Remove pwmake for password generation
This change removes password generation with pwmake and uses jose to do so. It has been checked that generation is similar, as jose uses OpenSSL. Apart from that, we will introduce --force-password so that pwquality configuration does not interfere with LUKS operations Resolves: rhbz#2207488 Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
This commit is contained in:
parent
ea4cad69fc
commit
35802634dc
98
0014-remove-pwmake-for-password-generation.patch
Normal file
98
0014-remove-pwmake-for-password-generation.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
|
||||||
|
+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
|
||||||
|
@@ -1,7 +1,6 @@
|
||||||
|
|
||||||
|
luksmeta_data = configuration_data()
|
||||||
|
luksmeta = dependency('luksmeta', version: '>=8', required: false)
|
||||||
|
-pwmake = find_program('pwmake', required: false)
|
||||||
|
|
||||||
|
libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
|
||||||
|
if libcryptsetup.found()
|
||||||
|
@@ -33,7 +32,7 @@
|
||||||
|
output: 'clevis-luks-unbind',
|
||||||
|
configuration: luksmeta_data)
|
||||||
|
|
||||||
|
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
||||||
|
+if libcryptsetup.found() and luksmeta.found()
|
||||||
|
subdir('systemd')
|
||||||
|
subdir('udisks2')
|
||||||
|
|
||||||
|
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
|
||||||
|
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
|
||||||
|
@@ -20,6 +20,11 @@
|
||||||
|
|
||||||
|
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||||
|
|
||||||
|
+# Length, in bytes, used for password generated for LUKS key
|
||||||
|
+# This value corresponds to an entropy of 256 bits if the password
|
||||||
|
+# was generated by pwmake or similar tool
|
||||||
|
+JOSE_PASSWORD_LENGTH=40
|
||||||
|
+
|
||||||
|
enable_debugging() {
|
||||||
|
# Automatically enable debugging if in initramfs phase and rd.debug
|
||||||
|
if [ -e /usr/lib/dracut-lib.sh ]; then
|
||||||
|
@@ -782,7 +787,7 @@
|
||||||
|
fi
|
||||||
|
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||||
|
|
||||||
|
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
||||||
|
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
|
||||||
|
--key-slot "${SLT}" \
|
||||||
|
"${DEV}" \
|
||||||
|
${pbkdf_args} \
|
||||||
|
@@ -812,11 +817,11 @@
|
||||||
|
local input extra_args=
|
||||||
|
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
|
||||||
|
if [ -n "${KEYFILE}" ]; then
|
||||||
|
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||||
|
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
|
||||||
|
input="$(printf '%s' "${NEWKEY}")"
|
||||||
|
fi
|
||||||
|
if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
||||||
|
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
|
||||||
|
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
|
||||||
|
input="$(printf '%s' "${NEWKEY}")"
|
||||||
|
fi
|
||||||
|
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||||
|
@@ -876,26 +881,10 @@
|
||||||
|
|
||||||
|
# clevis_luks_generate_key() generates a new key for use with clevis.
|
||||||
|
clevis_luks_generate_key() {
|
||||||
|
- local DEV="${1}"
|
||||||
|
- [ -z "${DEV}" ] && return 1
|
||||||
|
-
|
||||||
|
- local dump filter bits
|
||||||
|
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
|
||||||
|
- dump=$(cryptsetup luksDump "${DEV}")
|
||||||
|
- if cryptsetup isLuks --type luks1 "${DEV}"; then
|
||||||
|
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
||||||
|
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
|
||||||
|
- filter="$(echo -n "${dump}" | \
|
||||||
|
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
|
||||||
|
- else
|
||||||
|
- return 1
|
||||||
|
- fi
|
||||||
|
-
|
||||||
|
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
||||||
|
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
||||||
|
- bits="${MAX_ENTROPY_BITS}"
|
||||||
|
- fi
|
||||||
|
- pwmake "${bits}"
|
||||||
|
+ local input
|
||||||
|
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
|
||||||
|
+ jose jwk gen --input="${input}" --output=- \
|
||||||
|
+ | jose fmt --json=- --object --get k --unquote=-
|
||||||
|
}
|
||||||
|
|
||||||
|
# clevis_luks_token_id_by_slot() returns the token ID linked to a
|
||||||
|
@@ -986,8 +975,8 @@
|
||||||
|
fi
|
||||||
|
|
||||||
|
local newkey jwe
|
||||||
|
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
|
||||||
|
- || [ -z "${newkey}" ]; then
|
||||||
|
+
|
||||||
|
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
|
||||||
|
echo "Unable to generate a new key" >&2
|
||||||
|
return 1
|
||||||
|
fi
|
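Review bot: The comment added in the @@ -20,6 +20,11 @@ hunk of clevis-luks-common-functions.in presents JOSE_PASSWORD_LENGTH as a password length in bytes equivalent to 256 bits of pwmake entropy, but in the `{"kty":"oct","bytes":40}` template jose draws 40 random bytes (320 bits) and the passphrase emitted by `jose fmt --get k --unquote=-` is their base64url encoding, roughly 54 characters, so both sentences mislead anyone later tuning the value. Suggest replacing the three comment lines with `# Number of random bytes jose draws for a generated LUKS passphrase; the` / `# passphrase is the base64url-encoded "k" member (40 bytes = 320 bits of` / `# entropy, ~54 characters), above pwmake's former 256-bit cap.` Separately, in the @@ -812,11 +817,11 @@ hunk `--force-password` is appended only inside the KEYFILE and EXISTING_TOKEN_ID branches, so the path where neither is set reaches cryptsetup without it unless the invocation past the hunk's end adds it; worth checking, since the @@ -782 hunk passes the flag unconditionally. Note also that `--force-password` disables pwquality checks for whatever passphrase reaches these helpers, so if any caller routes a user-chosen passphrase through the same path, the bypass should be limited to the generated-key case; the enclosing functions of both hunks begin and end outside the patch excerpt.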
@ -1,6 +1,6 @@
|
|||||||
Name: clevis
|
Name: clevis
|
||||||
Version: 18
|
Version: 18
|
||||||
Release: 111%{?dist}
|
Release: 112%{?dist}
|
||||||
Summary: Automated decryption framework
|
Summary: Automated decryption framework
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -20,6 +20,7 @@ Patch0010: 0010-existing-luks2-token-id.patch
|
|||||||
Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
|
Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
|
||||||
Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
|
Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
|
||||||
Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
|
Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
|
||||||
|
Patch0014: 0014-remove-pwmake-for-password-generation.patch
|
||||||
|
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -42,7 +43,6 @@ BuildRequires: systemd-rpm-macros
|
|||||||
BuildRequires: dracut
|
BuildRequires: dracut
|
||||||
BuildRequires: tang >= 6
|
BuildRequires: tang >= 6
|
||||||
BuildRequires: curl
|
BuildRequires: curl
|
||||||
BuildRequires: cracklib-dicts
|
|
||||||
BuildRequires: luksmeta
|
BuildRequires: luksmeta
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: diffutils
|
BuildRequires: diffutils
|
||||||
@ -56,7 +56,6 @@ Requires: curl
|
|||||||
Requires: jq
|
Requires: jq
|
||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
Requires(post): systemd
|
Requires(post): systemd
|
||||||
Recommends: cracklib-dicts
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Clevis is a framework for automated decryption. It allows you to encrypt
|
Clevis is a framework for automated decryption. It allows you to encrypt
|
||||||
@ -200,6 +199,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
|||||||
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 1 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-112
|
||||||
|
- Remove pwmake for password generation
|
||||||
|
Resolves: rhbz#2207488
|
||||||
|
|
||||||
* Thu May 4 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-111
|
* Thu May 4 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-111
|
||||||
- Fix changelog to correct versions
|
- Fix changelog to correct versions
|
||||||
Resolves: rhbz#2180451
|
Resolves: rhbz#2180451
|
||||||
|