clevis/SOURCES/0014-remove-pwmake-for-password-generation.patch


2023-09-21 18:09:59 +00:00
--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
@@ -1,7 +1,6 @@
luksmeta_data = configuration_data()
luksmeta = dependency('luksmeta', version: '>=8', required: false)
-pwmake = find_program('pwmake', required: false)
libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
if libcryptsetup.found()
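Review bot: With the `pwmake` lookup removed, nothing in this meson.build as shown verifies that `jose` — which the patched shell script now invokes at runtime in `clevis_luks_generate_key` — is present at build time, so the build-time gate that used to cover the password generator is simply dropped rather than replaced. If the top-level meson.build already has a `find_program('jose')`, nothing is needed; otherwise adding `jose = find_program('jose', required: true)` here, or folding `jose.found()` into the condition in the second hunk (`-33,7 +32,7`), keeps the check equivalent to the one being removed. Whether jose is already probed elsewhere cannot be seen from this patch.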
@@ -33,7 +32,7 @@
output: 'clevis-luks-unbind',
configuration: luksmeta_data)
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
subdir('systemd')
subdir('udisks2')
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
@@ -20,6 +20,11 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
enable_debugging() {
# Automatically enable debugging if in initramfs phase and rd.debug
if [ -e /usr/lib/dracut-lib.sh ]; then
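Review bot: The comment added above `JOSE_PASSWORD_LENGTH=40` explains the value in terms of pwmake's entropy, but the generator this patch introduces is `jose jwk gen`, which produces 40 random bytes and emits them base64url-encoded in the `k` field, so the "256 bits" remark no longer describes what is generated and will mislead whoever tunes the value later. Replace it with `# Number of random bytes drawn by 'jose jwk gen' for the LUKS passphrase;` / `# the passphrase is the base64url encoding of those bytes (40 bytes = 320 bits).` Since the variable is a bare global, stating whether it is meant to be overridable (e.g. via `: "${JOSE_PASSWORD_LENGTH:=40}"`) or fixed would also make the intent explicit.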
@@ -782,7 +787,7 @@
fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
${pbkdf_args} \
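Review bot: `--force-password` on the `luksAddKey` line disables cryptsetup's passphrase-quality check, and the reason — the input is now a machine-generated random key rather than a user passphrase — is not recorded near the call, so a later reader may see it as weakening a check and remove it. A one-line comment such as `# --force-password: key is machine-generated, skip libpwquality checks` before the `printf` would preserve the rationale; the same applies to the two occurrences in the following hunk. The enclosing function starts before this hunk.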
@@ -812,11 +817,11 @@
local input extra_args=
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
if [ -n "${KEYFILE}" ]; then
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
if [ -n "${EXISTING_TOKEN_ID}" ]; then
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
input="$(printf '%s' "${NEWKEY}")"
fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
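Review bot: `--force-password` is only added inside the two conditional branches, so when neither `KEYFILE` nor `EXISTING_TOKEN_ID` is set `extra_args` stays empty and the cryptsetup call (outside this hunk) runs without the flag, which is exactly the path where the quality check would still apply to the generated key. Unless the invocation below already passes the flag itself, initialising it once and appending in the branches is simpler and covers all paths: `local input extra_args="--force-password"`, `extra_args="${extra_args} $(printf -- '--key-file %s' "${KEYFILE}")"`, `extra_args="${extra_args} $(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"`. Note the second branch currently overwrites the first, so `--key-file` is lost when both variables are set; that is pre-existing, and whether it is intentional cannot be judged from this hunk.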
@@ -876,26 +881,10 @@
# clevis_luks_generate_key() generates a new key for use with clevis.
clevis_luks_generate_key() {
- local DEV="${1}"
- [ -z "${DEV}" ] && return 1
-
- local dump filter bits
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
- dump=$(cryptsetup luksDump "${DEV}")
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- filter="$(echo -n "${dump}" | \
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
- else
- return 1
- fi
-
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
- bits="${MAX_ENTROPY_BITS}"
- fi
- pwmake "${bits}"
+ local input
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+ jose jwk gen --input="${input}" --output=- \
+ | jose fmt --json=- --object --get k --unquote=-
}
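Review bot: The header comment `# clevis_luks_generate_key() generates a new key for use with clevis.` is unchanged although the function's contract has: it no longer takes a device argument, no longer sizes the key from the LUKS master key, and now prints a base64url string rather than a pwmake passphrase. Extend it to something like `# clevis_luks_generate_key() prints a fresh random key for use as a LUKS passphrase:` / `# JOSE_PASSWORD_LENGTH random bytes, base64url-encoded via jose. Takes no arguments.` Also, without `pipefail` the pipeline's status is that of `jose fmt`, so a failed `jose jwk gen` is only caught if `jose fmt` also fails on the empty input; the caller's `[ -z "${newkey}" ]` test currently covers that, but it is worth stating in the comment that callers must check for empty output.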
# clevis_luks_token_id_by_slot() returns the token ID linked to a
@@ -986,8 +975,8 @@
fi
local newkey jwe
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
- || [ -z "${newkey}" ]; then
+
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
echo "Unable to generate a new key" >&2
return 1
fi
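Review bot: The blank line inserted between `local newkey jwe` and the `if` is the only change besides dropping the `"${DEV}"` argument and is noise in an otherwise tight block; drop it so the hunk is just the call change. Dropping the argument is safe since the new `clevis_luks_generate_key` body never reads `$1`, and for the same reason any other caller still passing a device keeps working. The enclosing function starts before this hunk.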