Merge branch 'main' into asan_libstdcxxx

cmake/ccf_app.cmake

@@ -22,6 +22,13 @@ message(STATUS "Compile target platform: ${COMPILE_TARGET}")
 if(USE_LIBCXX)
   list(APPEND COMPILE_LIBCXX -stdlib=libc++)
   list(APPEND LINK_LIBCXX -lc++ -lc++abi -stdlib=libc++)
+
+  if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
+    add_compile_options(-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG)
+  elseif("${CMAKE_BUILD_TYPE}" STREQUAL "Release")
+    add_compile_options(-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST)
+  endif()
+
 endif()
 
 # Enclave library wrapper

cmake/cpack_settings.cmake

@@ -22,7 +22,7 @@ message(STATUS "Debian package version: ${CPACK_DEBIAN_PACKAGE_VERSION}")
 # 1.1.1f, which corresponds to the OpenSSL 1.1.1t release (latest security
 # patches).
 set(CCF_DEB_BASE_DEPENDENCIES
-    "libuv1 (>= 1.34.2);openssl (>=1.1.1f);libnghttp2-14 (>=1.40.0)"
+    "libuv1 (>= 1.34.2);openssl (>=1.1.1f);libnghttp2-14 (>=1.40.0);curl (>=7.68.0)"
 )
 set(CCF_DEB_DEPENDENCIES ${CCF_DEB_BASE_DEPENDENCIES})
 

include/ccf/http_accept.h

@@ -45,28 +45,21 @@ namespace ccf::http
 
     bool operator<(const AcceptHeaderField& other) const
     {
-      if (q_factor != other.q_factor)
+      static constexpr auto float_comp_epsilon = 0.0000001f;
+      if (abs(q_factor - other.q_factor) > float_comp_epsilon)
       {
         return q_factor < other.q_factor;
       }
 
-      if (is_wildcard(mime_type))
+      if (is_wildcard(mime_type) && !is_wildcard(other.mime_type))
       {
         return true;
       }
-      else if (is_wildcard(other.mime_type))
-      {
-        return false;
-      }
 
-      if (is_wildcard(mime_subtype))
+      if (is_wildcard(mime_subtype) && !is_wildcard(other.mime_subtype))
       {
         return true;
       }
-      else if (is_wildcard(other.mime_subtype))
-      {
-        return false;
-      }
 
       // Spec says these mime types are now equivalent. For stability, we
       // order them lexicographically

python/src/ccf/cose.py

@@ -44,6 +44,8 @@
 # should move to a pycose.header value after RFC publication
 
 COSE_PHDR_VDP_LABEL = 396
+COSE_PHDR_VDS_LABEL = 395
+COSE_PHDR_VDS_CCF_LEDGER_SHA256 = 2
 COSE_RECEIPT_INCLUSION_PROOF_LABEL = -1
 
 # See https://datatracker.ietf.org/doc/draft-birkholz-cose-receipts-ccf-profile/
@@ -222,6 +224,13 @@ def verify_receipt(
     assert receipt.phdr[pycose.headers.KID] == expected_kid
     receipt.key = cose_key
 
+    assert (
+        COSE_PHDR_VDS_LABEL in receipt.phdr
+    ), "Verifiable data structure type is required"
+    assert (
+        receipt.phdr[COSE_PHDR_VDS_LABEL] == COSE_PHDR_VDS_CCF_LEDGER_SHA256
+    ), "vds(395) protected header must be CCF_LEDGER_SHA256(2)"
+
     assert COSE_PHDR_VDP_LABEL in receipt.uhdr, "Verifiable data proof is required"
     proof = receipt.uhdr[COSE_PHDR_VDP_LABEL]
     assert COSE_RECEIPT_INCLUSION_PROOF_LABEL in proof, "Inclusion proof is required"

samples/constitutions/default/actions.js

@@ -1049,19 +1049,6 @@ const actions = new Map([
       },
     ),
   ],
-  [
-    "add_executor_node_code",
-    new Action(
-      function (args) {
-        checkType(args.executor_code_id, "string", "executor_code_id");
-      },
-      function (args) {
-        const codeId = ccf.strToBuf(args.executor_code_id);
-        const ALLOWED = ccf.jsonCompatibleToBuf("AllowedToExecute");
-        ccf.kv["public:ccf.gov.nodes.executor_code_ids"].set(codeId, ALLOWED);
-      },
-    ),
-  ],
   [
     "add_snp_host_data",
     new Action(
@@ -1254,18 +1241,6 @@ const actions = new Map([
       },
     ),
   ],
-  [
-    "remove_executor_node_code",
-    new Action(
-      function (args) {
-        checkType(args.executor_code_id, "string", "executor_code_id");
-      },
-      function (args) {
-        const codeId = ccf.strToBuf(args.executor_code_id);
-        ccf.kv["public:ccf.gov.nodes.executor_code_ids"].delete(codeId);
-      },
-    ),
-  ],
   [
     "remove_node",
     new Action(