From 580f0f1a285826a1845cff2b34f63375296648bb Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Thu, 24 Jan 2019 14:51:44 +0100 Subject: [PATCH] Add some FIPS mode workarounds. We cannot (yet) use Argon2 in FIPS mode, hack scripts and library to use PBKDF2 or skip tests and fix tests to run in FIPS mode. --- lib/utils_pbkdf.c | 11 ++++- tests/align-test | 4 +- tests/api-test-2.c | 88 +++++++++++++++++++++++++++------ tests/compat-test | 4 +- tests/compat-test2 | 28 +++++------ tests/device-test | 26 +++++----- tests/reencryption-compat-test | 7 +++ tests/reencryption-compat-test2 | 7 +++ tests/tcrypt-compat-test | 37 +++++++------- 9 files changed, 149 insertions(+), 63 deletions(-) diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c index d20b9350..c9c5c774 100644 --- a/lib/utils_pbkdf.c +++ b/lib/utils_pbkdf.c @@ -179,6 +179,15 @@ int init_pbkdf_type(struct crypt_device *cd, uint32_t old_flags, memory_kb; int r; + if (crypt_fips_mode()) { + if (pbkdf && strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) { + log_err(cd, "Only PBKDF2 is supported in FIPS mode."); + return -EINVAL; + } + if (!pbkdf) + pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2); + } + if (!pbkdf && dev_type && !strcmp(dev_type, CRYPT_LUKS2)) pbkdf = crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF); else if (!pbkdf) @@ -284,7 +293,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type) if (!type) return NULL; - if (!strcmp(type, CRYPT_LUKS1)) + if (!strcmp(type, CRYPT_LUKS1) || crypt_fips_mode()) return crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2); else if (!strcmp(type, CRYPT_LUKS2)) return crypt_get_pbkdf_type_params(DEFAULT_LUKS2_PBKDF); diff --git a/tests/align-test b/tests/align-test index ef954f2f..5a7a0ae1 100755 --- a/tests/align-test +++ b/tests/align-test @@ -151,7 +151,7 @@ format_plain() # sector size { echo -n "Formatting plain device (sector size $1)..." if [ -n "$DM_SECTOR_SIZE" ] ; then - echo $PWD1 | $CRYPTSETUP open --type plain --sector-size $1 $DEV $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 --sector-size $1 $DEV $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail echo "PASSED" else @@ -163,7 +163,7 @@ format_plain_fail() # sector size { echo -n "Formatting plain device (sector size $1, must fail)..." if [ -n "$DM_SECTOR_SIZE" ] ; then - echo $PWD1 | $CRYPTSETUP open --type plain --sector-size $1 $DEV $DEV_NAME >/dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 --sector-size $1 $DEV $DEV_NAME >/dev/null 2>&1 && fail echo "PASSED" else echo "N/A" diff --git a/tests/api-test-2.c b/tests/api-test-2.c index 7fdc4c68..f2ef4982 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c @@ -581,6 +581,13 @@ static void AddDeviceLuks2(void) uint64_t r_payload_offset, r_header_size, r_size_1; uint64_t mdata_size, keyslots_size; + /* Cannot use Argon2 in FIPS */ + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + } + crypt_decode_key(key, mk_hex, key_size); crypt_decode_key(key3, mk_hex2, key_size); @@ -965,6 +972,13 @@ static void Luks2HeaderRestore(void) const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset; + /* Cannot use Argon2 in FIPS */ + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + } + crypt_decode_key(key, mk_hex, key_size); OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset)); @@ -1061,6 +1075,13 @@ static void Luks2HeaderLoad(void) const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size; + /* Cannot use Argon2 in FIPS */ + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + } + crypt_decode_key(key, mk_hex, key_size); // prepare test env @@ -1185,6 +1206,13 @@ static void Luks2HeaderBackup(void) const char *passphrase = PASSPHRASE; + /* Cannot use Argon2 in FIPS */ + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + } + crypt_decode_key(key, mk_hex, key_size); OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset)); @@ -1272,6 +1300,13 @@ static void ResizeDeviceLuks2(void) const char *cipher_mode = "cbc-essiv:sha256"; uint64_t r_payload_offset, r_header_size, r_size; + /* Cannot use Argon2 in FIPS */ + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + } + crypt_decode_key(key, mk_hex, key_size); // prepare env @@ -1834,12 +1869,14 @@ static void LuksConvert(void) crypt_free(cd); // exercice non-pbkdf2 LUKSv2 conversion - OK_(crypt_init(&cd, DEVICE_1)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - OK_(crypt_set_pbkdf_type(cd, &argon)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); - FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Incompatible pbkdf with LUKSv1 format"); - crypt_free(cd); + if (!