Accepting request 932540 from home:aplanas:branches:security

- Update to version 0.1.0+git.1637095429.d5a3191: * Run Fedora tests on unified Keylime test container * ima_emulator: Print error message when TCTI envvar is not set * Add keylime_ima_emulator executable for testing * Fix 0mq problem * ci: Check unit test coverage with cargo tarpaulin (#216) * config: merge with Python keylime.conf and remove unused entries * Add support for contact ip and port * common: move get env or from config into sperate function * keys_handler: Add unit tests * quotes_handler: Add unit tests (#265) * Fix bugs that occur after a delete and re-add from the tenant * Retain the main loop running after payload execution (#249) * keys_handler: verify HMAC in constant-time (#248) * build: Adjust package dependencies to compile in Fedora (#245) * Generate Cargo.lock file * Add Ueno as a maintainer and set codeowners * Fix clippy errors, update to newest TSS-ESAPI - Drop generate-cargo-lock-file.patch (already in upstream) OBS-URL: https://build.opensuse.org/request/show/932540 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=5
2021-11-19 13:51:44 +00:00 · 2021-11-19 13:51:44 +00:00 · 4a125f71be
commit 4a125f71be
parent b5b7b67a4c
8 changed files with 64 additions and 3065 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">890e8c9e226ffb9fe3b34571ed11901661437fc0</param></service></servicedata>
+              <param name="changesrevision">d5a31912eb9f69ea1c8fed59811089ff7c4ccebf</param></service></servicedata>
--- a/generate-cargo-lock-file.patch
+++ b/generate-cargo-lock-file.patch
--- a/keylime.conf.diff
+++ b/keylime.conf.diff
@ -1,74 +1,44 @@
-Index: rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
-===================================================================
--- rust-keylime-0.1.0+git.1626706730.a009476.orig/keylime.conf
-+++ rust-keylime-0.1.0+git.1626706730.a009476/keylime.conf
-@@ -11,7 +11,8 @@ tls_check_hostnames = False
- # Valid options are 'cfssl' or 'openssl'  For cfssl to work, you must have the
- # go binary installed in your path or in /usr/local/
- # Revocation list generation is only supported by cfssl
-ca_implementation = openssl
-+# ca_implementation = openssl
-+ca_implementation = cfssl
+diff --git a/keylime.conf b/keylime.conf
+index 005c0af..fb9b737 100644
+--- a/keylime.conf
+++ b/keylime.conf
+@@ -4,7 +4,8 @@
 
+ # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
+ # revocation events from the verifier.
+-receive_revocation_ip = 127.0.0.1
+# receive_revocation_ip = 127.0.0.1
+receive_revocation_ip = <REMOTE_IP>
+ receive_revocation_port = 8992
+ 
+ 
+@@ -13,7 +14,8 @@ receive_revocation_port = 8992
 #=============================================================================
- [cloud_agent]
-@@ -19,7 +20,8 @@ ca_implementation = openssl
 
- # The Agent's IP address and port used to communicate with other services
- # as well as a bind address for the agent server.
+ # The binding address and port for the agent server
 -cloudagent_ip = 127.0.0.1
 +# cloudagent_ip = 127.0.0.1
 +cloudagent_ip = 0.0.0.0
 cloudagent_port = 9002
 
- # What is the name of the rsa key that keylime should use for protecting
-@@ -54,7 +56,8 @@ extract_payload_zip = True
- # If you set this to 'generate', keylime will create a random uuid
- # If you set this to 'hash_ek', keylime will set the UUID to the result
- # of SHA256(public EK in PEM format)
-agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
-+# agent_uuid = D432FBB3-D2F1-4A97-9EF7-75BD81C00000
-+agent_uuid = hash_ek
+ # Address and port where the verifier and tenant can connect to reach the agent.
+@@ -22,7 +24,8 @@ agent_contact_ip = 127.0.0.1
+ agent_contact_port = 9002
 
- # Whether to listen for revocation notifications from the verifier
- listen_notfications = True
-@@ -115,7 +118,8 @@ ek_handle = generate
- 
- # The cloud verifier IP address and port used to communicate with other services
- # as well as a bind address for the verifier server.
-cloudverifier_ip = 127.0.0.1
-+# cloudverifier_ip = 127.0.0.1
-+cloudverifier_ip = 0.0.0.0
- cloudverifier_port = 8881
- 
- # Cloud Verifier TLS options.  This is for authenticating the CV itself,
-@@ -204,7 +208,8 @@ revocation_notifier = True
- # The revocation notifier IP address and port used to start the revocation service.
- # If the revocation_notifier is true, then the verifier automatically
- # starts revocation service.
-revocation_notifier_ip = 127.0.0.1
-+# revocation_notifier_ip = 127.0.0.1
-+revocation_notifier_ip = 0.0.0.0
- revocation_notifier_port = 8992
- 
- # The verifier limits the size of upload payloads (whitelists) which defaults to
-@@ -330,7 +335,8 @@ max_retries = 10
- # might provide a signed list of EK public key hashes.  Then you could write
- # an ek_check_script that checks the signature of the whitelist and then
- # compares the hash of the given EK with the whistlist
-require_ek_cert = True
-+# require_ek_cert = True
-+require_ek_cert = False
- 
- # Optional script to execute to check the EK and/or EK certificate against a
- # whitelist or any other additional EK processing you want to do. Runs in
-@@ -356,7 +362,8 @@ ek_check_script=
- 
- # The registrar's IP address and port used to communicate with other
- # services as well as a bind address for the registrar server.
+ # The address and port of registrar server which agent communicate with
 -registrar_ip = 127.0.0.1
 +# registrar_ip = 127.0.0.1
-+registrar_ip = 0.0.0.0
+registrar_ip = <REMOTE_IP>
 registrar_port = 8890
- registrar_tls_port = 8891
 
+ # The name of the RSA key that Keylime should use for protecting shares of U/V.
+@@ -62,7 +65,8 @@ extract_payload_zip = True
+ # 'dmidecode -s system-uuid'.
+ # If you set this to "hostname", Keylime will use the full qualified domain
+ # name of current host as the agent id.
+-agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+agent_uuid = hostname
+ 
+ # Whether to listen for revocation notifications from the verifier or not.
+ listen_notfications = True
--- a/rust-keylime-0.1.0+git.1629114992.890e8c9.tar.xz
+++ b/rust-keylime-0.1.0+git.1629114992.890e8c9.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:924fff46b0ae17ec2d8b164d1d2b878524dc50fd1fc0f49153b86dc14c7b9dec
-size 39740
--- a/rust-keylime-0.1.0+git.1637095429.d5a3191.tar.xz
+++ b/rust-keylime-0.1.0+git.1637095429.d5a3191.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ff2e8753fdaf96f5d558f10e664f13208c88389fdd36a86a5cdd5a95ef53495
+size 99716
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com
+
+- Update to version 0.1.0+git.1637095429.d5a3191:
+  * Run Fedora tests on unified Keylime test container
+  * ima_emulator: Print error message when TCTI envvar is not set
+  * Add keylime_ima_emulator executable for testing
+  * Fix 0mq problem
+  * ci: Check unit test coverage with cargo tarpaulin (#216)
+  * config: merge with Python keylime.conf and remove unused entries
+  * Add support for contact ip and port
+  * common: move get env or from config into sperate function
+  * keys_handler: Add unit tests
+  * quotes_handler: Add unit tests (#265)
+  * Fix bugs that occur after a delete and re-add from the tenant
+  * Retain the main loop running after payload execution (#249)
+  * keys_handler: verify HMAC in constant-time (#248)
+  * build: Adjust package dependencies to compile in Fedora (#245)
+  * Generate Cargo.lock file
+  * Add Ueno as a maintainer and set codeowners
+  * Fix clippy errors, update to newest TSS-ESAPI
+- Drop generate-cargo-lock-file.patch (already in upstream)
+
 -------------------------------------------------------------------
 Mon Aug 16 14:23:13 UTC 2021 - aplanas@suse.com

--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -18,7 +18,7 @@

 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           rust-keylime
-Version:        0.1.0+git.1629114992.890e8c9
+Version:        0.1.0+git.1637095429.d5a3191
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@ -30,8 +30,6 @@ Source3:        keylime_agent.service
 Source4:        keylime.xml
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1:         keylime.conf.diff
-# PATCH-FIX-UPSTREAM generate-cargo-lock-file.patch gh#keylime/rust-keylime!244
-Patch2:         generate-cargo-lock-file.patch
 BuildRequires:  cargo
 BuildRequires:  firewall-macros
 BuildRequires:  libarchive-devel
@ -63,6 +61,9 @@ install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keyli
 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json

+# We do not need the IMA emulator until tests
+rm %{buildroot}%{_bindir}/keylime_ima_emulator
+
 %pre
 %service_add_pre keylime_agent.service

--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b23bdccc1fadfd5e6f066c9abb4b2938f087d5431d56a13026773dfe9aff89cc
-size 15782704
+oid sha256:5aec49064dfd5872ddac53168ddf2a1956b122eb6a687e67bed81b9e2168f9d7
+size 15777356