diff --git a/src/assert.c b/src/assert.c index b4f9dd0..d0950a7 100644 --- a/src/assert.c +++ b/src/assert.c @@ -363,7 +363,11 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, unsigned char *authdata_ptr = NULL; size_t authdata_len; struct cbor_load_result cbor; +#if OPENSSL_VERSION_NUMBER < 0x30000000 SHA256_CTX ctx; +#else + EVP_MD_CTX *mdctx = NULL; +#endif int ok = -1; if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len, @@ -377,10 +381,20 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, authdata_len = cbor_bytestring_length(item); if (cose_alg != COSE_EDDSA) { - if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 || + if (dgst->len < SHA256_DIGEST_LENGTH || +#if OPENSSL_VERSION_NUMBER < 0x30000000 + SHA256_Init(&ctx) == 0 || SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 || SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 || - SHA256_Final(dgst->ptr, &ctx) == 0) { + SHA256_Final(dgst->ptr, &ctx) == 0 +#else + (mdctx = EVP_MD_CTX_new()) == NULL || + EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) <= 0 || + EVP_DigestUpdate(mdctx, authdata_ptr, authdata_len) <= 0 || + EVP_DigestUpdate(mdctx, clientdata->ptr, clientdata->len) <= 0 || + EVP_DigestFinal_ex(mdctx, dgst->ptr, NULL) <= 0 +#endif + ) { fido_log_debug("%s: sha256", __func__); goto fail; } @@ -406,6 +415,9 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, fail: if (item != NULL) cbor_decref(&item); +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_MD_CTX_free(mdctx); +#endif return (ok); } @@ -410,7 +424,11 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk, const fido_blob_t *sig) { EVP_PKEY *pkey = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY_CTX *pctx = NULL; +#else EC_KEY *ec = NULL; +#endif int ok = -1; /* ECDSA_verify needs ints */ @@ -420,6 +438,20 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk, return (-1); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL || + (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { + fido_log_debug("%s: pk -> ec", __func__); + goto fail; + } + + if (EVP_PKEY_verify_init(pctx) != 1 || + EVP_PKEY_verify(pctx, sig->ptr, sig->len, + dgst->ptr, dgst->len) != 1) { + fido_log_debug("%s: EVP_PKEY_verify", __func__); + goto fail; + } +#else if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL || (ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) { fido_log_debug("%s: pk -> ec", __func__); @@ -433,10 +465,13 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk, } ok = 0; +#endif fail: if (pkey != NULL) EVP_PKEY_free(pkey); - +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY_CTX_free(pctx); +#endif return (ok); } @@ -445,7 +480,11 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk, const fido_blob_t *sig) { EVP_PKEY *pkey = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY_CTX *pctx = NULL; +#else RSA *rsa = NULL; +#endif int ok = -1; /* RSA_verify needs unsigned ints */ @@ -455,6 +494,22 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk, return (-1); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL || + (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { + fido_log_debug("%s: pk -> ec", __func__); + goto fail; + } + + if (EVP_PKEY_verify_init(pctx) != 1 || + EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 || + EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) != 1 || + EVP_PKEY_verify(pctx, sig->ptr, sig->len, + dgst->ptr, dgst->len) != 1) { + fido_log_debug("%s: EVP_PKEY_verify", __func__); + goto fail; + } +#else if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { fido_log_debug("%s: pk -> ec", __func__); @@ -466,12 +521,16 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk, fido_log_debug("%s: RSA_verify", __func__); goto fail; } +#endif ok = 0; fail: if (pkey != NULL) EVP_PKEY_free(pkey); +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY_CTX_free(pctx); +#endif return (ok); } diff --git a/src/cred.c b/src/cred.c index 92efde4..2ba1dd9 100644 --- a/src/cred.c +++ b/src/cred.c @@ -247,7 +247,11 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c, BIO *rawcert = NULL; X509 *cert = NULL; EVP_PKEY *pkey = NULL; - EC_KEY *ec; +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY_CTX *pctx = NULL; +#else + EC_KEY *ec = NULL; +#endif int ok = -1; /* openssl needs ints */ @@ -257,6 +261,22 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c, return (-1); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL || + (cert = d2i_X509_bio(rawcert, NULL)) == NULL || + (pkey = X509_get_pubkey(cert)) == NULL || + (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { + fido_log_debug("%s: x509 key", __func__); + goto fail; + } + + if (EVP_PKEY_verify_init(pctx) != 1 || + EVP_PKEY_verify(pctx, sig->ptr, sig->len, + dgst->ptr, dgst->len) != 1) { + fido_log_debug("%s: EVP_PKEY_verify", __func__); + goto fail; + } +#else /* fetch key from x509 */ if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL || (cert = d2i_X509_bio(rawcert, NULL)) == NULL || @@ -271,6 +291,7 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c, fido_log_debug("%s: ECDSA_verify", __func__); goto fail; } +#endif ok = 0; fail: @@ -280,6 +301,9 @@ fail: X509_free(cert); if (pkey != NULL) EVP_PKEY_free(pkey); +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY_CTX_free(pctx); +#endif return (ok); } --- libfido2-1.6.0/CMakeLists.txt.orig 2021-05-25 16:26:28.124822909 +0200 +++ libfido2-1.6.0/CMakeLists.txt 2021-05-25 16:27:08.492148194 +0200 @@ -152,6 +152,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations") check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL) if(HAVE_STACK_PROTECTOR_ALL) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-all")