
Refresh patches

* Drop patches that were cherry-picked from upstream or have since been fixed upstream
* Preserve support for build on non-usrmerged systems as a new patch
Christoph Biedl 1 year ago
parent
commit
441a032c26

+ 0 - 110
debian/patches/cherry-pick/1605094998.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch

@@ -1,110 +0,0 @@
-Subject: Pins/tpm2: add support for tpm2-tools 5.X
-Origin: v15-1-gef76951 <https://github.com/latchset/clevis/commit/v15-1-gef76951>
-Upstream-Author: Jonas Witschel <diabonas@gmx.de>
-Date: Wed Nov 11 12:43:18 2020 +0100
-
-    tpm2-tools 5.0 consolidates all tools into a single busybox-style binary, so
-    the preferred way to invoke the commands would be e.g. "tpm2 createprimary"
-    instead of "tpm2_createprimary". However, compatibility symlinks tpm2_* -> tpm2
-    are installed by default, so we keep the old syntax for tpm2-tools 5.0 to avoid
-    creating another special case, since the option syntax has not changed (it
-    should be stable since version 4).
-
-    tpm2-tools 3.X is deprecated, but unfortunately still packaged by a few Linux
-    distributions, so keep supporting it for now at least.
-
---- a/src/pins/tpm2/clevis-decrypt-tpm2
-+++ b/src/pins/tpm2/clevis-decrypt-tpm2
-@@ -49,8 +49,8 @@
- 
- match='version="(.)\.'
- [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
--if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
--    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
-+if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
-+    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
-     exit 1
- fi
- 
-@@ -135,7 +135,7 @@
- 
- case "$TPM2TOOLS_VERSION" in
-     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
--    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
-+    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
-     *) fail=1;;
- esac
- if [ -n "$fail" ]; then
-@@ -146,8 +146,8 @@
- case "$TPM2TOOLS_VERSION" in
-     3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
-                  -C "$TMP"/load.context || fail=$?;;
--    4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
--                 -c "$TMP"/load.context || fail=$?;;
-+    4|5) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
-+                   -c "$TMP"/load.context || fail=$?;;
-     *) fail=1;;
- esac
- if [ -n "$fail" ]; then
-@@ -157,7 +157,7 @@
- 
- case "$TPM2TOOLS_VERSION" in
-     3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
--    4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
-+    4|5) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
-     *) fail=1;;
- esac
- if [ -n "$fail" ]; then
---- a/src/pins/tpm2/clevis-encrypt-tpm2
-+++ b/src/pins/tpm2/clevis-encrypt-tpm2
-@@ -71,8 +71,8 @@
- 
- match='version="(.)\.'
- [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
--if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
--    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
-+if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
-+    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
-     exit 1
- fi
- 
-@@ -153,7 +153,7 @@
- 
- case "$TPM2TOOLS_VERSION" in
-     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
--    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
-+    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
-     *) fail=1;;
- esac
- if [ -n "$fail" ]; then
-@@ -166,7 +166,7 @@
-     if [ -z "$pcr_digest" ]; then
-         case "$TPM2TOOLS_VERSION" in
-             3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
--            4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
-+            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
-             *) fail=1;;
-         esac
-         if [ -n "$fail" ]; then
-@@ -183,8 +183,8 @@
-     case "$TPM2TOOLS_VERSION" in
-         3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
-                              -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
--        4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
--                             -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
-+        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
-+                               -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
-         *) fail=1;;
-     esac
-     if [ -n "$fail" ]; then
-@@ -200,8 +200,8 @@
- case "$TPM2TOOLS_VERSION" in
-     3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
-                    -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
--    4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
--                   -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
-+    4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
-+                     -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
-     *) fail=1;;
- esac
- if [ -n "$fail" ]; then

+ 0 - 451
debian/patches/cherry-pick/1605797689.v15-2-g3dedc5d.tests-move-tang-tests-to-src-pins-tang.patch

@@ -1,451 +0,0 @@
-Subject: Tests: move tang tests to src/pins/tang
-Origin: v15-2-g3dedc5d <https://github.com/latchset/clevis/commit/v15-2-g3dedc5d>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Thu Nov 19 11:54:49 2020 -0300
-
-    So that we can organize them better.
-
---- a/src/pins/tang/meson.build
-+++ b/src/pins/tang/meson.build
-@@ -1,33 +1,3 @@
--actv = find_program(
--  'systemd-socket-activate',
--  'systemd-activate',
--  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-activate'),
--  required: false
--)
--kgen = find_program(
--  join_paths(libexecdir, 'tangd-keygen'),
--  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-keygen'),
--  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-keygen'),
--  join_paths('/', 'usr', get_option('libdir'), 'tangd-keygen'),
--  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
--  required: false
--)
--updt = find_program(
--  join_paths(libexecdir, 'tangd-update'),
--  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
--  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
--  join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
--  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
--  required: false
--)
--tang = find_program(
--  join_paths(libexecdir, 'tangd'),
--  join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
--  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd'),
--  join_paths('/', 'usr', get_option('libdir'), 'tangd'),
--  join_paths('/', 'usr', get_option('libexecdir'), 'tangd'),
--  required: false
--)
- curl = find_program('curl', required: false)
- 
- if curl.found()
-@@ -35,22 +5,7 @@
-   bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
-   mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
- 
--  if actv.found() and kgen.found() and updt.found() and tang.found()
--    env = environment()
--    env.set('SD_ACTIVATE', actv.path())
--    env.set('TANGD_KEYGEN', kgen.path())
--    env.set('TANGD_UPDATE', updt.path())
--    env.set('TANGD', tang.path())
--    env.prepend('PATH',
--      join_paths(meson.source_root(), 'src'),
--      meson.current_source_dir(),
--      separator: ':'
--    )
--
--    test('pin-tang', find_program('./pin-tang'), env: env)
--  else
--    warning('Will not run tang tests due to missing dependencies!')
--  endif
-+  subdir('tests')
- else
-   warning('Will not install tang pin due to missing dependencies!')
- endif
---- a/src/pins/tang/pin-tang
-+++ /dev/null
-@@ -1,65 +0,0 @@
--#!/bin/bash -x
--# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
--#
--# Copyright (c) 2016 Red Hat, Inc.
--# Author: Nathaniel McCallum <npmccallum@redhat.com>
--#
--# This program is free software: you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation, either version 3 of the License, or
--# (at your option) any later version.
--#
--# This program is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License
--# along with this program.  If not, see <http://www.gnu.org/licenses/>.
--#
--
--function on_exit() {
--    if [ "$PID" ]; then kill $PID; wait $PID || true; fi
--    [ -d "$TMP" ] && rm -rf "$TMP"
--}
--
--trap 'on_exit' EXIT
--trap 'exit' ERR
--
--TMP="$(mktemp -d)"
--mkdir -p "$TMP"/db
--mkdir -p "$TMP"/cache
--
--# Generate the server keys
--"${TANGD_KEYGEN}" "$TMP"/db sig exc
--"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
--
--# Start the server
--port="$(shuf -i 1024-65536 -n 1)"
--
--inetd='--inetd'
--[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
--
--"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
--PID=$!
--sleep 0.25
--
--thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
--adv="$TMP/cache/default.jws"
--url="http://localhost:${port}"
--
--cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
--enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
--dec="$(echo -n "$enc" | clevis decrypt)"
--test "$dec" == "hi"
--
--cfg="$(printf '{"url":"%s","thp":"%s"}' "$url" "$thp")"
--enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
--dec="$(echo -n "$enc" | clevis decrypt)"
--test "$dec" == "hi"
--
--kill -9 $PID
--! wait $PID
--unset PID
--
--! echo "$enc" | clevis decrypt
---- /dev/null
-+++ b/src/pins/tang/tests/meson.build
-@@ -0,0 +1,64 @@
-+kgen = find_program(
-+  join_paths(libexecdir, 'tangd-keygen'),
-+  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-keygen'),
-+  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-keygen'),
-+  join_paths('/', 'usr', get_option('libdir'), 'tangd-keygen'),
-+  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
-+  required: false
-+)
-+updt = find_program(
-+  join_paths(libexecdir, 'tangd-update'),
-+  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
-+  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
-+  join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
-+  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
-+  required: false
-+)
-+tang = find_program(
-+  join_paths(libexecdir, 'tangd'),
-+  join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
-+  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd'),
-+  join_paths('/', 'usr', get_option('libdir'), 'tangd'),
-+  join_paths('/', 'usr', get_option('libexecdir'), 'tangd'),
-+  required: false
-+)
-+
-+socat = find_program('socat', required: false)
-+
-+tang_data = configuration_data()
-+tang_data.set('SOCAT', '')
-+tang_data.set('TANGD_KEYGEN', '')
-+tang_data.set('TANGD_UPDATE', '')
-+tang_data.set('TANGD', '')
-+
-+if socat.found()
-+  tang_data.set('SOCAT', socat.path())
-+endif
-+
-+if kgen.found()
-+  tang_data.set('TANGD_KEYGEN', kgen.path())
-+endif
-+
-+if tang.found()
-+  tang_data.set('TANGD', tang.path())
-+endif
-+
-+if updt.found()
-+  tang_data.set('TANGD_UPDATE', updt.path())
-+endif
-+
-+tang_tests_common = configure_file(
-+  input: 'tang-common-test-functions.in',
-+  output: 'tang-common-test-functions',
-+  configuration: tang_data
-+)
-+
-+env = environment()
-+env.prepend('PATH',
-+  join_paths(meson.source_root(), 'src'),
-+  join_paths(meson.source_root(), 'src', 'pins', 'tang'),
-+  join_paths(meson.build_root(), 'src', 'pins', 'tang', 'tests'),
-+  separator: ':'
-+)
-+
-+test('pin-tang', find_program('pin-tang'), env: env)
---- /dev/null
-+++ b/src/pins/tang/tests/pin-tang
-@@ -0,0 +1,55 @@
-+#!/bin/bash -xe
-+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-+#
-+# Copyright (c) 2016 Red Hat, Inc.
-+# Author: Nathaniel McCallum <npmccallum@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+. tang-common-test-functions
-+
-+on_exit() {
-+    exit_status=$?
-+    tang_stop "${TMP}"
-+    [ -d "$TMP" ] && rm -rf "$TMP"
-+    exit "${exit_status}"
-+}
-+
-+trap 'on_exit' EXIT
-+
-+TMP="$(mktemp -d)"
-+
-+port=$(tang_new_random_port)
-+
-+tang_run "${TMP}" "${port}" sig exc
-+
-+thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
-+adv="${TMP}/adv.jws"
-+tang_get_adv "${port}" "${adv}"
-+url="http://localhost:${port}"
-+
-+cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
-+enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
-+dec="$(echo -n "$enc" | clevis decrypt)"
-+test "$dec" == "hi"
-+
-+cfg="$(printf '{"url":"%s","thp":"%s"}' "$url" "$thp")"
-+enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
-+dec="$(echo -n "$enc" | clevis decrypt)"
-+test "$dec" == "hi"
-+
-+tang_stop "${TMP}"
-+
-+! echo "$enc" | clevis decrypt
---- /dev/null
-+++ b/src/pins/tang/tests/tang-common-test-functions.in
-@@ -0,0 +1,188 @@
-+#!/bin/bash -ex
-+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-+#
-+# Copyright (c) 2020 Red Hat, Inc.
-+# Author: Sergio Correia <scorreia@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+SOCAT="@SOCAT@"
-+TANGD_KEYGEN="@TANGD_KEYGEN@"
-+TANGD_UPDATE="@TANGD_UPDATE@"
-+TANGD="@TANGD@"
-+
-+tang_error() {
-+    echo "${1}" >&2
-+    exit 1
-+}
-+
-+tang_skip() {
-+    echo "${1}" >&2
-+    exit 77
-+}
-+
-+tang_sanity_check() {
-+    [ -n "${SOCAT}" ] && [ -n "${TANGD_KEYGEN}" ] && \
-+        [ -n "${TANGD}" ] && return 0
-+    tang_skip "tang is not enabled/supported. Check if you have met all the requirements"
-+}
-+
-+# Creates a tang adv to be used in the tests.
-+tang_create_adv() {
-+    local basedir="${1}"
-+    local adv="${2:-/dev/stdout}"
-+
-+    local SIG="${basedir}/sig.jwk"
-+    jose jwk gen --input='{"alg":"ES512"}' --output="${SIG}"
-+
-+    local EXC="${basedir}/exc.jwk"
-+    jose jwk gen --input='{"alg":"ECMR"}' --output="${EXC}"
-+
-+    local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
-+    jose jwk pub --set --input="${SIG}" --input="${EXC}" \
-+        | jose jws sig --detached=- --signature="${TEMPLATE}" \
-+                       --key="${SIG}" --output="${adv}"
-+}
-+
-+# Get a random port to be used with a test tang server.
-+tang_new_random_port() {
-+    tang_sanity_check
-+    shuf -i 1024-65535 -n 1
-+}
-+
-+# Removes tang rotated keys from the test server.
-+tang_remove_rotated_keys() {
-+    tang_sanity_check
-+    local basedir="${1}"
-+
-+    [ -z "${basedir}" ] && \
-+        tang_error "tang_remove_rotated_keys: please specify 'basedir'"
-+
-+    local db="${basedir}/db"
-+
-+    mkdir -p "${db}"
-+    pushd "${db}"
-+        find . -name ".*.jwk" -exec rm -f {} \;
-+    popd
-+
-+    [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${basedir}/cache"
-+    return 0
-+}
-+
-+# Creates new keys for the test tang server.
-+tang_new_keys() {
-+    tang_sanity_check
-+    local basedir="${1}"
-+    local rotate="${2:-}"
-+    local sig_name="${3:-}"
-+    local exc_name="${4:-}"
-+
-+    [ -z "${basedir}" ] && tang_error "tang_new_keys: please specify 'basedir'"
-+
-+    local db="${basedir}/db"
-+    mkdir -p "${db}"
-+
-+    if [ -n "${rotate}" ]; then
-+        pushd "${db}"
-+            local k
-+            k=$(find . -name "*.jwk" | wc -l)
-+            if [ "${k}" -gt 0 ]; then
-+                for k in *.jwk; do
-+                    mv -f -- "${k}" ".${k}"
-+                done
-+            fi
-+        popd
-+    fi
-+
-+    "${TANGD_KEYGEN}" "${db}" ${sig_name} ${exc_name}
-+    [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${basedir}/cache"
-+
-+    return 0
-+}
-+
-+# Wait for the tang server to be operational.
-+tang_wait_until_ready() {
-+    tang_sanity_check
-+    local port="${1}"
-+
-+    [ -z "${port}" ] && \
-+        tang_error "tang_wait_until_ready: please specify 'port'"
-+
-+    local max_timeout_in_s=5
-+    local start elapsed
-+    start="${SECONDS}"
-+    while ! curl --output /dev/null --silent --fail \
-+                "http://localhost:${port}/adv"; do
-+        elapsed=$((SECONDS - start))
-+        if [ "${elapsed}" -gt "${max_timeout_in_s}" ]; then
-+            tang_error "Timeout (${max_timeout_in_s}s) waiting for tang server"
-+        fi
-+        sleep 0.1
-+        echo -n . >&2
-+    done
-+}
-+
-+# Start a test tang server.
-+tang_run() {
-+    tang_sanity_check
-+    local basedir="${1}"
-+    local port="${2}"
-+    local sig_name="${3:-}"
-+    local exc_name="${4:-}"
-+
-+    [ -z "${basedir}" ] && tang_error "tang_run: please specify 'basedir'"
-+    [ -z "${port}" ] && tang_error "tang_run: please specify 'port'"
-+
-+    if ! tang_new_keys "${basedir}" "" "${sig_name}" "${exc_name}"; then
-+        tang_error "Error creating new keys for tang server"
-+    fi
-+
-+    local KEYS="${basedir}/cache"
-+    [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
-+
-+    local pid pidfile
-+    pidfile="${basedir}/tang.pid"
-+
-+    "${SOCAT}" -v -v TCP-LISTEN:${port},reuseaddr,fork \
-+               exec:"${TANGD} ${KEYS}" &
-+
-+    pid=$!
-+    echo "${pid}" > "${pidfile}"
-+    tang_wait_until_ready "${port}"
-+}
-+
-+# Stop tang server.
-+tang_stop() {
-+    tang_sanity_check
-+    local basedir="${1}"
-+    [ -z "${basedir}" ] && tang_error "tang_stop: please specify 'basedir'"
-+
-+    local pidfile="${basedir}/tang.pid"
-+    [ -f "${pidfile}" ] || return 0
-+
-+    local pid
-+    pid=$(<"${pidfile}")
-+    kill -9 "${pid}" 2>/dev/null || :
-+}
-+
-+# Get tang advertisement.
-+tang_get_adv() {
-+    tang_sanity_check
-+    local port="${1}"
-+    local adv="${2:-/dev/stdout}"
-+
-+    [ -z "${port}" ] && tang_error "tang_get_adv: please specify 'port'"
-+    curl -L -o "${adv}" "http://localhost:${port}/adv"
-+}

+ 0 - 746
debian/patches/cherry-pick/1605845630.v15-3-ga07e753.tests-update-src-luks-tests-to-use-shared-tang-test-functions.patch

@@ -1,746 +0,0 @@
-Subject: Tests: update src/luks/tests to use shared tang test functions
-Origin: v15-3-ga07e753 <https://github.com/latchset/clevis/commit/v15-3-ga07e753>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Fri Nov 20 01:13:50 2020 -0300
-
---- a/src/luks/tests/assume-yes
-+++ b/src/luks/tests/assume-yes
-@@ -33,11 +33,10 @@
- 
- TMP="$(mktemp -d)"
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- cfg=$(printf '{"url":"%s"}' "$url")
- 
- test_tang() {
---- a/src/luks/tests/assume-yes-luks2
-+++ b/src/luks/tests/assume-yes-luks2
-@@ -33,11 +33,10 @@
- 
- TMP="$(mktemp -d)"
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- cfg=$(printf '{"url":"%s"}' "$url")
- 
- # LUKS2.
---- a/src/luks/tests/backup-restore-luks1
-+++ b/src/luks/tests/backup-restore-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/backup-restore-luks2
-+++ b/src/luks/tests/backup-restore-luks2
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/bind-already-used-luksmeta-slot
-+++ b/src/luks/tests/bind-already-used-luksmeta-slot
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/bind-key-file-non-interactive-luks1
-+++ b/src/luks/tests/bind-key-file-non-interactive-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
- KEYFILE="${TMP}/key"
---- a/src/luks/tests/bind-luks1
-+++ b/src/luks/tests/bind-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/bind-luks2
-+++ b/src/luks/tests/bind-luks2
-@@ -35,7 +35,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS2.
---- a/src/luks/tests/bind-pass-with-newline-keyfile-luks1
-+++ b/src/luks/tests/bind-pass-with-newline-keyfile-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/bind-pass-with-newline-luks1
-+++ b/src/luks/tests/bind-pass-with-newline-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/bind-wrong-pass-luks1
-+++ b/src/luks/tests/bind-wrong-pass-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/bind-wrong-pass-luks2
-+++ b/src/luks/tests/bind-wrong-pass-luks2
-@@ -35,7 +35,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS2.
---- a/src/luks/tests/edit-tang-luks1
-+++ b/src/luks/tests/edit-tang-luks1
-@@ -36,11 +36,10 @@
- 
- TMP="$(mktemp -d)"
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- 
- cfg=$(printf '{"url":"%s"}' "${url}")
- 
-@@ -65,11 +64,10 @@
- 
- # Now let's have another tang instance running and change the config to use
- # the new one.
--port2=$(get_random_port)
-+port2=$(tang_new_random_port)
- TMP2="$(mktemp -d)"
--tang_run "${TMP2}" "${port2}" &
--tang_wait_until_ready "${port2}"
--new_url="http://${TANG_HOST}:${port2}"
-+tang_run "${TMP2}" "${port2}"
-+new_url="http://localhost:${port2}"
- new_cfg=$(printf '{"url":"%s"}' "${new_url}")
- 
- if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
---- a/src/luks/tests/edit-tang-luks2
-+++ b/src/luks/tests/edit-tang-luks2
-@@ -36,11 +36,10 @@
- 
- TMP="$(mktemp -d)"
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- 
- cfg=$(printf '{"url":"%s"}' "${url}")
- 
-@@ -65,11 +64,10 @@
- 
- # Now let's have another tang instance running and change the config to use
- # the new one.
--port2=$(get_random_port)
-+port2=$(tang_new_random_port)
- TMP2="$(mktemp -d)"
--tang_run "${TMP2}" "${port2}" &
--tang_wait_until_ready "${port2}"
--new_url="http://${TANG_HOST}:${port2}"
-+tang_run "${TMP2}" "${port2}"
-+new_url="http://localhost:${port2}"
- new_cfg=$(printf '{"url":"%s"}' "${new_url}")
- 
- if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
---- a/src/luks/tests/list-recursive-luks1
-+++ b/src/luks/tests/list-recursive-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- PIN="sss"
- CFG=$(printf '
- {
---- a/src/luks/tests/list-recursive-luks2
-+++ b/src/luks/tests/list-recursive-luks2
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- PIN="sss"
- CFG=$(printf '
- {
---- a/src/luks/tests/list-sss-tang-luks1
-+++ b/src/luks/tests/list-sss-tang-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- PIN="sss"
- CFG=$(printf '
- {
---- a/src/luks/tests/list-sss-tang-luks2
-+++ b/src/luks/tests/list-sss-tang-luks2
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- PIN="sss"
- CFG=$(printf '
- {
---- a/src/luks/tests/list-tang-luks1
-+++ b/src/luks/tests/list-tang-luks1
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- PIN="tang"
- CFG=$(printf '{"url": "ADDR","adv": "%s"}' "${ADV}")
- 
---- a/src/luks/tests/list-tang-luks2
-+++ b/src/luks/tests/list-tang-luks2
-@@ -31,7 +31,7 @@
- TMP="$(mktemp -d)"
- 
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- PIN="tang"
- CFG=$(printf '{"url": "ADDR","adv": "%s"}' "${ADV}")
- 
---- a/src/luks/tests/meson.build
-+++ b/src/luks/tests/meson.build
-@@ -1,39 +1,6 @@
- # We use jq for comparing the pin config in the clevis luks list tests.
- jq = find_program('jq', required: false)
- 
--# We use systemd-socket-activate for running test tang servers.
--actv = find_program(
--  'systemd-socket-activate',
--  'systemd-activate',
--  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-activate'),
--  required: false
--)
--
--kgen = find_program(
--  join_paths(libexecdir, 'tangd-keygen'),
--  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-keygen'),
--  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-keygen'),
--  join_paths('/', 'usr', get_option('libdir'), 'tangd-keygen'),
--  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
--  required: false
--)
--updt = find_program(
--  join_paths(libexecdir, 'tangd-update'),
--  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
--  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
--  join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
--  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
--  required: false
--)
--tang = find_program(
--  join_paths(libexecdir, 'tangd'),
--  join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
--  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd'),
--  join_paths('/', 'usr', get_option('libdir'), 'tangd'),
--  join_paths('/', 'usr', get_option('libexecdir'), 'tangd'),
--  required: false
--)
--
- common_functions = configure_file(input: 'tests-common-functions.in',
-   output: 'tests-common-functions',
-   configuration: luksmeta_data,
-@@ -53,19 +20,11 @@
-   join_paths(meson.build_root(), 'src', 'luks'),
-   join_paths(meson.build_root(), 'src', 'pins', 'sss'),
-   join_paths(meson.build_root(), 'src', 'pins', 'tang'),
-+  join_paths(meson.build_root(), 'src', 'pins', 'tang', 'tests'),
-   join_paths(meson.build_root(), 'src', 'pins', 'tpm2'),
-   separator: ':'
- )
- 
--has_tang = false
--if actv.found() and kgen.found() and updt.found() and tang.found()
--  has_tang = true
--  env.set('SD_ACTIVATE', actv.path())
--  env.set('TANGD_KEYGEN', kgen.path())
--  env.set('TANGD_UPDATE', updt.path())
--  env.set('TANGD', tang.path())
--endif
--
- test('bind-wrong-pass-luks1', find_program('bind-wrong-pass-luks1'), env: env)
- test('bind-luks1', find_program('bind-luks1'), env: env)
- test('unbind-unbound-slot-luks1', find_program('unbind-unbound-slot-luks1'), env: env)
-@@ -85,15 +44,13 @@
-   warning('Will not run "clevis luks list" tests due to missing jq dependency')
- endif
- 
--if has_tang
--  test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
--  test('assume-yes', find_program('assume-yes'), env: env, timeout: 60)
--  test('regen-inplace-luks1', find_program('regen-inplace-luks1'), env: env, timeout: 90)
--  test('regen-not-inplace-luks1', find_program('regen-not-inplace-luks1'), env: env, timeout: 90)
--  test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
--  test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
--  test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
--endif
-+test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
-+test('assume-yes', find_program('assume-yes'), env: env, timeout: 60)
-+test('regen-inplace-luks1', find_program('regen-inplace-luks1'), env: env, timeout: 90)
-+test('regen-not-inplace-luks1', find_program('regen-not-inplace-luks1'), env: env, timeout: 90)
-+test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
-+test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
-+test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
- 
- test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
- 
-@@ -112,15 +69,13 @@
-     test('list-sss-tang-luks2', find_program('list-sss-tang-luks2'), env: env, timeout: 60)
-   endif
- 
--  if has_tang
--    test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
--    test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 90)
--    test('regen-inplace-luks2', find_program('regen-inplace-luks2'), env: env, timeout: 120)
--    test('regen-not-inplace-luks2', find_program('regen-not-inplace-luks2'), env: env, timeout: 120)
--    test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
--    test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
--    test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
--  endif
-+  test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
-+  test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 90)
-+  test('regen-inplace-luks2', find_program('regen-inplace-luks2'), env: env, timeout: 120)
-+  test('regen-not-inplace-luks2', find_program('regen-not-inplace-luks2'), env: env, timeout: 120)
-+  test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
-+  test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
-+  test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
- 
--test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
-+  test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
- endif
---- a/src/luks/tests/regen-inplace-luks1
-+++ b/src/luks/tests/regen-inplace-luks1
-@@ -32,11 +32,10 @@
- 
- TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/regen-inplace-luks2
-+++ b/src/luks/tests/regen-inplace-luks2
-@@ -32,11 +32,10 @@
- 
- TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/regen-not-inplace-luks1
-+++ b/src/luks/tests/regen-not-inplace-luks1
-@@ -32,11 +32,10 @@
- 
- export TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/regen-not-inplace-luks2
-+++ b/src/luks/tests/regen-not-inplace-luks2
-@@ -32,11 +32,10 @@
- 
- export TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/report-sss-luks1
-+++ b/src/luks/tests/report-sss-luks1
-@@ -32,11 +32,10 @@
- 
- TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/report-sss-luks2
-+++ b/src/luks/tests/report-sss-luks2
-@@ -32,11 +32,10 @@
- 
- TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/report-tang-luks1
-+++ b/src/luks/tests/report-tang-luks1
-@@ -32,11 +32,10 @@
- 
- TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/report-tang-luks2
-+++ b/src/luks/tests/report-tang-luks2
-@@ -32,11 +32,10 @@
- 
- TMP=$(mktemp -d)
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/tests-common-functions.in
-+++ b/src/luks/tests/tests-common-functions.in
-@@ -18,6 +18,8 @@
- # along with this program.  If not, see <http://www.gnu.org/licenses/>.
- #
- 
-+. tang-common-test-functions
-+
- error() {
-     echo "${1}" >&2
-     exit 1
-@@ -34,20 +36,6 @@
-     return @OLD_CRYPTSETUP@
- }
- 
--# Creates a tang adv to be used in the test.
--create_tang_adv() {
--    local adv="${1}"
--    local SIG="${TMP}/sig.jwk"
--    jose jwk gen -i '{"alg":"ES512"}' > "${SIG}"
--
--    local EXC="${TMP}/exc.jwk"
--    jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}"
--
--    local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
--    jose jwk pub -s -i "${SIG}" -i "${EXC}" \
--        | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}"
--}
--
- # Creates a new LUKS1 or LUKS2 device to be used.
- new_device() {
-     local LUKS="${1}"
-@@ -236,132 +224,4 @@
-     return 0
- }
- 
--
--# Get a random port to be used with a test tang server.
--get_random_port() {
--    shuf -i 1024-65535 -n 1
--}
--
--# Removes tang rotated keys from the test server.
--tang_remove_rotated_keys() {
--    local basedir="${1}"
--
--    if [ -z "${basedir}" ]; then
--        echo "Please pass a valid base directory for tang"
--        return 1
--    fi
--
--    [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
--
--    local db="${basedir}/db"
--    local cache="${basedir}/cache"
--    mkdir -p "${db}"
--    mkdir -p "${cache}"
--
--    pushd "${db}"
--        find . -name ".*.jwk" -exec rm -f {} \;
--    popd
--
--    "${TANGD_UPDATE}" "${db}" "${cache}"
--    return 0
--}
--
--# Creates new keys for the test tang server.
--tang_new_keys() {
--    local basedir="${1}"
--    local rotate="${2}"
--
--    if [ -z "${basedir}" ]; then
--        echo "Please pass a valid base directory for tang"
--        return 1
--    fi
--
--    [ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
--    [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
--
--    local db="${basedir}/db"
--    local cache="${basedir}/cache"
--    mkdir -p "${db}"
--
--    if [ -n "${rotate}" ]; then
--        pushd "${db}"
--            local k
--            k=$(find . -name "*.jwk" | wc -l)
--            if [ "${k}" -gt 0 ]; then
--                for k in *.jwk; do
--                    mv -f -- "${k}" ".${k}"
--                done
--            fi
--        popd
--    fi
--
--    "${TANGD_KEYGEN}" "${db}"
--    "${TANGD_UPDATE}" "${db}" "${cache}"
--
--    return 0
--}
--
--# Start a test tang server.
--tang_run() {
--    local basedir="${1}"
--    local port="${2}"
--
--    if [ -z "${basedir}" ]; then
--        echo "Please pass a valid base directory for tang" >&2
--        return 1
--    fi
--
--    if [ -z "${port}" ]; then
--        echo "Please pass a valid port for tang" >&2
--        return 1
--    fi
--
--    if ! tang_new_keys "${basedir}"; then
--        echo "Error creating new keys for tang server" >&2
--        return 1
--    fi
--
--    local KEYS="${basedir}/cache"
--    local inetd='--inetd'
--    [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
--
--    local pid pidfile
--    pidfile="${basedir}/tang.pid"
--
--    "${SD_ACTIVATE}" ${inetd} -l "${TANG_HOST}":"${port}" \
--            -a "${TANGD}" "${KEYS}" &
--    pid=$!
--    echo "${pid}" > "${pidfile}"
--}
--
--# Stop tang server.
--tang_stop() {
--    local basedir="${1}"
--    local pidfile="${basedir}/tang.pid"
--    [ -f "${pidfile}" ] || return 0
--
--    local pid
--    pid=$(<"${pidfile}")
--    kill "${pid}"
--}
--
--# Wait for the tang server to be operational.
--tang_wait_until_ready() {
--   local port="${1}"
--   while ! curl --output /dev/null --silent --fail \
--                http://"${TANG_HOST}":"${port}"/adv; do
--       sleep 0.1
--       echo -n . >&2
--   done
--}
--
--# Get tang advertisement.
--tang_get_adv() {
--    local port="${1}"
--    local adv="${2}"
--
--    curl -o "${adv}" http://"${TANG_HOST}":"${port}"/adv
--}
--
--export TANG_HOST=127.0.0.1
- export DEFAULT_PASS='just-some-test-password-here'
---- a/src/luks/tests/unbind-luks1
-+++ b/src/luks/tests/unbind-luks1
-@@ -30,7 +30,7 @@
- 
- TMP="$(mktemp -d)"
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS1.
---- a/src/luks/tests/unbind-luks2
-+++ b/src/luks/tests/unbind-luks2
-@@ -34,7 +34,7 @@
- 
- TMP="$(mktemp -d)"
- ADV="${TMP}/adv.jws"
--create_tang_adv "${ADV}"
-+tang_create_adv "${TMP}" "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- 
- # LUKS2.
---- a/src/luks/tests/unlock-tang-luks1
-+++ b/src/luks/tests/unlock-tang-luks1
-@@ -33,11 +33,10 @@
- 
- TMP="$(mktemp -d)"
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 
---- a/src/luks/tests/unlock-tang-luks2
-+++ b/src/luks/tests/unlock-tang-luks2
-@@ -33,11 +33,10 @@
- 
- TMP="$(mktemp -d)"
- 
--port=$(get_random_port)
--tang_run "${TMP}" "${port}" &
--tang_wait_until_ready "${port}"
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
- 
--url="http://${TANG_HOST}:${port}"
-+url="http://localhost:${port}"
- adv="${TMP}/adv"
- tang_get_adv "${port}" "${adv}"
- 

+ 0 - 245
debian/patches/cherry-pick/1606953228.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch

@@ -1,245 +0,0 @@
-Subject: Systemd: drop ncat dependency
-Origin: v15-5-g9cdd041 <https://github.com/latchset/clevis/commit/v15-5-g9cdd041>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Wed Dec 2 20:53:48 2020 -0300
-
-    When using systemd, i.e., clevis-luks-askpass, we use ncat to send
-    the decrypted password to the systemd socket as per systemd's password
-    agents specification [1].
-
-    However, systemd itself has a utility that does exactly that,
-    systemd-reply-password.
-
-    In this commit we drop the ncat dependency and instead use
-    systemd-reply-password in clevis-luks-askpass.
-
-    [1] https://systemd.io/PASSWORD_AGENTS/
-
-    --
-
-    Extra adjustment needed to build on pre-usrmerge chroots.
-
---- a/INSTALL.md
-+++ b/INSTALL.md
-@@ -22,7 +22,6 @@
- * [tang](https://github.com/latchset/tang)
- * [curl](https://github.com/curl/curl)
- * [tpm2-tools](https://github.com/tpm2-software/tpm2-tools)
--* [ncat](https://nmap.org/ncat/) (for clevis-luks-askpass)
- 
- ### Fedora
- 
---- a/src/luks/systemd/clevis-luks-askpass
-+++ /dev/null
-@@ -1,76 +0,0 @@
--#!/bin/bash
--set -eu
--# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
--#
--# Copyright (c) 2016 Red Hat, Inc.
--# Author: Harald Hoyer <harald@redhat.com>
--# Author: Nathaniel McCallum <npmccallum@redhat.com>
--#
--# This program is free software: you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation, either version 3 of the License, or
--# (at your option) any later version.
--#
--# This program is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License
--# along with this program.  If not, see <http://www.gnu.org/licenses/>.
--#
--
--. clevis-luks-common-functions
--
--# Make sure to exit cleanly if SIGTERM is received.
--trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
--
--loop=
--path=/run/systemd/ask-password
--while getopts ":lp:" o; do
--    case "${o}" in
--    l) loop=true;;
--    p) path="${OPTARG}";;
--    *) ;;
--    esac
--done
--
--while true; do
--    for question in "${path}"/ask.*; do
--        # question will expand to itself, in case no files match, so we verify
--        # whether it actually exists, before proceeding.
--        [ ! -e "${question}" ] && continue
--
--        d=
--        s=
--        while read -r line; do
--            case "$line" in
--                Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
--                Socket=*) s="${line##Socket=}";;
--            esac
--        done < "$question"
--
--        [ -b "${d}" ] || continue
--        [ -S "${s}" ] || continue
--
--        if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
--            continue
--        fi
--
--        uuid="$(cryptsetup luksUUID "${d}")"
--        if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
--            echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
--            continue
--        fi
--
--        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
--    done
--
--    [ "${loop}" != true ] && break
--    # Checking for pending devices to be unlocked.
--    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
--        break;
--    fi
--
--    sleep 0.5
--done
---- /dev/null
-+++ b/src/luks/systemd/clevis-luks-askpass.in
-@@ -0,0 +1,76 @@
-+#!/bin/bash
-+set -eu
-+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-+#
-+# Copyright (c) 2016 Red Hat, Inc.
-+# Author: Harald Hoyer <harald@redhat.com>
-+# Author: Nathaniel McCallum <npmccallum@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+. clevis-luks-common-functions
-+
-+# Make sure to exit cleanly if SIGTERM is received.
-+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
-+
-+loop=
-+path=/run/systemd/ask-password
-+while getopts ":lp:" o; do
-+    case "${o}" in
-+    l) loop=true;;
-+    p) path="${OPTARG}";;
-+    *) ;;
-+    esac
-+done
-+
-+while true; do
-+    for question in "${path}"/ask.*; do
-+        # question will expand to itself, in case no files match, so we verify
-+        # whether it actually exists, before proceeding.
-+        [ ! -e "${question}" ] && continue
-+
-+        d=
-+        s=
-+        while read -r line; do
-+            case "$line" in
-+                Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
-+                Socket=*) s="${line##Socket=}";;
-+            esac
-+        done < "$question"
-+
-+        [ -b "${d}" ] || continue
-+        [ -S "${s}" ] || continue
-+
-+        if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
-+            continue
-+        fi
-+
-+        uuid="$(cryptsetup luksUUID "${d}")"
-+        if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
-+            echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
-+            continue
-+        fi
-+
-+        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
-+    done
-+
-+    [ "${loop}" != true ] && break
-+    # Checking for pending devices to be unlocked.
-+    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
-+        break;
-+    fi
-+
-+    sleep 0.5
-+done
---- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
-+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
-@@ -36,6 +36,7 @@
- 
-     inst_multiple \
-         /etc/services \
-+        @SYSTEMD_REPLY_PASS@ \
-         @libexecdir@/clevis-luks-askpass \
-         clevis-luks-common-functions \
-         grep sed cut \
-@@ -45,8 +46,7 @@
-         luksmeta \
-         clevis \
-         mktemp \
--        jose \
--        ncat
-+        jose
- 
-     dracut_need_initqueue
- }
---- a/src/luks/systemd/meson.build
-+++ b/src/luks/systemd/meson.build
-@@ -1,6 +1,16 @@
- systemd = dependency('systemd', required: false)
- 
--if systemd.found()
-+sd_reply_pass = find_program(
-+  join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
-+  join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
-+  join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
-+  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
-+  join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),
-+  required: false
-+)
-+
-+if systemd.found() and sd_reply_pass.found()
-+  data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
-   subdir('dracut')
- 
-   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
-@@ -12,8 +22,14 @@
-     configuration: data,
-   )
- 
-+  configure_file(
-+    input: 'clevis-luks-askpass.in',
-+    output: 'clevis-luks-askpass',
-+    install_dir: libexecdir,
-+    configuration: data
-+  )
-+
-   install_data('clevis-luks-askpass.path', install_dir: unitdir)
--  install_data('clevis-luks-askpass', install_dir: libexecdir)
- else
-   warning('Will not install systemd support due to missing dependencies!')
- endif

+ 20 - 0
debian/patches/debian/2021-02-10.build-on-non-usrmerge.patch

@@ -0,0 +1,20 @@
+Subject: Adjust build for non-usrmerged systems
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2020-12-29
+Forwarded: not-needed
+Last-Update: 2021-02-10
+
+    Was previously part of
+    cherry-pick/1606953228.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch
+
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -4,7 +4,7 @@
+   join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+   join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+   join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+-  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
++  join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),
+   required: false
+ )
+ 
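Review bot: The new Debian patch swaps upstream's `/usr/lib/systemd` candidate for `/lib/systemd` (the `-`/`+` pair on the `join_paths('/', 'usr', 'lib', ...)` line) rather than adding `/lib/systemd` as an additional fallback, so the one candidate that is independent of `prefix`/`libdir` disappears from the list. Assuming `find_program` returns the first candidate that exists, keeping the `/usr/lib` line and inserting `join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),` after it covers both merged and non-merged layouts and turns the patch into a pure insertion that is less likely to conflict on the next upstream refresh. The resolved path is baked into `clevis-luks-askpass` and the dracut module at build time via `@SYSTEMD_REPLY_PASS@` (visible in the dropped cherry-pick above), so a package built in a non-usrmerged chroot will carry `/lib/systemd/systemd-reply-password`; that presumably still resolves on usrmerged hosts through the `/lib` symlink while the reverse would not, which is worth a sentence in the patch header. The earlier `join_paths(get_option('prefix'), 'lib', ...)` candidate still yields `/usr/lib/systemd/...` for `prefix=/usr`, so the change is not a functional regression on its own.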

+ 2 - 2
debian/patches/for-upstream/2018-10-30.use-asciidoctor-to-build-manpages.patch

@@ -5,7 +5,7 @@ Bug: https://github.com/latchset/tang/issues/32
 
 --- a/meson.build
 +++ b/meson.build
-@@ -39,7 +39,7 @@
+@@ -41,7 +41,7 @@
  
  jansson = dependency('jansson', version: '>=2.10', required: false)
  jose = dependency('jose', version: '>=8')
@@ -14,7 +14,7 @@ Bug: https://github.com/latchset/tang/issues/32
  
  bins = []
  mans = []
-@@ -48,10 +48,10 @@
+@@ -50,10 +50,10 @@
  
  install_data(bins, install_dir: bindir)
  

+ 0 - 16
debian/patches/for-upstream/2020-05-21.embed-tpm-modules-in-initramfs.patch

@@ -1,16 +0,0 @@
-Subject: Embed TPM modules in initramfs
-Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
-Date:  2020-05-21
-Bug: https://github.com/latchset/clevis/issues/194
-
---- a/src/initramfs-tools/hooks/clevis.in
-+++ b/src/initramfs-tools/hooks/clevis.in
-@@ -74,6 +74,8 @@
-             copy_exec "${_LIBRARY}" || die 2 "Unable to copy ${_LIBRARY}"
-         fi
-     done
-+    manual_add_modules tpm_crb
-+    manual_add_modules tpm_tis
- fi
- 
- 

+ 0 - 51
debian/patches/for-upstream/2020-11-22.work-around-missing-dev-fd-links.patch

@@ -1,51 +0,0 @@
-Subject: Work around /dev/fd/<num> no longer being created by systemd
-Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
-Date: 2020-11-22
-Bug: https://github.com/latchset/clevis/issues/262
-Bug-Debian: 
-    https://bugs.debian.org/968518
-    https://bugs.debian.org/979089
-Last-Update: 2021-01-03
-
---- a/src/clevis-decrypt
-+++ b/src/clevis-decrypt
-@@ -46,7 +46,8 @@
-         exit 1
-     fi
- 
--    exec "$cmd" < <(echo -n "$hdr."; /bin/cat)
-+    (echo -n "$hdr."; /bin/cat) | "$cmd"
-+    exit $?
- fi
- 
- exec >&2
---- a/src/luks/clevis-luks-unlock
-+++ b/src/luks/clevis-luks-unlock
-@@ -65,4 +65,4 @@
-     exit 1
- fi
- 
--cryptsetup open -d- "${DEV}" "${NAME}" < <(echo -n "${pt}")
-+echo -n "${pt}" | cryptsetup open -d- "${DEV}" "${NAME}"
---- a/src/pins/tang/clevis-decrypt-tang
-+++ b/src/pins/tang/clevis-decrypt-tang
-@@ -88,4 +88,5 @@
- tmp="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$eph$srv")"
- rep="$(jose jwk pub -i- <<< "$rep")"
- jwk="$(jose jwk exc -l- -r- <<< "$rep$tmp")"
--exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
-+(echo -n "$jwk$hdr."; /bin/cat) | jose jwe dec -k- -i-
-+exit $?
---- a/src/pins/tpm2/clevis-decrypt-tpm2
-+++ b/src/pins/tpm2/clevis-decrypt-tpm2
-@@ -165,8 +165,5 @@
-     exit 1
- fi
- 
--# The on_exit() trap will not be fired after exec, so let's clean up the temp
--# directory at this point.
--[ -d "${TMP}" ] && rm -rf "${TMP}"
--
--exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
-+(echo -n "$jwk$hdr."; /bin/cat) | jose jwe dec -k- -i-
-+exit $?

+ 1 - 6
debian/patches/series

@@ -1,14 +1,9 @@
 # cherry-picked commits. Keep in upstream's chronological order
-cherry-pick/1605094998.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch
-cherry-pick/1605797689.v15-2-g3dedc5d.tests-move-tang-tests-to-src-pins-tang.patch
-cherry-pick/1605845630.v15-3-ga07e753.tests-update-src-luks-tests-to-use-shared-tang-test-functions.patch
-cherry-pick/1606953228.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch
 
 # patches for upstream
 for-upstream/2018-10-30.use-asciidoctor-to-build-manpages.patch
-for-upstream/2020-05-21.embed-tpm-modules-in-initramfs.patch
 for-upstream/2020-05-21.embed-more-programs-in-initram.patch
-for-upstream/2020-11-22.work-around-missing-dev-fd-links.patch
 
 # patches for Debian
 debian/2020-05-21.set-unprivileged-user.patch
+debian/2021-02-10.build-on-non-usrmerge.patch