Fix support for LUKS devices with an empty password
Signed-off-by: Sergio Correia <scorreia@redhat.com>
sergio-correia committed Oct 19, 2024
1 parent ea01ad0 commit d969ee4
Showing 3 changed files with 39 additions and 8 deletions.
11 changes: 9 additions & 2 deletions src/luks/clevis-luks-common-functions.in
Expand Up @@ -334,10 +334,18 @@ clevis_luks_check_valid_key_or_keyfile() {
local EXISTING_TOKEN_ID="${5:-}"

[ -z "${DEV}" ] && return 1
[ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1

local extra_args
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"

# We have an empty key here.
if [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] \
&& [ -z "${KEY}" ]; then
echo | cryptsetup open --force-password --test-passphrase "${DEV}" \
${extra_args}
return
fi

if [ -n "${KEYFILE}" ]; then
cryptsetup open --test-passphrase "${DEV}" --key-file "${KEYFILE}" \
${extra_args}
Expand Down Expand Up @@ -798,7 +806,6 @@ clevis_luks_add_key() {

[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
[ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1

local extra_args='' input
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
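Review bot: The new branch under `# We have an empty key here.` turns what used to be an argument-validation failure into a live unlock attempt: a caller that passes no key, keyfile or token id now has the empty passphrase tried against the device instead of getting `return 1`, so a missing-credential bug elsewhere in clevis will succeed silently on any device whose passphrase happens to be empty. The comment should say this is deliberate and why, e.g. `# No key, keyfile or token id was given: LUKS permits an empty passphrase (issue #494), so test it here instead of treating missing credentials as an error.` The `--force-password` flag appears to matter only to commands that set a new passphrase; if `open --test-passphrase` does not need it, dropping it keeps this call consistent with the keyfile branch just below. The enclosing function clevis_luks_check_valid_key_or_keyfile starts before this hunk, and the second hunk removes the matching guard from clevis_luks_add_key, whose body continues past that hunk, so it too now proceeds with an empty KEY.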
20 changes: 16 additions & 4 deletions src/luks/tests/bind-luks1
Expand Up @@ -40,18 +40,30 @@ UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
new_device "luks1" "${DEV}"

if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
fi

SLT=1
if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}."
fi

if [ "${state}" != "active" ]; then
error "${TEST}: state (${state}) is expected to be 'active'." >&2
error "${TEST}: state (${state}) is expected to be 'active'."
fi

if [ "${uuid}" != "${UUID}" ]; then
error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
error "${TEST}: UUID ($uuid) is expected to be '${UUID}'."
fi

# Empty password (issue #494)
DEV="${TMP}/luks1-device-empty-pw"
new_device "luks1" "${DEV}"

# Let's create an empty password.
printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey \
--force-password --batch-mode "${DEV}"

if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< ""; then
error "${TEST}: Binding is expected to succeed when the password is empty."
fi
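Review bot: The exit status of the `cryptsetup luksChangeKey` call that installs the empty passphrase is not checked, so if it fails (cryptsetup rejecting the empty passphrase, or the fixture not using `DEFAULT_PASS`) the device keeps its original passphrase and the following bind fails with a message that blames empty-password support rather than the setup step. Wrap it like the other steps in this file: `if ! printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey --force-password --batch-mode "${DEV}"; then`, `error "${TEST}: Unable to set an empty passphrase on ${DEV}."`, `fi`. Unlike the first bind, the empty-password bind is not followed by the `luksmeta show` slot/state check, so a bind that returns 0 without writing metadata would still pass; repeating that check against the new device would close the gap.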
16 changes: 14 additions & 2 deletions src/luks/tests/bind-luks2
Expand Up @@ -45,9 +45,21 @@ TOKEN_ID=5
new_device "luks2" "${DEV}"

if ! clevis luks bind -d "${DEV}" -t "$TOKEN_ID" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
fi

if ! cryptsetup token export --token-id=5 "${DEV}"; then
error "${TEST}: Clevis did not add the LUKS2 token to the correct slot." >&2
error "${TEST}: Clevis did not add the LUKS2 token to the correct slot."
fi

# Empty password (issue #494)
DEV="${TMP}/luks2-device-empty-pw"
new_device "luks2" "${DEV}"

# Let's create an empty password.
printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey \
--force-password --batch-mode "${DEV}"

if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< ""; then
error "${TEST}: Binding is expected to succeed when the password is empty."
fi
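Review bot: The `cryptsetup luksChangeKey` that creates the empty passphrase runs unchecked, so a failure there leaves the device with `DEFAULT_PASS` and the bind below then fails for a reason unrelated to empty-password support. Guard it the same way the binds are guarded: `if ! printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey --force-password --batch-mode "${DEV}"; then`, `error "${TEST}: Unable to set an empty passphrase on ${DEV}."`, `fi`. The first bind in this file pins `-t "$TOKEN_ID"` and verifies it with `cryptsetup token export`; the empty-password bind does neither, so passing `-t` here and repeating the export check would confirm a token was actually written rather than only that the command exited 0.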
