eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 03:40:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add libLUKS2 tests.

Browse Source
This commit is contained in:
Milan Broz
2017-05-28 18:31:28 +02:00
parent 9f2727bb77
commit c6d4ebd80c
40 changed files with 5571 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
tests/Makefile.am
View File

@@ -1,5 +1,7 @@
TESTS = api-test \
api-test-2 \
compat-test \
compat-test2 \
loopaes-test \
align-test \
discards-test \
@@ -8,7 +10,9 @@ TESTS = api-test \
tcrypt-compat-test \
luks1-compat-test \
device-test \
keyring-test
keyring-test \
luks2-validation-test \
luks2-integrity-test
if VERITYSETUP
TESTS += verity-compat-test
@@ -23,8 +27,15 @@ TESTS += integrity-compat-test
endif
EXTRA_DIST = compatimage.img.bz2 compatv10image.img.bz2 \
compatimage2.img.xz \
conversion_imgs.tar.xz \
luks2_keyslot_unassigned.img.xz \
img_fs_ext4.img.bz2 img_fs_vfat.img.bz2 img_fs_xfs.img.bz2 \
valid_header_file.bz2 \
luks2_header_file.xz \
luks2_valid_hdr.img.xz \
luks2_header_requirements.xz \
luks2_header_requirements_free.xz \
evil_hdr-payload_overwrite.bz2 \
evil_hdr-stripes_payload_dmg.bz2 \
evil_hdr-luks_hdr_damage.bz2 \
@@ -32,11 +43,15 @@ EXTRA_DIST = compatimage.img.bz2 compatv10image.img.bz2 \
evil_hdr-keyslot_overlap.bz2 \
tcrypt-images.tar.bz2 \
luks1-images.tar.bz2 \
compat-test loopaes-test align-test discards-test mode-test password-hash-test \
compat-test \
compat-test2 \
loopaes-test align-test discards-test mode-test password-hash-test \
verity-compat-test \
reencryption-compat-test \
tcrypt-compat-test \
luks1-compat-test \
luks2-validation-test generators \
luks2-integrity-test \
device-test \
keyring-test \
integrity-compat-test \
@@ -44,7 +59,7 @@ EXTRA_DIST = compatimage.img.bz2 compatv10image.img.bz2 \
CLEANFILES = cryptsetup-tst* valglog*
clean-local:
-rm -rf tcrypt-images luks1-images
-rm -rf tcrypt-images luks1-images luks2-images conversion_imgs luks2_valid_hdr.img
differ_SOURCES = differ.c
differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
@@ -55,13 +70,25 @@ api_test_LDFLAGS = $(AM_LDFLAGS) -static
api_test_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
api_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
check_PROGRAMS = api-test differ
api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c $(top_srcdir)/lib/utils_loop.c
api_test_2_LDADD = ../lib/libcryptsetup.la
api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
check_PROGRAMS = api-test api-test-2 differ
conversion_imgs:
@tar xJf conversion_imgs.tar.xz
compatimage.img:
@bzip2 -k -d compatimage.img.bz2
valgrind-check: api-test differ
valgrind-check: api-test api-test-2 differ
@VALG=1 ./compat-test
@VALG=1 ./compat-test2
@VALG=1 ./luks2-validation-test
@INFOSTRING="api-test-000" ./valg-api.sh ./api-test
@INFOSTRING="api-test-002" ./valg-api.sh ./api-test-2
.PHONY: valgrind-check

2744
tests/api-test-2.c Normal file
View File

File diff suppressed because it is too large Load Diff

5
tests/api-test.c
View File

@@ -1,8 +1,9 @@
/*
* cryptsetup library API check functions
*
* Copyright (C) 2009-2013 Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2014, Milan Broz
* Copyright (C) 2009-2017 Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
* Copyright (C) 2016-2017, Ondrej Kozina
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

3
tests/api_test.h
View File

@@ -2,7 +2,8 @@
* cryptsetup library API check functions
*
* Copyright (C) 2009-2017 Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2014, Milan Broz
* Copyright (C) 2009-2017, Milan Broz
* Copyright (C) 2016-2017, Ondrej Kozina
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

2
tests/compat-test
View File

@@ -62,7 +62,7 @@ function fail()
{
[ -n "$1" ] && echo "$1"
remove_mapping
echo "FAILED"
echo "FAILED at line $(caller)"
exit 2
}

