3 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
4 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
6 REENC="$REENC_BIN reencrypt"
7 FAST_PBKDF="--pbkdf-force-iterations 1000 --pbkdf pbkdf2"
9 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
10 CRYPTSETUP_LIB_VALGRIND=../.libs
16 HEADER_LUKS2_PV=blkid-luks2-pv.img
17 ORIG_IMG=reenc-data-orig
18 DEV_LINK="reenc-test-link"
26 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
30 [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
33 function del_scsi_device()
35 rmmod scsi_debug >/dev/null 2>&1
39 function remove_mapping()
41 [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
42 [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
43 [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
44 rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
45 umount $MNT_DIR > /dev/null 2>&1
46 rmdir $MNT_DIR > /dev/null 2>&1
53 [ -n "$1" ] && echo "$1"
54 echo "FAILED backtrace:"
55 while caller $frame; do ((frame++)); done
63 [ -n "$1" ] && echo "$1"
67 function valgrind_setup()
69 command -v valgrind >/dev/null || fail "Cannot find valgrind."
70 [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
71 export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
74 function valgrind_run()
76 INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
79 function add_scsi_device() {
81 if [ -d /sys/module/scsi_debug ] ; then
82 echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
85 modprobe scsi_debug $@ delay=0 >/dev/null 2>&1
86 if [ $? -ne 0 ] ; then
87 echo "This kernel seems to not support proper scsi_debug module, test skipped."
92 SCSI_DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
93 [ -b $SCSI_DEV ] || fail "Cannot find $SCSI_DEV."
96 function open_crypt() # $1 pwd, $2 hdr
99 echo "$1" | $CRYPTSETUP luksOpen $LOOPDEV1 $DEV_NAME --header $2 || fail
100 elif [ -n "$1" ] ; then
101 echo "$1" | $CRYPTSETUP luksOpen $LOOPDEV1 $DEV_NAME || fail
103 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV1 $DEV_NAME || fail
107 function wipe_dev() # $1 dev
109 dd if=/dev/zero of=$1 bs=256k >/dev/null 2>&1
112 function wipe() # $1 pass
115 wipe_dev /dev/mapper/$DEV_NAME
116 udevadm settle >/dev/null 2>&1
117 $CRYPTSETUP luksClose $DEV_NAME || fail
120 function prepare() # $1 dev1_siz
124 dd if=/dev/zero of=$IMG bs=1k count=$1 >/dev/null 2>&1
125 LOOPDEV1=$(losetup -f 2>/dev/null)
126 [ -z "$LOOPDEV1" ] && fail "No free loop device"
127 losetup $LOOPDEV1 $IMG
129 if [ ! -e $KEY1 ]; then
130 dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
134 function check_hash_dev() # $1 dev, $2 hash
136 HASH=$(sha256sum $1 | cut -d' ' -f 1)
137 [ $HASH != "$2" ] && fail "HASH differs ($HASH)"
140 function check_hash() # $1 pwd, $2 hash, $3 hdr
143 check_hash_dev /dev/mapper/$DEV_NAME $2
144 $CRYPTSETUP remove $DEV_NAME || fail
147 function backup_orig()
152 losetup $LOOPDEV1 $IMG
160 losetup $LOOPDEV1 $IMG
163 function check_slot() #space separated list of ENABLED key slots
166 local _KS1=$_KS0 _KS2=$_KS0 _KS3=$_KS0 _KS4=$_KS0 _KS5=$_KS0 _KS6=$_KS0 _KS7=$_KS0
170 eval _KS$_tmp=ENABLED
173 local _out=$($CRYPTSETUP luksDump $LOOPDEV1 | grep -e "Key Slot" | cut -d ' ' -f 4)
176 for _tmp in $_out; do
177 eval local _orig="\${_KS${_i}}"
178 if [ "$_tmp" != "$_orig" ]; then
179 echo "Keyslot $_i is $_tmp, expected result: $_orig"
188 function simple_scsi_reenc()
191 echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF $SCSI_DEV || fail
193 echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail
194 HASH=$(sha256sum /dev/mapper/$DEV_NAME | cut -d' ' -f 1)
195 $CRYPTSETUP luksClose $DEV_NAME || fail
