Accepting request 1066186 from home:aplanas:branches:security

- Drop zmq from the feature set - Remove already merged patches: * 0001-keylime-agent-remove-const_err-deny.patch * 0001-Cargo.toml-tss-esapi-bindings.patch - Update to version 0.1.0+git.1676549716.5382ed9: * Cargo: Update clap minimum version to 3.2 * Cargo: Update uuid minimum version to 1.3 * Cargo: Update tokio minimum version to 1.24 and reduce features * build(deps): bump tss-esapi from 7.1.0 to 7.2.0 * cargo deb: include shim.py in packaging * build(deps): bump thiserror from 1.0.36 to 1.0.38 * keylime-agent.conf: Add comments on how to override options * config: Fix overriding options with env vars * Add missing e2e tests and reordering tests based on alphabetical order * e2e tests: Fix test name * Store associated U keys, auth tags, and payloads together * Refactor ZeroMQ revocation listener to not block * keylime-agent: Gracefully shutdown on SIGINT * Refactor async code for keys and payloads * main: Move payload related functions to payloads module * main: Run ZeroMQ service in a separate task * Remove unused option "openstack" for obtaining uuid * algorithms: fix typo * clippy: fix uninlined_format_args warnings * clippy: fix needless_borrow warnings * crypto, mTLS: allow certificate chain for trusted_client_ca * build(deps): bump base64 from 0.13.0 to 0.13.1 * build(deps): bump serde_json from 1.0.85 to 1.0.91 * build(deps): bump libc from 0.2.133 to 0.2.139 * build(deps): bump bumpalo from 3.11.0 to 3.12.0 * build(deps): bump futures from 0.3.24 to 0.3.25 * Cargo.toml: tss-esapi bindings * packit-ci: Disable Rawhide due to agent compilation issues * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598 * keylime-agent: remove const_err deny * build(deps): bump tokio from 1.23.0 to 1.24.2 OBS-URL: https://build.opensuse.org/request/show/1066186 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=36
2023-02-16 14:24:29 +00:00 · 2023-02-16 14:24:29 +00:00 · b88b2eb241
commit b88b2eb241
parent 061c362acb
9 changed files with 78 additions and 111 deletions
--- a/0001-Cargo.toml-tss-esapi-bindings.patch
+++ b/0001-Cargo.toml-tss-esapi-bindings.patch
@ -1,43 +0,0 @@
 From df18e7f683b610e198f8d359d2036655a1891795 Mon Sep 17 00:00:00 2001
 From: Alberto Planas <aplanas@suse.com>
 Date: Tue, 17 Jan 2023 11:35:59 +0100
 Subject: [PATCH] Cargo.toml: tss-esapi bindings
 Generate the tss-esapi bindings during compilation time.  This will
 extend the amount of supported architectures.
 This is a regression done after the crate split, that was fixed before
 in #459.
 Signed-off-by: Alberto Planas <aplanas@suse.com>
 ---
 keylime-ima-emulator/Cargo.toml | 2 +-
 keylime/Cargo.toml              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/keylime-ima-emulator/Cargo.toml b/keylime-ima-emulator/Cargo.toml
 index ee3d5c1..333a192 100644
 --- a/keylime-ima-emulator/Cargo.toml
 +++ b/keylime-ima-emulator/Cargo.toml
@@ -12,4 +12,4 @@ keylime = { path = "../keylime" }
 log = "0.4"
 openssl = "0.10.15"
 thiserror = "1.0"
 -tss-esapi = "7.1.0"
 +tss-esapi = {version = "7.1.0", features = ["generate-bindings"]}
 diff --git a/keylime/Cargo.toml b/keylime/Cargo.toml
 index 9693912..c343d40 100644
 --- a/keylime/Cargo.toml
 +++ b/keylime/Cargo.toml
@@ -14,7 +14,7 @@ serde = "1.0.80"
 serde_derive = "1.0.80"
 static_assertions = "1"
 thiserror = "1.0"
 -tss-esapi = "7.1.0"
 +tss-esapi = {version = "7.1.0", features = ["generate-bindings"]}
 [dev-dependencies]
 tempfile = "3.0.4"