743
tests/compat-test2 Executable file
View File

@@ -0,0 +1,743 @@
#!/bin/bash
PS4='$LINENO:'
CRYPTSETUP=../src/cryptsetup
CRYPTSETUP_VALGRIND=../src/.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../lib/.libs
DEV_NAME=dummy
DEV_NAME2=dummy2
DEV_NAME3=dummy3
ORIG_IMG=luks-test-orig
IMG=luks-test
IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
KEY1=key1
KEY2=key2
KEY5=key5
KEYE=keye
PWD0="compatkey"
PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE"
PWD3="ocMakf3fAcQO"
PWDW="rUkL4RUryBom"
CHKS_DMCRYPT=vk_in_dmcrypt.chk
CHKS_KEYRING=vk_in_keyring.chk
TEST_KEYRING_NAME="compattest2_keyring"
TEST_TOKEN0="compattest2_desc0"
TEST_TOKEN1="compattest2_desc1"
FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null)
[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
LOCK_DIR=$(grep DEFAULT_LUKS2_LOCK_PATH ../config.h | cut -d\" -f 2)
HAVE_KEYRING=$(grep -e "#define KERNEL_KEYRING" ../config.h)
test -n "$HAVE_KEYRING" || HAVE_KEYRING=0
HAVE_KEYRING=${HAVE_KEYRING: -1}
function remove_mapping()
{
[ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove $DEV_NAME3
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1
rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $CHKS_DMCRYPT $CHKS_KEYRING $HEADER_KEYU >/dev/null 2>&1
# unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
unset TEST_KEYRING
}
function force_uevent()
{
DNAME=$(echo $LOOPDEV | cut -f3 -d /)
echo "change" >/sys/block/$DNAME/uevent
}
function fail()
{
[ -n "$1" ] && echo "$1"
remove_mapping
echo "FAILED at line $(caller)"
exit 2
}
function can_fail_fips()
{
# Ignore this fail if running in FIPS mode
[ -z "$FIPS_MODE" -o "$FIPS_MODE" -eq 0 ] && fail $1
}
function skip()
{
[ -n "$1" ] && echo "$1"
remove_mapping
exit 77
}
function prepare()
{
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
case "$2" in
wipe)
remove_mapping
dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
sync
losetup $LOOPDEV $IMG
;;
new)
remove_mapping
bzip2 -cd compatimage.img.bz2 > $IMG
xz -dk $HEADER_KEYU.xz
# FIXME: switch to internal loop (no losetup at all)
echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
losetup $LOOPDEV $IMG
bzip2 -cd compatv10image.img.bz2 > $IMG10
;;
reuse | *)
if [ ! -e $IMG ]; then
bzip2 -cd compatimage.img.bz2 > $IMG
losetup $LOOPDEV $IMG
fi
[ ! -e $IMG10 ] && bzip2 -cd compatv10image.img.bz2 > $IMG10
;;
esac
if [ ! -e $KEY1 ]; then
dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
fi
if [ ! -e $KEY2 ]; then
dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
fi
if [ ! -e $KEY5 ]; then
dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
fi
if [ ! -e $KEYE ]; then
touch $KEYE
fi
cp $IMG $ORIG_IMG
[ -n "$1" ] && echo "CASE: $1"
}
function check_exists()
{
[ -b /dev/mapper/$DEV_NAME ] || fail
}
function valgrind_setup()
{
which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
}
function valgrind_run()
{
INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
}
function dm_crypt_keyring_support()
{
VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
[ $VER_MAJ -gt 1 ] && return 0
[ $VER_MAJ -lt 1 ] && return 1
[ $VER_MIN -ge 15 ]
}
function test_and_prepare_keyring() {
which keyctl > /dev/null || skip "Cannot find keyctl, test skipped"
keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1 || keyctl link "@u" "@s" > /dev/null 2>&1
load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
}
# $1 type
# $2 description
# $3 payload
# $4 keyring
function load_key()
{
keyctl add $@ >/dev/null
}
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."
[ -d "$LOCK_DIR" ] || skip "WARNING: LUKS2 locking directory ($LOCK_DIR) is missing, test skipped."
# LUKS tests
prepare "[3] format" new
echo $PWD1 | $CRYPTSETUP $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
prepare "[4] format using hash sha512" wipe
echo $PWD1 | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
prepare "[5] open"
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
check_exists
# Key Slot 1 and key material section 1 must change, the rest must not.
prepare "[6] add key"
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Unsuccessful Key Delete - nothing may change
prepare "[7] unsuccessful delete"
echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
#FIXME
#$CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
#$CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
# Delete Key Test
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[8] successful delete"
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[9] add key test for key files"
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[10] delete key test with key1 as remaining key"
$CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
# Delete last slot
prepare "[11] delete last key" wipe
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# Format test for ESSIV, and some other parameters.
prepare "[12] parameter variation test" wipe
$CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV $KEY1 || fail
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
prepare "[13] open/close - stacked devices" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 /dev/mapper/$DEV_NAME $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[14] format/open - passphrase on stdin & new line" wipe
# stdin defined by "-" must take even newline
#echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks2 $LOOPDEV || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# now also try --key-file
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV --key-file=- || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# process newline if from stdin
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV || fail
echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[15] UUID - use and report provided UUID" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid blah --type luks2 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
prepare "[16] luksFormat" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by UUID
force_uevent # some systems do not update loop by-uuid
$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# empty keyfile
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[17] AddKey volume key, passphrase and keyfile" wipe
# masterkey
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail
$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
# special "-" handling
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
# [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
# keyfile/keyfile
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
# passphrase/keyfile
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
# passphrase/passphrase
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
# keyfile/passphrase
echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
prepare "[18] RemoveKey passphrase and keyfile" reuse
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" && fail
# if password or keyfile is provided, batch mode must not suppress it
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
# kill slot using passphrase from 1
echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
# remove key0 / slot 0
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" && fail
# last keyslot, in batch mode no passphrase needed...
$CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
prepare "[19] create & status & resize" wipe
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
$CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
$CRYPTSETUP -q resize $DEV_NAME --size 100 || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q resize $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
# Resize underlying loop device as well
truncate -s 16M $IMG || fail
$CRYPTSETUP -q resize $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
# verify is ignored on non-tty input
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then
echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail
fi
echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksOpen --disable-keyring $LOOPDEV $DEV_NAME || fail
echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then
$CRYPTSETUP -q resize --disable-keyring --size 100 $DEV_NAME 2>/dev/null && fail
fi
prepare "[20] Disallow open/create if already mapped." wipe
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
$CRYPTSETUP luksClose $DEV_NAME || fail
prepare "[21] luksDump" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || can_fail_fips
$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
prepare "[22] remove disappeared device" wipe
dmsetup create $DEV_NAME --table "0 10000 linear $LOOPDEV 2" || fail
echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
# underlying device now returns error but node is still present
dmsetup load $DEV_NAME --table "0 10000 error" || fail
dmsetup resume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
dmsetup remove $DEV_NAME || fail
prepare "[23] ChangeKey passphrase and keyfile" wipe
# [0]$KEY1 [1]key0
$CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
# keyfile [0] / keyfile [0]
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
# passphrase [1] / passphrase [1]
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
# keyfile [0] / keyfile [new]
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" && fail
# passphrase [1] / passphrase [new]
echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
# use all slots
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
# still allows replace
#FIXME
#$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
#$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
prepare "[24] Keyfile limit" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
$CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
# -l is ignored for stdin if _only_ passphrase is used
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
# this is stupid, but expected
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
# offset
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
$CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
prepare "[25] Create shared segments" wipe
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
$CRYPTSETUP -q remove $DEV_NAME2 || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
prepare "[26] Suspend/Resume" wipe
# only LUKS is supported
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
# LUKS
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME -T 1 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[27] luksOpen with specified key slot number" new
# first, let's try passphrase option
echo $PWD3 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
check_exists
$CRYPTSETUP luksClose $DEV_NAME || fail
echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
# second, try it with keyfiles
$CRYPTSETUP luksFormat -q -S 5 $FAST_PBKDF_OPT -d $KEY5 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
check_exists
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
$CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
# test keyslot not assigned to segment is unable to unlock volume
# otoh it should be allowed to test for proper passphrase
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME && fail
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME && fail
prepare "[28] Detached LUKS header" wipe
dd if=/dev/zero of=$HEADER_IMG bs=1M count=4 >/dev/null 2>&1
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
#FIXME
#echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 0 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q resize $DEV_NAME --size 100 --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail
$CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail
#prepare "[29] Repair metadata" wipe
#FIXME
#$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 || fail
# second sector overwrite should corrupt keyslot 6+7
#dd if=/dev/urandom of=$LOOPDEV bs=512 seek=1 count=1 >/dev/null 2>&1
#$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME >/dev/null 2>&1 && fail
#$CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
#$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
#$CRYPTSETUP luksClose $DEV_NAME || fail
prepare "[30] LUKS erase" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP luksErase -q $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" && fail
prepare "[31] LUKS convert" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
# FIXME: perhaps better to test in keyring-test script
if dm_crypt_keyring_support; then
prepare "[32] LUKS2 key in keyring" wipe
dd if=/dev/zero of=$HEADER_IMG bs=1M count=4 >/dev/null 2>&1
which sha1sum > /dev/null 2>&1 || skip "sha1sum is missing"
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
# check keyring support detection works as expected
rmmod dm-crypt > /dev/null 2>&1 || true
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
$CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
dd if=/dev/urandom of=/dev/mapper/$DEV_NAME bs=4k count=2500 oflag=direct > /dev/null 2>&1 || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_KEYRING
$CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
sha1sum /dev/mapper/$DEV_NAME > $CHKS_DMCRYPT
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail
$CRYPTSETUP close $DEV_NAME || fail
fi
# FIXME: candidate for non-root tests
if [ $HAVE_KEYRING -gt 0 ]; then
prepare "[33] tokens" wipe
test_and_prepare_keyring
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --token-id 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" || fail
# keyslot 5 is inactive
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
# key description is not reachable
$CRYPTSETUP open --token-only $LOOPDEV --test-passphrase && fail
# wrong passphrase
load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
$CRYPTSETUP open --token-only $LOOPDEV --test-passphrase && fail
load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
$CRYPTSETUP open --token-only $LOOPDEV --test-passphrase || fail
$CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP status $DEV_NAME > /dev/null || fail
$CRYPTSETUP close $DEV_NAME || fail
$CRYPTSETUP token remove --token-id 3 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail
# test we can remove keyslot with token
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
fi
prepare "[34] LUKS keyslot priority" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -S 1 || fail
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -S 5 || fail
$CRYPTSETUP config $LOOPDEV -S 0 --priority prefer && fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority bla >/dev/null 2>&1 && fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase && fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase -S 1 || fail
echo $PWD2 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority normal || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase && fail
prepare "[35] LUKS label and subsystem" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "(no subsystem)" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --subsystem SatelliteTwo --label TheLabel || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteTwo" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
$CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
$CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree --label TheLabel
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
prepare "[36] LUKS PBKDF setting" wipe
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf bla $LOOPDEV >/dev/null 2>&1 && fail
# Force setting, no benchmark. PBKDF2 has 1000 iterations as a minimum
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 999 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1000" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 1 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 1 \
--pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Time:" | grep -q "1" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || fail
# Benchmark
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 -i 500 $LOOPDEV || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail
remove_mapping
exit 0

