* cryptsetup library API check functions
*
* Copyright (C) 2009-2012 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2012, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
- * version 2 as published by the Free Software Foundation.
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
#include <linux/fs.h>
#include <errno.h>
#include <assert.h>
+#include <signal.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <libdevmapper.h>
static int _debug = 0;
static int _verbose = 1;
+static int _fips_mode = 0;
+
+static int _quit = 0;
static char global_log[4096];
static int global_lines = 0;
return r;
}
+static int fips_mode(void)
+{
+ int fd;
+ char buf = 0;
+
+ fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+ if (fd < 0)
+ return 0;
+
+ if (read(fd, &buf, 1) != 1)
+ buf = '0';
+
+ close(fd);
+
+ return (buf == '1');
+}
+
static int get_luks_offsets(int metadata_device,
size_t keylength,
unsigned int alignpayload_sec,
_system("modprobe dm-crypt", 0);
_system("modprobe dm-verity", 0);
+
+ _fips_mode = fips_mode();
+ if (_debug)
+ printf("FIPS MODE: %d\n", _fips_mode);
+
return 0;
}
else
printf(" [%s,%s:%d] %s\n", msg, func, line, tst);
}
+ if (_quit) {
+ if (_verbose)
+ printf("Interrupted by a signal.\n");
+ _cleanup();
+ exit(-1);
+ }
}
/* crypt_device context must be "cd" to parse error properly here */
EQ_(r_size, size);
// size overlaps
- FAIL_(crypt_resize(cd, CDEVICE_1, ULLONG_MAX),"Backing device is too small");
+ FAIL_(crypt_resize(cd, CDEVICE_1, (uint64_t)-1),"Backing device is too small");
FAIL_(crypt_resize(cd, CDEVICE_1, (size>>SECTOR_SHIFT)+1),"crypt device overlaps backing device");
// resize ok
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
// retrieve volume key check
- memset(key2, 0, key_size);
- key_size--;
- // small buffer
- FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
- key_size++;
- OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
-
- OK_(memcmp(key, key2, key_size));
+ if (!_fips_mode) {
+ memset(key2, 0, key_size);
+ key_size--;
+ // small buffer
+ FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
+ key_size++;
+ OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+
+ OK_(memcmp(key, key2, key_size));
+ }
OK_(strcmp(cipher, crypt_get_cipher(cd)));
OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
EQ_((int)key_size, crypt_get_volume_key_size(cd));
EQ_((int)key_size, crypt_get_volume_key_size(cd));
EQ_(1032, crypt_get_data_offset(cd));
- EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
- OK_(crypt_volume_key_verify(cd, key, key_size));
- OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
- OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
- EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
- OK_(crypt_deactivate(cd, CDEVICE_1));
-
- key[1] = ~key[1];
- FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
- FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+ if (!_fips_mode) {
+ EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+ OK_(crypt_volume_key_verify(cd, key, key_size));
+ OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+ key[1] = ~key[1];
+ FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+ }
crypt_free(cd);
}
};
char key[128], key2[128];
- const char *passphrase = "blabla";
+ const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
size_t key_size = strlen(mk_hex) / 2;
const char *cipher = "aes";
EQ_(CRYPT_SLOT_INACTIVE, crypt_keyslot_status(cd, 7));
EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 6));
- EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
- OK_(crypt_volume_key_verify(cd, key2, key_size));
+ EQ_(7, crypt_keyslot_change_by_passphrase(cd, 6, 7, passphrase, strlen(passphrase), passphrase2, strlen(passphrase2)));
+ EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 7));
+ EQ_(7, crypt_activate_by_passphrase(cd, NULL, 7, passphrase2, strlen(passphrase2), 0));
+ EQ_(6, crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 6, passphrase2, strlen(passphrase2), passphrase, strlen(passphrase)));
+
+ if (!_fips_mode) {
+ EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+ OK_(crypt_volume_key_verify(cd, key2, key_size));
- OK_(memcmp(key, key2, key_size));
+ OK_(memcmp(key, key2, key_size));
+ }
OK_(strcmp(cipher, crypt_get_cipher(cd)));
OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
EQ_((int)key_size, crypt_get_volume_key_size(cd));
struct crypt_device *cd = NULL;
struct crypt_active_device cad;
const char *passphrase = "aaaaaaaaaaaa";
+ const char *kf1 = "tcrypt-images/keyfile1";
+ const char *kf2 = "tcrypt-images/keyfile2";
+ const char *keyfiles[] = { kf1, kf2 };
struct crypt_params_tcrypt params = {
.passphrase = passphrase,
.passphrase_size = strlen(passphrase),
+ .keyfiles = keyfiles,
+ .keyfiles_count = 2,
};
double enc_mbr = 0, dec_mbr = 0;
- const char *tcrypt_dev = "tcrypt-images/tc_5-sha512-xts-aes";
+ const char *tcrypt_dev = "tcrypt-images/tck_5-sha512-xts-aes";
size_t key_size = 64;
char key[key_size], key_def[key_size];
const char *key_hex =
- "e87dd14403a547b440f459aa8284da62db364658a286b94ba2f3c7957c03f290"
- "266d38facd211e12cd0abfc5b41555df6019d73374f85fbcb23fd4efc43b0c64";
+ "98dee64abe44bbf41d171c1f7b3e8eacda6d6b01f459097459a167f8c2872a96"
+ "3979531d1cdc18af62757cf22286f16f8583d848524f128d7594ac2082668c73";
int r;
crypt_decode_key(key_def, key_hex, strlen(key_hex) / 2);
EQ_(256, crypt_get_data_offset(cd));
memset(key, 0, key_size);
- key_size--;
- // small buffer
- FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
- key_size++;
- OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
- OK_(memcmp(key, key_def, key_size));
+ if (!_fips_mode) {
+ key_size--;
+ // small buffer
+ FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
+ key_size++;
+ OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
+ OK_(memcmp(key, key_def, key_size));
+ }
reset_log();
crypt_set_log_callback(cd, &new_log, NULL);
crypt_free(cd);
}
+static void int_handler(int sig __attribute__((__unused__)))
+{
+ _quit++;
+}
+
int main(int argc, char *argv[])
{
+ struct sigaction sa = { .sa_handler = int_handler };
int i;
if (getuid() != 0) {
_debug = _verbose = 1;
}
+ /* Handle interrupt properly */
+ sigaction(SIGINT, &sa, NULL);
+ sigaction(SIGTERM, &sa, NULL);
+
_cleanup();
if (_setup())
goto out;