#!/bin/bash

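# Binaries under test, given relative to the directory the test is started from.
CRYPTSETUP="../cryptsetup"
REENC="../cryptsetup-reencrypt"
# Pins the PBKDF iteration count to 1000 so key-slot operations finish quickly.
# Section [8] expects 999 to be rejected, so this sits at the accepted minimum:
# a test-speed setting, far too low to protect a real passphrase.
# Always expand it UNQUOTED - it has to split into an option and its value.
FAST_PBKDF="--pbkdf-force-iterations 1000"

# device-mapper names used for the scratch mappings.
DEV_NAME="reenc9768"
DEV_NAME2="reenc1273"
# Scratch files created in the start directory and deleted by remove_mapping.
IMG="reenc-data"
IMG_HDR="${IMG}.hdr"
ORIG_IMG="reenc-data-orig"
KEY1="key1"
# Fixed passphrases for the throw-away test volumes (fixtures, not secrets).
PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
PWD3="1-9Qu5Ejfnqv"

# Mount point for the log I/O tests, and the directory to return to afterwards.
MNT_DIR="./mnt_luks"
START_DIR="$(pwd)"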

# Unload the scsi_debug kernel module, then pause for two seconds.
# rmmod's error output is discarded; the return status is that of sleep.
function del_scsi_device()
{
	local -r pause_secs=2

	rmmod scsi_debug 2> /dev/null
	sleep "$pause_secs"
}

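# Best-effort teardown of everything the test may have created: both dm
# mappings, the loop device, the scratch files, the mount point and the
# scsi_debug device. Errors are discarded, so it can be called at any time.
# Clears LOOPDEV1.
function remove_mapping()
{
	[ -b "/dev/mapper/$DEV_NAME2" ] && dmsetup remove "$DEV_NAME2"
	[ -b "/dev/mapper/$DEV_NAME" ] && dmsetup remove "$DEV_NAME"
	[ -n "$LOOPDEV1" ] && losetup -d "$LOOPDEV1" >/dev/null 2>&1
	# Quoting and "--" keep a file name from being split or read as an option.
	rm -f -- "$IMG" "$IMG_HDR" "$ORIG_IMG" "$KEY1" >/dev/null 2>&1
	umount "$MNT_DIR" >/dev/null 2>&1
	rmdir "$MNT_DIR" >/dev/null 2>&1
	LOOPDEV1=""
	del_scsi_device
}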

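# Report a failure, clean up and abort the test run with exit status 2.
# $1 - optional message printed before the "FAILED at line" marker.
function fail()
{
	# printf, unlike echo, never treats the message as an option.
	[ -n "$1" ] && printf '%s\n' "$1"
	# caller reports where fail was invoked from.
	echo "FAILED at line $(caller)"
	# Go back first: remove_mapping deletes the scratch files by relative name.
	# Quoted so a start directory containing spaces still works.
	cd "$START_DIR"
	remove_mapping
	exit 2
}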

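# Print the optional reason in $1 and leave with exit status 77, the status
# this script uses for "test skipped".
function skip()
{
	# printf, unlike echo, never treats the message as an option.
	[ -n "$1" ] && printf '%s\n' "$1"
	exit 77
}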

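# (Re)create the scsi_debug test disk and store its device node in SCSI_DEV.
# Arguments: scsi_debug module parameters, handed to modprobe one per word.
# Exits 77 (skip) when the module cannot be loaded; calls fail when no
# matching block device shows up.
function add_scsi_device() {
	del_scsi_device
	if ! modprobe scsi_debug "$@"; then
		echo "This kernel seems to not support proper scsi_debug module, test skipped."
		exit 77
	fi

	sleep 2
	# The disk is picked by its sysfs model string. Later steps run wipefs and
	# dd against SCSI_DEV, so this match and the -b check below are what keep
	# those writes on the scsi_debug disk.
	SCSI_DEV="/dev/$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)"
	[ -b "$SCSI_DEV" ] || fail "Cannot find $SCSI_DEV."
}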

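# Open the LUKS volume on LOOPDEV1 as /dev/mapper/$DEV_NAME.
# $1 - passphrase, fed on stdin; when empty the key file $KEY1 is used.
# $2 - optional detached header file.
# Calls fail when the volume cannot be opened.
function open_crypt() # $1 pwd, $2 hdr
{
	if [ -n "$2" ] ; then
		echo "$1" | "$CRYPTSETUP" luksOpen "$LOOPDEV1" "$DEV_NAME" --header "$2" || fail
	elif [ -n "$1" ] ; then
		echo "$1" | "$CRYPTSETUP" luksOpen "$LOOPDEV1" "$DEV_NAME" || fail
	else
		"$CRYPTSETUP" luksOpen -d "$KEY1" "$LOOPDEV1" "$DEV_NAME" || fail
	fi
}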

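# Overwrite a device with zeros from start to end.
# $1 - block device to fill. dd gets no count, so it only stops once the
# target is full; pointing this at a regular file would fill the file system.
# dd's output is discarded and callers do not check its exit status.
function wipe_dev() # $1 dev
{
	dd if=/dev/zero of="$1" bs=256k >/dev/null 2>&1
}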

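# Open the volume, zero its plaintext device and close it again.
# $1 - passphrase; when empty open_crypt falls back to the key file.
# Calls fail when the mapping cannot be closed.
function wipe() # $1 pass
{
	open_crypt "$1"
	wipe_dev "/dev/mapper/$DEV_NAME"
	# Let udev finish with the mapping before it is closed.
	udevadm settle >/dev/null 2>&1
	"$CRYPTSETUP" luksClose "$DEV_NAME" || fail
}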

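# Start from a clean state and attach a fresh zero-filled image to a loop device.
# $1 - image size in KiB.
# Sets LOOPDEV1; creates $IMG and, if it is missing, the 32-byte key file $KEY1
# filled from /dev/urandom.
function prepare() # $1 dev1_siz
{
	remove_mapping

	dd if=/dev/zero of="$IMG" bs=1k count="$1" >/dev/null 2>&1
	LOOPDEV1=$(losetup -f 2>/dev/null)
	[ -z "$LOOPDEV1" ] && fail "No free loop device"
	# losetup -f only reports a free device; something else may claim it before
	# the attach below, so the attach result is checked.
	losetup "$LOOPDEV1" "$IMG" || fail "Cannot attach $IMG to $LOOPDEV1"

	if [ ! -e "$KEY1" ]; then
		dd if=/dev/urandom of="$KEY1" count=1 bs=32 >/dev/null 2>&1
	fi
}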

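# Compare the SHA-256 digest of a device or file with an expected value.
# $1 - device or file to hash, $2 - expected digest (hex).
# Stores the computed digest in the global HASH and calls fail on a mismatch
# or when no digest could be computed.
function check_hash_dev() # $1 dev, $2 hash
{
	HASH=$(sha256sum "$1" | cut -d' ' -f 1)
	# An empty digest means sha256sum could not read $1. With HASH unquoted the
	# comparison below turned into a test syntax error and fail was never called.
	[ -n "$HASH" ] || fail "Cannot compute hash of $1"
	if [ "$HASH" != "$2" ]; then
		fail "HASH differs ($HASH)"
	fi
}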

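# Open the volume, compare the digest of its plaintext device and close it.
# $1 - passphrase ("" selects the key file), $2 - expected SHA-256 digest,
# $3 - optional detached header.
function check_hash() # $1 pwd, $2 hash, $3 hdr
{
	# Quoted so an empty passphrase keeps its position and the header is not
	# shifted into the passphrase argument.
	open_crypt "$1" "$3"
	check_hash_dev "/dev/mapper/$DEV_NAME" "$2"
	"$CRYPTSETUP" remove "$DEV_NAME" || fail
}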

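# Save a copy of the image file as $ORIG_IMG.
# The loop device is detached for the copy and attached again afterwards.
function backup_orig()
{
	sync
	losetup -d "$LOOPDEV1"
	cp -- "$IMG" "$ORIG_IMG"
	losetup "$LOOPDEV1" "$IMG"
}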

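# Restore the image file from the copy made by backup_orig.
# The loop device is detached for the copy and attached again afterwards.
function rollback()
{
	sync
	losetup -d "$LOOPDEV1"
	cp -- "$ORIG_IMG" "$IMG"
	losetup "$LOOPDEV1" "$IMG"
}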

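# Compare the state of the eight key slots in luksDump with an expectation.
# Arguments: space separated list of key slots (0-7) expected to be ENABLED;
# every other slot is expected to be DISABLED.
# Returns 0 when all reported slots match. Prints the first difference and
# returns 1 otherwise, including when a slot number is invalid or luksDump
# shows no "Key Slot" lines at all.
function check_slot() #space separated list of ENABLED key slots
{
	local -a _expect=(DISABLED DISABLED DISABLED DISABLED DISABLED DISABLED DISABLED DISABLED)
	local _tmp _out _orig
	local _i=0

	# $* stays unquoted: the list may also arrive as one space separated string.
	# Each entry is matched against a fixed pattern and used as an array index,
	# so no eval is needed.
	for _tmp in $*; do
		case "$_tmp" in
		[0-7])
			_expect[_tmp]=ENABLED
			;;
		*)
			echo "Invalid keyslot number: $_tmp"
			return 1
			;;
		esac
	done

	_out=$("$CRYPTSETUP" luksDump "$LOOPDEV1" | grep -e "Key Slot" | cut -d ' ' -f 4)

	# Word splitting of $_out is intended: one state per "Key Slot" line.
	for _tmp in $_out; do
		_orig=${_expect[_i]}
		if [ "$_tmp" != "$_orig" ]; then
			echo "Keyslot $_i is $_tmp, expected result: $_orig"
			return 1
		fi
		_i=$((_i + 1))
	done

	# Without this an empty dump would count as "everything matches".
	if [ "$_i" -eq 0 ]; then
		echo "No key slot lines found in luksDump output"
		return 1
	fi

	return 0
}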

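# Format SCSI_DEV as LUKS, reencrypt it and check that the plaintext read
# through the mapping has the same SHA-256 digest before and after.
# $1 - label printed (without newline) before the run.
# Stores the reference digest in the global HASH; calls fail on any error.
function simple_scsi_reenc()
{
	echo -n "$1"
	echo "$PWD1" | "$CRYPTSETUP" luksFormat $FAST_PBKDF "$SCSI_DEV" || fail

	echo "$PWD1" | "$CRYPTSETUP" luksOpen "$SCSI_DEV" "$DEV_NAME" || fail
	HASH=$(sha256sum "/dev/mapper/$DEV_NAME" | cut -d' ' -f 1)
	# An empty reference digest would make the comparison below meaningless.
	[ -n "$HASH" ] || fail "Cannot compute hash of /dev/mapper/$DEV_NAME"
	"$CRYPTSETUP" luksClose "$DEV_NAME" || fail

	echo "$PWD1" | "$REENC" -q $FAST_PBKDF "$SCSI_DEV" || fail

	echo "$PWD1" | "$CRYPTSETUP" luksOpen "$SCSI_DEV" "$DEV_NAME" || fail
	check_hash_dev "/dev/mapper/$DEV_NAME" "$HASH"
	"$CRYPTSETUP" luksClose "$DEV_NAME" || fail
}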

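# Mount a file system on $MNT_DIR and reencrypt LOOPDEV1 with that directory
# as the working directory - presumably so the --write-log file ends up on
# the file system under test.
# Arguments: everything mount needs except the mount point.
# Returns 0 after a successful run and also when the mount fails (reported as
# [SKIP]); returns 1 when the reencryption fails or the mount point cannot be
# entered.
function mount_and_test() {
	test -d "$MNT_DIR" || mkdir -p "$MNT_DIR"
	mount "$@" "$MNT_DIR" 2>/dev/null || {
		echo -n "failed to mount [SKIP]"
		return 0
	}
	# ${MNT_DIR:?} aborts instead of expanding to "/*" if MNT_DIR is ever empty.
	rm -- "${MNT_DIR:?}"/* 2>/dev/null
	# Do not run the reencryption from the wrong directory.
	cd "$MNT_DIR" || return 1
	echo "$PWD2" | "$START_DIR/$REENC" "$LOOPDEV1" -q --use-fsync --use-directio --write-log $FAST_PBKDF || return 1
	cd "$START_DIR"
	umount "$MNT_DIR"
	echo -n [OK]
}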

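# Run mount_and_test on a 25 MiB tmpfs.
# Prints the "[tmpfs]" label first; returns 1 when mount_and_test fails.
function test_logging_tmpfs() {
	echo -n "[tmpfs]"
	# $(( )) replaces the obsolete $[ ] arithmetic form.
	mount_and_test -t tmpfs none -o size=$((25 * 1024 * 1024)) || return 1
	echo
}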

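# Run mount_and_test once for every img_fs*img.bz2 file system image found in
# the current directory, each unpacked onto SCSI_DEV first.
# $1 - label printed before the per-image results.
# Returns 1 as soon as one run fails.
function test_logging() {
	local img

	echo -n "$1:"
	# A glob instead of parsing ls output; the -e test skips the unexpanded
	# pattern when no image exists.
	for img in img_fs*img.bz2; do
		[ -e "$img" ] || continue
		wipefs -a "$SCSI_DEV" > /dev/null
		echo -n "[${img%.img.bz2}]"
		bzip2 -d -c "$img" | dd of="$SCSI_DEV" bs=4k >/dev/null 2>&1
		mount_and_test "$SCSI_DEV" || return 1
	done
	echo
}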

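# Preconditions: root privileges, the reencrypt binary and wipefs. Each
# missing one ends the run through skip.
[ "$(id -u)" != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ ! -x "$REENC" ] && skip "Cannot find $REENC, test skipped."
# command -v is the shell builtin replacement for the external which.
command -v wipefs >/dev/null 2>&1 || skip "Cannot find wipefs, test skipped."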

# REENCRYPTION tests

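# Expected SHA-256 digests (hex) of the data the tests read back.
# HASH1: zero-filled plaintext mapping, checked in sections [1], [3], [8], [10].
# HASH2: zero-filled plaintext mapping of section [2].
# HASH3: the zeroed loop device without its last 2048 sectors (section [4]).
# HASH4: the whole freshly created 8192 KiB zero image (sections [10], [11]).
HASH1="b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c"
HASH2="d85ef2a08aeac2812a648deb875485a6e3848fc3d43ce4aa380937f08199f86b"
HASH3="e4e5749032a5163c45125eccf3e8598ba5ed840df442c97e1d5ad4ad84359605"
HASH4="2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74"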

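echo "[1] Reencryption"
prepare 8192
# Starting point is the legacy aes-cbc-plain cipher (the IV is just the sector
# number) with a 128-bit key; the runs below re-key it, widen the key and
# finally switch to aes-xts-plain64.
echo "$PWD1" | "$CRYPTSETUP" -q luksFormat -s 128 -c aes-cbc-plain $FAST_PBKDF --align-payload 4096 "$LOOPDEV1" || fail
wipe "$PWD1"
check_hash "$PWD1" "$HASH1"
# NOTE(review): the exit status of the reencrypt runs in this section is not
# checked, and check_hash alone would also pass if a run stopped before it
# touched the data - confirm whether "|| fail" was left out on purpose.
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q $FAST_PBKDF
check_hash "$PWD1" "$HASH1"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q -s 256 $FAST_PBKDF
check_hash "$PWD1" "$HASH1"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q -s 256 -c aes-xts-plain64 -h sha256 $FAST_PBKDF
check_hash "$PWD1" "$HASH1"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --use-directio $FAST_PBKDF
check_hash "$PWD1" "$HASH1"
# The header must still parse as LUKS1 after all runs.
"$CRYPTSETUP" --type luks1 luksDump "$LOOPDEV1" > /dev/null || fail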

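echo "[2] Reencryption with data shift"
echo "$PWD1" | "$CRYPTSETUP" -q luksFormat -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF --align-payload 2048 "$LOOPDEV1" || fail
wipe "$PWD1"
# Going to a 256-bit key while giving up 1024 sectors of the device.
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q -s 256 --reduce-device-size 1024S $FAST_PBKDF || fail
check_hash "$PWD1" "$HASH2"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q $FAST_PBKDF || fail
check_hash "$PWD1" "$HASH2"
"$CRYPTSETUP" --type luks1 luksDump "$LOOPDEV1" > /dev/null || fail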

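echo "[3] Reencryption with keyfile"
echo "$PWD1" | "$CRYPTSETUP" -q luksFormat -d "$KEY1" -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF --align-payload 4096 "$LOOPDEV1" || fail
# No passphrase argument: wipe and check_hash open the volume with the key file.
wipe
check_hash "" "$HASH1"
echo "$PWD1" | "$CRYPTSETUP" -q luksAddKey -d "$KEY1" "$LOOPDEV1" $FAST_PBKDF || fail
# With a second key slot in use the key file run is expected to fail unless
# the slot is named with -S; afterwards only that slot may remain enabled.
"$REENC" "$LOOPDEV1" -d "$KEY1" $FAST_PBKDF -q 2>/dev/null && fail
"$REENC" "$LOOPDEV1" -d "$KEY1" -S 0 $FAST_PBKDF -q || fail
check_hash "" "$HASH1"
check_slot 0 || fail "Only keyslot 0 expected to be enabled"
"$REENC" "$LOOPDEV1" -d "$KEY1" $FAST_PBKDF -q || fail
# FIXME echo $PWD1 | $REENC ...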

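echo "[4] Encryption of not yet encrypted device"
# well, movin' zeroes :-)
OFFSET=2048
SIZE=$(blockdev --getsz "$LOOPDEV1")
wipe_dev "$LOOPDEV1"
# Reference digest: the zeroed device without its last OFFSET sectors, read
# through a temporary linear mapping.
dmsetup create "$DEV_NAME2" --table "0 $((SIZE - OFFSET)) linear $LOOPDEV1 0" || fail
check_hash_dev "/dev/mapper/$DEV_NAME2" "$HASH3"
dmsetup remove "$DEV_NAME2" || fail
# --new encrypts in place; the header needs the OFFSET sectors given up here.
echo "$PWD1" | "$REENC" "$LOOPDEV1" -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "${OFFSET}S" -q $FAST_PBKDF
check_hash "$PWD1" "$HASH3"
"$CRYPTSETUP" --type luks1 luksDump "$LOOPDEV1" > /dev/null || fail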

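echo "[5] Reencryption using specific keyslot"
echo "$PWD2" | "$CRYPTSETUP" -q luksFormat $FAST_PBKDF "$LOOPDEV1" || fail
# Fill slots 1-7. The first line is the existing passphrase, the second the
# new one; printf passes both unchanged, while echo -e would also interpret
# backslashes inside a passphrase.
printf '%s\n%s\n' "$PWD2" "$PWD1" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 1 "$LOOPDEV1" || fail
printf '%s\n%s\n' "$PWD2" "$PWD2" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 2 "$LOOPDEV1" || fail
printf '%s\n%s\n' "$PWD2" "$PWD1" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 3 "$LOOPDEV1" || fail
printf '%s\n%s\n' "$PWD2" "$PWD2" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 4 "$LOOPDEV1" || fail
printf '%s\n%s\n' "$PWD2" "$PWD1" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 5 "$LOOPDEV1" || fail
printf '%s\n%s\n' "$PWD2" "$PWD2" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 6 "$LOOPDEV1" || fail
printf '%s\n%s\n' "$PWD2" "$PWD3" | "$CRYPTSETUP" -q luksAddKey $FAST_PBKDF -S 7 "$LOOPDEV1" || fail
backup_orig
# Each run starts from the saved image and must leave only the chosen slot.
echo "$PWD2" | "$REENC" $FAST_PBKDF -S 0 -q "$LOOPDEV1" || fail
check_slot 0 || fail "Only keyslot 0 expected to be enabled"
wipe "$PWD2"
rollback
echo "$PWD1" | "$REENC" $FAST_PBKDF -S 1 -q "$LOOPDEV1" || fail
check_slot 1 || fail "Only keyslot 1 expected to be enabled"
wipe "$PWD1"
rollback
echo "$PWD2" | "$REENC" $FAST_PBKDF -S 6 -q "$LOOPDEV1" || fail
check_slot 6 || fail "Only keyslot 6 expected to be enabled"
wipe "$PWD2"
rollback
echo "$PWD3" | "$REENC" $FAST_PBKDF -S 7 -q "$LOOPDEV1" || fail
check_slot 7 || fail "Only keyslot 7 expected to be enabled"
wipe "$PWD3"
rollback
# Slot 8 does not exist: the run must fail and leave a readable header behind.
echo "$PWD3" | "$REENC" $FAST_PBKDF -S 8 -q "$LOOPDEV1" 2>/dev/null && fail
"$CRYPTSETUP" luksDump "$LOOPDEV1" > /dev/null || fail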

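echo "[6] Reencryption using all active keyslots"
# One passphrase per line, in key slot order 0-7. printf repeats the format
# for every argument and, unlike echo -e, leaves backslashes alone.
printf '%s\n' "$PWD2" "$PWD1" "$PWD2" "$PWD1" "$PWD2" "$PWD1" "$PWD2" "$PWD3" | "$REENC" -q "$LOOPDEV1" $FAST_PBKDF || fail
check_slot 0 1 2 3 4 5 6 7 || fail "All keyslots expected to be enabled"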

echo "[7] Reencryption of block devices with different block size"
# Each pair creates an 8 MB scsi_debug disk with the given sector layout and
# runs a format / reencrypt / compare cycle on it.
add_scsi_device sector_size=512 dev_size_mb=8
simple_scsi_reenc "[512 sector]"
add_scsi_device sector_size=4096 dev_size_mb=8
simple_scsi_reenc "[4096 sector]"
# NOTE(review): physblk_exp=3 presumably gives 512-byte logical sectors on
# 4096-byte physical blocks, as the label suggests - confirm.
add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=8
simple_scsi_reenc "[4096/512 sector]"
echo "[OK]"

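echo "[8] Header only reencryption (hash and iteration time)"
# Starts from a sha1 header hash; the --keep-key runs below change only the
# hash and the iteration count.
echo "$PWD1" | "$CRYPTSETUP" -q luksFormat --hash sha1 $FAST_PBKDF "$LOOPDEV1" || fail
wipe "$PWD1"
check_hash "$PWD1" "$HASH1"
# 999 forced iterations are expected to be refused.
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --keep-key --pbkdf-force-iterations 999 2>/dev/null && fail
check_hash "$PWD1" "$HASH1"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --keep-key --hash sha256 --pbkdf-force-iterations 1001
check_hash "$PWD1" "$HASH1"
# The new iteration count and hash must be visible in the header dump.
[ "$("$CRYPTSETUP" luksDump "$LOOPDEV1" | grep -A1 -m1 "Key Slot 0" | grep Iterations: | sed -e 's/[[:space:]]\+Iterations:\ \+//g')" -eq 1001 ] || fail
[ "$("$CRYPTSETUP" luksDump "$LOOPDEV1" | grep -m1 "Hash spec:" | cut -f2)" = "sha256" ] || fail
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --keep-key --hash sha512 $FAST_PBKDF
check_hash "$PWD1" "$HASH1"
[ "$("$CRYPTSETUP" luksDump "$LOOPDEV1" | grep -A1 -m1 "Key Slot 0" | grep Iterations: | sed -e 's/[[:space:]]\+Iterations:\ \+//g')" -eq 1000 ] || fail
# NOTE(review): neither the exit status nor any header field is checked after
# this last run, so a failure here would go unnoticed - confirm.
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --keep-key $FAST_PBKDF
check_hash "$PWD1" "$HASH1"
"$CRYPTSETUP" --type luks1 luksDump "$LOOPDEV1" > /dev/null || fail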

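echo "[9] Test log I/Os on various underlaying block devices"
prepare 8192
echo "$PWD2" | "$CRYPTSETUP" -q luksFormat $FAST_PBKDF "$LOOPDEV1" || fail
# The loop device is the volume being reencrypted; each 32 MB scsi_debug disk
# only carries the file system mounted by test_logging.
add_scsi_device sector_size=512 dev_size_mb=32
test_logging "[512 sector]" || fail
add_scsi_device sector_size=4096 dev_size_mb=32
test_logging "[4096 sector]" || fail
add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
test_logging "[4096/512 sector]" || fail
test_logging_tmpfs || fail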

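echo "[10] Removal of encryption"
prepare 8192
echo "$PWD1" | "$CRYPTSETUP" -q luksFormat $FAST_PBKDF "$LOOPDEV1" || fail
wipe "$PWD1"
check_hash "$PWD1" "$HASH1"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --decrypt
# HASH4 is also what the untouched zero image hashes to in section [11], so
# this checks that the whole loop device reads back as zeros after --decrypt.
check_hash_dev "$LOOPDEV1" "$HASH4"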

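echo "[11] Detached header - adding encryption/reencryption/decryption"
prepare 8192
check_hash_dev "$IMG" "$HASH4"
# With the header kept in $IMG_HDR the data area spans the whole device, so
# the same digest is expected in every state.
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q $FAST_PBKDF --header "$IMG_HDR" --new
check_hash "$PWD1" "$HASH4" "$IMG_HDR"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q $FAST_PBKDF --header "$IMG_HDR"
check_hash "$PWD1" "$HASH4" "$IMG_HDR"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q --header "$IMG_HDR" --decrypt
check_hash_dev "$IMG" "$HASH4"
# existing header of zero size
: > "$IMG_HDR"
echo "$PWD1" | "$REENC" "$LOOPDEV1" -q $FAST_PBKDF --header "$IMG_HDR" --new
check_hash "$PWD1" "$HASH4" "$IMG_HDR"
# The LUKS header must live in the header file only, not on the data device.
"$CRYPTSETUP" isLuks "$LOOPDEV1" && fail
"$CRYPTSETUP" isLuks "$IMG_HDR" || fail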

# All sections passed: tear down the devices and scratch files, report success.
remove_mapping
exit 0