import libfido2-1.6.0-7.el9

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/libfido2-1.6.0.tar.gz
+SOURCES/yubico-release-gpgkeys.asc

.libfido2.metadata

@@ -0,0 +1,2 @@
+6f57e9a0554b458f3840f963025dc99340e1ed43 SOURCES/libfido2-1.6.0.tar.gz
+af0831854f1e3c8bb59e5f2764d457adc31d285a SOURCES/yubico-release-gpgkeys.asc

SOURCES/libfido2-gcc11.patch

@@ -0,0 +1,12 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index dbd5fa5..a5cdbbb 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -133,6 +133,7 @@ else()
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings")
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-prototypes")
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wbad-function-cast")
++	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
+ 	check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)

SOURCES/libfido2-openssl30.patch

@@ -0,0 +1,217 @@
+diff --git a/src/assert.c b/src/assert.c
+index b4f9dd0..d0950a7 100644
+--- a/src/assert.c
++++ b/src/assert.c
+@@ -363,7 +363,11 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
+ 	unsigned char		*authdata_ptr = NULL;
+ 	size_t			 authdata_len;
+ 	struct cbor_load_result	 cbor;
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ 	SHA256_CTX		 ctx;
++#else
++	EVP_MD_CTX		*mdctx = NULL;
++#endif
+ 	int			 ok = -1;
+ 
+ 	if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len,
+@@ -377,10 +381,20 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
+ 	authdata_len = cbor_bytestring_length(item);
+ 
+ 	if (cose_alg != COSE_EDDSA) {
+-		if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 ||
++		if (dgst->len < SHA256_DIGEST_LENGTH ||
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++		    SHA256_Init(&ctx) == 0 ||
+ 		    SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 ||
+ 		    SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 ||
+-		    SHA256_Final(dgst->ptr, &ctx) == 0) {
++		    SHA256_Final(dgst->ptr, &ctx) == 0
++#else
++		    (mdctx = EVP_MD_CTX_new()) == NULL ||
++		    EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) <= 0 ||
++		    EVP_DigestUpdate(mdctx, authdata_ptr, authdata_len) <= 0 ||
++		    EVP_DigestUpdate(mdctx, clientdata->ptr, clientdata->len) <= 0 ||
++		    EVP_DigestFinal_ex(mdctx, dgst->ptr, NULL) <= 0
++#endif
++		    ) {
+ 			fido_log_debug("%s: sha256", __func__);
+ 			goto fail;
+ 		}
+@@ -406,6 +415,9 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
+ fail:
+ 	if (item != NULL)
+ 		cbor_decref(&item);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_MD_CTX_free(mdctx);
++#endif
+ 
+ 	return (ok);
+ }
+@@ -410,7 +424,11 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
+     const fido_blob_t *sig)
+ {
+ 	EVP_PKEY	*pkey = NULL;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_PKEY_CTX	*pctx = NULL;
++#else
+ 	EC_KEY		*ec = NULL;
++#endif
+ 	int		 ok = -1;
+ 
+ 	/* ECDSA_verify needs ints */
+@@ -420,6 +438,20 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
+ 		return (-1);
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
++	    (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
++		fido_log_debug("%s: pk -> ec", __func__);
++		goto fail;
++	}
++
++	if (EVP_PKEY_verify_init(pctx) != 1 ||
++	    EVP_PKEY_verify(pctx, sig->ptr, sig->len,
++	    dgst->ptr, dgst->len) != 1) {
++		fido_log_debug("%s: EVP_PKEY_verify", __func__);
++		goto fail;
++	}
++#else
+ 	if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
+ 	    (ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
+ 		fido_log_debug("%s: pk -> ec", __func__);
+@@ -433,10 +465,13 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
+ 	}
+ 
+ 	ok = 0;
