import tang-10-4.el9

.gitignore

@@ -0,0 +1 @@
+SOURCES/tang-10.tar.xz

.tang.metadata

@@ -0,0 +1 @@
+18251b04c3fc9f67279b0001983ab564563e7cb3 SOURCES/tang-10.tar.xz

SOURCES/0001-Fix-issues-reported-by-shellcheck.patch

@@ -0,0 +1,155 @@
+From 0b0b1ef7244433cde737cd65d07930efd9667ed1 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 20 May 2021 10:21:21 -0300
+Subject: [PATCH 1/2] Fix issues reported by shellcheck
+
+Additionally, improve testing of these scripts.
+---
+ src/tang-show-keys    |  5 ++---
+ src/tangd-keygen      | 17 ++++++++++-------
+ src/tangd-rotate-keys |  6 +++---
+ tests/adv             | 20 ++++++++++++++++++++
+ tests/helpers         | 15 +++++++++++++++
+ 5 files changed, 50 insertions(+), 13 deletions(-)
+
+diff --git a/src/tang-show-keys b/src/tang-show-keys
+index 689e4df..0c33c3a 100755
+--- a/src/tang-show-keys
++++ b/src/tang-show-keys
+@@ -27,10 +27,9 @@ fi
+ 
+ port=${1-80}
+ 
+-adv=$(curl -sSf localhost:$port/adv)
++adv=$(curl -sSf "localhost:$port/adv")
+ 
+ THP_DEFAULT_HASH=S256    # SHA-256.
+-echo $adv \
+-    | jose fmt -j- -g payload -y -o- \
++jose fmt --json "${adv}" -g payload -y -o- \
+     | jose jwk use -i- -r -u verify -o- \
+     | jose jwk thp -i- -a "${THP_DEFAULT_HASH}"
+diff --git a/src/tangd-keygen b/src/tangd-keygen
+index 7a9adaf..f37121f 100755
+--- a/src/tangd-keygen
++++ b/src/tangd-keygen
+@@ -18,20 +18,23 @@
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
+ 
+-trap 'exit' ERR
++set -e
+ 
+-if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
++usage() {
+     echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
+     exit 1
+-fi
++}
++
++[ $# -ne 1 ] && [ $# -ne 3 ] && usage
++[ -d "$1" ] || usage
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
+ THP_DEFAULT_HASH=S256     # SHA-256.
+-jwe=`jose jwk gen -i '{"alg":"ES512"}'`
++jwe=$(jose jwk gen -i '{"alg":"ES512"}')
+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+-echo "$jwe" > $1/$sig.jwk
++echo "$jwe" > "$1/$sig.jwk"
+ 
+-jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
++jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
+ [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+-echo "$jwe" > $1/$exc.jwk
++echo "$jwe" > "$1/$exc.jwk"
+diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys
+index 9d38bb5..a095a91 100755
+--- a/src/tangd-rotate-keys
++++ b/src/tangd-rotate-keys
+@@ -21,7 +21,7 @@
+ SUMMARY="Perform rotation of tang keys"
+ 
+ usage() {
+-    local _ret="${1:-1}"
++    _ret="${1:-1}"
+     exec >&2
+     echo "Usage: ${0} [-h] [-v] -d <KEYDIR>"
+     echo
+@@ -37,8 +37,8 @@ usage() {
+ }
+ 
+ log() {
+-    local _msg="${1}"
+-    local _verbose="${2:-}"
++    _msg="${1}"
++    _verbose="${2:-}"
+     [ -z "${_verbose}" ] && return 0
+     echo "${_msg}" >&2
+ }
+diff --git a/tests/adv b/tests/adv
+index 490d4d1..4c8bc97 100755
+--- a/tests/adv
++++ b/tests/adv
+@@ -93,6 +93,9 @@ fetch /adv
+ # Lets's now test with multiple pairs of keys.
+ for i in 1 2 3 4 5 6 7 8 9; do
+     tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
++    # Make sure the requested keys exist and are valid.
++    validate_sig "${TMP}/db/other-sig-${i}.jwk"
++    validate_exc "${TMP}/db/other-exc-${i}.jwk"
+ done
+ 
+ # Verify the advertisement is correct.
+@@ -104,3 +107,20 @@ for jwk in "${TMP}"/db/other-sig-*.jwk; do
+         fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
+     done
+ done
++
++# Now let's test keys rotation.
++tangd-rotate-keys -d "${TMP}/db"
++for i in 1 2 3 4 5 6 7 8 9; do
++    # Make sure keys were excluded from advertisement.
++    validate_sig "${TMP}/db/.other-sig-${i}.jwk"
++    validate_exc "${TMP}/db/.other-exc-${i}.jwk"
++done
++
++# And test also that we have valid keys after rotation.
++thp=
++for jwk in "${TMP}"/db/*.jwk; do
++    validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
++                                    -i "${jwk}")"
++done
++[ -z "${thp}" ] && die "There should be valid keys after rotation"
++test "$(tang-show-keys $PORT)" = "${thp}"
+diff --git a/tests/helpers b/tests/helpers
+index af122ab..7ce54d7 100755
+--- a/tests/helpers
++++ b/tests/helpers
+@@ -56,7 +56,22 @@ validate() {
+     fi
+ }
+ 
++validate_sig() {
++    jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
++        --use verify 2>/dev/null
++}
++
++validate_exc() {
++    jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
++        --use deriveKey 2>/dev/null
++}
++
+ sanity_check() {
+     # Skip test if socat is not available.
+     [ -n "${SOCAT}" ] || exit 77
+ }
++
++die() {
++    echo "${1}" >&2
++    exit 1
++}
+-- 
+2.31.1
+

