Accepting request 932540 from home:aplanas:branches:security

- Update to version 0.1.0+git.1637095429.d5a3191:
  * Run Fedora tests on unified Keylime test container
  * ima_emulator: Print error message when TCTI envvar is not set
  * Add keylime_ima_emulator executable for testing
  * Fix 0mq problem
  * ci: Check unit test coverage with cargo tarpaulin (#216)
  * config: merge with Python keylime.conf and remove unused entries
  * Add support for contact ip and port
  * common: move get env or from config into sperate function
  * keys_handler: Add unit tests
  * quotes_handler: Add unit tests (#265)
  * Fix bugs that occur after a delete and re-add from the tenant
  * Retain the main loop running after payload execution (#249)
  * keys_handler: verify HMAC in constant-time (#248)
  * build: Adjust package dependencies to compile in Fedora (#245)
  * Generate Cargo.lock file
  * Add Ueno as a maintainer and set codeowners
  * Fix clippy errors, update to newest TSS-ESAPI
- Drop generate-cargo-lock-file.patch (already in upstream)

OBS-URL: https://build.opensuse.org/request/show/932540
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">890e8c9e226ffb9fe3b34571ed11901661437fc0</param></service></servicedata>
+              <param name="changesrevision">d5a31912eb9f69ea1c8fed59811089ff7c4ccebf</param></service></servicedata>

keylime.conf.diff

@@ -1,74 +1,44 @@
-Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
+diff --git a/keylime.conf b/keylime.conf
-===================================================================
+index 005c0af..fb9b737 100644
---- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
+--- a/keylime.conf
-+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
++++ b/keylime.conf
-@@ -11,7 +11,8 @@ tls_check_hostnames = False
+@@ -4,7 +4,8 @@
- # Valid options are 'cfssl' or 'openssl'  For cfssl to work, you must have the
- # go binary installed in your path or in /usr/local/
- # Revocation list generation is only supported by cfssl
--ca_implementation = openssl
-+# ca_implementation = openssl
-+ca_implementation = cfssl
  
+ # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
+ # revocation events from the verifier.
+-receive_revocation_ip = 127.0.0.1
++# receive_revocation_ip = 127.0.0.1
++receive_revocation_ip = <REMOTE_IP>
+ receive_revocation_port = 8992
+ 
+ 
+@@ -13,7 +14,8 @@ receive_revocation_port = 8992
  #=============================================================================
- [cloud_agent]
-@@ -19,7 +20,8 @@ ca_implementation = openssl
  
- # The Agent's IP address and port used to communicate with other services
+ # The binding address and port for the agent server
- # as well as a bind address for the agent server.
 -cloudagent_ip = 127.0.0.1
 +# cloudagent_ip = 127.0.0.1
 +cloudagent_ip = 0.0.0.0
  cloudagent_port = 9002
  
- # What is the name of the rsa key that keylime should use for protecting
+ # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -54,7 +56,8 @@ extract_payload_zip = True
+@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
- # If you set this to 'generate', keylime will create a random uuid
+ agent_contact_port = 9002
- # If you set this to 'hash_ek', keylime will set the UUID to the result
- # of SHA256(public EK in PEM format)
--agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
-+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
-+agent_uuid = hash_ek
  
- # Whether to listen for revocation notifications from the verifier
+ # The address and port of registrar server which agent communicate with
- listen_notfications = True
-@@ -115,7 +118,8 @@ ek_handle = generate
- 
- # The cloud verifier IP address and port used to communicate with other services
- # as well as a bind address for the verifier server.
--cloudverifier_ip = 127.0.0.1
-+# cloudverifier_ip = 127.0.0.1
-+cloudverifier_ip = 0.0.0.0
- cloudverifier_port = 8881
- 
- # Cloud Verifier TLS options.  This is for authenticating the CV itself,
-@@ -204,7 +208,8 @@ revocation_notifier = True
- # The revocation notifier IP address and port used to start the revocation service.
- # If the revocation_notifier is true, then the verifier automatically
- # starts revocation service.
--revocation_notifier_ip = 127.0.0.1
-+# revocation_notifier_ip = 127.0.0.1
-+revocation_notifier_ip = 0.0.0.0
- revocation_notifier_port = 8992
- 
- # The verifier limits the size of upload payloads (whitelists) which defaults to
-@@ -330,7 +335,8 @@ max_retries = 10
- # might provide a signed list of EK public key hashes.  Then you could write
- # an ek_check_script that checks the signature of the whitelist and then
- # compares the hash of the given EK with the whistlist
--require_ek_cert = True
-+# require_ek_cert = True
-+require_ek_cert = False
- 
- # Optional script to execute to check the EK and/or EK certificate against a
- # whitelist or any other additional EK processing you want to do. Runs in
-@@ -356,7 +362,8 @@ ek_check_script=
- 
- # The registrar's IP address and port used to communicate with other
- # services as well as a bind address for the registrar server.
 -registrar_ip = 127.0.0.1
 +# registrar_ip = 127.0.0.1
-+registrar_ip = 0.0.0.0
++registrar_ip = <REMOTE_IP>
  registrar_port = 8890
- registrar_tls_port = 8891
  
+ # The name of the RSA key that Keylime should use for protecting shares of U/V.
+@@ -62,7 +65,8 @@ extract_payload_zip = True
+ # 'dmidecode -s system-uuid'.
+ # If you set this to "hostname", Keylime will use the full qualified domain
+ # name of current host as the agent id.
+-agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
++# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
++agent_uuid = hostname
+ 
+ # Whether to listen for revocation notifications from the verifier or not.
+ listen_notfications = True

rust-keylime-0.1.0+git.1629114992.890e8c9.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:924fff46b0ae17ec2d8b164d1d2b878524dc50fd1fc0f49153b86dc14c7b9dec
-size 39740

rust-keylime-0.1.0+git.1637095429.d5a3191.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ff2e8753fdaf96f5d558f10e664f13208c88389fdd36a86a5cdd5a95ef53495
+size 99716

rust-keylime.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com
+
+- Update to version 0.1.0+git.1637095429.d5a3191:
+  * Run Fedora tests on unified Keylime test container
+  * ima_emulator: Print error message when TCTI envvar is not set
+  * Add keylime_ima_emulator executable for testing
+  * Fix 0mq problem
+  * ci: Check unit test coverage with cargo tarpaulin (#216)
+  * config: merge with Python keylime.conf and remove unused entries
+  * Add support for contact ip and port
+  * common: move get env or from config into sperate function
+  * keys_handler: Add unit tests
+  * quotes_handler: Add unit tests (#265)
+  * Fix bugs that occur after a delete and re-add from the tenant
+  * Retain the main loop running after payload execution (#249)
+  * keys_handler: verify HMAC in constant-time (#248)
+  * build: Adjust package dependencies to compile in Fedora (#245)
+  * Generate Cargo.lock file
+  * Add Ueno as a maintainer and set codeowners
+  * Fix clippy errors, update to newest TSS-ESAPI
+- Drop generate-cargo-lock-file.patch (already in upstream)
+
 -------------------------------------------------------------------
 Mon Aug 16 14:23:13 UTC 2021 - aplanas@suse.com
 

rust-keylime.spec

@@ -18,7 +18,7 @@
 
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           rust-keylime
-Version:        0.1.0+git.1629114992.890e8c9
+Version:        0.1.0+git.1637095429.d5a3191
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@@ -30,8 +30,6 @@ Source3:        keylime_agent.service
 Source4:        keylime.xml
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1:         keylime.conf.diff
-# PATCH-FIX-UPSTREAM generate-cargo-lock-file.patch gh#keylime/rust-keylime!244
-Patch2:         generate-cargo-lock-file.patch
 BuildRequires:  cargo
 BuildRequires:  firewall-macros
 BuildRequires:  libarchive-devel
@@ -63,6 +61,9 @@ install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keyli
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
 
+# We do not need the IMA emulator until tests
+rm %{buildroot}%{_bindir}/keylime_ima_emulator
+
 %pre
 %service_add_pre keylime_agent.service
 

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b23bdccc1fadfd5e6f066c9abb4b2938f087d5431d56a13026773dfe9aff89cc
+oid sha256:5aec49064dfd5872ddac53168ddf2a1956b122eb6a687e67bed81b9e2168f9d7
-size 15782704
+size 15777356