++#endif
+ fail:
+ 	if (pkey != NULL)
+ 		EVP_PKEY_free(pkey);
+-
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_PKEY_CTX_free(pctx);
++#endif
+ 	return (ok);
+ }
+ 
+@@ -445,7 +480,11 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
+     const fido_blob_t *sig)
+ {
+ 	EVP_PKEY	*pkey = NULL;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_PKEY_CTX	*pctx = NULL;
++#else
+ 	RSA		*rsa = NULL;
++#endif
+ 	int		 ok = -1;
+ 
+ 	/* RSA_verify needs unsigned ints */
+@@ -455,6 +494,22 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
+ 		return (-1);
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
++	    (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
++		fido_log_debug("%s: pk -> ec", __func__);
++		goto fail;
++	}
++
++	if (EVP_PKEY_verify_init(pctx) != 1 ||
++	    EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 ||
++	    EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) != 1 ||
++	    EVP_PKEY_verify(pctx, sig->ptr, sig->len,
++	    dgst->ptr, dgst->len) != 1) {
++		fido_log_debug("%s: EVP_PKEY_verify", __func__);
++		goto fail;
++	}
++#else
+ 	if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
+ 	    (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
+ 		fido_log_debug("%s: pk -> ec", __func__);
+@@ -466,12 +521,16 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
+ 		fido_log_debug("%s: RSA_verify", __func__);
+ 		goto fail;
+ 	}
++#endif
+ 
+ 	ok = 0;
+ fail:
+ 	if (pkey != NULL)
+ 		EVP_PKEY_free(pkey);
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_PKEY_CTX_free(pctx);
++#endif
+ 	return (ok);
+ }
+ 
+diff --git a/src/cred.c b/src/cred.c
+index 92efde4..2ba1dd9 100644
+--- a/src/cred.c
++++ b/src/cred.c
+@@ -247,7 +247,11 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
+ 	BIO		*rawcert = NULL;
+ 	X509		*cert = NULL;
+ 	EVP_PKEY	*pkey = NULL;
+-	EC_KEY		*ec;
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_PKEY_CTX	*pctx = NULL;
++#else
++	EC_KEY		*ec = NULL;
++#endif
+ 	int		 ok = -1;
+ 
+ 	/* openssl needs ints */
+@@ -257,6 +261,22 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
+ 		return (-1);
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
++	    (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
++	    (pkey = X509_get_pubkey(cert)) == NULL ||
++	    (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
++		fido_log_debug("%s: x509 key", __func__);
++		goto fail;
++	}
++
++	if (EVP_PKEY_verify_init(pctx) != 1 ||
++	    EVP_PKEY_verify(pctx, sig->ptr, sig->len,
++	    dgst->ptr, dgst->len) != 1) {
++		fido_log_debug("%s: EVP_PKEY_verify", __func__);
++		goto fail;
++	}
++#else
+ 	/* fetch key from x509 */
+ 	if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
+ 	    (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
+@@ -271,6 +291,7 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
+ 		fido_log_debug("%s: ECDSA_verify", __func__);
+ 		goto fail;
+ 	}
++#endif
+ 
+ 	ok = 0;
+ fail:
+@@ -280,6 +301,9 @@ fail:
+ 		X509_free(cert);
+ 	if (pkey != NULL)
+ 		EVP_PKEY_free(pkey);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++	EVP_PKEY_CTX_free(pctx);
++#endif
+ 
+ 	return (ok);
+ }
+--- libfido2-1.6.0/CMakeLists.txt.orig	2021-05-25 16:26:28.124822909 +0200
++++ libfido2-1.6.0/CMakeLists.txt	2021-05-25 16:27:08.492148194 +0200
+@@ -152,6 +152,7 @@
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
+ 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
++	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations")
+ 	check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
+ 	if(HAVE_STACK_PROTECTOR_ALL)
+ 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-all")

