From b7cf60f2298e442ea3a0241ec8a27662d9422b8f Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Fri, 11 Oct 2024 15:06:43 +0200 Subject: [PATCH] Add regression test for decryption with datashift. Test if decryption works when default segment is assigned to volume key with digest id set to non zero value. --- tests/luks2-reencryption-test | 69 ++++++++++++++++++++++++++++++++++- 1 file changed, 68 insertions(+), 1 deletion(-) diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test index 9c13cd27c..4e6a7f265 100755 --- a/tests/luks2-reencryption-test +++ b/tests/luks2-reencryption-test @@ -37,6 +37,8 @@ KEY_NAME2="luks2-reencryption-test2" KEY_SPEC1="${KEYRING}::%${KEY_TYPE}:${KEY_NAME1}" KEY_SPEC2="${KEYRING}::%${KEY_TYPE}:${KEY_NAME2}" HAVE_KEYRING=0 +JSON_MSIZE=16384 +IMG_JSON=luks2-digest-1.json FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) @@ -111,7 +113,7 @@ function remove_mapping() [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV unset LOOPDEV - rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1 + rm -f $IMG $IMG_JSON $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1 rmmod scsi_debug >/dev/null 2>&1 scsi_debug_teardown $DEV } @@ -901,6 +903,57 @@ function bin_check() command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped." } +function _dd() +{ + dd $@ status=none conv=notrunc bs=1 +} + +function img_json_save() +{ + local _hdr=$IMG + [ -z "$1" ] || _hdr="$1" + # FIXME: why --json-file cannot be used? + $CRYPTSETUP luksDump --dump-json-metadata $_hdr | jq -c -M . | tr -d '\n' >$IMG_JSON +} + +# header mangle functions +function img_update_json() +{ + local _hdr="$IMG" + local LUKS2_BIN1_OFFSET=448 + local LUKS2_BIN2_OFFSET=$((LUKS2_BIN1_OFFSET + $JSON_MSIZE)) + local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096)) + + # if present jq script, mangle JSON + if [ -n "$1" ]; then + local JSON=$(cat $IMG_JSON) + echo $JSON | jq -M -c "$1" >$IMG_JSON || fail + local JSON=$(cat $IMG_JSON) + echo $JSON | tr -d '\n' >$IMG_JSON || fail + fi + + [ -z "$2" ] || _hdr="$2" + + # wipe JSON areas + _dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=4096 + _dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096)) + + # write JSON data + _dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=4096 + _dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096)) + + # erase sha256 checksums + _dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN1_OFFSET + _dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN2_OFFSET + + # calculate sha256 and write chexksums + local SUM1_HEX=$(_dd if=$_hdr count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1) + echo $SUM1_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN1_OFFSET count=64 || fail + + local SUM2_HEX=$(_dd if=$_hdr skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1) + echo $SUM2_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN2_OFFSET count=64 || fail +} + [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." fips_mode && skip "This test cannot be run in FIPS mode." @@ -908,6 +961,9 @@ modprobe --dry-run scsi_debug >/dev/null 2>&1 || skip "This kernel seems to not modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" modprobe dm-delay > /dev/null 2>&1 dm_crypt_features +bin_check jq +bin_check sha256sum +bin_check xxd if [ -n "$DM_SECTOR_SIZE" ]; then TEST_SECTORS="512 4096" @@ -2160,6 +2216,17 @@ echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR --active-name check_hash_dev_head $DEV 2048 $HASH2 rm -f $IMG_HDR +# Regression test for decryption with detached header and digest id != 0 +echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail +img_json_save $DEV +# replace digest id 0 with 1 +img_update_json '.digests."1" = .digests."0" | del(.digests."0")' $DEV +wipe $PWD1 +check_hash $PWD1 $HASH2 +echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR $DEV || fail +check_hash_dev_head $DEV 2048 $HASH2 +rm -f $IMG_HDR + echo "[33] Decryption with datashift recovery (error in shift area)." prepare_linear_dev 32 echo "sector size 512"