project/ucert.git
4 years agoDo not print line number in debug messages master
Matthias Schiffer [Sat, 16 May 2020 21:04:05 +0000 (23:04 +0200)]
Do not print line number in debug messages

The line number does not add any significant information, and it makes
the unit tests which check for these debug messages very fragile.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agoFix length checks in cert_load()
Matthias Schiffer [Sat, 16 May 2020 20:29:24 +0000 (22:29 +0200)]
Fix length checks in cert_load()

cert_load() iterates over multiple blobs, so the length argument to
blob_parse_untrusted() needs to be updated to prevent out-of-bounds
accesses.

Some other checks have become redundant and are removed, as
blob_parse_untrusted() already ensures that all attrs are contained in
the passed buffer.

Note that this issue currently does not pose a security threat, as an
over-restrictive check in blob_parse_untrusted() broke parsing of
buffers with multiple blobs completely.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: improve usign -F output handling
Matthias Schiffer [Sat, 16 May 2020 16:53:40 +0000 (18:53 +0200)]
usign-exec: improve usign -F output handling

While not likely to happen in pratice, nothing guarantees that read()
will retrieve more than 1 byte at a time. The easiest way to make this
code compliant is to wrap the file descriptor using fdopen().

While we're at it, also
- remove useless memset()
- check fingerprint for validity

The check is particularly relevant, as a usign bug [1] causing short
fingerprint outputs only went unnoticed for so long because the trailing
newline was considered one of the 16 characters ucert was expecting.

[1] https://patchwork.ozlabs.org/project/openwrt/patch/8ead1fd6a61117b54b4efd5111fe0d19e4eef9c5.1589642591.git.mschiffer@universe-factory.net/

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: return code fixes
Matthias Schiffer [Sat, 16 May 2020 16:45:23 +0000 (18:45 +0200)]
usign-exec: return code fixes

- WEXITSTATUS() should only be called when WIFEXITED() returns true
- Fix double WEXITSTATUS() in usign_f()

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: close writing end of pipe early in parent process
Matthias Schiffer [Sat, 16 May 2020 16:27:51 +0000 (18:27 +0200)]
usign-exec: close writing end of pipe early in parent process

When the child process exited without producing output (for example
because usign was not found), the parent process would hang forever in
read(). By closing the writing end early in the parent process, read
will return as soon as no writing FDs are left - that is, when the child
process has exited.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: remove redundant return statements
Matthias Schiffer [Sat, 16 May 2020 16:23:22 +0000 (18:23 +0200)]
usign-exec: remove redundant return statements

All switch() cases were already returning value or exiting. Instead,
move the default case out of the switch to reduce indentation (only
relevant for usign_f()).

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: change usign_f_* fingerprint argument to char[17]
Matthias Schiffer [Sat, 16 May 2020 16:18:24 +0000 (18:18 +0200)]
usign-exec: change usign_f_* fingerprint argument to char[17]

This makes it more obvious that a buffer with space for 17 characters is
expected to be passed. The code still works the same (a char[17] is
equivalent to char* as an argument).

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: do not close stdin and stderr before exec
Matthias Schiffer [Sat, 16 May 2020 16:00:24 +0000 (18:00 +0200)]
usign-exec: do not close stdin and stderr before exec

FDs 0, 1 and 2 should always be available. This also allows the exec error
message in the forked process to be displayed.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: fix exec error handling
Matthias Schiffer [Sat, 16 May 2020 15:53:29 +0000 (17:53 +0200)]
usign-exec: fix exec error handling

When execvp fails in the forked process, we must exit. Also add an error
message.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agousign-exec: simplify usign execv calls
Matthias Schiffer [Sat, 16 May 2020 12:52:35 +0000 (14:52 +0200)]
usign-exec: simplify usign execv calls

When the executable to exec is passed as an absolute path, execv() and
execvp() are equivalent, so there it no need to make the code hard to
read with #ifdefs.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agoIntroduce read_file() helper, improve error reporting
Matthias Schiffer [Sat, 16 May 2020 11:19:36 +0000 (13:19 +0200)]
Introduce read_file() helper, improve error reporting

This helper simplifies handling, ensures that there are no resource
leaks, and checks for EOF more robustly.