SPECS/libfido2.spec

@@ -0,0 +1,199 @@
+Name:           libfido2
+
+Version:        1.6.0
+Release:        7%{?dist}
+Summary:        FIDO2 library
+
+License:        BSD
+URL:            https://github.com/Yubico/%{name}
+Source0:        https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz
+Source1:        https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz.sig
+Source2:        yubico-release-gpgkeys.asc
+# Work around false positive from gcc-11 until its fixed upstream
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631
+Patch0002:      %{name}-gcc11.patch
+Patch0003:      %{name}-openssl30.patch
+
+BuildRequires:  cmake
+BuildRequires:  hidapi-devel
+BuildRequires:  libcbor-devel
+BuildRequires:  libudev-devel
+BuildRequires:  openssl-devel
+BuildRequires:  gcc
+BuildRequires:  gnupg2
+BuildRequires:  make
+Requires:       (u2f-hidraw-policy if systemd-udev)
+
+%description
+%{name} is an open source library to support the FIDO2 protocol.  FIDO2 is
+an open authentication standard that consists of the W3C Web Authentication
+specification (WebAuthn API), and the Client to Authentication Protocol
+(CTAP).  CTAP is an application layer protocol used for communication
+between a client (browser) or a platform (operating system) with an external
+authentication device (for example the Yubico Security Key).
+
+################################################################################
+
+%package devel
+
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+%{name}-devel contains development libraries and header files for %{name}.
+
+################################################################################
+
+%package -n fido2-tools
+
+Summary:        FIDO2 tools
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description -n fido2-tools
+FIDO2 command line tools to access and configure a FIDO2 compliant
+authentication device.
+
+################################################################################
+
+
+%prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1 -n %{name}-%{version}
+
+
+%build
+%cmake
+%cmake_build
+
+
+%install
+%cmake_install
+# Remove static files per packaging guidelines
+find %{buildroot} -type f -name "*.a" -delete -print
+
+
+%files
+%doc NEWS README.adoc
+%license LICENSE
+%{_libdir}/libfido2.so.1{,.*}
+
+%files devel
+%{_libdir}/pkgconfig/*
+%{_libdir}/libfido2.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+%files -n fido2-tools
+%{_bindir}/*
+%{_mandir}/man1/*
+
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-6
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Jun 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.6.0-5
+- rebuilt
+
+* Tue May 25 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.6.0-4
+- OpenSSL 3.0 compatibility. Related: rhbz#1961051
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 13 2021 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.6.0-1
+- 1.6.0 release (#1910101)
+
+* Thu Dec 17 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.5.0-4
+- Use gpgverify macro and ascii armored yubico release keys
+
+* Wed Nov 04 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.5.0-3
+- add BR make
+- fix typo in changelog day (Tuu -> Thu) to make rpmlint happy
+
+* Thu Oct 29 2020 Jeff Law <law@redhat.com> 1.5.0-2
+- Work around false positive diagnostic in gcc-11
+
+* Fri Sep 11 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.5.0-1
+- 1.5.0 release (#1824326)
+- include upstream patch to fix 32-bit platform compile, reported at
+  https://github.com/Yubico/libfido2/issues/210
+
+* Tue Sep 08 2020 Kalev Lember <klember@redhat.com> - 1.4.0-4
+- Rebuilt for libcbor soname bump
+
+* Wed Jul 29 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.4.0-3
+- adapt to new Fedora cmake rpm macros
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Apr 15 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.4.0-1
+- 1.4.0 release (#1824326)
+
+* Sat Apr 11 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.1-2
+- change to require u2f-hidraw-policy only if systemd-udev (#1823002)
+
+* Thu Feb 20 2020 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.1-1
+- 1.3.1 release
+
+* Mon Dec 16 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.0-3
+- use yubico corp release site for sources and gpg signature
+
+* Sat Dec 14 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.0-2
+- packaging cleanups
+
+* Sat Nov 30 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.3.0-1
+- 1.3.0 release
+
+* Mon Jul 29 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.2.0-1
+- 1.2.0 release
+
+* Sat May 11 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.1.0-1
+- 1.1.0 release
+
+* Fri Apr 05 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.0.0-2
+- include backported upstream patches for compiler dependencies and soname version
+- modify libdir glob to meet newer packaging recommendations
+
+* Thu Mar 21 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 1.0.0-1
+- 1.0.0 release
+
+* Mon Jan 07 2019 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.4.0-1
+- 0.4.0 release
+
+* Wed Sep 12 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-1
+- 0.3.0 release
+
+* Fri Sep 07 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.8.20180907git878fcd8
+- update to upstream master
+
+* Thu Sep 06 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.7.20180906gitff7ece8
+- update to upstream master
+
+* Wed Sep 05 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.6.20180905gitcb4951c
+- update to upstream master
+
+* Tue Sep 04 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.5.20180904git2b5f0d0
+- update to upstream master
+
+* Mon Aug 27 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.4.20180827git9d178b2
+- Update to upstream master
+
+* Thu Aug 23 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.3.20180823git0f40181
+- Update to upstream master
+
+* Tue Aug 21 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.2.20180821gitfff65a4
+- Update to upstream master
+
+* Wed Aug 08 2018 Gary Buhrmaster <gary.buhrmaster@gmail.com> 0.3.0-0.1.20180808git5be8903
+- Update to new spec
+