[OpenWrt-Devel] [PATCH ucert 00/13] ucert fixes and cleanup

Matthias Schiffer mschiffer at universe-factory.net
Sat May 16 17:13:49 EDT 2020

While looking for a build issue (see [1]), I noticed various issues in
the ucert code (and this should not be applied before [1] is applied to
usign). There might well be more problems lurking - I did not read all
the code.

In particular patch 12/12 is critical: It must be applied before the
attached libubox patch to avoid a new security issue.

The libubox patch is necessary to make ucert verification work at all
again; without it, cert_load() will always fail, and in consequence, all
images will be found invalid when REQUIRE_IMAGE_SIGNATURE is enabled.

[1] https://patchwork.ozlabs.org/project/openwrt/patch/8ead1fd6a61117b54b4efd5111fe0d19e4eef9c5.1589642591.git.mschiffer@universe-factory.net/

Matthias Schiffer (13):
  stdout/stderr improvements
  Fix return code of write_file()
  Introduce read_file() helper, improve error reporting
  usign-exec: simplify usign execv calls
  usign-exec: fix exec error handling
  usign-exec: do not close stdin and stderr before exec
  usign-exec: change usign_f_* fingerprint argument to char[17]
  usign-exec: remove redundant return statements
  usign-exec: close writing end of pipe early in parent process
  usign-exec: return code fixes
  usign-exec: improve usign -F output handling
  Fix length checks in cert_load()
  Do not print line number in debug messages

 tests/cram/test_ucert.t |   4 +-
 ucert.c                 | 147 +++++++++++++++++++++++-----------------
 usign-exec.c            | 115 +++++++++++++------------------
 usign.h                 |   8 ++-
 4 files changed, 138 insertions(+), 136 deletions(-)


openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list