From ffd7366922705d8332c1a9b472c21c80a365bb30 Mon Sep 17 00:00:00 2001 From: Kun Lai Date: Wed, 16 Aug 2023 14:09:50 +0000 Subject: [PATCH] libras: a few code enhancements Signed-off-by: Kun Lai --- api/librats_verify_attestation_certificate.c | 2 +- cmake/CompilerOptions.cmake | 2 +- core/dice.c | 17 ++++++++++------- ...rypto_wrapper_verify_certificate_extension.c | 2 +- crypto_wrappers/openssl/gen_cert.c | 4 ++-- crypto_wrappers/openssl/use_privkey.c | 2 +- crypto_wrappers/openssl/verify_cert.c | 4 ++-- include/librats/err.h | 3 ++- verifiers/csv/csv_utils.c | 2 +- verifiers/csv/hygoncert.c | 4 +++- 10 files changed, 24 insertions(+), 18 deletions(-) diff --git a/api/librats_verify_attestation_certificate.c b/api/librats_verify_attestation_certificate.c index 7dce4d5..c9d11b4 100644 --- a/api/librats_verify_attestation_certificate.c +++ b/api/librats_verify_attestation_certificate.c @@ -58,7 +58,7 @@ rats_verifier_err_t librats_verify_attestation_certificate( certificate_size); if (crypto_ret != CRYPTO_WRAPPER_ERR_NONE) { RATS_ERR("certificate verification failed: %#x\n", crypto_ret); - ret = RATS_ATTESTER_ERR_CERT_GEN; + ret = RATS_VERIFIER_ERR_INVALID; goto err; } diff --git a/cmake/CompilerOptions.cmake b/cmake/CompilerOptions.cmake index 7748c79..5ef3bb2 100644 --- a/cmake/CompilerOptions.cmake +++ b/cmake/CompilerOptions.cmake @@ -1,5 +1,5 @@ # Normal and occlum mode -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -fPIC -Werror=implicit-function-declaration") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -fPIC -Werror=implicit-function-declaration -Werror=undef") set(RATS_LDFLAGS "-fPIC -Bsymbolic -ldl") if(OCCLUM) diff --git a/core/dice.c b/core/dice.c index 36ad4a5..8969aa1 100644 --- a/core/dice.c +++ b/core/dice.c @@ -5,6 +5,7 @@ */ #include +#include #include #include #include 
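Review bot: In `librats_verify_attestation_certificate`, the new `ret = RATS_VERIFIER_ERR_INVALID;` reports every non-zero `crypto_ret` as "invalid", so a caller cannot tell a malformed certificate from a resource failure inside the crypto wrapper. The specific code survives only in the `RATS_ERR` log line. Failing closed is the right default for a verifier, but the mapping deserves a comment on that line, for example `/* every crypto wrapper failure is reported as an invalid certificate; crypto_ret is only logged */`. The function body starts and ends outside the hunk.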
@@ -86,7 +87,7 @@ int evidence_from_raw(const uint8_t *data, size_t size, uint64_t tag, data[15]); if (!tag_is_valid(tag)) { - RATS_FATAL("Invalid cbor tag: 0x%zx\n", tag); + RATS_FATAL("Invalid cbor tag: 0x%" PRIx64 "\n", tag); return 1; } @@ -466,7 +467,8 @@ rats_verifier_err_t dice_parse_evidence_buffer_with_tag(const uint8_t *evidence_ /* Check cbor tag */ RATS_VERIFIER_CBOR_ASSERT(cbor_isa_tag(root)); if (!tag_is_valid(cbor_tag_value(root))) { - RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%zx\n", cbor_tag_value(root)); + RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%" PRIx64 "\n", + cbor_tag_value(root)); goto err; } @@ -550,7 +552,8 @@ rats_verifier_err_t dice_parse_endorsements_buffer_with_tag(const char *type, RATS_VERIFIER_CBOR_ASSERT(cbor_isa_tag(root)); if (cbor_tag_value(root) != OCBR_TAG_EVIDENCE_INTEL_TEE_QUOTE) { /* We currently only support endorsements for SGX/TDX ECDSA. */ - RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%zx, 0x%zx expected\n", + RATS_ERR("Bad cbor data: invalid cbor tag got: 0x%" PRIx64 ", 0x%" PRIx64 + " expected\n", cbor_tag_value(root), (uint64_t)OCBR_TAG_EVIDENCE_INTEL_TEE_QUOTE); goto err; } @@ -683,10 +686,10 @@ rats_verifier_err_t dice_parse_pubkey_hash_value_buffer(const uint8_t *pubkey_ha size_t hash_size = hash_size_of_algo(hash_algo_id); if (hash_size == 0) { - RATS_ERR( - "unsupported hash-alg-id: %lu, sha-256(1), sha-384(7), sha-512(8) are expected\n", - hash_algo_id); - ret = RATS_ATTESTER_ERR_INVALID; + RATS_ERR("unsupported hash-alg-id: %" PRIu64 + ", sha-256(1), sha-384(7), sha-512(8) are expected\n", + hash_algo_id); + ret = RATS_VERIFIER_ERR_INVALID; goto err; } diff --git a/crypto_wrappers/api/crypto_wrapper_verify_certificate_extension.c b/crypto_wrappers/api/crypto_wrapper_verify_certificate_extension.c index a34f45e..c273705 100644 --- a/crypto_wrappers/api/crypto_wrapper_verify_certificate_extension.c +++ b/crypto_wrappers/api/crypto_wrapper_verify_certificate_extension.c 
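Review bot: In `evidence_from_raw`, the context line just above the corrected `RATS_FATAL` closes a call whose last argument is `data[15]`, the sixteenth byte of the caller-supplied buffer. The start of that call and any length check sit outside the hunk, so this needs confirming: if `size` can be smaller than 16 at that point, the read goes past the end of `data`. A guard such as `if (size < 16) return 1;` ahead of that call, or limiting the dump to `size` bytes, would rule it out.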
@@ -232,7 +232,7 @@ crypto_wrapper_err_t crypto_wrapper_verify_certificate_extension( void *t = realloc(claims, sizeof(claim_t) * (builtin_claims_length + custom_claims_length)); if (!t) { - ret = RATS_VERIFIER_ERR_NO_MEM; + ret = CRYPTO_WRAPPER_ERR_NO_MEM; goto err; } claims = (claim_t *)t; diff --git a/crypto_wrappers/openssl/gen_cert.c b/crypto_wrappers/openssl/gen_cert.c index f3d7414..699bbe2 100644 --- a/crypto_wrappers/openssl/gen_cert.c +++ b/crypto_wrappers/openssl/gen_cert.c @@ -182,7 +182,7 @@ crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_hash_algo_ /* The DiceTaggedEvidence extension criticality flag SHOULD be marked critical. */ if (!x509_extension_add(cert, TCG_DICE_TAGGED_EVIDENCE_OID, false, cert_info->evidence_buffer, - cert_info->evidence_buffer_size) != RATS_ERR_NONE) + cert_info->evidence_buffer_size)) goto err; } @@ -190,7 +190,7 @@ crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_hash_algo_ if (cert_info->endorsements_buffer_size) { if (!x509_extension_add(cert, TCG_DICE_ENDORSEMENT_MANIFEST_OID, false, cert_info->endorsements_buffer, - cert_info->endorsements_buffer_size) != RATS_ERR_NONE) + cert_info->endorsements_buffer_size)) goto err; } diff --git a/crypto_wrappers/openssl/use_privkey.c b/crypto_wrappers/openssl/use_privkey.c index 7386993..eb5b49a 100644 --- a/crypto_wrappers/openssl/use_privkey.c +++ b/crypto_wrappers/openssl/use_privkey.c @@ -30,7 +30,7 @@ crypto_wrapper_err_t openssl_use_privkey(crypto_wrapper_ctx_t *ctx, uint8_t *pri if (!bio) goto err; - ret = RATS_ATTESTER_ERR_CERT_PRIV_KEY; + ret = CRYPTO_WRAPPER_ERR_PRIV_KEY_DECODE; if (!PEM_read_bio_PrivateKey(bio, &pkey, NULL, NULL)) goto err; BIO_free(bio); diff --git a/crypto_wrappers/openssl/verify_cert.c b/crypto_wrappers/openssl/verify_cert.c index 79dac70..6fdacc1 100644 --- a/crypto_wrappers/openssl/verify_cert.c +++ b/crypto_wrappers/openssl/verify_cert.c 
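Review bot: The `realloc` size on the context line above the corrected `ret`, `sizeof(claim_t) * (builtin_claims_length + custom_claims_length)`, is computed without an overflow check. The origin of the two lengths is outside the hunk; if either is derived from the certificate being verified, a wrapped sum or product yields a buffer shorter than the code that fills `claims` expects. Assuming both are `size_t`, a guard before the call closes this: `if (custom_claims_length > SIZE_MAX / sizeof(claim_t) || builtin_claims_length > SIZE_MAX / sizeof(claim_t) - custom_claims_length) { ret = CRYPTO_WRAPPER_ERR_NO_MEM; goto err; }`. The function body starts and ends outside the hunk.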
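Review bot: The comment in the first gen_cert.c hunk says the DiceTaggedEvidence extension SHOULD be marked critical, yet the call directly below it passes `false` as the third argument of `x509_extension_add`. The endorsement-manifest call in the next hunk does the same. If that parameter is the criticality flag (its declaration is not visible here), the certificate carries a non-critical extension, so a relying party that does not recognise the OID may accept the certificate without evaluating the evidence. Either change the argument to `true` in `x509_extension_add(cert, TCG_DICE_TAGGED_EVIDENCE_OID, true,`, or extend the comment to state why the flag is deliberately left unset.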
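Review bot: In `openssl_use_privkey`, `BIO_free(bio);` is reached only when `PEM_read_bio_PrivateKey` succeeds; the `goto err` taken on a decode failure skips it. The `err:` label is outside the hunk, so confirm that it releases `bio`; if it does not, every rejected key leaks the BIO that wraps the private key buffer. Freeing on the common exit path and writing `BIO_free(bio); bio = NULL;` on the success path would cover both cases without a double free.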
@@ -84,7 +84,7 @@ crypto_wrapper_err_t openssl_verify_cert(crypto_wrapper_ctx_t *ctx, const uint8_ size_t endorsements_buffer_size = 0; /* Decode certificate as DER format */ - ret = RATS_VERIFIER_ERR_CERT_PARSE; + ret = CRYPTO_WRAPPER_ERR_CERT_PARSE; const unsigned char *t = (const unsigned char *)certificate; if (!d2i_X509(&cert, &t, certificate_size)) { RATS_ERR("bad certificate format\n"); @@ -116,7 +116,7 @@ crypto_wrapper_err_t openssl_verify_cert(crypto_wrapper_ctx_t *ctx, const uint8_ /* Extract the evidence_buffer(optional for nullverifier) and endorsements_buffer(optional) * from the X.509 certificate extension. */ - ret = RATS_VERIFIER_ERR_CERT_EXTENSION; + ret = CRYPTO_WRAPPER_ERR_CERT_EXTENSION; /* Extract evidence from extension */ int rc = find_extension_from_cert(cert, TCG_DICE_TAGGED_EVIDENCE_OID, &evidence_buffer, &evidence_buffer_size, true); diff --git a/include/librats/err.h b/include/librats/err.h index b52291c..9574dda 100644 --- a/include/librats/err.h +++ b/include/librats/err.h @@ -104,9 +104,10 @@ typedef enum { CRYPTO_WRAPPER_ERR_RSA_KEY_LEN, CRYPTO_WRAPPER_ERR_PUB_KEY_LEN, CRYPTO_WRAPPER_ERR_UNSUPPORTED_ALGO, - CRYPTO_WRAPPER_ERR_PUB_KEY_DECODE, + CRYPTO_WRAPPER_ERR_PRIV_KEY_DECODE, CRYPTO_WRAPPER_ERR_CERT_EXTENSION, CRYPTO_WRAPPER_ERR_UNSUPPORTED_HASH_ALGO, + CRYPTO_WRAPPER_ERR_CERT_PARSE, } crypto_wrapper_err_t; #endif diff --git a/verifiers/csv/csv_utils.c b/verifiers/csv/csv_utils.c index 79180f6..bdaa0b5 100644 --- a/verifiers/csv/csv_utils.c +++ b/verifiers/csv/csv_utils.c @@ -12,7 +12,7 @@ int sm3_hmac(const char *key, size_t key_len, const unsigned char *data, size_t { HMAC_CTX *hmac_ctx = HMAC_CTX_new(); const EVP_MD *evp_md = EVP_sm3(); - int sm3_hmac_out_size = 0; + unsigned int sm3_hmac_out_size = 0; int ret = -1; if (hmac_ctx == NULL) diff --git a/verifiers/csv/hygoncert.c b/verifiers/csv/hygoncert.c index 9e44cc9..78e8988 100644 --- a/verifiers/csv/hygoncert.c +++ b/verifiers/csv/hygoncert.c 
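Review bot: After `d2i_X509(&cert, &t, certificate_size)` succeeds in `openssl_verify_cert`, nothing in the visible lines checks that the parser consumed the whole buffer, so a certificate followed by trailing bytes is accepted as-is. `d2i_X509` advances `t`, so `if ((size_t)(t - (const unsigned char *)certificate) != certificate_size) goto err;` right after the call would reject such input with the `CRYPTO_WRAPPER_ERR_CERT_PARSE` code set above. The length parameter of `d2i_X509` is a `long`; if `certificate_size` is a `size_t` (its declaration is cut off in the hunk header), it should be range-checked against `LONG_MAX` before the call. The function body continues outside the hunk.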
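Review bot: Replacing `CRYPTO_WRAPPER_ERR_PUB_KEY_DECODE` with `CRYPTO_WRAPPER_ERR_PRIV_KEY_DECODE` in place removes an identifier from a header under `include/librats/`, so any caller that still names the old enumerator stops compiling. Whether such callers exist is not visible in this patch. Keeping the old name and appending the new one at the end of the enum, as done for `CRYPTO_WRAPPER_ERR_CERT_PARSE`, would avoid that. Neither new enumerator is commented; `/* PEM private key could not be decoded */` and `/* certificate could not be parsed as DER X.509 */` would match how use_privkey.c and verify_cert.c use them in this commit.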
@@ -899,7 +899,9 @@ static int verify_hsk_cert_signature(hygon_root_cert_t *hsk_cert) int verify_hsk_cert(hygon_root_cert_t *cert) { if (cert->key_usage != KEY_USAGE_TYPE_HSK) { - RATS_ERR("HSK cert key usage type invalid\n"); + RATS_ERR( + "HSK cert key usage type invalid. Expected %d(KEY_USAGE_TYPE_HSK), got %d\n", + KEY_USAGE_TYPE_HSK, cert->key_usage); return -1; }
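Review bot: The new message in `verify_hsk_cert` formats both `KEY_USAGE_TYPE_HSK` and `cert->key_usage` with `%d`, which is only correct if both are `int`. The field's declaration is outside the hunk, and if it is a fixed-width unsigned type this reintroduces the kind of format mismatch the same commit fixes in core/dice.c. Explicit casts make the call independent of the struct definition: `"HSK cert key usage type invalid. Expected %#x(KEY_USAGE_TYPE_HSK), got %#x\n", (unsigned int)KEY_USAGE_TYPE_HSK, (unsigned int)cert->key_usage`. The visible lines also dereference `cert` without a NULL check; if callers can pass NULL, `if (!cert) return -1;` belongs before the comparison.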