.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,7 @@
-SOURCES/tang-7.tar.bz2
+/tang-7.tar.bz2
+/tang-8.tar.xz
+/tang-10.tar.xz
+/tang-11.tar.xz
+/tang-12.tar.xz
+/tang-13.tar.xz
+/tang-14.tar.xz

0001-Add-support-for-building-with-llhttp-instead-of-http.patch

@@ -0,0 +1,238 @@
+From 6aebfd5499039b58b88eb15eba1aa719c117cfd4 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 9 Jan 2024 08:56:59 +0000
+Subject: [PATCH] Add support for building with llhttp instead of http-parser
+
+As http-parser has been unmaintained for a while [1], let's add
+support for its natural replacement, llhttp.
+
+However, as llhttp does not seem to be packaged in distros like
+Debian [2], we will keep supporting building with http-parser for
+time being, preferring llhttp, if it is present.
+
+[1] https://github.com/nodejs/http-parser/issues/522
+[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977716
+---
+ .github/workflows/install-dependencies |  2 +-
+ meson.build                            | 17 ++++++++++---
+ src/http.c                             | 10 ++++----
+ src/http.h                             | 35 +++++++++++++++++++++++---
+ src/tangd.c                            | 16 ++++++------
+ 5 files changed, 58 insertions(+), 22 deletions(-)
+
+diff --git a/.github/workflows/install-dependencies b/.github/workflows/install-dependencies
+index 96852a8..a9bbab0 100755
+--- a/.github/workflows/install-dependencies
++++ b/.github/workflows/install-dependencies
+@@ -13,7 +13,7 @@ debian:*|ubuntu:*)
+     echo 'max_parallel_downloads=10' >> /etc/dnf/dnf.conf
+     dnf -y clean all
+     dnf -y --setopt=deltarpm=0 update
+-    dnf -y install gcc meson pkgconfig libjose-devel jose http-parser-devel \
++    dnf -y install gcc meson pkgconfig libjose-devel jose llhttp-devel \
+                    systemd gcovr curl socat iproute
+     ;;
+ 
+diff --git a/meson.build b/meson.build
+index fd46cef..33c8aff 100644
+--- a/meson.build
++++ b/meson.build
+@@ -55,13 +55,22 @@ add_project_arguments('-DVERSION="'+meson.project_version() + '"', language : 'c
+ jose = dependency('jose', version: '>=8')
+ a2x = find_program('a2x', required: false)
+ compiler = meson.get_compiler('c')
+-if not compiler.has_header('http_parser.h',args : '-I/usr/local/include')
+-  error('http-parser devel files not found.')
++
++http_lib = []
++if compiler.has_header('llhttp.h', args: '-I/usr/local/include')
++  http_lib = 'llhttp'
++  add_project_arguments('-DUSE_LLHTTP', language: 'c')
++else
++  if not compiler.has_header('http_parser.h', args: '-I/usr/local/include')
++    error('neither llhttp nor http-parser devel files found.')
++  endif
++  http_lib = 'http_parser'
+ endif
++
+ if host_machine.system() == 'freebsd'
+-  http_parser = compiler.find_library('http_parser',dirs : '/usr/local/lib')
++  http_parser = compiler.find_library(http_lib, dirs : '/usr/local/lib')
+ else
+-  http_parser = compiler.find_library('http_parser')
++  http_parser = compiler.find_library(http_lib)
+ endif
+ 
+ licenses = ['COPYING']
+diff --git a/src/http.c b/src/http.c
+index e9af37b..17b613f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -36,7 +36,7 @@ HTTP_METHOD_MAP(XX)
+ };
+ 
+ static int
+-on_url(http_parser *parser, const char *at, size_t length)
++on_url(http_parser_t *parser, const char *at, size_t length)
+ {
+     struct http_state *state = parser->data;
+ 
+@@ -51,7 +51,7 @@ on_url(http_parser *parser, const char *at, size_t length)
+ }
+ 
+ static int
+-on_body(http_parser *parser, const char *at, size_t length)
++on_body(http_parser_t *parser, const char *at, size_t length)
+ {
+     struct http_state *state = parser->data;
+ 
+@@ -66,7 +66,7 @@ on_body(http_parser *parser, const char *at, size_t length)
+ }
+ 
+ static int
+-on_message_complete(http_parser *parser)
++on_message_complete(http_parser_t *parser)
+ {
+     struct http_state *state = parser->data;
+     const char *addr = NULL;
+@@ -132,7 +132,7 @@ egress:
+     return 0;
+ }
+ 
+-const http_parser_settings http_settings = {
++const http_settings_t http_settings = {
+     .on_url = on_url,
+     .on_body = on_body,
+     .on_message_complete = on_message_complete,
+@@ -140,7 +140,7 @@ const http_parser_settings http_settings = {
+ 
+ int
+ http_reply(const char *file, int line,
+-           enum http_status code, const char *fmt, ...)
++           http_status_t code, const char *fmt, ...)
+ {
+     const char *msg = NULL;
+     va_list ap;
+diff --git a/src/http.h b/src/http.h
+index 8660a4f..2e35686 100644
+--- a/src/http.h
++++ b/src/http.h
+@@ -19,12 +19,39 @@
+ 
+ #pragma once
+ 
+-#include <http_parser.h>
+ #include <sys/types.h>
+ #include <regex.h>
+ 
++#ifdef USE_LLHTTP
++#include <llhttp.h>
++
++typedef llhttp_method_t http_method_t;
++typedef llhttp_status_t http_status_t;
++typedef llhttp_settings_t http_settings_t;
++typedef llhttp_t http_parser_t;
++#define tang_http_parser_init(parser, settings) llhttp_init(parser, HTTP_REQUEST, settings)
++#define tang_http_parser_execute(parser, settings, req, rcvd) llhttp_execute(parser, req, rcvd)
++#define tang_http_parser_errno(parser) parser.error
++#define tang_http_errno_description(parser, errno) llhttp_get_error_reason(parser)
++
++#else
++/* Legacy http-parser. */
++#include <http_parser.h>
++
++typedef enum http_method http_method_t;
++typedef enum http_status http_status_t;
++typedef http_parser_settings http_settings_t;
++typedef struct http_parser http_parser_t;
++
++#define tang_http_parser_init(parser, settings) http_parser_init(parser, HTTP_REQUEST)
++#define tang_http_parser_execute(parser, settings, req, rcvd) http_parser_execute(parser, settings, req, rcvd)
++#define tang_http_parser_errno(parser) parser.http_errno
++#define tang_http_errno_description(parser, errno) http_errno_description(errno)
++
++#endif /* USE_LLHTTP */
++
+ struct http_dispatch {
+-    int (*func)(enum http_method method, const char *path,
++    int (*func)(http_method_t method, const char *path,
+                 const char *body, regmatch_t matches[], void *misc);
+     uint64_t methods;
+     size_t nmatches;
+@@ -43,11 +70,11 @@ struct http_state {
+     void *misc;
+ };
+ 
+-extern const http_parser_settings http_settings;
++extern const http_settings_t http_settings;
+ 
+ int __attribute__ ((format(printf, 4, 5)))
+ http_reply(const char *file, int line,
+-           enum http_status code, const char *fmt, ...);
++           http_status_t code, const char *fmt, ...);
+ 
+ #define http_reply(code, ...) \
+     http_reply(__FILE__, __LINE__, code, __VA_ARGS__)
+diff --git a/src/tangd.c b/src/tangd.c
+index 1e3a6a3..7f197f6 100644
+--- a/src/tangd.c
++++ b/src/tangd.c
+@@ -64,7 +64,7 @@ str_cleanup(char **str)
+ }
+ 
+ static int
+-adv(enum http_method method, const char *path, const char *body,
++adv(http_method_t method, const char *path, const char *body,
+     regmatch_t matches[], void *misc)
+ {
+     __attribute__((cleanup(str_cleanup))) char *adv = NULL;
+@@ -101,7 +101,7 @@ adv(enum http_method method, const char *path, const char *body,
+ }
+ 
+ static int
+-rec(enum http_method method, const char *path, const char *body,
++rec(http_method_t method, const char *path, const char *body,
+     regmatch_t matches[], void *misc)
+ {
+     __attribute__((cleanup(str_cleanup))) char *enc = NULL;
+@@ -197,13 +197,14 @@ static int
+ process_request(const char *jwkdir, int in_fileno)
+ {
+     struct http_state state = { .dispatch = dispatch, .misc = (char*)jwkdir };
+-    struct http_parser parser = { .data = &state };
++    http_parser_t parser;
+     struct stat st = {};
+     char req[4096] = {};
+     size_t rcvd = 0;
+     int r = 0;
+ 
+-    http_parser_init(&parser, HTTP_REQUEST);
++    tang_http_parser_init(&parser, &http_settings);
++    parser.data = &state;
+ 
+     if (stat(jwkdir, &st) != 0) {
+         fprintf(stderr, "Error calling stat() on path: %s: %m\n", jwkdir);
+@@ -224,17 +225,16 @@ process_request(const char *jwkdir, int in_fileno)
+ 
+         rcvd += r;
+ 
+-        r = http_parser_execute(&parser, &http_settings, req, rcvd);
+-        if (parser.http_errno != 0) {
++        r = tang_http_parser_execute(&parser, &http_settings, req, rcvd);
++        if (tang_http_parser_errno(parser) != 0) {
+             fprintf(stderr, "HTTP Parsing Error: %s\n",
+-                    http_errno_description(parser.http_errno));
++                    tang_http_errno_description(&parser, tang_http_parser_errno(parser)));
+             return EXIT_SUCCESS;
+         }
+ 
+         memmove(req, &req[r], rcvd - r);
+         rcvd -= r;
+     }
+-
+     return EXIT_SUCCESS;
+ }
+ 
+-- 
+2.41.0
+

