Commit Graph

253 Commits

Author SHA1 Message Date
Klas Lindfors 45e74cfccf tool: check length before trying to store cert in buffer
fixes #148
2018-08-16 14:49:32 +02:00
Jakub Jelen d613b42b0c Avoid unused variables and warnings when building against OpenSSL 1.1 2018-08-08 16:12:25 +02:00
Trevor Bentley 8b99accf58 Merge pull request #138 from Jakuje/master
Compiler warnings and compatibility with older check versions
2018-02-27 15:00:09 +00:00
Jakub Jelen dfca8e2e55 Remove unused variables 2018-02-27 15:40:31 +01:00
quentin c8372f27d7 Improve compatibility with OpenSSL 1.1.0
* add missing headers
* stop using deprecated APIs
2018-02-26 02:43:41 +01:00
Trevor Bentley 74e1a0885c Merge pull request #136 from jmyreen/openssl-1.1-fixes
Fixed some bugs in the port to Openssl-1.1:
2018-01-02 13:24:53 +01:00
Johan Myréen b0210e0710 Fixed some bugs in the port to Openssl-1.1:
- wrap_public_key() passed the address of the local stack variable
  internal_key to RSA_meth_set0_data(), which was used long after
  wrap_public_key() had returned. Changed to static.

- The callback functions yk_rsa_meth_sign and yk_ec_meth_sign 'siglen'
  parameter has type (unisgned int *), which was cast to (size_t *)
  before it was used to write a value in the caller's memory
  space. This caused stack corruption on machines where size_t is
  bigger than unsigned int.

- The callback function's 'siglen' parameter is output-only, not
  in-out. The input value was assumed to contain the maximum size of
  the output buffer as input, and a bogus value was compared to the
  amount of data received from the token in function
  _general_authenticate(). Changed to pass in the values returned by
  RSA_size(rsa) and ECDSA_size(ec), which Openssl specifies as minimum
  buffer sizes.

- The callback functions' return values were swapped; fixed to return
  1 on success, 0 on failure.
2017-12-30 22:08:09 +02:00
Aloz1 866b6b1d9d Added checks to allow building against LibreSSL
It seems that when OpenSSL 1.1.0 support was added, LibreSSL was broken
due to the way version checking was done. This adds extra checks for
LIBRESSL_VERSION_NUMBER where applicable.
2017-12-29 14:38:37 +11:00
Trevor Bentley 20a5ecce0f Fix OpenSSL 1.1 build with mingw32/64 2017-11-27 11:27:11 +01:00
Trevor Bentley 7ca0267ddf Fix OpenSSL 1.1 compat layer
- Changes for latest ykpiv_util refactor
 - Passes hw tests with openssl 1.0 and 1.1
 - Passes valgrind
2017-11-21 17:08:38 +01:00
Trevor Bentley 4785e23bd1 Merge branch 'master' of https://github.com/Jakuje/yubico-piv-tool into Jakuje-master 2017-11-20 14:03:48 +01:00
Jakub Jelen 77c51a7317 Properly apply the OpenSSL version checks 2017-11-14 13:34:57 +01:00
Jakub Jelen 0a131a053d Do not use the new API with the old OpenSSL 2017-11-14 10:54:47 +01:00
Jakub Jelen 4a847677cc WIP:Use RSA/EC_KEY METHOD to provide X509 signatures using high-level OpenSSL API 2017-11-13 17:39:34 +01:00
Jakub Jelen d2ffc41a6c RAND_pseudo_bytes is deprecated in OpenSSL 1.1.0 2017-11-13 17:39:34 +01:00
Jakub Jelen ad4e93a462 Few more OpenSSL 1.1.0 incompatibilities 2017-11-13 17:39:34 +01:00
Jakub Jelen bd351261ec Initial idea of openssl-1.1.0 compatibility (still missing some magic around certificates) 2017-11-13 17:39:34 +01:00
Trevor Bentley a7eb0657f1 Fix compile time warnings about -no-install on Darwin/clang 2017-10-26 12:37:05 +02:00
Trevor Bentley c2f86d0a0f Move YK4 insecure on-chip key generation prevention from yubico-piv-tool to libykpiv 2017-10-24 15:59:44 +02:00
Trevor Bentley 15f533d7de Move hardware tests to "make hwtest", with one warning for all test suites.
- "make check" will mark destructive tests as skipped
- "make hwtest" will ask once for user confirmation
2017-10-24 15:10:45 +02:00
Trevor Bentley 4c9004feeb Remove artifact from rebase (bad local variable) 2017-10-23 16:28:57 +02:00
Trevor Bentley c07355fefb Fix unit tests for NEO: use ECCP256 and detect attestation errors 2017-10-23 16:26:14 +02:00
Trevor Bentley 7177ceda74 Extra attempts for PIN/PUK block in unit test 2017-10-23 16:26:11 +02:00
Trevor Bentley ef81054dc2 Add automated tests for yubico-piv-tool CLI (hw-tests only) 2017-10-23 16:25:59 +02:00
Trevor Bentley 9a7ccf48fa Fix all clang scan-build warnings 2017-10-23 16:25:56 +02:00
Trevor Bentley 90209997cc Unit test for ykpiv_attest() 2017-10-23 16:25:53 +02:00
Trevor Bentley 5291bc4a63 Fix issue #123 - specify text/binary mode for open files 2017-10-23 16:25:50 +02:00
Trevor Bentley 79464a3d3e Use slot enum consistently. Move slot->object translation into libykpiv. 2017-10-23 16:25:47 +02:00
Trevor Bentley 2e818dd914 Add ykpiv_util_(get/set)_cccid(), and use in yubico-piv-tool 2017-10-23 16:25:44 +02:00
Trevor Bentley f6b817f056 Add ykpiv_attest() and use it in yubico-piv-tool 2017-10-23 16:25:38 +02:00
Trevor Bentley 248980fe27 yubico-piv-tool: use ykpiv_util_read_cert 2017-10-23 16:25:35 +02:00
Trevor Bentley 3bca63c39c yubico-piv-tool: use ykpiv_util_delete_cert 2017-10-23 16:25:32 +02:00
Trevor Bentley ded78751a0 Add gzip support to ykpiv_util_import_certificate(), and use in yubico-piv-tool 2017-10-23 16:25:20 +02:00
Trevor Bentley 8135a55200 yubico-piv-tool: Switch to ykpiv_set_pin_retries() 2017-10-23 16:25:17 +02:00
Trevor Bentley ec8e2786e6 yubico-piv-tool: use ykpiv_util_reset() 2017-10-23 16:25:13 +02:00
Trevor Bentley 12f35b8884 yubico-piv-tool: use util function for key generation 2017-10-23 16:25:10 +02:00
Trevor Bentley 0d2b85fcef Switch test cases to use libcheck framework
This keeps the test logic the same, but moves most of them into the libcheck
test suite framework.  It gives better control over grouping related tests,
running them in parallel, and reporting on multiple failures.

