Accepting request 1066186 from home:aplanas:branches:security

- Drop zmq from the feature set - Remove already merged patches: * 0001-keylime-agent-remove-const_err-deny.patch * 0001-Cargo.toml-tss-esapi-bindings.patch - Update to version 0.1.0+git.1676549716.5382ed9: * Cargo: Update clap minimum version to 3.2 * Cargo: Update uuid minimum version to 1.3 * Cargo: Update tokio minimum version to 1.24 and reduce features * build(deps): bump tss-esapi from 7.1.0 to 7.2.0 * cargo deb: include shim.py in packaging * build(deps): bump thiserror from 1.0.36 to 1.0.38 * keylime-agent.conf: Add comments on how to override options * config: Fix overriding options with env vars * Add missing e2e tests and reordering tests based on alphabetical order * e2e tests: Fix test name * Store associated U keys, auth tags, and payloads together * Refactor ZeroMQ revocation listener to not block * keylime-agent: Gracefully shutdown on SIGINT * Refactor async code for keys and payloads * main: Move payload related functions to payloads module * main: Run ZeroMQ service in a separate task * Remove unused option "openstack" for obtaining uuid * algorithms: fix typo * clippy: fix uninlined_format_args warnings * clippy: fix needless_borrow warnings * crypto, mTLS: allow certificate chain for trusted_client_ca * build(deps): bump base64 from 0.13.0 to 0.13.1 * build(deps): bump serde_json from 1.0.85 to 1.0.91 * build(deps): bump libc from 0.2.133 to 0.2.139 * build(deps): bump bumpalo from 3.11.0 to 3.12.0 * build(deps): bump futures from 0.3.24 to 0.3.25 * Cargo.toml: tss-esapi bindings * packit-ci: Disable Rawhide due to agent compilation issues * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598 * keylime-agent: remove const_err deny * build(deps): bump tokio from 1.23.0 to 1.24.2 OBS-URL: https://build.opensuse.org/request/show/1066186 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=36
2023-02-16 14:24:29 +00:00 · 2023-02-16 14:24:29 +00:00 · b88b2eb241
commit b88b2eb241
parent 061c362acb
9 changed files with 78 additions and 111 deletions
--- a/0001-Cargo.toml-tss-esapi-bindings.patch
+++ b/0001-Cargo.toml-tss-esapi-bindings.patch
@ -1,43 +0,0 @@
-From df18e7f683b610e198f8d359d2036655a1891795 Mon Sep 17 00:00:00 2001
-From: Alberto Planas <aplanas@suse.com>
-Date: Tue, 17 Jan 2023 11:35:59 +0100
-Subject: [PATCH] Cargo.toml: tss-esapi bindings
-
-Generate the tss-esapi bindings during compilation time.  This will
-extend the amount of supported architectures.
-
-This is a regression done after the crate split, that was fixed before
-in #459.
-
-Signed-off-by: Alberto Planas <aplanas@suse.com>
---
- keylime-ima-emulator/Cargo.toml | 2 +-
- keylime/Cargo.toml              | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/keylime-ima-emulator/Cargo.toml b/keylime-ima-emulator/Cargo.toml
-index ee3d5c1..333a192 100644
--- a/keylime-ima-emulator/Cargo.toml
-+++ b/keylime-ima-emulator/Cargo.toml
-@@ -12,4 +12,4 @@ keylime = { path = "../keylime" }
- log = "0.4"
- openssl = "0.10.15"
- thiserror = "1.0"
-tss-esapi = "7.1.0"
-+tss-esapi = {version = "7.1.0", features = ["generate-bindings"]}
-diff --git a/keylime/Cargo.toml b/keylime/Cargo.toml
-index 9693912..c343d40 100644
--- a/keylime/Cargo.toml
-+++ b/keylime/Cargo.toml
-@@ -14,7 +14,7 @@ serde = "1.0.80"
- serde_derive = "1.0.80"
- static_assertions = "1"
- thiserror = "1.0"
-tss-esapi = "7.1.0"
-+tss-esapi = {version = "7.1.0", features = ["generate-bindings"]}
- 
- [dev-dependencies]
- tempfile = "3.0.4"
-- 
-2.39.0
-
--- a/0001-keylime-agent-remove-const_err-deny.patch
+++ b/0001-keylime-agent-remove-const_err-deny.patch
@ -1,32 +0,0 @@
-From a44207e5ffde079b39b119afbf12871d2f78adf1 Mon Sep 17 00:00:00 2001
-From: Alberto Planas <aplanas@suse.com>
-Date: Mon, 16 Jan 2023 15:51:46 +0100
-Subject: [PATCH] keylime-agent: remove const_err deny
-
-In 1.66 / 1.66.1 const_err is already a hard error, and was enabled as
-such as long ago. New compilers will complain in case that this is still
-used:
-
-  warning: lint `const_err` has been removed: converted into hard error
-
-More info:
-  https://github.com/rust-lang/rust/issues/71800
---
- keylime-agent/src/main.rs | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
-index 6333652..1d6fdf4 100644
--- a/keylime-agent/src/main.rs
-+++ b/keylime-agent/src/main.rs
-@@ -3,7 +3,6 @@
- 
- #![deny(
-     nonstandard_style,
-    const_err,
-     dead_code,
-     improper_ctypes,
-     non_shorthand_field_patterns,
-- 
-2.39.0
-
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">762cec820ee1bc00ca480cf3b410e61904410ffa</param></service></servicedata>
+              <param name="changesrevision">5382ed930bbb70c2041160386547fbbf07dcde44</param></service></servicedata>
--- a/keylime-agent.conf.diff
+++ b/keylime-agent.conf.diff
@ -1,36 +1,49 @@
-Index: rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf
+Index: rust-keylime-0.1.0+git.1676549716.5382ed9/keylime-agent.conf
 ===================================================================
--- rust-keylime-0.1.0+git.1663769444.6318234.orig/keylime-agent.conf
-+++ rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf
-@@ -10,10 +10,12 @@ version = "2.0"
- # If you set this to "generate", Keylime will create a random UUID.
- # If you set this to "hash_ek", Keylime will set the UUID to the result
+--- rust-keylime-0.1.0+git.1676549716.5382ed9.orig/keylime-agent.conf
+++ rust-keylime-0.1.0+git.1676549716.5382ed9/keylime-agent.conf
+@@ -19,13 +19,15 @@ version = "2.0"
 # of 'SHA256(public EK in PEM format)'.
+ #
+ # To override, set KEYLIME_AGENT_UUID environment variable.
 -uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 +# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 +uuid = "generate"
 
