util: Make encryption passphrase size a parameter

fscrypt support requires keys longer than 20 bytes. As a preparation, make the new passphrase length configurable, but default to 20 bytes. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
2024-09-19 15:09:56 +00:00 · 2022-02-11 16:30:23 +01:00 · 2022-02-11 16:30:23 +01:00 · fe4821435e
commit fe4821435e
parent 69eb6e40dc
3 changed files with 11 additions and 9 deletions
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@ -61,6 +61,8 @@ const (
 	// DEK is stored.
 	metadataDEK    = "rbd.csi.ceph.com/dek"
 	oldMetadataDEK = ".rbd.csi.ceph.com/dek"
+
+	encryptionPassphraseSize = 20
 )

 // checkRbdImageEncrypted verifies if rbd image was encrypted when created.
@ -100,7 +102,7 @@ func (ri *rbdImage) isEncrypted() bool {
 // - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
 // - the RBD image will be marked to support encryption in its metadata.
 func (ri *rbdImage) setupEncryption(ctx context.Context) error {
-	err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID)
+	err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID, encryptionPassphraseSize)
 	if err != nil {
 		log.ErrorLog(ctx, "failed to save encryption passphrase for "+
 			"image %s: %s", ri, err)
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@ -36,7 +36,7 @@ const (

 	// Passphrase size - 20 bytes is 160 bits to satisfy:
 	// https://tools.ietf.org/html/rfc6749#section-10.10
-	encryptionPassphraseSize = 20
+	defaultEncryptionPassphraseSize = 20
 )

 var (
@ -156,8 +156,8 @@ func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) e
 }

 // StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
-func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
-	passphrase, err := generateNewEncryptionPassphrase()
+func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string, length int) error {
+	passphrase, err := generateNewEncryptionPassphrase(length)
 	if err != nil {
 		return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
 	}
@ -176,8 +176,8 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error)
 }

 // generateNewEncryptionPassphrase generates a random passphrase for encryption.
-func generateNewEncryptionPassphrase() (string, error) {
-	bytesPassphrase := make([]byte, encryptionPassphraseSize)
+func generateNewEncryptionPassphrase(length int) (string, error) {
+	bytesPassphrase := make([]byte, length)
 	_, err := rand.Read(bytesPassphrase)
 	if err != nil {
 		return "", err
--- a/internal/util/crypto_test.go
+++ b/internal/util/crypto_test.go
@ -28,14 +28,14 @@ import (

 func TestGenerateNewEncryptionPassphrase(t *testing.T) {
 	t.Parallel()
-	b64Passphrase, err := generateNewEncryptionPassphrase()
+	b64Passphrase, err := generateNewEncryptionPassphrase(defaultEncryptionPassphraseSize)
 	require.NoError(t, err)

 	// b64Passphrase is URL-encoded, decode to verify the length of the
 	// passphrase
 	passphrase, err := base64.URLEncoding.DecodeString(b64Passphrase)
 	assert.NoError(t, err)
-	assert.Equal(t, encryptionPassphraseSize, len(passphrase))
+	assert.Equal(t, defaultEncryptionPassphraseSize, len(passphrase))
 }

 func TestKMSWorkflow(t *testing.T) {
@ -56,7 +56,7 @@ func TestKMSWorkflow(t *testing.T) {

 	volumeID := "volume-id"

-	err = ve.StoreNewCryptoPassphrase(volumeID)
+	err = ve.StoreNewCryptoPassphrase(volumeID, defaultEncryptionPassphraseSize)
 	assert.NoError(t, err)

 	passphrase, err := ve.GetCryptoPassphrase(volumeID)