Bug 1975799 - cryptsetup default hash to encrypt key do not work with openssl-3
Summary: cryptsetup default hash to encrypt key do not work with openssl-3
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: cryptsetup
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 9.0 Beta
Assignee: Ondrej Kozina
QA Contact: guazhang@redhat.com
URL:
Whiteboard:
Depends On: 1975836
Blocks:
Reported: 2021-06-24 13:01 UTC by Yatin Karel
Modified: 2021-12-07 21:38 UTC (History)
Fixed In Version: cryptsetup-2.4.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1975836
Environment:
Last Closed: 2021-12-07 21:35:16 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Description Yatin Karel 2021-06-24 13:01:39 UTC
Description of problem:

cryptsetup no longer works with default hash ripemd160 after moving to openssl3.

Version-Release number of selected component (if applicable):
cryptsetup-2.3.6-2.el9.x86_64
openssl-3.0.0-0.alpha16.4.el9.x86_64

How reproducible:
Always with openssl-3.0.0, with openssl-1.1 works fine.

Steps to Reproduce:

Detected while testing the latest CentOS Stream 9 composes with RDO, where cryptsetup create fails; it can be reproduced with the steps below:

# dev=`losetup -f`
# dd if=/dev/urandom of=/home/secret_dir bs=1M count=10
# losetup $dev /home/secret_dir
# cryptsetup open $dev test-device --type plain -c aes-xts-plain64 
Enter passphrase for /home/secret_dir: 
Hash algorithm ripemd160 not supported.

With other hash algorithms like sha256 or sha512 (-h sha256 or -h sha512) it worked fine. /me not sure what the recommended one is.

Actual results:
cryptsetup open --type plain with the default hash (ripemd160) does not work with openssl-3

Expected results:
cryptsetup defaults should work with openssl-3.

Additional info:

Works fine with cryptsetup-2.3.6-1.el9.
# ldd /usr/sbin/cryptsetup|grep ssl
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f750cbfc000)

Fails in cryptsetup-2.3.6-2.el9.
# ldd /usr/sbin/cryptsetup|grep ssl                                                                                
libssl.so.3 => /lib64/libssl.so.3 (0x00007f71cd197000)


So the defaults need to be fixed so they work with openssl3, unless and until openssl3 re-adds support for ripemd160.

Comment 1 Milan Broz 2021-06-24 13:30:06 UTC
The OpenSSL backend needs to load a non-default provider here (one that provides ripemd160).
We cannot easily change the default hash for plain password hashing here. (For LUKS we changed the default years ago.)
Also, it must be available for compatibility reasons (to unlock older encrypted disks).

And what is completely broken is that OpenSSL3 is not yet in Fedora...

Anyway, just use --hash sha256 (ditto in crypttab), if you need to use plain mode.
LUKS is recommended anyway. Why are you using plain mode?
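As an added example (not code from this bug report or from cryptsetup), here is a Python audit for the situation comment 1 describes: plain-mode crypttab entries that leave the hash at cryptsetup's ripemd160 default, which the OpenSSL 3 default provider no longer supplies. The crypttab content is constructed, and the set of available hashes can be supplied explicitly or taken from the running Python's OpenSSL.

```python
"""Audit crypttab for plain-mode entries that rely on cryptsetup's implicit default
hash (ripemd160), absent from OpenSSL 3's default provider. Constructed example."""
import hashlib

PLAIN_DEFAULT_HASH = "ripemd160"  # cryptsetup's built-in default for plain mode

# Constructed sample crypttab: name, device, key source, comma-separated options.
SAMPLE_CRYPTTAB = """\
secret0   /dev/loop0  none  plain,cipher=aes-xts-plain64
secret1   /dev/loop1  none  plain,cipher=aes-xts-plain64,hash=sha256
secret2   /dev/loop2  none  plain,cipher=aes-xts-plain64,hash=ripemd160
vol_luks  /dev/sdb1   none  luks
"""


def parse_crypttab(text):
    """One dict per non-comment line; the options column becomes a {key: value} map."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        options = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = opt.partition("=")
            options[key] = value or True
        entries.append({"name": fields[0], "device": fields[1],
                        "keyfile": fields[2] if len(fields) > 2 else "none",
                        "options": options})
    return entries


def audit_plain_hashes(entries, available=None):
    """Return (name, hash, explicit) for plain-mode entries whose passphrase hash is
    not in `available`. LUKS entries are skipped (their hash is in the header and was
    not affected). `available` defaults to the hashes this Python's OpenSSL exposes."""
    if available is None:
        available = {name.lower() for name in hashlib.algorithms_available}
    findings = []
    for entry in entries:
        opts = entry["options"]
        if "plain" not in opts:
            continue
        explicit = "hash" in opts
        used = str(opts["hash"]).lower() if explicit else PLAIN_DEFAULT_HASH
        if used not in available:
            # Don't just add hash=sha256 to an existing plain device: there is no header,
            # so changing the hash silently changes the derived key. Pin it for new ones.
            findings.append((entry["name"], used, explicit))
    return findings
```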

Comment 2 Yatin Karel 2021-06-24 14:10:26 UTC
Thanks Milan for the quick response, adding some storage (cinder) folks as they have more context on the usage of plain and how to handle it on the os-brick/cinder side. It seems openssl also needs to be reached out to about re-adding ripemd160, as per your concerns.

Comment 3 Alan Pevec 2021-06-24 14:24:42 UTC
FTR cryptsetup in OpenStack is in os-brick project: https://github.com/openstack/os-brick/blob/4baa502ec8c6c62184c474f126c0ad07eb3409f1/os_brick/encryptors/cryptsetup.py#L106-L129
used by both Cinder and Nova.

Adding Lee since he also worked on that code, for the Nova perspective.

Comment 4 Ondrej Kozina 2021-06-24 14:35:32 UTC
(In reply to Alan Pevec from comment #3)
> FTR cryptsetup in OpenStack is in os-brick project:
> https://github.com/openstack/os-brick/blob/
> 4baa502ec8c6c62184c474f126c0ad07eb3409f1/os_brick/encryptors/cryptsetup.
> py#L106-L129
> used by both Cinder and Nova.
> 
> Adding Lee since he also worked on that code, for the Nova perspective.

LUKS is not affected in any way. It's only plain mode.

Comment 5 Milan Broz 2021-06-24 15:22:24 UTC
I hope we can fix this upstream (in the cryptsetup openssl backend wrapper, I will try it) but also I think it is time to completely deprecate RIPEMD160, even if it means incompatibilities...

OpenSSL perhaps will not add the RIPEMD hash back to the supported algorithms; there is a reason for removing it from the defaults.

Comment 6 Eric Harney 2021-06-24 18:57:49 UTC
(In reply to Alan Pevec from comment #3)
Plain mode is not supported for encrypted Cinder volumes in OSP, only LUKS is. This is documented in section 2.2.6.1 here re: "Provider":

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html-single/storage_guide/index#section-volumes_advanced_encryption

The recommendation upstream would also be to use LUKS instead of plain mode, but plain is technically still available for now.

Comment 7 Milan Broz 2021-06-25 05:45:52 UTC
There is a relatively easy patch for cryptsetup that enables legacy provider support if used with OpenSSL3.
(It is not only the RIPEMD160 hash, we need support for older block ciphers for backward compatibility with other disk encryption formats.)

Unfortunately it crashes in deallocation inside OpenSSL, I need to ask the OpenSSL developers what the problem is there,
seems like we are the first real users of this API... :-)

Comment 8 Ondrej Kozina 2021-07-30 12:40:59 UTC
Legacy providers were enabled in upstream with: https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/178

Comment 9 guazhang@redhat.com 2021-08-04 12:46:34 UTC
Hi,

Hit the bug with cryptsetup-2.3.6-2.el9.x86_64

[root@storageqe-66 ~]# sh 1.sh 
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 0.0665328 s, 158 MB/s
Hash algorithm ripemd160 not supported.
NAME                        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0                         7:0    0    10M  0 loop 
sda                           8:0    0 558.9G  0 disk 
├─sda1                        8:1    0     1G  0 part /boot
└─sda2                        8:2    0 557.9G  0 part 
  ├─rhel_storageqe--66-root 253:0    0    70G  0 lvm  /
  ├─rhel_storageqe--66-swap 253:1    0  15.6G  0 lvm  [SWAP]
  └─rhel_storageqe--66-home 253:2    0 472.3G  0 lvm  /home
sdb                           8:16   1     0B  0 disk 
[root@storageqe-66 ~]# rpm -qa | grep cryptsetup
cryptsetup-libs-2.3.6-2.el9.x86_64
cryptsetup-2.3.6-2.el9.x86_64
[root@storageqe-66 ~]# rpm -qa | grep openssl
openssl-pkcs11-0.4.11-6.el9.x86_64
openssl-libs-3.0.0-0.beta1.4.el9.x86_64
compat-openssl11-1.1.1k-1.el9.x86_64
openssl-3.0.0-0.beta1.4.el9.x86_64
[root@storageqe-66 ~]# cat 1.sh
dev=`losetup -f`
dd if=/dev/urandom of=/home/secret_dir bs=1M count=10
losetup $dev /home/secret_dir
echo 'redhat redhat'|cryptsetup open $dev test-device --type plain -c aes-xts-plain64 
lsblk

Comment 11 guazhang@redhat.com 2021-08-19 11:59:39 UTC
Hi

Test pass with cryptsetup-2.4.0-1.el9.

Comment 14 guazhang@redhat.com 2021-08-22 10:50:09 UTC
No regression found, move to verified.

