rpms/keylime-agent-rust
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2d2ad77dbe
keylime-agent-rust/0004-Clippy-fixes.patch
Sergio Correia 2d2ad77dbe
Enable different key sizes and curves for EK and AK 
Resolves: RHEL-1951

Signed-off-by: Sergio Correia <scorreia@redhat.com>
2025-09-29 22:59:09 +00:00

558 lines
23 KiB
Diff
Raw Blame History

From dc36c72e75c9b3ab36693b59252e3246ef53d5fb Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 29 Sep 2025 22:45:55 +0000
Subject: [PATCH 4/6] Clippy fixes
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
keylime-agent/src/config.rs | 13 ++++++-------
keylime-agent/src/keys_handler.rs | 4 ++--
keylime-agent/src/main.rs | 10 +++++-----
keylime-agent/src/payloads.rs | 12 ++++++------
keylime-agent/src/permissions.rs | 14 +++++++-------
keylime-agent/src/quotes_handler.rs | 16 ++++++++--------
keylime-agent/src/revocation.rs | 15 +++++++--------
keylime-agent/src/secure_mount.rs | 6 +++---
keylime/src/crypto.rs | 12 ++++++------
keylime/src/ima/entry.rs | 7 +++----
keylime/src/registrar_client.rs | 2 +-
keylime/src/tpm.rs | 14 +++++---------
12 files changed, 59 insertions(+), 66 deletions(-)
diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs
index 21c0516..f1fe7d1 100644
--- a/keylime-agent/src/config.rs
+++ b/keylime-agent/src/config.rs
@@ -614,8 +614,10 @@ fn config_translate_keywords(
.collect::<Vec<String>>()
.join(", "),
"latest" => {
- if let Some(version) =
- SUPPORTED_API_VERSIONS.iter().map(|&s| s.to_string()).last()
+ if let Some(version) = SUPPORTED_API_VERSIONS
+ .iter()
+ .map(|&s| s.to_string())
+ .next_back()
{
version
} else {
@@ -980,7 +982,7 @@ mod tests {
let expected = SUPPORTED_API_VERSIONS
.iter()
.map(|e| e.to_string())
- .last()
+ .next_back()
.unwrap(); //#[allow_ci]
assert_eq!(version, expected);
}
@@ -1273,10 +1275,7 @@ mod tests {
let j = obtained.get(i).unwrap(); //#[allow_ci]
assert!(
e.to_string() == j.to_string(),
- "Option {} mismatch: expected == '{}', obtained == '{}'",
- i,
- e,
- j
+ "Option {i} mismatch: expected == '{e}', obtained == '{j}'"
);
}
}
diff --git a/keylime-agent/src/keys_handler.rs b/keylime-agent/src/keys_handler.rs
index 447f0d1..a4c9f21 100644
--- a/keylime-agent/src/keys_handler.rs
+++ b/keylime-agent/src/keys_handler.rs
@@ -327,7 +327,7 @@ async fn pubkey(
HttpResponse::Ok().json(response)
}
Err(e) => {
- debug!("Unable to retrieve public key: {:?}", e);
+ debug!("Unable to retrieve public key: {e:?}");
HttpResponse::InternalServerError().json(JsonWrapper::error(
500,
"Unable to retrieve public key".to_string(),
@@ -411,7 +411,7 @@ async fn verify(
HttpResponse::Ok().json(response)
}
Err(e) => {
- warn!("GET key challenge failed: {:?}", e);
+ warn!("GET key challenge failed: {e:?}");
HttpResponse::InternalServerError().json(JsonWrapper::error(
500,
"GET key challenge failed".to_string(),
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
index 9e3d727..be51a21 100644
--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
@@ -269,7 +269,7 @@ async fn main() -> Result<()> {
config::KeylimeConfigError::Generic(message),
));
}
- info!("Running the service as {}...", user_group);
+ info!("Running the service as {user_group}...");
}
// Parse the configured API versions
@@ -403,7 +403,7 @@ async fn main() -> Result<()> {
}
}
Err(e) => {
- warn!("Could not load agent data: {}", e);
+ warn!("Could not load agent data: {e}");
None
}
}
@@ -442,7 +442,7 @@ async fn main() -> Result<()> {
path => agent_data_new.store(Path::new(&path))?,
}
- info!("Agent UUID: {}", agent_uuid);
+ info!("Agent UUID: {agent_uuid}");
// If using IAK/IDevID is enabled, obtain IAK/IDevID and respective certificates
let mut device_id = if config.agent.enable_iak_idevid {
@@ -595,7 +595,7 @@ async fn main() -> Result<()> {
) {
Ok(t) => Ok(t),
Err(e) => {
- error!("Failed to load trusted CA certificates: {}", e);
+ error!("Failed to load trusted CA certificates: {e}");
Err(e)
}
}?;
@@ -833,7 +833,7 @@ async fn main() -> Result<()> {
Ok(ip_addr) => {
// Add bracket if IPv6, otherwise use as it is
if ip_addr.is_ipv6() {
- format!("[{}]", ip_addr)
+ format!("[{ip_addr}]")
} else {
ip_addr.to_string()
}
diff --git a/keylime-agent/src/payloads.rs b/keylime-agent/src/payloads.rs
index 3b8873d..8996a5e 100644
--- a/keylime-agent/src/payloads.rs
+++ b/keylime-agent/src/payloads.rs
@@ -109,14 +109,14 @@ fn write_out_key_and_payload(
if bytes != key.as_ref().len() {
return Err(Error::Other(format!("Error writing symm key to {:?}: key len is {}, but {bytes} bytes were written", key_path, key.as_ref().len())));
}
- info!("Wrote payload decryption key to {:?}", key_path);
+ info!("Wrote payload decryption key to {key_path:?}");
let mut dec_payload_file = fs::File::create(dec_payload_path)?;
let bytes = dec_payload_file.write(dec_payload)?;
if bytes != dec_payload.len() {
return Err(Error::Other(format!("Error writing decrypted payload to {:?}: payload len is {}, but {bytes} bytes were written", dec_payload_path, dec_payload.len())));
}
- info!("Wrote decrypted payload to {:?}", dec_payload_path);
+ info!("Wrote decrypted payload to {dec_payload_path:?}");
Ok(())
}
@@ -124,7 +124,7 @@ fn write_out_key_and_payload(
// run a script (such as the init script, if any) and check the status
fn run(dir: &Path, script: &str) -> Result<()> {
let script_path = dir.join(script);
- info!("Running script: {:?}", script_path);
+ info!("Running script: {script_path:?}");
if !script_path.exists() {
info!("No payload script {script} found in {}", dir.display());
@@ -176,7 +176,7 @@ fn optional_unzip_payload(
dec_file => {
let zipped_payload_path = unzipped.join(dec_file);
- info!("Unzipping payload {} to {:?}", dec_file, unzipped);
+ info!("Unzipping payload {dec_file} to {unzipped:?}");
let mut source = fs::File::open(zipped_payload_path)?;
let mut zip = ZipArchive::new(source)?;
@@ -215,7 +215,7 @@ async fn run_encrypted_payload(
info!("No payload script specified, skipping");
}
script => {
- info!("Payload init script indicated: {}", script);
+ info!("Payload init script indicated: {script}");
run(&unzipped, script)?;
}
}
@@ -304,7 +304,7 @@ pub(crate) async fn worker(
info!("Successfully executed encrypted payload");
}
Err(e) => {
- warn!("Failed to run encrypted payload: {}", e);
+ warn!("Failed to run encrypted payload: {e}");
}
}
}
diff --git a/keylime-agent/src/permissions.rs b/keylime-agent/src/permissions.rs
index aa240d9..4b8ac9a 100644
--- a/keylime-agent/src/permissions.rs
+++ b/keylime-agent/src/permissions.rs
@@ -38,7 +38,7 @@ impl TryFrom<&str> for UserIds {
if parts.len() != 2 {
let e = format!("Invalid parameter format: {value} cannot be parsed as 'user:group'");
- error!("{}", e);
+ error!("{e}");
return Err(Error::Conversion(e));
}
@@ -50,7 +50,7 @@ impl TryFrom<&str> for UserIds {
let p = unsafe { libc::getgrnam(g_cstr.as_ptr()) };
if p.is_null() {
let e = io::Error::last_os_error();
- error!("Could not get group {}: {}", group, e);
+ error!("Could not get group {group}: {e}");
return Err(Error::Conversion(e.to_string()));
}
unsafe { (*p) }
@@ -65,7 +65,7 @@ impl TryFrom<&str> for UserIds {
