From a9afd519064609cf42544caeadc31d96ccd2d2f0 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi
Date: Mon, 1 Apr 2024 15:24:48 +0200
Subject: [PATCH] Rebase to clevis-20 upstream version
Resolves: RHEL-29279
Signed-off-by: Sergio Arroutbi
---
 .gitignore | 1 +
 ...neous-sast-fixes-clevis-luks-udisk-2.patch | 56 +++++++++++++++++++
 clevis.spec | 8 +--
 sources | 2 +-
 4 files changed, 62 insertions(+), 5 deletions(-)
 create mode 100644 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
diff --git a/.gitignore b/.gitignore
index 5e440c4..8688f41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /clevis-17.tar.xz
 /clevis-18.tar.xz
 /clevis-19.tar.xz
+/clevis-20.tar.xz
diff --git a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
new file mode 100644
index 0000000..263166d
--- /dev/null
+++ b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
@@ -0,0 +1,56 @@
+--- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100
++++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200
+@@ -264,8 +264,10 @@
+
+ error:
+ g_list_free_full(ctx.lst, g_free);
+- g_main_loop_unref(ctx.loop);
+- g_object_unref(ctx.clt);
++ if (ctx.loop)
++ g_main_loop_unref(ctx.loop);
++ if (ctx.clt)
++ g_object_unref(ctx.clt);
+ close(sock);
+ return exit_status;
+ }
+@@ -299,12 +301,12 @@
+ safeclose(&pair[0]);
+ }
+
+-static ssize_t
+-recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
++static uint32_t
++recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
+ {
+ int push[2] = { -1, -1 };
+ int pull[2] = { -1, -1 };
+- ssize_t bytes = 0;
++ int32_t bytes = 0;
+ pid_t chld = 0;
+
+ if (pipe(push) != 0)
+@@ -379,12 +381,18 @@
+ }
+
+ bytes = 0;
+- for (ssize_t block = 1; block > 0; bytes += block) {
+- block = read(pull[PIPE_RD], &out[bytes], max - bytes);
+- if (block < 0) {
+- kill(chld, SIGTERM);
+- goto error;
+- }
++ ssize_t block = 0;
++ while (max > 0 && max > bytes) {
++ do {
++ block = read(pull[PIPE_RD], &out[bytes], max - bytes);
++ } while (block < 0 && errno == EINTR);
++ if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
++ kill(chld, SIGTERM);
++ goto error;
++ }
++ if (block == 0)
++ break;
++ bytes += block;
+ }
+
+ safeclose(&pull[PIPE_RD]);
diff --git a/clevis.spec b/clevis.spec
index 7e31f9b..f2c70d2 100644
--- a/clevis.spec
+++ b/clevis.spec
@@ -1,5 +1,5 @@
 Name: clevis
-Version: 19
+Version: 20
 Release: %autorelease
 Summary: Automated decryption framework
@@ -7,6 +7,7 @@ License: GPL-3.0-or-later
 URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1: clevis.sysusers
+Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
 BuildRequires: git-core
 BuildRequires: gcc
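Review bot: The second inner hunk of the new patch changes `recover_key`'s return type from `ssize_t` to `uint32_t` while keeping the `goto error` exits, and the `return` statement reached from `error:` lies outside the hunk; if that path still returns -1 as the original signed signature suggests, the value now wraps to 4294967295 and a caller testing for `< 0` can no longer see the failure, so an aborted child read would look like a huge byte count into a key buffer. A signed width that still matches the new `int32_t max` and `bytes` avoids that: `static int32_t` / `recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)`, with the caller's check confirmed against it. In the read loop of the third hunk, `block < INT32_MIN` is unreachable after `block < 0` and `block > INT32_MAX` cannot occur because `read()` returns at most the `max - bytes` it was asked for, so `if (block < 0) {` is the whole condition. The new `errno == EINTR` retry and the `INT32_*` limits also depend on `<errno.h>` and `<stdint.h>`, which this patch does not add — confirm the file already includes them. The enclosing functions start and end outside the hunks.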
@@ -29,7 +30,6 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: dracut
 BuildRequires: tang >= 6
 BuildRequires: curl
-BuildRequires: cracklib-dicts
 BuildRequires: luksmeta
 BuildRequires: openssl
 BuildRequires: diffutils
@@ -43,8 +43,7 @@ Requires: curl
 Requires: jq
 Requires(pre): shadow-utils
 Requires(post): systemd
-Recommends: cracklib-dicts
-Recommends: clevis-pin-tpm2
+Requires: clevis-pin-tpm2
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -170,6 +169,7 @@ exit 0
 %files systemd
 %{_libexecdir}/%{name}-luks-askpass
+%{_libexecdir}/%{name}-luks-unlocker
 %{_unitdir}/%{name}-luks-askpass.path
 %{_unitdir}/%{name}-luks-askpass.service
diff --git a/sources b/sources
index 27e099f..ebb2917 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (clevis-19.tar.xz) = a4d1545dad8a70579f5f2a3992b71f1034df57386a8881c04cf1552394ad1aa1e39d38ac16312d8b61073b3bd462fe9032b29b68580cd3c50913cc5a77e32029
+SHA512 (clevis-20.tar.xz) = 26b89d7ca21a08dfb6abdf894c9867eb6954593adc384c651b2cf8effe6be962fa67a116b15e1a40a720d36d9726ea859dc907ffb72585da91949d9a620893fe