
Refresh patch queue

Christoph Biedl 1 year ago
parent
commit
8ceadeb5b9

+ 0 - 39
debian/patches/cherry-pick/1620092196.v18-2-gee1dfed.sss-use-bn-set-word-x-0-instead-of-bn-zero.patch

@@ -1,39 +0,0 @@
-Subject: Sss: use BN_set_word(x, 0) instead of BN_zero()
-Origin: v18-2-gee1dfed <https://github.com/latchset/clevis/commit/v18-2-gee1dfed>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Mon May 3 22:36:36 2021 -0300
-
-    Different OpenSSL versions define BN_zero() differently -- sometimes
-    returning an integer, sometimes as void --, so let's use instead
-    BN_set_word() instead, not to have issues when building with these
-    different versions.
-
---- a/src/pins/sss/sss.c
-+++ b/src/pins/sss/sss.c
-@@ -214,7 +214,7 @@
-     if (BN_rand_range(xx, pp) <= 0)
-         return NULL;
- 
--    if (BN_zero(yy) <= 0)
-+    if (BN_set_word(yy, 0) <= 0)
-         return NULL;
- 
-     for (size_t i = 0; i < json_array_size(e); i++) {
-@@ -272,7 +272,7 @@
-     if (!ctx || !pp || !acc || !tmp || !k)
-         return NULL;
- 
--    if (BN_zero(k) <= 0)
-+    if (BN_set_word(k, 0) <= 0)
-         return NULL;
- 
-     len = jose_b64_dec(p, NULL, 0);
-@@ -303,7 +303,7 @@
- 
-             /* acc *= (0 - xi) / (xo - xi) */
- 
--            if (BN_zero(tmp) <= 0)
-+            if (BN_set_word(tmp, 0) <= 0)
-                 return NULL;
- 
-             if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)

+ 0 - 52
debian/patches/cherry-pick/1623378825.v18-3-g4600bd6.do-not-kill-non-clevis-slots-315.patch

@@ -1,52 +0,0 @@
-Subject: Do not kill non clevis slots (#315)
-Origin: v18-3-g4600bd6 <https://github.com/latchset/clevis/commit/v18-3-g4600bd6>
-Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
-Date: Fri Jun 11 04:33:45 2021 +0200
-
-    When using clevis-luks-unbind against a slot
-    that has no clevis token assigned, removing the slot
-    must be avoided. Fixes #183
-
-    Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
-
---- a/src/luks/clevis-luks-unbind.in
-+++ b/src/luks/clevis-luks-unbind.in
-@@ -106,6 +106,10 @@
-     grep -q "^\s*$SLT: luks2" <<< "$dump" && KILL=true
-     TOK="$(grep -E -B1 "^\s+Keyslot:\s+$SLT$" <<< "$dump" \
-         | sed -rn 's|^\s+([0-9]+): clevis|\1|p')"
-+    if [ -z "${TOK}" ]; then
-+        echo "No clevis slot detected on device ${DEV}:${SLT}!" >&2
-+        exit 1
-+    fi
- fi
- 
- if [ -z "${FRC[*]}" ]; then
---- a/src/luks/tests/unbind-luks2
-+++ b/src/luks/tests/unbind-luks2
-@@ -42,10 +42,23 @@
- new_device "luks2" "${DEV}"
- # Binding.
- if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
--    error "${TEST}: Binding is expected to succeed." >&2
-+    error "${TEST}: Binding is expected to succeed."
- fi
- 
- SLT=1
- if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
--    error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
-+    error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}"
-+fi
-+
-+SLT=0
-+if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
-+   error "${TEST}: Unable to open device ${DEV}:${SLT}"
-+fi
-+
-+if clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
-+   error "${TEST}: Unbind is expected to fail for device ${DEV}:${SLT} that is not bound with clevis"
-+fi
-+
-+if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
-+  error "${TEST}: Unbind is expected not to remove non clevis slots"
- fi

+ 0 - 95
debian/patches/cherry-pick/1623754283.v18-5-gd8a25e3.avoid-luksmeta-corruption-on-clevis-bind-319.patch

@@ -1,95 +0,0 @@
-Subject: Avoid luksmeta corruption on clevis bind (#319)
-Origin: v18-5-gd8a25e3 <https://github.com/latchset/clevis/commit/v18-5-gd8a25e3>
-Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
-Date: Tue Jun 15 12:51:23 2021 +0200
-
-    When using long key information to be stored in luks metadata,
-    luksmeta save is not reporting the corruption of LUKs meta.
-    This change detects if issue occurs after luksmeta metadata save
-    and, in that case, restores the device. Fixes #181
-
-    Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
-
---- a/src/luks/clevis-luks-common-functions.in
-+++ b/src/luks/clevis-luks-common-functions.in
-@@ -448,6 +448,12 @@
-         echo "Error saving metadata to LUKSMeta slot ${SLOT} from ${DEV}" >&2
-         return 1
-     fi
-+
-+    if ! luksmeta test -d "${DEV}" 2>/dev/null >/dev/null ; then
-+        echo "Error detected after saving metadata to LUKSMeta slot ${SLOT}, device ${DEV}" >&2
-+        return 1
-+    fi
-+
-     return 0
- }
- 
---- /dev/null
-+++ b/src/luks/tests/bind-luks1-avoid-luksmeta-corruption
-@@ -0,0 +1,55 @@
-+#!/bin/bash -ex
-+#
-+# Copyright (c) 2021 Red Hat, Inc.
-+# Author: Sergio Arroutbi Braojos <sarroutb@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+TEST=$(basename "${0}")
-+. tests-common-functions
-+
-+on_exit() {
-+    [ ! -d "${TMP}" ] && return 0
-+    tang_stop "${TMP}"
-+    rm -rf "${TMP}"
-+}
-+
-+trap 'on_exit' EXIT
-+
-+TMP="$(mktemp -d)"
-+
-+ADV_AMOUNT=50
-+
-+# Create LUKS1 device
-+DEV="${TMP}/luks1-device"
-+new_device "luks1" "${DEV}"
-+
-+# TANG server specifics
-+port=$(tang_new_random_port)
-+tang_run "${TMP}" "${port}"
-+url="http://localhost:${port}"
-+
-+# Initial binding to ensure luksmeta gets corrupted
-+for ADV_NU in $(seq 0 ${ADV_AMOUNT}); do
-+    "${TANGD_KEYGEN}" "${TMP}/db"
-+done
-+tang_new_keys "${TMP}"
-+
-+CFG=$(printf '{"url":"%s"}' "${url}")
-+
-+# At this point, luks bind must return an error. If not, test fails
-+if clevis luks bind -y -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
-+    error "${TEST}: Binding is expected to fail when given a too long adv"
-+fi
---- a/src/luks/tests/meson.build
-+++ b/src/luks/tests/meson.build
-@@ -59,6 +59,7 @@
- 
- test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
- test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
-+test('bind-luks1-avoid-luksmeta-corruption', find_program('bind-luks1-avoid-luksmeta-corruption'), env: env, timeout: 60)
- 
- # LUKS2 tests go here, and they get included if we get support for it, based
- # on the cryptsetup version.

+ 0 - 37
debian/patches/cherry-pick/1640668269.v18-17-gad61841.use-command-v-instead-of-which.patch

@@ -1,37 +0,0 @@
-Subject: Use `command -v` instead of `which`
-Origin: v18-17-gad61841 <https://github.com/latchset/clevis/commit/v18-17-gad61841>
-Upstream-Author: Rohan Jain <crodjer@pm.me>
-Date: Tue Dec 28 10:41:09 2021 +0530
-
-    On debian `/usr/bin/which` results in deprecated messages, recommending
-    `command -v` instead.
-
-    They look like:
-
-    ```
-    at 10:35:36 ❯ sudo update-initramfs -u -k 'all'
-    update-initramfs: Generating /boot/initrd.img-5.15.0-2-amd64
-    I: The initramfs will attempt to resume from /dev/dm-2
-    I: (/dev/mapper/sys-swap)
-    I: Set the RESUME variable to override this.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.
-    ```
-
---- a/src/initramfs-tools/hooks/clevis.in
-+++ b/src/initramfs-tools/hooks/clevis.in
-@@ -42,7 +42,7 @@
- 
- find_binary() {
-     bin_name="$1"
--    resolved=$(which ${bin_name})
-+    resolved=$(command -v ${bin_name})
-     [ -z "$resolved" ] && die 1 "Unable to find ${bin_name}"
-     echo "$resolved"
- }

+ 1 - 1
debian/patches/for-upstream/2020-05-21.embed-more-programs-in-initram.patch

@@ -6,7 +6,7 @@ Last-Update: 2020-11-22
 
 --- a/src/initramfs-tools/hooks/clevis.in
 +++ b/src/initramfs-tools/hooks/clevis.in
-@@ -61,6 +61,7 @@
+@@ -62,6 +62,7 @@
  copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
  copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
  copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
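Review bot: The DEP-3 `Last-Update: 2020-11-22` field visible in the hunk's context line is left stale even though this for-upstream patch was just refreshed (the hunk offset moved from `@@ -61,6 +61,7 @@` to `@@ -62,6 +62,7 @@`), so the header no longer tells a packager when the patch was last touched; bump it to the refresh date, e.g. `Last-Update: <date of this refresh>`. The one-line offset shift implies the new upstream base of `src/initramfs-tools/hooks/clevis.in` differs from the one the patch was written against, and since the same commit drops the cherry-picks that edited this very hook (the `which` → `command -v` change), it would be worth stating in the patch header or the commit message which upstream version the queue was refreshed against so that a reviewer can confirm the dropped fixes are indeed included there — this cannot be verified from the diff alone. The inner hunk of the patched patch continues past the end of this hunk.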

+ 0 - 4
debian/patches/series

@@ -1,8 +1,4 @@
 # cherry-picked commits. Keep in upstream's chronological order
-cherry-pick/1620092196.v18-2-gee1dfed.sss-use-bn-set-word-x-0-instead-of-bn-zero.patch
-cherry-pick/1623378825.v18-3-g4600bd6.do-not-kill-non-clevis-slots-315.patch
-cherry-pick/1623754283.v18-5-gd8a25e3.avoid-luksmeta-corruption-on-clevis-bind-319.patch
-cherry-pick/1640668269.v18-17-gad61841.use-command-v-instead-of-which.patch
 
 # patches for upstream
 for-upstream/2018-10-30.use-asciidoctor-to-build-manpages.patch