197 echo $PWD1 | $REENC -q $FAST_PBKDF $SCSI_DEV || fail
199 echo $PWD1 | $CRYPTSETUP luksOpen $SCSI_DEV $DEV_NAME || fail
200 check_hash_dev /dev/mapper/$DEV_NAME $HASH
201 $CRYPTSETUP luksClose $DEV_NAME || fail
204 function mount_and_test() {
205 test -d $MNT_DIR || mkdir -p $MNT_DIR
206 mount $@ $MNT_DIR 2>/dev/null || {
207 echo -n "failed to mount [SKIP]"
210 rm $MNT_DIR/* 2>/dev/null
213 if [ "${REENC:0:1}" != "/" ] ; then
214 MNT_REENC=$START_DIR/$REENC
219 echo $PWD2 | $MNT_REENC $LOOPDEV1 -q --use-fsync --use-directio --write-log $FAST_PBKDF || return 1
225 function test_logging_tmpfs() {
227 mount_and_test -t tmpfs none -o size=$[25*1024*1024] || return 1
231 function test_logging() {
233 for img in $(ls img_fs*img.xz) ; do
234 wipefs -a $SCSI_DEV > /dev/null
235 echo -n "[${img%.img.xz}]"
236 xz -d -c $img | dd of=$SCSI_DEV bs=4k >/dev/null 2>&1
237 mount_and_test $SCSI_DEV || return 1
242 function check_blkid() {
243 xz -dkf $HEADER_LUKS2_PV.xz
244 if ! $($CRYPTSETUP --version | grep -q "BLKID"); then
246 elif $(blkid -p -n crypto_LUKS $HEADER_LUKS2_PV >/dev/null 2>&1); then
253 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
254 [ ! -x "$REENC_BIN" ] && skip "Cannot find $REENC_BIN, test skipped."
255 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
256 command -v wipefs >/dev/null || skip "Cannot find wipefs, test skipped."
260 HASH1=b69dae56a14d1a8314ed40664c4033ea0a550eea2673e04df42a66ac6b9faf2c
261 HASH2=d85ef2a08aeac2812a648deb875485a6e3848fc3d43ce4aa380937f08199f86b
262 HASH3=e4e5749032a5163c45125eccf3e8598ba5ed840df442c97e1d5ad4ad84359605
263 HASH4=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74
264 HASH5=5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
266 echo "[1] Reencryption"
268 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c aes-cbc-plain $FAST_PBKDF --align-payload 4096 $LOOPDEV1 || fail
270 check_hash $PWD1 $HASH1
271 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF || fail
272 check_hash $PWD1 $HASH1
273 echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 $FAST_PBKDF || fail
274 check_hash $PWD1 $HASH1
275 echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 -c aes-xts-plain64 -h sha256 $FAST_PBKDF || fail
276 check_hash $PWD1 $HASH1
277 echo $PWD1 | $REENC $LOOPDEV1 -q --use-directio $FAST_PBKDF || fail
278 check_hash $PWD1 $HASH1
279 echo $PWD1 | $REENC $LOOPDEV1 -q --volume-key-file /dev/urandom $FAST_PBKDF || fail
280 check_hash $PWD1 $HASH1
281 echo $PWD1 | $REENC $LOOPDEV1 -q -s 512 --volume-key-file /dev/urandom $FAST_PBKDF || fail
282 check_hash $PWD1 $HASH1
283 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
285 echo "[2] Reencryption with data shift"
286 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF --align-payload 2048 $LOOPDEV1 || fail
288 echo $PWD1 | $REENC $LOOPDEV1 -q -s 256 --reduce-device-size 1024S $FAST_PBKDF || fail
289 check_hash $PWD1 $HASH2
290 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF || fail
291 check_hash $PWD1 $HASH2
292 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
294 echo "[3] Reencryption with keyfile"
295 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -d $KEY1 -c aes-cbc-essiv:sha256 -s 128 $FAST_PBKDF --align-payload 4096 $LOOPDEV1 || fail
298 echo $PWD1 | $CRYPTSETUP -q luksAddKey -d $KEY1 $LOOPDEV1 $FAST_PBKDF || fail
299 $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q 2>/dev/null && fail
300 $REENC $LOOPDEV1 -d $KEY1 -S 0 $FAST_PBKDF -q || fail
302 check_slot 0 || fail "Only keyslot 0 expected to be enabled"
303 $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
304 # FIXME echo $PWD1 | $REENC ...
