From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 18 Nov 2021 16:45:58 -0300
Subject: [PATCH 4/4] systemd: drop ncat dependency

When using systemd, i.e., clevis-luks-askpass, we use ncat to send
the decrypted password to the systemd socket as per systemd's password
agents specification [1].

However, systemd itself has a utility that does exactly that,
systemd-reply-password.

In this commit we drop the ncat dependency and instead use
systemd-reply-password in clevis-luks-askpass.

[1] https://systemd.io/PASSWORD_AGENTS/
---
 ...is-luks-askpass => clevis-luks-askpass.in} |  2 +-
 .../systemd/dracut/clevis/module-setup.sh.in  |  4 ++--
 src/luks/systemd/meson.build                  | 19 +++++++++++++++++--
 3 files changed, 20 insertions(+), 5 deletions(-)
 rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)

diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
similarity index 97%
rename from src/luks/systemd/clevis-luks-askpass
rename to src/luks/systemd/clevis-luks-askpass.in
index f19671f..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -58,7 +58,7 @@ while true; do
         fi
 
         uuid="$(cryptsetup luksUUID "${d}")"
-        if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
+        if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
             echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
             continue
         fi
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
index ebf969f..d46c6e2 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@ install() {
 
     inst_multiple \
         /etc/services \
+        @SYSTEMD_REPLY_PASS@ \
         @libexecdir@/clevis-luks-askpass \
         clevis-luks-common-functions \
         grep sed cut \
@@ -45,8 +46,7 @@ install() {
         luksmeta \
         clevis \
         mktemp \
-        jose \
-        ncat
+        jose
 
     dracut_need_initqueue
 }
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index 369e7f7..e3b3d91 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
 systemd = dependency('systemd', required: false)
 
-if systemd.found()
+sd_reply_pass = find_program(
+  join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+  join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+  join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+  required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+  data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
   subdir('dracut')
 
   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@ if systemd.found()
     configuration: data,
   )
 
+  configure_file(
+    input: 'clevis-luks-askpass.in',
+    output: 'clevis-luks-askpass',
+    install_dir: libexecdir,
+    configuration: data
+  )
+
   install_data('clevis-luks-askpass.path', install_dir: unitdir)
-  install_data('clevis-luks-askpass', install_dir: libexecdir)
 else
   warning('Will not install systemd support due to missing dependencies!')
 endif
-- 
2.33.1