Blame SOURCES/0004-Fix-default-key-size-for-non-XTS-ciphers.patch

cb9006
From 5d29bc014a33d9bdc1c5fb4b8add2f38850f46a8 Mon Sep 17 00:00:00 2001
cb9006
From: Vojtech Trefny <vtrefny@redhat.com>
cb9006
Date: Wed, 24 Feb 2021 14:44:03 +0100
cb9006
Subject: [PATCH] crypto: Fix default key size for non XTS ciphers
cb9006
cb9006
512 bits should be default only for AES-XTS which needs two keys,
cb9006
default for other modes must be 256 bits.
cb9006
cb9006
resolves: rhbz#1931847
cb9006
---
cb9006
 src/plugins/crypto.c | 11 +++++++++--
cb9006
 src/plugins/crypto.h |  2 +-
cb9006
 tests/crypto_test.py | 36 ++++++++++++++++++++++++++++++++++++
cb9006
 3 files changed, 46 insertions(+), 3 deletions(-)
cb9006
cb9006
diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
cb9006
index f4a2e8f0..1e7043fa 100644
cb9006
--- a/src/plugins/crypto.c
cb9006
+++ b/src/plugins/crypto.c
cb9006
@@ -774,8 +774,15 @@ static gboolean luks_format (const gchar *device, const gchar *cipher, guint64 k
cb9006
         return FALSE;
cb9006
     }
cb9006
 
cb9006
-    /* resolve requested/default key_size (should be in bytes) */
cb9006
-    key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8);
cb9006
+    if (key_size == 0) {
cb9006
+        if (g_str_has_prefix (cipher_specs[1], "xts-"))
cb9006
+            key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2;
cb9006
+        else
cb9006
+            key_size = DEFAULT_LUKS_KEYSIZE_BITS;
cb9006
+    }
cb9006
+
cb9006
+    /* key_size should be in bytes */
cb9006
+    key_size = key_size / 8;
cb9006
 
cb9006
     /* wait for enough random data entropy (if requested) */
cb9006
     if (min_entropy > 0) {
cb9006
diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
cb9006
index 71a1438d..a38724d9 100644
cb9006
--- a/src/plugins/crypto.h
cb9006
+++ b/src/plugins/crypto.h
cb9006
@@ -36,7 +36,7 @@ typedef enum {
cb9006
 /* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */
cb9006
 #define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20
cb9006
 
cb9006
-#define DEFAULT_LUKS_KEYSIZE_BITS 512
cb9006
+#define DEFAULT_LUKS_KEYSIZE_BITS 256
cb9006
 #define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
cb9006
 #define DEFAULT_LUKS2_SECTOR_SIZE 512
cb9006
 
cb9006
diff --git a/tests/crypto_test.py b/tests/crypto_test.py
cb9006
index 0609a070..0aecc032 100644
cb9006
--- a/tests/crypto_test.py
cb9006
+++ b/tests/crypto_test.py
cb9006
@@ -236,6 +236,42 @@ def test_luks2_format(self):
cb9006
             self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
cb9006
         self.assertEqual(int(m.group(1)), 5)
cb9006
 
cb9006
+    def _get_luks1_key_size(self, device):
cb9006
+        _ret, out, err = run_command("cryptsetup luksDump %s" % device)
cb9006
+        m = re.search(r"MK bits:\s*(\S+)\s*", out)
cb9006
+        if not m or len(m.groups()) != 1:
cb9006
+            self.fail("Failed to get key size information from:\n%s %s" % (out, err))
cb9006
+        key_size = m.group(1)
cb9006
+        if not key_size.isnumeric():
cb9006
+            self.fail("Failed to get key size information from: %s" % key_size)
cb9006
+        return int(key_size)
cb9006
+
cb9006
+    @tag_test(TestTags.SLOW, TestTags.CORE)
cb9006
+    def test_luks_format_key_size(self):
cb9006
+        """Verify that formating device as LUKS works"""
cb9006
+
cb9006
+        # aes-xts: key size should default to 512
cb9006
+        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0)
cb9006
+        self.assertTrue(succ)
cb9006
+
cb9006
+        key_size = self._get_luks1_key_size(self.loop_dev)
cb9006
+        self.assertEqual(key_size, 512)
cb9006
+
cb9006
+        # aes-cbc: key size should default to 256
cb9006
+        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
cb9006
+        self.assertTrue(succ)
cb9006
+
cb9006
+        key_size = self._get_luks1_key_size(self.loop_dev)
cb9006
+        self.assertEqual(key_size, 256)
cb9006
+
cb9006
+        # try specifying key size for aes-xts
cb9006
+        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0)
cb9006
+        self.assertTrue(succ)
cb9006
+
cb9006
+        key_size = self._get_luks1_key_size(self.loop_dev)
cb9006
+        self.assertEqual(key_size, 256)
cb9006
+
cb9006
+
cb9006
 class CryptoTestResize(CryptoTestCase):
cb9006
 
cb9006
     def _get_key_location(self, device):