"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/tests/compat-test2" (13 Jan 2022, 58746 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Bash source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. See also the last Fossies "Diffs" side-by-side code changes report for "compat-test2": 2.4.0_vs_2.4.1.

    1 #!/bin/bash
    2 
    3 PS4='$LINENO:'
    4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
    5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
    6 
    7 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
    8 CRYPTSETUP_LIB_VALGRIND=../.libs
    9 
   10 DEV_NAME=dummy
   11 DEV_NAME2=dummy2
   12 DEV_NAME3=dummy3
   13 ORIG_IMG=luks-test-orig
   14 IMG=luks-test
   15 IMG10=luks-test-v10
   16 HEADER_IMG=luks-header
   17 HEADER_KEYU=luks2_keyslot_unassigned.img
   18 HEADER_LUKS2_PV=blkid-luks2-pv.img
   19 KEY1=key1
   20 KEY2=key2
   21 KEY5=key5
   22 KEYE=keye
   23 PWD0="compatkey"
   24 PWD1="93R4P4pIqAH8"
   25 PWD2="mymJeD8ivEhE"
   26 PWD3="ocMakf3fAcQO"
   27 PWD4="Qx3qn46vq0v"
   28 PWDW="rUkL4RUryBom"
   29 TEST_KEYRING_NAME="compattest2_keyring"
   30 TEST_TOKEN0="compattest2_desc0"
   31 TEST_TOKEN1="compattest2_desc1"
   32 TEST_TOKEN2="compattest2_desc2"
   33 VK_FILE="compattest2_vkfile"
   34 IMPORT_TOKEN="{\"type\":\"some_type\",\"keyslots\":[],\"base64_data\":\"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ\"}"
   35 TOKEN_FILE0=test-token-file0
   36 TOKEN_FILE1=test-token-file1
   37 KEY_FILE0=test-key-file0
   38 KEY_FILE1=test-key-file1
   39 
   40 FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
   41 
   42 TEST_UUID="12345678-1234-1234-1234-123456789abc"
   43 
   44 LOOPDEV=$(losetup -f 2>/dev/null)
   45 [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
   46 
   47 function remove_mapping()
   48 {
   49     [ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove --retry $DEV_NAME3
   50     [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
   51     [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
   52     losetup -d $LOOPDEV >/dev/null 2>&1
   53     rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
   54 
   55     # unlink whole test keyring
   56     [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
   57     unset TEST_KEYRING
   58 
   59     rmmod scsi_debug >/dev/null 2>&1
   60     scsi_debug_teardown $DEV
   61 }
   62 
   63 function force_uevent()
   64 {
   65     DNAME=$(echo $LOOPDEV | cut -f3 -d /)
   66     echo "change" >/sys/block/$DNAME/uevent
   67 }
   68 
   69 function fail()
   70 {
   71     [ -n "$1" ] && echo "$1"
   72     remove_mapping
   73     echo "FAILED backtrace:"
   74     while caller $frame; do ((frame++)); done
   75     exit 2
   76 }
   77 
   78 function fips_mode()
   79 {
   80     [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
   81 }
   82 
   83 function can_fail_fips()
   84 {
   85     # Ignore this fail if running in FIPS mode
   86     fips_mode || fail $1
   87 }
   88 
   89 function skip()
   90 {
   91     [ -n "$1" ] && echo "$1"
   92     remove_mapping
   93     exit 77
   94 }
   95 
   96 function prepare()
   97 {
   98     [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
   99 
  100     case "$2" in
  101     wipe)
  102         remove_mapping
  103         dd if=/dev/zero of=$IMG bs=1M count=40 >/dev/null 2>&1
  104         sync
  105         losetup $LOOPDEV $IMG
  106         ;;
  107     new)
  108         remove_mapping
  109         xz -cd compatimage.img.xz > $IMG
  110         xz -dk $HEADER_KEYU.xz
  111         # FIXME: switch to internal loop (no losetup at all)
  112         echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
  113             grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
  114         losetup $LOOPDEV $IMG
  115         xz -cd compatv10image.img.xz > $IMG10
  116         ;;
  117     reuse | *)
  118         if [ ! -e $IMG ]; then
  119             xz -cd compatimage.img.xz > $IMG
  120             losetup $LOOPDEV $IMG
  121         fi
  122         [ ! -e $IMG10 ] && xz -cd compatv10image.img.xz > $IMG10
  123         ;;
  124     esac
  125 
  126     if [ ! -e $KEY1 ]; then
  127         #dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
  128         echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$KEY1
  129         echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$KEY1
  130     fi
  131 
  132     if [ ! -e $KEY2 ]; then
  133         dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
  134     fi
  135 
  136     if [ ! -e $KEY5 ]; then
  137         dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
  138     fi
  139 
  140     if [ ! -e $KEYE ]; then
  141         touch $KEYE
  142     fi
