daniel.zatovic
132027bafa
Force probe in tests instead of lsblk which can use udev cache.
2022-08-11 21:26:03 +02:00
Ondrej Kozina
5b001b7962
Delegate FIPS mode detection to configured crypto backend.
...
System FIPS mode check is no longer dependent on /etc/system-fips
file. The change should be compatible with older distributions since
we now depend on crypto backend internal routine.
This commit affects only FIPS enabled systems (with FIPS enabled
builds). In case this causes any regression in current distributions
feel free to drop the patch.
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
2022-08-10 10:53:39 +02:00
daniel.zatovic
429afe8fc3
Add valgrind support to more tests.
2022-08-10 07:45:13 +00:00
Milan Broz
abfb5e374f
Remove leftover debug option in test.
2022-08-09 22:54:43 +02:00
daniel.zatovic
f8c79f9a95
Fix valgrind summary leak detection.
...
Currently, only 1-9 leaks are detected. More than 10 leaks are evaluated
as no leak.
2022-08-05 16:38:38 +02:00
Ondrej Kozina
093adfc5f9
Fix user defined moved segment size in LUKS2 decryption.
...
--hotzone-size argument was ignored in cases where actual data size
was less than original LUKS2 data offset.
2022-08-01 07:05:06 +00:00
Ondrej Kozina
c6ed1becd7
Fix bogus conditions in tests.
...
Do not test for dm-crypt versions not supported
by upstream kernels.
2022-07-28 17:18:57 +02:00
Ondrej Kozina
17e6d2053a
Add mangle tests for LUKS2 decryption with datashift.
2022-07-28 07:57:36 +00:00
Ondrej Kozina
912109ae66
Improve reencryption parameters verification in cli.
...
Try to catch as many invalid parameters as possible
before entering library call.
2022-07-28 07:57:36 +00:00
Ondrej Kozina
25b877a403
Fix bug in reencryption parameters verification.
2022-07-28 07:57:36 +00:00
Guilhem Moulin
803957cd3e
Add support for --key-slot in luksResume action.
2022-07-20 20:00:09 +02:00
Milan Broz
bf4bfeac8a
Rename some tests to simplify localtest parsing.
2022-07-18 15:09:28 +02:00
Milan Broz
090dca635a
Add ssh-test-plugin to localtest if RUN_SSH_PLUGIN_TEST is set.
2022-07-18 11:16:23 +02:00
Milan Broz
0369ffdcc1
Rename ssh plugin test to ssh-test-plugin.
...
So we can filter it out in local tests
(*-test means generic tests, *-test-plugin specific plugin tests).
2022-07-18 09:11:23 +02:00
Milan Broz
648a85ed3a
Unify use of tabulators in tests.
2022-07-16 19:14:31 +00:00
Milan Broz
8f3884e0d7
Change default target for Makefile.localtest.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
289d5e5891
Add unit-utils-crypt-test to Makefile.localtest's list of tests.
...
This requires (re-)building the executable with -DNO_CRYPTSETUP_PATH.
Only in that case do we allow the test to run under non-empty
$CRYPTSETUP_PATH.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
b37d04975d
Add compat-test-args to Makefile.localtest's list of tests.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
6578dac2f9
Add blockwise-compat to Makefile.localtest's list of tests.
...
This requires (re-)building `unit-utils-io` with -DNO_CRYPTSETUP_PATH.
Only in that case do we allow the test to run under non-empty
$CRYPTSETUP_PATH.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
dc5f284e42
blockwise-compat: Wait a bit so scsi_debug has a chance to fully initialize.
...
Similar to a76c96d361. See also !386.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
32149e4ee7
blockwise-compat: Make skip() exit with status 77.
...
This is mostly useful under TESTSUITE_NOSKIP=y.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
0e4857ee81
unit-wipe-test: Make skip() exit with status 77.
...
This is mostly useful under TESTSUITE_NOSKIP=y.
2022-07-16 19:14:31 +00:00
Milan Broz
06dd06ea27
tests: allow unit-wipe-test to run with local tests.
2022-07-16 19:14:31 +00:00
Milan Broz
03eb8f860a
tests: check for differ existence in compat-test.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
fbcef71c41
Pass $(LDFLAGS) when building fake_token_path.so.
...
