From 9fdf616dd3a1dc8d9c17a7cd48995dd11068eedd Mon Sep 17 00:00:00 2001

From: Tomas Bzatek <tbzatek@redhat.com>

Date: Thu, 25 May 2023 14:20:05 +0200

Subject: [PATCH] LUKS FIPS fixes

---

 src/tests/dbus-tests/test_50_block.py     |  8 ++-

 src/tests/dbus-tests/test_70_encrypted.py | 67 ++++++++++-------------

 src/tests/integration-test                | 30 +++++-----

 3 files changed, 50 insertions(+), 55 deletions(-)

diff --git a/src/tests/dbus-tests/test_50_block.py b/src/tests/dbus-tests/test_50_block.py

index 2154eea8..09f8fb95 100644

--- a/src/tests/dbus-tests/test_50_block.py

+++ b/src/tests/dbus-tests/test_50_block.py

@@ -12,6 +12,8 @@ import udiskstestcase

 class UdisksBlockTest(udiskstestcase.UdisksTestCase):

     '''This is a basic block device test suite'''

+    LUKS_PASSPHRASE = 'shouldnotseeme'

+

     def _close_luks(self, disk):

         disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')

@@ -241,7 +243,7 @@ class UdisksBlockTest(udiskstestcase.UdisksTestCase):

         # format the disk

         disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0]))

-        disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block')

+        disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block')

         # cleanup -- close the luks and remove format

         self.addCleanup(self.wipe_fs, self.vdevs[0])

@@ -249,7 +251,7 @@ class UdisksBlockTest(udiskstestcase.UdisksTestCase):

         # configuration items as arrays of dbus.Byte

         opts = self.str_to_ay('verify')

-        passwd = self.str_to_ay('test')

+        passwd = self.str_to_ay(self.LUKS_PASSPHRASE)

         # set the new configuration

         conf = dbus.Dictionary({'passphrase-contents': passwd,

@@ -294,7 +296,7 @@ class UdisksBlockTest(udiskstestcase.UdisksTestCase):

         # format the disk

         disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0]))

-        disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block')

+        disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block')

         # cleanup -- close the luks and remove format

         self.addCleanup(self.wipe_fs, self.vdevs[0])

diff --git a/src/tests/dbus-tests/test_70_encrypted.py b/src/tests/dbus-tests/test_70_encrypted.py

index effcceac..2f5a8854 100644

--- a/src/tests/dbus-tests/test_70_encrypted.py

+++ b/src/tests/dbus-tests/test_70_encrypted.py

@@ -40,6 +40,9 @@ def _get_blkid_version():

 class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

     '''This is an encrypted device test suite'''

+    PASSPHRASE = 'shouldnotseeme'

+    LUKS_NAME = 'myshinylittleluks'

+

     def _create_luks(self, device, passphrase, binary=False):

         raise NotImplementedError()

@@ -60,7 +63,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         disk_name = os.path.basename(self.vdevs[0])

         disk = self.get_object('/block_devices/' + disk_name)

-        self._create_luks(disk, 'test')

+        self._create_luks(disk, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, disk)

         self.udev_settle()

@@ -124,7 +127,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         disk_name = os.path.basename(self.vdevs[0])

         disk = self.get_object('/block_devices/' + disk_name)

-        self._create_luks(disk, 'test')

+        self._create_luks(disk, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, disk)

         self.udev_settle()

@@ -160,11 +163,11 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         # wrong password

         msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0]

         with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):

-            disk.Unlock('shbdkjaf', self.no_options,

+            disk.Unlock('abcdefghijklmn', self.no_options,

                         dbus_interface=self.iface_prefix + '.Encrypted')

         # right password

-        luks = disk.Unlock('test', self.no_options,

+        luks = disk.Unlock(self.PASSPHRASE, self.no_options,

                            dbus_interface=self.iface_prefix + '.Encrypted')

         self.assertIsNotNone(luks)

         self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid))

@@ -180,7 +183,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         # read-only

         ro_opts = dbus.Dictionary({'read-only': dbus.Boolean(True)}, signature=dbus.Signature('sv'))

