Commit 919e1c3f authored by Ondrej Kozina's avatar Ondrej Kozina Committed by Milan Broz

Adapt tests to --pbkdf-force-iterations restrictions.

parent 16dc5831
......@@ -729,17 +729,16 @@ $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
prepare "[36] LUKS PBKDF setting" wipe
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf bla $LOOPDEV >/dev/null 2>&1 && fail
# Force setting, no benchmark. PBKDF2 has 1000 iterations as a minimum
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 999 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1000" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 999 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 --pbkdf-force-iterations 1234 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 1 \
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf argon2i --pbkdf-force-iterations 4 \
--pbkdf-memory 1234 --pbkdf-parallel 1 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2i" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "1" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Time cost:" | grep -q "4" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Memory:" | grep -q "1234" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Threads:" | grep -q "1" || fail
# Benchmark
......
......@@ -211,7 +211,7 @@ HASH4=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74
echo "[1] Reencryption"
prepare 8192
echo $PWD1 | $CRYPTSETUP -q luksFormat -s 128 -c aes-cbc-plain --pbkdf-force-iterations 1 --align-payload 4096 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -s 128 -c aes-cbc-plain --pbkdf-force-iterations 1000 --align-payload 4096 $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH1
echo $PWD1 | $REENC $LOOPDEV1 -q
......@@ -225,7 +225,7 @@ check_hash $PWD1 $HASH1
$CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
echo "[2] Reencryption with data shift"
echo $PWD1 | $CRYPTSETUP -q luksFormat -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 1 --align-payload 2048 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 1000 --align-payload 2048 $LOOPDEV1 || fail
wipe $PWD1
echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 --reduce-device-size 1024S || fail
check_hash $PWD1 $HASH2
......@@ -234,10 +234,10 @@ check_hash $PWD1 $HASH2
$CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
echo "[3] Reencryption with keyfile"
echo $PWD1 | $CRYPTSETUP -q luksFormat -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 1 --align-payload 4096 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 1000 --align-payload 4096 $LOOPDEV1 || fail
wipe
check_hash "" $HASH1
echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $LOOPDEV1 --pbkdf-force-iterations 1 || fail
echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $LOOPDEV1 --pbkdf-force-iterations 1000 || fail
$REENC $LOOPDEV1 -d $KEY1 -i 1 -q 2>/dev/null && fail
$REENC $LOOPDEV1 -d $KEY1 -S 0 -i 1 -q || fail
check_hash "" $HASH1
......@@ -258,14 +258,14 @@ check_hash $PWD1 $HASH3
$CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
echo "[5] Reencryption using specific keyslot"
echo $PWD2 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 1 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 2 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 3 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 4 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 5 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 6 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 7 $LOOPDEV1 || fail
echo $PWD2 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1000 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 1 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 2 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 3 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 4 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 5 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 6 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1000 -S 7 $LOOPDEV1 || fail
backup_orig
echo $PWD2 | $REENC -i 1 -S 0 -q $LOOPDEV1 || fail
check_slot 0 || fail "Only keyslot 0 expected to be enabled"
......@@ -298,7 +298,7 @@ simple_scsi_reenc "[4096/512 sector]"
echo "[OK]"
echo "[8] Header only reencryption (hash and iteration time)"
echo $PWD1 | $CRYPTSETUP -q luksFormat --hash sha1 --pbkdf-force-iterations 1 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --hash sha1 --pbkdf-force-iterations 1000 $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH1
echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha256 --iter-time 1
......@@ -322,7 +322,7 @@ test_logging_tmpfs || fail
echo "[10] Removal of encryption"
prepare 8192
echo $PWD1 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1000 $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH1
echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt
......
......@@ -206,7 +206,7 @@ HASH6=4d9cbaf3aa0935a8c113f139691b3daf9c94c8d6c278aedc8eec66a4b9f6c8ae
echo "[1] Reencryption"
prepare 8192
echo $PWD1 | $CRYPTSETUP -q luksFormat -s 128 -c aes-cbc-plain --pbkdf-force-iterations 1 --align-payload 4096 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -s 128 -c aes-cbc-plain --pbkdf-force-iterations 4 --align-payload 4096 $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH5
echo $PWD1 | $REENC $LOOPDEV1 -q
......@@ -220,7 +220,7 @@ check_hash $PWD1 $HASH5
$CRYPTSETUP luksDump $LOOPDEV1 > /dev/null || fail
echo "[2] Reencryption with data shift"
echo $PWD1 | $CRYPTSETUP -q luksFormat -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 1 --align-payload 2048 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 4 --align-payload 2048 $LOOPDEV1 || fail
wipe $PWD1
echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 --reduce-device-size 1024S || fail
check_hash $PWD1 $HASH6
......@@ -229,7 +229,7 @@ check_hash $PWD1 $HASH6
$CRYPTSETUP luksDump $LOOPDEV1 > /dev/null || fail
echo "[3] Reencryption with keyfile"
echo $PWD1 | $CRYPTSETUP -q luksFormat -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 1 --align-payload 4096 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 --pbkdf-force-iterations 4 --align-payload 4096 $LOOPDEV1 || fail
wipe
check_hash "" $HASH5
echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $LOOPDEV1 || fail
......@@ -254,14 +254,14 @@ check_hash $PWD1 $HASH5
$CRYPTSETUP luksDump $LOOPDEV1 > /dev/null || fail
echo "[5] Reencryption using specific keyslot"
echo $PWD2 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 1 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 2 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 3 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 4 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 5 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 6 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 1 -S 7 $LOOPDEV1 || fail
echo $PWD2 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 4 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 1 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 2 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 3 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 4 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 5 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 6 $LOOPDEV1 || fail
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey --pbkdf-force-iterations 4 -S 7 $LOOPDEV1 || fail
backup_orig
echo $PWD2 | $REENC -i 1 -S 0 -q $LOOPDEV1 || fail
check_slot 0 || fail "Only keyslot 0 expected to be enabled"
......@@ -294,7 +294,7 @@ simple_scsi_reenc "[4096/512 sector]"
echo "[OK]"
echo "[8] Header only reencryption (hash and iteration time)"
echo $PWD1 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1 --hash sha1 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 4 --hash sha1 $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH5
echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha256 --iter-time 1
......@@ -307,7 +307,7 @@ $CRYPTSETUP luksDump $LOOPDEV1 > /dev/null || fail
echo "[9] Test log I/Os on various underlaying block devices"
prepare 8192
echo $PWD2 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1 $LOOPDEV1 || fail
echo $PWD2 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 4 $LOOPDEV1 || fail
add_scsi_device sector_size=512 dev_size_mb=25
test_logging "[512 sector]" || fail
add_scsi_device sector_size=4096 dev_size_mb=25
......@@ -318,7 +318,7 @@ test_logging_tmpfs || fail
echo "[10] Removal of encryption"
prepare 8192
echo $PWD1 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 1 $LOOPDEV1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --pbkdf-force-iterations 4 $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH5
echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment