diff --git a/lib/tests/api.c b/lib/tests/api.c index 7e2cf13..a41e08c 100644 --- a/lib/tests/api.c +++ b/lib/tests/api.c @@ -52,6 +52,10 @@ int destruction_confirmed(void); #ifndef ck_assert_mem_eq #define ck_assert_mem_eq(a,b,n) ck_assert(memcmp((a), (b), (n)) == 0) #endif +// only defined in libcheck 0.10+ (RHEL7 is still shipping 0.9) +#ifndef ck_assert_ptr_eq +#define ck_assert_ptr_eq(a,b) ck_assert((void *)(a) == (void *)(b)) +#endif ykpiv_state *g_state; const uint8_t g_cert[] = { @@ -92,6 +96,7 @@ void teardown(void) { ck_assert_int_eq(res, YKPIV_OK); } +#ifdef HW_TESTS START_TEST(test_devicemodel) { ykpiv_rc res; ykpiv_devmodel model; @@ -271,7 +276,6 @@ static bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_l static bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) { X509_SIG *digestInfo; X509_ALGOR *algor; - ASN1_TYPE parameter; ASN1_OCTET_STRING *digest; unsigned char data[1024]; @@ -926,6 +930,7 @@ START_TEST(test_pin_cache) { ck_assert_int_eq(res, YKPIV_OK); } END_TEST +#endif int destruction_confirmed(void) { char *confirmed = getenv("YKPIV_ENV_HWTESTS_CONFIRMED"); diff --git a/lib/util.c b/lib/util.c index 38bcc40..09b72f9 100644 --- a/lib/util.c +++ b/lib/util.c @@ -221,7 +221,6 @@ ykpiv_rc ykpiv_util_list_keys(ykpiv_state *state, uint8_t *key_count, ykpiv_key size_t offset = 0; uint8_t buf[CB_BUF_MAX]; size_t cbBuf = 0; - bool transaction = false; size_t i = 0; size_t cbRealloc = 0; @@ -491,7 +490,6 @@ Cleanup: ykpiv_rc ykpiv_util_write_mscmap(ykpiv_state *state, ykpiv_container *containers, size_t n_containers) { ykpiv_rc res = YKPIV_OK; uint8_t buf[CB_OBJ_MAX]; - size_t cbBuf = sizeof(buf); size_t offset = 0; size_t req_len = 0; size_t data_len = n_containers * sizeof(ykpiv_container); 
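Review bot: The `#ifdef HW_TESTS` opened before `test_devicemodel` is closed by a bare `#endif` after `test_pin_cache` (hunk at -926), roughly 830 lines further down, and neither line says what the region is for. I would label the close as `#endif /* HW_TESTS */` and put a one-line comment at the open, for example `/* tests below need a real device; built only with HW_TESTS */`. The code that registers these tests with the suite is outside the diff, so it is worth confirming that it sits under the same guard; otherwise a build without HW_TESTS would reference test functions that no longer exist.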
@@ -1444,7 +1442,6 @@ static ykpiv_rc _read_certificate(ykpiv_state *state, uint8_t slot, uint8_t *buf static ykpiv_rc _write_certificate(ykpiv_state *state, uint8_t slot, uint8_t *data, size_t data_len, uint8_t certinfo) { uint8_t buf[CB_OBJ_MAX]; - size_t cbBuf = sizeof(buf); int object_id = ykpiv_util_slot_object(slot); size_t offset = 0; size_t req_len = 0; diff --git a/tool/util.c b/tool/util.c index de6b071..015945c 100644 --- a/tool/util.c +++ b/tool/util.c @@ -38,6 +38,7 @@ #endif #include "openssl-compat.h" +#include #include #include #include @@ -336,7 +337,6 @@ bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len) { bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) { X509_SIG *digestInfo; X509_ALGOR *algor; - ASN1_TYPE parameter; ASN1_OCTET_STRING *digest; unsigned char data[1024]; diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index c40b027..f8b72b1 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c @@ -43,10 +43,12 @@ #endif #include "openssl-compat.h" +#include #include #include #include #include +#include #include "cmdline.h" #include "util.h" @@ -868,11 +870,19 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo fprintf(stderr, "Failed to set certificate serial.\n"); goto selfsign_out; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L if(!X509_gmtime_adj(X509_get_notBefore(x509), 0)) { +#else + if(!X509_gmtime_adj(X509_getm_notBefore(x509), 0)) { +#endif fprintf(stderr, "Failed to set certificate notBefore.\n"); goto selfsign_out; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L if(!X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * validDays)) { +#else + if(!X509_gmtime_adj(X509_getm_notAfter(x509), 60L * 60L * 24L * validDays)) { +#endif fprintf(stderr, "Failed to set certificate notAfter.\n"); goto selfsign_out; } 
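Review bot: The new guards in selfsign_certificate test only `OPENSSL_VERSION_NUMBER`, and LibreSSL defines that macro as 0x20000000L, so a LibreSSL build takes the 1.1.0 branch and calls `X509_getm_notBefore`/`X509_getm_notAfter`, which older LibreSSL releases may not provide. Writing the condition as `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` keeps such builds on the legacy accessors. The same test is used in print_cert_info (-1299), around `OpenSSL_add_all_algorithms()` and `EVP_cleanup()` in main (-1950, -2191), and in ykcs11/openssl_utils.c (-35, -580, -590); in main and do_pkcs_pss the effect would be that explicit initialisation is skipped on a library that may still need it. selfsign_certificate begins and ends outside the hunk.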
@@ -1241,7 +1251,7 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M if(*ptr++ == 0x70) { unsigned int md_len = sizeof(data); - ASN1_TIME *not_before, *not_after; + const ASN1_TIME *not_before, *not_after; ptr += get_length(ptr, &cert_len); x509 = X509_new(); @@ -1299,13 +1309,21 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M dump_data(data, md_len, output, false, format_arg_hex); bio = BIO_new_fp(output, BIO_NOCLOSE | BIO_FP_TEXT); +#if OPENSSL_VERSION_NUMBER < 0x10100000L not_before = X509_get_notBefore(x509); +#else + not_before = X509_get0_notBefore(x509); +#endif if(not_before) { fprintf(output, "\tNot Before:\t"); ASN1_TIME_print(bio, not_before); fprintf(output, "\n"); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L not_after = X509_get_notAfter(x509); +#else + not_after = X509_get0_notAfter(x509); +#endif if(not_after) { fprintf(output, "\tNot After:\t"); ASN1_TIME_print(bio, not_after); @@ -1950,7 +1968,9 @@ int main(int argc, char *argv[]) { /* openssl setup.. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_all_algorithms(); +#endif for(i = 0; i < args_info.action_given; i++) { @@ -2191,6 +2211,8 @@ int main(int argc, char *argv[]) { } ykpiv_done(state); +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_cleanup(); +#endif return ret; } diff --git a/ykcs11/openssl_types.h b/ykcs11/openssl_types.h index 307f746..08170fc 100644 --- a/ykcs11/openssl_types.h +++ b/ykcs11/openssl_types.h @@ -31,6 +31,7 @@ #ifndef OPENSSL_TYPES_H #define OPENSSL_TYPES_H +#include #include #include #include diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c index 5a7f85d..edfe0ea 100644 --- a/ykcs11/openssl_utils.c +++ b/ykcs11/openssl_utils.c 
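Review bot: Each accessor call in print_cert_info (hunk at -1299) is wrapped in its own `#if`/`#else`/`#endif`, and in selfsign_certificate (-868) the same wrapping splits an `if(` header, so the source text carries two opening braces for one closing brace. Mapping the 1.1.0 names onto the legacy macros once, next to the includes, lets every call site stay a single unconditional line; this commit already takes that approach in ykcs11/openssl_utils.c. If openssl-compat.h already carries such mappings they belong there instead; its contents are not visible here. print_cert_info starts and ends outside the hunk.

```c
/* once, after #include "openssl-compat.h" */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
# define X509_getm_notBefore X509_get_notBefore
# define X509_getm_notAfter  X509_get_notAfter
# define X509_get0_notBefore X509_get_notBefore
# define X509_get0_notAfter  X509_get_notAfter
#endif

      /* … unchanged: fingerprint dump and BIO_new_fp … */
      not_before = X509_get0_notBefore(x509);
      /* … unchanged: "Not Before" printing … */
      not_after = X509_get0_notAfter(x509);
```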
@@ -35,6 +35,11 @@ #include "debug.h" #include +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +# define X509_set_notBefore X509_set1_notBefore +# define X509_set_notAfter X509_set1_notAfter +#endif + CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) { const unsigned char *p = data; // Mandatory temp variable required by OpenSSL @@ -580,7 +585,9 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { unsigned char em[RSA_size(key)]; +#if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_all_digests(); +#endif DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key)); @@ -590,14 +597,18 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len, // In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_cleanup(); +#endif return CKR_FUNCTION_FAILED; } memcpy(out, em, sizeof(em)); *out_len = (CK_ULONG) sizeof(em); +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_cleanup(); +#endif return CKR_OK; }
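Review bot: The two `#define`s added above do_store_cert rename OpenSSL's own `X509_set_notBefore`/`X509_set_notAfter` for the rest of the file, and nothing records why. As far as I know the 1.1.0 headers already provide these aliases unless deprecated APIs are disabled, so the block presumably targets such builds; a comment like `/* legacy setter names are hidden when deprecated APIs are disabled in 1.1.0+ */` would say so. Mapping in the other direction, `# define X509_set1_notBefore X509_set_notBefore` under `#if OPENSSL_VERSION_NUMBER < 0x10100000L` with the call sites using the `set1` names, avoids redefining a name the library owns. The call sites are outside the hunk.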
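Review bot: do_pkcs_pss still registers the digest table with `OpenSSL_add_all_digests()` on every call and, in the next hunk (-590), tears it down with `EVP_cleanup()` on both return paths when built against OpenSSL older than 1.1.0. `EVP_cleanup()` clears process-wide tables, so inside a PKCS#11 module it can remove digests and ciphers that the host application registered for its own use, and it is not safe against concurrent callers. Registering once where the module is initialised and dropping the per-call cleanup would avoid that; the commit only hides the calls on 1.1.0+. The function continues past this hunk.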
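Review bot: `memcpy(out, em, sizeof(em))` writes `RSA_size(key)` bytes into the caller's buffer, and no comparison against the capacity of `out` is visible before it. Three lines between this hunk and the previous one are not shown, so a check may exist there. If `*out_len` carries the buffer size on entry, a guard such as `if (*out_len < sizeof(em)) return CKR_BUFFER_TOO_SMALL;` ahead of the copy would close this. do_pkcs_pss begins in the previous hunk.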