From fe4821435e593dac0b402cdd6039a724b7131120 Mon Sep 17 00:00:00 2001 From: Marcel Lauhoff Date: Fri, 11 Feb 2022 16:30:23 +0100 Subject: [PATCH] util: Make encryption passphrase size a parameter fscrypt support requires keys longer than 20 bytes. As a preparation, make the new passphrase length configurable, but default to 20 bytes. Signed-off-by: Marcel Lauhoff --- internal/rbd/encryption.go | 4 +++- internal/util/crypto.go | 10 +++++----- internal/util/crypto_test.go | 6 +++--- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go index 0b632aa99..4afd8b4f7 100644 --- a/internal/rbd/encryption.go +++ b/internal/rbd/encryption.go @@ -61,6 +61,8 @@ const ( // DEK is stored. metadataDEK = "rbd.csi.ceph.com/dek" oldMetadataDEK = ".rbd.csi.ceph.com/dek" + + encryptionPassphraseSize = 20 ) // checkRbdImageEncrypted verifies if rbd image was encrypted when created. @@ -100,7 +102,7 @@ func (ri *rbdImage) isEncrypted() bool { // - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS; // - the RBD image will be marked to support encryption in its metadata. func (ri *rbdImage) setupEncryption(ctx context.Context) error { - err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID) + err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID, encryptionPassphraseSize) if err != nil { log.ErrorLog(ctx, "failed to save encryption passphrase for "+ "image %s: %s", ri, err) diff --git a/internal/util/crypto.go b/internal/util/crypto.go index bec6b18a8..c7aaf0605 100644 --- a/internal/util/crypto.go +++ b/internal/util/crypto.go @@ -36,7 +36,7 @@ const ( // Passphrase size - 20 bytes is 160 bits to satisfy: // https://tools.ietf.org/html/rfc6749#section-10.10 - encryptionPassphraseSize = 20 + defaultEncryptionPassphraseSize = 20 ) var ( @@ -156,8 +156,8 @@ func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) e } // StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS. -func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error { - passphrase, err := generateNewEncryptionPassphrase() +func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string, length int) error { + passphrase, err := generateNewEncryptionPassphrase(length) if err != nil { return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err) } @@ -176,8 +176,8 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) } // generateNewEncryptionPassphrase generates a random passphrase for encryption. -func generateNewEncryptionPassphrase() (string, error) { - bytesPassphrase := make([]byte, encryptionPassphraseSize) +func generateNewEncryptionPassphrase(length int) (string, error) { + bytesPassphrase := make([]byte, length) _, err := rand.Read(bytesPassphrase) if err != nil { return "", err diff --git a/internal/util/crypto_test.go b/internal/util/crypto_test.go index 28b8fefea..a5bb49da6 100644 --- a/internal/util/crypto_test.go +++ b/internal/util/crypto_test.go @@ -28,14 +28,14 @@ import ( func TestGenerateNewEncryptionPassphrase(t *testing.T) { t.Parallel() - b64Passphrase, err := generateNewEncryptionPassphrase() + b64Passphrase, err := generateNewEncryptionPassphrase(defaultEncryptionPassphraseSize) require.NoError(t, err) // b64Passphrase is URL-encoded, decode to verify the length of the // passphrase passphrase, err := base64.URLEncoding.DecodeString(b64Passphrase) assert.NoError(t, err) - assert.Equal(t, encryptionPassphraseSize, len(passphrase)) + assert.Equal(t, defaultEncryptionPassphraseSize, len(passphrase)) } func TestKMSWorkflow(t *testing.T) { @@ -56,7 +56,7 @@ func TestKMSWorkflow(t *testing.T) { volumeID := "volume-id" - err = ve.StoreNewCryptoPassphrase(volumeID) + err = ve.StoreNewCryptoPassphrase(volumeID, defaultEncryptionPassphraseSize) assert.NoError(t, err) passphrase, err := ve.GetCryptoPassphrase(volumeID)