pcrlock: generate recovery PINs via make_recovery_key()

We already have infrastructure for generating nice recovery keys, for
the usual cryptenroll recovery keys. Let's reuse them here, as they are
nicer to read and type than the base64 encoded randomness we so far
used.

Previously valid recovery keys remain valid, in their original format.
For future enrollments we'll however have nicer, easier recovery keys to
deal with.

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index fa382a22d8a62a821b033c8f8c692c30dc03cff3..6651b1e3e1ee209d08c08cd3ec17170ea1523632 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4473,16 +4473,9 @@ static int make_policy(bool force, bool recovery_pin) {
                 }
 
         } else if (!have_old_policy) {
-                char rnd[256];
-
-                r = crypto_random_bytes(rnd, sizeof(rnd));
+                r = make_recovery_key(&pin);
                 if (r < 0)
                         return log_error_errno(r, "Failed to generate a randomized recovery PIN: %m");
-
-                (void) base64mem(rnd, sizeof(rnd), &pin);
-                explicit_bzero_safe(rnd, sizeof(rnd));
-                if (!pin)
-                        return log_oom();
         }
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *nv_handle = NULL;