Get rid of SHA1 in tests.

OpenSSL with FIPS provider now doesn't not support SHA1.
Kernel still does, but some operations fail anyway (we get
hash size from crypto backend).

Let's remove most of the SHA1 use in tests, SHA1 removal
will happen anyway.

The LUKS1 compatimage is regenerated with the same parameters,
just hash is switched to sha256 so we do not need to fix tests.

tests/api-test-2.c

@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)
 		.sector_size = 512
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)
 	};
 	uint32_t flags = 0;
 
-	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
 	size_t key_size = strlen(mk_hex) / 2;
 	const char *cipher = "aes";
 	const char *cipher_mode = "cbc-essiv:sha256";
@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)
 		.sector_size = 512
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -2142,7 +2142,7 @@ static void LuksConvert(void)
 		.parallel_threads = 1
 	}, pbkdf2 = {
 		.type = CRYPT_KDF_PBKDF2,
-		.hash = "sha1",
+		.hash = "sha256",
 		.time_ms = 1
 	};
 
@@ -2675,7 +2675,7 @@ static void Pbkdf(void)
 		.hash = default_luks1_hash
 	};
 	struct crypt_params_plain params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -2874,11 +2874,11 @@ static void Pbkdf(void)
 	pbkdf2.time_ms = 9;
 	pbkdf2.hash = NULL;
 	FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");
-	pbkdf2.hash = "sha1";
+	pbkdf2.hash = "sha256";
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
 
 	argon2.time_ms = 9;
-	argon2.hash = "sha1"; // will be ignored
+	argon2.hash = "sha256"; // will be ignored
 	OK_(crypt_set_pbkdf_type(cd, &argon2));
 	argon2.hash = NULL;
 	OK_(crypt_set_pbkdf_type(cd, &argon2));
@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)
 	struct crypt_params_reencrypt retparams = {}, rparams = {
 		.direction = CRYPT_REENCRYPT_FORWARD,
 		.resilience = "checksum",
-		.hash = "sha1",
+		.hash = "sha256",
 		.luks2 = &params2,
 	};
 	dev_t devno;
@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)
 	rparams.hash = "hamSter";
 	FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");
 
-	rparams.hash = "sha1";
+	rparams.hash = "sha256";
 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 

tests/api-test.c

@@ -312,7 +312,7 @@ static int _setup(void)
 static void AddDevicePlain(void)
 {
 	struct crypt_params_plain params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -322,7 +322,7 @@ static void AddDevicePlain(void)
 
 	const char *passphrase = PASSPHRASE;
 	// hashed hex version of PASSPHRASE
-	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
 	size_t key_size = strlen(mk_hex) / 2;
 	const char *cipher = "aes";
 	const char *cipher_mode = "cbc-essiv:sha256";
@@ -438,7 +438,7 @@ static void AddDevicePlain(void)
 	OK_(crypt_deactivate(cd,CDEVICE_1));
 
 	CRYPT_FREE(cd);
-	params.hash = "sha1";
+	params.hash = "sha256";
 	params.offset = 0;
 	params.size = 0;
 	params.skip = 0;
@@ -620,7 +620,7 @@ static void new_log(int level, const char *msg, void *usrptr)
 static void CallbacksTest(void)
 {
 	struct crypt_params_plain params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 	};
@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)
 		.data_alignment = 2048, // 4M, data offset will be 4096
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)
 		.data_alignment = 2048,
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0

tests/compat-test

@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $TEST_UUID || fail
 prepare	"[1] open - compat image - acceptance check" new
 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 check_exists
-ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 
 # Check it can be opened from header backup as well
@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
 
 # Repeat for V1.0 header - not aligned first keyslot
+if [ ! fips_mode ] ; then
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
 check_exists
 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
 check_exists
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
+fi
 
 prepare "[2] open - compat image - denial check" new
 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
 
 prepare "[19] create & status & resize" wipe
 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize  $DEV_NAME || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 $CRYPTSETUP -q status  $DEV_NAME >/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 # 4k sector resize (if kernel supports it)
-echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
 if [ $? -eq 0 ] ; then
 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
 	$CRYPTSETUP -q resize  $DEV_NAME --size 16 || fail
@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then
 fi
 # Resize not aligned to logical block size
 add_scsi_device dev_size_mb=32 sector_size=4096
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
 OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
 $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
 dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+
 test $OLD_SIZE -eq $NEW_SIZE || fail
 $CRYPTSETUP close $DEV_NAME || fail
 # Add check for unaligned plain crypt activation
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
 # verify is ignored on non-tty input
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \
 dmsetup remove --retry $DEV_NAME2
 
 prepare "[25] Create shared segments" wipe
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha1 --offset   0 --size 256 || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha256 --offset   0 --size 256 || fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
 $CRYPTSETUP -q remove  $DEV_NAME2 || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 
 prepare "[26] Suspend/Resume" wipe
 # only LUKS is supported
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
 $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
 $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail

tests/compat-test2

@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
 # hash test
-$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail

tests/discards-test

@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail
 $CRYPTSETUP luksClose $DEV_NAME || fail
 
 echo "[2] Allowing discards for plain device"
-echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail
 $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
 $CRYPTSETUP resize $DEV_NAME --size 100 || fail
 $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail

tests/integrity-compat-test

@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
 	echo -n "[FORMAT]"
 	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
-		if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
+		if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
 			fail "Cannot format device."
 		fi
 		echo "[N/A]"
@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_siz
 
 	echo -n "[INTEGRITY:$1:$2:$4:$5]"
 	echo -n "[FORMAT]"
-	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
+	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
+	if [ $? -ne 0 ] ; then
+		if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
+			fail "Cannot format device."
+		fi
+		echo "[N/A]"
+		return
+	fi
 	echo -n "[ACTIVATE]"
 	$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 

tests/keyring-compat-test

@@ -119,7 +119,7 @@ add_device() {
 command -v dmsetup >/dev/null || skip "Cannot find dmsetup, test skipped"
 command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped"
 command -v xxd >/dev/null || skip "Cannot find xxd, test skipped"
-command -v sha1sum >/dev/null || skip "Cannot find sha1sum, test skipped"
+command -v sha256sum >/dev/null || skip "Cannot find sha256sum, test skipped"
 modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
 dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
 
@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$DEVSIZEMB oflag=direct > /dev/null 2>&1
 #test aes cipher with xts mode, plain IV
 echo -n "Testing $CIPHER_XTS_PLAIN..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 load_key "$HEXKEY_32" logon  $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 # same test using message
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
 dmsetup suspend $NAME || fail
 dmsetup message $NAME 0 key wipe || fail
 dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
 dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 echo "OK"
@@ -156,23 +156,23 @@ echo "OK"
 #test aes cipher, xts mode, essiv IV
 echo -n "Testing $CIPHER_CBC_ESSIV..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 load_key "$HEXKEY_16" logon  $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 # same test using message
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
 dmsetup suspend $NAME || fail
 dmsetup message $NAME 0 key wipe || fail
 dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
 dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 echo "OK"
@@ -181,23 +181,23 @@ echo "OK"
 fips_mode || {
 echo -n "Testing $CIPHER_CBC_TCW..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 load_key "$HEXKEY_64" logon  $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
 # same test using message
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
 dmsetup suspend $NAME || fail
 dmsetup message $NAME 0 key wipe || fail
 dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
 dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 echo "OK"
@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."
 echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail
 echo $PWD | $CRYPTSETUP open $DEV $NAME || fail
 $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail
 echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail
 $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
 echo "OK"
 

tests/password-hash-test

@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name outkey [limit] [offset]
 	esac
 
 	# ignore these cases, not all libs/kernel supports it
-	if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
+	if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
 		if [ $ret -ne 0 ] ; then
 			echo " [N/A] ($ret, SKIPPED)"
 			return

tests/reencryption-compat-test

@@ -339,7 +339,7 @@ simple_scsi_reenc "[4096/512 sector]"
 echo "[OK]"
 
 echo "[8] Header only reencryption (hash and iteration time)"
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
 wipe $PWD1
 check_hash $PWD1 $HASH1
 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail

tests/verity-compat-test

@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6
 	for fail in data hash; do
 	wipe
 	echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "
-	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
+	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT
+	if [ $? -ne 0 ] ; then
+		if [[ $1 =~ "sha2" ]] ; then
+			fail "Cannot format device."
+		fi
+		return
+	fi
 
 	echo -n "[root hash]"
 	compare_out "root hash" $2