# Locate the cryptsetup binary under test. CRYPTSETUP_PATH falls back to the
# parent directory when it is unset or empty.
# NOTE(review): the binary path is relative and environment-controlled, and the
# later sections of this script insist on root (see the `id -u` check), so the
# suite should only be started from a trusted build tree.
4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
6 CRYPTSETUP_RAW=$CRYPTSETUP
# Binary and library directory that valgrind_setup switches to when VALG is set.
8 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
9 CRYPTSETUP_LIB_VALGRIND=../.libs
# Fixture file names; all are relative, so they are created in the current
# working directory of the test run.
14 ORIG_IMG=luks-test-orig
17 HEADER_IMG=luks-header
# File that receives a dumped volume key in the luksDump tests. It holds raw
# key material for the throwaway test volume and is deleted by remove_mapping.
27 VK_FILE="compattest_vkfile"
# Test-only KDF settings: PBKDF2 pinned to 1000 iterations so every keyslot
# operation is fast. This offers negligible brute-force resistance and must not
# be carried over into real luksFormat/luksAddKey invocations.
29 FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
# Byte-range maps of the on-disk LUKS1 layout. They are passed to check(), which
# hands them to ./differ together with the original and the current image.
# Each token is <letter><first byte>-<last byte>; the letter selects the kind of
# comparison ./differ performs for that range. The letters' exact semantics are
# defined in ./differ, which is not part of this listing.
31 LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591"
32 KEY_SLOT0="S208-211 S212-215 R216-247 A248-251 A251-255"
33 KEY_MATERIAL0="R4096-68096"
34 KEY_MATERIAL0_EXT="R4096-68096"
36 KEY_SLOT1="S256-259 S260-263 R264-295 A296-299 A300-303"
37 KEY_MATERIAL1="R69632-133632"
# The *_EXT variants are the maps used after a keyslot has been killed
# (see the "successful delete" and "delete key" cases).
38 KEY_MATERIAL1_EXT="S69632-133632"
40 KEY_SLOT5="S448-451 S452-455 R456-487 A488-491 A492-495"
41 KEY_MATERIAL5="R331776-395264"
42 KEY_MATERIAL5_EXT="S331776-395264"
# Fixed UUID so luksDump/luksUUID output can be matched literally.
44 TEST_UUID="12345678-1234-1234-1234-123456789abc"
# First free loop device, or empty if losetup cannot provide one (the root
# section later skips the run when LOOPDEV is empty).
46 LOOPDEV=$(losetup -f 2>/dev/null)
# FIPS_MODE is only populated when /etc/system-fips exists; otherwise it stays
# unset and the FIPS check below evaluates to false.
47 [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
# Best-effort teardown of everything the suite may have created: the three
# device-mapper nodes, the loop attachment, all fixture files and the scsi_debug
# module. Every step discards its output and its exit status.
# (The function's braces are not present in this listing.)
49 function remove_mapping()
51 [ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove --retry $DEV_NAME3 >/dev/null 2>&1
52 [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 >/dev/null 2>&1
53 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1
54 losetup -d $LOOPDEV >/dev/null 2>&1
# Key files and the dumped volume-key file ($VK_FILE) are unlinked here with a
# plain rm; that is adequate only because they protect throwaway test images.
# NOTE(review): the expansions are unquoted and this runs as root in the root
# section, so it depends on the fixture names being simple words.
55 rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $VK_FILE missing-file >/dev/null 2>&1
56 rmmod scsi_debug 2> /dev/null
57 scsi_debug_teardown $DEV
# Ask the kernel to re-emit a "change" uevent for the loop device by writing to
# its sysfs uevent file. The caller's comment says some systems do not refresh
# the loop device's by-uuid link on their own.
# (The function's braces are not present in this listing.)
60 function force_uevent()
# Third '/'-separated field of e.g. /dev/loopN is the bare device name.
62 DNAME=$(echo $LOOPDEV | cut -f3 -d /)
63 echo "change" >/sys/block/$DNAME/uevent
# Fragment of a failure handler (its header is not visible in this listing):
# print the optional message in $1, then a backtrace.
68 [ -n "$1" ] && echo "$1"
70 echo "FAILED backtrace:"
# `caller N` prints one stack frame and returns non-zero once N is past the
# outermost frame, which ends the loop.
71 while caller $frame; do ((frame++)); done
# True only when FIPS_MODE is non-empty and numerically greater than zero
# (the enclosing definition is not visible in this listing).
77 [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
# Only the header and the first comment of this function are visible here.
80 function can_fail_fips()
82 # Ignore this fail if running in FIPS mode
# Fragment of an exit helper (its header is not visible in this listing):
# print the optional message in $1, then leave the script.
88 [ -n "$1" ] && echo "$1"
# NOTE(review): as written, this branch fires only when $2 is EMPTY, so it runs
# a bare `exit`, whose status is that of the preceding test, i.e. 0. If this is
# the skip path, a skipped run of these encryption tests would be reported as a
# pass. The test looks inverted (`-n` rather than `-z`) — confirm against the
# elided lines before relying on the exit status in CI.
90 [ -z "$2" ] && exit $2
# Fragments of the per-test image setup (the enclosing definition and its
# branch structure are not visible in this listing).
# Drop a leftover mapping from the previous test.
96 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1
# Fresh zero-filled image of 10000 KiB; dd errors are discarded.
101 dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
106 dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
108 losetup $LOOPDEV $IMG
# Unpack the pre-built compatibility image shipped next to the script.
112 xz -cd compatimage.img.xz > $IMG
113 # FIXME: switch to internal loop (no losetup at all)
