import libblockdev-2.24-6.el8

2021-05-18 04:12:40 +00:00 · 2021-05-18 04:12:40 +00:00 · a456071d4d
parent 4136df5113
commit a456071d4d
2 changed files with 104 additions and 1 deletions
--- a/SOURCES/0004-Fix-default-key-size-for-non-XTS-ciphers.patch
+++ b/SOURCES/0004-Fix-default-key-size-for-non-XTS-ciphers.patch
@ -0,0 +1,97 @@
+From 5d29bc014a33d9bdc1c5fb4b8add2f38850f46a8 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:03 +0100
+Subject: [PATCH] crypto: Fix default key size for non XTS ciphers
+
+512 bits should be default only for AES-XTS which needs two keys,
+default for other modes must be 256 bits.
+
+resolves: rhbz#1931847
+---
+ src/plugins/crypto.c | 11 +++++++++--
+ src/plugins/crypto.h |  2 +-
+ tests/crypto_test.py | 36 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index f4a2e8f0..1e7043fa 100644
+--- a/src/plugins/crypto.c
+++ b/src/plugins/crypto.c
+@@ -774,8 +774,15 @@ static gboolean luks_format (const gchar *device, const gchar *cipher, guint64 k
+         return FALSE;
+     }
+ 
+-    /* resolve requested/default key_size (should be in bytes) */
+-    key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8);
+    if (key_size == 0) {
+        if (g_str_has_prefix (cipher_specs[1], "xts-"))
+            key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2;
+        else
+            key_size = DEFAULT_LUKS_KEYSIZE_BITS;
+    }
+
+    /* key_size should be in bytes */
+    key_size = key_size / 8;
+ 
+     /* wait for enough random data entropy (if requested) */
+     if (min_entropy > 0) {
+diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
+index 71a1438d..a38724d9 100644
+--- a/src/plugins/crypto.h
+++ b/src/plugins/crypto.h
+@@ -36,7 +36,7 @@ typedef enum {
+ /* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */
+ #define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20
+ 
+-#define DEFAULT_LUKS_KEYSIZE_BITS 512
+#define DEFAULT_LUKS_KEYSIZE_BITS 256
+ #define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
+ #define DEFAULT_LUKS2_SECTOR_SIZE 512
+ 
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 0609a070..0aecc032 100644
+--- a/tests/crypto_test.py
+++ b/tests/crypto_test.py
+@@ -236,6 +236,42 @@ def test_luks2_format(self):
+             self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
+         self.assertEqual(int(m.group(1)), 5)
+ 
+    def _get_luks1_key_size(self, device):
+        _ret, out, err = run_command("cryptsetup luksDump %s" % device)
+        m = re.search(r"MK bits:\s*(\S+)\s*", out)
+        if not m or len(m.groups()) != 1:
+            self.fail("Failed to get key size information from:\n%s %s" % (out, err))
+        key_size = m.group(1)
+        if not key_size.isnumeric():
+            self.fail("Failed to get key size information from: %s" % key_size)
+        return int(key_size)
+
+    @tag_test(TestTags.SLOW, TestTags.CORE)
+    def test_luks_format_key_size(self):
+        """Verify that formating device as LUKS works"""
+
+        # aes-xts: key size should default to 512
+        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0)
+        self.assertTrue(succ)
+
+        key_size = self._get_luks1_key_size(self.loop_dev)
+        self.assertEqual(key_size, 512)
+
+        # aes-cbc: key size should default to 256
+        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
+        self.assertTrue(succ)
+
+        key_size = self._get_luks1_key_size(self.loop_dev)
+        self.assertEqual(key_size, 256)
+
+        # try specifying key size for aes-xts
+        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0)
+        self.assertTrue(succ)
+
+        key_size = self._get_luks1_key_size(self.loop_dev)
+        self.assertEqual(key_size, 256)
+
+
+ class CryptoTestResize(CryptoTestCase):
+ 
+     def _get_key_location(self, device):
--- a/SPECS/libblockdev.spec
+++ b/SPECS/libblockdev.spec
@ -125,7 +125,7 @@

 Name:        libblockdev
 Version:     2.24
-Release:     5%{?dist}
+Release:     6%{?dist}
 Summary:     A library for low-level manipulation with block devices
 License:     LGPLv2+
 URL:         https://github.com/storaged-project/libblockdev
@ -133,6 +133,7 @@ Source0:     https://github.com/storaged-project/libblockdev/releases/download/%
 Patch0:      0001-exec-Fix-setting-locale-for-util-calls.patch
 Patch1:      0002-exec-polling-fixes.patch
 Patch2:      0003-LVM-thin-metadata-calculation-fix.patch
+Patch3:      0004-Fix-default-key-size-for-non-XTS-ciphers.patch

 BuildRequires: glib2-devel
 %if %{with_gi}
@ -691,6 +692,7 @@ A meta-package that pulls all the libblockdev plugins as dependencies.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 autoreconf -ivf
@ -994,6 +996,10 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %files plugins-all

 %changelog
+* Fri May 14 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.24-6
+- Fix default key size for non XTS ciphers
+  Resolves: rhbz#1931847
+
 * Mon Jan 11 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.24-5
 - Fix LVM thin metadata calculation fix
  Resolves: rhbz#1901714