Matthias Schiffer [Sat, 16 May 2020 21:04:05 +0000 (23:04 +0200)]
Do not print line number in debug messages
The line number does not add any significant information, and it makes
the unit tests which check for these debug messages very fragile.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 20:29:24 +0000 (22:29 +0200)]
Fix length checks in cert_load()
cert_load() iterates over multiple blobs, so the length argument to
blob_parse_untrusted() needs to be updated to prevent out-of-bounds
accesses.
Some other checks have become redundant and are removed, as
blob_parse_untrusted() already ensures that all attrs are contained in
the passed buffer.
Note that this issue currently does not pose a security threat, as an
over-restrictive check in blob_parse_untrusted() broke parsing of
buffers with multiple blobs completely.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 16:53:40 +0000 (18:53 +0200)]
usign-exec: improve usign -F output handling
While not likely to happen in practice, nothing guarantees that read()
will retrieve more than 1 byte at a time. The easiest way to make this
code compliant is to wrap the file descriptor using fdopen().
While we're at it, also
- remove useless memset()
- check fingerprint for validity
The check is particularly relevant, as a usign bug [1] causing short
fingerprint outputs only went unnoticed for so long because the trailing
newline was considered one of the 16 characters ucert was expecting.
[1] https://patchwork.ozlabs.org/project/openwrt/patch/8ead1fd6a61117b54b4efd5111fe0d19e4eef9c5.1589642591.git.mschiffer@universe-factory.net/
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 16:45:23 +0000 (18:45 +0200)]
usign-exec: return code fixes
- WEXITSTATUS() should only be called when WIFEXITED() returns true
- Fix double WEXITSTATUS() in usign_f()
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 16:27:51 +0000 (18:27 +0200)]
usign-exec: close writing end of pipe early in parent process
When the child process exited without producing output (for example
because usign was not found), the parent process would hang forever in
read(). By closing the writing end early in the parent process, read
will return as soon as no writing FDs are left - that is, when the child
process has exited.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 16:23:22 +0000 (18:23 +0200)]
usign-exec: remove redundant return statements
All switch() cases were already returning a value or exiting. Instead,
move the default case out of the switch to reduce indentation (only
relevant for usign_f()).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 16:18:24 +0000 (18:18 +0200)]
usign-exec: change usign_f_* fingerprint argument to char[17]
This makes it more obvious that a buffer with space for 17 characters is
expected to be passed. The code still works the same (a char[17] is
equivalent to char* as an argument).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 16:00:24 +0000 (18:00 +0200)]
usign-exec: do not close stdin and stderr before exec
FDs 0, 1 and 2 should always be available. This also allows the exec error
message in the forked process to be displayed.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 15:53:29 +0000 (17:53 +0200)]
usign-exec: fix exec error handling
When execvp fails in the forked process, we must exit. Also add an error
message.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
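As an added example that is not part of ucert's code, the helper below puts together the fixes described in the usign-exec commits above (fdopen() on the pipe so short read()s are harmless, closing the write end early in the parent, WIFEXITED() before WEXITSTATUS(), exiting with a message when execvp() fails, and validating the 16-character fingerprint without counting the newline). run_fingerprint() and fingerprint_valid() are hypothetical names; the child command is whatever argv the caller supplies.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* A usign fingerprint is 16 hex characters; the buffer holds them plus NUL. */
static int fingerprint_valid(const char fp[17])
{
	for (int i = 0; i < 16; i++)
		if (!isxdigit((unsigned char)fp[i]))
			return 0;
	return fp[16] == '\0';
}

/* Runs argv in a child (argv[0] looked up via PATH) and captures its first
 * output line. Returns 0 if the child exited with status 0 and printed a
 * valid fingerprint (copied to fp), -1 on any failure; it never hangs. */
static int run_fingerprint(char *const argv[], char fp[17])
{
	int fds[2], status; char line[64] = ""; FILE *f;
	if (pipe(fds) < 0)
		return -1;
	pid_t pid = fork();
	if (pid < 0) {
		close(fds[0]); close(fds[1]);
		return -1;
	}
	if (pid == 0) {
		/* child: redirect stdout only; stdin and stderr stay open so the
		 * exec failure message below actually reaches the user */
		dup2(fds[1], STDOUT_FILENO);
		close(fds[0]); close(fds[1]);
		execvp(argv[0], argv);
		fprintf(stderr, "exec %s: %s\n", argv[0], strerror(errno));
		_exit(127); /* exec failed: must exit, never fall through */
	}
	/* parent: close the write end first, so reading hits EOF as soon as
	 * the child exits, even when it produced no output at all */
	close(fds[1]);
	f = fdopen(fds[0], "r"); /* stdio copes with read() returning 1 byte */
	if (!f || !fgets(line, sizeof(line), f))
		line[0] = '\0';
	if (f) fclose(f); else close(fds[0]);
	/* WEXITSTATUS() is only meaningful when WIFEXITED() is true */
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
		return -1;
	line[strcspn(line, "\n")] = '\0'; /* the newline is not a 17th character */
	if (strlen(line) != 16 || !fingerprint_valid(line))
		return -1;
	memcpy(fp, line, 17);
	return 0;
}
```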
Matthias Schiffer [Sat, 16 May 2020 12:52:35 +0000 (14:52 +0200)]
usign-exec: simplify usign execv calls
When the executable to exec is passed as an absolute path, execv() and
execvp() are equivalent, so there is no need to make the code hard to
read with #ifdefs.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 11:19:36 +0000 (13:19 +0200)]
Introduce read_file() helper, improve error reporting
This helper simplifies handling, ensures that there are no resource
leaks, and checks for EOF more robustly.
Also introduce error reporting at all call sites to give the user some
feedback when something went wrong.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 11:33:55 +0000 (13:33 +0200)]
Fix return code of write_file()
write_file() returns 1/true on success; it should return 0/false when
opening the file fails.
To make it more obvious that this function returns true and not 0 on
success, also change its return type to bool.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sat, 16 May 2020 11:26:55 +0000 (13:26 +0200)]
stdout/stderr improvements
- Print error messages to stderr
- fprintf(stdout, ...) is just printf(...)
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Petr Štetiar [Tue, 21 Jan 2020 17:23:13 +0000 (18:23 +0100)]
ci: fix unit test failures by enabling full ucert build
Fixing the following unit test failures:
$ ucert -D -c $TEST_INPUTS/key-build.ucert
ucert: invalid option -- 'D'
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Thu, 26 Dec 2019 08:48:31 +0000 (09:48 +0100)]
ci: enable unit testing
In commit 4462ff9dedfa ("add cram based unit tests") some unit tests
were added, so enable them on CI as well.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 16 Dec 2019 13:58:50 +0000 (14:58 +0100)]
fix certificate blob parsing vulnerability by using blob_parse_untrusted
blob_parse expects blobs from trusted inputs, but in this case it can be
supplied with possibly malicious certificates from untrusted inputs as
well, so in order to prevent such conditions, switch to
blob_parse_untrusted which should hopefully handle such inputs
appropriately.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
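An added illustration, not code from ucert or libubox, of the length bookkeeping behind the two blob-parsing commits above (switching to blob_parse_untrusted(), and passing the remaining rather than the total length while cert_load() iterates over a file holding several blobs). The blob layout, blob_check(), count_blobs() and count_blobs_stale_len() are simplified, assumed stand-ins modelled on libubox's 24-bit-length, 4-byte-padded attribute header.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified blob layout modelled on libubox: a 4-byte big-endian
 * id_len word whose low 24 bits give the blob length including the header;
 * every blob is padded to a 4-byte boundary. */
#define BLOB_HDR      4u
#define BLOB_LEN_MASK 0x00ffffffu

static size_t blob_pad(size_t len) { return (len + 3) & ~(size_t)3; }

/* Containment check in the spirit of blob_parse_untrusted(): returns the
 * padded length of the blob at buf if it fits in `remaining` bytes, else 0. */
static size_t blob_check(const uint8_t *buf, size_t remaining)
{
	if (remaining < BLOB_HDR)
		return 0;
	size_t len = ((size_t)buf[0] << 24 | (size_t)buf[1] << 16 |
	              (size_t)buf[2] << 8 | buf[3]) & BLOB_LEN_MASK;
	if (len < BLOB_HDR || blob_pad(len) > remaining)
		return 0;
	return blob_pad(len);
}

/* Walks every blob in buf the way cert_load() walks a multi-cert file,
 * handing the check the bytes *remaining* after the current offset.
 * Returns the blob count, or -1 on an overrun or leftover bytes. */
static int count_blobs(const uint8_t *buf, size_t len)
{
	size_t off = 0;
	int n = 0;
	while (len - off >= BLOB_HDR) {
		size_t l = blob_check(buf + off, len - off);
		if (!l)
			return -1;
		off += l;
		n++;
	}
	return off == len ? n : -1;
}

/* The pre-fix pattern: the total length is passed for every blob, so a
 * later blob that extends past the end of the buffer still passes the
 * check and the caller would go on to read attributes outside the buffer. */
static int count_blobs_stale_len(const uint8_t *buf, size_t len)
{
	size_t off = 0;
	int n = 0;
	while (off + BLOB_HDR <= len) {
		size_t l = blob_check(buf + off, len); /* bug: should be len - off */
		if (!l)
			return -1;
		off += l;
		n++;
	}
	return n;
}
```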
Petr Štetiar [Mon, 16 Dec 2019 13:49:40 +0000 (14:49 +0100)]
fix leaking memory in cert_dump_blob
Fixes the following valgrind-reported memory leak:
189 bytes in 1 blocks are definitely lost in loss record 3 of 4
at realloc
by blobmsg_format_json_with_cb
by blobmsg_format_json_indent
by cert_dump_blob (ucert.c:386)
by cert_dump (ucert.c:405)
by main (ucert.c:728)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 16 Dec 2019 13:34:20 +0000 (14:34 +0100)]
fix possibly garbage value returned in cert_process_revoker
Fixes the following warning reported by the clang-9 scan-build analyzer:
ucert.c:585:2: warning: Undefined or garbage value returned to caller
return ret;
^~~~~~~~~~
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 16 Dec 2019 13:43:19 +0000 (14:43 +0100)]
add cram based unit tests
For improved QA etc.; for a start, with an initial test case for the dump
command.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 16 Dec 2019 13:29:57 +0000 (14:29 +0100)]
cmake: split usign bits into static library
So it could be reused easily in unit tests for example.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 16 Dec 2019 13:23:26 +0000 (14:23 +0100)]
cmake: reindent the file
In order to make the indentation consistent within the file.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 16 Dec 2019 12:56:29 +0000 (13:56 +0100)]
cmake: enable hardening compiler flags and fix the reported issues
Let's enable some useful flags in order to spot possible issues during
QA on CI (GCC version 6 and higher). Fix warnings uncovered by these new
flags as reported by clang-9 on x86/64:
ucert.c:158:33: error: comparison of integers of different signs: 'unsigned long' and 'int' [-Werror,-Wsign-compare]
ucert.c:176:14: error: comparison of integers of different signs: 'int' and 'unsigned long' [-Werror,-Wsign-compare]
ucert.c:314:18: error: comparison of integers of different signs: '__time_t' (aka 'long') and 'uint64_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
ucert.c:315:18: error: comparison of integers of different signs: '__time_t' (aka 'long') and 'uint64_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
ucert.c:557:17: error: comparison of integers of different signs: '__time_t' (aka 'long') and 'uint64_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
Ref: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Thu, 28 Nov 2019 21:44:08 +0000 (22:44 +0100)]
add initial GitLab CI support
Uses currently proof-of-concept openwrt-ci[1] in order to:
* improve the quality of the codebase in various areas
* decrease code review time and help merging contributions faster
* get automagic feedback loop on various platforms and tools
- out of tree build with OpenWrt SDK on following targets:
* ath79-generic
* imx6-generic
* malta-be
* mvebu-cortexa53
- out of tree native build on x86/64 with GCC (versions 7, 8, 9) and Clang 10
- out of tree native x86/64 static code analysis with cppcheck and
scan-build from Clang 10
1. https://gitlab.com/ynezz/openwrt-ci/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Tue, 17 Sep 2019 13:31:08 +0000 (15:31 +0200)]
cmake: add proper include and library dependencies
Otherwise it's not possible to compile it properly if the dependencies
are not installed in the standard include/libraries paths.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Rosen Penev [Thu, 28 Nov 2019 19:17:20 +0000 (11:17 -0800)]
cast ucert_argv to proper type when passing to execv
Fixes warnings:
warning: passing argument 2 of 'execv' from incompatible pointer type
[-Wincompatible-pointer-types]
254 | execv(usign_argv[0], usign_argv)
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Daniel Golle [Tue, 18 Sep 2018 11:29:10 +0000 (13:29 +0200)]
be more tolerant when reading key fingerprint
usign occasionally writes 16 characters then exits without writing a LF,
leaving ucert hanging waiting for more input. Accept 16 characters
or more rather than 17 to work around the short read.
Signed-off-by: Mike McCormack <mike@atratus.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Damien Mascord [Wed, 8 Aug 2018 13:54:53 +0000 (23:54 +1000)]
Change the sigb buffer to be the same size as the fread
Signed-off-by: Damien Mascord <tusker@tusker.org>
Daniel Golle [Tue, 7 Aug 2018 16:07:56 +0000 (18:07 +0200)]
blob_buf needs to be zeroed
Fixes weird segfaults when compiling libubox with GCC 8.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Mon, 6 Aug 2018 15:23:46 +0000 (17:23 +0200)]
set rpath to make bundle-libraries.sh happy
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Sun, 10 Jun 2018 17:03:00 +0000 (19:03 +0200)]
don't ever set pointer outside of buffer
even if it's not going to be used.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Sun, 10 Jun 2018 16:44:36 +0000 (18:44 +0200)]
fix host build
use execvp in host builds instead of hardcoding /usr/bin/usign path
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Fri, 8 Jun 2018 16:16:00 +0000 (18:16 +0200)]
harden reading fingerprint from usign process
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Fri, 8 Jun 2018 03:30:44 +0000 (05:30 +0200)]
add light build variant without -C, -A and -D
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Fri, 8 Jun 2018 00:56:22 +0000 (02:56 +0200)]
remove unused stat variable and gettimeofday only once while verifying
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Fri, 8 Jun 2018 00:50:00 +0000 (02:50 +0200)]
README.md...
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Fri, 8 Jun 2018 00:49:18 +0000 (02:49 +0200)]
allow issue to append existing cert and be strictly quiet
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Fri, 8 Jun 2018 00:07:46 +0000 (02:07 +0200)]
don't be crazily strict on position of '-q' parameter
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 23:15:26 +0000 (01:15 +0200)]
fix memory corruption caused by use-after-free
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 22:01:35 +0000 (00:01 +0200)]
README.md: add a line about context and dependencies
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 21:52:16 +0000 (23:52 +0200)]
output error message in case of revoked key
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 21:44:57 +0000 (23:44 +0200)]
add README.md
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 20:53:46 +0000 (22:53 +0200)]
add comments in usign-exec
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 20:22:26 +0000 (22:22 +0200)]
harden cmdline options
make all options single-set, only accept options after command and only
those needed for the specific command.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 20:12:06 +0000 (22:12 +0200)]
add comments and license headers
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 19:28:50 +0000 (21:28 +0200)]
take care of revokers in verify path
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 17:14:18 +0000 (19:14 +0200)]
improve usage message and start working on revoker logic
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 13:16:41 +0000 (15:16 +0200)]
allow append also on non-existing certfile
Just in case someone just wants a single plain signature without any
chain.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 12:39:06 +0000 (14:39 +0200)]
enumerate chain elements in dump output
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 10:32:21 +0000 (12:32 +0200)]
always include complete signature file including trailing newline
just to harmonize things
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 10:09:57 +0000 (12:09 +0200)]
add forgotten usign_v sigfile parameter
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 09:38:42 +0000 (11:38 +0200)]
read more than one cert from file
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Thu, 7 Jun 2018 00:17:28 +0000 (02:17 +0200)]
implement chain and message verify
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Wed, 6 Jun 2018 20:48:31 +0000 (22:48 +0200)]
use list to model certificate chain
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Wed, 6 Jun 2018 20:21:23 +0000 (22:21 +0200)]
implement cert issue
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Wed, 6 Jun 2018 19:12:50 +0000 (21:12 +0200)]
add usign-exec.c
create C function wrappers calling the /usr/bin/usign executable and
processing the results.
usign_v() : usign -V ...
usign_s() : usign -S ...
usign_f_*() : usign -F ...
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Wed, 6 Jun 2018 18:37:50 +0000 (20:37 +0200)]
start implementing loading cert from filesystem, add validity times
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Mon, 4 Jun 2018 22:02:00 +0000 (00:02 +0200)]
add external blob and internal blobmsg data structures
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Mon, 4 Jun 2018 21:54:09 +0000 (23:54 +0200)]
add shim executable and CMakeLists
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Mon, 4 Jun 2018 21:40:28 +0000 (23:40 +0200)]
add COPYING license file
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)
Daniel Golle [Mon, 4 Jun 2018 21:36:24 +0000 (23:36 +0200)]
add .gitignore
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)