_fips_mode) { + OK_(crypt_init(&cd, DEVICE_1)); + OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); + OK_(crypt_set_pbkdf_type(cd, &argon)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); + FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Incompatible pbkdf with LUKSv1 format"); + crypt_free(cd); + } // exercice non LUKS1 compatible keyslot OK_(crypt_init(&cd, DEVICE_1)); @@ -1856,10 +1893,12 @@ static void LuksConvert(void) OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); offset = crypt_get_data_offset(cd); EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); - OK_(crypt_set_pbkdf_type(cd, &argon)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 1); - FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Different hash for digest and keyslot."); - OK_(crypt_keyslot_destroy(cd, 1)); + if (!_fips_mode) { + OK_(crypt_set_pbkdf_type(cd, &argon)); + EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 1); + FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Different hash for digest and keyslot."); + OK_(crypt_keyslot_destroy(cd, 1)); + } OK_(crypt_convert(cd, CRYPT_LUKS1, NULL)); EQ_(crypt_get_data_offset(cd), offset); crypt_free(cd); @@ -2272,6 +2311,10 @@ static void Pbkdf(void) .data_alignment = 2048, }; + /* Only PBKDF2 is allowed in FIPS, these tests cannot be run. */ + if (_fips_mode) + return; + NULL_(crypt_get_pbkdf_type_params(NULL)); NULL_(crypt_get_pbkdf_type_params("suslik")); NOTNULL_(pbkdf = crypt_get_pbkdf_type_params(CRYPT_KDF_PBKDF2)); @@ -2793,8 +2836,11 @@ static void Luks2Requirements(void) reset_log(); /* get & set pbkdf params (unrestricted) */ - OK_(crypt_set_pbkdf_type(cd, &argon2)); - NOTNULL_(crypt_get_pbkdf_type(cd)); + if (!_fips_mode) { + OK_(crypt_set_pbkdf_type(cd, &argon2)); + NOTNULL_(crypt_get_pbkdf_type(cd)); + } + OK_(crypt_set_pbkdf_type(cd, &pbkdf2)); NOTNULL_(crypt_get_pbkdf_type(cd)); @@ -2836,9 +2882,11 @@ static void Luks2Requirements(void) EQ_(r, -ETXTBSY); /* crypt_volume_key_get (unrestricted, but see below) */ - /* FIXME: eventual fips requirement should stop this */ - if (!_fips_mode) - OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3)); + /* FIXME: FIPS requirement stop this, restructure the whole order of calls */ + if (_fips_mode) + goto out; + + OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3)); /* crypt_keyslot_add_by_volume_key (restricted) */ FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected"); @@ -3069,7 +3117,7 @@ static void Luks2Requirements(void) /* crypt_keyslot_destroy (unrestricted) */ OK_(crypt_keyslot_destroy(cd, 0)); - +out: crypt_free(cd); _cleanup_dmdevices(); @@ -3129,6 +3177,14 @@ static int set_fast_pbkdf(struct crypt_device *cd) .parallel_threads = 1, .flags = CRYPT_PBKDF_NO_BENCHMARK }; + + /* Cannot use Argon2 in FIPS */ + if (_fips_mode) { + pbkdf.type = CRYPT_KDF_PBKDF2; + pbkdf.parallel_threads = 0; + pbkdf.max_memory_kb = 0; + pbkdf.iterations = 1000; + } return crypt_set_pbkdf_type(cd, &pbkdf); } diff --git a/tests/compat-test b/tests/compat-test index 0a3c4d27..62664f3c 100755 --- a/tests/compat-test +++ b/tests/compat-test @@ -721,8 +721,8 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: DISABLED" || fail prepare "[31] Deferred removal of device" wipe -echo $PWD1 | $CRYPTSETUP open --type plain $LOOPDEV $DEV_NAME || fail -echo $PWD2 | $CRYPTSETUP open --type plain /dev/mapper/$DEV_NAME $DEV_NAME2 || fail +echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 $LOOPDEV $DEV_NAME || fail +echo $PWD2 | $CRYPTSETUP open --type plain --hash sha256 /dev/mapper/$DEV_NAME $DEV_NAME2 || fail $CRYPTSETUP close $DEV_NAME >/dev/null 2>&1 && fail $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail $CRYPTSETUP close --deferred $DEV_NAME >/dev/null 2>&1 diff --git a/tests/compat-test2 b/tests/compat-test2 index 31bf9be3..d1b64103 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 @@ -809,18 +809,18 @@ echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force- echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail $CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || fail -$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 4 \ - --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail -$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || fail -$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || fail -$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || fail -$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || fail + --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || can_fail_fips # Benchmark -echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail -[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || fail -[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || fail +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips +[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips +[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 -i 500 $LOOPDEV || fail [ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail @@ -830,14 +830,14 @@ $CRYPTSETUP -q luksConvertKey $LOOPDEV --key-file $KEY5 2>/dev/null && fail $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail -$CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || fail -$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail +$CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || can_fail_fips echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail $CRYPTSETUP -q luksKillSlot $LOOPDEV 5 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail -echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || fail -$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail +echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips +$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail diff --git a/tests/device-test b/tests/device-test index 24dedc09..b7338ea4 100755 --- a/tests/device-test +++ b/tests/device-test @@ -21,7 +21,11 @@ cleanup() { fail() { - if [ -n "$1" ] ; then echo "FAIL $1" ; else echo "FAIL" ; fi + if [ -n "$1" ] ; then + echo "FAIL $1 at line $(caller)" + else + echo "FAIL at line $(caller)" + fi cleanup exit 100 } @@ -117,27 +121,27 @@ if [ -z "$DM_PERF_CPU" ]; then SKIP_COUNT=$((SKIP_COUNT+1)) else # plain - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail + echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail $CRYPTSETUP close $DEV_NAME || fail - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail + echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail $CRYPTSETUP close $DEV_NAME || fail - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME || fail - echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail + echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME || fail + echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail # Hash affects volume key for plain device. Check we can detect it echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --hash sha512 --perf-same_cpu_crypt --allow-discards 2>/dev/null && fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail - echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME --allow-discards || fail + echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME --allow-discards || fail $CRYPTSETUP status $DEV_NAME | grep -q discards || fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail - echo -e "$PWD1" | $CRYPTSETUP refresh -q $DEV_NAME || fail + echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 -q $DEV_NAME || fail $CRYPTSETUP status $DEV_NAME | grep -q discards && fail $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail - echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME2 2>/dev/null && fail + echo -e "$PWD1" | $CRYPTSETUP refresh --hash sha256 $DEV $DEV_NAME2 2>/dev/null && fail $CRYPTSETUP close $DEV_NAME || fail # LUKS echo -e "$PWD1" | $CRYPTSETUP open --type