The Debian tooling sets ‘LDFLAGS = -Wl,-z,relro -Wl,-z,now’ and
complains when anything is built without hardened compiler/linker flags.
Granted this is a non-issue here since fake_token_path.so isn't included
in any binary package, but muting the false positive is arguably no
better fix than honoring $(LDFLAGS) during the build.
2022-07-16 13:51:11 +02:00
Milan Broz
8315ada3b0
Fix wipe unit test if direct-io not available.
...
If test is run in tmpfs, direct-io is not supported.
Thanks Guilhem Moulin for reporting the issue.
2022-07-15 21:50:21 +02:00
Guilhem Moulin
a76c96d361
unit-wipe-test: Wait a bit so scsi_debug has a chance to fully initialize.
...
On my test system `tests/unit-wipe-test` fails (as root) due to a race
condition in add_device():
root@host:~# ./unit-wipe-test
[1] Wipe full file [0/DIO][0][1048576/DIO][1048576][4194304/DIO][4194304][OK]
[2] Wipe blocks in file [0/DIO][0][1048576/DIO][1048576][4194304/DIO][4194304][OK]
[ 105.828258] scsi_debug:sdebug_driver_probe: scsi_debug: trim poll_queues to 0. poll_q/nr_hw = (0/1)
[ 105.830450] scsi host2: scsi_debug: version 0191 [20210520]
[ 105.830450] dev_size_mb=8, opts=0x0, submit_queues=1, statistics=0
[ 105.832924] scsi 2:0:0:0: Direct-Access Linux scsi_debug 0191 PQ: 0 ANSI: 7
[ 105.835417] scsi 2:0:0:0: Attached scsi generic sg1 type 0
FAIL Cannot find /dev/.
FAILED backtrace:
48 ./unit-wipe-test
144 main ./unit-wipe-test
[ 105.875131] sd 2:0:0:0: Power-on or device reset occurred
[ 105.876069] sd 2:0:0:0: [sda] 16384 512-byte logical blocks: (8.39 MB/8.00 MiB)
[ 105.877190] sd 2:0:0:0: [sda] Write Protect is off
[ 105.878002] sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, supports DPO and FUA
[ 105.879619] sd 2:0:0:0: [sda] Optimal transfer size 524288 bytes
[ 105.914222] sd 2:0:0:0: [sda] Attached SCSI disk
[ 106.866296] sd 2:0:0:0: [sda] Synchronizing SCSI cache
Observe how the “Power-on or device reset occurred” event occurs only
after add_device() has returned. Interestingly, for subsequent runs the
delay appears to be much shorter and doesn't trigger the race condition:
root@host:~# ./unit-wipe-test
[1] Wipe full file [0/DIO][0][1048576/DIO][1048576][4194304/DIO][4194304][OK]
[2] Wipe blocks in file [0/DIO][0][1048576/DIO][1048576][4194304/DIO][4194304][OK]
[ 130.639855] scsi_debug:sdebug_driver_probe: scsi_debug: trim poll_queues to 0. poll_q/nr_hw = (0/1)
[ 130.641463] scsi host2: scsi_debug: version 0191 [20210520]
[ 130.641463] dev_size_mb=8, opts=0x0, submit_queues=1, statistics=0
[ 130.643809] scsi 2:0:0:0: Direct-Access Linux scsi_debug 0191 PQ: 0 ANSI: 7
[ 130.645342] sd 2:0:0:0: Power-on or device reset occurred
[ 130.646364] sd 2:0:0:0: [sda] 16384 512-byte logical blocks: (8.39 MB/8.00 MiB)
[ 130.647585] sd 2:0:0:0: [sda] Write Protect is off
[ 130.648428] sd 2:0:0:0: Attached scsi generic sg1 type 0
[ 130.649339] sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, supports DPO and FUA
[ 130.650763] sd 2:0:0:0: [sda] Optimal transfer size 524288 bytes
[ 130.682223] sd 2:0:0:0: [sda] Attached SCSI disk
[3] Wipe full block device [0/DIO][0][1048576/DIO][1048576][4194304/DIO][4194304][OK]
[4] Wipe blocks in block device [0/DIO][0][1048576/DIO][1048576][4194304/DIO][4194304][OK]
[ 137.858283] sd 2:0:0:0: [sda] Synchronizing SCSI cache
This commit adds an optional 2s delay if scsi_debug hasn't shown up in
sysfs after the modprobe call.