# Kernel capability probe: the passphrase "bad" is irrelevant, only the
# "autoclear flag" message on stderr is of interest; if present, skip the run.
114 echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
115 grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
116 losetup $LOOPDEV $IMG
117 xz -cd compatv10image.img.xz > $IMG10
# Re-create the images only if they are missing.
120 if [ ! -e $IMG ]; then
121 xz -cd compatimage.img.xz > $IMG
122 losetup $LOOPDEV $IMG
124 [ ! -e $IMG10 ] && xz -cd compatv10image.img.xz > $IMG10
# Key-file fixtures, created only when missing (the closing `fi` lines are not
# present in this listing).
128 if [ ! -e $KEY1 ]; then
129 #dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
# KEY1 is a fixed 32-byte value (2 x 16 bytes) rather than random data, which
# keeps runs reproducible. It is a published constant: never reuse it as a key
# for anything but these test images.
130 echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$KEY1
131 echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$KEY1
# KEY2 and KEY5 are 16 random bytes each; dd failures are silently ignored, so
# an empty key file would only show up as a later test failure.
134 if [ ! -e $KEY2 ]; then
135 dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
138 if [ ! -e $KEY5 ]; then
139 dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
# The body that creates KEYE is not visible in this listing.
142 if [ ! -e $KEYE ]; then
# Fragments of the case-announcement and image-comparison helpers (their
# headers are not visible in this listing).
147 [ -n "$1" ] && echo "CASE: $1"
# With no region map there is nothing to compare.
153 [ -z "$1" ] && return
# $1 is deliberately unquoted so each region token becomes its own argument to
# ./differ; any mismatch aborts the run through fail.
154 ./differ $ORIG_IMG $IMG $1 || fail
# Assert that the primary mapping exists as a block device; fail otherwise.
# (Only these two lines of the function are visible in this listing.)
157 function check_exists()
159 [ -b /dev/mapper/$DEV_NAME ] || fail
# Unload the scsi_debug module, retrying while the block device in $1 still
# exists and the retry counter is positive (the counter's initialisation and
# the loop's tail are not visible in this listing).
163 # $1 path to scsi debug bdev
164 scsi_debug_teardown() {
# NOTE(review): `-a` inside [ ] is obsolescent and $_tries is unquoted; an
# empty $_tries would turn this into a test syntax error.
167 while [ -b "$1" -a $_tries -gt 0 ]; do
168 rmmod scsi_debug 2> /dev/null
# Final attempt if the device is still present after the loop.
175 test ! -b "$1" || rmmod scsi_debug 2> /dev/null
# Load scsi_debug with the caller's module parameters and publish the resulting
# block device path in the global DEV.
178 function add_scsi_device() {
179 scsi_debug_teardown $DEV
# NOTE(review): $@ is unquoted, so arguments are re-split; callers in this
# listing pass simple key=value words only.
180 modprobe scsi_debug $@ delay=0
181 if [ $? -ne 0 ] ; then
182 echo "This kernel seems to not support proper scsi_debug module, test skipped."
# The device is found by its model string in sysfs; field 4 of
# /sys/block/<name>/device/model is <name>. With no match DEV becomes "/dev/",
# which the -b test below rejects.
# NOTE(review): presumably only one scsi_debug disk exists at a time; several
# matches would yield a multi-line value — verify.
187 DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
188 [ -b $DEV ] || fail "Cannot find $DEV."
# When VALG is set, reroute every $CRYPTSETUP call through valgrind_run and
# point the loader at the freshly built library. No-op when VALG is empty.
# (The function's braces are not present in this listing.)
191 function valgrind_setup()
193 [ -n "$VALG" ] || return
194 which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
195 [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
# NOTE(review): the prepended directory is relative, and if LD_LIBRARY_PATH was
# empty the result ends in ':' — an empty entry that the dynamic loader resolves
# to the current directory. Acceptable in a build tree; worth knowing because
# the root section runs with this environment.
196 export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
197 CRYPTSETUP=valgrind_run
198 CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}"
# Both wrappers tag the invocation with "<calling script>-line-<line number>"
# in INFOSTRING before running the command; the command lines themselves are
# not visible in this listing.
201 function valgrind_run()
203 export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
207 function expect_run()
209 export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
216 # LUKS non-root-tests
# Without root the file-image tests depend on the kernel's userspace crypto
# API; a failing benchmark is used as the probe and leads to a skip.
# (The closing `fi` is not present in this listing.)
217 if [ $(id -u) != 0 ]; then
218 $CRYPTSETUP benchmark -c aes-xts-plain64 >/dev/null 2>&1 || \
219 skip "WARNING: Cannot run test without kernel userspace crypto API, test skipped."
# File-image tests: format, passphrase verification and key addition directly
# on an image file. Pattern used throughout: `cmd || fail` asserts success,
# `cmd 2>/dev/null && fail` asserts that the command is rejected.
222 prepare "Image in file tests (root capabilities not required)" file
224 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
# A passphrase that is not in any slot must be refused, and specifically with
# exit status 2. $? still holds cryptsetup's status here because the `&& fail`
# list short-circuits when the command fails.
226 echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
227 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
228 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
229 # test detached header --test-passphrase
230 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --header $HEADER_IMG $IMG || fail
231 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
# Adding a key needs an existing valid passphrase followed by the new one:
# a lone passphrase and a wrong existing passphrase must both be rejected.
234 echo $PWD1 | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
235 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
236 echo -e "$PWD0\n$PWD1" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
# Change and remove keys; the expected exit status distinguishes "wrong
# passphrase" (2) from "no slot matches any more" (1), as the messages state.
237 echo "[4] change key"
238 echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail
# PWD1 was just replaced by PWD0, so using it as the old passphrase must fail.
239 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG 2>/dev/null && fail
240 [ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
241 echo "[5] remove key"
242 # delete active keys PWD0, PWD2
243 echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG 2>/dev/null && fail
244 [ $? -ne 2 ] && fail "luksRemove should return EPERM exit code"
245 echo $PWD0 | $CRYPTSETUP luksRemoveKey $IMG || fail
246 echo $PWD2 | $CRYPTSETUP luksRemoveKey $IMG || fail
247 # check if keys were deleted
248 echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
249 [ $? -ne 1 ] && fail "luksOpen should return ENOENT exit code"
250 echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
251 [ $? -ne 1 ] && fail "luksOpen should return ENOENT exit code"
# Kill-slot authorisation: a slot may only be destroyed with a passphrase that
# belongs to a DIFFERENT, still-active slot. Slot state is read back from
# luksDump after every step.
253 # format new luks device with active keys PWD1, PWD2
254 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
255 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
256 # deactivate keys by killing slots
257 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail
258 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 1: ENABLED" || fail
259 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 2: DISABLED" || fail
# PWD1 sits in slot 0, so it cannot authorise killing slot 0; PWD2 can.
260 echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 0 2>/dev/null && fail
