openstack/nova
Code Issues Proposed changes

Fix decoding of encryption key passed to dmcrypt

Browse Source 
This patch fixes the decoding of the encryption key passed to dmcrypt.
During the key management move from Nova to Castellan, in the Newton
release, conversion of the encryption key (from a string to list of
unsigned ints) was removed from the key retrieval method. This patch
updates dmcrypt to decode an encryption key string, rather than a list
of unsigned ints. See the linked bug for more information.

The method used to decode the encryption key has been updated to use
binascii, as done in os-brick [1], to maintain consistency. The key
generation and decoding portions of test_dmcrypt have been updated to
reflect this change and ensure compatibility with both, Python 2 and
Python 3.

[1] 6cf9b1cd68/os_brick/encryptors/cryptsetup.py (L100-L102)

Depends-On: I5fe3e5d5e5a9694d0dbe5b59248e5eaf89858c62
Closes-Bug: #1688342
Change-Id: I050585ecb55742a972038cf72b0650321ded2856
This commit is contained in:
Jackie Truong 2017-05-04 12:51:22 -04:00
parent c2c6960e37
commit 53a71c1241
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nova/tests/unit/virt/libvirt/storage/test_dmcrypt.py
View File

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import binascii
import mock import mock
from oslo_concurrency import processutils from oslo_concurrency import processutils
@ -29,8 +30,8 @@ class LibvirtDmcryptTestCase(test.NoDBTestCase):
self.NAME = 'disk' self.NAME = 'disk'
self.TARGET = dmcrypt.volume_name(self.NAME) self.TARGET = dmcrypt.volume_name(self.NAME)
self.PATH = '/dev/nova-lvm/instance_disk' self.PATH = '/dev/nova-lvm/instance_disk'
self.KEY = range(0, self.KEY_SIZE) self.KEY = bytes(bytearray(x for x in range(0, self.KEY_SIZE)))
self.KEY_STR = ''.join(["%02x" % x for x in range(0, self.KEY_SIZE)]) self.KEY_STR = binascii.hexlify(self.KEY).decode('utf-8')
@mock.patch('nova.utils.execute') @mock.patch('nova.utils.execute')
def test_create_volume(self, mock_execute): def test_create_volume(self, mock_execute):

5
nova/virt/libvirt/storage/dmcrypt.py
View File

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import binascii
import os import os
from oslo_concurrency import processutils from oslo_concurrency import processutils
@ -52,7 +53,7 @@ def create_volume(target, device, cipher, key_size, key):
:param device: underlying block device :param device: underlying block device
:param cipher: encryption cipher string digestible by cryptsetup :param cipher: encryption cipher string digestible by cryptsetup
:param key_size: encryption key size :param key_size: encryption key size
:param key: encryption key as an array of unsigned bytes :param key: encoded encryption key bytestring
""" """
cmd = ('cryptsetup', cmd = ('cryptsetup',
'create', 'create',
@ -61,7 +62,7 @@ def create_volume(target, device, cipher, key_size, key):
'--cipher=' + cipher, '--cipher=' + cipher,
'--key-size=' + str(key_size), '--key-size=' + str(key_size),
'--key-file=-') '--key-file=-')
key = ''.join(map(lambda byte: "%02x" % byte, key)) key = binascii.hexlify(key).decode('utf-8')
try: try:
utils.execute(*cmd, process_input=key, run_as_root=True) utils.execute(*cmd, process_input=key, run_as_root=True)
except processutils.ProcessExecutionError as e: except processutils.ProcessExecutionError as e: