diff --git a/0001-Fix-issues-reported-by-shellcheck.patch b/0001-Fix-issues-reported-by-shellcheck.patch new file mode 100644 index 0000000..3051c70 --- /dev/null +++ b/0001-Fix-issues-reported-by-shellcheck.patch 
@@ -0,0 +1,155 @@ +From 0b0b1ef7244433cde737cd65d07930efd9667ed1 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 20 May 2021 10:21:21 -0300 +Subject: [PATCH 1/2] Fix issues reported by shellcheck + +Additionally, improve testing of these scripts. +--- + src/tang-show-keys | 5 ++--- + src/tangd-keygen | 17 ++++++++++------- + src/tangd-rotate-keys | 6 +++--- + tests/adv | 20 ++++++++++++++++++++ + tests/helpers | 15 +++++++++++++++ + 5 files changed, 50 insertions(+), 13 deletions(-) + +diff --git a/src/tang-show-keys b/src/tang-show-keys +index 689e4df..0c33c3a 100755 +--- a/src/tang-show-keys ++++ b/src/tang-show-keys +@@ -27,10 +27,9 @@ fi + + port=${1-80} + +-adv=$(curl -sSf localhost:$port/adv) ++adv=$(curl -sSf "localhost:$port/adv") + + THP_DEFAULT_HASH=S256 # SHA-256. +-echo $adv \ +- | jose fmt -j- -g payload -y -o- \ ++jose fmt --json "${adv}" -g payload -y -o- \ + | jose jwk use -i- -r -u verify -o- \ + | jose jwk thp -i- -a "${THP_DEFAULT_HASH}" +diff --git a/src/tangd-keygen b/src/tangd-keygen +index 7a9adaf..f37121f 100755 +--- a/src/tangd-keygen ++++ b/src/tangd-keygen +@@ -18,20 +18,23 @@ + # along with this program. If not, see . + # + +-trap 'exit' ERR ++set -e + +-if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then ++usage() { + echo "Usage: $0 [ ]" >&2 + exit 1 +-fi ++} ++ ++[ $# -ne 1 ] && [ $# -ne 3 ] && usage ++[ -d "$1" ] || usage + + [ $# -eq 3 ] && sig=$2 && exc=$3 + + THP_DEFAULT_HASH=S256 # SHA-256. 
+-jwe=`jose jwk gen -i '{"alg":"ES512"}'` ++jwe=$(jose jwk gen -i '{"alg":"ES512"}') + [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}") +-echo "$jwe" > $1/$sig.jwk ++echo "$jwe" > "$1/$sig.jwk" + +-jwe=`jose jwk gen -i '{"alg":"ECMR"}'` ++jwe=$(jose jwk gen -i '{"alg":"ECMR"}') + [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}") +-echo "$jwe" > $1/$exc.jwk ++echo "$jwe" > "$1/$exc.jwk" +diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys +index 9d38bb5..a095a91 100755 +--- a/src/tangd-rotate-keys ++++ b/src/tangd-rotate-keys +@@ -21,7 +21,7 @@ + SUMMARY="Perform rotation of tang keys" + + usage() { +- local _ret="${1:-1}" ++ _ret="${1:-1}" + exec >&2 + echo "Usage: ${0} [-h] [-v] -d " + echo +@@ -37,8 +37,8 @@ usage() { + } + + log() { +- local _msg="${1}" +- local _verbose="${2:-}" ++ _msg="${1}" ++ _verbose="${2:-}" + [ -z "${_verbose}" ] && return 0 + echo "${_msg}" >&2 + } +diff --git a/tests/adv b/tests/adv +index 490d4d1..4c8bc97 100755 +--- a/tests/adv ++++ b/tests/adv +@@ -93,6 +93,9 @@ fetch /adv + # Lets's now test with multiple pairs of keys. + for i in 1 2 3 4 5 6 7 8 9; do + tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i} ++ # Make sure the requested keys exist and are valid. ++ validate_sig "${TMP}/db/other-sig-${i}.jwk" ++ validate_exc "${TMP}/db/other-exc-${i}.jwk" + done + + # Verify the advertisement is correct. +@@ -104,3 +107,20 @@ for jwk in "${TMP}"/db/other-sig-*.jwk; do + fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}" + done + done ++ ++# Now let's test keys rotation. ++tangd-rotate-keys -d "${TMP}/db" ++for i in 1 2 3 4 5 6 7 8 9; do ++ # Make sure keys were excluded from advertisement. ++ validate_sig "${TMP}/db/.other-sig-${i}.jwk" ++ validate_exc "${TMP}/db/.other-exc-${i}.jwk" ++done ++ ++# And test also that we have valid keys after rotation. 
++thp= ++for jwk in "${TMP}"/db/*.jwk; do ++ validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \ ++ -i "${jwk}")" ++done ++[ -z "${thp}" ] && die "There should be valid keys after rotation" ++test "$(tang-show-keys $PORT)" = "${thp}" +diff --git a/tests/helpers b/tests/helpers +index af122ab..7ce54d7 100755 +--- a/tests/helpers ++++ b/tests/helpers +@@ -56,7 +56,22 @@ validate() { + fi + } + ++validate_sig() { ++ jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \ ++ --use verify 2>/dev/null ++} ++ ++validate_exc() { ++ jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \ ++ --use deriveKey 2>/dev/null ++} ++ + sanity_check() { + # Skip test if socat is not available. + [ -n "${SOCAT}" ] || exit 77 + } ++ ++die() { ++ echo "${1}" >&2 ++ exit 1 ++} +-- +2.31.1 + diff --git a/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch b/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch new file mode 100644 index 0000000..5ef0463 --- /dev/null +++ b/0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch 
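Review bot: In the new `tests/adv` lines at the end of this hunk, `test "$(tang-show-keys $PORT)" = "${thp}"` leaves `$PORT` unquoted (SC2086), the same class of finding this patch fixes in `tang-show-keys` and `tangd-keygen`; `test "$(tang-show-keys "${PORT}")" = "${thp}"` would be consistent. The preceding loop overwrites `thp` for every key that passes `validate_sig`, so the comparison only holds if exactly one valid signing key remains after rotation and `tang-show-keys` prints exactly one thumbprint — a comment such as `# After rotation exactly one signing key must be advertised` would make that assumption explicit. `${PORT}` and `${THP_DEFAULT_HASH}` are not defined anywhere in the hunk, so presumably they come from `tests/helpers` or the harness; worth confirming. The new `validate_sig`/`validate_exc` helpers discard stderr, so a missing file and an invalid key are indistinguishable when a test fails. The hunk adds a whole patch file to the packaging repo; the scripts it modifies are not otherwise visible here.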
@@ -0,0 +1,29 @@ +From af3b3835bcdb7e2d7a4f14e077fecb5e472f11ba Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 20 May 2021 10:31:25 -0300 +Subject: [PATCH 2/2] Fix possible NULL pointer dereference in find_by_thp() + +jwk_thumbprint() might return NULL, so let's make sure we handle that +case. + +Issue pointed out by gcc static analyzer. +--- + src/keys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/keys.c b/src/keys.c +index 5a8c1ac..55d0cff 100644 +--- a/src/keys.c ++++ b/src/keys.c +@@ -263,7 +263,7 @@ find_by_thp(struct tang_keys_info* tki, const char* target) + json_array_foreach(keys, idx, jwk) { + for (int i = 0; hashes[i]; i++) { + __attribute__ ((__cleanup__(cleanup_str))) char* thumbprint = jwk_thumbprint(jwk, hashes[i]); +- if (strcmp(thumbprint, target) != 0) { ++ if (!thumbprint || strcmp(thumbprint, target) != 0) { + continue; + } + +-- +2.31.1 + diff --git a/tang.spec b/tang.spec index bfc1f96..b48bd14 100644 --- a/tang.spec +++ b/tang.spec @@ -1,12 +1,15 @@ Name: tang Version: 10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Network Presence Binding Daemon License: GPLv3+ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz +Patch0001: 0001-Fix-issues-reported-by-shellcheck.patch +Patch0002: 0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch + BuildRequires: gcc BuildRequires: meson BuildRequires: git-core @@ -83,6 +86,10 @@ exit 0 %{_mandir}/man1/tang-show-keys.1* %changelog +* Thu May 20 2021 Sergio Correia - 10-2 +- Fix issues reported by static analyzer checks + Resolves: rhbz#1956765 + * Wed May 05 2021 Sergio Correia - 10-1 - New upstream release - v10. Resolves: rhbz#1956765
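Review bot: The changed guard in `find_by_thp()` treats a NULL return from `jwk_thumbprint()` exactly like a non-matching thumbprint, so a failure to compute the thumbprint (rather than a genuine mismatch) silently moves on to the next hash and ultimately reports the key as not found; that fails closed, which is the right direction for a key lookup, but a debug-level log on the NULL case would keep such failures diagnosable instead of looking like an ordinary miss. Whether `cleanup_str` tolerates a NULL pointer is not visible in the hunk; it presumably wraps `free()`, which accepts NULL, but that is worth confirming since the cleanup now runs on a NULL `thumbprint`. `find_by_thp()` begins and ends outside this hunk.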
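Review bot: The `tang.spec` hunk declares `Patch0001` and `Patch0002` but the `%prep` section that would apply them lies outside the hunk; if it uses `%setup` rather than `%autosetup -p1`, both patches would be listed yet never applied to the build. The existing `BuildRequires: git-core` suggests `%autosetup -S git` is already in use, but confirming that `%prep` applies numbered patches would close the gap.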