Merge upstream master commits
This commit is contained in:
+6
-1
@@ -52,6 +52,10 @@ int destruction_confirmed(void);
|
|||||||
#ifndef ck_assert_mem_eq
|
#ifndef ck_assert_mem_eq
|
||||||
#define ck_assert_mem_eq(a,b,n) ck_assert(memcmp((a), (b), (n)) == 0)
|
#define ck_assert_mem_eq(a,b,n) ck_assert(memcmp((a), (b), (n)) == 0)
|
||||||
#endif
|
#endif
|
||||||
|
// only defined in libcheck 0.10+ (RHEL7 is still shipping 0.9)
|
||||||
|
#ifndef ck_assert_ptr_eq
|
||||||
|
#define ck_assert_ptr_eq(a,b) ck_assert((void *)(a) == (void *)(b))
|
||||||
|
#endif
|
||||||
|
|
||||||
ykpiv_state *g_state;
|
ykpiv_state *g_state;
|
||||||
const uint8_t g_cert[] = {
|
const uint8_t g_cert[] = {
|
||||||
@@ -92,6 +96,7 @@ void teardown(void) {
|
|||||||
ck_assert_int_eq(res, YKPIV_OK);
|
ck_assert_int_eq(res, YKPIV_OK);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HW_TESTS
|
||||||
START_TEST(test_devicemodel) {
|
START_TEST(test_devicemodel) {
|
||||||
ykpiv_rc res;
|
ykpiv_rc res;
|
||||||
ykpiv_devmodel model;
|
ykpiv_devmodel model;
|
||||||
@@ -271,7 +276,6 @@ static bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_l
|
|||||||
static bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
|
static bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
|
||||||
X509_SIG *digestInfo;
|
X509_SIG *digestInfo;
|
||||||
X509_ALGOR *algor;
|
X509_ALGOR *algor;
|
||||||
ASN1_TYPE parameter;
|
|
||||||
ASN1_OCTET_STRING *digest;
|
ASN1_OCTET_STRING *digest;
|
||||||
unsigned char data[1024];
|
unsigned char data[1024];
|
||||||
|
|
||||||
@@ -926,6 +930,7 @@ START_TEST(test_pin_cache) {
|
|||||||
ck_assert_int_eq(res, YKPIV_OK);
|
ck_assert_int_eq(res, YKPIV_OK);
|
||||||
}
|
}
|
||||||
END_TEST
|
END_TEST
|
||||||
|
#endif
|
||||||
|
|
||||||
int destruction_confirmed(void) {
|
int destruction_confirmed(void) {
|
||||||
char *confirmed = getenv("YKPIV_ENV_HWTESTS_CONFIRMED");
|
char *confirmed = getenv("YKPIV_ENV_HWTESTS_CONFIRMED");
|
||||||
|
|||||||
@@ -221,7 +221,6 @@ ykpiv_rc ykpiv_util_list_keys(ykpiv_state *state, uint8_t *key_count, ykpiv_key
|
|||||||
size_t offset = 0;
|
size_t offset = 0;
|
||||||
uint8_t buf[CB_BUF_MAX];
|
uint8_t buf[CB_BUF_MAX];
|
||||||
size_t cbBuf = 0;
|
size_t cbBuf = 0;
|
||||||
bool transaction = false;
|
|
||||||
size_t i = 0;
|
size_t i = 0;
|
||||||
size_t cbRealloc = 0;
|
size_t cbRealloc = 0;
|
||||||
|
|
||||||
@@ -491,7 +490,6 @@ Cleanup:
|
|||||||
ykpiv_rc ykpiv_util_write_mscmap(ykpiv_state *state, ykpiv_container *containers, size_t n_containers) {
|
ykpiv_rc ykpiv_util_write_mscmap(ykpiv_state *state, ykpiv_container *containers, size_t n_containers) {
|
||||||
ykpiv_rc res = YKPIV_OK;
|
ykpiv_rc res = YKPIV_OK;
|
||||||
uint8_t buf[CB_OBJ_MAX];
|
uint8_t buf[CB_OBJ_MAX];
|
||||||
size_t cbBuf = sizeof(buf);
|
|
||||||
size_t offset = 0;
|
size_t offset = 0;
|
||||||
size_t req_len = 0;
|
size_t req_len = 0;
|
||||||
size_t data_len = n_containers * sizeof(ykpiv_container);
|
size_t data_len = n_containers * sizeof(ykpiv_container);
|
||||||
@@ -1444,7 +1442,6 @@ static ykpiv_rc _read_certificate(ykpiv_state *state, uint8_t slot, uint8_t *buf
|
|||||||
|
|
||||||
static ykpiv_rc _write_certificate(ykpiv_state *state, uint8_t slot, uint8_t *data, size_t data_len, uint8_t certinfo) {
|
static ykpiv_rc _write_certificate(ykpiv_state *state, uint8_t slot, uint8_t *data, size_t data_len, uint8_t certinfo) {
|
||||||
uint8_t buf[CB_OBJ_MAX];
|
uint8_t buf[CB_OBJ_MAX];
|
||||||
size_t cbBuf = sizeof(buf);
|
|
||||||
int object_id = ykpiv_util_slot_object(slot);
|
int object_id = ykpiv_util_slot_object(slot);
|
||||||
size_t offset = 0;
|
size_t offset = 0;
