diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c
--- cryptsetup-2.4.3.old/tests/api-test.c 2022-02-17 16:37:09.535345938 +0100
+++ cryptsetup-2.4.3/tests/api-test.c 2022-02-17 16:37:29.156459763 +0100
@@ -312,7 +312,7 @@ static int _setup(void)
static void AddDevicePlain(void)
{
struct crypt_params_plain params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -322,7 +322,7 @@ static void AddDevicePlain(void)
const char *passphrase = PASSPHRASE;
// hashed hex version of PASSPHRASE
- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
size_t key_size = strlen(mk_hex) / 2;
const char *cipher = "aes";
const char *cipher_mode = "cbc-essiv:sha256";
@@ -438,7 +438,7 @@ static void AddDevicePlain(void)
OK_(crypt_deactivate(cd,CDEVICE_1));
CRYPT_FREE(cd);
- params.hash = "sha1";
+ params.hash = "sha256";
params.offset = 0;
params.size = 0;
params.skip = 0;
@@ -620,7 +620,7 @@ static void new_log(int level, const cha
static void CallbacksTest(void)
{
struct crypt_params_plain params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
};
@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)
.data_alignment = 2048, // 4M, data offset will be 4096
};
struct crypt_params_plain pl_params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)
.data_alignment = 2048,
};
struct crypt_params_plain pl_params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c
--- cryptsetup-2.4.3.old/tests/api-test-2.c 2022-02-17 16:37:09.535345938 +0100
+++ cryptsetup-2.4.3/tests/api-test-2.c 2022-02-17 16:37:29.155459758 +0100
@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)
.sector_size = 512
};
struct crypt_params_plain pl_params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)
};
uint32_t flags = 0;
- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
size_t key_size = strlen(mk_hex) / 2;
const char *cipher = "aes";
const char *cipher_mode = "cbc-essiv:sha256";
@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)
.sector_size = 512
};
struct crypt_params_plain pl_params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -2142,7 +2142,7 @@ static void LuksConvert(void)
.parallel_threads = 1
}, pbkdf2 = {
.type = CRYPT_KDF_PBKDF2,
- .hash = "sha1",
+ .hash = "sha256",
.time_ms = 1
};
@@ -2675,7 +2675,7 @@ static void Pbkdf(void)
.hash = default_luks1_hash
};
struct crypt_params_plain params = {
- .hash = "sha1",
+ .hash = "sha256",
.skip = 0,
.offset = 0,
.size = 0
@@ -2874,11 +2874,11 @@ static void Pbkdf(void)
pbkdf2.time_ms = 9;
pbkdf2.hash = NULL;
FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");
- pbkdf2.hash = "sha1";
+ pbkdf2.hash = "sha256";
OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
argon2.time_ms = 9;
- argon2.hash = "sha1"; // will be ignored
+ argon2.hash = "sha256"; // will be ignored
OK_(crypt_set_pbkdf_type(cd, &argon2));
argon2.hash = NULL;
OK_(crypt_set_pbkdf_type(cd, &argon2));
@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)
struct crypt_params_reencrypt retparams = {}, rparams = {
.direction = CRYPT_REENCRYPT_FORWARD,
.resilience = "checksum",
- .hash = "sha1",
+ .hash = "sha256",
.luks2 = ¶ms2,
};
dev_t devno;
@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)
rparams.hash = "hamSter";
FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");
- rparams.hash = "sha1";
+ rparams.hash = "sha256";
OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));
OK_(crypt_reencrypt_run(cd, NULL, NULL));
diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
--- cryptsetup-2.4.3.old/tests/compat-test 2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/compat-test 2022-02-17 16:37:29.157459769 +0100
@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $
prepare "[1] open - compat image - acceptance check" new
echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
check_exists
-ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# Check it can be opened from header backup as well
@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || f
$CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
# Repeat for V1.0 header - not aligned first keyslot
+if [ ! fips_mode ] ; then
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
check_exists
ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he
echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
check_exists
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
prepare "[2] open - compat image - denial check" new
echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
prepare "[19] create & status & resize" wipe
echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
$CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
$CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
# 4k sector resize (if kernel supports it)
-echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
if [ $? -eq 0 ] ; then
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
$CRYPTSETUP -q resize $DEV_NAME --size 16 || fail
@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then
fi
# Resize not aligned to logical block size
add_scsi_device dev_size_mb=32 sector_size=4096
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
$CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME
test $OLD_SIZE -eq $NEW_SIZE || fail
$CRYPTSETUP close $DEV_NAME || fail
# Add check for unaligned plain crypt activation
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
# verify is ignored on non-tty input
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST
dmsetup remove --retry $DEV_NAME2
prepare "[25] Create shared segments" wipe
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
$CRYPTSETUP -q remove $DEV_NAME2 || fail
$CRYPTSETUP -q remove $DEV_NAME || fail
prepare "[26] Suspend/Resume" wipe
# only LUKS is supported
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q remove $DEV_NAME || fail
diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
--- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/compat-test2 2022-02-17 16:37:29.158459775 +0100
@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
$CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
# hash test
-$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test
--- cryptsetup-2.4.3.old/tests/discards-test 2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/discards-test 2022-02-17 16:37:29.158459775 +0100
@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis
$CRYPTSETUP luksClose $DEV_NAME || fail
echo "[2] Allowing discards for plain device"
-echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
$CRYPTSETUP resize $DEV_NAME --size 100 || fail
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test
--- cryptsetup-2.4.3.old/tests/integrity-compat-test 2022-02-17 16:37:09.542345979 +0100
+++ cryptsetup-2.4.3/tests/integrity-compat-test 2022-02-17 16:37:29.159459781 +0100
@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag
echo -n "[FORMAT]"
$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
if [ $? -ne 0 ] ; then
- if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
+ if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
fail "Cannot format device."
fi
echo "[N/A]"
@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize
echo -n "[INTEGRITY:$1:$2:$4:$5]"
echo -n "[FORMAT]"
- $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
+ $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
+ fail "Cannot format device."
+ fi
+ echo "[N/A]"
+ return
+ fi
echo -n "[ACTIVATE]"
$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
--- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-02-17 16:37:09.542345979 +0100
+++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-02-17 16:39:07.132028140 +0100
@@ -119,7 +119,7 @@ add_device() {
which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"
which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped"
-which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped"
+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped"
modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$
#test aes cipher with xts mode, plain IV
echo -n "Testing $CIPHER_XTS_PLAIN..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
# same test using message
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
dmsetup suspend $NAME || fail
dmsetup message $NAME 0 key wipe || fail
dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
echo "OK"
@@ -156,23 +156,23 @@ echo "OK"
#test aes cipher, xts mode, essiv IV
echo -n "Testing $CIPHER_CBC_ESSIV..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
# same test using message
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
dmsetup suspend $NAME || fail
dmsetup message $NAME 0 key wipe || fail
dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
echo "OK"
@@ -181,23 +181,23 @@ echo "OK"
fips_mode || {
echo -n "Testing $CIPHER_CBC_TCW..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
# same test using message
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
dmsetup remove --retry $NAME || fail
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
dmsetup suspend $NAME || fail
dmsetup message $NAME 0 key wipe || fail
dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
dmsetup remove --retry $NAME || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
echo "OK"
@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."
echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail
echo $PWD | $CRYPTSETUP open $DEV $NAME || fail
$CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail
echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail
$CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail
diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
echo "OK"
diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test
--- cryptsetup-2.4.3.old/tests/password-hash-test 2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/password-hash-test 2022-02-17 16:37:29.160459787 +0100
@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name
esac
# ignore these cases, not all libs/kernel supports it
- if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
+ if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
if [ $ret -ne 0 ] ; then
echo " [N/A] ($ret, SKIPPED)"
return
diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test
--- cryptsetup-2.4.3.old/tests/reencryption-compat-test 2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/reencryption-compat-test 2022-02-17 16:37:29.160459787 +0100
@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]"
echo "[OK]"
echo "[8] Header only reencryption (hash and iteration time)"
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
wipe $PWD1
check_hash $PWD1 $HASH1
echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail
diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test
--- cryptsetup-2.4.3.old/tests/verity-compat-test 2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/verity-compat-test 2022-02-17 16:37:29.161459793 +0100
@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2
for fail in data hash; do
wipe
echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "
- $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
+ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT
+ if [ $? -ne 0 ] ; then
+ if [[ $1 =~ "sha2" ]] ; then
+ fail "Cannot format device."
+ fi
+ return
+ fi
echo -n "[root hash]"
compare_out "root hash" $2