eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add some FIPS mode workarounds.

Browse Source 
We cannot (yet) use Argon2 in FIPS mode, hack scripts and library
to use PBKDF2 or skip tests and fix tests to run in FIPS mode.
This commit is contained in:
Milan Broz
2019-01-24 14:51:44 +01:00
parent 715b0c9b6c
commit 580f0f1a28
9 changed files with 149 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lib/utils_pbkdf.c
View File

@@ -179,6 +179,15 @@ int init_pbkdf_type(struct crypt_device *cd,
uint32_t old_flags, memory_kb;
int r;
if (crypt_fips_mode()) {
if (pbkdf && strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
log_err(cd, "Only PBKDF2 is supported in FIPS mode.");
return -EINVAL;
}
if (!pbkdf)
pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
}
if (!pbkdf && dev_type && !strcmp(dev_type, CRYPT_LUKS2))
pbkdf = crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF);
else if (!pbkdf)
@@ -284,7 +293,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type)
if (!type)
return NULL;
if (!strcmp(type, CRYPT_LUKS1))
if (!strcmp(type, CRYPT_LUKS1) || crypt_fips_mode())
return crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2);
else if (!strcmp(type, CRYPT_LUKS2))
return crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF);

4
tests/align-test
View File

@@ -151,7 +151,7 @@ format_plain() # sector size
{
echo -n "Formatting plain device (sector size $1)..."
if [ -n "$DM_SECTOR_SIZE" ] ; then
echo $PWD1 | $CRYPTSETUP open --type plain --sector-size $1 $DEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 --sector-size $1 $DEV $DEV_NAME || fail
$CRYPTSETUP close $DEV_NAME || fail
echo "PASSED"
else
@@ -163,7 +163,7 @@ format_plain_fail() # sector size
{
echo -n "Formatting plain device (sector size $1, must fail)..."
if [ -n "$DM_SECTOR_SIZE" ] ; then
echo $PWD1 | $CRYPTSETUP open --type plain --sector-size $1 $DEV $DEV_NAME >/dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 --sector-size $1 $DEV $DEV_NAME >/dev/null 2>&1 && fail
echo "PASSED"
else
echo "N/A"

