siemens · martin-barta-sie · Aug 15, 2022 · Aug 15, 2022 · DDvO · Aug 22, 2022
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -43,13 +43,11 @@ set(SRC_EXAMPLE_DIR ${PROJECT_SOURCE_DIR}/test)
 
 find_package(OpenSSL REQUIRED)
 
-if(DEFINED ENV{NDEBUG})
-  add_definitions(-DNDEBUG=1 -O2)
-else()
-  add_definitions(-g -O0)
-  add_definitions(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all)
-  link_libraries("-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all")
-endif()
+# Add this to get some additional runtime checks.
+# Warning: it's incompatible with tools like Valgrind and you have to add it to the app using this lib too.
+# add_definitions("-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all")
+# link_libraries("-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all")
+
 add_definitions(-Wall -Woverflow -Wextra -Wswitch -Wmissing-prototypes -Wstrict-prototypes -Wformat -Wtype-limits -Wundef -Wconversion -Wno-shadow -Wno-conversion -Wno-sign-conversion -Wno-unused-parameter -Wno-sign-compare) # TODO enable -Wconversion -Wsign-conversion -Wsign-compare -Wunused-parameter
 add_definitions(-Wformat -Wformat-security -Wno-declaration-after-statement -Wno-vla) # -Wpointer-arith -pedantic -DPEDANTIC # -Werror
 
@@ -75,6 +73,7 @@ set(SECUTIL_LIB_SRC ${SRC_DIR}/certstatus/certstatus.c
     ${SRC_DIR}/connections/conn.c
     ${SRC_DIR}/connections/http.c
     ${SRC_DIR}/connections/tls.c
+    ${SRC_DIR}/credentials/cert.c
     ${SRC_DIR}/credentials/credentials.c
     ${SRC_DIR}/credentials/key.c
     ${SRC_DIR}/credentials/store.c

diff --git a/Makefile b/Makefile
@@ -57,12 +57,16 @@ endif
 # Note: stuff for testing purposes should go here
 ################################################################################
 
-ifdef NDEBUG
+ifdef DEBUG
+    DEBUG_FLAGS ?= -g -O0
+# Add this to get some additional runtime checks.
+# Warning: it's incompatible with tools like Valgrind and you have to add it to the app using this lib too
+#	DEBUG_FLAGS += -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all
+else
     DEBUG_FLAGS ?= -O2
     override DEBUG_FLAGS += -DNDEBUG=1
-else
-    DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og
 endif
+
 override CFLAGS += $(DEBUG_FLAGS) -Wall -Woverflow -Wextra -Wswitch -Wmissing-prototypes -Wstrict-prototypes -Wformat -Wtype-limits -Wundef -Wconversion
 override CFLAGS += -Wno-shadow -Wno-conversion -Wno-sign-conversion -Wno-sign-compare -Wno-unused-parameter # TODO clean up code and enable -Wshadow -Wconversion -Wsign-conversion -Wsign-compare -Wunused-parameter
 override CFLAGS += -Wformat -Wformat-security -Wno-declaration-after-statement -Wno-vla # -Wpointer-arith -pedantic -DPEDANTIC # -Werror
@@ -150,11 +154,13 @@ ifeq ($(COV_ENABLED), 1)
 endif
 	$(MAKE) COMPILE_TYPE=$(COMPILE_TYPE) build_only
 
-util:
+util: $(OUT_DIR)/$(OUTLIB)
 	$(MAKE) -C util SECUTILS_USE_UTA="$(SECUTILS_USE_UTA)" \
 	   CFLAGS="$(CFLAGS) $(LOCAL_CFLAGS)" LDFLAGS="$(LDFLAGS)"
 
-build_all: build util
+build_all:
+	$(MAKE) build
+	$(MAKE) util
 
 # Binary output target
 $(OUT_DIR)/$(OUTLIB).$(VERSION): $(OBJS)
@@ -219,10 +225,10 @@ clean_uta:
           $(OUT_DIR)/$(OUTLIB)* $(OUT_DIR)/util/$(OUTBIN) $(OUT_DIR)/util/icvutil.o
 
 clean:
+	$(MAKE) -C util clean
 	rm -rf $(OUT_DIR)/$(OUTLIB)* $(OUT_DIR)/util/$(OUTBIN) $(BUILDDIR)
 
 clean_all: clean clean_deb
-	$(MAKE) -C util clean
 	rm -rf doc refman.pdf *.gcov reports
 
 doc: doc/html refman.pdf

diff --git a/debian/rules b/debian/rules
@@ -25,7 +25,8 @@ override_dh_auto_clean:
 