Also introduce error reporting at all call sites to give the user some
feedback when something went wrong.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agoFix return code of write_file()
Matthias Schiffer [Sat, 16 May 2020 11:33:55 +0000 (13:33 +0200)]
Fix return code of write_file()

write_file() returns 1/true on success; it should return 0/false when
opening the file fails.

To make it more obvious that is function returns true and not 0 on
success, also change its return type to bool.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agostdout/stderr improvements
Matthias Schiffer [Sat, 16 May 2020 11:26:55 +0000 (13:26 +0200)]
stdout/stderr improvements

- Print error messages to stderr
- fprintf(stdout, ...) is just printf(...)

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agoci: fix unit test failures by enabling full ucert build
Petr Štetiar [Tue, 21 Jan 2020 17:23:13 +0000 (18:23 +0100)]
ci: fix unit test failures by enabling full ucert build

Fixing following unit test failures:

 $ ucert -D -c $TEST_INPUTS/key-build.ucert
 ucert: invalid option -- 'D'

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoci: enable unit testing
Petr Štetiar [Thu, 26 Dec 2019 08:48:31 +0000 (09:48 +0100)]
ci: enable unit testing

In commit 4462ff9dedfa ("add cram based unit tests") some unit tests
were added so enable them on CI as well.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agofix certificate blob parsing vulnerability by using blob_parse_untrusted
Petr Štetiar [Mon, 16 Dec 2019 13:58:50 +0000 (14:58 +0100)]
fix certificate blob parsing vulnerability by using blob_parse_untrusted

blob_parse expects blobs from trusted inputs, but in this case it can be
supplied with possibly malicious certificates from untrusted inputs as
well, so in order to prevent such conditions, switch to
blob_parse_untrusted which should hopefully handle such inputs
appropriately.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agofix leaking memory in cert_dump_blob
Petr Štetiar [Mon, 16 Dec 2019 13:49:40 +0000 (14:49 +0100)]
fix leaking memory in cert_dump_blob

Fixes following valgrind reported memory leak:

 189 bytes in 1 blocks are definitely lost in loss record 3 of 4
    at realloc
    by blobmsg_format_json_with_cb
    by blobmsg_format_json_indent
    by cert_dump_blob (ucert.c:386)
    by cert_dump (ucert.c:405)
    by main (ucert.c:728)

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agofix possibly garbage value returned in cert_process_revoker
Petr Štetiar [Mon, 16 Dec 2019 13:34:20 +0000 (14:34 +0100)]
fix possibly garbage value returned in cert_process_revoker

Fixes following warning reported by clang-9 scan-build analyzer:

 ucert.c:585:2: warning: Undefined or garbage value returned to caller
        return ret;
        ^~~~~~~~~~

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoadd cram based unit tests
Petr Štetiar [Mon, 16 Dec 2019 13:43:19 +0000 (14:43 +0100)]
add cram based unit tests

For improved QA etc. for the start with initial test case for dump
command.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agocmake: split usign bits into static library
Petr Štetiar [Mon, 16 Dec 2019 13:29:57 +0000 (14:29 +0100)]
cmake: split usign bits into static library

So it could be reused easily in unit tests for example.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agocmake: reindent the file
Petr Štetiar [Mon, 16 Dec 2019 13:23:26 +0000 (14:23 +0100)]
cmake: reindent the file

In order to make the indentation consistent within the file.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agocmake: enable hardening compiler flags and fix the reported issues
Petr Štetiar [Mon, 16 Dec 2019 12:56:29 +0000 (13:56 +0100)]
cmake: enable hardening compiler flags and fix the reported issues

Lets enable some useful flags in order to spot possible issues during
QA on CI (GCC version 6 and higher). Fix warnings uncovered by this new
flags as reported by clang-9 on x86/64:

 ucert.c:158:33: error: comparison of integers of different signs: 'unsigned long' and 'int' [-Werror,-Wsign-compare]
 ucert.c:176:14: error: comparison of integers of different signs: 'int' and 'unsigned long' [-Werror,-Wsign-compare]
 ucert.c:314:18: error: comparison of integers of different signs: '__time_t' (aka 'long') and 'uint64_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
 ucert.c:315:18: error: comparison of integers of different signs: '__time_t' (aka 'long') and 'uint64_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
 ucert.c:557:17: error: comparison of integers of different signs: '__time_t' (aka 'long') and 'uint64_t' (aka 'unsigned long') [-Werror,-Wsign-compare]