|
||||||
size_t req_len = 0;
|
size_t req_len = 0;
|
||||||
|
|||||||
+1
-1
@@ -38,6 +38,7 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "openssl-compat.h"
|
#include "openssl-compat.h"
|
||||||
|
#include <openssl/bn.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
#include <openssl/rsa.h>
|
#include <openssl/rsa.h>
|
||||||
@@ -336,7 +337,6 @@ bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len) {
|
|||||||
bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
|
bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
|
||||||
X509_SIG *digestInfo;
|
X509_SIG *digestInfo;
|
||||||
X509_ALGOR *algor;
|
X509_ALGOR *algor;
|
||||||
ASN1_TYPE parameter;
|
|
||||||
ASN1_OCTET_STRING *digest;
|
ASN1_OCTET_STRING *digest;
|
||||||
unsigned char data[1024];
|
unsigned char data[1024];
|
||||||
|
|
||||||
|
|||||||
+23
-1
@@ -43,10 +43,12 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "openssl-compat.h"
|
#include "openssl-compat.h"
|
||||||
|
#include <openssl/bn.h>
|
||||||
#include <openssl/des.h>
|
#include <openssl/des.h>
|
||||||
#include <openssl/pem.h>
|
#include <openssl/pem.h>
|
||||||
#include <openssl/pkcs12.h>
|
#include <openssl/pkcs12.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
|
#include <openssl/rsa.h>
|
||||||
|
|
||||||
#include "cmdline.h"
|
#include "cmdline.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
@@ -868,11 +870,19 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
|
|||||||
fprintf(stderr, "Failed to set certificate serial.\n");
|
fprintf(stderr, "Failed to set certificate serial.\n");
|
||||||
goto selfsign_out;
|
goto selfsign_out;
|
||||||
}
|
}
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
if(!X509_gmtime_adj(X509_get_notBefore(x509), 0)) {
|
if(!X509_gmtime_adj(X509_get_notBefore(x509), 0)) {
|
||||||
|
#else
|
||||||
|
if(!X509_gmtime_adj(X509_getm_notBefore(x509), 0)) {
|
||||||
|
#endif
|
||||||
fprintf(stderr, "Failed to set certificate notBefore.\n");
|
fprintf(stderr, "Failed to set certificate notBefore.\n");
|
||||||
goto selfsign_out;
|
goto selfsign_out;
|
||||||
}
|
}
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
if(!X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * validDays)) {
|
if(!X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * validDays)) {
|
||||||
|
#else
|
||||||
|
if(!X509_gmtime_adj(X509_getm_notAfter(x509), 60L * 60L * 24L * validDays)) {
|
||||||
|
#endif
|
||||||
fprintf(stderr, "Failed to set certificate notAfter.\n");
|
fprintf(stderr, "Failed to set certificate notAfter.\n");
|
||||||
goto selfsign_out;
|
goto selfsign_out;
|
||||||
}
|
}
|
||||||
@@ -1241,7 +1251,7 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
|
|||||||
|
|
||||||
if(*ptr++ == 0x70) {
|
if(*ptr++ == 0x70) {
|
||||||
unsigned int md_len = sizeof(data);
|
unsigned int md_len = sizeof(data);
|
||||||
ASN1_TIME *not_before, *not_after;
|
const ASN1_TIME *not_before, *not_after;
|
||||||
|
|
||||||
ptr += get_length(ptr, &cert_len);
|
ptr += get_length(ptr, &cert_len);
|
||||||
x509 = X509_new();
|
x509 = X509_new();
|
||||||
@@ -1299,13 +1309,21 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
|
|||||||
dump_data(data, md_len, output, false, format_arg_hex);
|
dump_data(data, md_len, output, false, format_arg_hex);
|
||||||
|
|
||||||
bio = BIO_new_fp(output, BIO_NOCLOSE | BIO_FP_TEXT);
|
bio = BIO_new_fp(output, BIO_NOCLOSE | BIO_FP_TEXT);
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
not_before = X509_get_notBefore(x509);
|
not_before = X509_get_notBefore(x509);
|
||||||
|
#else
|
||||||
|
not_before = X509_get0_notBefore(x509);
|
||||||
|
#endif
|
||||||
if(not_before) {
|
