#
348588 |
|
03-Jun-2019 |
jhb |
MFC 348206,348231,348454: GELI crypto deprecation warnings.
348206: Add deprecation warnings for weaker algorithms to geli(4).
- Triple DES has been formally deprecated in Kerberos (RFC 8429) and is soon to be deprecated in IPsec (RFC 8221).
- Blowfish is deprecated. FreeBSD doesn't support its successor (Twofish).
- MD5 is generally considered a weak digest that has known attacks.
geli refuses to create new volumes using these algorithms via 'geli init'. It also warns when attaching to existing volumes or creating temporary volumes via 'geli onetime'. The plan is to fully remove support for these algorithms in FreeBSD 13.
Note that none of these algorithms have ever been the default algorithm used by geli(8). Users would have had to explicitly select these algorithms when creating volumes in the past.
348231: Correct the argument passed to g_eli_algo2str()
348454: Remove tests for the deprecated algorithms in r348206
The tests are failing because the return value and output have changed, but before the test code structure is adjusted, removing these test cases helps people focus on more important cases.
Approved by: re (gjb)
Relnotes: yes
|
#
345394 |
|
21-Mar-2019 |
asomers |
MFC r341390, r341392, r341667
r341390: Remove some dead code from the geli tests
This is detritus in the Makefile, leftover from 327662.
r341392: Unbreak geli/gmirror testcases if their geom classes cannot be loaded
The problem with the logic prior to this commit was twofold:
1. The wrong set of idioms (TAP-compatible) were being applied to the ATF testcases when run, resulting in confusing ATF failure results on setup.
2. The cleanup subroutines were broken when the geom classes could not be loaded as they exited with 0 unexpectedly.
This commit changes the test code to source the class-specific configuration (conf.sh) once globally, instead of sourcing it per testcase and per cleanup subroutine, and to call the ATF-specific setup subroutine(s) inline in the testcases.
The refactoring done is effectively a no-op for the TAP testcases, modulo any refactoring done to create common code between the ATF and TAP testcases.
This unbreaks the geli testcases converted to ATF in r327662 and r327683, and the gmirror testcases added in r327780, respectively, when the geom class could not be loaded.
tests/sys/geom/class/mirror/...
While here, ignore errors when turning debug failpoint sysctl off, which could occur if the gmirror class was not loaded.
Submitted by: ngie
Pull Request: https://github.com/freebsd/freebsd/pull/241
r341667: geom tests: Fix cleanup of ATF tests since r341392
r341392 changed common test cleanup routines in a way that allowed them to be used by TAP tests as well as ATF tests. However, a late change made during code review resulted in cleanup being broken for ATF tests, which source geom_subr.sh separately during the body and cleanup phases of the test. The result was that md(4) devices wouldn't get cleaned up.
X-MFC-With: 341392
|
#
328811 |
|
02-Feb-2018 |
asomers |
MFC geli test suite changes
MFC r306188, r306395, r327346-r327347, r327352-r327353, r327662, r327666, r327682-r327683, r327685
r306188 by br: Use bsdlabel as we don't have hardlink disklabel -> bsdlabel on some platforms.
Reviewed by: ngie
Sponsored by: DARPA, AFRL
Sponsored by: HEIF5
Differential Revision: https://reviews.freebsd.org/D7968
r306395 by br: Increase timeouts for geli tests.
It takes 2-3x more time to proceed with the tests on MIPS64EB in QEMU.
Sponsored by: DARPA, AFRL
Sponsored by: HEIF5
r327346: Fix potential TOCTTOU bug in the geli tests
This change mostly reverts r293436, which introduced the bug due to a belief that geli(8) would allocate md(4) devices by itself. However, that belief is incorrect. Instead of using linear probing to find available md(4) numbers, it's best to use the existing attach_md function.
Reviewed by: ngie
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D13666
r327347: geli: factor out some common code in the geli tests
No functional change.
Sponsored by: Spectra Logic Corp
r327352: Fix a harmless typo from r310786
I copy/pasted a reference to an undefined shell variable.
r327353: geli: fix the resize test on arm64
The resize test used bsdlabel(8), which is not available on all architectures. Change it to use gpart(8) instead, which should be available everywhere.