let p = unsafe { libc::getpwnam(u_cstr.as_ptr()) };
if p.is_null() {
let e = io::Error::last_os_error();
- error!("Could not get user {}: {}", user, e);
+ error!("Could not get user {user}: {e}");
return Err(Error::Conversion(e.to_string()));
}
unsafe { (*p) }
@@ -91,7 +91,7 @@ pub(crate) fn run_as(user_group: &str) -> Result<()> {
// Set gid
if unsafe { libc::setgid(ids.group.gr_gid) } != 0 {
let e = io::Error::last_os_error();
- error!("Could not set group id: {}", e);
+ error!("Could not set group id: {e}");
return Err(Error::Permission);
}
@@ -127,18 +127,18 @@ pub(crate) fn run_as(user_group: &str) -> Result<()> {
if unsafe { libc::setgroups(ngroups as usize, sup_groups.as_ptr()) } != 0
{
let e = io::Error::last_os_error();
- error!("Could not set supplementary groups: {}", e);
+ error!("Could not set supplementary groups: {e}");
return Err(Error::Permission);
}
// Set uid
if unsafe { libc::setuid(ids.passwd.pw_uid) } != 0 {
let e = io::Error::last_os_error();
- error!("Could not set user id: {}", e);
+ error!("Could not set user id: {e}");
return Err(Error::Permission);
}
- info!("Dropped privileges to run as {}", user_group);
+ info!("Dropped privileges to run as {user_group}");
Ok(())
}
diff --git a/keylime-agent/src/quotes_handler.rs b/keylime-agent/src/quotes_handler.rs
index a49dcc4..d61adf2 100644
--- a/keylime-agent/src/quotes_handler.rs
+++ b/keylime-agent/src/quotes_handler.rs
@@ -95,7 +95,7 @@ async fn identity(
) {
Ok(quote) => quote,
Err(e) => {
- debug!("Unable to retrieve quote: {:?}", e);
+ debug!("Unable to retrieve quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -116,7 +116,7 @@ async fn identity(
match crypto::pkey_pub_to_pem(&data.pub_key) {
Ok(pubkey) => quote.pubkey = Some(pubkey),
Err(e) => {
- debug!("Unable to retrieve public key for quote: {:?}", e);
+ debug!("Unable to retrieve public key for quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -193,7 +193,7 @@ async fn integrity(
let pubkey = match crypto::pkey_pub_to_pem(&data.pub_key) {
Ok(pubkey) => pubkey,
Err(e) => {
- debug!("Unable to retrieve public key: {:?}", e);
+ debug!("Unable to retrieve public key: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -242,7 +242,7 @@ async fn integrity(
) {
Ok(tpm_quote) => tpm_quote,
Err(e) => {
- debug!("Unable to retrieve quote: {:?}", e);
+ debug!("Unable to retrieve quote: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -268,7 +268,7 @@ async fn integrity(
let mut ml = Vec::<u8>::new();
let mut f = measuredboot_ml_file.lock().unwrap(); //#[allow_ci]
if let Err(e) = f.rewind() {
- debug!("Failed to rewind measured boot file: {}", e);
+ debug!("Failed to rewind measured boot file: {e}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -279,14 +279,14 @@ async fn integrity(
mb_measurement_list = match f.read_to_end(&mut ml) {
Ok(_) => Some(general_purpose::STANDARD.encode(ml)),
Err(e) => {
- warn!("Could not read TPM2 event log: {}", e);
+ warn!("Could not read TPM2 event log: {e}");
None
}
};
}
}
Err(e) => {
- debug!("Unable to check PCR mask: {:?}", e);
+ debug!("Unable to check PCR mask: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
@@ -309,7 +309,7 @@ async fn integrity(
(Some(result.0), Some(result.1), Some(result.2))
}
Err(e) => {
- debug!("Unable to read measurement list: {:?}", e);
+ debug!("Unable to read measurement list: {e:?}");
return HttpResponse::InternalServerError().json(
JsonWrapper::error(
500,
diff --git a/keylime-agent/src/revocation.rs b/keylime-agent/src/revocation.rs
index fae5a9c..738c12a 100644