SOURCES/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch

@@ -0,0 +1,29 @@
+From af3b3835bcdb7e2d7a4f14e077fecb5e472f11ba Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 20 May 2021 10:31:25 -0300
+Subject: [PATCH 2/2] Fix possible NULL pointer dereference in find_by_thp()
+
+jwk_thumbprint() might return NULL, so let's make sure we handle that
+case.
+
+Issue pointed out by gcc static analyzer.
+---
+ src/keys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/keys.c b/src/keys.c
+index 5a8c1ac..55d0cff 100644
+--- a/src/keys.c
++++ b/src/keys.c
+@@ -263,7 +263,7 @@ find_by_thp(struct tang_keys_info* tki, const char* target)
+     json_array_foreach(keys, idx, jwk) {
+         for (int i = 0; hashes[i]; i++) {
+             __attribute__ ((__cleanup__(cleanup_str))) char* thumbprint = jwk_thumbprint(jwk, hashes[i]);
+-            if (strcmp(thumbprint, target) != 0) {
++            if (!thumbprint || strcmp(thumbprint, target) != 0) {
+                 continue;
+             }
+ 
+-- 
+2.31.1
+

SPECS/tang.spec

@@ -0,0 +1,183 @@
+Name:           tang
+Version:        10
+Release:        4%{?dist}
+Summary:        Network Presence Binding Daemon
+
+License:        GPLv3+
+URL:            https://github.com/latchset/%{name}
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+
+Patch0001: 0001-Fix-issues-reported-by-shellcheck.patch
+Patch0002: 0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch
+
+BuildRequires:  gcc
+BuildRequires:  meson
+BuildRequires:  git-core
+BuildRequires:  jose >= 8
+BuildRequires:  libjose-devel >= 8
+BuildRequires:  libjose-zlib-devel >= 8
+BuildRequires:  libjose-openssl-devel >= 8
+
+BuildRequires:  http-parser-devel >= 2.7.1-3
+BuildRequires:  systemd-devel
+BuildRequires:  pkgconfig
+
+BuildRequires:  systemd
+BuildRequires:  curl
+
+BuildRequires:  asciidoc
+BuildRequires:  coreutils
+BuildRequires:  grep
+BuildRequires:  socat
+BuildRequires:  sed
+
+%{?systemd_requires}
+Requires:       coreutils
+Requires:       jose >= 8
+Requires:       grep
+Requires:       sed
+
+Requires(pre):  shadow-utils
+
+%description
+Tang is a small daemon for binding data to the presence of a third party.
+
+%prep
+%autosetup -S git
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
+
+%check
+%meson_test
+
+%pre
+getent group %{name} >/dev/null || groupadd -r %{name}
+getent passwd %{name} >/dev/null || \
+    useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
+    -c "Tang Network Presence Daemon user" %{name}
+exit 0
+
+%post
+%systemd_post %{name}d.socket
+
+%preun
+%systemd_preun %{name}d.socket
+
+%postun
+%systemd_postun_with_restart %{name}d.socket
+
+%files
+%license COPYING
+%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
+%{_unitdir}/%{name}d@.service
+%{_unitdir}/%{name}d.socket
+%{_libexecdir}/%{name}d-keygen
+%{_libexecdir}/%{name}d-rotate-keys
+%{_libexecdir}/%{name}d
+%{_mandir}/man8/tang.8*
+%{_bindir}/%{name}-show-keys
+%{_mandir}/man1/tang-show-keys.1*
+
+%changelog
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 10-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 10-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Thu May 20 2021 Sergio Correia <scorreia@redhat.com> - 10-2
+- Fix issues reported by static analyzer checks
+  Resolves: rhbz#1956765
+
+* Wed May 05 2021 Sergio Correia <scorreia@redhat.com> - 10-1
+- New upstream release - v10.
+  Resolves: rhbz#1956765
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 8-2
+- Remove extra patches as they are already included in v8 release
+
+* Mon Feb 08 2021 Sergio Correia <scorreia@redhat.com> - 8-1
+- New upstream release - v8.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 1 2020 Sergio Correia <scorreia@redhat.com> - 7.8
+- Move build system to meson
+  Upstream commits (fed9020, 590de27)
+- Move key handling to tang itself
+  Upstream commits (6090505, c71df1d, 7119454)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Apr 15 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 7-6
+- Rebuild for http-parser 2.9.4
+
+* Tue Feb 25 2020 Sergio Correia <scorreia@redhat.com> - 7-5
+- Rebuilt after http-parser update
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Aug 10 2018 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
+- New upstream release
+- Retire tang-nagios package (now separate upstream)
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
+- New upstream release
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-2
+- Fix incorrect dependencies
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
+- New upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-2
+- Fix a race condition in one of the tests
+
+* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
+- New upstream release
+- Add nagios subpackage
+
+* Wed Oct 26 2016 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
+- New upstream release
+
+* Wed Oct 19 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
+- New upstream release
+
+* Tue Aug 23 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
+- First release