#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
#
# FS QA Test generic/399
#
# Check for weaknesses in filesystem encryption involving the same ciphertext
# being repeated.  For file contents, we fill a small filesystem with large
# files of 0's and verify the filesystem is incompressible.  For filenames, we
# create an identical symlink in two different directories and verify the
# ciphertext filenames and symlink targets are different.
#
# This test can detect some basic cryptographic mistakes such as nonce reuse
# (across files), initialization vector reuse (across blocks), or data somehow
# being left in plaintext by accident.  For example, it detects the
# initialization vector reuse bug fixed in commit 02fc59a0d28f ("f2fs/crypto:
# fix xts_tweak initialization").
#
. ./common/preamble
_begin_fstest auto encrypt

# Import common functions.
. ./common/filter
. ./common/encrypt

# real QA test starts here
_supported_fs generic
_require_scratch_encryption
_require_symlinks
_require_command "$XZ_PROG" xz
_require_command "$KEYCTL_PROG" keyctl

_init_session_keyring

#
# Set up a small filesystem containing an encrypted directory.  64 MB is enough
# for both ext4 and f2fs (f2fs doesn't support a 32 MB filesystem).  Before
# creating the filesystem, zero out the needed portion of the device so that
# existing data on the device doesn't contribute to the compressed size.
#
fs_size_in_mb=64
fs_size=$((fs_size_in_mb * 1024 * 1024))
dd if=/dev/zero of=$SCRATCH_DEV bs=$((1024 * 1024)) \
	count=$fs_size_in_mb &>> $seqres.full
_scratch_mkfs_sized_encrypted $fs_size &>> $seqres.full
_scratch_mount

keydesc=$(_generate_session_encryption_key)
mkdir $SCRATCH_MNT/encrypted_dir
_set_encpolicy $SCRATCH_MNT/encrypted_dir $keydesc

# Create the "same" symlink in two different directories.
# Later we'll check both the name and target of the symlink.
mkdir $SCRATCH_MNT/encrypted_dir/subdir1
mkdir $SCRATCH_MNT/encrypted_dir/subdir2
ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir1/symlink
ln -s symlink_target $SCRATCH_MNT/encrypted_dir/subdir2/symlink

#
# Write files of 1 MB of all the same byte until we hit ENOSPC.  Note that we
# must not create sparse files, since the contents of sparse files are not
# stored on-disk.  Also, we create multiple files rather than one big file
# because we want to test for reuse of per-file keys.
#
total_file_size=0
i=1
while true; do
	file=$SCRATCH_MNT/encrypted_dir/file$i

	$XFS_IO_PROG -f $file -c 'pwrite 0 1M' &> $tmp.out
	echo "Writing $file..." >> $seqres.full
	cat $tmp.out >> $seqres.full

	file_size=0
	if [ -e $file ]; then
		file_size=$(_get_filesize $file)
	fi

	# We shouldn't have been able to write more data than we had space for.
	(( total_file_size += file_size ))
	if (( total_file_size > fs_size )); then
		_fail "Wrote $total_file_size bytes but should have only" \
		      "had space for $fs_size bytes at most!"
	fi

	# Stop if we hit ENOSPC.
	if grep -q 'No space left on device' $tmp.out; then
		break
	fi

	# Otherwise the file should have been successfully created.
	if [ ! -e $file ]; then
		_fail "$file failed to be created, but the fs isn't out of space yet!"
	fi
	if (( file_size != 1024 * 1024 )); then
		_fail "Size of $file is wrong (possible write error?)." \
		      "Got $file_size, expected 1 MiB"
	fi
	(( i++ ))
done

#
# Unmount the filesystem and compute its compressed size.  It must be no smaller
# than the amount of data that was written; otherwise there was a compromise in
# the confidentiality of the data.  False positives should not be possible
# because filesystem metadata will also contribute to the compressed size.
#
# Note: it's important to use a strong compressor such as xz which can detect
# redundancy across most or all of the filesystem.  We run xz with a 64 MB
# sliding window but use some custom settings to make it faster and use less
# memory than the '-9' preset.  The memory needed with our settings will be
# 64 * 6.5 = 416 MB; see xz(1).
#
_unlink_session_encryption_key $keydesc
_scratch_unmount
fs_compressed_size=$(head -c $fs_size $SCRATCH_DEV | \
	xz --lzma2=dict=64M,mf=hc4,mode=fast,nice=16 | \
	wc -c)

if (( $fs_compressed_size < $total_file_size )); then
	echo "FAIL: filesystem was compressible" \
		"($total_file_size bytes => $fs_compressed_size bytes)"
else
	echo "PASS: ciphertexts were not repeated for contents"
fi

# Verify that encrypted filenames and symlink targets were not reused.  Note
# that since the ciphertexts should be unpredictable, we cannot simply include
# the expected names in the expected output file.
_scratch_mount
find $SCRATCH_MNT/encrypted_dir -type l | wc -l
link1=$(find $SCRATCH_MNT/encrypted_dir -type l | head -1)
link2=$(find $SCRATCH_MNT/encrypted_dir -type l | tail -1)
[ $(basename $link1) = $(basename $link2) ] && \
	echo "Encrypted filenames were reused!"
[ $(readlink $link1) = $(readlink $link2) ] && \
	echo "Encrypted symlink targets were reused!"

# success, all done
status=0
exit
