Bug 1028362
| Summary: | cryptsetup: malformed hash algorithm specifiers lead to zero-entropy keys | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Florian Weimer <fweimer> |
| Component: | cryptsetup | Assignee: | Ondrej Kozina <okozina> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Release Test Team <release-test-team-automation> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | agk, gmazyland, okozina, pholica, pkotvan, prajnoha |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | cryptsetup-1.6.3-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 09:19:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1028357 | ||
The colon will always reduce key, it should be used only in situation when you are dealing with seriously broken cryptosystem (which set some parts of key to zero). But yes, error checking should be better here. I need to implement it even for --hash=plain (==no hash) because some implementation of cryptoloop/losetup wipes the last byte of key... (and cryptsetup should be able to replace such system). So this will be fixed upstream and RH should track the patch for RHEL as well, thanks. Should be fixed upstream by this patch http://code.google.com/p/cryptsetup/source/detail?r=db561257084fd09f117d589fe9f42980a9ea3ad9# Thanks for reporting this problem! This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
If the user specifies --type=plain --hash=sha1:secure (or something similar, the colon is important) during open, cryptsetup will use an all-zero key because it truncates the key-derived hash to length 0. This is caused by code in crypt_plain_hash() which implements a ":NNN" specifier for reducing key strength: /* hash[:hash_length] */ if ((s = strchr(hash_name_buf, ':'))) { *s = '\0'; hash_size = atoi(++s); if (hash_size > key_size) { log_dbg("Hash length %zd > key length %zd", hash_size, key_size); return -EINVAL; } pad_size = key_size - hash_size; } else { hash_size = key_size; pad_size = 0; } … if (r == 0 && pad_size) memset(key + hash_size, 0, pad_size); This code should have more error checking.