Running in parallel also brings problems, so libykcs11 tests are left
untouched.  Parallel access to a single hardware DUT does not make sense,
and pcsc-lite doesn't work after a fork() in OS X 10.11+, so it can't run
in libcheck's tests anyway.
2017-10-23 16:21:50 +02:00
Klas Lindfors cd11196535 disable rsa keygen for yubikey4 before 4.3.5
point at https://yubi.co/ysa201701/
2017-10-16 15:32:25 +02:00
Klas Lindfors 8614d227cb touch-policy and pin-policy is only available on YubiKey 4 2017-04-24 08:27:58 +02:00
Klas Lindfors 6304a6c799 add a line about slot f9 to help output 2017-04-19 14:23:59 +02:00
Klas Lindfors 60e32d53c5 let help2adoc use the h2m file as extra include 2017-04-19 14:16:44 +02:00
Klas Lindfors 9dfe04cd06 update documentation and help output for how to specify secrets on stdin
also update all examples to have no space after short option.
2017-04-19 14:15:24 +02:00
Klas Lindfors e6a7517050 add a new hidden flag --stdin-input for straight stdin input 2017-04-18 13:05:27 +02:00
Klas Lindfors 8bdf7378d6 fixup dependencies for yubico-piv-tool.1
should now support parallel builds
2016-09-12 09:54:04 +02:00
Klas Lindfors 621bad8acd make sure to return RSA keys with ASN1_NULL as parameter 2016-08-17 10:32:04 +02:00
Simon Josefsson 89bec1260a Improve license headers. 2016-08-12 15:30:06 +02:00
Klas Lindfors b052250a1b make certificate serial number random by default 2016-08-10 10:12:32 +02:00
Alessio Di Mauro 3f4cb12702 Add SSH export for RSA public key 2016-07-12 13:54:22 +02:00
Michael Scherer 24534bcfcf Replace magic number for status word by constants
Most come from NIST special publication 800-73-4, section 5.6,
except one which I assume to be a custom one for yubikey.
2016-05-09 09:38:37 +02:00
Klas Lindfors bbde9f91f9 Merge branch 'fix_typo' of ssh://github.com/mscherer/yubico-piv-tool into mscherer-fix_typo 2016-05-09 09:01:28 +02:00