1 /* 2 * cryptsetup library API check functions 3 * 4 * Copyright (C) 2009 Red Hat, Inc. All rights reserved. 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * version 2 as published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program; if not, write to the Free Software 17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 */ 19 20 #include <stdio.h> 21 #include <stdlib.h> 22 #include <string.h> 23 #include <unistd.h> 24 #include <fcntl.h> 25 #include <linux/fs.h> 26 #include <errno.h> 27 #include <sys/stat.h> 28 #include <sys/ioctl.h> 29 30 #include "libcryptsetup.h" 31 32 #define DMDIR "/dev/mapper/" 33 34 #define DEVICE_1 "/dev/loop5" 35 #define DEVICE_1_UUID "28632274-8c8a-493f-835b-da802e1c576b" 36 #define DEVICE_2 "/dev/loop6" 37 #define DEVICE_EMPTY_name "crypt_zero" 38 #define DEVICE_EMPTY DMDIR DEVICE_EMPTY_name 39 #define DEVICE_ERROR_name "crypt_error" 40 #define DEVICE_ERROR DMDIR DEVICE_ERROR_name 41 42 #define CDEVICE_1 "ctest1" 43 #define CDEVICE_2 "ctest2" 44 #define CDEVICE_WRONG "O_o" 45 46 #define IMAGE1 "compatimage.img" 47 #define IMAGE_EMPTY "empty.img" 48 49 #define KEYFILE1 "key1.file" 50 #define KEY1 "compatkey" 51 52 #define KEYFILE2 "key2.file" 53 #define KEY2 "0123456789abcdef" 54 55 static int _debug = 0; 56 static int _verbose = 1; 57 58 static char global_log[4096]; 59 static int global_lines = 0; 60 61 static int gcrypt_compatible = 0; 62 63 // Helpers 64 static int _prepare_keyfile(const char *name, const char *passphrase) 65 { 66 int fd, r; 67 68 fd = open(name, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR); 69 if (fd != -1) { 70 r = write(fd, passphrase, strlen(passphrase)); 71 close(fd); 72 } else 73 r = 0; 74 75 return r == strlen(passphrase) ? 0 : 1; 76 } 77 78 static void _remove_keyfiles(void) 79 { 80 remove(KEYFILE1); 81 remove(KEYFILE2); 82 } 83 84 // Decode key from its hex representation 85 static int crypt_decode_key(char *key, char *hex, unsigned int size) 86 { 87 char buffer[3]; 88 char *endp; 89 unsigned int i; 90 91 buffer[2] = '\0'; 92 93 for (i = 0; i < size; i++) { 94 buffer[0] = *hex++; 95 buffer[1] = *hex++; 96 97 key[i] = (unsigned char)strtoul(buffer, &endp, 16); 98 99 if (endp != &buffer[2]) 100 return -1; 101 } 102 103 if (*hex != '\0') 104 return -1; 105 106 return 0; 107 } 108 109 static int yesDialog(char *msg) 110 { 111 return 1; 112 } 113 114 static void cmdLineLog(int level, char *msg) 115 { 116 strncat(global_log, msg, sizeof(global_log) - strlen(global_log)); 117 global_lines++; 118 } 119 120 static void new_log(int level, const char *msg, void *usrptr) 121 { 122 cmdLineLog(level, (char*)msg); 123 } 124 125 126 static void reset_log() 127 { 128 memset(global_log, 0, sizeof(global_log)); 129 global_lines = 0; 130 } 131 132 static struct interface_callbacks cmd_icb = { 133 .yesDialog = yesDialog, 134 .log = cmdLineLog, 135 }; 136 137 static void _cleanup(void) 138 { 139 int r; 140 struct stat st; 141 142 //r = system("udevadm settle"); 143 144 if (!stat(DMDIR CDEVICE_1, &st)) 145 r = system("dmsetup remove " CDEVICE_1); 146 147 if (!stat(DMDIR CDEVICE_2, &st)) 148 r = system("dmsetup remove " CDEVICE_2); 149 150 if (!stat(DEVICE_EMPTY, &st)) 151 r = system("dmsetup remove " DEVICE_EMPTY_name); 