Rebase to clevis-20 upstream version

Resolves: RHEL-29279 Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-04-01 15:24:48 +02:00 · 2024-04-01 15:24:48 +02:00 · a9afd51906
commit a9afd51906
parent 45f9470a7b
4 changed files with 62 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@
 /clevis-17.tar.xz
 /clevis-18.tar.xz
 /clevis-19.tar.xz
+/clevis-20.tar.xz
--- a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
+++ b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
@ -0,0 +1,56 @@
+--- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c	2024-03-08 09:35:37.000000000 +0100
+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c	2024-05-21 10:04:15.301469592 +0200
+@@ -264,8 +264,10 @@
+ 
+ error:
+     g_list_free_full(ctx.lst, g_free);
+-    g_main_loop_unref(ctx.loop);
+-    g_object_unref(ctx.clt);
+    if (ctx.loop) 
+        g_main_loop_unref(ctx.loop);
+    if (ctx.clt) 
+        g_object_unref(ctx.clt);
+     close(sock);
+     return exit_status;
+ }
+@@ -299,12 +301,12 @@
+     safeclose(&pair[0]);
+ }
+ 
+-static ssize_t
+-recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
+static uint32_t
+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
+ {
+     int push[2] = { -1, -1 };
+     int pull[2] = { -1, -1 };
+-    ssize_t bytes = 0;
+    int32_t bytes = 0;
+     pid_t chld = 0;
+ 
+     if (pipe(push) != 0)
+@@ -379,12 +381,18 @@
+     }
+ 
+     bytes = 0;
+-    for (ssize_t block = 1; block > 0; bytes += block) {
+-        block = read(pull[PIPE_RD], &out[bytes], max - bytes);
+-        if (block < 0) {
+-            kill(chld, SIGTERM);
+-            goto error;
+-        }
+    ssize_t block = 0;
+    while (max > 0 && max > bytes) {
+       do {
+           block = read(pull[PIPE_RD], &out[bytes], max - bytes);
+       } while (block < 0 && errno == EINTR);
+       if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
+           kill(chld, SIGTERM);
+           goto error;
+       }
+       if (block == 0)
+           break;
+       bytes += block;
+     }
+ 
+     safeclose(&pull[PIPE_RD]);
--- a/clevis.spec
+++ b/clevis.spec
@ -1,5 +1,5 @@
 Name:           clevis
-Version:        19
+Version:        20
 Release:        %autorelease
 Summary:        Automated decryption framework

@ -7,6 +7,7 @@ License:        GPL-3.0-or-later
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1:        clevis.sysusers
+Patch1:         0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch

 BuildRequires:  git-core
 BuildRequires:  gcc
@ -29,7 +30,6 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  dracut
 BuildRequires:  tang >= 6
 BuildRequires:  curl
-BuildRequires:  cracklib-dicts
 BuildRequires:  luksmeta
 BuildRequires:  openssl
 BuildRequires:  diffutils
@ -43,8 +43,7 @@ Requires:       curl
 Requires:       jq
 Requires(pre):  shadow-utils
 Requires(post): systemd
-Recommends:     cracklib-dicts
-Recommends:     clevis-pin-tpm2
+Requires:       clevis-pin-tpm2

 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@ -170,6 +169,7 @@ exit 0

 %files systemd
 %{_libexecdir}/%{name}-luks-askpass
+%{_libexecdir}/%{name}-luks-unlocker
 %{_unitdir}/%{name}-luks-askpass.path
 %{_unitdir}/%{name}-luks-askpass.service

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (clevis-19.tar.xz) = a4d1545dad8a70579f5f2a3992b71f1034df57386a8881c04cf1552394ad1aa1e39d38ac16312d8b61073b3bd462fe9032b29b68580cd3c50913cc5a77e32029
+SHA512 (clevis-20.tar.xz) = 26b89d7ca21a08dfb6abdf894c9867eb6954593adc384c651b2cf8effe6be962fa67a116b15e1a40a720d36d9726ea859dc907ffb72585da91949d9a620893fe