refactor: applies gosec rule

.golangci.yml

@@ -54,6 +54,9 @@ linters:
         - style
     gocyclo:
       min-complexity: 15
+    gosec:
+      excludes:
+        - G115
     misspell:
       locale: US
     mnd:

internal/amt/commands_test.go

@@ -41,7 +41,7 @@ func (c MockPTHICommands) Open(useLME bool) error {
 	}
 }
 func (c MockPTHICommands) Close() {}
-func (c MockPTHICommands) Call(command []byte, commandSize uint32) (result []byte, err error) {
+func (c MockPTHICommands) Call(command []byte, commandSize int) (result []byte, err error) {
 	return nil, nil
 }
 func (c MockPTHICommands) GetCodeVersions() (pthi.GetCodeVersionsResponse, error) {

internal/flags/flags_test.go

@@ -60,7 +60,7 @@ func (c MockPTHICommands) SetAmtOperationalState(state pthi.AMTOperationalState)
 
 func (c MockPTHICommands) Close() {}
 
-func (c MockPTHICommands) Call([]byte, uint32) (result []byte, err error) {
+func (c MockPTHICommands) Call([]byte, int) (result []byte, err error) {
 	return []byte{}, nil
 }
 
@@ -398,7 +398,7 @@ func writeTestCfgFiles(t *testing.T, cfg *config.Config, ext string) (cfgFilePat
 	}
 
 	assert.Nil(t, err)
-	err = os.WriteFile(cfgFilePath, cfgBytes, 0644)
+	err = os.WriteFile(cfgFilePath, cfgBytes, 0600)
 	assert.Nil(t, err)
 
 	return cfgFilePath

internal/lm/engine.go

@@ -75,7 +75,7 @@ func (lme *LMEConnection) Connect() error {
 	lme.Session.WaitGroup.Add(1)
 	bin_buf := apf.ChannelOpen(lme.ourChannel)
 
-	err := lme.Command.Send(bin_buf.Bytes(), uint32(bin_buf.Len()))
+	err := lme.Command.Send(bin_buf.Bytes())
 	if err != nil {
 		lme.retries = lme.retries + 1
 		if lme.retries < 3 && (err.Error() == "no such device" || err.Error() == "The device is not connected.") {
@@ -113,7 +113,7 @@ func (lme *LMEConnection) Send(data []byte) error {
 
 	lme.Session.TXWindow -= lme.Session.TXWindow // hmmm
 
-	err := lme.Command.Send(bin_buf.Bytes(), uint32(bin_buf.Len()))
+	err := lme.Command.Send(bin_buf.Bytes())
 	if err != nil {
 		return err
 	}
@@ -125,7 +125,7 @@ func (lme *LMEConnection) Send(data []byte) error {
 
 func (lme *LMEConnection) execute(bin_buf bytes.Buffer) error {
 	for {
-		result, err := lme.Command.Call(bin_buf.Bytes(), uint32(bin_buf.Len()))
+		result, err := lme.Command.Call(bin_buf.Bytes(), bin_buf.Len())
 		if err != nil && (err.Error() == "empty response from AMT" || err.Error() == "no such device") {
 			log.Warn("AMT Unavailable, retrying...")
 
@@ -159,7 +159,7 @@ func (lme *LMEConnection) Listen() {
 		binary.Write(&bin_buf, binary.BigEndian, channelData.MessageType)
 		binary.Write(&bin_buf, binary.BigEndian, channelData.RecipientChannel)
 
-		lme.Command.Send(bin_buf.Bytes(), uint32(bin_buf.Len()))
+		lme.Command.Send(bin_buf.Bytes())
 	}()
 
 	for {

internal/lm/engine_test.go

@@ -17,7 +17,7 @@ import (
 type MockHECICommands struct{}
 
 var message []byte
-var sendBytesWritten uint32
+var sendBytesWritten int
 var sendError error
 var initError error
 var bufferSize uint32
@@ -32,15 +32,15 @@ func resetMock() {
 
 func (c *MockHECICommands) Init(useLME bool, useWD bool) error { return initError }
 func (c *MockHECICommands) GetBufferSize() uint32              { return bufferSize } // MaxMessageLength
-func (c *MockHECICommands) SendMessage(buffer []byte, done *uint32) (bytesWritten uint32, err error) {
+func (c *MockHECICommands) SendMessage(buffer []byte, done *uint32) (bytesWritten int, err error) {
 	return sendBytesWritten, sendError
 }
-func (c *MockHECICommands) ReceiveMessage(buffer []byte, done *uint32) (bytesRead uint32, err error) {
+func (c *MockHECICommands) ReceiveMessage(buffer []byte, done *uint32) (bytesRead int, err error) {
 	for i := 0; i < len(message) && i < len(buffer); i++ {
 		buffer[i] = message[i]
 	}
 
