gui-init, tpm-reset: Enforce TPM password maximum length

TPM password must be 1-32 characters.  Loop if the password is not
valid or the repeated password doesn't match, so the user can try
again.

Move prompt_new_owner_password to functions and use in both gui-init
and tpm-reset.

Fixes #1336

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>

initrd/bin/gui-init

@@ -510,24 +510,6 @@ prompt_totp_mismatch()
   fi
 }
 
-prompt_new_owner_password() {
-  read -s -p "New TPM owner password: " key_password
-  echo
-
-  if [ -z "$key_password" ]; then
-    echo "Empty owner password is not allowed" >&2
-    return 1
-  fi
-
-  read -s -p "Repeat owner password: " key_password2
-  echo
-
-  if [ "$key_password" != "$key_password2" ]; then
-    echo "Key passwords do not match" >&2
-    return 1
-  fi
-}
-
 reset_tpm()
 {
   TRACE "Under /bin/gui-init:reset_tpm"

initrd/bin/tpm-reset

@@ -5,19 +5,6 @@ echo '*****'
 echo '***** WARNING: This will erase all keys and secrets from the TPM'
 echo '*****'
 
-read -s -p "New TPM owner password: " key_password
-echo
-
-if [ -z "$key_password" ]; then
-    die "Empty owner password is not allowed"
-fi
-
-read -s -p "Repeat owner password: " key_password2
-echo
-
-
-if [ "$key_password" != "$key_password2" ]; then
-    die "Key passwords do not match"
-fi
+prompt_new_owner_password
 
 tpmr reset "$key_password"

initrd/etc/functions

@@ -221,6 +221,27 @@ prompt_tpm_password() {
 	echo # new line after password prompt
 }
 
+# Prompt for a new owner password when resetting the TPM.  Returned in
+# key_password.  The password must be 1-32 characters and must be entered twice,
+# the script will loop until this is met.
+prompt_new_owner_password() {
+	local key_password2
+	key_password=1
+	key_password2=2
+	while [ "$key_password" != "$key_password2" ] || [ "${#key_password}" -gt 32 ] || [ -z "$key_password" ]; do
+		read -s -p "New TPM owner passphrase (2 words suggested, 1-32 characters max): " key_password
+		echo
+
+		read -s -p "Repeat chosen TPM owner passphrase: " key_password2
+		echo
+
+		if [ "$key_password" != "$key_password2" ]; then
+			echo "Passphrases entered do not match. Try again!"
+			echo
+		fi
+	done
+}
+
 check_tpm_counter()
 {
   TRACE "Under /etc/functions:check_tpm_counter"