You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
441 lines
22 KiB
441 lines
22 KiB
diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c |
|
--- cryptsetup-2.4.3.old/tests/api-test.c 2022-02-17 16:37:09.535345938 +0100 |
|
+++ cryptsetup-2.4.3/tests/api-test.c 2022-02-17 16:37:29.156459763 +0100 |
|
@@ -312,7 +312,7 @@ static int _setup(void) |
|
static void AddDevicePlain(void) |
|
{ |
|
struct crypt_params_plain params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
.size = 0 |
|
@@ -322,7 +322,7 @@ static void AddDevicePlain(void) |
|
|
|
const char *passphrase = PASSPHRASE; |
|
// hashed hex version of PASSPHRASE |
|
- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; |
|
+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; |
|
size_t key_size = strlen(mk_hex) / 2; |
|
const char *cipher = "aes"; |
|
const char *cipher_mode = "cbc-essiv:sha256"; |
|
@@ -438,7 +438,7 @@ static void AddDevicePlain(void) |
|
OK_(crypt_deactivate(cd,CDEVICE_1)); |
|
|
|
CRYPT_FREE(cd); |
|
- params.hash = "sha1"; |
|
+ params.hash = "sha256"; |
|
params.offset = 0; |
|
params.size = 0; |
|
params.skip = 0; |
|
@@ -620,7 +620,7 @@ static void new_log(int level, const cha |
|
static void CallbacksTest(void) |
|
{ |
|
struct crypt_params_plain params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
}; |
|
@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void) |
|
.data_alignment = 2048, // 4M, data offset will be 4096 |
|
}; |
|
struct crypt_params_plain pl_params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
.size = 0 |
|
@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void) |
|
.data_alignment = 2048, |
|
}; |
|
struct crypt_params_plain pl_params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
.size = 0 |
|
diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c |
|
--- cryptsetup-2.4.3.old/tests/api-test-2.c 2022-02-17 16:37:09.535345938 +0100 |
|
+++ cryptsetup-2.4.3/tests/api-test-2.c 2022-02-17 16:37:29.155459758 +0100 |
|
@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void) |
|
.sector_size = 512 |
|
}; |
|
struct crypt_params_plain pl_params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
.size = 0 |
|
@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void) |
|
}; |
|
uint32_t flags = 0; |
|
|
|
- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; |
|
+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; |
|
size_t key_size = strlen(mk_hex) / 2; |
|
const char *cipher = "aes"; |
|
const char *cipher_mode = "cbc-essiv:sha256"; |
|
@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void) |
|
.sector_size = 512 |
|
}; |
|
struct crypt_params_plain pl_params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
.size = 0 |
|
@@ -2142,7 +2142,7 @@ static void LuksConvert(void) |
|
.parallel_threads = 1 |
|
}, pbkdf2 = { |
|
.type = CRYPT_KDF_PBKDF2, |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.time_ms = 1 |
|
}; |
|
|
|
@@ -2675,7 +2675,7 @@ static void Pbkdf(void) |
|
.hash = default_luks1_hash |
|
}; |
|
struct crypt_params_plain params = { |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.skip = 0, |
|
.offset = 0, |
|
.size = 0 |
|
@@ -2874,11 +2874,11 @@ static void Pbkdf(void) |
|
pbkdf2.time_ms = 9; |
|
pbkdf2.hash = NULL; |
|
FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2"); |
|
- pbkdf2.hash = "sha1"; |
|
+ pbkdf2.hash = "sha256"; |
|
OK_(crypt_set_pbkdf_type(cd, &pbkdf2)); |
|
|
|
argon2.time_ms = 9; |
|
- argon2.hash = "sha1"; // will be ignored |
|
+ argon2.hash = "sha256"; // will be ignored |
|
OK_(crypt_set_pbkdf_type(cd, &argon2)); |
|
argon2.hash = NULL; |
|
OK_(crypt_set_pbkdf_type(cd, &argon2)); |
|
@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void) |
|
struct crypt_params_reencrypt retparams = {}, rparams = { |
|
.direction = CRYPT_REENCRYPT_FORWARD, |
|
.resilience = "checksum", |
|
- .hash = "sha1", |
|
+ .hash = "sha256", |
|
.luks2 = ¶ms2, |
|
}; |
|
dev_t devno; |
|
@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void) |
|
rparams.hash = "hamSter"; |
|
FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash."); |
|
|
|
- rparams.hash = "sha1"; |
|
+ rparams.hash = "sha256"; |
|
OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams)); |
|
OK_(crypt_reencrypt_run(cd, NULL, NULL)); |
|
|
|
diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test |
|
--- cryptsetup-2.4.3.old/tests/compat-test 2022-02-17 16:37:09.541345973 +0100 |
|
+++ cryptsetup-2.4.3/tests/compat-test 2022-02-17 16:37:29.157459769 +0100 |
|
@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $ |
|
prepare "[1] open - compat image - acceptance check" new |
|
echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail |
|
check_exists |
|
-ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') |
|
-[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail |
|
+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') |
|
+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail |
|
$CRYPTSETUP -q luksClose $DEV_NAME || fail |
|
|
|
# Check it can be opened from header backup as well |
|
@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || f |
|
$CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail |
|
|
|
# Repeat for V1.0 header - not aligned first keyslot |
|
+if [ ! fips_mode ] ; then |
|
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail |
|
check_exists |
|
ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') |
|
@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he |
|
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail |
|
check_exists |
|
$CRYPTSETUP -q luksClose $DEV_NAME || fail |
|
+fi |
|
|
|
prepare "[2] open - compat image - denial check" new |
