
Cherry-pick from upstream

* Sss: use BN_set_word(x, 0) instead of BN_zero() (Closes: #995657)
* Do not kill non clevis slots (#315)
* Avoid luksmeta corruption on clevis bind (#319)
* Use `command -v` instead of `which`
Christoph Biedl 1 year ago
parent
commit
e32849f729

+ 39 - 0
debian/patches/cherry-pick/1620092196.v18-2-gee1dfed.sss-use-bn-set-word-x-0-instead-of-bn-zero.patch

@@ -0,0 +1,39 @@
+Subject: Sss: use BN_set_word(x, 0) instead of BN_zero()
+Origin: v18-2-gee1dfed <https://github.com/latchset/clevis/commit/v18-2-gee1dfed>
+Upstream-Author: Sergio Correia <scorreia@redhat.com>
+Date: Mon May 3 22:36:36 2021 -0300
+
+    Different OpenSSL versions define BN_zero() differently -- sometimes
+    returning an integer, sometimes as void --, so let's use instead
+    BN_set_word() instead, not to have issues when building with these
+    different versions.
+
+--- a/src/pins/sss/sss.c
++++ b/src/pins/sss/sss.c
+@@ -214,7 +214,7 @@
+     if (BN_rand_range(xx, pp) <= 0)
+         return NULL;
+ 
+-    if (BN_zero(yy) <= 0)
++    if (BN_set_word(yy, 0) <= 0)
+         return NULL;
+ 
+     for (size_t i = 0; i < json_array_size(e); i++) {
+@@ -272,7 +272,7 @@
+     if (!ctx || !pp || !acc || !tmp || !k)
+         return NULL;
+ 
+-    if (BN_zero(k) <= 0)
++    if (BN_set_word(k, 0) <= 0)
+         return NULL;
+ 
+     len = jose_b64_dec(p, NULL, 0);
+@@ -303,7 +303,7 @@
+ 
+             /* acc *= (0 - xi) / (xo - xi) */
+ 
+-            if (BN_zero(tmp) <= 0)
++            if (BN_set_word(tmp, 0) <= 0)
+                 return NULL;
+ 
+             if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
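Review bot: The patch header carries `Origin:` and `Upstream-Author:` but no `Bug-Debian:` field, even though the commit message closes #995657; DEP-3 allows the bug reference to travel with the patch, e.g. `Bug-Debian: https://bugs.debian.org/995657` after the `Origin:` line. The code change itself looks sound: BN_set_word() returns 1 on success and 0 on failure, so the `<= 0` test on the three new lines preserves the existing error handling, whereas the commit message notes BN_zero() is void in some OpenSSL builds and cannot be checked at all. All three touched functions in sss.c begin outside their hunks, so the surrounding cleanup on the `return NULL` paths is not visible here.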

+ 52 - 0
debian/patches/cherry-pick/1623378825.v18-3-g4600bd6.do-not-kill-non-clevis-slots-315.patch

@@ -0,0 +1,52 @@
+Subject: Do not kill non clevis slots (#315)
+Origin: v18-3-g4600bd6 <https://github.com/latchset/clevis/commit/v18-3-g4600bd6>
+Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Fri Jun 11 04:33:45 2021 +0200
+
+    When using clevis-luks-unbind against a slot
+    that has no clevis token assigned, removing the slot
+    must be avoided. Fixes #183
+
+    Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
+
+--- a/src/luks/clevis-luks-unbind.in
++++ b/src/luks/clevis-luks-unbind.in
+@@ -106,6 +106,10 @@
+     grep -q "^\s*$SLT: luks2" <<< "$dump" && KILL=true
+     TOK="$(grep -E -B1 "^\s+Keyslot:\s+$SLT$" <<< "$dump" \
+         | sed -rn 's|^\s+([0-9]+): clevis|\1|p')"
++    if [ -z "${TOK}" ]; then
++        echo "No clevis slot detected on device ${DEV}:${SLT}!" >&2
++        exit 1
++    fi
+ fi
+ 
+ if [ -z "${FRC[*]}" ]; then
+--- a/src/luks/tests/unbind-luks2
++++ b/src/luks/tests/unbind-luks2
+@@ -42,10 +42,23 @@
+ new_device "luks2" "${DEV}"
+ # Binding.
+ if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+-    error "${TEST}: Binding is expected to succeed." >&2
++    error "${TEST}: Binding is expected to succeed."
+ fi
+ 
+ SLT=1
+ if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+-    error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
++    error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}"
++fi
++
++SLT=0
++if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
++   error "${TEST}: Unable to open device ${DEV}:${SLT}"
++fi
++
++if clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
++   error "${TEST}: Unbind is expected to fail for device ${DEV}:${SLT} that is not bound with clevis"
++fi
++
++if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
++  error "${TEST}: Unbind is expected not to remove non clevis slots"
+ fi
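Review bot: The new `-z "${TOK}"` guard appears to sit in the LUKS2 branch only — the preceding line matches `$SLT: luks2` and sets KILL — so a LUKS1 device whose slot carries no clevis metadata is not covered by this check, and the added test exercises only a luks2 device; the enclosing `if` starts outside the hunk, so an equivalent LUKS1 check may exist there but is not visible. Since KILL=true has already been set on the line above, it is worth a one-line comment that the exit deliberately happens before any keyslot removal, e.g. `# refuse to touch a keyslot that clevis does not own`. In the test hunk, dropping `>&2` from the `error` calls is only correct if `error` in tests-common-functions writes to stderr itself, which the change implies but the page does not show.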

+ 95 - 0
debian/patches/cherry-pick/1623754283.v18-5-gd8a25e3.avoid-luksmeta-corruption-on-clevis-bind-319.patch

@@ -0,0 +1,95 @@
+Subject: Avoid luksmeta corruption on clevis bind (#319)
+Origin: v18-5-gd8a25e3 <https://github.com/latchset/clevis/commit/v18-5-gd8a25e3>
+Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Tue Jun 15 12:51:23 2021 +0200
+
+    When using long key information to be stored in luks metadata,
+    luksmeta save is not reporting the corruption of LUKs meta.
+    This change detects if issue occurs after luksmeta metadata save
+    and, in that case, restores the device. Fixes #181
+
+    Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
+
+--- a/src/luks/clevis-luks-common-functions.in
++++ b/src/luks/clevis-luks-common-functions.in
+@@ -448,6 +448,12 @@
+         echo "Error saving metadata to LUKSMeta slot ${SLOT} from ${DEV}" >&2
+         return 1
+     fi
++
++    if ! luksmeta test -d "${DEV}" 2>/dev/null >/dev/null ; then
++        echo "Error detected after saving metadata to LUKSMeta slot ${SLOT}, device ${DEV}" >&2
++        return 1
++    fi
++
+     return 0
+ }
+ 
+--- /dev/null
++++ b/src/luks/tests/bind-luks1-avoid-luksmeta-corruption
+@@ -0,0 +1,55 @@
++#!/bin/bash -ex
++#
++# Copyright (c) 2021 Red Hat, Inc.
++# Author: Sergio Arroutbi Braojos <sarroutb@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++TEST=$(basename "${0}")
++. tests-common-functions
++
++on_exit() {
++    [ ! -d "${TMP}" ] && return 0
++    tang_stop "${TMP}"
++    rm -rf "${TMP}"
++}
++
++trap 'on_exit' EXIT
++
++TMP="$(mktemp -d)"
++
++ADV_AMOUNT=50
++
++# Create LUKS1 device
++DEV="${TMP}/luks1-device"
++new_device "luks1" "${DEV}"
++
++# TANG server specifics
++port=$(tang_new_random_port)
++tang_run "${TMP}" "${port}"
++url="http://localhost:${port}"
++
++# Initial binding to ensure luksmeta gets corrupted
++for ADV_NU in $(seq 0 ${ADV_AMOUNT}); do
++    "${TANGD_KEYGEN}" "${TMP}/db"
++done
++tang_new_keys "${TMP}"
++
++CFG=$(printf '{"url":"%s"}' "${url}")
++
++# At this point, luks bind must return an error. If not, test fails
++if clevis luks bind -y -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
++    error "${TEST}: Binding is expected to fail when given a too long adv"
++fi
+--- a/src/luks/tests/meson.build
++++ b/src/luks/tests/meson.build
+@@ -59,6 +59,7 @@
+ 
+ test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
++test('bind-luks1-avoid-luksmeta-corruption', find_program('bind-luks1-avoid-luksmeta-corruption'), env: env, timeout: 60)
+ 
+ # LUKS2 tests go here, and they get included if we get support for it, based
+ # on the cryptsetup version.
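Review bot: The commit message says the device is restored when corruption is detected after the save, but the visible change to clevis-luks-common-functions.in only runs `luksmeta test` and returns 1; any rollback must happen in the caller, which is outside the hunk, so a comment above the check should say so, e.g. `# luksmeta save may corrupt the header with long metadata without reporting it; verify and let the caller roll back`. Discarding luksmeta's stderr with `2>/dev/null` also hides why the check failed, and `if ! luksmeta test -d "${DEV}" >/dev/null; then` would keep the diagnostic while still silencing stdout. In the new test, `seq 0 ${ADV_AMOUNT}` generates 51 keys rather than 50, harmless but at odds with what the variable name suggests. The function containing the new check starts outside the hunk.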

+ 37 - 0
debian/patches/cherry-pick/1640668269.v18-17-gad61841.use-command-v-instead-of-which.patch

@@ -0,0 +1,37 @@
+Subject: Use `command -v` instead of `which`
+Origin: v18-17-gad61841 <https://github.com/latchset/clevis/commit/v18-17-gad61841>
+Upstream-Author: Rohan Jain <crodjer@pm.me>
+Date: Tue Dec 28 10:41:09 2021 +0530
+
+    On debian `/usr/bin/which` results in deprecated messages, recommending
+    `command -v` instead.
+
+    They look like:
+
+    ```
+    at 10:35:36 ❯ sudo update-initramfs -u -k 'all'
+    update-initramfs: Generating /boot/initrd.img-5.15.0-2-amd64
+    I: The initramfs will attempt to resume from /dev/dm-2
+    I: (/dev/mapper/sys-swap)
+    I: Set the RESUME variable to override this.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
+    ```
+
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -42,7 +42,7 @@
+ 
+ find_binary() {
+     bin_name="$1"
+-    resolved=$(which ${bin_name})
++    resolved=$(command -v ${bin_name})
+     [ -z "$resolved" ] && die 1 "Unable to find ${bin_name}"
+     echo "$resolved"
+ }
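Review bot: `command -v` differs from `which` in that it also resolves shell builtins, functions and aliases and then prints a bare name rather than a path, so `find_binary` can now return something the caller cannot copy into the initramfs if it hands the result to copy_exec as initramfs hooks typically do; a cheap guard is `resolved=$(command -v "${bin_name}")` followed by `case "$resolved" in /*) ;; *) die 1 "Unable to find ${bin_name}" ;; esac`. Quoting `"${bin_name}"` also prevents word splitting and globbing on the name, a problem the replaced line shared. The function is fully visible in the hunk; its callers are not.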

+ 4 - 0
debian/patches/series

@@ -1,4 +1,8 @@
 # cherry-picked commits. Keep in upstream's chronological order
+cherry-pick/1620092196.v18-2-gee1dfed.sss-use-bn-set-word-x-0-instead-of-bn-zero.patch
+cherry-pick/1623378825.v18-3-g4600bd6.do-not-kill-non-clevis-slots-315.patch
+cherry-pick/1623754283.v18-5-gd8a25e3.avoid-luksmeta-corruption-on-clevis-bind-319.patch
+cherry-pick/1640668269.v18-17-gad61841.use-command-v-instead-of-which.patch
 
 # patches for upstream
 for-upstream/2018-10-30.use-asciidoctor-to-build-manpages.patch