eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 11:50:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add tests for various keyslot cipher null bugs.

Browse Source
This commit is contained in:
Ondrej Kozina
2021-02-15 16:49:23 +01:00
parent 36fd8d6b3c
commit 65b43d5d12
2 changed files with 48 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
tests/api-test-2.c
View File

@@ -2903,6 +2903,12 @@ static void Luks2KeyslotParams(void)
const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size_ret, key_size = strlen(mk_hex) / 2, keyslot_key_size = 16; size_t key_size_ret, key_size = strlen(mk_hex) / 2, keyslot_key_size = 16;
uint64_t r_payload_offset; uint64_t r_payload_offset;
const struct crypt_pbkdf_type fast_pbkdf = {
.type = "pbkdf2",
.hash = "sha256",
.iterations = 1000,
.flags = CRYPT_PBKDF_NO_BENCHMARK
};
crypt_decode_key(key, mk_hex, key_size); crypt_decode_key(key, mk_hex, key_size);
crypt_decode_key(key2, mk_hex2, key_size); crypt_decode_key(key2, mk_hex2, key_size);
@@ -2916,7 +2922,7 @@ static void Luks2KeyslotParams(void)
EQ_(key_size, 2 * keyslot_key_size); EQ_(key_size, 2 * keyslot_key_size);
/* test crypt_keyslot_add_by_key */ /* test crypt_keyslot_add_by_key */
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
crypt_set_iteration_time(cd, 1); OK_(crypt_set_pbkdf_type(cd, &fast_pbkdf));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL)); OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
NULL_(crypt_keyslot_get_encryption(cd, 0, &key_size_ret)); NULL_(crypt_keyslot_get_encryption(cd, 0, &key_size_ret));
OK_(strcmp(crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size_ret), cipher_spec)); OK_(strcmp(crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size_ret), cipher_spec));
@@ -2975,7 +2981,7 @@ static void Luks2KeyslotParams(void)
OK_(strcmp(crypt_keyslot_get_encryption(cd, 7, &key_size_ret), cipher_keyslot)); OK_(strcmp(crypt_keyslot_get_encryption(cd, 7, &key_size_ret), cipher_keyslot));
EQ_(key_size_ret, keyslot_key_size); EQ_(key_size_ret, keyslot_key_size);
crypt_set_iteration_time(cd, 1); OK_(crypt_set_pbkdf_type(cd, &fast_pbkdf));
EQ_(8, crypt_keyslot_change_by_passphrase(cd, 1, 8, PASSPHRASE1, strlen(PASSPHRASE1), PASSPHRASE, strlen(PASSPHRASE))); EQ_(8, crypt_keyslot_change_by_passphrase(cd, 1, 8, PASSPHRASE1, strlen(PASSPHRASE1), PASSPHRASE, strlen(PASSPHRASE)));
OK_(strcmp(crypt_keyslot_get_encryption(cd, 8, &key_size_ret), cipher_spec)); OK_(strcmp(crypt_keyslot_get_encryption(cd, 8, &key_size_ret), cipher_spec));
EQ_(key_size_ret, key_size); EQ_(key_size_ret, key_size);
@@ -3004,7 +3010,7 @@ static void Luks2KeyslotParams(void)
/* LUKS1 compatible calls */ /* LUKS1 compatible calls */
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
crypt_set_iteration_time(cd, 1); OK_(crypt_set_pbkdf_type(cd, &fast_pbkdf));
OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, NULL)); OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, NULL));
NULL_(crypt_keyslot_get_encryption(cd, 0, &key_size_ret)); NULL_(crypt_keyslot_get_encryption(cd, 0, &key_size_ret));
OK_(strcmp(crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size_ret), cipher_spec)); OK_(strcmp(crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size_ret), cipher_spec));
@@ -3014,6 +3020,18 @@ static void Luks2KeyslotParams(void)
EQ_(key_size_ret, key_size); EQ_(key_size_ret, key_size);
CRYPT_FREE(cd); CRYPT_FREE(cd);
/* LUKS2 cipher null checks */
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
OK_(crypt_set_pbkdf_type(cd, &fast_pbkdf));
OK_(crypt_format(cd, CRYPT_LUKS2, "cipher_null", "ecb", NULL, key, key_size, NULL));
FAIL_(crypt_keyslot_set_encryption(cd, "null", 32), "cipher null is not allowed");
FAIL_(crypt_keyslot_set_encryption(cd, "cipher_null", 32), "cipher null is not allowed");
FAIL_(crypt_keyslot_set_encryption(cd, "cipher_null-ecb", 32), "cipher null is not allowed");
EQ_(0, crypt_keyslot_add_by_volume_key(cd, 0, key, key_size, PASSPHRASE, strlen(PASSPHRASE)));
NOTNULL_(crypt_keyslot_get_encryption(cd, 0, &key_size_ret));
NULL_(strstr(crypt_keyslot_get_encryption(cd, 0, &key_size_ret), "null"));
CRYPT_FREE(cd);
_cleanup_dmdevices(); _cleanup_dmdevices();
_remove_keyfiles(); _remove_keyfiles();
} }

27
tests/luks2-reencryption-test
View File

@@ -1397,5 +1397,32 @@ $CRYPTSETUP luksErase -q $DEV || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 $DEV || fail echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --master-key-file $VKEY1 -s 128 $DEV || fail
check_hash $PWD1 $HASH1 check_hash $PWD1 $HASH1
echo "[24] Reencryption with initial cipher_null"
# aka custom encryption
prepare dev_size_mb=32
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
wipe $PWD1
check_hash $PWD1 $HASH1
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
check_hash $PWD1 $HASH1
# online
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
wipe $PWD1
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
check_hash_dev /dev/mapper/$DEV_NAME $HASH1
$CRYPTSETUP status $DEV_NAME | grep -q "key location: keyring" || fail
$CRYPTSETUP close $DEV_NAME
# simulate LUKS2 device with cipher_null in both keyslot and segment (it can be created only by up conversion from LUKS1)
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
$CRYPTSETUP convert -q --type luks2 $DEV || fail
wipe $PWD1
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
check_hash $PWD1 $HASH1
# both keyslot and segment cipher must not be null
$CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
remove_mapping remove_mapping
exit 0 exit 0