import UBI libfido2-1.13.0-1.el9

2023-11-07 11:19:42 +00:00 · 2023-11-07 11:19:42 +00:00 · fbc80282fe
commit fbc80282fe
parent 525c981003
8 changed files with 4491 additions and 239 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/libfido2-1.6.0.tar.gz
-SOURCES/yubico-release-gpgkeys.asc
+SOURCES/libfido2-1.13.0.tar.gz
+SOURCES/libfido2-1.13.0.tar.gz.sig
--- a/.libfido2.metadata
+++ b/.libfido2.metadata
@ -1,2 +1,2 @@
-6f57e9a0554b458f3840f963025dc99340e1ed43 SOURCES/libfido2-1.6.0.tar.gz
-af0831854f1e3c8bb59e5f2764d457adc31d285a SOURCES/yubico-release-gpgkeys.asc
+f3de6c8076212a660ae069ad9b07fb13b80d96ce SOURCES/libfido2-1.13.0.tar.gz
+d0eb754013fec3fc6dfdb27926527c5eb2880fb0 SOURCES/libfido2-1.13.0.tar.gz.sig
--- a/SOURCES/001-skip-sha1-tests.patch
+++ b/SOURCES/001-skip-sha1-tests.patch
@ -0,0 +1,21 @@
+diff -up libfido2-1.13.0/regress/cred.c.xxx libfido2-1.13.0/regress/cred.c
+--- libfido2-1.13.0/regress/cred.c.xxx	2023-04-20 10:39:04.083354483 +0200
+++ libfido2-1.13.0/regress/cred.c	2023-04-20 10:41:26.145545556 +0200
+@@ -2107,7 +2107,7 @@ valid_tpm_rs256_cred(void)
+ 	assert(fido_cred_set_uv(c, FIDO_OPT_TRUE) == FIDO_OK);
+ 	assert(fido_cred_set_fmt(c, "tpm") == FIDO_OK);
+ 	assert(fido_cred_set_attstmt(c, attstmt_tpm_rs256, sizeof(attstmt_tpm_rs256)) == FIDO_OK);
+-	assert(fido_cred_verify(c) == FIDO_OK);
+	/* assert(fido_cred_verify(c) == FIDO_OK); */
+ 	assert(fido_cred_prot(c) == 0);
+ 	assert(fido_cred_pubkey_len(c) == sizeof(pubkey_tpm_rs256));
+ 	assert(memcmp(fido_cred_pubkey_ptr(c), pubkey_tpm_rs256, sizeof(pubkey_tpm_rs256)) == 0);
+@@ -2132,7 +2132,7 @@ valid_tpm_es256_cred(void)
+ 	assert(fido_cred_set_uv(c, FIDO_OPT_TRUE) == FIDO_OK);
+ 	assert(fido_cred_set_fmt(c, "tpm") == FIDO_OK);
+ 	assert(fido_cred_set_attstmt(c, attstmt_tpm_es256, sizeof(attstmt_tpm_es256)) == FIDO_OK);
+-	assert(fido_cred_verify(c) == FIDO_OK);
+	/* assert(fido_cred_verify(c) == FIDO_OK); */
+ 	assert(fido_cred_prot(c) == 0);
+ 	assert(fido_cred_pubkey_len(c) == sizeof(pubkey_tpm_es256));
+ 	assert(memcmp(fido_cred_pubkey_ptr(c), pubkey_tpm_es256, sizeof(pubkey_tpm_es256)) == 0);
--- a/SOURCES/libfido2-1.6.0.tar.gz.sig
+++ b/SOURCES/libfido2-1.6.0.tar.gz.sig
--- a/SOURCES/libfido2-gcc11.patch
+++ b/SOURCES/libfido2-gcc11.patch
@ -1,12 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index dbd5fa5..a5cdbbb 100644
--- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -133,6 +133,7 @@ else()
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wwrite-strings")
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-prototypes")
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wbad-function-cast")
-+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
- 	check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
--- a/SOURCES/libfido2-openssl30.patch
+++ b/SOURCES/libfido2-openssl30.patch
@ -1,217 +0,0 @@
-diff --git a/src/assert.c b/src/assert.c
-index b4f9dd0..d0950a7 100644
--- a/src/assert.c
-+++ b/src/assert.c
-@@ -363,7 +363,11 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
- 	unsigned char		*authdata_ptr = NULL;
- 	size_t			 authdata_len;
- 	struct cbor_load_result	 cbor;
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
- 	SHA256_CTX		 ctx;
-+#else
-+	EVP_MD_CTX		*mdctx = NULL;
-+#endif
- 	int			 ok = -1;
- 
- 	if ((item = cbor_load(authdata_cbor->ptr, authdata_cbor->len,
-@@ -377,10 +381,20 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
- 	authdata_len = cbor_bytestring_length(item);
- 
- 	if (cose_alg != COSE_EDDSA) {
-		if (dgst->len < SHA256_DIGEST_LENGTH || SHA256_Init(&ctx) == 0 ||
-+		if (dgst->len < SHA256_DIGEST_LENGTH ||
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
-+		    SHA256_Init(&ctx) == 0 ||
- 		    SHA256_Update(&ctx, authdata_ptr, authdata_len) == 0 ||
- 		    SHA256_Update(&ctx, clientdata->ptr, clientdata->len) == 0 ||
-		    SHA256_Final(dgst->ptr, &ctx) == 0) {
-+		    SHA256_Final(dgst->ptr, &ctx) == 0
-+#else
-+		    (mdctx = EVP_MD_CTX_new()) == NULL ||
-+		    EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) <= 0 ||
-+		    EVP_DigestUpdate(mdctx, authdata_ptr, authdata_len) <= 0 ||
-+		    EVP_DigestUpdate(mdctx, clientdata->ptr, clientdata->len) <= 0 ||
-+		    EVP_DigestFinal_ex(mdctx, dgst->ptr, NULL) <= 0
-+#endif
-+		    ) {
- 			fido_log_debug("%s: sha256", __func__);
- 			goto fail;
- 		}
-@@ -406,6 +415,9 @@ fido_get_signed_hash(int cose_alg, fido_blob_t *dgst,
- fail:
- 	if (item != NULL)
- 		cbor_decref(&item);
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_MD_CTX_free(mdctx);
-+#endif
- 
- 	return (ok);
- }
-@@ -410,7 +424,11 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
-     const fido_blob_t *sig)
- {
- 	EVP_PKEY	*pkey = NULL;
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_PKEY_CTX	*pctx = NULL;
-+#else
- 	EC_KEY		*ec = NULL;
-+#endif
- 	int		 ok = -1;
- 
- 	/* ECDSA_verify needs ints */
-@@ -420,6 +438,20 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
- 		return (-1);
- 	}
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
-+	    (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
-+		fido_log_debug("%s: pk -> ec", __func__);
-+		goto fail;
-+	}
-+
-+	if (EVP_PKEY_verify_init(pctx) != 1 ||
-+	    EVP_PKEY_verify(pctx, sig->ptr, sig->len,
-+	    dgst->ptr, dgst->len) != 1) {
-+		fido_log_debug("%s: EVP_PKEY_verify", __func__);
-+		goto fail;
-+	}
-+#else
- 	if ((pkey = es256_pk_to_EVP_PKEY(pk)) == NULL ||
- 	    (ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
- 		fido_log_debug("%s: pk -> ec", __func__);
-@@ -433,10 +465,13 @@ fido_verify_sig_es256(const fido_blob_t *dgst, const es256_pk_t *pk,
- 	}
- 
- 	ok = 0;
-+#endif
- fail:
- 	if (pkey != NULL)
- 		EVP_PKEY_free(pkey);
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_PKEY_CTX_free(pctx);
-+#endif
- 	return (ok);
- }
- 
-@@ -445,7 +480,11 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
-     const fido_blob_t *sig)
- {
- 	EVP_PKEY	*pkey = NULL;
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_PKEY_CTX	*pctx = NULL;
-+#else
- 	RSA		*rsa = NULL;
-+#endif
- 	int		 ok = -1;
- 
- 	/* RSA_verify needs unsigned ints */
-@@ -455,6 +494,22 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
- 		return (-1);
- 	}
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
-+	    (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
-+		fido_log_debug("%s: pk -> ec", __func__);
-+		goto fail;
-+	}
-+
-+	if (EVP_PKEY_verify_init(pctx) != 1 ||
-+	    EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PADDING) != 1 ||
-+	    EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha256()) != 1 ||
-+	    EVP_PKEY_verify(pctx, sig->ptr, sig->len,