-	return uint32(len(message)), nil
+	return len(message), nil
 }
 func (c *MockHECICommands) Close() {}
 
@@ -67,28 +67,28 @@ func TestLMEConnection_Initialize(t *testing.T) {
 
 	tests := []struct {
 		name         string
-		sendNumBytes uint32
+		sendNumBytes int
 		sendErr      error
 		initErr      error
 		wantErr      bool
 	}{
 		{
 			name:         "Normal",
-			sendNumBytes: uint32(93),
+			sendNumBytes: 93,
 			sendErr:      nil,
 			initErr:      nil,
 			wantErr:      false,
 		},
 		{
 			name:         "ExpectedFailureOnOpen",
-			sendNumBytes: uint32(93),
+			sendNumBytes: 93,
 			sendErr:      nil,
 			initErr:      testError,
 			wantErr:      true,
 		},
 		{
 			name:         "ExpectedFailureOnExecute",
-			sendNumBytes: uint32(93),
+			sendNumBytes: 93,
 			sendErr:      testError,
 			initErr:      nil,
 			wantErr:      true,

internal/local/configure.go

@@ -25,7 +25,9 @@ func (service *ProvisioningService) Configure() (err error) {
 		return utils.UnableToConfigure
 	}
 
-	tlsConfig := &tls.Config{}
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
 	if service.flags.LocalTlsEnforced {
 		tlsConfig = config.GetTLSConfig(&service.flags.ControlMode, nil, service.flags.SkipCertCheck)
 	}

internal/local/deactivate.go

@@ -63,7 +63,9 @@ func (service *ProvisioningService) DeactivateACM() (err error) {
 		}
 	}
 
-	tlsConfig := &tls.Config{}
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
 	if service.flags.LocalTlsEnforced {
 		tlsConfig = config.GetTLSConfig(&service.flags.ControlMode, nil, service.flags.SkipCertCheck)
 	}

internal/local/info.go

@@ -342,7 +342,9 @@ func (service *ProvisioningService) DisplayAMTInfo() (err error) {
 	}
 
 	if service.flags.AmtInfo.UserCert {
-		tlsConfig := &tls.Config{}
+		tlsConfig := &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
 		if service.flags.LocalTlsEnforced {
 			tlsConfig = config.GetTLSConfig(&service.flags.ControlMode, nil, service.flags.SkipCertCheck)
 		}

internal/rps/rps.go

@@ -91,7 +91,7 @@ func (amt *AMTActivationServer) Connect(skipCertCheck bool) error {
 
 	websocketDialer := websocket.Dialer{
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: skipCertCheck,
+			InsecureSkipVerify: skipCertCheck, //nolint:gosec // self signed certs could be used
 		},
 	}
 

pkg/heci/linux.go

@@ -94,21 +94,21 @@ func (heci *Driver) Init(useLME bool, useWD bool) error {
 func (heci *Driver) GetBufferSize() uint32 {
 	return heci.bufferSize
 }
-func (heci *Driver) SendMessage(buffer []byte, done *uint32) (bytesWritten uint32, err error) {
+func (heci *Driver) SendMessage(buffer []byte, done *uint32) (bytesWritten int, err error) {
 	size, err := syscall.Write(int(heci.meiDevice.Fd()), buffer)
 	if err != nil {
 		return 0, err
 	}
 
-	return uint32(size), nil
+	return size, nil
 }
-func (heci *Driver) ReceiveMessage(buffer []byte, done *uint32) (bytesRead uint32, err error) {
-	read, err := unix.Read(int(heci.meiDevice.Fd()), buffer)
+func (driver *Driver) ReceiveMessage(buffer []byte, done *uint32) (bytesRead int, err error) {
+	read, err := unix.Read(int(driver.meiDevice.Fd()), buffer)
 	if err != nil {
 		return 0, err
 	}
 
