From f28d5713918f41194df2322a96c68a759f9deb42 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 12 Jun 2024 11:17:32 +0200 Subject: [PATCH] Update to upstream version 0.2.5 Resolves: RHEL-38409 Signed-off-by: Anderson Toshiyuki Sasaki --- .gitignore | 2 + keylime-agent-rust.spec | 32 ++- rust-keylime-metadata.patch | 26 +- ...me-support-hostnames-in-registrar-ip.patch | 242 ++++++++++++++++++ rust-keylime-unnecessary-qualifications.patch | 142 ++++++++++ sources | 4 +- 6 files changed, 426 insertions(+), 22 deletions(-) create mode 100644 rust-keylime-support-hostnames-in-registrar-ip.patch create mode 100644 rust-keylime-unnecessary-qualifications.patch diff --git a/.gitignore b/.gitignore index 9f6f3bd..769e785 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ /rust-keylime-0.2.1-vendor.tar.xz /v0.2.2.tar.gz /rust-keylime-0.2.2-vendor.tar.xz +/rust-keylime-0.2.5-vendor.tar.xz +/v0.2.5.tar.gz diff --git a/keylime-agent-rust.spec b/keylime-agent-rust.spec index 9d2a1e0..f54d171 100644 --- a/keylime-agent-rust.spec +++ b/keylime-agent-rust.spec @@ -15,7 +15,7 @@ %endif Name: keylime-agent-rust -Version: 0.2.2 +Version: 0.2.5 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Summary: Rust agent for Keylime 
@@ -53,9 +53,17 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz # --exclude-crate-path "libloading#tests" # tar jcf rust-keylime-%%{version}-vendor.tar.xz vendor Source1: rust-keylime-%{version}-vendor.tar.xz -## Patches for building from system Rust libraries (Fedora) +## (0-99) General patches +# Fix build with latest rust: https://github.com/keylime/rust-keylime/pull/789 +# and https://github.com/keylime/rust-keylime/pull/793 +Patch0: rust-keylime-unnecessary-qualifications.patch +# Fix regression to support hostname in registrar_ip configuration option +# https://github.com/keylime/rust-keylime/pull/797 +Patch1: rust-keylime-support-hostnames-in-registrar-ip.patch +## (100-199) Patches for building from system Rust libraries (Fedora) # Drop completely the legacy-python-actions feature -Patch1: rust-keylime-metadata.patch +Patch100: rust-keylime-metadata.patch +## (200+) Patches for building from vendored Rust libraries (RHEL) ExclusiveArch: %{rust_arches} @@ -87,13 +95,14 @@ Conflicts: keylime-agent Rust agent for Keylime %prep -%autosetup -n rust-keylime-%{version} -N +%autosetup -n rust-keylime-%{version} -N %{?bundled_rust_deps:-a1} +%autopatch -M 99 -p1 %if 0%{?bundled_rust_deps} # Source1 is vendored dependencies -%cargo_prep -V 1 -%autopatch -m 100 -p1 +%cargo_prep -v vendor +%autopatch -m 200 -p1 %else -%autopatch -M 99 -p1 +%autopatch -m 100 -M 199 -p1 %cargo_prep %generate_buildrequires %cargo_generate_buildrequires @@ -101,6 +110,11 @@ Rust agent for Keylime %build %cargo_build +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if 0%{?bundled_rust_deps} +%cargo_vendor_manifest +%endif %install @@ -148,6 +162,10 @@ chown -R keylime:keylime %{_sysconfdir}/keylime %files %license LICENSE +%license LICENSE.dependencies +%if 0%{?bundled_rust_deps} +%license cargo-vendor.txt +%endif %doc README.md %attr(500,keylime,keylime) %dir %{_sysconfdir}/keylime %attr(500,keylime,keylime) %dir %{_sysconfdir}/keylime/agent.conf.d 
diff --git a/rust-keylime-metadata.patch b/rust-keylime-metadata.patch index 3fb3c7b..15f4103 100644 --- a/rust-keylime-metadata.patch +++ b/rust-keylime-metadata.patch @@ -1,16 +1,5 @@ ---- a/keylime-agent/Cargo.toml 2023-07-13 17:19:34.757045275 +0200 -+++ b/keylime-agent/Cargo.toml 2023-07-13 17:46:40.031264398 +0200 -@@ -21,8 +21,8 @@ - libc = "0.2.43" - log = "0.4" - openssl = "0.10.15" --picky-asn1-der = "0.3.1" --picky-asn1-x509 = "0.6.1" -+picky-asn1-der = "0.3" -+picky-asn1-x509 = "0.7" - pretty_env_logger = "0.4" - reqwest = {version = "0.11", default-features = false, features = ["json"]} - serde = "1.0.80" +--- a/keylime-agent/Cargo.toml 2024-01-31 10:25:42.291841679 +0100 ++++ b/keylime-agent/Cargo.toml 2024-01-31 10:28:02.795282892 +0100 @@ -48,18 +48,6 @@ default = [] # this should change to dev-dependencies when we have integration testing @@ -30,3 +19,14 @@ [package.metadata.deb] section = "net" +--- a/Cargo.toml 2024-05-02 11:18:17.351856756 +0200 ++++ b/Cargo.toml 2024-05-02 11:18:23.930839679 +0200 +@@ -16,7 +16,7 @@ + [workspace.dependencies] + actix-rt = "2" + actix-web = { version = "4", default-features = false, features = ["macros", "openssl"] } +-base64 = "0.21" ++base64 = "0.22" + cfg-if = "1" + clap = { version = "4.3", features = ["derive"] } + config = { version = "0.13", default-features = false, features = ["toml"] } diff --git a/rust-keylime-support-hostnames-in-registrar-ip.patch b/rust-keylime-support-hostnames-in-registrar-ip.patch new file mode 100644 index 0000000..029e634 --- /dev/null +++ b/rust-keylime-support-hostnames-in-registrar-ip.patch 
@@ -0,0 +1,242 @@ +From d4becf39196aa17583b02ad21cadcfe606d49a86 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 28 May 2024 15:44:29 +0200 +Subject: [PATCH] config: Support hostnames in registrar_ip option + +This restores previous behavior where hostnames could be used to set the +'registrar_ip' configuration option. + +The configuration will try to parse the input configuration string as an +IP and in case of failure, try to parse the string as a hostname. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + keylime-agent/src/config.rs | 9 ++- + keylime-agent/src/error.rs | 4 ++ + keylime-agent/src/registrar_agent.rs | 40 ++++++++---- + keylime/src/hostname.pest | 2 + + keylime/src/hostname_parser.rs | 94 ++++++++++++++++++++++++++++ + keylime/src/lib.rs | 1 + + 6 files changed, 136 insertions(+), 14 deletions(-) + create mode 100644 keylime/src/hostname.pest + create mode 100644 keylime/src/hostname_parser.rs + +diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs +index 03a6fa57..7ed5c70f 100644 +--- a/keylime-agent/src/config.rs ++++ b/keylime-agent/src/config.rs +@@ -9,6 +9,7 @@ use config::{ + use glob::glob; + use keylime::{ + algorithms::{EncryptionAlgorithm, HashAlgorithm, SignAlgorithm}, ++ hostname_parser::parse_hostname, + ip_parser::parse_ip, + list_parser::parse_list, + }; +@@ -856,8 +857,12 @@ fn config_translate_keywords( + + let ip = parse_ip(config.agent.ip.as_ref())?.to_string(); + let contact_ip = parse_ip(config.agent.contact_ip.as_ref())?.to_string(); +- let registrar_ip = +- parse_ip(config.agent.registrar_ip.as_ref())?.to_string(); ++ let registrar_ip = match parse_ip(config.agent.registrar_ip.as_ref()) { ++ Ok(ip) => ip.to_string(), ++ Err(_) => { ++ parse_hostname(config.agent.registrar_ip.as_ref())?.to_string() ++ } ++ }; + + // Validate the configuration + +diff --git a/keylime-agent/src/error.rs b/keylime-agent/src/error.rs +index 73bbc1a1..c322dcd3 100644 +--- a/keylime-agent/src/error.rs ++++ 
b/keylime-agent/src/error.rs +@@ -47,6 +47,10 @@ pub(crate) enum Error { + Io(#[from] std::io::Error), + #[error("Failed to parse IP")] + IpParserError(#[from] keylime::ip_parser::IpParsingError), ++ #[error("Failed to parse hostname")] ++ HostnameParserError( ++ #[from] keylime::hostname_parser::HostnameParsingError, ++ ), + #[error("Text decoding error: {0}")] + Utf8(#[from] std::string::FromUtf8Error), + #[error("Secure Mount error: {0})")] +diff --git a/keylime-agent/src/registrar_agent.rs b/keylime-agent/src/registrar_agent.rs +index da75cf7e..0905ec19 100644 +--- a/keylime-agent/src/registrar_agent.rs ++++ b/keylime-agent/src/registrar_agent.rs +@@ -84,12 +84,20 @@ pub(crate) async fn do_activate_agent( + ) -> crate::error::Result<()> { + let data = Activate { auth_tag }; + +- // Add brackets if the address is IPv6 +- let parsed_ip = registrar_ip.parse::()?; +- let remote_ip = if parsed_ip.is_ipv6() { +- format!("[{registrar_ip}]") +- } else { +- registrar_ip.to_string() ++ let remote_ip = match registrar_ip.parse::() { ++ Ok(addr) => { ++ // Add brackets if the address is IPv6 ++ if addr.is_ipv6() { ++ format!("[{registrar_ip}]") ++ } else { ++ registrar_ip.to_string() ++ } ++ } ++ Err(_) => { ++ // The registrar_ip option can also be a hostname. If it is the case, the hostname was ++ // already validated during configuration ++ registrar_ip.to_string() ++ } + }; + + #[cfg(test)] +@@ -173,12 +181,20 @@ pub(crate) async fn do_register_agent( + port: Some(port), + }; + +- // Add brackets if the address is IPv6 +- let parsed_ip = registrar_ip.parse::()?; +- let remote_ip = if parsed_ip.is_ipv6() { +- format!("[{registrar_ip}]") +- } else { +- registrar_ip.to_string() ++ let remote_ip = match registrar_ip.parse::() { ++ Ok(addr) => { ++ // Add brackets if the address is IPv6 ++ if addr.is_ipv6() { ++ format!("[{registrar_ip}]") ++ } else { ++ registrar_ip.to_string() ++ } ++ } ++ Err(_) => { ++ // The registrar_ip option can also be a hostname. 
If it is the case, the hostname was ++ // already validated during configuration ++ registrar_ip.to_string() ++ } + }; + + #[cfg(test)] +diff --git a/keylime/src/hostname.pest b/keylime/src/hostname.pest +new file mode 100644 +index 00000000..6e7c54e4 +--- /dev/null ++++ b/keylime/src/hostname.pest +@@ -0,0 +1,2 @@ ++hostname = {SOI ~ label ~ ("." ~ label)* ~ EOI} ++label = { ASCII_ALPHANUMERIC+ ~ ("-"+ ~ ASCII_ALPHANUMERIC+)*} +diff --git a/keylime/src/hostname_parser.rs b/keylime/src/hostname_parser.rs +new file mode 100644 +index 00000000..dbf971a6 +--- /dev/null ++++ b/keylime/src/hostname_parser.rs +@@ -0,0 +1,94 @@ ++// SPDX-License-Identifier: Apache-2.0 ++// Copyright 2024 Keylime Authors ++ ++use pest::Parser; ++use pest_derive::Parser; ++use thiserror::Error; ++ ++#[derive(Parser)] ++#[grammar = "hostname.pest"] ++pub struct HostnameParser; ++ ++#[derive(Error, Debug)] ++pub enum HostnameParsingError { ++ #[error("Invalid input {0}")] ++ InvalidInput(String), ++ ++ #[error("failed to parse the input {input}")] ++ ParseError { ++ input: String, ++ source: Box>, ++ }, ++} ++ ++/// Parses a hostname from a string slice following RFC-1123 ++/// ++/// Valid hostnames are formed by labels separated by dots ('.'). ++/// ++/// The labels can only contain alphanumeric characters ('a'..'z' | 'A'..'Z' | '0'..'9') and the ++/// hyphen ('-'). The labels cannot begin or end with an hyphen. 
++/// ++/// # Arguments ++/// ++/// * `hostname` the string to be parsed ++/// ++/// # Returns ++/// ++/// The obtained hostname as a &str if it is a valid hostname ++/// ++/// # Examples ++/// ++/// Valid hostnames: ++/// ++/// * `hostname` ++/// * `host-name` ++/// * `a.b.c` ++/// * `a-b.c-d.e-f` ++/// ++/// Invalid hostnames: ++/// ++/// * `a_b.c` ++/// * `a.b-.c` ++/// * `a.-b.c` ++pub fn parse_hostname(hostname: &str) -> Result<&str, HostnameParsingError> { ++ let Some(pair) = HostnameParser::parse(Rule::hostname, hostname) ++ .map_err(|e| HostnameParsingError::ParseError { ++ input: hostname.to_string(), ++ source: Box::new(e), ++ })? ++ .next() ++ else { ++ return Err(HostnameParsingError::InvalidInput(hostname.to_string())); ++ }; ++ return Ok(pair.as_str()); ++} ++ ++// Unit Testing ++#[cfg(test)] ++mod tests { ++ use super::*; ++ ++ #[test] ++ fn test_parse_hostname() { ++ // Sanity: most common case ++ assert_eq!(parse_hostname("hostname").unwrap(), "hostname"); //#[allow_ci] ++ assert_eq!(parse_hostname("ab.cd.ef").unwrap(), "ab.cd.ef"); //#[allow_ci] ++ assert_eq!(parse_hostname("ab-cd-ef").unwrap(), "ab-cd-ef"); //#[allow_ci] ++ ++ // More advanced cases ++ assert_eq!( ++ parse_hostname("hostname-123.test").unwrap(), //#[allow_ci] ++ "hostname-123.test" ++ ); ++ assert_eq!(parse_hostname("123-456.789").unwrap(), "123-456.789"); //#[allow_ci] ++ assert_eq!(parse_hostname("1----9").unwrap(), "1----9"); //#[allow_ci] ++ ++ // Invalid input ++ assert!(parse_hostname("-host-na.me").is_err()); ++ assert!(parse_hostname("host-na.me-").is_err()); ++ assert!(parse_hostname(".host-na.me").is_err()); ++ assert!(parse_hostname("host-na.me.").is_err()); ++ assert!(parse_hostname("host_name").is_err()); ++ assert!(parse_hostname("host..name").is_err()); ++ } ++} +diff --git a/keylime/src/lib.rs b/keylime/src/lib.rs +index 3f0213eb..791729e1 100644 +--- a/keylime/src/lib.rs ++++ b/keylime/src/lib.rs +@@ -1,5 +1,6 @@ + pub mod algorithms; + pub mod crypto; ++pub mod 
hostname_parser; + pub mod ima; + pub mod ip_parser; + pub mod list_parser; diff --git a/rust-keylime-unnecessary-qualifications.patch b/rust-keylime-unnecessary-qualifications.patch new file mode 100644 index 0000000..85de483 --- /dev/null +++ b/rust-keylime-unnecessary-qualifications.patch 
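Review bot: In `config_translate_keywords` the new `Err(_)` arm discards the IP parse error and retries the same string as a hostname, and `hostname.pest` accepts all-numeric labels (the tests treat `123-456.789` as valid). A mistyped address such as `256.1.1.1` would therefore appear to pass validation as a hostname and go to name resolution instead of being rejected; `parse_ip` itself is not shown, so this is inferred from the fall-through. For an attestation agent that must reach the intended registrar, I would log at warn level whenever `registrar_ip` is taken as a hostname, and consider rejecting inputs whose labels are all digits. The doc comment on `parse_hostname` also says it follows RFC-1123, but nothing enforces the 63-octet label and 253-octet name limits; a guard such as `if hostname.len() > 253 || hostname.split('.').any(|l| l.len() > 63) { return Err(HostnameParsingError::InvalidInput(hostname.to_string())); }` before the pest call would make the claim true. The trailing `return Ok(pair.as_str());` can be the plain expression `Ok(pair.as_str())`, and the body of `config_translate_keywords` continues outside the hunk.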
@@ -0,0 +1,142 @@ +From c91fba3382867737d194dfedf85cae7ee133c9e3 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Wed, 8 May 2024 14:13:47 +0200 +Subject: [PATCH] Fix 'unnecessary qualification' warnings + +Newer versions of the rust compiler generates warnings when symbols are +over-specified. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + keylime-agent/src/payloads.rs | 2 +- + keylime-agent/src/revocation.rs | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs +index 5c40125f..d42918c8 100644 +--- a/keylime-agent/src/payloads.rs ++++ b/keylime-agent/src/payloads.rs +@@ -222,7 +222,7 @@ async fn run_encrypted_payload( + let action_file = unzipped.join("action_list"); + + if action_file.exists() { +- let action_data = std::fs::read_to_string(&action_file) ++ let action_data = fs::read_to_string(&action_file) + .expect("unable to read action_list"); + + action_data +diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs +index e5ffaade..c48116b1 100644 +--- a/keylime-agent/src/revocation.rs ++++ b/keylime-agent/src/revocation.rs +@@ -203,7 +203,7 @@ fn run_revocation_actions( + let action_file = unzipped.join("action_list"); + + if action_file.exists() { +- action_data = std::fs::read_to_string(&action_file) ++ action_data = fs::read_to_string(&action_file) + .expect("unable to read action_list"); + + let file_actions = parse_list(&action_data)?; +@@ -528,7 +528,7 @@ mod tests { + env!("CARGO_MANIFEST_DIR"), + "/tests/unzipped/test_ok.json" + ); +- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci] ++ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci] + let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci] + let actions_dir = + &Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/"); +@@ -567,7 +567,7 @@ mod tests { + env!("CARGO_MANIFEST_DIR"), + 
"/tests/unzipped/test_err.json" + ); +- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci] ++ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci] + let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci] + let actions_dir = + &Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/"); +@@ -602,7 +602,7 @@ mod tests { + let revocation_actions = "local_action_stand_alone.py, local_action_rev_script1.py"; + } + } +- let json_str = std::fs::read_to_string(json_file).unwrap(); //#[allow_ci] ++ let json_str = fs::read_to_string(json_file).unwrap(); //#[allow_ci] + let json = serde_json::from_str(&json_str).unwrap(); //#[allow_ci] + let actions_dir = + &Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/actions/"); +From 96d4bd4349518f173ede77cc5986e5e425f621ba Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 21 May 2024 15:55:36 +0200 +Subject: [PATCH] Fix leftover 'unnecessary qualification' warnings on tests + +Fix leftover 'unnecessary qualification' warnings generated when running +the tests ('cargo test --features=testing') with newer rust compilers. 
+ +Signed-off-by: Anderson Toshiyuki Sasaki +--- + keylime-agent/src/errors_handler.rs | 4 ++-- + keylime-agent/src/keys_handler.rs | 5 +---- + keylime-agent/src/main.rs | 4 ++-- + 3 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/keylime-agent/src/errors_handler.rs b/keylime-agent/src/errors_handler.rs +index b0fa4c24..48ea2ffb 100644 +--- a/keylime-agent/src/errors_handler.rs ++++ b/keylime-agent/src/errors_handler.rs +@@ -266,7 +266,7 @@ pub(crate) fn wrap_404( + #[cfg(test)] + mod tests { + use super::*; +- use actix_web::{middleware, test, App, Resource}; ++ use actix_web::{test, App, Resource}; + use core::future::Future; + use serde::{Deserialize, Serialize}; + use serde_json::{json, Value}; +@@ -379,7 +379,7 @@ mod tests { + let mut app = test::init_service( + App::new() + .wrap( +- middleware::ErrorHandlers::new() ++ ErrorHandlers::new() + .handler(http::StatusCode::NOT_FOUND, wrap_404), + ) + .app_data( +diff --git a/keylime-agent/src/keys_handler.rs b/keylime-agent/src/keys_handler.rs +index 6f4489d3..3407deeb 100644 +--- a/keylime-agent/src/keys_handler.rs ++++ b/keylime-agent/src/keys_handler.rs +@@ -970,10 +970,7 @@ mod tests { + + // Send Shutdown message to the workers for a graceful shutdown + keys_tx.send((KeyMessage::Shutdown, None)).await.unwrap(); //#[allow_ci] +- payload_tx +- .send(payloads::PayloadMessage::Shutdown) +- .await +- .unwrap(); //#[allow_ci] ++ payload_tx.send(PayloadMessage::Shutdown).await.unwrap(); //#[allow_ci] + arbiter.join(); + } + +diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs +index f0713f9b..77f84cd3 100644 +--- a/keylime-agent/src/main.rs ++++ b/keylime-agent/src/main.rs +@@ -1066,7 +1066,7 @@ mod testing { + + /// CryptoTest error + #[error("CryptoTestError")] +- CryptoTestError(#[from] crate::crypto::testing::CryptoTestError), ++ CryptoTestError(#[from] crypto::testing::CryptoTestError), + + /// IO error + #[error("IOError")] +@@ -1078,7 +1078,7 @@ mod testing { + + /// TPM error + 
#[error("TPMError")] +- TPMError(#[from] keylime::tpm::TpmError), ++ TPMError(#[from] tpm::TpmError), + + /// TSS esapi error + #[error("TSSError")] diff --git a/sources b/sources index 702beba..a0fc54a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (v0.2.2.tar.gz) = d83dbece1e850383fe98dec7ab2c473cdad46193d0f31eba25ae0a75928df94ee00fa8ee656806f356fcccbc36a5b6f417c1029a1f6a3a0974186197826eb4cc -SHA512 (rust-keylime-0.2.2-vendor.tar.xz) = 2b7de85d6250161d6fccfbc70700c8561114c37698cf5ed328545a1934b1f6b3b92d7c62d3aca93d20c1c474e870c17441d02a60b407d80aee18d80a2addc8c2 +SHA512 (rust-keylime-0.2.5-vendor.tar.xz) = 96aba845b075f2ff638a2f82da8606ed44d9df7084318ed9bbfa9b781df6b862b3b1c54b609333cfda8f42c168b2f211699e3d3a28b19cb4432b4b05db384d1e +SHA512 (v0.2.5.tar.gz) = 3f36e3e248ff29dcbcbe77516f4edad7fa15a4e2fbdff5bc488393bb562abcc7c976712bc8cbdb4b397ee571d8652d9d8ad1c18740c92c1458176f218d067d39
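Review bot: The `fs::read_to_string(&action_file).expect("unable to read action_list")` calls touched in `run_encrypted_payload` (payloads.rs) and `run_revocation_actions` (revocation.rs) still panic if `action_list` vanishes after the `exists()` check, is unreadable, or is not valid UTF-8. That file is read from the `unzipped` directory, so its content appears to come from the delivered payload, and a malformed one should produce an error rather than abort the task. In revocation.rs the next line already uses `?`, so `action_data = fs::read_to_string(&action_file)?;` looks like a drop-in replacement, provided the function's error type converts from `std::io::Error`. The agent's `Error` enum does carry `Io(#[from] std::io::Error)`, but the signature is outside the hunk. The payloads.rs site would need the same change adapted to its return type; both function bodies extend beyond the hunks shown.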