Commit Graph

1247 Commits

Author SHA1 Message Date
Klas Lindfors a24dd0a2ee tool: for openssl 1.1 rsa signatures include hash oid
the rsa signature has to be over hash oid + message digest, dropping the
oid from the hash leads to invalid certificate requests and self-signed
certificates.

fixes #164
2018-09-10 10:24:32 +02:00
Klas Lindfors 228a04ad73 tool: only declare the static struct once in wrap_public_key()
and make sure to just set it once for both rsa and ec
2018-09-10 10:04:46 +02:00
Klas Lindfors 696894bc68 tool: handle error conditions from signing with openssl 1.1
relates #164
2018-09-10 08:52:39 +02:00
Alessio Di Mauro d0ba708260 Merge PR #163 2018-09-07 13:58:18 +02:00
Klas Lindfors 6e51db8c80 lib: make the reader comparison case-insensitive
sadly strcasestr is a GNU/BSD extension, not part of posix so we have to
do our own thing here or do different things on different platforms.
2018-09-07 12:57:10 +02:00
Klas Lindfors 62142a1b74 bump openssl versions to 1.0.2p 2018-08-17 09:45:39 +02:00
Klas Lindfors 945a0f314d bump version to 1.6.2 2018-08-17 09:45:20 +02:00
Klas Lindfors ff12f8baf3 NEWS for 1.6.1 2018-08-17 09:22:18 +02:00
Klas Lindfors 5bbce58cee update NEWS for more changes that happened in 1.6.0 2018-08-17 09:20:36 +02:00
Klas Lindfors 23a4d008c6 finish up version bump to 1.6.1, LT_REVISION has to increase 2018-08-17 09:14:32 +02:00
Klas Lindfors 45e74cfccf tool: check length before trying to store cert in buffer
fixes #148
2018-08-16 14:49:32 +02:00
Klas Lindfors 16d539041e ykpiv: when decoding an object compare lengths correctly
the length comparison when reading an object out was messed up, this
fixes it to compare correctly.

relates #154
2018-08-16 14:25:31 +02:00
Klas Lindfors c15efbfdd7 ykpiv: fix length when encoding exactly 0xff bytes
this should be encoded as 81 ff, not 82 00 ff

relates #154
2018-08-16 14:25:14 +02:00
Klas Lindfors 7b1c8197fb Merge branch 'pr-157' 2018-08-09 10:23:52 +02:00
Jakub Jelen d613b42b0c Avoid unused variables and warnings when building against OpenSSL 1.1 2018-08-08 16:12:25 +02:00
Thordur Bjornsson 419d0da8bc Revert the configure.ac portion of c31a0425.
Bugfixes don't change the libtool versions, so revert back.
2018-08-08 15:25:09 +02:00
Thordur Bjornsson c31a042595 Bump version to 1.6.1 unreleased 2018-08-08 10:42:20 +02:00
Thordur Bjornsson 5258920cff release: 1.6.0 2018-08-06 17:31:55 +02:00
Klas Lindfors 80d47c82f0 lib: in _ykpiv_fetch_object() handle bogus length by returning
otherwise we might memmove() too much data

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
2018-08-03 10:51:46 +02:00
Klas Lindfors 01a127a44a lib: in ykpiv_transfer_data() handle overflow by exiting
this is detected and printed, but we never exit the function

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
2018-08-03 10:51:00 +02:00
Alessio Di Mauro 5877998f03 ykcs11: ignore more attributes when creating objects 2018-05-15 11:45:00 +02:00
Alessio Di Mauro bdfe49f223 Make slot 9e private so that OpenSSL can ask for a PIN 2018-05-09 16:34:08 +02:00
Alessio Di Mauro 3758cecdd9 Remove 384 from the supported lengths for EC key generation in ykcs11
Closes #149
2018-05-07 13:35:05 +02:00
Alessio Di Mauro 7533e7fb56 Ignore CKA_PRIVATE in ykcs11
Newer versions of pkcs11-tool set the CKA_PRIVATE attribute during
generation making the operation fail. The attribute is now ignored.
2018-05-03 10:20:02 +02:00
Alessio Di Mauro 15aef8957d Update key generation in ykcs11 to work with OpenSSL 1.1
Manually setting a signature for a certificate is not possible in
OpenSSL 1.1 because some of the structs have become opaque. Use
X509_sign() with a bogus key instead.
2018-05-03 10:20:00 +02:00
Klas Lindfors 0bae4b53ce Merge branch 'pr-144' 2018-03-25 17:36:12 +02:00
James Alseth 9d8f8f3f2b Fixed slot argument error in attestation verification example. 2018-03-23 14:53:27 -07:00
Alessio Di Mauro a2005eac92 Add check as a dependency to the Vagrant provision script
Closes #142.
2018-03-19 09:08:10 +01:00
Trevor Bentley b4201cb605 Merge pull request #139 from notdpate/master
Libykpiv ROCA mitigation changes for PIV tool/Minidriver - Release 1.5.2
2018-03-06 12:46:46 +00:00
Dave Pate 7aa8228985 Release 1.5.2
Bump libtool version
2018-03-05 14:17:47 -08:00
Dave Pate 775eaacc9f Merge upstream master commits 2018-03-05 11:32:25 -08:00
Dave Pate b98f97ef62 Fixes linux/osx build warnings
Clarify logic for configuration file
2018-03-05 11:28:52 -08:00
Trevor Bentley 8b99accf58 Merge pull request #138 from Jakuje/master
Compiler warnings and compatibility with older check versions
2018-02-27 15:00:09 +00:00
Jakub Jelen bbd92009fc libcheck 0.9 compatibility for RHEL7 2018-02-27 15:40:31 +01:00
Jakub Jelen dfca8e2e55 Remove unused variables 2018-02-27 15:40:31 +01:00
Trevor Bentley b5d9dc86d7 Merge pull request #141 from laomaiweng/openssl-1.1.0-compat
Improve compatibility with OpenSSL 1.1.0
2018-02-27 14:21:49 +00:00
quentin c8372f27d7 Improve compatibility with OpenSSL 1.1.0
* add missing headers
* stop using deprecated APIs
2018-02-26 02:43:41 +01:00
Jakub Jelen f5c42cef89 Do not build test if HW_TESTS is not enabled (to avoid warnings) 2018-02-10 19:35:12 +01:00
Dave Pate 0b2dcb0aaf Fix msvc build warning re: return values 2018-02-09 09:14:45 -08:00
Dave Pate 9783f9b626 Fix warnings in msvc build 2018-02-09 09:03:10 -08:00
Dave Pate 289896ac61 Add syslog/windows event log output
Read multistage configuration
Update ROCA mitigation check and warnings
2018-02-09 08:28:51 -08:00
Trevor Bentley 38ce95cf1c Merge pull request #137 from Yubico/custom_pcsc
Support specifying custom PCSC lib
2018-01-25 11:23:01 +01:00
Trevor Bentley c9f4d684d1 Support specifying custom PCSC lib 2018-01-24 15:44:22 +01:00
Trevor Bentley 74e1a0885c Merge pull request #136 from jmyreen/openssl-1.1-fixes
Fixed some bugs in the port to Openssl-1.1:
2018-01-02 13:24:53 +01:00
Trevor Bentley 6dc0419a79 Merge pull request #135 from Aloz1/libressl-support
Added checks to allow building against LibreSSL
2018-01-02 13:07:07 +01:00
Johan Myréen b0210e0710 Fixed some bugs in the port to Openssl-1.1:
- wrap_public_key() passed the address of the local stack variable
  internal_key to RSA_meth_set0_data(), which was used long after
  wrap_public_key() had returned. Changed to static.

- The callback functions yk_rsa_meth_sign and yk_ec_meth_sign 'siglen'
  parameter has type (unsigned int *), which was cast to (size_t *)
  before it was used to write a value in the caller's memory
  space. This caused stack corruption on machines where size_t is
  bigger than unsigned int.

- The callback function's 'siglen' parameter is output-only, not
  in-out. The input value was assumed to contain the maximum size of
  the output buffer as input, and a bogus value was compared to the
  amount of data received from the token in function
  _general_authenticate(). Changed to pass in the values returned by
  RSA_size(rsa) and ECDSA_size(ec), which Openssl specifies as minimum
  buffer sizes.

- The callback functions' return values were swapped; fixed to return
  1 on success, 0 on failure.
2017-12-30 22:08:09 +02:00
Aloz1 866b6b1d9d Added checks to allow building against LibreSSL
It seems that when OpenSSL 1.1.0 support was added, LibreSSL was broken
due to the way version checking was done. This adds extra checks for
LIBRESSL_VERSION_NUMBER where applicable.
2017-12-29 14:38:37 +11:00
Trevor Bentley 427451c12f Bump version to 1.5.1 unreleased 2017-11-29 13:10:53 +01:00
Trevor Bentley ab6f3d668a Merge pull request #133 from Yubico/distclean
Use library dependencies for openssl compat layer
2017-11-29 10:56:55 +01:00
Trevor Bentley d46db8e181 Build libs before running check. 2017-11-29 09:55:20 +00:00