#!/bin/bash # check tcrypt images parsing [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup TST_DIR=tcrypt-images MAP=tctst PASSWORD="aaaaaaaaaaaa" PASSWORD_HIDDEN="bbbbbbbbbbbb" PASSWORD_72C="aaaaaaaaaaaabbbbbbbbbbbbccccccccccccddddddddddddeeeeeeeeeeeeffffffffffff" PIM=1234 CRYPTSETUP_VALGRIND=../.libs/cryptsetup CRYPTSETUP_LIB_VALGRIND=../.libs [ -z "$srcdir" ] && srcdir="." function remove_mapping() { [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP [ -b /dev/mapper/"$MAP"_1 ] && dmsetup remove --retry "$MAP"_1 [ -b /dev/mapper/"$MAP"_2 ] && dmsetup remove --retry "$MAP"_2 rm -rf $TST_DIR } function fail() { [ -n "$1" ] && echo "$1" echo " [FAILED]" echo "FAILED backtrace:" while caller $frame; do ((frame++)); done remove_mapping exit 2 } function skip() { [ -n "$1" ] && echo "$1" remove_mapping exit 77 } function test_one() # cipher mode keysize rm_pattern { $CRYPTSETUP benchmark -c "$1-$2" -s "$3" >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "$1-$2 [N/A]" IMGS=$(ls $TST_DIR/[tv]c* | grep "$4") [ -n "$IMGS" ] && rm $IMGS #echo $IMGS else echo "$1-$2 [OK]" fi } function test_kdf() # hash { $CRYPTSETUP benchmark -h "$1" >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "pbkdf2-$1 [N/A]" IMGS=$(ls $TST_DIR/[tv]c* | grep "$1") [ -n "$IMGS" ] && rm $IMGS else echo "pbkdf2-$1 [OK]" fi } function get_HASH_CIPHER() # filename { # speed up the test by limiting options for hash and (first) cipher HASH=$(echo $file | cut -d'-' -f3) CIPHER=$(echo $file | cut -d'-' -f5) } function test_required() { command -v blkid >/dev/null || skip "blkid tool required, test skipped." echo "REQUIRED KDF TEST" test_kdf sha256 test_kdf sha512 test_kdf ripemd160 test_kdf whirlpool test_kdf stribog512 echo "REQUIRED CIPHERS TEST" test_one aes cbc 256 cbc-aes test_one aes lrw 384 lrw-aes test_one aes xts 512 xts-aes test_one twofish ecb 256 twofish test_one twofish cbc 256 cbc-twofish test_one twofish lrw 384 lrw-twofish test_one twofish xts 512 xts-twofish test_one serpent ecb 256 serpent test_one serpent cbc 256 cbc-serpent test_one serpent lrw 384 lrw-serpent test_one serpent xts 512 xts-serpent test_one blowfish cbc 256 blowfish test_one des3_ede cbc 192 des3_ede test_one cast5 cbc 128 cast5 test_one camellia xts 512 camellia test_one kuznyechik xts 512 kuznyechik ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images, test skipped." } function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } function valgrind_run() { INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } export LANG=C [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ ! -d $TST_DIR ] && tar xJf $srcdir/tcrypt-images.tar.xz --no-same-owner [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run test_required echo "HEADER CHECK" for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do echo -n " $file" PIM_OPT="" [[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM" SYS_OPT="" [[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system" get_HASH_CIPHER $file echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h $HASH -c $CIPHER $file >/dev/null || fail if [[ $file =~ .*-sha512-xts-aes$ ]] ; then echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c aes $file >/dev/null || fail echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h xxxx $file 2>/dev/null && fail echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c xxx $file 2>/dev/null && fail fi echo " [OK]" done echo "HEADER CHECK (TCRYPT only)" for file in $(ls $TST_DIR/vc_* $TST_DIR/vcpim_*) ; do echo -n " $file" PIM_OPT="" [[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM" get_HASH_CIPHER $file echo $PASSWORD | $CRYPTSETUP tcryptDump --disable-veracrypt $PIM_OPT -h $HASH -c $CIPHER $file >/dev/null 2>&1 && fail echo " [OK]" done echo "HEADER CHECK (HIDDEN)" for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do echo -n " $file (hidden)" get_HASH_CIPHER $file echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden -h $HASH -c $CIPHER $file >/dev/null || fail echo " [OK]" done echo "HEADER KEYFILES CHECK" for file in $(ls $TST_DIR/[tv]ck_*) ; do echo -n " $file" PWD=$PASSWORD [[ $file =~ vck_1_nopw.* ]] && PWD="" [[ $file =~ vck_1_pw72.* ]] && PWD=$PASSWORD_72C get_HASH_CIPHER $file echo $PWD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 -h $HASH -c $CIPHER $file >/dev/null || fail echo " [OK]" done if [ $(id -u) != 0 ]; then echo "WARNING: You must be root to run activation part of test, test skipped." remove_mapping exit 0 fi echo "ACTIVATION FS UUID CHECK" for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do echo -n " $file" PIM_OPT="" [[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM" SYS_OPT="" [[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system" get_HASH_CIPHER $file out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $SYS_OPT $PIM_OPT -r -h $HASH -c $CIPHER $file $MAP 2>&1) ret=$? [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue [ $ret -ne 0 ] && fail $CRYPTSETUP status $MAP >/dev/null || fail $CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP) $CRYPTSETUP remove $MAP || fail [ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed." echo " [OK]" done echo "ACTIVATION FS UUID (HIDDEN) CHECK" for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do echo -n " $file" get_HASH_CIPHER $file out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r -h $HASH -c $CIPHER $file $MAP --tcrypt-hidden 2>&1) ret=$? [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue [ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue [ $ret -ne 0 ] && fail UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP) $CRYPTSETUP remove $MAP || fail [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed." echo " [OK]" done remove_mapping exit 0