261 echo $PWD2 | $CRYPTSETUP -q luksKillSlot $IMG 0 || fail
262 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: DISABLED" || fail
# PWD1 no longer unlocks anything, so it must be refused with status 2.
263 echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 1 2>/dev/null && fail
264 [ $? -ne 2 ] && fail "luksKill should return EPERM exit code"
265 echo $PWD2 | $CRYPTSETUP -q luksKillSlot $IMG 1 || fail
266 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 1: DISABLED" || fail
267 # check if keys were deactivated
268 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
269 echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
# Header backup/restore round trip. The case also demonstrates an operational
# point: a header backup keeps every keyslot that was valid when it was taken,
# so restoring it brings back a passphrase that was removed afterwards.
270 echo "[7] header backup"
271 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
272 $CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
273 echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG || fail
274 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
275 echo "[8] header restore"
276 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
# PWD1 works again although it was removed from the live header above.
277 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
# luksDump on an image file, including export of the volume (master) key.
279 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG $KEY1 || fail
280 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -d $KEY1 || fail
281 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail
282 $CRYPTSETUP luksDump $IMG | grep -q $TEST_UUID || fail
# Dumping the volume key requires a valid passphrase or key file; a wrong
# passphrase must be refused.
283 echo $PWDW | $CRYPTSETUP luksDump $IMG --dump-master-key 2>/dev/null && fail
284 echo $PWD1 | $CRYPTSETUP luksDump $IMG --dump-master-key | grep -q "MK dump:" || fail
285 $CRYPTSETUP luksDump -q $IMG --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
# Write the volume key to $VK_FILE; the immediate second attempt with the same
# target is expected to fail. The file now contains the raw key of the image.
286 echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE >/dev/null || fail
287 echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE 2>/dev/null && fail
# Possession of the volume key file is sufficient to add a new passphrase.
288 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $IMG || fail
# luksUUID must report the UUID supplied at format time.
291 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG || fail
292 $CRYPTSETUP -q luksUUID $IMG | grep -q $TEST_UUID || fail
# Gate for the remaining tests: they attach loop devices and create
# device-mapper nodes, so they need root and a free loop device.
294 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
295 [ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."
# Open the shipped compatibility images and compare the decrypted content with
# a known digest. SHA-1 serves here purely as a regression fingerprint of known
# plaintext; it is not relied on for any security property.
298 prepare "[1] open - compat image - acceptance check" new
299 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
301 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
302 [ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
303 $CRYPTSETUP -q luksClose $DEV_NAME || fail
305 # Check it can be opened from header backup as well
306 $CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
307 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
309 $CRYPTSETUP -q luksClose $DEV_NAME || fail
311 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
313 # Repeat for V1.0 header - not aligned first keyslot
314 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
316 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
317 [ "$ORG_SHA1" = 51b48c2471a7593ceaf14dc5e66bca86ed05f6cc ] || fail
318 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# NOTE(review): this is the only step of the section without `|| fail`. If the
# backup fails, the next open may still run against whatever $HEADER_IMG held
# before — TODO confirm whether the missing check is intentional.
321 $CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG
322 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
324 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Denial check: the wrong passphrase must not open either compat image.
326 prepare "[2] open - compat image - denial check" new
327 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
328 echo $PWDW | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME 2>/dev/null && fail
331 # All headers items and first key material section must change
# After formatting, check() compares the image with the original according to
# the region maps. `-i 1000` sets the PBKDF iteration time instead of using
# $FAST_PBKDF_OPT; `-s 128` selects a 128-bit key.
332 prepare "[3] format" wipe
333 echo $PWD1 | $CRYPTSETUP -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV || fail
334 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
336 prepare "[4] format using hash sha512" wipe
337 echo $PWD1 | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV || fail
338 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
# Open the freshly formatted device: passphrase test first (positive and
# negative), then a real activation.
341 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
342 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
343 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Keyslot add/delete with on-disk verification: each case states which regions
# may differ from the original image, and check() enforces it through ./differ.
346 # Key Slot 1 and key material section 1 must change, the rest must not.
347 prepare "[6] add key"
348 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV || fail
349 check "$KEY_SLOT1 $KEY_MATERIAL1"
350 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
352 # Unsuccessful Key Delete - nothing may change
# Wrong passphrase, and slot numbers 8 and 7 in batch mode, must all be
# rejected (the follow-up check lines are not visible in this listing).
353 prepare "[7] unsuccessful delete"
354 echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
355 $CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
356 $CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
360 # Key Slot 1 and key material section 1 must change, the rest must not
# Batch mode (-q) kills the slot without asking for a passphrase; afterwards
# PWD2 must be useless while PWD1 still opens the device.
361 prepare "[8] successful delete"
362 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
363 check "$KEY_SLOT1 $KEY_MATERIAL1_EXT"
364 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
365 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Key-file based slots: add a key file, remove the passphrase slot with it,
# remove the last remaining key, and format with a key file directly.
367 # Key Slot 1 and key material section 1 must change, the rest must not
368 prepare "[9] add key test for key files"
369 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
370 check "$KEY_SLOT1 $KEY_MATERIAL1"
371 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
373 # Key Slot 1 and key material section 1 must change, the rest must not
374 prepare "[10] delete key test with key1 as remaining key"
375 $CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
376 check "$KEY_SLOT0 $KEY_MATERIAL0_EXT"
377 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
378 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
# Killing the only slot is permitted here; the volume then has no usable key
# and the former passphrase must no longer open it.
381 prepare "[11] delete last key" wipe
382 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $LOOPDEV $FAST_PBKDF_OPT || fail
383 echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
384 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
386 # Format test for ESSIV, and some other parameters.
387 prepare "[12] parameter variation test" wipe
388 $CRYPTSETUP -q -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV $KEY1 || fail
389 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
390 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
# Stacking: a LUKS device formatted on top of an opened LUKS mapping, closed in
# reverse order.
392 prepare "[13] open/close - stacked devices" wipe
393 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $FAST_PBKDF_OPT || fail
394 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
395 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 /dev/mapper/$DEV_NAME || fail
396 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
397 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
398 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Newline handling differs by input mode, which decides what the effective
# passphrase is: with --key-file=- the whole stream including "\n" is the key;
# with plain stdin the passphrase ends at the first newline.
400 prepare "[14] format/open - passphrase on stdin & new line" wipe
401 # stdin defined by "-" must take even newline
402 #echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
403 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks1 $LOOPDEV || fail
404 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
405 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Same bytes without --key-file=- are truncated at the newline and must fail.
