From e1efdc800f77af2843e42cf6ee61ca322b9031bd Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Thu, 29 Aug 2024 20:32:01 +0200 Subject: [PATCH 1/2] Validate oeap_label len --- lib/yubihsm.c | 6 ++++++ resources/tests/bash/test_wrapkey.sh | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/yubihsm.c b/lib/yubihsm.c index c55df6e7..5cf89252 100644 --- a/lib/yubihsm.c +++ b/lib/yubihsm.c @@ -2919,6 +2919,12 @@ do_rsa_wrap(yh_cmd cmd, return YHR_INVALID_PARAMETERS; } + if (oaep_label_len != 20 && oaep_label_len != 32 && oaep_label_len != 48 && + oaep_label_len != 64) { + DBG_ERR("Wrong digest length. %s", yh_strerror(YHR_INVALID_PARAMETERS)); + return YHR_INVALID_PARAMETERS; + } + #pragma pack(push, 1) union { struct { diff --git a/resources/tests/bash/test_wrapkey.sh b/resources/tests/bash/test_wrapkey.sh index d66d0278..b41f0250 100755 --- a/resources/tests/bash/test_wrapkey.sh +++ b/resources/tests/bash/test_wrapkey.sh @@ -290,9 +290,9 @@ for k in ${RSA_KEYSIZE[@]}; do rm data.enc echo "=== Wrap and unwrap AES key material with generated RSA wrap key" - test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --out rsawrapped.key" " Export wrapped AES key material" + test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key --oaep rsa-oaep-sha384 --mgf1 mgf1-sha1 --out rsawrapped.key" " Export wrapped AES key material" test "$BIN -p password -a delete-object -i $aeskey -t symmetric-key" " Delete AES key" - test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key -A aes128 -c exportable-under-wrap,decrypt-cbc,encrypt-cbc --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --in rsawrapped.key" " Import wrapped AES key material" + test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key -A aes128 -c exportable-under-wrap,decrypt-cbc,encrypt-cbc --oaep rsa-oaep-sha384 --mgf1 mgf1-sha1 --in rsawrapped.key" " Import wrapped AES key material" info=$($BIN -p password -a get-object-info -i $aeskey -t symmetric-key 2> /dev/null) seq_aes=$((seq_aes+1)) cmp_str_content "$info" "sequence: $seq_aes" "Sequence" @@ -337,9 +337,9 @@ for k in ${RSA_KEYSIZE[@]}; do rm rsawrapped.object echo "=== Wrap and unwrap EC key material with imported RSA wrap key" - test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --out rsawrapped.key" " Export wrapped EC key material" + test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key --oaep rsa-oaep-sha512 --mgf1 mgf1-sha512 --out rsawrapped.key" " Export wrapped EC key material" test "$BIN -p password -a delete-object -i $eckey -t asymmetric-key" " Delete EC key" - test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key -A ecp224 -c exportable-under-wrap,sign-ecdsa --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --in rsawrapped.key" " Import wrapped EC key material" + test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key -A ecp224 -c exportable-under-wrap,sign-ecdsa --oaep rsa-oaep-sha512 --mgf1 mgf1-sha512 --in rsawrapped.key" " Import wrapped EC key material" info=$($BIN -p password -a get-object-info -i $eckey -t asymmetric-key 2> /dev/null) seq_ec=$((seq_ec+1)) cmp_str_content "$info" "sequence: $seq_ec" "Sequence" From c505f8c6e12949cc9464a59d2daf3d6928bb2c0d Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Sat, 31 Aug 2024 10:47:15 +0200 Subject: [PATCH 2/2] Return correct length for partnumber --- lib/yubihsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/yubihsm.c b/lib/yubihsm.c index 5cf89252..3ae4bbae 100644 --- a/lib/yubihsm.c +++ b/lib/yubihsm.c @@ -1393,7 +1393,7 @@ yh_rc yh_util_get_partnumber(yh_connector *connector, char *part_number, } memcpy(part_number, response, response_len); part_number[response_len] = 0; - *part_number_len = response_len; + *part_number_len = response_len + 1; return YHR_SUCCESS; }