 -- 
 2.39.0
--- a/0001-keylime-agent-remove-const_err-deny.patch
+++ b/0001-keylime-agent-remove-const_err-deny.patch
@ -1,32 +0,0 @@
 From a44207e5ffde079b39b119afbf12871d2f78adf1 Mon Sep 17 00:00:00 2001
 From: Alberto Planas <aplanas@suse.com>
 Date: Mon, 16 Jan 2023 15:51:46 +0100
 Subject: [PATCH] keylime-agent: remove const_err deny
 In 1.66 / 1.66.1 const_err is already a hard error, and was enabled as
 such as long ago. New compilers will complain in case that this is still
 used:
  warning: lint `const_err` has been removed: converted into hard error
 More info:
  https://github.com/rust-lang/rust/issues/71800
 ---
 keylime-agent/src/main.rs | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
 index 6333652..1d6fdf4 100644
 --- a/keylime-agent/src/main.rs
 +++ b/keylime-agent/src/main.rs
@@ -3,7 +3,6 @@
 #![deny(
     nonstandard_style,
 -    const_err,
     dead_code,
     improper_ctypes,
     non_shorthand_field_patterns,
 -- 
 2.39.0
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">762cec820ee1bc00ca480cf3b410e61904410ffa</param></service></servicedata>
+              <param name="changesrevision">5382ed930bbb70c2041160386547fbbf07dcde44</param></service></servicedata>
--- a/keylime-agent.conf.diff
+++ b/keylime-agent.conf.diff
@ -1,36 +1,49 @@
-Index: rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf
+Index: rust-keylime-0.1.0+git.1676549716.5382ed9/keylime-agent.conf
 ===================================================================
--- rust-keylime-0.1.0+git.1663769444.6318234.orig/keylime-agent.conf
+--- rust-keylime-0.1.0+git.1676549716.5382ed9.orig/keylime-agent.conf
-+++ rust-keylime-0.1.0+git.1663769444.6318234/keylime-agent.conf
+++ rust-keylime-0.1.0+git.1676549716.5382ed9/keylime-agent.conf
-@@ -10,10 +10,12 @@ version = "2.0"
+@@ -19,13 +19,15 @@ version = "2.0"
 # If you set this to "generate", Keylime will create a random UUID.
 # If you set this to "hash_ek", Keylime will set the UUID to the result
 # of 'SHA256(public EK in PEM format)'.
 #
 # To override, set KEYLIME_AGENT_UUID environment variable.
 -uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 +# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 +uuid = "generate"
- # The binding address and port for the agent server
+ # The binding IP address and port for the agent server
 #
 # To override ip, set KEYLIME_AGENT_IP environment variable.
 # To override port, set KEYLIME_AGENT_PORT environment variable.
 -ip = "127.0.0.1"
 +# ip = "127.0.0.1"
 +ip = "0.0.0.0"
 port = 9002
 # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -22,7 +24,8 @@ contact_ip = "127.0.0.1"
+@@ -41,7 +43,8 @@ contact_port = 9002
- contact_port = 9002
+ # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
- 
+ # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
- # The address and port of registrar server which agent communicate with
+ # variable.
 -registrar_ip = "127.0.0.1"
 +# registrar_ip = "127.0.0.1"
 +registrar_ip = "<REMOTE_IP>"
 registrar_port = 8890
 # Enable mTLS communication between agent, verifier and tenant.
-@@ -96,7 +99,8 @@ revocation_actions_dir = "/usr/libexec/k
+@@ -133,7 +136,8 @@ extract_payload_zip = true
- # Revocation IP & Port used by the agent to receive revocation
+ #
- # notifications from the verifier via zeromq.
+ # To override enable_revocation_notifications, set
- # This is optional and used only when 'enable_revocation_notifications' is 'true'.
+ # KEYLIME_AGENT_ENABLE_REVOCATION_NOTIFICATIONS environment variable.
