summaryrefslogtreecommitdiffstats
path: root/tests/compat-test2
diff options
context:
space:
mode:
Diffstat (limited to 'tests/compat-test2')
-rwxr-xr-xtests/compat-test2370
1 files changed, 365 insertions, 5 deletions
diff --git a/tests/compat-test2 b/tests/compat-test2
index c54dc7e..bc86563 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -3,9 +3,14 @@
PS4='$LINENO:'
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+CRYPTSETUP_RAW=$CRYPTSETUP
-CRYPTSETUP_VALGRIND=../.libs/cryptsetup
-CRYPTSETUP_LIB_VALGRIND=../.libs
+if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
+ CRYPTSETUP_VALGRIND=$CRYPTSETUP
+else
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+fi
DEV_NAME=dummy
DEV_NAME2=dummy2
@@ -16,6 +21,7 @@ IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
HEADER_LUKS2_PV=blkid-luks2-pv.img
+HEADER_LUKS2_INV=luks2_invalid_cipher.img
KEY1=key1
KEY2=key2
KEY5=key5
@@ -50,7 +56,9 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1
- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
# unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
@@ -154,7 +162,10 @@ function valgrind_setup()
{
command -v valgrind >/dev/null || fail "Cannot find valgrind."
[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
- export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+ [ ! -f valg.sh ] && fail "Unable to get location of valg runner script."
+ if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
+ export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+ fi
}
function valgrind_run()
@@ -164,6 +175,8 @@ function valgrind_run()
function dm_crypt_keyring_support()
{
+ $CRYPTSETUP --version | grep -q KEYRING || return 1
+
VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -284,6 +297,171 @@ function add_scsi_device() {
[ -b $DEV ] || fail "Cannot find $DEV."
}
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
+test_vk_link() {
+ KEY_TYPE=${3:-user}
+ if [ -z "$3" ]; then
+ KEY_DESC=$1
+ else
+ KEY_DESC="%$3:$1"
+ fi
+
+ KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ $CRYPTSETUP close $DEV_NAME
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+ keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is linked to the specified keyring before resume with linking."
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ $CRYPTSETUP close $DEV_NAME
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+ keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
+}
+
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
+test_vk_link_and_reactivate() {
+ KEY_TYPE=${3:-user}
+ if [ -z "$3" ]; then
+ KEY_DESC=$1
+ else
+ KEY_DESC="%$3:$1"
+ fi
+
+ KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ $CRYPTSETUP close $DEV_NAME || fail
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+ $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring $KEY_DESC <&-|| fail "Failed to unlock volume via a VK in keyring."
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail "Failed to suspend device."
+ $CRYPTSETUP luksResume $DEV_NAME --volume-key-keyring $KEY_DESC <&- || fail "Failed to resume via a VK in keyring."
+
+ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null || fail
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
+ echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-keyring $KEY_DESC $LOOPDEV --new-key-slot 1 || fail "Failed to add passphrase by VK in keyring."
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null || fail
+ $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 2>/dev/null || fail
+
+ $CRYPTSETUP close $DEV_NAME || fail
+ # zero-out the key in keyring
+ keyctl pipe $KEYCTL_KEY_NAME | tr -c '\0' '\0' | keyctl pupdate $KEYCTL_KEY_NAME
+ $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring $KEY_DESC <&- > /dev/null 2>&1 && fail "Unlocked volume via a bad VK in keyring."
+ keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after bad activation."
+ keyctl unlink $KEYCTL_KEY_NAME "$2" || fail
+}
+
+# $1 first key name
+# $2 second key name
+# $3 keyring to link VK to
+# $4 key type (optional)
+test_reencrypt_vk_link() {
+ KEY_TYPE=${4:-user}
+ if [ -z "$4" ]; then
+ KEY_DESC=$1
+ else
+ KEY_DESC="%$4:$1"
+ fi
+ if [ -z "$4" ]; then
+ KEY_DESC2=$2
+ else
+ KEY_DESC2="%$4:$2"
+ fi
+
+ KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+ KEYCTL_KEY_NAME2="%$KEY_TYPE:$2"
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$3"::"$KEY_DESC" --link-vk-to-keyring "$3"::"$KEY_DESC2" || fail
+ keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+
+ keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ $CRYPTSETUP close $DEV_NAME || fail
+ keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+ keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+
+ keyctl unlink $KEYCTL_KEY_NAME "$3" || fail
+ keyctl unlink $KEYCTL_KEY_NAME2 "$3" || fail
+}
+
+# $1 first key name
+# $2 second key name
+# $3 keyring to link VK to
+# $4 key type (optional)
+test_reencrypt_vk_link_and_reactivate() {
+ KEY_TYPE=${4:-user}
+ if [ -z "$4" ]; then
+ KEY_DESC=$1
+ else
+ KEY_DESC="%$4:$1"
+ fi
+ if [ -z "$4" ]; then
+ KEY_DESC2=$2
+ else
+ KEY_DESC2="%$4:$2"
+ fi
+
+ KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+ KEYCTL_KEY_NAME2="%$KEY_TYPE:$2"
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$3"::"$KEY_DESC" --link-vk-to-keyring "$3"::"$KEY_DESC2" || fail
+ keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+
+ keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ $CRYPTSETUP close $DEV_NAME || fail
+ keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+ keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" || fail
+ $CRYPTSETUP close $DEV_NAME || fail
+
+ keyctl unlink $KEYCTL_KEY_NAME "$3" || fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail
+ keyctl unlink $KEYCTL_KEY_NAME2 "$3" || fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail
+}
+
+function expect_run()
+{
+ export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
+ expect "$@"
+}
+
+# expected unlocked keyslot id
+# command arguments
+function expect_unlocked_keyslot()
+{
+ command -v expect >/dev/null || {
+ echo "WARNING: expect tool missing, interactive test will be skipped."
