From f67e96ecee714a3a65491f818f46251c77461a27 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 19 2021 04:20:13 +0000
Subject: import clevis-15-2.el8
---
diff --git a/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
new file mode 100644
index 0000000..35738b5
--- /dev/null
+++ b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
@@ -0,0 +1,41 @@
+From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Fri, 29 Oct 2021 12:04:46 -0300
+Subject: [PATCH 3/3] systemd: account for unlocking failures in
+ clevis-luks-askpass (#343)
+
+As unlock may fail for some reason, e.g. the network is not up yet,
+one way cause problems would be to add extra `rd.luks.uuid' params
+to the cmdline, which would then cause such devices to be unlocked
+in early boot. If the unlocking fail, those devices might not be
+accounted for in the clevis_devices_to_unlock() check, as it is
+based on crypttab.
+
+Let's make sure there are no pending ask.* sockets waiting to be
+answered, before exiting.
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
+---
+ src/luks/systemd/clevis-luks-askpass | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
+index 285bba4..f19671f 100755
+--- a/src/luks/systemd/clevis-luks-askpass
++++ b/src/luks/systemd/clevis-luks-askpass
+@@ -67,8 +67,11 @@ while true; do
+ done
+ 
+ [ "${loop}" != true ] && break
++
+ # Checking for pending devices to be unlocked.
+- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
++ remaining_crypttab=$(clevis_devices_to_unlock) ||:
++ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
++ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
+ break;
+ fi
+ 
+-- 
+2.33.1
+
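Review bot: The rewritten check in the nested clevis-luks-askpass hunk now treats a failing `clevis_devices_to_unlock` as "nothing left to unlock": `remaining_crypttab=$(clevis_devices_to_unlock) ||:` leaves the variable empty on error, so if no ask.* file happens to exist at that instant the loop breaks, whereas the replaced line only broke when the helper succeeded and returned an empty list. Keeping the success requirement preserves the old guard while still honouring pending ask files: `if remaining_crypttab=$(clevis_devices_to_unlock) && [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then`; if tolerating a failing helper is the intent, that deserves a comment on the `||:` line. The `ls "${path}"/ask.* 2>/dev/null` probe is a fragile presence test (it depends on `ls` output and on `${path}` being set, which is not visible here); a glob loop with `[ -e "${f}" ]` would not depend on an external command, though I cannot confirm the shell options the script runs under. The enclosing `while true` loop and the definition of `path` lie outside the hunk.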
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index 6ad3954..723fe8c 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -2,7 +2,7 @@
 Name: clevis
 Version: 15
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Automated decryption framework
 
 License: GPLv3+
@@ -11,6 +11,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version
 Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
 Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
+Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
 
 BuildRequires: git
 BuildRequires: gcc
@@ -196,6 +197,10 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
+* Wed Nov 17 2021 Sergio Correia - 15-2
+- Account for unlocking failures in clevis-luks-askpass
+  Resolves: rhbz#2018292
+
 * Mon Oct 26 2020 Sergio Correia - 15-1
 - Update to latest upstream release, v15
   Resolves: rhbz#1887836