From 3a1439a74eb64b3473cb5ce84914cdd533563573 Mon Sep 17 00:00:00 2001

From: Tomas Jelinek <tojeline@redhat.com>

Date: Tue, 13 Aug 2019 10:06:29 +0200

Subject: [PATCH] set authkey length to 256 bytes

---

 pcs/lib/commands/test/remote_node/test_node_add_guest.py  | 4 ++--

 pcs/lib/commands/test/remote_node/test_node_add_remote.py | 4 ++--

 pcs/settings_default.py                                   | 7 +++++--

 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pcs/lib/commands/test/remote_node/test_node_add_guest.py b/pcs/lib/commands/test/remote_node/test_node_add_guest.py

index cb385150..d013b255 100644

--- a/pcs/lib/commands/test/remote_node/test_node_add_guest.py

+++ b/pcs/lib/commands/test/remote_node/test_node_add_guest.py

@@ -154,7 +154,7 @@ class AddGuest(TestCase):

             .local.push_cib()

         )

         node_add_guest(self.env_assist.get_env())

-        generate_binary_key.assert_called_once_with(random_bytes_count=384)

+        generate_binary_key.assert_called_once_with(random_bytes_count=256)

         self.env_assist.assert_reports(

             REPORTS

                 .adapt(

@@ -523,7 +523,7 @@ class AddGuest(TestCase):

             .local.push_cib()

         )

         node_add_guest(self.env_assist.get_env(), skip_offline_nodes=True)

-        generate_binary_key.assert_called_once_with(random_bytes_count=384)

+        generate_binary_key.assert_called_once_with(random_bytes_count=256)

         self.env_assist.assert_reports(

             fixture_reports_new_node_unreachable(NODE_NAME)

             + [

diff --git a/pcs/lib/commands/test/remote_node/test_node_add_remote.py b/pcs/lib/commands/test/remote_node/test_node_add_remote.py

index 46f82587..b0b3d6d3 100644

--- a/pcs/lib/commands/test/remote_node/test_node_add_remote.py

+++ b/pcs/lib/commands/test/remote_node/test_node_add_remote.py

@@ -212,7 +212,7 @@ class AddRemote(TestCase):

             .env.push_cib(resources=FIXTURE_RESOURCES)

         )

         node_add_remote(self.env_assist.get_env())

-        generate_binary_key.assert_called_once_with(random_bytes_count=384)

+        generate_binary_key.assert_called_once_with(random_bytes_count=256)

         self.env_assist.assert_reports(

             REPORTS

                 .adapt(

@@ -507,7 +507,7 @@ class AddRemote(TestCase):

             .env.push_cib(resources=FIXTURE_RESOURCES)

         )

         node_add_remote(self.env_assist.get_env(), skip_offline_nodes=True)

-        generate_binary_key.assert_called_once_with(random_bytes_count=384)

+        generate_binary_key.assert_called_once_with(random_bytes_count=256)

         self.env_assist.assert_reports(

             fixture_reports_new_node_unreachable(NODE_NAME)

             + [

diff --git a/pcs/settings_default.py b/pcs/settings_default.py

index e3a55b58..0d025b85 100644

--- a/pcs/settings_default.py

+++ b/pcs/settings_default.py

@@ -21,11 +21,14 @@ corosync_qdevice_net_client_certs_dir = os.path.join(

 )

 corosync_qdevice_net_client_ca_file_name = "qnetd-cacert.crt"

 corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey")

-corosync_authkey_bytes = 384

+# Must be set to 256 for corosync to work in FIPS environment.

+corosync_authkey_bytes = 256

 corosync_log_file = "/var/log/cluster/corosync.log"

 pacemaker_authkey_file = "/etc/pacemaker/authkey"

-pacemaker_authkey_bytes = 384

+# Using the same value as for corosync. Higher values MAY work in FIPS.

+pacemaker_authkey_bytes = 256

 booth_authkey_file_mode = 0o600

+# Booth does not support keys longer than 64 bytes.

 booth_authkey_bytes = 64

 cluster_conf_file = "/etc/cluster/cluster.conf"

 fence_agent_binaries = "/usr/sbin/"

-- 

2.21.0