PR: 221763
Reported by: andrew
r327662: geli: convert most tests from TAP to ATF
I'm leaving readonly_test and nokey_test alone for now. In a future commit they should be broken up into several smaller test cases and distributed between multiple files.
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D13717
r327666: geli: fix parallel execution of tests
The trick is not to destroy an md(4) device during a test. That can create a "double-free" situation, because we also destroy md devices during test cleanup.
r327682: Fix typo from r327666
X-MFC-With: 327666
r327683: geli: convert remaining TAP tests to ATF
r327685: geli: optimize tests
Reduce the geli tests' runtime by about a third:
* In integrity_test:copy, use a file-backed md(4) device instead of a malloc'd one. That way we can corrupt the underlying storage without needing to detach and reattach the geli device.
* In integrity_test:{copy, hmac, data} and onetime_test:{onetime, onetime_a}, move reads of /dev/random out of the loop.
|
#
312829 |
|
26-Jan-2017 |
asomers |
MFC r310786, r310803, r310985, r311894
r310786: Reduce the runtime of the GELI tests
There is no reduction in test coverage. On my system runtime is reduced from 38m32s to 6m24s.
tests/sys/geom/class/eli/conf.sh
tests/sys/geom/class/eli/init_a_test.sh
tests/sys/geom/class/eli/init_test.sh
tests/sys/geom/class/eli/integrity_copy_test.sh
tests/sys/geom/class/eli/integrity_data_test.sh
tests/sys/geom/class/eli/integrity_hmac_test.sh
tests/sys/geom/class/eli/onetime_a_test.sh
tests/sys/geom/class/eli/onetime_test.sh
Move the looping code into common functions in conf.sh, and remove alias ciphers from the list.
tests/sys/geom/class/eli/init_a_test.sh
tests/sys/geom/class/eli/init_test.sh
tests/sys/geom/class/eli/integrity_copy_test.sh
tests/sys/geom/class/eli/integrity_data_test.sh
tests/sys/geom/class/eli/integrity_hmac_test.sh
tests/sys/geom/class/eli/onetime_a_test.sh
Move a few commands that don't need to be in the inner loop out.
tests/sys/geom/class/eli/init_test.sh
tests/sys/geom/class/eli/onetime_a_test.sh
Reduce the sector count
tests/sys/geom/class/eli/Makefile
tests/sys/geom/class/eli/init_alias_test.sh
Add a test for initializing a GELI device using one of the cipher aliases, and check that the alias is correctly interpreted.
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D8814
r310803: ATFify the gnop tests
Also, add test cases for the -p, -P, and -s options to gnop create
Reviewed by: ngie
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D8892
r310985: Update ObsoleteFiles.inc for r310803
MFC after: 26 days
X-MFC-with: 310803
r311894: Fix typo from change 310985 in ObsoleteFiles.inc
MFC after: 16 days
X-MFC-With: 310803
Sponsored by: Spectra Logic Corp
|
#
293821 |
|
13-Jan-2016 |
ngie |
Integrate tools/regression/geom_{concat,eli,gate,mirror,nop,raid3,shsec,stripe,uzip} into the FreeBSD test suite as tests/sys/geom/class/{concat,eli,gate,mirror,nop,raid3,shsec,stripe,uzip}
The tools/regression/geom and tools/regression/geom_part testcases are being left alone because both test sets are currently broken.
The majority of this work was done on ^/user/ngie/more-tests2 . The differences are as follows:
- tests/sys/geom/class/Makefile.inc is not present; it was inlined into the class's Makefiles for explicitness.
- The testcases officially require root via kyua
- The geom_gate(4) tests don't use the pidfile changes proposed in https://reviews.freebsd.org/D4836 .
MFC after: 1 month
Sponsored by: EMC / Isilon Storage Division
|
#
293436 |
|
08-Jan-2016 |
ngie |
- Add a conf.sh file for executing common functions with geli
-- Use linear probing to find the first unique md(4) device, unlike the other code which uses attach_md, as geli(8) allocates the md(4) devices itself
- Don't hardcode /tmp for temporary files, which violates the kyua sandbox
MFC after: 3 weeks
Sponsored by: EMC / Isilon Storage Division
|