Factor out the miniroon decoding function - miniroon - Simplistic macaroon-based authorization for Unix systems

commit 4dcec9f36ce8974c08d79b5430bd3fdb9c31b0af
parent 1748b7a20693ea9a7b21532089a097a3502c8f2c
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Fri,  6 Dec 2024 22:09:10 +0000

Factor out the miniroon decoding function

Diffstat:
M src/Makefile  | 8 ++++----
M src/cmd_verify.c  | 59 ++++-------------------------------------------------------
A src/decode.c  | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A src/decode.h  | 13 +++++++++++++
M src/netstring.c  | 14 ++++++++++++++
M src/netstring.h  | 2 ++

6 files changed, 97 insertions(+), 59 deletions(-)
diff --git a/src/Makefile b/src/Makefile
@@ -3,6 +3,10 @@ all: tools
 
 miniroon_tool_names:=read verify
 
+tools:=$(patsubst %,build/miniroon-%,$(miniroon_tool_names))
+tools: $(tools)
+.PHONY: tools
+
 define miniroon_autolink =
 include build/cmd_$(1).c.deps.mk
 build/miniroon-$(1): $$(LINKDEP_cmd_$(1)__c) ../link build/cmd_$(1).c.deps.mk
@@ -10,10 +14,6 @@ build/miniroon-$(1): $$(LINKDEP_cmd_$(1)__c) ../link build/cmd_$(1).c.deps.mk
 endef
 $(foreach var,$(miniroon_tool_names),$(eval $(call miniroon_autolink,$(var))))
 
-tools:=$(patsubst %,build/miniroon-%,$(miniroon_tool_names))
-tools: $(tools)
-.PHONY: tools
-
 clean:
 	rm -r $(tools) build
 .PHONY: clean
diff --git a/src/cmd_verify.c b/src/cmd_verify.c
@@ -19,11 +19,10 @@
 #include "verify_common.h"
 #include "bytebuffer.h"
 #include "netstring.h"
-#include "hmac_sha2_256.h"
 #include "header.h"
 #include "caveats.h"
 #include "miniroon_data.h"
-#include "secret.h"
+#include "decode.h"
 
 /* declarations */
 void process_payload(const bytebuffer payload);
@@ -38,11 +37,11 @@ void validate_and_exec(miniroon_data *md) {
   // stralloc env_modif;
 
   for(size_t i=0; i < md->caveat_count; i++) {
-    dbg_print_bb1("Validate caveat", md->caveats[i]);
+    dbg_print_bb1("Validate[1] caveat", md->caveats[i]);
     miniroon_caveat_prepare(md->caveats[i], &state);
   }
   for(size_t i=0; i < md->caveat_count; i++) {
-    dbg_print_bb1("Validate caveat", md->caveats[i]);
+    dbg_print_bb1("Validate[2] caveat", md->caveats[i]);
     miniroon_caveat_validate(md->caveats[i], &state);
   }
 
