|
 |
03440c |
diff --git a/src/assert.c b/src/assert.c
|
|
|
03440c |
index b4f9dd0..d0950a7 100644
|
|
|
03440c |
--- a/src/assert.c
|
|
|
03440c |
+++ b/src/assert.c
|
|
|
03440c |
@@ -363,7 +363,11 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
|
|
|
03440c |
unsigned char *authdata_ptr = NULL;
|
|
|
03440c |
size_t authdata_len;
|
|
|
03440c |
struct cbor_load_result cbor;
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER < 0x30000000
|
|
|
03440c |
SHA256_CTX ctx;
|
|
|
03440c |
+#else
|
|
|
03440c |
+ EVP_MD_CTX *mdctx = NULL;
|
|
|
03440c |
+#endif
|
|
|
03440c |
int ok = -1;
|
|
|
03440c |
|
|
|
03440c |
if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len,
|
|
|
03440c |
@@ -377,10 +381,20 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
|
|
|
03440c |
authdata_len = cbor_bytestring_length(item);
|
|
|
03440c |
|
|
|
03440c |
if (cose_alg != COSE_EDDSA) {
|
|
|
03440c |
- if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 ||
|
|
|
03440c |
+ if (dgst->len < SHA256_DIGEST_LENGTH ||
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER < 0x30000000
|
|
|
03440c |
+ SHA256_Init(&ctx) == 0 ||
|
|
|
03440c |
SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 ||
|
|
|
03440c |
SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 ||
|
|
|
03440c |
- SHA256_Final(dgst->ptr, &ctx) == 0) {
|
|
|
03440c |
+ SHA256_Final(dgst->ptr, &ctx) == 0
|
|
|
03440c |
+#else
|
|
|
03440c |
+ (mdctx = EVP_MD_CTX_new()) == NULL ||
|
|
|
03440c |
+ EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) <= 0 ||
|
|
|
03440c |
+ EVP_DigestUpdate(mdctx, authdata_ptr, authdata_len) <= 0 ||
|
|
|
03440c |
+ EVP_DigestUpdate(mdctx, clientdata->ptr, clientdata->len) <= 0 ||
|
|
|
03440c |
+ EVP_DigestFinal_ex(mdctx, dgst->ptr, NULL) <= 0
|
|
|
03440c |
+#endif
|
|
|
03440c |
+ ) {
|
|
|
03440c |
fido_log_debug("%s: sha256", __func__);
|
|
|
03440c |
goto fail;
|
|
|
03440c |
}
|
|
|
03440c |
@@ -406,6 +415,9 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
|
|
|
03440c |
fail:
|
|
|
03440c |
if (item != NULL)
|
|
|
03440c |
cbor_decref(&item);
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_MD_CTX_free(mdctx);
|
|
|
03440c |
+#endif
|
|
|
03440c |
|
|
|
03440c |
return (ok);
|
|
|
03440c |
}
|
|
|
03440c |
@@ -410,7 +424,11 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
|
|
|
03440c |
const fido_blob_t *sig)
|
|
|
03440c |
{
|
|
|
03440c |
EVP_PKEY *pkey = NULL;
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_PKEY_CTX *pctx = NULL;
|
|
|
03440c |
+#else
|
|
|
03440c |
EC_KEY *ec = NULL;
|
|
|
03440c |
+#endif
|
|
|
03440c |
int ok = -1;
|
|
|
03440c |
|
|
|
03440c |
/* ECDSA_verify needs ints */
|
|
|
03440c |
@@ -420,6 +438,20 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
|
|
|
03440c |
return (-1);
|
|
|
03440c |
}
|
|
|
03440c |
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
|
|
|
03440c |
+ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
|
|
|
03440c |
+ fido_log_debug("%s: pk -> ec", __func__);
|
|
|
03440c |
+ goto fail;
|
|
|
03440c |
+ }
|
|
|
03440c |
+
|
|
|
03440c |
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
|
|
|
03440c |
+ EVP_PKEY_verify(pctx, sig->ptr, sig->len,
|
|
|
03440c |
+ dgst->ptr, dgst->len) != 1) {
|
|
|
03440c |
+ fido_log_debug("%s: EVP_PKEY_verify", __func__);
|
|
|
03440c |
+ goto fail;
|
|
|
03440c |
+ }
|
|
|
03440c |
+#else
|
|
|
03440c |
if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
|
|
|
03440c |
(ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
|
|
|
03440c |
fido_log_debug("%s: pk -> ec", __func__);
|
|
|
03440c |
@@ -433,10 +465,13 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
|
|
|
03440c |
}
|
|
|
03440c |
|
|
|
03440c |
ok = 0;
|
|
|
03440c |
+#endif
|
|
|
03440c |
fail:
|
|
|
03440c |
if (pkey != NULL)
|
|
|
03440c |
EVP_PKEY_free(pkey);
|
|
|
03440c |
-
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_PKEY_CTX_free(pctx);
|
|
|
03440c |
+#endif
|
|
|
03440c |
return (ok);
|
|
|
03440c |
}
|
|
|
03440c |
|
|
|
03440c |
@@ -445,7 +480,11 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
|
|
|
03440c |
const fido_blob_t *sig)
|
|
|
03440c |
{
|
|
|
03440c |
EVP_PKEY *pkey = NULL;
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_PKEY_CTX *pctx = NULL;
|
|
|
03440c |
+#else
|
|
|
03440c |
RSA *rsa = NULL;
|
|
|
03440c |
+#endif
|
|
|
03440c |
int ok = -1;
|
|
|
03440c |
|
|
|
03440c |
/* RSA_verify needs unsigned ints */
|
|
|
03440c |
