8 changed files with 1886 additions and 96 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/tang-14.tar.xz
+SOURCES/tang-7.tar.bz2
--- a/.tang.metadata
+++ b/.tang.metadata
@ -1 +1 @@
-81a09f024fcb0e8b53bb867b2679ebab14555791 SOURCES/tang-14.tar.xz
+e08a9fec3760328fd263a347b497898fb3c0e891 SOURCES/tang-7.tar.bz2
--- a/SOURCES/0001-Move-key-generation-to-tang.patch
+++ b/SOURCES/0001-Move-key-generation-to-tang.patch
--- a/SOURCES/0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
+++ b/SOURCES/0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
@ -0,0 +1,38 @@
+From ea43ca02cf52d0455c6949683692a95e38ccdf70 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Fri, 4 Dec 2020 09:05:19 -0300
+Subject: [PATCH 2/2] Exit with success unless the issue was with with tangd
+ itself
+
+When an HTTP parser error happens, tangd is currently exiting with an
+error status, which may cause trouble in some scenarios [1].
+
+However, we don't exit with an error in situations where we try requests
+that do not exist, for instance. It makes sense to only exit with an
+error when the error was with tangd itself, e.g.: when we are unable to
+read the directory with the keys, not when the actual HTTP operation
+does not succeed for some reason.
+
+Upstream: https://github.com/latchset/tang/pull/55
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828558
+---
+ src/tangd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tangd.c b/src/tangd.c
+index b569f38..d40201f 100644
+--- a/src/tangd.c
+++ b/src/tangd.c
+@@ -225,7 +225,7 @@ main(int argc, char *argv[])
+         if (parser.http_errno != 0) {
+             fprintf(stderr, "HTTP Parsing Error: %s\n",
+                     http_errno_description(parser.http_errno));
+-            return EXIT_FAILURE;
+            return EXIT_SUCCESS;
+         }
+ 
+         memmove(req, &req[r], rcvd - r);
+-- 
+2.27.0
+
--- a/SOURCES/0003-Fix-permissions-race-condition.patch
+++ b/SOURCES/0003-Fix-permissions-race-condition.patch
@ -0,0 +1,31 @@
+--- tang-7.ori/src/tangd-keygen	2017-06-10 15:29:39.000000000 +0200
+++ tang-7/src/tangd-keygen	2023-06-28 11:40:01.700819479 +0200
+@@ -27,6 +27,8 @@
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
+# Set default umask for file creation.
+umask 0337
+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$sig.jwk
+--- tang-7.ori/src/keys.c	2023-06-28 09:57:08.706712410 +0200
+++ tang-7/src/keys.c	2023-06-28 11:43:41.742247417 +0200
+@@ -23,6 +23,7 @@
+ #include <jose/io.h>
+ #include <jansson.h>
+ #include <string.h>
+#include <sys/stat.h>
+ 
+ #include "util.h"
+ #include "keys.h"
+@@ -557,6 +558,9 @@
+     /* At this point, there are no keys, so let's create them. */
+     const char *alg[] = {"ES512", "ECMR", NULL};
+     char path[PATH_MAX];
+
+    /* Set default umask for file creation. */
+    umask(0337);
+     for (int i = 0; alg[i] != NULL; i++) {
+         struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
+         if (!jwk) {
--- a/SOURCES/0004-Set-tang-owner-group.patch
+++ b/SOURCES/0004-Set-tang-owner-group.patch
@ -0,0 +1,26 @@
+--- tang-7.ori/src/tangd-keygen	2023-07-21 11:45:39.091100369 +0200
+++ tang-7/src/tangd-keygen	2023-07-21 11:47:58.813612221 +0200
+@@ -20,6 +20,13 @@
+ 
+ trap 'exit' ERR
+ 
+set_perms() {
+    chmod -- 0440 "${1}"
+    if ! chown -- "tang:tang" "${1}" 2>/dev/null; then
+        echo "Unable to change owner/group for ${1} to tang:tang" >&2
+    fi
+}
+
+ if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
+     echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
+     exit 1
+@@ -32,7 +39,9 @@
+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$sig.jwk
+set_perms "$1/$sig.jwk"
+ 
+ jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
+ [ -z "$exc" ] && exc=`echo "$jwe" | jose jwk thp -i-`
+ echo "$jwe" > $1/$exc.jwk
+set_perms "$1/$exc.jwk"
--- a/SOURCES/tang.sysusers
+++ b/SOURCES/tang.sysusers
@ -1 +0,0 @@
-u tang - "Tang Network Presence Daemon user" /var/cache/tang -
--- a/SPECS/tang.spec
+++ b/SPECS/tang.spec
@ -1,16 +1,19 @@
 Name:           tang
-Version:        14
-Release:        2%{?dist}
+Version:        7
+Release:        8%{?dist}
 Summary:        Network Presence Binding Daemon

 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
-Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
-Source1:        tang.sysusers
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
+Patch1: 0001-Move-key-generation-to-tang.patch
+Patch2: 0002-Exit-with-success-unless-the-issue-was-with-with-tan.patch
+Patch3: 0003-Fix-permissions-race-condition.patch
+Patch4: 0004-Set-tang-owner-group.patch

 BuildRequires:  gcc
-BuildRequires:  meson
-BuildRequires:  git-core
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  jose >= 8
 BuildRequires:  libjose-devel >= 8
 BuildRequires:  libjose-zlib-devel >= 8
@ -21,15 +24,13 @@ BuildRequires:  systemd-devel
 BuildRequires:  pkgconfig

 BuildRequires:  systemd
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  curl

 BuildRequires:  asciidoc
 BuildRequires:  coreutils
 BuildRequires:  grep
-BuildRequires:  socat
 BuildRequires:  sed
-BuildRequires:  iproute
+BuildRequires:  git-core

 %{?systemd_requires}
 Requires:       coreutils
@ -46,39 +47,32 @@ Tang is a small daemon for binding data to the presence of a third party.
 %autosetup -S git

 %build
-%meson
-%meson_build
+autoreconf -i
+%configure
+make %{?_smp_mflags} V=1

 %install
-%meson_install
-install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tang.conf
-grep "User=%{name}" $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service || echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
+rm -rf $RPM_BUILD_ROOT
+%make_install
+echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}

 %check
-%meson_test
+if ! make %{?_smp_mflags} check; then
+    cat test-suite.log
+    false
+fi

 %pre
-%sysusers_create_compat %{SOURCE1}
+getent group %{name} >/dev/null || groupadd -r %{name}
+getent passwd %{name} >/dev/null || \
+    useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
+    -c "Tang Network Presence Daemon user" %{name}
 exit 0

 %post
 %systemd_post %{name}d.socket

-# Let's make sure any existing keys are readable only
-# by the owner/group.
-if [ -d /var/db/tang ]; then
-    for k in /var/db/tang/*.jwk; do
-        test -e "${k}" || continue
-        chmod 0440 -- "${k}"
-    done
-    for k in /var/db/tang/.*.jwk; do
-        test -e "${k}" || continue
-        chmod 0440 -- "${k}"
-    done
-    chown tang:tang -R /var/db/tang
-fi
-
 %preun
 %systemd_preun %{name}d.socket

@ -91,82 +85,41 @@ fi
 %{_unitdir}/%{name}d@.service
 %{_unitdir}/%{name}d.socket
 %{_libexecdir}/%{name}d-keygen
-%{_libexecdir}/%{name}d-rotate-keys
 %{_libexecdir}/%{name}d
 %{_mandir}/man8/tang.8*
 %{_bindir}/%{name}-show-keys
 %{_mandir}/man1/tang-show-keys.1*
-%{_mandir}/man1/tangd-rotate-keys.1.*
-%{_sysusersdir}/tang.conf

 %changelog
-* Thu Jun 29 2023 Sergio Arroutbi <sarroutb@redhat.com> - 14-2
- Fix service start up
-
-* Tue Jun 27 2023 Sergio Arroutbi <sarroutb@redhat.com> - 14-1
- New upstream release - v14.
-  Resolves: rhbz#2182411
-  Resolves: CVE-2023-1672
-
-* Wed Aug 17 2022 Sergio Arroutbi <sarroutb@redhat.com> - 11-2
- Adopt systemd-sysusers format
-  Resolves: rhbz#2095474
-
-* Tue Dec 14 2021 Sergio Correia <scorreia@redhat.com> - 11-1
- New upstream release - v11.
-  Resolves: CVE-2021-4076
+* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 7-8
+- Rebuilt for MSVSphere 8.8

-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 10-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Fri Jul 21 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-8
+- Set correct user/group (tang/tang) in tangd-keygen
+  Resolves: rhbz#2188743

-* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 10-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Thu May 20 2021 Sergio Correia <scorreia@redhat.com> - 10-2
- Fix issues reported by static analyzer checks
-  Resolves: rhbz#1956765
-
-* Wed May 05 2021 Sergio Correia <scorreia@redhat.com> - 10-1
- New upstream release - v10.
-  Resolves: rhbz#1956765
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 8-2
- Remove extra patches as they are already included in v8 release
-
-* Mon Feb 08 2021 Sergio Correia <scorreia@redhat.com> - 8-1
- New upstream release - v8.
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Dec 1 2020 Sergio Correia <scorreia@redhat.com> - 7.8
- Move build system to meson
-  Upstream commits (fed9020, 590de27)
- Move key handling to tang itself
-  Upstream commits (6090505, c71df1d, 7119454)
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Wed Jun 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 7-7
+- Fix race condition when creating/rotating keys
+  Resolves: rhbz#2182410
+  Resolves: CVE-2023-1672

-* Wed Apr 15 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 7-6
- Rebuild for http-parser 2.9.4
+* Wed Jan 13 2021 Sergio Correia <scorreia@redhat.com> - 7-6
+- Exit with success unless the issue was with with tangd itself
+  Resolves: rhbz#1828558

-* Tue Feb 25 2020 Sergio Correia <scorreia@redhat.com> - 7-5
- Rebuilt after http-parser update
+* Sun Dec 01 2019 Sergio Correia <scorreia@redhat.com> - 7-5
+- Permissions of /var/db/tang set to 0700
+- Home dir of user tang is /var/cache/tang

-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+* Fri Nov 29 2019 Sergio Correia <scorreia@redhat.com> - 7-4
+- Fix permissions of /var/db/tang

-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Tue Oct 15 2019 Sergio Correia <scorreia@redhat.com> - 7-3
+- Rebuild to ensure correct dist tag

-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+* Sun Sep 29 2019 Sergio Correia <scorreia@redhat.com> - 7-2
+- Move key generation to tang
+- Resolves rhbz#1745177, rhbz#1679186

 * Fri Aug 10 2018 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
 - New upstream release
				`@ -1 +0,0 @@`
				`u tang - "Tang Network Presence Daemon user" /var/cache/tang -`