4 DEV_CRYPT="dmtst-crypt"
6 CIPHER="aes-xts-plain64"
8 TEST_KEYRING_NAME="keyringtest_keyring"
10 USER_KEY_32_OK="dmtst:ukey_32_ok"
11 USER_KEY_32_WRONG="dmtst:ukey_32_wrong_size"
13 LOGON_KEY_32_OK="dmtst:lkey_32_ok"
14 LOGON_KEY_32_WRONG="dmtst:lkey_32_wrong_size"
16 PAYLOAD_32="bb21158c733229347bd4e681891e213d"
17 PAYLOAD_31="bb21158c733229347bd4e681891e213"
19 HEXKEY_32="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
20 HEXKEY_32_BAD="bb21158c733229347bd4e68189XXXX3d94c685be6a5b84818afe7a78a6de7a1a"
21 HEXKEY_31="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a"
23 function remove_mapping()
25 [ -b /dev/mapper/$DEV_CRYPT ] && dmsetup remove --retry $DEV_CRYPT
26 [ -b /dev/mapper/$DEV_ZERO ] && dmsetup remove --retry $DEV_ZERO
28 # unlink whole test keyring
29 [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
34 [ -n "$1" ] && echo "$1"
41 [ -n "$1" ] && echo "$1"
42 echo "FAILED backtrace:"
43 while caller $frame; do ((frame++)); done
54 keyctl add $@ >/dev/null
57 function dm_crypt_keyring_support()
59 VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
60 [ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
62 VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
63 VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
65 [ $VER_MAJ -gt 1 ] && return 0
66 [ $VER_MAJ -lt 1 ] && return 1
70 function test_and_prepare_keyring() {
71 keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
72 TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
73 test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
74 keyctl search "@s" keyring "$TEST_KEYRING" > /dev/null 2>&1 || keyctl link "@u" "@s" > /dev/null 2>&1
75 load_key user test_key test_data "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
78 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
79 which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"
80 which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
81 modprobe dm-crypt || fail "dm-crypt failed to load"
82 dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
84 test_and_prepare_keyring
86 load_key logon $LOGON_KEY_32_OK $PAYLOAD_32 "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
87 load_key user $USER_KEY_32_OK $PAYLOAD_32 "$TEST_KEYRING" || fail "Cannot load 32 byte user key type"
88 load_key logon $LOGON_KEY_32_WRONG $PAYLOAD_31 "$TEST_KEYRING" || fail "Cannot load 31 byte logon key type"
89 load_key user $USER_KEY_32_WRONG $PAYLOAD_31 "$TEST_KEYRING" || fail "Cannot load 31 byte user key type"
91 dmsetup create $DEV_ZERO --table "0 100 zero" || fail
93 echo "[1] Valid keyring keys"
95 # load logon type kernel key
96 KEY=":32:logon:$LOGON_KEY_32_OK"
97 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" || fail
98 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $KEY 0" || fail
99 dmsetup remove --retry $DEV_CRYPT || fail
101 # load user type kernel key
102 KEY=":32:user:$USER_KEY_32_OK"
103 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" || fail
104 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $KEY 0" || fail
105 dmsetup remove --retry $DEV_CRYPT || fail
107 # load logon type kernel key...
108 KEY=":32:logon:$LOGON_KEY_32_OK"
109 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" || fail
110 dmsetup suspend $DEV_CRYPT || fail
111 dmsetup message $DEV_CRYPT 0 "key wipe" || fail
112 # ...replace the key with hexkey...
113 dmsetup message $DEV_CRYPT 0 "key set $HEXKEY_32" || fail
114 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $HEXKEY_32 0" || fail
115 dmsetup resume $DEV_CRYPT || fail
116 dmsetup suspend $DEV_CRYPT || fail
117 # ...and replace it again with user type kernel key...