406 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
407 # now also try --key-file
408 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks1 $LOOPDEV --key-file=- || fail
409 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
410 $CRYPTSETUP -q luksClose $DEV_NAME || fail
411 # process newline if from stdin
412 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks1 $LOOPDEV || fail
413 echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
414 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# UUID handling: a malformed UUID is rejected at format time; a valid one is
# reported back verbatim, whether set at format time or afterwards.
416 prepare "[15] UUID - use and report provided UUID" wipe
417 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid blah $LOOPDEV 2>/dev/null && fail
418 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $LOOPDEV || fail
419 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
# The trailing "x" keeps the comparison well-formed if either side is empty.
420 [ "$tst"x = "$TEST_UUID"x ] || fail
421 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
422 $CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
423 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
424 [ "$tst"x = "$TEST_UUID"x ] || fail
# luksFormat with an externally supplied volume key, and activation by UUID or
# by volume key.
426 prepare "[16] luksFormat" wipe
# /dev/urandom as --master-key-file yields a random volume key read from a file.
427 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom $LOOPDEV || fail
428 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
429 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
430 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
431 $CRYPTSETUP -q luksClose $DEV_NAME || fail
433 force_uevent # some systems do not update loop by-uuid
# A UUID that does not exist must not resolve to the device.
434 $CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
435 $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
436 $CRYPTSETUP -q luksClose $DEV_NAME || fail
438 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
439 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
440 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Activation with the volume key itself bypasses the keyslots: the right key
# ($KEY1) opens the device, random bytes must not.
442 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 $LOOPDEV || fail
443 $CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
444 $CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
445 $CRYPTSETUP -q luksClose $DEV_NAME || fail
446 # unsupported pe-keyslot encryption
# LUKS1 must refuse per-keyslot cipher or key-size overrides.
447 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 128 --keyslot-cipher "aes-cbc-plain" $LOOPDEV 2>/dev/null && fail
448 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 128 --keyslot-key-size 256 $LOOPDEV 2>/dev/null && fail
# luksAddKey authorised by the volume key instead of an existing passphrase.
# /dev/zero is used as the key file, i.e. the volume key is all zero bytes:
# convenient for a test, worthless as a key anywhere else.
450 prepare "[17] AddKey volume key, passphrase and keyfile" wipe
452 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 3 || fail
453 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
454 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
455 echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 4 || fail
456 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
457 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
# An empty volume-key file (/dev/null) must be rejected.
458 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/null --key-slot 5 2>/dev/null && fail
459 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --master-key-file /dev/zero --key-slot 5 $KEY1 || fail
460 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
461 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
463 # special "-" handling
# "-" as a key-file name means stdin, for the existing as well as the new key.
464 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail
465 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
466 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
467 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
468 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
469 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
# Giving -d twice is an error, even with the same file.
470 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
471 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
# Build the slot layout named in the comment below; test [18] reuses it.
473 # [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
474 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail
475 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
# An occupied slot must not be overwritten by luksAddKey.
476 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
478 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
479 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
480 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
482 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
483 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
484 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
485 # passphrase/passphrase
486 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
487 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
488 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
# --new-keyfile-size 3 stores only the first three bytes of $KEY1 in slot 2.
490 echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
491 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
# Removal paths: luksRemoveKey (by key) and luksKillSlot (by number).
# The cases separate two situations: when a passphrase or key file IS supplied
# it must be verified even in batch mode; when none is supplied (batch mode or
# stdin not a terminal) the slot is killed without authentication.
# NOTE(review): the second group means slot destruction is ultimately guarded
# by write access to the device, not by a secret — relevant for whoever decides
# who may run cryptsetup against production volumes.
493 prepare "[18] RemoveKey passphrase and keyfile" reuse
494 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
495 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
# The key is gone, so removing it a second time must fail.
496 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
497 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 3 2>/dev/null || fail
498 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
# A one-byte prefix of $KEY2 is not the stored key.
499 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
500 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
501 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: DISABLED" || fail
502 # if password or keyfile is provided, batch mode must not suppress it
503 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
504 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
505 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
506 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
507 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
508 # kill slot using passphrase from 1
509 echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
510 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: DISABLED" || fail
511 # kill slot with redirected stdin
512 $CRYPTSETUP luksKillSlot $LOOPDEV 3 </dev/null 2>/dev/null || fail
513 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
514 # remove key0 / slot 0
515 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
516 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
517 # last keyslot, in batch mode no passphrase needed...
518 $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
519 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
# Plain (headerless) dm-crypt mappings: create, status and resize.
# Plain mode has no header and therefore no passphrase verification; the
# passphrase is simply hashed (here with sha1, a legacy choice kept for the
# test) into the key, so the test only inspects the mapping geometry.
521 prepare "[19] create & status & resize" wipe
# An unknown hash name must be rejected.
522 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
523 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
524 $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
525 $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
526 $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
527 $CRYPTSETUP -q resize $DEV_NAME --size 100 || fail
528 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
# Resize without a size grows the mapping back to the full backing device.
529 $CRYPTSETUP -q resize $DEV_NAME || fail
530 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
531 $CRYPTSETUP -q resize $DEV_NAME --device-size 1M || fail
532 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
# Conflicting or non-sector-multiple sizes must be refused and leave the
# current size untouched.
533 $CRYPTSETUP -q resize $DEV_NAME --device-size 512k --size 1023 >/dev/null 2>&1 && fail
534 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
535 $CRYPTSETUP -q resize $DEV_NAME --device-size 513 >/dev/null 2>&1 && fail
536 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
537 # Resize underlying loop device as well
# 16 MiB is 32768 sectors; minus the 3-sector offset gives the expected 32765.
538 truncate -s 16M $IMG || fail
539 $CRYPTSETUP -q resize $DEV_NAME || fail
540 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
541 $CRYPTSETUP -q remove $DEV_NAME || fail
# status on a removed mapping must report failure.
542 $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
543 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
544 $CRYPTSETUP -q remove $DEV_NAME || fail
545 echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
546 $CRYPTSETUP -q remove $DEV_NAME || fail
547 echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
548 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
549 $CRYPTSETUP -q remove $DEV_NAME || fail
550 # 4k sector resize (if kernel supports it)
