mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-08 09:20:11 +01:00
Compare commits
1 Commits
ci-fuzzing
...
vm-test
| Author | SHA1 | Date | |
|---|---|---|---|
|
96c9ea98d0 |
34
.github/workflows/cifuzz.yml
vendored
34
.github/workflows/cifuzz.yml
vendored
@@ -1,34 +0,0 @@
|
||||
# Build and shortly run fuzzers in proper Docker environment
|
||||
# Note that this cannot work with git forks, known CIFuzz limitation
|
||||
|
||||
name: CIFuzz
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- 'main'
|
||||
paths-ignore:
|
||||
- 'docs/**'
|
||||
|
||||
jobs:
|
||||
Fuzzing:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.repository == 'mbroz/cryptsetup'
|
||||
steps:
|
||||
- name: Build Fuzzers
|
||||
id: build
|
||||
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
|
||||
with:
|
||||
oss-fuzz-project-name: 'cryptsetup'
|
||||
dry-run: false
|
||||
- name: Run Fuzzers
|
||||
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
|
||||
with:
|
||||
oss-fuzz-project-name: 'cryptsetup'
|
||||
fuzz-seconds: 60
|
||||
dry-run: false
|
||||
- name: Upload Crash
|
||||
uses: actions/upload-artifact@v4
|
||||
if: failure() && steps.build.outcome == 'success'
|
||||
with:
|
||||
name: artifacts
|
||||
path: ./out/artifacts
|
||||
@@ -1,25 +1,46 @@
|
||||
cifuzz:
|
||||
image: ubuntu:noble
|
||||
tags:
|
||||
- gitlab-org-docker
|
||||
variables:
|
||||
OSS_FUZZ_PROJECT_NAME: cryptsetup
|
||||
CFL_PLATFORM: gitlab
|
||||
CIFUZZ_DEBUG: "True"
|
||||
FUZZ_SECONDS: 300 # 5 minutes per fuzzer
|
||||
ARCHITECTURE: "x86_64"
|
||||
DRY_RUN: "False"
|
||||
LOW_DISK_SPACE: "True"
|
||||
BAD_BUILD_CHECK: "True"
|
||||
LANGUAGE: "c"
|
||||
DOCKER_HOST: "tcp://docker:2375"
|
||||
DOCKER_IN_DOCKER: "true"
|
||||
DOCKER_DRIVER: overlay2
|
||||
DOCKER_TLS_CERTDIR: ""
|
||||
image:
|
||||
name: gcr.io/oss-fuzz-base/cifuzz-base
|
||||
entrypoint: [""]
|
||||
services:
|
||||
- docker:dind
|
||||
|
||||
stage: test
|
||||
interruptible: true
|
||||
parallel:
|
||||
matrix:
|
||||
- SANITIZER: [address, undefined, memory]
|
||||
rules:
|
||||
# Default code change.
|
||||
# - if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
||||
# variables:
|
||||
# MODE: "code-change"
|
||||
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
|
||||
when: never
|
||||
- if: $BUILD_AND_RUN_FUZZERS != null
|
||||
before_script:
|
||||
- apt-get -y update
|
||||
- >
|
||||
apt-get -y install -y -qq git clang make autoconf automake autopoint
|
||||
pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
|
||||
libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
|
||||
flex bison cmake ninja-build
|
||||
parallel:
|
||||
matrix:
|
||||
# memory does not work for now
|
||||
- SANITIZER: [address, undefined]
|
||||
# Get gitlab's container id.
|
||||
- export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset`
|
||||
script:
|
||||
- cd tests/fuzz
|
||||
- ./oss-fuzz-build.sh
|
||||
- ls -l out
|
||||
# Will build and run the fuzzers.
|
||||
# We use a hack to override CI_JOB_ID, because otherwise a bad path is used
|
||||
# in GitLab CI environment
|
||||
- CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py"
|
||||
artifacts:
|
||||
# Upload artifacts when a crash makes the job fail.
|
||||
when: always
|
||||
paths:
|
||||
- artifacts/
|
||||
|
||||
@@ -17,48 +17,6 @@
|
||||
- ./configure --enable-libargon2 --enable-asciidoc
|
||||
|
||||
test-mergerq-job-debian:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
- libvirt
|
||||
- cryptsetup-debian-unstable
|
||||
stage: test
|
||||
interruptible: true
|
||||
variables:
|
||||
DISTRO: cryptsetup-debian-unstable
|
||||
RUN_SSH_PLUGIN_TEST: "1"
|
||||
RUN_KEYRING_TRUSTED_TEST: "1"
|
||||
rules:
|
||||
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
|
||||
when: never
|
||||
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
||||
script:
|
||||
- make -j
|
||||
- make -j -C tests check-programs
|
||||
- sudo -E make check
|
||||
|
||||
test-main-commit-job-debian:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
- libvirt
|
||||
- cryptsetup-debian-unstable
|
||||
stage: test
|
||||
interruptible: true
|
||||
variables:
|
||||
DISTRO: cryptsetup-debian-unstable
|
||||
RUN_SSH_PLUGIN_TEST: "1"
|
||||
RUN_KEYRING_TRUSTED_TEST: "1"
|
||||
rules:
|
||||
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
|
||||
when: never
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
|
||||
script:
|
||||
- make -j
|
||||
- make -j -C tests check-programs
|
||||
- sudo -E make check
|
||||
|
||||
test-mergerq-job-debian12:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
@@ -79,7 +37,7 @@ test-mergerq-job-debian12:
|
||||
- make -j -C tests check-programs
|
||||
- sudo -E make check
|
||||
|
||||
test-main-commit-job-debian12:
|
||||
test-main-commit-job-debian:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
@@ -106,11 +64,11 @@ test-mergerq-job-debian-meson:
|
||||
- .debian-prep
|
||||
tags:
|
||||
- libvirt
|
||||
- cryptsetup-debian-unstable
|
||||
- cryptsetup-debian-12
|
||||
stage: test
|
||||
interruptible: true
|
||||
variables:
|
||||
DISTRO: cryptsetup-debian-unstable
|
||||
DISTRO: cryptsetup-debian-12
|
||||
RUN_SSH_PLUGIN_TEST: "1"
|
||||
RUN_KEYRING_TRUSTED_TEST: "1"
|
||||
rules:
|
||||
@@ -124,50 +82,6 @@ test-mergerq-job-debian-meson:
|
||||
- cd build && sudo -E meson test --verbose --print-errorlogs
|
||||
|
||||
test-main-commit-job-debian-meson:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
- libvirt
|
||||
- cryptsetup-debian-unstable
|
||||
stage: test
|
||||
interruptible: true
|
||||
variables:
|
||||
DISTRO: cryptsetup-debian-unstable
|
||||
RUN_SSH_PLUGIN_TEST: "1"
|
||||
RUN_KEYRING_TRUSTED_TEST: "1"
|
||||
rules:
|
||||
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
|
||||
when: never
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
|
||||
script:
|
||||
- sudo apt-get -y install -y -qq meson ninja-build
|
||||
- meson setup build
|
||||
- ninja -C build
|
||||
- cd build && sudo -E meson test --verbose --print-errorlogs
|
||||
|
||||
test-mergerq-job-debian12-meson:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
- libvirt
|
||||
- cryptsetup-debian-12
|
||||
stage: test
|
||||
interruptible: true
|
||||
variables:
|
||||
DISTRO: cryptsetup-debian-12
|
||||
RUN_SSH_PLUGIN_TEST: "1"
|
||||
RUN_KEYRING_TRUSTED_TEST: "1"
|
||||
rules:
|
||||
- if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
|
||||
when: never
|
||||
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
||||
script:
|
||||
- sudo apt-get -y install -y -qq meson ninja-build
|
||||
- meson setup build
|
||||
- ninja -C build
|
||||
- cd build && sudo -E meson test --verbose --print-errorlogs
|
||||
|
||||
test-main-commit-job-debian12-meson:
|
||||
extends:
|
||||
- .debian-prep
|
||||
tags:
|
||||
|
||||
@@ -264,11 +264,10 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
|
||||
bool supported = false;
|
||||
int r = 0;
|
||||
|
||||
/* only passphrase, recovery passphrase, startup key and clearkey vmks are supported (can be used to activate) */
|
||||
/* only passphrase or recovery passphrase vmks are supported (can be used to activate) */
|
||||
supported = (*vmk)->protection == BITLK_PROTECTION_PASSPHRASE ||
|
||||
(*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
|
||||
(*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY ||
|
||||
(*vmk)->protection == BITLK_PROTECTION_CLEAR_KEY;
|
||||
(*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;
|
||||
|
||||
while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
|
||||
/* size of this entry */
|
||||
@@ -325,13 +324,17 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
|
||||
crypt_volume_key_add_next(&((*vmk)->vk), vk);
|
||||
/* clear key for a partially decrypted volume */
|
||||
} else if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
|
||||
/* For clearkey protection, we need to store this key */
|
||||
key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
|
||||
key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
|
||||
vk = crypt_alloc_volume_key(key_size, key);
|
||||
if (vk == NULL)
|
||||
return -ENOMEM;
|
||||
crypt_volume_key_add_next(&((*vmk)->vk), vk);
|
||||
/* We currently don't want to support opening a partially decrypted
|
||||
* device so we don't need to store this key.
|
||||
*
|
||||
* key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
|
||||
* key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
|
||||
* vk = crypt_alloc_volume_key(key_size, key);
|
||||
* if (vk == NULL)
|
||||
* return -ENOMEM;
|
||||
* crypt_volume_key_add_next(&((*vmk)->vk), vk);
|
||||
*/
|
||||
log_dbg(cd, "Skipping clear key metadata entry.");
|
||||
/* unknown timestamps in recovery protected VMK */
|
||||
} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
|
||||
;
|
||||
@@ -1132,9 +1135,6 @@ static int bitlk_kdf(const char *password,
|
||||
int i = 0;
|
||||
int r = 0;
|
||||
|
||||
if (!password)
|
||||
return -EINVAL;
|
||||
|
||||
memcpy(kdf.salt, salt, 16);
|
||||
|
||||
r = crypt_hash_init(&hd, BITLK_KDF_HASH);
|
||||
@@ -1249,41 +1249,6 @@ out:
|
||||
return r;
|
||||
}
|
||||
|
||||
static int get_clear_key(struct crypt_device *cd, const struct bitlk_vmk *vmk, struct volume_key **vmk_dec_key)
|
||||
{
|
||||
struct volume_key *nested_key = vmk->vk;
|
||||
|
||||
if (!nested_key) {
|
||||
log_dbg(cd, "Clearkey VMK structure incomplete - missing nested key");
|
||||
return -ENOTSUP;
|
||||
}
|
||||
|
||||
struct volume_key *encrypted_vmk = crypt_volume_key_next(nested_key);
|
||||
|
||||
if (!encrypted_vmk) {
|
||||
log_dbg(cd, "Clearkey VMK structure incomplete - missing encrypted VMK");
|
||||
return -ENOTSUP;
|
||||
}
|
||||
|
||||
/**
|
||||
* For clearkey protection, we need to decrypt the encrypted VMK using the nested key
|
||||
* and return the decrypted VMK as vmk_dec_key
|
||||
*/
|
||||
struct volume_key *decrypted_vmk = NULL;
|
||||
int r = decrypt_key(cd, &decrypted_vmk, encrypted_vmk, nested_key,
|
||||
vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
|
||||
vmk->nonce, BITLK_NONCE_SIZE, false);
|
||||
|
||||
if (r == 0 && decrypted_vmk) {
|
||||
log_dbg(cd, "Successfully decrypted VMK using nested key");
|
||||
*vmk_dec_key = decrypted_vmk;
|
||||
return 0;
|
||||
} else {
|
||||
log_dbg(cd, "Failed to decrypt VMK using nested key (error: %d)", r);
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
int BITLK_get_volume_key(struct crypt_device *cd,
|
||||
const char *password,
|
||||
size_t passwordLen,
|
||||
@@ -1299,7 +1264,6 @@ int BITLK_get_volume_key(struct crypt_device *cd,
|
||||
|
||||
next_vmk = params->vmks;
|
||||
while (next_vmk) {
|
||||
bool is_decrypted = false;
|
||||
if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
|
||||
r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
|
||||
if (r) {
|
||||
@@ -1334,18 +1298,8 @@ int BITLK_get_volume_key(struct crypt_device *cd,
|
||||
continue;
|
||||
}
|
||||
log_dbg(cd, "Trying to use external key found in provided password.");
|
||||
} else if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
|
||||
r = get_clear_key(cd, next_vmk, &vmk_dec_key);
|
||||
if (r) {
|
||||
/* something wrong happened, but we still want to check other key slots */
|
||||
next_vmk = next_vmk->next;
|
||||
continue;
|
||||
}
|
||||
is_decrypted = true;
|
||||
open_vmk_key = vmk_dec_key;
|
||||
log_dbg(cd, "Extracted VMK using clearkey.");
|
||||
} else {
|
||||
/* only passphrase, recovery passphrase, startup key and clearkey VMKs supported right now */
|
||||
/* only passphrase, recovery passphrase and startup key VMKs supported right now */
|
||||
log_dbg(cd, "Skipping %s", get_vmk_protection_string(next_vmk->protection));
|
||||
next_vmk = next_vmk->next;
|
||||
if (r == 0)
|
||||
@@ -1354,21 +1308,19 @@ int BITLK_get_volume_key(struct crypt_device *cd,
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!is_decrypted) {
|
||||
r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
|
||||
next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
|
||||
next_vmk->nonce, BITLK_NONCE_SIZE, false);
|
||||
|
||||
crypt_free_volume_key(vmk_dec_key);
|
||||
}
|
||||
log_dbg(cd, "Trying to decrypt %s.", get_vmk_protection_string(next_vmk->protection));
|
||||
r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
|
||||
next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
|
||||
next_vmk->nonce, BITLK_NONCE_SIZE, false);
|
||||
if (r < 0) {
|
||||
log_dbg(cd, "Failed to decrypt VMK using provided passphrase.");
|
||||
|
||||
crypt_free_volume_key(vmk_dec_key);
|
||||
if (r == -ENOTSUP)
|
||||
return r;
|
||||
next_vmk = next_vmk->next;
|
||||
continue;
|
||||
}
|
||||
crypt_free_volume_key(vmk_dec_key);
|
||||
|
||||
log_dbg(cd, "Trying to decrypt validation metadata using VMK.");
|
||||
r = crypt_bitlk_decrypt_key(crypt_volume_key_get_key(open_vmk_key),
|
||||
@@ -1427,6 +1379,8 @@ int BITLK_get_volume_key(struct crypt_device *cd,
|
||||
static int _activate_check(struct crypt_device *cd,
|
||||
const struct bitlk_metadata *params)
|
||||
{
|
||||
const struct bitlk_vmk *next_vmk = NULL;
|
||||
|
||||
if (!params->state) {
|
||||
log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
|
||||
return -ENOTSUP;
|
||||
@@ -1437,6 +1391,15 @@ static int _activate_check(struct crypt_device *cd,
|
||||
return -ENOTSUP;
|
||||
}
|
||||
|
||||
next_vmk = params->vmks;
|
||||
while (next_vmk) {
|
||||
if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
|
||||
log_err(cd, _("Activation of BITLK device with clear key protection is not supported."));
|
||||
return -ENOTSUP;
|
||||
}
|
||||
next_vmk = next_vmk->next;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -8,8 +8,6 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <strings.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include "crypto_backend.h"
|
||||
|
||||
struct cipher_alg {
|
||||
@@ -79,21 +77,3 @@ int crypt_cipher_wrapped_key(const char *name, const char *mode)
|
||||
|
||||
return ca ? (int)ca->wrapped_key : 0;
|
||||
}
|
||||
|
||||
bool crypt_fips_mode_kernel(void)
|
||||
{
|
||||
int fd;
|
||||
char buf = 0;
|
||||
|
||||
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
|
||||
|
||||
if (fd < 0)
|
||||
return false;
|
||||
|
||||
if (read(fd, &buf, 1) != 1)
|
||||
buf = '0';
|
||||
|
||||
close(fd);
|
||||
|
||||
return (buf == '1');
|
||||
}
|
||||
|
||||
@@ -30,7 +30,7 @@ struct crypt_hmac;
|
||||
struct crypt_cipher;
|
||||
struct crypt_storage;
|
||||
|
||||
int crypt_backend_init(void);
