path: root/tests/mode-test

#!/bin/bash
#
# Test mode compatibility, check input + kernel and cryptsetup cipher status
#
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
DEV_NAME=dmc_test
HEADER_IMG=mode-test.img
PASSWORD=3xrododenron
PASSWORD1=$PASSWORD
KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"

# cipher-chainmode-ivopts:ivmode
CIPHERS="aes twofish serpent"
MODES="cbc lrw xts"
IVMODES="null benbi plain plain64 essiv:sha256"

LOOPDEV=$(losetup -f 2>/dev/null)

if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
	CRYPTSETUP_VALGRIND=$CRYPTSETUP
else
	CRYPTSETUP_VALGRIND=../.libs/cryptsetup
	CRYPTSETUP_LIB_VALGRIND=../.libs
fi

dmremove() { # device
	udevadm settle >/dev/null 2>&1
	dmsetup remove --retry $1 >/dev/null 2>&1
}

cleanup() {
	[ -b /dev/mapper/"$DEV_NAME"_tstdev ] && dmremove "$DEV_NAME"_tstdev
	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
	losetup -d $LOOPDEV >/dev/null 2>&1
	rm -f $HEADER_IMG >/dev/null 2>&1
}

fail()
{
	[ -n "$1" ] && echo "$1"
	echo "FAILED backtrace:"
	while caller $frame; do ((frame++)); done
	cleanup
	exit 100
}

skip()
{
	[ -n "$1" ] && echo "$1"
	exit 77
}

function valgrind_setup()
{
	command -v valgrind >/dev/null || fail "Cannot find valgrind."
	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
	[ ! -f valg.sh ] && fail "Unable to get location of valg runner script."
	if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
		export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
	fi
}

function valgrind_run()
{
	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
}


add_device() {
	cleanup
	dd if=/dev/zero of=$HEADER_IMG bs=1M count=6 >/dev/null 2>&1
	sync
	losetup $LOOPDEV $HEADER_IMG >/dev/null 2>&1
	dmsetup create $DEV_NAME --table "0 10240 linear $LOOPDEV 8" >/dev/null 2>&1
}

dmcrypt_check() # device outstring
{
	X=$(dmsetup table $1 2>/dev/null | sed 's/.*: //' | cut -d' '  -f 4)
	if [ "$X" = $2 ] ; then
		echo -n "[table OK]"
	else
		echo "[table FAIL]"
		echo " Expecting $2 got $X."
		fail
	fi

	X=$($CRYPTSETUP status $1 | grep cipher: | sed s/\.\*cipher:\\s*//)
	if [ $X = $2 ] ; then
		echo -n "[status OK]"
	else
		echo "[status FAIL]"
		echo " Expecting $2 got \"$X\"."
		fail
	fi

	dmremove $1
}

dmcrypt_check_sum() # cipher device
{
	EXPSUM="c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29"
	# Fill device with zeroes and reopen it
	dd if=/dev/zero of=/dev/mapper/$2 bs=1M count=6 >/dev/null 2>&1
	sync
	dmremove $2

	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 $2 /dev/mapper/$DEV_NAME >/dev/null 2>&1
	ret=$?
	VSUM=$(sha256sum /dev/mapper/$2 | cut -d' ' -f 1)
	if [ $ret -eq 0 -a "$VSUM" = "$EXPSUM" ] ; then
		echo -n "[OK]"
	else
		echo "[FAIL]"
		echo " Expecting $EXPSUM got $VSUM."
		fail
	fi

	dmremove $2
}

dmcrypt()
{
	OUT=$2
	[ -z "$OUT" ] && OUT=$1
	printf "%-31s" "$1"

	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME >/dev/null 2>&1
	if [ $? -eq 0 ] ; then
		echo -n -e "PLAIN:"
		dmcrypt_check "$DEV_NAME"_tstdev $OUT
	else
		echo -n "[n/a]"
	fi

	echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF2 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1
	if [ $? -eq 0 ] ; then
		echo -n -e " LUKS1:"
		echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail
		dmcrypt_check "$DEV_NAME"_tstdev $OUT
	fi

	echo $PASSWORD | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 $FAST_PBKDF2 -c $1 -s 256 --offset 8192 /dev/mapper/$DEV_NAME >/dev/null 2>&1
	if [ $? -eq 0 ] ; then
		echo -n -e " LUKS2:"
		echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail
		dmcrypt_check "$DEV_NAME"_tstdev $OUT
	fi

	# repeated device creation must return the same checksum
	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME >/dev/null 2>&1
	if [ $? -eq 0 ] ; then
		echo -n -e " CHECKSUM:"
		dmcrypt_check_sum "$1" "$DEV_NAME"_tstdev
	fi
	echo
}

[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ -z "$LOOPDEV" ] && skip "Cannot find free loop device, test skipped."
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run

add_device

# compatibility modes
dmcrypt aes aes-cbc-plain
dmcrypt aes-plain aes-cbc-plain

# empty cipher
PASSWORD=""
dmcrypt null cipher_null-ecb
dmcrypt cipher_null cipher_null-ecb
dmcrypt cipher_null-ecb

PASSWORD=$PASSWORD1
# codebook doesn't support IV at all
for cipher in $CIPHERS ; do
	dmcrypt "$cipher-ecb"
done

for cipher in $CIPHERS ; do
	for mode in $MODES ; do
		for ivmode in $IVMODES ; do
			dmcrypt "$cipher-$mode-$ivmode"
		done
	done
done

dmcrypt xchacha12,aes-adiantum-plain64
dmcrypt xchacha20,aes-adiantum-plain64

echo -n "CAPI format:"
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
echo [OK]

cleanup