Accepting request 1078770 from home:aplanas:branches:security

- Update to version 0.2.0+git.1681223954.646cf61:
  * Allow setting measured boot log path for testing
  * build(deps): bump base64 from 0.13.1 to 0.21.0
  * build(deps): bump wiremock from 0.5.14 to 0.5.18
  * Build Fedora and CentOS packages on Copr using packit
  * build(deps): bump serde_json from 1.0.91 to 1.0.95
  * build(deps): bump actix-rt from 2.7.0 to 2.8.0
  * build(deps): bump base64 from 0.13.1 to 0.21.0
  * build(deps): bump serde from 1.0.147 to 1.0.159
  * build(deps): bump glob from 0.3.0 to 0.3.1
  * Add missing test from keylime testsuite to e2e plan
  * Fix typo in name of test for generating coverage
  * build(deps): bump thiserror from 1.0.38 to 1.0.40
  * build(deps): bump base64 from 0.13.1 to 0.21.0
  * build(deps): bump actix-web from 4.2.1 to 4.3.1
  * build(deps): bump serde from 1.0.145 to 1.0.147
  * build(deps): bump libc from 0.2.139 to 0.2.140
  * build(deps): bump futures from 0.3.25 to 0.3.27
  * build(deps): bump reqwest from 0.11.12 to 0.11.15
  * build(deps): bump config from 0.13.2 to 0.13.3
  * build(deps): bump openssl from 0.10.45 to 0.10.48
  * build(deps): bump tokio from 1.24.2 to 1.26.0
  * Cargo: Update tempfile to 3.4.0 version
- Add keylime-ima-policy subpackage to provide a better IMA policy
- Update to version 0.2.0+git.1677691779.f7edd9a:
  * Disable e2e on Rawhide due to RHBZ#2171376
  * Change number of required uploaded files
  * Coverage for rust agent as github action.
  * config: Skip validation of keylime_dir during tests
- Create the certificiate directory
- Update to version 0.2.0+git.1677002906.cf6c4f0:
  * Bump version to 0.2.0
  * packit: Remove workaround for Fedora BZ#2158598
  * ima-emulator: Implement graceful shutdown
  * Update tss-esapi in Cargo.toml
  * packit: Re-enable tests on Fedora Rawhide
  * Deprecate `with-zmq` and `legacy-python-actions` features
- Drop zmq from the feature set
- Remove already merged patches:
  * 0001-keylime-agent-remove-const_err-deny.patch
  * 0001-Cargo.toml-tss-esapi-bindings.patch
- Update to version 0.1.0+git.1676549716.5382ed9:
  * Cargo: Update clap minimum version to 3.2
  * Cargo: Update uuid minimum version to 1.3
  * Cargo: Update tokio minimum version to 1.24 and reduce features
  * build(deps): bump tss-esapi from 7.1.0 to 7.2.0
  * cargo deb: include shim.py in packaging
  * build(deps): bump thiserror from 1.0.36 to 1.0.38
  * keylime-agent.conf: Add comments on how to override options
  * config: Fix overriding options with env vars
  * Add missing e2e tests and reordering tests based on alphabetical order
  * e2e tests: Fix test name
  * Store associated U keys, auth tags, and payloads together
  * Refactor ZeroMQ revocation listener to not block
  * keylime-agent: Gracefully shutdown on SIGINT
  * Refactor async code for keys and payloads
  * main: Move payload related functions to payloads module
  * main: Run ZeroMQ service in a separate task
  * Remove unused option "openstack" for obtaining uuid
  * algorithms: fix typo
  * clippy: fix uninlined_format_args warnings
  * clippy: fix needless_borrow warnings
  * crypto, mTLS: allow certificate chain for trusted_client_ca
  * build(deps): bump base64 from 0.13.0 to 0.13.1
  * build(deps): bump serde_json from 1.0.85 to 1.0.91
  * build(deps): bump libc from 0.2.133 to 0.2.139
  * build(deps): bump bumpalo from 3.11.0 to 3.12.0
  * build(deps): bump futures from 0.3.24 to 0.3.25
  * Cargo.toml: tss-esapi bindings
  * packit-ci: Disable Rawhide due to agent compilation issues
  * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
  * keylime-agent: remove const_err deny
  * build(deps): bump tokio from 1.23.0 to 1.24.2
- Update to version 0.1.0+git.1672681780.762cec8:
  * build(deps): bump openssl from 0.10.41 to 0.10.45
  * build(deps): bump tokio from 1.21.1 to 1.23.0
  * Disable dnf-makecache.service to save RAM
  * CI tests: Do not remove Fedora tag repository
  * add support for cargo deb
  * Pacify clippy::needless-borrow
  * Move tpm.rs from keylime-agent to the library
  * Split crates into library and applications
- Add 0001-keylime-agent-remove-const_err-deny.patch
- Fix "cargo install" with workspaces
  https://github.com/rust-lang/cargo/issues/7599
- Add 0001-Cargo.toml-tss-esapi-bindings.patch
- Update to version 0.1.0+git.1670590616.e80c67a:
  * main: only read uuid from KeylimeConfig
  * Enabling more e2e tests in Packit CI
  * systemd: start agent after network is online
  * Cargo: Drop unused dependencies rust-ini and toml
