Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-08-18 19:28:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Fri Aug 18 19:28:55 2023 rev:7 rq:1104645 version:0.6.7 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-27 16:53:04.370581885 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes 2023-08-18 19:29:26.551432473 +0200 @@ -1,0 +2,9 @@ +Fri Aug 18 07:51:12 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to version 0.6.7 + + Check failure of authorized policy creation + + Additional check for recovery password +- Drop upstreamed patch + + fde-tools-handle-authorized-policy-failure.patch + +------------------------------------------------------------------- Old: ---- fde-tools-0.6.6.tar.gz fde-tools-handle-authorized-policy-failure.patch New: ---- fde-tools-0.6.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.prolCu/_old 2023-08-18 19:29:27.439434065 +0200 +++ /var/tmp/diff_new_pack.prolCu/_new 2023-08-18 19:29:27.443434073 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version: 0.6.6 +Version: 0.6.7 Release: 0 Summary: Tools required for Full Disk Encryption License: GPL-2.0-only @@ -26,7 +26,6 @@ Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source1: fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-handle-authorized-policy-failure.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel ++++++ fde-tools-0.6.6.tar.gz -> fde-tools-0.6.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/add-secondary-key new/fde-tools-0.6.7/share/commands/add-secondary-key --- old/fde-tools-0.6.6/share/commands/add-secondary-key 2023-07-20 10:35:24.000000000 +0200 +++ new/fde-tools-0.6.7/share/commands/add-secondary-key 2023-08-04 08:45:44.000000000 +0200 
@@ -48,7 +48,9 @@
bootloader_commit_config
fi
- enroll_tpm_secondary_key "$luks_dev"
+ if ! enroll_tpm_secondary_key "${luks_dev}"; then
+ return 1
+ fi
return 0
}
@@ -68,6 +70,10 @@
# loading the pubkey.
tpm_set_authorized_policy_paths "$policy_name"
tpm_create_authorized_policy $FDE_AP_SECRET_KEY $FDE_AP_AUTHPOLICY $FDE_AP_PUBLIC_KEY
+ if [ $? -ne 0 ]; then
+ display_errorbox "Failed to create authorized policy"
+ return 1
+ fi
if [ "$FDE_AUTHORIZED_POLICY" != "$policy_name" ]; then
fde_set_variable FDE_AUTHORIZED_POLICY "$policy_name"
@@ -87,6 +93,20 @@
return 1
fi
+ if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
+ rm -f "$luks_keyfile"
+ display_errorbox "Failed to verify password on LUKS partition"
+ return 1
+ fi
+
+ for extra_dev in ${FDE_EXTRA_DEVS}; do
+ if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then
+ rm -f "$luks_keyfile"
+ display_errorbox "Failed to verify password on LUKS partition($extra_dev)"
+ return 1
+ fi
+ done
+
if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then
display_errorbox "Failed to add secondary LUKS key"
rm -f "$luks_keyfile"
@@ -96,6 +116,7 @@
# Add the new random key to the devices in FDE_EXTRA_DEVS
for extra_dev in ${FDE_EXTRA_DEVS}; do
if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; then
+ display_errorbox "Failed to add secondary LUKS key (${extra_dev})"
rm -f "$luks_keyfile"
return 1
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/regenerate-key new/fde-tools-0.6.7/share/commands/regenerate-key
--- old/fde-tools-0.6.6/share/commands/regenerate-key 2023-07-20 10:35:24.000000000 +0200
+++ new/fde-tools-0.6.7/share/commands/regenerate-key 2023-08-04 08:45:44.000000000 +0200
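Review bot: The failure check added after `tpm_create_authorized_policy` in the @@ -68 hunk tests `$?` on a separate line following the command, which is fragile (any statement later inserted between the two silently resets the status) and inconsistent with the `if ! enroll_tpm_secondary_key …` form the same commit uses in the hunk above. Folding the command into the condition keeps one idiom across the file: `if ! tpm_create_authorized_policy "$FDE_AP_SECRET_KEY" "$FDE_AP_AUTHPOLICY" "$FDE_AP_PUBLIC_KEY"; then`. Quoting the three path variables also protects against word-splitting should a key path ever contain whitespace; leave any of them unquoted only if it is intentionally a list, which is not visible here. The enclosing function starts and ends outside the hunk.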
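Review bot: The temp file holding the recovery password, `$luks_keyfile`, is removed by a separate `rm -f` on each error path in the @@ -87 hunk, so an interrupt (SIGINT/SIGTERM) during `luks_verify_password` or any failure path that forgets the `rm` leaves the plaintext password on disk. Unless `fde_make_tempfile` already registers cleanup (not visible here), a `trap 'rm -f "$luks_keyfile"' EXIT` set where the file is created would cover every exit route and let the individual `rm -f` calls go. Separately, the new message `"Failed to verify password on LUKS partition($extra_dev)"` lacks the space and braces used by the sibling message `"Failed to add secondary LUKS key (${extra_dev})"`; `"Failed to verify password on LUKS partition (${extra_dev})"` keeps them uniform. The enclosing function begins outside the hunk.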
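Review bot: The error branch in the @@ -96 hunk removes only `$luks_keyfile`, while `$luks_new_keyfile` — the freshly generated random key that `luks_add_random_key` has already enrolled into `$luks_dev`, and that `luks_add_key` may already have added to earlier entries of `FDE_EXTRA_DEVS` — stays on disk even though the function gives up. That is key material matching a live keyslot left in the temp directory; the branch should at least `rm -f "$luks_keyfile" "$luks_new_keyfile"`, and ideally remove the slot just added from the devices already updated so a failed run does not leave the devices in a half-enrolled state. Whether a caller performs that rollback is not visible here; the enclosing function continues outside the hunk.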
@@ -35,7 +35,9 @@
EXTRA_KEYSLOTS_OLD["${extra_dev}"]=$(bootloader_get_keyslots ${extra_dev})
done
- enroll_tpm_secondary_key "${luks_dev}"
+ if ! enroll_tpm_secondary_key "${luks_dev}"; then
+ return 1
+ fi
# Finish TPM key sealing
tpm_enable ${luks_dev}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/tpm-enable new/fde-tools-0.6.7/share/commands/tpm-enable
--- old/fde-tools-0.6.6/share/commands/tpm-enable 2023-07-20 10:35:24.000000000 +0200
+++ new/fde-tools-0.6.7/share/commands/tpm-enable 2023-08-04 08:45:44.000000000 +0200
@@ -145,6 +145,20 @@
return 1
fi
+ if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
+ rm -f "$luks_keyfile"
+ display_errorbox "Failed to verify password on LUKS partition"
+ return 1
+ fi
+
+ for extra_dev in ${FDE_EXTRA_DEVS}; do
+ if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then
+ rm -f "$luks_keyfile"
+ display_errorbox "Failed to verify password on LUKS partition($extra_dev)"
+ return 1
+ fi
+ done
+
luks_new_keyfile=$(fde_make_tempfile new.key)
if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then
@@ -153,6 +167,15 @@
return 1
fi
+ # Add the new random key to the devices in FDE_EXTRA_DEVS
+ for extra_dev in ${FDE_EXTRA_DEVS}; do
+ if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; then
+ display_errorbox "Failed to add secondary LUKS key (${extra_dev})"
+ rm -f "$luks_keyfile"
+ return 1
+ fi
+ done
+
rm -f "$luks_keyfile"
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.6/share/tpm new/fde-tools-0.6.7/share/tpm
--- old/fde-tools-0.6.6/share/tpm 2023-07-20 10:35:24.000000000 +0200
+++ new/fde-tools-0.6.7/share/tpm 2023-08-04 08:45:44.000000000 +0200
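Review bot: The same fourteen-line password check now exists twice — in the @@ -145 hunk of tpm-enable and, byte for byte, in add-secondary-key — and two copies of a security gate tend to drift (the message format `partition($extra_dev)` already differs from the `(${extra_dev})` style used a few lines below). A single helper in the shared library, e.g. `luks_verify_password_all "$luks_dev" "$luks_keyfile"` that checks `$luks_dev` and every entry of `${FDE_EXTRA_DEVS}` and returns non-zero on the first mismatch, would let both commands call one implementation and keep the `rm -f "$luks_keyfile"` cleanup in one place. Which library file should host it is not visible here; the enclosing function starts outside the hunk.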
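Review bot: When `luks_add_key` fails for the second or a later device in the loop added by the @@ -153 hunk, `$luks_dev` and the earlier extra devices already hold the new random key while the function returns 1 without removing `$luks_new_keyfile`, so an unsealed copy of key material that is enrolled on real devices remains in the temp directory. The error branch should at least read `rm -f "$luks_keyfile" "$luks_new_keyfile"`; whether the partially enrolled keyslots are rolled back by the caller cannot be seen here, and if they are not, the half-enrolled devices will keep a slot that no sealed TPM object ever references. The enclosing `if` block and the function continue outside the hunk.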
@@ -165,7 +165,7 @@
--algorithm $FDE_SEAL_PCR_BANK \
create-authorized-policy $FDE_SEAL_PCR_LIST
if [ $? -ne 0 ]; then
- return $?
+ return 1
fi
# Store the public key in a format suitable for feeding it to the TPM
@@ -175,7 +175,7 @@
--public-key "$public_key" \
store-public-key
if [ $? -ne 0 ]; then
- return $?
+ return 1
fi
fi
}
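Review bot: The corrected check in the @@ -165 hunk still tests `$?` on a separate line after a multi-line command, the very pattern that made the old `return $?` hand back the status of the `[` test (always 0) and so report a failed create-authorized-policy as success; `return 1` fixes the symptom but keeps the trap for the next edit. Attaching the status check to the command itself, `create-authorized-policy $FDE_SEAL_PCR_LIST || return 1`, removes the gap and reads as one statement; the same applies to the `store-public-key` check in the @@ -175 hunk. Since callers added in this commit now abort on a non-zero return, this is the check that prevents a policy-less sealing from proceeding, so it is worth keeping as robust as possible. The command's leading arguments and the enclosing function lie outside the hunk.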