--- a/keylime-agent/src/revocation.rs
+++ b/keylime-agent/src/revocation.rs
@@ -124,7 +124,7 @@ pub(crate) fn run_action(
allow_payload_actions,
)?;
- info!("Executing revocation action {}", action);
+ info!("Executing revocation action {action}");
// Write JSON argument to a temporary file
let raw_json = serde_json::value::to_raw_value(&json)?;
@@ -171,7 +171,7 @@ pub(crate) fn run_action(
return Err(output.try_into()?);
}
- info!("INFO: revocation action {} successful", action);
+ info!("INFO: revocation action {action} successful");
Ok(output)
}
@@ -233,7 +233,7 @@ fn run_revocation_actions(
let msg = format!(
"error executing revocation script {action}: {e:?}"
);
- error!("{}", msg);
+ error!("{msg}");
return Err(Error::Script(
action.to_string(),
e.exe_code()?,
@@ -273,8 +273,7 @@ fn process_revocation(
let msg_payload: Value = serde_json::from_str(msg)?;
debug!(
- "Revocation signature validated for revocation: {}",
- msg_payload
+ "Revocation signature validated for revocation: {msg_payload}"
);
let outputs = run_revocation_actions(
@@ -289,11 +288,11 @@ fn process_revocation(
for output in outputs {
if !output.stdout.is_empty() {
let out = String::from_utf8(output.stdout)?;
- info!("Action stdout: {}", out);
+ info!("Action stdout: {out}");
}
if !output.stderr.is_empty() {
let out = String::from_utf8(output.stderr)?;
- warn!("Action stderr: {}", out);
+ warn!("Action stderr: {out}");
}
}
Ok(())
@@ -476,7 +475,7 @@ pub(crate) async fn worker(
info!("Revocation processed successfully");
}
Err(e) => {
- error!("Failed to process revocation: {}", e);
+ error!("Failed to process revocation: {e}");
}
}
}
diff --git a/keylime-agent/src/secure_mount.rs b/keylime-agent/src/secure_mount.rs
index 573d0c9..435fdfc 100644
--- a/keylime-agent/src/secure_mount.rs
+++ b/keylime-agent/src/secure_mount.rs
@@ -47,7 +47,7 @@ fn check_mount(secure_dir: &Path) -> Result<bool> {
return Ok(true);
} else {
let message = format!("Secure storage location {} already mounted on wrong file system type: {}. Unmount to continue.", secure_dir.display(), fs_type);
- error!("Secure mount error: {}", message);
+ error!("Secure mount error: {message}");
return Err(Error::SecureMount(message));
}
} else {
@@ -65,7 +65,7 @@ fn check_mount(secure_dir: &Path) -> Result<bool> {
let message =
"Mount information parsing error: not enough elements"
.to_string();
- error!("Secure mount error: {}", message);
+ error!("Secure mount error: {message}");
return Err(Error::SecureMount(message));
}
}
@@ -96,7 +96,7 @@ pub(crate) fn mount(work_dir: &Path, secure_size: &str) -> Result<PathBuf> {
))
})?;
- info!("Directory {:?} created.", secure_dir_path);
+ info!("Directory {secure_dir_path:?} created.");
let metadata = fs::metadata(&secure_dir_path).map_err(|e| {
Error::SecureMount(format!(
"unable to get metadata for secure dir path: {e:?}"
diff --git a/keylime/src/crypto.rs b/keylime/src/crypto.rs
index 5c951b1..19e651f 100644
--- a/keylime/src/crypto.rs
+++ b/keylime/src/crypto.rs
@@ -399,14 +399,14 @@ pub fn check_x509_key(
.map_err(CryptoError::RSAGetPublicKeyError)?
.n()
.to_vec();
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromRSAError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
@@ -418,14 +418,14 @@ pub fn check_x509_key(
.map_err(CryptoError::RSAGetPublicKeyError)?
.n()
.to_vec();
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromRSAError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
@@ -437,14 +437,14 @@ pub fn check_x509_key(
.map_err(CryptoError::PublicKeyGetECCError)?
