From 9071d6b1a389d611426d285a9d8ed01322dd0359 Mon Sep 17 00:00:00 2001
From: Dan Streetman
Date: Fri, 7 Jul 2023 13:37:28 -0400
Subject: [PATCH] test: Add DA lockout handling to TEST-70-TPM2

Since this test intentionally provides an incorrect PIN, the DA lockout counter is incremented; the test needs to reset it so there is no DA lockout.
---
 test/TEST-70-TPM2/test.sh | 3 ++-
 test/units/testsuite-70.sh | 25 ++++++++++++++++++++++---
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/test/TEST-70-TPM2/test.sh b/test/TEST-70-TPM2/test.sh
index f3ac1399fce..8d54c3c05c8 100755
--- a/test/TEST-70-TPM2/test.sh
+++ b/test/TEST-70-TPM2/test.sh
@@ -11,7 +11,7 @@ TEST_REQUIRE_INSTALL_TESTS=0
 # shellcheck source=test/test-functions
 . "${TEST_BASE_DIR:?}/test-functions"
 
-test_require_bin swtpm tpm2_pcrextend
+test_require_bin swtpm tpm2_pcrextend tpm2_dictionarylockout
 
 test_append_files() {
     local workspace="${1:?}"
@@ -19,6 +19,7 @@ test_append_files() {
     instmods tpm tpm_tis tpm_ibmvtpm
     install_dmevent
     generate_module_dependencies
+    inst_binary tpm2_dictionarylockout
     inst_binary tpm2_pcrextend
     inst_binary tpm2_pcrread
     inst_binary openssl
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 571a93faa02..4eb22366898 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -22,6 +22,21 @@ tpm_has_pcr() {
     [[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
 }
 
+tpm_check_failure_with_wrong_pin() {
+    local testimg="${1:?}"
+    local badpin="${2:?}"
+    local goodpin="${3:?}"
+
+    # We need to be careful not to trigger DA lockout; allow 2 failures
+    tpm2_dictionarylockout -s -n 2
+    (! PIN=$badpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1)
+    # Verify the correct PIN works, to be sure the failure wasn't a DA lockout
+    PIN=$goodpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1
+    "$SD_CRYPTSETUP" detach test-volume
+    # Clear/reset the DA lockout counter
+    tpm2_dictionarylockout -c
+}
+
 # Prepare a fresh disk image
 img="/tmp/test.img"
 truncate -s 20M "$img"
@@ -46,8 +61,10 @@ PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-
 PIN=123456 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
 "$SD_CRYPTSETUP" detach test-volume
 
-# Check failure with wrong PIN
-(! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1)
+# Check failure with wrong PIN; try a few times to make sure we avoid DA lockout
+for _ in {0..3}; do
+    tpm_check_failure_with_wrong_pin "$img" 123457 123456
+done
 
 # Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
 if cryptsetup_has_token_plugin_support; then
@@ -55,7 +72,9 @@ if cryptsetup_has_token_plugin_support; then
     "$SD_CRYPTSETUP" detach test-volume
 
     # Check failure with wrong PIN
-    (! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - headless=1)
+    for _ in {0..3}; do
+        tpm_check_failure_with_wrong_pin "$img" 123457 123456
+    done
 else
     echo 'cryptsetup has no LUKS2 token plugin support, skipping'
 fi
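Review bot: In tpm_check_failure_with_wrong_pin the `tpm2_dictionarylockout -c` reset runs only on the success path, so if the bad-PIN attach unexpectedly succeeds or the good-PIN attach fails, the function leaves max-tries at 2 and the failure counter unreset, and a later run against the same swtpm state starts one step closer to lockout. Whether the script actually aborts at that point depends on `set -e`, which is not visible in the hunk but is implied by the `(! …)` idiom. Clearing the counter at the top of the function as well, `tpm2_dictionarylockout -c` immediately before the `-s -n 2` call, lets every attempt start from a known-clean counter regardless of how the previous one ended. The function also has no header comment; a one-liner such as `# Usage: tpm_check_failure_with_wrong_pin IMG BADPIN GOODPIN — expect BADPIN to fail, confirm GOODPIN still unlocks, then clear the DA counter` would document the three positional arguments.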
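Review bot: The new comment `# Check failure with wrong PIN; try a few times to make sure we avoid DA lockout` reads as if repeating the wrong PIN is what avoids lockout, whereas the loop repeats the failing attempt to confirm that the per-iteration counter reset keeps the TPM out of lockout; `# Check failure with wrong PIN; repeat to verify the DA counter reset keeps later attempts out of lockout` states what is being exercised. The loop body also re-applies the `-s -n 2` parameter write on every iteration via the helper, which is harmless but redundant and worth a short comment if it is intentional. The same four-iteration loop is duplicated in the following hunk inside the token-plugin branch, so the reworded comment applies there too, though that hunk's comment line is unchanged context.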