  143 
  144     cp $IMG $ORIG_IMG
  145     [ -n "$1" ] && echo "CASE: $1"
  146 }
  147 
  148 function check_exists()
  149 {
  150     [ -b /dev/mapper/$DEV_NAME ] || fail
  151 }
  152 
  153 function valgrind_setup()
  154 {
  155     which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
  156     [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
  157     export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
  158 }
  159 
  160 function valgrind_run()
  161 {
  162     INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
  163 }
  164 
  165 function dm_crypt_keyring_support()
  166 {
  167     VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
  168     [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
  169 
  170     VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
  171     VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
  172     VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
  173 
  174     test -d /proc/sys/kernel/keys || return 1
  175 
  176     [ $VER_MAJ -gt 1 ] && return 0
  177     [ $VER_MAJ -eq 1 -a $VER_MIN -gt 18 ] && return 0
  178     [ $VER_MAJ -eq 1 -a $VER_MIN -eq 18 -a $VER_PTC -ge 1 ] && return 0
  179     return 1
  180 }
  181 
  182 function dm_crypt_keyring_flawed()
  183 {
  184     dm_crypt_keyring_support && return 1;
  185 
  186     [ $VER_MAJ -gt 1 ] && return 0
  187     [ $VER_MAJ -eq 1 -a $VER_MIN -ge 15 ] && return 0
  188     return 1
  189 }
  190 
  191 function dm_crypt_keyring_new_kernel()
  192 {
  193     KER_STR=$(uname -r)
  194     [ -z "$KER_STR" ] && fail "Failed to parse kernel version."
  195     KER_MAJ=$(echo $KER_STR | cut -f 1 -d.)
  196     KER_MIN=$(echo $KER_STR | cut -f 2 -d.)
  197 
  198     [ $KER_MAJ -ge 5 ] && return 0
  199     [ $KER_MAJ -eq 4 -a $KER_MIN -ge 15 ] && return 0
  200     return 1
  201 }
  202 
  203 function dm_crypt_sector_size_support()
  204 {
  205     VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
  206     [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
  207 
  208     VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
  209     VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
  210     VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
  211 
  212     if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then
  213         return 0
  214     fi
  215 
  216     return 1
  217 }
  218 
  219 function test_and_prepare_keyring() {
  220     which keyctl > /dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
  221     keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
  222     TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
  223     test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
  224     keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1 || keyctl link "@u" "@s" > /dev/null 2>&1
  225     load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
  226 }
  227 
  228 # $1 type
  229 # $2 description
  230 # $3 payload
  231 # $4 keyring
  232 function load_key()
  233 {
  234     keyctl add $@ >/dev/null
  235 }
  236 
  237 function setup_luks2_env() {
  238     echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV || fail
  239     $CRYPTSETUP luksDump $LOOPDEV >/dev/null || fail
  240     echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
  241     HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "keyring")
  242     if [ -n "$HAVE_KEYRING" ]; then
  243         HAVE_KEYRING=1
  244     else
  245         HAVE_KEYRING=0
  246     fi
  247     $CRYPTSETUP close $DEV_NAME || fail
  248 }
  249 
  250 # $1 path to scsi debug bdev
  251 scsi_debug_teardown() {
  252     local _tries=15;
  253 
  254     while [ -b "$1" -a $_tries -gt 0 ]; do
  255         rmmod scsi_debug >/dev/null 2>&1
  256         if [ -b "$1" ]; then
  257             sleep .1
  258             _tries=$((_tries-1))
  259         fi
  260     done
  261 
  262     test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
  263 }
  264 
  265 function add_scsi_device() {
  266     scsi_debug_teardown $DEV
  267     if [ -d /sys/module/scsi_debug ] ; then
  268         echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
  269         exit 77
  270     fi
  271     modprobe scsi_debug $@ delay=0 >/dev/null 2>&1
  272     if [ $? -ne 0 ] ; then
  273         echo "This kernel seems to not support proper scsi_debug module, test skipped."
  274         exit 77
  275     fi
  276 
  277     sleep 1
  278     DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
  279     [ -b $DEV ] || fail "Cannot find $DEV."
  280 }
  281 
  282 export LANG=C
  283 
  284 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
  285 [ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."
  286 
  287 prepare "[0] Detect LUKS2 environment" wipe
  288 setup_luks2_env
  289 
  290 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
  291 
  292 prepare "[1] Data offset" wipe
  293 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 1 2>/dev/null && fail
  294 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 16385 2>/dev/null && fail
  295 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 32 2>/dev/null && fail
  296 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --align-payload 16384 --offset 16384 2>/dev/null && fail
  297 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 16384 || fail
  298 $CRYPTSETUP -q luksDump  $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
  299 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 1024 --offset 16384 >/dev/null || fail
  300 $CRYPTSETUP -q luksDump  $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
  301 truncate -s 4096 $HEADER_IMG
  302 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG -q --offset 80000 >/dev/null 2>&1 || fail
  303 
  304 prepare "[2] Sector size and old payload alignment" wipe
  305 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size  511 2>/dev/null && fail
  306 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size  256 2>/dev/null && fail
  307 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 8192 2>/dev/null && fail
  308 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size  512 || fail
  309 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --align-payload 5 || fail
  310 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size  512 --align-payload 5 || fail
  311 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 --align-payload 32 >/dev/null || fail
  312 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 4096 >/dev/null || fail
  313 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 --align-payload 32768 >/dev/null || fail
  314 $CRYPTSETUP -q luksDump  $LOOPDEV | grep -q "offset: $((512 * 32768)) \[bytes\]" || fail
  315 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 >/dev/null || fail
  316 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 4096 --align-payload 32768 >/dev/null || fail
  317 $CRYPTSETUP -q luksDump  $LOOPDEV | grep -q "offset: $((512 * 32768)) \[bytes\]" || fail
  318 
  319 prepare "[3] format" wipe
  320 echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
  321 prepare "[4] format using hash sha512" wipe
  322 echo $PWD1 | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
  323 $CRYPTSETUP -q luksDump  $LOOPDEV | grep "0: pbkdf2" -A2 | grep "Hash:" | grep -qe sha512 || fail
  324 # Check JSON dump for some mandatory section
  325 $CRYPTSETUP -q luksDump  $LOOPDEV --dump-json-metadata | grep -q '\"tokens\":' || fail
  326 
  327 prepare "[5] open"
  328 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
  329 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
  330 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
  331 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  332 check_exists
  333 
  334 # Key Slot 1 and key material section 1 must change, the rest must not.
  335 prepare "[6] add key"
  336 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT || fail
  337 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  338 
  339 # Unsuccessful Key Delete - nothing may change
  340 prepare "[7] unsuccessful delete"
  341 echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
  342 [ $? -ne 2 ] && fail "luksKillSlot should return EPERM exit code"
  343 #FIXME
  344 #$CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
  345 #$CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
  346 
  347 # Delete Key Test
  348 # Key Slot 1 and key material section 1 must change, the rest must not
  349 prepare "[8] successful delete"
  350 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
  351 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
  352 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
  353 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  354 
  355 # Key Slot 1 and key material section 1 must change, the rest must not
  356 prepare "[9] add key test for key files"
  357 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
  358 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
  359 
  360 # Key Slot 1 and key material section 1 must change, the rest must not
  361 prepare "[10] delete key test with key1 as remaining key"
  362 $CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
  363 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  364 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
  365 
  366 # Delete last slot
  367 prepare "[11] delete last key" wipe
  368 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
  369 echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
  370 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  371 
  372 # Format test for ESSIV, and some other parameters.
  373 prepare "[12] parameter variation test" wipe
  374 $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV $KEY1 || fail
  375 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
  376 
  377 prepare "[13] open/close - stacked devices" wipe
  378 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
  379 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
  380 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 /dev/mapper/$DEV_NAME $FAST_PBKDF_OPT || fail
  381 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
  382 $CRYPTSETUP -q luksClose  $DEV_NAME2 || fail
  383 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  384 
  385 prepare "[14] format/open - passphrase on stdin & new line" wipe
  386 # stdin defined by "-" must take even newline
  387 #echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
  388 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks2 $LOOPDEV || fail
  389 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
  390 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  391 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  392 # now also try --key-file
  393 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV --key-file=- || fail
  394 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
  395 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  396 # process newline if from stdin
  397 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV || fail
  398 echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
  399 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  400 
  401 prepare "[15] UUID - use and report provided UUID" wipe
  402 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid blah --type luks2 $LOOPDEV 2>/dev/null && fail
  403 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV || fail
  404 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
  405 [ "$tst"x = "$TEST_UUID"x ] || fail
  406 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  407 $CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
  408 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
  409 [ "$tst"x = "$TEST_UUID"x ] || fail
  410 
  411 prepare "[16] luksFormat" wipe
  412 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV || fail
  413 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV -d $KEY1 || fail
  414 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
  415 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
  416 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  417 # open by UUID
  418 if [ -d /dev/disk/by-uuid ] ; then
  419     force_uevent # some systems do not update loop by-uuid
  420     $CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
  421     $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
  422     $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  423 fi
  424 # empty keyfile
  425 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
  426 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
  427 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  428 # open by volume key
  429 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 --type luks2 $LOOPDEV || fail
  430 $CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
  431 $CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
  432 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
  433 
  434 prepare "[17] AddKey volume key, passphrase and keyfile" wipe
  435 # masterkey
  436 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail
  437 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
  438 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
  439 echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail
  440 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
  441 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
  442 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail
  443 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail
  444 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
  445 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
  446 
  447 # special "-" handling
  448 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
  449 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
  450 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
  451 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
  452 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
  453 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
  454 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
  455 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
  456 
  457 # [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
  458 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
  459 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
  460 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
  461 # keyfile/keyfile
  462 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
  463 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
  464 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
  465 # passphrase/keyfile
  466 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
  467 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
  468 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
  469 # passphrase/passphrase
  470 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
  471 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
  472 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
  473 # keyfile/passphrase
  474 echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
  475 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
  476 
  477 prepare "[18] RemoveKey passphrase and keyfile" reuse
  478 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
  479 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
  480 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" && fail
  481 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
  482 [ $? -ne 2 ] && fail "luksRemoveKey should return EPERM exit code"
  483 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
  484 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
  485 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
  486 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" && fail
  487 # if password or keyfile is provided, batch mode must not suppress it
  488 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
  489 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
  490 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
  491 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
  492 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
  493 # kill slot using passphrase from 1
  494 echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null || fail
  495 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
  496 # remove key0 / slot 0
  497 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
  498 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" && fail
  499 # last keyslot, in batch mode no passphrase needed...
  500 $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
  501 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
  502 
  503 prepare "[19] create & status & resize" wipe
  504 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  505 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  506 if dm_crypt_keyring_support; then
  507     echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail
  508     if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
  509         test_and_prepare_keyring
  510         load_key user $TEST_TOKEN2 $PWD1 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
  511         $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN2 --token-id 1 || fail
  512         $CRYPTSETUP -q resize --size 99 $DEV_NAME <&- || fail
  513         $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "99 sectors" || fail
  514         #replace kernel key with wrong pass
  515         load_key user $TEST_TOKEN2 $PWD2 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
  516         # must fail due to --token-only
  517         echo $PWD1 | $CRYPTSETUP -q resize --token-only --size 100 $DEV_NAME && fail
  518         $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" && fail
  519     fi
  520 fi
  521 echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
  522 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
  523 echo $PWD1 | $CRYPTSETUP -q resize --device-size 51200 $DEV_NAME || fail
  524 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
  525 echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
  526 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
  527 echo $PWD1 | $CRYPTSETUP -q resize --device-size 512k --size 1024 $DEV_NAME > /dev/null 2>&1 && fail
  528 echo $PWD1 | $CRYPTSETUP -q resize --device-size 4097 $DEV_NAME > /dev/null 2>&1 && fail
  529 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
  530 $CRYPTSETUP close $DEV_NAME || fail
  531 echo $PWD1 | $CRYPTSETUP luksOpen --disable-keyring $LOOPDEV $DEV_NAME || fail
  532 echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
  533 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
  534 $CRYPTSETUP close $DEV_NAME || fail
  535 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  536 if dm_crypt_keyring_support; then
  537     $CRYPTSETUP -q resize --disable-keyring --size 100 $DEV_NAME 2>/dev/null && fail
  538 fi
  539 if dm_crypt_sector_size_support; then
  540     $CRYPTSETUP close $DEV_NAME || fail
  541     echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 4096 $LOOPDEV > /dev/null || fail
  542     echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  543     echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
  544     $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
  545     echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
  546     echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
  547     $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
  548 fi
  549 $CRYPTSETUP close $DEV_NAME || fail
  550 # Resize not aligned to logical block size
  551 add_scsi_device dev_size_mb=32 sector_size=4096
  552 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $DEV || fail
  553 echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
  554 OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') #'
  555 echo $PWD1 | $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
  556 dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
  557 NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') #'
  558 test $OLD_SIZE -eq $NEW_SIZE || fail
  559 $CRYPTSETUP close $DEV_NAME || fail
  560 
  561 prepare "[20] Disallow open/create if already mapped." wipe
  562 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
  563 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2>/dev/null && fail
  564 $CRYPTSETUP remove  $DEV_NAME || fail
  565 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  566 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
  567 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
  568 $CRYPTSETUP  luksClose  $DEV_NAME || fail
  569 
  570 prepare "[21] luksDump" wipe
  571 echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
  572 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
  573 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
  574 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
  575 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
  576 echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
  577 $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
  578 echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE >/dev/null || fail
  579 echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE 2>/dev/null && fail
  580 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
  581 # Use volume key file without keyslots
  582 $CRYPTSETUP luksErase -q $LOOPDEV || fail
  583 $CRYPTSETUP luksOpen --master-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail
  584 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE --key-size 256 $LOOPDEV || fail
  585 echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail
  586 
  587 prepare "[22] remove disappeared device" wipe
  588 dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
  589 echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 /dev/mapper/$DEV_NAME || fail
  590 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
  591 # underlying device now returns error but node is still present
  592 dmsetup load $DEV_NAME --table "0 40000 error" || fail
  593 dmsetup resume $DEV_NAME || fail
  594 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
  595 dmsetup remove --retry $DEV_NAME || fail
  596 
  597 prepare "[23] ChangeKey passphrase and keyfile" wipe
  598 # [0]$KEY1 [1]key0
  599 $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --key-size 256 --luks2-keyslots-size 256k >/dev/null || fail
  600 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
  601 # keyfile [0] / keyfile [0]
  602 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
  603 # passphrase [1] / passphrase [1]
  604 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
  605 # keyfile [0] / keyfile [new] - with LUKS2 it should stay
  606 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
  607 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
  608 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
  609 # passphrase [1] / passphrase [new]
  610 echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
  611 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
  612 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
  613 # test out of raw area, change in-place (space only for 2 keyslots)
  614 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
  615 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
  616 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
  617 
  618 prepare "[24] Keyfile limit" wipe
  619 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
  620 $CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  621 $CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  622 $CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  623 $CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  624 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  625 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  626 $CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
  627 $CRYPTSETUP luksClose  $DEV_NAME || fail
  628 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
  629 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
  630 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail
  631 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
  632 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
  633 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
  634 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
  635 [ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
  636 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
  637 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
  638 # -l is ignored for stdin if _only_ passphrase is used
  639 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
  640 # this is stupid, but expected
  641 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
  642 echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
  643 echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
  644 # offset
  645 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
  646 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  647 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
  648 $CRYPTSETUP luksClose  $DEV_NAME || fail
  649 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
  650 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
  651 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
  652 $CRYPTSETUP luksClose  $DEV_NAME || fail
  653 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
  654 $CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
  655 $CRYPTSETUP luksClose $DEV_NAME || fail
  656 
  657 prepare "[26] Suspend/Resume" wipe
  658 # LUKS
  659 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  660 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
  661 $CRYPTSETUP luksSuspend $DEV_NAME || fail
  662 $CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
  663 $CRYPTSETUP -q resize  $DEV_NAME 2>/dev/null && fail
  664 echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
  665 [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
  666 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME  || fail
  667 $CRYPTSETUP -q luksClose $DEV_NAME || fail
  668 echo $PWD1 | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  669 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
  670 $CRYPTSETUP luksSuspend $DEV_NAME || fail
  671 $CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
  672 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME  || fail
  673 $CRYPTSETUP -q luksClose $DEV_NAME || fail
  674 
  675 prepare "[27] luksOpen with specified key slot number" wipe
  676 # first, let's try passphrase option
  677 echo $PWD3 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 $LOOPDEV || fail
  678 echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
  679 [ -b /dev/mapper/$DEV_NAME ] && fail
  680 echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
  681 check_exists
  682 $CRYPTSETUP luksClose $DEV_NAME || fail
  683 echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail
  684 echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail
  685 [ -b /dev/mapper/$DEV_NAME ] && fail
  686 echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
  687 [ -b /dev/mapper/$DEV_NAME ] && fail