152 153 if (!stat(DEVICE_ERROR, &st)) 154 r = system("dmsetup remove " DEVICE_ERROR_name); 155 156 if (!strncmp("/dev/loop", DEVICE_1, 9)) 157 r = system("losetup -d " DEVICE_1); 158 159 if (!strncmp("/dev/loop", DEVICE_2, 9)) 160 r = system("losetup -d " DEVICE_2); 161 162 r = system("rm -f " IMAGE_EMPTY); 163 _remove_keyfiles(); 164 } 165 166 static void _setup(void) 167 { 168 int r; 169 170 r = system("dmsetup create " DEVICE_EMPTY_name " --table \"0 10000 zero\""); 171 r = system("dmsetup create " DEVICE_ERROR_name " --table \"0 10000 error\""); 172 if (!strncmp("/dev/loop", DEVICE_1, 9)) { 173 r = system(" [ ! -e " IMAGE1 " ] && bzip2 -dk " IMAGE1 ".bz2"); 174 r = system("losetup " DEVICE_1 " " IMAGE1); 175 } 176 if (!strncmp("/dev/loop", DEVICE_2, 9)) { 177 r = system("dd if=/dev/zero of=" IMAGE_EMPTY " bs=1M count=4"); 178 r = system("losetup " DEVICE_2 " " IMAGE_EMPTY); 179 } 180 181 } 182 183 void check_ok(int status, int line, const char *func) 184 { 185 char buf[256]; 186 187 if (status) { 188 crypt_get_error(buf, sizeof(buf)); 189 printf("FAIL line %d [%s]: code %d, %s\n", line, func, status, buf); 190 _cleanup(); 191 exit(-1); 192 } 193 } 194 195 void check_ko(int status, int line, const char *func) 196 { 197 char buf[256]; 198 199 memset(buf, 0, sizeof(buf)); 200 crypt_get_error(buf, sizeof(buf)); 201 if (status >= 0) { 202 printf("FAIL line %d [%s]: code %d, %s\n", line, func, status, buf); 203 _cleanup(); 204 exit(-1); 205 } else if (_verbose) 206 printf(" => errno %d, errmsg: %s\n", status, buf); 207 } 208 209 void check_equal(int line, const char *func) 210 { 211 printf("FAIL line %d [%s]: expected equal values differs.\n", line, func); 212 _cleanup(); 213 exit(-1); 214 } 215 216 void xlog(const char *msg, const char *tst, const char *func, int line, const char *txt) 217 { 218 if (_verbose) { 219 if (txt) 220 printf(" [%s,%s:%d] %s [%s]\n", msg, func, line, tst, txt); 221 else 222 printf(" [%s,%s:%d] %s\n", msg, func, line, tst); 223 } 224 } 225 #define OK_(x) do { xlog("(success)", #x, __FUNCTION__, __LINE__, NULL); \ 226 check_ok((x), __LINE__, __FUNCTION__); \ 227 } while(0) 228 #define FAIL_(x, y) do { xlog("(fail) ", #x, __FUNCTION__, __LINE__, y); \ 229 check_ko((x), __LINE__, __FUNCTION__); \ 230 } while(0) 231 #define EQ_(x, y) do { xlog("(equal) ", #x " == " #y, __FUNCTION__, __LINE__, NULL); \ 232 if ((x) != (y)) check_equal(__LINE__, __FUNCTION__); \ 233 } while(0) 234 235 #define RUN_(x, y) do { printf("%s: %s\n", #x, (y)); x(); } while (0) 236 237 // OLD API TESTS 238 static void LuksUUID(void) 239 { 240 struct crypt_options co = { .icb = &cmd_icb }; 241 242 co.device = DEVICE_EMPTY; 243 EQ_(crypt_luksUUID(&co), -EINVAL); 244 245 co.device = DEVICE_ERROR; 246 EQ_(crypt_luksUUID(&co), -EINVAL); 247 248 reset_log(); 249 co.device = DEVICE_1; 250 OK_(crypt_luksUUID(&co)); 251 EQ_(strlen(global_log), 37); /* UUID + "\n" */ 252 EQ_(strncmp(global_log, DEVICE_1_UUID, strlen(DEVICE_1_UUID)), 0); 253 254 } 255 256 static void IsLuks(void) 257 { 258 struct crypt_options co = { .icb = &cmd_icb }; 259 260 co.device = DEVICE_EMPTY; 261 EQ_(crypt_isLuks(&co), -EINVAL); 262 263 co.device = DEVICE_ERROR; 264 EQ_(crypt_isLuks(&co), -EINVAL); 265 266 co.device = DEVICE_1; 267 OK_(crypt_isLuks(&co)); 268 } 269 270 static void LuksOpen(void) 271 { 272 struct crypt_options co = { 273 .name = CDEVICE_1, 274 //.passphrase = "blabla", 275 .icb = &cmd_icb, 276 }; 277 278 OK_(_prepare_keyfile(KEYFILE1, KEY1)); 279 co.key_file = KEYFILE1; 280 281 co.device = DEVICE_EMPTY; 282 EQ_(crypt_luksOpen(&co), -EINVAL); 283 284 co.device = DEVICE_ERROR; 285 EQ_(crypt_luksOpen(&co), -EINVAL); 286 287 co.device = DEVICE_1; 288 OK_(crypt_luksOpen(&co)); 289 FAIL_(crypt_luksOpen(&co), "already open"); 290 291 _remove_keyfiles(); 292 } 293 294 static void query_device(void) 295 { 296 struct crypt_options co = {. icb = &cmd_icb }; 297 298 co.name = CDEVICE_WRONG; 299 EQ_(crypt_query_device(&co), 0); 300 301 co.name = CDEVICE_1; 302 EQ_(crypt_query_device(&co), 1); 303 304 OK_(strncmp(crypt_get_dir(), DMDIR, 11)); 305 OK_(strcmp(co.cipher, "aes-cbc-essiv:sha256")); 306 EQ_(co.key_size, 16); 307 EQ_(co.offset, 1032); 308 EQ_(co.flags & CRYPT_FLAG_READONLY, 0); 309 EQ_(co.skip, 0); 310 crypt_put_options(&co); 311 } 312 313 static void remove_device(void) 314 { 315 int fd; 316 struct crypt_options co = {. icb = &cmd_icb }; 317 318 co.name = CDEVICE_WRONG; 319 EQ_(crypt_remove_device(&co), -ENODEV); 320 321 fd = open(DMDIR CDEVICE_1, O_RDONLY); 322 co.name = CDEVICE_1; 323 FAIL_(crypt_remove_device(&co), "device busy"); 324 close(fd); 325 326 OK_(crypt_remove_device(&co)); 327 } 328 329 static void LuksFormat(void) 330 { 331 struct crypt_options co = { 332 .device = DEVICE_2, 333 .key_size = 256 / 8, 334 .key_slot = -1, 335 .cipher = "aes-cbc-essiv:sha256", 336 .hash = "sha1", 337 .flags = 0, 338 .iteration_time = 10, 339 .align_payload = 0, 340 .icb = &cmd_icb, 341 }; 342 343 OK_(_prepare_keyfile(KEYFILE1, KEY1)); 344 345 co.new_key_file = KEYFILE1; 346 co.device = DEVICE_ERROR; 347 FAIL_(crypt_luksFormat(&co), "error device"); 348 349 co.device = DEVICE_2; 350 OK_(crypt_luksFormat(&co)); 351 352 co.new_key_file = NULL; 353 co.key_file = KEYFILE1; 354 co.name = CDEVICE_2; 355 OK_(crypt_luksOpen(&co)); 356 OK_(crypt_remove_device(&co)); 357 _remove_keyfiles(); 358 } 359 360 static void LuksKeyGame(void) 361 { 362 int i; 363 struct crypt_options co = { 364 .device = DEVICE_2, 365 .key_size = 256 / 8, 366 .key_slot = -1, 367 .cipher = "aes-cbc-essiv:sha256", 368 .hash = "sha1", 369 .flags = 0, 370 .iteration_time = 10, 371 .align_payload = 0, 372 .icb = &cmd_icb, 373 }; 374 375 OK_(_prepare_keyfile(KEYFILE1, KEY1)); 376 OK_(_prepare_keyfile(KEYFILE2, KEY2)); 377 378 co.new_key_file = KEYFILE1; 379 co.device = DEVICE_2; 380 co.key_slot = 8; 381 FAIL_(crypt_luksFormat(&co), "wrong slot #"); 382 383 co.key_slot = 7; // last slot 384 OK_(crypt_luksFormat(&co)); 385 386 co.new_key_file = KEYFILE1; 387 co.key_file = KEYFILE1; 388 co.key_slot = 8; 389 FAIL_(crypt_luksAddKey(&co), "wrong slot #"); 390 co.key_slot = 7; 391 FAIL_(crypt_luksAddKey(&co), "slot already used"); 392 393 co.key_slot = 6; 394 OK_(crypt_luksAddKey(&co)); 395 396 co.key_file = KEYFILE2 "blah"; 397 co.key_slot = 5; 398 FAIL_(crypt_luksAddKey(&co), "keyfile not found"); 399 400 co.new_key_file = KEYFILE2; // key to add 401 co.key_file = KEYFILE1; 402 co.key_slot = -1; 403 for (i = 0; i < 6; i++) 404 OK_(crypt_luksAddKey(&co)); //FIXME: EQ_(i)? 