@@ -455,6 +494,22 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
|
|
|
03440c |
return (-1);
|
|
|
03440c |
}
|
|
|
03440c |
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
|
|
|
03440c |
+ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
|
|
|
03440c |
+ fido_log_debug("%s: pk -> ec", __func__);
|
|
|
03440c |
+ goto fail;
|
|
|
03440c |
+ }
|
|
|
03440c |
+
|
|
|
03440c |
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
|
|
|
03440c |
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 ||
|
|
|
03440c |
+ EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) != 1 ||
|
|
|
03440c |
+ EVP_PKEY_verify(pctx, sig->ptr, sig->len,
|
|
|
03440c |
+ dgst->ptr, dgst->len) != 1) {
|
|
|
03440c |
+ fido_log_debug("%s: EVP_PKEY_verify", __func__);
|
|
|
03440c |
+ goto fail;
|
|
|
03440c |
+ }
|
|
|
03440c |
+#else
|
|
|
03440c |
if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
|
|
|
03440c |
(rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
|
|
|
03440c |
fido_log_debug("%s: pk -> ec", __func__);
|
|
|
03440c |
@@ -466,12 +521,16 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
|
|
|
03440c |
fido_log_debug("%s: RSA_verify", __func__);
|
|
|
03440c |
goto fail;
|
|
|
03440c |
}
|
|
|
03440c |
+#endif
|
|
|
03440c |
|
|
|
03440c |
ok = 0;
|
|
|
03440c |
fail:
|
|
|
03440c |
if (pkey != NULL)
|
|
|
03440c |
EVP_PKEY_free(pkey);
|
|
|
03440c |
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_PKEY_CTX_free(pctx);
|
|
|
03440c |
+#endif
|
|
|
03440c |
return (ok);
|
|
|
03440c |
}
|
|
|
03440c |
|
|
|
03440c |
diff --git a/src/cred.c b/src/cred.c
|
|
|
03440c |
index 92efde4..2ba1dd9 100644
|
|
|
03440c |
--- a/src/cred.c
|
|
|
03440c |
+++ b/src/cred.c
|
|
|
03440c |
@@ -247,7 +247,11 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
|
|
|
03440c |
BIO *rawcert = NULL;
|
|
|
03440c |
X509 *cert = NULL;
|
|
|
03440c |
EVP_PKEY *pkey = NULL;
|
|
|
03440c |
- EC_KEY *ec;
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_PKEY_CTX *pctx = NULL;
|
|
|
03440c |
+#else
|
|
|
03440c |
+ EC_KEY *ec = NULL;
|
|
|
03440c |
+#endif
|
|
|
03440c |
int ok = -1;
|
|
|
03440c |
|
|
|
03440c |
/* openssl needs ints */
|
|
|
03440c |
@@ -257,6 +261,22 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
|
|
|
03440c |
return (-1);
|
|
|
03440c |
}
|
|
|
03440c |
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
|
|
|
03440c |
+ (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
|
|
|
03440c |
+ (pkey = X509_get_pubkey(cert)) == NULL ||
|
|
|
03440c |
+ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
|
|
|
03440c |
+ fido_log_debug("%s: x509 key", __func__);
|
|
|
03440c |
+ goto fail;
|
|
|
03440c |
+ }
|
|
|
03440c |
+
|
|
|
03440c |
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
|
|
|
03440c |
+ EVP_PKEY_verify(pctx, sig->ptr, sig->len,
|
|
|
03440c |
+ dgst->ptr, dgst->len) != 1) {
|
|
|
03440c |
+ fido_log_debug("%s: EVP_PKEY_verify", __func__);
|
|
|
03440c |
+ goto fail;
|
|
|
03440c |
+ }
|
|
|
03440c |
+#else
|
|
|
03440c |
/* fetch key from x509 */
|
|
|
03440c |
if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
|
|
|
03440c |
(cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
|
|
|
03440c |
@@ -271,6 +291,7 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
|
|
|
03440c |
fido_log_debug("%s: ECDSA_verify", __func__);
|
|
|
03440c |
goto fail;
|
|
|
03440c |
}
|
|
|
03440c |
+#endif
|
|
|
03440c |
|
|
|
03440c |
ok = 0;
|
|
|
03440c |
fail:
|
|
|
03440c |
@@ -280,6 +301,9 @@ fail:
|
|
|
03440c |
X509_free(cert);
|
|
|
03440c |
if (pkey != NULL)
|
|
|
03440c |
EVP_PKEY_free(pkey);
|
|
|
03440c |
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
|
03440c |
+ EVP_PKEY_CTX_free(pctx);
|
|
|
03440c |
+#endif
|
|
|
03440c |
|
|
|
03440c |
return (ok);
|
|
|
03440c |
}
|
|
|
03440c |
--- libfido2-1.6.0/CMakeLists.txt.orig 2021-05-25 16:26:28.124822909 +0200
|
|
|
03440c |
+++ libfido2-1.6.0/CMakeLists.txt 2021-05-25 16:27:08.492148194 +0200
|
|
|
03440c |
@@ -152,6 +152,7 @@
|
|
|
03440c |
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
|
|
|
03440c |
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
|
|
|
03440c |
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
|
|
|
03440c |
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations")
|
|
|
03440c |
check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
|
|
|
03440c |
if(HAVE_STACK_PROTECTOR_ALL)
|
|
|
03440c |
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-all")
|