From 03440c8af2e636183482979d0338058ae2d80c30 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 04 2021 02:17:05 +0000 Subject: import libfido2-1.6.0-7.el9 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..046c030 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/libfido2-1.6.0.tar.gz +SOURCES/yubico-release-gpgkeys.asc diff --git a/.libfido2.metadata b/.libfido2.metadata new file mode 100644 index 0000000..a459f07 --- /dev/null +++ b/.libfido2.metadata @@ -0,0 +1,2 @@ +6f57e9a0554b458f3840f963025dc99340e1ed43 SOURCES/libfido2-1.6.0.tar.gz +af0831854f1e3c8bb59e5f2764d457adc31d285a SOURCES/yubico-release-gpgkeys.asc diff --git a/SOURCES/libfido2-1.6.0.tar.gz.sig b/SOURCES/libfido2-1.6.0.tar.gz.sig new file mode 100644 index 0000000..91dd1a3 Binary files /dev/null and b/SOURCES/libfido2-1.6.0.tar.gz.sig differ diff --git a/SOURCES/libfido2-gcc11.patch b/SOURCES/libfido2-gcc11.patch new file mode 100644 index 0000000..1765779 --- /dev/null +++ b/SOURCES/libfido2-gcc11.patch @@ -0,0 +1,12 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index dbd5fa5..a5cdbbb 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -133,6 +133,7 @@ else() + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-prototypes") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wbad-function-cast") ++ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors") + check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL) diff --git a/SOURCES/libfido2-openssl30.patch b/SOURCES/libfido2-openssl30.patch new file mode 100644 index 0000000..bc2a201 --- /dev/null +++ b/SOURCES/libfido2-openssl30.patch @@ -0,0 +1,217 @@ +diff --git a/src/assert.c b/src/assert.c +index b4f9dd0..d0950a7 100644 +--- a/src/assert.c ++++ b/src/assert.c +@@ -363,7 +363,11 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, + unsigned char *authdata_ptr = NULL; + size_t authdata_len; + struct cbor_load_result cbor; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + SHA256_CTX ctx; ++#else ++ EVP_MD_CTX *mdctx = NULL; ++#endif + int ok = -1; + + if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len, +@@ -377,10 +381,20 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, + authdata_len = cbor_bytestring_length(item); + + if (cose_alg != COSE_EDDSA) { +- if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 || ++ if (dgst->len < SHA256_DIGEST_LENGTH || ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ SHA256_Init(&ctx) == 0 || + SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 || + SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 || +- SHA256_Final(dgst->ptr, &ctx) == 0) { ++ SHA256_Final(dgst->ptr, &ctx) == 0 ++#else ++ (mdctx = EVP_MD_CTX_new()) == NULL || ++ EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) <= 0 || ++ EVP_DigestUpdate(mdctx, authdata_ptr, authdata_len) <= 0 || ++ EVP_DigestUpdate(mdctx, clientdata->ptr, clientdata->len) <= 0 || ++ EVP_DigestFinal_ex(mdctx, dgst->ptr, NULL) <= 0 ++#endif ++ ) { + fido_log_debug("%s: sha256", __func__); + goto fail; + } +@@ -406,6 +415,9 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst, + fail: + if (item != NULL) + cbor_decref(&item); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_MD_CTX_free(mdctx); ++#endif + + return (ok); + } +@@ -410,7 +424,11 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk, + const fido_blob_t *sig) + { + EVP_PKEY *pkey = NULL; ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_PKEY_CTX *pctx = NULL; ++#else + EC_KEY *ec = NULL; ++#endif + int ok = -1; + + /* ECDSA_verify needs ints */ +@@ -420,6 +438,20 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk, + return (-1); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL || ++ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { ++ fido_log_debug("%s: pk -> ec", __func__); ++ goto fail; ++ } ++ ++ if (EVP_PKEY_verify_init(pctx) != 1 || ++ EVP_PKEY_verify(pctx, sig->ptr, sig->len, ++ dgst->ptr, dgst->len) != 1) { ++ fido_log_debug("%s: EVP_PKEY_verify", __func__); ++ goto fail; ++ } ++#else + if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL || + (ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) { + fido_log_debug("%s: pk -> ec", __func__); +@@ -433,10 +465,13 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk, + } + + ok = 0; ++#endif + fail: + if (pkey != NULL) + EVP_PKEY_free(pkey); +- ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_PKEY_CTX_free(pctx); ++#endif + return (ok); + } + +@@ -445,7 +480,11 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk, + const fido_blob_t *sig) + { + EVP_PKEY *pkey = NULL; ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_PKEY_CTX *pctx = NULL; ++#else + RSA *rsa = NULL; ++#endif + int ok = -1; + + /* RSA_verify needs unsigned ints */ +@@ -455,6 +494,22 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk, + return (-1); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL || ++ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { ++ fido_log_debug("%s: pk -> ec", __func__); ++ goto fail; ++ } ++ ++ if (EVP_PKEY_verify_init(pctx) != 1 || ++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 || ++ EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) != 1 || ++ EVP_PKEY_verify(pctx, sig->ptr, sig->len, ++ dgst->ptr, dgst->len) != 1) { ++ fido_log_debug("%s: EVP_PKEY_verify", __func__); ++ goto fail; ++ } ++#else + if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL || + (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { + fido_log_debug("%s: pk -> ec", __func__); +@@ -466,12 +521,16 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk, + fido_log_debug("%s: RSA_verify", __func__); + goto fail; + } ++#endif + + ok = 0; + fail: + if (pkey != NULL) + EVP_PKEY_free(pkey); + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_PKEY_CTX_free(pctx); ++#endif + return (ok); + } + +diff --git a/src/cred.c b/src/cred.c +index 92efde4..2ba1dd9 100644 +--- a/src/cred.c ++++ b/src/cred.c +@@ -247,7 +247,11 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c, + BIO *rawcert = NULL; + X509 *cert = NULL; + EVP_PKEY *pkey = NULL; +- EC_KEY *ec; ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_PKEY_CTX *pctx = NULL; ++#else ++ EC_KEY *ec = NULL; ++#endif + int ok = -1; + + /* openssl needs ints */ +@@ -257,6 +261,22 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c, + return (-1); + } + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL || ++ (cert = d2i_X509_bio(rawcert, NULL)) == NULL || ++ (pkey = X509_get_pubkey(cert)) == NULL || ++ (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { ++ fido_log_debug("%s: x509 key", __func__); ++ goto fail; ++ } ++ ++ if (EVP_PKEY_verify_init(pctx) != 1 || ++ EVP_PKEY_verify(pctx, sig->ptr, sig->len, ++ dgst->ptr, dgst->len) != 1) { ++ fido_log_debug("%s: EVP_PKEY_verify", __func__); ++ goto fail; ++ } ++#else + /* fetch key from x509 */ + if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL || + (cert = d2i_X509_bio(rawcert, NULL)) == NULL || +@@ -271,6 +291,7 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c, + fido_log_debug("%s: ECDSA_verify", __func__); + goto fail; + } ++#endif + + ok = 0; + fail: +@@ -280,6 +301,9 @@ fail: + X509_free(cert); + if (pkey != NULL) + EVP_PKEY_free(pkey); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ EVP_PKEY_CTX_free(pctx); ++#endif + + return (ok); + } +--- libfido2-1.6.0/CMakeLists.txt.orig 2021-05-25 16:26:28.124822909 +0200 ++++ libfido2-1.6.0/CMakeLists.txt 2021-05-25 16:27:08.492148194 +0200 +@@ -152,6 +152,7 @@ + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors") ++ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations") + check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL) + if(HAVE_STACK_PROTECTOR_ALL) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-all") diff --git a/SPECS/libfido2.spec b/SPECS/libfido2.spec new file mode 100644 index 0000000..f30a8f9 --- /dev/null +++ b/SPECS/libfido2.spec @@ -0,0 +1,199 @@ +Name: libfido2 + +Version: 1.6.0 +Release: 7%{?dist} +Summary: FIDO2 library + +License: BSD +URL: https://github.com/Yubico/%{name} +Source0: https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz +Source1: https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz.sig +Source2: yubico-release-gpgkeys.asc +# Work around false positive from gcc-11 until its fixed upstream +# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631 +Patch0002: %{name}-gcc11.patch +Patch0003: %{name}-openssl30.patch + +BuildRequires: cmake +BuildRequires: hidapi-devel +BuildRequires: libcbor-devel +BuildRequires: libudev-devel +BuildRequires: openssl-devel +BuildRequires: gcc +BuildRequires: gnupg2 +BuildRequires: make +Requires: (u2f-hidraw-policy if systemd-udev) + +%description +%{name} is an open source library to support the FIDO2 protocol. FIDO2 is +an open authentication standard that consists of the W3C Web Authentication +specification (WebAuthn