You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

98 lines
3.6 KiB

From 5d29bc014a33d9bdc1c5fb4b8add2f38850f46a8 Mon Sep 17 00:00:00 2001
From: Vojtech Trefny <vtrefny@redhat.com>
Date: Wed, 24 Feb 2021 14:44:03 +0100
Subject: [PATCH] crypto: Fix default key size for non XTS ciphers
512 bits should be default only for AES-XTS which needs two keys,
default for other modes must be 256 bits.
resolves: rhbz#1931847
---
src/plugins/crypto.c | 11 +++++++++--
src/plugins/crypto.h | 2 +-
tests/crypto_test.py | 36 ++++++++++++++++++++++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
index f4a2e8f0..1e7043fa 100644
--- a/src/plugins/crypto.c
+++ b/src/plugins/crypto.c
@@ -774,8 +774,15 @@ static gboolean luks_format (const gchar *device, const gchar *cipher, guint64 k
return FALSE;
}
- /* resolve requested/default key_size (should be in bytes) */
- key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8);
+ if (key_size == 0) {
+ if (g_str_has_prefix (cipher_specs[1], "xts-"))
+ key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2;
+ else
+ key_size = DEFAULT_LUKS_KEYSIZE_BITS;
+ }
+
+ /* key_size should be in bytes */
+ key_size = key_size / 8;
/* wait for enough random data entropy (if requested) */
if (min_entropy > 0) {
diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
index 71a1438d..a38724d9 100644
--- a/src/plugins/crypto.h
+++ b/src/plugins/crypto.h
@@ -36,7 +36,7 @@ typedef enum {
/* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */
#define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20
-#define DEFAULT_LUKS_KEYSIZE_BITS 512
+#define DEFAULT_LUKS_KEYSIZE_BITS 256
#define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
#define DEFAULT_LUKS2_SECTOR_SIZE 512
diff --git a/tests/crypto_test.py b/tests/crypto_test.py
index 0609a070..0aecc032 100644
--- a/tests/crypto_test.py
+++ b/tests/crypto_test.py
@@ -236,6 +236,42 @@ def test_luks2_format(self):
self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
self.assertEqual(int(m.group(1)), 5)
+ def _get_luks1_key_size(self, device):
+ _ret, out, err = run_command("cryptsetup luksDump %s" % device)
+ m = re.search(r"MK bits:\s*(\S+)\s*", out)
+ if not m or len(m.groups()) != 1:
+ self.fail("Failed to get key size information from:\n%s %s" % (out, err))
+ key_size = m.group(1)
+ if not key_size.isnumeric():
+ self.fail("Failed to get key size information from: %s" % key_size)
+ return int(key_size)
+
+ @tag_test(TestTags.SLOW, TestTags.CORE)
+ def test_luks_format_key_size(self):
+ """Verify that formating device as LUKS works"""
+
+ # aes-xts: key size should default to 512
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0)
+ self.assertTrue(succ)
+
+ key_size = self._get_luks1_key_size(self.loop_dev)
+ self.assertEqual(key_size, 512)
+
+ # aes-cbc: key size should default to 256
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
+ self.assertTrue(succ)
+
+ key_size = self._get_luks1_key_size(self.loop_dev)
+ self.assertEqual(key_size, 256)
+
+ # try specifying key size for aes-xts
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0)
+ self.assertTrue(succ)
+
+ key_size = self._get_luks1_key_size(self.loop_dev)
+ self.assertEqual(key_size, 256)
+
+
class CryptoTestResize(CryptoTestCase):
def _get_key_location(self, device):