Update macaroon lib
Change-Id: Iada0942ea1037ba061d53ee271a40965393306c1
Reviewed-on: https://weave-review.googlesource.com/2797
Reviewed-by: Alex Vakulenko <avakulenko@google.com>
diff --git a/third_party/libuweave/src/macaroon.c b/third_party/libuweave/src/macaroon.c
index c823804..007aa15 100644
--- a/third_party/libuweave/src/macaroon.c
+++ b/third_party/libuweave/src/macaroon.c
@@ -31,15 +31,15 @@
// Compute the first tag by using the key
if (!uw_macaroon_caveat_sign_(key, key_len, context, caveats[0], mac_tag_buff,
- UW_MACAROON_MAC_LEN)) {
+ sizeof(mac_tag_buff))) {
return false;
}
// Compute the rest of the tags by using the tag as the key
for (size_t i = 1; i < num_caveats; i++) {
- if (!uw_macaroon_caveat_sign_(mac_tag_buff, UW_MACAROON_MAC_LEN, context,
+ if (!uw_macaroon_caveat_sign_(mac_tag_buff, sizeof(mac_tag_buff), context,
caveats[i], mac_tag_buff,
- UW_MACAROON_MAC_LEN)) {
+ sizeof(mac_tag_buff))) {
return false;
}
}
@@ -100,25 +100,32 @@
additional_caveat == NULL || buffer == NULL || buffer_size == 0) {
return false;
}
+ // If we update the same macaroon in-place, do not zero it.
+ if (new_macaroon != old_macaroon) {
+ *new_macaroon = (UwMacaroon){};
+ }
- new_macaroon->num_caveats = old_macaroon->num_caveats + 1;
+ const size_t old_count = old_macaroon->num_caveats;
+ const size_t new_count = old_count + 1;
+
+ new_macaroon->num_caveats = new_count;
// Extend the caveat pointer list
- if ((new_macaroon->num_caveats) * sizeof(UwMacaroonCaveat*) > buffer_size) {
+ if (new_count * sizeof(new_macaroon->caveats[0]) > buffer_size) {
// Not enough memory to store the extended caveat pointer list
return false;
}
const UwMacaroonCaveat** extended_list = (const UwMacaroonCaveat**)buffer;
- if (new_macaroon->caveats != old_macaroon->caveats) {
+ if (extended_list != old_macaroon->caveats) {
memcpy(extended_list, old_macaroon->caveats,
- old_macaroon->num_caveats * sizeof(old_macaroon->caveats[0]));
+ old_count * sizeof(old_macaroon->caveats[0]));
}
- extended_list[old_macaroon->num_caveats] = additional_caveat;
+ extended_list[old_count] = additional_caveat;
new_macaroon->caveats = (const UwMacaroonCaveat* const*)extended_list;
// Compute the new MAC tag
return create_mac_tag_(old_macaroon->mac_tag, UW_MACAROON_MAC_LEN, context,
- new_macaroon->caveats + old_macaroon->num_caveats, 1,
+ new_macaroon->caveats + old_count, 1,
new_macaroon->mac_tag);
}
@@ -133,7 +140,7 @@
/** Reset the result object to the lowest scope when encountering errors */
static void reset_validation_result(UwMacaroonValidationResult* result) {
*result = (UwMacaroonValidationResult){
- .weave_app_restricted = true,
+ .app_commands_only = true,
.granted_scope = UW_MACAROON_CAVEAT_SCOPE_LOWEST_POSSIBLE};
}
@@ -318,3 +325,12 @@
return true;
}
+
+time_t uw_macaroon_get_expiration_unix_epoch_time_(
+ UwMacaroonValidationResult* result) {
+ // Expiration times of 0 and UINT32_MAX both mean no expiration.
