eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 03:40:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add repair test for keyslot with kdf leftover params.

Browse Source
This commit is contained in:
Ondrej Kozina
2018-04-20 14:31:22 +02:00
committed by Milan Broz
parent a702b7ccc5
commit 7c70e6ce74
4 changed files with 218 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
tests/generators/generate-luks2-argon2-leftover-params.img.sh Executable file
View File

@@ -0,0 +1,71 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with luks2 keyslot kdf object
# having left over params.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# add keyslot 1 to second digest
obj_len=$(jq -c -M '.keyslots."1".kdf | length' $TMPDIR/json0)
json_str=$(jq -r -c -M '.keyslots."1".kdf.type = "pbkdf2" | .keyslots."1".kdf.iterations = 1001 | .keyslots."1".kdf.hash = "sha256"' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
new_obj_len=$(jq -c -M '.keyslots."1".kdf | length' $TMPDIR/json_res0)
test $((obj_len+2)) -eq $new_obj_len || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

71
tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh Executable file
View File

@@ -0,0 +1,71 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with luks2 keyslot kdf object
# having left over params.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# add keyslot 1 to second digest
obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json0)
json_str=$(jq -r -c -M '.keyslots."2".kdf.type = "argon2i" | .keyslots."2".kdf.iterations = 1001 | .keyslots."2".kdf.hash = "sha256"' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
new_obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json_res0)
test $((obj_len+2)) -eq $new_obj_len || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

71
tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh Executable file
View File

@@ -0,0 +1,71 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with luks2 keyslot kdf object
# having left over params.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# add keyslot 1 to second digest
obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json0)
json_str=$(jq -r -c -M '.keyslots."2".kdf.type = "argon2id" | .keyslots."2".kdf.iterations = 1001 | .keyslots."2".kdf.hash = "sha256"' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
new_obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json_res0)
test $((obj_len+2)) -eq $new_obj_len || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

5
tests/luks2-validation-test
View File

@@ -139,6 +139,11 @@ RUN luks2-correct-full-json0.img "R" "Failed to parse full and correct json area
# TODO: detect noop (norecovery, epoch untouched) # TODO: detect noop (norecovery, epoch untouched)
# TODO: check epoch is NOT incresed after recovery of secondary header # TODO: check epoch is NOT incresed after recovery of secondary header
# these tests auto-correct json in-memory only. It'll get fixed on-disk after write operation
RUN luks2-argon2-leftover-params.img "R" "Failed to repair keyslot with old argon2 parameters."
RUN luks2-pbkdf2-leftover-params-0.img "R" "Failed to repair keyslot with old pbkdf2 parameters."
RUN luks2-pbkdf2-leftover-params-1.img "R" "Failed to repair keyslot with old pbkdf2 parameters."
# Secondary header is always broken in following tests # Secondary header is always broken in following tests
echo "[3] Test LUKS2 json area restrictions" echo "[3] Test LUKS2 json area restrictions"
RUN luks2-non-null-byte-beyond-json0.img "F" "Failed to detect illegal data right beyond json data string" RUN luks2-non-null-byte-beyond-json0.img "F" "Failed to detect illegal data right beyond json data string"