#!/bin/bash

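# Prefix every `set -x` trace line with the script line number.
PS4='$LINENO:'
# Binary under test; swapped for valgrind_run when VALG is set (see below).
CRYPTSETUP=../cryptsetup

# Un-wrapped binary and library directory used for valgrind runs.
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../.libs

# device-mapper names created and removed by the tests
DEV_NAME=dummy
DEV_NAME2=dummy2
DEV_NAME3=dummy3
# Scratch image, header and key files; all are deleted by remove_mapping().
ORIG_IMG=luks-test-orig
IMG=luks-test
IMG10=luks-test-v10
HEADER_IMG=luks-header
KEY1=key1
KEY2=key2
KEY5=key5
KEYE=keye
# Fixed test passphrases, piped to cryptsetup on stdin. PWD0 opens the bundled
# compat images; PWDW is used where a wrong passphrase is expected.
# They are throwaway fixtures for the scratch images only.
PWD0="compatkey"
PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE"
PWD3="ocMakf3fAcQO"
PWDW="rUkL4RUryBom"
VK_FILE="compattest_vkfile"

# Forces PBKDF2 with 1000 iterations so key-slot operations run quickly.
# That removes the brute-force cost a real volume depends on: test use only.
# Expanded unquoted on purpose so it splits into separate options.
FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"

# Byte-range lists handed to ./differ through check(). The S/R/A prefixes are
# interpreted by differ, which is not part of this file.
LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591"
KEY_SLOT0="S208-211 S212-215 R216-247 A248-251 A251-255"
KEY_MATERIAL0="R4096-68096"
KEY_MATERIAL0_EXT="R4096-68096"

KEY_SLOT1="S256-259 S260-263 R264-295 A296-299 A300-303"
KEY_MATERIAL1="R69632-133632"
KEY_MATERIAL1_EXT="S69632-133632"

KEY_SLOT5="S448-451 S452-455 R456-487 A488-491 A492-495"
KEY_MATERIAL5="R331776-395264"
KEY_MATERIAL5_EXT="S331776-395264"

TEST_UUID="12345678-1234-1234-1234-123456789abc"

# First unused loop device; stays empty when losetup fails (checked before
# the root-only tests start).
LOOPDEV=$(losetup -f 2>/dev/null)
# FIPS_MODE is only set when /etc/system-fips exists; the value is the
# kernel's fips_enabled flag.
[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)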

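# Tear down whatever a test left behind: the dm mappings, the loop device
# binding and every scratch image/key file.
# Globals: DEV_NAME, DEV_NAME2, DEV_NAME3, LOOPDEV and the file-name
#          variables listed in the rm call (all read).
# Returns: exit status of the final rm.
function remove_mapping()
{
	local name

	# Order DEV_NAME3, DEV_NAME2, DEV_NAME: tests stack DEV_NAME2 on top of
	# DEV_NAME, so the upper mapping has to go first.
	for name in "$DEV_NAME3" "$DEV_NAME2" "$DEV_NAME"; do
		[ -b "/dev/mapper/$name" ] && dmsetup remove "$name" >/dev/null 2>&1
	done
	# Best effort: the loop device may not be attached at all.
	losetup -d "$LOOPDEV" >/dev/null 2>&1
	rm -f -- "$ORIG_IMG" "$IMG" "$IMG10" "$KEY1" "$KEY2" "$KEY5" "$KEYE" \
		"$HEADER_IMG" "$VK_FILE" missing-file >/dev/null 2>&1
}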

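# Ask the kernel to emit a "change" uevent for the loop device.
# Globals: LOOPDEV (read), DNAME (written; third '/'-separated field of
#          LOOPDEV, e.g. "loop0" for /dev/loop0).
function force_uevent()
{
	DNAME=$(printf '%s\n' "$LOOPDEV" | cut -f3 -d /)
	# Quoted so an unexpected LOOPDEV value cannot split into extra words.
	echo "change" >"/sys/block/$DNAME/uevent"
}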

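# Print an optional message, clean up, report where the failure happened and
# abort the script.
# Arguments: $1 - optional message
# Exits with status 2.
function fail()
{
	[ -n "$1" ] && echo "$1"
	remove_mapping
	# `caller` prints the line number and file of the code that called fail().
	echo "FAILED at line $(caller)"
	exit 2
}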

# Succeeds only when FIPS_MODE holds a number greater than zero.
# Globals: FIPS_MODE (read)
function fips_mode()
{
	# Unset or empty means the FIPS marker file was absent at start-up.
	if [ -z "$FIPS_MODE" ]; then
		return 1
	fi
	[ "$FIPS_MODE" -gt 0 ]
}

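# Failure handler for steps that are allowed to fail in FIPS mode: the
# failure is ignored when fips_mode succeeds, otherwise fail() is called.
# Arguments: $1 - optional message passed on to fail()
function can_fail_fips()
{
	# Quoted so a message containing spaces reaches fail() as one argument.
	fips_mode || fail "$1"
}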

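# Print an optional message, clean up and end the run as "skipped".
# Arguments: $1 - optional message
#            $2 - optional exit status overriding the default
# Exits with $2 when given, otherwise 77 (the status Automake-style test
# harnesses report as SKIP).
function skip()
{
	[ -n "$1" ] && echo "$1"
	remove_mapping
	# The test must be -n. With -z the branch ran only for an empty $2, and
	# the resulting bare `exit` returned 0, so a skipped run was reported as
	# a pass.
	[ -n "$2" ] && exit "$2"
	exit 77
}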

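# Put the scratch image, loop device and key files into a known state before
# a test case and keep a pristine copy of the image for check().
# Arguments:
#   $1 - optional case title, printed as "CASE: <title>"
#   $2 - image mode:
#        file  - fresh zero-filled image, no loop device attached
#        wipe  - fresh zero-filled image attached to LOOPDEV
#        new   - bundled compat images unpacked, IMG attached to LOOPDEV
#        other - reuse existing images, unpacking them only if missing
function prepare()
{
	[ -b "/dev/mapper/$DEV_NAME" ] && dmsetup remove "$DEV_NAME" >/dev/null 2>&1

	case "$2" in
	file)
		remove_mapping
		dd if=/dev/zero of="$IMG" bs=1k count=10000 >/dev/null 2>&1
		sync
		;;
	wipe)
		remove_mapping
		dd if=/dev/zero of="$IMG" bs=1k count=10000 >/dev/null 2>&1
		sync
		losetup "$LOOPDEV" "$IMG"
		;;
	new)
		remove_mapping
		xz -cd compatimage.img.xz > "$IMG"
		# FIXME: switch to internal loop (no losetup at all)
		# $CRYPTSETUP stays unquoted: it may name the valgrind_run function.
		echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase "$IMG" 2>&1 | \
			grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
		losetup "$LOOPDEV" "$IMG"
		xz -cd compatv10image.img.xz > "$IMG10"
		;;
	reuse | *)
		if [ ! -e "$IMG" ]; then
			xz -cd compatimage.img.xz > "$IMG"
			losetup "$LOOPDEV" "$IMG"
		fi
		[ ! -e "$IMG10" ] && xz -cd compatv10image.img.xz > "$IMG10"
		;;
	esac

	if [ ! -e "$KEY1" ]; then
		# Fixed 32-byte key file (two 16-byte halves) instead of random
		# data, so KEY1 is the same on every run.
		#dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
		echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >"$KEY1"
		echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>"$KEY1"
	fi

	# KEY2 and KEY5 are 16 random bytes each, created once and then reused.
	if [ ! -e "$KEY2" ]; then
		dd if=/dev/urandom of="$KEY2" count=1 bs=16 >/dev/null 2>&1
	fi

	if [ ! -e "$KEY5" ]; then
		dd if=/dev/urandom of="$KEY5" count=1 bs=16 >/dev/null 2>&1
	fi

	# KEYE is an empty key file.
	if [ ! -e "$KEYE" ]; then
		touch "$KEYE"
	fi

	# Snapshot that check() later diffs the modified image against.
	cp "$IMG" "$ORIG_IMG"
	[ -n "$1" ] && echo "CASE: $1"
}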

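# Compare the current image with the snapshot taken by prepare().
# Arguments: $1 - space-separated region list for ./differ; when empty only
#                 the sync is done and nothing is compared.
# Calls fail() when ./differ exits non-zero.
function check()
{
	sync
	[ -z "$1" ] && return
	# $1 is deliberately unquoted: each region has to reach differ as its
	# own argument.
	# shellcheck disable=SC2086
	./differ "$ORIG_IMG" "$IMG" $1 || fail
}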

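# Require that the DEV_NAME mapping exists as a block device, then run the
# image comparison.
# Arguments: $1 - optional region list, handed to check() unchanged
function check_exists()
{
	[ -b "/dev/mapper/$DEV_NAME" ] || fail
	# Quoted: check() takes the whole list as one argument, so an unquoted
	# $1 would silently drop every region after the first.
	check "$1"
}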

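# Check the prerequisites for a valgrind run and put the freshly built
# library directory first on the library search path.
# Globals: CRYPTSETUP_VALGRIND, CRYPTSETUP_LIB_VALGRIND (read),
#          LD_LIBRARY_PATH (exported)
function valgrind_setup()
{
	command -v valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
	[ ! -f "$CRYPTSETUP_VALGRIND" ] && fail "Unable to get location of cryptsetup executable."
	# Append the old value only when there is one. A trailing ':' leaves an
	# empty element, which the dynamic loader treats as the current
	# directory, and this suite is normally run as root.
	export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}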

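# Run the un-wrapped cryptsetup binary through ./valg.sh, tagging the run
# with the calling script name and line via INFOSTRING.
# Arguments: "$@" - passed through to cryptsetup unchanged
function valgrind_run()
{
	# BASH_SOURCE[1]/BASH_LINENO[0] identify the caller of this function.
	INFOSTRING="$(basename "${BASH_SOURCE[1]}")-line-${BASH_LINENO[0]}" ./valg.sh "${CRYPTSETUP_VALGRIND}" "$@"
}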

export LANG=C

[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run

# LUKS non-root-tests
if [ $(id -u) != 0 ]; then
	$CRYPTSETUP benchmark -c aes-xts-plain64 >/dev/null 2>&1 || \
		skip "WARNING: Cannot run test without kernel userspace crypto API, test skipped."
fi

prepare "Image in file tests (root capabilities not required)" file
echo "[1] format"
echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
echo "[2] open"
echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
echo "[3] add key"
echo $PWD1 | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
echo -e "$PWD0\n$PWD1" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
echo "[4] change key"
echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
echo "[5] remove key"
# delete active keys PWD0, PWD2
echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksRemove should return EPERM exit code"
echo $PWD0 | $CRYPTSETUP luksRemoveKey $IMG || fail
echo $PWD2 | $CRYPTSETUP luksRemoveKey $IMG || fail
# check if keys were deleted
echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
echo "[6] kill slot"
# format new luks device with active keys PWD1, PWD2
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
# deactivate keys by killing slots
$CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail
$CRYPTSETUP luksDump $IMG | grep -q "Key Slot 1: ENABLED" || fail
$CRYPTSETUP luksDump $IMG | grep -q "Key Slot 2: DISABLED" || fail
echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 0 2>/dev/null && fail
echo $PWD2 | $CRYPTSETUP -q luksKillSlot $IMG 0 || fail
$CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: DISABLED" || fail
echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 1 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksKill should return EPERM exit code"
echo $PWD2 | $CRYPTSETUP -q luksKillSlot $IMG 1 || fail
$CRYPTSETUP luksDump $IMG | grep -q "Key Slot 1: DISABLED" || fail
# check if keys were deactivated
echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
echo "[7] header backup"
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG || fail
echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
echo "[8] header restore"
$CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
echo "[9] luksDump"
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -d $KEY1 || fail
$CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail
$CRYPTSETUP luksDump $IMG | grep -q $TEST_UUID || fail
echo $PWDW | $CRYPTSETUP luksDump $IMG --dump-master-key 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksDump $IMG --dump-master-key | grep -q "MK dump:" || can_fail_fips
$CRYPTSETUP luksDump -q $IMG --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE >/dev/null || can_fail_fips
echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE 2>/dev/null && fail
fips_mode || {
	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $IMG || fail
}
echo "[10] uuid"
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG || fail
$CRYPTSETUP -q luksUUID $IMG | grep -q $TEST_UUID || fail

[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."

# LUKS root-tests
prepare	"[1] open - compat image - acceptance check" new
echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
check_exists
ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail

# Check it can be opened from header backup as well
$CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
check_exists
$CRYPTSETUP -q luksClose  $DEV_NAME || fail
# Check restore
$CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail

# Repeat for V1.0 header - not aligned first keyslot
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
check_exists
ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
[ "$ORG_SHA1" = 51b48c2471a7593ceaf14dc5e66bca86ed05f6cc ] || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail

rm -f $HEADER_IMG
$CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
check_exists
$CRYPTSETUP -q luksClose  $DEV_NAME || fail

prepare "[2] open - compat image - denial check" new
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
echo $PWDW | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME 2>/dev/null && fail
check

# All header items and the first key material section must change
prepare "[3] format" wipe
echo $PWD1 | $CRYPTSETUP -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV || fail
check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"

prepare "[4] format using hash sha512" wipe
echo $PWD1 | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV || fail
check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"

prepare "[5] open"
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
check_exists

# Key Slot 1 and key material section 1 must change, the rest must not.
prepare "[6] add key"
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV || fail
check "$KEY_SLOT1 $KEY_MATERIAL1"
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail

# Unsuccessful Key Delete - nothing may change
prepare "[7] unsuccessful delete"
echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
check

# Delete Key Test
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[8] successful delete"
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
check "$KEY_SLOT1 $KEY_MATERIAL1_EXT"
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail

# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[9] add key test for key files"
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
check "$KEY_SLOT1 $KEY_MATERIAL1"
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail

# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[10] delete key test with key1 as remaining key"
$CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
check "$KEY_SLOT0 $KEY_MATERIAL0_EXT"
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail

# Delete last slot
prepare "[11] delete last key" wipe
echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail

# Format test for ESSIV, and some other parameters.
prepare "[12] parameter variation test" wipe
$CRYPTSETUP -q -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV $KEY1 || fail
check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail

prepare	"[13] open/close - stacked devices" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $FAST_PBKDF_OPT || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
$CRYPTSETUP -q luksClose  $DEV_NAME2 || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail

prepare	"[14] format/open - passphrase on stdin & new line" wipe
# stdin defined by "-" must take even newline
#echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks1 $LOOPDEV || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# now also try --key-file
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks1 $LOOPDEV --key-file=- || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail
# process newline if from stdin
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks1 $LOOPDEV || fail
echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail

prepare "[15] UUID - use and report provided UUID" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid blah $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail

prepare "[16] luksFormat" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail
# open by UUID
force_uevent # some systems do not update loop by-uuid
$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail
# empty keyfile
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 $LOOPDEV || fail
$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose  $DEV_NAME || fail

prepare "[17] AddKey volume key, passphrase and keyfile" wipe
# masterkey
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail
$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail

# special "-" handling
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail

# [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
# keyfile/keyfile
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
# passphrase/keyfile
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
# passphrase/passphrase
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
# keyfile/passphrase
echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail

prepare "[18] RemoveKey passphrase and keyfile" reuse
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 3 2>/dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: DISABLED" || fail
# if password or keyfile is provided, batch mode must not suppress it
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
# kill slot using passphrase from 1
echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: DISABLED" || fail
# kill slot with redirected stdin
$CRYPTSETUP luksKillSlot $LOOPDEV 3 </dev/null 2>/dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
# remove key0 / slot 0
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
# last keyslot, in batch mode no passphrase needed...
$CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail

prepare "[19] create & status & resize" wipe
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
$CRYPTSETUP -q resize  $DEV_NAME --size 100 || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q resize  $DEV_NAME || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
# Resize underlying loop device as well
truncate -s 16M $IMG || fail
$CRYPTSETUP -q resize  $DEV_NAME || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
$CRYPTSETUP -q remove  $DEV_NAME || fail
$CRYPTSETUP -q status  $DEV_NAME >/dev/null && fail
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
$CRYPTSETUP -q remove  $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
$CRYPTSETUP -q remove  $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q remove  $DEV_NAME || fail
# 4k sector resize (if kernel supports it)
echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
if [ $? -eq 0 ] ; then
	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 sectors"
	$CRYPTSETUP -q resize  $DEV_NAME --size 16 || fail
	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 sectors"
	$CRYPTSETUP -q resize  $DEV_NAME --size 9 2>/dev/null && fail
	$CRYPTSETUP -q remove  $DEV_NAME || fail
fi
# verify is ignored on non-tty input
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
$CRYPTSETUP -q remove  $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1  || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
$CRYPTSETUP -q remove  $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail
$CRYPTSETUP -q remove  $DEV_NAME || fail

prepare "[20] Disallow open/create if already mapped." wipe
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV 2>/dev/null && fail
$CRYPTSETUP remove  $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
$CRYPTSETUP  luksClose  $DEV_NAME || fail

prepare "[21] luksDump" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || can_fail_fips
$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE > /dev/null || can_fail_fips
fips_mode || {
	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
}

prepare "[22] remove disappeared device" wipe
dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks1 /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
# underlying device now returns error but node is still present
dmsetup load $DEV_NAME --table "0 5000 error" || fail
dmsetup resume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME2 || fail
dmsetup remove $DEV_NAME || fail

prepare "[23] ChangeKey passphrase and keyfile" wipe
# [0]$KEY1 [1]key0
$CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
# keyfile [0] / keyfile [0]
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
# passphrase [1] / passphrase [1]
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
# keyfile [0] / keyfile [new]
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
# passphrase [1] / passphrase [new]
echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
# use all slots
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
# still allows replace
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail

prepare "[24] Keyfile limit" wipe
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
$CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose  $DEV_NAME || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 14 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l -1 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT 2>/dev/null && fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 14 2>/dev/null && fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
596
# -l is ignored for stdin if _only_ passphrase is used
597
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
598
# this is stupid, but expected
599 600 601
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
602
# offset
603
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
604 605 606
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose  $DEV_NAME || fail
607
$CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
608 609 610
$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose  $DEV_NAME || fail
611
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
612 613
$CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
614 615
# large device with keyfile
echo -e '0 10000000 error'\\n'10000000 1000000 zero' | dmsetup create $DEV_NAME2 || fail
616
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV /dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5120000000 || fail
617 618 619 620 621 622
$CRYPTSETUP --key-file=/dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5119999999 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP --key-file=/dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5120000000 luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
$CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \
  --keyfile-offset 5120000000 -l 13 /dev/mapper/$DEV_NAME2 --new-keyfile-offset 5120000001 --new-keyfile-size 15 || fail
dmsetup remove $DEV_NAME2

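# [25] Create shared segments: two plain mappings over the same loop device.
# The second mapping (sectors from offset 512, the first one covers 256
# sectors from offset 0) must be refused unless --shared is given explicitly.
# --hash sha1 is simply the fixture's passphrase hash for plain mode.
prepare "[25] Create shared segments" wipe
echo "$PWD1" | $CRYPTSETUP create "$DEV_NAME" "$LOOPDEV" --hash sha1 --offset 0 --size 256 || fail
echo "$PWD1" | $CRYPTSETUP create "$DEV_NAME2" "$LOOPDEV" --hash sha1 --offset 512 --size 256 2>/dev/null && fail
echo "$PWD1" | $CRYPTSETUP create "$DEV_NAME2" "$LOOPDEV" --hash sha1 --offset 512 --size 256 --shared || fail

# Tear down in reverse order of creation.
$CRYPTSETUP -q remove "$DEV_NAME2" || fail
$CRYPTSETUP -q remove "$DEV_NAME" || fail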

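# [26] Suspend/Resume: luksSuspend/luksResume must be refused for non-LUKS
# mappings, and a suspended LUKS device must only resume with a valid
# passphrase.
prepare "[26] Suspend/Resume" wipe
# only LUKS is supported
echo "$PWD1" | $CRYPTSETUP create "$DEV_NAME" --hash sha1 "$LOOPDEV" || fail
$CRYPTSETUP luksSuspend "$DEV_NAME" 2>/dev/null && fail
$CRYPTSETUP luksResume "$DEV_NAME" 2>/dev/null && fail
$CRYPTSETUP -q remove "$DEV_NAME" || fail
# The mapping is gone now, so suspend has nothing to act on and must fail.
$CRYPTSETUP luksSuspend "$DEV_NAME" 2>/dev/null && fail

# LUKS
echo "$PWD1" | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" || fail
echo "$PWD1" | $CRYPTSETUP -q luksOpen "$LOOPDEV" "$DEV_NAME" || fail
$CRYPTSETUP luksSuspend "$DEV_NAME" || fail
# Resize is expected to be rejected while the device is suspended.
$CRYPTSETUP -q resize "$DEV_NAME" 2>/dev/null && fail

# Wrong passphrase: resume must fail. When it does, fail is not run, so $? on
# the next line is still cryptsetup's own exit status, which must be 2.
echo "$PWDW" | $CRYPTSETUP luksResume "$DEV_NAME" 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksResume should return EPERM exit code"

echo "$PWD1" | $CRYPTSETUP luksResume "$DEV_NAME" || fail
$CRYPTSETUP -q luksClose "$DEV_NAME" || fail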

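# [27] luksOpen with specified key slot number: -S restricts unlocking to one
# slot, so a valid key for a *different* slot must not open the device.
# check and check_exists are helpers defined elsewhere in this script; the
# header/slot range specs are passed unquoted so they split into separate
# arguments (presumably one per byte range to compare - confirm in check).
prepare "[27] luksOpen with specified key slot number" wipe

# first, let's try passphrase option
echo "$PWD3" | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -S 5 "$LOOPDEV" || fail
check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5

# PWD3 lives in slot 5; asking for slot 4 must fail and leave no mapping.
echo "$PWD3" | $CRYPTSETUP luksOpen -S 4 "$LOOPDEV" "$DEV_NAME" && fail
[ -b "/dev/mapper/$DEV_NAME" ] && fail
echo "$PWD3" | $CRYPTSETUP luksOpen -S 5 "$LOOPDEV" "$DEV_NAME" || fail
check_exists
$CRYPTSETUP luksClose "$DEV_NAME" || fail

# Add PWD1 to slot 0 (PWD3 authorises the change).
echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 "$LOOPDEV" || fail
check $LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0

# Each passphrase is valid, but only for its own slot.
echo "$PWD3" | $CRYPTSETUP luksOpen -S 0 "$LOOPDEV" "$DEV_NAME" 2>/dev/null && fail
[ -b "/dev/mapper/$DEV_NAME" ] && fail
echo "$PWD1" | $CRYPTSETUP luksOpen -S 5 "$LOOPDEV" "$DEV_NAME" 2>/dev/null && fail
[ -b "/dev/mapper/$DEV_NAME" ] && fail

# second, try it with keyfiles
$CRYPTSETUP luksFormat --type luks1 -q -S 5 -d "$KEY5" "$LOOPDEV" || fail
check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d "$KEY5" "$LOOPDEV" "$KEY1" || fail
check $LUKS_HEADER $KEY_SLOT1 $KEY_MATERIAL1
$CRYPTSETUP luksOpen -S 5 -d "$KEY5" "$LOOPDEV" "$DEV_NAME" || fail
check_exists
$CRYPTSETUP luksClose "$DEV_NAME" || fail

# Crossed slot/keyfile pairs must be rejected and leave no mapping behind.
$CRYPTSETUP luksOpen -S 1 -d "$KEY5" "$LOOPDEV" "$DEV_NAME" 2>/dev/null && fail
[ -b "/dev/mapper/$DEV_NAME" ] && fail
$CRYPTSETUP luksOpen -S 5 -d "$KEY1" "$LOOPDEV" "$DEV_NAME" 2>/dev/null && fail
[ -b "/dev/mapper/$DEV_NAME" ] && fail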

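# [28] Detached LUKS header: the LUKS metadata lives in $HEADER_IMG instead of
# on the data device. Operations that need key material must be given
# --header; without it the active mapping carries no LUKS type information.
prepare "[28] Detached LUKS header" wipe
echo "$PWD1" | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" --header "$HEADER_IMG" || fail
# --align-payload 1 is expected to be rejected; 8192 and 0 are accepted.
echo "$PWD1" | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" --header "$HEADER_IMG" --align-payload 1 >/dev/null 2>&1 && fail
echo "$PWD1" | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" --header "$HEADER_IMG" --align-payload 8192 || fail
echo "$PWD1" | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" --header "$HEADER_IMG" --align-payload 0 || fail
echo "$PWD1" | $CRYPTSETUP luksOpen "$LOOPDEV" --header "$HEADER_IMG" "$DEV_NAME" || fail

$CRYPTSETUP -q resize "$DEV_NAME" --size 100 --header "$HEADER_IMG" || fail
$CRYPTSETUP -q status "$DEV_NAME" --header "$HEADER_IMG" | grep "size:" | grep -q "100 sectors" || fail
# Without --header, status must report the type as n/a but still the new size.
$CRYPTSETUP -q status "$DEV_NAME" | grep "type:" | grep -q "n/a" || fail
$CRYPTSETUP -q status "$DEV_NAME" | grep "size:" | grep -q "100 sectors" || fail

$CRYPTSETUP luksSuspend "$DEV_NAME" --header "$HEADER_IMG" || fail
echo "$PWD1" | $CRYPTSETUP luksResume "$DEV_NAME" --header "$HEADER_IMG" || fail
# Suspend works without the header, but resume needs it to verify the passphrase.
$CRYPTSETUP luksSuspend "$DEV_NAME" || fail
echo "$PWD1" | $CRYPTSETUP luksResume "$DEV_NAME" && fail
echo "$PWD1" | $CRYPTSETUP luksResume "$DEV_NAME" --header "$HEADER_IMG" || fail
$CRYPTSETUP luksClose "$DEV_NAME" || fail

# Key slot management against the header alone: _fakedev_ is a placeholder
# device argument, only $HEADER_IMG is touched.
echo "$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header "$HEADER_IMG" "$KEY5" || fail
$CRYPTSETUP luksDump _fakedev_ --header "$HEADER_IMG" | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP luksKillSlot -q _fakedev_ --header "$HEADER_IMG" 5 || fail
$CRYPTSETUP luksDump _fakedev_ --header "$HEADER_IMG" | grep -q "Key Slot 5: DISABLED" || fail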

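# [29] Repair metadata: damage part of the LUKS1 header, confirm that the
# device is refused while the header is inconsistent, then confirm that
# "repair" makes the untouched key slot 0 usable again.
prepare "[29] Repair metadata" wipe
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" "$KEY1" --key-slot 0 || fail
# second sector overwrite should corrupt keyslot 6+7
# (bs=512 seek=1 count=1 rewrites exactly bytes 512-1023 with random data)
dd if=/dev/urandom of="$LOOPDEV" bs=512 seek=1 count=1 >/dev/null 2>&1
$CRYPTSETUP luksOpen -d "$KEY1" "$LOOPDEV" "$DEV_NAME" >/dev/null 2>&1 && fail
$CRYPTSETUP -q repair "$LOOPDEV" >/dev/null 2>&1 || fail
$CRYPTSETUP luksOpen -d "$KEY1" "$LOOPDEV" "$DEV_NAME" || fail
$CRYPTSETUP luksClose "$DEV_NAME" || fail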

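# [30] LUKS erase: luksErase must leave every key slot disabled. With no
# enabled slot left, no passphrase or keyfile can unlock the volume any more.
prepare "[30] LUKS erase" wipe
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT "$LOOPDEV" "$KEY5" --key-slot 5 || fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d "$KEY5" "$LOOPDEV" "$KEY1" || fail
# Both slots are in use before the erase ...
$CRYPTSETUP luksDump "$LOOPDEV" | grep -q "Key Slot 1: ENABLED" || fail
$CRYPTSETUP luksDump "$LOOPDEV" | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP luksErase -q "$LOOPDEV" || fail
# ... and both must be reported as disabled afterwards.
$CRYPTSETUP luksDump "$LOOPDEV" | grep -q "Key Slot 1: DISABLED" || fail
$CRYPTSETUP luksDump "$LOOPDEV" | grep -q "Key Slot 5: DISABLED" || fail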

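# [31] Deferred removal of device: DEV_NAME2 is stacked on top of DEV_NAME, so
# a plain close of DEV_NAME must fail while it is in use. With --deferred the
# mapping stays active until its last user (DEV_NAME2) is closed.
prepare "[31] Deferred removal of device" wipe
echo "$PWD1" | $CRYPTSETUP open --type plain "$LOOPDEV" "$DEV_NAME" || fail
echo "$PWD2" | $CRYPTSETUP open --type plain "/dev/mapper/$DEV_NAME" "$DEV_NAME2" || fail
$CRYPTSETUP close "$DEV_NAME" >/dev/null 2>&1 && fail
$CRYPTSETUP -q status "$DEV_NAME" >/dev/null 2>&1 || fail
# A failing "close --deferred" is tolerated (the else branch only cleans up),
# so the command's status is tested directly instead of going through $?.
if $CRYPTSETUP close --deferred "$DEV_NAME" >/dev/null 2>&1; then
  dmsetup info "$DEV_NAME" | grep -q "DEFERRED REMOVE" || fail
  $CRYPTSETUP -q status "$DEV_NAME" >/dev/null 2>&1 || fail
  $CRYPTSETUP close "$DEV_NAME2" || fail
  # Closing the last user must make the deferred mapping disappear.
  $CRYPTSETUP -q status "$DEV_NAME" >/dev/null 2>&1 && fail
else
  $CRYPTSETUP close "$DEV_NAME2" >/dev/null 2>&1
  $CRYPTSETUP close "$DEV_NAME" >/dev/null 2>&1
fi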

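# Interactive tests
# Do not remove sleep 0.1 below, the password query flushes TTY buffer (so the code is racy).
# "command -v" is the shell's own lookup and replaces the external which(1),
# which is not guaranteed to be installed or to set a useful exit status.
command -v expect >/dev/null 2>&1 || skip "WARNING: expect tool missing, interactive test will be skipped." 0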

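# [32] Interactive password retry from terminal: with -T 2 a wrong first
# passphrase must produce a second prompt, and the correct one then unlocks.
# The heredoc delimiter is unquoted, so the shell substitutes $CRYPTSETUP,
# $LOOPDEV, $DEV_NAME and $PWD0 before expect parses the script. The fixture
# values therefore must not contain Tcl-special characters ($, [, ", \), and
# "eval spawn" re-splits the substituted command line into words.
# The expect status is checked directly on the command line of the heredoc.
prepare "[32] Interactive password retry from terminal." new
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksOpen -v -T 2 $LOOPDEV $DEV_NAME
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0 x\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Key slot 0 unlocked."
expect timeout abort "Command successful."
expect timeout abort eof
exit
EOF
check_exists
$CRYPTSETUP -q luksClose "$DEV_NAME" || fail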

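# [33] Interactive unsuccessful password retry from terminal: with -T 2, two
# wrong passphrases must end the command without a further prompt.
# The unquoted heredoc is expanded by the shell before expect reads it, so the
# fixture values must stay free of Tcl-special characters.
prepare "[33] Interactive unsuccessful password retry from terminal." new
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksOpen -v -T 2 $LOOPDEV $DEV_NAME
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0 x\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0 y\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort eof
exit
EOF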

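# [34] Interactive kill of last key slot: removing slot 0 requires typing an
# uppercase YES and then a remaining passphrase; a second attempt must report
# that the slot is no longer active.
# The unquoted heredoc is expanded by the shell before expect reads it, so the
# fixture values must stay free of Tcl-special characters.
prepare "[34] Interactive kill of last key slot." new
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksKillSlot -v $LOOPDEV 0
expect timeout abort "Are you sure? (Type uppercase yes):"
send "YES\n"
expect timeout abort "Enter any remaining passphrase:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksKillSlot -v $LOOPDEV 0
expect timeout abort "Keyslot 0 is not active."
expect timeout abort eof
exit
EOF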

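# [35] Interactive format of device: luksFormat asks for an uppercase YES,
# the passphrase and its verification; the new passphrase must then pass
# "luksOpen --test-passphrase".
# The unquoted heredoc is expanded by the shell before expect reads it
# ($FAST_PBKDF_OPT included), so the fixture values must stay free of
# Tcl-special characters.
prepare "[35] Interactive format of device." wipe
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
expect timeout abort "Are you sure? (Type uppercase yes):"
send "YES\n"
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Verify passphrase:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV --test-passphrase
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Command successful."
expect timeout abort eof
exit
EOF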

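# [36] Interactive unsuccessful format of device: the key slots are erased
# first, then luksFormat is aborted by a mismatching verification passphrase.
# The aborted format must not have created a usable slot, so $PWD0 has to be
# rejected afterwards.
# The unquoted heredoc is expanded by the shell before expect reads it, so the
# fixture values must stay free of Tcl-special characters.
prepare "[36] Interactive unsuccessful format of device." new
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP erase -v $LOOPDEV
expect timeout abort "Are you sure? (Type uppercase yes):"
send "YES\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
expect timeout abort "Are you sure? (Type uppercase yes):"
send "YES\n"
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Verify passphrase:"
sleep 0.1
send "$PWD0 x\n"
expect timeout abort "Passphrases do not match."
expect timeout abort eof
eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV -T 1 --test-passphrase
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort eof
exit
EOF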

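# [37] Interactive add key: add $PWD1 to slot 2 (authorised by $PWD0), prove
# it unlocks, confirm slot 1 was never populated, then remove slot 2 again
# using the remaining passphrase.
# The unquoted heredoc is expanded by the shell before expect reads it, so the
# fixture values must stay free of Tcl-special characters.
prepare "[37] Interactive add key." new
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksAddKey -S 2 $FAST_PBKDF_OPT -v $LOOPDEV
expect timeout abort "Enter any existing passphrase:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Enter new passphrase for key slot:"
sleep 0.1
send "$PWD1\n"
expect timeout abort "Verify passphrase:"
sleep 0.1
send "$PWD1\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksOpen $FAST_PBKDF_OPT -v $LOOPDEV --test-passphrase
expect timeout abort "Enter passphrase"
sleep 0.1
send "$PWD1\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksKillSlot -v $LOOPDEV 1
expect timeout abort "Keyslot 1 is not active."
expect timeout abort eof
eval spawn $CRYPTSETUP luksKillSlot -v $LOOPDEV 2
expect timeout abort "Enter any remaining passphrase:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Key slot 2 removed."
expect timeout abort eof
exit
EOF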

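# [38] Interactive change key: replace $PWD0 with $PWD1 through the prompts,
# then confirm the new passphrase with "luksOpen --test-passphrase".
# The unquoted heredoc is expanded by the shell before expect reads it, so the
# fixture values must stay free of Tcl-special characters.
prepare "[38] Interactive change key." new
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -v $LOOPDEV
expect timeout abort "Enter passphrase to be changed:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Enter new passphrase:"
sleep 0.1
send "$PWD1\n"
expect timeout abort "Verify passphrase:"
sleep 0.1
send "$PWD1\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV --test-passphrase
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD1\n"
expect timeout abort "Command successful."
expect timeout abort eof
exit
EOF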

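# [39] Interactive suspend and resume: after luksSuspend, three wrong
# passphrases (-T 3) must end luksResume without resuming the device; a later
# luksResume with the correct passphrase must still succeed.
# The unquoted heredoc is expanded by the shell before expect reads it, so the
# fixture values must stay free of Tcl-special characters.
prepare "[39] Interactive suspend and resume." new
echo "$PWD0" | $CRYPTSETUP luksOpen "$LOOPDEV" "$DEV_NAME" || fail
expect - >/dev/null <<EOF || fail "Expect script failed."
proc abort {} { send_error "Timeout. "; exit 2 }
set timeout 10
eval spawn $CRYPTSETUP luksSuspend -v $DEV_NAME
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksResume -v -T 3  $DEV_NAME
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0 x\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD1\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0 y\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort eof
eval spawn $CRYPTSETUP luksResume -v $DEV_NAME
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "Command successful."
expect timeout abort eof
exit
EOF
$CRYPTSETUP remove "$DEV_NAME" || fail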

# Final cleanup: remove_mapping removes any leftover dm mappings, detaches the
# loop device and deletes the test images and key files, so no key material
# from this run is left on disk. Reaching this point means every test passed.
remove_mapping
exit 0