0002-Fix-issue-introduced-in-http-parser-llhttp-conversio.patch

@@ -0,0 +1,111 @@
+From 960b2036a97baded1b61b405e4fa99380f807ff9 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Mon, 12 Feb 2024 13:07:45 +0000
+Subject: [PATCH 2/2] Fix issue introduced in http-parser -> llhttp conversion
+
+http_parser_execute() returns the number of parsed bytes, while
+llhttp_execute() returns an error code.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ src/http.h  |  6 ++----
+ src/tangd.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 48 insertions(+), 6 deletions(-)
+
+diff --git a/src/http.h b/src/http.h
+index 2e35686..8d9de51 100644
+--- a/src/http.h
++++ b/src/http.h
+@@ -30,10 +30,9 @@ typedef llhttp_status_t http_status_t;
+ typedef llhttp_settings_t http_settings_t;
+ typedef llhttp_t http_parser_t;
+ #define tang_http_parser_init(parser, settings) llhttp_init(parser, HTTP_REQUEST, settings)
+-#define tang_http_parser_execute(parser, settings, req, rcvd) llhttp_execute(parser, req, rcvd)
+ #define tang_http_parser_errno(parser) parser.error
+ #define tang_http_errno_description(parser, errno) llhttp_get_error_reason(parser)
+-
++#define tang_http_parser_resume(parser) llhttp_resume(parser)
+ #else
+ /* Legacy http-parser. */
+ #include <http_parser.h>
+@@ -44,10 +43,9 @@ typedef http_parser_settings http_settings_t;
+ typedef struct http_parser http_parser_t;
+ 
+ #define tang_http_parser_init(parser, settings) http_parser_init(parser, HTTP_REQUEST)
+-#define tang_http_parser_execute(parser, settings, req, rcvd) http_parser_execute(parser, settings, req, rcvd)
+ #define tang_http_parser_errno(parser) parser.http_errno
+ #define tang_http_errno_description(parser, errno) http_errno_description(errno)
+-
++#define tang_http_parser_resume(parser) http_parser_pause(parser, 0)
+ #endif /* USE_LLHTTP */
+ 
+ struct http_dispatch {
+diff --git a/src/tangd.c b/src/tangd.c
+index 7f197f6..ab7f0cf 100644
+--- a/src/tangd.c
++++ b/src/tangd.c
+@@ -193,6 +193,44 @@ static struct http_dispatch dispatch[] = {
+ 
+ #define DEFAULT_PORT 9090
+ 
++static size_t
++tang_http_parser_execute(http_parser_t *parser, const char* data, size_t len)
++{
++#ifdef USE_LLHTTP
++    llhttp_errno_t error;
++    size_t parsed_len;
++
++    /*
++     * Unlike http_parser, which returns the number of parsed
++     * bytes in the _execute() call, llhttp returns an error
++     * code.
++     */
++
++    if (data == NULL || len == 0) {
++        error = llhttp_finish(parser);
++    } else {
++        error = llhttp_execute(parser, data, len);
++    }
++
++    parsed_len = len;
++    /*
++     * Adjust number of parsed bytes in case of error.
++     */
++    if (error != HPE_OK) {
++        parsed_len = llhttp_get_error_pos(parser) - data;
++
++        /* This isn't a real pause, just a way to stop parsing early. */
++        if (error == HPE_PAUSED_UPGRADE) {
++            llhttp_resume_after_upgrade(parser);
++        }
++    }
++
++    return parsed_len;
++#else
++    return http_parser_execute(parser, &http_settings, data, len);
++#endif
++}
++
+ static int
+ process_request(const char *jwkdir, int in_fileno)
+ {
+@@ -225,8 +263,14 @@ process_request(const char *jwkdir, int in_fileno)
+ 
+         rcvd += r;
+ 
+-        r = tang_http_parser_execute(&parser, &http_settings, req, rcvd);
+-        if (tang_http_parser_errno(parser) != 0) {
++        r = tang_http_parser_execute(&parser, req, rcvd);
++        switch (tang_http_parser_errno(parser)) {
++        case HPE_OK:
++            break;
++        case HPE_PAUSED:
++            tang_http_parser_resume(&parser);
++            break;
++        default:
+             fprintf(stderr, "HTTP Parsing Error: %s\n",
+                     tang_http_errno_description(&parser, tang_http_parser_errno(parser)));
+             return EXIT_SUCCESS;
+-- 
+2.43.0
+

