libblockdev / 5d29bc0
crypto: Fix default key size for non XTS ciphers 512 bits should be default only for AES-XTS which needs two keys, default for other modes must be 256 bits. resolves: rhbz#1931847 Vojtech Trefny 3 years ago
3 changed file(s) with 46 addition(s) and 3 deletion(s).
773773 return FALSE;
774774 }
775775
776 /* resolve requested/default key_size (should be in bytes) */
777 key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8);
776 if (key_size == 0) {
777 if (g_str_has_prefix (cipher_specs[1], "xts-"))
778 key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2;
779 else
780 key_size = DEFAULT_LUKS_KEYSIZE_BITS;
781 }
782
783 /* key_size should be in bytes */
784 key_size = key_size / 8;
778785
779786 /* wait for enough random data entropy (if requested) */
780787 if (min_entropy > 0) {
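Review bot: The `g_str_has_prefix (cipher_specs[1], "xts-")` test assumes `cipher_specs[1]` is non-NULL and that the mode always carries an IV suffix; the code that splits and validates the cipher string is outside this hunk, so that should be confirmed there. A mode written as plain `xts` would not match and would get the 256-bit default, which XTS splits into two 128-bit keys. The new block would also benefit from a comment giving the reason for the doubling, e.g. `/* XTS splits the key in two halves, so double the default to keep 256-bit AES */`. Separately, `key_size / 8` still truncates a caller-supplied size that is not a multiple of 8 without reporting an error.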
3535 /* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */
3636 #define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20
3737
38 #define DEFAULT_LUKS_KEYSIZE_BITS 512
38 #define DEFAULT_LUKS_KEYSIZE_BITS 256
3939 #define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
4040 #define DEFAULT_LUKS2_SECTOR_SIZE 512
4141
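Review bot: `DEFAULT_LUKS_KEYSIZE_BITS` now means the per-key default rather than the size used with the default cipher, but nothing next to the define says so, and `DEFAULT_LUKS_CIPHER` directly below it is still an XTS cipher. Any other user of the macro (none is visible in this commit) that pairs it with an XTS mode would silently get 128-bit AES keys. A comment such as `/* default key size for non-XTS modes; XTS modes use twice this (two keys) */` above the define would make the contract explicit.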
234234 if not m or len(m.groups()) != 1:
235235 self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
236236 self.assertEqual(int(m.group(1)), 5)
237
238 def _get_luks1_key_size(self, device):
239 _ret, out, err = run_command("cryptsetup luksDump %s" % device)
240 m = re.search(r"MK bits:\s*(\S+)\s*", out)
241 if not m or len(m.groups()) != 1:
242 self.fail("Failed to get key size information from:\n%s %s" % (out, err))
243 key_size = m.group(1)
244 if not key_size.isnumeric():
245 self.fail("Failed to get key size information from: %s" % key_size)
246 return int(key_size)
247
248 @tag_test(TestTags.SLOW, TestTags.CORE)
249 def test_luks_format_key_size(self):
250 """Verify that formating device as LUKS works"""
251
252 # aes-xts: key size should default to 512
253 succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0)
254 self.assertTrue(succ)
255
256 key_size = self._get_luks1_key_size(self.loop_dev)
257 self.assertEqual(key_size, 512)
258
259 # aes-cbc: key size should default to 256
260 succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
261 self.assertTrue(succ)
262
263 key_size = self._get_luks1_key_size(self.loop_dev)
264 self.assertEqual(key_size, 256)
265
266 # try specifying key size for aes-xts
267 succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0)
268 self.assertTrue(succ)
269
270 key_size = self._get_luks1_key_size(self.loop_dev)
271 self.assertEqual(key_size, 256)
272
237273
238274 class CryptoTestResize(CryptoTestCase):
239275
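Review bot: The docstring of `test_luks_format_key_size` appears to be copied from a generic format test and does not describe what is checked; something like `"""Verify default and explicit key sizes used by LUKS format"""` would fit. In `_get_luks1_key_size` the exit status `_ret` of `cryptsetup luksDump` is discarded, so a failed dump is only reported as a regex mismatch; asserting on the status first would give a clearer failure, assuming `run_command` returns the exit code as its first element. The helper reads the `MK bits:` field, so only the LUKS1 path is covered; whether the LUKS2 format path shares the changed default logic is not visible here.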