Diffstat (limited to '')
-rw-r--r-- | tests/LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz | bin | 0 -> 1056 bytes | |||
-rw-r--r-- | tests/Makefile.am | 5 | ||||
-rwxr-xr-x | tests/align-test | 15 | ||||
-rwxr-xr-x | tests/align-test2 | 13 | ||||
-rw-r--r-- | tests/api-test-2.c | 5 | ||||
-rwxr-xr-x | tests/blockwise-compat-test | 9 | ||||
-rwxr-xr-x | tests/compat-test | 6 | ||||
-rwxr-xr-x | tests/compat-test-opal | 36 | ||||
-rwxr-xr-x | tests/compat-test2 | 68 | ||||
-rw-r--r-- | tests/crypto-vectors.c | 2 | ||||
-rw-r--r-- | tests/img_fs_xfs5.img.xz | bin | 0 -> 8380 bytes | |||
-rwxr-xr-x | tests/luks2-reencryption-test | 13 | ||||
-rw-r--r-- | tests/meson.build | 4 | ||||
-rwxr-xr-x | tests/mode-test | 37 | ||||
-rwxr-xr-x | tests/reencryption-compat-test | 24 |
15 files changed, 189 insertions, 48 deletions
diff --git a/tests/LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz b/tests/LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz Binary files differnew file mode 100644 index 0000000..4a37d42 --- /dev/null +++ b/tests/LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz diff --git a/tests/Makefile.am b/tests/Makefile.am index 75c1d3d..6947daa 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -55,7 +55,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ compatimage2.img.xz \ conversion_imgs.tar.xz \ luks2_keyslot_unassigned.img.xz \ - img_fs_ext4.img.xz img_fs_vfat.img.xz img_fs_xfs.img.xz \ + img_fs_ext4.img.xz img_fs_vfat.img.xz img_fs_xfs.img.xz img_fs_xfs5.img.xz \ xfs_512_block_size.img.xz \ valid_header_file.xz \ luks2_valid_hdr.img.xz \ @@ -100,7 +100,8 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \ run-all-symbols \ fake_systemd_tpm_path.c \ unit-wipe-test \ - systemd-test-plugin + systemd-test-plugin \ + LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_systemd_tpm_path.so clean-local: diff --git a/tests/align-test b/tests/align-test index d2932ae..0c1e02a 100755 --- a/tests/align-test +++ b/tests/align-test @@ -292,7 +292,7 @@ format_plain_fail 4096 cleanup # skip tests using empty passphrase (LUKS1 cipher_null) -if [ ! fips_mode ]; then +if ! fips_mode; then echo "# Offset check: 512B sector drive" add_device dev_size_mb=16 sector_size=512 num_tgts=1 # |k| expO reqO expected slot offsets 
@@ -338,12 +338,19 @@ echo "# Create enterprise-class 4K drive with fs and LUKS images." # cryptsetup should properly use 4k block on direct-io add_device dev_size_mb=32 sector_size=4096 physblk_exp=0 num_tgts=1 opt_blks=64 for file in $(ls img_fs_*.img.xz) ; do - echo "Format using fs image $file." + echo -n "Format using fs image $file " xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image" [ ! -d $MNT_DIR ] && mkdir $MNT_DIR - mount $DEV $MNT_DIR || skip "Mounting image is not available." + mount $DEV $MNT_DIR 2>/dev/null + if [ $? -ne 0 ] ; then + echo "[N/A]" + continue + fi echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 --key-size 256 $FAST_PBKDF $MNT_DIR/luks.img || fail echo $PWD2 | $CRYPTSETUP luksFormat --type luks1 --key-size 256 $FAST_PBKDF $MNT_DIR/luks.img --header $MNT_DIR/luks_header.img || fail - umount $MNT_DIR + umount $MNT_DIR || fail + echo "[OK]" done cleanup + +exit 0 diff --git a/tests/align-test2 b/tests/align-test2 index 23d418a..6ed82bc 100755 --- a/tests/align-test2 +++ b/tests/align-test2 @@ -421,13 +421,18 @@ echo "# Create enterprise-class 4K drive with fs and LUKS images." # cryptsetup should properly use 4k block on direct-io add_device dev_size_mb=32 sector_size=4096 physblk_exp=0 num_tgts=1 opt_blks=64 for file in $(ls img_fs_*.img.xz) ; do - echo "Format using fs image $file." + echo -n "Format using fs image $file. " xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image" [ ! -d $MNT_DIR ] && mkdir $MNT_DIR - mount $DEV $MNT_DIR || skip "Mounting image is not available." + mount $DEV $MNT_DIR 2>/dev/null + if [ $? -ne 0 ] ; then + echo "[N/A]" + continue + fi echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF --type luks2 $MNT_DIR/luks.img --offset 8192 || fail echo $PWD2 | $CRYPTSETUP luksFormat $FAST_PBKDF --type luks2 $MNT_DIR/luks.img --header $MNT_DIR/luks_header.img || fail - umount $MNT_DIR + umount $MNT_DIR || fail + echo "[OK]" done cleanup 
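Review bot: With `mount $DEV $MNT_DIR 2>/dev/null` followed by `continue`, a run in which none of the `img_fs_*.img.xz` images can be mounted now ends in `exit 0` without having exercised the 4K direct-io formatting at all, and the discarded stderr hides the reason. Consider counting successful mounts (`mounted=0` before the loop, `mounted=$((mounted+1))` after the mount check) and reporting after the loop with `[ "$mounted" -gt 0 ] || echo "WARNING: no fs image could be mounted, test not run."`. The same loop is changed the same way in tests/align-test2 and in `run_all_in_fs` of tests/blockwise-compat-test. Whether `fail` unmounts `$MNT_DIR` on the two `luksFormat ... || fail` paths is not visible in this hunk.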
@@ -454,3 +459,5 @@ add_device dev_size_mb=32 sector_size=4096 num_tgts=1 opt_blks=64 auto_sector 4096 $DEV auto_sector 4096 $DEV $HDR cleanup + +exit 0 diff --git a/tests/api-test-2.c b/tests/api-test-2.c index 8a7a60e..9442c63 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c @@ -5304,6 +5304,11 @@ static void KeyslotContextAndKeyringLink(void) pbkdf.iterations = 1000; } + if (!t_dm_crypt_keyring_support()) { + printf("WARNING: dm-crypt does not support keyring, skipping test.\n"); + return; + } + OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1)); diff --git a/tests/blockwise-compat-test b/tests/blockwise-compat-test index 8db91c9..0672ca2 100755 --- a/tests/blockwise-compat-test +++ b/tests/blockwise-compat-test @@ -80,12 +80,12 @@ falloc() { run_all_in_fs() { for file in $(ls img_fs_*.img.xz) ; do - echo "Run tests in $file put on top block device." + echo -n "Run tests in $file put on top block device. " xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image" [ ! -d $MNT_DIR ] && mkdir $MNT_DIR - mount $DEV $MNT_DIR + mount $DEV $MNT_DIR 2>/dev/null if [ $? -ne 0 ]; then - echo "Mounting image $file failed, skipped." + echo "[N/A]" continue; fi rm -rf $MNT_DIR/* 2>/dev/null @@ -97,7 +97,8 @@ run_all_in_fs() { BSIZE=$iobsize run_all $tfile BSIZE=$oldbsize - umount $MNT_DIR + umount $MNT_DIR || fail + echo "[OK]" done } diff --git a/tests/compat-test b/tests/compat-test index 433beb2..2dd39d5 100755 --- a/tests/compat-test +++ b/tests/compat-test @@ -331,7 +331,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail # Repeat for V1.0 header - not aligned first keyslot -if [ ! fips_mode ] ; then +if ! fips_mode; then echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail check_exists ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') 
@@ -459,7 +459,7 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP -q luksClose $DEV_NAME || fail fi # skip tests using empty passphrase -if [ ! fips_mode ]; then +if ! fips_mode; then # empty keyfile $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail @@ -740,7 +740,7 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail # skip tests using empty passphrase -if [ ! fips_mode ]; then +if ! fips_mode; then echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail $CRYPTSETUP luksSuspend $DEV_NAME || fail diff --git a/tests/compat-test-opal b/tests/compat-test-opal index 3d5c07c..09384d9 100755 --- a/tests/compat-test-opal +++ b/tests/compat-test-opal 
@@ -234,6 +234,30 @@ function setup_luks2_env() { # $1 key name # $2 keyring to link VK to # $3 key type (optional) +test_vk_link_with_passphrase_check() { + KEY_TYPE=${3:-user} + if [ -z "$3" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$3:$1" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + + echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase." + if [ $KEY_TYPE = "user" ]; then + $CRYPTSETUP open $OPAL2_DEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring." + fi + keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail + + echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring." +} + +# $1 key name +# $2 keyring to link VK to +# $3 key type (optional) test_vk_link() { KEY_TYPE=${3:-user} if [ -z "$3" ]; then @@ -512,9 +536,9 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP -q luksClose $DEV_NAME || fail fi # skip tests using empty passphrases -if [ ! fips_mode ]; then +if ! fips_mode; then # empty passphrase (OPAL admin pin cannot be empty) -echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail +echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --force-password || fail $CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail fi 
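Review bot: `test_vk_link_with_passphrase_check` expands its arguments unquoted in `keyctl search "$2" $KEY_TYPE $1` and `[ $KEY_TYPE = "user" ]`, and it sets `KEY_TYPE`, `KEY_DESC` and `KEYCTL_KEY_NAME` as globals that `test_vk_link` also assigns. Quoting them (`keyctl search "$2" "$KEY_TYPE" "$1"`, `[ "$KEY_TYPE" = "user" ]`) and declaring them `local` keeps an unusual key name or a stale value from another helper from changing what is actually checked. A one-line comment on the `user`-only branch would help, e.g. `# only "user" keys are verified via --volume-key-keyring; other key types skip this step`. If a step before `keyctl unlink` fails, the volume key stays linked in `$2` unless `fail` cleans the keyring up, which this hunk does not show. The identical function added to tests/compat-test2 has the same points.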
@@ -531,9 +555,9 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP -q luksClose $DEV_NAME || fail fi # skip tests using empty passphrases -if [ ! fips_mode ]; then +if ! fips_mode; then # empty passphrase (OPAL admin pin cannot be empty) -echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail +echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --force-password || fail $CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail fi @@ -1234,6 +1258,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then # explicitly specify keyring key type test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon" + test_vk_link_and_reactivate $KEY_NAME "@u" "user" test_vk_link_and_reactivate $KEY_NAME "@u" [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user" diff --git a/tests/compat-test2 b/tests/compat-test2 index bc86563..5a5875a 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 @@ -173,6 +173,20 @@ function valgrind_run() INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } +function dm_crypt_capi_support() +{ + VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) + [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version." + + VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) + VER_MIN=$(echo $VER_STR | cut -f 2 -d.) + + if [ $VER_MIN -ge 16 ]; then + return 0 + fi + return 1 +} + function dm_crypt_keyring_support() { $CRYPTSETUP --version | grep -q KEYRING || return 1 
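Review bot: `dm_crypt_capi_support` decides on `$VER_MIN -ge 16` alone, so `VER_MAJ` is parsed but never used, and a dm-crypt target with a higher major version and a minor below 16 would be reported as unsupported. Assuming the intended threshold is 1.16, the test should read `if [ "$VER_MAJ" -gt 1 ] || [ "$VER_MIN" -ge 16 ]; then`. The unquoted `$VER_MIN` also turns unexpected `dmsetup targets` output (for example more than one line matching `grep crypt`) into a `[` syntax error instead of a clear failure; quoting the operands and matching the target name more strictly avoids that. The copy added to tests/mode-test has the same check and additionally assigns an unused `VER_PTC`. A short header comment naming the dm-crypt version that introduced the `capi:` format would document the constant 16.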
@@ -300,6 +314,30 @@ function add_scsi_device() { # $1 key name # $2 keyring to link VK to # $3 key type (optional) +test_vk_link_with_passphrase_check() { + KEY_TYPE=${3:-user} + if [ -z "$3" ]; then + KEY_DESC=$1 + else + KEY_DESC="%$3:$1" + fi + + KEYCTL_KEY_NAME="%$KEY_TYPE:$1" + + echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase." + if [ $KEY_TYPE = "user" ]; then + $CRYPTSETUP open $LOOPDEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring." + fi + keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail + + echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV || fail + keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring." +} + +# $1 key name +# $2 keyring to link VK to +# $3 key type (optional) test_vk_link() { KEY_TYPE=${3:-user} if [ -z "$3" ]; then @@ -606,7 +644,7 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP -q luksClose $DEV_NAME || fail fi # skip tests using empty passphrases -if [ ! fips_mode ]; then +if ! fips_mode; then # empty keyfile $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail 
@@ -1430,17 +1468,19 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then $CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail fi -prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe -xz -dk $HEADER_LUKS2_INV.xz -dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1 -$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail -echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail -echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail -echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail -dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \ - "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768" -$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail -$CRYPTSETUP close $DEV_NAME ||fail +if dm_crypt_capi_support; then + prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe + xz -dk $HEADER_LUKS2_INV.xz + dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1 + $CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail + echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail + echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail + dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \ + "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768" + $CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail + $CRYPTSETUP close $DEV_NAME ||fail +fi if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then prepare "[45] Link VK to a keyring and use custom VK type." wipe 
@@ -1474,6 +1514,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user" test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user" + test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon" + # test numeric keyring name -5 is user session (@us) keyring echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c index 02e6be3..58d1309 100644 --- a/tests/crypto-vectors.c +++ b/tests/crypto-vectors.c @@ -1533,10 +1533,12 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[] { setvbuf(stdout, NULL, _IONBF, 0); +#ifndef NO_CRYPTSETUP_PATH if (getenv("CRYPTSETUP_PATH")) { printf("Cannot run this test with CRYPTSETUP_PATH set.\n"); exit(77); } +#endif if (crypt_backend_init(fips_mode())) exit_test("Crypto backend init error.", EXIT_FAILURE); diff --git a/tests/img_fs_xfs5.img.xz b/tests/img_fs_xfs5.img.xz Binary files differnew file mode 100644 index 0000000..26bd54c --- /dev/null +++ b/tests/img_fs_xfs5.img.xz diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test index 57acae0..a5f020e 100755 --- a/tests/luks2-reencryption-test +++ b/tests/luks2-reencryption-test @@ -858,6 +858,7 @@ function setup_luks2_env() { echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail local check_keyring=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring") if [ -n "$check_keyring" ]; then + bin_check keyctl HAVE_KEYRING=1 prepare_vk_keyring fi 
@@ -2137,7 +2138,7 @@ rm -f $IMG_HDR echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail wipe_dev /dev/mapper/$DEV_NAME -echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail check_hash_dev_head $DEV 2048 $HASH2 rm -f $IMG_HDR @@ -2145,12 +2146,20 @@ rm -f $IMG_HDR echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail wipe_dev /dev/mapper/$DEV_NAME -echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME --init-only || fail +echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR --active-name $DEV_NAME --init-only || fail check_hash_dev /dev/mapper/$DEV_NAME $HASH2 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --active-name $DEV_NAME || fail check_hash_dev_head $DEV 2048 $HASH2 rm -f $IMG_HDR +# run in single command by --active-name parameter +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail +wipe_dev /dev/mapper/$DEV_NAME +echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + echo "[33] Decryption with datashift recovery (error in shift area)." prepare_linear_dev 32 echo "sector size 512" diff --git a/tests/meson.build b/tests/meson.build index 43fff9a..e6341e7 100644 --- a/tests/meson.build +++ b/tests/meson.build 
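Review bot: The block added under `# run in single command by --active-name parameter` appears to duplicate the case changed in the previous hunk, now that this commit removes `$DEV` from that case. Both run `luksFormat`, `open`, `wipe_dev`, then `reencrypt -q --decrypt --header $IMG_HDR --active-name $DEV_NAME`, so the new block seems to add no coverage, and the one-step decrypt with an explicit `$DEV` is no longer exercised here. If both forms are meant to be tested, keep `$DEV` in one of them, e.g. `echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail`. The surrounding test section starts outside these hunks, so an earlier case may already cover that form.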
@@ -16,6 +16,9 @@ test_files_to_copy = [ 'fvault2-images.tar.xz', 'generators/generate-luks2-area-in-json-hdr-space-json0.img.sh', 'img_fs_ext4.img.xz', + 'img_fs_vfat.img.xz', + 'img_fs_xfs.img.xz', + 'img_fs_xfs5.img.xz', 'luks1-images.tar.xz', 'luks2_header_requirements.tar.xz', 'luks2_keyslot_unassigned.img.xz', @@ -27,6 +30,7 @@ test_files_to_copy = [ 'xfs_512_block_size.img.xz', 'valg.sh', 'cryptsetup-valg-supps', + 'LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz' ] foreach file : test_files_to_copy diff --git a/tests/mode-test b/tests/mode-test index 81780cd..06daa40 100755 --- a/tests/mode-test +++ b/tests/mode-test @@ -52,6 +52,22 @@ skip() exit 77 } +function dm_crypt_capi_support() +{ + VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) + [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version." + + VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) + VER_MIN=$(echo $VER_STR | cut -f 2 -d.) + VER_PTC=$(echo $VER_STR | cut -f 3 -d.) + + if [ $VER_MIN -ge 16 ]; then + return 0 + fi + + return 1 +} + function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." @@ -132,7 +148,7 @@ dmcrypt() echo -n -e "PLAIN:" dmcrypt_check "$DEV_NAME"_tstdev $OUT else - echo -n "[n/a]" + echo -n "[N/A]" fi echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF2 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1 
@@ -193,12 +209,17 @@ dmcrypt xchacha12,aes-adiantum-plain64 dmcrypt xchacha20,aes-adiantum-plain64 echo -n "CAPI format:" -echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail -$CRYPTSETUP close "$DEV_NAME"_tstdev || fail -echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail -dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail -$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail -$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail -echo [OK] +if dm_crypt_capi_support ; then + echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME --debug || fail + $CRYPTSETUP close "$DEV_NAME"_tstdev || fail + echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail + dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail + $CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail + $CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail + echo [OK] +else + echo [N/A] +fi cleanup +exit 0 diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test index 68a8c1f..7a6301e 100755 --- a/tests/reencryption-compat-test +++ b/tests/reencryption-compat-test @@ -25,6 +25,9 @@ PWD1="93R4P4pIqAH8" PWD2="1cND4319812f" PWD3="1-9Qu5Ejfnqv" +LUKS1_DECRYPT_UUID=d238e48a-0ed3-4169-b841-f26b44693134 +LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID" + MNT_DIR=./mnt_luks START_DIR=$(pwd) FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) 
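Review bot: The first `$CRYPTSETUP create ... -c 'capi:xts(aes)-plain64'` call inside the new `if dm_crypt_capi_support` branch gained `--debug`, which looks like a debugging leftover. It would write debug output into the `CAPI format:` result line on every run, while the other calls in the block are only re-indented. Drop the flag so the line ends `-s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail`.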
@@ -45,7 +48,7 @@ function remove_mapping() [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1 - rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1 + rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK $LUKS1_DECRYPT.{org\|new\|log} >/dev/null 2>&1 umount $MNT_DIR > /dev/null 2>&1 rmdir $MNT_DIR > /dev/null 2>&1 LOOPDEV1="" @@ -211,7 +214,7 @@ function simple_scsi_reenc() function mount_and_test() { test -d $MNT_DIR || mkdir -p $MNT_DIR mount $@ $MNT_DIR 2>/dev/null || { - echo -n "failed to mount [SKIP]" + echo -n "[N/A]" return 0 } rm $MNT_DIR/* 2>/dev/null @@ -239,7 +242,7 @@ function test_logging() { echo -n "$1:" for img in $(ls img_fs*img.xz) ; do wipefs -a $SCSI_DEV > /dev/null - echo -n "[${img%.img.xz}]" + echo -n " [${img%.img.xz}]" xz -d -c $img | dd of=$SCSI_DEV bs=4k >/dev/null 2>&1 mount_and_test $SCSI_DEV || return 1 done @@ -325,7 +328,7 @@ ln -s $IMG $DEV_LINK || fail echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail $CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -if [ ! fips_mode ]; then +if ! fips_mode; then # well, movin' zeroes :-) OFFSET=2048 SIZE=$(blockdev --getsz $LOOPDEV1) @@ -425,7 +428,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3 test_logging "[4096/512 sector]" || fail test_logging_tmpfs || fail -if [ ! fips_mode ]; then +if ! fips_mode; then echo "[10] Removal of encryption" prepare 8192 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail 
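Review bot: In `remove_mapping`, `$LUKS1_DECRYPT.{org\|new\|log}` is not a brace expansion, because bash only expands braces that contain a comma or a `..` sequence. `rm -f` therefore receives one literal name and the `.org`, `.new` and `.log` files are never removed; `-f` and `>/dev/null 2>&1` hide this. Use `$LUKS1_DECRYPT.{org,new,log}`. This matters for test [14] in the last hunk, which unpacks `$LUKS1_DECRYPT.tar.xz` into the working directory: if the resume step fails, the extracted files stay behind for the next run. `remove_mapping` starts before this hunk.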
@@ -490,7 +493,16 @@ if [ "$HAVE_BLKID" -gt 0 ]; then echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail test -f $IMG_HDR && fail fi -fi # if [ ! fips_mode ] + +# Only test if the LUKS1 decryption can be resumed with provided --uuid +echo "[14] Resume LUKS1 decryption" +prepare 8192 +tar xJf $LUKS1_DECRYPT.tar.xz || fail +echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt --uuid $LUKS1_DECRYPT_UUID >/dev/null || fail +test -f $LUKS1_DECRYPT.org && fail +test -f $LUKS1_DECRYPT.new && fail +test -f $LUKS1_DECRYPT.log && fail +fi # if ! fips_mode remove_mapping exit 0 |