rpms / cryptsetup

Clone
Source Code
GIT

Blame SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   38c00b94cfaab32db50ccb34db0f8402b7174c83
  2.   SOURCES
  3.   cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
Blob History Raw
38c00b 
From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
38c00b 
From: Ondrej Kozina <okozina@redhat.com>
38c00b 
Date: Fri, 2 Dec 2022 11:40:24 +0100
38c00b 
Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
38c00b 
 length.
38c00b
38c00b 
Skip tests that can not satisfy minimal test passphrase length:
38c00b
38c00b 
- empty passphrase
38c00b 
- LUKS1 cipher_null tests (empty passphrase is mandatory)
38c00b 
- LUKS1 encryption
38c00b 
---
38c00b 
 tests/Makefile.am              |   3 +-
38c00b 
 tests/align-test               |  10 +++
38c00b 
 tests/api-test-2.c             | 117 +++++++++++++++++----------------
38c00b 
 tests/api-test.c               |  14 ++--
38c00b 
 tests/compat-test              |   8 ++-
38c00b 
 tests/compat-test2             |  16 +++--
38c00b 
 tests/keyring-compat-test      |   2 +-
38c00b 
 tests/reencryption-compat-test |  10 +++
38c00b 
 tests/ssh-plugin-test          |   2 +-
38c00b 
 9 files changed, 110 insertions(+), 72 deletions(-)
38c00b
38c00b 
diff --git a/tests/align-test b/tests/align-test
38c00b 
index eedf8b77..5941cde2 100755
38c00b 
--- a/tests/align-test
38c00b 
+++ b/tests/align-test
38c00b 
@@ -10,6 +10,13 @@ PWD1="93R4P4pIqAH8"
38c00b 
 PWD2="mymJeD8ivEhE"
38c00b 
 FAST_PBKDF="--pbkdf-force-iterations 1000"
38c00b
38c00b 
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
38c00b 
+
38c00b 
+function fips_mode()
38c00b 
+{
38c00b 
+	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
38c00b 
+}
38c00b 
+
38c00b 
 cleanup() {
38c00b 
 	udevadm settle >/dev/null 2>&1
38c00b 
 	if [ -d "$MNT_DIR" ] ; then
38c00b 
@@ -276,6 +283,8 @@ format_plain_fail 2048
38c00b 
 format_plain_fail 4096
38c00b 
 cleanup
38c00b
38c00b 
+# skip tests using empty passphrase (LUKS1 cipher_null)
38c00b 
+if [ ! fips_mode ]; then
38c00b 
 echo "# Offset check: 512B sector drive"
38c00b 
 add_device dev_size_mb=16 sector_size=512 num_tgts=1
38c00b 
 #           |k| expO reqO expected slot offsets
38c00b 
@@ -314,6 +323,7 @@ format_null 512 4040    8
38c00b 
 format_null 512 4096  128
38c00b 
 format_null 512 4096 2048
38c00b 
 cleanup
38c00b 
+fi
38c00b
38c00b 
 echo "# Create enterprise-class 4K drive with fs and LUKS images."
38c00b 
 # loop device here presents 512 block but images have 4k block
38c00b 
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
38c00b 
index b7c762d9..2c39191b 100644
38c00b 
--- a/tests/api-test-2.c
38c00b 
+++ b/tests/api-test-2.c
38c00b 
@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
38c00b 
 #define KEYFILE2 "key2.file"
38c00b 
 #define KEY2 "0123456789abcdef"
38c00b
38c00b 
-#define PASSPHRASE "blabla"
38c00b 
-#define PASSPHRASE1 "albalb"
38c00b 
+#define PASSPHRASE "blablabl"
38c00b 
+#define PASSPHRASE1 "albalbal"
38c00b
38c00b 
 #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
38c00b
38c00b 
@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
38c00b 
 #define CONV_L2_512_DET_FULL "l2_512b_det_full"
38c00b 
 #define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
38c00b 
 #define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
38c00b 
-#define PASS0 "aaa"
38c00b 
-#define PASS1 "hhh"
38c00b 
-#define PASS2 "ccc"
38c00b 
-#define PASS3 "ddd"
38c00b 
-#define PASS4 "eee"
38c00b 
-#define PASS5 "fff"
38c00b 
-#define PASS6 "ggg"
38c00b 
-#define PASS7 "bbb"
38c00b 
-#define PASS8 "iii"
38c00b 
+#define PASS0 "aaablabl"
38c00b 
+#define PASS1 "hhhblabl"
38c00b 
+#define PASS2 "cccblabl"
38c00b 
+#define PASS3 "dddblabl"
38c00b 
+#define PASS4 "eeeblabl"
38c00b 
+#define PASS5 "fffblabl"
38c00b 
+#define PASS6 "gggblabl"
38c00b 
+#define PASS7 "bbbblabl"
38c00b 
+#define PASS8 "iiiblabl"
38c00b
38c00b 
 static int _fips_mode = 0;
38c00b
38c00b 
@@ -429,11 +429,11 @@ static int _setup(void)
38c00b
38c00b 
 	_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
38c00b
38c00b 
-	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
38c00b 
+	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
38c00b 
 	fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
38c00b 
 	close(fd);
38c00b
38c00b 
-	_system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
38c00b 
+	_system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
38c00b 
 	fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
38c00b 
 	close(fd);
38c00b
38c00b 
@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
38c00b 
 	};
38c00b 
 	char key[128], key2[128], key3[128];
38c00b
38c00b 
-	const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
38c00b 
+	const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
38c00b 
 	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
38c00b 
 	const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
38c00b 
 	size_t key_size = strlen(mk_hex) / 2;
38c00b 
@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
38c00b 
 	};
38c00b 
 	char key[128], tmp[128];
38c00b
38c00b 
-	const char *passphrase = "blabla";
38c00b 
 	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
38c00b 
 	size_t key_size = strlen(mk_hex) / 2;
38c00b 
 	const char *cipher = "aes";
38c00b 
@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
38c00b 
 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
38c00b 
 	OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
38c00b 
 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, &params));
38c00b 
-	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
38c00b 
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
38c00b 
 	CRYPT_FREE(cd);
38c00b 
 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
38c00b 
 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
38c00b 
@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
38c00b 
 		.key_description = KEY_DESC_TEST0
38c00b 
 	};
38c00b
38c00b 
-	OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
38c00b 
-	OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
38c00b 
+	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
38c00b 
+	OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
38c00b
38c00b 
 	/* crypt_load (unrestricted) */
38c00b 
 	OK_(crypt_init(&cd, DEVICE_5));
38c00b 
@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
38c00b 
 	OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
38c00b
38c00b 
 	/* crypt_keyslot_add_passphrase (restricted) */
38c00b 
-	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_keyslot_change_by_passphrase (restricted) */
38c00b 
-	FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_keyslot_add_by_keyfile (restricted) */
38c00b 
@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_volume_key_get (unrestricted, but see below) */
38c00b 
-	OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
38c00b 
+	OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
38c00b
38c00b 
 	/* crypt_keyslot_add_by_volume_key (restricted) */
38c00b 
-	FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_keyslot_add_by_key (restricted) */
38c00b 
-	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_keyslot_add_by_key (restricted) */
38c00b 
