diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
commit | 1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5 (patch) | |
tree | 6cf8220b628ebd2ccfc1375dd6516c6996e9abcc /tests/ssh-test-plugin | |
parent | Initial commit. (diff) | |
download | cryptsetup-1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5.tar.xz cryptsetup-1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5.zip |
Adding upstream version 2:2.6.1.upstream/2%2.6.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/ssh-test-plugin')
-rwxr-xr-x | tests/ssh-test-plugin | 204 |
1 files changed, 204 insertions, 0 deletions
diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin new file mode 100755 index 0000000..5b3966e --- /dev/null +++ b/tests/ssh-test-plugin @@ -0,0 +1,204 @@ +#!/bin/bash + +[ -z "$CRYPTSETUP_PATH" ] && { + TOKEN_PATH="./fake_token_path.so" + [ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; } + export LD_PRELOAD=$TOKEN_PATH + CRYPTSETUP_PATH=".." +} +CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup +CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh +IMG="ssh_test.img" +MAP="sshtest" +USER="sshtest" +PASSWD="sshtest1" +PASSWD2="sshtest2" +SSH_OPTIONS="-o StrictHostKeyChecking=no" + +SSH_SERVER="localhost" +SSH_PATH="/home/$USER/keyfile" +SSH_KEY_PATH="$HOME/sshtest-key" + +FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + +CRYPTSETUP_VALGRIND=../.libs/cryptsetup +CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh +CRYPTSETUP_LIB_VALGRIND=../.libs + +[ -z "$srcdir" ] && srcdir="." + +function remove_mapping() +{ + [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP + rm -f $IMG >/dev/null 2>&1 +} + +function remove_user() +{ + id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1 + rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1 +} + +function create_user() +{ + id -u $USER >/dev/null 2>&1 + [ $? -eq 0 ] && skip "User account $USER exists, aborting." + [ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting." + + useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test." + + ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1 + [ $? -ne 0 ] && remove_user && skip "Failed to create SSH key." +} + +function ssh_check() +{ + # try to use netcat to check port 22 + nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping." +} + +function bin_check() +{ + command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped." +} + +function ssh_setup() +{ + # copy the ssh key + [ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh + touch /home/$USER/.ssh/authorized_keys + + cat $SSH_KEY_PATH.pub >> /home/$USER/.ssh/authorized_keys + [ $? -ne 0 ] && remove_user && fail "Failed to copy SSH key." + + # make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions + chown -R $USER:$USER /home/$USER/.ssh + chmod 700 /home/$USER/.ssh + chmod 644 /home/$USER/.ssh/authorized_keys + + # try to ssh and also create keyfile + ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1 + [ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH." +} + +function fail() +{ + echo "[FAILED]" + [ -n "$1" ] && echo "$1" + echo "FAILED backtrace:" + while caller $frame; do ((frame++)); done + remove_mapping + remove_user + exit 2 +} + +function skip() +{ + [ -n "$1" ] && echo "$1" + remove_mapping + exit 77 +} + +function valgrind_setup() +{ + command -v valgrind >/dev/null || fail "Cannot find valgrind." + [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." + [ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable." + export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" +} + +function valgrind_run() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" +} + +function valgrind_run_ssh() +{ + INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@" +} + +format() +{ + dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1 + + echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q + [ $? -ne 0 ] && fail "Format failed." + + echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -q + [ $? -ne 0 ] && fail "Add key failed." +} + +check_dump() +{ + dump=$1 + keyslot=$2 + + token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ") + [ "$token" = "ssh" ] || fail " token check from dump failed." + + server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ") + [ "$server" = $SSH_SERVER ] || fail " server check from dump failed." + + user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ") + [ "$user" = "$USER" ] || fail " user check from dump failed." + + path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ") + [ "$path" = "$SSH_PATH" ] || fail " path check from dump failed." + + key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ") + [ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed." + + keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ") + [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed." +} + +[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." +[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh +[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." + +# Prevent running dangerous useradd operation by default +[ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped." + +bin_check nc +bin_check useradd +bin_check ssh +bin_check ssh-keygen +bin_check sshpass +bin_check openssl + +format + +echo -n "Adding SSH token: " + +ssh_check +create_user +ssh_setup + +$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH +[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG" + +out=$($CRYPTSETUP luksDump $IMG) +check_dump "$out" 0 +echo "[OK]" + +echo -n "Activating using SSH token: " + +$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled" +$CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&- +[ $? -ne 0 ] && fail "Failed to open $IMG using SSH token" +echo "[OK]" + +# Remove the newly added token and test adding with --key-slot +$CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token" + +echo -n "Adding SSH token with --key-slot: " + +$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 +[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG" + +out=$($CRYPTSETUP luksDump $IMG) +check_dump "$out" 1 +echo "[OK]" + +remove_mapping +remove_user |