BIN
tests/compatimage2.img.xz Normal file
View File

Binary file not shown.

BIN
tests/conversion_imgs.tar.xz Normal file
View File

Binary file not shown.

26
tests/device-test
View File

@@ -5,6 +5,7 @@ MNT_DIR="./mnt_luks"
DEV_NAME="dummy"
PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE"
FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
cleanup() {
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
@@ -30,11 +31,11 @@ skip()
exit 77
}
format() # key_bits expected [forced]
format() # format
{
dd if=/dev/zero of=$DEV bs=1M count=5 >/dev/null 2>&1
echo $PWD1 | $CRYPTSETUP luksFormat $DEV -q -i1 -c aes-cbc-essiv:sha256
echo $PWD1 | $CRYPTSETUP luksFormat --type $1 $DEV -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256
[ $? -ne 0 ] && fail "Format failed."
# test some operation, just in case
@@ -55,7 +56,7 @@ fi
echo "[1] Using tmpfs for image"
DEV="$MNT_DIR/test.img"
mount -t tmpfs none $MNT_DIR || skip "Mounting tmpfs not available."
format
format luks1
echo "[2] Kernel dmcrypt performace options"
echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt >/dev/null 2>&1
@@ -81,6 +82,25 @@ else
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
$CRYPTSETUP close $DEV_NAME || fail
format luks2
echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus --persistent || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
$CRYPTSETUP close $DEV_NAME || fail
# Stored in metadata
echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
$CRYPTSETUP close $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards --persistent || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
$CRYPTSETUP close $DEV_NAME || fail
echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
$CRYPTSETUP close $DEV_NAME || fail
fi
cleanup

72
tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh Executable file
View File

@@ -0,0 +1,72 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with one area accessing luks
# header space
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# make area 7 access the luks2 header space
OFFS=$((2*LUKS2_HDR_SIZE*512-1))
LEN=1
json_str=$(jq -c --arg off $OFFS --arg len $LEN \
'.keyslots."0".area.offset = $off | .keyslots."0".area.size = $len' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c --arg off $OFFS --arg len $LEN \
'if (.keyslots."0".area.offset != $off) or (.keyslots."0".area.size != $len)
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

87
tests/generators/generate-luks2-correct-full-json0.img.sh Executable file
View File

@@ -0,0 +1,87 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate header with correct json of maximal size in primary slot.
# Secondary header is broken on purpose.
#
# $1 full target dir
# $2 full source luks2 image
PATTERN="\"config\":{"
KEY="\"config_key\":\""
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_len=${#json_str}
pindex=$(strindex $json_str $PATTERN)
test $pindex -gt 0 || exit 2
offset=${#PATTERN}
offset=$((offset+pindex))
key_len=${#KEY}
remain=$((LUKS2_JSON_SIZE*512-json_len-key_len-2)) # -2: closing '"' and terminating '\0'
if [ ${json_str:offset:1} = "}" ]; then
format_str="%s%s%s"
else
format_str="%s%s,%s"
remain=$((remain-1)) # also count with separating ','
fi
test $remain -gt 0 || exit 2
fill=$(repeat_str "X" $remain)"\""
printf $format_str $KEY $fill ${json_str:$offset} | _dd of=$TMPDIR/json0 bs=1 seek=$offset conv=notrunc
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
#json_str_res0=$(< $TMPDIR/json_res0)
read -r json_str_res0 < $TMPDIR/json_res0
test ${#json_str_res0} -eq $((LUKS2_JSON_SIZE*512-1)) || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

