Remove pwmake for password generation

This change removes password generation with pwmake and uses jose to do so. It has been checked that generation is similar, as jose uses OpenSSL. Apart from that, we will introduce --force-password so that pwquality configuration does not bother on LUKS operations Resolves: rhbz#2207488 Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2023-06-01 15:36:32 +02:00 · 2023-06-01 15:36:32 +02:00 · 35802634dc
commit 35802634dc
parent ea4cad69fc
2 changed files with 104 additions and 3 deletions
--- a/0014-remove-pwmake-for-password-generation.patch
+++ b/0014-remove-pwmake-for-password-generation.patch
@ -0,0 +1,98 @@
+--- clevis-18.ori/src/luks/meson.build	2023-06-01 15:28:51.615436832 +0200
+++ clevis-18/src/luks/meson.build	2023-06-01 15:31:02.420366592 +0200
+@@ -1,7 +1,6 @@
+ 
+ luksmeta_data = configuration_data()
+ luksmeta = dependency('luksmeta', version: '>=8', required: false)
+-pwmake = find_program('pwmake', required: false)
+ 
+ libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
+ if libcryptsetup.found()
+@@ -33,7 +32,7 @@
+                output: 'clevis-luks-unbind',
+                configuration: luksmeta_data)
+ 
+-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
+   subdir('systemd')
+   subdir('udisks2')
+ 
+--- clevis-18.ori/src/luks/clevis-luks-common-functions.in	2023-06-01 15:28:51.656437123 +0200
+++ clevis-18/src/luks/clevis-luks-common-functions.in	2023-06-02 17:31:52.430534483 +0200
+@@ -20,6 +20,11 @@
+ 
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+ 
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
+ enable_debugging() {
+     # Automatically enable debugging if in initramfs phase and rd.debug
+     if [ -e /usr/lib/dracut-lib.sh ]; then
+@@ -782,7 +787,7 @@
+     fi
+     local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+-    printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+    printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
+                                          --key-slot "${SLT}" \
+                                          "${DEV}" \
+                                          ${pbkdf_args} \
+@@ -812,11 +817,11 @@
+     local input extra_args=
+     input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
+     if [ -n "${KEYFILE}" ]; then
+-        extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+        extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
+     if [ -n "${EXISTING_TOKEN_ID}" ]; then
+-        extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+        extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
+     local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+@@ -876,26 +881,10 @@
+ 
+ # clevis_luks_generate_key() generates a new key for use with clevis.
+ clevis_luks_generate_key() {
+-    local DEV="${1}"
+-    [ -z "${DEV}" ] && return 1
+-
+-    local dump filter bits
+-    local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
+-    dump=$(cryptsetup luksDump "${DEV}")
+-    if cryptsetup isLuks --type luks1 "${DEV}"; then
+-        filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+-    elif cryptsetup isLuks --type luks2 "${DEV}"; then
+-        filter="$(echo -n "${dump}" | \
+-                  sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
+-    else
+-        return 1
+-    fi
+-
+-    bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+-    if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+-        bits="${MAX_ENTROPY_BITS}"
+-    fi
+-    pwmake "${bits}"
+    local input
+    input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+    jose jwk gen --input="${input}" --output=- \
+        | jose fmt --json=- --object --get k --unquote=-
+ }
+ 
+ # clevis_luks_token_id_by_slot() returns the token ID linked to a
+@@ -986,8 +975,8 @@
+     fi
+ 
+     local newkey jwe
+-    if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
+-                   || [ -z "${newkey}" ]; then
+
+    if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
+         echo "Unable to generate a new key" >&2
+         return 1
+     fi
--- a/clevis.spec
+++ b/clevis.spec
@ -1,6 +1,6 @@
 Name:           clevis
 Version:        18
-Release:        111%{?dist}
+Release:        112%{?dist}
 Summary:        Automated decryption framework

 License:        GPLv3+
@ -20,6 +20,7 @@ Patch0010: 0010-existing-luks2-token-id.patch
 Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
 Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
 Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
+Patch0014: 0014-remove-pwmake-for-password-generation.patch

 BuildRequires:  git-core
 BuildRequires:  gcc
@ -42,7 +43,6 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  dracut
 BuildRequires:  tang >= 6
 BuildRequires:  curl
-BuildRequires:  cracklib-dicts
 BuildRequires:  luksmeta
 BuildRequires:  openssl
 BuildRequires:  diffutils
@ -56,7 +56,6 @@ Requires:       curl
 Requires:       jq
 Requires(pre):  shadow-utils
 Requires(post): systemd
-Recommends:     cracklib-dicts

 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@ -200,6 +199,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2

 %changelog
+* Thu Jun 1 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-112
+- Remove pwmake for password generation
+  Resolves: rhbz#2207488
+
 * Thu May 4 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-111
 - Fix changelog to correct versions
  Resolves: rhbz#2180451