luks1 $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail @@ -216,7 +220,7 @@ else fi echo "[3] Kernel dmcrypt sector size options" -echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1 +echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 4096 >/dev/null 2>&1 ret=$? [ -z "$DM_SECTOR_SIZE" -a $ret -eq 0 ] && fail "cryptsetup activated device with --sector-size option on incompatible kernel!" if [ $ret -ne 0 ] ; then @@ -229,10 +233,10 @@ else $CRYPTSETUP close $DEV_NAME || fail echo -n "PLAIN sector size:" - echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail + echo -e "$PWD1" | $CRYPTSETUP open --type plain --hash sha256 $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail for S in 512 1024 2048 4096; do echo -n "[$S]" - echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --sector-size $S || fail + echo -e "$PWD1" | $CRYPTSETUP open -q --type plain --hash sha256 $DEV $DEV_NAME --sector-size $S || fail check_sector_size $S $CRYPTSETUP close $DEV_NAME || fail done diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test index 3087af8b..288a4f42 100755 --- a/tests/reencryption-compat-test +++ b/tests/reencryption-compat-test @@ -16,6 +16,12 @@ PWD3="1-9Qu5Ejfnqv" MNT_DIR=./mnt_luks START_DIR=$(pwd) +[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) + +function fips_mode() +{ + [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] +} function del_scsi_device() { @@ -205,6 +211,7 @@ function test_logging() { [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped." which wipefs >/dev/null 2>&1 || skip "Cannot find wipefs, test skipped." +fips_mode && skip "This test cannot be run in FIPS mode." # REENCRYPTION tests diff --git a/tests/reencryption-compat-test2 b/tests/reencryption-compat-test2 index 9e4d60e1..cecd6ca3 100755 --- a/tests/reencryption-compat-test2 +++ b/tests/reencryption-compat-test2 @@ -18,6 +18,12 @@ PWD3="1-9Qu5Ejfnqv" MNT_DIR=./mnt_luks START_DIR=$(pwd) +[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) + +function fips_mode() +{ + [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] +} function dm_crypt_features() { @@ -209,6 +215,7 @@ function test_logging() { [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped." which wipefs >/dev/null || skip "Cannot find wipefs, test skipped." +fips_mode && skip "This test cannot be run in FIPS mode." # REENCRYPTION tests diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test index 3846e04e..693e00ce 100755 --- a/tests/tcrypt-compat-test +++ b/tests/tcrypt-compat-test @@ -33,19 +33,20 @@ function skip() exit 77 } -function test_one() +function test_one() # cipher mode keysize rm_pattern { $CRYPTSETUP benchmark -c "$1-$2" -s "$3" >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "$1-$2 [N/A]" - IMGS=$(ls $TST_DIR/[tv]c* | grep "$1") + IMGS=$(ls $TST_DIR/[tv]c* | grep "$4") [ -n "$IMGS" ] && rm $IMGS + #echo $IMGS else echo "$1-$2 [OK]" fi } -function test_kdf() +function test_kdf() # hash { $CRYPTSETUP benchmark -h "$1" >/dev/null 2>&1 if [ $? -ne 0 ] ; then @@ -69,25 +70,27 @@ function test_required() test_kdf stribog512 echo "REQUIRED CIPHERS TEST" - test_one aes cbc 256 - test_one aes lrw 384 - test_one aes xts 512 + test_one aes cbc 256 cbc-aes + test_one aes lrw 384 lrw-aes + test_one aes xts 512 xts-aes - test_one twofish cbc 256 - test_one twofish lrw 384 - test_one twofish xts 512 + test_one twofish ecb 256 twofish + test_one twofish cbc 256 cbc-twofish + test_one twofish lrw 384 lrw-twofish + test_one twofish xts 512 xts-twofish - test_one serpent cbc 256 - test_one serpent lrw 384 - test_one serpent xts 512 + test_one serpent ecb 256 serpent + test_one serpent cbc 256 cbc-serpent + test_one serpent lrw 384 lrw-serpent + test_one serpent xts 512 xts-serpent - test_one blowfish cbc 256 + test_one blowfish cbc 256 blowfish - test_one des3_ede cbc 192 - test_one cast5 cbc 128 + test_one des3_ede cbc 192 des3_ede + test_one cast5 cbc 128 cast5 - test_one camellia xts 512 - test_one kuznyechik xts 512 + test_one camellia xts 512 camellia + test_one kuznyechik xts 512 kuznyechik ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images." }