Index: head/tests/sys/geom/class/eli/conf.sh
===================================================================
--- head/tests/sys/geom/class/eli/conf.sh (revision 348453)
+++ head/tests/sys/geom/class/eli/conf.sh (revision 348454)
@@ -1,102 +1,92 @@ #!/bin/sh # $FreeBSD$ class="eli" base=$(atf_get ident) MAX_SECSIZE=8192 attach_md() { local test_md test_md=$(mdconfig -a "$@") || atf_fail "failed to allocate md(4)" echo $test_md >> $TEST_MDS_FILE || exit echo $test_md } # Execute `func` for each combination of cipher, sectorsize, and hmac algo # `func` usage should be: # func for_each_geli_config() { func=$1 backing_filename=$2 # Double the sector size to allow for the HMACs' storage space. osecsize=$(( $MAX_SECSIZE * 2 )) # geli needs 512B for the label. bytes=`expr $osecsize \* $sectors + 512`b if [ -n "$backing_filename" ]; then # Use a file-backed md(4) device, so we can deliberatly corrupt # it without detaching the geli device first. truncate -s $bytes backing_file md=$(attach_md -t vnode -f backing_file) else md=$(attach_md -t malloc -s $bytes) fi for cipher in aes-xts:128 aes-xts:256 \ aes-cbc:128 aes-cbc:192 aes-cbc:256 \ - 3des-cbc:192 \ - blowfish-cbc:128 blowfish-cbc:160 blowfish-cbc:192 \ - blowfish-cbc:224 blowfish-cbc:256 blowfish-cbc:288 \ - blowfish-cbc:320 blowfish-cbc:352 blowfish-cbc:384 \ - blowfish-cbc:416 blowfish-cbc:448 \ camellia-cbc:128 camellia-cbc:192 camellia-cbc:256; do ealgo=${cipher%%:*} keylen=${cipher##*:} - for aalgo in hmac/md5 hmac/sha1 hmac/ripemd160 hmac/sha256 \ + for aalgo in hmac/sha1 hmac/ripemd160 hmac/sha256 \ hmac/sha384 hmac/sha512; do for secsize in 512 1024 2048 4096 $MAX_SECSIZE; do ${func} $cipher $aalgo $secsize geli detach ${md} 2>/dev/null done done done } # Execute `func` for each combination of cipher, and sectorsize, with no hmac # `func` usage should be: # func for_each_geli_config_nointegrity() { func=$1 # geli needs 512B for the label. 
bytes=`expr $MAX_SECSIZE \* $sectors + 512`b md=$(attach_md -t malloc -s $bytes) for cipher in aes-xts:128 aes-xts:256 \ aes-cbc:128 aes-cbc:192 aes-cbc:256 \ - 3des-cbc:192 \ - blowfish-cbc:128 blowfish-cbc:160 blowfish-cbc:192 \ - blowfish-cbc:224 blowfish-cbc:256 blowfish-cbc:288 \ - blowfish-cbc:320 blowfish-cbc:352 blowfish-cbc:384 \ - blowfish-cbc:416 blowfish-cbc:448 \ camellia-cbc:128 camellia-cbc:192 camellia-cbc:256; do ealgo=${cipher%%:*} keylen=${cipher##*:} for secsize in 512 1024 2048 4096 $MAX_SECSIZE; do ${func} $cipher $secsize geli detach ${md} 2>/dev/null done done } geli_test_cleanup() { if [ -f "$TEST_MDS_FILE" ]; then while read md; do [ -c /dev/${md}.eli ] && \ geli detach $md.eli 2>/dev/null mdconfig -d -u $md 2>/dev/null done < $TEST_MDS_FILE fi true } geli_test_setup() { geom_atf_test_setup } ATF_TEST=true . `dirname $0`/../geom_subr.sh Index: head/tests/sys/geom/class/eli/init_test.sh =================================================================== --- head/tests/sys/geom/class/eli/init_test.sh (revision 348453) +++ head/tests/sys/geom/class/eli/init_test.sh (revision 348454) 
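Review bot: Nothing in the suite exercises 3des-cbc, blowfish-cbc or hmac/md5 once they are dropped from the loops in for_each_geli_config and for_each_geli_config_nointegrity (the matching aliases are dropped from init_alias_body in init_test.sh as well), so their handling is untested in either direction. The page does not show why they were removed; if `geli init` is meant to refuse them for new providers, a negative check such as `atf_check -s not-exit:0 -e ignore geli init -B none -e 3des-cbc -l 192 -P -K keyfile ${md}` would catch a regression that silently re-enables a weak cipher or HMAC. If providers already initialised with these algorithms must still attach, that path deserves its own test case too. A short comment above each cipher list, for example `# 3des-cbc, blowfish-cbc and hmac/md5 are intentionally not tested here`, would also keep them from being re-added by accident.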
@@ -1,387 +1,380 @@ #!/bin/sh # $FreeBSD$ . $(atf_get_srcdir)/conf.sh init_test() { cipher=$1 secsize=$2 ealgo=${cipher%%:*} keylen=${cipher##*:} atf_check -s exit:0 -e ignore \ geli init -B none -e $ealgo -l $keylen -P -K keyfile \ -s $secsize ${md} atf_check geli attach -p -k keyfile ${md} atf_check dd if=rnd of=/dev/${md}.eli bs=${secsize} count=${sectors} \ status=none md_rnd=`dd if=rnd bs=${secsize} count=${sectors} status=none | md5` atf_check_equal 0 $? md_ddev=`dd if=/dev/${md}.eli bs=${secsize} count=${sectors} status=none | md5` atf_check_equal 0 $? md_edev=`dd if=/dev/${md} bs=${secsize} count=${sectors} status=none | md5` atf_check_equal 0 $? if [ ${md_rnd} != ${md_ddev} ]; then atf_fail "Miscompare for ealgo=${ealgo} keylen=${keylen} sec=${secsize}" fi if [ ${md_rnd} == ${md_edev} ]; then atf_fail "Data was not encrypted for ealgo=${ealgo} keylen=${keylen} sec=${secsize}" fi } atf_test_case init cleanup init_head() { atf_set "descr" "Basic I/O with geli" atf_set "require.user" "root" atf_set "timeout" 600 } init_body() { geli_test_setup sectors=32 atf_check dd if=/dev/random of=keyfile bs=512 count=16 status=none atf_check dd if=/dev/random of=rnd bs=$MAX_SECSIZE count=${sectors} \ status=none for_each_geli_config_nointegrity init_test } init_cleanup() { geli_test_cleanup } atf_test_case init_B cleanup init_B_head() { atf_set "descr" "init -B can select an alternate backup metadata file" atf_set "require.user" "root" } init_B_body() { geli_test_setup sectors=100 atf_check dd if=/dev/random of=keyfile bs=512 count=16 status=none md=$(attach_md -t malloc -s $sectors) # -B none rm -f /var/backups/${md}.eli atf_check -s exit:0 -o ignore geli init -B none -P -K keyfile ${md} if [ -f /var/backups/${md}.eli ]; then atf_fail "geli created a backup file even with -B none" fi # no -B rm -f /var/backups/${md}.eli atf_check -s exit:0 -o ignore geli init -P -K keyfile ${md} if [ ! 
-f /var/backups/${md}.eli ]; then atf_fail "geli did not create a backup file" fi atf_check geli clear ${md} atf_check -s not-exit:0 -e ignore geli attach -p -k keyfile ${md} atf_check -s exit:0 -o ignore geli restore /var/backups/${md}.eli ${md} atf_check -s exit:0 -o ignore geli attach -p -k keyfile ${md} atf_check geli detach ${md} rm -f /var/backups/${md}.eli # -B file rm -f backupfile atf_check -s exit:0 -o ignore \ geli init -B backupfile -P -K keyfile ${md} if [ ! -f backupfile ]; then atf_fail "geli init -B did not create a backup file" fi atf_check geli clear ${md} atf_check -s not-exit:0 -e ignore geli attach -p -k keyfile ${md} atf_check geli restore backupfile ${md} atf_check geli attach -p -k keyfile ${md} } init_B_cleanup() { geli_test_cleanup } atf_test_case init_J cleanup init_J_head() { atf_set "descr" "init -J accepts a passfile" atf_set "require.user" "root" } init_J_body() { geli_test_setup sectors=100 md=$(attach_md -t malloc -s `expr $sectors + 1`) atf_check dd if=/dev/random of=keyfile0 bs=512 count=16 status=none atf_check dd if=/dev/random of=keyfile1 bs=512 count=16 status=none dd if=/dev/random bs=512 count=16 status=none | sha1 > passfile0 atf_check_equal 0 $? dd if=/dev/random bs=512 count=16 status=none | sha1 > passfile1 atf_check_equal 0 $? 
for iter in -1 0 64; do atf_check -s not-exit:0 -e ignore \ geli init -i ${iter} -B none -J passfile0 -P ${md} atf_check -s not-exit:0 -e ignore \ geli init -i ${iter} -B none -J passfile0 -P -K keyfile0 ${md} atf_check geli init -i ${iter} -B none -J passfile0 -K keyfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -p ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j keyfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k passfile0 -p ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j keyfile0 -k passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j keyfile0 -k keyfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j passfile0 -k passfile0 ${md} atf_check -s exit:0 -e ignore \ geli attach -j passfile0 -k keyfile0 ${md} atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat keyfile0 | geli attach -j passfile0 -k - ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat passfile0 | geli attach -j - -k keyfile0 ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s not-exit:0 -e ignore \ geli init -i ${iter} -B none -J passfile0 -J passfile1 -P ${md} atf_check -s not-exit:0 -e ignore \ geli init -i ${iter} -B none -J passfile0 -J passfile1 -P -K keyfile0 -K keyfile1 ${md} atf_check -s exit:0 -e ignore \ geli init -i ${iter} -B none -J passfile0 -J passfile1 -K keyfile0 -K keyfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -p ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile1 -p ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -k keyfile1 -p ${md} atf_check -s not-exit:0 -e ignore \ geli attach -j passfile0 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli 
attach -k keyfile0 -j passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile1 -j passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile1 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -j passfile0 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile1 -j passfile0 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -k keyfile1 -j passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -k keyfile1 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile1 -k keyfile0 -j passfile0 -j passfile1 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile0 -k keyfile1 -j passfile1 -j passfile0 ${md} atf_check -s not-exit:0 -e ignore \ geli attach -k keyfile1 -k keyfile0 -j passfile1 -j passfile0 ${md} atf_check -s exit:0 -e ignore \ geli attach -j passfile0 -j passfile1 -k keyfile0 -k keyfile1 ${md} atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat passfile0 | geli attach -j - -j passfile1 -k keyfile0 -k keyfile1 ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat passfile1 | geli attach -j passfile0 -j - -k keyfile0 -k keyfile1 ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat keyfile0 | geli attach -j passfile0 -j passfile1 -k - -k keyfile1 ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat keyfile1 | geli attach -j passfile0 -j passfile1 -k keyfile0 -k - ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat keyfile0 keyfile1 | geli attach -j passfile0 -j passfile1 -k - ${md}" atf_check -s exit:0 -e ignore geli detach ${md} atf_check -s exit:0 -e ignore -x \ "cat passfile0 passfile1 | awk '{printf \"%s\", \$0}' | geli 
attach -j - -k keyfile0 -k keyfile1 ${md}" atf_check -s exit:0 -e ignore geli detach ${md} done } init_J_cleanup() { geli_test_cleanup } init_a_test() { cipher=$1 aalgo=$2 secsize=$3 ealgo=${cipher%%:*} keylen=${cipher##*:} atf_check -s exit:0 -e ignore \ geli init -B none -a $aalgo -e $ealgo -l $keylen -P -K keyfile \ -s $secsize ${md} atf_check geli attach -p -k keyfile ${md} atf_check dd if=rnd of=/dev/${md}.eli bs=${secsize} count=${sectors} status=none md_rnd=`dd if=rnd bs=${secsize} count=${sectors} status=none | md5` atf_check_equal 0 $? md_ddev=`dd if=/dev/${md}.eli bs=${secsize} count=${sectors} status=none | md5` atf_check_equal 0 $? if [ ${md_rnd} != ${md_ddev} ]; then atf_fail "Miscompare for aalgo=${aalgo} ealgo=${ealgo} keylen=${keylen} sec=${secsize}" fi } atf_test_case init_a cleanup init_a_head() { atf_set "descr" "I/O with geli and HMACs" atf_set "require.user" "root" atf_set "timeout" 3600 } init_a_body() { geli_test_setup sectors=100 atf_check dd if=/dev/random of=keyfile bs=512 count=16 status=none atf_check dd if=/dev/random of=rnd bs=$MAX_SECSIZE count=${sectors} \ status=none for_each_geli_config init_a_test true } init_a_cleanup() { geli_test_cleanup } init_alias_test() { ealgo=$1 keylen=$2 expected_ealgo=$3 expected_keylen=$4 atf_check geli init -B none -e $ealgo -l $keylen -P -K keyfile ${md} atf_check geli attach -p -k keyfile ${md} real_ealgo=`geli list ${md}.eli | awk '/EncryptionAlgorithm/ {print $2}'` real_keylen=`geli list ${md}.eli | awk '/KeyLength/ {print $2}'` if [ "${real_ealgo}" != "${expected_ealgo}" ]; then atf_fail "expected ${expected_ealgo} but got ${real_ealgo}" fi if [ "${real_keylen}" != "${expected_keylen}" ]; then atf_fail "expected ${expected_keylen} but got ${real_keylen}" fi atf_check geli detach ${md} } atf_test_case init_alias cleanup init_alias_head() { atf_set "descr" "geli init accepts cipher aliases" atf_set "require.user" "root" } init_alias_body() { geli_test_setup md=$(attach_md -t malloc -s 1024k) 
atf_check dd if=/dev/random of=keyfile bs=512 count=16 status=none for spec in aes:0:AES-XTS:128 aes:128:AES-XTS:128 aes:256:AES-XTS:256 \ - 3des:0:3DES-CBC:192 3des:192:3DES-CBC:192 \ - blowfish:0:Blowfish-CBC:128 blowfish:128:Blowfish-CBC:128 \ - blowfish:160:Blowfish-CBC:160 blowfish:192:Blowfish-CBC:192 \ - blowfish:224:Blowfish-CBC:224 blowfish:256:Blowfish-CBC:256 \ - blowfish:288:Blowfish-CBC:288 blowfish:352:Blowfish-CBC:352 \ - blowfish:384:Blowfish-CBC:384 blowfish:416:Blowfish-CBC:416 \ - blowfish:448:Blowfish-CBC:448 \ camellia:0:CAMELLIA-CBC:128 camellia:128:CAMELLIA-CBC:128 \ camellia:256:CAMELLIA-CBC:256 ; do ealgo=`echo $spec | cut -d : -f 1` keylen=`echo $spec | cut -d : -f 2` expected_ealgo=`echo $spec | cut -d : -f 3` expected_keylen=`echo $spec | cut -d : -f 4` init_alias_test $ealgo $keylen $expected_ealgo $expected_keylen done } init_alias_cleanup() { geli_test_cleanup } atf_test_case init_i_P cleanup init_i_P_head() { atf_set "descr" "geli: Options -i and -P are mutually exclusive" atf_set "require.user" "root" } init_i_P_body() { geli_test_setup sectors=100 md=$(attach_md -t malloc -s `expr $sectors + 1`) atf_check dd if=/dev/random of=keyfile bs=512 count=16 status=none atf_check -s not-exit:0 -e "match:Options -i and -P are mutually exclusive"\ geli init -B none -i 64 -P -K keyfile $md } init_i_P_cleanup() { geli_test_cleanup } atf_test_case nokey cleanup nokey_head() { atf_set "descr" "geli init fails if called with no key component" atf_set "require.user" "root" } nokey_body() { geli_test_setup sectors=100 md=$(attach_md -t malloc -s `expr $sectors + 1`) atf_check -s not-exit:0 -e match:"No key components given" \ geli init -B none -P ${md} } nokey_cleanup() { geli_test_cleanup } atf_init_test_cases() { atf_add_test_case init atf_add_test_case init_B atf_add_test_case init_J atf_add_test_case init_a atf_add_test_case init_alias atf_add_test_case init_i_P atf_add_test_case nokey }