# The open is allowed to fail (older kernels); the checks below run only when
# it succeeded. With 4096-byte encryption sectors, sizes (given in 512-byte
# units) that are not a multiple of 8 must be rejected and change nothing.
# (The closing `fi` is not present in this listing.)
551 echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
552 if [ $? -eq 0 ] ; then
553 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
554 $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail
555 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
556 $CRYPTSETUP -q resize $DEV_NAME --size 9 2>/dev/null && fail
557 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
558 $CRYPTSETUP -q resize $DEV_NAME --device-size 4608 2>/dev/null && fail
559 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
560 $CRYPTSETUP -q remove $DEV_NAME || fail
562 # Resize not aligned to logical block size
# Uses a scsi_debug disk with 4096-byte logical sectors. A rejected resize must
# leave the mapping both unchanged in size and not SUSPENDED — a failed
# operation must not leave the device in a state where I/O hangs.
563 add_scsi_device dev_size_mb=32 sector_size=4096
564 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
565 OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
566 $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
567 dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
568 NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
569 test $OLD_SIZE -eq $NEW_SIZE || fail
570 $CRYPTSETUP close $DEV_NAME || fail
571 # Add check for unaligned plain crypt activation
572 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
573 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
574 # verify is ignored on non-tty input
575 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
576 $CRYPTSETUP -q remove $DEV_NAME || fail
# Option validation for key-file based plain mappings: invalid key sizes and a
# negative key-file size are rejected, as are an already used mapping name and
# a missing key file.
577 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
578 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
579 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail
580 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
581 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
582 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
583 $CRYPTSETUP -q remove $DEV_NAME || fail
584 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail
585 $CRYPTSETUP -q remove $DEV_NAME || fail
# A backing device that already carries an active mapping must not be mapped
# again under any name, nor reformatted, until the mapping is removed. This
# guards against two mappings writing to the same ciphertext.
587 prepare "[20] Disallow open/create if already mapped." wipe
588 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
589 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
590 $CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail
591 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV 2>/dev/null && fail
592 $CRYPTSETUP remove $DEV_NAME || fail
593 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV || fail
594 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
595 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
596 $CRYPTSETUP luksClose $DEV_NAME || fail
# luksDump against the loop device, mirroring the file-image variant earlier.
598 prepare "[21] luksDump" wipe
599 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
600 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
601 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
602 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
# The volume key is released only for a valid passphrase or key file.
603 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
604 echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
605 $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
# $VK_FILE receives the raw volume key and is then enough to add a passphrase.
606 echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key --master-key-file $VK_FILE > /dev/null || fail
607 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
# A mapping must remain closable after its backing device starts failing, so
# key material does not stay loaded in the kernel for a dead device.
609 prepare "[22] remove disappeared device" wipe
# Linear dm device over the loop device, 5000 sectors starting at sector 2.
610 dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
611 echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks1 /dev/mapper/$DEV_NAME || fail
612 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
613 # underlying device now returns error but node is still present
614 dmsetup load $DEV_NAME --table "0 5000 error" || fail
615 dmsetup resume $DEV_NAME || fail
616 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
617 dmsetup remove --retry $DEV_NAME || fail
# luksChangeKey for key files and passphrases, with and without an explicit
# slot, and with every slot occupied.
619 prepare "[23] ChangeKey passphrase and keyfile" wipe
621 $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 || fail
622 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
623 # keyfile [0] / keyfile [0]
624 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
625 # passphrase [1] / passphrase [1]
626 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
627 # keyfile [0] / keyfile [new]
# Without --key-slot the new key lands in a different slot and the old slot is
# disabled afterwards, as the luksDump checks confirm.
628 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
629 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
630 # passphrase [1] / passphrase [new]
631 echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
632 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
# Add six more copies of $KEY2 so that all eight LUKS1 slots are in use.
634 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
635 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
636 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
637 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
638 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
639 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
640 # still allows replace
# With no free slot the change happens in place; the second attempt fails
# because $KEY1 no longer matches any slot.
641 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
642 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
# Key-file size (-l) and offset limits. The slot is created from exactly the
# first 13 bytes of $KEY1, so any other length or offset selects different key
# bytes and must be refused; negative values are invalid outright.
644 prepare "[24] Keyfile limit" wipe
645 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
646 $CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
647 $CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
648 $CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
649 $CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
650 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
651 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
652 $CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
653 $CRYPTSETUP luksClose $DEV_NAME || fail
# The same limits apply to the authorising key in AddKey/RemoveKey/ChangeKey;
# --new-keyfile-size bounds the key being added independently.
654 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT 2>/dev/null && fail
655 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 14 2>/dev/null && fail
656 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l -1 2>/dev/null && fail
657 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
658 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
659 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
660 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT 2>/dev/null && fail
661 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 14 2>/dev/null && fail
662 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
663 # -l is ignored for stdin if _only_ passphrase is used
664 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
665 # this is stupid, but expected
666 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
667 echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
668 echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
670 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
671 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
672 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
673 $CRYPTSETUP luksClose $DEV_NAME || fail
674 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
675 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
676 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
677 $CRYPTSETUP luksClose $DEV_NAME || fail
678 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
679 $CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
680 $CRYPTSETUP luksClose $DEV_NAME || fail
681 # large device with keyfile
682 echo -e '0 10000000 error'\\n'10000000 1000000 zero' | dmsetup create $DEV_NAME2 || fail
683 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV /dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5120000000 || fail
684 $CRYPTSETUP --key-file=/dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5119999999 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
685 $CRYPTSETUP --key-file=/dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5120000000 luksOpen $LOOPDEV $DEV_NAME || fail
686 $CRYPTSETUP luksClose $DEV_NAME || fail
687 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \
688 --keyfile-offset 5120000000 -l 13 /dev/mapper/$DEV_NAME2 --new-keyfile-offset 5120000001 --new-keyfile-size 15 || fail
