From 77cce4b737c8d242e3c550e3d14cb4893b4ad73c Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 13 Aug 2019 10:06:29 +0200
Subject: [PATCH] set authkey length to 256 bytes

---
 pcs/settings_default.py                                         | 7 +++++--
 pcs_test/tier0/lib/commands/remote_node/test_node_add_guest.py  | 4 ++--
 pcs_test/tier0/lib/commands/remote_node/test_node_add_remote.py | 4 ++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pcs/settings_default.py b/pcs/settings_default.py
index 60647f5d..07014e33 100644
--- a/pcs/settings_default.py
+++ b/pcs/settings_default.py
@@ -20,11 +20,14 @@ corosync_qdevice_net_client_certs_dir = os.path.join(
 )
 corosync_qdevice_net_client_ca_file_name = "qnetd-cacert.crt"
 corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey")
-corosync_authkey_bytes = 384
+# Must be set to 256 for corosync to work in FIPS environment.
+corosync_authkey_bytes = 256
 corosync_log_file = "/var/log/cluster/corosync.log"
 pacemaker_authkey_file = "/etc/pacemaker/authkey"
-pacemaker_authkey_bytes = 384
+# Using the same value as for corosync. Higher values MAY work in FIPS.
+pacemaker_authkey_bytes = 256
 booth_authkey_file_mode = 0o600
+# Booth does not support keys longer than 64 bytes.
 booth_authkey_bytes = 64
 cluster_conf_file = "/etc/cluster/cluster.conf"
 fence_agent_binaries = "/usr/sbin/"
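Review bot: The two new comments give the value but not its nature. On `corosync_authkey_bytes` it is unclear whether 256 is an upper bound or an exact length in FIPS mode, and "Higher values MAY work" on `pacemaker_authkey_bytes` records an untested assumption without saying so. I would spell both out, for example `# Length in bytes of newly generated keys; corosync in FIPS mode needs 256.` and `# Kept equal to corosync; longer keys are untested in FIPS mode.`, adjusted to what was actually observed. Judging by the test hunks, these constants appear to feed key generation only, so a cluster that already holds a 384-byte authkey would presumably keep it after an upgrade. If that is the case, the release notes should tell operators of FIPS systems to regenerate the key.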
diff --git a/pcs_test/tier0/lib/commands/remote_node/test_node_add_guest.py b/pcs_test/tier0/lib/commands/remote_node/test_node_add_guest.py
index 4a68c9d1..ee463c70 100644
--- a/pcs_test/tier0/lib/commands/remote_node/test_node_add_guest.py
+++ b/pcs_test/tier0/lib/commands/remote_node/test_node_add_guest.py
@@ -158,7 +158,7 @@ class AddGuest(TestCase):
             .local.push_cib()
         )
         node_add_guest(self.env_assist.get_env())
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             REPORTS
                 .adapt(
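Review bot: The expected key length is repeated as the literal `256` in `generate_binary_key.assert_called_once_with(random_bytes_count=256)` here, in the second AddGuest hunk and in both AddRemote hunks, which is why a one-line settings change needed four test edits. Binding the expectation to the setting the command reads, e.g. `random_bytes_count=settings.pacemaker_authkey_bytes`, would keep the tests and the default in step; this assumes that is the constant used and that `settings` is importable in these test modules. If the literal is deliberate, as a guard against an accidental change of the default, a short comment saying so would make that intent visible. The enclosing test methods start and end outside these hunks.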
@@ -531,7 +531,7 @@ class AddGuest(TestCase):
             .local.push_cib()
         )
         node_add_guest(self.env_assist.get_env(), skip_offline_nodes=True)
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             fixture_reports_new_node_unreachable(NODE_NAME)
             + [
diff --git a/pcs_test/tier0/lib/commands/remote_node/test_node_add_remote.py b/pcs_test/tier0/lib/commands/remote_node/test_node_add_remote.py
index bb2b6615..d34d7126 100644
--- a/pcs_test/tier0/lib/commands/remote_node/test_node_add_remote.py
+++ b/pcs_test/tier0/lib/commands/remote_node/test_node_add_remote.py
@@ -216,7 +216,7 @@ class AddRemote(TestCase):
             .env.push_cib(resources=FIXTURE_RESOURCES)
         )
         node_add_remote(self.env_assist.get_env())
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             REPORTS
                 .adapt(
@@ -511,7 +511,7 @@ class AddRemote(TestCase):
             .env.push_cib(resources=FIXTURE_RESOURCES)
         )
         node_add_remote(self.env_assist.get_env(), skip_offline_nodes=True)
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             fixture_reports_new_node_unreachable(NODE_NAME)
             + [
-- 
2.11.0