217 Commits

Author SHA1 Message Date
Peter Jones a4c64c8c21 Initialize C_Initialize's reader list to NULs.
valgrind --track-origins=true says:

==13529== Conditional jump or move depends on uninitialised value(s)
==13529==    at 0x4AF92D1: PK11_MakeString (pk11slot.c:1073)
==13529==    by 0x4AFA5AA: PK11_InitSlot (pk11slot.c:1456)
==13529==    by 0x4AE315E: secmod_LoadPKCS11Module (pk11load.c:563)
==13529==    by 0x4AEF68C: SECMOD_LoadModule (pk11pars.c:1838)
==13529==    by 0x4AEF7C7: SECMOD_LoadModule (pk11pars.c:1874)
==13529==    by 0x4ABCB6A: nss_InitModules (nssinit.c:464)
==13529==    by 0x4ABCB6A: nss_Init (nssinit.c:689)
==13529==    by 0x4ABD17C: NSS_Init (nssinit.c:824)
==13529==    by 0x4059C0: main (pesign.c:354)
==13529==  Uninitialised value was created by a stack allocation
==13529==    at 0x484D175: C_Initialize (in /usr/lib64/libykcs11.so.1.5.0)

This is the result of a combination of two problems.  In
ykcs11/utils.c:parse_readers(), the code does:

  for (i = 0; i < len; i++)
    if (readers[i] == '\0' && i != len - 1) {

But in ykcs11/ykcs11.c:C_Initialize(), the parts of readers[] that are
initialized are only the parts that have been populated; the rest of
the array is still just whatever value is on the stack.  Additionally,
in lib/ykpiv.c:ykpiv_list_readers(), which populates the array, the
length is updated only in the case where the buffer is smaller than the
data, not when there is additional buffer but no data:

  if (num_readers > *len) {
    num_readers = (pcsc_word)*len;
  }

The result is that if the amount of reader data is smaller than 2048
bytes, PK11_InitSlot() will try to find reader data in the rest of the
array, which has not been initialized.

This patch adds an initialization for the data to set it all to '\0', and
also updates the length when there is excess buffer available.

Signed-off-by: Peter Jones <pjones@redhat.com>
2019-05-21 11:01:24 -04:00
Kelby Ludwig 08b32ef3e0 added switch to ignore CKA_LABEL on calls to check_pubkey_template and check_pvtkey_template 2019-05-18 21:39:36 -05:00
Dave Pate c61d6c6f23 lib: warn, but don't fail on error reading serial number or version
lib: fix Windows build with OpenSSL 1.1.1
ykcs11: fix size_t/unsigned long type mismatch on Windows x64
2019-05-06 14:46:46 -07:00
Gabriel Kihlman bc2f161c51 Initialize buf to 0 to make a code scanner happy 2019-03-06 15:16:56 +01:00
Gabriel Kihlman f60d2d4ff8 Do not assign variable twice 2019-03-06 14:32:42 +01:00
Gabriel Kihlman 3f7f2b633b Remove duplicate check on op_info.type != YKCS11_SIGN 2019-03-06 14:31:04 +01:00
Gabriel Kihlman 5baf9347e1 Check return value of strdup 2019-02-20 16:02:19 +01:00
Alessio Di Mauro 5749371432 ykcs11: use a large enough buffer when writing EC signatures 2019-01-07 11:03:52 +01:00
Klas Lindfors 898b85821c ykcs11: allow the pkcs11 module to find headers from tool/
fixes #166
2018-09-18 08:38:57 +02:00
Alessio Di Mauro 5877998f03 ykcs11: ignore more attributes when creating objects 2018-05-15 11:45:00 +02:00
Alessio Di Mauro bdfe49f223 Make slot 9e private so that OpenSSL can ask for a PIN 2018-05-09 16:34:08 +02:00
Alessio Di Mauro 3758cecdd9 Remove 384 from the supported lengths for EC key generation in ykcs11
Closes #149
2018-05-07 13:35:05 +02:00
Alessio Di Mauro 7533e7fb56 Ignore CKA_PRIVATE in ykcs11
Newer versions of pkcs11-tool set the CKA_PRIVATE attribute during
generation, making the operation fail. The attribute is now ignored.
2018-05-03 10:20:02 +02:00
Alessio Di Mauro 15aef8957d Update key generation in ykcs11 to work with OpenSSL 1.1
Manually setting a signature for a certificate is not possible in
OpenSSL 1.1 because some of the structs have become opaque. Use
X509_sign() with a bogus key instead.
2018-05-03 10:20:00 +02:00
quentin c8372f27d7 Improve compatibility with OpenSSL 1.1.0
* add missing headers
* stop using deprecated APIs
2018-02-26 02:43:41 +01:00
Aloz1 866b6b1d9d Added checks to allow building against LibreSSL
It seems that when OpenSSL 1.1.0 support was added, LibreSSL was broken
due to the way version checking was done. This adds extra checks for
LIBRESSL_VERSION_NUMBER where applicable.
2017-12-29 14:38:37 +11:00
Trevor Bentley d5d953be95 Use library dependencies for openssl compat layer 2017-11-29 09:47:45 +00:00
Trevor Bentley 7ca0267ddf Fix OpenSSL 1.1 compat layer
- Changes for latest ykpiv_util refactor
- Passes hw tests with openssl 1.0 and 1.1
- Passes valgrind
2017-11-21 17:08:38 +01:00
Trevor Bentley 4785e23bd1 Merge branch 'master' of https://github.com/Jakuje/yubico-piv-tool into Jakuje-master 2017-11-20 14:03:48 +01:00
Trevor Bentley 6a34b6ef96 Fix cross-compiling for mingw64 2017-11-17 16:13:15 +01:00
Jakub Jelen 77c51a7317 Properly apply the OpenSSL version checks 2017-11-14 13:34:57 +01:00
Jakub Jelen eda075fa57 Provide the bogus signature with OpenSSL 1.1.0 API 2017-11-14 10:37:02 +01:00
Jakub Jelen 13f542c1f8 Use the new OpenSSL 1.1.0 API also in the HW tests 2017-11-14 10:29:34 +01:00
Jakub Jelen a2715f0a4a Use OpenSSL 1.1.0 API 2017-11-13 17:43:06 +01:00
Jakub Jelen 4a847677cc WIP:Use RSA/EC_KEY METHOD to provide X509 signatures using high-level OpenSSL API 2017-11-13 17:39:34 +01:00
Jakub Jelen d2ffc41a6c RAND_pseudo_bytes is deprecated in OpenSSL 1.1.0 2017-11-13 17:39:34 +01:00
Jakub Jelen ad4e93a462 Few more OpenSSL 1.1.0 incompatibilities 2017-11-13 17:39:34 +01:00
Trevor Bentley 7818b49e7d Skip unusable integration tests when testing a NEO 2017-10-31 15:40:51 +01:00
Trevor Bentley 252226220a Disable ensure_application_selected() by default, since it breaks PIN policy. 2017-10-31 12:29:16 +01:00
Trevor Bentley a7eb0657f1 Fix compile time warnings about -no-install on Darwin/clang 2017-10-26 12:37:05 +02:00
Trevor Bentley 15f533d7de Move hardware tests to "make hwtest", with one warning for all test suites.
- "make check" will mark destructive tests as skipped
- "make hwtest" will ask once for user confirmation
2017-10-24 15:10:45 +02:00
Trevor Bentley 9a7ccf48fa Fix all clang scan-build warnings 2017-10-23 16:25:56 +02:00
Trevor Bentley 79464a3d3e Use slot enum consistently. Move slot->object translation into libykpiv. 2017-10-23 16:25:47 +02:00
Trevor Bentley 0d2b85fcef Switch test cases to use libcheck framework
This keeps the test logic the same, but moves most of them into the libcheck
test suite framework.  It gives better control over grouping related tests,
running them in parallel, and reporting on multiple failures.

