# Locate the cryptsetup binary under test. CRYPTSETUP_PATH may come from the
# environment; otherwise the parent directory is used.
4 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
5 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
6 CRYPTSETUP_RAW=$CRYPTSETUP
# Binary and library directory used when the suite runs under valgrind.
8 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
9 CRYPTSETUP_LIB_VALGRIND=../.libs
# Scratch file names, created relative to the current working directory.
15 ORIG_IMG=luks-test-orig
18 HEADER_IMG=luks-header
# Receives the raw volume key written by the luksDump tests, so it must be
# treated as key material until it is deleted.
28 VK_FILE="compattest_vkfile"
# Test-only KDF setting: PBKDF2 forced to 1000 iterations so formatting is fast.
# This gives almost no brute-force resistance and must not be reused for real volumes.
30 FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
# Region lists given to check(); the visible part of that helper forwards them
# to $DIFFER together with the original and the modified image. The numbers
# look like byte offsets into the image; the meaning of the S/R/A prefixes is
# defined by the differ tool and is not visible here -- confirm against it.
32 LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591"
# NOTE(review): "A248-251 A251-255" overlaps at offset 251, while KEY_SLOT1 and
# KEY_SLOT5 use adjacent ranges (296-299/300-303, 488-491/492-495); the second
# range was probably meant to be A252-255 -- confirm.
33 KEY_SLOT0="S208-211 S212-215 R216-247 A248-251 A251-255"
34 KEY_MATERIAL0="R4096-68096"
35 KEY_MATERIAL0_EXT="R4096-68096"
37 KEY_SLOT1="S256-259 S260-263 R264-295 A296-299 A300-303"
38 KEY_MATERIAL1="R69632-133632"
39 KEY_MATERIAL1_EXT="S69632-133632"
41 KEY_SLOT5="S448-451 S452-455 R456-487 A488-491 A492-495"
42 KEY_MATERIAL5="R331776-395264"
43 KEY_MATERIAL5_EXT="S331776-395264"
# Fixed UUID used by the --uuid tests.
45 TEST_UUID="12345678-1234-1234-1234-123456789abc"
# First unused loop device; empty when losetup fails (its errors are discarded).
47 LOOPDEV=$(losetup -f 2>/dev/null)
# Kernel FIPS flag; empty when the proc file cannot be read.
48 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
# Cleanup helper: tears down everything the suite may have created.
# All output and errors are discarded because any of these objects may not exist.
50 function remove_mapping()
# Device-mapper nodes are removed only when their /dev/mapper entry exists;
# DEV_NAME3 and DEV_NAME2 go before DEV_NAME.
52 [ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove --retry $DEV_NAME3 >/dev/null 2>&1
53 [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 >/dev/null 2>&1
54 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1
# Detach the loop device, then delete the scratch images, the key files and
# the dumped volume key file ($VK_FILE).
55 losetup -d $LOOPDEV >/dev/null 2>&1
56 rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $VK_FILE missing-file >/dev/null 2>&1
# Unload the scsi_debug module and wait for its device to disappear.
57 rmmod scsi_debug >/dev/null 2>&1
58 scsi_debug_teardown $DEV
# Ask the kernel to re-emit a "change" uevent for the loop device.
61 function force_uevent()
# Third "/"-separated field of $LOOPDEV is the bare device name (for a path
# of the form /dev/NAME).
63 DNAME=$(echo $LOOPDEV | cut -f3 -d /)
64 echo "change" >/sys/block/$DNAME/uevent
69 [ -n "$1" ] && echo "$1"
71 echo "FAILED backtrace:"
72 while caller $frame; do ((frame++)); done
78 [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
81 function can_fail_fips()
83 # Ignore this fail if running in FIPS mode
89 [ -n "$1" ] && echo "$1"
91 [ -n "$2" ] && exit $2
97 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1
102 dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
107 dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
109 losetup $LOOPDEV $IMG
113 xz -cd compatimage.img.xz > $IMG
114 # FIXME: switch to internal loop (no losetup at all)
115 echo "bad" | $CRYPTSETUP luksOpen --key-slot 0 --test-passphrase $IMG 2>&1 | \
116 grep "autoclear flag" && skip "WARNING: Too old kernel, test skipped."
117 losetup $LOOPDEV $IMG
118 xz -cd compatv10image.img.xz > $IMG10
121 if [ ! -e $IMG ]; then
122 xz -cd compatimage.img.xz > $IMG
123 losetup $LOOPDEV $IMG
125 [ ! -e $IMG10 ] && xz -cd compatv10image.img.xz > $IMG10
129 if [ ! -e $KEY1 ]; then
130 #dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
131 echo -n $'\x48\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$KEY1
132 echo -n $'\x9c\x03\x5e\x1b\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$KEY1
135 if [ ! -e $KEY2 ]; then
136 dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
139 if [ ! -e $KEY5 ]; then
140 dd if=/dev/urandom of=$KEY5 count=1 bs=16 >/dev/null 2>&1
143 if [ ! -e $KEYE ]; then
148 [ -n "$1" ] && echo "CASE: $1"
154 [ -z "$1" ] && return
155 $DIFFER $ORIG_IMG $IMG $1 || fail
158 function check_exists()
160 [ -b /dev/mapper/$DEV_NAME ] || fail
164 # $1 path to scsi debug bdev
165 scsi_debug_teardown() {
168 while [ -b "$1" -a $_tries -gt 0 ]; do
169 rmmod scsi_debug >/dev/null 2>&1
176 test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
# Load a fresh scsi_debug instance and publish its block device in $DEV.
# Arguments: module parameters, passed on to modprobe.
179 function add_scsi_device() {
180 scsi_debug_teardown $DEV
# The module directory still existing after teardown means the module cannot
# be unloaded and reloaded with new parameters.
181 if [ -d /sys/module/scsi_debug ] ; then
182 echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
# NOTE(review): $@ is unquoted, so arguments are re-split on whitespace; the
# visible caller passes plain name=value words only.
185 modprobe scsi_debug $@ delay=0 >/dev/null 2>&1
186 if [ $? -ne 0 ] ; then
187 echo "This kernel seems to not support proper scsi_debug module, test skipped."
# Find the block device whose sysfs model file mentions scsi_debug; field 4 of
# the matching path is the device name.
# NOTE(review): more than one match would put several names into DEV, and the
# unquoted -b test below would then error out and fail the run.
192 DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
193 [ -b $DEV ] || fail "Cannot find $DEV."
# Switch the suite to run cryptsetup under valgrind when VALG is set.
196 function valgrind_setup()
198 [ -n "$VALG" ] || return
199 command -v valgrind >/dev/null || fail "Cannot find valgrind."
200 [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
# NOTE(review): when LD_LIBRARY_PATH is empty the new value ends with ":" and
# the dynamic linker reads an empty entry as the current directory. Parts of
# this suite require root, so "${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" would be
# the tighter form.
201 export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
# From here on $CRYPTSETUP expands to the valgrind_run shell function.
202 CRYPTSETUP=valgrind_run
203 CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}"
206 function valgrind_run()
208 export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
212 function expect_run()
214 export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
# Nothing can be tested without an executable cryptsetup binary.
220 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
223 # LUKS non-root-tests
# Without root the run is skipped unless "cryptsetup benchmark" succeeds for
# aes-xts-plain64.
224 if [ $(id -u) != 0 ]; then
225 $CRYPTSETUP benchmark -c aes-xts-plain64 >/dev/null 2>&1 || \
226 skip "WARNING: Cannot run test without kernel userspace crypto API, test skipped."
229 prepare "Image in file tests (root capabilities not required)" file
# Format a LUKS1 container in a plain file with passphrase PWD1.
231 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
# A wrong passphrase must be rejected, and specifically with exit status 2.
# $? on the second line is still the status of the cryptsetup pipeline because
# "fail" only runs when that pipeline succeeded.
233 echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
234 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
235 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
236 # test detached header --test-passphrase
237 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --header $HEADER_IMG $IMG || fail
238 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
# luksAddKey: a single line on stdin must fail (presumably because no new
# passphrase follows), the existing passphrase followed by the new one
# succeeds, and a wrong existing passphrase (PWD0) is refused.
241 echo $PWD1 | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
242 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
243 echo -e "$PWD0\n$PWD1" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
244 echo "[4] change key"
# Replace PWD1 by PWD0; a second attempt that still presents PWD1 as the old
# passphrase must fail with exit status 2.
245 echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail
246 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG 2>/dev/null && fail
247 [ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
248 echo "[5] remove key"
249 # delete active keys PWD0, PWD2
# PWD1 no longer unlocks any slot, so removing it must fail with status 2.
250 echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG 2>/dev/null && fail
251 [ $? -ne 2 ] && fail "luksRemove should return EPERM exit code"
252 echo $PWD0 | $CRYPTSETUP luksRemoveKey $IMG || fail
253 echo $PWD2 | $CRYPTSETUP luksRemoveKey $IMG || fail
254 # check if keys were deleted
# Both keys added above are gone; the open attempts must now exit with
# status 1 (labelled ENOENT here) rather than 2.
255 echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
256 [ $? -ne 1 ] && fail "luksOpen should return ENOENT exit code"
257 echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
258 [ $? -ne 1 ] && fail "luksOpen should return ENOENT exit code"
260 # format new luks device with active keys PWD1, PWD2
261 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
262 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
263 # deactivate keys by killing slots
264 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail
265 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 1: ENABLED" || fail
266 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 2: DISABLED" || fail
# Killing slot 0 is refused when the passphrase offered is PWD1 (the one the
# volume was formatted with) and accepted with PWD2, the key added afterwards.
267 echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 0 2>/dev/null && fail
268 echo $PWD2 | $CRYPTSETUP -q luksKillSlot $IMG 0 || fail
269 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: DISABLED" || fail
# Slot 1 is now the only enabled slot. PWD1 no longer matches anything and
# must be rejected with status 2; PWD2 with -q may remove this last slot.
270 echo $PWD1 | $CRYPTSETUP -q luksKillSlot $IMG 1 2>/dev/null && fail
271 [ $? -ne 2 ] && fail "luksKill should return EPERM exit code"
272 echo $PWD2 | $CRYPTSETUP -q luksKillSlot $IMG 1 || fail
273 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 1: DISABLED" || fail
274 # check if keys were deactivated
275 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
276 echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
277 echo "[7] header backup"
278 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
# The backup file carries the header together with its keyslots. The restore
# step below shows that it brings back a key that was removed from the live
# header, so a header backup needs the same protection as the passphrase and
# removing a key does not revoke it from older backups.
279 $CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
280 echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG || fail
281 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
282 echo "[8] header restore"
# After restoring the backup, PWD1 unlocks the volume again.
283 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
284 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
# luksDump tests on the file image: formatted with key file KEY1, then PWD1
# is added as a second key.
286 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG $KEY1 || fail
287 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -d $KEY1 || fail
288 $CRYPTSETUP luksDump $IMG | grep -q "Key Slot 0: ENABLED" || fail
289 $CRYPTSETUP luksDump $IMG | grep -q $TEST_UUID || fail
# Dumping the volume key needs a valid credential: the wrong passphrase PWDW
# is refused for --dump-volume-key and for its --dump-master-key alias.
290 echo $PWDW | $CRYPTSETUP luksDump $IMG --dump-volume-key 2>/dev/null && fail
291 echo $PWDW | $CRYPTSETUP luksDump $IMG --dump-master-key 2>/dev/null && fail
# With a valid passphrase or key file the "MK dump:" line is printed, i.e. the
# raw volume key goes to stdout (and into any log capturing it).
292 echo $PWD1 | $CRYPTSETUP luksDump $IMG --dump-volume-key | grep -q "MK dump:" || fail
293 echo $PWD1 | $CRYPTSETUP luksDump $IMG --dump-master-key | grep -q "MK dump:" || fail
294 $CRYPTSETUP luksDump -q $IMG --dump-volume-key -d $KEY1 | grep -q "MK dump:" || fail
# Write the volume key to $VK_FILE. Lines 295 and 297 both do this; whatever
# sits between them in the full script is not shown here.
295 echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-master-key --master-key-file $VK_FILE >/dev/null || fail
297 echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail
# The repeated dump to the same path must fail, presumably because the file
# already exists -- confirm.
298 echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE 2>/dev/null && fail
# The dumped volume key authorises adding a keyslot; PWD1 on stdin is
# presumably the new passphrase. Possession of $VK_FILE is therefore
# equivalent to knowing a valid passphrase.
299 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $IMG || fail
302 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $IMG || fail
303 $CRYPTSETUP -q luksUUID $IMG | grep -q $TEST_UUID || fail
# Everything below needs root, a free loop device and the differ helper.
305 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
306 [ -z "$LOOPDEV" ] && skip "WARNING: Cannot find free loop device, test skipped."
307 [ ! -x "$DIFFER" ] && skip "Cannot find $DIFFER, test skipped."
310 prepare "[1] open - compat image - acceptance check" new
311 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Known-answer check: the decrypted content of the reference image must hash
# to this fixed SHA-256 value.
313 ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
314 [ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
315 $CRYPTSETUP -q luksClose $DEV_NAME || fail
317 # Check it can be opened from header backup as well
318 $CRYPTSETUP luksHeaderBackup $IMG --header-backup-file $HEADER_IMG || fail
319 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
321 $CRYPTSETUP -q luksClose $DEV_NAME || fail
323 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
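325 # Repeat for V1.0 header - not aligned first keyslot
# Run fips_mode as a command. The earlier form, [ ! fips_mode ], only tested
# whether the literal word "fips_mode" is an empty string, which is never
# true, so this block was silently skipped on every system.
326 if ! fips_mode ; then
327 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
# Known-answer check of the decrypted V1.0 image against a fixed SHA-1 digest.
329 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
330 [ "$ORG_SHA1" = 51b48c2471a7593ceaf14dc5e66bca86ed05f6cc ] || fail
331 $CRYPTSETUP -q luksClose $DEV_NAME || fail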
# NOTE(review): unlike the other luksHeaderBackup calls in this script, this
# one has no "|| fail"; a failed backup would only surface through the open
# on the next line.
334 $CRYPTSETUP luksHeaderBackup $IMG10 --header-backup-file $HEADER_IMG
335 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
337 $CRYPTSETUP -q luksClose $DEV_NAME || fail
340 prepare "[2] open - compat image - denial check" new
# The wrong passphrase PWDW must not open either reference image.
341 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
342 echo $PWDW | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME 2>/dev/null && fail
345 # All headers items and first key material section must change
346 prepare "[3] format" wipe
347 echo $PWD1 | $CRYPTSETUP -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV || fail
# check() compares the image before and after the operation over the listed
# regions, so each test also asserts which on-disk areas were touched.
348 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
350 prepare "[4] format using hash sha512" wipe
351 echo $PWD1 | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV || fail
352 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
# Correct passphrase passes, wrong one (PWDW) is refused, then a real mapping
# is created.
355 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase || fail
356 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --test-passphrase 2>/dev/null && fail
357 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
360 # Key Slot 1 and key material section 1 must change, the rest must not.
361 prepare "[6] add key"
362 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $LOOPDEV || fail
363 check "$KEY_SLOT1 $KEY_MATERIAL1"
364 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
366 # Unsuccessful Key Delete - nothing may change
367 prepare "[7] unsuccessful delete"
# Three refusals: a wrong passphrase, slot number 8 and slot number 7
# (presumably out of range and not active respectively -- confirm).
368 echo $PWDW | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
369 $CRYPTSETUP -q luksKillSlot $LOOPDEV 8 2>/dev/null && fail
370 $CRYPTSETUP -q luksKillSlot $LOOPDEV 7 2>/dev/null && fail
374 # Key Slot 1 and key material section 1 must change, the rest must not
375 prepare "[8] successful delete"
# With -q and nothing on stdin the slot is destroyed without any passphrase:
# write access to the device is all that luksKillSlot needs in batch mode.
376 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
377 check "$KEY_SLOT1 $KEY_MATERIAL1_EXT"
378 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
379 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
381 # Key Slot 1 and key material section 1 must change, the rest must not
382 prepare "[9] add key test for key files"
383 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 || fail
384 check "$KEY_SLOT1 $KEY_MATERIAL1"
385 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
387 # Key Slot 1 and key material section 1 must change, the rest must not
388 prepare "[10] delete key test with key1 as remaining key"
389 $CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
390 check "$KEY_SLOT0 $KEY_MATERIAL0_EXT"
391 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
392 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
395 prepare "[11] delete last key" wipe
396 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $LOOPDEV $FAST_PBKDF_OPT || fail
# Killing the only keyslot succeeds when its passphrase is supplied; after
# that no passphrase can open the volume any more.
397 echo $PWD1 | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
398 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
400 # Format test for ESSIV, and some other parameters.
401 prepare "[12] parameter variation test" wipe
402 $CRYPTSETUP -q -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks1 $LOOPDEV $KEY1 || fail
403 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
404 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
406 prepare "[13] open/close - stacked devices" wipe
407 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $FAST_PBKDF_OPT || fail
408 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
409 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 /dev/mapper/$DEV_NAME || fail
410 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
411 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
412 $CRYPTSETUP -q luksClose $DEV_NAME || fail
414 prepare "[14] format/open - passphrase on stdin & new line" wipe
415 # stdin defined by "-" must take even newline
416 #echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
# With --key-file=- the whole of stdin, including the embedded newline and
# PWD2, is used as the key.
417 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q --key-file=- luksFormat --type luks1 $LOOPDEV || fail
418 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
419 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# Without --key-file=- the same input must not open the volume: read as a
# passphrase, stdin ends at the first newline, so only PWD1 is tried.
420 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
421 # now also try --key-file
422 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks1 $LOOPDEV --key-file=- || fail
423 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
424 $CRYPTSETUP -q luksClose $DEV_NAME || fail
425 # process newline if from stdin
# Formatting from plain stdin stops at the newline, so PWD1 alone opens the
# volume afterwards; the text after the newline never became part of the key.
426 echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP $FAST_PBKDF_OPT -q luksFormat --type luks1 $LOOPDEV || fail
427 echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
428 $CRYPTSETUP -q luksClose $DEV_NAME || fail
430 prepare "[15] UUID - use and report provided UUID" wipe
431 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid blah $LOOPDEV 2>/dev/null && fail
432 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $LOOPDEV || fail
433 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
434 [ "$tst"x = "$TEST_UUID"x ] || fail
435 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
436 $CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
437 tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
438 [ "$tst"x = "$TEST_UUID"x ] || fail
440 prepare "[16] luksFormat" wipe
# --volume-key-file /dev/urandom supplies the volume key from the kernel RNG
# instead of letting cryptsetup generate it; tried with a passphrase, with
# -d KEY1 and with KEY1 as positional key file.
441 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --volume-key-file /dev/urandom $LOOPDEV || fail
442 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --volume-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
443 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
444 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
445 $CRYPTSETUP -q luksClose $DEV_NAME || fail
447 if [ -d /dev/disk/by-uuid ] ; then
448 force_uevent # some systems do not update loop by-uuid
# A UUID= device spec must match exactly; the X-prefixed value must not resolve.
449 $CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
450 $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
451 $CRYPTSETUP -q luksClose $DEV_NAME || fail
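453 # skip tests using empty passphrase
# Run fips_mode as a command. The earlier form, [ ! fips_mode ], only tested
# whether the literal word "fips_mode" is an empty string, which is never
# true, so the empty-passphrase tests were skipped on every system, not just
# in FIPS mode.
454 if ! fips_mode; then
# KEYE is the empty key file: format with it, then open and close again.
456 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
457 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
458 $CRYPTSETUP -q luksClose $DEV_NAME || fail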
# Format with an explicit 256-bit volume key taken from KEY1.
461 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
# Opening by volume key bypasses the keyslots entirely: a random key must be
# rejected, the real one activates the device without any passphrase. The
# volume key file is therefore as sensitive as the data itself.
462 $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
463 $CRYPTSETUP luksOpen --volume-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
464 $CRYPTSETUP -q luksClose $DEV_NAME || fail
465 # unsupported pe-keyslot encryption
# Both per-keyslot options must be refused for --type luks1.
466 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 128 --keyslot-cipher "aes-cbc-plain" $LOOPDEV 2>/dev/null && fail
467 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 128 --keyslot-key-size 256 $LOOPDEV 2>/dev/null && fail
469 prepare "[17] AddKey volume key, passphrase and keyfile" wipe
471 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 3 || fail
472 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase || fail
473 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
474 echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 4 || fail
475 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 4 || fail
476 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
477 echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/null --key-slot 5 2>/dev/null && fail
478 $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --volume-key-file /dev/zero --key-slot 5 $KEY1 || fail
479 $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 5 -d $KEY1 || fail
480 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
482 # special "-" handling
483 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail
484 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 - || fail
485 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
486 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
487 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d - $KEY2 || fail
488 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
489 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
490 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
492 # [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
493 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 3 || fail
494 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
495 $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
497 $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 4 || fail
498 $CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase --key-slot 4 || fail
499 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
501 echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 --key-slot 0 || fail
502 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
503 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 || fail
504 # passphrase/passphrase
505 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --key-slot 1 || fail
506 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
507 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
509 echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
510 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
512 prepare "[18] RemoveKey passphrase and keyfile" reuse
# Removing by key file disables the matching slot; a second removal with the
# same file must fail because nothing matches any more.
513 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
514 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
515 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
516 $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 3 2>/dev/null || fail
517 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
# --keyfile-size 1 presents only the first byte of KEY2, which must not match.
518 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
519 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
520 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: DISABLED" || fail
521 # if password or keyfile is provided, batch mode must not suppress it
# A wrong credential has to be rejected in all four combinations of -q and
# --key-file=-, and slot 2 has to stay enabled afterwards.
522 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
523 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
524 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
525 echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
526 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
527 # kill slot using passphrase from 1
528 echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
529 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: DISABLED" || fail
530 # kill slot with redirected stdin
# This asserts that the slot is removed although stdin (/dev/null) supplies no
# passphrase and -q is not given.
531 $CRYPTSETUP luksKillSlot $LOOPDEV 3 </dev/null 2>/dev/null || fail
532 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
533 # remove key0 / slot 0
534 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
535 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
536 # last keyslot, in batch mode no passphrase needed...
# After this call no keyslot is left, so the volume can only be opened again
# with the volume key or a header backup.
537 $CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
538 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
540 prepare "[19] create & status & resize" wipe
541 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
542 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
543 $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
544 $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
545 $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
546 $CRYPTSETUP -q resize $DEV_NAME --size 100 || fail
547 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
548 $CRYPTSETUP -q resize $DEV_NAME || fail
549 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
550 $CRYPTSETUP -q resize $DEV_NAME --device-size 1M || fail
551 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
552 $CRYPTSETUP -q resize $DEV_NAME --device-size 512k --size 1023 >/dev/null 2>&1 && fail
553 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
554 $CRYPTSETUP -q resize $DEV_NAME --device-size 513 >/dev/null 2>&1 && fail
555 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
556 # Resize underlying loop device as well
557 truncate -s 16M $IMG || fail
558 $CRYPTSETUP -q resize $DEV_NAME || fail
559 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
560 $CRYPTSETUP -q remove $DEV_NAME || fail
561 $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
562 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
563 $CRYPTSETUP -q remove $DEV_NAME || fail
564 echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
565 $CRYPTSETUP -q remove $DEV_NAME || fail
566 echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
567 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
568 $CRYPTSETUP -q remove $DEV_NAME || fail
569 # 4k sector resize (if kernel supports it)
570 echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
571 if [ $? -eq 0 ] ; then
572 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
573 $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail
574 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
575 $CRYPTSETUP -q resize $DEV_NAME --size 9 2>/dev/null && fail
576 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
577 $CRYPTSETUP -q resize $DEV_NAME --device-size 4608 2>/dev/null && fail
578 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
579 $CRYPTSETUP -q remove $DEV_NAME || fail
581 # Resize not aligned to logical block size
582 add_scsi_device dev_size_mb=32 sector_size=4096
583 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
584 OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
585 $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
586 dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
587 NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
588 test $OLD_SIZE -eq $NEW_SIZE || fail
589 $CRYPTSETUP close $DEV_NAME || fail
590 # Add check for unaligned plain crypt activation
591 echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
592 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
593 # verify is ignored on non-tty input
594 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
595 $CRYPTSETUP -q remove $DEV_NAME || fail
596 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
597 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
598 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail
599 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
600 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
601 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
602 $CRYPTSETUP -q remove $DEV_NAME || fail
603 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail
604 $CRYPTSETUP -q remove $DEV_NAME || fail
606 prepare "[20] Disallow open/create if already mapped." wipe
607 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
608 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
609 $CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail
610 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV 2>/dev/null && fail
611 $CRYPTSETUP remove $DEV_NAME || fail
612 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV || fail
613 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
614 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
615 $CRYPTSETUP luksClose $DEV_NAME || fail
617 prepare "[21] luksDump" wipe
# Same luksDump checks as on the file image, this time on the loop device.
618 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
619 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
620 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
621 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
# The volume key is only dumped for a valid passphrase or key file; the wrong
# passphrase PWDW must be refused.
622 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key 2>/dev/null && fail
623 echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-volume-key | grep -q "MK dump:" || fail
624 $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key -d $KEY1 | grep -q "MK dump:" || fail
# $VK_FILE now holds the raw volume key on disk; the next line shows it is
# enough to add a new keyslot.
625 echo $PWD1 | $CRYPTSETUP luksDump -q $LOOPDEV --dump-volume-key --volume-key-file $VK_FILE > /dev/null || fail
626 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --volume-key-file $VK_FILE $LOOPDEV || fail
628 prepare "[22] remove disappeared device" wipe
629 dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
630 echo $PWD1 | $CRYPTSETUP -q $FAST_PBKDF_OPT luksFormat --type luks1 /dev/mapper/$DEV_NAME || fail
631 echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
632 # underlying device now returns error but node is still present
633 dmsetup load $DEV_NAME --table "0 5000 error" || fail
634 dmsetup resume $DEV_NAME || fail
635 $CRYPTSETUP -q luksClose $DEV_NAME2 || fail
636 dmsetup remove --retry $DEV_NAME || fail
638 prepare "[23] ChangeKey passphrase and keyfile" wipe
640 $CRYPTSETUP -q luksFormat --type luks1 $LOOPDEV $KEY1 $FAST_PBKDF_OPT --key-slot 0 || fail
641 echo $PWD1 | $CRYPTSETUP luksAddKey -q $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 --key-slot 1 || fail
642 # keyfile [0] / keyfile [0]
643 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 --key-slot 0 || fail
644 # passphrase [1] / passphrase [1]
645 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT --key-slot 1 || fail
646 # keyfile [0] / keyfile [new]
647 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 || fail
648 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
649 # passphrase [1] / passphrase [new]
650 echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $LOOPDEV || fail
651 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
653 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
654 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
655 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
656 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
657 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
658 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT || fail
659 # still allows replace
660 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 || fail
661 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 $KEY2 2>/dev/null && fail
# [24] Keyfile limit: -l (keyfile size) and --keyfile-offset select which bytes
# of a keyfile form the key, so the same size and offset must be supplied every
# time that key is used. Lines ending in "&& fail" are negative cases: the
# command is expected to be rejected.
663 prepare "[24] Keyfile limit" wipe
# Slot 0 is keyed with 13 bytes of $KEY1.
664 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
# No size, a zero or negative size, a larger size, or a shifted or negative
# offset must not unlock the volume.
665 $CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
666 $CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
667 $CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
668 $CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
669 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
670 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# Only the size given at format time works.
671 $CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
672 $CRYPTSETUP luksClose $DEV_NAME || fail
# luksAddKey: the existing keyfile needs -l 13 to authorise the change; the new
# key from $KEY2 is limited separately with --new-keyfile-size.
673 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT 2>/dev/null && fail
674 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 14 2>/dev/null && fail
675 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l -1 2>/dev/null && fail
676 $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 --new-keyfile-size 12 || fail
# $KEY2 was enrolled with 12 bytes, so removing it also needs -l 12.
677 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
678 $CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
# luksChangeKey: the same rule applies to the keyfile being replaced.
679 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT 2>/dev/null && fail
680 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 14 2>/dev/null && fail
681 $CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 $FAST_PBKDF_OPT -l 13 || fail
682 # -l is ignored for stdin if _only_ passphrase is used
683 echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 $FAST_PBKDF_OPT || fail
684 # this is stupid, but expected
685 echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 11 2>/dev/null && fail
686 echo $PWDW"0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 12 2>/dev/null && fail
# With -d- stdin is given explicitly as the key file and -l 12 is supplied;
# presumably $PWD1 is 12 characters long - confirm against its definition.
687 echo -e "$PWD1\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 12 || fail
# Same checks for --keyfile-offset: the key starts 16 bytes into $KEY1, so an
# offset of 15 must fail and 16 must succeed.
689 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 -l 13 --keyfile-offset 16 || fail
690 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 15 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
691 $CRYPTSETUP --key-file=$KEY1 -l 13 --keyfile-offset 16 luksOpen $LOOPDEV $DEV_NAME || fail
692 $CRYPTSETUP luksClose $DEV_NAME || fail
# --new-keyfile-offset applies to the key being added, independently of the
# offset used for the authorising keyfile.
693 $CRYPTSETUP luksAddKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY1 -l 13 --keyfile-offset 16 $KEY2 --new-keyfile-offset 1 || fail
694 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 11 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
695 $CRYPTSETUP --key-file=$KEY2 --keyfile-offset 1 luksOpen $LOOPDEV $DEV_NAME || fail
696 $CRYPTSETUP luksClose $DEV_NAME || fail
# Re-key $KEY2 from offset 1 to offset 0, then open it with no offset option.
697 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 --keyfile-offset 1 $KEY2 --new-keyfile-offset 0 || fail
698 $CRYPTSETUP luksOpen -d $KEY2 $LOOPDEV $DEV_NAME || fail
699 $CRYPTSETUP luksClose $DEV_NAME || fail
700 # large device with keyfile
# The device-mapper table puts an "error" target over sectors 0-9999999 and a
# "zero" target after it. 10000000 sectors * 512 bytes = 5120000000, so that
# offset is the first readable byte; it is also above 4 GiB, so offsets that do
# not fit in 32 bits are exercised. One byte earlier lands in the error target
# and must fail.
701 echo -e '0 10000000 error'\\n'10000000 1000000 zero' | dmsetup create $DEV_NAME2 || fail
702 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV /dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5120000000 || fail
703 $CRYPTSETUP --key-file=/dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5119999999 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
704 $CRYPTSETUP --key-file=/dev/mapper/$DEV_NAME2 -l 13 --keyfile-offset 5120000000 luksOpen $LOOPDEV $DEV_NAME || fail
705 $CRYPTSETUP luksClose $DEV_NAME || fail
706 $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d /dev/mapper/$DEV_NAME2 \
707 --keyfile-offset 5120000000 -l 13 /dev/mapper/$DEV_NAME2 --new-keyfile-offset 5120000001 --new-keyfile-size 15 || fail
# The status of this removal is not checked.
708 dmsetup remove --retry $DEV_NAME2
# [25] Shared segments: a second mapping over the same backing device must be
# refused unless --shared is given explicitly.
710 prepare "[25] Create shared segments" wipe
# Plain-mode mapping covering 256 sectors from offset 0.
711 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail
# The second segment (offset 512, size 256) does not overlap the first, but it
# is on the same loop device: rejected without --shared, accepted with it.
712 echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
713 echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
714 $CRYPTSETUP -q remove $DEV_NAME2 || fail
715 $CRYPTSETUP -q remove $DEV_NAME || fail
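# [26] Suspend/Resume: luksSuspend and luksResume must be refused for non-LUKS
# mappings, and resuming a suspended LUKS mapping must require a valid
# passphrase. Lines ending in "&& fail" are negative cases.
prepare "[26] Suspend/Resume" wipe
# only LUKS is supported
echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q remove $DEV_NAME || fail
# The mapping has been removed, so suspending it must fail as well.
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail

echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
# Resizing a suspended mapping must be refused.
$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
# A wrong passphrase ($PWDW, presumably the deliberately wrong one) must not
# resume the device. The check on the next line reads $? from this list, which
# is luksResume's own exit status when it failed, so the two lines must stay
# adjacent. Exit status 2 is cryptsetup's "no permission / bad passphrase" code.
echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# skip tests using empty passphrase
# The condition used to be `[ ! fips_mode ]`, which tests the non-empty literal
# string "fips_mode" and is therefore always false, so this part never ran in
# any mode. `! fips_mode` runs the helper and branches on its exit status.
# NOTE(review): assumes fips_mode is the helper defined earlier in this file
# that returns 0 when FIPS mode is enabled - confirm before merging, since this
# enables a test that was previously dead.
if ! fips_mode; then
	# -c null selects the null cipher; this is only acceptable in a test.
	echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
	echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
	$CRYPTSETUP luksSuspend $DEV_NAME || fail
	$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
	echo | $CRYPTSETUP luksResume $DEV_NAME || fail
	$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi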
# [27] Key slot selection: with -S, luksOpen and luksResume may only try the
# named slot, so a valid passphrase or keyfile must be rejected when it belongs
# to a different slot. After each rejected open the test also checks that no
# /dev/mapper node was left behind.
# NOTE(review): "check" is a helper defined elsewhere in the file; presumably it
# compares header regions against the layout strings - confirm.
744 prepare "[27] luksOpen/luksResume with specified key slot number" wipe
745 # first, let's try passphrase option
746 echo $PWD3 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -S 5 $LOOPDEV || fail
747 check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
# $PWD3 lives in slot 5 only: slot 4 must refuse it.
748 echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
749 [ -b /dev/mapper/$DEV_NAME ] && fail
750 echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
# Resume with the wrong slot must fail and leave the device suspended.
752 $CRYPTSETUP luksSuspend $DEV_NAME || fail
753 echo $PWD3 | $CRYPTSETUP luksResume -S 4 $DEV_NAME 2>/dev/null && fail
754 $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
755 echo $PWD3 | $CRYPTSETUP luksResume -S 5 $DEV_NAME || fail
756 $CRYPTSETUP luksClose $DEV_NAME || fail
# Add $PWD1 to slot 0 (authorised by $PWD3), then cross-check: each passphrase
# is rejected when paired with the other one's slot.
757 echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 0 $LOOPDEV || fail
758 check $LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0
759 echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME 2>/dev/null && fail
760 [ -b /dev/mapper/$DEV_NAME ] && fail
761 echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
762 [ -b /dev/mapper/$DEV_NAME ] && fail
763 # second, try it with keyfiles
# $KEY5 goes to slot 5 and $KEY1 to slot 1.
764 $CRYPTSETUP luksFormat --type luks1 -q -S 5 -d $KEY5 $LOOPDEV || fail
765 check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
766 $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
767 check $LUKS_HEADER $KEY_SLOT1 $KEY_MATERIAL1
768 $CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
770 $CRYPTSETUP luksSuspend $DEV_NAME || fail
771 $CRYPTSETUP luksResume -S 1 -d $KEY5 $DEV_NAME 2>/dev/null && fail
772 $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
773 $CRYPTSETUP luksResume -S 5 -d $KEY5 $DEV_NAME || fail
774 $CRYPTSETUP luksClose $DEV_NAME || fail
# Keyfile/slot mismatches in both directions must fail without creating a node.
775 $CRYPTSETUP luksOpen -S 1 -d $KEY5 $LOOPDEV $DEV_NAME 2>/dev/null && fail
776 [ -b /dev/mapper/$DEV_NAME ] && fail
777 $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
778 [ -b /dev/mapper/$DEV_NAME ] && fail
# [28] Detached LUKS header: the metadata is kept in $HEADER_IMG instead of on
# the data device. The data device then carries no LUKS metadata of its own, so
# every operation that needs the header has to be given --header.
780 prepare "[28] Detached LUKS header" wipe
781 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG || fail
# Payload placement: --align-payload 1 is rejected, 8192 and 0 are accepted,
# and combining --align-payload with --offset is rejected.
782 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
783 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
784 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 0 || fail
785 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 8192 --offset 8192 >/dev/null 2>&1 && fail
# Formatting must still succeed after the header file is cut to 4096 bytes.
786 truncate -s 4096 $HEADER_IMG
787 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG -S7 >/dev/null 2>&1 || fail
788 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 80000 >/dev/null 2>&1 || fail
789 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 8192 || fail
790 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 0 || fail
# A valid header does not make a missing data device openable.
791 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
792 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
793 $CRYPTSETUP -q resize $DEV_NAME --size 100 --header $HEADER_IMG || fail
794 $CRYPTSETUP -q status $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
# Without --header, status reports the type as "n/a" but still shows the size.
795 $CRYPTSETUP -q status $DEV_NAME | grep "type:" | grep -q "n/a" || fail
796 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
797 $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
798 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
# Suspend works without --header, but resume needs the header to check the
# passphrase, so it must fail until --header is supplied.
799 $CRYPTSETUP luksSuspend $DEV_NAME || fail
800 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
801 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
802 $CRYPTSETUP luksClose $DEV_NAME || fail
# Key slot management touches only the header file; "_fakedev_" stands in for
# the data device argument.
803 echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
804 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail
805 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
806 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail
# The passphrase can be verified against the header file on its own.
807 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
# [29] Repair metadata: damage parts of the LUKS1 header and check that
# "cryptsetup repair" leaves a header the original keyfile can open again.
# Outside a test, repair rewrites on-disk metadata, so a header backup should be
# taken first (luksHeaderBackup).
809 prepare "[29] Repair metadata" wipe
810 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 || fail
811 # second sector overwrite should corrupt keyslot 6+7
# Sector 1 is bytes 512-1023; slot 0, which holds the key in use, is not in
# that range. The damaged header must be refused until it has been repaired.
812 dd if=/dev/urandom of=$LOOPDEV bs=512 seek=1 count=1 >/dev/null 2>&1
813 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME >/dev/null 2>&1 && fail
814 $CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
815 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
816 $CRYPTSETUP luksClose $DEV_NAME || fail
# Byte 40 is the start of the LUKS1 cipher-mode field: write the non-canonical
# mode string "ecb-xxx" there and expect repair to succeed. aes-ecb is chosen
# only to exercise this path and is not a mode to use for real data.
818 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --hash sha256 -c aes-ecb || fail
819 echo -n "ecb-xxx" | dd of=$LOOPDEV bs=1 seek=40 >/dev/null 2>&1
820 $CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
821 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
822 $CRYPTSETUP luksClose $DEV_NAME || fail
# Byte 72 is the start of the hash-spec field: store the hash name in upper
# case and expect the same outcome.
824 echo -n "SHA256" | dd of=$LOOPDEV bs=1 seek=72 >/dev/null 2>&1
825 $CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
826 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
827 $CRYPTSETUP luksClose $DEV_NAME || fail
# [30] LUKS erase: luksErase must disable every active key slot. Once all slots
# are disabled the header no longer holds a usable copy of the volume key, so
# on a real volume the data stays recoverable only from a header backup.
829 prepare "[30] LUKS erase" wipe
# Populate two slots (5 at format time, 1 via luksAddKey) and confirm both.
830 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY5 --key-slot 5 || fail
831 $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
832 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
833 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
# -q skips the confirmation prompt; both slots must then read DISABLED.
834 $CRYPTSETUP luksErase -q $LOOPDEV || fail
835 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
836 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: DISABLED" || fail
# [31] Deferred removal: $DEV_NAME2 is stacked on top of $DEV_NAME, so
# $DEV_NAME is in use and a plain close must fail. "close --deferred" only
# marks it for removal, and it must disappear once $DEV_NAME2 is closed.
# NOTE(review): the line numbering of this listing skips 852 and 855 after the
# "if" below, so the rest of the conditional (presumably an else branch for
# systems where "close --deferred" fails, and the closing fi) is not shown.
838 prepare "[31] Deferred removal of device" wipe
839 echo $PWD1 | $CRYPTSETUP open --type plain --hash sha256 $LOOPDEV $DEV_NAME || fail
840 echo $PWD2 | $CRYPTSETUP open --type plain --hash sha256 /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
# A busy device cannot be closed and must still be reported by status.
841 $CRYPTSETUP close $DEV_NAME >/dev/null 2>&1 && fail
842 $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail
# The exit status of this command is what the "if" on the next line tests.
843 $CRYPTSETUP close --deferred $DEV_NAME >/dev/null 2>&1
844 if [ $? -eq 0 ] ; then
# The device stays active and is flagged "DEFERRED REMOVE" by dmsetup.
845 dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" || fail
846 $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 || fail
# --cancel-deferred must clear the flag again.
847 $CRYPTSETUP close --cancel-deferred $DEV_NAME >/dev/null 2>&1
848 dmsetup info $DEV_NAME | grep -q "DEFERRED REMOVE" >/dev/null 2>&1 && fail
# Re-arm the deferred removal; closing the upper device must then take the
# lower one with it.
849 $CRYPTSETUP close --deferred $DEV_NAME >/dev/null 2>&1
850 $CRYPTSETUP close $DEV_NAME2 || fail
851 $CRYPTSETUP -q status $DEV_NAME >/dev/null 2>&1 && fail
# Plain close of both devices, upper one first, with errors ignored.
853 $CRYPTSETUP close $DEV_NAME2 >/dev/null 2>&1
854 $CRYPTSETUP close $DEV_NAME >/dev/null 2>&1
# Interactive tests. Each here-document from here on is an expect(1) script fed
# to expect_run. The delimiter is unquoted, so the shell expands $EXPECT_TIMEOUT,
# $CRYPTSETUP_RAW, $LOOPDEV, $DEV_NAME and $EXPECT_DEV before expect reads the
# text. Every "expect timeout abort ..." step exits with status 2 through the
# abort proc if the expected output does not appear in time.
# NOTE(review): the line numbering of this listing skips lines inside every
# here-document (for example 870-871 and 879-880 below), so the replies sent to
# each prompt and the here-document terminator are not visible here.
#
# [32] luksOpen -T 2 allows two passphrase attempts: the script expects the
# first to be rejected and the second to unlock key slot 0.
# EXPECT_DEV takes the text between parentheses in the losetup output,
# presumably the backing file name that cryptsetup prints in its prompt.
858 # Do not remove sleep 0.1 below, the password query flushes TTY buffer (so the code is racy).
859 command -v expect >/dev/null || skip "WARNING: expect tool missing, interactive test will be skipped." 0
861 prepare "[32] Interactive password retry from terminal." new
862 EXPECT_DEV=$(losetup $LOOPDEV | sed -e "s/.*(\(.*\))/\1/")
865 expect_run - >/dev/null <<EOF
866 proc abort {} { send_error "Timeout. "; exit 2 }
867 set timeout $EXPECT_TIMEOUT
868 eval spawn $CRYPTSETUP_RAW luksOpen -v -T 2 $LOOPDEV $DEV_NAME
869 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
872 expect timeout abort "No key available with this passphrase."
873 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
876 expect timeout abort "Key slot 0 unlocked."
877 expect timeout abort "Command successful."
878 expect timeout abort eof
881 [ $? -eq 0 ] || fail "Expect script failed."
883 $CRYPTSETUP -q luksClose $DEV_NAME || fail
# [33] Same prompt sequence as [32], but both attempts allowed by -T 2 are
# expected to be rejected: the script sees "No key available with this
# passphrase." twice and then end of output, with no unlock message.
885 prepare "[33] Interactive unsuccessful password retry from terminal." new
886 expect_run - >/dev/null <<EOF
887 proc abort {} { send_error "Timeout. "; exit 2 }
888 set timeout $EXPECT_TIMEOUT
889 eval spawn $CRYPTSETUP_RAW luksOpen -v -T 2 $LOOPDEV $DEV_NAME
890 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
893 expect timeout abort "No key available with this passphrase."
894 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
897 expect timeout abort "No key available with this passphrase."
898 expect timeout abort eof
901 [ $? -eq 0 ] || fail "Expect script failed."
# [34] Interactive luksKillSlot of slot 0, which the test title calls the last
# key slot. Without -q the command asks for an explicit confirmation and then
# for a remaining passphrase before removing the slot. A second luksKillSlot on
# the same slot must report "Keyslot 0 is not active.".
903 prepare "[34] Interactive kill of last key slot." new
904 expect_run - >/dev/null <<EOF
905 proc abort {} { send_error "Timeout. "; exit 2 }
906 set timeout $EXPECT_TIMEOUT
907 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 0
908 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
910 expect timeout abort "Enter any remaining passphrase:"
913 expect timeout abort "Command successful."
914 expect timeout abort eof
915 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 0
916 expect timeout abort "Keyslot 0 is not active."
917 expect timeout abort eof
920 [ $? -eq 0 ] || fail "Expect script failed."
# [35] Interactive luksFormat: confirmation prompt, passphrase, verification
# prompt, then success. The result is checked with luksOpen --test-passphrase,
# which verifies the passphrase and takes no mapping name.
922 prepare "[35] Interactive format of device." wipe
923 expect_run - >/dev/null <<EOF
924 proc abort {} { send_error "Timeout. "; exit 2 }
925 set timeout $EXPECT_TIMEOUT
926 eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
927 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
929 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
932 expect timeout abort "Verify passphrase:"
935 expect timeout abort "Command successful."
936 expect timeout abort eof
937 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase
938 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
941 expect timeout abort "Command successful."
942 expect timeout abort eof
945 [ $? -eq 0 ] || fail "Expect script failed."
# [36] A failed interactive format: the device is first erased, then luksFormat
# is expected to stop with "Passphrases do not match.". The final luksOpen
# expects "No usable keyslot is available.", i.e. the aborted format did not
# put an active key slot back on the erased device.
947 prepare "[36] Interactive unsuccessful format of device." new
948 expect_run - >/dev/null <<EOF
949 proc abort {} { send_error "Timeout. "; exit 2 }
950 set timeout $EXPECT_TIMEOUT
951 eval spawn $CRYPTSETUP_RAW erase -v $LOOPDEV
952 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
954 expect timeout abort "Command successful."
955 expect timeout abort eof
956 eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
957 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
959 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
962 expect timeout abort "Verify passphrase:"
965 expect timeout abort "Passphrases do not match."
966 expect timeout abort eof
967 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV -T 1 --test-passphrase
968 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
971 expect timeout abort "No usable keyslot is available."
972 expect timeout abort eof
975 [ $? -eq 0 ] || fail "Expect script failed."
# [37] Interactive luksAddKey into slot 2: existing passphrase, new passphrase,
# verification. The script then checks a passphrase with --test-passphrase,
# confirms that slot 1 is reported as not active, and removes slot 2 again
# after supplying a remaining passphrase.
977 prepare "[37] Interactive add key." new
978 expect_run - >/dev/null <<EOF
979 proc abort {} { send_error "Timeout. "; exit 2 }
980 set timeout $EXPECT_TIMEOUT
981 eval spawn $CRYPTSETUP_RAW luksAddKey -S 2 $FAST_PBKDF_OPT -v $LOOPDEV
982 expect timeout abort "Enter any existing passphrase:"
985 expect timeout abort "Enter new passphrase for key slot:"
988 expect timeout abort "Verify passphrase:"
991 expect timeout abort "Command successful."
992 expect timeout abort eof
993 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase
994 expect timeout abort "Enter passphrase"
997 expect timeout abort "Command successful."
998 expect timeout abort eof
999 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 1
1000 expect timeout abort "Keyslot 1 is not active."
1001 expect timeout abort eof
1002 eval spawn $CRYPTSETUP_RAW luksKillSlot -v $LOOPDEV 2
1003 expect timeout abort "Enter any remaining passphrase:"
1006 expect timeout abort "Key slot 2 removed."
1007 expect timeout abort eof
1010 [ $? -eq 0 ] || fail "Expect script failed."
# [38] Interactive luksChangeKey: passphrase to be changed, new passphrase,
# verification. A --test-passphrase open afterwards must succeed; presumably it
# is given the new passphrase, but the reply lines are not in this listing.
1012 prepare "[38] Interactive change key." new
1013 expect_run - >/dev/null <<EOF
1014 proc abort {} { send_error "Timeout. "; exit 2 }
1015 set timeout $EXPECT_TIMEOUT
1016 eval spawn $CRYPTSETUP_RAW luksChangeKey $FAST_PBKDF_OPT -v $LOOPDEV
1017 expect timeout abort "Enter passphrase to be changed:"
1020 expect timeout abort "Enter new passphrase:"
1023 expect timeout abort "Verify passphrase:"
1026 expect timeout abort "Command successful."
1027 expect timeout abort eof
1028 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase
1029 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1032 expect timeout abort "Command successful."
1033 expect timeout abort eof
1036 [ $? -eq 0 ] || fail "Expect script failed."
# [39] Interactive suspend and resume. The device is opened non-interactively
# and suspended. luksResume -T 3 is expected to reject three passphrases in a
# row and give up; a further luksResume is then expected to succeed.
1038 prepare "[39] Interactive suspend and resume." new
1039 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
1040 expect_run - >/dev/null <<EOF
1041 proc abort {} { send_error "Timeout. "; exit 2 }
1042 set timeout $EXPECT_TIMEOUT
1043 eval spawn $CRYPTSETUP_RAW luksSuspend -v $DEV_NAME
1044 expect timeout abort "Command successful."
1045 expect timeout abort eof
1046 eval spawn $CRYPTSETUP_RAW luksResume -v -T 3 $DEV_NAME
1047 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1050 expect timeout abort "No key available with this passphrase."
1051 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1054 expect timeout abort "No key available with this passphrase."
1055 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1058 expect timeout abort "No key available with this passphrase."
1059 expect timeout abort eof
1060 eval spawn $CRYPTSETUP_RAW luksResume -v $DEV_NAME
1061 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1064 expect timeout abort "Command successful."
1065 expect timeout abort eof
1068 [ $? -eq 0 ] || fail "Expect script failed."
1069 $CRYPTSETUP remove $DEV_NAME || fail
# [40] Long passphrase from TTY: format the device interactively with a
# 512-character passphrase, then open it with the same bytes read from a
# keyfile. The keyfile open only succeeds if the terminal input was not
# truncated.
# NOTE(review): the line numbering skips 1075, so the assignment that starts
# the quoted string below (presumably to LONG_PWD, which is written to $KEYE
# afterwards) is not shown. The string is eight 64-character pieces joined by
# line continuations.
1071 prepare "[40] Long passphrase from TTY." wipe
1072 EXPECT_DEV=$(losetup $LOOPDEV | sed -e "s/.*(\(.*\))/\1/")
1074 # Password of maximal length 512 characters
1076 "0123456789abcdef0123456789ABCDEF0123456789abcdef0123456789ABCDEF"\
1077 "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do "\
1078 "eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut e"\
1079 "nim ad minim veniam, quis nostrud exercitation ullamco laboris n"\
1080 "isi ut aliquip ex ea commodo consequat. Duis aute irure dolor in"\
1081 " reprehenderit in voluptate velit esse cillum dolore eu fugiat n"\
1082 "ulla pariatur. Excepteur sint occaecat cupidatat non proident, s"\
1083 "unt in culpa qui officia deserunt mollit anim id est laborum.DEF"
# echo -n writes the passphrase without a trailing newline, so the keyfile
# holds exactly the passphrase bytes.
1085 echo -n "$LONG_PWD" >$KEYE
1087 expect_run - >/dev/null <<EOF
1088 proc abort {} { send_error "Timeout. "; exit 2 }
1089 set timeout $EXPECT_TIMEOUT
1090 eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
1091 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
1093 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
1096 expect timeout abort "Verify passphrase:"
1099 expect timeout abort "Command successful."
1100 expect timeout abort eof
1101 eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase --key-file $KEYE
1102 expect timeout abort "Command successful."
1103 expect timeout abort eof
1105 [ $? -eq 0 ] || fail "Expect script failed."
# [41] New luksAddKey options: every pairing of "how the change is authorised"
# and "where the new key comes from" is exercised, each followed by a
# --test-passphrase open of the slot that was just filled.
# $VK_FILE receives the raw volume key from luksDump --dump-volume-key. That
# file alone is enough to add new key slots (see the last two cases), so outside
# a test it must be protected like the data itself and removed after use; this
# script deletes it in its cleanup at the top of the file.
1107 prepare "[41] New luksAddKey options." file
1109 echo "$PWD1" | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $IMG || fail
1110 echo $PWD1 | $CRYPTSETUP luksDump -q $IMG --dump-volume-key --volume-key-file $VK_FILE >/dev/null || fail
# Existing passphrase and new passphrase both from stdin; -S1 is the new slot.
1113 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -q -S1 $FAST_PBKDF_OPT $IMG || fail
1114 echo $PWD2 | $CRYPTSETUP open -q --test-passphrase -S1 $IMG || fail
# With --new-key-slot, -S names the slot used to authorise: the passphrase of
# slot 1 on stdin, the new key from the keyfile $KEY1 into slot 2.
1117 echo "$PWD2" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S1 --new-key-slot 2 $IMG $KEY1 || fail
1118 $CRYPTSETUP open --test-passphrase -q -S2 -d $KEY1 $IMG || fail
# Authorised by keyfile $KEY1 (slot 2); new passphrase from stdin into slot 3.
1121 echo "$PWD3" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 -d $KEY1 --new-key-slot 3 $IMG || fail
1122 echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S3 $IMG || fail
# Keyfile to keyfile: authorised by $KEY1, new key from $KEY2 into slot 4.
1125 $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S2 --new-key-slot 4 -d $KEY1 --new-keyfile $KEY2 $IMG || fail
1126 $CRYPTSETUP open --test-passphrase -q -S4 -d $KEY2 $IMG || fail
# Authorised by the volume key file, no existing passphrase needed; new
# passphrase from stdin into slot 5.
1129 echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S5 --volume-key-file $VK_FILE $IMG || fail
1130 echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S5 $IMG || fail
# Authorised by the volume key file; new key from keyfile $KEY5 into slot 6.
1133 $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S6 --volume-key-file $VK_FILE --new-keyfile $KEY5 $IMG || fail
1134 $CRYPTSETUP open --test-passphrase -q -S6 -d $KEY5 $IMG || fail