1
Description: Fix keyfile=- processing in create command. (regression in 1.3.0)
2
Author: Milan Broz <milan.broz@redhat.com>
3
Last-Update: 2011-05-17
11
+ /* With hashing, read the whole keyfile */
12
r = crypt_activate_by_keyfile(cd, action_argv[0],
13
- CRYPT_ANY_SLOT, opt_key_file, key_size,
14
+ CRYPT_ANY_SLOT, opt_key_file, params.hash ? 0 : key_size,
15
opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
17
r = crypt_get_key(_("Enter passphrase: "),
18
--- a/tests/password-hash-test
19
+++ b/tests/password-hash-test
21
echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
26
echo -e -n "$4" | $CRYPTSETUP create -c $MODE -d "-" -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
30
+ echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
34
cat $4 | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
40
- if [ $ret -ne 0 ] ; then
43
+ # ignore these cases, not all libs/kernel supports it
44
+ if [ "$1" == "ripemd160" -o $2 -gt 256 ] ; then
45
+ if [ $ret -ne 0 ] ; then
46
+ echo " [N/A] ($ret, SKIPPED)"
51
VKEY=$(dmsetup table $DEV2 --showkeys 2>/dev/null | cut -d' ' -f 5)
53
crypt_key sha256 256 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
54
crypt_key sha256 128 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7
56
-crypt_key ripemd160 0 stdin "xxx" aeb26d1f69eb6dddfb9381eed4d7299f091e99aa5d3ff06866d4ce9f620f7aca
57
-crypt_key ripemd160 256 stdin "xxx\n" 625ce2a8dbdf08f1de400dba7ab9fab246f2a55ad6136e6cafd6703732dab8cf
58
+crypt_key sha256 0 std- "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
59
+crypt_key sha256 256 std- "xxx\n" 042aea10a0f14f2d391373599be69d53a75dde9951fc3d3cd10b6100aa7a9f24
60
+crypt_key sha256 128 std- "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" \
61
+ 2a42b97084779dcedf2c66405c5d296c
62
+crypt_key sha256 256 stdin "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
63
+crypt_key sha256 0 stdin "xxx\n" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
65
# with keyfile, hash is ignored
66
crypt_key ripemd160 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
67
crypt_key sha256 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
68
+crypt_key unknown* 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
71
crypt_key sha256:20 256 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b4580588000000000000000000000000
72
--- a/tests/api-test.c
73
+++ b/tests/api-test.c
77
#include <sys/ioctl.h>
78
+#include <libdevmapper.h>
80
#include "libcryptsetup.h"
81
#include "utils_loop.h"
83
static char *DEVICE_2 = NULL;
86
-static int _prepare_keyfile(const char *name, const char *passphrase)
88
+// Get key from kernel dm mapping table using dm-ioctl
89
+static int _get_key_dm(const char *name, char *buffer, unsigned int buffer_size)
91
+ struct dm_task *dmt;
93
+ uint64_t start, length;
94
+ char *target_type, *rcipher, *key, *params;
98
+ if (!(dmt = dm_task_create(DM_DEVICE_TABLE)))
100
+ if (!dm_task_set_name(dmt, name))
102
+ if (!dm_task_run(dmt))
104
+ if (!dm_task_get_info(dmt, &dmi))
109
+ next = dm_get_next_target(dmt, next, &start, &length, &target_type, ¶ms);
110
+ if (!target_type || strcmp(target_type, "crypt") != 0)
113
+ rcipher = strsep(¶ms, " ");
114
+ key = strsep(¶ms, " ");
116
+ if (buffer_size <= strlen(key))
119
+ strncpy(buffer, key, buffer_size);
123
+ dm_task_destroy(dmt);
128
+static int _prepare_keyfile(const char *name, const char *passphrase, int size)
132
fd = open(name, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR);
134
- r = write(fd, passphrase, strlen(passphrase));
135
+ r = write(fd, passphrase, size);
140
- return r == strlen(passphrase) ? 0 : 1;
141
+ return r == size ? 0 : 1;
144
static void _remove_keyfiles(void)
149
- OK_(_prepare_keyfile(KEYFILE1, KEY1));
150
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
151
co.key_file = KEYFILE1;
153
co.device = DEVICE_EMPTY;
158
- OK_(_prepare_keyfile(KEYFILE1, KEY1));
159
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
161
co.new_key_file = KEYFILE1;
162
co.device = DEVICE_ERROR;
167
- OK_(_prepare_keyfile(KEYFILE1, KEY1));
168
- OK_(_prepare_keyfile(KEYFILE2, KEY2));
169
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
170
+ OK_(_prepare_keyfile(KEYFILE2, KEY2, strlen(KEY2)));
172
co.new_key_file = KEYFILE1;
173
co.device = DEVICE_2;
176
orig_size = _get_device_size(DEVICE_2);
178
- OK_(_prepare_keyfile(KEYFILE2, KEY2));
179
+ OK_(_prepare_keyfile(KEYFILE2, KEY2, strlen(KEY2)));
181
co.key_file = KEYFILE2;
184
OK_(crypt_deactivate(cd, CDEVICE_1));
187
- OK_(_prepare_keyfile(KEYFILE1, KEY1));
188
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
189
FAIL_(crypt_activate_by_keyfile(cd, NULL, CRYPT_ANY_SLOT, KEYFILE1, 0, 0), "cannot verify key with plain");
190
EQ_(0, crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
191
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
193
OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
194
FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)), "not suspended");
196
- OK_(_prepare_keyfile(KEYFILE1, KEY1));
197
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
