From 3a1439a74eb64b3473cb5ce84914cdd533563573 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 13 Aug 2019 10:06:29 +0200
Subject: [PATCH] set authkey length to 256 bytes

---
 pcs/lib/commands/test/remote_node/test_node_add_guest.py  | 4 ++--
 pcs/lib/commands/test/remote_node/test_node_add_remote.py | 4 ++--
 pcs/settings_default.py                                   | 7 +++++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pcs/lib/commands/test/remote_node/test_node_add_guest.py b/pcs/lib/commands/test/remote_node/test_node_add_guest.py
index cb385150..d013b255 100644
--- a/pcs/lib/commands/test/remote_node/test_node_add_guest.py
+++ b/pcs/lib/commands/test/remote_node/test_node_add_guest.py
@@ -154,7 +154,7 @@ class AddGuest(TestCase):
             .local.push_cib()
         )
         node_add_guest(self.env_assist.get_env())
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             REPORTS
                 .adapt(
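Review bot: The expected key size is pinned as a bare `256` here, and again in the second hunk of this file and in both hunks of test_node_add_remote.py, with nothing saying which setting it mirrors or why that value matters. Because `corosync_authkey_bytes` and `pacemaker_authkey_bytes` now share the same value, the literal cannot show which one the command is meant to pass; presumably it is the pacemaker one, but that is not visible in these hunks. A one-line comment above each assertion would make the intent reviewable, for example `# must equal settings.pacemaker_authkey_bytes; 256 is the FIPS-compatible default` (adjust the setting name to the one the command actually reads). The enclosing test methods start and end outside the hunks, so whether the settings module is patched in these tests cannot be checked from here.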
@@ -523,7 +523,7 @@ class AddGuest(TestCase):
             .local.push_cib()
         )
         node_add_guest(self.env_assist.get_env(), skip_offline_nodes=True)
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             fixture_reports_new_node_unreachable(NODE_NAME)
             + [
diff --git a/pcs/lib/commands/test/remote_node/test_node_add_remote.py b/pcs/lib/commands/test/remote_node/test_node_add_remote.py
index 46f82587..b0b3d6d3 100644
--- a/pcs/lib/commands/test/remote_node/test_node_add_remote.py
+++ b/pcs/lib/commands/test/remote_node/test_node_add_remote.py
@@ -212,7 +212,7 @@ class AddRemote(TestCase):
             .env.push_cib(resources=FIXTURE_RESOURCES)
         )
         node_add_remote(self.env_assist.get_env())
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             REPORTS
                 .adapt(
@@ -507,7 +507,7 @@ class AddRemote(TestCase):
             .env.push_cib(resources=FIXTURE_RESOURCES)
         )
         node_add_remote(self.env_assist.get_env(), skip_offline_nodes=True)
-        generate_binary_key.assert_called_once_with(random_bytes_count=384)
+        generate_binary_key.assert_called_once_with(random_bytes_count=256)
         self.env_assist.assert_reports(
             fixture_reports_new_node_unreachable(NODE_NAME)
             + [
diff --git a/pcs/settings_default.py b/pcs/settings_default.py
index e3a55b58..0d025b85 100644
--- a/pcs/settings_default.py
+++ b/pcs/settings_default.py
@@ -21,11 +21,14 @@ corosync_qdevice_net_client_certs_dir = os.path.join(
 )
 corosync_qdevice_net_client_ca_file_name = "qnetd-cacert.crt"
 corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey")
-corosync_authkey_bytes = 384
+# Must be set to 256 for corosync to work in FIPS environment.
+corosync_authkey_bytes = 256
 corosync_log_file = "/var/log/cluster/corosync.log"
 pacemaker_authkey_file = "/etc/pacemaker/authkey"
-pacemaker_authkey_bytes = 384
+# Using the same value as for corosync. Higher values MAY work in FIPS.
+pacemaker_authkey_bytes = 256
 booth_authkey_file_mode = 0o600
+# Booth does not support keys longer than 64 bytes.
 booth_authkey_bytes = 64
 cluster_conf_file = "/etc/cluster/cluster.conf"
 fence_agent_binaries = "/usr/sbin/"
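Review bot: The new comment on `corosync_authkey_bytes` states the FIPS constraint but not its scope. The value only governs keys generated after this change, so an authkey file already deployed at the old 384-byte size is untouched by this hunk and would presumably still fail in FIPS mode. Consider `# Size in bytes of newly generated keys; existing authkey files are not regenerated. Must be 256 for corosync to work in FIPS mode.` and cover the upgrade path in the release notes. The pacemaker comment "Higher values MAY work in FIPS" leaves the next maintainer guessing; if larger sizes were simply not tested, say so directly, e.g. `# Kept equal to corosync; larger sizes are untested in FIPS mode.` Going from 384 to 256 random bytes is not a practical loss of strength, provided `generate_binary_key` draws from a CSPRNG, which is not visible here.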
-- 
2.21.0