|
||||
int crypt_backend_init(bool fips);
|
||||
void crypt_backend_destroy(void);
|
||||
|
||||
#define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */
|
||||
@@ -148,9 +148,6 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
|
||||
/* crypto backend running in FIPS mode */
|
||||
bool crypt_fips_mode(void);
|
||||
|
||||
/* kernel running in FIPS mode */
|
||||
bool crypt_fips_mode_kernel(void);
|
||||
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
|
||||
@@ -80,7 +80,7 @@ static void crypt_hash_test_whirlpool_bug(void)
|
||||
crypto_backend_whirlpool_bug = 1;
|
||||
}
|
||||
|
||||
int crypt_backend_init(void)
|
||||
int crypt_backend_init(bool fips __attribute__((unused)))
|
||||
{
|
||||
int r;
|
||||
|
||||
@@ -684,7 +684,7 @@ bool crypt_fips_mode(void)
|
||||
if (fips_checked)
|
||||
return fips_mode;
|
||||
|
||||
if (crypt_backend_init())
|
||||
if (crypt_backend_init(false /* ignored */))
|
||||
return false;
|
||||
|
||||
fips_mode = gcry_fips_mode_active();
|
||||
|
||||
@@ -103,7 +103,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op
|
||||
return 0;
|
||||
}
|
||||
|
||||
int crypt_backend_init(void)
|
||||
int crypt_backend_init(bool fips __attribute__((unused)))
|
||||
{
|
||||
struct utsname uts;
|
||||
struct sockaddr_alg sa = {
|
||||
@@ -408,5 +408,5 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
|
||||
|
||||
bool crypt_fips_mode(void)
|
||||
{
|
||||
return crypt_fips_mode_kernel();
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -69,13 +69,16 @@ static const mbedtls_md_info_t *crypt_get_hash(const char *name)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int crypt_backend_init(void)
|
||||
int crypt_backend_init(bool fips)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if (g_initialized)
|
||||
return 0;
|
||||
|
||||
if (fips)
|
||||
return -ENOTSUP;
|
||||
|
||||
mbedtls_version_get_string_full(g_backend_version);
|
||||
|
||||
mbedtls_entropy_init(&g_entropy);
|
||||
|
||||
@@ -200,7 +200,7 @@ static struct hash_alg *_get_alg(const char *name)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int crypt_backend_init(void)
|
||||
int crypt_backend_init(bool fips __attribute__((unused)))
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -62,7 +62,7 @@ static struct hash_alg *_get_alg(const char *name)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int crypt_backend_init(void)
|
||||
int crypt_backend_init(bool fips __attribute__((unused)))
|
||||
{
|
||||
int r;
|
||||
|
||||
|
||||
@@ -205,12 +205,12 @@ static const char *openssl_backend_version(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
int crypt_backend_init(void)
|
||||
int crypt_backend_init(bool fips)
|
||||
{
|
||||
if (crypto_backend_initialised)
|
||||
return 0;
|
||||
|
||||
if (openssl_backend_init(crypt_fips_mode()))
|
||||
if (openssl_backend_init(fips))
|
||||
return -EINVAL;
|
||||
|
||||
crypto_backend_initialised = 1;
|
||||
|
||||
@@ -980,7 +980,7 @@ int crypt_resume_by_keyfile(struct crypt_device *cd,
|
||||
* @param cd crypt device handle
|
||||
* @param name name of device to resume
|
||||
* @param volume_key provided volume key
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
*
|
||||
* @return @e 0 on success or negative errno value otherwise.
|
||||
*/
|
||||
@@ -1152,7 +1152,7 @@ int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
|
||||
* @param cd crypt device handle
|
||||
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
|
||||
* @param volume_key provided volume key or @e NULL if used after crypt_format
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
* @param passphrase passphrase for new keyslot
|
||||
* @param passphrase_size size of passphrase
|
||||
*
|
||||
@@ -1182,7 +1182,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
|
||||
* @param cd crypt device handle
|
||||
* @param keyslot requested keyslot or CRYPT_ANY_SLOT
|
||||
* @param volume_key provided volume key or @e NULL (see note below)
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
* @param passphrase passphrase for new keyslot
|
||||
* @param passphrase_size size of passphrase
|
||||
* @param flags key flags to set
|
||||
@@ -1289,7 +1289,7 @@ int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
|
||||
*
|
||||
* @param volume_key provided volume key or @e NULL if used after crypt_format
|
||||
* or with CRYPT_VOLUME_KEY_NO_SEGMENT flag
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
* @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEY
|
||||
*
|
||||
* @return zero on success or negative errno otherwise.
|
||||
@@ -1305,9 +1305,9 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
|
||||
* @param cd crypt device handle initialized to device context
|
||||
*
|
||||
* @param volume_key provided volume key
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
* @param signature buffer with signature for the key
|
||||
* @param signature_size size of signature buffer
|
||||
* @param signature_size bsize of signature buffer
|
||||
* @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY
|
||||
*
|
||||
* @return zero on success or negative errno otherwise.
|
||||
@@ -1753,7 +1753,7 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
|
||||
* @param cd crypt device handle
|
||||
* @param name name of device to create, if @e NULL only check volume key
|
||||
* @param volume_key provided volume key (or @e NULL to use internal)
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
* @param flags activation flags
|
||||
*
|
||||
* @return @e 0 on success or negative errno value otherwise.
|
||||
@@ -1782,9 +1782,9 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
|
||||
* @param cd crypt device handle
|
||||
* @param name name of device to create
|
||||
* @param volume_key provided volume key
|
||||
* @param volume_key_size size of volume_key in bytes
|
||||
* @param volume_key_size size of volume_key
|
||||
* @param signature buffer with signature for the key
|
||||
* @param signature_size size of signature buffer
|
||||
* @param signature_size bsize of signature buffer
|
||||
* @param flags activation flags
|
||||
*
|
||||
* @return @e 0 on success or negative errno value otherwise.
|
||||
@@ -1865,7 +1865,7 @@ int crypt_deactivate(struct crypt_device *cd, const char *name);
|
||||
* @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
|
||||
* @param volume_key buffer for volume key
|
||||
* @param volume_key_size on input, size of buffer @e volume_key,
|
||||
* on output size of @e volume_key in bytes
|
||||
* on output size of @e volume_key
|
||||
* @param passphrase passphrase used to unlock volume key
|
||||
* @param passphrase_size size of @e passphrase
|
||||
*
|
||||
@@ -1892,7 +1892,7 @@ int crypt_volume_key_get(struct crypt_device *cd,
|
||||
* @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
|
||||
* @param volume_key buffer for volume key
|
||||
* @param volume_key_size on input, size of buffer @e volume_key,
|
||||
* on output size of @e volume_key in bytes
|
||||
* on output size of @e volume_key
|
||||
* @param kc keyslot context used to unlock volume key
|
||||
*
|
||||
* @return unlocked key slot number or negative errno otherwise.
|
||||
@@ -1925,7 +1925,7 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
|
||||
*
|
||||
* @param cd crypt device handle
|
||||
* @param volume_key provided volume key
|
||||
* @param volume_key_size size of @e volume_key in bytes
|
||||
* @param volume_key_size size of @e volume_key
|
||||
*
|
||||
* @return @e 0 on success or negative errno value otherwise.
|
||||
*
|
||||
@@ -2117,18 +2117,6 @@ int crypt_header_is_detached(struct crypt_device *cd);
|
||||
int crypt_get_verity_info(struct crypt_device *cd,
|
||||
struct crypt_params_verity *vp);
|
||||
|
||||
/**
|
||||
* Get FEC repaired block count for VERITY device.
|
||||
*
|
||||
* @param cd crypt device handle
|
||||
* @param name verity device name
|
||||
* @param repaired FEC repaired blocks
|
||||
*
|
||||
* @return @e 0 on success or negative errno value otherwise.
|
||||
*/
|
||||
int crypt_get_verity_repaired(struct crypt_device *cd, const char *name,
|
||||
uint64_t *repaired);
|
||||
|
||||
/**
|
||||
* Get device parameters for INTEGRITY device.
|
||||
*
|
||||
@@ -2184,7 +2172,7 @@ int crypt_benchmark(struct crypt_device *cd,
|
||||
* @param password_size size of password
|
||||
* @param salt salt for benchmark
|
||||
* @param salt_size size of salt
|
||||
* @param volume_key_size output volume key size in bytes
|
||||
* @param volume_key_size output volume key size
|
||||
* @param progress callback function
|
||||
* @param usrptr provided identification in callback
|
||||
*
|
||||
@@ -2421,8 +2409,8 @@ void crypt_set_debug_level(int level);
|
||||
* @param cd crypt device handle
|
||||
* @param keyfile keyfile to read
|
||||
* @param key buffer for key
|
||||
* @param key_size_read size of read key in bytes
|
||||
* @param keyfile_offset key offset in bytes in keyfile
|
||||
* @param key_size_read size of read key
|
||||
* @param keyfile_offset key offset in keyfile
|
||||
* @param key_size exact key length to read from file or 0
|
||||
* @param flags keyfile read flags
|
||||
*
|
||||
|
||||
@@ -195,8 +195,3 @@ CRYPTSETUP_2.8 {
|
||||
crypt_get_old_volume_key_size;
|
||||
crypt_format_inline;
|
||||
} CRYPTSETUP_2.7;
|
||||
|
||||
CRYPTSETUP_2.9 {
|
||||
global:
|
||||
crypt_get_verity_repaired;
|
||||
} CRYPTSETUP_2.8;
|
||||
|
||||
@@ -1992,40 +1992,6 @@ int dm_status_verity_ok(struct crypt_device *cd, const char *name)
|
||||
return r;
|
||||
}
|
||||
|
||||
int dm_status_verity_repaired(struct crypt_device *cd, const char *name, uint64_t *repaired)
|
||||
{
|
||||
int r;
|
||||
struct dm_info dmi;
|
||||
char *status_line = NULL, *p;
|
||||
uint64_t val64;
|
||||
|
||||
if (dm_init_context(cd, DM_VERITY))
|
||||
return -ENOTSUP;
|
||||
|
||||
r = dm_status_dmi(name, &dmi, DM_VERITY_TARGET, &status_line);
|
||||
dm_exit_context();
|
||||
if (r < 0 || !status_line || !*status_line) {
|
||||
free(status_line);
|
||||
return r;
|
||||
}
|
||||
p = status_line + 1;
|
||||
while (*p == ' ')
|
||||
p++;
|
||||
|
||||
if (!*p || *p == '-' || sscanf(p, "%" PRIu64, &val64) != 1) {
|
||||
free(status_line);
|
||||
return -ENOTSUP;
|
||||
}
|
||||
|
||||
log_dbg(cd, "Verity volume %s status is %s.", name, status_line ?: "");
|
||||
|
||||
if (repaired)
|
||||
*repaired = val64;
|
||||
|
||||
free(status_line);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int dm_status_integrity_failures(struct crypt_device *cd, const char *name, uint64_t *count)
|
||||
{
|
||||
int r;
|
||||
|
||||
19
lib/setup.c
19
lib/setup.c
@@ -267,7 +267,7 @@ int init_crypto(struct crypt_device *ctx)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = crypt_backend_init();
|
||||
r = crypt_backend_init(crypt_fips_mode());
|
||||
if (r < 0)
|
||||
log_err(ctx, _("Cannot initialize crypto backend."));
|
||||
|
||||
@@ -5450,9 +5450,6 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
|
||||
return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
|
||||
}
|
||||
|
||||
if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
|
||||
cd->memory_hard_pbkdf_lock_enabled = true;
|
||||
|
||||
/* acquire the volume key(s) */
|
||||
r = -EINVAL;
|
||||
if (isLUKS1(cd->type)) {
|
||||
@@ -5924,7 +5921,7 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
|
||||
struct volume_key *vk = NULL;
|
||||
|
||||
if (!cd || !volume_key || !volume_key_size ||
|
||||
(!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type) && !isBITLK(cd->type)))
|
||||
(!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type)))
|
||||
return -EINVAL;
|
||||
|
||||
if (isLUKS2(cd->type) && keyslot != CRYPT_ANY_SLOT)
|
||||
@@ -5984,8 +5981,6 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
|
||||
} else if (isBITLK(cd->type)) {
|
||||
if (kc && kc->get_bitlk_volume_key)
|
||||
r = kc->get_bitlk_volume_key(cd, kc, &cd->u.bitlk.params, &vk);
|
||||
else if (!kc)
|
||||
r = BITLK_get_volume_key(cd, NULL, 0, &cd->u.bitlk.params, &vk);
|
||||
if (r < 0)
|
||||
log_err(cd, _("Cannot retrieve volume key for BITLK device."));
|
||||
} else if (isFVAULT2(cd->type)) {
|
||||
@@ -6795,16 +6790,6 @@ int crypt_get_verity_info(struct crypt_device *cd,
|
||||
return 0;
|
||||
}
|
||||
|
||||
int crypt_get_verity_repaired(struct crypt_device *cd, const char *name,
|
||||
uint64_t *repaired)
|
||||
|
||||
{
|
||||
if (!cd || !isVERITY(cd->type) || !name || !repaired)
|
||||
return -EINVAL;
|
||||
|
||||
return dm_status_verity_repaired(cd, name, repaired);
|
||||
}
|
||||
|
||||
int crypt_get_integrity_info(struct crypt_device *cd,
|
||||
struct crypt_params_integrity *ip)
|
||||
{
|
||||
|
||||
@@ -205,7 +205,6 @@ int dm_status_device(struct crypt_device *cd, const char *name);
|
||||
int dm_status_suspended(struct crypt_device *cd, const char *name);
|
||||
int dm_status_verity_ok(struct crypt_device *cd, const char *name);
|
||||
int dm_status_integrity_failures(struct crypt_device *cd, const char *name, uint64_t *count);
|
||||
int dm_status_verity_repaired(struct crypt_device *cd, const char *name, uint64_t *repaired);
|
||||
int dm_query_device(struct crypt_device *cd, const char *name,
|
||||
uint64_t get_flags, struct crypt_dm_active_device *dmd);
|
||||
int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix,
|
||||
|
||||
@@ -367,9 +367,8 @@ This option is available since the Linux kernel version 6.11.