API), and the Client to Authentication Protocol +(CTAP). CTAP is an application layer protocol used for communication +between a client (browser) or a platform (operating system) with an external +authentication device (for example the Yubico Security Key). + +################################################################################ + +%package devel + +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +%{name}-devel contains development libraries and header files for %{name}. + +################################################################################ + +%package -n fido2-tools + +Summary: FIDO2 tools +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description -n fido2-tools +FIDO2 command line tools to access and configure a FIDO2 compliant +authentication device. + +################################################################################ + + +%prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p1 -n %{name}-%{version} + + +%build +%cmake +%cmake_build + + +%install +%cmake_install +# Remove static files per packaging guidelines +find %{buildroot} -type f -name "*.a" -delete -print + + +%files +%doc NEWS README.adoc +%license LICENSE +%{_libdir}/libfido2.so.1{,.*} + +%files devel +%{_libdir}/pkgconfig/* +%{_libdir}/libfido2.so +%{_includedir}/* +%{_mandir}/man3/* + +%files -n fido2-tools +%{_bindir}/* +%{_mandir}/man1/* + + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 1.6.0-7 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 1.6.0-6 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri Jun 04 2021 Dmitry Belyavskiy - 1.6.0-5 +- rebuilt + +* Tue May 25 2021 Dmitry Belyavskiy - 1.6.0-4 +- OpenSSL 3.0 compatibility. Related: rhbz#1961051 + +* Fri Apr 16 2021 Mohan Boddu - 1.6.0-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 1.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 13 2021 Gary Buhrmaster 1.6.0-1 +- 1.6.0 release (#1910101) + +* Thu Dec 17 2020 Gary Buhrmaster 1.5.0-4 +- Use gpgverify macro and ascii armored yubico release keys + +* Wed Nov 04 2020 Gary Buhrmaster 1.5.0-3 +- add BR make +- fix typo in changelog day (Tuu -> Thu) to make rpmlint happy + +* Thu Oct 29 2020 Jeff Law 1.5.0-2 +- Work around false positive diagnostic in gcc-11 + +* Fri Sep 11 2020 Gary Buhrmaster 1.5.0-1 +- 1.5.0 release (#1824326) +- include upstream patch to fix 32-bit platform compile, reported at + https://github.com/Yubico/libfido2/issues/210 + +* Tue Sep 08 2020 Kalev Lember - 1.4.0-4 +- Rebuilt for libcbor soname bump + +* Wed Jul 29 2020 Gary Buhrmaster 1.4.0-3 +- adapt to new Fedora cmake rpm macros + +* Tue Jul 28 2020 Fedora Release Engineering - 1.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Apr 15 2020 Gary Buhrmaster 1.4.0-1 +- 1.4.0 release (#1824326) + +* Sat Apr 11 2020 Gary Buhrmaster 1.3.1-2 +- change to require u2f-hidraw-policy only if systemd-udev (#1823002) + +* Thu Feb 20 2020 Gary Buhrmaster 1.3.1-1 +- 1.3.1 release + +* Mon Dec 16 2019 Gary Buhrmaster 1.3.0-3 +- use yubico corp release site for sources and gpg signature + +* Sat Dec 14 2019 Gary Buhrmaster 1.3.0-2 +- packaging cleanups + +* Sat Nov 30 2019 Gary Buhrmaster 1.3.0-1 +- 1.3.0 release + +* Mon Jul 29 2019 Gary Buhrmaster 1.2.0-1 +- 1.2.0 release + +* Sat May 11 2019 Gary Buhrmaster 1.1.0-1 +- 1.1.0 release + +* Fri Apr 05 2019 Gary Buhrmaster 1.0.0-2 +- include backported upstream patches for compiler dependencies and soname version +- modify libdir glob to meet newer packaging recommendations + +* Thu Mar 21 2019 Gary Buhrmaster 1.0.0-1 +- 1.0.0 release + +* Mon Jan 07 2019 Gary Buhrmaster 0.4.0-1 +- 0.4.0 release + +* Wed Sep 12 2018 Gary Buhrmaster 0.3.0-1 +- 0.3.0 release + +* Fri Sep 07 2018 Gary Buhrmaster 0.3.0-0.8.20180907git878fcd8 +- update to upstream master + +* Thu Sep 06 2018 Gary Buhrmaster 0.3.0-0.7.20180906gitff7ece8 +- update to upstream master + +* Wed Sep 05 2018 Gary Buhrmaster 0.3.0-0.6.20180905gitcb4951c +- update to upstream master + +* Tue Sep 04 2018 Gary Buhrmaster 0.3.0-0.5.20180904git2b5f0d0 +- update to upstream master + +* Mon Aug 27 2018 Gary Buhrmaster 0.3.0-0.4.20180827git9d178b2 +- Update to upstream master + +* Thu Aug 23 2018 Gary Buhrmaster 0.3.0-0.3.20180823git0f40181 +- Update to upstream master + +* Tue Aug 21 2018 Gary Buhrmaster 0.3.0-0.2.20180821gitfff65a4 +- Update to upstream master + +* Wed Aug 08 2018 Gary Buhrmaster 0.3.0-0.1.20180808git5be8903 +- Update to new spec +