-	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_persistent_flasgs_set (restricted) */
38c00b 
@@ -3364,10 +3363,10 @@ static void Luks2Requirements(void)
38c00b 
 	EQ_(flags, (uint32_t) CRYPT_REQUIREMENT_UNKNOWN);
38c00b
38c00b 
 	/* crypt_activate_by_passphrase (restricted for activation only) */
38c00b 
-	FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
38c00b 
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
38c00b
38c00b 
 	/* crypt_activate_by_keyfile (restricted for activation only) */
38c00b 
@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
38c00b
38c00b 
 #ifdef KERNEL_KEYRING
38c00b 
 	if (t_dm_crypt_keyring_support()) {
38c00b 
-		kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
38c00b 
+		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
38c00b 
 		NOTFAIL_(kid, "Test or kernel keyring are broken.");
38c00b
38c00b 
 		/* crypt_activate_by_keyring (restricted for activation only) */
38c00b 
@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
38c00b 
 		EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
38c00b 
 		OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
38c00b 
 		OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
38c00b 
+
38c00b 
+		NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
38c00b 
 	}
38c00b 
 #endif
38c00b
38c00b 
@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
38c00b 
 	/* crypt_activate_by_token (restricted for activation only) */
38c00b 
 #ifdef KERNEL_KEYRING
38c00b 
 	if (t_dm_crypt_keyring_support()) {
38c00b 
+		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
38c00b 
+		NOTFAIL_(kid, "Test or kernel keyring are broken.");
38c00b 
+
38c00b 
 		FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
38c00b 
 		EQ_(r, -ETXTBSY);
38c00b 
 		OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
38c00b 
 		OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
38c00b 
+
38c00b 
+		NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
38c00b 
 	}
38c00b 
 #endif
38c00b 
 	OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
38c00b 
@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
38c00b 
 	CRYPT_FREE(cd);
38c00b 
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
38c00b 
 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
38c00b 
 	OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
38c00b 
 	/* replace header with no requirements */
38c00b 
 	OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
38c00b 
@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
38c00b 
 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
38c00b
38c00b 
 	/* crypt_resume_by_passphrase (restricted) */
38c00b 
-	FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
38c00b 
+	FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b
38c00b 
 	/* crypt_resume_by_keyfile (restricted) */
38c00b 
@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
38c00b
38c00b 
 	OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
38c00b 
 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
38c00b 
-	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
38c00b 
+	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
38c00b 
 	CRYPT_FREE(cd);
38c00b 
 	OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
38c00b
38c00b 
 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
38c00b 
 	/* load VK in keyring */
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
38c00b 
 	/* crypt_resize (restricted) */
38c00b 
 	FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
38c00b 
 	EQ_(r, -ETXTBSY);
38c00b 
@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
38c00b 
 		.integrity = "hmac(sha256)"
38c00b 
 	};
38c00b 
 	size_t key_size = 32 + 32;
38c00b 
-	const char *passphrase = "blabla";
38c00b 
 	const char *cipher = "aes";
38c00b 
 	const char *cipher_mode = "xts-random";
38c00b 
 	int ret;
38c00b 
@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
38c00b 
 		return;
38c00b 
 	}
38c00b
38c00b 
-	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
38c00b 
-	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
38c00b 
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
38c00b 
+	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
38c00b 
 	GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
38c00b 
 	CRYPT_FREE(cd);
38c00b
38c00b 
@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
38c00b 
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
38c00b 
 	OK_(set_fast_pbkdf(cd));
38c00b 
 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
38c00b 
-	OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
38c00b 
+	OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
38c00b
38c00b 
 	/* check we can refresh significant flags */
38c00b 
 	if (t_dm_crypt_discard_support()) {
38c00b 
-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