Ref: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoadd initial GitLab CI support
Petr Štetiar [Thu, 28 Nov 2019 21:44:08 +0000 (22:44 +0100)]
add initial GitLab CI support

Uses currently proof-of-concept openwrt-ci[1] in order to:

 * improve the quality of the codebase in various areas
 * decrease code review time and help merging contributions faster
 * get automagic feedback loop on various platforms and tools
   - out of tree build with OpenWrt SDK on following targets:
     * ath79-generic
     * imx6-generic
     * malta-be
     * mvebu-cortexa53
   - out of tree native build on x86/64 with GCC (versions 7, 8, 9) and Clang 10
   - out of tree native x86/64 static code analysis with cppcheck and
     scan-build from Clang 10

1. https://gitlab.com/ynezz/openwrt-ci/

Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agocmake: add proper include and library dependencies
Petr Štetiar [Tue, 17 Sep 2019 13:31:08 +0000 (15:31 +0200)]
cmake: add proper include and library dependencies

Otherwise it's not possible to compile it properly if the dependencies
are not installed in the standard include/libraries paths.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
5 years agocast ucert_argv to proper type when passing to execv
Rosen Penev [Thu, 28 Nov 2019 19:17:20 +0000 (11:17 -0800)]
cast ucert_argv to proper type when passing to execv

Fixes warnings:

warning: passing argument 2 of 'execv' from incompatible pointer type
[-Wincompatible-pointer-types]
  254 |       execv(usign_argv[0], usign_argv)

Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years agobe more tolerant when reading key fingerprint
Daniel Golle [Tue, 18 Sep 2018 11:29:10 +0000 (13:29 +0200)]
be more tolerant when reading key fingerprint

usign occasionally writes 16 characters then exits without writing a LF,
leaving ucert hanging waiting for more input.  Accept 16 characters
or more rather than 17 to work around the short read.

Signed-off-by: Mike McCormack <mike@atratus.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 years agoChange the sigb buffer to be the same size as the fread
Damien Mascord [Wed, 8 Aug 2018 13:54:53 +0000 (23:54 +1000)]
Change the sigb buffer to be the same size as the fread

Signed-off-by: Damien Mascord <tusker@tusker.org>
6 years agoblob_buf needs to be zero'd
Daniel Golle [Tue, 7 Aug 2018 16:07:56 +0000 (18:07 +0200)]
blob_buf needs to be zero'd

Fixes weird segfaults when compiling libubox with GCC 8.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 years agoset rpath to make bundle-libraries.sh happy
Daniel Golle [Mon, 6 Aug 2018 15:23:46 +0000 (17:23 +0200)]
set rpath to make bundle-libraries.sh happy

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 years agodon't ever set pointer outside of buffer
Daniel Golle [Sun, 10 Jun 2018 17:03:00 +0000 (19:03 +0200)]
don't ever set pointer outside of buffer

even if it's not going to be used.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agofix host build
Daniel Golle [Sun, 10 Jun 2018 16:44:36 +0000 (18:44 +0200)]
fix host build

use execvp in host builds instead of hardcoding /usr/bin/usign path

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoharden reading fingerprint from usign process
Daniel Golle [Fri, 8 Jun 2018 16:16:00 +0000 (18:16 +0200)]
harden reading fingerprint from usign process

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd light build variant without -C, -A and -D
Daniel Golle [Fri, 8 Jun 2018 03:30:44 +0000 (05:30 +0200)]
add light build variant without -C, -A and -D

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoremove unused stat variable and gettimeofday only once while verifying
Daniel Golle [Fri, 8 Jun 2018 00:56:22 +0000 (02:56 +0200)]
remove unused stat variable and gettimeofday only once while verifying

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoREADME.md...
Daniel Golle [Fri, 8 Jun 2018 00:50:00 +0000 (02:50 +0200)]
README.md...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoallow issue to append existing cert and be strictly quiet
Daniel Golle [Fri, 8 Jun 2018 00:49:18 +0000 (02:49 +0200)]
allow issue to append existing cert and be strictly quiet

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agodon't be crazily strickt on position of '-q' parameter
Daniel Golle [Fri, 8 Jun 2018 00:07:46 +0000 (02:07 +0200)]
don't be crazily strickt on position of '-q' parameter

