tests/luks2-validation-test

   1 #!/bin/bash
   2
   3 #turn on debug mode by following env. variable _DEBUG=1
   4
   5 PS4='$LINENO:'
   6 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
   7 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
   8
   9 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
  10 CRYPTSETUP_LIB_VALGRIND=../.libs
  11
  12 START_DIR=$(pwd)
  13
  14 IMG=luks2-backend.img
  15 ORIG_IMG=luks2_valid_hdr.img
  16 TST_IMGS=$START_DIR/luks2-images
  17
  18 GEN_DIR=generators
  19
  20 FAILS=0
  21
  22 [ -z "$srcdir" ] && srcdir="."
  23
  24 function remove_mapping()
  25 {
  26         rm -rf $IMG $TST_IMGS >/dev/null 2>&1
  27 }
  28
  29 function fail()
  30 {
  31         [ -n "$1" ] && echo "$1"
  32         echo "FAILED backtrace:"
  33         while caller $frame; do ((frame++)); done
  34         cd $START_DIR
  35         remove_mapping
  36         exit 2
  37 }
  38
  39 fail_count()
  40 {
  41         echo "$1"
  42         FAILS=$((FAILS+1))
  43 }
  44
  45 function skip()
  46 {
  47         [ -n "$1" ] && echo "$1"
  48         exit 77
  49 }
  50
  51 function prepare() # $1 dev1_size
  52 {
  53         remove_mapping
  54
  55         test -d $TST_IMGS || mkdir $TST_IMGS
  56
  57         test -e $ORIG_IMG || xz -dkc $srcdir/$ORIG_IMG.xz >$ORIG_IMG
  58         cp $ORIG_IMG $TST_IMGS
  59         cp $ORIG_IMG $IMG
  60 }
  61
  62 function test_load()
  63 {
  64         local _debug=
  65
  66         test -z "$_DEBUG" || _debug="--debug"
  67
  68         case "$1" in
  69         R)
  70                 if [ -n "$_debug" ]; then
  71                         $CRYPTSETUP luksDump $_debug $IMG
  72                 else
  73                         $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1
  74                 fi
  75                 test $? -eq 0 || return 1
  76                 ;;
  77         F)
  78                 if [ -n "$_debug" ]; then
  79                         $CRYPTSETUP luksDump $_debug $IMG
  80                 else
  81                         $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1
  82                 fi
  83                 test $? -ne 0 || return 1
  84                 ;;
  85         *)
  86                 fail "Internal test error"
  87                 ;;
  88         esac
  89 }
  90
  91 function RUN()
  92 {
  93         echo -n "Test image: $1..."
  94         cp $TST_IMGS/$1 $IMG || fail "Missing test image"
  95         test_load $2 "$3"
  96         if [ $? -ne 0 ]; then
  97                 fail_count "$3"
  98         else
  99                 echo "OK"
 100         fi
 101 }
 102
 103 function valgrind_setup()
 104 {
 105         which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
 106         [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
 107         export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
 108 }
 109
 110 function valgrind_run()
 111 {
 112         INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 113 }
 114
 115 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
 116
 117 which jq >/dev/null 2>&1 || skip "Cannot find jq, test skipped."
 118
 119 prepare
 120
 121 echo "[0] Generating test headers"
 122 cd $srcdir/$GEN_DIR
 123 for scr in ./generate-*.sh; do
 124         echo -n "$(basename $scr)..."
 125         $scr $TST_IMGS $TST_IMGS/$ORIG_IMG || fail "Header generator $scr failed: '$?'"
 126         echo "done"
 127 done
 128 cd $START_DIR
 129
 130 echo "[1] Test basic auto-recovery"
 131 RUN luks2-invalid-checksum-hdr0.img "R" "Failed to recover from trivial header corruption at offset 0"
 132 # TODO: check epoch is incresed after recovery
 133 # TODO: check only sectors related to corrupted hdr at offset 0 are written (dmstats tool/differ.c)
 134
 135 RUN luks2-invalid-checksum-hdr1.img "R" "Failed to recover from trivial header corruption at offset 16384"
 136 # TODO: check epoch is incresed after recovery
 137 # TODO: check only sectors related to corrupted hdr at offset 16384 are written (dmstats tool/differ.c)
 138
 139 RUN luks2-invalid-checksum-both-hdrs.img "F" "Failed to recognise corrupted header beyond repair"
 140
 141 echo "[2] Test ability to auto-correct mallformed json area"
 142 RUN luks2-corrupted-hdr0-with-correct-chks.img "R" "Failed to auto correct malformed json area at offset 512"
 143 # TODO: check epoch is incresed after recovery
 144 # TODO: check only sectors related to corrupted hdr at offset 0 are written (dmstats tool/differ.c)
 145
 146 RUN luks2-corrupted-hdr1-with-correct-chks.img "R" "Failed to auto correct malformed json area at offset 16896"
 147 # TODO: check epoch is incresed after recovery
 148 # TODO: check only sectors related to corrupted hdr at offset 16384 are written (dmstats tool/differ.c)
 149
 150 RUN luks2-correct-full-json0.img "R" "Failed to parse full and correct json area"
 151 # TODO: detect noop (norecovery, epoch untouched)
 152 # TODO: check epoch is NOT incresed after recovery of secondary header
 153
 154 # these tests auto-correct json in-memory only. It'll get fixed on-disk after write operation
