CRYPTSETUP_LIB_VALGRIND=../.libs
IMG=reenc-mangle-data
IMG_HDR=$IMG.hdr
+IMG_HDR_BCP=$IMG_HDR.bcp
IMG_JSON=$IMG.json
KEY1=key1
DEV_NAME=reenc3492834
function remove_mapping()
{
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
- rm -f $IMG $IMG_HDR $IMG_JSON $KEY1 >/dev/null 2>&1
+ rm -f $IMG $IMG_HDR $IMG_HDR_BCP $IMG_JSON $KEY1 >/dev/null 2>&1
}
function fail()
function bin_check()
{
- which $1 >/dev/null 2>&1 || skip "WARNING: test require $1 binary, test skipped."
+ command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
}
function img_json_save()
{
+ local _hdr=$IMG
+ [ -z "$1" ] || _hdr="$1"
# FIXME: why --json-file cannot be used?
- #$CRYPTSETUP luksDump --dump-json-metadata $IMG | jq -c -M | tr -d '\n' >$IMG_JSON
- local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096))
- _dd if=$IMG count=$LUKS2_JSON_SIZE skip=4096 | jq -c -M . | tr -d '\n' >$IMG_JSON
+ $CRYPTSETUP luksDump --dump-json-metadata $_hdr | jq -c -M . | tr -d '\n' >$IMG_JSON
}
function img_json_dump()
function img_prepare() # $1 options
{
img_prepare_raw
- # FIXME: resilience is not saved here (always none)?
$CRYPTSETUP reencrypt $IMG $CS_PARAMS -q --init-only --resilience none $1 >/dev/null 2>&1
[ $? -ne 0 ] && skip "Reencryption unsupported, test skipped."
img_json_save
# header mangle functions
function img_update_json()
{
+ local _hdr="$IMG"
local LUKS2_BIN1_OFFSET=448
local LUKS2_BIN2_OFFSET=$((LUKS2_BIN1_OFFSET + $JSON_MSIZE))
local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096))
echo $JSON | tr -d '\n' >$IMG_JSON || fail
fi
+ [ -z "$2" ] || _hdr="$2"
+
# wipe JSON areas
- _dd if=/dev/zero of=$IMG count=$LUKS2_JSON_SIZE seek=4096
- _dd if=/dev/zero of=$IMG count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
+ _dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=4096
+ _dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
# write JSON data
- _dd if=$IMG_JSON of=$IMG count=$LUKS2_JSON_SIZE seek=4096
- _dd if=$IMG_JSON of=$IMG count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
+ _dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=4096
+ _dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
# erase sha256 checksums
- _dd if=/dev/zero of=$IMG count=64 seek=$LUKS2_BIN1_OFFSET
- _dd if=/dev/zero of=$IMG count=64 seek=$LUKS2_BIN2_OFFSET
+ _dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN1_OFFSET
+ _dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN2_OFFSET
# calculate sha256 and write chexksums
- local SUM1_HEX=$(_dd if=$IMG count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
- echo $SUM1_HEX | xxd -r -p | _dd of=$IMG seek=$LUKS2_BIN1_OFFSET count=64 || fail
+ local SUM1_HEX=$(_dd if=$_hdr count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
+ echo $SUM1_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN1_OFFSET count=64 || fail
- local SUM2_HEX=$(_dd if=$IMG skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
- echo $SUM2_HEX | xxd -r -p | _dd of=$IMG seek=$LUKS2_BIN2_OFFSET count=64 || fail
+ local SUM2_HEX=$(_dd if=$_hdr skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
+ echo $SUM2_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN2_OFFSET count=64 || fail
img_hash_save
}
$CRYPTSETUP repair $IMG $CS_PARAMS || fail
}
+function img_check_dump_ok()
+{
+ $CRYPTSETUP luksDump $IMG >/dev/null || fail
+ img_check_fail
+}
+
function img_check_fail()
{
if [ $(id -u) == 0 ]; then
function img_run_reenc_ok()
{
-local EXPECT_TIMEOUT=5
-[ -n "$VALG" ] && EXPECT_TIMEOUT=60
-# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here.
-expect_run - >/dev/null <<EOF
-proc abort {} { send_error "Timeout. "; exit 2 }
-set timeout $EXPECT_TIMEOUT
-eval spawn $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --disable-locks --resilience none
-expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
-send "YES\n"
-expect timeout abort eof
-exit
-EOF
-[ $? -eq 0 ] || fail "Expect script failed."
+ $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt --resilience none || fail
+}
+
+function img_run_reenc_ok_data_shift()
+{
+ $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt || fail
}
function img_run_reenc_fail()
{
-local EXPECT_TIMEOUT=5
-[ -n "$VALG" ] && EXPECT_TIMEOUT=60
-# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here.