- Add cargo-audit service per policy
- Update to version 0.1.0+git.1666019359.f5de47b:
  * README: mark Rust agent as the official one, fix cargo run command
- Drop bindgen.patch as is already upstream
- Update to version 0.1.0+git.1664480840.0ea0492:
  * Increase unit testing
  * Test all features with cargo tarpaulin
  * Cargo.toml: tss-esapi bindings
- Rebase bindgen.patch and upstream the change
- Rebase keylime-agent.conf.diff
- Store the configuration file in /usr/etc/keylime/agent.conf
- Fix keylime user creation
- Drop webapp service port in firewall XML service file
- Update to version 0.1.0+git.1663769444.6318234:
  * Update comments in the configuration file
  * config: Align config locations with the python components
  * config: Add configuration file version
  * config: Add back support for KEYLIME_DIR env var
  * Change configuration format to TOML
  * Add support for using passphrase protected key
  * Do not try to load TPM data generated by another TPM
  * Allow using existing key and certificate
  * Remove the agent TPM data from the config struct
  * Rename the configuration options
  * Use password to generate EK when provided
  * Add tpm_ownerpassword option to keylime.conf
  * Add cargo audit to CI static tests
  * Add agent and faked_measured_boot_log tests context
  * Appease clippy
- Update to version 0.1.0+git.1659977521.0186093:
  * Fix display of mb measurement file path
  * Add more helpful error when config file is not found
  * Fix small comment about implementing TPM ownership
  * main: die when cannot drop privileges
  * keylime.conf: add run_as section
  * Use Rust agent-specific config in Makefile
  * Fix typo in listen_notifications option in keylime.conf
  * tpm: Support pre-existing EK
  * Set swtpm context which is later used for test filtering
  * Add GitLeaks configuration to ignore RSA key used for testing
  * Handle whitespace in keylime.conf
- Rename keylime.conf.diff to keylime-agent.conf.diff
- Drop 0001-main-die-when-cannot-drop-privileges.patch, as is already
  merged upstream
- Add bindgen.patch to add more architectures
- Update to version 0.1.0+git.1657303637.5b9072a:
  * keys_handler: Use scopes to drop mutexes before await
  * Enable usage of Rust IMA emulator in E2E tests.
  * ima_emulator: Support PCR hash algorithms other than SHA-1
  * ima_entry: add IMA entry parser ported from Python Keylime
  * algorithms: Add conversion between our hash algorithms and OpenSSL's
  * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str.
  * Adjust function usage comments to account for new parameters.
  * Load config file less at startup in src/common.rs
  * GNUmakefile: Make target dependencies explicit
  * permissions: Set supplementary groups when dropping privileges
  * main: Use more descriptive message for missing files error
  * Show path when fail to load the certificate
  * tpm: Add serialization functions for structures in quotes
- Requires tpm2.0-abrmd dependency, as the kernel resource manager
  could be not enough
- Downgrade /var/run/keylime permissions
- Set "run_as" parameter to "keylime:tss"
- Create the keylime user via systemd
- Fix keylime service home directory
- Add 0001-main-die-when-cannot-drop-privileges.patch to avoid the
  execution as root when the run_as user is missing in the system
- Update to version 0.1.0+git.1655384301.b834667:
  * Update fmf plans to run test with IMA policy
  * .github/dependabot.yml: prevent updates that require manifest change
- Add logrotate configuration for the agent service
- Requires libtss2-tcti-device0 to interact with the real device
- Drop legacy Python subpackage and feature
- Move conflicts into the Python version
- Drop CFSSL port from the keylime.xml firewalld rules
- Update to version 0.1.0+git.1655143451.7c4121e:
  * Add dependabot for automatic dependency updates
  * config: remove unused options
  * persist AK, NK and mTLS certificate to disk
  * Update tokio minimum version
  * Adjust CI test name according to keylime-tests PR#125
  * Make wiremock an optional dependency
  * Drop unused dependency flate2
  * Drop unused dependency rustc-serialize
  * Update clap dependency to 3.1.18
  * add support for "hash_ek" UUID creation
  * tpm: add and use EKResult struct as return value for create_ek(..)
  * replace custom marshall functions with the offical one
  * update to tss-esapi 7.1.0
  * quotes_handler: Rewind measured boot log file
  * Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
  * OpenSSL on deb family is now libssl-dev