88
tests/api-test-2.c
View File

@@ -581,6 +581,13 @@ static void AddDeviceLuks2(void)
uint64_t r_payload_offset, r_header_size, r_size_1;
uint64_t mdata_size, keyslots_size;
/* Cannot use Argon2 in FIPS */
if (_fips_mode) {
pbkdf.type = CRYPT_KDF_PBKDF2;
pbkdf.parallel_threads = 0;
pbkdf.max_memory_kb = 0;
}
crypt_decode_key(key, mk_hex, key_size);
crypt_decode_key(key3, mk_hex2, key_size);
@@ -965,6 +972,13 @@ static void Luks2HeaderRestore(void)
const char *cipher_mode = "cbc-essiv:sha256";
uint64_t r_payload_offset;
/* Cannot use Argon2 in FIPS */
if (_fips_mode) {
pbkdf.type = CRYPT_KDF_PBKDF2;
pbkdf.parallel_threads = 0;
pbkdf.max_memory_kb = 0;
}
crypt_decode_key(key, mk_hex, key_size);
OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
@@ -1061,6 +1075,13 @@ static void Luks2HeaderLoad(void)
const char *cipher_mode = "cbc-essiv:sha256";
uint64_t r_payload_offset, r_header_size;
/* Cannot use Argon2 in FIPS */
if (_fips_mode) {
pbkdf.type = CRYPT_KDF_PBKDF2;
pbkdf.parallel_threads = 0;
pbkdf.max_memory_kb = 0;
}
crypt_decode_key(key, mk_hex, key_size);
// prepare test env
@@ -1185,6 +1206,13 @@ static void Luks2HeaderBackup(void)
const char *passphrase = PASSPHRASE;
/* Cannot use Argon2 in FIPS */
if (_fips_mode) {
pbkdf.type = CRYPT_KDF_PBKDF2;
pbkdf.parallel_threads = 0;
pbkdf.max_memory_kb = 0;
}
crypt_decode_key(key, mk_hex, key_size);
OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
@@ -1272,6 +1300,13 @@ static void ResizeDeviceLuks2(void)
const char *cipher_mode = "cbc-essiv:sha256";
uint64_t r_payload_offset, r_header_size, r_size;
/* Cannot use Argon2 in FIPS */
if (_fips_mode) {
pbkdf.type = CRYPT_KDF_PBKDF2;
pbkdf.parallel_threads = 0;
pbkdf.max_memory_kb = 0;
}
crypt_decode_key(key, mk_hex, key_size);
// prepare env
@@ -1834,12 +1869,14 @@ static void LuksConvert(void)
crypt_free(cd);
// exercice non-pbkdf2 LUKSv2 conversion
OK_(crypt_init(&cd, DEVICE_1));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
OK_(crypt_set_pbkdf_type(cd, &argon));
EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Incompatible pbkdf with LUKSv1 format");
crypt_free(cd);
if (!_fips_mode) {
OK_(crypt_init(&cd, DEVICE_1));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
OK_(crypt_set_pbkdf_type(cd, &argon));
EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Incompatible pbkdf with LUKSv1 format");
crypt_free(cd);
}
// exercice non LUKS1 compatible keyslot
OK_(crypt_init(&cd, DEVICE_1));
@@ -1856,10 +1893,12 @@ static void LuksConvert(void)
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
offset = crypt_get_data_offset(cd);
EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
OK_(crypt_set_pbkdf_type(cd, &argon));
EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 1);
FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Different hash for digest and keyslot.");
OK_(crypt_keyslot_destroy(cd, 1));
if (!_fips_mode) {
OK_(crypt_set_pbkdf_type(cd, &argon));
EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 1);
FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Different hash for digest and keyslot.");
OK_(crypt_keyslot_destroy(cd, 1));
}
OK_(crypt_convert(cd, CRYPT_LUKS1, NULL));
EQ_(crypt_get_data_offset(cd), offset);
crypt_free(cd);
@@ -2272,6 +2311,10 @@ static void Pbkdf(void)
.data_alignment = 2048,
};
/* Only PBKDF2 is allowed in FIPS, these tests cannot be run. */
if (_fips_mode)
return;
NULL_(crypt_get_pbkdf_type_params(NULL));
NULL_(crypt_get_pbkdf_type_params("suslik"));
NOTNULL_(pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2));
@@ -2793,8 +2836,11 @@ static void Luks2Requirements(void)
reset_log();
/* get & set pbkdf params (unrestricted) */
OK_(crypt_set_pbkdf_type(cd, &argon2));
NOTNULL_(crypt_get_pbkdf_type(cd));
if (!_fips_mode) {
OK_(crypt_set_pbkdf_type(cd, &argon2));
NOTNULL_(crypt_get_pbkdf_type(cd));
}
OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
NOTNULL_(crypt_get_pbkdf_type(cd));
@@ -2836,9 +2882,11 @@ static void Luks2Requirements(void)
EQ_(r, -ETXTBSY);
/* crypt_volume_key_get (unrestricted, but see below) */
/* FIXME: eventual fips requirement should stop this */
if (!_fips_mode)
OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
/* FIXME: FIPS requirement stop this, restructure the whole order of calls */
if (_fips_mode)
goto out;
OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
/* crypt_keyslot_add_by_volume_key (restricted) */
FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
@@ -3069,7 +3117,7 @@ static void Luks2Requirements(void)
/* crypt_keyslot_destroy (unrestricted) */
OK_(crypt_keyslot_destroy(cd, 0));
out:
crypt_free(cd);
_cleanup_dmdevices();
@@ -3129,6 +3177,14 @@ static int set_fast_pbkdf(struct crypt_device *cd)
.parallel_threads = 1,
.flags = CRYPT_PBKDF_NO_BENCHMARK
};
/* Cannot use Argon2 in FIPS */
if (_fips_mode) {
pbkdf.type = CRYPT_KDF_PBKDF2;
pbkdf.parallel_threads = 0;
pbkdf.max_memory_kb = 0;
pbkdf.iterations = 1000;
}
return crypt_set_pbkdf_type(cd, &pbkdf);
}

4
tests/compat-test
View File

@@ -721,8 +721,8 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: DISABLED" || fail
prepare "[31] Deferred removal of device" wipe
echo $PWD1 | $CRYPTSETUP open --type plain $LOOPDEV $DEV_NAME || fail
echo $PWD2 | $CRYPTSETUP open --type plain /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 $LOOPDEV $DEV_NAME || fail
echo $PWD2 | $CRYPTSETUP open --type plain --hash sha256 /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
$CRYPTSETUP close $DEV_NAME >/dev/null 2>&1 && fail
$CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close --deferred $DEV_NAME >/dev/null 2>&1

28
tests/compat-test2
View File

@@ -809,18 +809,18 @@ echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 4 \
--pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || fail
--pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || can_fail_fips
# Benchmark
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 -i 500 $LOOPDEV || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail
@@ -830,14 +830,14 @@ $CRYPTSETUP -q luksConvertKey $LOOPDEV --key-file $KEY5 2>/dev/null && fail
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
$CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || can_fail_fips
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 5 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail

26
tests/device-test
View File

@@ -21,7 +21,11 @@ cleanup() {
fail()
{
if [ -n "$1" ] ; then echo "FAIL $1" ; else echo "FAIL" ; fi
if [ -n "$1" ] ; then
echo "FAIL $1 at line $(caller)"
else
echo "FAIL at line $(caller)"
fi
cleanup
exit 100
}
@@ -117,27 +121,27 @@ if [ -z "$DM_PERF_CPU" ]; then
SKIP_COUNT=$((SKIP_COUNT+1))
else
# plain
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
$CRYPTSETUP close $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
$CRYPTSETUP close $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
# Hash affects volume key for plain device. Check we can detect it
echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --hash sha512 --perf-same_cpu_crypt --allow-discards 2>/dev/null && fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --allow-discards || fail
echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --allow-discards || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards && fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME2 2>/dev/null && fail
echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 $DEV $DEV_NAME2 2>/dev/null && fail
$CRYPTSETUP close $DEV_NAME || fail
# LUKS
echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
@@ -216,7 +220,7 @@ else
fi
echo "[3] Kernel dmcrypt sector size options"
echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1
echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1
ret=$?
[ -z "$DM_SECTOR_SIZE" -a $ret -eq 0 ] && fail "cryptsetup activated device with --sector-size option on incompatible kernel!"
if [ $ret -ne 0 ] ; then
@@ -229,10 +233,10 @@ else
$CRYPTSETUP close $DEV_NAME || fail
echo -n "PLAIN sector size:"
echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail
echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail
for S in 512 1024 2048 4096; do
echo -n "[$S]"
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --sector-size $S || fail
echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --sector-size $S || fail
check_sector_size $S
$CRYPTSETUP close $DEV_NAME || fail
done

7
tests/reencryption-compat-test
View File

@@ -16,6 +16,12 @@ PWD3="1-9Qu5Ejfnqv"
MNT_DIR=./mnt_luks
START_DIR=$(pwd)
[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function fips_mode()
{
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
}
function del_scsi_device()
{
@@ -205,6 +211,7 @@ function test_logging() {
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped."
which wipefs >/dev/null 2>&1 || skip "Cannot find wipefs, test skipped."
fips_mode && skip "This test cannot be run in FIPS mode."
# REENCRYPTION tests

7
tests/reencryption-compat-test2
View File

@@ -18,6 +18,12 @@ PWD3="1-9Qu5Ejfnqv"
MNT_DIR=./mnt_luks
START_DIR=$(pwd)
[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function fips_mode()
{
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
}
function dm_crypt_features()
{
@@ -209,6 +215,7 @@ function test_logging() {
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped."
which wipefs >/dev/null || skip "Cannot find wipefs, test skipped."
fips_mode && skip "This test cannot be run in FIPS mode."
# REENCRYPTION tests

37
tests/tcrypt-compat-test
View File

@@ -33,19 +33,20 @@ function skip()
exit 77
}
function test_one()
function test_one() # cipher mode keysize rm_pattern
{
$CRYPTSETUP benchmark -c "$1-$2" -s "$3" >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "$1-$2 [N/A]"
IMGS=$(ls $TST_DIR/[tv]c* | grep "$1")
IMGS=$(ls $TST_DIR/[tv]c* | grep "$4")
[ -n "$IMGS" ] && rm $IMGS
#echo $IMGS
else
echo "$1-$2 [OK]"
fi
}
function test_kdf()
function test_kdf() # hash
{
$CRYPTSETUP benchmark -h "$1" >/dev/null 2>&1
if [ $? -ne 0 ] ; then
@@ -69,25 +70,27 @@ function test_required()
test_kdf stribog512
echo "REQUIRED CIPHERS TEST"
test_one aes cbc 256
test_one aes lrw 384
test_one aes xts 512
test_one aes cbc 256 cbc-aes
test_one aes lrw 384 lrw-aes
test_one aes xts 512 xts-aes
test_one twofish cbc 256
test_one twofish lrw 384
test_one twofish xts 512
test_one twofish ecb 256 twofish
test_one twofish cbc 256 cbc-twofish
test_one twofish lrw 384 lrw-twofish
test_one twofish xts 512 xts-twofish
test_one serpent cbc 256
test_one serpent lrw 384
test_one serpent xts 512
test_one serpent ecb 256 serpent
test_one serpent cbc 256 cbc-serpent
test_one serpent lrw 384 lrw-serpent
test_one serpent xts 512 xts-serpent
test_one blowfish cbc 256
test_one blowfish cbc 256 blowfish
test_one des3_ede cbc 192
test_one cast5 cbc 128
test_one des3_ede cbc 192 des3_ede
test_one cast5 cbc 128 cast5
test_one camellia xts 512
test_one kuznyechik xts 512
test_one camellia xts 512 camellia
test_one kuznyechik xts 512 kuznyechik
ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images."
}