@@ -55,57 +54,7 @@ void validate_and_exec(miniroon_data *md) {
 
 void process_payload(const bytebuffer payload) {
   miniroon_data md;
-  miniroon_data_init(&md);
-  netstring_chunk c;
-  netstring_chunk_init(&c, payload);
-
-  if(!netstring_chunk_next(&c)) {
-    strerr_dief1x(111, "Mising miniroon header");
-  }
-  parse_header(&md.hdr, c.inner);
-  // header should be verified by now, we can start hashing
-  uint8_t hmac_data[MINIROON_HMAC_SIZE];
-  bytebuffer hmac_bb = {hmac_data, MINIROON_HMAC_SIZE};
-  read_secret(hmac_bb);
-  // dbg_print_bb1("Secret", hmac_bb);
-  MINIROON_HMAC_FUNC(hmac_bb, c.inner, hmac_bb);
-  // dbg_print_bb1("Signature update", hmac_bb);
-
-  if(!netstring_chunk_next(&c)) {
-    strerr_dief1x(111, "Mising miniroon body");
-  }
-  netstring_chunk body;
-  netstring_chunk_init(&body, c.inner);
-
-  while(netstring_chunk_next(&body)) {
-    dbg_print_bb1("Got caveat", body.inner);
-    if(md.caveat_count >= MAX_CAVEATS) {
-      strerr_dief1x(111, "Too many caveats");
-    }
-    md.caveats[md.caveat_count++] = body.inner;
-    MINIROON_HMAC_FUNC(hmac_bb, body.inner, hmac_bb);
-    // dbg_print_bb1("Signature update", hmac_bb);
-  }
-
-  if(!netstring_chunk_next(&c)) {
-    strerr_dief1x(111, "Mising miniroon signature");
-  }
-  dbg_print_bb1("Got signature", c.inner);
-  if(c.inner.len != MINIROON_HMAC_SIZE) {
-    strerr_dief1x(111, "Invalid miniroon signature length");
-  }
-  /* constant time hash compare */
-  uint8_t bitdiff = 0;
-  for(size_t i=0; i<MINIROON_HMAC_SIZE; i++) {
-    bitdiff |= hmac_data[i] ^ c.inner.data[i];
-  }
-  if(netstring_chunk_next(&c)) {
-    strerr_dief1x(111, "Extraneous data in miniroon");
-  }
-  if(bitdiff) {
-    strerr_dief1x(111, "Invalid miniroon signature");
-  }
-
+  miniroon_decode(&md, payload);
   validate_and_exec(&md);
   strerr_dief1x(110, "Internal logic error, should not get here");
 }
diff --git a/src/decode.c b/src/decode.c
@@ -0,0 +1,60 @@
+#include <stdint.h>
+
+#include "verify_common.h"
+#include "decode.h"
+#include "header.h"
+#include "secret.h"
+#include "hmac_sha2_256.h"
+
+void miniroon_decode(miniroon_data *md, const bytebuffer encoded) {
+  miniroon_data_init(md);
+  netstring_chunk c;
+  netstring_chunk_init(&c, encoded);
+
+  if(!netstring_chunk_next(&c)) {
+    strerr_dief1x(111, "Mising miniroon header");
+  }
+  parse_header(&md->hdr, c.inner);
+  // header should be verified by now, we can start hashing
+  uint8_t hmac_data[MINIROON_HMAC_SIZE];
+  bytebuffer hmac_bb = {hmac_data, MINIROON_HMAC_SIZE};
+  read_secret(hmac_bb);
+  // dbg_print_bb1("Secret", hmac_bb);
+  MINIROON_HMAC_FUNC(hmac_bb, c.inner, hmac_bb);
+  // dbg_print_bb1("Signature update", hmac_bb);
+
+  if(!netstring_chunk_next(&c)) {
+    strerr_dief1x(111, "Mising miniroon body");
+  }
+  netstring_chunk body;
+  netstring_chunk_init(&body, c.inner);
+
+  while(netstring_chunk_next(&body)) {
+    dbg_print_bb1("Got caveat", body.inner);
+    if(md->caveat_count >= MAX_CAVEATS) {
+      strerr_dief1x(111, "Too many caveats");
+    }
+    md->caveats[md->caveat_count++] = body.inner;
+    MINIROON_HMAC_FUNC(hmac_bb, body.inner, hmac_bb);
+    // dbg_print_bb1("Signature update", hmac_bb);
+  }
+
+  if(!netstring_chunk_next(&c)) {
+    strerr_dief1x(111, "Mising miniroon signature");
+  }
+  dbg_print_bb1("Got signature", c.inner);
+  if(c.inner.len != MINIROON_HMAC_SIZE) {
+    strerr_dief1x(111, "Invalid miniroon signature length");
+  }
+  /* constant time hash compare */
+  uint8_t bitdiff = 0;
+  for(size_t i=0; i<MINIROON_HMAC_SIZE; i++) {
+    bitdiff |= hmac_data[i] ^ c.inner.data[i];
+  }
+  if(netstring_chunk_next(&c)) {
+    strerr_dief1x(111, "Extraneous data in miniroon");
+  }
+  if(bitdiff) {
+    strerr_dief1x(111, "Invalid miniroon signature");
+  }
+}
diff --git a/src/decode.h b/src/decode.h
@@ -0,0 +1,13 @@
+#ifndef MINIROON_DECODE_H
+#define MINIROON_DECODE_H
+
+// implementation:
+// {IMP} decode.c
+
+#include "bytebuffer.h"
+#include "netstring.h"
+#include "miniroon_data.h"
+
+void miniroon_decode(miniroon_data *md, const bytebuffer encoded);
+
+#endif
diff --git a/src/netstring.c b/src/netstring.c
@@ -2,6 +2,7 @@
 #include <assert.h>
 
 #include <skalibs/uint64.h>
+#include <skalibs/types.h>
 #include <skalibs/strerr.h>
 
 #include "netstring.h"
@@ -39,3 +40,16 @@ bool netstring_chunk_next (netstring_chunk *c) {
   // dbg_print_bb1("Chunk > Inner", c->inner);
   return true;
 }
+
+size_t netstring_write (bytebuffer *dest, const bytebuffer src) {
+	size_t len;
+	len = size_fmt(dest ? dest->data : NULL, src.len);
+	assert(dest->len >= len + 2 + src.len);
+	dest->len -= len + 2 + src.len;
+	dest->data += len;
+	*(dest->data++) = ':';
+	memcpy(dest->data, src.data, src.len);
+	dest->data += src.len;
+	*(dest->data++) = ';';
+	return len + 2 + src.len;
+}
diff --git a/src/netstring.h b/src/netstring.h
@@ -17,4 +17,6 @@ typedef struct netstring_chunk_b {
 void netstring_chunk_init (netstring_chunk *chunk, const bytebuffer source);
 bool netstring_chunk_next (netstring_chunk *c);
 
+size_t netstring_write (bytebuffer *dest, const bytebuffer src);
+
 #endif

	miniroon Simplistic macaroon-based authorization for Unix systems
	git clone https://ccx.te2000.cz/git/miniroon
	Log \| Files \| Refs

M	src/Makefile	\|	8	++++----
M	src/cmd_verify.c	\|	59	++++-------------------------------------------------------
A	src/decode.c	\|	60	++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A	src/decode.h	\|	13	+++++++++++++
M	src/netstring.c	\|	14	++++++++++++++
M	src/netstring.h	\|	2	++