 155 RUN luks2-argon2-leftover-params.img   "R" "Failed to repair keyslot with old argon2 parameters."
 156 RUN luks2-pbkdf2-leftover-params-0.img "R" "Failed to repair keyslot with old pbkdf2 parameters."
 157 RUN luks2-pbkdf2-leftover-params-1.img "R" "Failed to repair keyslot with old pbkdf2 parameters."
 158
 159 # Secondary header is always broken in following tests
 160 echo "[3] Test LUKS2 json area restrictions"
 161 RUN luks2-non-null-byte-beyond-json0.img                "F" "Failed to detect illegal data right beyond json data string"
 162 RUN luks2-non-null-bytes-beyond-json0.img               "F" "Failed to detect illegal data in json area"
 163 RUN luks2-missing-trailing-null-byte-json0.img          "F" "Failed to detect missing terminal null byte"
 164 RUN luks2-invalid-opening-char-json0.img                "F" "Failed to detect invalid opening character in json area"
 165 RUN luks2-invalid-object-type-json0.img                 "F" "Failed to detect invalid json object type"
 166 RUN luks2-overlapping-areas-c0-json0.img                "F" "Failed to detect two exactly same area specifications"
 167 RUN luks2-overlapping-areas-c1-json0.img                "F" "Failed to detect two intersecting area specifications"
 168 RUN luks2-overlapping-areas-c2-json0.img                "F" "Failed to detect two slightly intersecting area specifications"
 169 RUN luks2-area-in-json-hdr-space-json0.img              "F" "Failed to detect area referencing LUKS2 header space"
 170 RUN luks2-missing-keyslot-referenced-in-digest.img      "F" "Failed to detect missing keyslot referenced in digest"
 171 RUN luks2-missing-segment-referenced-in-digest.img      "F" "Failed to detect missing segment referenced in digest"
 172 RUN luks2-missing-keyslot-referenced-in-token.img       "F" "Failed to detect missing keyslots referenced in token"
 173 RUN luks2-keyslot-missing-digest.img                    "F" "Failed to detect missing keyslot digest."
 174 RUN luks2-keyslot-too-many-digests.img                  "F" "Failed to detect keyslot has too many digests."
 175
 176 echo "[4] Test integers value limits"
 177 RUN luks2-uint64-max-segment-size.img                   "R" "Validation rejected correct value"
 178 RUN luks2-uint64-overflow-segment-size.img              "F" "Failed to detect uint64_t overflow"
 179 RUN luks2-uint64-signed-segment-size.img                "F" "Failed to detect negative value"
 180
 181 echo "[5] Test segments validation"
 182 RUN luks2-segment-missing-type.img                      "F" "Failed to detect missing type field"
 183 RUN luks2-segment-wrong-type.img                        "F" "Failed to detect invalid type field"
 184 RUN luks2-segment-missing-offset.img                    "F" "Failed to detect missing offset field"
 185 RUN luks2-segment-wrong-offset.img                      "F" "Failed to detect invalid offset field"
 186 RUN luks2-segment-missing-size.img                      "F" "Failed to detect missing size field"
 187 RUN luks2-segment-wrong-size-0.img                      "F" "Failed to detect invalid size field"
 188 RUN luks2-segment-wrong-size-1.img                      "F" "Failed to detect invalid size field"
 189 RUN luks2-segment-wrong-size-2.img                      "F" "Failed to detect invalid size field"
 190 RUN luks2-segment-crypt-missing-encryption.img          "F" "Failed to detect missing encryption field"
 191 RUN luks2-segment-crypt-wrong-encryption.img            "F" "Failed to detect invalid encryption field"
 192 RUN luks2-segment-crypt-missing-ivoffset.img            "F" "Failed to detect missing iv_tweak field"
 193 RUN luks2-segment-crypt-wrong-ivoffset.img              "F" "Failed to detect invalid iv_tweak field"
 194 RUN luks2-segment-crypt-missing-sectorsize.img          "F" "Failed to detect missing sector_size field"
 195 RUN luks2-segment-crypt-wrong-sectorsize-0.img          "F" "Failed to detect invalid sector_size field"
