123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 |
- #!/bin/bash -ex
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2019 Red Hat, Inc.
- # Author: Sergio Correia <scorreia@redhat.com>
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- #
- error() {
- echo "${1}" >&2
- exit 1
- }
- skip_test() {
- echo "${1}" >&2
- exit 77
- }
- # We require cryptsetup >= 2.0.4 to fully support LUKSv2.
- # Support is determined at build time.
- luks2_supported() {
- return @OLD_CRYPTSETUP@
- }
- # Creates a tang adv to be used in the test.
- create_tang_adv() {
- local adv="${1}"
- local SIG="${TMP}/sig.jwk"
- jose jwk gen -i '{"alg":"ES512"}' > "${SIG}"
- local EXC="${TMP}/exc.jwk"
- jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}"
- local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
- jose jwk pub -s -i "${SIG}" -i "${EXC}" \
- | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}"
- }
- # Creates a new LUKS1 or LUKS2 device to be used.
- new_device() {
- local LUKS="${1}"
- local DEV="${2}"
- local PASS="${3}"
- # Some builders fail if the cryptsetup steps are not ran as root, so let's
- # skip the test now if not running as root.
- if [ $(id -u) != 0 ]; then
- skip_test "WARNING: You must be root to run this test; test skipped."
- fi
- # Using a default password, if none has been provided.
- if [ -z "${PASS}" ]; then
- PASS="${DEFAULT_PASS}"
- fi
- local DEV_CACHED="${TMP}/${LUKS}.cached"
- # Let's reuse an existing device, if there is one.
- if [ -f "${DEV_CACHED}" ]; then
- echo "Reusing cached ${LUKS} device..."
- cp -f "${DEV_CACHED}" "${DEV}"
- return 0
- fi
- fallocate -l16M "${DEV}"
- local extra_options='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'
- cryptsetup luksFormat --type "${LUKS}" ${extra_options} --batch-mode \
- --force-password "${DEV}" <<< "${PASS}"
- # Caching the just-formatted device for possible reuse.
- cp -f "${DEV}" "${DEV_CACHED}"
- }
- # Creates a new LUKS1 or LUKS2 device to be used, using a keyfile.
- new_device_keyfile() {
- local LUKS="${1}"
- local DEV="${2}"
- local KEYFILE="${3}"
- # Some builders fail if the cryptsetup steps are not ran as root, so let's
- # skip the test now if not running as root.
- if [ $(id -u) != 0 ]; then
- skip_test "WARNING: You must be root to run this test; test skipped."
- fi
- if [[ -z "${KEYFILE}" ]] || [[ ! -f "${KEYFILE}" ]]; then
- error "Invalid keyfile (${KEYFILE})."
- fi
- fallocate -l16M "${DEV}"
- local extra_options='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'
- cryptsetup luksFormat --type "${LUKS}" ${extra_options} --batch-mode \
- "${DEV}" "${KEYFILE}"
- }
- pin_cfg_equal() {
- local cfg1="${1}"
- local cfg2="${1}"
- diff <(jq -S . < <(echo -n "${cfg1}")) \
- <(jq -S . < <(echo -n "${cfg2}"))
- }
- export DEFAULT_PASS='just-some-test-password-here'
|