Import from AlmaLinux stable repository

SOURCES/0014-remove-pwmake-for-password-generation.patch

@@ -0,0 +1,98 @@
+--- clevis-18.ori/src/luks/meson.build	2023-06-01 15:28:51.615436832 +0200
++++ clevis-18/src/luks/meson.build	2023-06-01 15:31:02.420366592 +0200
+@@ -1,7 +1,6 @@
+ 
+ luksmeta_data = configuration_data()
+ luksmeta = dependency('luksmeta', version: '>=8', required: false)
+-pwmake = find_program('pwmake', required: false)
+ 
+ libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
+ if libcryptsetup.found()
+@@ -33,7 +32,7 @@
+                output: 'clevis-luks-unbind',
+                configuration: luksmeta_data)
+ 
+-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
++if libcryptsetup.found() and luksmeta.found()
+   subdir('systemd')
+   subdir('udisks2')
+ 
+--- clevis-18.ori/src/luks/clevis-luks-common-functions.in	2023-06-01 15:28:51.656437123 +0200
++++ clevis-18/src/luks/clevis-luks-common-functions.in	2023-06-02 17:31:52.430534483 +0200
+@@ -20,6 +20,11 @@
+ 
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+ 
++# Length, in bytes, used for password generated for LUKS key
++# This value corresponds to an entropy of 256 bits if the password
++# was generated by pwmake or similar tool
++JOSE_PASSWORD_LENGTH=40
++
+ enable_debugging() {
+     # Automatically enable debugging if in initramfs phase and rd.debug
+     if [ -e /usr/lib/dracut-lib.sh ]; then
+@@ -782,7 +787,7 @@
+     fi
+     local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+-    printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
++    printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
+                                          --key-slot "${SLT}" \
+                                          "${DEV}" \
+                                          ${pbkdf_args} \
+@@ -812,11 +817,11 @@
+     local input extra_args=
+     input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
+     if [ -n "${KEYFILE}" ]; then
+-        extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
++        extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
+     if [ -n "${EXISTING_TOKEN_ID}" ]; then
+-        extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
++        extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
+     local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+@@ -876,26 +881,10 @@
+ 
+ # clevis_luks_generate_key() generates a new key for use with clevis.
+ clevis_luks_generate_key() {
+-    local DEV="${1}"
+-    [ -z "${DEV}" ] && return 1
+-
+-    local dump filter bits
+-    local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
+-    dump=$(cryptsetup luksDump "${DEV}")
+-    if cryptsetup isLuks --type luks1 "${DEV}"; then
+-        filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+-    elif cryptsetup isLuks --type luks2 "${DEV}"; then
+-        filter="$(echo -n "${dump}" | \
+-                  sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
+-    else
+-        return 1
+-    fi
+-
+-    bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+-    if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+-        bits="${MAX_ENTROPY_BITS}"
+-    fi
+-    pwmake "${bits}"
++    local input
++    input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
++    jose jwk gen --input="${input}" --output=- \
++        | jose fmt --json=- --object --get k --unquote=-
+ }
+ 
+ # clevis_luks_token_id_by_slot() returns the token ID linked to a
+@@ -986,8 +975,8 @@
+     fi
+ 
+     local newkey jwe
+-    if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
+-                   || [ -z "${newkey}" ]; then
++
++    if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
+         echo "Unable to generate a new key" >&2
+         return 1
+     fi

SPECS/clevis.spec

@@ -1,6 +1,6 @@
 Name:           clevis
 Version:        18
-Release:        110%{?dist}
+Release:        112%{?dist}
 Summary:        Automated decryption framework
 
 License:        GPLv3+
@@ -20,6 +20,7 @@ Patch0010: 0010-existing-luks2-token-id.patch
 Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
 Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
 Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
+Patch0014: 0014-remove-pwmake-for-password-generation.patch
 
 BuildRequires:  git-core
 BuildRequires:  gcc
@@ -42,7 +43,6 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  dracut
 BuildRequires:  tang >= 6
 BuildRequires:  curl
-BuildRequires:  cracklib-dicts
 BuildRequires:  luksmeta
 BuildRequires:  openssl
 BuildRequires:  diffutils
@@ -56,7 +56,6 @@ Requires:       curl
 Requires:       jq
 Requires(pre):  shadow-utils
 Requires(post): systemd
-Recommends:     cracklib-dicts
 
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -200,15 +199,23 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
-* Wed Jan 25 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-110
+* Thu Jun 1 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-112
+- Remove pwmake for password generation
+  Resolves: rhbz#2207488
+
+* Thu May 4 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-111
+- Fix changelog to correct versions
+  Resolves: rhbz#2180451
+
+* Wed Jan 25 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-110
 - luks-edit: remove unnecessary 2>/dev/null
   Resolves: rhbz#2159738
 
-* Fri Jan 13 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-109
+* Fri Jan 13 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-109
 - luks: define max entropy bits for pwmake
   Resolves: rhbz#2159735
 
-* Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-108
+* Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-108
 - Ignore empty & comment lines in crypttab
   Resolves: rhbz#2159728