if(not_before) {
|
||||||
fprintf(output, "\tNot Before:\t");
|
fprintf(output, "\tNot Before:\t");
|
||||||
ASN1_TIME_print(bio, not_before);
|
ASN1_TIME_print(bio, not_before);
|
||||||
fprintf(output, "\n");
|
fprintf(output, "\n");
|
||||||
}
|
}
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
not_after = X509_get_notAfter(x509);
|
not_after = X509_get_notAfter(x509);
|
||||||
|
#else
|
||||||
|
not_after = X509_get0_notAfter(x509);
|
||||||
|
#endif
|
||||||
if(not_after) {
|
if(not_after) {
|
||||||
fprintf(output, "\tNot After:\t");
|
fprintf(output, "\tNot After:\t");
|
||||||
ASN1_TIME_print(bio, not_after);
|
ASN1_TIME_print(bio, not_after);
|
||||||
@@ -1950,7 +1968,9 @@ int main(int argc, char *argv[]) {
|
|||||||
|
|
||||||
|
|
||||||
/* openssl setup.. */
|
/* openssl setup.. */
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
OpenSSL_add_all_algorithms();
|
OpenSSL_add_all_algorithms();
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
for(i = 0; i < args_info.action_given; i++) {
|
for(i = 0; i < args_info.action_given; i++) {
|
||||||
@@ -2191,6 +2211,8 @@ int main(int argc, char *argv[]) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
ykpiv_done(state);
|
ykpiv_done(state);
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
EVP_cleanup();
|
EVP_cleanup();
|
||||||
|
#endif
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,6 +31,7 @@
|
|||||||
#ifndef OPENSSL_TYPES_H
|
#ifndef OPENSSL_TYPES_H
|
||||||
#define OPENSSL_TYPES_H
|
#define OPENSSL_TYPES_H
|
||||||
|
|
||||||
|
#include <openssl/bn.h>
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/rsa.h>
|
#include <openssl/rsa.h>
|
||||||
|
|||||||
@@ -35,6 +35,11 @@
|
|||||||
#include "debug.h"
|
#include "debug.h"
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
|
# define X509_set_notBefore X509_set1_notBefore
|
||||||
|
# define X509_set_notAfter X509_set1_notAfter
|
||||||
|
#endif
|
||||||
|
|
||||||
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) {
|
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) {
|
||||||
|
|
||||||
const unsigned char *p = data; // Mandatory temp variable required by OpenSSL
|
const unsigned char *p = data; // Mandatory temp variable required by OpenSSL
|
||||||
@@ -580,7 +585,9 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
|
|||||||
int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
|
int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
|
||||||
unsigned char em[RSA_size(key)];
|
unsigned char em[RSA_size(key)];
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
OpenSSL_add_all_digests();
|
OpenSSL_add_all_digests();
|
||||||
|
#endif
|
||||||
|
|
||||||
DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
|
DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
|
||||||
|
|
||||||
@@ -590,14 +597,18 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
|
|||||||
|
|
||||||
// In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD
|
// In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD
|
||||||
if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) {
|
if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) {
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
EVP_cleanup();
|
EVP_cleanup();
|
||||||
|
#endif
|
||||||
return CKR_FUNCTION_FAILED;
|
return CKR_FUNCTION_FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(out, em, sizeof(em));
|
memcpy(out, em, sizeof(em));
|
||||||
*out_len = (CK_ULONG) sizeof(em);
|
*out_len = (CK_ULONG) sizeof(em);
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
EVP_cleanup();
|
EVP_cleanup();
|
||||||
|
#endif
|
||||||
|
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user