Asymmetric wrap support (#25)

Add support for asymmetric wrap functionality
Yubico · Aug 8, 2024 · 080e32d · 080e32d
1 parent 4d6142e
commit 080e32d
Show file tree

Hide file tree

Showing 18 changed files with 3,118 additions and 472 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -8,16 +8,16 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - environment: "ubuntu:23.10"
+          - environment: "ubuntu:24.04"
             cc: "gcc"
             upload_for_test: "false"
-          - environment: "ubuntu:23.10"
+          - environment: "ubuntu:24.04"
             cc: "clang"
             upload_for_test: "false"
-          - environment: "ubuntu:23.04"
+          - environment: "ubuntu:23.10"
             cc: "gcc"
             upload_for_test: "false"
-          - environment: "ubuntu:23.04"
+          - environment: "ubuntu:23.10"
             cc: "clang"
             upload_for_test: "false"
           - environment: "ubuntu:22.04"
@@ -32,15 +32,15 @@ jobs:
           - environment: "ubuntu:20.04"
             cc: "clang"
             upload_for_test: "false"
-          - environment: "ubuntu:18.04"
-            cc: "gcc"
-            upload_for_test: "false"
-          - environment: "ubuntu:16.04"
-            cc: "gcc"
-            upload_for_test: "false"
-          - environment: "ubuntu:14.04"
-            cc: "gcc"
-            upload_for_test: "false"
+#          - environment: "ubuntu:18.04"
+#            cc: "gcc"
+#            upload_for_test: "false"
+#          - environment: "ubuntu:16.04"
+#            cc: "gcc"
+#            upload_for_test: "false"
+#          - environment: "ubuntu:14.04"
+#            cc: "gcc"
+#            upload_for_test: "false"
           - environment: "debian:12"
             cc: "gcc"
             upload_for_test: "false"
@@ -53,9 +53,6 @@ jobs:
           - environment: "debian:11"
             cc: "clang"
             upload_for_test: "false"
-          - environment: "debian:10"
-            cc: "gcc"
-            upload_for_test: "false"
 
     name: build on ${{ matrix.environment }} (${{ matrix.cc }},${{ matrix.upload_for_test}})
     runs-on: ubuntu-latest
@@ -87,7 +84,7 @@ jobs:
           fi
 
       - name: clone the Yubico/yubihsm-shell repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: yubihsm-shell
 
@@ -169,21 +166,18 @@ jobs:
       matrix:
         include:
           # we do not perform clang builds for all environments, only fedora
-          - environment: "fedora:38"
+          - environment: "fedora:40"
             cc: "gcc"
-            upload_for_test: "false"
-          - environment: "fedora:38"
+            upload_for_test: "true"
+          - environment: "fedora:40"
             cc: "clang"
             upload_for_test: "false"
-          - environment: "fedora:37"
+          - environment: "fedora:39"
             cc: "gcc"
             upload_for_test: "false"
-          - environment: "fedora:37"
+          - environment: "fedora:39"
             cc: "clang"
             upload_for_test: "false"
-          - environment: "centos:7"
-            cc: "gcc"
-            upload_for_test: "true"
 
     name: build on ${{ matrix.environment }} (${{ matrix.cc }}, ${{ matrix.upload_for_test }})
     runs-on: ubuntu-latest
@@ -352,7 +346,7 @@ jobs:
         include:
           - environment: "ubuntu:22.04"
             cc: "clang"
-          - environment: "centos:7"
+          - environment: "fedora:40"
             cc: "gcc"
 
     name: run unit tests
@@ -371,7 +365,7 @@ jobs:
           apt install -q -y build-essential cmake python3 python3-pip python3-setuptools curl libedit2 libpcsclite1 libengine-pkcs11-openssl opensc swig openjdk-11-jdk-headless libssl3
 
       - name: install dependencies from package management (rpm based)
-        if: ${{ matrix.environment == 'centos:7' }}
+        if: ${{ matrix.environment == 'fedora:40' }}
         run: |
           yum install -y gcc gcc-c++ cmake python3-devel python3-pip python3-setuptools curl libedit gengetopt openssl libcurl pcsc-lite swig java-11-openjdk-headless which
 

diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
@@ -1,9 +1,6 @@
 name: Run Integration Tests
 