- Update to version 0.1.0+git.1653314004.ceda2ec:
  * Skip serialization of optional fields
  * Make support for legacy python revocation actions optional
  * main: Do not try to load CA cert if mTLS is disabled
  * CI: Add packit to run end-to-end tests
  * GNUmakefile: Install shim.py
  * Add service for secure mount
  * secure_mount: Do not try to give ownership to root
  * secure_mount: Rewrite check_mount()
  * main: Ignore original ownership when unzipping files
  * Drop privileges to run as normal user and group
  * main: Mount secure mount before dropping the privileges
  * main: Open files that require privilege at the beginning
  * quotes_handler: Fix measured boot list encoding
  * Fix typo in config_get()
  * Add option to disable mTLS
  * Update actix-web to 4, remove tokio 0.2 dependencies
  * crypto: Add helper function to convert public key to PEM string
  * Add ansasaki as maintainer
- Update to version 0.1.0+git.1649449492.59856c2:
  * errors_handler: Add handler for 404 error
  * errors_handler: Add tests for error handlers
  * main: Add handler for actix request parsing errors
  * main: Add default handlers for each scope
  * main: Use actix middleware to log requests
  * common: Change status code type from u32 to u16
  * common: Use trait ToString for status on JsonWrapper::error
  * quotes_handler: Add used measured boot path to warning message
  * common: Rename JsonWrapper::new as JsonWrapper::success
  * Generalize error JSON wrapping
  * main: Use scopes to organize API
  * Use JSON wrapper on error responses
  * quotes_handler: Simplify integrity quote structures
  * quotes_handler: Improve query parameters parsing
  * quotes_handler: Add missing log messages
  * keys_handler: Add API to verify derived key
  * keys_handler: Remove workaround for missing JSON Content-Type
  * keys_handler: Fix test for 256-bits keys
  * Use shared JSON wrapper for HTTP responses
  * ima: Avoid using unwrap() or panic!()
  * Apply changes suggested by cargo fmt and cargo clippy
  * ima: Read IMA measurement list begining at n-th entry.
  * ima: Get ima_ml_entry from HTTP request
  * version_handler: Introduce /version REST endpoint (#313)
  * main: Do not error if payload_script is not found
  * Remove revocation actions naming restriction
  * Revert API version to 2.0
  * Set working directory via KEYLIME_DIR env variable
- Add work_dir directory in /var/lib/keylime
- Add subpackage rust-keylime-python to execute revocation payload in Python
- Update to version 0.1.0+git.1645537954.2f1447d:
  * Make zmq an optional dependency
  * notifications_handler: Introduce /notifications/revocation REST endpoint
  * revocation: Move out revocation message processing
  * revocation: Make get_revocation_cert_path() public
  * Install systemd unit file
- Update to version 0.1.0+git.1645023877.811a869:
  * Make clippy happy.
  * Add a --help message.
  * Depend on Rust-TSS-ESAPI 7.0.0 stable
  * main: Return error on initialization if python shim is missing
  * common: Add hardcoded config defaults for revocation
  * main: Add execution permissions to revocation actions
  * revocation: Log revocation actions output
  * revocation: Fix get_revocation_cert_path() comment
  * gitignore: Add filters for some temporary files
  * revocation: Do not ignore revocation actions from config
  * revocation: Implement python actions support
  * tests: Implement proof-of-concept python shim
  * revocation: Implement lookup_action() function
  * common: Add revocation actions configurations
  * revocation: Enforce local action naming restriction
  * revocation: Remove duplicate logger initialization
  * crypto: unfiy import_x509 and load_x509
  * update Cargo.lock
  * common: update API version to v2.0
  * tpm: drop zlib compression in quotes
  * run agent webserver with mTLS enabled and add mtls_cert to registrar
  * crypto: load and generate X509 certificates, mTLS context generation
  * keylime.conf: add setting for Keylime CA
  * Bump tss-esapi crate to 7.0.0-beta.1
  * Update to fix typo
  * Use Path and PathBuf consistently to represent paths
  * Bump versions of some dependencies
  * quotes_handler: Check quotes in tests
  * tpm: Remove hard-coded struct sizes with std::mem::size_of
  * tpm: Let compiler to infer arch-dependent integer types
  * Use CString as the first argument of libc::chown
  * keys_handler: Add API to get public key (#284)
  * crypto: Fix algorithms used for revocation signature (#275)
  * revocation: Use revocation certificate set by configuration (#300)