306 echo "[4] Encryption of not yet encrypted device"
307 # Encrypt without size reduction must not allow header device same as data device
309 echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
310 $CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
311 ln -s $LOOPDEV1 $DEV_LINK || fail
312 echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
313 $CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
314 rm -f $DEV_LINK || fail
315 echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
316 $CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
317 ln -s $IMG $DEV_LINK || fail
318 echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
319 $CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
321 if [ ! fips_mode ]; then
322 # well, movin' zeroes :-)
324 SIZE=$(blockdev --getsz $LOOPDEV1)
325 dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
326 check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
327 dmsetup remove --retry $DEV_NAME2 || fail
328 echo $PWD1 | $REENC $LOOPDEV1 -c aes-cbc-essiv:sha256 -s 128 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
329 check_hash $PWD1 $HASH3
330 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
334 SIZE=$(blockdev --getsz $LOOPDEV1)
336 dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
337 check_hash_dev /dev/mapper/$DEV_NAME2 $HASH5
338 dmsetup remove --retry $DEV_NAME2 || fail
339 echo $PWD1 | $REENC $LOOPDEV1 -c aes-cbc-essiv:sha256 -s 128 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
340 check_hash $PWD1 $HASH5
341 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
344 echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
345 $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
349 echo "[5] Reencryption using specific keyslot"
350 echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
351 echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 1 $LOOPDEV1 || fail
352 echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 2 $LOOPDEV1 || fail
353 echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 3 $LOOPDEV1 || fail
354 echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 4 $LOOPDEV1 || fail
355 echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 5 $LOOPDEV1 || fail
356 echo -e "$PWD2\n$PWD2" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 6 $LOOPDEV1 || fail
357 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF -S 7 $LOOPDEV1 || fail
359 echo $PWD2 | $REENC $FAST_PBKDF -S 0 -q $LOOPDEV1 || fail
360 check_slot 0 || fail "Only keyslot 0 expected to be enabled"
363 echo $PWD1 | $REENC $FAST_PBKDF -S 1 -q $LOOPDEV1 || fail
364 check_slot 1 || fail "Only keyslot 1 expected to be enabled"
367 echo $PWD2 | $REENC $FAST_PBKDF -S 6 -q $LOOPDEV1 || fail
368 check_slot 6 || fail "Only keyslot 6 expected to be enabled"
371 echo $PWD3 | $REENC $FAST_PBKDF -S 7 -q $LOOPDEV1 || fail
372 check_slot 7 || fail "Only keyslot 7 expected to be enabled"
375 echo $PWD3 | $REENC $FAST_PBKDF -S 8 -q $LOOPDEV1 2>/dev/null && fail
376 $CRYPTSETUP luksDump $LOOPDEV1 > /dev/null || fail
378 echo "[6] Reencryption using all active keyslots"
379 echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $LOOPDEV1 $FAST_PBKDF || fail
380 check_slot 0 1 2 3 4 5 6 7 || fail "All keyslots expected to be enabled"
382 echo "[7] Reencryption of block devices with different block size"
383 add_scsi_device sector_size=512 dev_size_mb=8
384 simple_scsi_reenc "[512 sector]"
385 add_scsi_device sector_size=4096 dev_size_mb=8
386 simple_scsi_reenc "[4096 sector]"
387 add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=8
388 simple_scsi_reenc "[4096/512 sector]"
391 echo "[8] Header only reencryption (hash and iteration time)"
392 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
394 check_hash $PWD1 $HASH1
395 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail
396 check_hash $PWD1 $HASH1
397 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --pbkdf-force-iterations 999 2>/dev/null && fail
398 check_hash $PWD1 $HASH1