  688 # second, try it with keyfiles
  689 $CRYPTSETUP -q luksFormat -q -S 5 $FAST_PBKDF_OPT -d $KEY5 --type luks2 $LOOPDEV || fail
  690 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
  691 $CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
  692 check_exists
  693 $CRYPTSETUP luksClose $DEV_NAME || fail
  694 $CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
  695 [ -b /dev/mapper/$DEV_NAME ] && fail
  696 $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
  697 [ -b /dev/mapper/$DEV_NAME ] && fail
  698 # test keyslot not assigned to segment is unable to unlock volume
  699 # otoh it should be allowed to test for proper passphrase
  700 prepare "" new
  701 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
  702 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
  703 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
  704 [ -b /dev/mapper/$DEV_NAME ] && fail
  705 echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
  706 [ -b /dev/mapper/$DEV_NAME ] && fail
  707 echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
  708 $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
  709 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
  710 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
  711 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
  712 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
  713 
  714 prepare "[28] Detached LUKS header" wipe
  715 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
  716 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
  717 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
  718 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 4096 >/dev/null || fail
  719 $CRYPTSETUP luksDump $HEADER_IMG | grep -e "0: crypt" -A1 | grep -qe $((4096*512)) || fail
  720 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 0 --sector-size 512 || fail
  721 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
  722 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
  723 echo $PWD1 | $CRYPTSETUP -q resize  $DEV_NAME --size 100 --header $HEADER_IMG || fail
  724 $CRYPTSETUP -q status  $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
  725 $CRYPTSETUP -q status  $DEV_NAME | grep "type:" | grep -q "n/a" || fail
  726 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
  727 $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
  728 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
  729 $CRYPTSETUP luksSuspend $DEV_NAME || fail
  730 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
  731 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
  732 $CRYPTSETUP luksClose $DEV_NAME || fail
  733 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
  734 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail
  735 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
  736 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail
  737 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
  738 rm $HEADER_IMG || fail
  739 # create exactly 16 MiBs LUKS2 header
  740 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --luks2-keyslots-size 16352k --luks2-metadata-size 16k --offset 131072 >/dev/null || fail
  741 SIZE=$(stat --printf=%s $HEADER_IMG)
  742 test $SIZE -eq 16777216 || fail
  743 $CRYPTSETUP -q luksDump  $HEADER_IMG | grep -q "offset: $((512 * 131072)) \[bytes\]" || fail
  744 
  745 prepare "[29] Repair metadata" wipe
  746 xz -dk $HEADER_LUKS2_PV.xz
  747 $CRYPTSETUP isLuks --disable-locks $HEADER_LUKS2_PV && fail
  748 $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
  749 $CRYPTSETUP isLuks --disable-locks --type luks2 $HEADER_LUKS2_PV && fail
  750 $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV && fail
  751 $CRYPTSETUP -q repair $HEADER_LUKS2_PV || fail
  752 $CRYPTSETUP isLuks $HEADER_LUKS2_PV || fail
  753 $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV || fail
  754 $CRYPTSETUP isLuks --type luks1 $HEADER_LUKS2_PV && fail
  755 
  756 prepare "[30] LUKS erase" wipe
  757 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
  758 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
  759 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
  760 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
  761 $CRYPTSETUP luksErase -q $LOOPDEV || fail
  762 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
  763 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" && fail
  764 
  765 prepare "[31] LUKS convert" wipe
  766 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
  767 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
  768 $CRYPTSETUP -q luksDump  $LOOPDEV --dump-json-metadata >/dev/null 2>&1 && fail
  769 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
  770 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
  771 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
  772 $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
  773 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
  774 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
  775 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
  776 # hash test
  777 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
  778 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
  779 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
  780 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
  781 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
  782 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
  783 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
  784 # sector size test
  785 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail
  786 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
  787 
  788 # create LUKS1 with data offset not aligned to 4KiB
  789 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --align-payload 4097 || fail
  790 $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
  791 $CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail
  792 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
  793 
  794 if dm_crypt_keyring_flawed; then
  795     prepare "[32a] LUKS2 keyring dm-crypt bug" wipe
  796     echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
  797     echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
  798     $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
  799     $CRYPTSETUP close $DEV_NAME || fail
  800     # key must not load in kernel key even when dm-crypt module is missing
  801     if rmmod dm-crypt >/dev/null 2>&1; then
  802         echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
  803         $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
  804         $CRYPTSETUP close $DEV_NAME || fail
  805     fi
  806 fi
  807 
  808 if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then
  809     prepare "[32] LUKS2 key in keyring" wipe
  810     echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
  811 
  812     # check keyring support detection works as expected
  813     rmmod dm-crypt >/dev/null 2>&1 || true
  814     echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
  815     $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
  816     $CRYPTSETUP close $DEV_NAME || fail
  817 
  818     echo $PWD1 | $CRYPTSETUP open  $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
  819     $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
  820     $CRYPTSETUP close $DEV_NAME || fail
  821 
  822     echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
  823     $CRYPTSETUP luksSuspend $DEV_NAME || fail
  824     echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