|
||||
endif::[]
|
||||
|
||||
ifdef::ACTION_LUKSFORMAT[]
|
||||
*--integrity-key-size* _bits_::
|
||||
*--integrity-key-size* _bytes_::
|
||||
The size of the data integrity key.
|
||||
The argument has to be a multiple of 8.
|
||||
Configurable only for HMAC integrity.
|
||||
The default integrity key size is set to the same as the hash output length.
|
||||
endif::[]
|
||||
|
||||
@@ -509,10 +509,6 @@ static int action_open_bitlk(void)
|
||||
r = crypt_activate_by_volume_key(cd, activated_name,
|
||||
key, keysize, activate_flags);
|
||||
} else {
|
||||
r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT, NULL, 0, activate_flags);
|
||||
if (r != -EPERM)
|
||||
goto out;
|
||||
|
||||
tries = set_tries_tty(false);
|
||||
do {
|
||||
r = tools_get_key(NULL, &password, &passwordLen,
|
||||
@@ -621,19 +617,14 @@ static int bitlkDump_with_volume_key(struct crypt_device *cd)
|
||||
if (!vk)
|
||||
return -ENOMEM;
|
||||
|
||||
r = tools_get_key(NULL, &password, &passwordLen,
|
||||
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
|
||||
ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
|
||||
password, passwordLen);
|
||||
if (r < 0) {
|
||||
r = tools_get_key(NULL, &password, &passwordLen,
|
||||
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
|
||||
ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
|
||||
password, passwordLen);
|
||||
}
|
||||
|
||||
password, passwordLen);
|
||||
tools_passphrase_msg(r);
|
||||
check_signal(&r);
|
||||
if (r < 0)
|
||||
|
||||
@@ -38,7 +38,7 @@ ARG(OPT_INTEGRITY_INLINE, '\0', POPT_ARG_NONE, N_("Use inline integrity mode (HW
|
||||
|
||||
ARG(OPT_INTEGRITY_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the integrity key from a file"), NULL, CRYPT_ARG_STRING, {}, {})
|
||||
|
||||
ARG(OPT_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the data integrity key"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
|
||||
ARG(OPT_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the data integrity key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
|
||||
|
||||
ARG(OPT_INTEGRITY_LEGACY_PADDING, '\0', POPT_ARG_NONE, N_("Use inefficient legacy padding (old kernels)"), NULL, CRYPT_ARG_BOOL, {}, {})
|
||||
|
||||
@@ -60,7 +60,7 @@ ARG(OPT_JOURNAL_COMMIT_TIME, '\0', POPT_ARG_STRING, N_("Journal commit time"), N
|
||||
|
||||
ARG(OPT_JOURNAL_INTEGRITY, '\0', POPT_ARG_STRING, N_("Journal integrity algorithm"), NULL, CRYPT_ARG_STRING, {}, {})
|
||||
|
||||
ARG(OPT_JOURNAL_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal integrity key"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
|
||||
ARG(OPT_JOURNAL_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal integrity key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
|
||||
|
||||
ARG(OPT_JOURNAL_INTEGRITY_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the journal integrity key from a file"), NULL, CRYPT_ARG_STRING, {}, {})
|
||||
|
||||
@@ -68,7 +68,7 @@ ARG(OPT_JOURNAL_CRYPT, '\0', POPT_ARG_STRING, N_("Journal encryption algorithm")
|
||||
|
||||
ARG(OPT_JOURNAL_CRYPT_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the journal encryption key from a file"), NULL, CRYPT_ARG_STRING,{}, {})
|
||||
|
||||
ARG(OPT_JOURNAL_CRYPT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal encryption key"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
|
||||
ARG(OPT_JOURNAL_CRYPT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal encryption key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
|
||||
|
||||
ARG(OPT_JOURNAL_SIZE, 'j', POPT_ARG_STRING, N_("Journal size"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_JOURNAL_SIZE_ACTIONS)
|
||||
|
||||
|
||||
@@ -1914,7 +1914,6 @@ static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device
|
||||
new_key_size = ARG_UINT32(OPT_NEW_KEY_SIZE_ID);
|
||||
|
||||
if (new_key_size || new_cipher)
|
||||
/* This will convert new key size to bytes from bits */
|
||||
new_key_size = get_adjusted_key_size(cipher, mode, new_key_size,
|
||||
DEFAULT_LUKS1_KEYBITS, 0);
|
||||
else
|
||||
|
||||
@@ -333,7 +333,6 @@ static int action_status(void)
|
||||
size_t root_hash_size;
|
||||
unsigned path = 0;
|
||||
int r = 0;
|
||||
uint64_t repaired;
|
||||
|
||||
/* perhaps a path, not a dm device name */
|
||||
if (strchr(action_argv[0], '/') && !stat(action_argv[0], &st))
|
||||
@@ -416,8 +415,6 @@ static int action_status(void)
|
||||
log_std(" FEC offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n",
|
||||
vp.fec_area_offset * vp.hash_block_size / SECTOR_SIZE, vp.fec_area_offset * vp.hash_block_size);
|
||||
log_std(" FEC roots: %u\n", vp.fec_roots);
|
||||
if (!crypt_get_verity_repaired(cd, action_argv[0], &repaired))
|
||||
log_std(" FEC repaired: %" PRIu64 " [events]\n", repaired);
|
||||
}
|
||||
|
||||
root_hash_size = crypt_get_volume_key_size(cd);
|
||||
|
||||
@@ -17,9 +17,6 @@ if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ] ; then
|
||||
echo "Kernel running in FIPS mode."
|
||||
fi
|
||||
|
||||
./crypto-check fips_mode && echo "Crypto backend running in FIPS mode."
|
||||
./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode."
