From 9100783ee2ee46ec08ce62ed8c345d21caa86ff7 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi
Date: Thu, 26 Sep 2024 12:43:27 +0200
Subject: [PATCH] Rebase clevis-21 upstream version
Resolves: #RHEL-60257
Signed-off-by: Sergio Arroutbi
---
 .gitignore | 1 +
 ...neous-sast-fixes-clevis-luks-udisk-2.patch | 56 -------------------
 clevis.spec | 22 ++++++--
 sources | 2 +-
 4 files changed, 20 insertions(+), 61 deletions(-)
 delete mode 100644 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
diff --git a/.gitignore b/.gitignore
index 9f45cf1..c7ece3e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@
 /clevis-16.tar.xz
 /clevis-18.tar.xz
 /clevis-20.tar.xz
+/clevis-21.tar.xz
diff --git a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
deleted file mode 100644
index 263166d..0000000
--- a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
+++ /dev/null
@@ -1,56 +0,0 @@
---- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100
-+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200
-@@ -264,8 +264,10 @@
- 
- error:
- g_list_free_full(ctx.lst, g_free);
-- g_main_loop_unref(ctx.loop);
-- g_object_unref(ctx.clt);
-+ if (ctx.loop)
-+ g_main_loop_unref(ctx.loop);
-+ if (ctx.clt)
-+ g_object_unref(ctx.clt);
- close(sock);
- return exit_status;
- }
-@@ -299,12 +301,12 @@
- safeclose(&pair[0]);
- }
- 
--static ssize_t
--recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
-+static uint32_t
-+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
- {
- int push[2] = { -1, -1 };
- int pull[2] = { -1, -1 };
-- ssize_t bytes = 0;
-+ int32_t bytes = 0;
- pid_t chld = 0;
- 
- if (pipe(push) != 0)
-@@ -379,12 +381,18 @@
- }
- 
- bytes = 0;
-- for (ssize_t block = 1; block > 0; bytes += block) {
-- block = read(pull[PIPE_RD], &out[bytes], max - bytes);
-- if (block < 0) {
-- kill(chld, SIGTERM);
-- goto error;
-- }
-+ ssize_t block = 0;
-+ while (max > 0 && max > bytes) {
-+ do {
-+ block = read(pull[PIPE_RD], &out[bytes], max - bytes);
-+ } while (block < 0 && errno == EINTR);
-+ if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
-+ kill(chld, SIGTERM);
-+ goto error;
-+ }
-+ if (block == 0)
-+ break;
-+ bytes += block;
- }
- 
- safeclose(&pull[PIPE_RD]);
diff --git a/clevis.spec b/clevis.spec
index ce5cf68..15d9940 100644
--- a/clevis.spec
+++ b/clevis.spec
@@ -1,14 +1,12 @@
 Name: clevis
-Version: 20
-Release: 200%{?dist}
+Version: 21
+Release: 201%{?dist}
 Summary: Automated decryption framework
 License: GPLv3+
 URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1: clevis.sysusers
-Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
-
 BuildRequires: git-core
 BuildRequires: gcc
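Review bot: Removing `-Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch` drops the NULL guards on `ctx.loop`/`ctx.clt` in the udisks2 error path and the EINTR-retrying bounded read loop in `recover_key` that the deleted patch carried, and neither the commit message nor this spec hunk records that clevis-21 contains those fixes upstream. If the rebase is meant to supersede the patch, state it where the drop is reviewable, e.g. a changelog line `- Drop 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch: included in clevis-21 upstream`; if it is not upstream, the patch should be rebased onto 21 rather than deleted. No %changelog hunk appears in this diff, so whether the spec keeps a manual changelog cannot be seen from here.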
@@ -16,6 +14,8 @@ BuildRequires: meson
 BuildRequires: asciidoc
 BuildRequires: ninja-build
 BuildRequires: bash-completion
+BuildRequires: pcsc-lite
+BuildRequires: opensc
 BuildRequires: libjose-devel >= 8
 BuildRequires: libluksmeta-devel >= 8
@@ -44,6 +44,8 @@ Requires: curl
 Requires: jq
 Requires(pre): shadow-utils
 Requires(post): systemd
+Requires: pcsc-lite
+Requires: opensc
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -137,15 +139,20 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %{_bindir}/%{name}-decrypt-tpm2
 %{_bindir}/%{name}-decrypt-sss
 %{_bindir}/%{name}-decrypt-null
+%{_bindir}/%{name}-decrypt-pkcs11
 %{_bindir}/%{name}-decrypt
 %{_bindir}/%{name}-encrypt-tang
 %{_bindir}/%{name}-encrypt-tpm2
 %{_bindir}/%{name}-encrypt-sss
 %{_bindir}/%{name}-encrypt-null
+%{_bindir}/%{name}-encrypt-pkcs11
+%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
+%{_bindir}/%{name}-pkcs11-common
 %{_bindir}/%{name}
 %{_mandir}/man1/%{name}-encrypt-tang.1*
 %{_mandir}/man1/%{name}-encrypt-tpm2.1*
 %{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
 %{_mandir}/man1/%{name}-decrypt.1*
 %{_mandir}/man1/%{name}.1*
 %{_sysusersdir}/clevis.conf
@@ -173,8 +180,12 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %files systemd
 %{_libexecdir}/%{name}-luks-askpass
 %{_libexecdir}/%{name}-luks-unlocker
+%{_libexecdir}/%{name}-luks-pkcs11-askpass
+%{_libexecdir}/%{name}-luks-pkcs11-askpin
 %{_unitdir}/%{name}-luks-askpass.path
 %{_unitdir}/%{name}-luks-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
 %files dracut
 %{_prefix}/lib/dracut/modules.d/60%{name}
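Review bot: In the `@@ -44,6 +44,8` hunk, `Requires: pcsc-lite` and `Requires: opensc` make the smart-card daemon and its tooling a hard dependency of the base clevis package, so every tang/tpm2/sss-only installation now pulls them in although only the pkcs11 pin binaries added in the `@@ -137,15 +139,20` hunk use them. Consider a `clevis-pin-pkcs11` subpackage that owns `%{_bindir}/%{name}-*pkcs11*` and carries these two Requires, or at least `Recommends:` instead of `Requires:` on the main package, so the installed footprint of non-pkcs11 deployments stays unchanged. The `BuildRequires` added in the `@@ -16,6 +14,8` hunk are fine if the build itself needs them; if they exist only for the test suite, a one-line comment above them saying so would save the question at the next rebase.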
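Review bot: In the `@@ -173,8 +180,12` hunk the new `%{_unitdir}/%{name}-luks-pkcs11-askpass.socket` and `.service` are packaged, but the only scriptlet visible in the hunk context is `systemctl preset %{name}-luks-askpass.path`, and this diff touches no %post/%preun/%postun, so the socket unit gets no preset-on-install and no stop/disable on removal. Unless the unit is meant to be started only by the dracut hooks added in the `@@ -182,6 +193,9` hunk, the scriptlets should cover it, e.g. `%systemd_post %{name}-luks-pkcs11-askpass.socket` with the matching `%systemd_preun` and `%systemd_postun_with_restart` lines. The scriptlets themselves lie outside this hunk, so this is inferred from the context line only; since the unit is on the LUKS passphrase path, it is also worth confirming that the upstream socket unit restricts the socket's owner and mode before it is enabled by default.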
@@ -182,6 +193,9 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
 %files udisks2
 %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
diff --git a/sources b/sources
index ebb2917..85f0289 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (clevis-20.tar.xz) = 26b89d7ca21a08dfb6abdf894c9867eb6954593adc384c651b2cf8effe6be962fa67a116b15e1a40a720d36d9726ea859dc907ffb72585da91949d9a620893fe
+SHA512 (clevis-21.tar.xz) = 66f141b9d0c35ec3bb975b49053ee11f8fd5492b2af0377797892d6e28f4491b146e48477107dcf0ae5860ed1b08920bc95ed69893664689077c1342169cd399