You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
97 lines
3.6 KiB
97 lines
3.6 KiB
From 5d29bc014a33d9bdc1c5fb4b8add2f38850f46a8 Mon Sep 17 00:00:00 2001 |
|
From: Vojtech Trefny <vtrefny@redhat.com> |
|
Date: Wed, 24 Feb 2021 14:44:03 +0100 |
|
Subject: [PATCH] crypto: Fix default key size for non XTS ciphers |
|
|
|
512 bits should be default only for AES-XTS which needs two keys, |
|
default for other modes must be 256 bits. |
|
|
|
resolves: rhbz#1931847 |
|
--- |
|
src/plugins/crypto.c | 11 +++++++++-- |
|
src/plugins/crypto.h | 2 +- |
|
tests/crypto_test.py | 36 ++++++++++++++++++++++++++++++++++++ |
|
3 files changed, 46 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c |
|
index f4a2e8f0..1e7043fa 100644 |
|
--- a/src/plugins/crypto.c |
|
+++ b/src/plugins/crypto.c |
|
@@ -774,8 +774,15 @@ static gboolean luks_format (const gchar *device, const gchar *cipher, guint64 k |
|
return FALSE; |
|
} |
|
|
|
- /* resolve requested/default key_size (should be in bytes) */ |
|
- key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8); |
|
+ if (key_size == 0) { |
|
+ if (g_str_has_prefix (cipher_specs[1], "xts-")) |
|
+ key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2; |
|
+ else |
|
+ key_size = DEFAULT_LUKS_KEYSIZE_BITS; |
|
+ } |
|
+ |
|
+ /* key_size should be in bytes */ |
|
+ key_size = key_size / 8; |
|
|
|
/* wait for enough random data entropy (if requested) */ |
|
if (min_entropy > 0) { |
|
diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h |
|
index 71a1438d..a38724d9 100644 |
|
--- a/src/plugins/crypto.h |
|
+++ b/src/plugins/crypto.h |
|
@@ -36,7 +36,7 @@ typedef enum { |
|
/* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */ |
|
#define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20 |
|
|
|
-#define DEFAULT_LUKS_KEYSIZE_BITS 512 |
|
+#define DEFAULT_LUKS_KEYSIZE_BITS 256 |
|
#define DEFAULT_LUKS_CIPHER "aes-xts-plain64" |
|
#define DEFAULT_LUKS2_SECTOR_SIZE 512 |
|
|
|
diff --git a/tests/crypto_test.py b/tests/crypto_test.py |
|
index 0609a070..0aecc032 100644 |
|
--- a/tests/crypto_test.py |
|
+++ b/tests/crypto_test.py |
|
@@ -236,6 +236,42 @@ def test_luks2_format(self): |
|
self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err)) |
|
self.assertEqual(int(m.group(1)), 5) |
|
|
|
+ def _get_luks1_key_size(self, device): |
|
+ _ret, out, err = run_command("cryptsetup luksDump %s" % device) |
|
+ m = re.search(r"MK bits:\s*(\S+)\s*", out) |
|
+ if not m or len(m.groups()) != 1: |
|
+ self.fail("Failed to get key size information from:\n%s %s" % (out, err)) |
|
+ key_size = m.group(1) |
|
+ if not key_size.isnumeric(): |
|
+ self.fail("Failed to get key size information from: %s" % key_size) |
|
+ return int(key_size) |
|
+ |
|
+ @tag_test(TestTags.SLOW, TestTags.CORE) |
|
+ def test_luks_format_key_size(self): |
|
+ """Verify that formating device as LUKS works""" |
|
+ |
|
+ # aes-xts: key size should default to 512 |
|
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0) |
|
+ self.assertTrue(succ) |
|
+ |
|
+ key_size = self._get_luks1_key_size(self.loop_dev) |
|
+ self.assertEqual(key_size, 512) |
|
+ |
|
+ # aes-cbc: key size should default to 256 |
|
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0) |
|
+ self.assertTrue(succ) |
|
+ |
|
+ key_size = self._get_luks1_key_size(self.loop_dev) |
|
+ self.assertEqual(key_size, 256) |
|
+ |
|
+ # try specifying key size for aes-xts |
|
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0) |
|
+ self.assertTrue(succ) |
|
+ |
|
+ key_size = self._get_luks1_key_size(self.loop_dev) |
|
+ self.assertEqual(key_size, 256) |
|
+ |
|
+ |
|
class CryptoTestResize(CryptoTestCase): |
|
|
|
def _get_key_location(self, device):
|
|
|