38c00b 
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
38c00b 
 		cad.flags = 0;
38c00b 
 	}
38c00b
38c00b 
 	if (t_dm_crypt_cpu_switch_support()) {
38c00b 
-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
38c00b 
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
38c00b 
 		cad.flags = 0;
38c00b
38c00b 
-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
 		cad.flags = 0;
38c00b
38c00b 
-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
 		cad.flags = 0;
38c00b 
 	}
38c00b
38c00b 
 	OK_(crypt_volume_key_keyring(cd, 0));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
38c00b 
 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
38c00b 
 	cad.flags = 0;
38c00b 
@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
38c00b 
 #ifdef KERNEL_KEYRING
38c00b 
 	if (t_dm_crypt_keyring_support()) {
38c00b 
 		OK_(crypt_volume_key_keyring(cd, 1));
38c00b 
-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
38c00b 
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
38c00b 
 		cad.flags = 0;
38c00b 
@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
38c00b
38c00b 
 	/* multiple flags at once */
38c00b 
 	if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
38c00b 
-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
38c00b 
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
38c00b 
 		cad.flags = 0;
38c00b 
 	}
38c00b
38c00b 
 	/* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
38c00b 
 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
38c00b 
 	cad.flags = 0;
38c00b
38c00b 
 	/* reload flag is dropped silently */
38c00b 
 	OK_(crypt_deactivate(cd, CDEVICE_1));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
38c00b
38c00b 
 	/* check read-only flag is not lost after reload */
38c00b 
 	OK_(crypt_deactivate(cd, CDEVICE_1));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
38c00b 
-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
38c00b 
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
38c00b 
 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
38c00b 
 	OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
38c00b 
 	cad.flags = 0;
38c00b 
@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
38c00b 
 	/* check LUKS2 with auth. enc. reload */
38c00b 
 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
38c00b 
 	if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, &params)) {
38c00b 
-		OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
38c00b 
+		OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
38c00b 
 		OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
38c00b 
 		OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
38c00b 
 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
38c00b 
@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
38c00b 
 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
38c00b 
 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
38c00b 
 		cad.flags = 0;
38c00b 
-		OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
38c00b 
+		OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
38c00b 
 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
38c00b 
 		FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
38c00b 
 		FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
38c00b 
-		FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
38c00b 
+		FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
38c00b 
 		OK_(crypt_deactivate(cd2, CDEVICE_2));
38c00b 
 	} else {
38c00b 
 		printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
38c00b 
@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
38c00b 
 	/* Use LUKS1 context on LUKS2 device */
38c00b 
 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
38c00b 
 	OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
38c00b 
-	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
38c00b 
-	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
38c00b 
+	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
38c00b 
+	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
38c00b 
 	CRYPT_FREE(cd2);
38c00b
38c00b 
 	/* Use PLAIN context on LUKS2 device */
38c00b 
@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
38c00b 
 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
38c00b 
 	OK_(set_fast_pbkdf(cd2));
38c00b 
 	OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
38c00b 
-	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
38c00b 
-	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
38c00b 
+	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
38c00b 
+	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
38c00b
38c00b 
 	OK_(crypt_deactivate(cd, CDEVICE_1));
38c00b
38c00b 
diff --git a/tests/api-test.c b/tests/api-test.c
38c00b 
index 2b2f0813..9bb6d2f1 100644
38c00b 
--- a/tests/api-test.c