405 406 FAIL_(crypt_luksAddKey(&co), "all slots full"); 407 408 // REMOVE KEY 409 co.new_key_file = KEYFILE1; // key to remove 410 co.key_file = NULL; 411 co.key_slot = 8; // should be ignored 412 // only 2 slots should use KEYFILE1 413 OK_(crypt_luksRemoveKey(&co)); 414 OK_(crypt_luksRemoveKey(&co)); 415 FAIL_(crypt_luksRemoveKey(&co), "no slot with this passphrase"); 416 417 co.new_key_file = KEYFILE2 "blah"; 418 co.key_file = NULL; 419 FAIL_(crypt_luksRemoveKey(&co), "keyfile not found"); 420 421 // KILL SLOT 422 co.new_key_file = NULL; 423 co.key_file = NULL; 424 co.key_slot = 8; 425 FAIL_(crypt_luksKillSlot(&co), "wrong slot #"); 426 co.key_slot = 7; 427 FAIL_(crypt_luksKillSlot(&co), "slot already wiped"); 428 429 co.key_slot = 5; 430 OK_(crypt_luksKillSlot(&co)); 431 432 _remove_keyfiles(); 433 } 434 435 size_t _get_device_size(const char *device) 436 { 437 unsigned long size = 0; 438 int fd; 439 440 fd = open(device, O_RDONLY); 441 if (fd == -1) 442 return 0; 443 (void)ioctl(fd, BLKGETSIZE, &size); 444 close(fd); 445 446 return size; 447 } 448 449 void DeviceResizeGame(void) 450 { 451 size_t orig_size; 452 struct crypt_options co = { 453 .name = CDEVICE_2, 454 .device = DEVICE_2, 455 .key_size = 128 / 8, 456 .cipher = "aes-cbc-plain", 457 .hash = "sha1", 458 .offset = 333, 459 .skip = 0, 460 .icb = &cmd_icb, 461 }; 462 463 orig_size = _get_device_size(DEVICE_2); 464 465 OK_(_prepare_keyfile(KEYFILE2, KEY2)); 466 467 co.key_file = KEYFILE2; 468 co.size = 1000; 469 OK_(crypt_create_device(&co)); 470 EQ_(_get_device_size(DMDIR CDEVICE_2), 1000); 471 472 co.size = 2000; 473 OK_(crypt_resize_device(&co)); 474 EQ_(_get_device_size(DMDIR CDEVICE_2), 2000); 475 476 co.size = 0; 477 OK_(crypt_resize_device(&co)); 478 EQ_(_get_device_size(DMDIR CDEVICE_2), (orig_size - 333)); 479 co.size = 0; 480 co.offset = 444; 481 co.skip = 555; 482 co.cipher = "aes-cbc-essiv:sha256"; 483 OK_(crypt_update_device(&co)); 484 EQ_(_get_device_size(DMDIR CDEVICE_2), (orig_size - 444)); 485 486 memset(&co, 0, sizeof(co)); 487 co.icb = &cmd_icb, 488 co.name = CDEVICE_2; 489 EQ_(crypt_query_device(&co), 1); 490 EQ_(strcmp(co.cipher, "aes-cbc-essiv:sha256"), 0); 491 EQ_(co.key_size, 128 / 8); 492 EQ_(co.offset, 444); 493 EQ_(co.skip, 555); 494 crypt_put_options(&co); 495 496 // dangerous switch device still works 497 memset(&co, 0, sizeof(co)); 498 co.name = CDEVICE_2, 499 co.device = DEVICE_1; 500 co.key_file = KEYFILE2; 501 co.key_size = 128 / 8; 502 co.cipher = "aes-cbc-plain"; 503 co.hash = "sha1"; 504 co.icb = &cmd_icb; 505 OK_(crypt_update_device(&co)); 506 507 memset(&co, 0, sizeof(co)); 508 co.icb = &cmd_icb, 509 co.name = CDEVICE_2; 510 EQ_(crypt_query_device(&co), 1); 511 EQ_(strcmp(co.cipher, "aes-cbc-plain"), 0); 512 EQ_(co.key_size, 128 / 8); 513 EQ_(co.offset, 0); 514 EQ_(co.skip, 0); 515 // This expect lookup returns prefered /dev/loopX 516 EQ_(strcmp(co.device, DEVICE_1), 0); 517 crypt_put_options(&co); 518 519 memset(&co, 0, sizeof(co)); 520 co.icb = &cmd_icb, 521 co.name = CDEVICE_2; 522 OK_(crypt_remove_device(&co)); 523 524 _remove_keyfiles(); 525 } 526 527 // NEW API tests 528 529 static void AddDevicePlain(void) 530 { 531 struct crypt_device *cd; 532 struct crypt_params_plain params = { 533 .hash = "sha1", 534 .skip = 0, 535 .offset = 0, 536 }; 537 int fd; 538 char key[128], key2[128], path[128]; 539 540 char *passphrase = "blabla"; 541 char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; 542 size_t key_size = strlen(mk_hex) / 2; 543 char *cipher = "aes"; 544 char *cipher_mode = "cbc-essiv:sha256"; 545 546 crypt_decode_key(key, mk_hex, key_size); 547 548 FAIL_(crypt_init(&cd, ""), "empty device string"); 549 550 // default is "plain" hash - no password hash 551 OK_(crypt_init(&cd, DEVICE_1)); 552 OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, NULL)); 553 OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)); 554 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); 555 // FIXME: this should get key from active device? 556 //OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase))); 557 //OK_(memcmp(key, key2, key_size)); 558 OK_(crypt_deactivate(cd, CDEVICE_1)); 559 crypt_free(cd); 560 561 // Now use hashed password 562 OK_(crypt_init(&cd, DEVICE_1)); 563 OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, ¶ms)); 564 OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0)); 565 566 // device status check 567 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); 568 snprintf(path, sizeof(path), "%s/%s", crypt_get_dir(), CDEVICE_1); 569 fd = open(path, O_RDONLY); 570 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_BUSY); 571 FAIL_(crypt_deactivate(cd, CDEVICE_1), "Device is busy"); 572 close(fd); 573 OK_(crypt_deactivate(cd, CDEVICE_1)); 574 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE); 575 576 OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)); 577 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); 578 579 // retrieve volume key check 580 memset(key2, 0, key_size); 581 key_size--; 582 // small buffer 583 FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer"); 584 key_size++; 585 OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase))); 586 587 OK_(memcmp(key, key2, key_size)); 588 OK_(strcmp(cipher, crypt_get_cipher(cd))); 589 OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd))); 590 EQ_(key_size, crypt_get_volume_key_size(cd)); 591 EQ_(0, crypt_get_data_offset(cd)); 592 OK_(crypt_deactivate(cd, CDEVICE_1)); 593 crypt_free(cd); 594 } 595 596 static void UseLuksDevice(void) 597 { 598 struct crypt_device *cd; 599 char key[128]; 600 size_t key_size; 601 602 OK_(crypt_init(&cd, DEVICE_1)); 603 OK_(crypt_load(cd, CRYPT_LUKS1, NULL)); 604 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE); 605 OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0)); 606 FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0), "already open"); 607 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); 608 OK_(crypt_deactivate(cd, CDEVICE_1)); 609 FAIL_(crypt_deactivate(cd, CDEVICE_1), "no such device"); 610 611 key_size = 16; 612 OK_(strcmp("aes", crypt_get_cipher(cd))); 613 OK_(strcmp("cbc-essiv:sha256", crypt_get_cipher_mode(cd))); 614 OK_(strcmp(DEVICE_1_UUID, crypt_get_uuid(cd))); 615 EQ_(key_size, crypt_get_volume_key_size(cd)); 616 EQ_(1032, crypt_get_data_offset(cd)); 617 618 EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1))); 619 OK_(crypt_volume_key_verify(cd, key, key_size)); 620 OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)); 621 EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); 622 OK_(crypt_deactivate(cd, CDEVICE_1)); 623 624 key[1] = ~key[1]; 625 FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch"); 626 FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch"); 627 crypt_free(cd); 628 } 629 630 static void SuspendDevice(void) 631 { 632 int suspend_status; 633 struct crypt_device *cd; 634 635 OK_(crypt_init(&cd, DEVICE_1)); 636 OK_(crypt_load(cd, CRYPT_LUKS1, NULL)); 637 OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0)); 638 639 suspend_status = crypt_suspend(cd, CDEVICE_1); 640 if (suspend_status == -ENOTSUP) { 641 printf("WARNING: Suspend/Resume not supported, skipping test.\n"); 642 goto out; 643 } 644 OK_(suspend_status); 645 FAIL_(crypt_suspend(cd, CDEVICE_1), "already suspended"); 646 647 FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)-1), "wrong key"); 648 OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1))); 649 FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)), "not suspended"); 650 651 OK_(_prepare_keyfile(KEYFILE1, KEY1)); 652 OK_(crypt_suspend(cd, CDEVICE_1)); 653 FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1 "blah", 0), "wrong keyfile"); 654 OK_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0)); 655 FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0), "not suspended"); 656 _remove_keyfiles(); 657 out: 658 OK_(crypt_deactivate(cd, CDEVICE_1)); 659 crypt_free(cd); 660 } 661 662 static void AddDeviceLuks(void) 663 { 664 struct crypt_device *cd; 665 struct crypt_params_luks1 params = { 666 .hash = "sha512", 667 .data_alignment = 2048, // 4M, data offset will be 4096 668 }; 669 char key[128], key2[128]; 670 671 char *passphrase = "blabla"; 672 char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; 673 size_t key_size = strlen(mk_hex) / 2; 674 char *cipher = "aes"; 675 char *cipher_mode = "cbc-essiv:sha256"; 676 677 crypt_decode_key(key, mk_hex, key_size); 678 679 OK_(crypt_init(&cd, DEVICE_2)); 680 OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms)); 681 682 // even with no keyslots defined it can be activated by volume key 683 OK_(crypt_volume_key_verify(cd, key, key_size)); 684 OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0)); 685 EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE); 686 OK_(crypt_deactivate(cd, CDEVICE_2)); 687 688 // now with keyslot 689 EQ_(7, crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase))); 690 EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 7)); 691 EQ_(7, crypt_activate_by_passphrase(cd, CDEVICE_2, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0)); 692 EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE); 693 OK_(crypt_deactivate(cd, CDEVICE_2)); 694 695 FAIL_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), "slot used"); 696 key[1] = ~key[1]; 697 FAIL_(crypt_keyslot_add_by_volume_key(cd, 6, key, key_size, passphrase, strlen(passphrase)), "key mismatch"); 698 key[1] = ~key[1]; 699 EQ_(6, crypt_keyslot_add_by_volume_key(cd, 6, key, key_size, passphrase, strlen(passphrase))); 700 EQ_(CRYPT_SLOT_ACTIVE, crypt_keyslot_status(cd, 6)); 701 702 