|
||||
|
||||
if [ -f /etc/os-release ] ; then
|
||||
source /etc/os-release
|
||||
echo "$PRETTY_NAME ($NAME) $VERSION"
|
||||
@@ -54,4 +51,16 @@ dmsetup version
|
||||
echo "Device mapper targets:"
|
||||
dmsetup targets
|
||||
|
||||
echo "---------------------------"
|
||||
pwd
|
||||
lsblk
|
||||
lsblk -S
|
||||
lsblk -N
|
||||
lsblk -D
|
||||
lsblk -t
|
||||
nvme list
|
||||
mount
|
||||
time $CRYPTSETUP_PATH/cryptsetup benchmark
|
||||
echo "---------------------------"
|
||||
|
||||
exit 0
|
||||
|
||||
@@ -10,6 +10,8 @@ PWD1="93R4P4pIqAH8"
|
||||
PWD2="mymJeD8ivEhE"
|
||||
FAST_PBKDF="--pbkdf-force-iterations 1000"
|
||||
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
|
||||
CRYPTSETUP_VALGRIND=$CRYPTSETUP
|
||||
else
|
||||
@@ -20,7 +22,7 @@ fi
|
||||
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
cleanup() {
|
||||
|
||||
@@ -64,7 +64,6 @@
|
||||
#define LUKS_PHDR_SIZE_B 1024
|
||||
|
||||
static int _fips_mode = 0;
|
||||
static int _fips_mode_kernel = 0;
|
||||
|
||||
static char *DEVICE_1 = NULL;
|
||||
static char *DEVICE_2 = NULL;
|
||||
@@ -294,9 +293,8 @@ static int _setup(void)
|
||||
return 1;
|
||||
|
||||
_fips_mode = fips_mode();
|
||||
_fips_mode_kernel = fips_mode_kernel();
|
||||
if (_debug)
|
||||
printf("FIPS MODE: LIB %d, KERNEL %d\n", _fips_mode, _fips_mode_kernel);
|
||||
printf("FIPS MODE: %d\n", _fips_mode);
|
||||
|
||||
/* Use default log callback */
|
||||
crypt_set_log_callback(NULL, &global_log_callback, NULL);
|
||||
@@ -1835,7 +1833,7 @@ static void TcryptTest(void)
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
// Following test uses non-FIPS algorithms in the cipher chain
|
||||
if(_fips_mode || _fips_mode_kernel)
|
||||
if(_fips_mode)
|
||||
return;
|
||||
|
||||
OK_(crypt_init(&cd, tcrypt_dev2));
|
||||
|
||||
@@ -31,7 +31,6 @@ int t_dm_capi_string_supported(void);
|
||||
int t_set_readahead(const char *device, unsigned value);
|
||||
|
||||
int fips_mode(void);
|
||||
int fips_mode_kernel(void);
|
||||
|
||||
int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset);
|
||||
|
||||
|
||||
@@ -49,9 +49,6 @@ load_vars()
|
||||
if echo "$1" | grep -q -e "two-recovery"; then
|
||||
# 2 extra variables for image with 2 recovery passphrases
|
||||
num_vars=10
|
||||
elif echo "$1" | grep -q -e "clearkey"; then
|
||||
# 1 extra variable for image with clearkey
|
||||
num_vars=9
|
||||
else
|
||||
num_vars=8
|
||||
fi
|
||||
@@ -70,7 +67,7 @@ check_dump()
|
||||
|
||||
# volume size
|
||||
dump_size=$(echo "$dump" | grep "Volume size:" | cut -d: -f2 | tr -d "\t\n ")
|
||||
[ "$dump_size" = "104857600[bytes]" -o "$dump_size" = "134217728[bytes]" -o "$dump_size" = "105906176[bytes]" ] || fail " volume size check from dump failed."
|
||||
[ "$dump_size" = "104857600[bytes]" -o "$dump_size" = "134217728[bytes]" -o "$dump_size" = "105906176[bytes]" ] || fail " volume size check from dump failed."
|
||||
|
||||
# description
|
||||
dump_desc=$(echo "$dump" | grep Description: | cut -d: -f2 | tr -d "\t\n ")
|
||||
@@ -98,11 +95,6 @@ check_dump()
|
||||
# second recovery passphrase protected VMK GUID
|
||||
dump_rp2_vmk=$(echo "$dump" | grep "VMK protected with recovery passphrase" -B 1 | tail -2 | head -1 | cut -d: -f2 | tr -d "\t ")
|
||||
[ ! -z "$RP2_VMK_GUID" -a "$dump_rp2_vmk" = "$RP2_VMK_GUID" ] || fail " second recovery passphrase protected VMK GUID check from dump failed."
|
||||
elif echo "$file" | grep -q -e "clearkey"; then
|
||||
# clearkey protected VMK GUID
|
||||
dump_clearkey_guid=$(echo "$dump" | grep "VMK protected with clear key" -B 1 | tail -2 | head -1 | cut -d: -f2 | tr -d "\t ")
|
||||
[ ! -z "$CLEARKEY_VMK_GUID" -a "$dump_clearkey_guid" = "$CLEARKEY_VMK_GUID" ] || fail " clear key protected VMK GUID check from dump failed."
|
||||
return
|
||||
else
|
||||
# password protected VMK GUID
|
||||
dump_pw_vmk=$(echo "$dump" | grep "VMK protected with passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
|
||||
@@ -165,7 +157,7 @@ for file in $(ls $TST_DIR/bitlk-*) ; do
|
||||
ret=$?
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc-elephant" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "partially-encrypted" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "clearkey" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "eow" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "-4k.img" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 0 ] || fail " failed to open $file ($ret)"
|
||||
@@ -192,7 +184,7 @@ for file in $(ls $TST_DIR/bitlk-*) ; do
|
||||
ret=$?
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc-elephant" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "partially-encrypted" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "clearkey" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "eow" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "-4k.img" ) && echo " [N/A]" && continue
|
||||
[ $ret -eq 0 ] || fail " failed to open $file using volume key ($ret)"
|
||||
@@ -244,27 +236,8 @@ for file in $(ls $TST_DIR/bitlk-*) ; do
|
||||
[ "$uuid" = "$UUID" ] || fail " UUID check failed."
|
||||
[ "$sha256sum" = "$SHA256SUM" ] || fail " SHA256 sum check failed."
|
||||
echo " [OK]"
|
||||
fi
|
||||
|
||||
# clear key
|
||||
if echo "$file" | grep -q -e "clearkey"; then
|
||||
echo -n " $file"
|
||||
echo $CRYPTSETUP bitlkOpen -r $file --test-passphrase >/dev/null 2>&1
|
||||
ret=$?
|
||||
[ $ret -eq 1 ] && echo " [N/A]" && continue
|
||||
$CRYPTSETUP bitlkOpen -r $file $MAP >/dev/null 2>&1
|
||||
ret=$?
|
||||
[ $ret -eq 0 ] || fail " failed to open $file ($ret)"
|
||||
$CRYPTSETUP status $MAP >/dev/null || fail
|
||||
$CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
|
||||
uuid=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
|
||||
sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1)
|
||||
$CRYPTSETUP remove $MAP || fail
|
||||
[ "$uuid" = "$UUID" ] || fail " UUID check failed."
|
||||
[ "$sha256sum" = "$SHA256SUM" ] || fail " SHA256 sum check failed."
|
||||
echo " [OK]"
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
remove_mapping
|
||||
|
||||
Binary file not shown.