198
OK_(crypt_suspend(cd, CDEVICE_1));
199
FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1 "blah", 0), "wrong keyfile");
200
OK_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0));
202
OK_(crypt_deactivate(cd, CDEVICE_2));
204
EQ_(1, crypt_keyslot_add_by_volume_key(cd, 1, key, key_size, KEY1, strlen(KEY1)));
205
- OK_(_prepare_keyfile(KEYFILE1, KEY1));
206
- OK_(_prepare_keyfile(KEYFILE2, KEY2));
207
+ OK_(_prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
208
+ OK_(_prepare_keyfile(KEYFILE2, KEY2, strlen(KEY2)));
209
EQ_(2, crypt_keyslot_add_by_keyfile(cd, 2, KEYFILE1, 0, KEYFILE2, 0));
210
FAIL_(crypt_activate_by_keyfile(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, strlen(KEY2)-1, 0), "key mismatch");
211
EQ_(2, crypt_activate_by_keyfile(cd, NULL, CRYPT_ANY_SLOT, KEYFILE2, 0, 0));
212
@@ -899,6 +941,110 @@
216
+static void HashDevicePlain(void)
218
+ struct crypt_device *cd;
219
+ struct crypt_params_plain params = {
226
+ char *mk_hex, *keystr, key[256];
228
+ OK_(crypt_init(&cd, DEVICE_1));
229
+ OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, ¶ms));
231
+ // hash PLAIN, short key
232
+ OK_(_prepare_keyfile(KEYFILE1, "tooshort", 8));
233
+ FAIL_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 16, 0), "not enough data in keyfile");
234
+ _remove_keyfiles();
236
+ // hash PLAIN, exact key
237
+ // 0 1 2 3 4 5 6 7 8 9 a b c d e f
238
+ mk_hex = "caffeecaffeecaffeecaffeecaffee88";
240
+ crypt_decode_key(key, mk_hex, key_size);
241
+ OK_(_prepare_keyfile(KEYFILE1, key, key_size));
242
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
243
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
244
+ OK_(strcmp(key, mk_hex));
245
+ OK_(crypt_deactivate(cd, CDEVICE_1));
248
+ mk_hex = "caffeecaffeecaffeecaffeeca000000";
249
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size - 3, 0));
250
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
251
+ OK_(strcmp(key, mk_hex));
252
+ OK_(crypt_deactivate(cd, CDEVICE_1));
254
+ _remove_keyfiles();
256
+ // hash PLAIN, long key
257
+ // 0 1 2 3 4 5 6 7 8 9 a b c d e f
258
+ mk_hex = "caffeecaffeecaffeecaffeecaffee88babebabe";
260
+ crypt_decode_key(key, mk_hex, key_size);
261
+ OK_(_prepare_keyfile(KEYFILE1, key, strlen(mk_hex) / 2));
262
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
263
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
264
+ FAIL_(strcmp(key, mk_hex), "only key length used");
265
+ OK_(strncmp(key, mk_hex, key_size));
266
+ OK_(crypt_deactivate(cd, CDEVICE_1));
268
+ // Now without explicit limit
269
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
270
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
271
+ FAIL_(strcmp(key, mk_hex), "only key length used");
272
+ OK_(strncmp(key, mk_hex, key_size));
273
+ OK_(crypt_deactivate(cd, CDEVICE_1));
275
+ _remove_keyfiles();
278
+ params.hash = "sha256";
279
+ OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, ¶ms));
281
+ // 0 1 2 3 4 5 6 7 8 9 a b c d e f
282
+ mk_hex = "c62e4615bd39e222572f3a1bf7c2132e";
283
+ keystr = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
284
+ key_size = strlen(keystr); // 32
285
+ OK_(_prepare_keyfile(KEYFILE1, keystr, strlen(keystr)));
286
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
287
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
288
+ OK_(strcmp(key, mk_hex));
289
+ OK_(crypt_deactivate(cd, CDEVICE_1));
291
+ // Read full keyfile
292
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
293
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
294
+ OK_(strcmp(key, mk_hex));
295
+ OK_(crypt_deactivate(cd, CDEVICE_1));
297
+ _remove_keyfiles();
299
+ // Limit keyfile read
300
+ keystr = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAAAAAAAA";
301
+ OK_(_prepare_keyfile(KEYFILE1, keystr, strlen(keystr)));
302
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
303
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
304
+ OK_(strcmp(key, mk_hex));
305
+ OK_(crypt_deactivate(cd, CDEVICE_1));
308
+ OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
309
+ OK_(_get_key_dm(CDEVICE_1, key, sizeof(key)));
310
+ OK_(strcmp(key, "0e49cb34a1dee1df33f6505e4de44a66"));
311
+ OK_(crypt_deactivate(cd, CDEVICE_1));
313
+ _remove_keyfiles();
315
+ // FIXME: add keyfile="-" tests somehow
320
// Check that gcrypt is properly initialised in format
321
static void NonFIPSAlg(void)
324
RUN_(DeviceResizeGame, "regular crypto, resize calls");
326
RUN_(AddDevicePlain, "plain device API creation exercise");
327
+ RUN_(HashDevicePlain, "plain device API hash test");
328
RUN_(AddDeviceLuks, "Format and use LUKS device");
329
RUN_(UseLuksDevice, "Use pre-formated LUKS device");
330
RUN_(SuspendDevice, "Suspend/Resume test");
333
@@ -2003,8 +2003,9 @@
336
if (isPLAIN(cd->type)) {
337
- r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
338
- &passphrase_size_read, keyfile, keyfile_size);
339
+ r = key_from_file(cd, _("Enter passphrase: "),
340
+ &passphrase_read, &passphrase_size_read,
341
+ keyfile, keyfile_size);
344
r = create_device_helper(cd, name, cd->plain_hdr.hash,