Fix support for LUKS device with an empty password

sergio-correia · sergio-correia · commit d969ee4331b9 · 2024-10-19T20:29:51.000+01:00
Signed-off-by: Sergio Correia &lt;scorreia@redhat.com&gt;
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
@@ -334,10 +334,18 @@ clevis_luks_check_valid_key_or_keyfile() {
     local EXISTING_TOKEN_ID="${5:-}"
 
     [ -z "${DEV}" ] && return 1
-    [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
 
     local extra_args
     extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
+
+    # We have an empty key here.
+    if [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] \
+         && [ -z "${KEY}" ]; then
+        echo | cryptsetup open --force-password --test-passphrase "${DEV}" \
+               ${extra_args}
+        return
+    fi
+
     if [ -n "${KEYFILE}" ]; then
         cryptsetup open --test-passphrase "${DEV}" --key-file "${KEYFILE}" \
                    ${extra_args}
@@ -798,7 +806,6 @@ clevis_luks_add_key() {
 
     [ -z "${DEV}" ] && return 1
     [ -z "${NEWKEY}" ] && return 1
-    [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
 
     local extra_args='' input
     input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
diff --git a/src/luks/tests/bind-luks1 b/src/luks/tests/bind-luks1
@@ -40,18 +40,30 @@ UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
 new_device "luks1" "${DEV}"
 
 if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
-    error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+    error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
 fi
 
 SLT=1
 if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
-    error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+    error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}."
 fi
 
 if [ "${state}" != "active" ]; then
-    error "${TEST}: state (${state}) is expected to be 'active'." >&2
+    error "${TEST}: state (${state}) is expected to be 'active'."
 fi
 
 if [ "${uuid}" != "${UUID}" ]; then
-    error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+    error "${TEST}: UUID ($uuid) is expected to be '${UUID}'."
+fi
+
+# Empty password (issue #494)
+DEV="${TMP}/luks1-device-empty-pw"
+new_device "luks1" "${DEV}"
+
+# Let's create an empty password.
+printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey \
+    --force-password --batch-mode "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< ""; then
+    error "${TEST}: Binding is expected to succeed when the password is empty."
 fi
diff --git a/src/luks/tests/bind-luks2 b/src/luks/tests/bind-luks2
@@ -45,9 +45,21 @@ TOKEN_ID=5
 new_device "luks2" "${DEV}"
 
 if ! clevis luks bind -d "${DEV}" -t "$TOKEN_ID" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
-    error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+    error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
 fi
 
 if ! cryptsetup token export --token-id=5 "${DEV}"; then
-    error "${TEST}: Clevis did not add the LUKS2 token to the correct slot." >&2
+    error "${TEST}: Clevis did not add the LUKS2 token to the correct slot."
+fi
+
+# Empty password (issue #494)
+DEV="${TMP}/luks2-device-empty-pw"
+new_device "luks2" "${DEV}"
+
+# Let's create an empty password.
+printf '%s\n\n' "${DEFAULT_PASS}" | cryptsetup luksChangeKey \
+    --force-password --batch-mode "${DEV}"
+
+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< ""; then
+    error "${TEST}: Binding is expected to succeed when the password is empty."
 fi