 196 RUN luks2-segment-crypt-wrong-sectorsize-1.img          "F" "Failed to detect invalid sector_size field"
 197 RUN luks2-segment-crypt-wrong-sectorsize-2.img          "F" "Failed to detect invalid sector_size field"
 198 RUN luks2-segment-unknown-type.img                      "R" "Validation rejected segment with all mandatory fields correct"
 199 RUN luks2-segment-two.img                               "R" "Validation rejected two valid segments"
 200 RUN luks2-segment-wrong-flags.img                       "F" "Failed to detect invalid flags field"
 201 RUN luks2-segment-wrong-flags-element.img               "F" "Failed to detect invalid flags content"
 202
 203 echo "[6] Test metadata size and keyslots size (config section)"
 204 RUN luks2-invalid-keyslots-size-c0.img                  "F" "Failed to detect too large keyslots_size in config section"
 205 RUN luks2-invalid-keyslots-size-c1.img                  "F" "Failed to detect unaligned keyslots_size in config section"
 206 RUN luks2-invalid-keyslots-size-c2.img                  "F" "Failed to detect too small keyslots_size config section"
 207 RUN luks2-invalid-json-size-c0.img                      "F" "Failed to detect invalid json_size config section"
 208 RUN luks2-invalid-json-size-c1.img                      "F" "Failed to detect invalid json_size config section"
 209 RUN luks2-invalid-json-size-c2.img                      "F" "Failed to detect mismatching json size in config and binary hdr"
 210 RUN luks2-metadata-size-32k.img                         "R" "Valid 32KiB metadata size failed to validate"
 211 RUN luks2-metadata-size-64k.img                         "R" "Valid 64KiB metadata size failed to validate"
 212 RUN luks2-metadata-size-64k-inv-area-c0.img             "F" "Failed to detect keyslot area trespassing in json area"
 213 RUN luks2-metadata-size-64k-inv-area-c1.img             "F" "Failed to detect keyslot area overflowing keyslots area"
 214 RUN luks2-metadata-size-64k-inv-keyslots-size-c0.img    "F" "Failed to detect keyslots size overflowing in data area"
 215 RUN luks2-metadata-size-128k.img                        "R" "Valid 128KiB metadata size failed to validate"
 216 RUN luks2-metadata-size-256k.img                        "R" "Valid 256KiB metadata size failed to validate"
 217 RUN luks2-metadata-size-512k.img                        "R" "Valid 512KiB metadata size failed to validate"
 218 RUN luks2-metadata-size-1m.img                          "R" "Valid 1MiB metadata size failed to validate"
 219 RUN luks2-metadata-size-2m.img                          "R" "Valid 2MiB metadata size failed to validate"
 220 RUN luks2-metadata-size-4m.img                          "R" "Valid 4MiB metadata size failed to validate"
 221 RUN luks2-metadata-size-16k-secondary.img               "R" "Valid 16KiB metadata size in secondary hdr failed to validate"
 222 RUN luks2-metadata-size-32k-secondary.img               "R" "Valid 32KiB metadata size in secondary hdr failed to validate"
 223 RUN luks2-metadata-size-64k-secondary.img               "R" "Valid 64KiB metadata size in secondary hdr failed to validate"
 224 RUN luks2-metadata-size-128k-secondary.img              "R" "Valid 128KiB metadata size in secondary hdr failed to validate"
 225 RUN luks2-metadata-size-256k-secondary.img              "R" "Valid 256KiB metadata size in secondary hdr failed to validate"
 226 RUN luks2-metadata-size-512k-secondary.img              "R" "Valid 512KiB metadata size in secondary hdr failed to validate"
 227 RUN luks2-metadata-size-1m-secondary.img                "R" "Valid 1MiB metadata size in secondary hdr failed to validate"
 228 RUN luks2-metadata-size-2m-secondary.img                "R" "Valid 2MiB metadata size in secondary hdr failed to validate"
 229 RUN luks2-metadata-size-4m-secondary.img                "R" "Valid 4MiB metadata size in secondary hdr failed to validate"
 230
 231 remove_mapping
 232
 233 test $FAILS -eq 0 || fail "($FAILS wrong result(s) in total)"