  * common: Add revocation_cert to the global configuration structure
  * ima_emulator: Fix running hash calculation on resumption
  * keys_handler: Add test with encrypted payload
  * main: Use condition variable to wait for payload encryption key
  * main: Use Option to represent a combined key
  * main: Redefine KeySet as a vector
  * keys_handler, main: Move crypto operations to crypto module
  * keys_handler: Make use of type safe payload deserialization
  * Remove unused imports
  * Remove duplicate CODEOWNERS file
  * Remove panic when running rev action
  * move global configuration into a single struct
  * Add codeowners
- Update to version 0.1.0+git.1641587454.1248597:
  * quotes_handler: send TPM2 event log for measured boot
  * serialization: move serialization into separate module
  * try to load AK from disk instead of always creating a new one
  * update Cargo.lock file
  * make hash, encryption and signing algorithm configurable
  * tpm: remove get_sig_scheme(..) function
  * hash: rename to algorithms and implement tss conversions
  * cmd_exec: remove cmd_exec module
  * secure_mount: fix mount of tmpfs for secure directory
  * common: change default WORK_DIR to /var/lib/keylime
  * tpm: remove special handling for PCR10
- Update to version 0.1.0+git.1639176416.fc90088:
  * Code refactor to use updated tss-esapi
- Drop add_property_tag_variant_for_maxcapbuffer.patch, included in
  the upstream crate
- Conflict with keylime-agent, keylime-config and keylime-firewalld
- Add keylime_ima_emulator tool
- Add patch add_property_tag_variant_for_maxcapbuffer.patch
- Update to version 0.1.0+git.1637095429.d5a3191:
  * Run Fedora tests on unified Keylime test container
  * ima_emulator: Print error message when TCTI envvar is not set
  * Add keylime_ima_emulator executable for testing
  * Fix 0mq problem
  * ci: Check unit test coverage with cargo tarpaulin (#216)
  * config: merge with Python keylime.conf and remove unused entries
  * Add support for contact ip and port
  * common: move get env or from config into sperate function
  * keys_handler: Add unit tests
  * quotes_handler: Add unit tests (#265)
  * Fix bugs that occur after a delete and re-add from the tenant
  * Retain the main loop running after payload execution (#249)
  * keys_handler: verify HMAC in constant-time (#248)
  * build: Adjust package dependencies to compile in Fedora (#245)
  * Generate Cargo.lock file
  * Add Ueno as a maintainer and set codeowners
  * Fix clippy errors, update to newest TSS-ESAPI
- Drop generate-cargo-lock-file.patch (already in upstream)
- Update to version 0.1.0+git.1629114992.890e8c9:
  * Add "v1.0" prefix to agent APIs
- Update generate-cargo-lock-file.patch
- Add generate-cargo-lock-file.patch to fix the build system in OBS
- Add keylime.conf.diff to adjust the default config file
- Adjust build requirements
- Add firewalld XML rules
- Add systemd keylime_agent.service
- Fix license tag
- Update to version 0.0.1+git.1626706730.a009476:
  * libarchive-devel is needed to build on Fedora
  * Accept sets of U and V keys; use new Key types
  * Output mask info
  * Fix for race condition bug
  * Do not resend pubkey to CV after attestation
  * Run payload script from a shell
  * Write out data and run payload
  * Decrypt payload after key handlers find symm key
  * Add handler for U and V keys
  * Add helper functions for handling U and V keys
  * Some TPM fixes for IMA PCR validation
  * Do not flush AK context as this causes an error
  * Fix bug in revocation service
  * Drop references to vmask
  * Better documentation of consts
  * Do not fail if EK cert is not present in TPM NV
  * Add more verbose logging to better match Python agent
  * Remove verify stub as we are not using it
  * tests: Don't pass --allow-signing to swtpm_setup
  * Fix typos
  * Add dependency for libzmq3-dev / zeromq-devel
  * Fix new clippy lints
  * Add handling for Identity and Integrity quotes
  * Add Quote functionality
  * Add marshaling functions for TPM structs
- Update to version 0.0.1+git.1620935374.4df2148:
  * Add function to read PCR mask
  * Small fixes in TPM functions
  * Send quote data to actixweb handlers
- Update to version 0.0.1+git.1618949271.f609525:
  * Add more TPM helper functions
  * Use PKeys consistently
  * Rebase on tss-esapi 5.0
  * Pass a PKeyRef to asym_verify
  * Use #[[from] from thiserror
  * Fix uppercase acronyms
  * Add testing feature
  * Remove port bindings for agent
  * More verbose TPM and revocation error, verbose success
  * Fix docker networking

