255 lines
9.1 KiB
Diff
255 lines
9.1 KiB
Diff
From 9736f533bb90557e4522451b95e357920786f869 Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Kozina <okozina@redhat.com>
|
|
Date: Fri, 2 Jul 2021 21:55:40 +0200
|
|
Subject: [PATCH] tests: Do not guess default pbkdf anymore.
|
|
|
|
Instead of guessing get pbkdf defaults via libcryptsetup
|
|
API.
|
|
---
|
|
tests/api-test-2.c | 109 +++++++++++++++++++++++++++------------------
|
|
1 file changed, 66 insertions(+), 43 deletions(-)
|
|
|
|
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
|
index fe7363e1..c769e2ed 100644
|
|
--- a/tests/api-test-2.c
|
|
+++ b/tests/api-test-2.c
|
|
@@ -119,16 +119,6 @@ typedef int32_t key_serial_t;
|
|
#define PASS7 "bbb"
|
|
#define PASS8 "iii"
|
|
|
|
-/* Allow to run without config.h */
|
|
-#ifndef DEFAULT_LUKS1_HASH
|
|
- #define DEFAULT_LUKS1_HASH "sha256"
|
|
- #define DEFAULT_LUKS1_ITER_TIME 2000
|
|
- #define DEFAULT_LUKS2_ITER_TIME 2000
|
|
- #define DEFAULT_LUKS2_MEMORY_KB 1048576
|
|
- #define DEFAULT_LUKS2_PARALLEL_THREADS 4
|
|
- #define DEFAULT_LUKS2_PBKDF "argon2i"
|
|
-#endif
|
|
-
|
|
static int _fips_mode = 0;
|
|
|
|
static char *DEVICE_1 = NULL;
|
|
@@ -145,6 +135,14 @@ unsigned int test_progress_steps;
|
|
|
|
struct crypt_device *cd = NULL, *cd2 = NULL;
|
|
|
|
+static const char *default_luks1_hash = NULL;
|
|
+static uint32_t default_luks1_iter_time = 0;
|
|
+
|
|
+static const char *default_luks2_pbkdf = NULL;
|
|
+static uint32_t default_luks2_iter_time = 0;
|
|
+static uint32_t default_luks2_memory_kb = 0;
|
|
+static uint32_t default_luks2_parallel_threads = 0;
|
|
+
|
|
// Helpers
|
|
|
|
static unsigned cpus_online(void)
|
|
@@ -167,14 +165,14 @@ static uint32_t adjusted_pbkdf_memory(void)
|
|
uint64_t memory_kb;
|
|
|
|
if (pagesize <= 0 || pages <= 0)
|
|
- return DEFAULT_LUKS2_MEMORY_KB;
|
|
+ return default_luks2_memory_kb;
|
|
|
|
memory_kb = pagesize / 1024 * pages / 2;
|
|
|
|
- if (memory_kb < DEFAULT_LUKS2_MEMORY_KB)
|
|
+ if (memory_kb < default_luks2_memory_kb)
|
|
return (uint32_t)memory_kb;
|
|
|
|
- return DEFAULT_LUKS2_MEMORY_KB;
|
|
+ return default_luks2_memory_kb;
|
|
}
|
|
|
|
static unsigned _min(unsigned a, unsigned b)
|
|
@@ -225,6 +223,28 @@ static int get_luks2_offsets(int metadata_device,
|
|
return 0;
|
|
}
|
|
|
|
+static bool get_luks_pbkdf_defaults(void)
|
|
+{
|
|
+ const struct crypt_pbkdf_type *pbkdf_defaults = crypt_get_pbkdf_default(CRYPT_LUKS1);
|
|
+
|
|
+ if (!pbkdf_defaults)
|
|
+ return false;
|
|
+
|
|
+ default_luks1_hash = pbkdf_defaults->hash;
|
|
+ default_luks1_iter_time = pbkdf_defaults->time_ms;
|
|
+
|
|
+ pbkdf_defaults = crypt_get_pbkdf_default(CRYPT_LUKS2);
|
|
+ if (!pbkdf_defaults)
|
|
+ return false;
|
|
+
|
|
+ default_luks2_pbkdf = pbkdf_defaults->type;
|
|
+ default_luks2_iter_time = pbkdf_defaults->time_ms;
|
|
+ default_luks2_memory_kb = pbkdf_defaults->max_memory_kb;
|
|
+ default_luks2_parallel_threads = pbkdf_defaults->parallel_threads;
|
|
+
|
|
+ return true;
|
|
+}
|
|
+
|
|
static void _remove_keyfiles(void)
|
|
{
|
|
remove(KEYFILE1);
|
|
@@ -413,6 +433,9 @@ static int _setup(void)
|
|
/* Use default log callback */
|
|
crypt_set_log_callback(NULL, &global_log_callback, NULL);
|
|
|
|
+ if (!get_luks_pbkdf_defaults())
|
|
+ return 1;
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
@@ -2541,17 +2564,17 @@ static void Pbkdf(void)
|
|
const char *cipher = "aes", *mode="xts-plain64";
|
|
struct crypt_pbkdf_type argon2 = {
|
|
.type = CRYPT_KDF_ARGON2I,
|
|
- .hash = DEFAULT_LUKS1_HASH,
|
|
+ .hash = default_luks1_hash,
|
|
.time_ms = 6,
|
|
.max_memory_kb = 1024,
|
|
.parallel_threads = 1
|
|
}, pbkdf2 = {
|
|
.type = CRYPT_KDF_PBKDF2,
|
|
- .hash = DEFAULT_LUKS1_HASH,
|
|
+ .hash = default_luks1_hash,
|
|
.time_ms = 9
|
|
}, bad = {
|
|
.type = "hamster_pbkdf",
|
|
- .hash = DEFAULT_LUKS1_HASH
|
|
+ .hash = default_luks1_hash
|
|
};
|
|
struct crypt_params_plain params = {
|
|
.hash = "sha1",
|
|
@@ -2607,7 +2630,7 @@ static void Pbkdf(void)
|
|
OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
|
|
OK_(crypt_set_pbkdf_type(cd, NULL));
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
|
|
- EQ_(pbkdf->time_ms, DEFAULT_LUKS1_ITER_TIME);
|
|
+ EQ_(pbkdf->time_ms, default_luks1_iter_time);
|
|
CRYPT_FREE(cd);
|
|
// test value set in crypt_set_iteration_time() can be obtained via following crypt_get_pbkdf_type()
|
|
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
|
@@ -2617,7 +2640,7 @@ static void Pbkdf(void)
|
|
EQ_(pbkdf->time_ms, 42);
|
|
// test crypt_get_pbkdf_type() returns expected values for LUKSv1
|
|
OK_(strcmp(pbkdf->type, CRYPT_KDF_PBKDF2));
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
EQ_(pbkdf->max_memory_kb, 0);
|
|