  825     $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
  826     $CRYPTSETUP close $DEV_NAME || fail
  827 
  828     echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
  829     $CRYPTSETUP luksSuspend $DEV_NAME || fail
  830     echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail
  831     $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
  832     $CRYPTSETUP close $DEV_NAME || fail
  833 fi
  834 
  835 # FIXME: candidate for non-root tests
  836 prepare "[33] tokens" wipe
  837 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  838 if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
  839 
  840     test_and_prepare_keyring
  841 
  842     $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --token-id 3 || fail
  843     $CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" || fail
  844     # keyslot 5 is inactive
  845     $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
  846     # key description is not reachable
  847     $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase && fail
  848     # wrong passphrase
  849     load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
  850     $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase 2>/dev/null && fail
  851     load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
  852     $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase || fail
  853     $CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail
  854     $CRYPTSETUP status $DEV_NAME > /dev/null || fail
  855     $CRYPTSETUP close $DEV_NAME || fail
  856 
  857     # check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
  858     echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 22 || fail
  859     # this excludes keyring tokens from unlocking device
  860     $CRYPTSETUP open --token-only --token-type some_type $LOOPDEV --test-passphrase && fail
  861     $CRYPTSETUP open --token-only --token-type some_type $LOOPDEV $DEV_NAME && fail
  862     $CRYPTSETUP status $DEV_NAME > /dev/null && fail
  863 
  864     $CRYPTSETUP token remove --token-id 3 $LOOPDEV || fail
  865     $CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail
  866 
  867     # test we can remove keyslot with token
  868     echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
  869     $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail
  870     $CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
  871 fi
  872 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
  873 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
  874 echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
  875 $CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 || fail
  876 $CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 2>/dev/null && fail
  877 $CRYPTSETUP token export $LOOPDEV --token-id 10 >$TOKEN_FILE1 || fail
  878 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
  879 $CRYPTSETUP token export $LOOPDEV --token-id 11 >$TOKEN_FILE1 || fail
  880 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
  881 $CRYPTSETUP token export $LOOPDEV --token-id 12 >$TOKEN_FILE1 || fail
  882 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
  883 $CRYPTSETUP token export $LOOPDEV --token-id 12 --json-file $TOKEN_FILE1 || fail
  884 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
  885 $CRYPTSETUP token export $LOOPDEV --token-id 12 > $TOKEN_FILE1 || fail
  886 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
  887 
  888 prepare "[34] LUKS keyslot priority" wipe
  889 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -S 1 || fail
  890 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -S 5 || fail
  891 $CRYPTSETUP config $LOOPDEV -S 0 --priority prefer && fail
  892 $CRYPTSETUP config $LOOPDEV -S 1 --priority bla >/dev/null 2>&1 && fail
  893 $CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
  894 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase 2>/dev/null && fail
  895 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase -S 1 || fail
  896 echo $PWD2 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
  897 $CRYPTSETUP config $LOOPDEV -S 1 --priority normal || fail
  898 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
  899 $CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
  900 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase 2>/dev/null && fail
  901 
  902 prepare "[35] LUKS label and subsystem" wipe
  903 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
  904 $CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "(no subsystem)" || fail
  905 $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
  906 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --subsystem SatelliteTwo --label TheLabel || fail
  907 $CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteTwo" || fail
  908 $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
  909 $CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree
  910 $CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
  911 $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
  912 $CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree --label TheLabel
  913 $CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
  914 $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
  915 
  916 prepare "[36] LUKS PBKDF setting" wipe
  917 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf bla $LOOPDEV >/dev/null 2>&1 && fail
  918 # Force setting, no benchmark. PBKDF2 has 1000 iterations as a minimum
  919 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2   --pbkdf-force-iterations 999 $LOOPDEV 2>/dev/null && fail
  920 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2   --pbkdf-force-iterations 1234 $LOOPDEV || fail
  921 $CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
  922 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
  923 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips
  924 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips
  925 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i  --pbkdf-force-iterations 4 \
  926     --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
  927 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || can_fail_fips
  928 $CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || can_fail_fips
  929 $CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || can_fail_fips
  930 $CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || can_fail_fips
  931 # Benchmark
  932 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
  933 [ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
  934 [ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
  935 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 -i 500 $LOOPDEV || fail
  936 [ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail
  937 
  938 prepare "[37] LUKS Keyslot convert" wipe
  939 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
  940 $CRYPTSETUP -q luksConvertKey $LOOPDEV --key-file $KEY5 2>/dev/null && fail
  941 $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
  942 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
  943 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
  944 $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
  945 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || can_fail_fips
  946 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail
  947 $CRYPTSETUP -q luksKillSlot $LOOPDEV 5 || fail
  948 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
  949 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