.public_key_to_der()
.map_err(CryptoError::PublicKeyToDERError)?;
- let mut cert_n_str = format!("{:?}", cert_n);
+ let mut cert_n_str = format!("{cert_n:?}");
_ = cert_n_str.pop();
_ = cert_n_str.remove(0);
let key = SubjectPublicKeyInfo::try_from(tpm_key.clone())
.map_err(CryptoError::SubjectPublicKeyInfoFromECCError)?;
let key_der = picky_asn1_der::to_vec(&key)
.map_err(CryptoError::SubjectPublicKeyInfoToDERError)?;
- let key_der_str = format!("{:?}", key_der);
+ let key_der_str = format!("{key_der:?}");
Ok(key_der_str.contains(&cert_n_str))
}
diff --git a/keylime/src/ima/entry.rs b/keylime/src/ima/entry.rs
index 1168b3c..982afa7 100644
--- a/keylime/src/ima/entry.rs
+++ b/keylime/src/ima/entry.rs
@@ -431,10 +431,9 @@ impl TryFrom<&str> for Entry {
template_hash,
event_data: Box::new(ImaBuf::try_from(event)?),
}),
- template => Err(Error::new(
- ErrorKind::Other,
- format!("unrecognized template \"{template}\"",),
- )),
+ template => Err(Error::other(format!(
+ "unrecognized template \"{template}\"",
+ ))),
}
}
}
diff --git a/keylime/src/registrar_client.rs b/keylime/src/registrar_client.rs
index dcfcd22..e036845 100644
--- a/keylime/src/registrar_client.rs
+++ b/keylime/src/registrar_client.rs
@@ -320,7 +320,7 @@ impl<'a> RegistrarClientBuilder<'a> {
// Try to reach the registrar
let addr = format!("http://{registrar_ip}:{registrar_port}/version");
- info!("Requesting registrar API version to {}", addr);
+ info!("Requesting registrar API version to {addr}");
let resp = reqwest::Client::new()
.get(&addr)
diff --git a/keylime/src/tpm.rs b/keylime/src/tpm.rs
index 8a8c85a..ac23720 100644
--- a/keylime/src/tpm.rs
+++ b/keylime/src/tpm.rs
@@ -1344,7 +1344,7 @@ impl Context<'_> {
let mut pcrs = read_mask(mask)?;
// add pcr16 if it isn't in the vec already
- if !pcrs.iter().any(|&pcr| pcr == PcrSlot::Slot16) {
+ if !pcrs.contains(&PcrSlot::Slot16) {
let mut slot16 = vec![PcrSlot::Slot16];
pcrs.append(&mut slot16);
}
@@ -1838,9 +1838,7 @@ fn check_if_pcr_data_and_attestation_match(
.map_err(|source| TpmError::OpenSSLHasherFinish { source })?;
log::trace!(
- "Attested to PCR digest: {:?}, read PCR digest: {:?}",
- attested_pcr,
- pcr_digest,
+ "Attested to PCR digest: {attested_pcr:?}, read PCR digest: {pcr_digest:?}",
);
Ok(memcmp::eq(attested_pcr, &pcr_digest))
@@ -1884,12 +1882,11 @@ fn perform_quote_and_pcr_read(
}
log::info!(
- "PCR data and attestation data mismatched on attempt {}",
- attempt
+ "PCR data and attestation data mismatched on attempt {attempt}"
);
}
- log::error!("PCR data and attestation data mismatched on all {} attempts, giving up", NUM_ATTESTATION_ATTEMPTS);
+ log::error!("PCR data and attestation data mismatched on all {NUM_ATTESTATION_ATTEMPTS} attempts, giving up");
Err(TpmError::TooManyAttestationMismatches {
attempts: NUM_ATTESTATION_ATTEMPTS,
})
@@ -2128,8 +2125,7 @@ pub mod testing {
// Always 1 PCR digest should follow
if count != 1 {
return Err(TpmError::InvalidRequest(format!(
- "Expected 1 PCR digest, got {}",
- count
+ "Expected 1 PCR digest, got {count}"
)));
}
--
2.47.3
Reference in New Issue View Git Blame Copy Permalink