FAIL_(crypt_keyslot_destroy(cd, 8), "invalid keyslot"); 703 FAIL_(crypt_keyslot_destroy(cd, CRYPT_ANY_SLOT), "invalid keyslot"); 704 FAIL_(crypt_keyslot_destroy(cd, 0), "keyslot not used"); 705 OK_(crypt_keyslot_destroy(cd, 7)); 706 EQ_(CRYPT_SLOT_INACTIVE, crypt_keyslot_status(cd, 7)); 707 EQ_(CRYPT_SLOT_ACTIVE_LAST, crypt_keyslot_status(cd, 6)); 708 709 EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase))); 710 OK_(crypt_volume_key_verify(cd, key2, key_size)); 711 712 OK_(memcmp(key, key2, key_size)); 713 OK_(strcmp(cipher, crypt_get_cipher(cd))); 714 OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd))); 715 EQ_(key_size, crypt_get_volume_key_size(cd)); 716 EQ_(4096, crypt_get_data_offset(cd)); 717 718 reset_log(); 719 crypt_set_log_callback(cd, &new_log, NULL); 720 OK_(crypt_dump(cd)); 721 OK_(!(global_lines != 0)); 722 crypt_set_log_callback(cd, NULL, NULL); 723 reset_log(); 724 725 FAIL_(crypt_deactivate(cd, CDEVICE_2), "not active"); 726 crypt_free(cd); 727 } 728 729 // Check that gcrypt is properly initialised in format 730 static void NonFIPSAlg(void) 731 { 732 struct crypt_device *cd; 733 struct crypt_params_luks1 params = { 734 .hash = "whirlpool", 735 }; 736 char key[128] = ""; 737 size_t key_size = 128; 738 char *cipher = "aes"; 739 char *cipher_mode = "cbc-essiv:sha256"; 740 741 if (!gcrypt_compatible) { 742 printf("WARNING: old libgcrypt, skipping test.\n"); 743 return; 744 } 745 OK_(crypt_init(&cd, DEVICE_2)); 746 OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, ¶ms)); 747 crypt_free(cd); 748 } 749 750 751 static void _gcrypt_compatible() 752 { 753 int maj, min, patch; 754 FILE *f; 755 756 if (!(f = popen("libgcrypt-config --version", "r"))) 757 return; 758 759 if (fscanf(f, "%d.%d.%d", &maj, &min, &patch) == 3 && 760 maj >= 1 && min >= 4) 761 gcrypt_compatible = 1; 762 if (_debug) 763 printf("libgcrypt version %d.%d.%d detected.\n", maj, min, patch); 764 765 (void)fclose(f); 766 return; 767 } 768 769 int main (int argc, char *argv[]) 770 { 771 int i; 772 773 if (getuid() != 0) { 774 printf("You must be root to run this test.\n"); 775 exit(0); 776 } 777 778 for (i = 1; i < argc; i++) { 779 if (!strcmp("-v", argv[i]) || !strcmp("--verbose", argv[i])) 780 _verbose = 1; 781 else if (!strcmp("--debug", argv[i])) 782 _debug = _verbose = 1; 783 } 784 785 _cleanup(); 786 _setup(); 787 _gcrypt_compatible(); 788 789 crypt_set_debug_level(_debug ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE); 790 791 RUN_(NonFIPSAlg, "Crypto is properly initialised in format"); //must be the first! 792 RUN_(LuksUUID, "luksUUID API call"); 793 RUN_(IsLuks, "isLuks API call"); 794 RUN_(LuksOpen, "luksOpen API call"); 795 RUN_(query_device, "crypt_query_device API call"); 796 RUN_(remove_device, "crypt_remove_device API call"); 797 RUN_(LuksFormat, "luksFormat API call"); 798 RUN_(LuksKeyGame, "luksAddKey, RemoveKey, KillSlot API calls"); 799 RUN_(DeviceResizeGame, "regular crypto, resize calls"); 800 801 RUN_(AddDevicePlain, "plain device API creation exercise"); 802 RUN_(AddDeviceLuks, "Format and use LUKS device"); 803 RUN_(UseLuksDevice, "Use pre-formated LUKS device"); 804 RUN_(SuspendDevice, "Suspend/Resume test"); 805 806 _cleanup(); 807 return 0; 808 } 809