-        luks = disk.Unlock('test', ro_opts,

+        luks = disk.Unlock(self.PASSPHRASE, ro_opts,

                            dbus_interface=self.iface_prefix + '.Encrypted')

         self.assertIsNotNone(luks)

         self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid))

@@ -196,13 +199,10 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         crypttab = self.read_file('/etc/crypttab')

         self.addCleanup(self.write_file, '/etc/crypttab', crypttab)

-        passwd = 'test'

-        luks_name = 'myshinylittleluks'

-

         disk_name = os.path.basename(self.vdevs[0])

         disk = self.get_object('/block_devices/' + disk_name)

-        self._create_luks(disk, passwd)

+        self._create_luks(disk, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, disk)

         self.udev_settle()

@@ -212,20 +212,20 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')

         # add new entry to the crypttab

-        new_crypttab = crypttab + '%s UUID=%s none\n' % (luks_name, disk_uuid)

+        new_crypttab = crypttab + '%s UUID=%s none\n' % (self.LUKS_NAME, disk_uuid)

         self.write_file('/etc/crypttab', new_crypttab)

         dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block')

         self.assertIsNotNone(dbus_conf)

-        self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name)

+        self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME)

         # unlock the device

-        luks = disk.Unlock(passwd, self.no_options,

+        luks = disk.Unlock(self.PASSPHRASE, self.no_options,

                            dbus_interface=self.iface_prefix + '.Encrypted')

         self.assertIsNotNone(luks)

         # unlock should use name from crypttab for the /dev/mapper device

-        dm_path = '/dev/mapper/%s' % luks_name

+        dm_path = '/dev/mapper/%s' % self.LUKS_NAME

         self.assertTrue(os.path.exists(dm_path))

         # preferred 'device' should be /dev/mapper/name too

@@ -240,8 +240,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         crypttab = self.read_file('/etc/crypttab')

         self.addCleanup(self.write_file, '/etc/crypttab', crypttab)

-        passwd = b'test\0test'

-        luks_name = 'myshinylittleluks'

+        passwd = b'testtesttest\0testtesttest'

         # create key file

         _fd, key_file = tempfile.mkstemp()

@@ -262,12 +261,12 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')

         # add new entry to the crypttab

-        new_crypttab = crypttab + '%s UUID=%s %s\n' % (luks_name, disk_uuid, key_file)

+        new_crypttab = crypttab + '%s UUID=%s %s\n' % (self.LUKS_NAME, disk_uuid, key_file)

         self.write_file('/etc/crypttab', new_crypttab)

         dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block')

         self.assertIsNotNone(dbus_conf)

-        self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name)

+        self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME)

         self.assertEqual(self.ay_to_str(dbus_conf[0][1]['passphrase-path']), key_file)

         # unlock the device using empty passphrase (should use the key file)

@@ -276,7 +275,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         self.assertIsNotNone(luks)

         # unlock should use name from crypttab for the /dev/mapper device

-        dm_path = '/dev/mapper/%s' % luks_name

+        dm_path = '/dev/mapper/%s' % self.LUKS_NAME

         self.assertTrue(os.path.exists(dm_path))

         # preferred 'device' should be /dev/mapper/name too

@@ -289,7 +288,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         disk_name = os.path.basename(self.vdevs[0])

         disk = self.get_object('/block_devices/' + disk_name)

-        self._create_luks(disk, 'test')

+        self._create_luks(disk, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, disk)

         self.udev_settle()

@@ -316,11 +315,11 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         disk_name = os.path.basename(self.vdevs[0])

         disk = self.get_object('/block_devices/' + disk_name)

-        self._create_luks(disk, 'test')

+        self._create_luks(disk, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, disk)

         self.udev_settle()

-        disk.ChangePassphrase('test', 'password', self.no_options,

+        disk.ChangePassphrase(self.PASSPHRASE, self.PASSPHRASE + '222', self.no_options,

                               dbus_interface=self.iface_prefix + '.Encrypted')

         disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted')

@@ -328,11 +327,11 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         # old password, should fail

         msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0]

         with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):

-            disk.Unlock('test', self.no_options,

+            disk.Unlock(self.PASSPHRASE, self.no_options,

                         dbus_interface=self.iface_prefix + '.Encrypted')

