diff --git a/.clevis.metadata b/.clevis.metadata
index d353097e804f2567376ee73e2f545613b52923d6..4797be4e096f9d672b326d7b175e15a87949f6ab 100644
--- a/.clevis.metadata
+++ b/.clevis.metadata
@@ -1 +1 @@
-e4c280b5b6cc8876d2e2e4d6ea864168be44c0cf0ad2bc2d2e065b896e4fab1e SOURCES/clevis-20.tar.xz
+a0388a544c77139dc751cdbf66bdd38fc29c43f9e81a1cdfd119c84109ffca3f SOURCES/clevis-21.tar.xz
diff --git a/SOURCES/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch b/SOURCES/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
deleted file mode 100644
index 263166d19d61570419fda8c874383bf59e76e7f9..0000000000000000000000000000000000000000
--- a/SOURCES/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
+++ /dev/null
@@ -1,56 +0,0 @@ ---- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100 -+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200 -@@ -264,8 +264,10 @@ - - error: - g_list_free_full(ctx.lst, g_free); -- g_main_loop_unref(ctx.loop); -- g_object_unref(ctx.clt); -+ if (ctx.loop) -+ g_main_loop_unref(ctx.loop); -+ if (ctx.clt) -+ g_object_unref(ctx.clt); - close(sock); - return exit_status; - } -@@ -299,12 +301,12 @@ - safeclose(&pair[0]); - } - --static ssize_t --recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid) -+static uint32_t -+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid) - { - int push[2] = { -1, -1 }; - int pull[2] = { -1, -1 }; -- ssize_t bytes = 0; -+ int32_t bytes = 0; - pid_t chld = 0; - - if (pipe(push) != 0) -@@ -379,12 +381,18 @@ - } - - bytes = 0; -- for (ssize_t block = 1; block > 0; bytes += block) { -- block = read(pull[PIPE_RD], &out[bytes], max - bytes); -- if (block < 0) { -- kill(chld, SIGTERM); -- goto error; -- } -+ ssize_t block = 0; -+ while (max > 0 && max > bytes) { -+ do { -+ block = read(pull[PIPE_RD], &out[bytes], max - bytes); -+ } while (block < 0 && errno == EINTR); -+ if (block < 0 || block < INT32_MIN || block > INT32_MAX) { -+ kill(chld, SIGTERM); -+ goto error; -+ } -+ if (block == 0) -+ break; -+ bytes += block; - } - - safeclose(&pull[PIPE_RD]); diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec index 54a43ddb1cc37972e705ad744162e3f11cb5fb30..72a049c274335007ab8d970993b50fff23cacad7 100644 --- a/SPECS/clevis.spec +++ b/SPECS/clevis.spec 
@@ -1,15 +1,15 @@
 ## START: Set by rpmautospec
-## (rpmautospec version 0.6.3)
+## (rpmautospec version 0.7.2)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 4;
+ release_number = 1;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
 ## END: Set by rpmautospec
 Name: clevis
-Version: 20
+Version: 21
 Release: %autorelease
 Summary: Automated decryption framework
@@ -17,7 +17,6 @@ License: GPL-3.0-or-later
 URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1: clevis.sysusers
-Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
 BuildRequires: git-core
 BuildRequires: gcc
@@ -45,6 +44,8 @@ BuildRequires: openssl
 BuildRequires: diffutils
 BuildRequires: cryptsetup
 BuildRequires: jq
+BuildRequires: pcsc-lite
+BuildRequires: opensc
 Requires: tpm2-tools >= 4.0.0
 Requires: coreutils
@@ -54,6 +55,8 @@ Requires: jq
 Requires(pre): shadow-utils
 Requires(post): systemd
 Requires: clevis-pin-tpm2
+Requires: pcsc-lite
+Requires: opensc
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
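Review bot: Removing the `Patch1:` line drops two fixes that nothing in this diff shows are carried by clevis-21: the NULL guards before `g_main_loop_unref(ctx.loop)` / `g_object_unref(ctx.clt)` on the udisks2 error path, and the bounded, EINTR-retrying read loop in `recover_key` (the dropped patch body is visible earlier in this diff). If `src/luks/udisks2/clevis-luks-udisks2.c` in the 21 tarball does not contain them, presumably an early `goto error` before `ctx.loop` is created regresses to a NULL dereference, and an interrupted pipe read again kills the child and fails the unlock. Please confirm against the tarball before merging and record the reason in the changelog entry, e.g. `- Drop 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch (merged upstream)`; otherwise rebase and re-add the patch.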
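Review bot: `Requires: pcsc-lite` and `Requires: opensc` are hard dependencies of the base package, so every host that installs clevis for the tang, tpm2 or sss pins now also pulls in the smart-card stack (an additional system daemon plus the OpenSC PKCS#11 module) that it never uses, which is extra installed code and attack surface on systems that unlock over the network or a TPM. The spec already isolates optional parts into subpackages (`%files systemd`, `%files dracut`, `%files udisks2` later in this diff), so the pkcs11 pin binaries and these two dependencies fit better in a `clevis-pin-pkcs11` subpackage, or at minimum `Recommends:` instead of `Requires:`. The matching `BuildRequires:` lines in the preceding hunk are fine if the test suite needs them; a short comment stating that reason next to them would stop the next rebase from questioning it.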
@@ -144,15 +147,20 @@ exit 0
 %{_bindir}/%{name}-decrypt-tpm2
 %{_bindir}/%{name}-decrypt-sss
 %{_bindir}/%{name}-decrypt-null
+%{_bindir}/%{name}-decrypt-pkcs11
 %{_bindir}/%{name}-decrypt
 %{_bindir}/%{name}-encrypt-tang
 %{_bindir}/%{name}-encrypt-tpm2
 %{_bindir}/%{name}-encrypt-sss
 %{_bindir}/%{name}-encrypt-null
+%{_bindir}/%{name}-encrypt-pkcs11
+%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
+%{_bindir}/%{name}-pkcs11-common
 %{_bindir}/%{name}
 %{_mandir}/man1/%{name}-encrypt-tang.1*
 %{_mandir}/man1/%{name}-encrypt-tpm2.1*
 %{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
 %{_mandir}/man1/%{name}-decrypt.1*
 %{_mandir}/man1/%{name}.1*
 %{_sysusersdir}/clevis.conf
@@ -180,8 +188,12 @@ exit 0
 %files systemd
 %{_libexecdir}/%{name}-luks-askpass
 %{_libexecdir}/%{name}-luks-unlocker
+%{_libexecdir}/%{name}-luks-pkcs11-askpass
+%{_libexecdir}/%{name}-luks-pkcs11-askpin
 %{_unitdir}/%{name}-luks-askpass.path
 %{_unitdir}/%{name}-luks-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
 %files dracut
 %{_prefix}/lib/dracut/modules.d/60%{name}
@@ -189,6 +201,9 @@ exit 0
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
 %files udisks2
 %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
@@ -199,6 +214,9 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %changelog
 ## START: Generated by rpmautospec
+* Thu Sep 26 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-1
+- Rebase to clevis-21 upstream version
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 20-4
 - Bump release for June 2024 mass rebuild
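Review bot: `%{_bindir}/%{name}-pkcs11-common` is placed on every user's PATH although its name suggests a helper that the pkcs11 pin scripts source rather than a command anyone runs; if that is what it is, `%{_libexecdir}` (where the spec already keeps `%{name}-luks-askpass` and `%{name}-luks-unlocker`) is the conventional location and keeps it out of completion and documentation expectations. The same question applies to `%{name}-pkcs11-afunix-socket-unlock`, which reads like a service-side helper. I cannot see upstream's install rules here, so moving them may need a patch to the upstream install target rather than only a `%files` change, in which case a comment next to these two entries explaining why they live in `%{_bindir}` would do.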
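Review bot: The new `%{name}-luks-pkcs11-askpass.socket` and `.service` units are packaged in the systemd subpackage, but no hunk in this diff touches that subpackage's scriptlets; the only unit handling visible is the `systemctl preset %{name}-luks-askpass.path` line that heads the last hunk, so the socket is neither enabled on install nor stopped and disabled on removal unless a preset file I cannot see covers it. Add `%systemd_post %{name}-luks-pkcs11-askpass.socket` to `%post systemd` and `%systemd_preun %{name}-luks-pkcs11-askpass.socket` to `%preun systemd` (plus the matching `%systemd_postun`), or extend the existing preset line to include the socket. Because this socket is the channel that hands out a LUKS unlock, also confirm that the unit's `SocketMode`/`SocketUser` restrict it to root; those settings live in the unit file, which is not part of this diff. The `%post` scriptlet itself lies outside this hunk.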