SOURCES/0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch

@@ -1,38 +0,0 @@
-From ea43ca02cf52d0455c6949683692a95e38ccdf70 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Fri, 4 Dec 2020 09:05:19 -0300
-Subject: [PATCH 2/2] Exit with success unless the issue was with with tangd
- itself
-
-When an HTTP parser error happens, tangd is currently exiting with an
-error status, which may cause trouble in some scenarios [1].
-
-However, we don't exit with an error in situations where we try requests
-that do not exist, for instance. It makes sense to only exit with an
-error when the error was with tangd itself, e.g.: when we are unable to
-read the directory with the keys, not when the actual HTTP operation
-does not succeed for some reason.
-
-Upstream: https://github.com/latchset/tang/pull/55
-
-[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828558
----
- src/tangd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tangd.c b/src/tangd.c
-index b569f38..d40201f 100644
---- a/src/tangd.c
-+++ b/src/tangd.c
-@@ -225,7 +225,7 @@ main(int argc, char *argv[])
-         if (parser.http_errno != 0) {
-             fprintf(stderr, "HTTP Parsing Error: %s\n",
-                     http_errno_description(parser.http_errno));
--            return EXIT_FAILURE;
-+            return EXIT_SUCCESS;
-         }
- 
-         memmove(req, &req[r], rcvd - r);
--- 
-2.27.0
-

SOURCES/0003-Fix-permissions-race-condition.patch

@@ -1,31 +0,0 @@
---- tang-7.ori/src/tangd-keygen	2017-06-10 15:29:39.000000000 +0200
-+++ tang-7/src/tangd-keygen	2023-06-28 11:40:01.700819479 +0200
-@@ -27,6 +27,8 @@
- 
- [ $# -eq 3 ] && sig=$2 && exc=$3
- 
-+# Set default umask for file creation.
-+umask 0337
- jwe=`jose jwk gen -i '{"alg":"ES512"}'`
- [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
- echo "$jwe" > $1/$sig.jwk
---- tang-7.ori/src/keys.c	2023-06-28 09:57:08.706712410 +0200
-+++ tang-7/src/keys.c	2023-06-28 11:43:41.742247417 +0200
-@@ -23,6 +23,7 @@
- #include <jose/io.h>
- #include <jansson.h>
- #include <string.h>
-+#include <sys/stat.h>
- 
- #include "util.h"
- #include "keys.h"
-@@ -557,6 +558,9 @@
-     /* At this point, there are no keys, so let's create them. */
-     const char *alg[] = {"ES512", "ECMR", NULL};
-     char path[PATH_MAX];
-+
-+    /* Set default umask for file creation. */
-+    umask(0337);
-     for (int i = 0; alg[i] != NULL; i++) {
-         struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
-         if (!jwk) {