OBS-URL: https://build.opensuse.org/request/show/1078770
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=47

CVE-2023-26964.patch

@@ -1,56 +0,0 @@
-From 4dcb5fb4162665cad436a18e9cb6d1735203d3ac Mon Sep 17 00:00:00 2001
-From: Alberto Planas <aplanas@suse.com>
-Date: Wed, 12 Apr 2023 16:48:26 +0200
-Subject: [PATCH] Update hyper to v0.14.25 (CVE-2023-26964)
-
-Signed-off-by: Alberto Planas <aplanas@suse.com>
----
- Cargo.lock | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/Cargo.lock b/Cargo.lock
-index 70aeb97e..3fe2353c 100644
---- a/Cargo.lock
-+++ b/Cargo.lock
-@@ -918,9 +918,9 @@ checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
- 
- [[package]]
- name = "h2"
--version = "0.3.14"
-+version = "0.3.16"
- source = "registry+https://github.com/rust-lang/crates.io-index"
--checksum = "5ca32592cf21ac7ccab1825cd87f6c9b3d9022c44d086172ed0966bec8af30be"
-+checksum = "5be7b54589b581f624f566bf5d8eb2bab1db736c51528720b6bd36b96b55924d"
- dependencies = [
-  "bytes",
-  "fnv",
-@@ -1037,9 +1037,9 @@ dependencies = [
- 
- [[package]]
- name = "hyper"
--version = "0.14.20"
-+version = "0.14.25"
- source = "registry+https://github.com/rust-lang/crates.io-index"
--checksum = "02c929dc5c39e335a03c405292728118860721b10190d98c2a0f0efd5baafbac"
-+checksum = "cc5e554ff619822309ffd57d8734d77cd5ce6238bc956f037ea06c58238c9899"
- dependencies = [
-  "bytes",
-  "futures-channel",
-@@ -1162,7 +1162,7 @@ dependencies = [
- name = "keylime"
- version = "0.2.0"
- dependencies = [
-- "base64 0.21.0",
-+ "base64 0.13.1",
-  "hex",
-  "log",
-  "openssl",
-@@ -1180,7 +1180,7 @@ version = "0.2.0"
- dependencies = [
-  "actix-rt",
-  "actix-web",
-- "base64 0.21.0",
-+ "base64 0.13.1",
-  "cfg-if",
-  "clap",
-  "compress-tools",

rust-keylime.changes

@@ -1,9 +1,6 @@
 -------------------------------------------------------------------
 Wed Apr 12 14:52:38 UTC 2023 - aplanas@suse.com
 
-- Add CVE-2023-26964.patch to upgrade hyper crate (CVE-2023-26964,
-  bsc#1210344)
-
 - Update to version 0.2.0+git.1681223954.646cf61:
   * Allow setting measured boot log path for testing
   * build(deps): bump base64 from 0.13.1 to 0.21.0

rust-keylime.spec

@@ -41,8 +41,6 @@ Source7:        ima-policy.service
 Source8:        README.suse
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1:         keylime-agent.conf.diff
-# PATCH-FIX-UPSTREAM CVE-2023-26964.patch https://github.com/keylime/rust-keylime/pull/560
-Patch2:         CVE-2023-26964.patch
 BuildRequires:  cargo-packaging
 BuildRequires:  clang
 BuildRequires:  firewall-macros

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:540c04c5cba0ca0b67ac0adbc5bc8af3ce1fa6e9b9d9a46f9913c781180aba98
-size 26584652
+oid sha256:2e7a358d00578aa1248c30908de5368c0f673c8c800ecb415e2d4f7e7e7466db
+size 26584112