         # new password

-        luks = disk.Unlock('password', self.no_options,

+        luks = disk.Unlock(self.PASSPHRASE + '222', self.no_options,

                            dbus_interface=self.iface_prefix + '.Encrypted')

         self.assertIsNotNone(luks)

@@ -343,7 +342,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

     def test_resize(self):

         device = self.get_device(self.vdevs[0])

-        self._create_luks(device, 'test')

+        self._create_luks(device, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, device)

         self.udev_settle()

@@ -372,8 +371,6 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         fstab = self.read_file('/etc/fstab')

         self.addCleanup(self.write_file, '/etc/fstab', fstab)

-        passphrase = 'test'

-

         disk_name = os.path.basename(self.vdevs[0])

         disk = self.get_object('/block_devices/' + disk_name)

@@ -384,7 +381,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase):

         self.assertIsNotNone(part)

         # create LUKS on the partition and add it to crypttab

-        self._create_luks(part, passphrase)

+        self._create_luks(part, self.PASSPHRASE)

         self.udev_settle()

         conf = dbus.Dictionary({'name': self.str_to_ay('udisks_luks_test'),

@@ -521,10 +518,8 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest):

         super(UdisksEncryptedTestLUKS2, self).setUp()

     def test_resize(self):

-        passwd = 'test'

-

         device = self.get_device(self.vdevs[0])

-        self._create_luks(device, passwd)

+        self._create_luks(device, self.PASSPHRASE)

         self.addCleanup(self._remove_luks, device)

         self.udev_settle()

@@ -550,7 +545,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest):

         # right passphrase

         d = dbus.Dictionary(signature='sv')

-        d['passphrase'] = passwd

+        d['passphrase'] = self.PASSPHRASE

         device.Resize(dbus.UInt64(100*1024*1024), d,

                       dbus_interface=self.iface_prefix + '.Encrypted')

@@ -559,7 +554,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest):

         # resize back to the original size (using binary passphrase)

         d = dbus.Dictionary(signature='sv')

-        d['keyfile_contents'] = self.str_to_ay(passwd, False)

+        d['keyfile_contents'] = self.str_to_ay(self.PASSPHRASE, False)

         device.Resize(dbus.UInt64(clear_size), d,

                       dbus_interface=self.iface_prefix + '.Encrypted')

@@ -577,7 +572,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest):

         # create LUKS without specifying version

         options = dbus.Dictionary(signature='sv')

-        options['encrypt.passphrase'] = 'test'

+        options['encrypt.passphrase'] = self.PASSPHRASE

         disk.Format('xfs', options,

                     dbus_interface=self.iface_prefix + '.Block')

@@ -613,14 +608,12 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest):

     @udiskstestcase.tag_test(udiskstestcase.TestTags.UNSTABLE)

     def test_integrity(self):

-        passwd = 'test'

-

         cryptsetup_version = _get_cryptsetup_version()

         if cryptsetup_version < LooseVersion('2.2.0'):

             self.skipTest('Integrity devices are not marked as internal in cryptsetup < 2.2.0')

         device = self.get_device(self.vdevs[0])

-        self._create_luks_integrity(self.vdevs[0], passwd)

+        self._create_luks_integrity(self.vdevs[0], self.PASSPHRASE)

         self.addCleanup(self._remove_luks, device)

         self.udev_settle()

@@ -630,7 +623,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest):

         # the device is not opened, we need to read the UUID from LUKS metadata

         luks_uuid = BlockDev.crypto_luks_uuid(self.vdevs[0])

-        luks_path = device.Unlock('test', self.no_options,

+        luks_path = device.Unlock(self.PASSPHRASE, self.no_options,

                                   dbus_interface=self.iface_prefix + '.Encrypted')

         self.assertIsNotNone(luks_path)

         self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid))

diff --git a/src/tests/integration-test b/src/tests/integration-test

index 4499a6a9..71955559 100755

--- a/src/tests/integration-test

+++ b/src/tests/integration-test

@@ -1336,7 +1336,7 @@ class Luks(UDisksTestCase):

     def setup_crypto_device(self):

         self.fs_create(None, 'ext4', GLib.Variant('a{sv}', {

-            'encrypt.passphrase': GLib.Variant('s', 's3kr1t'),

+            'encrypt.passphrase': GLib.Variant('s', 's3kr1ts3kr1t'),

             'label': GLib.Variant('s', 'treasure')}))

         self.client.settle()

         crypt_obj = self.client.get_object(self.udisks_block().get_object_path())