  950 echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
  951 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
  952 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
  953 echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
  954 
  955 prepare "[38] luksAddKey unbound tests" wipe
  956 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
  957 # unbound key may have arbitrary size
  958 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
  959 echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
  960 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
  961 dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
  962 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 512 -S 3 --master-key-file $KEY_FILE0 $LOOPDEV || fail
  963 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" || fail
  964 # unbound key size is required
  965 echo $PWD1 | $CRYPTSETUP -q luksAddKey --unbound $LOOPDEV 2>/dev/null && fail
  966 echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --master-key-file /dev/urandom $LOOPDEV 2> /dev/null && fail
  967 # do not allow to replace keyslot by unbound slot
  968 echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
  969 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
  970 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
  971 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
  972 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
  973 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
  974 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
  975 # check we're able to change passphrase for unbound keyslot
  976 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
  977 echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
  978 echo $PWD3 | $CRYPTSETUP -q open -S 2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
  979 # do not allow adding keyslot by unbound keyslot
  980 echo -e "$PWD3\n$PWD1" | $CRYPTSETUP -q luksAddKey $LOOPDEV 2> /dev/null && fail
  981 # check adding keyslot works when there's unbound keyslot
  982 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-file $KEY5 -S8 || fail
  983 echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
  984 $CRYPTSETUP close $DEV_NAME || fail
  985 $CRYPTSETUP luksKillSlot -q $LOOPDEV 2
  986 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" && fail
  987 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 $LOOPDEV 2> /dev/null && fail
  988 echo $PWD3 | $CRYPTSETUP luksDump --unbound 2> /dev/null $LOOPDEV 2> /dev/null && fail
  989 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV > /dev/null || fail
  990 diff $KEY_FILE0 $KEY_FILE1 || fail
  991 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV 2> /dev/null && fail
  992 diff $KEY_FILE0 $KEY_FILE1 || fail
  993 rm $KEY_FILE1 || fail
  994 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV | grep -q "Unbound Key:" && fail
  995 echo $PWD3 | $CRYPTSETUP luksDump --unbound -S3 $LOOPDEV | grep -q "Unbound Key:" || fail
  996 $CRYPTSETUP luksKillSlot -q $LOOPDEV 3 || fail
  997 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail
  998 
  999 prepare "[39] LUKS2 metadata variants" wipe
 1000 tar xJf luks2_mda_images.tar.xz
 1001 echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
 1002 for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
 1003     echo -n "[$mda KiB]"
 1004     echo $PWD4 | $CRYPTSETUP open test_image_$mda $DEV_NAME || fail
 1005     $CRYPTSETUP close $DEV_NAME || fail
 1006     echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -S9 $FAST_PBKDF_OPT test_image_$mda || fail
 1007     echo $PWD4 | $CRYPTSETUP open --test-passphrase test_image_$mda || fail
 1008     echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase test_image_$mda || fail
 1009     echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import test_image_$mda --token-id 10 || fail
 1010     $CRYPTSETUP token export test_image_$mda --token-id 10 >$TOKEN_FILE1 || fail
 1011     diff $TOKEN_FILE1 $TOKEN_FILE0 || fail
 1012     echo -n "[OK]"
 1013 done
 1014 echo
 1015 
 1016 prepare "[40] LUKS2 metadata areas" wipe
 1017 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2> /dev/null || fail
 1018 DEFAULT_OFFSET=$($CRYPTSETUP luksDump $LOOPDEV | grep "offset: " | cut -f 2 -d ' ')
 1019 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k 2> /dev/null && fail
 1020 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
 1021 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
 1022 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128M >/dev/null 2>&1 && fail
 1023 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail
 1024 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
 1025 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
 1026 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k || fail
 1027 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
 1028 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "$((DEFAULT_OFFSET-2*131072)) \[bytes\]" || fail
 1029 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-keyslots-size=128k >/dev/null || fail
 1030 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
 1031 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
 1032 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset 16384 || fail
 1033 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
 1034 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "8355840 \[bytes\]" || fail
 1035 # data offset vs area size
 1036 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset 64 --luks2-keyslots-size=8192 >/dev/null 2>&1 && fail
 1037 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset $((256+56)) >/dev/null 2>&1 && fail
 1038 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset $((256+64)) >/dev/null || fail
 1039 
 1040 prepare "[41] Per-keyslot encryption parameters" wipe
 1041 KEYSLOT_CIPHER="aes-cbc-plain64"
 1042 $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
 1043 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
 1044 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
 1045 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 1 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
 1046 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "1: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
 1047 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "1: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
 1048 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 2 || fail
 1049 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
 1050 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
 1051 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
 1052 # unbound keyslot
 1053 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
 1054 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
 1055 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
 1056 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
 1057 echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
 1058 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
 1059 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
 1060 
 1061 prepare "[42] Some encryption compatibility mode tests" wipe
 1062 CIPHERS="aes-ecb aes-cbc-null aes-cbc-plain64 aes-cbc-essiv:sha256 aes-xts-plain64"
 1063 key_size=256
 1064 for cipher in $CIPHERS ; do
 1065     echo -n "[$cipher/$key_size]"
 1066     $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --cipher $cipher --key-size $key_size || fail
 1067 done
 1068 echo
 1069 
 1070 remove_mapping
 1071 exit 0