Rebase clevis-21 upstream version

Resolves: #RHEL-60257

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>

.gitignore

@@ -6,3 +6,4 @@
 /clevis-16.tar.xz
 /clevis-18.tar.xz
 /clevis-20.tar.xz
+/clevis-21.tar.xz

0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch

@@ -1,56 +0,0 @@
---- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c	2024-03-08 09:35:37.000000000 +0100
-+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c	2024-05-21 10:04:15.301469592 +0200
-@@ -264,8 +264,10 @@
- 
- error:
-     g_list_free_full(ctx.lst, g_free);
--    g_main_loop_unref(ctx.loop);
--    g_object_unref(ctx.clt);
-+    if (ctx.loop) 
-+        g_main_loop_unref(ctx.loop);
-+    if (ctx.clt) 
-+        g_object_unref(ctx.clt);
-     close(sock);
-     return exit_status;
- }
-@@ -299,12 +301,12 @@
-     safeclose(&pair[0]);
- }
- 
--static ssize_t
--recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
-+static uint32_t
-+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
- {
-     int push[2] = { -1, -1 };
-     int pull[2] = { -1, -1 };
--    ssize_t bytes = 0;
-+    int32_t bytes = 0;
-     pid_t chld = 0;
- 
-     if (pipe(push) != 0)
-@@ -379,12 +381,18 @@
-     }
- 
-     bytes = 0;
--    for (ssize_t block = 1; block > 0; bytes += block) {
--        block = read(pull[PIPE_RD], &out[bytes], max - bytes);
--        if (block < 0) {
--            kill(chld, SIGTERM);
--            goto error;
--        }
-+    ssize_t block = 0;
-+    while (max > 0 && max > bytes) {
-+       do {
-+           block = read(pull[PIPE_RD], &out[bytes], max - bytes);
-+       } while (block < 0 && errno == EINTR);
-+       if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
-+           kill(chld, SIGTERM);
-+           goto error;
-+       }
-+       if (block == 0)
-+           break;
-+       bytes += block;
-     }
- 
-     safeclose(&pull[PIPE_RD]);

clevis.spec

@@ -1,14 +1,12 @@
 Name:           clevis
-Version:        20
+Version:        21
-Release:        200%{?dist}
+Release:        201%{?dist}
 Summary:        Automated decryption framework
 
 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1:        clevis.sysusers
-Patch1:         0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
-
 
 BuildRequires:  git-core
 BuildRequires:  gcc
@@ -16,6 +14,8 @@ BuildRequires:  meson
 BuildRequires:  asciidoc
 BuildRequires:  ninja-build
 BuildRequires:  bash-completion
+BuildRequires:  pcsc-lite
+BuildRequires:  opensc
 
 BuildRequires:  libjose-devel >= 8
 BuildRequires:  libluksmeta-devel >= 8
@@ -44,6 +44,8 @@ Requires:       curl
 Requires:       jq
 Requires(pre):  shadow-utils
 Requires(post): systemd
+Requires:       pcsc-lite
+Requires:       opensc
 
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -137,15 +139,20 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %{_bindir}/%{name}-decrypt-tpm2
 %{_bindir}/%{name}-decrypt-sss
 %{_bindir}/%{name}-decrypt-null
+%{_bindir}/%{name}-decrypt-pkcs11
 %{_bindir}/%{name}-decrypt
 %{_bindir}/%{name}-encrypt-tang
 %{_bindir}/%{name}-encrypt-tpm2
 %{_bindir}/%{name}-encrypt-sss
 %{_bindir}/%{name}-encrypt-null
+%{_bindir}/%{name}-encrypt-pkcs11
+%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
+%{_bindir}/%{name}-pkcs11-common
 %{_bindir}/%{name}
 %{_mandir}/man1/%{name}-encrypt-tang.1*
 %{_mandir}/man1/%{name}-encrypt-tpm2.1*
 %{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
 %{_mandir}/man1/%{name}-decrypt.1*
 %{_mandir}/man1/%{name}.1*
 %{_sysusersdir}/clevis.conf
@@ -173,8 +180,12 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %files systemd
 %{_libexecdir}/%{name}-luks-askpass
 %{_libexecdir}/%{name}-luks-unlocker
+%{_libexecdir}/%{name}-luks-pkcs11-askpass
+%{_libexecdir}/%{name}-luks-pkcs11-askpin
 %{_unitdir}/%{name}-luks-askpass.path
 %{_unitdir}/%{name}-luks-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
 
 %files dracut
 %{_prefix}/lib/dracut/modules.d/60%{name}
@@ -182,6 +193,9 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
 
 %files udisks2
 %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop

sources

@@ -1 +1 @@
-SHA512 (clevis-20.tar.xz) = 26b89d7ca21a08dfb6abdf894c9867eb6954593adc384c651b2cf8effe6be962fa67a116b15e1a40a720d36d9726ea859dc907ffb72585da91949d9a620893fe
+SHA512 (clevis-21.tar.xz) = 66f141b9d0c35ec3bb975b49053ee11f8fd5492b2af0377797892d6e28f4491b146e48477107dcf0ae5860ed1b08920bc95ed69893664689077c1342169cd399