libras: a few code enhancements

Signed-off-by: Kun Lai <me@imlk.top>

api/librats_verify_attestation_certificate.c

@@ -58,7 +58,7 @@ rats_verifier_err_t librats_verify_attestation_certificate(
  certificate_size);
  if (crypto_ret != CRYPTO_WRAPPER_ERR_NONE) {
  RATS_ERR("certificate verification failed: %#x\n", crypto_ret);
- ret = RATS_ATTESTER_ERR_CERT_GEN;
+ ret = RATS_VERIFIER_ERR_INVALID;
  goto err;
  }
 

cmake/CompilerOptions.cmake

@@ -1,5 +1,5 @@
 # Normal and occlum mode
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -fPIC -Werror=implicit-function-declaration")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -fPIC -Werror=implicit-function-declaration -Werror=undef")
 set(RATS_LDFLAGS "-fPIC -Bsymbolic -ldl")
 
 if(OCCLUM)

core/dice.c

@@ -5,6 +5,7 @@
  */
 
 #include <string.h>
+#include <inttypes.h>
 #include <librats/err.h>
 #include <librats/log.h>
 #include <internal/dice.h>
@@ -86,7 +87,7 @@ int evidence_from_raw(const uint8_t *data, size_t size, uint64_t tag,
  data[15]);
 
  if (!tag_is_valid(tag)) {
- RATS_FATAL("Invalid cbor tag: 0x%zx\n", tag);
+ RATS_FATAL("Invalid cbor tag: 0x%" PRIx64 "\n", tag);
  return 1;
  }
 
@@ -466,7 +467,8 @@ rats_verifier_err_t dice_parse_evidence_buffer_with_tag(const uint8_t *evidence_
  /* Check cbor tag */
  RATS_VERIFIER_CBOR_ASSERT(cbor_isa_tag(root));
  if (!tag_is_valid(cbor_tag_value(root))) {
- RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%zx\n", cbor_tag_value(root));
+ RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%" PRIx64 "\n",
+ cbor_tag_value(root));
  goto err;
  }
 
@@ -550,7 +552,8 @@ rats_verifier_err_t dice_parse_endorsements_buffer_with_tag(const char *type,
  RATS_VERIFIER_CBOR_ASSERT(cbor_isa_tag(root));
  if (cbor_tag_value(root) != OCBR_TAG_EVIDENCE_INTEL_TEE_QUOTE) {
  /* We currently only support endorsements for SGX/TDX ECDSA. */
- RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%zx, 0x%zx expected\n",
+ RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%" PRIx64 ", 0x%" PRIx64
+ " expected\n",
  cbor_tag_value(root), (uint64_t)OCBR_TAG_EVIDENCE_INTEL_TEE_QUOTE);
  goto err;
  }
@@ -683,10 +686,10 @@ rats_verifier_err_t dice_parse_pubkey_hash_value_buffer(const uint8_t *pubkey_ha
 
  size_t hash_size = hash_size_of_algo(hash_algo_id);
  if (hash_size == 0) {
- RATS_ERR(
- "unsupported hash-alg-id: %lu, sha-256(1), sha-384(7), sha-512(8) are expected\n",
- hash_algo_id);
- ret = RATS_ATTESTER_ERR_INVALID;
+ RATS_ERR("unsupported hash-alg-id: %" PRIu64
+  ", sha-256(1), sha-384(7), sha-512(8) are expected\n",
+  hash_algo_id);
+ ret = RATS_VERIFIER_ERR_INVALID;
  goto err;
  }
 

crypto_wrappers/api/crypto_wrapper_verify_certificate_extension.c

@@ -232,7 +232,7 @@ crypto_wrapper_err_t crypto_wrapper_verify_certificate_extension(
  void *t = realloc(claims,
  sizeof(claim_t) * (builtin_claims_length + custom_claims_length));
  if (!t) {
- ret = RATS_VERIFIER_ERR_NO_MEM;
+ ret = CRYPTO_WRAPPER_ERR_NO_MEM;
  goto err;
  }
  claims = (claim_t *)t;

crypto_wrappers/openssl/gen_cert.c

@@ -182,15 +182,15 @@ crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_hash_algo_
  /* The DiceTaggedEvidence extension criticality flag SHOULD be marked critical. */
  if (!x509_extension_add(cert, TCG_DICE_TAGGED_EVIDENCE_OID, false,
  cert_info->evidence_buffer,
- cert_info->evidence_buffer_size) != RATS_ERR_NONE)
+ cert_info->evidence_buffer_size))
  goto err;
  }
 