38c00b 
+++ b/tests/api-test.c
38c00b 
@@ -65,8 +65,8 @@
38c00b 
 #define KEYFILE2 "key2.file"
38c00b 
 #define KEY2 "0123456789abcdef"
38c00b
38c00b 
-#define PASSPHRASE "blabla"
38c00b 
-#define PASSPHRASE1 "albalb"
38c00b 
+#define PASSPHRASE "blablabl"
38c00b 
+#define PASSPHRASE1 "albalbal"
38c00b
38c00b 
 #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
38c00b
38c00b 
@@ -321,6 +321,6 @@ static void AddDevicePlain(void)
38c00b 
 	char key[128], key2[128], path[128];
38c00b
38c00b 
-	const char *passphrase = PASSPHRASE;
38c00b 
+	const char *passphrase = "blabla";
38c00b 
 	// hashed hex version of PASSPHRASE
38c00b 
 	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
38c00b 
 	size_t key_size = strlen(mk_hex) / 2;
38c00b 
@@ -772,6 +772,10 @@ static void SuspendDevice(void)
38c00b 
 	OK_(crypt_deactivate(cd, CDEVICE_1));
38c00b 
 	CRYPT_FREE(cd);
38c00b
38c00b 
+	/* skip tests using empty passphrase */
38c00b 
+	if(_fips_mode)
38c00b 
+		return;
38c00b 
+
38c00b 
 	OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
38c00b 
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
38c00b
38c00b 
@@ -795,7 +799,7 @@ static void AddDeviceLuks(void)
38c00b 
 	};
38c00b 
 	char key[128], key2[128], key3[128];
38c00b
38c00b 
-	const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
38c00b 
+	const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
38c00b 
 	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
38c00b 
 	const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
38c00b 
 	size_t key_size = strlen(mk_hex) / 2;
38c00b 
diff --git a/tests/compat-test b/tests/compat-test
38c00b 
index 356b7283..6dc80041 100755
38c00b 
--- a/tests/compat-test
38c00b 
+++ b/tests/compat-test
38c00b 
@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
38c00b 
 	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
38c00b 
 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
38c00b 
 fi
38c00b 
+# skip tests using empty passphrase
38c00b 
+if [ ! fips_mode ]; then
38c00b 
 # empty keyfile
38c00b 
 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
38c00b 
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
38c00b 
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
38c00b 
+fi
38c00b 
 # open by volume key
38c00b 
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 $LOOPDEV || fail
38c00b 
 $CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
38c00b 
@@ -498,7 +501,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
38c00b 
 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
38c00b 
 # keyfile/passphrase
38c00b 
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
38c00b 
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
38c00b
38c00b 
 prepare "[18] RemoveKey passphrase and keyfile" reuse
38c00b 
@@ -723,12 +726,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
38c00b 
 [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
38c00b 
 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME  || fail
38c00b 
 $CRYPTSETUP -q luksClose $DEV_NAME || fail
38c00b 
+# skip tests using empty passphrase
38c00b 
+if [ ! fips_mode ]; then
38c00b 
 echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
38c00b 
 echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
38c00b 
 $CRYPTSETUP luksSuspend $DEV_NAME || fail
38c00b 
 $CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
38c00b 
 echo | $CRYPTSETUP luksResume $DEV_NAME || fail
38c00b 
 $CRYPTSETUP -q luksClose $DEV_NAME || fail
38c00b 
+fi
38c00b
38c00b 
 prepare "[27] luksOpen with specified key slot number" wipe
38c00b 
 # first, let's try passphrase option
38c00b 
diff --git a/tests/compat-test2 b/tests/compat-test2
38c00b 
index 2f18d7b6..c54dc7ea 100755
38c00b 
--- a/tests/compat-test2
38c00b 
+++ b/tests/compat-test2
38c00b 
@@ -421,10 +421,14 @@ if [ -d /dev/disk/by-uuid ] ; then
38c00b 
 	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
38c00b 
 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
38c00b 
 fi
38c00b 
+# skip tests using empty passphrases
38c00b 
+if [ ! fips_mode ]; then
38c00b 
 # empty keyfile
38c00b 
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
38c00b 
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
38c00b 
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
38c00b 
+fi
38c00b 
+
38c00b 
 # open by volume key
38c00b 
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 --type luks2 $LOOPDEV || fail
38c00b 
 $CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
38c00b 
@@ -471,7 +475,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
38c00b 
 echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
38c00b 
 # keyfile/passphrase
38c00b 
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
38c00b 
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
38c00b
38c00b 
