Get rid of SHA1 in tests.

OpenSSL with FIPS provider now does not support SHA1.
Kernel still does, but some operations fail anyway (we get
hash size from crypto backend).

Let's remove most of the SHA1 use in tests, SHA1 removal
will happen anyway.

The LUKS1 compatimage is regenerated with the same parameters,
just hash is switched to sha256 so we do not need to fix tests.
Milan Broz
2022-01-21 09:52:20 +01:00
parent 05a237be2a
commit 91db91352f
11 changed files with 66 additions and 51 deletions


@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)
.sector_size = 512
};
struct crypt_params_plain pl_params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)
};
uint32_t flags = 0;
const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
size_t key_size = strlen(mk_hex) / 2;
const char *cipher = "aes";
const char *cipher_mode = "cbc-essiv:sha256";
@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)
.sector_size = 512
};
struct crypt_params_plain pl_params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -2142,7 +2142,7 @@ static void LuksConvert(void)
.parallel_threads = 1
}, pbkdf2 = {
.type = CRYPT_KDF_PBKDF2,
.hash = "sha1",
.hash = "sha256",
.time_ms = 1
};
@@ -2675,7 +2675,7 @@ static void Pbkdf(void)
.hash = default_luks1_hash
};
struct crypt_params_plain params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -2874,11 +2874,11 @@ static void Pbkdf(void)
pbkdf2.time_ms = 9;
pbkdf2.hash = NULL;
FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");
pbkdf2.hash = "sha1";
pbkdf2.hash = "sha256";
OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
argon2.time_ms = 9;
argon2.hash = "sha1"; // will be ignored
argon2.hash = "sha256"; // will be ignored
OK_(crypt_set_pbkdf_type(cd, &argon2));
argon2.hash = NULL;
OK_(crypt_set_pbkdf_type(cd, &argon2));
@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)
struct crypt_params_reencrypt retparams = {}, rparams = {
.direction = CRYPT_REENCRYPT_FORWARD,
.resilience = "checksum",
.hash = "sha1",
.hash = "sha256",
.luks2 = &params2,
};
dev_t devno;
@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)
rparams.hash = "hamSter";
FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");
rparams.hash = "sha1";
rparams.hash = "sha256";
OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));
OK_(crypt_reencrypt_run(cd, NULL, NULL));
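Review bot: The replaced `mk_hex` constant in Luks2HeaderRestore carries no comment saying how it was derived, yet it has to change whenever `pl_params.hash` changes, as this commit shows. I would add `// hex of the plain-mode key derived from PASSPHRASE with pl_params.hash (sha256); regenerate if the hash changes` above it; the derivation is inferred from the paired edits, so confirm it before committing the wording. The same constant in AddDevicePlain in the other C test file has a comment, but that comment does not name the hash either. The function body continues outside the hunk.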


@@ -312,7 +312,7 @@ static int _setup(void)
static void AddDevicePlain(void)
{
struct crypt_params_plain params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -322,7 +322,7 @@ static void AddDevicePlain(void)
const char *passphrase = PASSPHRASE;
// hashed hex version of PASSPHRASE
const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
size_t key_size = strlen(mk_hex) / 2;
const char *cipher = "aes";
const char *cipher_mode = "cbc-essiv:sha256";
@@ -438,7 +438,7 @@ static void AddDevicePlain(void)
OK_(crypt_deactivate(cd,CDEVICE_1));
CRYPT_FREE(cd);
params.hash = "sha1";
params.hash = "sha256";
params.offset = 0;
params.size = 0;
params.skip = 0;
@@ -620,7 +620,7 @@ static void new_log(int level, const char *msg, void *usrptr)
static void CallbacksTest(void)
{
struct crypt_params_plain params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
};
@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)
.data_alignment = 2048, // 4M, data offset will be 4096
};
struct crypt_params_plain pl_params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)
.data_alignment = 2048,
};
struct crypt_params_plain pl_params = {
.hash = "sha1",
.hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0


@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $TEST_UUID || fail
prepare "[1] open - compat image - acceptance check" new
echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
check_exists
ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# Check it can be opened from header backup as well
@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail
$CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
# Repeat for V1.0 header - not aligned first keyslot
if [ ! fips_mode ] ; then
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
check_exists
ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
check_exists
$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi
prepare "[2] open - compat image - denial check" new
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
prepare "[19] create & status & resize" wipe
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
$CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
# 4k sector resize (if kernel supports it)
echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
if [ $? -eq 0 ] ; then
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
$CRYPTSETUP -q resize $DEV_NAME --size 16 || fail
@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then
fi
# Resize not aligned to logical block size
add_scsi_device dev_size_mb=32 sector_size=4096
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
$CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+
test $OLD_SIZE -eq $NEW_SIZE || fail
$CRYPTSETUP close $DEV_NAME || fail
# Add check for unaligned plain crypt activation
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
# verify is ignored on non-tty input
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \
dmsetup remove --retry $DEV_NAME2
prepare "[25] Create shared segments" wipe
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
$CRYPTSETUP -q remove $DEV_NAME2 || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
prepare "[26] Suspend/Resume" wipe
# only LUKS is supported
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q remove $DEV_NAME || fail
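Review bot: The added guard `if [ ! fips_mode ] ; then` around the V1.0 header check does not call anything: `[ ! fips_mode ]` tests whether the literal string "fips_mode" is empty, which is always false, so the guarded block (closed by the `fi` added in the next hunk) is skipped on every system, not only in FIPS mode. Assuming fips_mode is the helper used as a command elsewhere in the test suite, the condition should be `if ! fips_mode ; then`. As written, the unaligned-first-keyslot compatibility image is no longer opened by any run, and nothing in the output shows that the check was dropped.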


@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
# hash test
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail

Binary file not shown.


@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
echo "[2] Allowing discards for plain device"
echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
$CRYPTSETUP resize $DEV_NAME --size 100 || fail
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail


@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
echo -n "[FORMAT]"
$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
if [ $? -ne 0 ] ; then
if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
fail "Cannot format device."
fi
echo "[N/A]"
@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_siz
echo -n "[INTEGRITY:$1:$2:$4:$5]"
echo -n "[FORMAT]"
$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
if [ $? -ne 0 ] ; then
if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
fail "Cannot format device."
fi
echo "[N/A]"
return
fi
echo -n "[ACTIVATE]"
$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
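Review bot: The `"sha2"` pattern in the new failure checks of intformat and int_error_detection matches sha224 and sha256 names but not sha384 or sha512, so a format failure for an algorithm such as hmac-sha512 would print `[N/A]` and return instead of failing the test. If those algorithms are expected to work on every supported system, name them explicitly, e.g. `if [[ $2 =~ sha(224|256|384|512) || $2 =~ "crc" ]] ; then` (and the same with `$1` in intformat). In int_error_detection the added `2>&1` also discards the tool's error text, so a skipped case leaves no trace of why the format step failed. Both function bodies continue outside the hunks.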


@@ -119,7 +119,7 @@ add_device() {
command -v dmsetup >/dev/null || skip "Cannot find dmsetup, test skipped"
command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped"
command -v xxd >/dev/null || skip "Cannot find xxd, test skipped"
command -v sha1sum >/dev/null || skip "Cannot find sha1sum, test skipped"
command -v sha256sum >/dev/null || skip "Cannot find sha256sum, test skipped"
modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$DEVSIZEMB oflag=direct > /dev/null 2>&1
#test aes cipher with xts mode, plain IV
echo -n "Testing $CIPHER_XTS_PLAIN..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
# same test using message
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
dmsetup suspend $NAME || fail
dmsetup message $NAME 0 key wipe || fail
dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
dmsetup resume $NAME || fail
sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
echo "OK"
@@ -156,23 +156,23 @@ echo "OK"
#test aes cipher, xts mode, essiv IV
echo -n "Testing $CIPHER_CBC_ESSIV..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
# same test using message
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
dmsetup suspend $NAME || fail
dmsetup message $NAME 0 key wipe || fail
dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
dmsetup resume $NAME || fail
sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
echo "OK"
@@ -181,23 +181,23 @@ echo "OK"
fips_mode || {
echo -n "Testing $CIPHER_CBC_TCW..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
# same test using message
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
dmsetup suspend $NAME || fail
dmsetup message $NAME 0 key wipe || fail
dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
dmsetup resume $NAME || fail
sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
echo "OK"
@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."
echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail
echo $PWD | $CRYPTSETUP open $DEV $NAME || fail
$CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail
dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail
echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail
$CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail
dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
echo "OK"


@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name outkey [limit] [offset]
esac
# ignore these cases, not all libs/kernel supports it
if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
if [ $ret -ne 0 ] ; then
echo " [N/A] ($ret, SKIPPED)"
return


@@ -339,7 +339,7 @@ simple_scsi_reenc "[4096/512 sector]"
echo "[OK]"
echo "[8] Header only reencryption (hash and iteration time)"
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH1
echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail


@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6
for fail in data hash; do
wipe
echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "
$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT
if [ $? -ne 0 ] ; then
if [[ $1 =~ "sha2" ]] ; then
fail "Cannot format device."
fi
return
fi
echo -n "[root hash]"
compare_out "root hash" $2
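Review bot: The added failure check tests `$1`, which the function's header comment and the `echo` line above it (`$5 block size $1`) show to be the block size, so `[[ $1 =~ "sha2" ]]` can never match and every `veritysetup format` failure, sha256 included, returns silently instead of failing the test. The hash name is `$5`, so the condition should be `if [[ $5 =~ "sha2" ]] ; then`. The early `return` also leaves the `echo -n` status line unterminated; printing `echo "[N/A]"` before it, as the integrity test does, would make skipped cases visible in the log. check_root_hash starts and ends outside the hunk.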