diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..544a09a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tang-10.tar.xz
diff --git a/.tang.metadata b/.tang.metadata
new file mode 100644
index 0000000..bcbfe7e
--- /dev/null
+++ b/.tang.metadata
@@ -0,0 +1 @@
+18251b04c3fc9f67279b0001983ab564563e7cb3 SOURCES/tang-10.tar.xz
diff --git a/SOURCES/0001-Fix-issues-reported-by-shellcheck.patch b/SOURCES/0001-Fix-issues-reported-by-shellcheck.patch
new file mode 100644
index 0000000..3051c70
--- /dev/null
+++ b/SOURCES/0001-Fix-issues-reported-by-shellcheck.patch
@@ -0,0 +1,155 @@
+From 0b0b1ef7244433cde737cd65d07930efd9667ed1 Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Thu, 20 May 2021 10:21:21 -0300
+Subject: [PATCH 1/2] Fix issues reported by shellcheck
+
+Additionally, improve testing of these scripts.
+---
+ src/tang-show-keys | 5 ++---
+ src/tangd-keygen | 17 ++++++++++-------
+ src/tangd-rotate-keys | 6 +++---
+ tests/adv | 20 ++++++++++++++++++++
+ tests/helpers | 15 +++++++++++++++
+ 5 files changed, 50 insertions(+), 13 deletions(-)
+
+diff --git a/src/tang-show-keys b/src/tang-show-keys
+index 689e4df..0c33c3a 100755
+--- a/src/tang-show-keys
++++ b/src/tang-show-keys
+@@ -27,10 +27,9 @@ fi
+ 
+ port=${1-80}
+ 
+-adv=$(curl -sSf localhost:$port/adv)
++adv=$(curl -sSf "localhost:$port/adv")
+ 
+ THP_DEFAULT_HASH=S256 # SHA-256.
+-echo $adv \
+- | jose fmt -j- -g payload -y -o- \
++jose fmt --json "${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${THP_DEFAULT_HASH}"
+diff --git a/src/tangd-keygen b/src/tangd-keygen
+index 7a9adaf..f37121f 100755
+--- a/src/tangd-keygen
++++ b/src/tangd-keygen
+@@ -18,20 +18,23 @@
+ # along with this program. If not, see .
+ #
+ 
+-trap 'exit' ERR
++set -e
+ 
+-if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
++usage() {
+ echo "Usage: $0 [ ]" >&2
+ exit 1
+-fi
++}
++
++[ $# -ne 1 ] && [ $# -ne 3 ] && usage
++[ -d "$1" ] || usage
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
+ THP_DEFAULT_HASH=S256 # SHA-256.
+-jwe=`jose jwk gen -i '{"alg":"ES512"}'`
++jwe=$(jose jwk gen -i '{"alg":"ES512"}')
+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+-echo "$jwe" > $1/$sig.jwk
++echo "$jwe" > "$1/$sig.jwk"
+ 
+-jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
++jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
+ [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+-echo "$jwe" > $1/$exc.jwk
++echo "$jwe" > "$1/$exc.jwk"
+diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys
+index 9d38bb5..a095a91 100755
+--- a/src/tangd-rotate-keys
++++ b/src/tangd-rotate-keys
+@@ -21,7 +21,7 @@
+ SUMMARY="Perform rotation of tang keys"
+ 
+ usage() {
+- local _ret="${1:-1}"
++ _ret="${1:-1}"
+ exec >&2
+ echo "Usage: ${0} [-h] [-v] -d "
+ echo
+@@ -37,8 +37,8 @@ usage() {
+ }
+ 
+ log() {
+- local _msg="${1}"
+- local _verbose="${2:-}"
++ _msg="${1}"
++ _verbose="${2:-}"
+ [ -z "${_verbose}" ] && return 0
+ echo "${_msg}" >&2
+ }
+diff --git a/tests/adv b/tests/adv
+index 490d4d1..4c8bc97 100755
+--- a/tests/adv
++++ b/tests/adv
+@@ -93,6 +93,9 @@ fetch /adv
+ # Lets's now test with multiple pairs of keys.
+ for i in 1 2 3 4 5 6 7 8 9; do
+ tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
++ # Make sure the requested keys exist and are valid.
++ validate_sig "${TMP}/db/other-sig-${i}.jwk"
++ validate_exc "${TMP}/db/other-exc-${i}.jwk"
+ done
+ 
+ # Verify the advertisement is correct.
+@@ -104,3 +107,20 @@ for jwk in "${TMP}"/db/other-sig-*.jwk; do
+ fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
+ done
+ done
++
++# Now let's test keys rotation.
++tangd-rotate-keys -d "${TMP}/db"
++for i in 1 2 3 4 5 6 7 8 9; do
++ # Make sure keys were excluded from advertisement.
++ validate_sig "${TMP}/db/.other-sig-${i}.jwk"
++ validate_exc "${TMP}/db/.other-exc-${i}.jwk"
++done
++
++# And test also that we have valid keys after rotation.
++thp=
++for jwk in "${TMP}"/db/*.jwk; do
++ validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
++ -i "${jwk}")"
++done
++[ -z "${thp}" ] && die "There should be valid keys after rotation"
++test "$(tang-show-keys $PORT)" = "${thp}"
+diff --git a/tests/helpers b/tests/helpers
+index af122ab..7ce54d7 100755
+--- a/tests/helpers
++++ b/tests/helpers
+@@ -56,7 +56,22 @@ validate() {
+ fi
+ }
+ 
++validate_sig() {
++ jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
++ --use verify 2>/dev/null
++}
++
++validate_exc() {
++ jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
++ --use deriveKey 2>/dev/null
++}
++
+ sanity_check() {
+ # Skip test if socat is not available.
+ [ -n "${SOCAT}" ] || exit 77
+ }
++
++die() {
++ echo "${1}" >&2
++ exit 1
++}
+-- 
+2.31.1
+
diff --git a/SOURCES/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch b/SOURCES/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch
new file mode 100644
index 0000000..5ef0463
--- /dev/null
+++ b/SOURCES/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch
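Review bot: The last added line of the tests/adv hunk, `test "$(tang-show-keys $PORT)" = "${thp}"`, leaves `$PORT` unquoted, which is exactly the class of shellcheck warning this commit sets out to clear; `test "$(tang-show-keys "${PORT}")" = "${thp}"` keeps the comparison identical and quiets the checker. The same loop reads `${THP_DEFAULT_HASH}`, but nothing in this hunk defines it inside tests/adv; if it is not set elsewhere in that script or in tests/helpers, `jose jwk thp -a ""` would fail for every key and the `die` on the following line would report a misleading cause, so it is worth confirming where the value comes from. In tangd-keygen, `usage` is now reached through `&& usage` / `|| usage` under `set -e`, which behaves correctly here, but a one-line comment above `[ $# -ne 1 ] && [ $# -ne 3 ] && usage` such as `# usage() exits, so these two lines are the argument check` would save the next reader from re-deriving it. Both enclosing scripts continue outside the hunk.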
@@ -0,0 +1,29 @@
+From af3b3835bcdb7e2d7a4f14e077fecb5e472f11ba Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Thu, 20 May 2021 10:31:25 -0300
+Subject: [PATCH 2/2] Fix possible NULL pointer dereference in find_by_thp()
+
+jwk_thumbprint() might return NULL, so let's make sure we handle that
+case.
+
+Issue pointed out by gcc static analyzer.
+---
+ src/keys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/keys.c b/src/keys.c
+index 5a8c1ac..55d0cff 100644
+--- a/src/keys.c
++++ b/src/keys.c
+@@ -263,7 +263,7 @@ find_by_thp(struct tang_keys_info* tki, const char* target)
+ json_array_foreach(keys, idx, jwk) {
+ for (int i = 0; hashes[i]; i++) {
+ __attribute__ ((__cleanup__(cleanup_str))) char* thumbprint = jwk_thumbprint(jwk, hashes[i]);
+- if (strcmp(thumbprint, target) != 0) {
++ if (!thumbprint || strcmp(thumbprint, target) != 0) {
+ continue;
+ }
+ 
+-- 
+2.31.1
+
diff --git a/SPECS/tang.spec b/SPECS/tang.spec
new file mode 100644
index 0000000..eb8cd3e
--- /dev/null
+++ b/SPECS/tang.spec
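Review bot: The new `!thumbprint` guard folds a failure inside `jwk_thumbprint()` (the commit message says it can return NULL) into the same `continue` as an ordinary mismatch, so a transient failure while hashing a key is now indistinguishable from "no key with that thumbprint" to the caller; if callers report that as a missing key, that is a silent degradation that deserves at least a comment on the changed line, e.g. `/* NULL means jwk_thumbprint() failed, not a mismatch; treated as no match */`. The `continue` on that path also runs `cleanup_str` on a NULL `thumbprint`, which is harmless if the cleanup is a plain `free()` wrapper but worth confirming since its body is not in the hunk. find_by_thp() starts and ends outside the hunk.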
@@ -0,0 +1,183 @@
+Name: tang
+Version: 10
+Release: 4%{?dist}
+Summary: Network Presence Binding Daemon
+
+License: GPLv3+
+URL: https://github.com/latchset/%{name}
+Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+
+Patch0001: 0001-Fix-issues-reported-by-shellcheck.patch
+Patch0002: 0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch
+
+BuildRequires: gcc
+BuildRequires: meson
+BuildRequires: git-core
+BuildRequires: jose >= 8
+BuildRequires: libjose-devel >= 8
+BuildRequires: libjose-zlib-devel >= 8
+BuildRequires: libjose-openssl-devel >= 8
+
+BuildRequires: http-parser-devel >= 2.7.1-3
+BuildRequires: systemd-devel
+BuildRequires: pkgconfig
+
+BuildRequires: systemd
+BuildRequires: curl
+
+BuildRequires: asciidoc
+BuildRequires: coreutils
+BuildRequires: grep
+BuildRequires: socat
+BuildRequires: sed
+
+%{?systemd_requires}
+Requires: coreutils
+Requires: jose >= 8
+Requires: grep
+Requires: sed
+
+Requires(pre): shadow-utils
+
+%description
+Tang is a small daemon for binding data to the presence of a third party.
+
+%prep
+%autosetup -S git
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
+
+%check
+%meson_test
+
+%pre
+getent group %{name} >/dev/null || groupadd -r %{name}
+getent passwd %{name} >/dev/null || \
+ useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
+ -c "Tang Network Presence Daemon user" %{name}
+exit 0
+
+%post
+%systemd_post %{name}d.socket
+
+%preun
+%systemd_preun %{name}d.socket
+
+%postun
+%systemd_postun_with_restart %{name}d.socket
+
+%files
+%license COPYING
+%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
+%{_unitdir}/%{name}d@.service
+%{_unitdir}/%{name}d.socket
+%{_libexecdir}/%{name}d-keygen
+%{_libexecdir}/%{name}d-rotate-keys
+%{_libexecdir}/%{name}d
+%{_mandir}/man8/tang.8*
+%{_bindir}/%{name}-show-keys
+%{_mandir}/man1/tang-show-keys.1*
+
+%changelog
+* Tue Aug 10 2021 Mohan Boddu - 10-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Tue Jun 22 2021 Mohan Boddu - 10-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Thu May 20 2021 Sergio Correia - 10-2
+- Fix issues reported by static analyzer checks
+ Resolves: rhbz#1956765
+
+* Wed May 05 2021 Sergio Correia - 10-1
+- New upstream release - v10.
+ Resolves: rhbz#1956765
+
+* Fri Apr 16 2021 Mohan Boddu - 8-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Feb 09 2021 Sergio Correia - 8-2
+- Remove extra patches as they are already included in v8 release
+
+* Mon Feb 08 2021 Sergio Correia - 8-1
+- New upstream release - v8.
+
+* Wed Jan 27 2021 Fedora Release Engineering - 7-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 1 2020 Sergio Correia - 7.8
+- Move build system to meson
+ Upstream commits (fed9020, 590de27)
+- Move key handling to tang itself
+ Upstream commits (6090505, c71df1d, 7119454)
+
+* Wed Jul 29 2020 Fedora Release Engineering - 7-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Apr 15 2020 Igor Raits - 7-6
+- Rebuild for http-parser 2.9.4
+
+* Tue Feb 25 2020 Sergio Correia - 7-5
+- Rebuilt after http-parser update
+
+* Fri Jan 31 2020 Fedora Release Engineering - 7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering - 7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Aug 10 2018 Nathaniel McCallum - 7-1
+- New upstream release
+- Retire tang-nagios package (now separate upstream)
+
+* Sat Jul 14 2018 Fedora Release Engineering - 6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering - 6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering - 6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 14 2017 Nathaniel McCallum - 6-1
+- New upstream release
+
+* Wed Jun 14 2017 Nathaniel McCallum - 5-2
+- Fix incorrect dependencies
+
+* Wed Jun 14 2017 Nathaniel McCallum - 5-1
+- New upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 14 2016 Nathaniel McCallum - 4-2
+- Fix a race condition in one of 
the tests
+
+* Thu Nov 10 2016 Nathaniel McCallum - 4-1
+- New upstream release
+- Add nagios subpackage
+
+* Wed Oct 26 2016 Nathaniel McCallum - 3-1
+- New upstream release
+
+* Wed Oct 19 2016 Nathaniel McCallum - 2-1
+- New upstream release
+
+* Tue Aug 23 2016 Nathaniel McCallum - 1-1
+- First release
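Review bot: In `%pre`, the service account is created with `-d %{_localstatedir}/cache/%{name}`, but the only directory the package owns is `%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}` in `%files`, so the account's home directory is never created or tracked by the package; either point `-d` at the db directory the package already ships or list the cache directory in `%files` with the same restrictive attributes. In `%install`, `echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service` edits the unit file with a shell append rather than a patch, which is hard to spot in review and leaves no record of why the daemon is dropped to that account; a comment on the line, e.g. `# run tangd as the unprivileged %{name} account`, would document the intent until it can be carried as a proper patch. The trailing `exit 0` in `%pre` also means a failed `useradd` does not stop the install, which is the usual Fedora pattern but worth a comment next to that line.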