689 dmsetup remove --retry $DEV_NAME2
# Test [25]: two plain-mode mappings on the same loop device at different
# offsets. The second mapping must be refused unless --shared is given.
# NOTE(review): --hash sha1 is used here while test [31] in this file uses
# sha256; a crypto backend built without SHA-1 would presumably fail this
# test for a reason unrelated to --shared. Confirm whether sha1 is required.
691 prepare "[25] Create shared segments" wipe
692 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail
693 echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
694 echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
695 $CRYPTSETUP -q remove $DEV_NAME2 || fail
696 $CRYPTSETUP -q remove $DEV_NAME || fail
# Test [26]: luksSuspend / luksResume.
# Part 1 (plain mapping): suspend and resume must both be refused, and
#   suspend on a name that no longer exists must fail as well.
# Part 2 (LUKS1): after suspend, status must report "(suspended)", resize
#   must be refused, a wrong passphrase must not resume the device, and the
#   correct passphrase must.
# Part 3: the same suspend/resume cycle on a volume formatted with "-c null"
#   and an empty passphrase (echo with no text).
698 prepare "[26] Suspend/Resume" wipe
699 # only LUKS is supported
700 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
701 $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
702 $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
703 $CRYPTSETUP -q remove $DEV_NAME || fail
704 $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
706 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
707 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
708 $CRYPTSETUP luksSuspend $DEV_NAME || fail
709 $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
710 $CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
# The "&& fail" list is short-circuited when luksResume fails, so $? on the
# next line is luksResume's own exit status. The test requires it to be 2,
# which the message below calls the EPERM exit code. This is the only
# negative check in this test that also pins the reason for the failure.
711 echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
712 [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
713 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
714 $CRYPTSETUP -q luksClose $DEV_NAME || fail
715 echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
716 echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
717 $CRYPTSETUP luksSuspend $DEV_NAME || fail
718 $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
719 echo | $CRYPTSETUP luksResume $DEV_NAME || fail
720 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Test [27]: luksOpen restricted to one key slot with -S.
# A valid passphrase or keyfile must be rejected when -S names a slot that
# holds a different key (or no key). After every rejected open the test also
# checks that no /dev/mapper/$DEV_NAME block device was left behind.
# check is a helper defined outside this view; it is passed the header,
# key-slot and key-material layout descriptors set at the top of the file.
722 prepare "[27] luksOpen with specified key slot number" wipe
723 # first, let's try passphrase option
724 echo $PWD3 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -S 5 $LOOPDEV || fail
725 check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
726 echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
727 [ -b /dev/mapper/$DEV_NAME ] && fail
728 echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
730 $CRYPTSETUP luksClose $DEV_NAME || fail
# $PWD3 authorises the add, $PWD1 becomes the key in slot 0; each passphrase
# must then be refused on the other one's slot.
731 echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail
732 check $LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0
733 echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail
734 [ -b /dev/mapper/$DEV_NAME ] && fail
735 echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
736 [ -b /dev/mapper/$DEV_NAME ] && fail
737 # second, try it with keyfiles
# NOTE(review): this luksFormat is the only one in the test without
# $FAST_PBKDF_OPT; confirm whether the default PBKDF cost is intended here.
738 $CRYPTSETUP luksFormat --type luks1 -q -S 5 -d $KEY5 $LOOPDEV || fail
739 check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
740 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
741 check $LUKS_HEADER $KEY_SLOT1 $KEY_MATERIAL1
742 $CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
744 $CRYPTSETUP luksClose $DEV_NAME || fail
745 $CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
746 [ -b /dev/mapper/$DEV_NAME ] && fail
747 $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
748 [ -b /dev/mapper/$DEV_NAME ] && fail
# Test [28]: LUKS1 with the header kept in a separate file ($HEADER_IMG).
# Covered in order: payload alignment/offset option validation at format
# time, formatting into a header file truncated to 4096 bytes, open/resize/
# status/suspend/resume with --header, and key-slot management that needs
# only the header file.
750 prepare "[28] Detached LUKS header" wipe
751 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG || fail
# --align-payload 1 must be rejected; 8192 and 0 are accepted; combining
# --align-payload with --offset must be rejected.
752 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
753 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
754 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 0 || fail
755 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 8192 --offset 8192 >/dev/null 2>&1 && fail
756 truncate -s 4096 $HEADER_IMG
757 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG -S7 >/dev/null 2>&1 || fail
758 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 80000 >/dev/null 2>&1 || fail
759 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 8192 || fail
760 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 0 || fail
# A non-existent data device must be refused even though the header is valid.
761 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
762 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
763 $CRYPTSETUP -q resize $DEV_NAME --size 100 --header $HEADER_IMG || fail
764 $CRYPTSETUP -q status $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
# Without --header, status is expected to print "n/a" as the type.
765 $CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail
766 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
767 $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
768 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
# Suspend works without --header, but resume must fail without it and
# succeed once the header file is supplied.
769 $CRYPTSETUP luksSuspend $DEV_NAME || fail
770 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
771 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
772 $CRYPTSETUP luksClose $DEV_NAME || fail
# _fakedev_ stands in for the data device argument: adding, dumping and
# killing a key slot are expected to work from the header file alone.
773 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
774 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail
775 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
776 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail
777 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
# Test [29]: header repair. One 512-byte sector at index 1 of the device is
# overwritten with random data; luksOpen must then fail, "repair" must
# succeed, and the same keyfile must open the volume again.
# NOTE(review): dd's exit status is not checked. A failed write would leave
# the header intact, the next luksOpen would succeed and trip "&& fail", so
# the failure is still caught, but it would be reported on the wrong line.
779 prepare "[29] Repair metadata" wipe
780 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 || fail
781 # second sector overwrite should corrupt keyslot 6+7
782 dd if=/dev/urandom of=$LOOPDEV bs=512 seek=1 count=1 >/dev/null 2>&1
783 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME >/dev/null 2>&1 && fail