65
tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh Executable file
View File

@@ -0,0 +1,65 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate header with malformed json but correct checksum in primary header
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_len=${#json_str}
json_len=$((json_len-1)) # to replace json closing '}'
json_new_str="${json_str:0:json_len},\""
while [ ${#json_new_str} -le $((LUKS2_JSON_SIZE*512)) ]; do
json_new_str=$json_new_str"all_work_and_no_play_makes_Jack_a_dull_boy_"
done
printf "%s" $json_new_str | _dd of=$TMPDIR/json0 bs=512 count=$LUKS2_JSON_SIZE
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
}
function check()
{
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
read -r json_str_res0 < $TMPDIR/json_res0
test ${#json_str_res0} -eq $((LUKS2_JSON_SIZE*512)) || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

66
tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh Executable file
View File

@@ -0,0 +1,66 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate header with malformed json but correct checksum in secondary header
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json1 $TGT_IMG $TMPDIR/json1
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json1
json_len=${#json_str}
json_len=$((json_len-1)) # to replace json closing '}'
json_new_str="${json_str:0:json_len},\""
while [ ${#json_new_str} -le $((LUKS2_JSON_SIZE*512)) ]; do
json_new_str=$json_new_str"all_work_and_no_play_makes_Jack_a_dull_boy_"
done
printf "%s" $json_new_str | _dd of=$TMPDIR/json1 bs=512 count=$LUKS2_JSON_SIZE
merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json1 $TMPDIR/area1
erase_checksum $TMPDIR/area1
chks1=$(calc_sha256_checksum_file $TMPDIR/area1)
write_checksum $chks1 $TMPDIR/area1
write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
chks_res1=$(read_sha256_checksum $TMPDIR/hdr_res1)
test "$chks1" = "$chks_res1" || exit 2
read_luks2_json1 $TGT_IMG $TMPDIR/json_res1
read -r json_str_res1 < $TMPDIR/json_res1
test ${#json_str_res1} -eq $((LUKS2_JSON_SIZE*512)) || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

52
tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh Executable file
View File

@@ -0,0 +1,52 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate header with bad checksum in both binary headerer
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
chks0=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin)
chks1=$(echo "D'oh!: arbitrary chosen string" | calc_sha256_checksum_stdin)
write_checksum $chks0 $TGT_IMG
write_checksum $chks1 $TMPDIR/hdr1
write_luks2_bin_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
chks_res0=$(read_sha256_checksum $TGT_IMG)
chks_res1=$(read_sha256_checksum $TMPDIR/hdr1)
test "$chks0" = "$chks_res0" || exit 2
test "$chks1" = "$chks_res1" || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

43
tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh Executable file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate header with bad checksum in primary binary header
#
# 1 full target dir
# 2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
}
function generate()
{
chks=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin)
write_checksum $chks $TGT_IMG
}
function check()
{
chks_res=$(read_sha256_checksum $TGT_IMG)
test "$chks" = "$chks_res" || exit 2
}
#function cleanup()
#{
#}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
#cleanup

48
tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh Executable file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate header with bad checksum in secondary binary header
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
chks=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin)
write_checksum $chks $TMPDIR/hdr1
write_luks2_bin_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
chks_res=$(read_sha256_checksum $TMPDIR/hdr1)
test "$chks" = "$chks_res" || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

68
tests/generators/generate-luks2-invalid-json-size-c0.img.sh Executable file
View File

@@ -0,0 +1,68 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with invalid json_size in config section
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512+4096))
json_str=$(jq -c --arg js $JS '.config.json_size = ($js | tostring)' $TMPDIR/json0)
test -n "$json_str" || exit 2
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c --arg js $JS 'if .config.json_size != ($js | tostring )
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

68
tests/generators/generate-luks2-invalid-json-size-c1.img.sh Executable file
View File

@@ -0,0 +1,68 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with invalid json_size in config section
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512-4096))
json_str=$(jq -c --arg js $JS '.config.json_size = ($js | tostring)' $TMPDIR/json0)
test -n "$json_str" || exit 2
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c --arg js $JS 'if .config.json_size != ($js | tostring )
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

71
tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh Executable file
View File

@@ -0,0 +1,71 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with too large keyslots_size set in config section
# (iow config.keyslots_size = data_offset - keyslots_offset + 512)
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# make area 7 being included in area 6
OFFS=$((2*LUKS2_HDR_SIZE*512))
json_str=$(jq -c --arg off $OFFS '.config.keyslots_size = (.segments."0".offset | tonumber - ($off | tonumber) + 4096 | tostring)' $TMPDIR/json0)
test -n "$json_str" || exit 2
# [.keyslots[].area.offset | tonumber] | max | tostring ---> max offset in keyslot areas
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c --arg off $OFFS 'if .config.keyslots_size != ( .segments."0".offset | tonumber - ($off | tonumber) + 4096 | tostring )
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

67
tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh Executable file
View File

@@ -0,0 +1,67 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with unaligned keyslots_size config section
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
json_str=$(jq -c '.config.keyslots_size = (.config.keyslots_size | tonumber - 1 | tostring)' $TMPDIR/json0)
test -n "$json_str" || exit 2
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c 'if (.config.keyslots_size | tonumber % 4096) == 0
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

68
tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh Executable file
View File

@@ -0,0 +1,68 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with keyslots_size less than sum of all keyslots area
# in json
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
json_str=$(jq '.config.keyslots_size = ([.keyslots[].area.size] | map(tonumber) | add - 4096 | tostring )' $TMPDIR/json0)
test -n "$json_str" || exit 2
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c 'if .config.keyslots_size != ([.keyslots[].area.size ] | map(tonumber) | add - 4096 | tostring)
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

70
tests/generators/generate-luks2-invalid-object-type-json0.img.sh Executable file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with well-formed json format
# where top level value is not of type object.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_str="[$json_str]" # make top level value an array
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
printf "%s" "$json_str" | _dd of=$TMPDIR/json0 bs=1 conv=notrunc
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
read -r json_str_res0 < $TMPDIR/json_res0
test "$json_str" = "$json_str_res0" || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

70
tests/generators/generate-luks2-invalid-opening-char-json0.img.sh Executable file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with well-formed json prefixed
# with useless whitespace.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_str=" $json_str" # add useless opening whitespace
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
printf "%s" "$json_str" | _dd of=$TMPDIR/json0 bs=1 conv=notrunc
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
IFS= read -r json_str_res0 < $TMPDIR/json_res0
test "$json_str" = "$json_str_res0" || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

74
tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh Executable file
View File

@@ -0,0 +1,74 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with missing keyslot object referenced
# in digest object
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str_orig < $TMPDIR/json0
arr_len=$(jq -c -M '.digests."0".keyslots | length' $TMPDIR/json0)
# add missing keyslot reference in keyslots array of digest '0'
json_str=$(jq -r -c -M 'def arr: ["digests", "0", "keyslots"];
def missks: getpath(["keyslots"]) | keys | max | tonumber + 1 | tostring;
setpath(arr; getpath(arr) + [ missks ])' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
new_arr_len=$(jq -c -M '.digests."0".keyslots | length' $TMPDIR/json_res0)
test $((arr_len+1)) -eq $new_arr_len || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

72
tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh Executable file
View File

@@ -0,0 +1,72 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with missing keyslot object referenced
# in token object
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str_orig < $TMPDIR/json0
# add missing keyslot reference in keyslots array of token '0'
json_str=$(jq -r -c -M 'def missks: getpath(["keyslots"]) | keys | max | tonumber + 1 | tostring;
.tokens += {"0":{"type":"dummy","keyslots":[ "0", missks ]}}' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
new_arr_len=$(jq -c -M '.tokens."0".keyslots | length' $TMPDIR/json_res0)
test $new_arr_len -eq 2 || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

74
tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh Executable file
View File

@@ -0,0 +1,74 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with missing segment object referenced
# in digest object
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str_orig < $TMPDIR/json0
arr_len=$(jq -c -M '.digests."0".segments | length' $TMPDIR/json0)
# add missing keyslot reference in keyslots array of digest '0'
json_str=$(jq -c 'def arr: ["digests", "0", "segments"];
def missseg: getpath(["segments"]) | keys | max | tonumber + 1 | tostring;
setpath(arr; getpath(arr) + [ missseg ])' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
new_arr_len=$(jq -c -M '.digests."0".segments | length' $TMPDIR/json_res0)
test $((arr_len+1)) -eq $new_arr_len || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

89
tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh Executable file
View File

@@ -0,0 +1,89 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with well-formed json but missing
# trailing null byte.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
PATTERN="\"config\":{"
KEY="\"config_key\":\""
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_len=${#json_str}
pindex=$(strindex $json_str $PATTERN)
test $pindex -gt 0 || exit 2
offset=${#PATTERN}
offset=$((offset+pindex))
key_len=${#KEY}
remain=$((LUKS2_JSON_SIZE*512-key_len-json_len-1)) # -1: closing '"'
if [ ${json_str:offset:1} = "}" ]; then
format_str="%s%s%s"
else
format_str="%s%s,%s"
remain=$((remain-1)) # also count with separating ','
fi
test $remain -gt 0 || exit 2
fill=$(repeat_str "X" $remain)
fill=$(repeat_str "X" $remain)"\""
printf $format_str $KEY $fill ${json_str:$offset} | _dd of=$TMPDIR/json0 bs=1 seek=$offset conv=notrunc
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
read -r json_str_res0 < $TMPDIR/json_res0
test ${#json_str_res0} -eq $((LUKS2_JSON_SIZE*512)) || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

72
tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh Executable file
View File

@@ -0,0 +1,72 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with json area concluded with illegal
# byte beyond terminating '}' charcter.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_str="$json_str"X # add illegal 'X' beyond json format
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
printf '%s' $json_str | _dd of=$TMPDIR/json0 bs=1 conv=notrunc
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
read -r json_str_res0 < $TMPDIR/json_res0
local len=${#json_str_res0}
len=$((len-1))
test ${json_str_res0:len:1} = "X" || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

76
tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh Executable file
View File

@@ -0,0 +1,76 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with json area containing illegal bytes
# beyond well-formed json format.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
QUOTE="[Homer J. Simpson]: Keep looking shocked and move slowly towards the cake."
SPACE=20
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
read -r json_str < $TMPDIR/json0
json_len_orig=${#json_str}
json_len=$((json_len_orig+${#QUOTE}+SPACE))
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
printf '%s' "$QUOTE" | _dd of=$TMPDIR/json0 seek=$((json_len_orig+SPACE)) bs=1 conv=notrunc
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
chks_res0=$(read_sha256_checksum $TGT_IMG)
test "$chks0" = "$chks_res0" || exit 2
_dd if=$TMPDIR/json_res0 of=$TMPDIR/quote skip=$((json_len_orig+SPACE)) count=${#QUOTE} bs=1
json_str_res0=$(head -c ${#QUOTE} $TMPDIR/quote)
test "$json_str_res0" = "$QUOTE" || exit 2
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

68
tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh Executable file
View File

@@ -0,0 +1,68 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with two exactly same areas in terms of 'offset' and 'length'.
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# copy area 6 offset and length into area 7
json_str=$(jq -c '.keyslots."7".area.offset = .keyslots."6".area.offset |
.keyslots."7".area.size = .keyslots."6".area.size' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c 'if (.keyslots."6".area.offset != .keyslots."7".area.offset) or (.keyslots."6".area.size != .keyslots."7".area.size)
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

70
tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh Executable file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with one area incuded within another one (in terms of 'offset' + 'length')
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# make area 7 being included in area 6
json_str=$(jq -c '.keyslots."7".area.offset = (.keyslots."6".area.offset | tonumber + 1 | tostring ) |
.keyslots."7".area.size = ( .keyslots."6".area.size | tonumber - 1 | tostring)' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c 'if (.keyslots."7".area.offset != (.keyslots."6".area.offset | tonumber + 1 | tostring)) or
(.keyslots."7".area.size != (.keyslots."6".area.size | tonumber - 1 | tostring)) or
(.keyslots."7".area.size | tonumber <= 0)
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

67
tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh Executable file
View File

@@ -0,0 +1,67 @@
#!/bin/bash
. lib.sh
#
# *** Description ***
#
# generate primary header with one area slightly cross the boundary of another one
#
# secondary header is corrupted on purpose as well
#
# $1 full target dir
# $2 full source luks2 image
function prepare()
{
cp $SRC_IMG $TGT_IMG
test -d $TMPDIR || mkdir $TMPDIR
read_luks2_json0 $TGT_IMG $TMPDIR/json0
read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
}
function generate()
{
# make area 7 being included in area 6
json_str=$(jq -c '.keyslots."7".area.offset = ([ .keyslots."6".area.offset, .keyslots."6".area.size ] | map(tonumber) | add - 1 | tostring)' $TMPDIR/json0)
test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
write_luks2_json "$json_str" $TMPDIR/json0
merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
erase_checksum $TMPDIR/area0
chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
write_checksum $chks0 $TMPDIR/area0
write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
kill_bin_hdr $TMPDIR/hdr1
write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
}
function check()
{
read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
test "$str_res1" = "VACUUM" || exit 2
read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
jq -c 'if .keyslots."7".area.offset != ([.keyslots."6".area.offset, .keyslots."6".area.size ] | map(tonumber) | add - 1 | tostring)
then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
}
function cleanup()
{
rm -f $TMPDIR/*
rm -fd $TMPDIR
}
test $# -eq 2 || exit 1
TGT_IMG=$1/$(test_img_name $0)
SRC_IMG=$2
prepare
generate
check
cleanup

133
tests/generators/lib.sh Normal file
View File

@@ -0,0 +1,133 @@
#!/bin/bash
# all in 512 bytes blocks
# LUKS2 with 16KiB header
LUKS2_HDR_SIZE=32 # 16 KiB
LUKS2_BIN_HDR_SIZE=8 # 4096 B
LUKS2_JSON_SIZE=$((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE))
LUKS2_BIN_HDR_CHKS_OFFSET=0x1C0
LUKS2_BIN_HDR_CHKS_LENGTH=64
[ -z "$srcdir" ] && srcdir="."
TMPDIR=$srcdir/tmp
repeat_str() {
printf "$1"'%.0s' $(eval "echo {1.."$(($2))"}");
}
function strindex()
{
local x="${1%%$2*}"
[[ $x = $1 ]] && echo -1 || echo ${#x}
}
function test_img_name()
{
local str=$(basename $1)
str=${str#generate-}
str=${str%%.sh}
echo $str
}
function read_luks2_bin_hdr0()
{
_dd if=$1 of=$2 bs=512 count=$LUKS2_BIN_HDR_SIZE
}
function read_luks2_json0()
{
_dd if=$1 of=$2 bs=512 skip=$LUKS2_BIN_HDR_SIZE count=$LUKS2_JSON_SIZE
}
function read_luks2_bin_hdr1()
{
_dd if=$1 of=$2 skip=$LUKS2_HDR_SIZE bs=512 count=$LUKS2_BIN_HDR_SIZE
}
function read_luks2_json1()
{
_dd if=$1 of=$2 bs=512 skip=$((LUKS2_BIN_HDR_SIZE+LUKS2_HDR_SIZE)) count=$LUKS2_JSON_SIZE
}
function read_luks2_hdr_area0()
{
_dd if=$1 of=$2 bs=512 count=$LUKS2_HDR_SIZE
}
function read_luks2_hdr_area1()
{
_dd if=$1 of=$2 bs=512 skip=$LUKS2_HDR_SIZE count=$LUKS2_HDR_SIZE
}
function write_luks2_bin_hdr1()
{
_dd if=$1 of=$2 bs=512 seek=$LUKS2_HDR_SIZE count=$LUKS2_BIN_HDR_SIZE conv=notrunc
}
function write_luks2_hdr0()
{
_dd if=$1 of=$2 bs=512 count=$LUKS2_HDR_SIZE conv=notrunc
}
function write_luks2_hdr1()
{
_dd if=$1 of=$2 bs=512 seek=$LUKS2_HDR_SIZE count=$LUKS2_HDR_SIZE conv=notrunc
}
# 1 - json str
function write_luks2_json()
{
local len=${#1}
printf '%s' "$1" | _dd of=$2 bs=1 count=$len conv=notrunc
_dd if=/dev/zero of=$2 bs=1 seek=$len count=$((LUKS2_JSON_SIZE*512-len))
}
function kill_bin_hdr()
{
printf "VACUUM" | _dd of=$1 bs=1 conv=notrunc
}
function erase_checksum()
{
_dd if=/dev/zero of=$1 bs=1 seek=$(printf %d $LUKS2_BIN_HDR_CHKS_OFFSET) count=$LUKS2_BIN_HDR_CHKS_LENGTH conv=notrunc
}
function read_sha256_checksum()
{
_dd if=$1 bs=1 skip=$(printf %d $LUKS2_BIN_HDR_CHKS_OFFSET) count=32 | xxd -c 32 -p
}
# 1 - string with checksum
function write_checksum()
{
test $# -eq 2 || return 1
test $((${#1}/2)) -le $LUKS2_BIN_HDR_CHKS_LENGTH || { echo "too long"; return 1; }
echo $1 | xxd -r -p | _dd of=$2 bs=1 seek=$(printf %d $LUKS2_BIN_HDR_CHKS_OFFSET) conv=notrunc
}
function calc_sha256_checksum_file()
{
sha256sum $1 | cut -d ' ' -f 1
}
function calc_sha256_checksum_stdin()
{
sha256sum - | cut -d ' ' -f 1
}
# 1 - bin
# 2 - json
# 3 - luks2_hdr_area
function merge_bin_hdr_with_json()
{
_dd if=$1 of=$3 bs=512 count=$LUKS2_BIN_HDR_SIZE
_dd if=$2 of=$3 bs=512 seek=$LUKS2_BIN_HDR_SIZE count=$LUKS2_JSON_SIZE
}
function _dd()
{
dd $@ 2>/dev/null
#dd $@
}

