#!/usr/bin/env bash
#
# LUKS compatibility checks for cryptsetup, run against a vn-attached copy of
# compatimage.img.bz2.
#
# NOTE(review): every fixture below is a relative path or a fixed device node,
# and prepare() insists on root. The cases detach and reformat whatever is
# attached to $LOOPDEV and execute ./fileDiffer.py from the current directory,
# so run this only from a directory other users cannot write to, on a host
# where $LOOPDEV is free.

# Binary under test.
CRYPTSETUP="/sbin/cryptsetup"

# Device node the image is attached to, and the device-mapper names used for
# the opened volume and for the volume stacked on top of it.
LOOPDEV="/dev/vn1"
DEV_NAME="dummy"
DEV_NAME2="dummy2"

# Scratch files in the current directory; remove_mapping deletes all of them.
ORIG_IMG="luks-test-orig"
IMG="luks-test"
IMG1="luks-test1"
KEY1="key1"

# Region descriptors handed to ./fileDiffer.py through check(): a mode letter
# followed by a byte range. The case comments name the regions that have to
# change; how each letter is judged is defined in fileDiffer.py, which is not
# part of this file. The offsets line up with the LUKS1 on-disk header: fields
# up to the UUID in bytes 0-207, then 48-byte key slots starting at byte 208.
LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591"

# NOTE(review): the last range, S251-255, overlaps S248-251 at byte 251, while
# KEY_SLOT1 ends with the non-overlapping S300-303. This looks like a typo for
# S252-255 -- TODO confirm against fileDiffer.py before changing the value.
KEY_SLOT0="S208-211 S212-215 R216-247 S248-251 S251-255"
KEY_MATERIAL0="R4096-68096"
# NOTE(review): identical to KEY_MATERIAL0, whereas KEY_MATERIAL1_EXT switches
# the mode letter to S -- confirm the asymmetry is intended.
KEY_MATERIAL0_EXT="R4096-68096"

KEY_SLOT1="S256-259 S260-263 R264-295 S296-299 S300-303"
KEY_MATERIAL1="R69632-133632"
KEY_MATERIAL1_EXT="S69632-133632"
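#######################################
# Tear down whatever a test case may have left behind: both device-mapper
# mappings, the vn attachment and the scratch files.
# Globals:   DEV_NAME, DEV_NAME2, LOOPDEV, ORIG_IMG, IMG, IMG1, KEY1 (read)
# Arguments: none
# Returns:   status of the final rm
#######################################
remove_mapping() {
  # DEV_NAME2 is stacked on /dev/mapper/$DEV_NAME in case [13], so it is
  # removed first.
  [ -e "/dev/mapper/$DEV_NAME2" ] && dmsetup remove "$DEV_NAME2"
  [ -e "/dev/mapper/$DEV_NAME" ] && dmsetup remove "$DEV_NAME"

  # Best effort: the device may not be attached, so errors are discarded.
  vnconfig -u "$LOOPDEV" >/dev/null 2>&1
  # Linux equivalent: losetup -d $LOOPDEV >/dev/null 2>&1

  # Runs as root on relative paths: quote every name and end option parsing
  # so a value with whitespace or a leading '-' cannot widen what is deleted.
  rm -f -- "$ORIG_IMG" "$IMG" "$IMG1" "$KEY1" >/dev/null 2>&1
}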
#######################################
# Abort the test run: report the status of the command that triggered the
# failure, clean up, and exit with status 2.
# Arguments: none
# Outputs:   "last ret: <status>" and "FAILED" on stdout
#######################################
fail() {
  # Capture $? before any other command overwrites it. For `cmd || fail`
  # this is cmd's status; for `cmd && fail` it is 0.
  local last_status=$?

  echo "last ret: ${last_status}"
  remove_mapping
  echo "FAILED"
  exit 2
}
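#######################################
# Set up one test case: require root, drop a stale mapping, make sure the
# fixture key and the attached image exist, snapshot the image, and print
# the case title.
# Globals:   DEV_NAME, KEY1, IMG, ORIG_IMG, LOOPDEV (read)
# Arguments: $1 - case title
# Outputs:   "CASE: <title>" on stdout
# Returns:   does not return on error: exits 0 when not root (skipped),
#            exits 2 through fail when a fixture cannot be created
#######################################
prepare() {
  if [ "$(id -u)" != 0 ]; then
    echo "WARNING: You must be root to run this test, test skipped."
    exit 0
  fi

  # Best effort: a mapping left open by the previous case.
  [ -e "/dev/mapper/$DEV_NAME" ] && dmsetup remove "$DEV_NAME"

  # Fixture key file, 32 bytes of /dev/urandom. It is created with the
  # caller's umask, which is tolerable only because it is a throwaway key.
  if [ ! -e "$KEY1" ]; then
    dd if=/dev/urandom of="$KEY1" count=1 bs=32 >/dev/null 2>&1 || fail
  fi

  # The image is unpacked and attached once; later cases reuse it as the
  # previous case left it.
  if [ ! -e "$IMG" ]; then
    bzip2 -cd compatimage.img.bz2 > "$IMG" || fail
    # Best effort: detach whatever is currently on the device.
    vnconfig -u "$LOOPDEV" >/dev/null 2>&1
    # Stop here if the attach fails. Otherwise the luksFormat cases would run
    # against a $LOOPDEV that is not backed by the scratch image.
    vnconfig -S labels -T "$LOOPDEV" "$IMG" || fail
    # Linux equivalent:
    #   losetup -d $LOOPDEV >/dev/null 2>&1
    #   losetup $LOOPDEV $IMG
  fi

  # Reference copy that check() diffs the image against.
  cp "$IMG" "$ORIG_IMG" || fail

  echo "CASE: $1"
}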
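#######################################
# Compare the working image with the snapshot taken by prepare and abort
# the run if ./fileDiffer.py rejects the differences.
# Globals:   IMG, ORIG_IMG (read)
# Arguments: $1 - optional, space-separated list of region descriptors
# Returns:   0 when fileDiffer.py succeeds; otherwise fail exits with 2
#######################################
check() {
  # Flush pending writes before the image file is read back.
  sync
  sync
  sync

  # NOTE(review): ./fileDiffer.py is resolved in the current directory and
  # runs as root; keep that directory writable by root only.
  #
  # $1 stays unquoted on purpose: callers pass all descriptors as ONE string
  # and fileDiffer.py must receive them as separate arguments. An absent $1
  # expands to no argument at all. The image paths are quoted so only the
  # descriptor list is ever split.
  # shellcheck disable=SC2086
  ./fileDiffer.py "$IMG" "$ORIG_IMG" $1 || fail
}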
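#######################################
# Require that the mapping for $DEV_NAME exists, then run check.
# Globals:   DEV_NAME (read)
# Arguments: $1 - optional, space-separated list of region descriptors
# Returns:   status of check; fail exits with 2 when the mapping is missing
#######################################
check_exists() {
  [ -e "/dev/mapper/$DEV_NAME" ] || fail

  # Forward the descriptor list as one word. Unquoted, a multi-word list
  # would be split here and check would see only its first descriptor.
  check "$1"
}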
# LUKS tests
#
# The cases are cumulative. prepare() unpacks and attaches the image only
# when it is missing and otherwise just re-snapshots it, so each case starts
# from the state the previous one left on $LOOPDEV. Do not reorder them.
#
# All passphrases are fixture values and reach cryptsetup on stdin or through
# the fixture key file. `cmd || fail` is kept as written (not turned into
# `if ! cmd`) so that fail still reports cmd's own exit status. `cmd && fail`
# is a denial check: the command is expected to be refused.

prepare "[1] open - compat image - acceptance check"
printf '%s\n' "compatkey" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" || fail
check_exists

prepare "[2] open - compat image - denial check"
printf '%s\n' "wrongkey" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" && fail
check

# All header items and the first key material section must change
prepare "[3] format"
printf '%s\n' "key0" \
  | "$CRYPTSETUP" -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat "$LOOPDEV" || fail
check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"

prepare "[4] format using hash sha512"
printf '%s\n' "key0" \
  | "$CRYPTSETUP" -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat "$LOOPDEV" || fail
check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"

prepare "[5] open"
printf '%s\n' "key0" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" || fail
check_exists

# Key slot 1 and key material section 1 must change, the rest must not.
prepare "[6] add key"
printf '%s\n' "key0" "key1" | "$CRYPTSETUP" luksAddKey "$LOOPDEV" || fail
check "$KEY_SLOT1 $KEY_MATERIAL1"
printf '%s\n' "key1" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" || fail

# Unsuccessful key delete - nothing may change
prepare "[7] unsuccessful delete"
printf '%s\n' "invalid" | "$CRYPTSETUP" luksDelKey "$LOOPDEV" 1 && fail
check

# Delete key test
# Key slot 1 and key material section 1 must change, the rest must not.
# Afterwards key1 must be refused and key0 must still open the volume.
prepare "[8] successful delete"
"$CRYPTSETUP" -q luksDelKey "$LOOPDEV" 1 || fail
check "$KEY_SLOT1 $KEY_MATERIAL1_EXT"
printf '%s\n' "key1" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" && fail
printf '%s\n' "key0" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" || fail

# Key slot 1 and key material section 1 must change, the rest must not.
prepare "[9] add key test for key files"
printf '%s\n' "key0" | "$CRYPTSETUP" luksAddKey "$LOOPDEV" "$KEY1" || fail
check "$KEY_SLOT1 $KEY_MATERIAL1"
"$CRYPTSETUP" -d "$KEY1" luksOpen "$LOOPDEV" "$DEV_NAME" || fail

# Key slot 0 and key material section 0 are the regions checked here.
# Afterwards key0 must be refused and the key file must still open the volume.
prepare "[10] delete key test with key1 as remaining key"
"$CRYPTSETUP" -d "$KEY1" luksDelKey "$LOOPDEV" 0 || fail
check "$KEY_SLOT0 $KEY_MATERIAL0_EXT"
printf '%s\n' "key0" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" && fail
"$CRYPTSETUP" luksOpen -d "$KEY1" "$LOOPDEV" "$DEV_NAME" || fail

# Delete last slot: once the only slot is gone, key0 must no longer open it.
prepare "[11] delete last key"
printf '%s\n' "key0" | "$CRYPTSETUP" luksFormat "$LOOPDEV" || fail
printf '%s\n' "key0" | "$CRYPTSETUP" luksKillSlot "$LOOPDEV" 0 || fail
printf '%s\n' "key0" | "$CRYPTSETUP" luksOpen "$LOOPDEV" "$DEV_NAME" && fail

# Format test for ESSIV, and some other parameters.
prepare "[12] parameter variation test"
"$CRYPTSETUP" -q -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat "$LOOPDEV" "$KEY1" || fail
check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
"$CRYPTSETUP" -d "$KEY1" luksOpen "$LOOPDEV" "$DEV_NAME" || fail

# A LUKS volume formatted and opened on top of an already opened one; closed
# in reverse order.
prepare "[13] open/close - stacked devices"
printf '%s\n' "key0" | "$CRYPTSETUP" -q luksFormat "$LOOPDEV" || fail
printf '%s\n' "key0" | "$CRYPTSETUP" -q luksOpen "$LOOPDEV" "$DEV_NAME" || fail
printf '%s\n' "key0" | "$CRYPTSETUP" -q luksFormat "/dev/mapper/$DEV_NAME" || fail
printf '%s\n' "key0" | "$CRYPTSETUP" -q luksOpen "/dev/mapper/$DEV_NAME" "$DEV_NAME2" || fail
"$CRYPTSETUP" -q luksClose "$DEV_NAME2" || fail
"$CRYPTSETUP" -q luksClose "$DEV_NAME" || fail

prepare "[14] format/open - passphrase on stdin & new line"
# stdin selected with "-" must take the whole input, embedded newline included
printf '%s' $'foo\nbar' | "$CRYPTSETUP" -q luksFormat "$LOOPDEV" - || fail
printf '%s' $'foo\nbar' | "$CRYPTSETUP" -q --key-file=- luksOpen "$LOOPDEV" "$DEV_NAME" || fail
"$CRYPTSETUP" -q luksClose "$DEV_NAME" || fail
# the same bytes read as an ordinary stdin passphrase must be refused
printf '%s' $'foo\nbar' | "$CRYPTSETUP" -q luksOpen "$LOOPDEV" "$DEV_NAME" && fail
# now also try --key-file
printf '%s' $'foo\nbar' | "$CRYPTSETUP" -q luksFormat "$LOOPDEV" --key-file=- || fail
printf '%s' $'foo\nbar' | "$CRYPTSETUP" -q --key-file=- luksOpen "$LOOPDEV" "$DEV_NAME" || fail
"$CRYPTSETUP" -q luksClose "$DEV_NAME" || fail
# an ordinary stdin passphrase ends at the newline, so "foo" alone must open it
printf '%s' $'foo\nbar' | "$CRYPTSETUP" -q luksFormat "$LOOPDEV" || fail
printf '%s\n' 'foo' | "$CRYPTSETUP" -q luksOpen "$LOOPDEV" "$DEV_NAME" || fail
"$CRYPTSETUP" -q luksClose "$DEV_NAME" || fail

remove_mapping
exit 0