From 4d23eda3191faa4424931099fb462f72ff2bacf3 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi
Date: Wed, 7 Jun 2023 12:37:42 +0200
Subject: [PATCH] Use jose, not pwmake, for password generation (#418)

This change removes password generation with pwmake and uses jose to do so. It has been checked that generation is similar, as jose uses OpenSSL. Apart from that, we will introduce --force-password so that pwquality configuration does not bother on LUKS operations

Resolves: #199
Signed-off-by: Sergio Arroutbi
---
 src/luks/clevis-luks-common-functions.in | 38 ++++++++----------------
 src/luks/meson.build | 3 +-
 2 files changed, 14 insertions(+), 27 deletions(-)

diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index 98cc9bc9..59ac9af5 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -20,6 +20,11 @@ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
 enable_debugging() {
 # Automatically enable debugging if in initramfs phase and rd.debug
 if [ -e /usr/lib/dracut-lib.sh ]; then
@@ -788,7 +793,7 @@ clevis_luks_add_key() {
 fi
 local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
 --key-slot "${SLT}" \
 "${DEV}" \
 ${pbkdf_args} \
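Review bot: The comment above `JOSE_PASSWORD_LENGTH=40` explains the value through pwmake's 256-bit entropy, but the value is consumed later in this file as `"bytes":40` for `jose jwk gen`, i.e. 40 random octets (320 bits) whose base64url encoding becomes the passphrase, so the comment understates what is generated and anchors it to the tool this commit removes. I would replace the three comment lines with `# Number of random octets jose draws for a new LUKS passphrase; the passphrase`, `# is their base64url encoding (about 54 characters, 320 bits of entropy), which`, `# is at least as strong as the 256-bit pwmake output this replaces.`. Stating the octet count and encoding also tells a reader why the constant is not a character length.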
@@ -818,11 +823,11 @@ clevis_luks_update_key() {
 local input extra_args=
 input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
 if [ -n "${KEYFILE}" ]; then
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
 input="$(printf '%s' "${NEWKEY}")"
 fi
 if [ -n "${EXISTING_TOKEN_ID}" ]; then
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
 input="$(printf '%s' "${NEWKEY}")"
 fi
@@ -884,26 +889,10 @@ clevis_luks_save_key_to_slot() {
 # clevis_luks_generate_key() generates a new key for use with clevis.
 clevis_luks_generate_key() {
- local DEV="${1}"
- [ -z "${DEV}" ] && return 1
-
- local dump filter bits
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
- dump=$(cryptsetup luksDump "${DEV}")
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- filter="$(echo -n "${dump}" | \
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
- else
- return 1
- fi
-
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
- bits="${MAX_ENTROPY_BITS}"
- fi
- pwmake "${bits}"
+ local input
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+ jose jwk gen --input="${input}" --output=- | \
+ jose fmt --json=- --object --get k --unquote=-
 }
 # clevis_luks_token_id_by_slot() returns the token ID linked to a
@@ -993,8 +982,7 @@ clevis_luks_do_bind() {
 fi
 local newkey jwe
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
- || [ -z "${newkey}" ]; then
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
 echo "Unable to generate a new key" >&2
 return 1
 fi
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 3d35e485..e06fa125 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
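Review bot: `--force-password` is appended only inside the two conditional branches of clevis_luks_update_key, so on the default path (neither KEYFILE nor EXISTING_TOKEN_ID set) `extra_args` stays empty and the cryptsetup call that later consumes `${extra_args}` (the rest of the function is outside the hunk) presumably still runs without the flag, leaving that path open to the pwquality rejection the commit sets out to avoid. The clevis_luks_add_key hunk at -788 puts the flag directly on the `cryptsetup luksAddKey` invocation, which covers every path; doing the same on the invocation here would be consistent and cannot be lost when a branch overwrites `extra_args`. If the flag must stay in the variable, initialise it with `local input extra_args=--force-password` and keep the per-branch additions, since both branches assign rather than append.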
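Review bot: The exit status of the new clevis_luks_generate_key body is that of the last pipeline stage, so a failing `jose jwk gen` (jose missing at runtime, or the input rejected) is masked and only callers that also test for empty output notice, as clevis_luks_do_bind does in the -993 hunk; any caller relying on the return code alone would continue with an empty passphrase. Capturing the JWK first keeps the failure visible: `local input jwk`, then `jwk=$(jose jwk gen --input="${input}" --output=-) || return 1`, then `printf '%s' "${jwk}" | jose fmt --json=- --object --get k --unquote=-`. The context comment kept above the function should also say that it now takes no arguments (the former DEV parameter is silently ignored if another caller still passes it) and prints the base64url-encoded JOSE_PASSWORD_LENGTH-byte secret on stdout.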
@@ -1,7 +1,6 @@
 luksmeta_data = configuration_data()
 luksmeta = dependency('luksmeta', version: '>=8', required: false)
-pwmake = find_program('pwmake', required: false)
 libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
 if libcryptsetup.found()
@@ -33,7 +32,7 @@ clevis_luks_unbind = configure_file(input: 'clevis-luks-unbind.in',
 output: 'clevis-luks-unbind',
 configuration: luksmeta_data)
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
 subdir('systemd')
 subdir('udisks2')