+ return 0
+ }
+
+ EXPECT_TIMEOUT=60
+ EXPECT_KEY=$1
+
+ expect_run - >/dev/null <<EOF
+proc abort {} { send_error "Timeout. "; exit 2 }
+set timeout $EXPECT_TIMEOUT
+eval spawn $CRYPTSETUP_RAW $2
+expect timeout abort "Key slot $EXPECT_KEY unlocked."
+expect timeout abort "Command successful."
+expect timeout abort eof
+exit
+EOF
+ [ $? -eq 0 ] || return 1
+}
+
export LANG=C
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
@@ -569,7 +747,7 @@ test $OLD_SIZE -eq $NEW_SIZE || fail
$CRYPTSETUP close $DEV_NAME || fail
prepare "[20] Disallow open/create if already mapped." wipe
-$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --cipher aes-cbc-essiv:sha256 --key-size 256 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
@@ -626,6 +804,24 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
+# make a free space in keyslot area
+echo $PWD1 | $CRYPTSETUP luksKillSlot -q $LOOPDEV 0 || fail
+
+# assert LUKS2 does not overwrite existing area with specific keyslot id
+AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
+[ 0$AREA_OFFSET_OLD -gt 0 ] || fail
+echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey --key-slot 1 $LOOPDEV $FAST_PBKDF_OPT
+AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
+[ 0$AREA_OFFSET_NEW -gt 0 ] || fail
+[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW"
+
+# assert LUKS2 does not overwrite existing area with any sklot
+AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
+[ 0$AREA_OFFSET_OLD -gt 0 ] || fail
+echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT
+AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
+[ 0$AREA_OFFSET_NEW -gt 0 ] || fail
+[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW"
prepare "[24] Keyfile limit" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
@@ -924,6 +1120,40 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
$CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP token unassign --token-id 0 -S44 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP token unassign --token-id 44 -S0 $LOOPDEV 2>/dev/null && fail
+
+ $CRYPTSETUP token remove $LOOPDEV --token-id 0 || fail
+ $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
+
+ # token 8 assigned to keyslot 0 and 5. Unlocks only 5
+ echo "$PWD2" | $CRYPTSETUP luksAddKey -q -S5 $FAST_PBKDF_OPT --token-id 0 $LOOPDEV || fail
+ echo -n "{\"type\":\"luks2-keyring\",\"keyslots\":[\"0\",\"5\"],\"key_description\":\"$TEST_TOKEN1\"}" | $CRYPTSETUP token import $LOOPDEV --token-id 8 || fail
+ load_key user $TEST_TOKEN1 "$PWD2" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
+
+ # token 3 assigned to keyslot 1 (wrong passphrase)
+ echo "$PWD3" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT --token-id 0 $LOOPDEV || fail
+ $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN2 -S1 --token-id 3 || fail
+ load_key user $TEST_TOKEN2 "$PWDW" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
+
+ # specific token, specific keyslot
+ $CRYPTSETUP open --test-passphrase --token-id 0 -S0 $LOOPDEV --token-only <&- || fail
+ # specific keyslot unlocked by any token
+ $CRYPTSETUP open --test-passphrase -S0 $LOOPDEV --token-only <&- || fail
+
+ # token 0 unusable for keyslot 5
+ $CRYPTSETUP open --test-passphrase --token-id 0 -S5 $LOOPDEV --token-only <&- >/dev/null && fail
+ # backup interactive prompt should work
+ echo $PWD2 | $CRYPTSETUP open --test-passphrase --token-id 0 -S5 $LOOPDEV || fail
+
+ $CRYPTSETUP open --test-passphrase -S5 --token-id 8 $LOOPDEV <&- || fail
+ $CRYPTSETUP open --test-passphrase -S5 $LOOPDEV <&- || fail
+
+ expect_unlocked_keyslot 5 "open -v --test-passphrase --token-id 8 -S5 $LOOPDEV" || fail
+ expect_unlocked_keyslot 5 "open -v --test-passphrase --token-id 8 $LOOPDEV" || fail
+
+ $CRYPTSETUP open --test-passphrase -S0 --token-id 8 $LOOPDEV --token-only >/dev/null && fail
+ [ $? -ne 2 ] && fail "open should return EPERM exit code."
+ $CRYPTSETUP open --test-passphrase -S1 $LOOPDEV --token-only && fail
+ [ $? -ne 2 ] && fail "open should return EPERM exit code."
fi
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
@@ -1200,5 +1430,135 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
fi
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
+xz -dk $HEADER_LUKS2_INV.xz
+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
+$CRYPTSETUP close $DEV_NAME ||fail
+
+if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
+ prepare "[45] Link VK to a keyring and use custom VK type." wipe
+
+ echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2> /dev/null || fail
+ KEY_NAME="cryptsetup:test_volume_key_id"
+ KEY_NAME2="cryptsetup:test_volume_key_id2"
+ KEY_NAME3="cryptsetup:test_volume_key_id3"
+ test_and_prepare_keyring
+ KID=$(echo -n test | keyctl padd user my_token @s)
+ keyctl unlink $KID >/dev/null 2>&1 @s && SESSION_KEYRING_WORKS=1
+ KID=$(echo -n test | keyctl padd user my_token @us)
+ keyctl unlink $KID >/dev/null 2>&1 @us && USER_SESSION_KEYRING_WORKS=1
+
+ test_vk_link $KEY_NAME "@u"
+ test_vk_link $KEY_NAME "@u" "user"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "logon"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "user"
+ test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME"
+ test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
+ test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
+ # explicitly specify keyring key type
+ test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
+
+ test_vk_link_and_reactivate $KEY_NAME "@u" "user"
+ test_vk_link_and_reactivate $KEY_NAME "@u"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user"
+ test_vk_link_and_reactivate $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
+ # explicitly specify keyring key type
+ test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user"
+ test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
+
+ # test numeric keyring name -5 is user session (@us) keyring
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail
+ keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
+ $CRYPTSETUP close $DEV_NAME
+ keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
+ keyctl unlink "%logon:$KEY_NAME" @us || fail
+
+ # test malformed keyring descriptions and key types
+ # missing key description
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "%$TEST_KEYRING_NAME::" > /dev/null 2>&1 && fail
+ # malformed keyring description
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring ":$TEST_KEYRING_NAME::$KEY_NAME" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@uuu::$KEY_NAME" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@usu::$KEY_NAME" > /dev/null 2>&1 && fail
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user:" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "%user:$KEY_NAME" > /dev/null 2>&1 && fail
+
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%0:$KEY_NAME" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%blah:$KEY_NAME" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%userlogon:$KEY_NAME" > /dev/null 2>&1 && fail
+
+ # test that only one VK name is used, when the device is not in reencryption
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@u::%user:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 || fail
+ keyctl unlink "%user:$KEY_NAME" @u || fail
+ keyctl unlink "%user:$KEY_NAME2" @u > /dev/null 2>&1 && fail
+ $CRYPTSETUP close $DEV_NAME || fail
+
+ # test linkning multiple VKs during reencryption
+ echo $PWD1 | $CRYPTSETUP -q reencrypt $LOOPDEV --init-only
+
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@u"
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@u" "user"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" "logon"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" "user"
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME"
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "user"
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "logon"
+ # explicitly specify keyring key type
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%keyring:$TEST_KEYRING_NAME"
+
+ test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@u"
+ test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@u" "user"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@s"
+ [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@s" "user"
+ test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME"
+ test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "user"
+
+ # explicitly specify keyring key type
+ test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%keyring:$TEST_KEYRING_NAME"
+
+ # the keyring and key type have to be the same for both keys
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%user:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@u::%logon:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail
+
+ # supply one/three key name(s) when two names are required
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" --link-vk-to-keyring "@s::%logon:$KEY_NAME2" --link-vk-to-keyring "@s::%logon:$KEY_NAME3" > /dev/null 2>&1 && fail
+fi
+
+prepare "[45] Blkid disable check" wipe
+if [ "$HAVE_BLKID" -gt 0 ]; then
+ xz -dkf $HEADER_LUKS2_PV.xz
+ # batch mode disables blkid print, use --debug to check it
+ echo $PWD1 | $CRYPTSETUP -q --debug luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" || fail
+ xz -dkf $HEADER_LUKS2_PV.xz
+ echo $PWD1 | $CRYPTSETUP -q --debug --disable-blkid luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" && fail
+fi
+
+prepare "[46] Init from suspended device" wipe
+dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
+echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 --header $HEADER_IMG /dev/mapper/$DEV_NAME || fail
+echo $PWD1 | $CRYPTSETUP -q luksOpen --header $HEADER_IMG /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
+# underlying device now returns error but node is still present
+dmsetup load $DEV_NAME --table "0 40000 error" || fail
+dmsetup resume $DEV_NAME || fail
+dmsetup suspend $DEV_NAME || fail
+# status must print data even if data device is suspended
+$CRYPTSETUP -q status --debug --header $HEADER_IMG $DEV_NAME2 | grep "type:" | grep -q "LUKS2" || fail
+dmsetup resume $DEV_NAME || fail
+$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
+dmsetup remove --retry $DEV_NAME || fail
+
remove_mapping
exit 0
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-07 03:34:40 +0000