  /* Add endorsements extension */
  if (cert_info->endorsements_buffer_size) {
  if (!x509_extension_add(cert, TCG_DICE_ENDORSEMENT_MANIFEST_OID, false,
  cert_info->endorsements_buffer,
- cert_info->endorsements_buffer_size) != RATS_ERR_NONE)
+ cert_info->endorsements_buffer_size))
  goto err;
  }
 

crypto_wrappers/openssl/use_privkey.c

@@ -30,7 +30,7 @@ crypto_wrapper_err_t openssl_use_privkey(crypto_wrapper_ctx_t *ctx, uint8_t *pri
  if (!bio)
  goto err;
 
- ret = RATS_ATTESTER_ERR_CERT_PRIV_KEY;
+ ret = CRYPTO_WRAPPER_ERR_PRIV_KEY_DECODE;
  if (!PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL))
  goto err;
  BIO_free(bio);

crypto_wrappers/openssl/verify_cert.c

@@ -84,7 +84,7 @@ crypto_wrapper_err_t openssl_verify_cert(crypto_wrapper_ctx_t *ctx, const uint8_
  size_t endorsements_buffer_size = 0;
 
  /* Decode certificate as DER format */
- ret = RATS_VERIFIER_ERR_CERT_PARSE;
+ ret = CRYPTO_WRAPPER_ERR_CERT_PARSE;
  const unsigned char *t = (const unsigned char *)certificate;
  if (!d2i_X509(&cert, &t, certificate_size)) {
  RATS_ERR("bad certificate format\n");
@@ -116,7 +116,7 @@ crypto_wrapper_err_t openssl_verify_cert(crypto_wrapper_ctx_t *ctx, const uint8_
  /* Extract the evidence_buffer(optional for nullverifier) and endorsements_buffer(optional)
  * from the X.509 certificate extension.
  */
- ret = RATS_VERIFIER_ERR_CERT_EXTENSION;
+ ret = CRYPTO_WRAPPER_ERR_CERT_EXTENSION;
  /* Extract evidence from extension */
  int rc = find_extension_from_cert(cert, TCG_DICE_TAGGED_EVIDENCE_OID, &evidence_buffer,
  &evidence_buffer_size, true);

include/librats/err.h

@@ -104,9 +104,10 @@ typedef enum {
  CRYPTO_WRAPPER_ERR_RSA_KEY_LEN,
  CRYPTO_WRAPPER_ERR_PUB_KEY_LEN,
  CRYPTO_WRAPPER_ERR_UNSUPPORTED_ALGO,
- CRYPTO_WRAPPER_ERR_PUB_KEY_DECODE,
+ CRYPTO_WRAPPER_ERR_PRIV_KEY_DECODE,
  CRYPTO_WRAPPER_ERR_CERT_EXTENSION,
  CRYPTO_WRAPPER_ERR_UNSUPPORTED_HASH_ALGO,
+ CRYPTO_WRAPPER_ERR_CERT_PARSE,
 } crypto_wrapper_err_t;
 
 #endif

verifiers/csv/csv_utils.c

@@ -12,7 +12,7 @@ int sm3_hmac(const char *key, size_t key_len, const unsigned char *data, size_t
 {
  HMAC_CTX *hmac_ctx = HMAC_CTX_new();
  const EVP_MD *evp_md = EVP_sm3();
- int sm3_hmac_out_size = 0;
+ unsigned int sm3_hmac_out_size = 0;
  int ret = -1;
 
  if (hmac_ctx == NULL)

verifiers/csv/hygoncert.c

@@ -899,7 +899,9 @@ static int verify_hsk_cert_signature(hygon_root_cert_t *hsk_cert)
 int verify_hsk_cert(hygon_root_cert_t *cert)
 {
  if (cert->key_usage != KEY_USAGE_TYPE_HSK) {
- RATS_ERR("HSK cert key usage type invalid\n");
+ RATS_ERR(
+ "HSK cert key usage type invalid. Expected %d(KEY_USAGE_TYPE_HSK), got %d\n",
+ KEY_USAGE_TYPE_HSK, cert->key_usage);
  return -1;
  }