Member "cryptsetup-2.4.3/tests/compat-test2" (13 Jan 2022, 58746 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:
#!/bin/bash

# Shared fixtures for the LUKS2 compatibility tests.
#
# Security notes for readers reusing any of this:
#  - CRYPTSETUP_PATH comes from the environment and selects the binary that
#    the suite later runs as root (see the id -u guard further down), so it
#    must point at a trusted build tree.
#  - The passphrases below are public test fixtures, never real secrets.
#  - FAST_PBKDF_OPT forces PBKDF2 with only 1000 iterations to keep the test
#    run fast; that work factor is far too low for a real volume.

# Prefix for "set -x" traces: the current line number.
PS4='$LINENO:'

# Default to the parent directory when the caller did not pick a build tree.
: "${CRYPTSETUP_PATH:=..}"
CRYPTSETUP="${CRYPTSETUP_PATH}/cryptsetup"

# Uninstalled libtool binary and library directory used for valgrind runs.
CRYPTSETUP_VALGRIND="../.libs/cryptsetup"
CRYPTSETUP_LIB_VALGRIND="../.libs"

# Device-mapper names used for the test mappings.
DEV_NAME="dummy"
DEV_NAME2="dummy2"
DEV_NAME3="dummy3"

# Image, header and key file names (all relative to the current directory).
ORIG_IMG="luks-test-orig"
IMG="luks-test"
IMG10="luks-test-v10"
HEADER_IMG="luks-header"
HEADER_KEYU="luks2_keyslot_unassigned.img"
HEADER_LUKS2_PV="blkid-luks2-pv.img"
KEY1="key1"
KEY2="key2"
KEY5="key5"
KEYE="keye"

# Fixed test passphrases.
PWD0=compatkey
PWD1=93R4P4pIqAH8
PWD2=mymJeD8ivEhE
PWD3=ocMakf3fAcQO
PWD4=Qx3qn46vq0v
PWDW=rUkL4RUryBom

# Kernel keyring name and key descriptions used by the token tests.
TEST_KEYRING_NAME=compattest2_keyring
TEST_TOKEN0=compattest2_desc0
TEST_TOKEN1=compattest2_desc1
TEST_TOKEN2=compattest2_desc2
VK_FILE=compattest2_vkfile
IMPORT_TOKEN='{"type":"some_type","keyslots":[],"base64_data":"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ"}'
TOKEN_FILE0="test-token-file0"
TOKEN_FILE1="test-token-file1"
KEY_FILE0="test-key-file0"
KEY_FILE1="test-key-file1"

# Deliberately word-split at every use site; do not quote when expanding.
FAST_PBKDF_OPT='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'

TEST_UUID=12345678-1234-1234-1234-123456789abc

# First free loop device; stays empty when losetup fails or none is free.
LOOPDEV=$(losetup -f 2>/dev/null)

# FIPS state is only read on systems that carry the /etc/system-fips marker.
if [ -f /etc/system-fips ]; then
	FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
fi
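# Tear down everything a test case may have left behind: device-mapper
# mappings, the loop device, image/key/token files in the current directory,
# the test keyring and the scsi_debug module.
# Globals: DEV_NAME*, LOOPDEV, the file-name fixtures, DEV (read);
#          TEST_KEYRING (read, then unset).
# Returns: the status of the final scsi_debug_teardown call.
function remove_mapping()
{
	local name

	# Remove stacked mappings from the top down.
	for name in "$DEV_NAME3" "$DEV_NAME2" "$DEV_NAME"; do
		[ -b "/dev/mapper/$name" ] && dmsetup remove --retry "$name"
	done

	# Only detach when a loop device was actually found at start-up.
	[ -n "$LOOPDEV" ] && losetup -d "$LOOPDEV" >/dev/null 2>&1

	# This runs as root: quote every name and end option parsing with "--"
	# so a fixture containing whitespace or a leading dash cannot make rm
	# act on a different path. test_image_* stays a glob on purpose.
	rm -f -- "$ORIG_IMG" "$IMG" "$IMG10" "$KEY1" "$KEY2" "$KEY5" "$KEYE" \
		"$HEADER_IMG" "$HEADER_KEYU" "$VK_FILE" "$HEADER_LUKS2_PV" \
		missing-file "$TOKEN_FILE0" "$TOKEN_FILE1" test_image_* \
		"$KEY_FILE0" "$KEY_FILE1" >/dev/null 2>&1

	# unlink whole test keyring
	[ -n "$TEST_KEYRING" ] && keyctl unlink "$TEST_KEYRING" "@u" >/dev/null
	unset TEST_KEYRING

	rmmod scsi_debug >/dev/null 2>&1
	scsi_debug_teardown "$DEV"
}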
# Ask the kernel to re-emit a "change" uevent for the loop device so that
# udev refreshes its symlinks (the caller uses this before opening by UUID).
# Globals: LOOPDEV (read), DNAME (written: third "/"-separated field of
#          LOOPDEV, e.g. "loop0" for "/dev/loop0").
function force_uevent()
{
	local uevent_node

	DNAME=$(echo $LOOPDEV | cut -d / -f 3)
	uevent_node=/sys/block/$DNAME/uevent
	echo "change" >$uevent_node
}
# Abort the test run: print the optional message, clean up, print a call
# backtrace and exit with status 2.
# Arguments: $1 - optional message.
# Globals:   frame (read/written; not initialised here, so the first call
#            to "caller" runs without an argument).
function fail()
{
	if [ -n "$1" ]; then
		echo "$1"
	fi
	remove_mapping
	echo "FAILED backtrace:"
	# Walk up the call stack until "caller" reports no further frame.
	until ! caller $frame; do
		frame=$((frame + 1))
	done
	exit 2
}
# Succeeds only when FIPS_MODE is set and numerically greater than zero.
# Globals: FIPS_MODE (read).
function fips_mode()
{
	if [ -z "$FIPS_MODE" ]; then
		return 1
	fi
	test "$FIPS_MODE" -gt 0
}
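# Report a failure unless the system runs in FIPS mode, where the failing
# operation is expected.
# Arguments: $1 - message forwarded to fail().
function can_fail_fips()
{
	# Ignore this fail if running in FIPS mode.
	# The message is quoted so fail() receives it as one argument; unquoted
	# it was word-split and only its first word was printed.
	fips_mode || fail "$1"
}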
# Skip the whole test: print the optional reason, clean up and exit with
# status 77.
# Arguments: $1 - optional reason.
function skip()
{
	if [ -n "$1" ]; then
		echo "$1"
	fi
	remove_mapping
	exit 77
}
# Set up the backing image, loop device and key files for one test case.
# Arguments: $1 - optional case title, printed as "CASE: <title>"
#            $2 - mode: "wipe" (fresh zeroed 40 MiB image), "new" (unpack the
#                 shipped compat images), anything else = "reuse" (unpack
#                 only what is missing)
# Globals:   DEV_NAME, IMG, IMG10, ORIG_IMG, LOOPDEV, HEADER_KEYU, KEY1,
#            KEY2, KEY5, KEYE, CRYPTSETUP (read)
function prepare()
{
	# A mapping left over from the previous case would keep the loop device busy.
	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME

	case "$2" in
	wipe)
		# remove_mapping also deletes the key files, so they are recreated below.
		remove_mapping
		dd if=/dev/zero of=$IMG bs=1M count=40 >/dev/null 2>&1
		sync
		losetup $LOOPDEV $IMG
		;;
	new)
		remove_mapping
		xz -cd compatimage.img.xz > $IMG
		xz -dk $HEADER_KEYU.xz
		# FIXME: switch to internal loop (no losetup at all)
		# A deliberately wrong passphrase is enough here: only the
		# "autoclear flag" warning in the output is of interest.
		echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
			grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
		losetup $LOOPDEV $IMG
		xz -cd compatv10image.img.xz > $IMG10
		;;
	reuse | *)
		if [ ! -e $IMG ]; then
			xz -cd compatimage.img.xz > $IMG
			losetup $LOOPDEV $IMG
		fi
		[ ! -e $IMG10 ] && xz -cd compatv10image.img.xz > $IMG10
		;;
	esac

	# KEY1 is a fixed, publicly known 32-byte key (the random variant is
	# commented out); it is a reproducible fixture, not a secret.
	if [ ! -e $KEY1 ]; then
		#dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
		echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$KEY1
		echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$KEY1
	fi

	# KEY2 and KEY5 are 16 random bytes each, regenerated whenever missing.
	if [ ! -e $KEY2 ]; then
		dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
	fi

	if [ ! -e $KEY5 ]; then
		dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
	fi

	# KEYE is an empty key file.
	if [ ! -e $KEYE ]; then
		touch $KEYE
	fi

	# Keep a pristine copy of the image as it was at the start of the case.
	cp $IMG $ORIG_IMG
	[ -n "$1" ] && echo "CASE: $1"
}
# Fail the test unless the primary mapping exists as a block device.
# Globals: DEV_NAME (read).
function check_exists()
{
	if [ ! -b /dev/mapper/$DEV_NAME ]; then
		fail
	fi
}
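# Prepare the environment for running the uninstalled cryptsetup binary
# under valgrind.
# Globals: CRYPTSETUP_VALGRIND, CRYPTSETUP_LIB_VALGRIND (read),
#          LD_LIBRARY_PATH (read, exported).
function valgrind_setup()
{
	# "command -v" is a shell builtin, so the check does not depend on an
	# external "which" being installed.
	command -v valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
	[ ! -f "$CRYPTSETUP_VALGRIND" ] && fail "Unable to get location of cryptsetup executable."
	# Append the old value only when it is non-empty. A trailing ":" would
	# leave an empty entry, which the dynamic loader treats as the current
	# directory - not something to add to the library path of a root process.
	export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}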
# Run cryptsetup through ./valg.sh, tagging the run with the calling
# script's name and line number via INFOSTRING.
# Arguments: passed on to the cryptsetup binary unchanged.
# Globals:   CRYPTSETUP_VALGRIND (read).
function valgrind_run()
{
	local src_name

	src_name=$(basename ${BASH_SOURCE[1]})
	INFOSTRING="${src_name}-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
}
# Succeeds when the kernel key service is present (/proc/sys/kernel/keys)
# and the dm-crypt target version is at least 1.18.1.
# Globals: VER_STR, VER_MAJ, VER_MIN, VER_PTC (written; also read afterwards
#          by dm_crypt_keyring_flawed).
function dm_crypt_keyring_support()
{
	# Version text after the "v" on the "crypt" line of "dmsetup targets".
	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	if [ -z "$VER_STR" ]; then
		fail "Failed to parse dm-crypt version."
	fi

	VER_MAJ=$(echo $VER_STR | cut -d. -f1)
	VER_MIN=$(echo $VER_STR | cut -d. -f2)
	VER_PTC=$(echo $VER_STR | cut -d. -f3)

	[ -d /proc/sys/kernel/keys ] || return 1

	if [ $VER_MAJ -gt 1 ]; then
		return 0
	elif [ $VER_MAJ -eq 1 ] && [ $VER_MIN -gt 18 ]; then
		return 0
	elif [ $VER_MAJ -eq 1 ] && [ $VER_MIN -eq 18 ] && [ $VER_PTC -ge 1 ]; then
		return 0
	fi
	return 1
}
# Succeeds when keyring support is NOT usable although the dm-crypt target
# version is 1.15 or newer.
# Globals: VER_MAJ, VER_MIN (read; set by dm_crypt_keyring_support).
function dm_crypt_keyring_flawed()
{
	if dm_crypt_keyring_support; then
		return 1
	fi

	if [ $VER_MAJ -gt 1 ]; then
		return 0
	fi
	if [ $VER_MAJ -eq 1 ] && [ $VER_MIN -ge 15 ]; then
		return 0
	fi
	return 1
}
# Succeeds when "uname -r" reports kernel 4.15 or newer.
# Globals: KER_STR, KER_MAJ, KER_MIN (written).
function dm_crypt_keyring_new_kernel()
{
	KER_STR=$(uname -r)
	if [ -z "$KER_STR" ]; then
		fail "Failed to parse kernel version."
	fi
	KER_MAJ=$(echo $KER_STR | cut -d. -f1)
	KER_MIN=$(echo $KER_STR | cut -d. -f2)

	if [ $KER_MAJ -ge 5 ] || { [ $KER_MAJ -eq 4 ] && [ $KER_MIN -ge 15 ]; }; then
		return 0
	fi
	return 1
}
# Succeeds when the dm-crypt target minor version is at least 17, or is
# exactly 14 with patch level 5 or higher.
# NOTE(review): VER_MAJ is parsed but not part of the decision, so a
# hypothetical 2.x target with a low minor would be reported as unsupported
# - confirm this is intended.
# Globals: VER_STR, VER_MAJ, VER_MIN, VER_PTC (written).
function dm_crypt_sector_size_support()
{
	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
	if [ -z "$VER_STR" ]; then
		fail "Failed to parse dm-crypt version."
	fi

	VER_MAJ=$(echo $VER_STR | cut -d. -f1)
	VER_MIN=$(echo $VER_STR | cut -d. -f2)
	VER_PTC=$(echo $VER_STR | cut -d. -f3)

	if [ $VER_MIN -ge 17 ] || { [ $VER_MIN -eq 14 ] && [ $VER_PTC -ge 5 ]; }; then
		return 0
	fi

	return 1
}
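# Create a dedicated test keyring under the user keyring and make sure it is
# usable; skip the whole test when the kernel keyring service is not.
# Globals: TEST_KEYRING_NAME (read), TEST_KEYRING (written: id printed by
#          "keyctl newring").
function test_and_prepare_keyring() {
	# "command -v" is a builtin; an external "which" may be missing on
	# minimal systems and would cause a spurious skip.
	command -v keyctl > /dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
	keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
	TEST_KEYRING=$(keyctl newring "$TEST_KEYRING_NAME" "@u" 2> /dev/null)
	test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
	# Link the user keyring into the session keyring when the new keyring
	# cannot be found from the session keyring.
	keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1 || keyctl link "@u" "@s" > /dev/null 2>&1
	# Probe with a throw-away key before any real test data is loaded.
	load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
}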
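# Add (or replace) a key in a kernel keyring via "keyctl add".
# $1 type
# $2 description
# $3 payload
# $4 keyring
#
# The payload travels on keyctl's command line, so it is visible in the
# process list while keyctl runs. That is acceptable for the fixed test
# passphrases used here; for real secrets feed the payload on stdin instead
# (keyctl padd).
function load_key()
{
	# Quoted so that each argument, in particular the payload, reaches
	# keyctl as exactly one word.
	keyctl add "$@" >/dev/null
}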
# Format, dump and open a throw-away LUKS2 device to learn whether the
# active mapping reports a keyring.
# Globals: PWD1, FAST_PBKDF_OPT, LOOPDEV, DEV_NAME, CRYPTSETUP (read),
#          HAVE_KEYRING (written: 1 when "cryptsetup status" mentions
#          "keyring", else 0).
function setup_luks2_env() {
	echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV || fail
	$CRYPTSETUP luksDump $LOOPDEV >/dev/null || fail
	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail

	if $CRYPTSETUP status $DEV_NAME | grep -q "keyring"; then
		HAVE_KEYRING=1
	else
		HAVE_KEYRING=0
	fi

	$CRYPTSETUP close $DEV_NAME || fail
}
# Unload the scsi_debug module, retrying while its block device still exists.
# $1 path to scsi debug bdev
# Gives up after 15 attempts spaced 0.1 s apart, then tries one last rmmod
# if the device is still present.
scsi_debug_teardown() {
	local _left=15

	while [ -b "$1" ] && [ $_left -gt 0 ]; do
		rmmod scsi_debug >/dev/null 2>&1
		if [ -b "$1" ]; then
			sleep .1
			_left=$((_left - 1))
		fi
	done

	if [ -b "$1" ]; then
		rmmod scsi_debug >/dev/null 2>&1
	fi
}
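# Load the scsi_debug module with the given parameters and record the block
# device it creates.
# Arguments: module parameters for modprobe (e.g. dev_size_mb=32).
# Globals:   DEV (read for teardown, then written: "/dev/<name>" of the
#            device whose sysfs model file mentions scsi_debug).
# Exits with 77 (skip) when the module is already present or cannot be loaded.
function add_scsi_device() {
	scsi_debug_teardown "$DEV"
	if [ -d /sys/module/scsi_debug ] ; then
		echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
		exit 77
	fi
	# "$@" keeps every module parameter as one word; the status is tested
	# directly instead of through a separate $? check.
	if ! modprobe scsi_debug "$@" delay=0 >/dev/null 2>&1 ; then
		echo "This kernel seems to not support proper scsi_debug module, test skipped."
		exit 77
	fi

	# Give the kernel a moment to create the block device node.
	sleep 1
	DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
	[ -b "$DEV" ] || fail "Cannot find $DEV."
}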
282 export LANG=C
283
284 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
285 [ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."
286
287 prepare "[0] Detect LUKS2 environment" wipe
288 setup_luks2_env
289
290 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
291
292 prepare "[1] Data offset" wipe
293 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 1 2>/dev/null && fail
294 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 16385 2>/dev/null && fail
295 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 32 2>/dev/null && fail
296 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --align-payload 16384 --offset 16384 2>/dev/null && fail
297 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --offset 16384 || fail
298 $CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
299 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 1024 --offset 16384 >/dev/null || fail
300 $CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
301 truncate -s 4096 $HEADER_IMG
302 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG -q --offset 80000 >/dev/null 2>&1 || fail
303
304 prepare "[2] Sector size and old payload alignment" wipe
305 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 511 2>/dev/null && fail
306 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 256 2>/dev/null && fail
307 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 8192 2>/dev/null && fail
308 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 512 || fail
309 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --align-payload 5 || fail
310 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 512 --align-payload 5 || fail
311 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 --align-payload 32 >/dev/null || fail
312 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 4096 >/dev/null || fail
313 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 --align-payload 32768 >/dev/null || fail
314 $CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 32768)) \[bytes\]" || fail
315 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 2048 >/dev/null || fail
316 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 4096 --align-payload 32768 >/dev/null || fail
317 $CRYPTSETUP -q luksDump $LOOPDEV | grep -q "offset: $((512 * 32768)) \[bytes\]" || fail
318
319 prepare "[3] format" wipe
320 echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
321 prepare "[4] format using hash sha512" wipe
322 echo $PWD1 | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV || fail
323 $CRYPTSETUP -q luksDump $LOOPDEV | grep "0: pbkdf2" -A2 | grep "Hash:" | grep -qe sha512 || fail
324 # Check JSON dump for some mandatory section
325 $CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata | grep -q '\"tokens\":' || fail
326
327 prepare "[5] open"
328 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
329 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
330 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
331 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
332 check_exists
333
334 # Key Slot 1 and key material section 1 must change, the rest must not.
335 prepare "[6] add key"
336 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT || fail
337 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
338
339 # Unsuccessful Key Delete - nothing may change
340 prepare "[7] unsuccessful delete"
341 echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
342 [ $? -ne 2 ] && fail "luksKillSlot should return EPERM exit code"
343 #FIXME
344 #$CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
345 #$CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
346
347 # Delete Key Test
348 # Key Slot 1 and key material section 1 must change, the rest must not
349 prepare "[8] successful delete"
350 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
351 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
352 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
353 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
354
355 # Key Slot 1 and key material section 1 must change, the rest must not
356 prepare "[9] add key test for key files"
357 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
358 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
359
360 # Key Slot 1 and key material section 1 must change, the rest must not
361 prepare "[10] delete key test with key1 as remaining key"
362 $CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
363 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
364 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
365
366 # Delete last slot
367 prepare "[11] delete last key" wipe
368 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
369 echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
370 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
371
372 # Format test for ESSIV, and some other parameters.
373 prepare "[12] parameter variation test" wipe
374 $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $LOOPDEV $KEY1 || fail
375 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
376
377 prepare "[13] open/close - stacked devices" wipe
378 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $FAST_PBKDF_OPT || fail
379 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
380 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 /dev/mapper/$DEV_NAME $FAST_PBKDF_OPT || fail
381 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
382 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
383 $CRYPTSETUP -q luksClose $DEV_NAME || fail
384
385 prepare "[14] format/open - passphrase on stdin & new line" wipe
386 # stdin defined by "-" must take even newline
387 #echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
388 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks2 $LOOPDEV || fail
389 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
390 $CRYPTSETUP -q luksClose $DEV_NAME || fail
391 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
392 # now also try --key-file
393 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV --key-file=- || fail
394 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
395 $CRYPTSETUP -q luksClose $DEV_NAME || fail
396 # process newline if from stdin
397 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks2 $LOOPDEV || fail
398 echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
399 $CRYPTSETUP -q luksClose $DEV_NAME || fail
400
401 prepare "[15] UUID - use and report provided UUID" wipe
402 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid blah --type luks2 $LOOPDEV 2>/dev/null && fail
403 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV || fail
404 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
405 [ "$tst"x = "$TEST_UUID"x ] || fail
406 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
407 $CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
408 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
409 [ "$tst"x = "$TEST_UUID"x ] || fail
410
# [16] luksFormat with a caller-supplied volume key, open by UUID, an empty
# key file, and open by volume key.
prepare "[16] luksFormat" wipe
# The volume key is read from /dev/urandom via --master-key-file.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom --type luks2 $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by UUID
if [ -d /dev/disk/by-uuid ] ; then
	force_uevent # some systems do not update loop by-uuid
	# A UUID that differs by one leading character must not resolve.
	$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
	$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi
# empty keyfile
# The test expects a zero-length key file to be accepted both for format
# and for open; such a slot offers no protection and exists only as a test.
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by volume key
# $KEY1 is used as the 256-bit volume key itself; a different volume key
# (random bytes) must be refused.
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
434 prepare "[17] AddKey volume key, passphrase and keyfile" wipe
435 # masterkey
436 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail
437 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
438 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
439 echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail
440 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
441 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
442 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail
443 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail
444 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
445 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
446
447 # special "-" handling
448 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
449 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
450 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
451 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
452 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
453 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
454 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
455 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
456
457 # [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
458 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 3 || fail
459 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
460 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
461 # keyfile/keyfile
462 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
463 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
464 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
465 # passphrase/keyfile
466 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
467 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
468 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
469 # passphrase/passphrase
470 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
471 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
472 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
473 # keyfile/passphrase
474 echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
475 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
476
477 prepare "[18] RemoveKey passphrase and keyfile" reuse
478 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" || fail
479 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
480 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2" && fail
481 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
482 [ $? -ne 2 ] && fail "luksRemoveKey should return EPERM exit code"
483 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
484 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" || fail
485 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
486 $CRYPTSETUP luksDump $LOOPDEV | grep -q "4: luks2" && fail
487 # if password or keyfile is provided, batch mode must not suppress it
488 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
489 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
490 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
491 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
492 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
493 # kill slot using passphrase from 1
494 echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null || fail
495 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
496 # remove key0 / slot 0
497 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
498 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" && fail
499 # last keyslot, in batch mode no passphrase needed...
500 $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
501 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
502
# [19] Resizing an active mapping: which credential is required depending on
# keyring use, size units, and alignment to the sector size.
prepare "[19] create & status & resize" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then
	# With the volume key held in the kernel keyring, resize has to
	# authenticate again: an empty passphrase must be refused.
	echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail
	if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
		test_and_prepare_keyring
		load_key user $TEST_TOKEN2 $PWD1 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
		$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN2 --token-id 1 || fail
		# stdin is closed (<&-): the passphrase must come from the token.
		$CRYPTSETUP -q resize --size 99 $DEV_NAME <&- || fail
		$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "99 sectors" || fail
		#replace kernel key with wrong pass
		load_key user $TEST_TOKEN2 $PWD2 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
		# must fail due to --token-only
		# The correct passphrase on stdin must not be used as a fallback.
		echo $PWD1 | $CRYPTSETUP -q resize --token-only --size 100 $DEV_NAME && fail
		$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" && fail
	fi
fi
echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
# --device-size takes bytes (51200 bytes = 100 sectors) or a suffixed value.
echo $PWD1 | $CRYPTSETUP -q resize --device-size 51200 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
# Rejected: --device-size together with --size, and a size that is not a
# multiple of 512 bytes. The mapping must keep its previous size.
echo $PWD1 | $CRYPTSETUP -q resize --device-size 512k --size 1024 $DEV_NAME > /dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 4097 $DEV_NAME > /dev/null 2>&1 && fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
$CRYPTSETUP close $DEV_NAME || fail
# Opened with --disable-keyring, resize works with an empty passphrase.
echo $PWD1 | $CRYPTSETUP luksOpen --disable-keyring $LOOPDEV $DEV_NAME || fail
echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP close $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then
	# --disable-keyring at resize time must not bypass authentication for
	# a mapping that was opened with the keyring.
	$CRYPTSETUP -q resize --disable-keyring --size 100 $DEV_NAME 2>/dev/null && fail
fi
if dm_crypt_sector_size_support; then
	$CRYPTSETUP close $DEV_NAME || fail
	echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 4096 $LOOPDEV > /dev/null || fail
	echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
	echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
	$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
	# 2049 sectors is not a multiple of the 4096-byte encryption sector.
	echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
	echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
	$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
fi
$CRYPTSETUP close $DEV_NAME || fail
# Resize not aligned to logical block size
add_scsi_device dev_size_mb=32 sector_size=4096
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $DEV || fail
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') #'
echo $PWD1 | $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
# A rejected resize must not leave the mapping suspended or change its size.
dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') #'
test $OLD_SIZE -eq $NEW_SIZE || fail
$CRYPTSETUP close $DEV_NAME || fail
561 prepare "[20] Disallow open/create if already mapped." wipe
562 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
563 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2>/dev/null && fail
564 $CRYPTSETUP remove $DEV_NAME || fail
565 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
566 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
567 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
568 $CRYPTSETUP luksClose $DEV_NAME || fail
569
570 prepare "[21] luksDump" wipe
571 echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
572 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
573 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
574 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
575 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
576 echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
577 $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
578 echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE >/dev/null || fail
579 echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE 2>/dev/null && fail
580 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
581 # Use volume key file without keyslots
582 $CRYPTSETUP luksErase -q $LOOPDEV || fail
583 $CRYPTSETUP luksOpen --master-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail
584 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE --key-size 256 $LOOPDEV || fail
585 echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail
586
587 prepare "[22] remove disappeared device" wipe
588 dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
589 echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks2 /dev/mapper/$DEV_NAME || fail
590 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
591 # underlying device now returns error but node is still present
592 dmsetup load $DEV_NAME --table "0 40000 error" || fail
593 dmsetup resume $DEV_NAME || fail
594 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
595 dmsetup remove --retry $DEV_NAME || fail
596
597 prepare "[23] ChangeKey passphrase and keyfile" wipe
598 # [0]$KEY1 [1]key0
599 $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --key-size 256 --luks2-keyslots-size 256k >/dev/null || fail
600 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
601 # keyfile [0] / keyfile [0]
602 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
603 # passphrase [1] / passphrase [1]
604 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
605 # keyfile [0] / keyfile [new] - with LUKS2 it should stay
606 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
607 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
608 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
609 # passphrase [1] / passphrase [new]
610 echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
611 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
612 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" && fail
613 # test out of raw area, change in-place (space only for 2 keyslots)
614 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
615 $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
616 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
617
# Test [24]: keyfile size (-l) and --keyfile-offset limits. Slot 0 is created
# from exactly 13 bytes of $KEY1, so only a command that reads the same window
# of the keyfile may unlock it; every other size or offset must be refused.
618 prepare "[24] Keyfile limit" wipe
619 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
# Negative cases: no size given, then sizes 0, -1 and 14.
620 $CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
621 $CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
622 $CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
623 $CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# Right size but a shifted or negative offset must fail as well.
624 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
625 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# Positive case: the exact 13-byte window opens the volume.
626 $CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
627 $CRYPTSETUP luksClose $DEV_NAME || fail
# luksAddKey: the existing key needs the correct -l; the new key gets its own
# size through --new-keyfile-size (12 bytes of $KEY2 here).
628 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
629 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
630 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail
631 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
# Removing the $KEY2 slot only works when the 12-byte size is repeated.
632 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
633 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
# `cmd && fail` leaves cmd's own non-zero status in $?, so the next line can
# assert that a wrong key is reported with exit code 2 specifically.
634 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
635 [ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
636 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
637 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
638 # -l is ignored for stdin if _only_ passphrase is used
# Adds $PWD1 (read from stdin) as a new key, authorised by keyfile $KEY2.
639 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
640 # this is stupid, but expected
# Removal by stdin passphrase: -l 11 and a wrong passphrase are refused; with
# -d- (stdin treated as a keyfile) and -l 12 the removal succeeds.
641 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
642 echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
643 echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
644 # offset
# Reformat with the key taken from 13 bytes at offset 16 of $KEY1; offset 15
# must fail, offset 16 must open.
645 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
646 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
647 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
648 $CRYPTSETUP luksClose $DEV_NAME || fail
# The new key is read from $KEY2 starting at offset 1 (--new-keyfile-offset).
649 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
650 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
651 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
652 $CRYPTSETUP luksClose $DEV_NAME || fail
# Re-key the same slot so that $KEY2 is used from offset 0, then open with the
# plain keyfile to prove the offset change took effect.
653 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
654 $CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
655 $CRYPTSETUP luksClose $DEV_NAME || fail
656
# Test [26]: luksSuspend / luksResume on an active LUKS2 mapping.
657 prepare "[26] Suspend/Resume" wipe
658 # LUKS
659 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
660 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
661 $CRYPTSETUP luksSuspend $DEV_NAME || fail
# While suspended, status must say so and a resize must be refused.
662 $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
663 $CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
# Resume with the wrong passphrase ($PWDW) must fail with exit code 2; $? still
# holds luksResume's status because `fail` did not run.
664 echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
665 [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
666 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
667 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Same cycle with `-c null`: the null cipher performs no encryption and is
# exercised here only as a test fixture for the suspend/resume code path.
668 echo $PWD1 | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
669 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
670 $CRYPTSETUP luksSuspend $DEV_NAME || fail
671 $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
672 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
673 $CRYPTSETUP -q luksClose $DEV_NAME || fail
674
# Test [27]: -S / --key-slot restricts unlocking to one keyslot. A correct
# passphrase or keyfile presented against the wrong slot must not activate the
# device, which is why each negative case is followed by a check that
# /dev/mapper/$DEV_NAME was not created.
675 prepare "[27] luksOpen with specified key slot number" wipe
676 # first, let's try passphrase option
677 echo $PWD3 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 $LOOPDEV || fail
678 echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
679 [ -b /dev/mapper/$DEV_NAME ] && fail
680 echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
681 check_exists
682 $CRYPTSETUP luksClose $DEV_NAME || fail
# Slot 0 now holds $PWD1, slot 5 holds $PWD3; each passphrase is tried against
# the other slot and must be rejected.
683 echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail
684 echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail
685 [ -b /dev/mapper/$DEV_NAME ] && fail
686 echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
687 [ -b /dev/mapper/$DEV_NAME ] && fail
688 # second, try it with keyfiles
689 $CRYPTSETUP -q luksFormat -q -S 5 $FAST_PBKDF_OPT -d $KEY5 --type luks2 $LOOPDEV || fail
690 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
691 $CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
692 check_exists
693 $CRYPTSETUP luksClose $DEV_NAME || fail
694 $CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
695 [ -b /dev/mapper/$DEV_NAME ] && fail
696 $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
697 [ -b /dev/mapper/$DEV_NAME ] && fail
698 # test keyslot not assigned to segment is unable to unlock volume
699 # otoh it should be allowed to test for proper passphrase
# Uses the prebuilt header image $HEADER_KEYU: --test-passphrase accepts $PWD1,
# but a real activation with the same passphrase must fail.
700 prepare "" new
701 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
702 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
703 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
704 [ -b /dev/mapper/$DEV_NAME ] && fail
705 echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
706 [ -b /dev/mapper/$DEV_NAME ] && fail
707 echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
# NOTE(review): the luksKillSlot status is not checked here; a failure only
# shows up through the luksDump assertion on the next line.
708 $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
709 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
# With slot 0 gone the unassigned slot 1 still verifies the passphrase but
# still must not activate the device.
710 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
711 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
712 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
713
# Test [28]: LUKS2 header kept in a separate file ($HEADER_IMG, --header)
# while $LOOPDEV carries only the encrypted data.
714 prepare "[28] Detached LUKS header" wipe
715 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
# --align-payload 1 is expected to be rejected; 8192 and 4096 are accepted.
716 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
717 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
718 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 4096 >/dev/null || fail
# The crypt segment must report the payload alignment converted to bytes
# (4096 sectors * 512).
719 $CRYPTSETUP luksDump $HEADER_IMG | grep -e "0: crypt" -A1 | grep -qe $((4096*512)) || fail
720 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --align-payload 0 --sector-size 512 || fail
# Opening against a non-existent data device must fail even with a valid header.
721 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
722 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
723 echo $PWD1 | $CRYPTSETUP -q resize $DEV_NAME --size 100 --header $HEADER_IMG || fail
724 $CRYPTSETUP -q status $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
# Without --header, status is expected to show type "n/a" while the size is
# still reported.
725 $CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail
726 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
# Suspend works with or without --header; resume must be given the header
# (the attempt without it is expected to fail).
727 $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
728 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
729 $CRYPTSETUP luksSuspend $DEV_NAME || fail
730 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
731 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
732 $CRYPTSETUP luksClose $DEV_NAME || fail
# Keyslot management with a placeholder device name (_fakedev_): these
# commands succeed, so they act on the header file given by --header.
733 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
734 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail
735 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
736 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail
737 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
738 rm $HEADER_IMG || fail
739 # create exactly 16 MiBs LUKS2 header
# 16352k of keyslots plus two 16k metadata areas gives 16384k = 16777216 bytes,
# which is the header file size asserted below; --offset is in 512-byte
# sectors, hence the 512 * 131072 byte offset expected in luksDump.
740 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --luks2-keyslots-size 16352k --luks2-metadata-size 16k --offset 131072 >/dev/null || fail
741 SIZE=$(stat --printf=%s $HEADER_IMG)
742 test $SIZE -eq 16777216 || fail
743 $CRYPTSETUP -q luksDump $HEADER_IMG | grep -q "offset: $((512 * 131072)) \[bytes\]" || fail
744
# Test [29]: `repair` on a prebuilt image ($HEADER_LUKS2_PV) that isLuks does
# not accept as LUKS until it has been repaired.
745 prepare "[29] Repair metadata" wipe
# NOTE(review): the xz status is not checked; if decompression fails, the four
# `isLuks ... && fail` lines pass for the wrong reason and the problem only
# surfaces at `repair`.
746 xz -dk $HEADER_LUKS2_PV.xz
# Before repair: not recognised, with or without locking and with or without
# an explicit --type luks2.
747 $CRYPTSETUP isLuks --disable-locks $HEADER_LUKS2_PV && fail
748 $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
749 $CRYPTSETUP isLuks --disable-locks --type luks2 $HEADER_LUKS2_PV && fail
750 $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV && fail
751 $CRYPTSETUP -q repair $HEADER_LUKS2_PV || fail
# After repair: recognised as LUKS and as luks2, and not as luks1.
752 $CRYPTSETUP isLuks $HEADER_LUKS2_PV || fail
753 $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV || fail
754 $CRYPTSETUP isLuks --type luks1 $HEADER_LUKS2_PV && fail
755
# Test [30]: luksErase. Two keyslots (5 and 1) are created and confirmed in
# luksDump; after the erase neither may be listed any more.
756 prepare "[30] LUKS erase" wipe
757 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
758 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
759 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
760 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
# -q suppresses the confirmation prompt so the erase runs unattended.
761 $CRYPTSETUP luksErase -q $LOOPDEV || fail
762 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" && fail
763 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" && fail
764
# Test [31]: in-place header conversion between LUKS1 and LUKS2, including
# the cases where conversion must be refused.
765 prepare "[31] LUKS convert" wipe
766 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
767 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
# On a LUKS1 header, the JSON metadata dump and a convert to the type it
# already has are both expected to fail.
768 $CRYPTSETUP -q luksDump $LOOPDEV --dump-json-metadata >/dev/null 2>&1 && fail
769 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
770 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
771 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
# LUKS1 -> LUKS2 keeps both keyslots (same slot numbers), then convert back.
772 $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
773 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
774 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
775 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
776 # hash test
# Slot 0 is created with --hash sha1 and slot 1 with --hash sha256. Conversion
# to LUKS1 is refused while both exist and succeeds once slot 1 is removed
# (presumably because the hashes differ - confirm against the library).
777 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
778 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
779 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
780 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
781 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
782 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
783 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
784 # sector size test
# A LUKS2 volume formatted with --sector-size 1024 must not convert to LUKS1.
785 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail
786 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
787
788 # create LUKS1 with data offset not aligned to 4KiB
# The converted header must still be recognised as luks2 and the key must
# still verify.
789 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --align-payload 4097 || fail
790 $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
791 $CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail
792 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
793
# Test [32a]: runs only when dm_crypt_keyring_flawed reports true (helper
# defined elsewhere in this file). In that case the volume key must be passed
# to dm-crypt directly, so status has to show "key location: dm-crypt".
794 if dm_crypt_keyring_flawed; then
795 prepare "[32a] LUKS2 keyring dm-crypt bug" wipe
796 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
797 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
798 $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
799 $CRYPTSETUP close $DEV_NAME || fail
800 # key must not load in kernel key even when dm-crypt module is missing
# rmmod changes kernel module state on the host running the tests; the inner
# checks run only if the unload succeeded.
801 if rmmod dm-crypt >/dev/null 2>&1; then
802 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
803 $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
804 $CRYPTSETUP close $DEV_NAME || fail
805 fi
806 fi
807
# Test [32]: where the volume key lives for an active LUKS2 device. The
# "key location:" line of `status` is expected to read "keyring" by default
# and "dm-crypt" when --disable-keyring is given. Runs only when both helper
# predicates (defined elsewhere in this file) succeed.
808 if dm_crypt_keyring_support && dm_crypt_keyring_new_kernel; then
809 prepare "[32] LUKS2 key in keyring" wipe
810 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
811
812 # check keyring support detection works as expected
# The unload is best effort (`|| true`); it changes kernel module state on
# the test host.
813 rmmod dm-crypt >/dev/null 2>&1 || true
814 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
815 $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
816 $CRYPTSETUP close $DEV_NAME || fail
817
# Explicit opt-out at open time.
818 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
819 $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
820 $CRYPTSETUP close $DEV_NAME || fail
821
# Opened without keyring, resumed with default options: the key location
# is expected to switch to the keyring.
822 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --disable-keyring --header $HEADER_IMG $DEV_NAME || fail
823 $CRYPTSETUP luksSuspend $DEV_NAME || fail
824 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
825 $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "keyring" || fail
826 $CRYPTSETUP close $DEV_NAME || fail
827
# Opened with keyring, resumed with --disable-keyring: the location is
# expected to switch back to dm-crypt.
828 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
829 $CRYPTSETUP luksSuspend $DEV_NAME || fail
830 echo $PWD1 | $CRYPTSETUP luksResume --disable-keyring $DEV_NAME --header $HEADER_IMG || fail
831 $CRYPTSETUP -q status $DEV_NAME | grep "key location:" | grep -q "dm-crypt" || fail
832 $CRYPTSETUP close $DEV_NAME || fail
833 fi
834
# Test [33]: LUKS2 tokens. The keyring part runs only when $HAVE_KEYRING is
# positive and /proc/sys/kernel/keys exists; the import/export part always runs.
835 # FIXME: candidate for non-root tests
836 prepare "[33] tokens" wipe
837 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
# NOTE(review): `-a` inside [ ] is obsolescent; two tests joined with && would
# be the more robust spelling.
838 if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
839
840 test_and_prepare_keyring
841
# A keyring token stores only a key description; the passphrase itself is
# expected to be found in the kernel keyring under that description.
842 $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --token-id 3 || fail
843 $CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" || fail
844 # keyslot 5 is inactive
845 $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 5 2> /dev/null && fail
846 # key description is not reachable
847 $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase && fail
848 # wrong passphrase
# load_key is a helper defined elsewhere in this file; first a wrong value is
# stored under the description, then the real passphrase.
849 load_key user $TEST_TOKEN0 "blabla" "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
850 $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase 2>/dev/null && fail
851 load_key user $TEST_TOKEN0 $PWD1 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
852 $CRYPTSETUP open --token-only $LOOPDEV --test-passphrase || fail
853 $CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail
854 $CRYPTSETUP status $DEV_NAME > /dev/null || fail
855 $CRYPTSETUP close $DEV_NAME || fail
856
857 # check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
858 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 22 || fail
859 # this excludes keyring tokens from unlocking device
# With --token-type some_type the working keyring token must be ignored, so
# neither the passphrase test nor the activation may succeed.
860 $CRYPTSETUP open --token-only --token-type some_type $LOOPDEV --test-passphrase && fail
861 $CRYPTSETUP open --token-only --token-type some_type $LOOPDEV $DEV_NAME && fail
862 $CRYPTSETUP status $DEV_NAME > /dev/null && fail
863
864 $CRYPTSETUP token remove --token-id 3 $LOOPDEV || fail
865 $CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail
866
867 # test we can remove keyslot with token
868 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
869 $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail
870 $CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
871 fi
# Import/export round trip: the same JSON is imported from stdin, from
# `--json-file -` and from a file, and every export must be identical to the
# imported text ($TOKEN_FILE0).
872 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
873 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
874 echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
875 $CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 || fail
# Importing into an id that is already in use must be refused.
876 $CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 2>/dev/null && fail
877 $CRYPTSETUP token export $LOOPDEV --token-id 10 >$TOKEN_FILE1 || fail
878 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
879 $CRYPTSETUP token export $LOOPDEV --token-id 11 >$TOKEN_FILE1 || fail
880 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
881 $CRYPTSETUP token export $LOOPDEV --token-id 12 >$TOKEN_FILE1 || fail
882 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
# Export through --json-file into a file that already exists ($TOKEN_FILE1).
883 $CRYPTSETUP token export $LOOPDEV --token-id 12 --json-file $TOKEN_FILE1 || fail
884 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
885 $CRYPTSETUP token export $LOOPDEV --token-id 12 > $TOKEN_FILE1 || fail
886 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
887
# Test [34]: keyslot priority set through `config --priority`. A slot marked
# "ignore" is skipped unless it is named explicitly with -S.
888 prepare "[34] LUKS keyslot priority" wipe
889 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -S 1 || fail
890 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -S 5 || fail
# Slot 0 was never created and "bla" is not a priority name: both must fail.
891 $CRYPTSETUP config $LOOPDEV -S 0 --priority prefer && fail
892 $CRYPTSETUP config $LOOPDEV -S 1 --priority bla >/dev/null 2>&1 && fail
893 $CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
# $PWD1 (slot 1) no longer verifies without -S 1; $PWD2 (slot 5) is unaffected.
894 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase 2>/dev/null && fail
895 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase -S 1 || fail
896 echo $PWD2 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
# Back to "normal" restores the slot; "ignore" hides it again.
897 $CRYPTSETUP config $LOOPDEV -S 1 --priority normal || fail
898 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
899 $CRYPTSETUP config $LOOPDEV -S 1 --priority ignore || fail
900 echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase 2>/dev/null && fail
901
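# Test [35]: LUKS2 label and subsystem header fields, set at format time and
# changed afterwards with `config`.
prepare "[35] LUKS label and subsystem" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
# A fresh header reports placeholders for both fields.
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "(no subsystem)" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --subsystem SatelliteTwo --label TheLabel || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteTwo" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
# `config` with only --subsystem: the test expects the label to be cleared.
# The exit status is now checked so a failing `config` is reported at the
# command that failed instead of at the following luksDump assertion.
$CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
# Setting both fields in one call.
$CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree --label TheLabel || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail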
915
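# Test [36]: PBKDF selection and cost parameters stored in the LUKS2 header.
# Forced values must appear in luksDump exactly as given, and values below the
# enforced minimum must be rejected. The numeric and algorithm checks use
# `grep -w` so that the expected value has to match as a whole word: a plain
# substring match would also accept e.g. "argon2id" for "argon2i", or
# "Threads: 10" for "1".
# The argon2 steps end in can_fail_fips (helper defined elsewhere in this file)
# instead of fail.
prepare "[36] LUKS PBKDF setting" wipe
# Unknown PBKDF name must be refused.
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf bla $LOOPDEV >/dev/null 2>&1 && fail
# Force setting, no benchmark. PBKDF2 has 1000 iterations as a minimum
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 999 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -qw "1234" || fail
# For argon2id, 3 forced iterations are rejected and 4 are accepted.
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -qw "argon2id" || can_fail_fips
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 4 \
  --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -qw "argon2i" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -qw "4" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -qw "1234" || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -qw "1" || can_fail_fips
# Benchmark
# With -i (iteration time in ms) the costs are measured instead of forced, so
# only "greater than zero" / "above the PBKDF2 minimum" can be asserted. The
# leading 0 keeps the numeric test valid if the pipeline prints nothing.
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i -i 500 --pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || can_fail_fips
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | cut -d: -f 2 | sed -e 's/\ //g')" -gt 0 ] || can_fail_fips
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2 -i 500 $LOOPDEV || fail
[ 0"$($CRYPTSETUP luksDump $LOOPDEV | grep -m1 "Iterations:" | cut -d' ' -f 2 | sed -e 's/\ //g')" -gt 1000 ] || fail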
937
# Test [37]: luksConvertKey re-wraps an existing keyslot with different PBKDF
# parameters. It must be refused on LUKS1 and work after conversion to LUKS2.
938 prepare "[37] LUKS Keyslot convert" wipe
939 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --key-slot 5 || fail
940 $CRYPTSETUP -q luksConvertKey $LOOPDEV --key-file $KEY5 2>/dev/null && fail
941 $CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
942 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
943 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
# Keyfile-unlocked slot 5: pbkdf2 -> argon2i. The argon2 steps end in
# can_fail_fips (helper defined elsewhere in this file) instead of fail.
944 $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 5 --key-file $KEY5 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
945 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || can_fail_fips
# Same conversion for a passphrase slot (slot 1) once slot 5 has been removed.
946 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -S 1 --key-file $KEY5 || fail
947 $CRYPTSETUP -q luksKillSlot $LOOPDEV 5 || fail
948 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
949 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
950 echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
951 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
# An unbound slot (21) can be converted too.
952 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
953 echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
954
# Test [38]: unbound keyslots (luksAddKey --unbound). The test expects a
# passphrase of such a slot to verify with --test-passphrase but never to
# activate the device or to authorise adding a regular keyslot.
955 prepare "[38] luksAddKey unbound tests" wipe
956 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
957 # unbound key may have arbitrary size
958 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
959 echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
960 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
# 64 random bytes (512 bits, matching -s 512) become the unbound key of slot 3;
# $KEY_FILE0 is kept to compare against the later key dump.
961 dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
962 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 512 -S 3 --master-key-file $KEY_FILE0 $LOOPDEV || fail
963 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" || fail
964 # unbound key size is required
965 echo $PWD1 | $CRYPTSETUP -q luksAddKey --unbound $LOOPDEV 2>/dev/null && fail
966 echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --master-key-file /dev/urandom $LOOPDEV 2> /dev/null && fail
967 # do not allow to replace keyslot by unbound slot
968 echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
# Unbound passphrases verify with --test-passphrase but must not activate.
969 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
970 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
971 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
972 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
973 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
974 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
975 # check we're able to change passphrase for unbound keyslot
976 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
977 echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
978 echo $PWD3 | $CRYPTSETUP -q open -S 2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
979 # do not allow adding keyslot by unbound keyslot
980 echo -e "$PWD3\n$PWD1" | $CRYPTSETUP -q luksAddKey $LOOPDEV 2> /dev/null && fail
981 # check adding keyslot works when there's unbound keyslot
982 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-file $KEY5 -S8 || fail
983 echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
984 $CRYPTSETUP close $DEV_NAME || fail
# NOTE(review): the luksKillSlot status is not checked here; a failure only
# shows up through the luksDump assertion on the next line.
985 $CRYPTSETUP luksKillSlot -q $LOOPDEV 2
986 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" && fail
# Dumping an unbound key writes raw key material, so the guard rails are
# tested: without -S the dump is refused (with or without a key file), the
# dumped file must equal the key that was stored, and a second dump must not
# overwrite a key file that already exists.
# NOTE(review): line 988 carries `2> /dev/null` twice; the duplicate is harmless.
987 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 $LOOPDEV 2> /dev/null && fail
988 echo $PWD3 | $CRYPTSETUP luksDump --unbound 2> /dev/null $LOOPDEV 2> /dev/null && fail
989 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV > /dev/null || fail
990 diff $KEY_FILE0 $KEY_FILE1 || fail
991 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV 2> /dev/null && fail
992 diff $KEY_FILE0 $KEY_FILE1 || fail
993 rm $KEY_FILE1 || fail
# When the key goes to a file it must not also be printed ("Unbound Key:"
# absent); without --master-key-file it is printed to stdout.
994 echo $PWD3 | $CRYPTSETUP luksDump --unbound --master-key-file $KEY_FILE1 -S3 $LOOPDEV | grep -q "Unbound Key:" && fail
995 echo $PWD3 | $CRYPTSETUP luksDump --unbound -S3 $LOOPDEV | grep -q "Unbound Key:" || fail
996 $CRYPTSETUP luksKillSlot -q $LOOPDEV 3 || fail
997 $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail
998
# Test [39]: prebuilt LUKS2 images named test_image_<size>. The "[$mda KiB]"
# progress label suggests that <size> is the metadata area size in KiB. Each
# image must open with $PWD4, accept a new keyslot, and round-trip a token.
999 prepare "[39] LUKS2 metadata variants" wipe
# NOTE(review): the tar status is not checked; a failed extraction surfaces at
# the first `open` in the loop.
1000 tar xJf luks2_mda_images.tar.xz
1001 echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
1002 for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
1003 echo -n "[$mda KiB]"
1004 echo $PWD4 | $CRYPTSETUP open test_image_$mda $DEV_NAME || fail
1005 $CRYPTSETUP close $DEV_NAME || fail
# Writing a keyslot and a token forces a metadata update in each layout.
1006 echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -S9 $FAST_PBKDF_OPT test_image_$mda || fail
1007 echo $PWD4 | $CRYPTSETUP open --test-passphrase test_image_$mda || fail
1008 echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase test_image_$mda || fail
1009 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import test_image_$mda --token-id 10 || fail
1010 $CRYPTSETUP token export test_image_$mda --token-id 10 >$TOKEN_FILE1 || fail
1011 diff $TOKEN_FILE1 $TOKEN_FILE0 || fail
1012 echo -n "[OK]"
1013 done
1014 echo
1015
# Test [40]: explicit sizes for the LUKS2 metadata and keyslots areas
# (--luks2-metadata-size, --luks2-keyslots-size) and their interaction with
# the data offset.
1016 prepare "[40] LUKS2 metadata areas" wipe
1017 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV 2> /dev/null || fail
# Data offset of a default format, taken from luksDump; the keyslots-area
# check on line 1028 is computed from it.
1018 DEFAULT_OFFSET=$($CRYPTSETUP luksDump $LOOPDEV | grep "offset: " | cut -f 2 -d ' ')
# Rejected: the LUKS2 size options on a luks1 format, 127k for either area,
# and a 128M keyslots area.
1019 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k 2> /dev/null && fail
1020 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
1021 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
1022 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128M >/dev/null 2>&1 && fail
# Accepted: 128k for both areas, reported as 131072 bytes each.
1023 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail
1024 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
1025 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
# Only the metadata size given: the keyslots area is expected to fill the rest
# of the default offset after two metadata areas.
1026 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k || fail
1027 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
1028 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "$((DEFAULT_OFFSET-2*131072)) \[bytes\]" || fail
# Only the keyslots size given: the metadata area is reported as 16384 bytes.
1029 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-keyslots-size=128k >/dev/null || fail
1030 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
1031 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
# --offset 16384 sectors = 8388608 bytes; minus two 16384-byte metadata areas
# that leaves the 8355840-byte keyslots area asserted below.
1032 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset 16384 || fail
1033 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
1034 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "8355840 \[bytes\]" || fail
1035 # data offset vs area size
# Offsets of 64 and 256+56 sectors are rejected and 256+64 is accepted
# (presumably the smallest offset that still leaves room for the header and
# keyslots - confirm against the library).
1036 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset 64 --luks2-keyslots-size=8192 >/dev/null 2>&1 && fail
1037 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset $((256+56)) >/dev/null 2>&1 && fail
1038 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --offset $((256+64)) >/dev/null || fail
1039
# Test [41]: --keyslot-cipher / --keyslot-key-size select the cipher that
# encrypts the keyslot area itself, independently of the data cipher. After
# each operation the slot's "Cipher:" and "Cipher key:" lines in luksDump must
# show the requested values.
# NOTE(review): the dumps read $IMG while every other command uses $LOOPDEV;
# presumably $IMG is the backing file of $LOOPDEV - confirm against prepare().
1040 prepare "[41] Per-keyslot encryption parameters" wipe
1041 KEYSLOT_CIPHER="aes-cbc-plain64"
# At format time (slot 0).
1042 $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
1043 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
1044 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "0: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
# Through luksAddKey (slot 1).
1045 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 1 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
1046 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "1: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
1047 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "1: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
# Through luksChangeKey on a slot that was added without the options (slot 2).
1048 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT --key-slot 2 || fail
1049 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 || fail
1050 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
1051 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
1052 # unbound keyslot
1053 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
1054 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
1055 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
# Through luksConvertKey on an unbound slot created without the options.
# NOTE(review): $LOOPDEV appears twice on line 1057; the second occurrence
# looks like a leftover.
1056 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
1057 echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
1058 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
1059 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
1060
# Test [42]: luksFormat must accept each listed cipher specification with a
# 256-bit key. The list deliberately includes legacy modes (aes-ecb,
# aes-cbc-null): the loop only checks that formatting succeeds, it says nothing
# about whether a mode is suitable for protecting data.
1061 prepare "[42] Some encryption compatibility mode tests" wipe
1062 CIPHERS="aes-ecb aes-cbc-null aes-cbc-plain64 aes-cbc-essiv:sha256 aes-xts-plain64"
1063 key_size=256
# $CIPHERS is left unquoted on purpose so that it splits into one word per cipher.
1064 for cipher in $CIPHERS ; do
1065 echo -n "[$cipher/$key_size]"
1066 $CRYPTSETUP -q luksFormat --type luks2 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --cipher $cipher --key-size $key_size || fail
1067 done
1068 echo
1069
# All tests passed: call remove_mapping (defined near the top of the file) to
# tear down the test mappings, then exit with success.
1070 remove_mapping
1071 exit 0