+ if (result->expiration_time == 0 || result->expiration_time == UINT32_MAX) {
+ return 0;
+ }
+ return uw_macaroon_j2000_to_unix_epoch(result->expiration_time);
+}
diff --git a/third_party/libuweave/src/macaroon.h b/third_party/libuweave/src/macaroon.h
index 5e73b28..310f988 100644
--- a/third_party/libuweave/src/macaroon.h
+++ b/third_party/libuweave/src/macaroon.h
@@ -8,12 +8,16 @@
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
+#include <time.h>
#include "src/macaroon_caveat.h"
#include "src/macaroon_context.h"
#define UW_MACAROON_MAC_LEN 16
+// Jan 1st 2000 00:00:00 in unix epoch seconds.
+#define J2000_EPOCH_OFFSET 946684800
+
// Note: If we are looking to make memory savings on MCUs,
// at the cost of a little extra processing, we can make
// the macaroon encoding the actual in-memory representation.
@@ -44,8 +48,8 @@
typedef struct {
UwMacaroonCaveatScopeType granted_scope;
- uint32_t expiration_time;
- bool weave_app_restricted;
+ uint32_t expiration_time; // In number of seconds since Jan 1st 2000 00:00:00
+ bool app_commands_only;
const uint8_t* lan_session_id;
size_t lan_session_id_len;
UwMacaroonDelegateeInfo delegatees[MAX_NUM_DELEGATEES];
@@ -59,7 +63,10 @@
const UwMacaroonCaveat* const caveats[],
size_t num_caveats);
-/** Creates a new macaroon with a new caveat. */
+/**
+ * Creates a new macaroon with a new caveat. The buffer must be large enough to
+ * hold the count of caveats in the old_macaroon plus one.
+ */
bool uw_macaroon_extend_(const UwMacaroon* old_macaroon,
UwMacaroon* new_macaroon,
const UwMacaroonContext* context,
@@ -97,4 +104,21 @@
size_t buffer_size,
UwMacaroon* new_macaroon);
+/** Converts a j2000 timestamp to a unix timestamp. */
+static inline time_t uw_macaroon_j2000_to_unix_epoch(time_t j2000) {
+ return j2000 + J2000_EPOCH_OFFSET;
+}
+
+/** Converts a unix timestamp to a j2000 timestamp. */
+static inline time_t uw_macaroon_unix_epoch_to_j2000(time_t unix) {
+ return unix - J2000_EPOCH_OFFSET;
+}
+
+/**
+ * Gets the expiration time of the macaroon as the number of seconds since the
+ * unix epoch. A value of 0 means no expiration.
+ */
+time_t uw_macaroon_get_expiration_unix_epoch_time_(
+ UwMacaroonValidationResult* result);
+
#endif // LIBUWEAVE_SRC_MACAROON_H_
diff --git a/third_party/libuweave/src/macaroon_caveat.c b/third_party/libuweave/src/macaroon_caveat.c
index 0abf7ca..bd1011b 100644
--- a/third_party/libuweave/src/macaroon_caveat.c
+++ b/third_party/libuweave/src/macaroon_caveat.c
@@ -349,8 +349,7 @@
}
UwMacaroonCaveatType caveat_type;
- if (!uw_macaroon_caveat_get_type_(caveat, &caveat_type) ||
- !is_valid_caveat_type_(caveat_type)) {
+ if (!uw_macaroon_caveat_get_type_(caveat, &caveat_type)) {
return false;
}
@@ -407,7 +406,7 @@
}
// The length here includes: 1. the header for the whole byte string; 2. the
- // header for the addtional value part; 3. the additional value part.
+ // header for the additional value part; 3. the additional value part.
size_t total_length =
caveat->num_bytes + value_cbor_prefix_len + additional_value_str_len;
if (!uw_macaroon_encoding_encode_byte_str_len_(
@@ -579,7 +578,7 @@
return true;
case kUwMacaroonCaveatTypeAppCommandsOnly:
- result->weave_app_restricted = true;
+ result->app_commands_only = true;
return true;
case kUwMacaroonCaveatTypeLanSessionID:
