231 lines
6.6 KiB
Bash
Executable file
231 lines
6.6 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# check tcrypt images parsing
|
|
|
|
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
|
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
|
TST_DIR=tcrypt-images
|
|
MAP=tctst
|
|
PASSWORD="aaaaaaaaaaaa"
|
|
PASSWORD_HIDDEN="bbbbbbbbbbbb"
|
|
PASSWORD_72C="aaaaaaaaaaaabbbbbbbbbbbbccccccccccccddddddddddddeeeeeeeeeeeeffffffffffff"
|
|
PIM=1234
|
|
|
|
if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
|
|
CRYPTSETUP_VALGRIND=$CRYPTSETUP
|
|
else
|
|
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
|
|
CRYPTSETUP_LIB_VALGRIND=../.libs
|
|
fi
|
|
|
|
[ -z "$srcdir" ] && srcdir="."
|
|
|
|
function remove_mapping()
|
|
{
|
|
[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
|
|
[ -b /dev/mapper/"$MAP"_1 ] && dmsetup remove --retry "$MAP"_1
|
|
[ -b /dev/mapper/"$MAP"_2 ] && dmsetup remove --retry "$MAP"_2
|
|
rm -rf $TST_DIR
|
|
}
|
|
|
|
function fail()
|
|
{
|
|
[ -n "$1" ] && echo "$1"
|
|
echo " [FAILED]"
|
|
echo "FAILED backtrace:"
|
|
while caller $frame; do ((frame++)); done
|
|
remove_mapping
|
|
exit 2
|
|
}
|
|
|
|
function skip()
|
|
{
|
|
[ -n "$1" ] && echo "$1"
|
|
remove_mapping
|
|
exit 77
|
|
}
|
|
|
|
function test_one() # cipher mode keysize rm_pattern
|
|
{
|
|
$CRYPTSETUP benchmark -c "$1-$2" -s "$3" >/dev/null 2>&1
|
|
if [ $? -ne 0 ] ; then
|
|
echo "$1-$2 [N/A]"
|
|
IMGS=$(ls $TST_DIR/[tv]c* | grep "$4")
|
|
[ -n "$IMGS" ] && rm $IMGS
|
|
#echo $IMGS
|
|
else
|
|
echo "$1-$2 [OK]"
|
|
fi
|
|
}
|
|
|
|
function test_kdf() # hash img_hash
|
|
{
|
|
$CRYPTSETUP benchmark -h "$1" >/dev/null 2>&1
|
|
if [ $? -ne 0 ] ; then
|
|
echo "pbkdf2-$1 [N/A]"
|
|
IMGS=$(ls $TST_DIR/[tv]c* | grep "$2")
|
|
[ -n "$IMGS" ] && rm $IMGS
|
|
else
|
|
echo "pbkdf2-$1 [OK]"
|
|
fi
|
|
}
|
|
|
|
function get_HASH_CIPHER() # filename
|
|
{
|
|
# speed up the test by limiting options for hash and (first) cipher
|
|
HASH=$(echo $file | cut -d'-' -f3)
|
|
CIPHER=$(echo $file | cut -d'-' -f5)
|
|
}
|
|
|
|
function test_required()
|
|
{
|
|
command -v blkid >/dev/null || skip "blkid tool required, test skipped."
|
|
|
|
echo "REQUIRED KDF TEST"
|
|
test_kdf sha256 sha256
|
|
test_kdf sha512 sha512
|
|
test_kdf blake2s-256 blake2
|
|
test_kdf ripemd160 ripemd160
|
|
test_kdf whirlpool whirlpool
|
|
test_kdf stribog512 stribog
|
|
|
|
echo "REQUIRED CIPHERS TEST"
|
|
test_one aes cbc 256 cbc-aes
|
|
test_one aes lrw 384 lrw-aes
|
|
test_one aes xts 512 xts-aes
|
|
|
|
test_one twofish ecb 256 twofish
|
|
test_one twofish cbc 256 cbc-twofish
|
|
test_one twofish lrw 384 lrw-twofish
|
|
test_one twofish xts 512 xts-twofish
|
|
|
|
test_one serpent ecb 256 serpent
|
|
test_one serpent cbc 256 cbc-serpent
|
|
test_one serpent lrw 384 lrw-serpent
|
|
test_one serpent xts 512 xts-serpent
|
|
|
|
test_one blowfish cbc 256 blowfish
|
|
|
|
test_one des3_ede cbc 192 des3_ede
|
|
test_one cast5 cbc 128 cast5
|
|
|
|
test_one camellia xts 512 camellia
|
|
test_one kuznyechik xts 512 kuznyechik
|
|
|
|
ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images, test skipped."
