From 98bb3da708a475ff67dc019fddcb307d18856e5f Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 17 Apr 2024 10:35:42 +0200
Subject: Merging debian version 2:2.7.0-1.

Signed-off-by: Daniel Baumann
---
 debian/tests/control | 4 ++
 debian/tests/cryptdisks | 6 +--
 debian/tests/cryptdisks.init | 2 +-
 debian/tests/crypto-backend | 66 +++++++++++++++++++++++++++++++++
 debian/tests/cryptroot-nested.d/preinst | 2 +-
 debian/tests/cryptroot-nested.d/setup | 4 +-
 debian/tests/utils/mock.pm | 28 +++++++++++---
 7 files changed, 100 insertions(+), 12 deletions(-)
 create mode 100755 debian/tests/crypto-backend
(limited to 'debian/tests')

diff --git a/debian/tests/control b/debian/tests/control
index 52752a3..193d0f0 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -131,3 +131,7 @@
 Depends: linux-image-generic, linux-image-686-pae [i386]
 Restrictions: hint-testsuite-triggers
 Architecture: amd64 i386
+
+Tests: crypto-backend
+Depends: cryptsetup-bin
+Restrictions: superficial
diff --git a/debian/tests/cryptdisks b/debian/tests/cryptdisks
index 3d3223b..b8c6bcc 100755
--- a/debian/tests/cryptdisks
+++ b/debian/tests/cryptdisks
@@ -151,7 +151,7 @@ cryptdisks_stop plain_crypt
 disk_setup
 cat >/etc/crypttab <<-EOF
- sector_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-cbc-essiv:sha256,size=256,sector-size=4096
+ sector_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,sector-size=4096
 EOF
 cryptdisks_start sector_crypt 
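Review bot: The changed crypttab line keeps `size=256` while moving from `aes-cbc-essiv:sha256` to `aes-xts-plain64`; XTS consumes two AES keys of equal length, so this entry now sets up AES-128 where the old line was AES-256. That is acceptable for a fixture keyed from /dev/urandom, but nothing in the hunk records that the strength change is deliberate, and a reader comparing old and new will likely assume the cipher strength is unchanged; a comment such as `# aes-xts-plain64 with size=256 is AES-128 (XTS splits the key); enough for this test` on the `cat >/etc/crypttab <<-EOF` line would settle that. The same applies to the other cryptdisks hunks, to the `cipher=` assignment in cryptdisks.init, and to the cryptroot-nested.d/preinst and setup hunks, all of which keep 256-bit keys with the XTS cipher.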
@@ -168,7 +168,7 @@ cryptdisks_stop sector_crypt disk_setup cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" cat >/etc/crypttab <<-EOF - hash_crypt $CRYPT_DEV none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256 + hash_crypt $CRYPT_DEV none plain,cipher=aes-xts-plain64,size=256,hash=sha256 EOF cryptdisks_start hash_crypt /etc/crypttab <<-EOF - offset_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-cbc-essiv:sha256,size=256,offset=$offset,skip=$skip + offset_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,offset=$offset,skip=$skip EOF # having an existing file system before the offset has no effect (cf. #994056) diff --git a/debian/tests/cryptdisks.init b/debian/tests/cryptdisks.init index 408c325..2019e03 100755 --- a/debian/tests/cryptdisks.init +++ b/debian/tests/cryptdisks.init @@ -23,7 +23,7 @@ dmsetup create disk12 <<-EOF $((64 * 2*1024)) $((64 * 2*1024)) linear /dev/mapper/disk2 0 EOF -cipher="aes-cbc-essiv:sha256" +cipher="aes-xts-plain64" size=32 # bytes cat >/etc/crypttab <<-EOF crypt_disk0 /dev/mapper/disk0 /dev/urandom plain,cipher=$cipher,size=$((8*size)) diff --git a/debian/tests/crypto-backend b/debian/tests/crypto-backend new file mode 100755 index 0000000..47dc5a8 --- /dev/null +++ b/debian/tests/crypto-backend 
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+# Check crypto backend, see https://gitlab.com/cryptsetup/cryptsetup/-/issues/851 .
+
+set -ue
+PATH="/usr/bin:/bin"
+export PATH
+
+CRYPTSETUP="/sbin/cryptsetup"
+
+NAME="crypto-backend"
+TEMPDIR="$AUTOPKGTEST_TMP/$NAME"
+
+mkdir "$TEMPDIR"
+trap 'rm -rf -- "$TEMPDIR"' EXIT INT TERM
+
+IMG="$TEMPDIR/disk.img"
+KEYFILE="$TEMPDIR/keyfile"
+DEBUG="$TEMPDIR/debug"
+
+dd if=/dev/zero bs=1M count=64 status="none" of="$IMG"
+head -c32 /dev/urandom >"$KEYFILE"
+
+"$CRYPTSETUP" luksFormat --batch-mode \ --key-file="$KEYFILE" \ --type=luks2 \ --pbkdf=argon2id \ --pbkdf-force-iterations=4 \ --pbkdf-memory=32 \ -- "$IMG"
+
+"$CRYPTSETUP" luksOpen --debug --key-file="$KEYFILE" --test-passphrase "$IMG" >"$DEBUG"
+sed -nri '/^# Crypto backend\s+/ {s/.*?\(([^()]+)\).*/\1/p;q}' "$DEBUG"
+cat "$DEBUG"
+
+if ! grep -qE '^OpenSSL\b' <"$DEBUG"; then
+ echo "ERROR: Crypto backend isn't OpenSSL" >&2
+ exit 1
+fi
+
+sed -ri 's/^[^\[]*//' "$DEBUG"
+# " [cryptsetup libargon2]": bundled libargon2
+# " [external libargon2]": system libargon2
+# "][argon2]": crypto backend's own implementation
+if ! grep -qF " [external libargon2]" <"$DEBUG"; then
+ echo "ERROR: Unexpected argon2 backend" >&2
+ exit 1
+fi
+
+LIBCRYPTSETUP="$(env --unset=LD_PRELOAD ldd "$CRYPTSETUP" | sed -nr '/^\s*libcryptsetup\.so(\.[0-9]+)*\s+=>\s+/ {s///;s/\s.*//;p;q}')"
+if [ -z "$LIBCRYPTSETUP" ] || [ ! -e "$LIBCRYPTSETUP" ]; then
+ echo "ERROR: $CRYPTSETUP doesn't link against libcryptsetup??" >&2
+ exit 1
+fi
+
+assert_linked_argon2() {
+ local path="$1"
+ if ! env --unset=LD_PRELOAD ldd "$path" | grep -qE '^\s*libargon2\.so(\.[0-9]+)*\s+=>\s'; then
+ echo "ERROR: $path does not link against libargon2" >&2
+ exit 1
+ fi
+ return 0
+}
+
+assert_linked_argon2 "$CRYPTSETUP"
+assert_linked_argon2 "$LIBCRYPTSETUP"
diff --git a/debian/tests/cryptroot-nested.d/preinst b/debian/tests/cryptroot-nested.d/preinst
index c5f576b..bf5876a 100644
--- a/debian/tests/cryptroot-nested.d/preinst
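Review bot: In the `sed -nri '/^# Crypto backend\s+/ {s/.*?\(([^()]+)\).*/\1/p;q}'` line, `.*?` is not a lazy quantifier under GNU ERE (it parses as an optional greedy `.*`), so the substitution keeps the last parenthesised group on the line rather than the first; that works while cryptsetup prints a single group, but a second one would silently change what is compared against `^OpenSSL\b`. Anchoring on the first group removes the dependency, `s/^[^(]*\(([^()]+)\).*/\1/p`. Separately, when no `# Crypto backend` line is present at all, `$DEBUG` ends up empty and the failure is reported as "Crypto backend isn't OpenSSL", which points at the wrong cause; a `[ -s "$DEBUG" ] || { echo "ERROR: no crypto backend line in debug output" >&2; exit 1; }` before the first grep would name it. The helper also uses `local` under `#!/bin/sh`, which dash accepts but POSIX does not specify, so a one-line comment noting the dash dependency would be fair to the next maintainer.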
+++ b/debian/tests/cryptroot-nested.d/preinst @@ -2,7 +2,7 @@ cat >/etc/crypttab <<-EOF md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none vdd_crypt UUID=$(blkid -s UUID -o value /dev/vdd) none - testvg-lv0_crypt /dev/mapper/testvg-lv0 none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160 + testvg-lv0_crypt /dev/mapper/testvg-lv0 none plain,cipher=aes-xts-plain64,size=256,hash=sha256 testvg-lv1_crypt UUID=$(blkid -s UUID -o value /dev/testvg/lv1) none EOF diff --git a/debian/tests/cryptroot-nested.d/setup b/debian/tests/cryptroot-nested.d/setup index 6fb6ccd..b08da17 100644 --- a/debian/tests/cryptroot-nested.d/setup +++ b/debian/tests/cryptroot-nested.d/setup @@ -44,9 +44,9 @@ udevadm settle echo -n "testvg-lv0_crypt" >/keyfile cryptsetup open --batch-mode \ --type=plain \ - --cipher="aes-cbc-essiv:sha256" \ + --cipher="aes-xts-plain64" \ --key-size=256 \ - --hash="ripemd160" \ + --hash="sha256" \ -- "/dev/testvg/lv0" "testvg-lv0_crypt" 0) { + my $n = sysread($fh, my $buf, 4096); + if (defined $n and $n > 0) { STDOUT->printflush($buf); $BUFFER{$chan} .= $buf; } else { + die "read: $!" unless defined $n or $! == ECONNRESET; #print STDERR "INFO done reading from $chan\n"; shutdown($fh, SHUT_RD) or die "shutdown: $!"; vec($RBITS, fileno($fh), 1) = 0; @@ -228,6 +229,8 @@ sub shell($%) { # enter S3 sleep state (suspend to ram aka standby) sub suspend() { + @QMP::EVENTS = (); # flush the event queue + write_data($CONSOLE => q{systemctl suspend}); # while the command is asynchronous the system might suspend before # we have a chance to read the next $PS1 @@ -242,6 +245,8 @@ sub suspend() { } sub wakeup() { + @QMP::EVENTS = (); # flush the event queue + my $r = QMP::command(q{system_wakeup}); die if %$r; 
@@ -256,6 +261,8 @@ sub wakeup() { # enter S4 sleep state (suspend to disk aka hibernate) sub hibernate() { + @QMP::EVENTS = (); # flush the event queue + # an alternative is to send {"execute":"guest-suspend-disk"} on the # guest agent socket, but we don't want to require qemu-guest-agent # on the guest so this will have to do @@ -267,6 +274,8 @@ sub hibernate() { } sub poweroff() { + @QMP::EVENTS = (); # flush the event queue + # XXX would be nice to use the QEMU monitor here but the guest # doesn't seem to respond to system_powerdown QMP commands write_data($CONSOLE => q{poweroff}); @@ -283,6 +292,7 @@ package QMP; # https://qemu.readthedocs.io/en/latest/interop/qemu-qmp-ref.html use JSON (); +our @EVENTS; # read and decode a QMP server line sub getline() { @@ -305,6 +315,7 @@ sub command($;$) { my $resp = QMP::getline() // next; # ignore unsolicited server responses (such as events) return $resp->{return} if exists $resp->{return}; + push @EVENTS, $resp; } } @@ -330,9 +341,16 @@ BEGIN { sub wait_for_event($) { my $event_name = shift; + my @events2; while(1) { - my $resp = QMP::getline() // next; - return if exists $resp->{event} and $resp->{event} eq $event_name; + my $resp = @EVENTS ? shift @EVENTS : QMP::getline(); + next unless defined $resp; + if (exists $resp->{event} and $resp->{event} eq $event_name) { + @EVENTS = @events2; + return; + } else { + push @events2, $resp; + } } } -- cgit v1.2.3
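Review bot: The comment on the `my $resp = QMP::getline() // next; # ignore unsolicited server responses (such as events)` line is now stale, because the added `push @EVENTS, $resp;` queues every message that lacks a `return` key instead of ignoring it; it should read `# queue unsolicited server messages (events) for wait_for_event`. Unless an earlier part of the loop, which lies outside the hunk, already deals with them, a QMP `error` reply also lands in `@EVENTS` rather than being reported, and `wait_for_event` then carries it in its queue indefinitely; a guard before the push, `die "QMP error: $resp->{error}{desc}" if exists $resp->{error};`, would surface it at the command that caused it. command's body starts outside the hunk.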
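Review bot: `@EVENTS = @events2;` in the matching branch discards every entry that was still queued behind the match: when the match is shifted out of `@EVENTS`, the entries after it have not been copied to `@events2` yet and are overwritten, so a caller that waits for one event and then for a later one that had already arrived loses the second. Putting both halves back preserves arrival order, `@EVENTS = (@events2, @EVENTS);`. A queued message without an `event` key, which the `command` hunk can now produce, is kept by the `else` branch forever and re-examined on every call, so a comment on `our @EVENTS;` stating that it is expected to hold only event messages, or a check at the push site, would make that invariant explicit.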