118 dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
119 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER :32:user:$USER_KEY_32_OK 0" || fail
120 dmsetup message $DEV_CRYPT 0 "key set $HEXKEY_32" || fail
121 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $HEXKEY_32 0" || fail
122 dmsetup resume $DEV_CRYPT || fail
123 dmsetup remove --retry $DEV_CRYPT || fail
125 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $HEXKEY_32 0 /dev/mapper/$DEV_ZERO 0" || fail
126 dmsetup suspend $DEV_CRYPT || fail
127 dmsetup message $DEV_CRYPT 0 "key wipe" || fail
128 dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
129 dmsetup resume $DEV_CRYPT || fail
130 dmsetup suspend $DEV_CRYPT || fail
131 dmsetup message $DEV_CRYPT 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
132 dmsetup resume $DEV_CRYPT || fail
133 dmsetup remove --retry $DEV_CRYPT || fail
135 echo "[2] message ioctl"
136 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $HEXKEY_32 0 /dev/mapper/$DEV_ZERO 0" || fail
137 dmsetup suspend $DEV_CRYPT || fail
138 dmsetup message $DEV_CRYPT 0 "key set :32:logon:$LOGON_KEY_32_WRONG" 2> /dev/null && fail
139 # old key should be intact and valid
140 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER $HEXKEY_32 0" || fail
141 dmsetup resume $DEV_CRYPT || fail
142 dmsetup suspend $DEV_CRYPT || fail
143 # now the key gets destroyed by invalid input
144 dmsetup message $DEV_CRYPT 0 "key set $HEXKEY_32_BAD" 2> /dev/null && fail
145 dmsetup resume $DEV_CRYPT 2> /dev/null && fail
146 # hmm... see the output. don't like it
147 # dmsetup table --showkeys $DEV_CRYPT
149 dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
150 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER :32:user:$USER_KEY_32_OK 0" || fail
151 dmsetup message $DEV_CRYPT 0 "key set :31:logon:$LOGON_KEY_32_OK" 2> /dev/null && fail
152 dmsetup message $DEV_CRYPT 0 "key set :" 2> /dev/null && fail
153 dmsetup message $DEV_CRYPT 0 "key set ::::" 2> /dev/null && fail
154 dmsetup message $DEV_CRYPT 0 "key set :0:logon:$LOGON_KEY_32_OK" 2> /dev/null && fail
155 dmsetup message $DEV_CRYPT 0 "key set :32" 2> /dev/null && fail
156 dmsetup message $DEV_CRYPT 0 "key set :32:" 2> /dev/null && fail
157 dmsetup message $DEV_CRYPT 0 "key set :32:logon" 2> /dev/null && fail
158 dmsetup message $DEV_CRYPT 0 "key set :32:logo" 2> /dev/null && fail
159 dmsetup message $DEV_CRYPT 0 "key set :32:logon:" 2> /dev/null && fail
160 dmsetup table --showkeys $DEV_CRYPT | grep -q "crypt $CIPHER :32:user:$USER_KEY_32_OK 0" || fail
161 dmsetup message $DEV_CRYPT 0 "key set :32:user:$USER_KEY_32_OK" || fail
162 dmsetup resume $DEV_CRYPT || fail
163 dmsetup remove --retry $DEV_CRYPT || fail
165 echo "[3] bOrked keys"
166 # declare the key having 32 bytes but load key which has in fact 31 bytes only
167 KEY=":32:logon:$LOGON_KEY_32_WRONG"
168 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted wrong key size"
170 # declare the key having 31 bytes (incompatible with cipher) and load key with 32 bytes in real
171 KEY=":31:logon:$LOGON_KEY_32_WRONG"
172 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted wrong key size"
174 # declare the key being user type but try to load logon one
175 KEY=":32:user:$LOGON_KEY_32"
176 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted key description for invalid key type"
179 KEY=":32:logon:$USER_KEY_32"
180 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $KEY 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted key description for invalid key type"
182 BORKED_KEYS=":\ 32:logon:$LOGON_KEY_32_OK
183 : 32:logon:$LOGON_KEY_32_OK
184 :+32:logon:$LOGON_KEY_32_OK
185 :-32:logon:$LOGON_KEY_32_OK
186 :32 :logon:$LOGON_KEY_32_OK
187 :32\ :logon:$LOGON_KEY_32_OK
188 :32_:logon:$LOGON_KEY_32_OK
189 :32+:logon:$LOGON_KEY_32_OK
190 :30+2:logon:$LOGON_KEY_32_OK
191 :32+0:logon:$LOGON_KEY_32_OK
192 :32: logon:$LOGON_KEY_32_OK
193 :32:\ logon:$LOGON_KEY_32_OK
194 :32:logonA:$LOGON_KEY_32_OK
195 :32:logo:$LOGON_KEY_32_OK
196 :32:llogon:$LOGON_KEY_32_OK
197 :32xlogon:$LOGON_KEY_32_OK
198 :32logon:$LOGON_KEY_32_OK
199 :32:logonx$LOGON_KEY_32_OK
200 :32:logon$LOGON_KEY_32_OK
201 : 32:user:$USER_KEY_32_OK
202 :\ 32:user:$USER_KEY_32_OK
203 :+32:user:$USER_KEY_32_OK
204 :-32:user:$USER_KEY_32_OK
205 :32 :user:$USER_KEY_32_OK
206 :32\ :user:$USER_KEY_32_OK
207 :32_:user:$USER_KEY_32_OK
208 :32+:user:$USER_KEY_32_OK
209 :30+2:user:$USER_KEY_32_OK
210 :32+0:user:$USER_KEY_32_OK
211 :32: user:$USER_KEY_32_OK
212 :32:\ user:$USER_KEY_32_OK
213 :32:userA:$USER_KEY_32_OK
214 :32:use:$USER_KEY_32_OK
215 :32:uuser:$USER_KEY_32_OK
216 :32xuser:$USER_KEY_32_OK
217 :32user:$USER_KEY_32_OK
218 :32:userx$USER_KEY_32_OK
219 :32:user$USER_KEY_32_OK
220 :32:userlogon:$USER_KEY_32_OK
221 :32:userlogon:$LOGON_KEY_32_OK
222 :32:logonuser:$USER_KEY_32_OK
223 :32:logonuser:$LOGON_KEY_32_OK
224 :32:logon:user:$USER_KEY_32_OK
225 :32:logon:user:$LOGON_KEY_32_OK
226 :32:user:logon:$USER_KEY_32_OK
227 :32:user:logon:$LOGON_KEY_32_OK"
229 # TODO: add tests with whitespace in key description (not possible with current libdevmapper)
234 for key in $BORKED_KEYS; do
235 dmsetup create $DEV_CRYPT --table "0 100 crypt $CIPHER $key 0 /dev/mapper/$DEV_ZERO 0" 2> /dev/null && fail "dm-crypt accepted seriously borked key string"