 prepare "[18] RemoveKey passphrase and keyfile" reuse
38c00b 
@@ -949,14 +953,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
38c00b 
 echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
38c00b 
-echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
38c00b 
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
38c00b 
 echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
38c00b
38c00b 
 prepare "[38] luksAddKey unbound tests" wipe
38c00b 
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
38c00b 
 # unbound key may have arbitrary size
38c00b 
-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
38c00b 
-echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
38c00b 
+echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
38c00b 
+echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
38c00b 
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
38c00b 
 dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
38c00b 
 echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 512 -S 3 --master-key-file $KEY_FILE0 $LOOPDEV || fail
38c00b 
@@ -1048,10 +1052,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
38c00b 
 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
38c00b 
 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
38c00b 
 # unbound keyslot
38c00b 
-echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
38c00b 
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
38c00b 
 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
38c00b 
 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
38c00b 
-echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
38c00b 
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
38c00b 
 echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
38c00b 
 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
38c00b 
 [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
38c00b 
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
38c00b 
index 57c7fd98..ea88c210 100755
38c00b 
--- a/tests/keyring-compat-test
38c00b 
+++ b/tests/keyring-compat-test
38c00b 
@@ -21,7 +21,7 @@ NAME=testcryptdev
38c00b 
 CHKS_DMCRYPT=vk_in_dmcrypt.chk
38c00b 
 CHKS_KEYRING=vk_in_keyring.chk
38c00b
38c00b 
-PWD="aaa"
38c00b 
+PWD="aaablabl"
38c00b
38c00b 
 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
38c00b 
 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
38c00b 
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
38c00b 
index 433f4d4c..f6a84137 100755
38c00b 
--- a/tests/reencryption-compat-test
38c00b 
+++ b/tests/reencryption-compat-test
38c00b 
@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
38c00b
38c00b 
 MNT_DIR=./mnt_luks
38c00b 
 START_DIR=$(pwd)
38c00b 
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
38c00b 
+
38c00b 
+function fips_mode()
38c00b 
+{
38c00b 
+	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
38c00b 
+}
38c00b
38c00b 
 function del_scsi_device()
38c00b 
 {
38c00b 
@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
38c00b 
 $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
38c00b 
 # FIXME echo $PWD1 | $REENC ...
38c00b
38c00b 
+if [ ! fips_mode ]; then
38c00b 
 echo "[4] Encryption of not yet encrypted device"
38c00b 
 # well, movin' zeroes :-)
38c00b 
 OFFSET=2048
38c00b 
@@ -323,6 +330,7 @@ OFFSET=4096
38c00b 
 echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
38c00b 
 $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
38c00b 
 wipe_dev $LOOPDEV1
38c00b 
+fi
38c00b
38c00b 
 echo "[5] Reencryption using specific keyslot"
38c00b 
 echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
38c00b 
@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
38c00b 
 test_logging "[4096/512 sector]" || fail
38c00b 
 test_logging_tmpfs || fail
38c00b
38c00b 
+if [ ! fips_mode ]; then
38c00b 
 echo "[10] Removal of encryption"
38c00b 
 prepare 8192
38c00b 
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
38c00b 
@@ -405,6 +405,7 @@ echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_P
38c00b 
 check_hash $PWD1 $HASH4 $IMG_HDR
38c00b 
 $CRYPTSETUP isLuks $LOOPDEV1 && fail
38c00b 
 $CRYPTSETUP isLuks $IMG_HDR || fail
38c00b 
+fi # if [ ! fips_mode ]
38c00b
38c00b 
 remove_mapping
38c00b 
 exit 0
38c00b 
diff --git a/tests/ssh-plugin-test b/tests/ssh-plugin-test
38c00b 
index 0a440b93..5b3966e7 100755
38c00b 
--- a/tests/ssh-plugin-test
38c00b 
+++ b/tests/ssh-plugin-test
38c00b 
@@ -9,7 +9,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
38c00b 
 IMG="ssh_test.img"
38c00b 
 MAP="sshtest"
38c00b 
 USER="sshtest"
38c00b 
-PASSWD="sshtest"
38c00b 
+PASSWD="sshtest1"
38c00b 
 PASSWD2="sshtest2"
38c00b 
 LOOPDEV=$(losetup -f 2>/dev/null)
38c00b 
 SSH_OPTIONS="-o StrictHostKeyChecking=no"
38c00b 
--
38c00b 
2.38.1
38c00b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation