1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
From: Guillaume Abrioux <gabrioux@redhat.com>
Date: Tue, 25 Jan 2022 10:25:53 +0100
Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
ceph-volume doesn't honour osd_dmcrypt_key_size.
It means the default size is always applied.
It also changes the default value in `get_key_size_from_conf()`
From cryptsetup manpage:
> For XTS mode you can optionally set a key size of 512 bits with the -s option.
Using more than 512bits will end up with the following error message:
```
Key size in XTS mode must be 256 or 512 bits.
```
Fixes: https://tracker.ceph.com/issues/54006
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
Upstream-Status: Backport
github.com/ceph/ceph.git
equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
CVE: CVE-2021-3979
Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
.../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
.../ceph_volume/util/encryption.py | 34 ++++++++++-----
2 files changed, 51 insertions(+), 24 deletions(-)
diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
index e1420b440d3..c86dc50b7c7 100644
--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
@@ -1,5 +1,31 @@
from ceph_volume.util import encryption
+import base64
+class TestGetKeySize(object):
+ def test_get_size_from_conf_default(self, conf_ceph_stub):
+ conf_ceph_stub('''
+ [global]
+ fsid=asdf
+ ''')
+ assert encryption.get_key_size_from_conf() == '512'
+
+ def test_get_size_from_conf_custom(self, conf_ceph_stub):
+ conf_ceph_stub('''
+ [global]
+ fsid=asdf
+ [osd]
+ osd_dmcrypt_key_size=256
+ ''')
+ assert encryption.get_key_size_from_conf() == '256'
+
+ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
+ conf_ceph_stub('''
+ [global]
+ fsid=asdf
+ [osd]
+ osd_dmcrypt_key_size=1024
+ ''')
+ assert encryption.get_key_size_from_conf() == '512'
class TestStatus(object):
@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
class TestDmcryptKey(object):
- def test_dmcrypt_with_default_size(self, conf_ceph_stub):
- conf_ceph_stub('[global]\nfsid=asdf-lkjh')
- result = encryption.create_dmcrypt_key()
- assert len(result) == 172
-
- def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
- conf_ceph_stub('''
- [global]
- fsid=asdf
- [osd]
- osd_dmcrypt_size=8
- ''')
+ def test_dmcrypt(self):
result = encryption.create_dmcrypt_key()
- assert len(result) == 172
+ assert len(base64.b64decode(result)) == 128
diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
index 72a0ccf121e..2a2c03337b6 100644
--- a/src/ceph-volume/ceph_volume/util/encryption.py
+++ b/src/ceph-volume/ceph_volume/util/encryption.py
@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
logger = logging.getLogger(__name__)
-
-def create_dmcrypt_key():
+def get_key_size_from_conf():
"""
- Create the secret dm-crypt key used to decrypt a device.
+ Return the osd dmcrypt key size from config file.
+ Default is 512.
"""
- # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
- # to the default of 1024
- dmcrypt_key_size = conf.ceph.get_safe(
+ default_key_size = '512'
+ key_size = conf.ceph.get_safe(
'osd',
'osd_dmcrypt_key_size',
- default=1024,
- )
- # The size of the key is defined in bits, so we must transform that
- # value to bytes (dividing by 8) because we read in bytes, not bits
- random_string = os.urandom(int(dmcrypt_key_size / 8))
+ default='512')
+
+ if key_size not in ['256', '512']:
+ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
+ "Falling back to {}bits".format(key_size, default_key_size)))
+ return default_key_size
+
+ return key_size
+
+def create_dmcrypt_key():
+ """
+ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
+ """
+ random_string = os.urandom(128)
key = base64.b64encode(random_string).decode('utf-8')
return key
@@ -38,6 +46,8 @@ def luks_format(key, device):
command = [
'cryptsetup',
'--batch-mode', # do not prompt
+ '--key-size',
+ get_key_size_from_conf(),
'--key-file', # misnomer, should be key
'-', # because we indicate stdin for the key here
'luksFormat',
@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
"""
command = [
'cryptsetup',
+ '--key-size',
+ get_key_size_from_conf(),
'--key-file',
'-',
'--allow-discards', # allow discards (aka TRIM) requests for device
--
2.35.1
|