@@ -1347,7 +1347,7 @@ class Luks(UDisksTestCase):

     @staticmethod

     def unlock_crypto_device(encrypted):

         return encrypted.call_unlock_sync(

-            's3kr1t', no_options, None)

+            's3kr1ts3kr1t', no_options, None)

     def tearDown(self):

         """clean up behind failed test cases"""

@@ -1415,7 +1415,7 @@ class Luks(UDisksTestCase):

             udev_dump = subprocess.Popen(['udevadm', 'info', '--export-db'],

                                          stdout=subprocess.PIPE)

             out = udev_dump.communicate()[0]

-            self.assertFalse(b's3kr1t' in out, 'password in udev properties')

+            self.assertFalse(b's3kr1ts3kr1t' in out, 'password in udev properties')

             self.assertFalse(b'essiv:sha' in out, 'key information in udev properties')

         finally:

@@ -1525,18 +1525,18 @@ class Luks(UDisksTestCase):

         encrypted = self.setup_crypto_device()

         # wrong password, has bytes after a trailing '\0'

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

-                          '', Luks.keyfile_options(b's3kr1t\0X'), None)

+                          '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None)

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

-                          '', Luks.keyfile_options(b's3kr1t\n'), None)

+                          '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None)

         # correct password, specified as keyfile

-        encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None)

+        encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None)

         encrypted.call_lock_sync(no_options, None)

     def test_plaintext_keyfile(self):

         """Setup a device using a plaintext keyfile."""

         # Using a plaintext keyfile should be equivalent to passphrase

         self.fs_create(None, 'ext4', GLib.Variant('a{sv}', {

-            'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1t')),

+            'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1ts3kr1t')),

             'label': GLib.Variant('s', 'treasure')}))

         crypt_obj = self.client.get_object(self.udisks_block().get_object_path())

@@ -1547,16 +1547,16 @@ class Luks(UDisksTestCase):

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

                           'h4ckpassword', no_options, None)

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

-                          '', Luks.keyfile_options(b's3kr1t\0X'), None)

+                          '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None)

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

-                          '', Luks.keyfile_options(b's3kr1t\n'), None)

+                          '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None)

         # correct password

-        encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None)

+        encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None)

         encrypted.call_lock_sync(no_options, None)

         # correct password, specified as passphrase

-        encrypted.call_unlock_sync('s3kr1t', no_options, None)

+        encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None)

         encrypted.call_lock_sync(no_options, None)

     def test_binary_keyfile(self):

@@ -1622,11 +1622,11 @@ class Luks(UDisksTestCase):

         encrypted = self.setup_crypto_device()

         # change: passphrase -> passphrase

-        encrypted.call_change_passphrase_sync('s3kr1t', 'passphrase', no_options, None)

+        encrypted.call_change_passphrase_sync('s3kr1ts3kr1t', 'passphrase', no_options, None)

         # verify new password:

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

-                          's3kr1t', no_options, None)

+                          's3kr1ts3kr1t', no_options, None)

         encrypted.call_unlock_sync('passphrase', no_options, None)

         encrypted.call_lock_sync(no_options, None)

@@ -1659,7 +1659,7 @@ class Luks(UDisksTestCase):

         # change: keyfile -> passphrase

         encrypted.call_change_passphrase_sync(

-            '', 's3kr1t', GLib.Variant('a{sv}', {

+            '', 's3kr1ts3kr1t', GLib.Variant('a{sv}', {

                 'old_keyfile_contents': GLib.Variant('ay', _bytes_to_ay(key_file_1)),

             }),

             None)

@@ -1667,7 +1667,7 @@ class Luks(UDisksTestCase):

         # verify new password:

         self.assertRaises(GLib.GError, encrypted.call_unlock_sync,

                           '', Luks.keyfile_options(key_file_1), None)

-        encrypted.call_unlock_sync('s3kr1t', no_options, None)

+        encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None)

         encrypted.call_lock_sync(no_options, None)

-- 

2.39.1