Add test cases that make sure that CryFS notices if an attacker replaces the whole file system

2017-09-30 22:42:34 +01:00 · 2017-09-30 22:42:34 +01:00 · 04341f3f7d
commit 04341f3f7d
parent be8a1efd35
3 changed files with 45 additions and 4 deletions
--- a/test/cryfs-cli/CMakeLists.txt
+++ b/test/cryfs-cli/CMakeLists.txt
@ -11,7 +11,7 @@ set(SOURCES
    CliTest_ShowingHelp.cpp
    EnvironmentTest.cpp
    VersionCheckerTest.cpp
-    IntegrityCheckTest.cpp
+    CliTest_IntegrityCheck.cpp
 )
 add_executable(${PROJECT_NAME} ${SOURCES})
--- a/test/cryfs-cli/CliTest_IntegrityCheck.cpp
+++ b/test/cryfs-cli/CliTest_IntegrityCheck.cpp
@ -0,0 +1,44 @@
 #include "testutils/CliTest.h"
 #include <cryfs/config/CryConfigFile.h>
 using std::vector;
 using std::string;
 using cryfs::CryConfig;
 using cryfs::CryConfigFile;
 class CliTest_IntegrityCheck: public CliTest {
 public:
  void modifyFilesystemId() {
    auto configFile = CryConfigFile::load(basedir / "cryfs.config", "pass").value();
    configFile.config()->SetFilesystemId(CryConfig::FilesystemID::FromString("0123456789ABCDEF0123456789ABCDEF"));
    configFile.save();
  }
  void modifyFilesystemKey() {
    auto configFile = CryConfigFile::load(basedir / "cryfs.config", "pass").value();
    configFile.config()->SetEncryptionKey("0123456789ABCDEF0123456789ABCDEF");
    configFile.save();
  }
 };
 TEST_F(CliTest_IntegrityCheck, givenIncorrectFilesystemId_thenFails) {
  vector<const char*> args {basedir.c_str(), mountdir.c_str(), "--cipher", "aes-256-gcm", "-f"};
  //TODO Remove "-f" parameter, once EXPECT_RUN_SUCCESS can handle that
  EXPECT_RUN_SUCCESS(args, mountdir);
  modifyFilesystemId();
  EXPECT_RUN_ERROR(
      args,
      "Error: The filesystem id in the config file is different to the last time we loaded a filesystem from this basedir."
  );
 }
 TEST_F(CliTest_IntegrityCheck, givenIncorrectFilesystemKey_thenFails) {
  vector<const char*> args {basedir.c_str(), mountdir.c_str(), "--cipher", "aes-256-gcm", "-f"};
  //TODO Remove "-f" parameter, once EXPECT_RUN_SUCCESS can handle that
  EXPECT_RUN_SUCCESS(args, mountdir);
  modifyFilesystemKey();
  EXPECT_RUN_ERROR(
      args,
      "Error: The filesystem encryption key differs from the last time we loaded this filesystem. Did an attacker replace the file system?"
  );
 }
--- a/test/cryfs-cli/IntegrityCheckTest.cpp
+++ b/test/cryfs-cli/IntegrityCheckTest.cpp
@ -1,3 +0,0 @@
 //TODO Add cryfs-cli tests for
 // - filesystem id changed
 // - filesystem id correct but encryption key changed