diff --git a/SOURCES/0014-remove-pwmake-for-password-generation.patch b/SOURCES/0014-remove-pwmake-for-password-generation.patch
new file mode 100644
index 0000000..bb66aaa
--- /dev/null
+++ b/SOURCES/0014-remove-pwmake-for-password-generation.patch
@@ -0,0 +1,98 @@
+--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
++++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
+@@ -1,7 +1,6 @@
+
+ luksmeta_data = configuration_data()
+ luksmeta = dependency('luksmeta', version: '>=8', required: false)
+-pwmake = find_program('pwmake', required: false)
+
+ libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
+ if libcryptsetup.found()
+@@ -33,7 +32,7 @@
+ output: 'clevis-luks-unbind',
+ configuration: luksmeta_data)
+
+-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
++if libcryptsetup.found() and luksmeta.found()
+ subdir('systemd')
+ subdir('udisks2')
+
+--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
++++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
+@@ -20,6 +20,11 @@
+
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+
++# Length, in bytes, used for password generated for LUKS key
++# This value corresponds to an entropy of 256 bits if the password
++# was generated by pwmake or similar tool
++JOSE_PASSWORD_LENGTH=40
++
+ enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+@@ -782,7 +787,7 @@
+ fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
++ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
+ --key-slot "${SLT}" \
+ "${DEV}" \
+ ${pbkdf_args} \
+@@ -812,11 +817,11 @@
+ local input extra_args=
+ input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
+ if [ -n "${KEYFILE}" ]; then
+- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
++ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+- extra_args="$(printf -- '--token-id %s' 
"${EXISTING_TOKEN_ID}")"
++ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+@@ -876,26 +881,10 @@
+
+ # clevis_luks_generate_key() generates a new key for use with clevis.
+ clevis_luks_generate_key() {
+- local DEV="${1}"
+- [ -z "${DEV}" ] && return 1
+-
+- local dump filter bits
+- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
+- dump=$(cryptsetup luksDump "${DEV}")
+- if cryptsetup isLuks --type luks1 "${DEV}"; then
+- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+- elif cryptsetup isLuks --type luks2 "${DEV}"; then
+- filter="$(echo -n "${dump}" | \
+- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
+- else
+- return 1
+- fi
+-
+- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+- bits="${MAX_ENTROPY_BITS}"
+- fi
+- pwmake "${bits}"
++ local input
++ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
++ jose jwk gen --input="${input}" --output=- \
++ | jose fmt --json=- --object --get k --unquote=-
+ }
+
+ # clevis_luks_token_id_by_slot() returns the token ID linked to a
+@@ -986,8 +975,8 @@
+ fi
+
+ local newkey jwe
+- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
+- || [ -z "${newkey}" ]; then
+
++ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
+ echo "Unable to generate a new key" >&2
+ return 1
+ fi
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index fbe33ba..b33b6ab 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -1,6 +1,6 @@
 Name: clevis
 Version: 18
-Release: 110%{?dist}
+Release: 112%{?dist}
 Summary: Automated decryption framework
 License: GPLv3+
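Review bot: The comment added above `JOSE_PASSWORD_LENGTH=40` no longer describes the value it documents: as far as I can tell from the jose CLI, `jose jwk gen` with `{"kty":"oct","bytes":40}` draws 40 random bytes (320 bits) and `jose fmt --get k --unquote` prints their base64url encoding (about 54 characters), so the "256 bits if generated by pwmake" comparison is stale and the old per-device cap to the volume key size is simply gone (harmless, since passphrase entropy beyond the key size costs nothing). Suggested replacement: `# Number of random bytes jose draws for the LUKS passphrase; the` / `# passphrase is the base64url form of those bytes (320 bits of entropy).` In the new `clevis_luks_generate_key` body the function's exit status is that of `jose fmt` alone, so a failing `jose jwk gen` is only caught by the caller's `[ -z "${newkey}" ]` check in the hunk at 986 and surfaces as the generic "Unable to generate a new key"; if the script does not run with `set -o pipefail`, consider `jose jwk gen ... || return 1` split from the `jose fmt` step so the real failure is reported. The `--force-password` additions in the hunks at 782 and 812 skip cryptsetup's passphrase-quality check for the new slot; the functions they sit in start and end outside this hunk, and a one-line comment there saying why the check must be bypassed for a random base64url key would help the next reader.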
@@ -20,6 +20,7 @@ Patch0010: 0010-existing-luks2-token-id.patch
 Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
 Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
 Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
+Patch0014: 0014-remove-pwmake-for-password-generation.patch
 BuildRequires: git-core
 BuildRequires: gcc
@@ -42,7 +43,6 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: dracut
 BuildRequires: tang >= 6
 BuildRequires: curl
-BuildRequires: cracklib-dicts
 BuildRequires: luksmeta
 BuildRequires: openssl
 BuildRequires: diffutils
@@ -56,7 +56,6 @@ Requires: curl
 Requires: jq
 Requires(pre): shadow-utils
 Requires(post): systemd
-Recommends: cracklib-dicts
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -200,15 +199,23 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 %changelog
-* Wed Jan 25 2023 Sergio Arroutbi - 15-110
+* Thu Jun 1 2023 Sergio Arroutbi - 18-112
+- Remove pwmake for password generation
+ Resolves: rhbz#2207488
+
+* Thu May 4 2023 Sergio Arroutbi - 18-111
+- Fix changelog to correct versions
+ Resolves: rhbz#2180451
+
+* Wed Jan 25 2023 Sergio Arroutbi - 18-110
 - luks-edit: remove unnecessary 2>/dev/null
 Resolves: rhbz#2159738
-* Fri Jan 13 2023 Sergio Arroutbi - 15-109
+* Fri Jan 13 2023 Sergio Arroutbi - 18-109
 - luks: define max entropy bits for pwmake
 Resolves: rhbz#2159735
-* Thu Jan 12 2023 Sergio Arroutbi - 15-108
+* Thu Jan 12 2023 Sergio Arroutbi - 18-108
 - Ignore empty & comment lines in crypttab
 Resolves: rhbz#2159728
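Review bot: The hunks at 42 and 56 drop `cracklib-dicts` because pwmake is no longer called, but the replacement key generator in patch 0014 shells out to the `jose` binary at bind time, and no `Requires: jose` appears in the visible spec lines. If the luks subpackage does not already inherit that dependency through the base package (not visible in this diff), add `Requires: jose` next to the existing `Requires: jq` so a minimal install does not fail with a missing command inside `clevis_luks_generate_key`. The changelog entry could also mention the switch to jose-generated keys, since "Remove pwmake for password generation" says what was removed but not what now produces the key.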