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agofix memory corruption caused by use-after-free
Daniel Golle [Thu, 7 Jun 2018 23:15:26 +0000 (01:15 +0200)]
fix memory corruption caused by use-after-free

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoREADME.md: add a line about context and dependencies
Daniel Golle [Thu, 7 Jun 2018 22:01:35 +0000 (00:01 +0200)]
README.md: add a line about context and dependencies

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agooutput error message in case of revoked key
Daniel Golle [Thu, 7 Jun 2018 21:52:16 +0000 (23:52 +0200)]
output error message in case of revoked key

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd README.md
Daniel Golle [Thu, 7 Jun 2018 21:44:57 +0000 (23:44 +0200)]
add README.md

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd comments in usign-exec
Daniel Golle [Thu, 7 Jun 2018 20:53:46 +0000 (22:53 +0200)]
add comments in usign-exec

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoharden cmdline options
Daniel Golle [Thu, 7 Jun 2018 20:22:26 +0000 (22:22 +0200)]
harden cmdline options

make all options single-set, only accept options after command and only
those needed for the specific command.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd comments and license headers
Daniel Golle [Thu, 7 Jun 2018 20:12:06 +0000 (22:12 +0200)]
add comments and license headers

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agotake care of revokers in verify path
Daniel Golle [Thu, 7 Jun 2018 19:28:50 +0000 (21:28 +0200)]
take care of revokers in verify path

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoimprove usage message and start working on revoker logic
Daniel Golle [Thu, 7 Jun 2018 17:14:18 +0000 (19:14 +0200)]
improve usage message and start working on revoker logic

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoallow append also on non-existing certfile
Daniel Golle [Thu, 7 Jun 2018 13:16:41 +0000 (15:16 +0200)]
allow append also on non-existing certfile

Just in case someone just wants a single plain signature without any
chain.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoenumerate chain elements in dump output
Daniel Golle [Thu, 7 Jun 2018 12:39:06 +0000 (14:39 +0200)]
enumerate chain elements in dump output

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoalways include complete signature file including trailing newline
Daniel Golle [Thu, 7 Jun 2018 10:32:21 +0000 (12:32 +0200)]
always include complete signature file including trailing newline

just to harmonize things

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd forgotten usign_v sigfile parameter
Daniel Golle [Thu, 7 Jun 2018 10:09:57 +0000 (12:09 +0200)]
add forgotten usign_v sigfile parameter

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoread more than one cert from file
Daniel Golle [Thu, 7 Jun 2018 09:38:42 +0000 (11:38 +0200)]
read more than one cert from file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoimplement chain and message verify
Daniel Golle [Thu, 7 Jun 2018 00:17:28 +0000 (02:17 +0200)]
implement chain and message verify

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agouse list to model certificate chain
Daniel Golle [Wed, 6 Jun 2018 20:48:31 +0000 (22:48 +0200)]
use list to model certificate chain

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoimplement cert issue
Daniel Golle [Wed, 6 Jun 2018 20:21:23 +0000 (22:21 +0200)]
implement cert issue

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd usign-exec.c
Daniel Golle [Wed, 6 Jun 2018 19:12:50 +0000 (21:12 +0200)]
add usign-exec.c

create C function wrappers calling the /usr/bin/usign executable and
processing the results.

usign_v()   : usign -V ...
usign_s()   : usign -S ...
usign_f_*() : usign -F ...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agostart implementing loading cert from filesystem, add validity times
Daniel Golle [Wed, 6 Jun 2018 18:37:50 +0000 (20:37 +0200)]
start implementing loading cert from filesystem, add validity times

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd external blob and internal blobmsg data structures
Daniel Golle [Mon, 4 Jun 2018 22:02:00 +0000 (00:02 +0200)]
add external blob and internal blobmsg data structures

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd shim executable and CMakeLists
Daniel Golle [Mon, 4 Jun 2018 21:54:09 +0000 (23:54 +0200)]
add shim executable and CMakeLists

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd COPYING license file
Daniel Golle [Mon, 4 Jun 2018 21:40:28 +0000 (23:40 +0200)]
add COPYING license file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

6 years agoadd .gitignore
Daniel Golle [Mon, 4 Jun 2018 21:36:24 +0000 (23:36 +0200)]
add .gitignore

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)