-on:
-  schedule:
-    # Run this every wednesday at 3:40. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
-    - cron: '40 3 * * 3'
+on: [push, pull_request]
 
 jobs:
   main:
@@ -77,12 +74,12 @@ jobs:
         working-directory: yubihsm-shell/resources/tests/bash
         run: ./cmdline_test.sh $GITHUB_WORKSPACE/yubihsm-shell/build/src/yubihsm-shell $DEFAULT_CONNECTOR_URL
 
-      - name: run pkcs11-tool tests
-        working-directory: yubihsm-shell/resources/tests/bash
-        run: |
-          echo "connector=$DEFAULT_CONNECTOR_URL" > yubihsm_pkcs11.conf
-          export YUBIHSM_PKCS11_CONF=`pwd`/yubihsm_pkcs11.conf
-          ./opensc_test.sh $GITHUB_WORKSPACE/yubihsm-shell/build/pkcs11/yubihsm_pkcs11.so
+#      - name: run pkcs11-tool tests
+#        working-directory: yubihsm-shell/resources/tests/bash
+#        run: |
+#          echo "connector=$DEFAULT_CONNECTOR_URL" > yubihsm_pkcs11.conf
+#          export YUBIHSM_PKCS11_CONF=`pwd`/yubihsm_pkcs11.conf
+#          ./opensc_test.sh $GITHUB_WORKSPACE/yubihsm-shell/build/pkcs11/yubihsm_pkcs11.so
 
       - name: clone the YubicoLabs/yubihsm_sunpkcs11_tests repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -141,16 +141,15 @@ jobs:
       fail-fast: false
       matrix:
         environment: [
+            "ubuntu:24.04",
             "ubuntu:23.10",
-            "ubuntu:23.04",
             "ubuntu:22.04",
             "ubuntu:20.04",
-            "ubuntu:18.04",
-            "ubuntu:16.04",
-            "ubuntu:14.04",
+#            "ubuntu:18.04",
+#            "ubuntu:16.04",
+#            "ubuntu:14.04",
             "debian:12",
             "debian:11",
-            "debian:10"
         ]
         # perform gcc builds for all environments
         cc: [ "gcc" ]
@@ -208,6 +207,13 @@ jobs:
           # append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration
           sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration/' cmake/SecurityFlags.cmake
 
+      - name: apply environment specific changes to CMakeLists.txt
+        working-directory: yubihsm-shell
+        if: ${{ matrix.environment == 'ubuntu:24.04' }}
+        run: |
+          # ubuntu 24.04 comes with _FORTIFY_SOURCE already set
+          sed -i 's/add_definitions (-D_FORTIFY_SOURCE=2)/add_definitions (-D_FORTIFY_SOURCE=3)/' cmake/SecurityFlags.cmake
+
       - name: extract platform name
         env:
           DOCKER_IMAGE: ${{ matrix.environment }}
@@ -278,9 +284,8 @@ jobs:
       fail-fast: false
       matrix:
         environment: [
-            "fedora:37",
-            "fedora:38",
-            "centos:7"
+            "fedora:39",
+            "fedora:40",
         ]
 
     name: build on ${{ matrix.environment }}

diff --git a/lib/error.c b/lib/error.c
@@ -39,7 +39,7 @@ static const err_t errors[] = {
   ERR(YHR_SESSION_AUTHENTICATION_FAILED, "Unable to authenticate session"),
   ERR(YHR_MAC_MISMATCH, "Unable to verify MAC"),
   ERR(YHR_DEVICE_OK, "No error"),
-  ERR(YHR_DEVICE_INVALID_COMMAND, "Invalid command"),
+  ERR(YHR_DEVICE_INVALID_COMMAND, "Unrecognized command"),
   ERR(YHR_DEVICE_INVALID_DATA, "Malformed command / invalid data"),
   ERR(YHR_DEVICE_INVALID_SESSION, "Invalid session"),
   ERR(YHR_DEVICE_AUTHENTICATION_FAILED,

diff --git a/lib/scp.h b/lib/scp.h
@@ -49,7 +49,7 @@
 
 #define SCP_AUTHKEY_ID_LEN 2
 
-#define SCP_MSG_BUF_SIZE 2048
+#define SCP_MSG_BUF_SIZE 4096
 
 // Message
 #pragma pack(push, 1)