|
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail |
|
@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q |
|
|
|
prepare "[19] create & status & resize" wipe |
|
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail |
|
$CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail |
|
$CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail |
|
$CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail |
|
@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail |
|
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
$CRYPTSETUP -q status $DEV_NAME >/dev/null && fail |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail |
|
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail |
|
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail |
|
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
# 4k sector resize (if kernel supports it) |
|
-echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 |
|
+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 |
|
if [ $? -eq 0 ] ; then |
|
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail |
|
$CRYPTSETUP -q resize $DEV_NAME --size 16 || fail |
|
@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then |
|
fi |
|
# Resize not aligned to logical block size |
|
add_scsi_device dev_size_mb=32 sector_size=4096 |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail |
|
OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') |
|
$CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail |
|
dmsetup info $DEV_NAME | grep -q SUSPENDED && fail |
|
@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME |
|
test $OLD_SIZE -eq $NEW_SIZE || fail |
|
$CRYPTSETUP close $DEV_NAME || fail |
|
# Add check for unaligned plain crypt activation |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail |
|
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail |
|
# verify is ignored on non-tty input |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail |
|
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail |
|
@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST |
|
dmsetup remove --retry $DEV_NAME2 |
|
|
|
prepare "[25] Create shared segments" wipe |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail |
|
$CRYPTSETUP -q remove $DEV_NAME2 || fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
|
|
prepare "[26] Suspend/Resume" wipe |
|
# only LUKS is supported |
|
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail |
|
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail |
|
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail |
|
$CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail |
|
$CRYPTSETUP -q remove $DEV_NAME || fail |
|
diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 |
|
--- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-17 16:37:09.541345973 +0100 |
|
+++ cryptsetup-2.4.3/tests/compat-test2 2022-02-17 16:37:29.158459775 +0100 |
|
@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q |
|
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail |
|
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail |
|
# hash test |
|
-$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail |
|
+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail |
|
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail |
|
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail |
|
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail |
|
diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test |
|
--- cryptsetup-2.4.3.old/tests/discards-test 2022-02-17 16:37:09.541345973 +0100 |
|
+++ cryptsetup-2.4.3/tests/discards-test 2022-02-17 16:37:29.158459775 +0100 |
|
@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis |
|
$CRYPTSETUP luksClose $DEV_NAME || fail |
|
|
|
echo "[2] Allowing discards for plain device" |
|
-echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail |
|
+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail |
|
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail |
|
$CRYPTSETUP resize $DEV_NAME --size 100 || fail |
|
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail |
|
diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test |
|
--- cryptsetup-2.4.3.old/tests/integrity-compat-test 2022-02-17 16:37:09.542345979 +0100 |
|
+++ cryptsetup-2.4.3/tests/integrity-compat-test 2022-02-17 16:37:29.159459781 +0100 |
|
@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag |
|
echo -n "[FORMAT]" |
|
$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1 |
|
if [ $? -ne 0 ] ; then |
|
- if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then |
|
+ if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then |
|
fail "Cannot format device." |
|
fi |
|
echo "[N/A]" |
|
@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize |
|
|
|
echo -n "[INTEGRITY:$1:$2:$4:$5]" |
|
echo -n "[FORMAT]" |
|
- $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device." |
|
+ $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1 |
|
+ if [ $? -ne 0 ] ; then |
|
+ if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then |
|
+ fail "Cannot format device." |
|
+ fi |
|
+ echo "[N/A]" |
|
+ return |
|
+ fi |
|
echo -n "[ACTIVATE]" |
|
$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device." |
|
|
|
diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test |
|
--- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-02-17 16:37:09.542345979 +0100 |
|
+++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-02-17 16:39:07.132028140 +0100 |
|
@@ -119,7 +119,7 @@ add_device() { |
|
which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped" |
|
which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped" |