SOURCES/0004-Set-tang-owner-group.patch

@@ -1,26 +0,0 @@
---- tang-7.ori/src/tangd-keygen	2023-07-21 11:45:39.091100369 +0200
-+++ tang-7/src/tangd-keygen	2023-07-21 11:47:58.813612221 +0200
-@@ -20,6 +20,13 @@
- 
- trap 'exit' ERR
- 
-+set_perms() {
-+    chmod -- 0440 "${1}"
-+    if ! chown -- "tang:tang" "${1}" 2>/dev/null; then
-+        echo "Unable to change owner/group for ${1} to tang:tang" >&2
-+    fi
-+}
-+
- if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
-     echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
-     exit 1
-@@ -32,7 +39,9 @@
- jwe=`jose jwk gen -i '{"alg":"ES512"}'`
- [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
- echo "$jwe" > $1/$sig.jwk
-+set_perms "$1/$sig.jwk"
- 
- jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
- [ -z "$exc" ] && exc=`echo "$jwe" | jose jwk thp -i-`
- echo "$jwe" > $1/$exc.jwk
-+set_perms "$1/$exc.jwk"

SPECS/tang.spec

@@ -1,163 +0,0 @@
-Name:           tang
-Version:        7
-Release:        8%{?dist}
-Summary:        Network Presence Binding Daemon
-
-License:        GPLv3+
-URL:            https://github.com/latchset/%{name}
-Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
-Patch1: 0001-Move-key-generation-to-tang.patch
-Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
-Patch3: 0003-Fix-permissions-race-condition.patch
-Patch4: 0004-Set-tang-owner-group.patch
-
-BuildRequires:  gcc
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  jose >= 8
-BuildRequires:  libjose-devel >= 8
-BuildRequires:  libjose-zlib-devel >= 8
-BuildRequires:  libjose-openssl-devel >= 8
-
-BuildRequires:  http-parser-devel >= 2.7.1-3
-BuildRequires:  systemd-devel
-BuildRequires:  pkgconfig
-
-BuildRequires:  systemd
-BuildRequires:  curl
-
-BuildRequires:  asciidoc
-BuildRequires:  coreutils
-BuildRequires:  grep
-BuildRequires:  sed
-BuildRequires:  git-core
-
-%{?systemd_requires}
-Requires:       coreutils
-Requires:       jose >= 8
-Requires:       grep
-Requires:       sed
-
-Requires(pre):  shadow-utils
-
-%description
-Tang is a small daemon for binding data to the presence of a third party.
-
-%prep
-%autosetup -S git
-
-%build
-autoreconf -i
-%configure
-make %{?_smp_mflags} V=1
-
-%install
-rm -rf $RPM_BUILD_ROOT
-%make_install
-echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
-%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
-
-%check
-if ! make %{?_smp_mflags} check; then
-    cat test-suite.log
-    false
-fi
-
-%pre
-getent group %{name} >/dev/null || groupadd -r %{name}
-getent passwd %{name} >/dev/null || \
-    useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-    -c "Tang Network Presence Daemon user" %{name}
-exit 0
-
-%post
-%systemd_post %{name}d.socket
-
-%preun
-%systemd_preun %{name}d.socket
-
-%postun
-%systemd_postun_with_restart %{name}d.socket
-
-%files
-%license COPYING
-%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
-%{_unitdir}/%{name}d@.service
-%{_unitdir}/%{name}d.socket
-%{_libexecdir}/%{name}d-keygen
-%{_libexecdir}/%{name}d
-%{_mandir}/man8/tang.8*
-%{_bindir}/%{name}-show-keys
-%{_mandir}/man1/tang-show-keys.1*
-
-%changelog
-* Fri Jul 21 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-8
-- Set correct user/group (tang/tang) in tangd-keygen
-  Resolves: rhbz#2188743
-
-* Wed Jun 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-7
-- Fix race condition when creating/rotating keys
-  Resolves: rhbz#2182410
-  Resolves: CVE-2023-1672
-
-* Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6
-- Exit with success unless the issue was with with tangd itself
-  Resolves: rhbz#1828558
-
-* Sun Dec 01 2019 Sergio Correia <scorreia@redhat.com> - 7-5
-- Permissions of /var/db/tang set to 0700
-- Home dir of user tang is /var/cache/tang
-
-* Fri Nov 29 2019 Sergio Correia <scorreia@redhat.com> - 7-4
-- Fix permissions of /var/db/tang
-
-* Tue Oct 15 2019 Sergio Correia <scorreia@redhat.com> - 7-3
-- Rebuild to ensure correct dist tag
-
-* Sun Sep 29 2019 Sergio Correia <scorreia@redhat.com> - 7-2
-- Move key generation to tang
-- Resolves rhbz#1745177, rhbz#1679186
-
-* Fri Aug 10 2018 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
-- New upstream release
-- Retire tang-nagios package (now separate upstream)
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
-- New upstream release
-
-* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-2
-- Fix incorrect dependencies
-
-* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
-- New upstream release
-
-* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-2
-- Fix a race condition in one of the tests
-
-* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
-- New upstream release
-- Add nagios subpackage
-
-* Wed Oct 26 2016 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
-- New upstream release
-
-* Wed Oct 19 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
-- New upstream release
-
-* Tue Aug 23 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
-- First release