-	return uint32(read), nil
+	return read, nil
 }
 
 func Ioctl(fd, op, arg uintptr) error {

pkg/heci/types.go

@@ -8,8 +8,8 @@ package heci
 type Interface interface {
 	Init(useLME bool, useWD bool) error
 	GetBufferSize() uint32
-	SendMessage(buffer []byte, done *uint32) (bytesWritten uint32, err error)
-	ReceiveMessage(buffer []byte, done *uint32) (bytesRead uint32, err error)
+	SendMessage(buffer []byte, done *uint32) (bytesWritten int, err error)
+	ReceiveMessage(buffer []byte, done *uint32) (bytesRead int, err error)
 	Close()
 }
 

pkg/heci/windows.go

@@ -215,7 +215,7 @@ func (heci *Driver) doIoctl(controlCode uint32, inBuf *byte, intsize uint32, out
 	return nil
 }
 
-func (heci *Driver) SendMessage(buffer []byte, done *uint32) (bytesWritten uint32, err error) {
+func (heci *Driver) SendMessage(buffer []byte, done *uint32) (bytesWritten int, err error) {
 	var overlapped windows.Overlapped
 	overlapped.HEvent, err = windows.CreateEvent(nil, 0, 0, nil)
 	defer windows.CloseHandle(overlapped.HEvent)
@@ -237,9 +237,9 @@ func (heci *Driver) SendMessage(buffer []byte, done *uint32) (bytesWritten uint3
 	if err != nil {
 		return 0, err
 	}
-	return *done, nil
+	return int(*done), nil
 }
-func (heci *Driver) ReceiveMessage(buffer []byte, done *uint32) (bytesRead uint32, err error) {
+func (heci *Driver) ReceiveMessage(buffer []byte, done *uint32) (bytesRead int, err error) {
 
 	var overlapped windows.Overlapped
 	overlapped.HEvent, err = windows.CreateEvent(nil, 0, 0, nil)
@@ -262,7 +262,7 @@ func (heci *Driver) ReceiveMessage(buffer []byte, done *uint32) (bytesRead uint3
 	if err != nil {
 		return 0, err
 	}
-	return *done, nil
+	return int(*done), nil
 }
 
 func (heci *Driver) Close() {

pkg/pthi/commands.go

@@ -21,7 +21,7 @@ type Interface interface {
 	Open(useLME bool) error
 	OpenWatchdog() error
 	Close()
-	Call(command []byte, commandSize uint32) (result []byte, err error)
+	Call(command []byte, commandSize int) (result []byte, err error)
 	GetCodeVersions() (GetCodeVersionsResponse, error)
 	GetUUID() (uuid string, err error)
 	GetControlMode() (state int, err error)
@@ -59,15 +59,21 @@ func (pthi Command) Close() {
 	pthi.Heci.Close()
 }
 
-func (pthi Command) Call(command []byte, commandSize uint32) (result []byte, err error) {
+func (pthi Command) Call(command []byte, commandSize int) (result []byte, err error) {
 	size := pthi.Heci.GetBufferSize()
 
-	bytesWritten, err := pthi.Heci.SendMessage(command, &commandSize)
+	if commandSize < 0 || commandSize > int(^uint32(0)) {
+		return nil, fmt.Errorf("buffer length exceeds uint32 maximum value")
+	}
+
+	commandSizeUint32 := uint32(commandSize)
+
+	bytesWritten, err := pthi.Heci.SendMessage(command, &commandSizeUint32)
 	if err != nil {
 		return nil, err
 	}
 
-	if bytesWritten != uint32(len(command)) {
+	if bytesWritten != len(command) {
 		return nil, errors.New("amt internal error")
 	}
 
@@ -84,19 +90,21 @@ func (pthi Command) Call(command []byte, commandSize uint32) (result []byte, err
 
 	return readBuffer, nil
 }
-func (pthi Command) Send(command []byte, commandSize uint32) (err error) {
-	bytesWritten, err := pthi.Heci.SendMessage(command, &commandSize)
+func (cmd Command) Send(command []byte) (err error) {
+	commandSize := (uint32)(len(command))
+
+	bytesWritten, err := cmd.Heci.SendMessage(command, &commandSize)
 	if err != nil {
 		return err
 	}
 
-	if bytesWritten != uint32(len(command)) {
+	if bytesWritten != len(command) {
 		return errors.New("amt internal error")
 	}
 
 	return nil
 }
-func (pthi Command) Receive() (result []byte, bytesRead uint32, err error) {
+func (pthi Command) Receive() (result []byte, bytesRead int, err error) {
 	size := pthi.Heci.GetBufferSize()
 
 	readBuffer := make([]byte, size)
@@ -205,7 +213,7 @@ func (pthi Command) GetIsAMTEnabled() (uint8, error) {
 	var bin_buf bytes.Buffer
 
 	binary.Write(&bin_buf, binary.LittleEndian, command)
-	result, err := pthi.Call(bin_buf.Bytes(), uint32(bin_buf.Len()))
+	result, err := pthi.Call(bin_buf.Bytes(), bin_buf.Len())
 
