Diffstat (limited to 'debian/tests')
-rwxr-xr-x | debian/tests/askpass.sh | 72 | ||||
-rw-r--r-- | debian/tests/control | 7 | ||||
-rwxr-xr-x | debian/tests/testsuite.sh | 9 |
3 files changed, 88 insertions, 0 deletions
diff --git a/debian/tests/askpass.sh b/debian/tests/askpass.sh
new file mode 100755
index 0000000..a04f272
--- /dev/null
+++ b/debian/tests/askpass.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+set -e
+
+cd ${AUTOPKGTEST_TMP:-/tmp}
+
+#verbose="--verbose --debug --debug-json"
+verbose="--verbose"
+
+echo ">> Setup the 'cryptedfs' file that will contain the luks container"
+dd if=/dev/zero of=cryptedfs count=1 bs=20M
+echo -n "this the passphrase" >keyfile-default
+echo -n "nuke-it" >keyfile-nuke
+
+echo ">> Format with cryptsetup"
+cryptsetup --batch-mode $verbose --use-urandom luksFormat cryptedfs keyfile-default
+
+echo ">> Add nuke passphrase"
+mkdir -p /etc/cryptsetup-nuke-password
+cat keyfile-nuke | /usr/lib/cryptsetup-nuke-password/crypt --generate \
+ >/etc/cryptsetup-nuke-password/password_hash
+
+echo ">> Open the luks container"
+cryptsetup $verbose open cryptedfs testnuke --key-file keyfile-default
+if [ ! -e /dev/mapper/testnuke ]; then
+ echo "ERROR: /dev/mapper/testnuke has not been created"
+ exit 1
+fi
+
+echo ">> Create the initial filesystem and put a flag file on it"
+mkfs.ext4 /dev/mapper/testnuke
+mount /dev/mapper/testnuke /mnt
+echo "Debian rules!" >/mnt/my-secret-file
+umount /mnt
+cryptsetup $verbose close testnuke
+
+echo ">> Backup the luks header"
+rm -f luks-header-backup
+cryptsetup $verbose luksHeaderBackup cryptedfs --header-backup-file luks-header-backup
+
+echo ">> Call askpass with the nuke password"
+export CRYPTTAB_SOURCE="$(pwd)/cryptedfs"
+export DIVERTED_ASKPASS="$(pwd)/askpass"
+cat >$DIVERTED_ASKPASS <<END
+#!/bin/sh
+cat keyfile-nuke
+END
+chmod 755 $DIVERTED_ASKPASS
+password=$(/lib/cryptsetup/askpass)
+if [ "$password" != "nuke-it" ]; then
+ echo "ERROR: askpass did not print the expected password on stdout (expected: 'nuke-it', was: '$password')"
+ exit 1
+fi
+
+echo ">> Ensuring that we can no longer open the luks container"
+cryptsetup $verbose open cryptedfs testnuke --key-file keyfile-default || RESULT=$?
+if [ $RESULT = 0 ]; then
+ echo "ERROR: open with nuke password worked!"
+ set +e
+ mount /dev/mapper/testnuke /mnt
+ if [ -e /mnt/my-secret-file ]; then
+ echo "ERROR: and the flag file can be seen"
+ fi
+ umount /mnt
+ cryptsetup $verbose close testnuke
+ exit 1
+fi
+if [ -e /dev/mapper/testnuke ]; then
+ echo "ERROR: /dev/mapper/testnuke should not exist"
+ cryptsetup $verbose close testnuke
+ exit 1
+fi
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..dbd7f33
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,7 @@
+Tests: testsuite.sh
+Depends: @, shunit2
+Restrictions: allow-stderr
+
+Tests: askpass.sh
+Depends: @, cryptsetup
+Restrictions: needs-root, allow-stderr, isolation-machine
diff --git a/debian/tests/testsuite.sh b/debian/tests/testsuite.sh
new file mode 100755
index 0000000..8ae11c6
--- /dev/null
+++ b/debian/tests/testsuite.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# Configure the test suite to run against the files installed
+# in the package
+export CRYPT=/usr/lib/cryptsetup-nuke-password/crypt
+export ASKPASS=/lib/cryptsetup/askpass
+
+# Run the upstream test-suite
+make check |
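Review bot: In debian/tests/askpass.sh, `RESULT` is assigned only when the final `cryptsetup open` fails, so in the very case this test exists to catch (the container still opens after the nuke password was entered) `[ $RESULT = 0 ]` expands to `[ = 0 ]`, which is not a valid test, and the branch that mounts the volume and looks for the flag file is skipped. The failure is then reported only by the later `/dev/mapper/testnuke should not exist` check, and a `RESULT` inherited from the environment could change the outcome. Initialise and quote it: `RESULT=0` before the open, then `if [ "$RESULT" -eq 0 ]; then`. Separately, `cd ${AUTOPKGTEST_TMP:-/tmp}` is unquoted and falls back to `/tmp`, where this root-run script writes fixed names such as `keyfile-default` and `askpass`; quoting it and falling back to a `mktemp -d` directory would avoid that.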
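Review bot: In debian/tests/control, the `askpass.sh` stanza may also need `breaks-testbed`, because the script writes `/etc/cryptsetup-nuke-password/password_hash` from the known test password `nuke-it` and never removes it. A testbed reused afterwards would keep a working nuke password installed. Either extend the line to `Restrictions: needs-root, allow-stderr, isolation-machine, breaks-testbed` or have the script delete the hash on exit. The script also calls `mkfs.ext4` and `mount`, which `Depends: @, cryptsetup` assumes are already on the testbed; that is presumably true of a standard image but worth confirming.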