 -enable_revocation_notifications = true
 +# enable_revocation_notifications = true
 +enable_revocation_notifications = false
 # The path to the directory containing the pre-installed revocation action
 # scripts.  Ideally should point to an fixed/immutable location subject to
@@ -151,7 +155,8 @@ revocation_actions_dir = "/usr/libexec/k
 # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
 # To override revocation_notification_port, set
 # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
 -revocation_notification_ip = "127.0.0.1"
 +# revocation_notification_ip = "127.0.0.1"
 +revocation_notification_ip = "<REMOTE_IP>"
--- a/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz
+++ b/rust-keylime-0.1.0+git.1672681780.762cec8.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:68268240480a7dabb3475afae040ea4cf093a1e9a85333f9e72cfe32747a5402
 size 20677888
--- a/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz
+++ b/rust-keylime-0.1.0+git.1676549716.5382ed9.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e0e916efe0dc4e3c20e78724be16c235d0f55cdf8d42ba92d01a5c19fb5a2eb6
 size 130384
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,43 @@
 -------------------------------------------------------------------
 Thu Feb 16 12:51:38 UTC 2023 - aplanas@suse.com
 - Drop zmq from the feature set
 - Remove already merged patches:
  * 0001-keylime-agent-remove-const_err-deny.patch
  * 0001-Cargo.toml-tss-esapi-bindings.patch
 - Update to version 0.1.0+git.1676549716.5382ed9:
  * Cargo: Update clap minimum version to 3.2
  * Cargo: Update uuid minimum version to 1.3
  * Cargo: Update tokio minimum version to 1.24 and reduce features
  * build(deps): bump tss-esapi from 7.1.0 to 7.2.0
  * cargo deb: include shim.py in packaging
  * build(deps): bump thiserror from 1.0.36 to 1.0.38
  * keylime-agent.conf: Add comments on how to override options
  * config: Fix overriding options with env vars
  * Add missing e2e tests and reordering tests based on alphabetical order
  * e2e tests: Fix test name
  * Store associated U keys, auth tags, and payloads together
  * Refactor ZeroMQ revocation listener to not block
  * keylime-agent: Gracefully shutdown on SIGINT
  * Refactor async code for keys and payloads
  * main: Move payload related functions to payloads module
  * main: Run ZeroMQ service in a separate task
  * Remove unused option "openstack" for obtaining uuid
  * algorithms: fix typo
  * clippy: fix uninlined_format_args warnings
  * clippy: fix needless_borrow warnings
  * crypto, mTLS: allow certificate chain for trusted_client_ca
  * build(deps): bump base64 from 0.13.0 to 0.13.1
  * build(deps): bump serde_json from 1.0.85 to 1.0.91
  * build(deps): bump libc from 0.2.133 to 0.2.139
  * build(deps): bump bumpalo from 3.11.0 to 3.12.0
  * build(deps): bump futures from 0.3.24 to 0.3.25
  * Cargo.toml: tss-esapi bindings
  * packit-ci: Disable Rawhide due to agent compilation issues
  * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
  * keylime-agent: remove const_err deny
  * build(deps): bump tokio from 1.23.0 to 1.24.2
 -------------------------------------------------------------------
 Mon Jan 16 14:02:08 UTC 2023 - aplanas@suse.com
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -25,7 +25,7 @@
  %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.1.0+git.1672681780.762cec8
+Version:        0.1.0+git.1676549716.5382ed9
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@ -38,10 +38,6 @@ Source4:        keylime-user.conf
 Source5:        tmpfiles.keylime
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1:         keylime-agent.conf.diff
 # PATCH-FIX-UPSTREAM 0001-keylime-agent-remove-const_err-deny.patch gh#keylime/rust-keylime#501
 Patch2:         0001-keylime-agent-remove-const_err-deny.patch
 # PATCH-FIX-UPSTREAM 0001-Cargo.toml-tss-esapi-bindings.patch gh#keylime/rust-keylime#502
 Patch3:         0001-Cargo.toml-tss-esapi-bindings.patch
 BuildRequires:  cargo-packaging
 BuildRequires:  clang
 BuildRequires:  firewall-macros
@ -49,7 +45,6 @@ BuildRequires:  libarchive-devel
 BuildRequires:  rust
 BuildRequires:  sysuser-tools
 BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  zeromq-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
 Requires:       tpm2.0-abrmd
@ -70,18 +65,12 @@ mkdir .cargo
 cp %{SOURCE2} .cargo/config
 %build
-%{cargo_build} --no-default-features --features "with-zmq"
+%{cargo_build} --no-default-features
 %sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
 %install
-# If https://github.com/Firstyear/cargo-packaging/pull/3 gets merged,
+%{cargo_install -p keylime-agent} --no-default-features
-# replace it with:
+%{cargo_install -p keylime-ima-emulator}
 #
 #  #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"
 #  #{cargo_install -p keylime-ima-emulator}
 install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_agent %{buildroot}%{_bindir}/keylime_agent
 install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_ima_emulator %{buildroot}%{_bindir}/keylime_ima_emulator
 install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
 install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:89e4102d09cff722290c9c3e1cc18b02dd3edb7f893039b1190b41c6cb213c17
+oid sha256:87478d2ed42d4b9b50c20a680c3b40fcc06dbbb8b6d9554ef9bb29d548e9073f
-size 26221436
+size 25855860