98 lines
3.6 KiB
Diff
98 lines
3.6 KiB
Diff
From 5d29bc014a33d9bdc1c5fb4b8add2f38850f46a8 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Trefny <vtrefny@redhat.com>
|
|
Date: Wed, 24 Feb 2021 14:44:03 +0100
|
|
Subject: [PATCH] crypto: Fix default key size for non XTS ciphers
|
|
|
|
512 bits should be default only for AES-XTS which needs two keys,
|
|
default for other modes must be 256 bits.
|
|
|
|
resolves: rhbz#1931847
|
|
---
|
|
src/plugins/crypto.c | 11 +++++++++--
|
|
src/plugins/crypto.h | 2 +-
|
|
tests/crypto_test.py | 36 ++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 46 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
|
|
index f4a2e8f0..1e7043fa 100644
|
|
--- a/src/plugins/crypto.c
|
|
+++ b/src/plugins/crypto.c
|
|
@@ -774,8 +774,15 @@ static gboolean luks_format (const gchar *device, const gchar *cipher, guint64 k
|
|
return FALSE;
|
|
}
|
|
|
|
- /* resolve requested/default key_size (should be in bytes) */
|
|
- key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8);
|
|
+ if (key_size == 0) {
|
|
+ if (g_str_has_prefix (cipher_specs[1], "xts-"))
|
|
+ key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2;
|
|
+ else
|
|
+ key_size = DEFAULT_LUKS_KEYSIZE_BITS;
|
|
+ }
|
|
+
|
|
+ /* key_size should be in bytes */
|
|
+ key_size = key_size / 8;
|
|
|
|
/* wait for enough random data entropy (if requested) */
|
|
if (min_entropy > 0) {
|
|
diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
|
|
index 71a1438d..a38724d9 100644
|
|
--- a/src/plugins/crypto.h
|
|
+++ b/src/plugins/crypto.h
|
|
@@ -36,7 +36,7 @@ typedef enum {
|
|
/* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */
|
|
#define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20
|
|
|
|
-#define DEFAULT_LUKS_KEYSIZE_BITS 512
|
|
+#define DEFAULT_LUKS_KEYSIZE_BITS 256
|
|
#define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
|
|
#define DEFAULT_LUKS2_SECTOR_SIZE 512
|
|
|
|
diff --git a/tests/crypto_test.py b/tests/crypto_test.py
|
|
index 0609a070..0aecc032 100644
|
|
--- a/tests/crypto_test.py
|
|
+++ b/tests/crypto_test.py
|
|
@@ -236,6 +236,42 @@ def test_luks2_format(self):
|
|
self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
|
|
self.assertEqual(int(m.group(1)), 5)
|
|
|
|
+ def _get_luks1_key_size(self, device):
|
|
+ _ret, out, err = run_command("cryptsetup luksDump %s" % device)
|
|
+ m = re.search(r"MK bits:\s*(\S+)\s*", out)
|
|
+ if not m or len(m.groups()) != 1:
|
|
+ self.fail("Failed to get key size information from:\n%s %s" % (out, err))
|
|
+ key_size = m.group(1)
|
|
+ if not key_size.isnumeric():
|
|
+ self.fail("Failed to get key size information from: %s" % key_size)
|
|
+ return int(key_size)
|
|
+
|
|
+ @tag_test(TestTags.SLOW, TestTags.CORE)
|
|
+ def test_luks_format_key_size(self):
|
|
+ """Verify that formating device as LUKS works"""
|
|
+
|
|
+ # aes-xts: key size should default to 512
|
|
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0)
|
|
+ self.assertTrue(succ)
|
|
+
|
|
+ key_size = self._get_luks1_key_size(self.loop_dev)
|
|
+ self.assertEqual(key_size, 512)
|
|
+
|
|
+ # aes-cbc: key size should default to 256
|
|
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
|
|
+ self.assertTrue(succ)
|
|
+
|
|
+ key_size = self._get_luks1_key_size(self.loop_dev)
|
|
+ self.assertEqual(key_size, 256)
|
|
+
|
|
+ # try specifying key size for aes-xts
|
|
+ succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0)
|
|
+ self.assertTrue(succ)
|
|
+
|
|
+ key_size = self._get_luks1_key_size(self.loop_dev)
|
|
+ self.assertEqual(key_size, 256)
|
|
+
|
|
+
|
|
class CryptoTestResize(CryptoTestCase):
|
|
|
|
def _get_key_location(self, device):
|