151
tests/luks2-integrity-test Executable file
View File

@@ -0,0 +1,151 @@
#!/bin/bash
#
# Test cryptsetup/authenticated encryption compatibility.
#
CRYPTSETUP=../src/cryptsetup
DEV_NAME=dmi_test
DEV=mode-test.img
PWD1=nHjJHjI23JK
KEY_FILE=key.img
FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
dmremove() { # device
udevadm settle >/dev/null 2>&1
dmsetup remove $1 >/dev/null 2>&1
}
cleanup() {
[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
[ -b /dev/mapper/"$DEV_NAME"_dif ] && dmremove "$DEV_NAME"_dif
rm -f $DEV $KEY_FILE >/dev/null 2>&1
}
fail()
{
echo
[ -n "$1" ] && echo "FAIL: $1"
cleanup
exit 100
}
skip()
{
[ -n "$1" ] && echo "$1"
exit 77
}
add_device() {
cleanup
dd if=/dev/urandom of=$KEY_FILE bs=1 count=512 >/dev/null 2>&1
dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
sync
}
status_check() # name value
{
#$CRYPTSETUP status $DEV_NAME
X=$($CRYPTSETUP status $DEV_NAME | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1)
if [ "$X" != "$2" ] ; then
echo "[status FAIL]"
echo " Expecting $1:$2 got \"$X\"."
fail
fi
}
dump_check() # name value
{
#$CRYPTSETUP luksDump $DEV
X=$($CRYPTSETUP luksDump $DEV | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1)
if [ "$X" != "$2" ] ; then
echo "[dump FAIL]"
echo " Expecting $1:$2 got \"$X\"."
fail
fi
}
int_check_sum() # alg checksum
{
VSUM=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1)
if [ "$VSUM" = "$2" ] ; then
echo -n "[CHECKSUM]"
else
echo "[FAIL]"
echo " Expecting $2 got $VSUM."
fail
fi
}
int_error_detection() # alg int sector_size
{
# FIXME: this is just a trivial failure
echo -n "[DETECT_CORRUPTION]"
echo -n "XXXXX" | dd of=$DEV bs=1M seek=28 count=1 conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device."
$CRYPTSETUP open -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device."
dd if=/dev/mapper/$DEV_NAME of=/dev/null >/dev/null 2>&1 && fail "Error detection failed."
$CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device."
}
intformat() # alg integrity integrity_out key_size int_key_size sector_size csum
{
echo -n "[$1:$2:$4:$6]"
echo -n "[FORMAT]"
$CRYPTSETUP luksFormat --type luks2 -q -c $1 --integrity $2 --sector-size $6 -s $4 \
$FAST_PBKDF_OPT -d $KEY_FILE $DEV >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "[N/A]"
return
fi
dump_check "cipher" $1
dump_check "sector" $6
dump_check "integrity" $3
dump_check "Key:" $(($4 + $5))
echo -n "[ACTIVATE]"
$CRYPTSETUP open -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device."
status_check "cipher" $1
status_check "sector size" $6
status_check "integrity:" $3
status_check "keysize:" $(($4 + $5))
[ $5 -gt 0 ] && status_check "integrity keysize:" $5
int_check_sum $1 $7
echo -n "[REMOVE]"
$CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device."
int_error_detection
echo "[OK]"
}
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
modprobe dm-integrity >/dev/null 2>&1
dmsetup targets | grep integrity >/dev/null 2>&1 || skip "Cannot find dm-integrity target, test skipped."
add_device
intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 256 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
intformat aes-xts-random hmac-sha256 hmac\(sha256\) 256 256 512 492c2d1cc9e222a850c399bfef4ed5a86bf5afc59e54f0f0c7ba8e2a64548323
intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 512 256 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
intformat aes-xts-random hmac-sha256 hmac\(sha256\) 512 256 512 492c2d1cc9e222a850c399bfef4ed5a86bf5afc59e54f0f0c7ba8e2a64548323
intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 256 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
intformat aes-xts-random hmac-sha256 hmac\(sha256\) 256 256 4096 8c0463f5ac09613674bdf40b0ff6f985edbc3de04e51fdc688873cb333ef3cda
intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 512 256 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
intformat aes-xts-random hmac-sha256 hmac\(sha256\) 512 256 4096 8c0463f5ac09613674bdf40b0ff6f985edbc3de04e51fdc688873cb333ef3cda
intformat aes-xts-plain64 hmac-sha512 hmac\(sha512\) 512 512 4096 9873d864fccb866521e79c9f0f75ad0c578d6bd7620399bbf4779e698c6e92fd
intformat aes-xts-random hmac-sha512 hmac\(sha512\) 512 512 4096 621f6c03f7361c2bf8f10059ae822339223f8471c750b0cf8584fba7134bd4a2
intformat aes-gcm-random aead aead 128 0 512 5f6f3f6be03c74d9aaaeaf40dd310c99a20e2786045f78a1fc6a0b189d231f57
intformat aes-gcm-random aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
intformat aes-gcm-random aead aead 256 0 512 5f6f3f6be03c74d9aaaeaf40dd310c99a20e2786045f78a1fc6a0b189d231f57
intformat aes-gcm-random aead aead 256 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
intformat aes-ccm-random aead aead 152 0 512 288e5e9bc5be6c0bd2a74abbb72c7944da83198b5e3041dcf159e7ae250dafa8
intformat aes-ccm-random aead aead 152 0 4096 7370c66a92708fb71b186931468be6aa9b26f4f88373b00b1c57360b9ee1304e
intformat aes-ccm-random aead aead 280 0 512 288e5e9bc5be6c0bd2a74abbb72c7944da83198b5e3041dcf159e7ae250dafa8
intformat aes-ccm-random aead aead 280 0 4096 7370c66a92708fb71b186931468be6aa9b26f4f88373b00b1c57360b9ee1304e
intformat chacha20-plain64 poly1305 poly1305 256 0 512 3f82eae753ff52a689ddc559c691bbdff838361bbe9a3ce8c7212e16e51b5dbe
intformat chacha20-random poly1305 poly1305 256 0 512 5f6f3f6be03c74d9aaaeaf40dd310c99a20e2786045f78a1fc6a0b189d231f57
intformat chacha20-plain64 poly1305 poly1305 256 0 4096 7370c66a92708fb71b186931468be6aa9b26f4f88373b00b1c57360b9ee1304e
intformat chacha20-random poly1305 poly1305 256 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
cleanup