@@ -50,6 +50,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
LOOPDEV=$(losetup -f 2>/dev/null)
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
remove_mapping()
|
||||
{
|
||||
@@ -82,7 +83,7 @@ trap _sigchld CHLD
|
||||
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
can_fail_fips()
|
||||
|
||||
@@ -42,6 +42,8 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
remove_mapping()
|
||||
{
|
||||
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
|
||||
@@ -71,7 +73,7 @@ trap _sigchld CHLD
|
||||
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
can_fail_fips()
|
||||
|
||||
@@ -45,17 +45,10 @@ KEY_FILE1=test-key-file1
|
||||
|
||||
FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
# 32 MiB + 1KiB to bypass minimal memory check (hardocoded)
|
||||
FAST_PBKDF_ARGON_OPT="--pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 32769 --pbkdf-parallel 1"
|
||||
|
||||
# TODO: this is configurable
|
||||
LUKS2_LOCKING_DIR=/run/cryptsetup
|
||||
# hardcoded value
|
||||
MEMORY_HARD_LOCK_FILE=LN_memory-hard-access
|
||||
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
LOOPDEV=$(losetup -f 2>/dev/null)
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
remove_mapping()
|
||||
{
|
||||
@@ -95,7 +88,7 @@ trap _sigchld CHLD
|
||||
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
can_fail_fips()
|
||||
@@ -1706,14 +1699,5 @@ echo $PWD1 | $CRYPTSETUP luksFormat -q $FAST_PBKDF_OPT --type luks2 $LOOPDEV ||
|
||||
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DM_BAD_NAME 2>/dev/null && fail
|
||||
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DM_LONG_NAME 2>/dev/null && fail
|
||||
|
||||
if ! fips_mode -a -d $LUKS2_LOCKING_DIR; then
|
||||
touch $LUKS2_LOCKING_DIR/$MEMORY_HARD_LOCK_FILE
|
||||
prepare "[52] Test pbkdf serialization flag." wipe
|
||||
echo $PWD1 | $CRYPTSETUP luksFormat -q $FAST_PBKDF_ARGON_OPT --type luks2 $LOOPDEV || fail
|
||||
test -f $LUKS2_LOCKING_DIR/$MEMORY_HARD_LOCK_FILE || fail "The locking file disappeared unexpectedly"
|
||||
echo $PWD1 | $CRYPTSETUP open --serialize-memory-hard-pbkdf --test-passphrase $LOOPDEV || fail
|
||||
test -f $LUKS2_LOCKING_DIR/$MEMORY_HARD_LOCK_FILE && fail "The --serialize-memory-hard-pbkdf option did not remove the locking file (did not use the file)."
|
||||
fi
|
||||
|
||||
remove_mapping
|
||||
exit 0
|
||||
|
||||
@@ -12,6 +12,24 @@
|
||||
|
||||
#include "crypto_backend/crypto_backend.h"
|
||||
|
||||
static bool fips_mode(void)
|
||||
{
|
||||
int fd;
|
||||
char buf = 0;
|
||||
|
||||
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
|
||||
|
||||
if (fd < 0)
|
||||
return false;
|
||||
|
||||
if (read(fd, &buf, 1) != 1)
|
||||
buf = '0';
|
||||
|
||||
close(fd);
|
||||
|
||||
return (buf == '1');
|
||||
}
|
||||
|
||||
static int check_cipher(const char *alg, const char *mode, unsigned long key_bits)
|
||||
{
|
||||
struct crypt_cipher *cipher;
|
||||
@@ -49,7 +67,7 @@ static int check_hash(const char *hash)
|
||||
|
||||
static void __attribute__((noreturn)) exit_help(bool destroy_backend)
|
||||
{
|
||||
printf("Use: crypto_check version | fips_mode | fips_mode_kernel | hash <alg> | cipher <alg> <mode> [key_bits]\n");
|
||||
printf("Use: crypto_check version | hash <alg> | cipher <alg> <mode> [key_bits]\n");
|
||||
if (destroy_backend)
|
||||
crypt_backend_destroy();
|
||||
exit(EXIT_FAILURE);
|
||||
@@ -62,21 +80,13 @@ int main(int argc, char *argv[])
|
||||
if (argc < 2)
|
||||
exit_help(false);
|
||||
|
||||
if (!strcmp(argv[1], "fips_mode"))
|
||||
return crypt_fips_mode() ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
|
||||
if (!strcmp(argv[1], "fips_mode_kernel"))
|
||||
return crypt_fips_mode_kernel() ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
|
||||
if (crypt_backend_init()) {
|
||||
if (crypt_backend_init(fips_mode())) {
|
||||
printf("Crypto backend init error.");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
if (!strcmp(argv[1], "version")) {
|
||||
printf("%s%s%s\n", crypt_backend_version(),
|
||||
crypt_fips_mode() ? " (FIPS mode)" : "",
|
||||
crypt_fips_mode_kernel() ? " (FIPS kernel)" : "");
|
||||
printf("%s%s\n", crypt_backend_version(), fips_mode() ? " (FIPS mode)" : "" );
|
||||
} else if (!strcmp(argv[1], "hash")) {
|
||||
if (argc != 3)
|
||||
exit_help(true);
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
# define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
|
||||
#endif
|
||||
|
||||
static bool fips_active = false;
|
||||
|
||||
static void printhex(const char *s, const char *buf, size_t len)
|
||||
{
|
||||
size_t i;
|
||||
@@ -29,6 +31,24 @@ static void printhex(const char *s, const char *buf, size_t len)
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
static bool fips_mode(void)
|
||||
{
|
||||
int fd;
|
||||
char buf = 0;
|
||||
|
||||
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
|
||||
|
||||
if (fd < 0)
|
||||
return false;
|
||||
|
||||
if (read(fd, &buf, 1) != 1)
|
||||
buf = '0';
|
||||
|
||||
close(fd);
|
||||
|
||||
return (buf == '1');
|
||||
}
|
||||
|
||||
/*
|
||||
* KDF tests
|
||||
*/
|
||||
@@ -1023,7 +1043,7 @@ static int pbkdf_test_vectors(void)
|
||||
vec->salt, vec->salt_length,
|
||||
result, vec->output_length,
|
||||
vec->iterations, vec->memory, vec->parallelism) < 0) {
|
||||
if (vec->can_fail_fips && crypt_fips_mode()) {
|
||||
if (vec->can_fail_fips && fips_mode()) {
|
||||
printf("[API FAILED, IGNORED (FIPS mode)]\n");
|
||||
continue;
|
||||
}
|
||||
@@ -1532,7 +1552,7 @@ static int kernel_capi_check_test(void)
|
||||
if (!r)
|
||||
printf("[OK]\n");
|
||||
else if (r == -ENOENT || r == -ENOTSUP ||
|
||||
(crypt_fips_mode_kernel() && !capi_test_vectors[i].fips))
|
||||
(fips_active && !capi_test_vectors[i].fips))
|
||||
printf("[N/A]\n");
|
||||
else
|
||||
return EXIT_FAILURE;
|
||||
@@ -1560,7 +1580,9 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
|
||||
}
|
||||
#endif
|
||||
|
||||
if (crypt_backend_init())
|
||||
fips_active = fips_mode();
|
||||
|
||||
if (crypt_backend_init(fips_active))
|
||||
exit_test("Crypto backend init error.", EXIT_FAILURE);
|
||||
|
||||
printf("Test vectors using %s crypto backend.\n", crypt_backend_version());
|
||||
@@ -1593,7 +1615,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
|
||||
exit_test("Kernel CAPI test failed.", EXIT_FAILURE);
|
||||
|
||||
if (default_alg_test()) {
|
||||
if (crypt_fips_mode())
|
||||
if (fips_mode())
|
||||
printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
|
||||
else
|
||||
exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE);
|
||||
|
||||
@@ -33,6 +33,8 @@ else
|
||||
CRYPTSETUP_LIB_VALGRIND=../.libs
|
||||
fi
|
||||
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
remove_mapping()
|
||||
{
|
||||
[ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME
|
||||
@@ -113,9 +115,9 @@ test_and_prepare_keyring() {
|
||||
load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
|
||||
}
|
||||
|
||||
fips_mode_kernel()
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode_kernel
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
add_device() {
|
||||
@@ -203,7 +205,7 @@ diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corrupti
|
||||
echo "OK"
|
||||
|
||||
#test serpent cipher, cbc mode, tcw IV
|
||||
fips_mode_kernel || {
|
||||
fips_mode || {
|
||||
echo -n "Testing $CIPHER_CBC_TCW..."
