New upstream release - v11
parent
b44ee07e42
commit
e659b083bf
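--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /tang-7.tar.bz2
 /tang-8.tar.xz
 /tang-10.tar.xz
+/tang-11.tar.xz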
@ -1,155 +0,0 @@
|
|||||||
From 0b0b1ef7244433cde737cd65d07930efd9667ed1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Thu, 20 May 2021 10:21:21 -0300
|
|
||||||
Subject: [PATCH 1/2] Fix issues reported by shellcheck
|
|
||||||
|
|
||||||
Additionally, improve testing of these scripts.
|
|
||||||
---
|
|
||||||
src/tang-show-keys | 5 ++---
|
|
||||||
src/tangd-keygen | 17 ++++++++++-------
|
|
||||||
src/tangd-rotate-keys | 6 +++---
|
|
||||||
tests/adv | 20 ++++++++++++++++++++
|
|
||||||
tests/helpers | 15 +++++++++++++++
|
|
||||||
5 files changed, 50 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tang-show-keys b/src/tang-show-keys
|
|
||||||
index 689e4df..0c33c3a 100755
|
|
||||||
--- a/src/tang-show-keys
|
|
||||||
+++ b/src/tang-show-keys
|
|
||||||
@@ -27,10 +27,9 @@ fi
|
|
||||||
|
|
||||||
port=${1-80}
|
|
||||||
|
|
||||||
-adv=$(curl -sSf localhost:$port/adv)
|
|
||||||
+adv=$(curl -sSf "localhost:$port/adv")
|
|
||||||
|
|
||||||
THP_DEFAULT_HASH=S256 # SHA-256.
|
|
||||||
-echo $adv \
|
|
||||||
- | jose fmt -j- -g payload -y -o- \
|
|
||||||
+jose fmt --json "${adv}" -g payload -y -o- \
|
|
||||||
| jose jwk use -i- -r -u verify -o- \
|
|
||||||
| jose jwk thp -i- -a "${THP_DEFAULT_HASH}"
|
|
||||||
diff --git a/src/tangd-keygen b/src/tangd-keygen
|
|
||||||
index 7a9adaf..f37121f 100755
|
|
||||||
--- a/src/tangd-keygen
|
|
||||||
+++ b/src/tangd-keygen
|
|
||||||
@@ -18,20 +18,23 @@
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
|
|
||||||
-trap 'exit' ERR
|
|
||||||
+set -e
|
|
||||||
|
|
||||||
-if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
|
|
||||||
+usage() {
|
|
||||||
echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
|
|
||||||
exit 1
|
|
||||||
-fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+[ $# -ne 1 ] && [ $# -ne 3 ] && usage
|
|
||||||
+[ -d "$1" ] || usage
|
|
||||||
|
|
||||||
[ $# -eq 3 ] && sig=$2 && exc=$3
|
|
||||||
|
|
||||||
THP_DEFAULT_HASH=S256 # SHA-256.
|
|
||||||
-jwe=`jose jwk gen -i '{"alg":"ES512"}'`
|
|
||||||
+jwe=$(jose jwk gen -i '{"alg":"ES512"}')
|
|
||||||
[ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
||||||
-echo "$jwe" > $1/$sig.jwk
|
|
||||||
+echo "$jwe" > "$1/$sig.jwk"
|
|
||||||
|
|
||||||
-jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
|
|
||||||
+jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
|
|
||||||
[ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
||||||
-echo "$jwe" > $1/$exc.jwk
|
|
||||||
+echo "$jwe" > "$1/$exc.jwk"
|
|
||||||
diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys
|
|
||||||
index 9d38bb5..a095a91 100755
|
|
||||||
--- a/src/tangd-rotate-keys
|
|
||||||
+++ b/src/tangd-rotate-keys
|
|
||||||
@@ -21,7 +21,7 @@
|
|
||||||
SUMMARY="Perform rotation of tang keys"
|
|
||||||
|
|
||||||
usage() {
|
|
||||||
- local _ret="${1:-1}"
|
|
||||||
+ _ret="${1:-1}"
|
|
||||||
exec >&2
|
|
||||||
echo "Usage: ${0} [-h] [-v] -d <KEYDIR>"
|
|
||||||
echo
|
|
||||||
@@ -37,8 +37,8 @@ usage() {
|
|
||||||
}
|
|
||||||
|
|
||||||
log() {
|
|
||||||
- local _msg="${1}"
|
|
||||||
- local _verbose="${2:-}"
|
|
||||||
+ _msg="${1}"
|
|
||||||
+ _verbose="${2:-}"
|
|
||||||
[ -z "${_verbose}" ] && return 0
|
|
||||||
echo "${_msg}" >&2
|
|
||||||
}
|
|
||||||
diff --git a/tests/adv b/tests/adv
|
|
||||||
index 490d4d1..4c8bc97 100755
|
|
||||||
--- a/tests/adv
|
|
||||||
+++ b/tests/adv
|
|
||||||
@@ -93,6 +93,9 @@ fetch /adv
|
|
||||||
# Lets's now test with multiple pairs of keys.
|
|
||||||
for i in 1 2 3 4 5 6 7 8 9; do
|
|
||||||
tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
|
|
||||||
+ # Make sure the requested keys exist and are valid.
|
|
||||||
+ validate_sig "${TMP}/db/other-sig-${i}.jwk"
|
|
||||||
+ validate_exc "${TMP}/db/other-exc-${i}.jwk"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Verify the advertisement is correct.
|
|
||||||
@@ -104,3 +107,20 @@ for jwk in "${TMP}"/db/other-sig-*.jwk; do
|
|
||||||
fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
|
|
||||||
done
|
|
||||||
done
|
|
||||||
+
|
|
||||||
+# Now let's test keys rotation.
|
|
||||||
+tangd-rotate-keys -d "${TMP}/db"
|
|
||||||
+for i in 1 2 3 4 5 6 7 8 9; do
|
|
||||||
+ # Make sure keys were excluded from advertisement.
|
|
||||||
+ validate_sig "${TMP}/db/.other-sig-${i}.jwk"
|
|
||||||
+ validate_exc "${TMP}/db/.other-exc-${i}.jwk"
|
|
||||||
+done
|
|
||||||
+
|
|
||||||
+# And test also that we have valid keys after rotation.
|
|
||||||
+thp=
|
|
||||||
+for jwk in "${TMP}"/db/*.jwk; do
|
|
||||||
+ validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
|
|
||||||
+ -i "${jwk}")"
|
|
||||||
+done
|
|
||||||
+[ -z "${thp}" ] && die "There should be valid keys after rotation"
|
|
||||||
+test "$(tang-show-keys $PORT)" = "${thp}"
|
|
||||||
diff --git a/tests/helpers b/tests/helpers
|
|
||||||
index af122ab..7ce54d7 100755
|
|
||||||
--- a/tests/helpers
|
|
||||||
+++ b/tests/helpers
|
|
||||||
@@ -56,7 +56,22 @@ validate() {
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
+validate_sig() {
|
|
||||||
+ jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
|
|
||||||
+ --use verify 2>/dev/null
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+validate_exc() {
|
|
||||||
+ jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
|
|
||||||
+ --use deriveKey 2>/dev/null
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
sanity_check() {
|
|
||||||
# Skip test if socat is not available.
|
|
||||||
[ -n "${SOCAT}" ] || exit 77
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+die() {
|
|
||||||
+ echo "${1}" >&2
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
From af3b3835bcdb7e2d7a4f14e077fecb5e472f11ba Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Thu, 20 May 2021 10:31:25 -0300
|
|
||||||
Subject: [PATCH 2/2] Fix possible NULL pointer dereference in find_by_thp()
|
|
||||||
|
|
||||||
jwk_thumbprint() might return NULL, so let's make sure we handle that
|
|
||||||
case.
|
|
||||||
|
|
||||||
Issue pointed out by gcc static analyzer.
|
|
||||||
---
|
|
||||||
src/keys.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/keys.c b/src/keys.c
|
|
||||||
index 5a8c1ac..55d0cff 100644
|
|
||||||
--- a/src/keys.c
|
|
||||||
+++ b/src/keys.c
|
|
||||||
@@ -263,7 +263,7 @@ find_by_thp(struct tang_keys_info* tki, const char* target)
|
|
||||||
json_array_foreach(keys, idx, jwk) {
|
|
||||||
for (int i = 0; hashes[i]; i++) {
|
|
||||||
__attribute__ ((__cleanup__(cleanup_str))) char* thumbprint = jwk_thumbprint(jwk, hashes[i]);
|
|
||||||
- if (strcmp(thumbprint, target) != 0) {
|
|
||||||
+ if (!thumbprint || strcmp(thumbprint, target) != 0) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,207 +0,0 @@
|
|||||||
From b3d12b6a8f0ad7d56a584c1962e92f69b289a2a2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Mon, 27 Sep 2021 15:19:42 -0300
|
|
||||||
Subject: [PATCH 3/3] keys: make sure keys are created with 0440 mode
|
|
||||||
|
|
||||||
There is no need for them to be readable by other than the owner/group.
|
|
||||||
Helpers (tangd-keygen and tangd-rotate-keys) also updated.
|
|
||||||
---
|
|
||||||
src/keys.c | 7 ++++++
|
|
||||||
src/tangd-keygen | 3 +++
|
|
||||||
src/tangd-rotate-keys | 1 +
|
|
||||||
tests/adv | 11 +++++++++
|
|
||||||
tests/helpers | 5 ++++
|
|
||||||
tests/rec | 3 +++
|
|
||||||
tests/test-keys.c.in | 54 +++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
7 files changed, 84 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/keys.c b/src/keys.c
|
|
||||||
index 55d0cff..a433f9c 100644
|
|
||||||
--- a/src/keys.c
|
|
||||||
+++ b/src/keys.c
|
|
||||||
@@ -17,6 +17,7 @@
|
|
||||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <dirent.h>
|
|
||||||
@@ -337,6 +338,12 @@ create_new_keys(const char* jwkdir)
|
|
||||||
fprintf(stderr, "Error saving JWK to file (%s)\n", path);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* Set 0440 permission for the new key. */
|
|
||||||
+ if (chmod(path, S_IRUSR | S_IRGRP) == -1) {
|
|
||||||
+ fprintf(stderr, "Unable to set permissions for JWK file (%s)\n", path);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/src/tangd-keygen b/src/tangd-keygen
|
|
||||||
index f37121f..ed51124 100755
|
|
||||||
--- a/src/tangd-keygen
|
|
||||||
+++ b/src/tangd-keygen
|
|
||||||
@@ -34,7 +34,10 @@ THP_DEFAULT_HASH=S256 # SHA-256.
|
|
||||||
jwe=$(jose jwk gen -i '{"alg":"ES512"}')
|
|
||||||
[ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
||||||
echo "$jwe" > "$1/$sig.jwk"
|
|
||||||
+chmod 0440 "$1/$sig.jwk"
|
|
||||||
+
|
|
||||||
|
|
||||||
jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
|
|
||||||
[ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
||||||
echo "$jwe" > "$1/$exc.jwk"
|
|
||||||
+chmod 0440 "$1/$exc.jwk"
|
|
||||||
diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys
|
|
||||||
index a095a91..8649652 100755
|
|
||||||
--- a/src/tangd-rotate-keys
|
|
||||||
+++ b/src/tangd-rotate-keys
|
|
||||||
@@ -78,6 +78,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
|
|
||||||
thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
|
|
||||||
-a "${DEFAULT_THP_HASH}")"
|
|
||||||
echo "${jwe}" > "${thp}.jwk"
|
|
||||||
+ chmod 0440 "${thp}.jwk"
|
|
||||||
log "Created new key ${thp}.jwk" "${VERBOSE}"
|
|
||||||
done
|
|
||||||
cd - >/dev/null
|
|
||||||
diff --git a/tests/adv b/tests/adv
|
|
||||||
index 4c8bc97..1fde37e 100755
|
|
||||||
--- a/tests/adv
|
|
||||||
+++ b/tests/adv
|
|
||||||
@@ -27,6 +27,10 @@ export TMP=`mktemp -d`
|
|
||||||
mkdir -p $TMP/db
|
|
||||||
|
|
||||||
tangd-keygen $TMP/db sig exc
|
|
||||||
+# Make sure keys generated by tangd-keygen have proper permissions.
|
|
||||||
+valid_key_perm "${TMP}/db/sig.jwk"
|
|
||||||
+valid_key_perm "${TMP}/db/exc.jwk"
|
|
||||||
+
|
|
||||||
jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
|
|
||||||
jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
|
|
||||||
|
|
||||||
@@ -96,6 +100,10 @@ for i in 1 2 3 4 5 6 7 8 9; do
|
|
||||||
# Make sure the requested keys exist and are valid.
|
|
||||||
validate_sig "${TMP}/db/other-sig-${i}.jwk"
|
|
||||||
validate_exc "${TMP}/db/other-exc-${i}.jwk"
|
|
||||||
+
|
|
||||||
+ # Make sure keys generated by tangd-keygen have proper permissions.
|
|
||||||
+ valid_key_perm "${TMP}/db/other-sig-${i}.jwk"
|
|
||||||
+ valid_key_perm "${TMP}/db/other-exc-${i}.jwk"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Verify the advertisement is correct.
|
|
||||||
@@ -121,6 +129,9 @@ thp=
|
|
||||||
for jwk in "${TMP}"/db/*.jwk; do
|
|
||||||
validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
|
|
||||||
-i "${jwk}")"
|
|
||||||
+
|
|
||||||
+ # Make sure keys generated by tangd-rotate-keys have proper permissions.
|
|
||||||
+ valid_key_perm "${jwk}"
|
|
||||||
done
|
|
||||||
[ -z "${thp}" ] && die "There should be valid keys after rotation"
|
|
||||||
test "$(tang-show-keys $PORT)" = "${thp}"
|
|
||||||
diff --git a/tests/helpers b/tests/helpers
|
|
||||||
index 7ce54d7..8b789fb 100755
|
|
||||||
--- a/tests/helpers
|
|
||||||
+++ b/tests/helpers
|
|
||||||
@@ -75,3 +75,8 @@ die() {
|
|
||||||
echo "${1}" >&2
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+valid_key_perm() {
|
|
||||||
+ _perm="$(stat -c %a "${1}")"
|
|
||||||
+ [ "${_perm}" = "440" ]
|
|
||||||
+}
|
|
||||||
diff --git a/tests/rec b/tests/rec
|
|
||||||
index af0d075..7fba6a9 100755
|
|
||||||
--- a/tests/rec
|
|
||||||
+++ b/tests/rec
|
|
||||||
@@ -28,6 +28,9 @@ mkdir -p $TMP/db
|
|
||||||
|
|
||||||
# Generate the server keys
|
|
||||||
tangd-keygen $TMP/db sig exc
|
|
||||||
+# Make sure keys generated by tangd-keygen have proper permissions.
|
|
||||||
+valid_key_perm "${TMP}/db/sig.jwk"
|
|
||||||
+valid_key_perm "${TMP}/db/exc.jwk"
|
|
||||||
|
|
||||||
# Generate the client keys
|
|
||||||
exc_kid=`jose jwk thp -i $TMP/db/exc.jwk`
|
|
||||||
diff --git a/tests/test-keys.c.in b/tests/test-keys.c.in
|
|
||||||
index 1f811f3..fca26c4 100644
|
|
||||||
--- a/tests/test-keys.c.in
|
|
||||||
+++ b/tests/test-keys.c.in
|
|
||||||
@@ -32,6 +32,56 @@ struct test_result_int {
|
|
||||||
int expected;
|
|
||||||
};
|
|
||||||
|
|
||||||
+static void
|
|
||||||
+verify_keys_permissions(const char* targetdir)
|
|
||||||
+{
|
|
||||||
+ struct stat st;
|
|
||||||
+ struct dirent* d;
|
|
||||||
+ DIR* dir = opendir(targetdir);
|
|
||||||
+ ASSERT(dir);
|
|
||||||
+ char filepath[PATH_MAX];
|
|
||||||
+ const char* pattern = ".jwk";
|
|
||||||
+ while ((d = readdir(dir)) != NULL) {
|
|
||||||
+ if (strcmp(d->d_name, ".") == 0 || strcmp(d->d_name, "..") == 0) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ char* dot = strrchr(d->d_name, '.');
|
|
||||||
+ if (!dot) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (strcmp(dot, pattern) == 0) {
|
|
||||||
+ /* Found a file with .jwk extension. */
|
|
||||||
+ if (snprintf(filepath, PATH_MAX, "%s/%s", targetdir, d->d_name) < 0) {
|
|
||||||
+ fprintf(stderr, "Unable to prepare variable with file full path (%s); skipping\n", d->d_name);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ filepath[sizeof(filepath) - 1] = '\0';
|
|
||||||
+ ASSERT(stat(filepath, &st) == 0);
|
|
||||||
+
|
|
||||||
+ ASSERT_WITH_MSG(st.st_mode & (S_IRUSR | S_IRGRP), "key = %s, missing perm (0%o)", filepath, (S_IRUSR | S_IRGRP));
|
|
||||||
+ int unexpected_perms[] = {
|
|
||||||
+ S_ISUID, /* 04000 set-user-ID */
|
|
||||||
+ S_ISGID, /* 02000 set-group-ID */
|
|
||||||
+ S_IWUSR, /* 00200 write by owner */
|
|
||||||
+ S_IXUSR, /* 00100 execute/search by owner */
|
|
||||||
+ S_IWGRP, /* 00020 write by group */
|
|
||||||
+ S_IXGRP, /* 00010 execute/search by group */
|
|
||||||
+ S_IROTH, /* 00004 read by others */
|
|
||||||
+ S_IWOTH, /* 00002 write by others */
|
|
||||||
+ S_IXOTH, /* 00001 execute/search by others */
|
|
||||||
+ 0
|
|
||||||
+ };
|
|
||||||
+ for (int i = 0; unexpected_perms[i] != 0; i++) {
|
|
||||||
+ ASSERT_WITH_MSG((st.st_mode & unexpected_perms[i]) == 0, "key = %s, i = %d, unexpected perm (0%o)", filepath, i, unexpected_perms[i]);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ closedir(dir);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
test_create_new_keys(void)
|
|
||||||
{
|
|
||||||
@@ -40,6 +90,10 @@ test_create_new_keys(void)
|
|
||||||
__attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki = read_keys(newdir);
|
|
||||||
ASSERT(tki);
|
|
||||||
ASSERT(tki->m_keys_count == 2);
|
|
||||||
+
|
|
||||||
+ /* Make sure keys have proper permissions. */
|
|
||||||
+ verify_keys_permissions(newdir);
|
|
||||||
+
|
|
||||||
remove_tempdir(newdir);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,147 +0,0 @@
|
|||||||
From ab3b913cc74666dffe56d1f87f6f90653d8f4e70 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Sat, 2 Oct 2021 09:14:21 -0300
|
|
||||||
Subject: [PATCH 4/4] Specify user and group for tang
|
|
||||||
|
|
||||||
So that we can run tang itself with a different user.
|
|
||||||
|
|
||||||
Systemd unit and helpers for rotating keys updated to use the
|
|
||||||
new user and group.
|
|
||||||
---
|
|
||||||
meson.build | 2 ++
|
|
||||||
meson_options.txt | 2 ++
|
|
||||||
src/meson.build | 18 ++++++++++++++++--
|
|
||||||
src/{tangd-keygen => tangd-keygen.in} | 11 +++++++++--
|
|
||||||
...{tangd-rotate-keys => tangd-rotate-keys.in} | 9 ++++++++-
|
|
||||||
units/tangd@.service.in | 1 +
|
|
||||||
6 files changed, 38 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 meson_options.txt
|
|
||||||
rename src/{tangd-keygen => tangd-keygen.in} (85%)
|
|
||||||
rename src/{tangd-rotate-keys => tangd-rotate-keys.in} (92%)
|
|
||||||
|
|
||||||
diff --git a/meson.build b/meson.build
|
|
||||||
index 1733d47..7664e05 100644
|
|
||||||
--- a/meson.build
|
|
||||||
+++ b/meson.build
|
|
||||||
@@ -26,6 +26,8 @@ data.set('libexecdir', libexecdir)
|
|
||||||
data.set('sysconfdir', sysconfdir)
|
|
||||||
data.set('systemunitdir', systemunitdir)
|
|
||||||
data.set('jwkdir', jwkdir)
|
|
||||||
+data.set('user', get_option('user'))
|
|
||||||
+data.set('group', get_option('group'))
|
|
||||||
|
|
||||||
add_project_arguments(
|
|
||||||
'-D_POSIX_C_SOURCE=200809L',
|
|
||||||
diff --git a/meson_options.txt b/meson_options.txt
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..9b1f7c6
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/meson_options.txt
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+option('user', type: 'string', value: 'tang', description: 'Unprivileged user for tang operations')
|
|
||||||
+option('group', type: 'string', value: 'tang', description: 'Unprivileged group for tang operations')
|
|
||||||
diff --git a/src/meson.build b/src/meson.build
|
|
||||||
index e7dc60c..f022775 100644
|
|
||||||
--- a/src/meson.build
|
|
||||||
+++ b/src/meson.build
|
|
||||||
@@ -7,8 +7,22 @@ tangd = executable('tangd',
|
|
||||||
install_dir: libexecdir
|
|
||||||
)
|
|
||||||
|
|
||||||
+tangd_keygen = configure_file(
|
|
||||||
+ input: 'tangd-keygen.in',
|
|
||||||
+ output: 'tangd-keygen',
|
|
||||||
+ configuration: data,
|
|
||||||
+ install: true,
|
|
||||||
+ install_dir: libexecdir
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
+tangd_rotate_keys = configure_file(
|
|
||||||
+ input: 'tangd-rotate-keys.in',
|
|
||||||
+ output: 'tangd-rotate-keys',
|
|
||||||
+ configuration: data,
|
|
||||||
+ install: true,
|
|
||||||
+ install_dir: libexecdir
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
|
|
||||||
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
|
|
||||||
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-rotate-keys')
|
|
||||||
|
|
||||||
# vim:set ts=2 sw=2 et:
|
|
||||||
diff --git a/src/tangd-keygen b/src/tangd-keygen.in
|
|
||||||
similarity index 85%
|
|
||||||
rename from src/tangd-keygen
|
|
||||||
rename to src/tangd-keygen.in
|
|
||||||
index ed51124..f74b86f 100755
|
|
||||||
--- a/src/tangd-keygen
|
|
||||||
+++ b/src/tangd-keygen.in
|
|
||||||
@@ -25,6 +25,13 @@ usage() {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
+set_perms() {
|
|
||||||
+ chmod 0440 -- "${1}"
|
|
||||||
+ if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
|
|
||||||
+ echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
[ $# -ne 1 ] && [ $# -ne 3 ] && usage
|
|
||||||
[ -d "$1" ] || usage
|
|
||||||
|
|
||||||
@@ -34,10 +41,10 @@ THP_DEFAULT_HASH=S256 # SHA-256.
|
|
||||||
jwe=$(jose jwk gen -i '{"alg":"ES512"}')
|
|
||||||
[ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
||||||
echo "$jwe" > "$1/$sig.jwk"
|
|
||||||
-chmod 0440 "$1/$sig.jwk"
|
|
||||||
+set_perms "$1/$sig.jwk"
|
|
||||||
|
|
||||||
|
|
||||||
jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
|
|
||||||
[ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
||||||
echo "$jwe" > "$1/$exc.jwk"
|
|
||||||
-chmod 0440 "$1/$exc.jwk"
|
|
||||||
+set_perms "$1/$exc.jwk"
|
|
||||||
diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys.in
|
|
||||||
similarity index 92%
|
|
||||||
rename from src/tangd-rotate-keys
|
|
||||||
rename to src/tangd-rotate-keys.in
|
|
||||||
index 8649652..56b94ad 100755
|
|
||||||
--- a/src/tangd-rotate-keys
|
|
||||||
+++ b/src/tangd-rotate-keys.in
|
|
||||||
@@ -48,6 +48,13 @@ error() {
|
|
||||||
usage 1
|
|
||||||
}
|
|
||||||
|
|
||||||
+set_perms() {
|
|
||||||
+ chmod 0440 -- "${1}"
|
|
||||||
+ if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
|
|
||||||
+ echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
JWKDIR=
|
|
||||||
VERBOSE=
|
|
||||||
while getopts "hvd:" o; do
|
|
||||||
@@ -78,7 +85,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
|
|
||||||
thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
|
|
||||||
-a "${DEFAULT_THP_HASH}")"
|
|
||||||
echo "${jwe}" > "${thp}.jwk"
|
|
||||||
- chmod 0440 "${thp}.jwk"
|
|
||||||
+ set_perms "${thp}.jwk"
|
|
||||||
log "Created new key ${thp}.jwk" "${VERBOSE}"
|
|
||||||
done
|
|
||||||
cd - >/dev/null
|
|
||||||
diff --git a/units/tangd@.service.in b/units/tangd@.service.in
|
|
||||||
index f1db261..aeb2dc1 100644
|
|
||||||
--- a/units/tangd@.service.in
|
|
||||||
+++ b/units/tangd@.service.in
|
|
||||||
@@ -6,3 +6,4 @@ StandardInput=socket
|
|
||||||
StandardOutput=socket
|
|
||||||
StandardError=journal
|
|
||||||
ExecStart=@libexecdir@/tangd @jwkdir@
|
|
||||||
+User=@user@
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
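--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (tang-10.tar.xz) = 9bd438edb77e4f14372a19313abde342d1b111e99e6b2b3aa46714dc0807fc33c62f4c778f83b7c30d00e2c7e0c65724a3b2d3116478ff4e67a408e3faac09ce
+SHA512 (tang-11.tar.xz) = 332ff8bca33afef17cb86a77780f34499659ee0576b36b111a0a57996836b6770d89c5f5fa5da9c6095f17c731db6ad1e261bf6d97b6daa109565e8e294e3b87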
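--- a/tang.spec
+++ b/tang.spec
@@ -1,17 +1,12 @@
 Name: tang
-Version: 10
-Release: 5%{?dist}
+Version: 11
+Release: 1%{?dist}
 Summary: Network Presence Binding Daemon
 
 License: GPLv3+
 URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 
-Patch0001: 0001-Fix-issues-reported-by-shellcheck.patch
-Patch0002: 0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch
-Patch0003: 0003-keys-make-sure-keys-are-created-with-0440-mode.patch
-Patch0004: 0004-Specify-user-and-group-for-tang.patch
-
 BuildRequires: gcc
 BuildRequires: meson
 BuildRequires: git-core
@@ -99,8 +94,13 @@ fi
 %{_mandir}/man8/tang.8*
 %{_bindir}/%{name}-show-keys
 %{_mandir}/man1/tang-show-keys.1*
+%{_mandir}/man1/tangd-rotate-keys.1.*
 
 %changelog
+* Tue Dec 14 2021 Sergio Correia <scorreia@redhat.com> - 11-1
+- New upstream release - v11.
+Resolves: CVE-2021-4076
+
 * Mon Oct 04 2021 Sergio Arroutbi <sarroutb@redhat.com> - 10-5
 - Fix scriptlet from previous commit
 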
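Review bot: The 11-1 changelog entry records only the version bump, while the first hunk also drops Patch0001 through Patch0004 — including the 0440 key-file mode and the dedicated tang user/group changes — so a reader of the spec cannot tell from the history whether those hardening fixes still apply to the built package. I would state it explicitly in the entry: `- Drop patches 0001-0004, merged upstream in v11.` That the v11 tarball actually carries them is not visible on this page; before relying on the "Resolves: CVE-2021-4076" line, confirm that the rebuilt package still creates key files with mode 0440 owned by the configured user, and that the scriptlet mentioned in the 10-5 entry still agrees with the meson user/group options the dropped patch introduced.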