- # The binding address and port for the agent server
+ # The binding IP address and port for the agent server
+ #
+ # To override ip, set KEYLIME_AGENT_IP environment variable.
+ # To override port, set KEYLIME_AGENT_PORT environment variable.
 -ip = "127.0.0.1"
 +# ip = "127.0.0.1"
 +ip = "0.0.0.0"
 port = 9002
 
 # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -22,7 +24,8 @@ contact_ip = "127.0.0.1"
- contact_port = 9002
- 
- # The address and port of registrar server which agent communicate with
+@@ -41,7 +43,8 @@ contact_port = 9002
+ # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
+ # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
+ # variable.
 -registrar_ip = "127.0.0.1"
 +# registrar_ip = "127.0.0.1"
 +registrar_ip = "<REMOTE_IP>"
 registrar_port = 8890
 
 # Enable mTLS communication between agent, verifier and tenant.
-@@ -96,7 +99,8 @@ revocation_actions_dir = "/usr/libexec/k
- # Revocation IP & Port used by the agent to receive revocation
- # notifications from the verifier via zeromq.
- # This is optional and used only when 'enable_revocation_notifications' is 'true'.
+@@ -133,7 +136,8 @@ extract_payload_zip = true
+ #
+ # To override enable_revocation_notifications, set
+ # KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable.
+-enable_revocation_notifications = true
+# enable_revocation_notifications = true
+enable_revocation_notifications = false
+ 
+ # The path to the directory containing the pre-installed revocation action
+ # scripts.  Ideally should point to an fixed/immutable location subject to
+@@ -151,7 +155,8 @@ revocation_actions_dir = "/usr/libexec/k
+ # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
+ # To override revocation_notification_port, set
+ # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
 -revocation_notification_ip = "127.0.0.1"
 +# revocation_notification_ip = "127.0.0.1"
 +revocation_notification_ip = "<REMOTE_IP>"
--- a/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz
+++ b/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:68268240480a7dabb3475afae040ea4cf093a1e9a85333f9e72cfe32747a5402
-size 20677888
--- a/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz
+++ b/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0e916efe0dc4e3c20e78724be16c235d0f55cdf8d42ba92d01a5c19fb5a2eb6
+size 130384
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu Feb 16 12:51:38 UTC 2023 - aplanas@suse.com
+
+- Drop zmq from the feature set
+- Remove already merged patches:
+  * 0001-keylime-agent-remove-const_err-deny.patch
+  * 0001-Cargo.toml-tss-esapi-bindings.patch
+- Update to version 0.1.0+git.1676549716.5382ed9:
+  * Cargo: Update clap minimum version to 3.2
+  * Cargo: Update uuid minimum version to 1.3
+  * Cargo: Update tokio minimum version to 1.24 and reduce features
+  * build(deps): bump tss-esapi from 7.1.0 to 7.2.0
+  * cargo deb: include shim.py in packaging
+  * build(deps): bump thiserror from 1.0.36 to 1.0.38
+  * keylime-agent.conf: Add comments on how to override options
+  * config: Fix overriding options with env vars
+  * Add missing e2e tests and reordering tests based on alphabetical order
+  * e2e tests: Fix test name
+  * Store associated U keys, auth tags, and payloads together
