From d969ee4331b9e5d9743eacc544d3f78f89b4f478 Mon Sep 17 00:00:00 2001
From: Sergio Correia
Date: Sat, 19 Oct 2024 20:22:26 +0100
Subject: [PATCH] Fix support for LUKS device with an empty password
Signed-off-by: Sergio Correia
---
 src/luks/clevis-luks-common-functions.in | 11 +++++++++--
 src/luks/tests/bind-luks1 | 20 ++++++++++++++++----
 src/luks/tests/bind-luks2 | 16 ++++++++++++++--
 3 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index 29e4631d..2b393160 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -334,10 +334,18 @@ clevis_luks_check_valid_key_or_keyfile() {
 local EXISTING_TOKEN_ID="${5:-}"
 [ -z "${DEV}" ] && return 1
- [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
 local extra_args
 extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
+
+ # We have an empty key here.
+ if [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] \
+ && [ -z "${KEY}" ]; then
+ echo | cryptsetup open --force-password --test-passphrase "${DEV}" \
+ ${extra_args}
+ return
+ fi
+
 if [ -n "${KEYFILE}" ]; then
 cryptsetup open --test-passphrase "${DEV}" --key-file "${KEYFILE}" \
 ${extra_args}
@@ -798,7 +806,6 @@ clevis_luks_add_key() {
 [ -z "${DEV}" ] && return 1
 [ -z "${NEWKEY}" ] && return 1
- [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
 local extra_args='' input
 input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
diff --git a/src/luks/tests/bind-luks1 b/src/luks/tests/bind-luks1
index a66e5e83..0eae1be7 100755
--- a/src/luks/tests/bind-luks1
+++ b/src/luks/tests/bind-luks1
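Review bot: The new empty-key branch in clevis_luks_check_valid_key_or_keyfile turns what used to be an early `return 1` for "no credential given" into a real unlock attempt against the device, and the one-line comment `# We have an empty key here.` does not say that this is deliberate. A caller that arrives here with KEY, KEYFILE and EXISTING_TOKEN_ID all unset because a variable went missing will now run cryptsetup and succeed whenever the device really has an empty passphrase, which is the intended fix but deserves to be stated: `# An empty key is a legitimate passphrase (issue #494): probe it with an empty line on stdin instead of rejecting it.` As far as I know `--force-password` only disables quality checking of new passphrases, so on `open --test-passphrase` it is presumably a no-op; if it was added for a particular cryptsetup behaviour, a comment saying so would save the next reader a trip to the man page. The function continues outside the hunk.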
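Review bot: Dropping the guard in clevis_luks_add_key leaves nothing that records that an empty KEY is now an accepted input, yet the context line `input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"` directly below depends on it: with KEY empty the generated input begins with an empty line, which presumably is what the later cryptsetup call reads as the existing passphrase. A short comment above that assignment, `# KEY may legitimately be empty (issue #494); the first line of input is then empty.`, would keep this site consistent with the explicit empty-key branch added in clevis_luks_check_valid_key_or_keyfile. The remainder of clevis_luks_add_key, including the command that consumes input, is outside the hunk, so whether that path needs any further adjustment for an empty passphrase cannot be checked here.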
@@ -40,18 +40,30 @@ UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
 new_device "luks1" "${DEV}"
 if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
- error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
 fi
 SLT=1
 if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
- error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}."
 fi
 if [ "${state}" != "active" ]; then
- error "${TEST}: state (${state}) is expected to be 'active'." >&2
+ error "${TEST}: state (${state}) is expected to be 'active'."
 fi
 if [ "${uuid}" != "${UUID}" ]; then
- error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'."
+fi
+
+# Empty password (issue #494)
+DEV="${TMP}/luks1-device-empty-pw"
+new_device "luks1" "${DEV}"
+
+# Let's create an empty password.
+printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey \
+ --force-password --batch-mode "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< ""; then
+ error "${TEST}: Binding is expected to succeed when the password is empty."
 fi
diff --git a/src/luks/tests/bind-luks2 b/src/luks/tests/bind-luks2
index 04c6b8e9..1965b00e 100755
--- a/src/luks/tests/bind-luks2
+++ b/src/luks/tests/bind-luks2
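Review bot: The exit status of the `cryptsetup luksChangeKey` pipeline that is meant to set the empty passphrase is never checked, so if the change is refused the test carries on and fails at the bind step with the misleading message that binding is expected to succeed with an empty password. Append `|| error "${TEST}: Unable to set an empty password on ${DEV}."` to the `--force-password --batch-mode "${DEV}"` line; the same applies to the luks2 test in the next hunk. The empty-password device is also never verified beyond bind exiting 0, whereas the first device has its luksmeta slot state and UUID checked; repeating that `luksmeta show` check against the new device would confirm the binding was actually written.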
@@ -45,9 +45,21 @@ TOKEN_ID=5
 new_device "luks2" "${DEV}"
 if ! clevis luks bind -d "${DEV}" -t "$TOKEN_ID" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
- error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
 fi
 if ! cryptsetup token export --token-id=5 "${DEV}"; then
- error "${TEST}: Clevis did not add the LUKS2 token to the correct slot." >&2
+ error "${TEST}: Clevis did not add the LUKS2 token to the correct slot."
+fi
+
+# Empty password (issue #494)
+DEV="${TMP}/luks2-device-empty-pw"
+new_device "luks2" "${DEV}"
+
+# Let's create an empty password.
+printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey \
+ --force-password --batch-mode "${DEV}"
+
+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< ""; then
+ error "${TEST}: Binding is expected to succeed when the password is empty."
 fi
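Review bot: The empty-password bind on `DEV="${TMP}/luks2-device-empty-pw"` drops the `-t "$TOKEN_ID"` that the first case passes and is not followed by a `cryptsetup token export` check, so the new case only proves that bind exits 0, not that a token was written for a device whose passphrase is empty. Passing `-t "$TOKEN_ID"` again and repeating `cryptsetup token export --token-id=5 "${DEV}"` with its `error` branch against the new device would verify the actual outcome rather than just the exit status.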