|
|
remove_mapping
|
|
remove_user
|