 	if err != nil {
 		return uint8(0), err
@@ -233,7 +241,7 @@ func (pthi Command) SetAmtOperationalState(state AMTOperationalState) (Status, e
 
 	binary.Write(&bin_buf, binary.LittleEndian, command)
 	//result, err := pthi.Call(bin_buf.Bytes(), 32)
-	result, err := pthi.Call(bin_buf.Bytes(), uint32(bin_buf.Len()))
+	result, err := pthi.Call(bin_buf.Bytes(), bin_buf.Len())
 	if err != nil {
 		return Status(0), err
 	}
@@ -354,7 +362,7 @@ func (pthi Command) GetCertificateHashes(hashHandles AMTHashHandles) (hashEntryL
 	}
 	// Request from the enumerated list and return cert hashes
 	for i := 0; i < int(hashHandles.Length); i++ {
-		commandSize := (uint32)(16)
+		commandSize := 16
 		command := GetCertHashEntryRequest{
 			Header:     CreateRequestHeader(GET_CERTHASH_ENTRY_REQUEST, 4),
 			HashHandle: hashHandles.Handles[i],
@@ -420,7 +428,7 @@ func (pthi Command) GetRemoteAccessConnectionStatus() (RAStatus GetRemoteAccessC
 }
 
 func (pthi Command) GetLANInterfaceSettings(useWireless bool) (LANInterface GetLANInterfaceSettingsResponse, err error) {
-	commandSize := (uint32)(16)
+	commandSize := 16
 
 	command := GetLANInterfaceSettingsRequest{
 		Header:         CreateRequestHeader(GET_LAN_INTERFACE_SETTINGS_REQUEST, 4),
@@ -457,7 +465,7 @@ func (pthi Command) GetLANInterfaceSettings(useWireless bool) (LANInterface GetL
 }
 
 func (pthi Command) GetLocalSystemAccount() (localAccount GetLocalSystemAccountResponse, err error) {
-	commandSize := (uint32)(52)
+	commandSize := 52
 	command := GetLocalSystemAccountRequest{
 		Header: CreateRequestHeader(GET_LOCAL_SYSTEM_ACCOUNT_REQUEST, 40),
 	}

pkg/pthi/commands_test.go

@@ -31,16 +31,16 @@ func (c *MockHECICommands) Init(useLME bool, useWD bool) error {
 }
 func (c *MockHECICommands) GetBufferSize() uint32 { return 5120 } // MaxMessageLength
 
-func (c *MockHECICommands) SendMessage(buffer []byte, done *uint32) (bytesWritten uint32, err error) {
-	return numBytes, nil
+func (c *MockHECICommands) SendMessage(buffer []byte, done *uint32) (bytesWritten int, err error) {
+	return int(numBytes), nil
 }
-func (c *MockHECICommands) ReceiveMessage(buffer []byte, done *uint32) (bytesRead uint32, err error) {
+func (c *MockHECICommands) ReceiveMessage(buffer []byte, done *uint32) (bytesRead int, err error) {
 	i := 0
 	for i = 0; i < len(message) && i < len(buffer); i++ {
 		buffer[i] = message[i]
 	}
 
-	return uint32(i), nil
+	return i, nil
 }
 func (c *MockHECICommands) Close() {}
 
@@ -90,7 +90,7 @@ func TestAMTOperationalState(t *testing.T) {
 func TestSend(t *testing.T) {
 	numBytes = 54
 	bin_buf := apf.ChannelOpen(1)
-	err := pthi.Send(bin_buf.Bytes(), uint32(bin_buf.Len()))
+	err := pthi.Send(bin_buf.Bytes())
 	assert.NoError(t, err)
 }
 func TestReceive(t *testing.T) {
@@ -108,7 +108,7 @@ func TestReceive(t *testing.T) {
 
 	result, n, err := pthi.Receive()
 	assert.NotNil(t, result)
-	assert.Greater(t, n, uint32(0))
+	assert.Greater(t, n, 0)
 	assert.NoError(t, err)
 }
 func TestGetGUID(t *testing.T) {

pkg/pthi/types.go

@@ -4,7 +4,7 @@
  **********************************************************************/
 package pthi
 
-const GET_REQUEST_SIZE uint32 = 12
+const GET_REQUEST_SIZE = 12
 const MAX_SUFFIX_LENGTH = 64
 const MAX_DNS_SUFFIXES = 5
 const CERT_HASH_MAX_LENGTH = 64