 # adding compile flags as, defaults are commonly debug flags
 override_dh_auto_build:
-#	CFLAGS="-O2 -DNDEBUG" CXXFLAGS="-O2 -DNDEBUG" DEBUG_FLAGS="" LDFLAGS=""  # can be used to avoid dependency on libasan and libubsan
+# clear DEBUG_FLAGS so that the default debian options get applied
+	DEBUG_FLAGS="" \
 	OPENSSL_DIR=/usr CC=$(CC) CXX=$(CXX) AR=$(AR) \
 	dh_auto_build -- -j1 build_only util
 

diff --git a/include/secutils/certstatus/certstatus.h b/include/secutils/certstatus/certstatus.h
@@ -17,6 +17,7 @@
 #define SECUTILS_CERTSTATUS_H_
 
 #include <openssl/x509_vfy.h>
+
 #include "../util/log.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x10101000L

diff --git a/include/secutils/certstatus/crl_mgmt.h b/include/secutils/certstatus/crl_mgmt.h
@@ -17,7 +17,8 @@
 #define SECUTILS_HEADER_CRL_MGMT_H
 
 #include <openssl/x509.h>
-#include <secutils/basic.h>
+
+#include "../basic.h"
 
 #ifdef __cplusplus
 extern "C" {

diff --git a/include/secutils/certstatus/crls.h b/include/secutils/certstatus/crls.h
@@ -16,6 +16,8 @@
 #ifndef SECUTILS_CRLS_H_
 #define SECUTILS_CRLS_H_
 
+#include "../basic.h"
+
 #include <openssl/x509.h>
 
 /*!*****************************************************************************

diff --git a/include/secutils/credentials/cert.h b/include/secutils/credentials/cert.h
@@ -26,8 +26,7 @@
 #include <string.h>  /* for strcmp, strlen */
 
 #include "../basic.h"
-#include "../operators.h"
-# include "../util/log.h"
+#include "../util/log.h"
 
 #include <openssl/x509.h>
 

diff --git a/include/secutils/credentials/verify.h b/include/secutils/credentials/verify.h
@@ -74,15 +74,13 @@ bool verify_cb_cert(X509_STORE_CTX* store_ctx, X509* cert, int err);
 /*!*****************************************************************************
  * @brief attempt to verify certificate
  *
- * @param ctx (optional) pointer to UTA context, unused
  * @param cert certificate to be verified
  * @param untrusted (optional) intermediate certs that may be useful for building
  * the chain of certificates between the cert and the trusted certs in the trust store
  * @param trust_store pointer to structure containing trusted (root) certs and further verification parameters
  * @note trust_store may contain CRLs loaded via STORE_load_crl_dir()
- * @return < 0 on on verification error, 0 for invalid cert, 1 for vaild cert
+ * @return < 0 on on verification error, 0 for invalid cert, 1 for valid cert
  *******************************************************************************/
-int CREDENTIALS_verify_cert(OPTIONAL uta_ctx* ctx, X509* cert,
-                            OPTIONAL const STACK_OF(X509) * untrusted, X509_STORE* trust_store);
+int CREDENTIALS_verify_cert(X509* cert, OPTIONAL const STACK_OF(X509) * untrusted, X509_STORE* trust_store);
 
 #endif /* SECUTILS_VERIFY_H_ */
diff --git a/include/secutils/storage/files_dv.h b/include/secutils/storage/files_dv.h
@@ -25,6 +25,8 @@
 
 #include <openssl/x509.h>
 
+#include "../util/util.h"
+
 #include "../storage/uta_api.h"
 #define MAX_UTA_PASS_LEN (MAX_B64_CHARS_PER_BYTE * TA_OUTLEN + 1)
 #include "files.h"

diff --git a/include/secutils/storage/files_icv.h b/include/secutils/storage/files_icv.h
@@ -20,6 +20,7 @@
 #include "../storage/uta_api.h"
 
 #include <openssl/ossl_typ.h>
+#include <openssl/safestack.h>
 
 /*!
  * @brief (re-)protect integrity of file (of any type that allows appending text) with ICV derived via UTA
@@ -126,5 +127,16 @@ bool FILES_store_cert_pem(OPTIONAL uta_ctx* ctx, const X509* cert, const char* f
  */
 bool FILES_store_crl_pem_icv(OPTIONAL uta_ctx* ctx, const X509_CRL* crl, const char* file, OPTIONAL const char* desc);
 
+/*!
+ * @brief Calculates a file's ICV and, if it is equal to the ICV stored in the file, returns the content without ICV.
+ *
+ * @param ctx pointer to UTA context, which typically is part of the libsecutils context
+ * @param path path to the file, can be relative or absolute
+ * @note if \p path is relative, it is transformed into absolute path
+ * @return \c OPENSSL_STRING containing content of the file if ICV matches, otherwise null pointer.
+ * In case of an error, message is logged and null pointer is returned.
+ * @warning Returned \c OPENSSL_STRING must be freed using function \c OPENSSL_free().
+ */
+OPENSSL_STRING FILE_get_file_content_if_existing_icv_is_valid(uta_ctx* ctx, const char* path);
 
 #endif /* SECUTILS_FILES_ICV_H_ */
diff --git a/include/secutils/util/util.h b/include/secutils/util/util.h
@@ -30,11 +30,12 @@
 # include <unistd.h>
 
 # include "../basic.h"
-# include "../operators.h"
 
 # include <openssl/err.h>
 # include <openssl/x509v3.h>
 
+# include "../storage/uta_api.h"
+
 static const char *const
 UTIL_SECUTILS_NAME = "secutils";           /*!< short name of this library */
 static const int UTIL_max_path_len = 512;  /*!< max length of file path name */
@@ -370,6 +371,7 @@ size_t UTIL_url_encode(const char  *source,
 # define HEX_BITS 4
 # define HEX_MASK 0x0f
 # define MAX_DIGIT 9
+# define ICV_LEN16 16
 
 /*!
  * @brief The function converts a binary string into a sequence of hex values.
@@ -435,4 +437,33 @@ int UTIL_base64_encode_to_buf(const unsigned char *data, int len,
 unsigned char *UTIL_base64_decode(const char *b64_data, int b64_len,
                                   int *decoded_len);
 
+/*!
+ * @brief derive integrity protection hash for data with given len, using key as DV.
+ *
+ * @param ctx pointer to uta context object
+ * @param data pointer to data from which the ICV will be calculated
+ * @param data_len size of data from which the ICV will be calculated
+ * @param key_dv The derivation value for key for which the ICV is calculated
+ * @param icv_out Pointer to a buffer where the resulting ICV will be stored. This buffer must be at least
+ * ICV_LEN16 in size.
+ * @return true if calculating the ICV is successful, false otherwise
+ */
+bool UTIL_calculate_icv(uta_ctx* ctx, const unsigned char* data, const size_t data_len, const char* key_dv,
+                        unsigned char* icv_out);
+
+/*!
+ * @brief implementation of the function UTIL_calculate_icv.
+ * @note this function was created to avoid code repetition (the same computation is needed in files_icv.c).
+ *
+ * @param ctx pointer to uta context object
+ * @param data pointer to data from which the ICV will be calculated
+ * @param data_len size of data from which the ICV will be calculated
+ * @param key_dv The derivation value for key for which the ICV is calculated
+ * @param mac Pointer to a buffer where the resulting ICV will be stored. This buffer must be at least
+ * ICV_LEN16 in size.
+ * @return true if calculating the ICV is successful, false otherwise
+ */
+bool UTIL_calculate_icv_impl(uta_ctx* ctx, const unsigned char* data, const size_t data_len, const char* key_dv,
+                             unsigned char* mac);
+
 #endif /* SECUTILS_UTIL_H_ */
diff --git a/src/certstatus/certstatus.c b/src/certstatus/certstatus.c
@@ -1,13 +1,13 @@
-/** 
+/**
 * @file certstatus.c
-* 
+*
 * @brief Certificate status checking using CRLs and/or OCSP
 *
 * @copyright Copyright (c) Siemens Mobility GmbH, 2021
 *
 * @author David von Oheimb <david.von.oheimb@siemens.com>
 *
-* This work is licensed under the terms of the Apache Software License 
+* This work is licensed under the terms of the Apache Software License
 * 2.0. See the COPYING file in the top-level directory.
 *
 * SPDX-License-Identifier: Apache-2.0
@@ -28,7 +28,7 @@
 # include <certstatus/ocsp.h>
 #endif
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 static unsigned int num_CDPs(const X509* cert)
 {

diff --git a/src/certstatus/crls.c b/src/certstatus/crls.c
@@ -27,7 +27,7 @@
 #include <credentials/verify.h>
 #include <connections/conn.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 /* adapted from OpenSSL:crypto/x509/t_crl.c */
 void UTIL_print_crl(OPTIONAL BIO* bio, OPTIONAL const X509_CRL* crl)

diff --git a/src/certstatus/ocsp.c b/src/certstatus/ocsp.c
@@ -29,7 +29,7 @@
 #  include <connections/tls.h>
 # endif
 
