From 81f594e64f0018d2b612f372742633032eb48979 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 27 2021 04:22:20 +0000
Subject: import clevis-15-3.el8
---
diff --git a/SOURCES/0004-systemd-drop-ncat-dependency.patch b/SOURCES/0004-systemd-drop-ncat-dependency.patch
new file mode 100644
index 0000000..fbd22de
--- /dev/null
+++ b/SOURCES/0004-systemd-drop-ncat-dependency.patch
@@ -0,0 +1,101 @@ +From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 18 Nov 2021 16:45:58 -0300 +Subject: [PATCH 4/4] systemd: drop ncat dependency + +When using systemd, i.e., clevis-luks-askpass, we use ncat to send +the decrypted password to the systemd socket as per systemd's password +agents specification [1]. + +However, systemd itself has a utility that does exactly that, +systemd-reply-password. + +In this commit we drop the ncat dependency and instead use +systemd-reply-password in clevis-luks-askpass. + +[1] https://systemd.io/PASSWORD_AGENTS/ +--- + ...is-luks-askpass => clevis-luks-askpass.in} | 2 +- + .../systemd/dracut/clevis/module-setup.sh.in | 4 ++-- + src/luks/systemd/meson.build | 19 +++++++++++++++++-- + 3 files changed, 20 insertions(+), 5 deletions(-) + rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in +similarity index 97% +rename from src/luks/systemd/clevis-luks-askpass +rename to src/luks/systemd/clevis-luks-askpass.in +index f19671f..a6699c9 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass.in +@@ -58,7 +58,7 @@ while true; do + fi + + uuid="$(cryptsetup luksUUID "${d}")" +- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then ++ if ! 
printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then + echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2 + continue + fi +diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in +index ebf969f..d46c6e2 100755 +--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in ++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in +@@ -36,6 +36,7 @@ install() { + + inst_multiple \ + /etc/services \ ++ @SYSTEMD_REPLY_PASS@ \ + @libexecdir@/clevis-luks-askpass \ + clevis-luks-common-functions \ + grep sed cut \ +@@ -45,8 +46,7 @@ install() { + luksmeta \ + clevis \ + mktemp \ +- jose \ +- ncat ++ jose + + dracut_need_initqueue + } +diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build +index 369e7f7..e3b3d91 100644 +--- a/src/luks/systemd/meson.build ++++ b/src/luks/systemd/meson.build +@@ -1,6 +1,15 @@ + systemd = dependency('systemd', required: false) + +-if systemd.found() ++sd_reply_pass = find_program( ++ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'), ++ required: false ++) ++ ++if systemd.found() and sd_reply_pass.found() ++ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) + subdir('dracut') + + unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') +@@ -12,8 +21,14 @@ if systemd.found() + configuration: data, + ) + ++ configure_file( ++ input: 'clevis-luks-askpass.in', ++ output: 'clevis-luks-askpass', ++ install_dir: libexecdir, ++ configuration: data ++ ) ++ + install_data('clevis-luks-askpass.path', install_dir: unitdir) +- install_data('clevis-luks-askpass', install_dir: libexecdir) + else + warning('Will not install systemd support due to missing dependencies!') + 
endif +-- +2.33.1 + diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec index 723fe8c..16e00b0 100644 --- a/SPECS/clevis.spec +++ b/SPECS/clevis.spec @@ -2,7 +2,7 @@ Name: clevis Version: 15 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Automated decryption framework License: GPLv3+ @@ -12,6 +12,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch +Patch0004: 0004-systemd-drop-ncat-dependency.patch BuildRequires: git BuildRequires: gcc @@ -86,7 +87,6 @@ Requires: systemd%{?_isa} >= 236 %endif %endif %endif -Requires: nc %description systemd Automatically unlocks clevis-bound LUKS block devices during boot. @@ -197,6 +197,10 @@ exit 0 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog +* Thu Nov 18 2021 Sergio Correia - 15-3 +- Drop ncat dependency + Resolves: rhbz#1949289 + * Wed Nov 17 2021 Sergio Correia - 15-2 - Account for unlocking failures in clevis-luks-askpass Resolves: rhbz#2018292
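Review bot: In the meson.build part of patch 0004, `find_program()` tries two candidates under `get_option('prefix')` before the `/usr` ones, and the first match is written into `clevis-luks-askpass` and the dracut module as the program that receives the recovered LUKS passphrase. With a non-system prefix that could pin a binary that is not systemd's, or a path that does not exist on the booted system. I would resolve it from systemd's own pkg-config data inside the `systemd.found()` branch, e.g. `join_paths(systemd.get_pkgconfig_variable('systemdutildir'), 'systemd-reply-password')`, or at least drop the two prefix-relative candidates. In clevis-luks-askpass.in the substitution is unquoted; `"@SYSTEMD_REPLY_PASS@" 1 "${s}"` would survive a path containing spaces. A comment such as `# 1 = positive reply; systemd-reply-password reads the passphrase from stdin` would explain the bare `1`.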
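Review bot: Nothing visible in these spec hunks guarantees that systemd-reply-password is present in the build root, and patch 0004 looks it up with `required: false`, so a build without it would only print a warning and skip the systemd and dracut unlocker. If the spec does not already pull it in outside the shown context, add a build dependency such as `BuildRequires: systemd` next to the new `Patch0004` line. On the runtime side, the `Requires: systemd%{?_isa} >= 236` line in the context sits inside `%if` blocks, so it is worth confirming that it applies on every target now that `Requires: nc` is gone.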