The test was supposed to check that an invalid --luks2-keyslots-size metadata value triggers a failure. 128MiB is actually a valid value, and the test failed only because the test device was too small (on an OPAL2 device the keyslot area spanned into the locked region).
#!/bin/bash

# Prefix xtrace output (bash -x) with the script line number.
PS4='$LINENO:'

# Binary under test: defaults to the in-tree build in the parent directory,
# override with CRYPTSETUP_PATH.
: "${CRYPTSETUP_PATH:=..}"
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
# Unwrapped binary, kept for the interactive (expect) runs even when
# CRYPTSETUP itself is later redirected through the valgrind wrapper.
CRYPTSETUP_RAW=$CRYPTSETUP

# Binary (and, for libtool-style builds, library directory) used by the
# valgrind wrapper.
if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
	CRYPTSETUP_VALGRIND=$CRYPTSETUP
else
	CRYPTSETUP_VALGRIND=../.libs/cryptsetup
	CRYPTSETUP_LIB_VALGRIND=../.libs
fi

# Device-mapper names used for activated test devices.
DEV_NAME=dummy
DEV_NAME2=dummy2
DEV_NAME3=dummy3

# Scratch images and detached-header files created/removed by the tests.
ORIG_IMG=luks-test-orig
IMG=luks-test
IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
HEADER_LUKS2_PV=blkid-luks2-pv.img
HEADER_LUKS2_INV=luks2_invalid_cipher.img

# Keyfiles (KEYE stays empty).
KEY1=key1
KEY2=key2
KEY5=key5
KEYE=keye

# Test passphrases. Fixed and public on purpose: they only protect throwaway
# images created by this script. PWDW is the "wrong" passphrase.
PWD0='compatkey'
PWD1='93R4P4pIqAH8'
PWD2='mymJeD8ivEhE'
PWD3='ocMakf3fAcQO'
PWD4='Qx3qn46vq0v'
PWDW='rUkL4RUryBom'

# Kernel keyring names and the file a volume key is exported to.
TEST_KEYRING_NAME='compattest2_keyring'
TEST_KEY_DESC0='compattest2_desc0'
TEST_KEY_DESC1='compattest2_desc1'
TEST_KEY_DESC2='compattest2_desc2'
VK_FILE='compattest2_vkfile'

# Opaque token JSON used for token import tests.
IMPORT_TOKEN='{"type":"some_type","keyslots":[],"base64_data":"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ"}'
TOKEN_FILE0=test-token-file0
TOKEN_FILE1=test-token-file1
KEY_FILE0=test-key-file0
KEY_FILE1=test-key-file1

# Deliberately cheap PBKDF so the many luksFormat/luksAddKey calls run fast.
# These parameters are for tests only and must never be copied into real
# deployments.
FAST_PBKDF_OPT='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'

TEST_UUID='12345678-1234-1234-1234-123456789abc'

# First free loop device. NOTE(review): it is only looked up here and attached
# later in prepare(), so another process may grab it in between.
LOOPDEV=$(losetup -f 2>/dev/null)
# Empty when the kernel does not expose the FIPS flag at all.
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
remove_mapping()
{
	local mapping

	# Tear the mappings down in reverse order of creation (dummy2 is stacked
	# on top of dummy in the tests below, so it must go first).
	for mapping in "$DEV_NAME3" "$DEV_NAME2" "$DEV_NAME"; do
		[ -b "/dev/mapper/$mapping" ] && dmsetup remove --retry "$mapping"
	done

	losetup -d $LOOPDEV >/dev/null 2>&1

	# Scratch images, keyfiles and token files; test_image_* is a glob.
	rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
		$HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
		$KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1

	# Drop the whole test keyring (and every key linked into it) from the
	# user keyring, if one was created by test_and_prepare_keyring().
	if [ -n "$TEST_KEYRING" ]; then
		keyctl unlink $TEST_KEYRING "@u" >/dev/null
	fi
	unset TEST_KEYRING

	rmmod scsi_debug >/dev/null 2>&1
	scsi_debug_teardown $DEV
}
|
|
|
|
force_uevent()
{
	# Poke the loop device's uevent so udev re-reads it (used before opening
	# by UUID=, because some systems do not refresh by-uuid links for loop
	# devices on their own).
	DNAME=${LOOPDEV##*/}
	echo "change" >/sys/block/$DNAME/uevent
}
|
|
|
|
fail()
{
	local depth=0

	# Optional message, then cleanup, then a shell backtrace for the log.
	if [ -n "$1" ]; then
		echo "$1"
	fi
	remove_mapping
	echo "FAILED backtrace:"
	while caller "$depth"; do
		depth=$((depth + 1))
	done
	# Exit code 2 marks a real failure (77 is reserved for "skipped").
	exit 2
}
|
|
|
|
# SIGCHLD handler: turn a crashing cryptsetup child (SIGSEGV -> 139,
# SIGABRT -> 134) into a hard test failure even if the calling line would
# have tolerated a non-zero status.
_sigchld()
{
	# Must be the first statement: $? is the status of the child that died.
	local status=$?
	[ "$status" -eq 139 ] && fail "Segfault"
	[ "$status" -eq 134 ] && fail "Aborted"
}
trap _sigchld CHLD
|
|
|
|
fips_mode()
{
	# True only when /proc/sys/crypto/fips_enabled existed and is positive.
	case "$FIPS_MODE" in
		'') return 1 ;;
	esac
	[ "$FIPS_MODE" -gt 0 ]
}
|
|
|
|
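can_fail_fips()
{
	# Some checks are expected to behave differently under FIPS mode; treat
	# the failure as fatal only when FIPS is off. "$1" is quoted so a
	# multi-word message reaches fail() as one argument instead of only its
	# first word.
	fips_mode || fail "$1"
}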
|
|
|
|
skip()
{
	# Print the reason (if any), clean up and exit with the automake/meson
	# "skipped" code 77.
	if [ -n "$1" ]; then
		echo "$1"
	fi
	remove_mapping
	exit 77
}
|
|
|
|
# Set up the test image for the next case.
#   $1 case description (printed as "CASE: ...")
#   $2 image mode: "wipe"  - fresh 40 MiB zeroed image attached to LOOPDEV
#                  "new"   - fresh copy of the compat images (+ unassigned
#                            keyslot header), attached to LOOPDEV
#                  "reuse" - (default) keep the current image; only extract
#                            and attach if it does not exist yet
# Also creates the keyfiles on first use and snapshots the image to ORIG_IMG.
prepare()
{
	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME

	case "$2" in
	wipe)
		remove_mapping
		dd if=/dev/zero of=$IMG bs=1M count=40 >/dev/null 2>&1
		sync
		losetup $LOOPDEV $IMG
		;;
	new)
		remove_mapping
		xz -cd compatimage.img.xz > $IMG
		xz -dk $HEADER_KEYU.xz
		# FIXME: switch to internal loop (no losetup at all)
		# Opening the image file directly makes cryptsetup set up its own loop
		# device; a kernel too old for the autoclear flag prints a warning and
		# the whole test is skipped. The passphrase "bad" is irrelevant here.
		echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
			grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
		losetup $LOOPDEV $IMG
		xz -cd compatv10image.img.xz > $IMG10
		;;
	reuse | *)
		if [ ! -e $IMG ]; then
			xz -cd compatimage.img.xz > $IMG
			losetup $LOOPDEV $IMG
		fi
		[ ! -e $IMG10 ] && xz -cd compatv10image.img.xz > $IMG10
		;;
	esac

	# KEY1 is fixed 32-byte key material (the random variant is kept commented
	# out), presumably so that results depending on it are reproducible.
	if [ ! -e $KEY1 ]; then
		#dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
		echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$KEY1
		echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$KEY1
	fi

	# KEY2/KEY5: 16 random bytes each; KEYE: an empty keyfile.
	if [ ! -e $KEY2 ]; then
		dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
	fi

	if [ ! -e $KEY5 ]; then
		dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
	fi

	if [ ! -e $KEYE ]; then
		touch $KEYE
	fi

	# Pristine copy of the image (for later comparison by the callers).
	cp $IMG $ORIG_IMG
	[ -n "$1" ] && echo "CASE: $1"
}
|
|
|
|
check_exists()
{
	# The activated device must be present under /dev/mapper.
	if ! [ -b "/dev/mapper/$DEV_NAME" ]; then
		fail
	fi
}
|
|
|
|
valgrind_setup()
{
	# Valgrind runs need the tool, the unwrapped binary and the valg.sh runner.
	command -v valgrind >/dev/null || fail "Cannot find valgrind."
	if [ ! -f $CRYPTSETUP_VALGRIND ]; then
		fail "Unable to get location of cryptsetup executable."
	fi
	if [ ! -f valg.sh ]; then
		fail "Unable to get location of valg runner script."
	fi
	# Libtool-style build: the uninstalled library lives in ../.libs.
	if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
		export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
	fi
}
|
|
|
|
valgrind_run()
{
	local info

	# Tag the run with "<script>-line-<caller line>" so a valgrind report can
	# be traced back to the test step that produced it.
	info="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
	INFOSTRING="$info" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
}
|
|
|
|
dm_crypt_capi_support()
{
	# dm-crypt target version as printed by "dmsetup targets" ("crypt vX.Y.Z").
	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	[ -n "$VER_STR" ] || fail "Failed to parse dm-crypt version."

	# Globals: other helpers in this file read VER_MAJ/VER_MIN after a call.
	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)

	# Needs dm-crypt >= 1.16 (presumably the kernel crypto API cipher spec).
	[ "$VER_MAJ" -gt 1 ] || [ "$VER_MIN" -ge 16 ]
}
|
|
|
|
dm_crypt_keyring_support()
{
	# cryptsetup itself must be built with kernel keyring support.
	$CRYPTSETUP --version | grep -q KEYRING || return 1

	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	[ -n "$VER_STR" ] || fail "Failed to parse dm-crypt version."

	# Globals on purpose: dm_crypt_keyring_flawed() reads VER_MAJ/VER_MIN
	# after this function returns (even when it returns 1 below).
	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
	VER_PTC=$(echo $VER_STR | cut -f 3 -d.)

	# No keyring subsystem in this kernel at all.
	test -d /proc/sys/kernel/keys || return 1

	# Volume key in kernel keyring needs dm-crypt >= 1.18.1.
	if [ "$VER_MAJ" -gt 1 ]; then
		return 0
	elif [ "$VER_MAJ" -eq 1 ] && [ "$VER_MIN" -gt 18 ]; then
		return 0
	elif [ "$VER_MAJ" -eq 1 ] && [ "$VER_MIN" -eq 18 ] && [ "$VER_PTC" -ge 1 ]; then
		return 0
	fi
	return 1
}
|
|
|
|
dm_crypt_keyring_flawed()
{
	# Working keyring support is, by definition, not flawed. The call also
	# sets the VER_MAJ/VER_MIN globals consumed below.
	dm_crypt_keyring_support && return 1

	# dm-crypt >= 1.15 (or a newer major) that still failed the check above.
	if [ "$VER_MAJ" -gt 1 ]; then
		return 0
	fi
	if [ "$VER_MAJ" -eq 1 ] && [ "$VER_MIN" -ge 15 ]; then
		return 0
	fi
	return 1
}
|
|
|
|
dm_crypt_keyring_new_kernel()
{
	# Running kernel >= 4.15, judged from "uname -r" only (distribution
	# backports are not detected).
	KER_STR=$(uname -r)
	[ -n "$KER_STR" ] || fail "Failed to parse kernel version."
	KER_MAJ=$(echo $KER_STR | cut -f 1 -d.)
	KER_MIN=$(echo $KER_STR | cut -f 2 -d.)

	if [ "$KER_MAJ" -ge 5 ]; then
		return 0
	fi
	if [ "$KER_MAJ" -eq 4 ] && [ "$KER_MIN" -ge 15 ]; then
		return 0
	fi
	return 1
}
|
|
|
|
dm_crypt_sector_size_support()
{
	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	[ -n "$VER_STR" ] || fail "Failed to parse dm-crypt version."

	# Globals, as in the other dm_crypt_* helpers.
	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
	VER_PTC=$(echo $VER_STR | cut -f 3 -d.)

	# Encryption sector sizes > 512 need dm-crypt >= 1.17, or the 1.14.5+
	# point release.
	[ "$VER_MAJ" -gt 1 ] && return 0
	[ "$VER_MIN" -ge 17 ] && return 0
	[ "$VER_MIN" -eq 14 ] && [ "$VER_PTC" -ge 5 ] && return 0
	return 1
}
|
|
|
|
# Create the per-test keyring under the user keyring (TEST_KEYRING) and make
# sure keys can actually be added; skips the test when that is impossible.
test_and_prepare_keyring() {
	command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped"
	keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
	TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
	[ -n "$TEST_KEYRING" ] || skip "Failed to create keyring in user keyring"
	# Make the user keyring reachable from the session keyring if it is not.
	if ! keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1; then
		keyctl link "@u" "@s" > /dev/null 2>&1
	fi
	load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
}
|
|
|
|
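# $1 type
# $2 description
# $3 payload
# $4 keyring
load_key()
{
	# Add a key to the given keyring (test [19] relies on adding the same
	# description again to replace the payload).
	[ -n "$4" ] || fail "Keyring not defined!"
	# "$@" keeps a payload that contains whitespace (or is empty) as exactly
	# one argument to keyctl.
	keyctl add "$@" >/dev/null
}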
|
|
|
|
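# Format and open a scratch LUKS2 device once to learn what this build and
# kernel support. Sets HAVE_KEYRING (volume key held in the kernel keyring
# according to "cryptsetup status") and HAVE_BLKID (cryptsetup built with
# libblkid).
setup_luks2_env() {
	echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV || fail
	$CRYPTSETUP luksDump $LOOPDEV >/dev/null || fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
	if $CRYPTSETUP status $DEV_NAME | grep -q "keyring"; then
		HAVE_KEYRING=1
	else
		HAVE_KEYRING=0
	fi
	# The pipeline is the condition itself; do not wrap it in $(...) - an
	# empty command substitution only "works" by accident.
	if $CRYPTSETUP --version | grep -q "BLKID"; then
		HAVE_BLKID=1
	else
		HAVE_BLKID=0
	fi
	$CRYPTSETUP close $DEV_NAME || fail
}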
|
|
|
|
# $1 path to scsi debug bdev
scsi_debug_teardown() {
	local attempts_left=15

	# Unloading can race with the device going away; retry for ~1.5 s.
	while [ -b "$1" ] && [ "$attempts_left" -gt 0 ]; do
		rmmod scsi_debug >/dev/null 2>&1
		if [ -b "$1" ]; then
			sleep .1
			attempts_left=$((attempts_left - 1))
		fi
	done

	# One last attempt if the device node is still around.
	if [ -b "$1" ]; then
		rmmod scsi_debug >/dev/null 2>&1
	fi
}
|
|
|
|
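# Load a fresh scsi_debug instance with the given module parameters and set
# DEV to its block device. Exits 77 (skip) when the module cannot be used.
add_scsi_device() {
	scsi_debug_teardown $DEV
	if [ -d /sys/module/scsi_debug ] ; then
		echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
		exit 77
	fi
	# "$@" forwards every parameter as one argument; delay=0 is always appended.
	if ! modprobe scsi_debug "$@" delay=0 >/dev/null 2>&1; then
		echo "This kernel seems to not support proper scsi_debug module, test skipped."
		exit 77
	fi

	# Presumably waiting for the device node to show up before looking it up.
	sleep 1
	DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
	[ -b "$DEV" ] || return 1
	return 0
}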
|
|
|
|
# $1 key name
# $2 keyring to link VK to
# $3 key type (optional)
test_vk_link_with_passphrase_check() {
	# --test-passphrase must still honour --link-vk-to-keyring, and a plain
	# --test-passphrase run must not link anything.
	KEY_TYPE=${3:-user}
	# "%type:name" only when an explicit key type was given.
	KEY_DESC=${3:+%$3:}$1
	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"

	echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
	# Read-back through --volume-key-keyring is checked for the default
	# "user" type only; stdin is closed so nothing can be prompted for.
	if [ "$KEY_TYPE" = "user" ]; then
		$CRYPTSETUP open $LOOPDEV --test-passphrase --volume-key-keyring $KEY_DESC <&- || fail "Failed to check volume passed via kernel keyring."
	fi
	keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail

	echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
}
|
|
|
|
# $1 key name
# $2 keyring to link VK to
# $3 key type (optional)
#
# Linking the volume key on activation and on luksResume: the key must be in
# the keyring after open/resume, must survive "close", and must not appear
# when the option is not given.
test_vk_link() {
	KEY_TYPE=${3:-user}
	if [ -z "$3" ]; then
		KEY_DESC=$1
	else
		KEY_DESC="%$3:$1"
	fi

	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"

	# Link on open.
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	$CRYPTSETUP close $DEV_NAME
	# Deactivation must not remove the linked key.
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
	keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail

	# Plain open must not link; link on luksResume instead.
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is linked to the specified keyring before resume with linking."
	$CRYPTSETUP luksSuspend $DEV_NAME || fail
	echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	$CRYPTSETUP close $DEV_NAME
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
	keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
}
|
|
|
|
# $1 key name
# $2 keyring to link VK to
# $3 key type (optional)
#
# Link the VK on activation, then use the linked key (no passphrase) to open,
# resume and add a passphrase. Finally corrupt the key in place and verify
# that it is rejected but stays linked.
test_vk_link_and_reactivate() {
	KEY_TYPE=${3:-user}
	if [ -z "$3" ]; then
		KEY_DESC=$1
	else
		KEY_DESC="%$3:$1"
	fi

	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"

	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	$CRYPTSETUP close $DEV_NAME || fail
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
	# stdin is closed (<&-) so these must succeed without any prompt.
	$CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring $KEY_DESC <&-|| fail "Failed to unlock volume via a VK in keyring."
	$CRYPTSETUP luksSuspend $DEV_NAME || fail "Failed to suspend device."
	$CRYPTSETUP luksResume $DEV_NAME --volume-key-keyring $KEY_DESC <&- || fail "Failed to resume via a VK in keyring."

	# Add a second passphrase authenticated by the keyring VK, then remove it again.
	echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null || fail
	echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
	echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-keyring $KEY_DESC $LOOPDEV --new-key-slot 1 || fail "Failed to add passphrase by VK in keyring."
	echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null || fail
	$CRYPTSETUP luksKillSlot -q $LOOPDEV 1 2>/dev/null || fail

	$CRYPTSETUP close $DEV_NAME || fail
	# zero-out the key in keyring
	# (same length, every byte replaced by NUL - a wrong VK must not unlock)
	keyctl pipe $KEYCTL_KEY_NAME | tr -c '\0' '\0' | keyctl pupdate $KEYCTL_KEY_NAME
	$CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring $KEY_DESC <&- > /dev/null 2>&1 && fail "Unlocked volume via a bad VK in keyring."
	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after bad activation."
	keyctl unlink $KEYCTL_KEY_NAME "$2" || fail
}
|
|
|
|
# $1 first key name
# $2 second key name
# $3 keyring to link VK to
# $4 key type (optional)
#
# A device with two volume keys (reencryption in progress): both keys must be
# linked when --link-vk-to-keyring is given twice, and both must survive close.
test_reencrypt_vk_link() {
	KEY_TYPE=${4:-user}
	if [ -z "$4" ]; then
		KEY_DESC=$1
	else
		KEY_DESC="%$4:$1"
	fi
	if [ -z "$4" ]; then
		KEY_DESC2=$2
	else
		KEY_DESC2="%$4:$2"
	fi

	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
	KEYCTL_KEY_NAME2="%$KEY_TYPE:$2"

	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$3"::"$KEY_DESC" --link-vk-to-keyring "$3"::"$KEY_DESC2" || fail
	keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."

	# (The first key is checked a second time here; harmless duplicate.)
	keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	$CRYPTSETUP close $DEV_NAME || fail
	keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
	keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."

	keyctl unlink $KEYCTL_KEY_NAME "$3" || fail
	keyctl unlink $KEYCTL_KEY_NAME2 "$3" || fail
}
|
|
|
|
# $1 first key name
# $2 second key name
# $3 keyring to link VK to
# $4 key type (optional)
#
# Like test_reencrypt_vk_link, plus: reactivation via two --volume-key-keyring
# keys works only while BOTH keys are still linked.
test_reencrypt_vk_link_and_reactivate() {
	KEY_TYPE=${4:-user}
	if [ -z "$4" ]; then
		KEY_DESC=$1
	else
		KEY_DESC="%$4:$1"
	fi
	if [ -z "$4" ]; then
		KEY_DESC2=$2
	else
		KEY_DESC2="%$4:$2"
	fi

	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
	KEYCTL_KEY_NAME2="%$KEY_TYPE:$2"

	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$3"::"$KEY_DESC" --link-vk-to-keyring "$3"::"$KEY_DESC2" || fail
	keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."

	# (The first key is checked a second time here; harmless duplicate.)
	keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	$CRYPTSETUP close $DEV_NAME || fail
	keyctl search "$3" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
	keyctl search "$3" $KEY_TYPE $2 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."

	# Both keys present: reactivation from the keyring succeeds.
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" || fail
	$CRYPTSETUP close $DEV_NAME || fail

	# With either key missing the same activation must be refused.
	keyctl unlink $KEYCTL_KEY_NAME "$3" || fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail
	keyctl unlink $KEYCTL_KEY_NAME2 "$3" || fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail
}
|
|
|
|
expect_run()
{
	# Tag the expect session with "<script>-line-<caller line>" so a failure
	# can be traced back to the test step that spawned it.
	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
	export INFOSTRING
	expect "$@"
}
|
|
|
|
# expected unlocked keyslot id
# command arguments
#
# Drive an interactive cryptsetup run (always the unwrapped CRYPTSETUP_RAW,
# presumably to keep the valgrind wrapper out of the interactive session) and
# require that keyslot $1 is the one reported as unlocked. Returns 0 without
# doing anything when expect is not installed.
expect_unlocked_keyslot()
{
	command -v expect >/dev/null || {
		echo "WARNING: expect tool missing, interactive test will be skipped."
		return 0
	}

	EXPECT_TIMEOUT=60
	EXPECT_KEY=$1

	# Unquoted heredoc: the shell interpolates $CRYPTSETUP_RAW, $2 and the
	# expect variables first; Tcl's eval then word-splits $2 into arguments.
	expect_run - >/dev/null <<EOF
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout $EXPECT_TIMEOUT
eval spawn $CRYPTSETUP_RAW $2
expect timeout abort "Key slot $EXPECT_KEY unlocked."
expect timeout abort "Command successful."
expect timeout abort eof
exit
EOF
	# Non-zero when expect timed out (abort exits 2) or the spawn failed.
	[ $? -eq 0 ] || return 1
}
|
|
|
|
# expected unlocked keyslot id
# password
# command arguments
#
# Interactive variant that first answers the prompt with a wrong passphrase
# ("$2 x"), expects the rejection message and a second prompt, then sends the
# correct passphrase and requires keyslot $1 to unlock. Returns 0 without
# doing anything when expect is not installed.
expect_retried_unlocked_keyslot()
{
	command -v expect >/dev/null || {
		echo "WARNING: expect tool missing, interactive test will be skipped."
		return 0
	}

	EXPECT_TIMEOUT=60

	# Unquoted heredoc: $CRYPTSETUP_RAW, $1, $2 and $3 are interpolated by the
	# shell before expect sees the script (the passphrase ends up in the
	# expect script text).
	expect_run - >/dev/null <<EOF
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout $EXPECT_TIMEOUT
eval spawn $CRYPTSETUP_RAW $3
expect timeout abort "Enter passphrase for*:"
sleep 0.1
send "$2 x\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort "Enter passphrase for*:"
sleep 0.1
send "$2\n"
expect timeout abort "Key slot $1 unlocked."
expect timeout abort "Command successful."
expect timeout abort eof
exit
EOF
	# Non-zero when expect timed out (abort exits 2) or the spawn failed.
	[ $? -eq 0 ] || return 1
}
|
|
|
|
# C locale: the grep checks on cryptsetup output below must not be defeated
# by translated messages.
export LANG=C

[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
# Everything below needs loop devices, device-mapper and module loading.
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."

# Probe build/kernel features (HAVE_KEYRING, HAVE_BLKID) with the real binary
# before it is possibly swapped for the valgrind wrapper.
prepare "[0] Detect LUKS2 environment" wipe
setup_luks2_env

# VALG=1 routes every later $CRYPTSETUP call through valg.sh.
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
|
|
|
|
prepare "[1] Data offset" wipe
# --offset is given in 512-byte sectors. Values that leave no room for the
# LUKS2 header or are not suitably aligned must be rejected (1, 16385, 32).
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 1 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 16385 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 32 2>/dev/null && fail
# --align-payload together with --offset is expected to be refused.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --align-payload 16384 --offset 16384 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 16384 || fail
# luksDump reports the data offset in bytes: 16384 sectors * 512.
$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
# The offset unit stays 512-byte sectors even with a larger encryption sector size.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 1024 --offset 16384 >/dev/null || fail
$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
# Detached header in a 4 KiB file: the offset applies to the data device, so
# a value far beyond the header file's size must be accepted.
truncate -s 4096 $HEADER_IMG
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG -q --offset 80000 >/dev/null 2>&1 || fail
|
|
|
|
prepare "[2] Sector size and old payload alignment" wipe
# Encryption sector size must be a power of two between 512 and 4096:
# 511 (not a power of two), 256 (too small) and 8192 (too large) are rejected.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 511 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 256 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 8192 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 512 || fail
# Legacy --align-payload (in 512-byte sectors) is still accepted, alone and
# combined with an explicit sector size.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --align-payload 5 || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 512 --align-payload 5 || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 --align-payload 32 >/dev/null || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 4096 >/dev/null || fail
# A large alignment becomes the data offset verbatim: 32768 sectors * 512 bytes.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 --align-payload 32768 >/dev/null || fail
$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 32768)) \[bytes\]" || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --s sector-size 2048 >/dev/null || fail
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 4096 --align-payload 32768 >/dev/null || fail
$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 32768)) \[bytes\]" || fail
|
|
|
|
prepare "[3] format" wipe
# Non-default cipher spec (aes-cbc-essiv:sha256) with a 128-bit key.
echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail

prepare "[4] format using hash sha512" wipe
# -h selects the PBKDF hash; it must show up in keyslot 0's dump.
echo $PWD1 | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
$CRYPTSETUP -q luksDump $LOOPDEV | grep "0: pbkdf2" -A2 | grep "Hash:" | grep -qe sha512 || fail
# Check JSON dump for some mandatory section
$CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata | grep -q '"tokens":' || fail
|
|
|
|
prepare "[5] open"
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
# $? here is cryptsetup's own exit code (the "&& fail" branch was not taken):
# a wrong passphrase must be reported as 2, which callers presumably use to
# tell "bad passphrase" apart from other errors.
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
check_exists

# Key Slot 1 and key material section 1 must change, the rest must not.
prepare "[6] add key"
# stdin carries the existing passphrase, then the new one.
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail

# Unsuccessful Key Delete - nothing may change
prepare "[7] unsuccessful delete"
# Killing a slot is authenticated: a wrong passphrase must be refused with exit code 2.
echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksKillSlot should return EPERM exit code"
#FIXME
#$CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
#$CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail

# Delete Key Test
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[8] successful delete"
# Batch mode (-q) kills the slot without a passphrase; PWD2 must stop working.
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
|
|
|
|
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[9] add key test for key files"
# Passphrase on stdin authenticates; the keyfile argument becomes the new slot.
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail

# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[10] delete key test with key1 as remaining key"
# Slot 0 (passphrase) removed, authenticated with the keyfile; only KEY1 unlocks now.
$CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail

# Delete last slot
prepare "[11] delete last key" wipe
# Removing the last keyslot is allowed and leaves the device permanently unopenable.
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail

# Format test for ESSIV, and some other parameters.
prepare "[12] parameter variation test" wipe
$CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV $KEY1 || fail
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
|
|
|
|
prepare "[13] open/close - stacked devices" wipe
# LUKS2 on top of an already activated dm-crypt device (dummy2 over dummy);
# closed in reverse order.
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 /dev/mapper/$DEV_NAME $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail

prepare "[14] format/open - passphrase on stdin & new line" wipe
# stdin defined by "-" must take even newline
# i.e. with --key-file=- the whole input "PWD1\nPWD2" (newline included) is
# the key; without it a passphrase read from stdin ends at the first newline,
# so the same input typed as a passphrase must NOT unlock.
#echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks2 $LOOPDEV || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# now also try --key-file
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV --key-file=- || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# process newline if from stdin
# (format took only the first line as the passphrase, so plain PWD1 opens it)
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV || fail
echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
|
|
|
prepare "[15] UUID - use and report provided UUID" wipe
# A malformed UUID is rejected at format time.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid blah --type luks2 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
# "luksUUID --uuid" rewrites the UUID of an existing header.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
|
|
|
|
prepare "[16] luksFormat" wipe
# --volume-key-file supplies the volume (master) key instead of letting
# cryptsetup generate it. /dev/urandom is harmless; a fixed file (KEY1, below)
# makes the master key predictable and is acceptable only in tests.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 256 --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by UUID
if [ -d /dev/disk/by-uuid ] ; then
	force_uevent # some systems do not update loop by-uuid
	# A UUID that does not exist must fail; the real one must resolve.
	$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
	$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi

# skip tests using empty passphrases
if ! fips_mode; then
	# empty keyfile
	$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
	$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
	$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi

# open by volume key
# Activation with the volume key bypasses the keyslots entirely; a key that
# does not match the header (random bytes) must still be rejected.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen --volume-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
|
|
|
prepare "[17] AddKey volume key, passphrase and keyfile" wipe
# volumekey
# /dev/zero as the volume key gives an all-zero master key - fine for a test,
# never for real data. It lets luksAddKey authenticate with the same key
# instead of an existing passphrase.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --volume-key-file /dev/zero --key-slot 3 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 4 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
# An empty volume key file (/dev/null) must be rejected.
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/null --key-slot 5 2>/dev/null && fail
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 5 $KEY1 || fail
$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail

# special "-" handling
# "-" reads the keyfile from stdin (newline included, see [14]); the same
# string entered as a passphrase therefore does not unlock.
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
# More than one --key-file for luksOpen is refused.
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail

# [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
# An occupied slot cannot be targeted by luksAddKey.
$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
# keyfile/keyfile
$CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
# passphrase/keyfile
echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
# passphrase/passphrase
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
# keyfile/passphrase
# --new-keyfile-size 8: only the first 8 bytes of KEY1 form the new key.
echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
|
|
|
|
prepare "[18] RemoveKey passphrase and keyfile" reuse
# Continues with the slot layout left by [17]. luksRemoveKey deletes whichever
# slot the given secret unlocks.
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" && fail
# Removing with a secret that no longer matches any slot: exit code 2.
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksRemoveKey should return EPERM exit code"
# A truncated keyfile (--keyfile-size 1) is a different key and must not match.
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" && fail
# if password or keyfile is provided, batch mode must not suppress it
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
# kill slot using passphrase from 1
echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
# remove key0 / slot 0
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" && fail
# last keyslot, in batch mode no passphrase needed...
$CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
|
|
|
|
prepare "[19] create & status & resize" wipe
# Resizing an active device needs the volume key. With keyring-backed
# dm-crypt the key is not readable from the dm table, so resize must be
# authenticated (passphrase, token or --key-description); with
# --disable-keyring the key is in the table and no passphrase is needed.
# --size is in 512-byte sectors, --device-size in bytes.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then
	# Empty passphrase on stdin must not be enough.
	echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail
	if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
		test_and_prepare_keyring
		# Token 1 points at a kernel key holding the correct passphrase.
		load_key user $TEST_KEY_DESC2 $PWD1 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
		$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC2 --token-id 1 || fail
		$CRYPTSETUP -q resize --size 99 $DEV_NAME <&- || fail
		$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "99 \[512-byte units\]" || fail
		#replace kernel key with wrong pass
		load_key user $TEST_KEY_DESC2 $PWD2 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
		# must fail due to --token-only
		# (the correct passphrase on stdin must be ignored, and the size unchanged)
		echo $PWD1 | $CRYPTSETUP -q resize --token-only --size 100 $DEV_NAME && fail
		$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" && fail
		# resize with keyring description
		load_key user $TEST_KEY_DESC1 $PWD1 "$TEST_KEYRING" || fail
		$CRYPTSETUP -q resize --size 99 $DEV_NAME --key-description $TEST_KEY_DESC1 || fail
		$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "99 \[512-byte units\]" || fail
	fi
fi
echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
# 51200 bytes = 100 sectors; 1M = 2048 sectors.
echo $PWD1 | $CRYPTSETUP -q resize --device-size 51200 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
# Both size options at once, or a byte count that is not a sector multiple,
# must be rejected without touching the current size.
echo $PWD1 | $CRYPTSETUP -q resize --device-size 512k --size 1024 $DEV_NAME > /dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 4097 $DEV_NAME > /dev/null 2>&1 && fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
$CRYPTSETUP close $DEV_NAME || fail
# Key in the dm table (no keyring): resize works with no passphrase at all.
echo $PWD1 | $CRYPTSETUP luksOpen --disable-keyring $LOOPDEV $DEV_NAME || fail
echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then
	# --disable-keyring on resize cannot retroactively expose the key.
	$CRYPTSETUP -q resize --disable-keyring --size 100 $DEV_NAME 2>/dev/null && fail
fi
|
|
if dm_crypt_sector_size_support; then
|
|
$CRYPTSETUP close $DEV_NAME || fail
|
|
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 4096 $LOOPDEV > /dev/null || fail
|
|
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
|
|
echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
|
|
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
|
|
echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
|
|
echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
|
|
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
|
|
fi
|
|
$CRYPTSETUP close $DEV_NAME || fail
|
|
# Resize not aligned to logical block size
|
|
add_scsi_device dev_size_mb=32 sector_size=4096 || fail "scsi_debug device not found"
|
|
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $DEV || fail
|
|
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
|
|
OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') #'
|
|
echo $PWD1 | $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
|
|
dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
|
|
NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') #'
|
|
test $OLD_SIZE -eq $NEW_SIZE || fail
|
|
$CRYPTSETUP close $DEV_NAME || fail
|
|
|
|
# [20] A device that is already mapped must not be reformatted, and the same
# LUKS device must not be opened twice under different names.
prepare "[20] Disallow open/create if already mapped." wipe
# Plain (non-LUKS) mapping over $LOOPDEV, then try to luksFormat the same
# backing device underneath it.
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --cipher aes-cbc-essiv:sha256 --key-size 256 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP remove $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Second open of the same device under another name must be refused.
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
$CRYPTSETUP luksClose $DEV_NAME || fail
|
|
|
|
# [21] luksDump, including volume-key export. The volume key may only be
# dumped by a caller who unlocks a keyslot; an existing key file must not be
# overwritten; and a dumped key alone is sufficient to regain access even
# after every keyslot has been erased.
prepare "[21] luksDump" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
# Wrong passphrase must not reveal the volume key.
echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key | grep -q "MK dump:" || fail
$CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key -d $KEY1 | grep -q "MK dump:" || fail
# Legacy --dump-master-key/--master-key-file spelling is still accepted.
echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE >/dev/null || fail
rm -f $VK_FILE
echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail
# Refuse to overwrite an existing volume-key file.
echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key --volume-key-file $VK_FILE 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $LOOPDEV || fail
# Use volume key file without keyslots
# (luksErase drops every keyslot; the raw volume key plus its size still
# unlocks the device and can re-create a keyslot)
$CRYPTSETUP luksErase -q $LOOPDEV || fail
$CRYPTSETUP luksOpen --volume-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE --key-size 256 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail
|
|
|
|
# [22] Closing a LUKS mapping whose backing device has started failing.
# The dm node still exists, so luksClose must succeed rather than get stuck
# on reading the now-unreadable header.
prepare "[22] remove disappeared device" wipe
dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
# underlying device now returns error but node is still present
dmsetup load $DEV_NAME --table "0 40000 error" || fail
dmsetup resume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
dmsetup remove --retry $DEV_NAME || fail
|
|
|
|
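# [23] luksChangeKey with passphrases and keyfiles on a deliberately small
# keyslot area (--luks2-keyslots-size 256k, room for two keyslots). Besides
# the basic key replacement this asserts that a changed keyslot is written to
# a fresh area rather than over the old binary area while a free one exists.
prepare "[23] ChangeKey passphrase and keyfile" wipe
# [0]$KEY1 [1]key0
$CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --key-size 256 --luks2-keyslots-size 256k >/dev/null || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
# keyfile [0] / keyfile [0]
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
# passphrase [1] / passphrase [1]
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
# keyfile [0] / keyfile [new] - with LUKS2 it should stay
# (no --key-slot given: the slot number must be kept, no slot 2 created)
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
# passphrase [1] / passphrase [new]
echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
# test out of raw area, change in-place (space only for 2 keyslots)
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
# slot 0 now holds $KEY2, so $KEY1 no longer unlocks anything
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
# make a free space in keyslot area
echo $PWD1 | $CRYPTSETUP luksKillSlot -q $LOOPDEV 0 || fail

# assert LUKS2 does not overwrite existing area with specific keyslot id
# (the "0" prefix keeps the numeric test valid if the dump yields nothing)
AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
[ 0$AREA_OFFSET_OLD -gt 0 ] || fail
# The change itself must succeed; the offset comparison below would otherwise
# also report a silently failed luksChangeKey as "area reused".
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey --key-slot 1 $LOOPDEV $FAST_PBKDF_OPT || fail
AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
[ 0$AREA_OFFSET_NEW -gt 0 ] || fail
[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW"

# assert LUKS2 does not overwrite existing area with any sklot
AREA_OFFSET_OLD=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
[ 0$AREA_OFFSET_OLD -gt 0 ] || fail
echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT || fail
AREA_OFFSET_NEW=$($CRYPTSETUP luksDump $LOOPDEV | grep -e "1: luks2" -A12 | grep -e "Area offset:" | cut -d: -f 2 | sed -e 's/[[:space:]]*\[bytes\]//g')
[ 0$AREA_OFFSET_NEW -gt 0 ] || fail
[ $AREA_OFFSET_OLD -ne $AREA_OFFSET_NEW ] || fail "Area offsets remained same: old area $AREA_OFFSET_OLD, new area $AREA_OFFSET_NEW"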
|
|
|
|
# [24] Keyfile size (-l / --keyfile-size) and offset limits. A keyslot created
# from the first 13 bytes of $KEY1 must only unlock when exactly that byte
# range is supplied again; zero, negative and over-long sizes are rejected.
prepare "[24] Keyfile limit" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
$CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
# The same limits apply to the existing key when adding; the new keyfile
# gets its own --new-keyfile-size.
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
# A rejected key must surface as exit code 2 (EPERM), not a generic error;
# $? here is the cryptsetup status because the `&& fail` branch was not taken.
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
# -l is ignored for stdin if _only_ passphrase is used
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
# this is stupid, but expected
# (with -d- stdin is read as a keyfile; $PWD1 is 12 bytes, so only -l 12
# matches the passphrase keyslot created above)
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
# offset
# (keyslot built from bytes 16..28 of $KEY1; off-by-one offset must fail)
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
# Change the keyslot back to offset 0 of the same file and verify a plain
# -d $KEY2 now unlocks it.
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
$CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
|
|
|
|
# [25] luksSuspend/luksResume. A suspended device must report "(suspended)",
# must not be resizable, and must only resume with a correct passphrase
# (wrong passphrase -> exit code 2 / EPERM). Repeated with the null cipher.
prepare "[25] Suspend/Resume" wipe
# LUKS
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
# $? is the luksResume status (the `&& fail` branch did not run)
[ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# Same cycle with -c null (no encryption of the data segment).
echo $PWD1 | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
|
|
|
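# [26] Explicit keyslot selection (-S) for luksOpen and luksResume, with
# passphrases and with keyfiles. Naming the wrong slot must fail even when the
# key itself is valid for another slot, and a failed open must not leave a
# /dev/mapper node behind. The tail of the test uses a header image with a
# keyslot that is not bound to the data segment.
prepare "[26] luksOpen/Resume with specified key slot number" wipe
# first, let's try passphrase option
echo $PWD3 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
check_exists
$CRYPTSETUP luksSuspend $DEV_NAME || fail
# Resume with the wrong slot must fail and leave the device suspended.
echo $PWD3 | $CRYPTSETUP luksResume -S 4 $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
echo $PWD3 | $CRYPTSETUP luksResume -S 5 $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
# Slot 0 gets $PWD1; each passphrase must unlock only its own slot.
echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
# second, try it with keyfiles
$CRYPTSETUP -q luksFormat -q -S 5 $FAST_PBKDF_OPT -d $KEY5 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
check_exists
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP luksResume -S 1 -d $KEY5 $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
$CRYPTSETUP luksResume -S 5 -d $KEY5 $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
$CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
# test keyslot not assigned to segment is unable to unlock volume
# otoh it should be allowed to test for proper passphrase
prepare "" new
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
# Activation must fail both with the slot named explicitly and with the
# default slot search, and must not create the mapping.
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
# Removing the bound keyslot must not make the unbound one usable for
# activation; the kill itself has to succeed for the assertions to mean
# anything.
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 || fail
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail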
|
|
|
|
# [27] Detached LUKS2 header (--header). Covers payload alignment limits,
# operations that must carry --header (resume, keyslot management), the
# placeholder device name for header-only operations, and an exactly
# 16 MiB header built from explicit metadata/keyslot area sizes.
prepare "[27] Detached LUKS header" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
# --align-payload 1 (one 512-byte sector) is rejected; 8192 and 4096 are
# accepted and 4096 shows up in the dump as 4096*512 bytes.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 4096 >/dev/null || fail
$CRYPTSETUP luksDump $HEADER_IMG | grep -e "0: crypt" -A1 | grep -qe $((4096*512)) || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 0 --sector-size 512 || fail
# Header present but data device missing: open must fail.
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q resize $DEV_NAME --size 100 --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 \[512-byte units\]" || fail
# Without --header, status cannot identify the type but still reports size.
$CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
$CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
# Suspend works without the header; resume needs it to find the keyslots.
$CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
# Keyslot operations only touch the header; the data device argument may be
# a placeholder (_fakedev_).
echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail
$CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
rm $HEADER_IMG || fail
# create exactly 16 MiBs LUKS2 header
# (16k metadata + 16352k keyslots; --offset is in 512-byte sectors and is
# reported in bytes by luksDump)
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --luks2-keyslots-size 16352k --luks2-metadata-size 16k --offset 131072 >/dev/null || fail
SIZE=$(stat --printf=%s $HEADER_IMG)
test $SIZE -eq 16777216 || fail
$CRYPTSETUP -q luksDump $HEADER_IMG | grep -q "offset: $((512 * 131072)) \[bytes\]" || fail
|
|
|
|
# [28] Metadata repair on a LUKS2 header image that also carries a foreign
# (blkid-detectable) signature. While the ambiguity exists, the image must
# not be reported as LUKS (blkid-enabled builds only); after repair it must
# be recognised as luks2 and not as luks1.
prepare "[28] Repair metadata" wipe
xz -dk $HEADER_LUKS2_PV.xz
if [ "$HAVE_BLKID" -gt 0 ]; then
# Both with and without metadata locking, and with/without an explicit type.
$CRYPTSETUP isLuks --disable-locks $HEADER_LUKS2_PV && fail
$CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
$CRYPTSETUP isLuks --disable-locks --type luks2 $HEADER_LUKS2_PV && fail
$CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV && fail
fi
$CRYPTSETUP -q repair $HEADER_LUKS2_PV || fail
$CRYPTSETUP isLuks $HEADER_LUKS2_PV || fail
$CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV || fail
$CRYPTSETUP isLuks --type luks1 $HEADER_LUKS2_PV && fail
|
|
|
|
# [29] luksErase removes every keyslot, whatever slot numbers were in use,
# without needing any key.
prepare "[29] LUKS erase" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP luksErase -q $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" && fail
|
|
|
|
# [30] In-place conversion between LUKS1 and LUKS2. Keyslots must survive a
# round trip; conversion to LUKS1 must be refused for headers that LUKS1
# cannot represent (mixed keyslot hashes, non-512 sector size).
prepare "[30] LUKS convert" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
# JSON metadata dump only exists for LUKS2; converting to the current type
# is an error.
$CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata >/dev/null 2>&1 && fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
# hash test
# (slots using different PBKDF hashes block conversion until one is removed)
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
# sector size test
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail

# create LUKS1 with data offset not aligned to 4KiB
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --align-payload 4097 || fail
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
$CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail

# keyslot 1 area offset is higher than keyslot 0 area
# (luksChangeKey on slot 0 moves it to a fresh area, see test [23])
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --key-slot 0 $LOOPDEV || fail
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_OPT --key-slot 1 $LOOPDEV || fail
echo -e "$PWD1\n$PWD1" | $CRYPTSETUP -q luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
# convert to LUKS1 and back; LUKS1 does not store length, only offset
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail
echo $PWD2 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail
echo $PWD2 | $CRYPTSETUP -q open --test-passphrase $LOOPDEV || fail
|
|
|
|
# [31] On kernels where dm_crypt_keyring_flawed reports a broken keyring
# path, the volume key must be passed to dm-crypt directly ("key location:
# dm-crypt"), including when dm-crypt is not yet loaded at open time.
if dm_crypt_keyring_flawed; then
prepare "[31] LUKS2 keyring dm-crypt bug" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
$CRYPTSETUP close $DEV_NAME || fail
# key must not load in kernel key even when dm-crypt module is missing
# (only attempted if the module can actually be unloaded here)
if rmmod dm-crypt >/dev/null 2>&1; then
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
$CRYPTSETUP close $DEV_NAME || fail
fi
fi
|
|
|
|
# [32] Volume key placement with kernel keyring support: default open puts
# the key in the keyring, --disable-keyring keeps it in dm-crypt, and a
# luksResume may switch the location either way.
if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then
prepare "[32] LUKS2 key in keyring" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail

# check keyring support detection works as expected
# (unload dm-crypt first so detection cannot rely on an already-loaded module;
# failure to unload is tolerated)
rmmod dm-crypt >/dev/null 2>&1 || true
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
$CRYPTSETUP close $DEV_NAME || fail

echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
$CRYPTSETUP close $DEV_NAME || fail

# Opened with key in dm-crypt; a plain resume moves it into the keyring.
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
$CRYPTSETUP close $DEV_NAME || fail

# Opened with key in keyring; resume with --disable-keyring moves it back.
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
$CRYPTSETUP close $DEV_NAME || fail
fi
|
|
|
|
# FIXME: candidate for non-root tests
|
|
# [33] LUKS2 tokens. Keyring tokens (luks2-keyring) must only unlock when the
# referenced kernel key holds a passphrase valid for a keyslot the token is
# assigned to; token-only unlocking must fail closed (EPERM) otherwise.
# The keyring-independent tail checks token import/export round trips.
prepare "[33] tokens" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then

test_and_prepare_keyring

$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC0 --token-id 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" || fail
# keyslot 5 is inactive
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC1 --key-slot 5 2> /dev/null && fail
# key description is not reachable
$CRYPTSETUP open --token-only $LOOPDEV --test-passphrase && fail
# wrong passphrase
load_key user $TEST_KEY_DESC0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
$CRYPTSETUP open --token-only $LOOPDEV --test-passphrase 2>/dev/null && fail
load_key user $TEST_KEY_DESC0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
$CRYPTSETUP open --token-only $LOOPDEV --test-passphrase || fail
$CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP status $DEV_NAME > /dev/null || fail
# Resume with stdin closed: the token alone must be enough, with and
# without restricting the token type.
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP luksResume $DEV_NAME <&- || fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" && fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP luksResume $DEV_NAME --token-type luks2-keyring <&- || fail
$CRYPTSETUP close $DEV_NAME || fail

# check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 22 || fail
# this excludes keyring tokens from unlocking device
$CRYPTSETUP open --token-only --token-type some_type $LOOPDEV --test-passphrase && fail
$CRYPTSETUP open --token-only --token-type some_type $LOOPDEV $DEV_NAME && fail
$CRYPTSETUP status $DEV_NAME > /dev/null && fail

$CRYPTSETUP token remove --token-id 3 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail

# test we can remove keyslot with token
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC1 --key-slot 4 --token-id 0 || fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail

# test we can add unassigned token
# (an unbound token must not unlock anything)
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC0 --unbound --token-id 0 || fail
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail

# test token unassign works
# (both --token-id and -S are required; after unassigning, the token no
# longer unlocks slot 0 and repeated/unknown ids are rejected)
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC0 -S0 --token-id 0 || fail
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV || fail
$CRYPTSETUP token unassign --token-id 0 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP token unassign -S0 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV || fail
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
$CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP token unassign --token-id 0 -S44 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP token unassign --token-id 44 -S0 $LOOPDEV 2>/dev/null && fail

$CRYPTSETUP token remove $LOOPDEV --token-id 0 || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC0 -S0 --token-id 0 || fail

# token 8 assigned to keyslot 0 and 5. Unlocks only 5
# (token 0 authorises the luksAddKey; the kernel key behind token 8 is $PWD2,
# which is the slot 5 passphrase, not slot 0's)
echo "$PWD2" | $CRYPTSETUP luksAddKey -q -S5 $FAST_PBKDF_OPT --token-id 0 $LOOPDEV || fail
echo -n "{\"type\":\"luks2-keyring\",\"keyslots\":[\"0\",\"5\"],\"key_description\":\"$TEST_KEY_DESC1\"}" | $CRYPTSETUP token import $LOOPDEV --token-id 8 || fail
load_key user $TEST_KEY_DESC1 "$PWD2" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"

# token 3 assigned to keyslot 1 (wrong passphrase)
echo "$PWD3" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT --token-id 0 $LOOPDEV || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC2 -S1 --token-id 3 || fail
load_key user $TEST_KEY_DESC2 "$PWDW" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"

# specific token, specific keyslot
$CRYPTSETUP open --test-passphrase --token-id 0 -S0 $LOOPDEV --token-only <&- || fail
# specific keyslot unlocked by any token
$CRYPTSETUP open --test-passphrase -S0 $LOOPDEV --token-only <&- || fail

# token 0 unusable for keyslot 5
$CRYPTSETUP open --test-passphrase --token-id 0 -S5 $LOOPDEV --token-only <&- >/dev/null && fail
# backup interactive prompt should work
# (without --token-only the passphrase on stdin is still accepted)
echo $PWD2 | $CRYPTSETUP open --test-passphrase --token-id 0 -S5 $LOOPDEV || fail

$CRYPTSETUP open --test-passphrase -S5 --token-id 8 $LOOPDEV <&- || fail
$CRYPTSETUP open --test-passphrase -S5 $LOOPDEV <&- || fail

# expect_unlocked_keyslot checks which slot the verbose open reports
expect_unlocked_keyslot 5 "open -v --test-passphrase --token-id 8 -S5 $LOOPDEV" || fail
expect_unlocked_keyslot 5 "open -v --test-passphrase --token-id 8 $LOOPDEV" || fail

# Token-only failures must be reported as EPERM (exit code 2); $? is the
# cryptsetup status because the `&& fail` branch did not run.
$CRYPTSETUP open --test-passphrase -S0 --token-id 8 $LOOPDEV --token-only >/dev/null && fail
[ $? -ne 2 ] && fail "open should return EPERM exit code."
$CRYPTSETUP open --test-passphrase -S1 $LOOPDEV --token-only && fail
[ $? -ne 2 ] && fail "open should return EPERM exit code."
fi
# Import the same token via stdin, --json-file - and a file; a duplicate id
# is refused; every export (stdout or --json-file) must equal the input.
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
$CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 || fail
$CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 2>/dev/null && fail
$CRYPTSETUP token export $LOOPDEV --token-id 10 >$TOKEN_FILE1 || fail
diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
$CRYPTSETUP token export $LOOPDEV --token-id 11 >$TOKEN_FILE1 || fail
diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
$CRYPTSETUP token export $LOOPDEV --token-id 12 >$TOKEN_FILE1 || fail
diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
$CRYPTSETUP token export $LOOPDEV --token-id 12 --json-file $TOKEN_FILE1 || fail
diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
$CRYPTSETUP token export $LOOPDEV --token-id 12 > $TOKEN_FILE1 || fail
diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
|
|
|
|
# [34] Keyslot priority. A slot set to "ignore" is skipped by the default
# slot search but still usable when named explicitly with -S; "normal"
# restores it. Invalid priorities and inactive slots are rejected.
prepare "[34] LUKS keyslot priority" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -S 1 || fail
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -S 5 || fail
$CRYPTSETUP config $LOOPDEV -S 0 --priority prefer && fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority bla >/dev/null 2>&1 && fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase -S 1 || fail
echo $PWD2 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority normal || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
$CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase 2>/dev/null && fail
|
|
|
|
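prepare "[35] LUKS label and subsystem" wipe
# A freshly formatted header carries neither a label nor a subsystem.
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "(no subsystem)" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
# Both can be given at format time ...
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --subsystem SatelliteTwo --label TheLabel || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteTwo" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
# ... and rewritten later with "config". Passing only --subsystem replaces the whole
# label/subsystem pair, so the label set above is cleared. The config calls are
# checked explicitly so a failing header write is reported at its source rather
# than through the dump mismatch that follows.
$CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
$CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree --label TheLabel || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail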
|
|
|
|
prepare "[36] LUKS PBKDF setting" wipe
# an unknown PBKDF name is rejected
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf bla $LOOPDEV >/dev/null 2>&1 && fail
# Force setting, no benchmark. PBKDF2 has 1000 iterations as a minimum
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 999 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
# Argon2: 3 forced passes are rejected, 4 are accepted. All Argon2 steps use
# can_fail_fips, presumably because the Argon2 backend is unavailable when the
# kernel runs in FIPS mode (see FIPS_MODE at the top of the file).
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips
# forced time cost, memory (KiB) and parallelism must be stored verbatim
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 4 \
	--pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || can_fail_fips
# Benchmark
# with -i (target time in ms) the cost is benchmarked, so only check that the dumped
# values are positive; the leading "0" turns an empty field into a valid integer
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
# a benchmarked PBKDF2 count must end up above the 1000-iteration floor
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 -i 500 $LOOPDEV || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail
|
|
|
|
prepare "[37] LUKS Keyslot convert" wipe
# LUKS1 header with key file $KEY5 in slot 5; luksConvertKey is refused on LUKS1
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
$CRYPTSETUP -q luksConvertKey $LOOPDEV --key-file $KEY5 2>/dev/null && fail
# in-place LUKS1 -> LUKS2 conversion keeps slot 5 and its pbkdf2 parameters
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
# re-wrap slot 5 with argon2i (may fail in FIPS mode); the slot must survive the conversion
$CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || can_fail_fips
# add passphrase slot 1 (pbkdf2) authorised by the key file, then drop the key-file slot
echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 5 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
# the passphrase slot converts the same way
echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
# an unbound slot (not tied to the volume key) can be converted as well
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
|
|
|
|
prepare "[38] luksAddKey unbound tests" wipe
# Unbound keyslots wrap a key that is NOT the volume key: they can be verified with
# --test-passphrase and dumped, but never activate the device or authorise new slots.
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
# unbound key may have arbitrary size
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
# slot 3 wraps a caller-supplied 64-byte random key (-s is in bits) kept in $KEY_FILE0
# so that the dumped key can be compared against it later
dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" || fail
# unbound key size is required
echo $PWD1 | $CRYPTSETUP -q luksAddKey --unbound $LOOPDEV 2>/dev/null && fail
echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --volume-key-file /dev/urandom $LOOPDEV 2> /dev/null && fail
# do not allow one to replace keyslot by unbound slot
echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
# activation via an unbound slot must fail, both through the slot scan and with an
# explicit -S; --test-passphrase still verifies the slot
echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
# check we're able to change passphrase for unbound keyslot
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP open --test-passphrase -S 2 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP -q open -S 2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
# do not allow adding keyslot by unbound keyslot
echo -e "$PWD3\n$PWD1" | $CRYPTSETUP -q luksAddKey $LOOPDEV 2> /dev/null && fail
# check adding keyslot works when there's unbound keyslot
echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --key-file $KEY5 -S8 || fail
echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP close $DEV_NAME || fail
# the kill is not checked directly; the dump on the next line detects a surviving slot
$CRYPTSETUP luksKillSlot -q $LOOPDEV 2
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" && fail
# dumping an unbound key needs an explicit -S, refuses to overwrite an existing output
# file, and the written key must be byte-identical to the one that was wrapped.
# NOTE: the key lands in plaintext in $KEY_FILE1 in the test directory; it is a
# throwaway test key, cleanup is presumably done by the common cleanup code.
echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 $LOOPDEV 2> /dev/null && fail
echo $PWD3 | $CRYPTSETUP luksDump --unbound 2> /dev/null $LOOPDEV 2> /dev/null && fail
echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $LOOPDEV > /dev/null || fail
diff $KEY_FILE0 $KEY_FILE1 || fail
echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $LOOPDEV 2> /dev/null && fail
diff $KEY_FILE0 $KEY_FILE1 || fail
rm $KEY_FILE1 || fail
# with --volume-key-file the key goes only to the file; without it, it is printed
echo $PWD3 | $CRYPTSETUP luksDump --unbound --volume-key-file $KEY_FILE1 -S3 $LOOPDEV | grep -q "Unbound Key:" && fail
echo $PWD3 | $CRYPTSETUP luksDump --unbound -S3 $LOOPDEV | grep -q "Unbound Key:" || fail
$CRYPTSETUP luksKillSlot -q $LOOPDEV 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail
|
|
|
|
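prepare "[39] LUKS2 metadata variants" wipe
# Pre-built images with metadata areas from 16 KiB to 4 MiB. Each one must open,
# take a new keyslot and a token, and export the token unchanged.
# Fail right here if the fixture archive cannot be unpacked instead of tripping
# over a missing image inside the loop.
tar xJf luks2_mda_images.tar.xz || fail
echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
	echo -n "[$mda KiB]"
	echo $PWD4 | $CRYPTSETUP open test_image_$mda $DEV_NAME || fail
	$CRYPTSETUP close $DEV_NAME || fail
	# new slot 9 ($PWD3), authorised by the existing $PWD4 slot
	echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -q -S9 $FAST_PBKDF_OPT test_image_$mda || fail
	echo $PWD4 | $CRYPTSETUP open --test-passphrase test_image_$mda || fail
	echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase test_image_$mda || fail
	# token round trip must be byte-exact whatever the metadata size
	echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import test_image_$mda --token-id 10 || fail
	$CRYPTSETUP token export test_image_$mda --token-id 10 >$TOKEN_FILE1 || fail
	diff $TOKEN_FILE1 $TOKEN_FILE0 || fail
	echo -n "[OK]"
done
echo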
|
|
|
|
prepare "[40] LUKS2 metadata areas" wipe
# remember the default data offset (bytes) to derive the default keyslots area size
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2> /dev/null || fail
DEFAULT_OFFSET=$($CRYPTSETUP luksDump $LOOPDEV | grep "offset: " | cut -f 2 -d ' ')
# the --luks2-*-size options are meaningless for LUKS1
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k 2> /dev/null && fail
# 127k is not a valid size for either area
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
# 128 MiB is the largest valid keyslots area, so one byte over (129M) must be refused
# regardless of the device size
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=129M >/dev/null 2>&1 && fail
# explicit 128k / 128k layout is stored as given
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
# only the metadata size given: the keyslots area fills everything up to the default
# data offset, minus the two (primary + secondary) metadata copies
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "$((DEFAULT_OFFSET-2*131072)) \[bytes\]" || fail
# only the keyslots size given: metadata keeps its 16 KiB default
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-keyslots-size=128k >/dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
# --offset is in 512-byte sectors: 16384 sectors = 8 MiB, keyslots area = 8 MiB - 2 * 16 KiB
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset 16384 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "8355840 \[bytes\]" || fail
# data offset vs area size
# 64 sectors (32 KiB) are consumed entirely by the two metadata copies: no room left
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset 64 --luks2-keyslots-size=8192 >/dev/null 2>&1 && fail
# presumably the remaining area must still hold one keyslot for a 256-bit key:
# 256+56 sectors leave 124 KiB (refused), 256+64 sectors leave exactly 128 KiB
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset $((256+56)) >/dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset $((256+64)) >/dev/null || fail
|
|
|
|
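prepare "[41] Per-keyslot encryption parameters" wipe
# The cipher used to wrap a keyslot's key material can differ from the data cipher.
# Every keyslot below is created or rewritten with aes-cbc-plain64/128 and checked
# in the luksDump output of that slot.
KEYSLOT_CIPHER="aes-cbc-plain64"

# check_keyslot_cipher <slot> <cipher> <key bits>
# Assert that the "Cipher:" and "Cipher key:" lines printed for the keyslot match.
# The dump is read once from the backing image ($IMG); only the first match of
# "<slot>: luks2" and the 8 lines after it are inspected, which relies on slots
# being listed in ascending order (so "1: luks2" is found before "21: luks2").
check_keyslot_cipher()
{
	local slot=$1 cipher=$2 bits=$3 dump
	dump=$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "$slot: luks2")
	[ "$(printf '%s\n' "$dump" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = "$cipher" ] || fail
	[ "$(printf '%s\n' "$dump" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "$bits bits" ] || fail
}

# set at format time (slot 0) ...
$CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
check_keyslot_cipher 0 $KEYSLOT_CIPHER 128
# ... when adding a slot (slot 1) ...
$CRYPTSETUP luksAddKey -q $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 1 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
check_keyslot_cipher 1 $KEYSLOT_CIPHER 128
# ... and when changing the passphrase of a slot created with the defaults (slot 2)
$CRYPTSETUP luksAddKey -q $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 2 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
check_keyslot_cipher 2 $KEYSLOT_CIPHER 128
# unbound keyslot
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
check_keyslot_cipher 21 $KEYSLOT_CIPHER 128
# unbound keyslot rewritten through luksConvertKey (the device is passed once;
# it used to be given twice on this command line)
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
check_keyslot_cipher 22 $KEYSLOT_CIPHER 128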
|
|
|
|
prepare "[42] Some encryption compatibility mode tests" wipe
# Legacy cipher specifications must still be accepted by a LUKS2 luksFormat.
# Only the format path is exercised here; aes-ecb and aes-cbc-null are kept for
# compatibility, not as recommendations (ECB and a null IV leak plaintext structure).
CIPHERS="aes-ecb aes-cbc-null aes-cbc-plain64 aes-cbc-essiv:sha256 aes-xts-plain64"
key_size=256
read -ra cipher_list <<< "$CIPHERS"
for cipher in "${cipher_list[@]}"; do
	echo -n "[$cipher/$key_size]"
	$CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --cipher "$cipher" --key-size $key_size || fail
done
echo
|
|
|
|
prepare "[43] New luksAddKey options." wipe
# Every "unlock with X, protect the new slot with Y" combination of luksAddKey,
# X and Y being a passphrase, a key file or the volume key (keyring tokens below).
rm -f $VK_FILE
echo "$PWD1" | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG || fail
# the raw volume key is written in plaintext to $VK_FILE for the "vk ..." cases;
# it is a throwaway test key, and presumably the common cleanup removes the file -
# verify, since a leftover copy would unlock the test image without any passphrase
echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail

# pass pass
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT $IMG || fail
echo $PWD2 | $CRYPTSETUP open -q --test-passphrase -S1 $IMG || fail

# pass file: existing slot 1 passphrase on stdin, new slot 2 protected by key file $KEY1
echo "$PWD2" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S1 --new-key-slot 2 $IMG $KEY1 || fail
$CRYPTSETUP open --test-passphrase -q -S2 -d $KEY1 $IMG || fail

# file pass: slot 2 unlocked with -d $KEY1, new slot 3 passphrase read from stdin
echo "$PWD3" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 -d $KEY1 --new-key-slot 3 $IMG || fail
echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S3 $IMG || fail

# file file
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 4 -d $KEY1 --new-keyfile $KEY2 $IMG || fail
$CRYPTSETUP open --test-passphrase -q -S4 -d $KEY2 $IMG || fail

# vk pass: no existing slot is unlocked, the volume key file alone authorises the add
echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S5 --volume-key-file $VK_FILE $IMG || fail
echo $PWD4 | $CRYPTSETUP open -q --test-passphrase -S5 $IMG || fail

# vk file
$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S6 --volume-key-file $VK_FILE --new-keyfile $KEY5 $IMG || fail
$CRYPTSETUP open --test-passphrase -q -S6 -d $KEY5 $IMG || fail
|
|
|
|
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
	# Keyring-token variants of the same matrix. Token 0 references the user key
	# $TEST_KEY_DESC0 (= $PWD1) and is bound to slot 0; token 1 references
	# $TEST_KEY_DESC1 (= $PWDW), matches no slot yet and is added --unbound. Each
	# "... token" case binds token 1 to a fresh slot, verifies it, then kills the
	# slot so the token is unusable again before the next case.
	test_and_prepare_keyring
	load_key user $TEST_KEY_DESC0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
	load_key user $TEST_KEY_DESC1 $PWDW "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
	$CRYPTSETUP token add $IMG --key-description $TEST_KEY_DESC0 --token-id 0 -S0 || fail
	$CRYPTSETUP token add $IMG --key-description $TEST_KEY_DESC1 --token-id 1 --unbound || fail

	# pass token
	echo -e "$PWD1" | $CRYPTSETUP luksAddKey -q -S7 --new-token-id 1 $FAST_PBKDF_OPT $IMG || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail
	echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 7 || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail

	# file token
	$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 7 --new-token-id 1 -d $KEY1 $IMG || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail
	echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 7 || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail

	# vk token
	$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S7 --volume-key-file $VK_FILE --new-token-id 1 $IMG || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail
	echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 7 || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail

	# token pass: unlock through token 0, new slot 7 takes $PWD4 from stdin
	echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S7 --token-id 0 $IMG || fail
	echo $PWD4 | $CRYPTSETUP open -q --test-passphrase -S7 $IMG || fail

	# token file
	echo $PWD4 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S8 --token-id 0 $IMG $KEY2 || fail
	$CRYPTSETUP open -q --test-passphrase -S8 --key-file $KEY2 $IMG || fail

	# token token
	$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S9 --token-id 0 --new-token-id 1 $IMG || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG || fail
	echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 9 || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 1 -q $IMG && fail

	# reuse same token: unlock via token 0 and bind the new slot 9 to token 0 as well
	$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S0 --new-key-slot 9 --token-id 0 --new-token-id 0 $IMG || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
	echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 9 || fail

	# reuse same token, no slots given; the luksKillSlot below relies on the new
	# slot landing in the first free one, which is 9 at this point
	$CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --token-id 0 --new-token-id 0 $IMG || fail
	echo $PWD1 | $CRYPTSETUP luksKillSlot $IMG 9 || fail
	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
fi
|
|
|
|
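if dm_crypt_capi_support; then
	prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
	# Header fixture whose cipher is a raw kernel crypto API driver name. The header
	# must stay readable and the passphrase verifiable, but activation and
	# reencryption are refused because no cryptsetup cipher pattern matches it.
	# NOTE(review): unlike [46] this runs xz without -f, so a leftover
	# $HEADER_LUKS2_INV from an earlier run makes xz return non-zero and the stale
	# copy is reused; presumably that is why its status is deliberately not checked.
	xz -dk $HEADER_LUKS2_INV.xz
	dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1 || fail
	$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
	echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
	# Create the mapping by hand with a throwaway 256-bit key (the value does not
	# matter: only how "status" reports the unknown cipher is checked) and the
	# CRYPT-LUKS2-<uuid> naming cryptsetup uses; the uuid is presumably the one
	# stored in the fixture header. The create itself must succeed, otherwise the
	# status check below would fail for the wrong reason.
	dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
	"0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768" || fail
	$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
	$CRYPTSETUP close $DEV_NAME ||fail
fi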
|
|
|
|
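if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
	prepare "[45] Link VK to a keyring and use custom VK type." wipe

	# --link-vk-to-keyring "<keyring>::%<type>:<name>" exports the unlocked volume
	# key into a kernel keyring on activation. The test_vk_link* and
	# test_reencrypt_vk_link* helpers (defined elsewhere in this file) cover the
	# keyring / key-type matrix; the inline checks below cover the corner cases.
	echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2> /dev/null || fail
	KEY_NAME="cryptsetup:test_volume_key_id"
	KEY_NAME2="cryptsetup:test_volume_key_id2"
	KEY_NAME3="cryptsetup:test_volume_key_id3"
	test_and_prepare_keyring
	# Probe whether the session (@s) and user-session (@us) keyrings accept keys in
	# this environment; the @s cases are skipped when they do not.
	# USER_SESSION_KEYRING_WORKS is recorded but not consulted by the tests below.
	KID=$(echo -n test | keyctl padd user my_token @s)
	keyctl unlink $KID >/dev/null 2>&1 @s && SESSION_KEYRING_WORKS=1
	KID=$(echo -n test | keyctl padd user my_token @us)
	keyctl unlink $KID >/dev/null 2>&1 @us && USER_SESSION_KEYRING_WORKS=1

	test_vk_link $KEY_NAME "@u"
	test_vk_link $KEY_NAME "@u" "user"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "logon"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link $KEY_NAME "@s" "user"
	test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME"
	test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
	test_vk_link $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
	# explicitly specify keyring key type
	test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME"

	test_vk_link_and_reactivate $KEY_NAME "@u" "user"
	test_vk_link_and_reactivate $KEY_NAME "@u"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user"
	test_vk_link_and_reactivate $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
	# explicitly specify keyring key type
	test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user"
	test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME"

	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"

	# test numeric keyring name -5 is user session (@us) keyring
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail
	keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
	# the close must succeed: if the device stayed active, the "still linked after
	# deactivation" check below would pass without proving anything
	$CRYPTSETUP close $DEV_NAME || fail
	keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after deactivation."
	keyctl unlink "%logon:$KEY_NAME" @us || fail

	# test malformed keyring descriptions and key types
	# missing key description
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "%$TEST_KEYRING_NAME::" > /dev/null 2>&1 && fail
	# malformed keyring description
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring ":$TEST_KEYRING_NAME::$KEY_NAME" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@uuu::$KEY_NAME" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@usu::$KEY_NAME" > /dev/null 2>&1 && fail

	# key type without a name, and key spec without a keyring
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "$TEST_KEYRING_NAME::%user:" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "%user:$KEY_NAME" > /dev/null 2>&1 && fail

	# unknown key types
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%0:$KEY_NAME" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%blah:$KEY_NAME" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@t::%userlogon:$KEY_NAME" > /dev/null 2>&1 && fail

	# test that only one VK name is used, when the device is not in reencryption
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@u::%user:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 || fail
	keyctl unlink "%user:$KEY_NAME" @u || fail
	keyctl unlink "%user:$KEY_NAME2" @u > /dev/null 2>&1 && fail
	$CRYPTSETUP close $DEV_NAME || fail

	# test linking multiple VKs during reencryption
	# everything below assumes the device is in online reencryption, so the
	# initialisation is checked rather than left to fail the later assertions
	echo $PWD1 | $CRYPTSETUP -q reencrypt $LOOPDEV --init-only || fail

	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@u"
	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@u" "user"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" "logon"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "@s" "user"
	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME"
	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "user"
	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "logon"
	# explicitly specify keyring key type
	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%keyring:$TEST_KEYRING_NAME"

	test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@u"
	test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@u" "user"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@s"
	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "@s" "user"
	test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME"
	test_reencrypt_vk_link_and_reactivate $KEY_NAME $KEY_NAME2 "%:$TEST_KEYRING_NAME" "user"

	# explicitly specify keyring key type
	# NOTE(review): this repeats the "%keyring:" test_reencrypt_vk_link call from above;
	# by analogy with the non-reencryption block it was probably meant to be
	# test_reencrypt_vk_link_and_reactivate - confirm before changing it.
	test_reencrypt_vk_link $KEY_NAME $KEY_NAME2 "%keyring:$TEST_KEYRING_NAME"

	# the keyring and key type have to be the same for both keys
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%user:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@u::%logon:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" --link-vk-to-keyring "@u::%user:$KEY_NAME2" > /dev/null 2>&1 && fail

	# supply one/three key name(s) when two names are required
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring "@s::%logon:$KEY_NAME" --link-vk-to-keyring "@s::%logon:$KEY_NAME2" --link-vk-to-keyring "@s::%logon:$KEY_NAME3" > /dev/null 2>&1 && fail
fi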
|
|
|
|
prepare "[46] Blkid disable check" wipe
if [ "$HAVE_BLKID" -gt 0 ]; then
	# $HEADER_LUKS2_PV carries an LVM2 physical-volume signature: formatting over it
	# must report the foreign signature found by the blkid probe, and --disable-blkid
	# must suppress the probe entirely
	xz -dkf $HEADER_LUKS2_PV.xz
	# batch mode disables blkid print, use --debug to check it
	echo $PWD1 | $CRYPTSETUP -q --debug luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep "signature" | grep -q "LVM2_member" || fail
	# re-extract a pristine copy before the second format
	xz -dkf $HEADER_LUKS2_PV.xz
	echo $PWD1 | $CRYPTSETUP -q --debug --disable-blkid luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" && fail
fi
|
|
|
|
prepare "[47] Init from suspended device" wipe
# data device is a linear dm mapping over the loop device (skipping 2 sectors),
# the LUKS2 header is detached in $HEADER_IMG
dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 --header $HEADER_IMG /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen --header $HEADER_IMG /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
# underlying device now returns error but node is still present
dmsetup load $DEV_NAME --table "0 40000 error" || fail
dmsetup resume $DEV_NAME || fail
dmsetup suspend $DEV_NAME || fail
# status must print data even if data device is suspended
# (I/O to a suspended dm device is held until resume, so status has to get by
# with the detached header and must not touch the data device)
$CRYPTSETUP -q status --debug --header $HEADER_IMG $DEV_NAME2 | grep "type:" | grep -q "LUKS2" || fail
dmsetup resume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
dmsetup remove --retry $DEV_NAME || fail
|
|
|
|
prepare "[48] Zoned device is unusable for LUKS header" wipe
# A host-managed zoned (ZBC) scsi_debug device must not take an in-place LUKS
# header (LUKS1 and LUKS2 alike), but is fine as a data device with a detached
# header. The whole test is skipped silently when scsi_debug cannot provide such
# a device; $DEV is expected to be set by add_scsi_device on success.
if add_scsi_device dev_size_mb=32 sector_size=4096 zbc=host-managed ; then
	for hdr_type in luks1 luks2; do
		echo $PWD1 | $CRYPTSETUP luksFormat --type $hdr_type $FAST_PBKDF_OPT $DEV > /dev/null 2>&1 && fail
		echo $PWD1 | $CRYPTSETUP luksFormat --type $hdr_type $FAST_PBKDF_OPT --header $HEADER_IMG $DEV >/dev/null || fail
		echo $PWD1 | $CRYPTSETUP open --header $HEADER_IMG $DEV $DEV_NAME || fail
		$CRYPTSETUP close $DEV_NAME || fail
	done
fi
|
|
|
|
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
	prepare "[49] Keyring description use" wipe
	# Passphrases supplied through kernel keyring user keys (--key-description /
	# --new-key-description) instead of stdin; $TEST_KEY_DESC1 holds $PWD1 and
	# $TEST_KEY_DESC2 holds $PWD2. With --disable-keyring they must be unusable.
	test_and_prepare_keyring
	load_key user $TEST_KEY_DESC1 $PWD1 "$TEST_KEYRING" || fail
	load_key user $TEST_KEY_DESC2 $PWD2 "$TEST_KEYRING" || fail
	$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --disable-keyring --key-description $TEST_KEY_DESC1 2>/dev/null && fail
	$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-description $TEST_KEY_DESC1 || fail
	# the keyring passphrase works for volume key dump, open and resume ...
	$CRYPTSETUP -q luksDump $LOOPDEV --dump-volume-key --key-description $TEST_KEY_DESC1 >/dev/null || fail
	$CRYPTSETUP -q open $LOOPDEV $DEV_NAME --key-description $TEST_KEY_DESC1 || fail
	$CRYPTSETUP luksSuspend $DEV_NAME || fail
	$CRYPTSETUP luksResume $DEV_NAME --key-description $TEST_KEY_DESC1 || fail
	$CRYPTSETUP -q close $DEV_NAME || fail
	# ... and for luksAddKey: new passphrase from the keyring (existing one on stdin)
	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --new-key-description $TEST_KEY_DESC2 $LOOPDEV --disable-keyring 2>/dev/null && fail
	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --new-key-description $TEST_KEY_DESC2 $LOOPDEV --new-key-slot 1 || fail
	$CRYPTSETUP -q open $LOOPDEV --test-passphrase --key-description $TEST_KEY_DESC2 || fail
	$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
	# existing passphrase from the keyring (new one on stdin)
	echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-description $TEST_KEY_DESC1 $LOOPDEV --new-key-slot 1 || fail
	$CRYPTSETUP -q open $LOOPDEV --test-passphrase --key-description $TEST_KEY_DESC2 || fail
	$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
	# both passphrases from the keyring, nothing on stdin
	$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-description $TEST_KEY_DESC1 --new-key-description $TEST_KEY_DESC2 $LOOPDEV --new-key-slot 1 || fail
	$CRYPTSETUP -q open $LOOPDEV --test-passphrase --key-description $TEST_KEY_DESC2 || fail
	$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
fi
|
|
|
|
prepare "[50] Interactive retry keyslot test" wipe
# slot 0 is a regular passphrase slot ($PWD1), slot 1 an unbound one ($PWD2)
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD2 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_OPT --unbound --key-size 256 $LOOPDEV || fail
# expect_retried_unlocked_keyslot <slot> <passphrase> <cryptsetup args> (defined
# elsewhere in this file) drives the interactive prompt with --tries 2 and checks
# which keyslot the verbose output reports as unlocked; presumably it answers the
# first prompt wrongly so that the retry path is the one being exercised
expect_retried_unlocked_keyslot 0 $PWD1 "open -v --test-passphrase --tries 2 $LOOPDEV" || fail
expect_retried_unlocked_keyslot 1 $PWD2 "open -v --test-passphrase --tries 2 -S1 $LOOPDEV" || fail
|
|
|
|
prepare "[51] Early check for active name." wipe
# Device-mapper names that can never be activated: one containing '/', and one of
# 128 characters, longer than device-mapper accepts. Only the refusal is checked
# here, not how early in the activation it happens.
DM_BAD_NAME=x/x
# sixteen hex digits repeated eight times (printf reuses the format per argument)
DM_LONG_NAME=$(printf '0123456789abcdef%.0s' {1..8})
echo $PWD1 | $CRYPTSETUP luksFormat -q $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
for dm_name in "$DM_BAD_NAME" "$DM_LONG_NAME"; do
	echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV "$dm_name" 2>/dev/null && fail
done
|
|
|
|
# tear down whatever mapping or image the last test left behind, then report success
remove_mapping
exit 0
|