+  * Refactor ZeroMQ revocation listener to not block
+  * keylime-agent: Gracefully shutdown on SIGINT
+  * Refactor async code for keys and payloads
+  * main: Move payload related functions to payloads module
+  * main: Run ZeroMQ service in a separate task
+  * Remove unused option "openstack" for obtaining uuid
+  * algorithms: fix typo
+  * clippy: fix uninlined_format_args warnings
+  * clippy: fix needless_borrow warnings
+  * crypto, mTLS: allow certificate chain for trusted_client_ca
+  * build(deps): bump base64 from 0.13.0 to 0.13.1
+  * build(deps): bump serde_json from 1.0.85 to 1.0.91
+  * build(deps): bump libc from 0.2.133 to 0.2.139
+  * build(deps): bump bumpalo from 3.11.0 to 3.12.0
+  * build(deps): bump futures from 0.3.24 to 0.3.25
+  * Cargo.toml: tss-esapi bindings
+  * packit-ci: Disable Rawhide due to agent compilation issues
+  * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
+  * keylime-agent: remove const_err deny
+  * build(deps): bump tokio from 1.23.0 to 1.24.2
+
 -------------------------------------------------------------------
 Mon Jan 16 14:02:08 UTC 2023 - aplanas@suse.com

--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -25,7 +25,7 @@
  %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.1.0+git.1672681780.762cec8
+Version:        0.1.0+git.1676549716.5382ed9
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@ -38,10 +38,6 @@ Source4:        keylime-user.conf
 Source5:        tmpfiles.keylime
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1:         keylime-agent.conf.diff
-# PATCH-FIX-UPSTREAM 0001-keylime-agent-remove-const_err-deny.patch gh#keylime/rust-keylime#501
-Patch2:         0001-keylime-agent-remove-const_err-deny.patch
-# PATCH-FIX-UPSTREAM 0001-Cargo.toml-tss-esapi-bindings.patch gh#keylime/rust-keylime#502
-Patch3:         0001-Cargo.toml-tss-esapi-bindings.patch
 BuildRequires:  cargo-packaging
 BuildRequires:  clang
 BuildRequires:  firewall-macros
@ -49,7 +45,6 @@ BuildRequires:  libarchive-devel
 BuildRequires:  rust
 BuildRequires:  sysuser-tools
 BuildRequires:  tpm2-0-tss-devel
-BuildRequires:  zeromq-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
 Requires:       tpm2.0-abrmd
@ -70,18 +65,12 @@ mkdir .cargo
 cp %{SOURCE2} .cargo/config

 %build
-%{cargo_build} --no-default-features --features "with-zmq"
+%{cargo_build} --no-default-features
 %sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf

 %install
-# If https://github.com/Firstyear/cargo-packaging/pull/3 gets merged,
-# replace it with:
-#
-#  #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"
-#  #{cargo_install -p keylime-ima-emulator}
-
-install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_agent %{buildroot}%{_bindir}/keylime_agent
-install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_ima_emulator %{buildroot}%{_bindir}/keylime_ima_emulator
+%{cargo_install -p keylime-agent} --no-default-features
+%{cargo_install -p keylime-ima-emulator}

 install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
 install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:89e4102d09cff722290c9c3e1cc18b02dd3edb7f893039b1190b41c6cb213c17
-size 26221436
+oid sha256:87478d2ed42d4b9b50c20a680c3b40fcc06dbbb8b6d9554ef9bb29d548e9073f
+size 25855860