From 3a1439a74eb64b3473cb5ce84914cdd533563573 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek
Date: Tue, 13 Aug 2019 10:06:29 +0200
Subject: [PATCH] set authkey length to 256 bytes

---
 pcs/lib/commands/test/remote_node/test_node_add_guest.py | 4 ++--
 pcs/lib/commands/test/remote_node/test_node_add_remote.py | 4 ++--
 pcs/settings_default.py | 7 +++++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pcs/lib/commands/test/remote_node/test_node_add_guest.py b/pcs/lib/commands/test/remote_node/test_node_add_guest.py
index cb385150..d013b255 100644
--- a/pcs/lib/commands/test/remote_node/test_node_add_guest.py
+++ b/pcs/lib/commands/test/remote_node/test_node_add_guest.py
@@ -154,7 +154,7 @@ class AddGuest(TestCase):
 .local.push_cib()
 )
 node_add_guest(self.env_assist.get_env())
- generate_binary_key.assert_called_once_with(random_bytes_count=384)
+ generate_binary_key.assert_called_once_with(random_bytes_count=256)
 self.env_assist.assert_reports(
 REPORTS
 .adapt(
@@ -523,7 +523,7 @@ class AddGuest(TestCase):
 .local.push_cib()
 )
 node_add_guest(self.env_assist.get_env(), skip_offline_nodes=True)
- generate_binary_key.assert_called_once_with(random_bytes_count=384)
+ generate_binary_key.assert_called_once_with(random_bytes_count=256)
 self.env_assist.assert_reports(
 fixture_reports_new_node_unreachable(NODE_NAME) + [
diff --git a/pcs/lib/commands/test/remote_node/test_node_add_remote.py b/pcs/lib/commands/test/remote_node/test_node_add_remote.py
index 46f82587..b0b3d6d3 100644
--- a/pcs/lib/commands/test/remote_node/test_node_add_remote.py
+++ b/pcs/lib/commands/test/remote_node/test_node_add_remote.py
@@ -212,7 +212,7 @@ class AddRemote(TestCase):
 .env.push_cib(resources=FIXTURE_RESOURCES)
 )
 node_add_remote(self.env_assist.get_env())
- generate_binary_key.assert_called_once_with(random_bytes_count=384)
+ generate_binary_key.assert_called_once_with(random_bytes_count=256)
 self.env_assist.assert_reports(
 REPORTS
 .adapt(
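Review bot: The updated assertion pins the literal `random_bytes_count=256` instead of the setting the command reads, so this commit had to edit the setting and four test lines in lockstep, and a later change to the setting will fail here for the wrong reason; the same applies to the @@ -523 hunk of this file and to both hunks of test_node_add_remote.py. If `settings` is available in these modules, `generate_binary_key.assert_called_once_with(random_bytes_count=settings.pacemaker_authkey_bytes)` keeps the expectation coupled to its source; if pinning the number is deliberate as a guard against silent changes of the generated key length, say so with `# literal on purpose: a silent change of the configured key length must fail this test`. Which settings attribute these commands actually read is not visible in the hunk, so the attribute name above is a guess to confirm. The enclosing test methods start and end outside the hunk.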
@@ -507,7 +507,7 @@ class AddRemote(TestCase):
 .env.push_cib(resources=FIXTURE_RESOURCES)
 )
 node_add_remote(self.env_assist.get_env(), skip_offline_nodes=True)
- generate_binary_key.assert_called_once_with(random_bytes_count=384)
+ generate_binary_key.assert_called_once_with(random_bytes_count=256)
 self.env_assist.assert_reports(
 fixture_reports_new_node_unreachable(NODE_NAME) + [
diff --git a/pcs/settings_default.py b/pcs/settings_default.py
index e3a55b58..0d025b85 100644
--- a/pcs/settings_default.py
+++ b/pcs/settings_default.py
@@ -21,11 +21,14 @@ corosync_qdevice_net_client_certs_dir = os.path.join(
 )
 corosync_qdevice_net_client_ca_file_name = "qnetd-cacert.crt"
 corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey")
-corosync_authkey_bytes = 384
+# Must be set to 256 for corosync to work in FIPS environment.
+corosync_authkey_bytes = 256
 corosync_log_file = "/var/log/cluster/corosync.log"
 pacemaker_authkey_file = "/etc/pacemaker/authkey"
-pacemaker_authkey_bytes = 384
+# Using the same value as for corosync. Higher values MAY work in FIPS.
+pacemaker_authkey_bytes = 256
 booth_authkey_file_mode = 0o600
+# Booth does not support keys longer than 64 bytes.
 booth_authkey_bytes = 64
 cluster_conf_file = "/etc/cluster/cluster.conf"
 fence_agent_binaries = "/usr/sbin/"
-- 
2.21.0
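Review bot: The new comment on `pacemaker_authkey_bytes` records uncertainty ("Higher values MAY work in FIPS") rather than what was checked, so a reader cannot tell whether 256 is a hard limit or a conservative choice; replace it with what is actually known, e.g. `# Kept equal to corosync_authkey_bytes; whether pacemaker accepts longer keys under FIPS has not been verified.` It would also help to state on `corosync_authkey_bytes` that the value is a count of random bytes written to the authkey file (the test hunks assert a 256-byte `random_bytes_count`, presumably this value), so that nobody later reads 256 as a bit length and bumps it. Whether existing 384-byte authkey files are still accepted after this change, or only newly generated keys are affected, is not visible here and deserves a sentence in the commit message.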