diff --git a/README b/README index 9c9c1e9..5c80b0c 100644 --- a/README +++ b/README @@ -67,8 +67,8 @@ situations, running ./configure should automatically find the proper backend to use. === Building from Git -Recent versions of autoconf, automake, pkg-config and libtool must -be installed. Help2man is used to generate the manpages. Gengetopt +Recent versions of autoconf, automake, check, pkg-config, and libtool +must be installed. Help2man is used to generate the manpages. Gengetopt version 2.22.6 or later is needed for command line parameter handling. The link:https://github.com/Yubico/yubico-piv-tool/tree/master/vagrant/development[Vagrant diff --git a/configure.ac b/configure.ac index 2c8cd71..7797bd1 100644 --- a/configure.ac +++ b/configure.ac @@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4]) # Interfaces removed: AGE=0 AC_SUBST([LT_CURRENT], 5) AC_SUBST([LT_REVISION], 0) -AC_SUBST([LT_AGE], 0) +AC_SUBST([LT_AGE], 4) AM_INIT_AUTOMAKE([-Wall -Werror foreign]) AM_SILENT_RULES([yes]) @@ -60,7 +60,7 @@ gl_VALGRIND_TESTS # Check for clang AC_CACHE_CHECK([for clang], - cv_clang,[ + _cv_clang,[ AC_TRY_COMPILE([], [ #ifdef __clang__ #else @@ -68,11 +68,11 @@ AC_CACHE_CHECK([for clang], #endif return 0; ], - [cv_clang=yes], - [cv_clang=no], + [_cv_clang=yes], + [_cv_clang=no], []) ]) -AM_CONDITIONAL([COMPILER_CLANG], [test "$cv_clang" = yes]) +AM_CONDITIONAL([COMPILER_CLANG], [test "$_cv_clang" = yes]) AC_ARG_WITH([backend], [AS_HELP_STRING([--with-backend=ARG], diff --git a/lib/util.c b/lib/util.c index 8fa8f59..9b83eb7 100644 --- a/lib/util.c +++ b/lib/util.c @@ -1159,7 +1159,7 @@ ykpiv_rc ykpiv_util_set_protected_mgm(ykpiv_state *state, ykpiv_mgm *mgm) { if (fGenerate) { /* generate a new mgm key */ if (PRNG_OK != (prngrc = _ykpiv_prng_generate(mgm_key, sizeof(mgm_key)))) { - if (state->verbose) fprintf(stderr, "could not set generate new mgm, err = %d\n", prngrc); + if (state->verbose) fprintf(stderr, "could not generate new mgm, err = %d\n", prngrc); res = YKPIV_RANDOMNESS_ERROR; goto Cleanup; } @@ -1546,7 +1546,7 @@ static ykpiv_rc _read_metadata(ykpiv_state *state, uint8_t tag, uint8_t* data, s size_t cb_temp = 0; int obj_id = 0; - if (!data || !data || !pcb_data || (CB_BUF_MAX > *pcb_data)) return YKPIV_GENERIC_ERROR; + if (!data || !pcb_data || (CB_BUF_MAX > *pcb_data)) return YKPIV_GENERIC_ERROR; switch (tag) { case TAG_ADMIN: obj_id = YKPIV_OBJ_ADMIN_DATA; break; diff --git a/lib/ykpiv.c b/lib/ykpiv.c index fef2602..f556c87 100644 --- a/lib/ykpiv.c +++ b/lib/ykpiv.c @@ -1058,7 +1058,7 @@ Cleanup: return res; } -ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries) { +ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int *tries) { ykpiv_rc res; ykpiv_rc ykrc; if (NULL == state || NULL == tries) { @@ -1329,10 +1329,6 @@ ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, u if (state == NULL) return YKPIV_GENERIC_ERROR; - if (p_len + q_len + dp_len + dq_len + qinv_len + ec_data_len >= sizeof(key_data)) { - return YKPIV_SIZE_ERROR; - } - if (key == YKPIV_KEY_CARDMGM || key < YKPIV_KEY_RETIRED1 || (key > YKPIV_KEY_RETIRED20 && key < YKPIV_KEY_AUTHENTICATION) || @@ -1354,6 +1350,10 @@ ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, u if (algorithm == YKPIV_ALGO_RSA1024 || algorithm == YKPIV_ALGO_RSA2048) { + if (p_len + q_len + dp_len + dq_len + qinv_len >= sizeof(key_data)) { + return YKPIV_SIZE_ERROR; + } + if (algorithm == YKPIV_ALGO_RSA1024) elem_len = 64; if (algorithm == YKPIV_ALGO_RSA2048) @@ -1378,6 +1378,12 @@ ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, u n_params = 5; } else if (algorithm == YKPIV_ALGO_ECCP256 || algorithm == YKPIV_ALGO_ECCP384) { + + if ((size_t)ec_data_len >= sizeof(key_data)) { + // This can never be true, but check to be explicit. + return YKPIV_SIZE_ERROR; + } + if (algorithm == YKPIV_ALGO_ECCP256) elem_len = 32; if (algorithm == YKPIV_ALGO_ECCP384) diff --git a/lib/ykpiv.h b/lib/ykpiv.h index 59efea2..a0084ef 100644 --- a/lib/ykpiv.h +++ b/lib/ykpiv.h @@ -142,7 +142,7 @@ extern "C" * * @return Error code */ - ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries); + ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int *tries); /** * Set number of attempts before locking for PIN and PUK codes.