changelog

@@ -0,0 +1,132 @@
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 14-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 11 2024 Sergio Correia <scorreia@redhat.com> - 14.3
+- Use llhttp instead of http-parser
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jun 14 2023 Sergio Arroutbi <sarroutb@redhat.com> - 14-1
+- New upstream release - v14
+  Resolves: rhbz#2180990
+
+* Fri Feb 10 2023 Sergio Arroutbi <sarroutb@redhat.com> - 13-1
+- New upstream release - v13
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Dec 07 2022 Sergio Correia <scorreia@redhat.com> - 11-5
+- Report error details when json_load_file() fails
+
+* Wed Aug 17 2022 Sergio Arroutbi <sarroutb@redhat.com> - 11-4
+- Adopt systemd-sysusers format
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Dec 14 2021 Sergio Correia <scorreia@redhat.com> - 11-1
+- New upstream release - v11.
+  Resolves: CVE-2021-4076
+
+* Mon Oct 04 2021 Sergio Arroutbi <sarroutb@redhat.com> - 10-5
+- Fix scriptlet from previous commit
+
+* Mon Oct 04 2021 Sergio Correia <scorreia@redhat.com> - 10-4
+- Keys are created with 0440 mode
+  Resolves rhbz#2008204
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 20 2021 Sergio Correia <scorreia@redhat.com> - 10-2
+- Fix issues reported by shellcheck and a possible NULL pointer
+  dereference reported by gcc static analyzer (3d770c6, 262d98f)
+
+* Wed May 05 2021 Sergio Correia <scorreia@redhat.com> - 10-1
+- New upstream release - v10.
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8-3
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 8-2
+- Remove extra patches as they are already included in v8 release
+
+* Mon Feb 08 2021 Sergio Correia <scorreia@redhat.com> - 8-1
+- New upstream release - v8.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 1 2020 Sergio Correia <scorreia@redhat.com> - 7.8
+- Move build system to meson
+  Upstream commits (fed9020, 590de27)
+- Move key handling to tang itself
+  Upstream commits (6090505, c71df1d, 7119454)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Apr 15 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 7-6
+- Rebuild for http-parser 2.9.4
+
+* Tue Feb 25 2020 Sergio Correia <scorreia@redhat.com> - 7-5
+- Rebuilt after http-parser update
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Aug 10 2018 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
+- New upstream release
+- Retire tang-nagios package (now separate upstream)
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
+- New upstream release
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-2
+- Fix incorrect dependencies
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
+- New upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-2
+- Fix a race condition in one of the tests
+
+* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
+- New upstream release
+- Add nagios subpackage
+
+* Wed Oct 26 2016 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
+- New upstream release
+
+* Wed Oct 19 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
+- New upstream release
+
+* Tue Aug 23 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
+- First release

ci_tests.fmf

@@ -0,0 +1,17 @@
+/e2e:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/tang-plans.git
+      name: /generic/e2e_ci
+
+/e2e_internal:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/tang-plans.git
+      name: /generic/e2e_ci_internal
+
+/rpmverify:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/tang-plans.git
+      name: /generic/rpmverify

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

sources

@@ -0,0 +1 @@
+SHA512 (tang-14.tar.xz) = 1f41542116c27cd4c05f683d0b03a51fca37f07abc13f9a8301602fff0b8681383875f5c4fa7fe5f1c7e216790ff84f2271432836b126c825e6b1a55e1cf44fc

tang.spec

@@ -0,0 +1,109 @@
+Name:           tang
+Version:        14
+Release:        %autorelease
+Summary:        Network Presence Binding Daemon
+
+License:        GPL-3.0-or-later
+URL:            https://github.com/latchset/%{name}
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Source1:        tang.sysusers
+Patch: 0001-Add-support-for-building-with-llhttp-instead-of-http.patch
+Patch: 0002-Fix-issue-introduced-in-http-parser-llhttp-conversio.patch
+
+BuildRequires:  gcc
+BuildRequires:  meson
+BuildRequires:  git-core
+BuildRequires:  jose >= 8
+BuildRequires:  libjose-devel >= 8
+BuildRequires:  libjose-zlib-devel >= 8
+BuildRequires:  libjose-openssl-devel >= 8
+
+BuildRequires:  llhttp-devel
+BuildRequires:  systemd-devel
+BuildRequires:  pkgconfig
+
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  curl
+
+BuildRequires:  asciidoc
+BuildRequires:  coreutils
+BuildRequires:  grep
+BuildRequires:  socat
+BuildRequires:  sed
+BuildRequires:  iproute
+
+%{?systemd_ordering}
+Requires:       coreutils
+Requires:       jose >= 8
+Requires:       llhttp
+Requires:       grep
+Requires:       sed
+
+Requires(pre):  shadow-utils
+
+%description
+Tang is a small daemon for binding data to the presence of a third party.
+
+%prep
+%autosetup -S git
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tang.conf
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
+
+%check
+%meson_test \
+%ifarch riscv64
+    --timeout-multiplier 10 \
+%endif
+    %{nil}
+
+%pre
+%sysusers_create_compat %{SOURCE1}
+exit 0
+
+%post
+%systemd_post %{name}d.socket
+
+# Let's make sure any existing keys are readable only
+# by the owner/group.
+if [ -d /var/db/tang ]; then
+    for k in /var/db/tang/*.jwk; do
+        test -e "${k}" || continue
+        chmod 0440 -- "${k}"
+    done
+    for k in /var/db/tang/.*.jwk; do
+        test -e "${k}" || continue
+        chmod 0440 -- "${k}"
+    done
+    chown tang:tang -R /var/db/tang
+fi
+
+%preun
+%systemd_preun %{name}d.socket
+
+%postun
+%systemd_postun_with_restart %{name}d.socket
+
+%files
+%license COPYING
+%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
+%{_unitdir}/%{name}d@.service
+%{_unitdir}/%{name}d.socket
+%{_libexecdir}/%{name}d-keygen
+%{_libexecdir}/%{name}d-rotate-keys
+%{_libexecdir}/%{name}d
+%{_mandir}/man8/tang.8*
+%{_bindir}/%{name}-show-keys
+%{_mandir}/man1/tang-show-keys.1*
+%{_mandir}/man1/tangd-rotate-keys.1.*
+%{_sysusersdir}/tang.conf
+
+%changelog
+%autochangelog

tang.sysusers

@@ -0,0 +1 @@
+u tang - "Tang Network Presence Daemon user" /var/cache/tang -