2022-07-15 18:13:37 +00:00
Guilhem Moulin
3106b4e2c1
More typo and spelling fixes.
...
Reported by `git ls-tree -rz --name-only | grep -Evz -e '\.(pdf|xz)$' -e
^po/ | xargs -r0 spellintian --`. All changes are
documentation-related (comments, manuals, etc.) except for s/fial/fail/
in tests/unit-wipe-test.
The remaining entries are AFAICT all false positives, mostly annotations
such as `@param name name of xyz` or `struct foo foo`:
$ git ls-tree -rz HEAD --name-only | grep -Evz -e '\.(pdf|xz)$' -e ^po/ | xargs -r0 spellintian --
COPYING.LGPL: "GNU Library Public License" -> "GNU Library General Public License"
autogen.sh: echo echo (duplicate word) -> echo
configure.ac: fi fi (duplicate word) -> fi
docs/v1.7.2-ReleaseNotes: option option (duplicate word) -> option
lib/crypto_backend/cipher_check.c: block block (duplicate word) -> block
lib/libcryptsetup.h: name name (duplicate word) -> name
lib/libcryptsetup.h: type type (duplicate word) -> type
lib/libcryptsetup.h: passphrase passphrase (duplicate word) -> passphrase
lib/libcryptsetup.h: flags flags (duplicate word) -> flags
lib/libcryptsetup.h: password password (duplicate word) -> password
lib/libcryptsetup.h: salt salt (duplicate word) -> salt
lib/libcryptsetup.h: keyslot keyslot (duplicate word) -> keyslot
lib/libcryptsetup.h: priority priority (duplicate word) -> priority
lib/libcryptsetup.h: offset offset (duplicate word) -> offset
lib/libcryptsetup.h: length length (duplicate word) -> length
lib/libcryptsetup.h: keyfile keyfile (duplicate word) -> keyfile
lib/libcryptsetup.h: token token (duplicate word) -> token
lib/libcryptsetup.h: cipher cipher (duplicate word) -> cipher
lib/libcryptsetup.h: size size (duplicate word) -> size
lib/luks2/luks2_json_metadata.c: long long (duplicate word) -> long
lib/luks2/luks2_keyslot_luks2.c: AFEKSize AFEKSize (duplicate word) -> AFEKSize
lib/luks2/luks2_reencrypt.c: alignment alignment (duplicate word) -> alignment
lib/luks2/luks2_reencrypt_digest.c: ptr ptr (duplicate word) -> ptr
lib/luks2/luks2_reencrypt_digest.c: buffer buffer (duplicate word) -> buffer
lib/luks2/luks2_segment.c: min min (duplicate word) -> min
lib/verity/verity_fec.c: blocks blocks (duplicate word) -> blocks
man/cryptsetup.8.adoc: LUKS LUKS (duplicate word) -> LUKS
scripts/cryptsetup.conf.in: root root (duplicate word) -> root
src/Makemodule.am: endif endif (duplicate word) -> endif
src/cryptsetup.c: long long (duplicate word) -> long
src/utils_args.c: long long (duplicate word) -> long
tests/compat-test2: fi fi (duplicate word) -> fi
tests/device-test: echo echo (duplicate word) -> echo
tests/differ.c: long long (duplicate word) -> long
tests/loopaes-test: done done (duplicate word) -> done
tests/luks2-integrity-test: aead aead (duplicate word) -> aead
tests/luks2-reencryption-test: fi fi (duplicate word) -> fi
tests/mode-test: done done (duplicate word) -> done
tests/password-hash-test: cat cat (duplicate word) -> cat
tests/password-hash-test: fi fi (duplicate word) -> fi
tests/unit-wipe.c: long long (duplicate word) -> long
tests/verity-compat-test: done done (duplicate word) -> done
tests/verity-compat-test: fi fi (duplicate word) -> fi
tokens/ssh/cryptsetup-ssh.c: argp argp (duplicate word) -> argp
tokens/ssh/cryptsetup-ssh.c: arguments arguments (duplicate word) -> arguments
(Treated COPYING.LGPL as a false positive too since it's the exact text
from https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html .)
2022-07-15 16:35:02 +02:00
Ondrej Kozina
56d4e9924e
Add LUKS2 reencryption mangle tests.
2022-07-12 14:05:03 +02:00
Milan Broz
5904516122
Skip reencryption test if required ciphers are not available in userspace.
...
This happens for some very old systems like CentOS6 or own compiled
crypto libraries.
2022-07-05 15:08:43 +02:00
Milan Broz
b4603f1e28
Fix valgrind test in compat-test.
2022-07-04 14:34:04 +02:00
Ondrej Kozina
0009d9532e
Extend LUKS2 decryption with datashift API tests.
2022-06-30 11:21:38 +02:00
Ondrej Kozina
f531b567e0
Test reencryption initialization error path.
...
Test cli behaves properly when there's not enough
space in keyslots area for new unbound keyslot or
reencryption keyslot.
Fixes: #688.
2022-06-27 16:01:43 +02:00
Milan Broz
d22b003640
Fix possible keyslot area size overflow during convert to LUKS2
...
If keyslots are not sorted according to binary area offset,
the calculation of area size is wrong and can overflow
(LUKS1 does not store area size, only offset).
Let's just use function that calculates size from volume key size.
Images where keyslot areas are not aligned to 4k offset
are not supported anyway.
Fixes: #753
2022-06-23 07:06:38 +02:00
Ondrej Kozina
a485f44b57
Fix decryption with datashift initialization.
...
It did not work with --active-name option for
active LUKS2 devices.
2022-06-21 15:27:43 +02:00
Ondrej Kozina
f182d73001
Speed up reencryption tests.
...
By not testing repeatedly that 'wipe' test utility actually
wipes the device. This test is supposed to test reencryption
code.
I have left untouched already existing first time checks
for each data digest.
2022-06-21 10:47:42 +02:00
Milan Broz
857d17d210
Fix makefile to include wipe-test in dist tarball.
2022-06-17 19:57:31 +02:00
Milan Broz
279490b622
Add test for keyslot area overflow during validation.
2022-06-17 16:03:32 +02:00
Milan Broz
ba9e36ceae
Add empty string check to LUKS2 JSON validation.
...
Most of the LUKS2 fields cannot be empty,
add check for JSON validation for it to fail early.
Fixes: #746
2022-06-17 14:46:50 +02:00
Ondrej Kozina
f97af5dcfe
Add LUKS2 decryption with datashift tests.
2022-06-17 13:48:15 +02:00
Ondrej Kozina
369a18cd3b
Rename sector size related variables.
2022-06-14 17:11:25 +02:00
Ondrej Kozina
692bb8a455
Properly define uint32_t constants in API.
...
We do not change any value but it was not declared properly
and limit values had to be type cast to avoid compiler warnings
with strict options.
2022-06-07 11:30:34 +02:00
Milan Broz
59692e3ca2
Add a test for LUKS2 integrity with detached header.
2022-05-26 06:44:53 +00:00
Milan Broz
7e6c48f67c
integritysetup: mention and test xxhash64 non-crypto hash
...
Fast xxhash64 algorithm can be used for integrity protection.
Add implicit tag size (so users do not need to use --tag-size),
mention it in man page and add a test.
Fixes: #632
2022-05-24 14:36:25 +00:00
Vojtech Trefny
795b37d128
bitlk: Add BitLocker volume size to dump
2022-05-24 06:48:26 +00:00
Vojtech Trefny
6c73057156
integrity: Fix integrity_key_size for algorithms without keys
...
INTEGRITY_key_size returns -EINVAL for algorithms without a key
and because crypt_params_integrity.integrity_key_size is an
unsigned integer we get key size 4294967274 instead of more
appropriate 0 for these algorithms.
2022-05-22 19:58:00 +02:00
Milan Broz
4d6e9e7c32
Add crypt_wipe unit test.
...
It uses simple C wrapper around crypt_wipe() libcryptsetup
and then bash test scripts wiping simple file and block device.
2022-05-18 16:39:48 +02:00
Milan Broz
8606865e15
Avoid using top_srcdir in SOURCES.
2022-05-11 09:36:26 +00:00
Milan Broz
3173595fc9
Avoid using bash arrays in verity test.
...
This will break on every small change (as in following patch).
Just grep the key word as used elsewhere.
2022-05-09 13:46:24 +02:00
Milan Broz
ede2a8a45f
Add some basic UTF conversion function test.
...
Used only in bitlk format.
2022-05-03 15:48:09 +00:00