Running in parallel also brings problems, so libykcs11 tests are left
untouched.  Parallel access to a single hardware DUT does not make sense,
and pcsc-lite doesn't work after a fork() in OS X 10.11+, so it can't run
in libcheck's tests anyway.
2017-10-23 16:21:50 +02:00
Trevor Bentley ba7d256ecf Fix test cases: uninitialized memory and non-terminated string compare 2017-10-23 16:21:46 +02:00
Klas Lindfors bf9c09f9e8 ykcs11: disable rsa keygeneration for yk4 < 4.3.5
see https://yubi.co/ysa201701/
relates #127
2017-10-17 12:51:48 +02:00
edent ea00678314 http->https 2017-10-17 08:02:02 +01:00
Hannes Mehnert 03849d9722 alias RSA type, call openssl functions only in openssl_utils.c 2017-03-29 23:01:17 +01:00
Hannes Mehnert 847b0b4267 fix PSS signing support 2017-03-26 19:13:07 +02:00
Alessio Di Mauro 127227fe4c Better approximation for signature size
Relates to #98.
2016-10-05 16:39:58 +02:00
Alessio Di Mauro af78e18151 Always set number of slots
Relates to #98.
2016-10-05 16:39:58 +02:00
Alessio Di Mauro 7b7c798ef6 Return correct modulus
When asked for CKA_MODULUS on a private key return only n and not the
whole key

Relates to #98.
2016-10-05 16:39:54 +02:00
Simon Josefsson e54176d530 Drop cflags since this "library" doesn't have any public header files. 2016-08-12 15:39:25 +02:00
Simon Josefsson 1b453e0f38 We modified it => add license header. 2016-08-12 15:38:31 +02:00
Simon Josefsson 4937270a13 Don't install ykcs11-version.h. 2016-08-12 15:37:33 +02:00
Simon Josefsson 89bec1260a Improve license headers. 2016-08-12 15:30:06 +02:00
Klas Lindfors 8e7a2796b9 if CRYPTOKI_EXPORTS is not defined don't add __declspec
this messes up the windows build since we're already using libtool for
the exports.
2016-08-12 15:09:49 +02:00
Klas Lindfors 56cb376b3c drop ykcs11_check_version() that was never used or exported 2016-08-12 14:46:13 +02:00
Klas Lindfors c5f60bac4f fixup license header of Makefile.am 2016-08-12 14:03:42 +02:00
Klas Lindfors e7b4fc6ccf switch out the pkcs11 headers for the SCUTE pkcs11 header from opensc
create pkcs11y.h for our additional things
2016-08-12 14:00:15 +02:00