From 35802634dc1b7d5920d207137f93b88e1263cbf3 Mon Sep 17 00:00:00 2001 From: Sergio Arroutbi Date: Thu, 1 Jun 2023 15:36:32 +0200 Subject: [PATCH] Remove pwmake for password generation This change removes password generation with pwmake and uses jose to do so. It has been checked that generation is similar, as jose uses OpenSSL. Apart from that, we will introduce --force-password so that pwquality configuration does not bother on LUKS operations Resolves: rhbz#2207488 Signed-off-by: Sergio Arroutbi --- ...emove-pwmake-for-password-generation.patch | 98 +++++++++++++++++++ clevis.spec | 9 +- 2 files changed, 104 insertions(+), 3 deletions(-) create mode 100644 0014-remove-pwmake-for-password-generation.patch diff --git a/0014-remove-pwmake-for-password-generation.patch b/0014-remove-pwmake-for-password-generation.patch new file mode 100644 index 0000000..bb66aaa --- /dev/null +++ b/0014-remove-pwmake-for-password-generation.patch 
@@ -0,0 +1,98 @@ +--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200 ++++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200 +@@ -1,7 +1,6 @@ + + luksmeta_data = configuration_data() + luksmeta = dependency('luksmeta', version: '>=8', required: false) +-pwmake = find_program('pwmake', required: false) + + libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false) + if libcryptsetup.found() +@@ -33,7 +32,7 @@ + output: 'clevis-luks-unbind', + configuration: luksmeta_data) + +-if libcryptsetup.found() and luksmeta.found() and pwmake.found() ++if libcryptsetup.found() and luksmeta.found() + subdir('systemd') + subdir('udisks2') + +--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200 ++++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200 +@@ -20,6 +20,11 @@ + + CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" + ++# Length, in bytes, used for password generated for LUKS key ++# This value corresponds to an entropy of 256 bits if the password ++# was generated by pwmake or similar tool ++JOSE_PASSWORD_LENGTH=40 ++ + enable_debugging() { + # Automatically enable debugging if in initramfs phase and rd.debug + if [ -e /usr/lib/dracut-lib.sh ]; then +@@ -782,7 +787,7 @@ + fi + local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + +- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ ++ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \ + --key-slot "${SLT}" \ + "${DEV}" \ + ${pbkdf_args} \ +@@ -812,11 +817,11 @@ + local input extra_args= + input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")" + if [ -n "${KEYFILE}" ]; then +- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" ++ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi + if [ -n "${EXISTING_TOKEN_ID}" ]; then +- extra_args="$(printf -- '--token-id %s' 
"${EXISTING_TOKEN_ID}")" ++ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")" + input="$(printf '%s' "${NEWKEY}")" + fi + local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" +@@ -876,26 +881,10 @@ + + # clevis_luks_generate_key() generates a new key for use with clevis. + clevis_luks_generate_key() { +- local DEV="${1}" +- [ -z "${DEV}" ] && return 1 +- +- local dump filter bits +- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake. +- dump=$(cryptsetup luksDump "${DEV}") +- if cryptsetup isLuks --type luks1 "${DEV}"; then +- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')" +- elif cryptsetup isLuks --type luks2 "${DEV}"; then +- filter="$(echo -n "${dump}" | \ +- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')" +- else +- return 1 +- fi +- +- bits="$(echo -n "${filter}" | sort -n | tail -n 1)" +- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then +- bits="${MAX_ENTROPY_BITS}" +- fi +- pwmake "${bits}" ++ local input ++ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}") ++ jose jwk gen --input="${input}" --output=- \ ++ | jose fmt --json=- --object --get k --unquote=- + } + + # clevis_luks_token_id_by_slot() returns the token ID linked to a +@@ -986,8 +975,8 @@ + fi + + local newkey jwe +- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \ +- || [ -z "${newkey}" ]; then ++ ++ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then + echo "Unable to generate a new key" >&2 + return 1 + fi diff --git a/clevis.spec b/clevis.spec index d07eb38..b33b6ab 100644 --- a/clevis.spec +++ b/clevis.spec @@ -1,6 +1,6 @@ Name: clevis Version: 18 -Release: 111%{?dist} +Release: 112%{?dist} Summary: Automated decryption framework License: GPLv3+ 
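Review bot: In the key-change hunk `--force-password` is only folded into `extra_args` inside the `KEYFILE` and `EXISTING_TOKEN_ID` branches, so when neither is set `extra_args` stays empty and the pwquality check is still applied on that path, unlike the luksAddKey hunk where the flag was placed directly on the command line; the cryptsetup call that expands `${extra_args}` is outside this hunk, so this holds unless that line was changed as well. Putting the flag on the invocation itself (`cryptsetup <cmd> --force-password --batch-mode ... ${extra_args}`, with the two printf lines left in their original form) keeps the behaviour uniform across all three branches. Separately, the comment on `JOSE_PASSWORD_LENGTH` is misleading: `{"kty":"oct","bytes":40}` makes jose draw 40 random bytes (320 bits of entropy), which `jose fmt --unquote` emits as a 54-character base64url string, not a 40-character password and not 256 bits. Suggest `# Number of random bytes jose draws for the LUKS passphrase (320 bits of entropy, emitted as 54 base64url characters)`.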
@@ -20,6 +20,7 @@ Patch0010: 0010-existing-luks2-token-id.patch Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch +Patch0014: 0014-remove-pwmake-for-password-generation.patch BuildRequires: git-core BuildRequires: gcc @@ -42,7 +43,6 @@ BuildRequires: systemd-rpm-macros BuildRequires: dracut BuildRequires: tang >= 6 BuildRequires: curl -BuildRequires: cracklib-dicts BuildRequires: luksmeta BuildRequires: openssl BuildRequires: diffutils @@ -56,7 +56,6 @@ Requires: curl Requires: jq Requires(pre): shadow-utils Requires(post): systemd -Recommends: cracklib-dicts %description Clevis is a framework for automated decryption. It allows you to encrypt @@ -200,6 +199,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog +* Thu Jun 1 2023 Sergio Arroutbi - 18-112 +- Remove pwmake for password generation + Resolves: rhbz#2207488 + * Thu May 4 2023 Sergio Arroutbi - 18-111 - Fix changelog to correct versions Resolves: rhbz#2180451