Toshaan Bharvani
1 year ago
commit
a19c110347
4 changed files with 4848 additions and 0 deletions
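--- /dev/null
+++ b/libfido2-gcc11.patch
@@ -0,0 +1,12 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index dbd5fa5..a5cdbbb 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -133,6 +133,7 @@ else()
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-prototypes")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wbad-function-cast")
++ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
+check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)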
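Review bot: The added `+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")` turns the diagnostic off for every compiler and every future gcc release, although the justification given in the spec file (a gcc-11 false positive, gcc bug 97631) is specific to one compiler version, and the same warning class also reports genuine buffer overflows. Guarding the flag the way the `-fstack-protector-all` line just below is guarded with `check_c_compiler_flag`, or testing `CMAKE_C_COMPILER_VERSION`, would let the warning come back once the compiler bug is fixed. The rationale currently lives only in the spec; a comment above the flag, `# gcc-11 false positive (gcc bug 97631); remove when fixed upstream`, would keep it next to the flag it explains.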
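--- /dev/null
+++ b/libfido2-openssl30.patch
@@ -0,0 +1,217 @@
+diff --git a/src/assert.c b/src/assert.c
+index b4f9dd0..d0950a7 100644
+--- a/src/assert.c
++++ b/src/assert.c
+@@ -363,7 +363,11 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
+unsigned char *authdata_ptr = NULL;
+size_t authdata_len;
+struct cbor_load_result cbor;
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+SHA256_CTX ctx;
++#else
++ EVP_MD_CTX *mdctx = NULL;
++#endif
+int ok = -1;
+
+if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len,
+@@ -377,10 +381,20 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
+authdata_len = cbor_bytestring_length(item);
+
+if (cose_alg != COSE_EDDSA) {
+- if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 ||
++ if (dgst->len < SHA256_DIGEST_LENGTH ||
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++ SHA256_Init(&ctx) == 0 ||
+SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 ||
+SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 ||
+- SHA256_Final(dgst->ptr, &ctx) == 0) {
++ SHA256_Final(dgst->ptr, &ctx) == 0
++#else
++ (mdctx = EVP_MD_CTX_new()) == NULL ||
++ EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) <= 0 ||
++ EVP_DigestUpdate(mdctx, authdata_ptr, authdata_len) <= 0 ||
++ EVP_DigestUpdate(mdctx, clientdata->ptr, clientdata->len) <= 0 ||
++ EVP_DigestFinal_ex(mdctx, dgst->ptr, NULL) <= 0
++#endif
++ ) {
+fido_log_debug("%s: sha256", __func__);
+goto fail;
+}
+@@ -406,6 +415,9 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
+fail:
+if (item != NULL)
+cbor_decref(&item);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_MD_CTX_free(mdctx);
++#endif
+
+return (ok);
+}
+@@ -410,7 +424,11 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
+const fido_blob_t *sig)
+{
+EVP_PKEY *pkey = NULL;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_PKEY_CTX *pctx = NULL;
++#else
+EC_KEY *ec = NULL;
++#endif
+int ok = -1;
+
+/* ECDSA_verify needs ints */
+@@ -420,6 +438,20 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
+return (-1);
+}
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
++ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
++ fido_log_debug("%s: pk -> ec", __func__);
++ goto fail;
++ }
++
++ if (EVP_PKEY_verify_init(pctx) != 1 ||
++ EVP_PKEY_verify(pctx, sig->ptr, sig->len,
++ dgst->ptr, dgst->len) != 1) {
++ fido_log_debug("%s: EVP_PKEY_verify", __func__);
++ goto fail;
++ }
++#else
+if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
+(ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
+fido_log_debug("%s: pk -> ec", __func__);
+@@ -433,10 +465,13 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
+}
+
+ok = 0;
++#endif
+fail:
+if (pkey != NULL)
+EVP_PKEY_free(pkey);
+-
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_PKEY_CTX_free(pctx);
++#endif
+return (ok);
+}
+
+@@ -445,7 +480,11 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
+const fido_blob_t *sig)
+{
+EVP_PKEY *pkey = NULL;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_PKEY_CTX *pctx = NULL;
++#else
+RSA *rsa = NULL;
++#endif
+int ok = -1;
+
+/* RSA_verify needs unsigned ints */
+@@ -455,6 +494,22 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
+return (-1);
+}
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
++ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
++ fido_log_debug("%s: pk -> ec", __func__);
++ goto fail;
++ }
++
++ if (EVP_PKEY_verify_init(pctx) != 1 ||
++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 ||
++ EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) != 1 ||
++ EVP_PKEY_verify(pctx, sig->ptr, sig->len,
++ dgst->ptr, dgst->len) != 1) {
++ fido_log_debug("%s: EVP_PKEY_verify", __func__);
++ goto fail;
++ }
++#else
+if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
+(rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
+fido_log_debug("%s: pk -> ec", __func__);
+@@ -466,12 +521,16 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
+fido_log_debug("%s: RSA_verify", __func__);
+goto fail;
+}
++#endif
+
+ok = 0;
+fail:
+if (pkey != NULL)
+EVP_PKEY_free(pkey);
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_PKEY_CTX_free(pctx);
++#endif
+return (ok);
+}
+
+diff --git a/src/cred.c b/src/cred.c
+index 92efde4..2ba1dd9 100644
+--- a/src/cred.c
++++ b/src/cred.c
+@@ -247,7 +247,11 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
+BIO *rawcert = NULL;
+X509 *cert = NULL;
+EVP_PKEY *pkey = NULL;
+- EC_KEY *ec;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_PKEY_CTX *pctx = NULL;
++#else
++ EC_KEY *ec = NULL;
++#endif
+int ok = -1;
+
+/* openssl needs ints */
+@@ -257,6 +261,22 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
+return (-1);
+}
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
++ (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
++ (pkey = X509_get_pubkey(cert)) == NULL ||
++ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
++ fido_log_debug("%s: x509 key", __func__);
++ goto fail;
++ }
++
++ if (EVP_PKEY_verify_init(pctx) != 1 ||
++ EVP_PKEY_verify(pctx, sig->ptr, sig->len,
++ dgst->ptr, dgst->len) != 1) {
++ fido_log_debug("%s: EVP_PKEY_verify", __func__);
++ goto fail;
++ }
++#else
+/* fetch key from x509 */
+if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
+(cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
+@@ -271,6 +291,7 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
+fido_log_debug("%s: ECDSA_verify", __func__);
+goto fail;
+}
++#endif
+
+ok = 0;
+fail:
+@@ -280,6 +301,9 @@ fail:
+X509_free(cert);
+if (pkey != NULL)
+EVP_PKEY_free(pkey);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++ EVP_PKEY_CTX_free(pctx);
++#endif
+
+return (ok);
+}
+--- libfido2-1.6.0/CMakeLists.txt.orig 2021-05-25 16:26:28.124822909 +0200
++++ libfido2-1.6.0/CMakeLists.txt 2021-05-25 16:27:08.492148194 +0200
+@@ -152,6 +152,7 @@
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
++ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations")
+check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
+if(HAVE_STACK_PROTECTOR_ALL)
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-all")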
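Review bot: The OpenSSL 3 branch of `verify_sig` in src/cred.c (hunk `@@ -257,6 +261,22 @@`) drops the key-type constraint the pre-3.0 branch enforces: the old path fails unless `EVP_PKEY_get0_EC_KEY(pkey)` succeeds, whereas the new path hands whatever key `X509_get_pubkey(cert)` returns straight to `EVP_PKEY_CTX_new`/`EVP_PKEY_verify`, so an x5c certificate carrying a non-EC key would now be verified under that key's own algorithm instead of being rejected, and x5c is peer-supplied. Keeping the constraint is a one-line change available on both OpenSSL versions: add `EVP_PKEY_base_id(pkey) != EVP_PKEY_EC ||` to the condition chain ahead of `(pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {`, so the failure still logs as `"%s: x509 key"`. The es256/rs256 branches in src/assert.c are not exposed to this because their keys are built by `es256_pk_to_EVP_PKEY`/`rs256_pk_to_EVP_PKEY` rather than parsed from a certificate. Separately, the new rs256 branch copies the `"%s: pk -> ec"` debug message for an RSA key; `"%s: pk -> rsa"` would describe that failure correctly. The bodies of `verify_sig` and the three assert.c functions begin and end outside the quoted hunks.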
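--- /dev/null
+++ b/<spec file path not shown on page>
@@ -0,0 +1,199 @@
+Name: libfido2
+
+Version: 1.6.0
+Release: 7%{?dist}
+Summary: FIDO2 library
+
+License: BSD
+URL: https://github.com/Yubico/%{name}
+Source0: https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz
+Source1: https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz.sig
+Source2: yubico-release-gpgkeys.asc
+# Work around false positive from gcc-11 until its fixed upstream
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631
+Patch0002: %{name}-gcc11.patch
+Patch0003: %{name}-openssl30.patch
+
+BuildRequires: cmake
+BuildRequires: hidapi-devel
+BuildRequires: libcbor-devel
+BuildRequires: libudev-devel
+BuildRequires: openssl-devel
+BuildRequires: gcc
+BuildRequires: gnupg2
+BuildRequires: make
+Requires: (u2f-hidraw-policy if systemd-udev)
+
+%description
+%{name} is an open source library to support the FIDO2 protocol. FIDO2 is
+an open authentication standard that consists of the W3C Web Authentication
+specification (WebAuthn API), and the Client to Authentication Protocol
+(CTAP). CTAP is an application layer protocol used for communication
+between a client (browser) or a platform (operating system) with an external
+authentication device (for example the Yubico Security Key).
+
+################################################################################
+
+%package devel
+
+Summary: Development files for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+%{name}-devel contains development libraries and header files for %{name}.
+
+################################################################################
+
+%package -n fido2-tools
+
+Summary: FIDO2 tools
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description -n fido2-tools
+FIDO2 command line tools to access and configure a FIDO2 compliant
+authentication device.
+
+################################################################################
+
+
+%prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1 -n %{name}-%{version}
+
+
+%build
+%cmake
+%cmake_build
+
+
+%install
+%cmake_install
+# Remove static files per packaging guidelines
+find %{buildroot} -type f -name "*.a" -delete -print
+
+
+%files
+%doc NEWS README.adoc
+%license LICENSE
+%{_libdir}/libfido2.so.1{,.*}
+
+%files devel
+%{_libdir}/pkgconfig/*
+%{_libdir}/libfido2.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+%files -n fido2-tools
+%{_bindir}/*
+%{_mandir}/man1/*
+
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-6
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+Related: rhbz#1971065
+
+* Fri Jun 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.6.0-5
+- rebuilt
+
+* Tue May 25 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.6.0-4
+- OpenSSL 3.0 compatibility. Related: rhbz#1961051
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 13 2021 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.6.0-1
+- 1.6.0 release (#1910101)
+
+* Thu Dec 17 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.5.0-4
+- Use gpgverify macro and ascii armored yubico release keys
+
+* Wed Nov 04 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.5.0-3
+- add BR make
+- fix typo in changelog day (Tuu -> Thu) to make rpmlint happy
+
+* Thu Oct 29 2020 Jeff Law <law@redhat.com> 1.5.0-2
+- Work around false positive diagnostic in gcc-11
+
+* Fri Sep 11 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.5.0-1
+- 1.5.0 release (#1824326)
+- include upstream patch to fix 32-bit platform compile, reported at
+https://github.com/Yubico/libfido2/issues/210
+
+* Tue Sep 08 2020 Kalev Lember <klember@redhat.com> - 1.4.0-4
+- Rebuilt for libcbor soname bump
+
+* Wed Jul 29 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.4.0-3
+- adapt to new Fedora cmake rpm macros
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Apr 15 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.4.0-1
+- 1.4.0 release (#1824326)
+
+* Sat Apr 11 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.1-2
+- change to require u2f-hidraw-policy only if systemd-udev (#1823002)
+
+* Thu Feb 20 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.1-1
+- 1.3.1 release
+
+* Mon Dec 16 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.0-3
+- use yubico corp release site for sources and gpg signature
+
+* Sat Dec 14 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.0-2
+- packaging cleanups
+
+* Sat Nov 30 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.0-1
+- 1.3.0 release
+
+* Mon Jul 29 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.2.0-1
+- 1.2.0 release
+
+* Sat May 11 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.1.0-1
+- 1.1.0 release
+
+* Fri Apr 05 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.0.0-2
+- include backported upstream patches for compiler dependencies and soname version
+- modify libdir glob to meet newer packaging recommendations
+
+* Thu Mar 21 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.0.0-1
+- 1.0.0 release
+
+* Mon Jan 07 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.4.0-1
+- 0.4.0 release
+
+* Wed Sep 12 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-1
+- 0.3.0 release
+
+* Fri Sep 07 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.8.20180907git878fcd8
+- update to upstream master
+
+* Thu Sep 06 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.7.20180906gitff7ece8
+- update to upstream master
+
+* Wed Sep 05 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.6.20180905gitcb4951c
+- update to upstream master
+
+* Tue Sep 04 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.5.20180904git2b5f0d0
+- update to upstream master
+
+* Mon Aug 27 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.4.20180827git9d178b2
+- Update to upstream master
+
+* Thu Aug 23 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.3.20180823git0f40181
+- Update to upstream master
+
+* Tue Aug 21 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.2.20180821gitfff65a4
+- Update to upstream master
+
+* Wed Aug 08 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.1.20180808git5be8903
+- Update to new spec
+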
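Review bot: `Patch0003: %{name}-openssl30.patch` has no comment saying what it changes or when it can be dropped, unlike `Patch0002` two lines above, so the rationale is only recoverable from the 1.6.0-4 changelog entry. A comment above the line such as `# OpenSSL 3.0 API compatibility (EVP digest/verify paths); also adds -Wno-deprecated-declarations. Drop when the packaged release builds against OpenSSL 3 unpatched. Related: rhbz#1961051` would keep that context with the patch. It is also worth recording in the same comment that the patch silences deprecation warnings build-wide, since those warnings are what would otherwise flag any remaining legacy OpenSSL API use.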