784 $CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
785 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
786 $CRYPTSETUP luksClose $DEV_NAME || fail
# Test [30]: luksErase. Two slots (5 and 1) are populated and confirmed
# ENABLED; after luksErase both must be reported DISABLED by luksDump.
# NOTE(review): the assertion is on luksDump's slot state text only. It does
# not check that the key-material areas were overwritten, and it does not
# try to open the volume with the old keyfiles afterwards.
788 prepare "[30] LUKS erase" wipe
789 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY5 --key-slot 5 || fail
790 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
791 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
792 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
793 $CRYPTSETUP luksErase -q $LOOPDEV || fail
794 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
795 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: DISABLED" || fail
# Test [31]: deferred removal. $DEV_NAME2 is stacked on top of $DEV_NAME, so
# a plain close of $DEV_NAME must fail while it is in use. If
# "close --deferred" is accepted, dmsetup must show "DEFERRED REMOVE", the
# mapping must still exist until $DEV_NAME2 is closed, and must be gone
# afterwards.
# NOTE(review): this listing skips the lines numbered 808 and 811,
# presumably the else/fi of the "if" below, so which of the two trailing
# close commands belong to the fallback path cannot be told from here.
797 prepare "[31] Deferred removal of device" wipe
798 echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 $LOOPDEV $DEV_NAME || fail
799 echo $PWD2 | $CRYPTSETUP open --type plain --hash sha256 /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
800 $CRYPTSETUP close $DEV_NAME >/dev/null 2>&1 && fail
801 $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail
802 $CRYPTSETUP close --deferred $DEV_NAME >/dev/null 2>&1
803 if [ $? -eq 0 ] ; then
804 dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" || fail
805 $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail
806 $CRYPTSETUP close $DEV_NAME2 || fail
807 $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 && fail
809 $CRYPTSETUP close $DEV_NAME2 >/dev/null 2>&1
810 $CRYPTSETUP close $DEV_NAME >/dev/null 2>&1
# Start of the interactive tests, which drive cryptsetup through a terminal
# with expect (expect_run is a helper defined outside this view).
# Test [32]: luksOpen with -T 2 must print "No key available with this
# passphrase." after the first prompt, prompt again, then report
# "Key slot 0 unlocked." and "Command successful.".
# EXPECT_DEV is the text between parentheses in losetup's output for
# $LOOPDEV (presumably the backing file path); it is what the passphrase
# prompt is expected to name.
# NOTE(review): the here-document is unquoted, so the shell expands
# $CRYPTSETUP_RAW, $LOOPDEV, $DEV_NAME, $EXPECT_DEV and $EXPECT_TIMEOUT
# before expect reads the script, and "eval spawn" then re-parses the
# result as Tcl. A path containing spaces, brackets or "$" would be
# reinterpreted at that point, so these values should stay harness-controlled.
# NOTE(review): "which" is an external tool; "command -v expect" is the
# portable way to test for it.
# NOTE(review): this listing skips some numbered lines inside the
# here-document (presumably the sleep/send steps and the terminator).
814 # Do not remove sleep 0.1 below, the password query flushes TTY buffer (so the code is racy).
815 which expect >/dev/null 2>&1 || skip "WARNING: expect tool missing, interactive test will be skipped." 0
817 prepare "[32] Interactive password retry from terminal." new
818 EXPECT_DEV=$(losetup $LOOPDEV | sed -e "s/.*(\(.*\))/\1/")
820 [ -n "$VALG" ] && EXPECT_TIMEOUT=60
822 expect_run - >/dev/null <<EOF
823 proc abort {} { send_error "Timeout. "; exit 2 }
824 set timeout $EXPECT_TIMEOUT
825 eval spawn $CRYPTSETUP_RAW luksOpen -v -T 2 $LOOPDEV $DEV_NAME
826 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
829 expect timeout abort "No key available with this passphrase."
830 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
833 expect timeout abort "Key slot 0 unlocked."
834 expect timeout abort "Command successful."
835 expect timeout abort eof
838 [ $? -eq 0 ] || fail "Expect script failed."
840 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Test [33]: luksOpen with -T 2 where both attempts are rejected. The
# expect script requires the "No key available" message after each of the
# two prompts and then end-of-file from cryptsetup.
# NOTE(review): the $? check below presumably reflects the expect script
# (which exits 2 on a timeout), not cryptsetup's own exit status; that
# status is not asserted in the lines visible here.
842 prepare "[33] Interactive unsuccessful password retry from terminal." new
843 expect_run - >/dev/null <<EOF
844 proc abort {} { send_error "Timeout. "; exit 2 }
845 set timeout $EXPECT_TIMEOUT
846 eval spawn $CRYPTSETUP_RAW luksOpen -v -T 2 $LOOPDEV $DEV_NAME
847 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
850 expect timeout abort "No key available with this passphrase."
851 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
854 expect timeout abort "No key available with this passphrase."
855 expect timeout abort eof
858 [ $? -eq 0 ] || fail "Expect script failed."
# Test [34]: luksKillSlot on slot 0, which the test title calls the last
# key slot. Without -q the command must ask for confirmation
# ("Are you sure? (Type 'yes' in capital letters):") and for a remaining
# passphrase before it reports success. A second luksKillSlot on the same
# slot must report "Keyslot 0 is not active.".
860 prepare "[34] Interactive kill of last key slot." new
861 expect_run - >/dev/null <<EOF
862 proc abort {} { send_error "Timeout. "; exit 2 }
863 set timeout $EXPECT_TIMEOUT
864 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 0
865 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
867 expect timeout abort "Enter any remaining passphrase:"
870 expect timeout abort "Command successful."
871 expect timeout abort eof
872 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 0
873 expect timeout abort "Keyslot 0 is not active."
874 expect timeout abort eof
877 [ $? -eq 0 ] || fail "Expect script failed."
# Test [35]: interactive luksFormat. The prompts must appear in this order:
# destructive-action confirmation, passphrase, passphrase verification,
# then "Command successful.". The result is checked with a second run,
# luksOpen --test-passphrase, which must also report success.
879 prepare "[35] Interactive format of device." wipe
880 expect_run - >/dev/null <<EOF
881 proc abort {} { send_error "Timeout. "; exit 2 }
882 set timeout $EXPECT_TIMEOUT
883 eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
884 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
886 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
889 expect timeout abort "Verify passphrase:"
892 expect timeout abort "Command successful."
893 expect timeout abort eof
894 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase
895 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
898 expect timeout abort "Command successful."
899 expect timeout abort eof
902 [ $? -eq 0 ] || fail "Expect script failed."
# Test [36]: a luksFormat that is aborted by a passphrase mismatch must not
# leave a usable key behind. Sequence: "erase" (confirmed) succeeds;
# luksFormat ends with "Passphrases do not match."; a following
# luksOpen --test-passphrase must report "No usable keyslot is available.".
904 prepare "[36] Interactive unsuccessful format of device." new
905 expect_run - >/dev/null <<EOF
906 proc abort {} { send_error "Timeout. "; exit 2 }
907 set timeout $EXPECT_TIMEOUT
908 eval spawn $CRYPTSETUP_RAW erase -v $LOOPDEV
909 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
911 expect timeout abort "Command successful."