-# include <operators.h>
+#include "secutils/operators.h"
 
 OCSP_RESPONSE* CONN_load_OCSP_http(const char* url, int timeout,
                                    const OCSP_REQUEST* req,

diff --git a/src/config/config.c b/src/config/config.c
@@ -22,7 +22,7 @@
 #include <credentials/verify.h>
 #include <storage/files_icv.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 /* adapted from OpenSSL:apps/include/apps.h */
 static opt_t vpm_opts[] = { OPT_V_OPTIONS, OPT_END };

diff --git a/src/config/config_update.c b/src/config/config_update.c
@@ -17,7 +17,7 @@
 #include <storage/files_icv.h>
 #include <util/log.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 
 static void skip_space(char** p)

diff --git a/src/config/opt.c b/src/config/opt.c
@@ -19,7 +19,7 @@
 
 #include <inttypes.h> /* for strtoimax on Linux */
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 const char OPT_more_str[] = "-M";
 const char OPT_section_str[] = "-S";

diff --git a/src/connections/conn.c b/src/connections/conn.c
@@ -21,7 +21,7 @@
 # include <openssl/ssl.h>
 #endif
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 static const char* skip_scheme(const char* str)
 {

diff --git a/src/connections/http.c b/src/connections/http.c
@@ -16,7 +16,6 @@
 #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
 
 # include <util/log.h>
-# include <operators.h>
 # include <connections/http.h>
 # include <connections/conn.h>
 # ifndef SECUTILS_NO_TLS
@@ -29,6 +28,8 @@
 # endif
 # include <openssl/ocsp.h>
 
+# include "secutils/operators.h"
+
 /* TODO replace this all by new API in http.h of OpenSSL 3.0 */
 
 static int REQ_CTX_i2d(OCSP_REQ_CTX* rctx, const char* content_type,

diff --git a/src/connections/tls.c b/src/connections/tls.c
@@ -29,7 +29,7 @@
 #include <certstatus/ocsp.h>
 #endif
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 bool TLS_init(void)
 {

diff --git a/src/credentials/cert.c b/src/credentials/cert.c
@@ -19,7 +19,7 @@
 #include <storage/files.h>
 #include <util/log.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 
 X509 *CERT_load(const char *file, OPTIONAL const char *source,

diff --git a/src/credentials/credentials.c b/src/credentials/credentials.c
@@ -27,7 +27,7 @@
 #include <util/log.h>
 #include <util/util.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 /* this type is part of the genCMPClient API */
 struct credentials

diff --git a/src/credentials/key.c b/src/credentials/key.c
@@ -20,7 +20,7 @@
 #include <credentials/key.h>
 #include <util/log.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 EVP_PKEY* KEY_new(const char* spec)
 {

diff --git a/src/credentials/store.c b/src/credentials/store.c
@@ -26,7 +26,7 @@
 #include <util/log.h>
 #include <util/util.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 typedef struct STORE_ex_st
 {

diff --git a/src/credentials/trusted.c b/src/credentials/trusted.c
@@ -20,7 +20,7 @@
 #include <storage/files_icv.h>
 #include <util/log.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 static const char* config_file(void)
 {

diff --git a/src/credentials/verify.c b/src/credentials/verify.c
@@ -23,7 +23,7 @@
 #include <util/log.h>
 #include <storage/uta_api.h>
 
-#include <operators.h>
+#include "secutils/operators.h"
 
 
 bool STORE_CTX_tls_active(const X509_STORE_CTX* ctx)
@@ -183,8 +183,7 @@ bool verify_cb_cert(X509_STORE_CTX* store_ctx, X509* cert, int err)
     return verify_cb != 0 and (*verify_cb)(0, store_ctx) != 0;
 }
 
-int CREDENTIALS_verify_cert(OPTIONAL uta_ctx* uta_ctx, X509* cert,
-                            OPTIONAL const STACK_OF(X509) * untrusted_certs, X509_STORE* trust_store)
+int CREDENTIALS_verify_cert(X509* cert, OPTIONAL const STACK_OF(X509) * untrusted_certs, X509_STORE* trust_store)
 {
     int result = -1;
     X509_STORE_CTX* store_ctx = 0;