399 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha256 --pbkdf-force-iterations 1001 || fail
400 check_hash $PWD1 $HASH1
401 [ "$($CRYPTSETUP luksDump $LOOPDEV1 | grep -A1 -m1 "Key Slot 0" | grep Iterations: | sed -e 's/[[:space:]]\+Iterations:\ \+//g')" -eq 1001 ] || fail
402 [ "$($CRYPTSETUP luksDump $LOOPDEV1 | grep -m1 "Hash spec:" | cut -f2)" = "sha256" ] || fail
403 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key --hash sha512 $FAST_PBKDF || fail
404 check_hash $PWD1 $HASH1
405 [ "$($CRYPTSETUP luksDump $LOOPDEV1 | grep -A1 -m1 "Key Slot 0" | grep Iterations: | sed -e 's/[[:space:]]\+Iterations:\ \+//g')" -eq 1000 ] || fail
406 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key $FAST_PBKDF || fail
407 check_hash $PWD1 $HASH1
408 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
410 echo "[9] Test log I/Os on various underlying block devices"
412 echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
413 add_scsi_device sector_size=512 dev_size_mb=32
414 test_logging "[512 sector]" || fail
415 add_scsi_device sector_size=4096 dev_size_mb=32
416 test_logging "[4096 sector]" || fail
417 add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
418 test_logging "[4096/512 sector]" || fail
419 test_logging_tmpfs || fail
421 if [ ! fips_mode ]; then
422 echo "[10] Removal of encryption"
424 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
426 check_hash $PWD1 $HASH1
427 echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt || fail
428 check_hash_dev $LOOPDEV1 $HASH4
430 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -S5 $FAST_PBKDF $LOOPDEV1 || fail
432 check_hash $PWD1 $HASH1
433 echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt || fail
434 check_hash_dev $LOOPDEV1 $HASH4
436 echo "[11] Detached header - adding encryption/reencryption/decryption"
438 check_hash_dev $IMG $HASH4
439 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --header $IMG_HDR --new --type luks1
440 check_hash $PWD1 $HASH4 $IMG_HDR
441 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --header $IMG_HDR || fail
442 check_hash $PWD1 $HASH4 $IMG_HDR
443 echo $PWD1 | $REENC $LOOPDEV1 -q --header $IMG_HDR --decrypt || fail
444 check_hash_dev $IMG $HASH4
445 # existing header of zero size
446 cat /dev/null >$IMG_HDR
447 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --header $IMG_HDR --new --type luks1
448 check_hash $PWD1 $HASH4 $IMG_HDR
449 $CRYPTSETUP isLuks $LOOPDEV1 && fail
450 $CRYPTSETUP isLuks $IMG_HDR || fail
452 echo "[12] Prevent nested encryption"
454 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
456 #data device is already LUKS device (prevent nested encryption)
457 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 --reduce-device-size 1024S 2>/dev/null && fail
458 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 --header $IMG_HDR 2>/dev/null && fail
459 test -f $IMG_HDR && fail
460 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks2 --reduce-device-size 2048S 2>/dev/null && fail
461 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks2 --header $IMG_HDR 2>/dev/null && fail
462 test -f $IMG_HDR && fail
465 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --header $IMG_HDR $FAST_PBKDF $LOOPDEV1 || fail
467 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 --header $IMG_HDR 2>/dev/null && fail
468 echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_PBKDF --new --type luks2 --header $IMG_HDR 2>/dev/null && fail
471 if [ "$HAVE_BLKID" -gt 0 ]; then
472 echo "[13] Prevent nested encryption of broken LUKS device"
475 xz -dkf $HEADER_LUKS2_PV.xz
477 echo $PWD1 | $REENC --header $HEADER_LUKS2_PV $LOOPDEV1 -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
478 $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
480 echo $PWD1 | $REENC $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 --reduce-device-size 1024S 2>/dev/null && fail
481 $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
482 # broken data device only
483 echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
484 test -f $IMG_HDR && fail
486 fi # if [ ! fips_mode ]