Accepting request 1069081 from security

Update to version 1.1.4 (forwarded request 1069040 from schubi2)

OBS-URL: https://build.opensuse.org/request/show/1069081
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fdo-client?expand=0&rev=2
Dominique Leuenberger 2023-03-03 21:28:32 +00:00 committed by Git OBS Bridge
commit 07f007ba69
8 changed files with 110 additions and 190 deletions


@ -2,7 +2,7 @@
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">
<param name="version">1.0.0</param> <param name="version">1.0.0</param>
<param name="versionformat">1.0.0+git%cd.%h</param> <param name="versionformat">1.0.0+git%cd.%h</param>
<param name="url">git://github.com/intel/safestringlib.git</param> <param name="url">git@github.com:intel/safestringlib.git</param>
<param name="revision">v1.0.0</param> <param name="revision">v1.0.0</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
@ -16,10 +16,10 @@
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
</service> </service>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">
<param name="version">1.0.0</param> <param name="version">1.1.4</param>
<param name="versionformat">1.0.0+git%cd.%h</param> <param name="versionformat">1.1.4+git%cd.%h</param>
<param name="url">git@github.com:secure-device-onboard/client-sdk-fidoiot.git</param> <param name="url">git@github.com:secure-device-onboard/client-sdk-fidoiot.git</param>
<param name="revision">v1.0.0</param> <param name="revision">v1.1.4</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="filename">fdo-client</param> <param name="filename">fdo-client</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
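Review bot: The new `revision` value `v1.1.4` names a tag, not a commit, so a later service run fetches different content if upstream moves the tag; the resolved commit `c8ef7576afa1b250ff9460b519238f32711ef175` is recorded only as `changesrevision` in the service data. Putting that commit hash in `revision` would make the fetched source reproducible and any change to it visible in review. The safestringlib URL also moves from `git://` to the SSH form `git@github.com:intel/safestringlib.git`, which needs a GitHub SSH key on whichever machine runs the service. `https://github.com/intel/safestringlib.git` fetches anonymously over TLS and would suit the fdo-client URL as well.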


@ -9,6 +9,8 @@
</service> </service>
<service name="tar_scm"> <service name="tar_scm">
<param name="url">git@github.com:secure-device-onboard/client-sdk-fidoiot.git</param> <param name="url">git@github.com:secure-device-onboard/client-sdk-fidoiot.git</param>
<param name="changesrevision">baa09b537ddbb4ce9fdf289ad55e885526d045ec</param> <param name="changesrevision">c8ef7576afa1b250ff9460b519238f32711ef175</param>
</service> </service>
</servicedata> <service name="tar_scm">
<param name="url">git@github.com:intel/safestringlib.git</param>
<param name="changesrevision">5da1badd337e68c1334fb232c778166f46f6d9f9</param></service></servicedata>


@ -1,6 +1,5 @@
diff -u a/blob_path.cmake b/blob_path.cmake --- org/cmake/blob_path.cmake 2022-12-09 09:44:34.000000000 +0100
--- a/cmake/blob_path.cmake 2021-10-14 22:02:06.855474972 +0200 +++ patch/cmake/blob_path.cmake 2023-03-02 14:51:38.637622177 +0100
+++ b/cmake/blob_path.cmake 2021-10-14 22:19:21.969170219 +0200
@@ -7,17 +7,18 @@ @@ -7,17 +7,18 @@
# Note all blobs and data will be made relative. # Note all blobs and data will be made relative.
# if absoulte is needed declare BLOB_PATH on CLI # if absoulte is needed declare BLOB_PATH on CLI
@ -99,7 +98,7 @@ diff -u a/blob_path.cmake b/blob_path.cmake
) )
if (${DA_FILE} MATCHES pem) if (${DA_FILE} MATCHES pem)
client_sdk_compile_definitions( client_sdk_compile_definitions(
@@ -164,10 +165,10 @@ @@ -164,9 +165,9 @@
# Configure if needed at a later point # Configure if needed at a later point
# configure_file(${BLOB_PATH}/data/Normal.blob NEWLINE_STYLE DOS) # configure_file(${BLOB_PATH}/data/Normal.blob NEWLINE_STYLE DOS)
@ -109,19 +108,15 @@ diff -u a/blob_path.cmake b/blob_path.cmake
-file(WRITE ${BLOB_PATH}/data/Normal.blob "") -file(WRITE ${BLOB_PATH}/data/Normal.blob "")
-file(WRITE ${BLOB_PATH}/data/Secure.blob "") -file(WRITE ${BLOB_PATH}/data/Secure.blob "")
-file(WRITE ${BLOB_PATH}/data/raw.blob "") -file(WRITE ${BLOB_PATH}/data/raw.blob "")
-file(WRITE ${BLOB_PATH}/data/max_serviceinfo_sz.bin "")
+file(WRITE ./data/platform_iv.bin "") +file(WRITE ./data/platform_iv.bin "")
+file(WRITE ./data/platform_hmac_key.bin "") +file(WRITE ./data/platform_hmac_key.bin "")
+file(WRITE ./data/platform_aes_key.bin "") +file(WRITE ./data/platform_aes_key.bin "")
+file(WRITE ./data/Normal.blob "") +file(WRITE ./data/Normal.blob "")
+file(WRITE ./data/Secure.blob "") +file(WRITE ./data/Secure.blob "")
+file(WRITE ./data/raw.blob "") +file(WRITE ./data/raw.blob "")
+file(WRITE ./data/max_serviceinfo_sz.bin "") --- org/cmake/cli_input.cmake 2022-12-09 09:44:34.000000000 +0100
Nur in b: blob_path.cmake~. +++ patch/cmake/cli_input.cmake 2023-03-02 14:56:02.036016802 +0100
diff -u a/cli_input.cmake b/cli_input.cmake @@ -25,6 +25,7 @@
--- a/cmake/cli_input.cmake 2021-10-14 22:24:53.078959088 +0200
+++ b/cmake/cli_input.cmake 2021-10-14 22:26:36.187516122 +0200
@@ -24,6 +24,7 @@
set (STORAGE true) set (STORAGE true)
set (BOARD NUCLEO_F767ZI) set (BOARD NUCLEO_F767ZI)
set (BLOB_PATH .) set (BLOB_PATH .)
@ -129,7 +124,7 @@ diff -u a/cli_input.cmake b/cli_input.cmake
set (TPM2_TCTI_TYPE tabrmd) set (TPM2_TCTI_TYPE tabrmd)
set (RESALE true) set (RESALE true)
set (REUSE true) set (REUSE true)
@@ -501,6 +502,36 @@ @@ -530,6 +531,37 @@
message("Selected BLOB_PATH ${BLOB_PATH}") message("Selected BLOB_PATH ${BLOB_PATH}")
########################################### ###########################################
@ -162,8 +157,8 @@ diff -u a/cli_input.cmake b/cli_input.cmake
+set(CACHED_RO_BLOB_PATH ${RO_BLOB_PATH} CACHE STRING "Selected RO_BLOB_PATH") +set(CACHED_RO_BLOB_PATH ${RO_BLOB_PATH} CACHE STRING "Selected RO_BLOB_PATH")
+message("Selected RO_BLOB_PATH ${RO_BLOB_PATH}") +message("Selected RO_BLOB_PATH ${RO_BLOB_PATH}")
+ +
+
+########################################### +###########################################
# FOR WIFI_SSID # FOR WIFI_SSID
get_property(cached_wifi_ssid_value CACHE WIFI_SSID PROPERTY VALUE) get_property(cached_wifi_ssid_value CACHE WIFI_SSID PROPERTY VALUE)
Nur in b: cli_input.cmake~.
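Review bot: The `file(WRITE ./data/...)` lines carried in this patch create the placeholder blobs, including `platform_hmac_key.bin` and `platform_aes_key.bin`, under a relative path instead of `${BLOB_PATH}`, so a BLOB_PATH given on the command line no longer decides where they land. CMake resolves a relative `file(WRITE)` path against the current source directory, so the configure step writes into the unpacked source tree. If that is intended for the package build, build.patch should carry a short header comment saying so and explaining how the added `RO_BLOB_PATH` relates to the location the client reads its key and credential blobs from at run time. The refreshed patch also no longer touches `max_serviceinfo_sz.bin`; it is presumably gone upstream in 1.1.4, but that is worth confirming against the new tarball.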


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f35493ad6470003d707834b11614296300f578163c474c7219a9aa4eff82b3c0
size 255368

fdo-client-1.1.4+git20221209.c8ef757.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.


@ -1,3 +1,60 @@
-------------------------------------------------------------------
Thu Mar 02 11:38:56 UTC 2023 - schubi@suse.com
- Update to version 1.1.4+git20221209.c8ef757:
* Readme update (#210)
* Updating the readme with openssl 1.1.1s (#209)
* Fix TO when IP/RV is empty string (#208)
* * Replaced unsafe string function (#207)
* Increase max message buffer size to 64000 (#205)
* Update Curl version as 7.86 in Readme (#206)
* Readme updates (#204)
* Minimal logs by default (compile time) (#203)
* Revert openssl3 (#201)
* Update HTTPS connection to use TLS 1.2 (#196)
* Openssl 3 porting (#194)
* Add curl support for HTTP connection (#195)
* Update NOTICE file (#192)
* Add CURL support for HTTPS connection (#188)
* Readme update for installing safestringlib (#191)
* Updating the readme with openssl 1.1.1q (#187)
* switch to host.docker.internal (#185)
* Fix to enable compilation of CSDK in ubuntu 22 (#183)
* Fix TO when IP is NULL (#184)
* Update EAT-UEID value as per FIDO working draft specification (#180)
* Revert "Update EAT-UEID value as per FIDO working draft specification (#178)" (#179)
* Update EAT-UEID value as per FIDO working draft specification (#178)
* Updating comments in fdonet.c (#177)
* Upgrade OpenSSL toolkit version to 1.1.1n (#176)
* Documentation updates (#175)
* Add a note regarding fdosys issue (#174)
* Update Jenkinsfile to copy PRI artifacts from master (#173)
* Merging 1.1 dev branch to master. (#172)
* Fix multiple owner support for CSDK devices. (#167)
* Fix: fdo_sys:exec_cb/exec not working after initial fdo_sys:exec (#166)
* Add implementation for fdo_sys keep-alive (#165)
* Fix an issue with keeping in-memory Mfg PublicKey hash (#164)
* Update/Tweak Device Status and Cred management (#163)
* Updating EAT IANA numbers as per spec ERRATA (#160)
* Updating Device ServiceInfo framework to handle writes (#162)
* Add TPM support on RHEL (#161)
* Update README for RHEL support (#159)
* Remove disclaimer from README (#158)
-------------------------------------------------------------------
Thu Mar 02 11:37:36 UTC 2023 - schubi@suse.com
- Update to version 1.0.0+git20171208.5da1bad:
* Use secure functions where appropriate
* Added extern definition
* Fix Klocwork Errors
* Fix output
* Fix Core Dump in Unit Test
* Add Makefile
* publish unit tests
* strpcpu_s: remove unsed redundant variable overlap_bumper
* Update LICENSE&COPYING.txt
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Oct 15 17:39:31 UTC 2021 - Stefan Schubert <schubi@suse.de> Fri Oct 15 17:39:31 UTC 2021 - Stefan Schubert <schubi@suse.de>


@ -17,7 +17,7 @@
Name: fdo-client Name: fdo-client
Version: 1.0.0+git20210816.baa09b5 Version: 1.1.4+git20221209.c8ef757
Release: 0 Release: 0
Summary: FIDO Device Onboard Client Summary: FIDO Device Onboard Client
License: Apache-2.0 License: Apache-2.0
@ -32,11 +32,11 @@ Source5: README
Patch0: build.patch Patch0: build.patch
Patch1: gcc.patch Patch1: gcc.patch
Requires: openssl Requires: openssl
Obsoletes: sdo-client
BuildRequires: cmake BuildRequires: cmake
BuildRequires: vim BuildRequires: vim
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libopenssl-devel BuildRequires: libopenssl-devel
BuildRequires: libcurl-devel
%{?systemd_ordering} %{?systemd_ordering}
%description %description

190
gcc.patch

@ -1,171 +1,37 @@
--- org/lib/fdoprotctx.c 2021-10-18 21:51:23.914574062 +0200 --- org/network/network_if_linux.c 2022-12-09 09:44:34.000000000 +0100
+++ patch/lib/fdoprotctx.c 2021-10-18 21:49:40.170002557 +0200 +++ patch/network/network_if_linux.c 2023-03-02 16:05:07.625074915 +0100
@@ -118,8 +118,11 @@ @@ -246,7 +246,7 @@
goto err;
}
switch (prot_ctx->protdata->state) { - if (ip_addr->addr) {
case FDO_STATE_DI_APP_START: /* type 10 */ + if (ip_addr->length > 0) {
- ATTRIBUTE_FALLTHROUGH; ip_ascii = fdo_alloc(IP_TAG_LEN);
+ { if (!ip_ascii) {
+ ATTRIBUTE_FALLTHROUGH; goto err;
+ } @@ -331,7 +331,7 @@
case FDO_STATE_DI_SET_CREDENTIALS: /* type 11 */
+ {
if (prot_ctx->host_dns) {
if (prot_ctx->resolved_ip) {
fdo_free(prot_ctx->resolved_ip);
@@ -133,9 +136,12 @@
break;
} }
} }
- ATTRIBUTE_FALLTHROUGH;
+ ATTRIBUTE_FALLTHROUGH; - if (ip_addr->addr) {
+ } + if (ip_addr->length > 0) {
case FDO_STATE_DI_SET_HMAC: /* type 12 */ ip_ascii = fdo_alloc(IP_TAG_LEN);
- ATTRIBUTE_FALLTHROUGH; if (!ip_ascii) {
+ { goto err;
+ ATTRIBUTE_FALLTHROUGH; --- org/lib/credentials_from_file.c 2022-12-09 09:44:34.000000000 +0100
+ } +++ patch/lib/credentials_from_file.c 2023-03-02 16:34:46.597314561 +0100
case FDO_STATE_DI_DONE: /* type 13 */ @@ -231,7 +231,6 @@
ret = connect_to_manufacturer(
prot_ctx->resolved_ip ? prot_ctx->resolved_ip : prot_ctx->host_ip,
@@ -144,24 +150,30 @@
(prot_ctx->tls ? &prot_ctx->ssl : NULL));
break;
case FDO_STATE_T01_SND_HELLO_FDO: /* type 30 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO1_RCV_HELLO_FDOACK: /* type 31 */
- if (prot_ctx->host_dns) {
- if (prot_ctx->resolved_ip) {
- fdo_free(prot_ctx->resolved_ip);
- }
- if (!resolve_dn(prot_ctx->host_dns,
- &prot_ctx->resolved_ip,
- prot_ctx->host_port,
- (prot_ctx->tls ? &prot_ctx->ssl : NULL),
- is_rv_proxy_defined())) {
- ret = false;
- fdo_free(prot_ctx->resolved_ip);
+ {
+ if (prot_ctx->host_dns) {
+ if (prot_ctx->resolved_ip) {
+ fdo_free(prot_ctx->resolved_ip);
+ }
+ if (!resolve_dn(prot_ctx->host_dns,
+ &prot_ctx->resolved_ip,
+ prot_ctx->host_port,
+ (prot_ctx->tls ? &prot_ctx->ssl : NULL),
+ is_rv_proxy_defined())) {
+ ret = false;
+ fdo_free(prot_ctx->resolved_ip);
+ }
}
+ ATTRIBUTE_FALLTHROUGH;
}
- ATTRIBUTE_FALLTHROUGH;
case FDO_STATE_TO1_SND_PROVE_TO_FDO: /* type 32 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO1_RCV_FDO_REDIRECT: /* type 33 */
// try DNS's resolved IP first, if it fails, try given IP address
ret = connect_to_rendezvous(
@@ -174,40 +186,62 @@
}
break;
case FDO_STATE_T02_SND_HELLO_DEVICE: /* type 60 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_RCV_PROVE_OVHDR: /* type 61 */
- if (prot_ctx->host_dns) {
- if (prot_ctx->resolved_ip) {
- fdo_free(prot_ctx->resolved_ip);
- }
- if (!resolve_dn(prot_ctx->host_dns,
- &prot_ctx->resolved_ip,
- prot_ctx->host_port,
- (prot_ctx->tls ? &prot_ctx->ssl : NULL),
- is_owner_proxy_defined())) {
- ret = false;
- fdo_free(prot_ctx->resolved_ip);
+ {
+ if (prot_ctx->host_dns) {
+ if (prot_ctx->resolved_ip) {
+ fdo_free(prot_ctx->resolved_ip);
+ }
+ if (!resolve_dn(prot_ctx->host_dns,
+ &prot_ctx->resolved_ip,
+ prot_ctx->host_port,
+ (prot_ctx->tls ? &prot_ctx->ssl : NULL),
+ is_owner_proxy_defined())) {
+ ret = false;
+ fdo_free(prot_ctx->resolved_ip);
+ }
}
+ ATTRIBUTE_FALLTHROUGH;
}
- ATTRIBUTE_FALLTHROUGH;
case FDO_STATE_TO2_SND_GET_OP_NEXT_ENTRY: /* type 62 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_T02_RCV_OP_NEXT_ENTRY: /* type 63 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_SND_PROVE_DEVICE: /* type 64 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_RCV_GET_NEXT_DEVICE_SERVICE_INFO: /* type 65 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_SND_NEXT_DEVICE_SERVICE_INFO: /* type 66 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_RCV_SETUP_DEVICE: /* type 67 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_T02_SND_GET_NEXT_OWNER_SERVICE_INFO: /* type 68 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_T02_RCV_NEXT_OWNER_SERVICE_INFO: /* type 69 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_SND_DONE: /* type 70 */
- ATTRIBUTE_FALLTHROUGH;
+ {
+ ATTRIBUTE_FALLTHROUGH;
+ }
case FDO_STATE_TO2_RCV_DONE_2: /* type 71 */
// try DNS's resolved IP first, if it fails, try given IP address
ret = connect_to_owner(prot_ctx->resolved_ip, prot_ctx->host_port,
--- org/lib/credentials_from_file.c 2021-10-18 22:19:33.447783075 +0200
+++ patch/lib/credentials_from_file.c 2021-10-18 22:19:20.143711330 +0200
@@ -228,8 +228,6 @@
return true; return true;
} }
- LOG(LOG_DEBUG, "Reading DeviceCredential blob of length %"PRIu64"\n", dev_cred_len); - LOG(LOG_DEBUG, "Reading DeviceCredential blob of length %"PRIu64"\n", dev_cred_len);
-
fdor = fdo_alloc(sizeof(fdor_t)); fdor = fdo_alloc(sizeof(fdor_t));
if (!fdor || !fdor_init(fdor) || !fdo_block_alloc_with_size(&fdor->b, dev_cred_len)) { if (!fdor || !fdor_init(fdor) || !fdo_block_alloc_with_size(&fdor->b, dev_cred_len)) {
LOG(LOG_ERROR, "FDOR Initialization/Allocation failed!\n"); @@ -531,4 +530,4 @@
return true;
}
return false;
-}
\ Kein Zeilenumbruch am Dateiende.
+}
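Review bot: The refreshed gcc.patch has no header saying why each hunk exists or whether it was sent upstream, and two of its changes need a sentence of explanation. The guard in network_if_linux.c becomes `if (ip_addr->length > 0)`, which accepts any positive length; whether `length` is bounded to a valid address size before the conversion into the `IP_TAG_LEN` buffer is not visible in these hunks and should be confirmed. The credentials_from_file.c hunk deletes the `LOG_DEBUG` line for `dev_cred_len` outright; if the reason is a format-specifier warning, correcting the specifier would keep the diagnostic. The enclosing functions start and end outside the hunks.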