-expect_run - >/dev/null <<EOF
-proc abort {} { send_error "Timeout. "; exit 42 }
-set timeout $EXPECT_TIMEOUT
-eval spawn $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --disable-locks
-expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
-send "YES\n"
-expect timeout abort eof
-catch wait result
-exit [lindex \$result 3]
-EOF
-local ret=$?
-[ $ret -eq 0 ] && fail "Reencryption passed (should have failed)."
-[ $ret -eq 42 ] && fail "Expect script failed."
+$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --force-offline-reencrypt --disable-locks -q 2>/dev/null && fail "Reencryption passed (should have failed)."
img_hash_unchanged
}
-function img_check_fail_repair_ok()
+function img_check_fail_repair()
{
if [ $(id -u) == 0 ]; then
$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP repair $IMG $CS_PARAMS || fail
img_check_ok
+}
+
+function img_check_fail_repair_ok()
+{
+ img_check_fail_repair
img_run_reenc_ok
}
+function img_check_fail_repair_ok_data_shift()
+{
+ img_check_fail_repair
+ img_run_reenc_ok_data_shift
+}
+
function valgrind_setup()
{
bin_check valgrind
function valgrind_run()
{
- INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+ export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
+ $CRYPTSETUP_RAW "$@"
}
-function expect_run()
-{
- export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
- expect "$@"
-}
+[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
bin_check jq
bin_check sha256sum
bin_check xxd
-bin_check expect
export LANG=C
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
-#while false; do
-
echo "[1] Reencryption with old flag is rejected"
img_prepare
img_update_json '.config.requirements.mandatory = ["online-reencryptx"]'
img_update_json 'del(.digests."2") | .config.requirements.mandatory = ["online-reencrypt"]'
img_check_fail_repair_ok
+# Simulate future version of reencrypt flag (should pass luksDump)
+img_prepare
+img_update_json '.config.requirements.mandatory = ["online-reencrypt-v999"]'
+img_check_dump_ok
+
+# Multiple reencrypt requirement flags makes LUKS2 invalid
+img_prepare
+img_update_json '.config.requirements.mandatory = .config.requirements.mandatory + ["online-reencrypt-v999"]'
+img_check_fail
+
+img_prepare
+img_update_json '.config.requirements.mandatory = .config.requirements.mandatory + ["online-reencrypt"]'
+img_check_fail
+
+# just regular unknown requirement
+img_prepare
+img_update_json '.config.requirements.mandatory = .config.requirements.mandatory + ["online-reencrypt-v3X"]'
+img_check_dump_ok
+
# This must fail for new releases
echo "[2] Old reencryption in-progress (journal)"
img_prepare
.digests."0".segments = ["0","2"] |
.digests."1".segments = ["1","3"] |
.config.requirements.mandatory = ["online-reencrypt"]'
-img_check_fail_repair_ok
+img_check_fail_repair_ok_data_shift
#
# NEW metadata (with reenc digest)
img_update_json '.keyslots."2".area.shift_size = ((.keyslots."2".area.shift_size|tonumber / 2)|tostring)'
img_check_fail
-#FIXME: cannot check with correct digest for now (--init-only does not store area type)
img_prepare
img_update_json '
.keyslots."2".area.type = "checksum" |
}'
$CRYPTSETUP reencrypt $IMG $CS_PARAMS >/dev/null 2>&1 && fail
+echo "[9] Decryption with datashift"
+img_prepare_raw
+$CRYPTSETUP reencrypt $CS_PARAMS --decrypt --init-only --force-offline-reencrypt --resilience checksum --header $IMG_HDR $IMG || fail
+cp $IMG_HDR $IMG_HDR_BCP
+
+# change hash
+img_json_save $IMG_HDR_BCP
+img_update_json '.keyslots."1".area.hash = "sha12345"' $IMG_HDR
+$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail
+
+# change sector size
+img_json_save $IMG_HDR_BCP
+img_update_json '.keyslots."1".area.sector_size = 1024' $IMG_HDR
+$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail
+
+# replace with new resilience mode
+img_json_save $IMG_HDR_BCP
+img_update_json 'del(.keyslots."1".area.hash) |
+ del(.keyslots."1".sector_size) |
+ .keyslots."1".area.type = "datashift-journal"' $IMG_HDR
+$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail
+
+# downgrade reencryption requirement
+img_json_save $IMG_HDR_BCP
+img_update_json '.config.requirements.mandatory = ["online-reencrypt-v2"]' $IMG_HDR
+$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail
+
+# change datashift value
+img_json_save $IMG_HDR_BCP
+img_update_json '.keyslots."1".area.shift_size = (((.keyslots."1".area.shift_size | tonumber) - 4096) | tostring)' $IMG_HDR
+$CRYPTSETUP reencrypt --header $IMG_HDR $IMG $CS_PARAMS --force-offline-reencrypt 2>/dev/null && fail
+
remove_mapping
exit 0
projects / platform / upstream / cryptsetup.git / blobdiff