912 expect timeout abort eof
913 eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
914 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
916 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
919 expect timeout abort "Verify passphrase:"
922 expect timeout abort "Passphrases do not match."
923 expect timeout abort eof
924 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV -T 1 --test-passphrase
925 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
928 expect timeout abort "No usable keyslot is available."
929 expect timeout abort eof
932 [ $? -eq 0 ] || fail "Expect script failed."
# Test [37]: interactive luksAddKey into slot 2 (-S 2). The prompts must
# ask for an existing passphrase, the new passphrase and its verification.
# Afterwards: luksOpen --test-passphrase succeeds, luksKillSlot on slot 1
# reports "Keyslot 1 is not active.", and luksKillSlot on slot 2 asks for a
# remaining passphrase before printing "Key slot 2 removed.".
934 prepare "[37] Interactive add key." new
935 expect_run - >/dev/null <<EOF
936 proc abort {} { send_error "Timeout. "; exit 2 }
937 set timeout $EXPECT_TIMEOUT
938 eval spawn $CRYPTSETUP_RAW luksAddKey -S 2 $FAST_PBKDF_OPT -v $LOOPDEV
939 expect timeout abort "Enter any existing passphrase:"
942 expect timeout abort "Enter new passphrase for key slot:"
945 expect timeout abort "Verify passphrase:"
948 expect timeout abort "Command successful."
949 expect timeout abort eof
950 eval spawn $CRYPTSETUP_RAW luksOpen $FAST_PBKDF_OPT -v $LOOPDEV --test-passphrase
951 expect timeout abort "Enter passphrase"
954 expect timeout abort "Command successful."
955 expect timeout abort eof
956 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 1
957 expect timeout abort "Keyslot 1 is not active."
958 expect timeout abort eof
959 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 2
960 expect timeout abort "Enter any remaining passphrase:"
963 expect timeout abort "Key slot 2 removed."
964 expect timeout abort eof
967 [ $? -eq 0 ] || fail "Expect script failed."
# Test [38]: interactive luksChangeKey. The prompts must ask for the
# passphrase to be changed, the new passphrase and its verification; a
# following luksOpen --test-passphrase must then succeed.
# NOTE(review): the lines that send the passphrases are not part of this
# listing, so which passphrase the final check uses cannot be told from here.
969 prepare "[38] Interactive change key." new
970 expect_run - >/dev/null <<EOF
971 proc abort {} { send_error "Timeout. "; exit 2 }
972 set timeout $EXPECT_TIMEOUT
973 eval spawn $CRYPTSETUP_RAW luksChangeKey $FAST_PBKDF_OPT -v $LOOPDEV
974 expect timeout abort "Enter passphrase to be changed:"
977 expect timeout abort "Enter new passphrase:"
980 expect timeout abort "Verify passphrase:"
983 expect timeout abort "Command successful."
984 expect timeout abort eof
985 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase
986 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
989 expect timeout abort "Command successful."
990 expect timeout abort eof
993 [ $? -eq 0 ] || fail "Expect script failed."
# Test [39]: interactive luksSuspend / luksResume on an open mapping.
# luksResume -T 3 must prompt three times and print "No key available with
# this passphrase." after each attempt before exiting. A further luksResume
# must still prompt and then report success, which shows that the rejected
# attempts did not resume the device.
995 prepare "[39] Interactive suspend and resume." new
996 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
997 expect_run - >/dev/null <<EOF
998 proc abort {} { send_error "Timeout. "; exit 2 }
999 set timeout $EXPECT_TIMEOUT
1000 eval spawn $CRYPTSETUP_RAW luksSuspend -v $DEV_NAME
1001 expect timeout abort "Command successful."
1002 expect timeout abort eof
1003 eval spawn $CRYPTSETUP_RAW luksResume -v -T 3 $DEV_NAME
1004 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1007 expect timeout abort "No key available with this passphrase."
1008 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1011 expect timeout abort "No key available with this passphrase."
1012 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1015 expect timeout abort "No key available with this passphrase."
1016 expect timeout abort eof
1017 eval spawn $CRYPTSETUP_RAW luksResume -v $DEV_NAME
1018 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1021 expect timeout abort "Command successful."
1022 expect timeout abort eof
1025 [ $? -eq 0 ] || fail "Expect script failed."
1026 $CRYPTSETUP remove $DEV_NAME || fail
# Test [40]: maximum-length passphrase entered at the terminal.
# The volume is formatted interactively, then opened with
# --test-passphrase --key-file $KEYE. $KEYE holds $LONG_PWD written without
# a trailing newline (echo -n), so the second step passes only if the
# passphrase read from the TTY matches the keyfile content exactly.
# NOTE(review): the line that assigns LONG_PWD (numbered 1032) and the
# lines that send the passphrase are not part of this listing; that the TTY
# input is $LONG_PWD is inferred from the test title.
# NOTE(review): the passphrase is written in clear text to $KEYE in the
# working directory; $KEYE is in the file list that remove_mapping deletes
# at the top of this file.
1028 prepare "[40] Long passphrase from TTY." wipe
1029 EXPECT_DEV=$(losetup $LOOPDEV | sed -e "s/.*(\(.*\))/\1/")
1031 # Password of maximal length 512 characters
1033 "0123456789abcdef0123456789ABCDEF0123456789abcdef0123456789ABCDEF"\
1034 "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do "\
1035 "eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut e"\
1036 "nim ad minim veniam, quis nostrud exercitation ullamco laboris n"\
1037 "isi ut aliquip ex ea commodo consequat. Duis aute irure dolor in"\
1038 " reprehenderit in voluptate velit esse cillum dolore eu fugiat n"\
1039 "ulla pariatur. Excepteur sint occaecat cupidatat non proident, s"\
1040 "unt in culpa qui officia deserunt mollit anim id est laborum.DEF"
1042 echo -n "$LONG_PWD" >$KEYE
1044 expect_run - >/dev/null <<EOF
1045 proc abort {} { send_error "Timeout. "; exit 2 }
1046 set timeout $EXPECT_TIMEOUT
1047 eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
1048 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
1050 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1053 expect timeout abort "Verify passphrase:"
1056 expect timeout abort "Command successful."
1057 expect timeout abort eof
1058 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase --key-file $KEYE
1059 expect timeout abort "Command successful."
1060 expect timeout abort eof
1062 [ $? -eq 0 ] || fail "Expect script failed."