Merge ~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-bionic into ubuntu/+source/libpam-mount:ubuntu/bionic-devel

Proposed by Christian Ehrhardt  on 2019-02-06
Status: Merged
Approved by: Andreas Hasenack on 2019-02-07
Approved revision: 5c0a7edb8fe83691c7921d56f26b4a5eab8ae5bc
Merge reported by: Christian Ehrhardt 
Merged at revision: a88b66d8151dad0663e96c203e76d564ef031e35
Proposed branch: ~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-bionic
Merge into: ubuntu/+source/libpam-mount:ubuntu/bionic-devel
Diff against target: 157 lines (+123/-0)
5 files modified
debian/changelog (+9/-0)
debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch (+49/-0)
debian/patches/series (+1/-0)
debian/tests/control (+3/-0)
debian/tests/local-luks (+61/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack 2019-02-06 Approve on 2019-02-07
Canonical Server Team 2019-02-06 Pending
Ubuntu Server Dev import team 2019-02-06 Pending
Review via email: mp+362811@code.launchpad.net
To post a comment you must log in.
Christian Ehrhardt  (paelzer) wrote :

PPA available at: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3635

I added autopkgtests as I realized what I wrote for the bug would almost already make a good test.
For Disco I'd not upload the tests as Delta, but instead open them as MP/Bug to Debian to be included there. Only if there is no activity I'd consider adding a Delta.

But lets get a review here first :-)

The PPA worked on my box as outlined in the SRU template.

Tests will run soon (the PPA just rebuilds) and will be available in Bileto then.

Christian Ehrhardt  (paelzer) wrote :

I added an dep8 test for some extra confidence
Result example:
Cosmic with fix: http://paste.ubuntu.com/p/nfwBTqBdP9/
Cosmic without: http://paste.ubuntu.com/p/2rzYZJ3RYJ/
Bionic with fix: http://paste.ubuntu.com/p/WwFDY99dNh/

Christian Ehrhardt  (paelzer) wrote :

For Disco I submitted the test to Debian https://salsa.debian.org/debian/libpam-mount/merge_requests/1

5c0a7ed... by Christian Ehrhardt  on 2019-02-07

there is no Debian bug for lp 1804408, remove Bug-Debian

Signed-off-by: Christian Ehrhardt <email address hidden>

Andreas Hasenack (ahasenack) wrote :

+1, same suggestions as with the cosmic mp.

review: Approve
6722b92... by Christian Ehrhardt  on 2019-02-07

d/t/local-luks: also check for an active mount

Signed-off-by: Christian Ehrhardt <email address hidden>

a88b66d... by Christian Ehrhardt  on 2019-02-07

changelog: mark dep8 bug as fixed by the new autopkgtest

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 27b42da..704ab48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1libpam-mount (2.16-3ubuntu0.1) bionic; urgency=medium
2
3 * d/p/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch:
4 allow more than just LUKS1 by detecting the type (LP: #1804408)
5 * d/tests/control, d/tests/local-luks: add autopkgtest for luks1/luks2
6 automount on user login. (LP: #1679327)
7
8 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 06 Feb 2019 10:02:48 +0100
9
1libpam-mount (2.16-3build2) bionic; urgency=high10libpam-mount (2.16-3build2) bionic; urgency=high
211
3 * No change rebuild against openssl1.1.12 * No change rebuild against openssl1.1.
diff --git a/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch b/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
4new file mode 10064413new file mode 100644
index 0000000..de3095c
--- /dev/null
+++ b/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
@@ -0,0 +1,49 @@
1From: Jochen Sprickerhof <git@jochen.sprickerhof.de>
2Date: Sun, 30 Sep 2018 18:48:33 +0200
3Subject: Use crypt_get_type to get type and support CRYPT_LUKS2 as well
4
5Origin: debian, https://git.launchpad.net/ubuntu/+source/libpam-mount/plain/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
6
7Bug-Ubuntu: https://bugs.launchpad.net/bugs/1804408
8Last-Update: 2019-02-06
9
10---
11 src/crypto-dmc.c | 4 ++--
12 src/ehd.c | 2 +-
13 2 files changed, 3 insertions(+), 3 deletions(-)
14
15diff --git a/src/crypto-dmc.c b/src/crypto-dmc.c
16index d0ab6ca..4754c2d 100644
17--- a/src/crypto-dmc.c
18+++ b/src/crypto-dmc.c
19@@ -48,7 +48,7 @@ EXPORT_SYMBOL int ehd_is_luks(const char *path, bool blkdev)
20
21 ret = crypt_init(&cd, device);
22 if (ret == 0) {
23- ret = crypt_load(cd, CRYPT_LUKS1, NULL);
24+ ret = crypt_load(cd, crypt_get_type(cd), NULL);
25 if (ret == -EINVAL)
26 ret = false;
27 else if (ret == 0)
28@@ -106,7 +106,7 @@ static bool dmc_run(const struct ehd_mount_request *req,
29 #endif
30 }
31
32- ret = crypt_load(cd, CRYPT_LUKS1, NULL);
33+ ret = crypt_load(cd, crypt_get_type(cd), NULL);
34 if (ret == 0) {
35 ret = crypt_activate_by_passphrase(cd, mt->crypto_name,
36 CRYPT_ANY_SLOT, req->key_data, req->key_size, flags);
37diff --git a/src/ehd.c b/src/ehd.c
38index 07c8099..b550613 100644
39--- a/src/ehd.c
40+++ b/src/ehd.c
41@@ -309,7 +309,7 @@ static int ehd_init_volume_luks(struct ehd_mount_request *rq,
42 lower_dev, strerror(-ret));
43 goto out;
44 }
45- ret = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, NULL,
46+ ret = crypt_format(cd, crypt_get_type(cd), cipher, cipher_mode, NULL, NULL,
47 (cont->keybits + CHAR_BIT - 1) / CHAR_BIT, &format_params);
48 if (ret < 0) {
49 fprintf(stderr, "crypt_format: %s\n", strerror(-ret));
diff --git a/debian/patches/series b/debian/patches/series
index 165cd52..28cfaca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
110011-Fix-fd0ssh-name-according-to-version-in-hxtools.patch110011-Fix-fd0ssh-name-according-to-version-in-hxtools.patch
12013-fix-doc-target12013-fix-doc-target
13014-allow-luserconf-outside-home13014-allow-luserconf-outside-home
140015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
diff --git a/debian/tests/control b/debian/tests/control
14new file mode 10064415new file mode 100644
index 0000000..7a02d06
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
1Tests: local-luks
2Depends: @, cryptsetup, openssl, openssh-client, openssh-server
3Restrictions: allow-stderr, needs-root, isolation-machine
diff --git a/debian/tests/local-luks b/debian/tests/local-luks
0new file mode 1006444new file mode 100644
index 0000000..9471fd8
--- /dev/null
+++ b/debian/tests/local-luks
@@ -0,0 +1,61 @@
1#!/bin/bash
2set -uxe
3mkdir /etc/pam_mount_keys/
4echo -n alice > /etc/pam_mount_keys/alice.key
5echo "libpam-mount is working" > testfile
6
7createluks()
8{
9 local id=${1}
10 local type=${2}
11 local tdir=$(mktemp --directory)
12
13 fallocate -l 100M "/tmp/disk-l${id}.img"
14 cryptsetup luksFormat --batch-mode --verbose --force-password --key-file=/etc/pam_mount_keys/alice.key --type "${type}" "/tmp/disk-l${id}.img"
15 cryptsetup open --type "${type}" --batch-mode --verbose --key-file=/etc/pam_mount_keys/alice.key "/tmp/disk-l${id}.img" "img-luks${id}"
16 mkfs.ext4 -L "IMG-LUKS${id}" "/dev/mapper/img-luks${id}"
17 mount "/dev/mapper/img-luks${id}" "${tdir}"
18 cp testfile "${tdir}"
19 umount "/dev/mapper/img-luks${id}"
20 cryptsetup close "img-luks${id}"
21}
22
23checkluks()
24{
25 local id=${1}
26 local bckp=$(mktemp)
27
28 # backup and modify configuration
29 cp /etc/security/pam_mount.conf.xml "${bckp}"
30 sed -i -e 's/debug enable="0"/debug enable="1"/' /etc/security/pam_mount.conf.xml
31 sed -i -e "/<!-- Volume definitions -->/a<volume user='alice' path='/tmp/disk-l${id}.img' mountpoint='~/img-luks${id}' fstype='crypt' fskeycipher='none' fskeyhash='md5' fskeypath='/etc/pam_mount_keys/alice.key' />" /etc/security/pam_mount.conf.xml
32
33 # smoke tests the mount and if not working print debug from journal
34 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "ls -laF ~/img-luks${id}/testfile" || journalctl -xe -u ssh --no-pager
35
36 # make sure we are using an actual mount
37 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "mount" | grep img-luks${id}
38
39 # compare data on encrypted disk
40 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "cat ~/img-luks${id}/testfile" > "luks${id}"
41 cmp testfile "luks${id}"
42
43 # restore configuration
44 cp "${bckp}" /etc/security/pam_mount.conf.xml
45}
46
47# create user alice with PW alice
48sudo useradd -G users -m --password "$(openssl passwd -1 alice)" -s /bin/bash alice
49ssh-keygen -t rsa -N "" -f test.key
50mkdir -p ~alice/.ssh
51chown alice:alice ~alice/.ssh
52cp test.key.pub ~alice/.ssh/authorized_keys
53mkdir -p /home/alice/img-luks1 /home/alice/img-luks2
54chown alice:alice ~alice/.ssh/authorized_keys /home/alice/img-luks1 /home/alice/img-luks2
55
56# create LUKS devices with known content
57createluks 1 luks
58createluks 2 luks2
59
60checkluks 1
61checkluks 2

Subscribers

People subscribed via source and target branches