Compare commits

...

No commits in common. "c9s" and "c8" have entirely different histories.
c9s ... c8

12 changed files with 2002 additions and 235 deletions

View File

@ -1 +0,0 @@
1

6
.gitignore vendored
View File

@ -1,5 +1 @@
/tang-7.tar.bz2 SOURCES/tang-7.tar.bz2
/tang-8.tar.xz
/tang-10.tar.xz
/tang-11.tar.xz
/tang-14.tar.xz

File diff suppressed because it is too large.

View File

@ -0,0 +1,38 @@
From ea43ca02cf52d0455c6949683692a95e38ccdf70 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 4 Dec 2020 09:05:19 -0300
Subject: [PATCH 2/2] Exit with success unless the issue was with with tangd
itself
When an HTTP parser error happens, tangd is currently exiting with an
error status, which may cause trouble in some scenarios [1].
However, we don't exit with an error in situations where we try requests
that do not exist, for instance. It makes sense to only exit with an
error when the error was with tangd itself, e.g.: when we are unable to
read the directory with the keys, not when the actual HTTP operation
does not succeed for some reason.
Upstream: https://github.com/latchset/tang/pull/55
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828558
---
src/tangd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tangd.c b/src/tangd.c
index b569f38..d40201f 100644
--- a/src/tangd.c
+++ b/src/tangd.c
@@ -225,7 +225,7 @@ main(int argc, char *argv[])
if (parser.http_errno != 0) {
fprintf(stderr, "HTTP Parsing Error: %s\n",
http_errno_description(parser.http_errno));
- return EXIT_FAILURE;
+ return EXIT_SUCCESS;
}
memmove(req, &req[r], rcvd - r);
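Review bot: with `return EXIT_SUCCESS` replacing `return EXIT_FAILURE` on `parser.http_errno != 0`, a malformed or truncated request now ends this tangd instance with the same status as a clean one, so anyone who relied on the unit's failed state to notice garbage on the wire loses that signal; the only remaining trace is the `fprintf(stderr, "HTTP Parsing Error: %s\n", ...)` line, so keep that diagnostic (as this hunk does) and make sure stderr of the socket-activated instance is actually captured by the journal. The `memmove(req, &req[r], rcvd - r)` below stays unreachable for the error case, which matches the intent of stopping at the first parse error rather than resynchronising.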
--
2.27.0

View File

@ -0,0 +1,31 @@
--- tang-7.ori/src/tangd-keygen 2017-06-10 15:29:39.000000000 +0200
+++ tang-7/src/tangd-keygen 2023-06-28 11:40:01.700819479 +0200
@@ -27,6 +27,8 @@
[ $# -eq 3 ] && sig=$2 && exc=$3
+# Set default umask for file creation.
+umask 0337
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
echo "$jwe" > $1/$sig.jwk
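Review bot: `umask 0337` only governs the mode a file gets when it is created; when the script is re-run with an explicit `<sig>` thumbprint and `$1/$sig.jwk` already exists, `echo "$jwe" > $1/$sig.jwk` truncates that file in place and it keeps whatever mode it had before, so the overwrite case is not covered by this fix. Either remove the old file before the redirect or `chmod 0440` the path right after the write, and quote `"$1/$sig.jwk"` while touching the line.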
--- tang-7.ori/src/keys.c 2023-06-28 09:57:08.706712410 +0200
+++ tang-7/src/keys.c 2023-06-28 11:43:41.742247417 +0200
@@ -23,6 +23,7 @@
#include <jose/io.h>
#include <jansson.h>
#include <string.h>
+#include <sys/stat.h>
#include "util.h"
#include "keys.h"
@@ -557,6 +558,9 @@
/* At this point, there are no keys, so let's create them. */
const char *alg[] = {"ES512", "ECMR", NULL};
char path[PATH_MAX];
+
+ /* Set default umask for file creation. */
+ umask(0337);
for (int i = 0; alg[i] != NULL; i++) {
struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
if (!jwk) {
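Review bot: `umask(0337)` here is process-wide and is never restored, so every file the daemon creates after this point inherits the mask (a `mkdir` under it would produce a directory with no execute bits and be unusable), and it is set even though only the key files written in this loop need it. Save the old mask with `mode_t old = umask(0337);` and restore it once the loop has written the keys, or pass the restrictive mode directly when the key file is opened so the umask does not have to change at all.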

View File

@ -0,0 +1,26 @@
--- tang-7.ori/src/tangd-keygen 2023-07-21 11:45:39.091100369 +0200
+++ tang-7/src/tangd-keygen 2023-07-21 11:47:58.813612221 +0200
@@ -20,6 +20,13 @@
trap 'exit' ERR
+set_perms() {
+ chmod -- 0440 "${1}"
+ if ! chown -- "tang:tang" "${1}" 2>/dev/null; then
+ echo "Unable to change owner/group for ${1} to tang:tang" >&2
+ fi
+}
+
if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
exit 1
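Review bot: `set_perms` hides a chown failure: when `chown -- "tang:tang" "${1}" 2>/dev/null` fails it only prints a warning and the function still returns 0, so a key left owned by whoever ran the script (root running it by hand, for instance) goes unnoticed by the caller. Also note that the `trap 'exit' ERR` above does not, in bash, fire inside a function body unless `set -E` is in effect, so a failing `chmod -- 0440 "${1}"` would be silent as well; return non-zero from `set_perms` on either failure so the script stops with a clear error.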
@@ -32,7 +39,9 @@
jwe=`jose jwk gen -i '{"alg":"ES512"}'`
[ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
echo "$jwe" > $1/$sig.jwk
+set_perms "$1/$sig.jwk"
jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
[ -z "$exc" ] && exc=`echo "$jwe" | jose jwk thp -i-`
echo "$jwe" > $1/$exc.jwk
+set_perms "$1/$exc.jwk"
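Review bot: `set_perms` runs only after `echo "$jwe" > $1/$exc.jwk` has already written the private key, so the at-creation protection still rests entirely on the earlier `umask 0337`; this hunk closes the ownership gap (tang:tang) rather than a permission window. The redirect target `$1/$sig.jwk` is unquoted while the `set_perms "$1/$sig.jwk"` argument is quoted: quote both so a directory path with whitespace cannot write the key to one path and chmod another.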

163
SPECS/tang.spec Normal file
View File

@ -0,0 +1,163 @@
Name: tang
Version: 7
Release: 8%{?dist}
Summary: Network Presence Binding Daemon
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
Patch1: 0001-Move-key-generation-to-tang.patch
Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
Patch3: 0003-Fix-permissions-race-condition.patch
Patch4: 0004-Set-tang-owner-group.patch
BuildRequires: gcc
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: jose >= 8
BuildRequires: libjose-devel >= 8
BuildRequires: libjose-zlib-devel >= 8
BuildRequires: libjose-openssl-devel >= 8
BuildRequires: http-parser-devel >= 2.7.1-3
BuildRequires: systemd-devel
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: curl
BuildRequires: asciidoc
BuildRequires: coreutils
BuildRequires: grep
BuildRequires: sed
BuildRequires: git-core
%{?systemd_requires}
Requires: coreutils
Requires: jose >= 8
Requires: grep
Requires: sed
Requires(pre): shadow-utils
%description
Tang is a small daemon for binding data to the presence of a third party.
%prep
%autosetup -S git
%build
autoreconf -i
%configure
make %{?_smp_mflags} V=1
%install
rm -rf $RPM_BUILD_ROOT
%make_install
echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
%check
if ! make %{?_smp_mflags} check; then
cat test-suite.log
false
fi
%pre
getent group %{name} >/dev/null || groupadd -r %{name}
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Tang Network Presence Daemon user" %{name}
exit 0
%post
%systemd_post %{name}d.socket
%preun
%systemd_preun %{name}d.socket
%postun
%systemd_postun_with_restart %{name}d.socket
%files
%license COPYING
%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
%{_unitdir}/%{name}d@.service
%{_unitdir}/%{name}d.socket
%{_libexecdir}/%{name}d-keygen
%{_libexecdir}/%{name}d
%{_mandir}/man8/tang.8*
%{_bindir}/%{name}-show-keys
%{_mandir}/man1/tang-show-keys.1*
%changelog
* Fri Jul 21 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-8
- Set correct user/group (tang/tang) in tangd-keygen
Resolves: rhbz#2188743
* Wed Jun 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-7
- Fix race condition when creating/rotating keys
Resolves: rhbz#2182410
Resolves: CVE-2023-1672
* Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6
- Exit with success unless the issue was with with tangd itself
Resolves: rhbz#1828558
* Sun Dec 01 2019 Sergio Correia <scorreia@redhat.com> - 7-5
- Permissions of /var/db/tang set to 0700
- Home dir of user tang is /var/cache/tang
* Fri Nov 29 2019 Sergio Correia <scorreia@redhat.com> - 7-4
- Fix permissions of /var/db/tang
* Tue Oct 15 2019 Sergio Correia <scorreia@redhat.com> - 7-3
- Rebuild to ensure correct dist tag
* Sun Sep 29 2019 Sergio Correia <scorreia@redhat.com> - 7-2
- Move key generation to tang
- Resolves rhbz#1745177, rhbz#1679186
* Fri Aug 10 2018 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- New upstream release
- Retire tang-nagios package (now separate upstream)
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-2
- Fix incorrect dependencies
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-2
- Fix a race condition in one of the tests
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
- Add nagios subpackage
* Wed Oct 26 2016 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Wed Oct 19 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Tue Aug 23 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release

View File

@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

View File

@ -1 +0,0 @@
SHA512 (tang-14.tar.xz) = 1f41542116c27cd4c05f683d0b03a51fca37f07abc13f9a8301602fff0b8681383875f5c4fa7fe5f1c7e216790ff84f2271432836b126c825e6b1a55e1cf44fc

213
tang.spec
View File

@ -1,213 +0,0 @@
Name: tang
Version: 14
Release: 2%{?dist}
Summary: Network Presence Binding Daemon
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: tang.sysusers
BuildRequires: gcc
BuildRequires: meson
BuildRequires: git-core
BuildRequires: jose >= 8
BuildRequires: libjose-devel >= 8
BuildRequires: libjose-zlib-devel >= 8
BuildRequires: libjose-openssl-devel >= 8
BuildRequires: http-parser-devel >= 2.7.1-3
BuildRequires: systemd-devel
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: curl
BuildRequires: asciidoc
BuildRequires: coreutils
BuildRequires: grep
BuildRequires: socat
BuildRequires: sed
BuildRequires: iproute
%{?systemd_requires}
Requires: coreutils
Requires: jose >= 8
Requires: grep
Requires: sed
Requires(pre): shadow-utils
%description
Tang is a small daemon for binding data to the presence of a third party.
%prep
%autosetup -S git
%build
%meson
%meson_build
%install
%meson_install
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tang.conf
grep "User=%{name}" $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service || echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
%check
%meson_test
%pre
%sysusers_create_compat %{SOURCE1}
exit 0
%post
%systemd_post %{name}d.socket
# Let's make sure any existing keys are readable only
# by the owner/group.
if [ -d /var/db/tang ]; then
for k in /var/db/tang/*.jwk; do
test -e "${k}" || continue
chmod 0440 -- "${k}"
done
for k in /var/db/tang/.*.jwk; do
test -e "${k}" || continue
chmod 0440 -- "${k}"
done
chown tang:tang -R /var/db/tang
fi
%preun
%systemd_preun %{name}d.socket
%postun
%systemd_postun_with_restart %{name}d.socket
%files
%license COPYING
%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
%{_unitdir}/%{name}d@.service
%{_unitdir}/%{name}d.socket
%{_libexecdir}/%{name}d-keygen
%{_libexecdir}/%{name}d-rotate-keys
%{_libexecdir}/%{name}d
%{_mandir}/man8/tang.8*
%{_bindir}/%{name}-show-keys
%{_mandir}/man1/tang-show-keys.1*
%{_mandir}/man1/tangd-rotate-keys.1.*
%{_sysusersdir}/tang.conf
%changelog
* Thu Jun 29 2023 Sergio Arroutbi <sarroutb@redhat.com> - 14-2
- Fix service start up
* Tue Jun 27 2023 Sergio Arroutbi <sarroutb@redhat.com> - 14-1
- New upstream release - v14.
Resolves: rhbz#2182411
Resolves: CVE-2023-1672
* Wed Aug 17 2022 Sergio Arroutbi <sarroutb@redhat.com> - 11-2
- Adopt systemd-sysusers format
Resolves: rhbz#2095474
* Tue Dec 14 2021 Sergio Correia <scorreia@redhat.com> - 11-1
- New upstream release - v11.
Resolves: CVE-2021-4076
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 10-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 10-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Thu May 20 2021 Sergio Correia <scorreia@redhat.com> - 10-2
- Fix issues reported by static analyzer checks
Resolves: rhbz#1956765
* Wed May 05 2021 Sergio Correia <scorreia@redhat.com> - 10-1
- New upstream release - v10.
Resolves: rhbz#1956765
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 8-2
- Remove extra patches as they are already included in v8 release
* Mon Feb 08 2021 Sergio Correia <scorreia@redhat.com> - 8-1
- New upstream release - v8.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 1 2020 Sergio Correia <scorreia@redhat.com> - 7.8
- Move build system to meson
Upstream commits (fed9020, 590de27)
- Move key handling to tang itself
Upstream commits (6090505, c71df1d, 7119454)
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Apr 15 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 7-6
- Rebuild for http-parser 2.9.4
* Tue Feb 25 2020 Sergio Correia <scorreia@redhat.com> - 7-5
- Rebuilt after http-parser update
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Aug 10 2018 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- New upstream release
- Retire tang-nagios package (now separate upstream)
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-2
- Fix incorrect dependencies
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-2
- Fix a race condition in one of the tests
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
- Add nagios subpackage
* Wed Oct 26 2016 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Wed Oct 19 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Tue Aug 23 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release
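The two pieces of hardening on this page, the `umask 0337` before the key is written (patches 0003/0004 for tang-7) and the `%post` loop in the c9s spec that clamps every existing `*.jwk` and `.*.jwk` to 0440, are shown below as an added, runnable example. It is not code from the tang project or its packaging. It assumes a POSIX sh with GNU coreutils (`stat -c`, `mktemp`, `chmod`), uses a constructed placeholder string instead of a real JWK so no `jose` binary is needed, and leaves out `chown tang:tang` because that requires root and the tang user. It also goes one step past the patches: a temp-file-then-rename writer that keeps 0440 on overwrite as well as on create, which the bare-redirect approach does not.

```shell
# Added example, not tang's own code. GNU coreutils assumed.

# Print the octal mode of a file, e.g. 440 for 0440.
key_mode() {
    stat -c '%a' -- "$1"
}

# Patch-style write: umask, then a bare redirect. A new file is created 0440,
# but a redirect onto an existing file truncates it in place and keeps the
# old mode, so this protects creation only (the caveat noted on the patch).
write_key_file_umask() {
    (
        umask 0337
        printf '%s\n' "$2" > "$1"
    )
}

# Overwrite-safe write: build the key under a private temp name (mktemp
# creates it 0600), clamp the mode while it is still unpublished, then
# rename into place. The target path never exists with a wider mode.
write_key_file() {
    path=$1
    content=$2
    dir=$(dirname -- "$path")
    tmp=$(mktemp "$dir/.keytmp.XXXXXX") || return 1
    if ! printf '%s\n' "$content" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    chmod 0440 -- "$tmp" || { rm -f -- "$tmp"; return 1; }
    mv -f -- "$tmp" "$path"
}

# Equivalent of the c9s %post loop: clamp every visible and hidden .jwk in
# the directory to 0440 and print how many files were touched.
fix_existing_key_modes() {
    dir=$1
    count=0
    for k in "$dir"/*.jwk "$dir"/.*.jwk; do
        [ -e "$k" ] || continue
        chmod 0440 -- "$k" || return 1
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}
```

Run the functions against a scratch directory from `mktemp -d`: `write_key_file_umask` onto a pre-existing 0644 file leaves it at 0644, which is exactly the gap `fix_existing_key_modes` (and the spec's `%post`) exists to close for keys generated by older builds.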

View File

@ -1 +0,0 @@
u tang - "Tang Network Presence Daemon user" /var/cache/tang -

View File

@ -1,8 +0,0 @@
summary: CI for tang MR's on c9s branch
discover:
- how: fmf
url: https://github.com/RedHat-SP-Security/tang-tests
filter: component:tang & tag:CI-Tier-1
execute:
how: tmt