162
tests/luks2-validation-test Executable file
View File

@@ -0,0 +1,162 @@
#!/bin/bash
#turn on debug mode by following env. variable _DEBUG=1
PS4='$LINENO:'
CRYPTSETUP=../src/cryptsetup
CRYPTSETUP_VALGRIND=../src/.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../lib/.libs
DM_CRYPT_SECTOR=512
LUKS2_HDR_SIZE=2112 # 16 KiB version, stored twice, including luks2 areas with keyslots
START_DIR=$(pwd)
IMG=luks2-backend.img
ORIG_IMG=luks2_valid_hdr.img
TST_IMGS=$START_DIR/luks2-images
GEN_DIR=generators
[ -z "$srcdir" ] && srcdir="."
function remove_mapping()
{
rm -rf $IMG $TST_IMGS >/dev/null 2>&1
}
function fail()
{
[ -n "$1" ] && echo "$1"
echo "FAILED"
cd $START_DIR
remove_mapping
exit 2
}
function skip()
{
[ -n "$1" ] && echo "$1"
exit 77
}
function prepare() # $1 dev1_size
{
remove_mapping
test -d $TST_IMGS || mkdir $TST_IMGS
test -e $ORIG_IMG || xz -dkc $srcdir/$ORIG_IMG.xz >$ORIG_IMG
cp $ORIG_IMG $TST_IMGS
cp $ORIG_IMG $IMG
}
function test_load()
{
local _debug=
test -z "$_DEBUG" || _debug="--debug"
case "$1" in
R)
if [ -n "$_debug" ]; then
$CRYPTSETUP luksDump $_debug $IMG || fail "$2"
else
$CRYPTSETUP luksDump $_debug $IMG > /dev/null || fail "$2"
fi
;;
F)
if [ -n "$_debug" ]; then
$CRYPTSETUP luksDump $_debug $IMG && fail "$2"
else
$CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1 && fail "$2"
fi
;;
*)
fail "Internal test error"
;;
esac
}
function RUN()
{
echo -n "Test image: $1..."
cp $TST_IMGS/$1 $IMG || fail "Missing test image"
test_load $2 "$3"
echo "OK"
}
function valgrind_setup()
{
which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
}
function valgrind_run()
{
INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
}
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
which jq >/dev/null || skip "Cannot find jq, test skipped."
prepare
echo "[0] Generating test headers"
cd $srcdir/$GEN_DIR
for scr in ./generate-*.sh; do
echo -n "$(basename $scr)..."
$scr $TST_IMGS $TST_IMGS/$ORIG_IMG || fail "Header generator $scr failed: '$?'"
echo "done"
done
cd $START_DIR
echo "[1] Test basic auto-recovery"
RUN luks2-invalid-checksum-hdr0.img "R" "Failed to recover from trivial header corruption at offset 0"
# TODO: check epoch is incresed after recovery
# TODO: check only sectors related to corrupted hdr at offset 0 are written (dmstats tool/differ.c)
RUN luks2-invalid-checksum-hdr1.img "R" "Failed to recover from trivial header corruption at offset 16384"
# TODO: check epoch is incresed after recovery
# TODO: check only sectors related to corrupted hdr at offset 16384 are written (dmstats tool/differ.c)
RUN luks2-invalid-checksum-both-hdrs.img "F" "Failed to recognise corrupted header beyond repair"
echo "[2] Test ability to auto-correct mallformed json area"
RUN luks2-corrupted-hdr0-with-correct-chks.img "R" "Failed to auto correct malformed json area at offset 512"
# TODO: check epoch is incresed after recovery
# TODO: check only sectors related to corrupted hdr at offset 0 are written (dmstats tool/differ.c)
RUN luks2-corrupted-hdr1-with-correct-chks.img "R" "Failed to auto correct malformed json area at offset 16896"
# TODO: check epoch is incresed after recovery
# TODO: check only sectors related to corrupted hdr at offset 16384 are written (dmstats tool/differ.c)
RUN luks2-correct-full-json0.img "R" "Failed to parse full and correct json area"
# TODO: detect noop (norecovery, epoch untouched)
# TODO: check epoch is NOT incresed after recovery of secondary header
# Secondary header is always broken in following tests
echo "[3] Test LUKS2 json area restrictions"
RUN luks2-non-null-byte-beyond-json0.img "F" "Failed to detect illegal data right beyond json data string"
RUN luks2-non-null-bytes-beyond-json0.img "F" "Failed to detect illegal data in json area"
RUN luks2-missing-trailing-null-byte-json0.img "F" "Failed to detect missing terminal null byte"
RUN luks2-invalid-opening-char-json0.img "F" "Failed to detect invalid opening character in json area"
RUN luks2-invalid-object-type-json0.img "F" "Failed to detect invalid json object type"
RUN luks2-overlapping-areas-c0-json0.img "F" "Failed to detect two exactly same area specifications"
RUN luks2-overlapping-areas-c1-json0.img "F" "Failed to detect two intersecting area specifications"
RUN luks2-overlapping-areas-c2-json0.img "F" "Failed to detect two slightly intersecting area specifications"
RUN luks2-area-in-json-hdr-space-json0.img "F" "Failed to detect area referencing LUKS2 header space"
RUN luks2-missing-keyslot-referenced-in-digest.img "F" "Failed to detect missing keyslot referenced in digest"
RUN luks2-missing-segment-referenced-in-digest.img "F" "Failed to detect missing segment referenced in digest"
RUN luks2-missing-keyslot-referenced-in-token.img "F" "Failed to detect missing keyslots referenced in token"
RUN luks2-invalid-keyslots-size-c0.img "F" "Failed to detect too large keyslots_size in config section"
RUN luks2-invalid-keyslots-size-c1.img "F" "Failed to detect unaligned keyslots_size in config section"
RUN luks2-invalid-keyslots-size-c2.img "F" "Failed to detect too small keyslots_size config section"
RUN luks2-invalid-json-size-c0.img "F" "Failed to detect invalid json_size config section"
RUN luks2-invalid-json-size-c1.img "F" "Failed to detect invalid json_size config section"
remove_mapping

BIN
tests/luks2_header_file.xz Normal file
View File

Binary file not shown.

BIN
tests/luks2_header_requirements.xz Normal file
View File

Binary file not shown.

BIN
tests/luks2_header_requirements_free.xz Normal file
View File

Binary file not shown.

BIN
tests/luks2_keyslot_unassigned.img.xz Normal file
View File

Binary file not shown.

BIN
tests/luks2_valid_hdr.img.xz Normal file
View File

Binary file not shown.