|
|
}
|
|
|
|
function valgrind_setup()
|
|
{
|
|
command -v valgrind >/dev/null || fail "Cannot find valgrind."
|
|
[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
|
|
[ ! -f valg.sh ] && fail "Unable to get location of valg runner script."
|
|
if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
|
|
export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
|
|
fi
|
|
}
|
|
|
|
function valgrind_run()
|
|
{
|
|
INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
|
|
}
|
|
|
|
export LANG=C
|
|
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
|
|
[ ! -d $TST_DIR ] && tar xJf $srcdir/tcrypt-images.tar.xz --no-same-owner
|
|
|
|
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
|
|
|
|
test_required
|
|
|
|
echo "HEADER CHECK"
|
|
for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do
|
|
echo -n " $file"
|
|
PIM_OPT=""
|
|
[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
|
|
SYS_OPT=""
|
|
[[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system"
|
|
get_HASH_CIPHER $file
|
|
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h $HASH -c $CIPHER $file >/dev/null || fail
|
|
if [[ $file =~ .*-sha512-xts-aes$ ]] ; then
|
|
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c aes $file >/dev/null || fail
|
|
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h xxxx $file 2>/dev/null && fail
|
|
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c xxx $file 2>/dev/null && fail
|
|
fi
|
|
echo " [OK]"
|
|
done
|
|
|
|
echo "HEADER CHECK (TCRYPT only)"
|
|
for file in $(ls $TST_DIR/vc_* $TST_DIR/vcpim_*) ; do
|
|
echo -n " $file"
|
|
PIM_OPT=""
|
|
[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
|
|
get_HASH_CIPHER $file
|
|
echo $PASSWORD | $CRYPTSETUP tcryptDump --disable-veracrypt $PIM_OPT -h $HASH -c $CIPHER $file >/dev/null 2>&1 && fail
|
|
echo " [OK]"
|
|
done
|
|
|
|
echo "HEADER CHECK (HIDDEN)"
|
|
for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
|
|
echo -n " $file (hidden)"
|
|
get_HASH_CIPHER $file
|
|
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden -h $HASH -c $CIPHER $file >/dev/null || fail
|
|
echo " [OK]"
|
|
done
|
|
|
|
echo "HEADER KEYFILES CHECK"
|
|
for file in $(ls $TST_DIR/[tv]ck_*) ; do
|
|
echo -n " $file"
|
|
PWD=$PASSWORD
|
|
[[ $file =~ vck_1_nopw.* ]] && PWD=""
|
|
[[ $file =~ vck_1_pw72.* ]] && PWD=$PASSWORD_72C
|
|
get_HASH_CIPHER $file
|
|
echo $PWD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 -h $HASH -c $CIPHER $file >/dev/null || fail
|
|
echo " [OK]"
|
|
done
|
|
|
|
|
|
if [ $(id -u) != 0 ]; then
|
|
echo "WARNING: You must be root to run activation part of test, test skipped."
|
|
remove_mapping
|
|
exit 0
|
|
fi
|
|
|
|
echo "ACTIVATION FS UUID CHECK"
|
|
for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do
|
|
echo -n " $file"
|
|
PIM_OPT=""
|
|
[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
|
|
SYS_OPT=""
|
|
[[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system"
|
|
get_HASH_CIPHER $file
|
|
out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $SYS_OPT $PIM_OPT -r -h $HASH -c $CIPHER $file $MAP 2>&1)
|
|
ret=$?
|
|
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
|
|
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
|
|
[ $ret -ne 0 ] && fail
|
|
$CRYPTSETUP status $MAP >/dev/null || fail
|
|
$CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
|
|
UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
|
|
$CRYPTSETUP remove $MAP || fail
|
|
[ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed."
|
|
echo " [OK]"
|
|
done
|
|
|
|
echo "ACTIVATION FS UUID (HIDDEN) CHECK"
|
|
for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
|
|
echo -n " $file"
|
|
get_HASH_CIPHER $file
|
|
out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r -h $HASH -c $CIPHER $file $MAP --tcrypt-hidden 2>&1)
|
|
ret=$?
|
|
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
|
|
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
|
|
[ $ret -ne 0 ] && fail
|
|
UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
|
|
$CRYPTSETUP remove $MAP || fail
|
|
[ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."
|
|
echo " [OK]"
|
|
done
|
|
|
|
remove_mapping
|
|
exit 0
|