EQ_(pbkdf->parallel_threads, 0);
|
|
crypt_set_iteration_time(cd, 43);
|
|
@@ -2648,11 +2671,11 @@ static void Pbkdf(void)
|
|
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
|
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, NULL, 32, NULL));
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
|
|
- OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
- EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
|
|
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
|
|
EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
|
|
- EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
|
|
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
|
|
// set and verify argon2 type
|
|
OK_(crypt_set_pbkdf_type(cd, &argon2));
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
|
|
@@ -2673,11 +2696,11 @@ static void Pbkdf(void)
|
|
crypt_set_iteration_time(cd, 1); // it's supposed to override this call
|
|
OK_(crypt_set_pbkdf_type(cd, NULL));
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
|
|
- OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
- EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
|
|
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
|
|
EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
|
|
- EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
|
|
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
|
|
// try to pass illegal values
|
|
argon2.parallel_threads = 0;
|
|
FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Parallel threads can't be 0");
|
|
@@ -2695,7 +2718,7 @@ static void Pbkdf(void)
|
|
bad.hash = NULL;
|
|
FAIL_(crypt_set_pbkdf_type(cd, &bad), "Hash member is empty");
|
|
bad.type = NULL;
|
|
- bad.hash = DEFAULT_LUKS1_HASH;
|
|
+ bad.hash = default_luks1_hash;
|
|
FAIL_(crypt_set_pbkdf_type(cd, &bad), "Pbkdf type member is empty");
|
|
bad.hash = "hamster_hash";
|
|
FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Unknown hash member");
|
|
@@ -2704,18 +2727,18 @@ static void Pbkdf(void)
|
|
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
|
OK_(crypt_load(cd, CRYPT_LUKS, NULL));
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
|
|
- OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
- EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
|
|
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
|
|
EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
|
|
- EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
|
|
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
|
|
crypt_set_iteration_time(cd, 1);
|
|
OK_(crypt_load(cd, CRYPT_LUKS, NULL));
|
|
- OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
EQ_(pbkdf->time_ms, 1);
|
|
EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
|
|
- EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
|
|
+ EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
|
|
CRYPT_FREE(cd);
|
|
|
|
// test crypt_set_pbkdf_type() overwrites invalid value set by crypt_set_iteration_time()
|
|
@@ -2766,17 +2789,17 @@ static void Pbkdf(void)
|
|
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS1));
|
|
OK_(strcmp(pbkdf->type, CRYPT_KDF_PBKDF2));
|
|
- EQ_(pbkdf->time_ms, DEFAULT_LUKS1_ITER_TIME);
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
+ EQ_(pbkdf->time_ms, default_luks1_iter_time);
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
EQ_(pbkdf->max_memory_kb, 0);
|
|
EQ_(pbkdf->parallel_threads, 0);
|
|
|
|
NOTNULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS2));
|
|
- OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
|
|
- EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
|
|
- OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
|
|
- EQ_(pbkdf->max_memory_kb, DEFAULT_LUKS2_MEMORY_KB);
|
|
- EQ_(pbkdf->parallel_threads, DEFAULT_LUKS2_PARALLEL_THREADS);
|
|
+ OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
|
|
+ EQ_(pbkdf->time_ms, default_luks2_iter_time);
|
|
+ OK_(strcmp(pbkdf->hash, default_luks1_hash));
|
|
+ EQ_(pbkdf->max_memory_kb, default_luks2_memory_kb);
|
|
+ EQ_(pbkdf->parallel_threads, default_luks2_parallel_threads);
|
|
|
|
NULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_PLAIN));
|
|
|
|
@@ -3149,13 +3172,13 @@ static void Luks2Requirements(void)
|
|
const char *token, *json = "{\"type\":\"test_token\",\"keyslots\":[]}";
|
|
struct crypt_pbkdf_type argon2 = {
|
|
.type = CRYPT_KDF_ARGON2I,
|
|
- .hash = DEFAULT_LUKS1_HASH,
|
|
+ .hash = default_luks1_hash,
|
|
.time_ms = 6,
|
|
.max_memory_kb = 1024,
|
|
.parallel_threads = 1
|
|
}, pbkdf2 = {
|
|
.type = CRYPT_KDF_PBKDF2,
|
|
- .hash = DEFAULT_LUKS1_HASH,
|
|
+ .hash = default_luks1_hash,
|
|
.time_ms = 9
|
|
};
|
|
struct crypt_token_params_luks2_keyring params_get, params = {
|
|
--
|
|
2.27.0
|
|
|