From 26095133483bbda5823e37634db227944696b526 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Dec 07 2021 17:15:18 +0000
Subject: import clevis-18-5.el9


---

diff --git a/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
new file mode 100644
index 0000000..1fc7016
--- /dev/null
+++ b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
@@ -0,0 +1,41 @@
+From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Fri, 29 Oct 2021 12:04:46 -0300
+Subject: [PATCH 2/2] systemd: account for unlocking failures in
+ clevis-luks-askpass (#343)
+
+As unlock may fail for some reason, e.g. the network is not up yet,
+one way cause problems would be to add extra `rd.luks.uuid' params
+to the cmdline, which would then cause such devices to be unlocked
+in early boot. If the unlocking fail, those devices might not be
+accounted for in the clevis_devices_to_unlock() check, as it is
+based on crypttab.
+
+Let's make sure there are no pending ask.* sockets waiting to be
+answered, before exiting.
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
+---
+ src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
+index 8f54859..a6699c9 100755
+--- a/src/luks/systemd/clevis-luks-askpass.in
++++ b/src/luks/systemd/clevis-luks-askpass.in
+@@ -67,8 +67,11 @@ while true; do
+     done
+ 
+     [ "${loop}" != true ] && break
++
+     # Checking for pending devices to be unlocked.
+-    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
++    remaining_crypttab=$(clevis_devices_to_unlock) ||:
++    remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
++    if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
+         break;
+     fi
+ 
+-- 
+2.33.1
+
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index 20f1b4c..cf9ef41 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -1,6 +1,6 @@
 Name:           clevis
 Version:        18
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Automated decryption framework
 
 License:        GPLv3+
@@ -9,6 +9,7 @@ Source0:        https://github.com/latchset/%{name}/releases/download/v%{version
 Source1:        clevis.sysusers
 
 Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
+Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
 
 BuildRequires:  git-core
 BuildRequires:  gcc
@@ -193,6 +194,10 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
+* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 18-5
+- Account for unlocking failures in clevis-luks-askpass
+  Resolves: rhbz#2022421
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688