|
which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped" |
|
-which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped" |
|
+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped" |
|
modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" |
|
dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped." |
|
|
|
@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$ |
|
#test aes cipher with xts mode, plain IV |
|
echo -n "Testing $CIPHER_XTS_PLAIN..." |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
dmsetup remove --retry $NAME || fail |
|
load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type" |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
dmsetup remove --retry $NAME || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" |
|
# same test using message |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
dmsetup remove --retry $NAME || fail |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail |
|
dmsetup suspend $NAME || fail |
|
dmsetup message $NAME 0 key wipe || fail |
|
dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail |
|
dmsetup resume $NAME || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
dmsetup remove --retry $NAME || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" |
|
echo "OK" |
|
@@ -156,23 +156,23 @@ echo "OK" |
|
#test aes cipher, xts mode, essiv IV |
|
echo -n "Testing $CIPHER_CBC_ESSIV..." |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
dmsetup remove --retry $NAME || fail |
|
load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
dmsetup remove --retry $NAME || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" |
|
# same test using message |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
dmsetup remove --retry $NAME || fail |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail |
|
dmsetup suspend $NAME || fail |
|
dmsetup message $NAME 0 key wipe || fail |
|
dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail |
|
dmsetup resume $NAME || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
dmsetup remove --retry $NAME || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" |
|
echo "OK" |
|
@@ -181,23 +181,23 @@ echo "OK" |
|
fips_mode || { |
|
echo -n "Testing $CIPHER_CBC_TCW..." |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
dmsetup remove --retry $NAME || fail |
|
load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
dmsetup remove --retry $NAME || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" |
|
# same test using message |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail |
|
dmsetup remove --retry $NAME || fail |
|
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail |
|
dmsetup suspend $NAME || fail |
|
dmsetup message $NAME 0 key wipe || fail |
|
dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail |
|
dmsetup resume $NAME || fail |
|
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail |
|
dmsetup remove --retry $NAME || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" |
|
echo "OK" |
|
@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..." |
|
echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail |
|
echo $PWD | $CRYPTSETUP open $DEV $NAME || fail |
|
$CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped." |
|
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail |
|
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail |
|
echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail |
|
$CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring" |
|
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail |
|
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail |
|
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" |
|
echo "OK" |
|
|
|
diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test |
|
--- cryptsetup-2.4.3.old/tests/password-hash-test 2022-02-17 16:37:09.541345973 +0100 |
|
+++ cryptsetup-2.4.3/tests/password-hash-test 2022-02-17 16:37:29.160459787 +0100 |
|
@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name |
|
esac |
|
|
|
# ignore these cases, not all libs/kernel supports it |
|
- if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then |
|
+ if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then |
|
if [ $ret -ne 0 ] ; then |
|
echo " [N/A] ($ret, SKIPPED)" |
|
return |
|
diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test |
|
--- cryptsetup-2.4.3.old/tests/reencryption-compat-test 2022-02-17 16:37:09.541345973 +0100 |
|
+++ cryptsetup-2.4.3/tests/reencryption-compat-test 2022-02-17 16:37:29.160459787 +0100 |
|
@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]" |
|
echo "[OK]" |
|
|
|
echo "[8] Header only reencryption (hash and iteration time)" |
|
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail |
|
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail |
|
wipe $PWD1 |
|
check_hash $PWD1 $HASH1 |
|
echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail |
|
diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test |
|
--- cryptsetup-2.4.3.old/tests/verity-compat-test 2022-02-17 16:37:09.541345973 +0100 |
|
+++ cryptsetup-2.4.3/tests/verity-compat-test 2022-02-17 16:37:29.161459793 +0100 |
|
@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2 |
|
for fail in data hash; do |
|
wipe |
|
echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: " |
|
- $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail |
|
+ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT |
|
+ if [ $? -ne 0 ] ; then |
|
+ if [[ $1 =~ "sha2" ]] ; then |
|
+ fail "Cannot format device." |
|
+ fi |
|
+ return |
|
+ fi |
|
|
|
echo -n "[root hash]" |
|
compare_out "root hash" $2
|
|
|