|
||||
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
|
||||
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
|
||||
|
||||
@@ -54,6 +54,8 @@ HAVE_KEYRING=0
|
||||
JSON_MSIZE=16384
|
||||
IMG_JSON=luks2-digest-1.json
|
||||
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
dm_crypt_features()
|
||||
{
|
||||
VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
|
||||
@@ -161,7 +163,7 @@ skip()
|
||||
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode || ./crypto-check fips_mode_kernel
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
add_scsi_device() {
|
||||
|
||||
@@ -30,10 +30,11 @@ LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID"
|
||||
|
||||
MNT_DIR=./mnt_luks
|
||||
START_DIR=$(pwd)
|
||||
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
fips_mode()
|
||||
{
|
||||
./crypto-check fips_mode || ./crypto-check fips_mode_kernel
|
||||
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
}
|
||||
|
||||
del_scsi_device()
|
||||
|
||||
@@ -165,12 +165,20 @@ int t_set_readahead(const char *device, unsigned value)
|
||||
|
||||
int fips_mode(void)
|
||||
{
|
||||
return _system("./crypto-check fips_mode", 1) == 0;
|
||||
}
|
||||
int fd;
|
||||
char buf = 0;
|
||||
|
||||
int fips_mode_kernel(void)
|
||||
{
|
||||
return _system("./crypto-check fips_mode_kernel", 1) == 0;
|
||||
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
|
||||
|
||||
if (fd < 0)
|
||||
return 0;
|
||||
|
||||
if (read(fd, &buf, 1) != 1)
|
||||
buf = '0';
|
||||
|
||||
close(fd);
|
||||
|
||||
return (buf == '1');
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@@ -241,7 +241,6 @@ corrupt_device() # $1 device, $2 device_size(in bytes), $3 #{corrupted_bytes}
|
||||
# $1 data_device, $2 hash_device, $3 fec_device, $4 data/hash_block_size(in bytes),
|
||||
# $5 data_size(in blocks), $6 device_size(in blocks), $7 hash_offset(in bytes),
|
||||
# $8 fec_offset(in bytes), $9 fec_roots, ${10} corrupted_bytes, [${11} superblock(y/n), ${12} salt]
|
||||
# NOTE: do not use fail() in this function, use RET code
|
||||
check_fec()
|
||||
{
|
||||
INDEX=25
|
||||
@@ -293,32 +292,18 @@ check_fec()
|
||||
dd if=/dev/mapper/$DEV_NAME of=$IMG_TMP > /dev/null 2>&1
|
||||
HASH_REPAIRED=$(sha256sum $IMG_TMP | cut -d' ' -f 1)
|
||||
|
||||
# If empty, status not supported
|
||||
REPAIRED=$(dmsetup status $DEV_NAME |sed -e s/.*verity\ \[VC\]\ *//)
|
||||
if [ -n "$REPAIRED" -a "$REPAIRED" != "-" ] ; then
|
||||
echo -n "[EC events: $REPAIRED]"
|
||||
else
|
||||
REPAIRED=""
|
||||
fi
|
||||
|
||||
$VERITYSETUP close $DEV_NAME
|
||||
|
||||
if [ "$HASH_ORIG" != "$HASH_REPAIRED" ]; then
|
||||
RET=1
|
||||
if [ -n "$REPAIRED" ]; then
|
||||
[ "$REPAIRED" -eq 0 ] || { RET=4; echo "FEC repaired events should be 0."; }
|
||||
fi
|
||||
echo -n "[kernel correction failed]"
|
||||
$VERITYSETUP verify $1 $2 $ROOT_HASH --fec-device=$3 $PARAMS >/dev/null 2>&1 && { RET=5; echo "Userspace verify should fail"; }
|
||||
$VERITYSETUP verify $1 $2 $ROOT_HASH --fec-device=$3 $PARAMS >/dev/null 2>&1 && fail "Userspace verify should fail"
|
||||
echo -n "[userspace verify failed]"
|
||||
RET=1
|
||||
else
|
||||
RET=0
|
||||
echo -n "[repaired in kernel]"
|
||||
if [ -n "$REPAIRED" ]; then
|
||||
[ "$REPAIRED" -gt 0 ] || { RET=4; echo "FEC repaired events should be greater than 0."; }
|
||||
fi
|
||||
$VERITYSETUP verify $1 $2 $ROOT_HASH --fec-device=$3 $PARAMS >/dev/null 2>&1 || { RET=5; echo "Userspace verify failed"; }
|
||||
$VERITYSETUP verify $1 $2 $ROOT_HASH --fec-device=$3 $PARAMS >/dev/null 2>&1 || fail "Userspace verify failed"
|
||||
echo "[userspace verify][OK]"
|
||||
RET=0
|
||||
fi
|
||||
rm $1 $2 $3 $IMG_TMP > /dev/null 2>&1
|
||||
return $RET
|
||||
@@ -458,8 +443,6 @@ check_concurrent() # $1 hash
|
||||
wait
|
||||
grep -q "Command failed with code .* (wrong or missing parameters)" $DEV_OUT && fail
|
||||
grep -q "Command failed with code .* (wrong device or file specified)." $DEV_OUT && fail
|
||||
# Some distros have strange udev rules, settle here seems to be necessary
|
||||
udevadm settle >/dev/null 2>&1
|
||||
check_exists
|
||||
rm $DEV_OUT
|
||||
$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
|
||||
@@ -548,10 +531,10 @@ if check_version 1 3; then
|
||||
echo "Veritysetup [FEC tests]"
|
||||
for INDEX in {1..4}; do
|
||||
# in the first iteration check if we can use FEC (it can be compiled-out)
|
||||
(check_fec $IMG $IMG $IMG 4096 30 150 163840 409600 $(($RANDOM % 23 + 2)) $(($INDEX * 4)))
|
||||
(check_fec $IMG $IMG $IMG 4096 30 150 163840 409600 $(($RANDOM % 23 + 2)) $(($INDEX * 4)) )
|
||||
RET=$?
|
||||
[ "$RET" -eq 3 ] && break
|
||||
[ "$RET" -eq 0 ] || fail "FEC repair failed"
|
||||
[ "$RET" -eq "3" ] && break
|
||||
[ "$RET" -eq "0" ] || fail "FEC repair failed"
|
||||
|
||||
(check_fec $IMG $IMG $IMG 512 500 50000 2457600 4915200 $(($RANDOM % 23 + 2)) $(($INDEX * 4)) 'n' $SALT) || fail "FEC repair failed"
|
||||
(check_fec $IMG $IMG $IMG 512 500 50000 2457600 4915200 $(($RANDOM % 23 + 2)) $(($INDEX * 4)) 'y' $SALT) || fail "FEC repair failed"
|
||||
@@ -563,9 +546,7 @@ if check_version 1 3; then
|
||||
(check_fec $IMG $IMG_HASH $FEC_DEV 512 2000 2000 0 0 $(($RANDOM % 23 + 2)) $(($INDEX * 4))) || fail "FEC repair failed"
|
||||
(check_fec $IMG $IMG_HASH $FEC_DEV 1024 2000 2000 0 0 $(($RANDOM % 23 + 2)) $(($INDEX * 4))) || fail "FEC repair failed"
|
||||
# this test should fail
|
||||
(check_fec $IMG $IMG_HASH $FEC_DEV 4096 30 30 0 0 $(($RANDOM % 23 + 2)) $(($RANDOM % 200 + 200)))
|
||||
RET=$?
|
||||
[ "$RET" -eq 1 ] || fail "FEC repair must fail"
|
||||
(check_fec $IMG $IMG_HASH $FEC_DEV 4096 30 30 0 0 $(($RANDOM % 23 + 2)) $(($RANDOM % 200 + 200))) && fail "FEC repair must fail"
|
||||
echo "[OK]"
|
||||
done
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user