"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/tests/keyring-compat-test" (13 Jan 2022, 8433 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:



    1 #!/bin/bash
    2 
    # Cipher specifications exercised through dm-crypt tables further down.
    CIPHER_XTS_PLAIN="aes-xts-plain64"
    CIPHER_CBC_ESSIV="aes-cbc-essiv:sha256"
    CIPHER_CBC_TCW="serpent-cbc-tcw"
    # TODO: mode with LMK

    # Scratch keyring that collects every key this test loads.
    TEST_KEYRING_NAME="keyringtest_keyring"

    # Descriptions of the logon keys, one per key size in bytes.
    LOGON_KEY_16_OK="dmtst:lkey_16"
    LOGON_KEY_32_OK="dmtst:lkey_32"
    LOGON_KEY_64_OK="dmtst:lkey_64"

    # Fixed hex key material (16, 32 and 64 bytes) used purely as test vectors.
    # The same values are passed in dmsetup tables below, so they are public.
    HEXKEY_16="be21aa8c733229347bd4e681891e213d"
    HEXKEY_32="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"
    HEXKEY_64="34f95b96abff946b64f1339ff8653cc77c38697c93b797a496f3786e86eed7781850d5112bbae17d209b8310a8f3a034f1cd297667bc0cd1438fad28d87ef6a1"

    # Size of the scratch device and the same size in 512-byte sectors.
    DEVSIZEMB=16
    DEVSECTORS=$(( DEVSIZEMB * 1024 * 1024 / 512 ))
    NAME=testcryptdev
    # Files holding the checksum taken with the raw key and with the keyring key.
    CHKS_DMCRYPT=vk_in_dmcrypt.chk
    CHKS_KEYRING=vk_in_keyring.chk

    # Passphrase for the LUKS2 section at the end of the script.
    # NOTE(review): PWD is also the name bash uses for the working directory,
    # so this assignment shadows it for the rest of the script; a dedicated
    # variable name would be safer.
    PWD="aaa"

    # Fall back to the parent directory when no cryptsetup location is given.
    CRYPTSETUP_PATH="${CRYPTSETUP_PATH:-..}"
    CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup

    # FIPS_MODE is only read when the /etc/system-fips marker file exists.
    if [ -f /etc/system-fips ]; then
        FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
    fi
   30 
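   # Tear down whatever the test created: the dm mapping, the test keyring,
   # the scsi_debug module and both checksum files. Every step is best-effort.
   # Globals: NAME, TEST_KEYRING, CHKS_DMCRYPT, CHKS_KEYRING (all read)
   # Returns: exit status of the final rm.
   function remove_mapping()
   {
       if [ -b "/dev/mapper/$NAME" ]; then
           dmsetup remove --retry "$NAME"
       fi

       # unlink whole test keyring
       if [ -n "$TEST_KEYRING" ]; then
           keyctl unlink "$TEST_KEYRING" "@u" >/dev/null
       fi

       rmmod scsi_debug >/dev/null 2>&1

       # Quoted and preceded by "--" so a path with spaces or a leading dash is
       # removed as exactly one file; this cleanup runs as root.
       rm -f -- "$CHKS_DMCRYPT" "$CHKS_KEYRING"
   }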
   42 
   # Print the optional reason in $1, clean up, and leave with exit status 77
   # (the status test harnesses such as automake report as "skipped").
   function skip()
   {
       if [ -n "$1" ]; then
           echo "$1"
       fi
       remove_mapping
       exit 77
   }
   49 
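   # Print the optional message in $1 and a call-stack backtrace, clean up,
   # and leave with exit status 2.
   function fail()
   {
       # Start at frame 0 with a local counter: an unset or stale global
       # "frame" would otherwise skip frames or print none at all.
       local frame=0

       [ -n "$1" ] && echo "$1"
       echo "FAILED backtrace:"
       while caller $frame; do ((frame++)); done
       remove_mapping
       exit 2
   }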
   58 
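   # Convert a hex string to raw bytes and add it to the kernel keyring.
   # $1 hexbyte key
   # $2 type
   # $3 description
   # $4 keyring
   # Returns: exit status of keyctl (the last command of the pipeline).
   function load_key()
   {
       local hexkey="$1"
       shift
       # The key travels through the pipe to "keyctl padd", never on a command
       # line. printf avoids echo's option parsing, and "$@" keeps type,
       # description and keyring as one word each.
       printf '%s' "$hexkey" | xxd -r -p | keyctl padd "$@" >/dev/null
   }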
   69 
   # Succeed when the dm-crypt target reported by "dmsetup targets" is
   # version 1.15 or newer. Sets the globals VER_STR, VER_MAJ and VER_MIN and
   # calls fail when no version string can be extracted.
   function dm_crypt_keyring_support()
   {
       VER_STR=$(dmsetup targets | grep crypt | cut -dv -f2)
       if [ -z "$VER_STR" ]; then
           fail "Failed to parse dm-crypt version."
       fi

       VER_MAJ=$(echo $VER_STR | cut -d. -f1)
       VER_MIN=$(echo $VER_STR | cut -d. -f2)

       # run the test with dm-crypt v1.15.0+ on purpose
       # the fix is in dm-crypt v1.18.1+
       if [ $VER_MAJ -gt 1 ]; then
           return 0
       elif [ $VER_MAJ -lt 1 ]; then
           return 1
       fi
       # Major version is exactly 1: the minor version decides.
       [ $VER_MIN -ge 15 ]
   }
   84 
   # Check that the kernel keyring is usable and create the test keyring.
   # Sets the global TEST_KEYRING to the output of "keyctl newring"; calls skip
   # when the session keyring, the new keyring or a trial key load fails.
   function test_and_prepare_keyring() {
       if ! keyctl list "@s" > /dev/null; then
           skip "Current session keyring is unreachable, test skipped"
       fi

       TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
       if [ -z "$TEST_KEYRING" ]; then
           skip "Failed to create keyring in user keyring"
       fi

       # Link the user keyring into the session keyring when the search fails.
       # NOTE(review): the search is given $TEST_KEYRING (the value printed by
       # newring) where keyctl search takes a description; confirm whether
       # $TEST_KEYRING_NAME was intended.
       if ! keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1; then
           keyctl link "@u" "@s" > /dev/null 2>&1
       fi

       # Trial load of a "user" key proves the keyring service actually works.
       if ! load_key "$HEXKEY_16" user test_key "$TEST_KEYRING"; then
           skip "Kernel keyring service is useless on this system, test skipped."
       fi
   }
   92 
   # Succeed only when FIPS_MODE is set to a number greater than zero.
   function fips_mode()
   {
       if [ -z "$FIPS_MODE" ]; then
           return 1
       fi
       [ "$FIPS_MODE" -gt 0 ]
   }
   97 
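   # Load scsi_debug with the given module options and record the resulting
   # block device in the global DEV.
   # Arguments: "$@" - extra scsi_debug module parameters
   # Exits with 77 when the module cannot be (re)loaded; calls fail when no
   # block device is found.
   add_device() {
       rmmod scsi_debug >/dev/null 2>&1
       if [ -d /sys/module/scsi_debug ] ; then
           echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
           exit 77
       fi

       # "$@" passes each module option as one word.
       if ! modprobe scsi_debug "$@" delay=0 >/dev/null 2>&1; then
           echo "This kernel seems to not support proper scsi_debug module, test skipped."
           exit 77
       fi

       sleep 2
       DEV=$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)

       # The script later overwrites DEV with random data, so refuse anything
       # that is not a single block device (an empty or multi-line match gives
       # a path that fails the -b check).
       DEV="/dev/$DEV"
       [ -b "$DEV" ] || fail "Cannot find $DEV."
   }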
  117 
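  # Preconditions: root, the required tools, and a dm-crypt that accepts
  # keyring keys. "command -v" is a shell builtin, so the lookup does not
  # depend on a separate "which" binary being installed.
  [ "$(id -u)" != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
  command -v dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"
  command -v keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
  command -v xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped"
  command -v sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped"
  modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
  dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."

  test_and_prepare_keyring

  add_device dev_size_mb=$DEVSIZEMB

  # Destructive: fills the scsi_debug device found by add_device with random
  # data. DEV is quoted so the write can only go to that one path.
  dd if=/dev/urandom of="$DEV" bs=1M count="$DEVSIZEMB" oflag=direct > /dev/null 2>&1 || fail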
  131 
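  #test aes cipher with xts mode, plain IV
  # The device is mapped once with the raw hex key in the table and once with
  # a reference to a logon key in the kernel keyring; both mappings must read
  # back identical data. sha1sum is only a change detector here. The raw key
  # is visible in dmsetup's arguments, acceptable only for fixed test vectors.
  echo -n "Testing $CIPHER_XTS_PLAIN..."
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_DMCRYPT" || fail
  dmsetup remove --retry "$NAME" || fail
  load_key "$HEXKEY_32" logon "$LOGON_KEY_32_OK" "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_KEYRING" || fail
  dmsetup remove --retry "$NAME" || fail
  diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksums mismatch (corruption)"
  # same test using message
  # The key is wiped and replaced by the keyring reference on a suspended
  # mapping instead of being supplied in the table at creation.
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_DMCRYPT" || fail
  dmsetup remove --retry "$NAME" || fail
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
  dmsetup suspend "$NAME" || fail
  dmsetup message "$NAME" 0 key wipe || fail
  dmsetup message "$NAME" 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
  dmsetup resume "$NAME" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_KEYRING" || fail
  dmsetup remove --retry "$NAME" || fail
  diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksums mismatch (corruption)"
  echo "OK"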
  155 
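  #test aes cipher, cbc mode, essiv IV
  # Same comparison as for the other ciphers: raw hex key in the table versus
  # a 16-byte logon key referenced from the kernel keyring.
  echo -n "Testing $CIPHER_CBC_ESSIV..."
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_DMCRYPT" || fail
  dmsetup remove --retry "$NAME" || fail
  load_key "$HEXKEY_16" logon "$LOGON_KEY_16_OK" "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_KEYRING" || fail
  dmsetup remove --retry "$NAME" || fail
  diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksums mismatch (corruption)"
  # same test using message
  # The key is wiped and replaced by the keyring reference on a suspended
  # mapping instead of being supplied in the table at creation.
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_DMCRYPT" || fail
  dmsetup remove --retry "$NAME" || fail
  dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
  dmsetup suspend "$NAME" || fail
  dmsetup message "$NAME" 0 key wipe || fail
  dmsetup message "$NAME" 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
  dmsetup resume "$NAME" || fail
  sha1sum "/dev/mapper/$NAME" > "$CHKS_KEYRING" || fail
  dmsetup remove --retry "$NAME" || fail
  diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksums mismatch (corruption)"
  echo "OK"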
  179 
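  #test serpent cipher, cbc mode, tcw IV
  # Skipped when fips_mode succeeds (presumably because this cipher mode is
  # not available under FIPS; confirm). Uses the 64-byte key.
  fips_mode || {
      echo -n "Testing $CIPHER_CBC_TCW..."
      dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
      sha1sum "/dev/mapper/$NAME" > "$CHKS_DMCRYPT" || fail
      dmsetup remove --retry "$NAME" || fail
      # The message names the key size actually loaded here (64 bytes).
      load_key "$HEXKEY_64" logon "$LOGON_KEY_64_OK" "$TEST_KEYRING" || fail "Cannot load 64 byte logon key type"
      dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
      sha1sum "/dev/mapper/$NAME" > "$CHKS_KEYRING" || fail
      dmsetup remove --retry "$NAME" || fail
      diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksum mismatch (corruption)"
      # same test using message
      # The key is wiped and replaced by the keyring reference on a suspended
      # mapping instead of being supplied in the table at creation.
      dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
      sha1sum "/dev/mapper/$NAME" > "$CHKS_DMCRYPT" || fail
      dmsetup remove --retry "$NAME" || fail
      dmsetup create "$NAME" --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
      dmsetup suspend "$NAME" || fail
      dmsetup message "$NAME" 0 key wipe || fail
      dmsetup message "$NAME" 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
      dmsetup resume "$NAME" || fail
      sha1sum "/dev/mapper/$NAME" > "$CHKS_KEYRING" || fail
      dmsetup remove --retry "$NAME" || fail
      diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksums mismatch (corruption)"
      echo "OK"
  }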
  205 
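  # LUKS2: open the device with the volume key in the kernel keyring, then
  # refresh it with --disable-keyring and check that the plaintext is unchanged.
  # The forced 1000 PBKDF2 iterations, --force-password and the passphrase in
  # PWD are test-only settings (presumably chosen for speed); they are far too
  # weak for a real volume.
  echo -n "Test LUKS2 key refresh..."
  echo "$PWD" | "$CRYPTSETUP" luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password "$DEV" || fail
  echo "$PWD" | "$CRYPTSETUP" open "$DEV" "$NAME" || fail
  "$CRYPTSETUP" status "$NAME" | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
  dd if="/dev/mapper/$NAME" bs=1M iflag=direct status=none | sha1sum > "$CHKS_KEYRING" || fail
  echo "$PWD" | "$CRYPTSETUP" refresh "$NAME" --disable-keyring || fail
  # After the refresh the status output must no longer report a keyring location.
  "$CRYPTSETUP" status "$NAME" | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
  dd if="/dev/mapper/$NAME" bs=1M iflag=direct status=none | sha1sum > "$CHKS_DMCRYPT" || fail
  diff "$CHKS_DMCRYPT" "$CHKS_KEYRING" || fail "Plaintext checksum mismatch (corruption)"
  echo "OK"

  remove_mapping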