abd65a1e50
By default barbican checks only the algorithm and the bit_length when creating a new secret. The xts-mode cuts the key in half for aes, so for using aes-256 with xts, you have to use a 512 bit key, but barbican allows only a maximum of 256 bit. For this reason, it was necessary to add a check for the mode within the _is_algorithm_supported method of the class SimpleCryptoPlugin. When mode xts is set, it now checks if half of the key-length is in the list of supported bit-lengths. So when using xts-mode, 512 bit keys are now supported, but 64 bit keys are not because they would result in a 32 bit aes key, which would be too short. Maybe there are other modes too which change the effective key-length, so the new length_factor was added to make it easier to add other modes like xts too. In the future there could be a list of supported modes together with their key changing factors.

Change-Id: I4dc552587391ad2245ee2fdfa20ce178da2efbe0
Story: 2002612
10 lines
441 B
YAML
---
fixes:
  - |
    By default barbican checks only the algorithm and the bit_length when
    creating a new secret. The xts-mode cuts the key in half for aes, so for
    using aes-256 with xts, you have to use a 512 bit key, but barbican allows
    only a maximum of 256 bit. A check for the mode within the
    _is_algorithm_supported method of the class SimpleCryptoPlugin was added
    to allow 512 bit keys for aes-xts in this plugin.
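The mode-aware length check described in the commit message, sketched as an added example (not barbican's code; every name, the 128/192/256 AES list and the `strict_xts` option are assumptions). It goes one step beyond the text: halving alone would accept a 384-bit XTS key if 192 is a supported length, although IEEE 1619 defines XTS-AES only for AES-128 and AES-256.

```python
# Added illustration; all names here are hypothetical, not barbican's code.

# Assumed cipher key sizes per algorithm (the page only states a 256-bit
# maximum for AES).
SUPPORTED_BIT_LENGTHS = {"aes": (128, 192, 256)}

# Modes whose stored key is a multiple of the cipher key size.
# XTS concatenates two equal-size AES keys, so the factor is 2.
MODE_LENGTH_FACTOR = {"xts": 2}

# IEEE 1619 defines XTS-AES only for AES-128 and AES-256.
XTS_STANDARD_CIPHER_BITS = (128, 256)


def effective_key_bits(bit_length, mode=None):
    """Return the per-cipher key size, or None if it does not divide evenly."""
    factor = MODE_LENGTH_FACTOR.get((mode or "").lower(), 1)
    if not isinstance(bit_length, int) or bit_length <= 0 or bit_length % factor:
        return None
    return bit_length // factor


def is_key_supported(algorithm, bit_length, mode=None, strict_xts=False):
    """Check the requested length against the list after applying the mode factor."""
    allowed = SUPPORTED_BIT_LENGTHS.get((algorithm or "").lower())
    effective = effective_key_bits(bit_length, mode)
    if allowed is None or effective is None or effective not in allowed:
        return False
    if strict_xts and (mode or "").lower() == "xts":
        # Optional tightening: reject the non-standard 2 x 192-bit case.
        return effective in XTS_STANDARD_CIPHER_BITS
    return True


if __name__ == "__main__":
    # Constructed sample requests: (bit_length, mode)
    samples = [(256, "cbc"), (512, "cbc"), (512, "xts"), (64, "xts"), (384, "xts")]
    for bits, mode in samples:
        print(bits, mode,
              is_key_supported("aes", bits, mode),
              is_key_supported("aes", bits, mode, strict_xts=True))
```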