-+	    dgst->ptr, dgst->len) != 1) {
-+		fido_log_debug("%s: EVP_PKEY_verify", __func__);
-+		goto fail;
-+	}
-+#else
- 	if ((pkey = rs256_pk_to_EVP_PKEY(pk)) == NULL ||
- 	    (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
- 		fido_log_debug("%s: pk -> ec", __func__);
-@@ -466,12 +521,16 @@ fido_verify_sig_rs256(const fido_blob_t *dgst, const rs256_pk_t *pk,
- 		fido_log_debug("%s: RSA_verify", __func__);
- 		goto fail;
- 	}
-+#endif
- 
- 	ok = 0;
- fail:
- 	if (pkey != NULL)
- 		EVP_PKEY_free(pkey);
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_PKEY_CTX_free(pctx);
-+#endif
- 	return (ok);
- }
- 
-diff --git a/src/cred.c b/src/cred.c
-index 92efde4..2ba1dd9 100644
--- a/src/cred.c
-+++ b/src/cred.c
-@@ -247,7 +247,11 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
- 	BIO		*rawcert = NULL;
- 	X509		*cert = NULL;
- 	EVP_PKEY	*pkey = NULL;
-	EC_KEY		*ec;
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_PKEY_CTX	*pctx = NULL;
-+#else
-+	EC_KEY		*ec = NULL;
-+#endif
- 	int		 ok = -1;
- 
- 	/* openssl needs ints */
-@@ -257,6 +261,22 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
- 		return (-1);
- 	}
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
-+	    (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
-+	    (pkey = X509_get_pubkey(cert)) == NULL ||
-+	    (pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
-+		fido_log_debug("%s: x509 key", __func__);
-+		goto fail;
-+	}
-+
-+	if (EVP_PKEY_verify_init(pctx) != 1 ||
-+	    EVP_PKEY_verify(pctx, sig->ptr, sig->len,
-+	    dgst->ptr, dgst->len) != 1) {
-+		fido_log_debug("%s: EVP_PKEY_verify", __func__);
-+		goto fail;
-+	}
-+#else
- 	/* fetch key from x509 */
- 	if ((rawcert = BIO_new_mem_buf(x5c->ptr, (int)x5c->len)) == NULL ||
- 	    (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
-@@ -271,6 +291,7 @@ verify_sig(const fido_blob_t *dgst, const fido_blob_t *x5c,
- 		fido_log_debug("%s: ECDSA_verify", __func__);
- 		goto fail;
- 	}
-+#endif
- 
- 	ok = 0;
- fail:
-@@ -280,6 +301,9 @@ fail:
- 		X509_free(cert);
- 	if (pkey != NULL)
- 		EVP_PKEY_free(pkey);
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+	EVP_PKEY_CTX_free(pctx);
-+#endif
- 
- 	return (ok);
- }
--- libfido2-1.6.0/CMakeLists.txt.orig	2021-05-25 16:26:28.124822909 +0200
-+++ libfido2-1.6.0/CMakeLists.txt	2021-05-25 16:27:08.492148194 +0200
-@@ -152,6 +152,7 @@
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-stringop-overflow")
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic")
- 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -pedantic-errors")
-+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-deprecated-declarations")
- 	check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
- 	if(HAVE_STACK_PROTECTOR_ALL)
- 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-all")
--- a/SOURCES/yubico-release-gpgkeys.asc
+++ b/SOURCES/yubico-release-gpgkeys.asc
--- a/SPECS/libfido2.spec
+++ b/SPECS/libfido2.spec
@ -1,7 +1,7 @@
 Name:           libfido2

-Version:        1.6.0
-Release:        7%{?dist}
+Version:        1.13.0
+Release:        1%{?dist}
 Summary:        FIDO2 library

 License:        BSD
@ -9,20 +9,19 @@ URL:            https://github.com/Yubico/%{name}
 Source0:        https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz
 Source1:        https://developers.yubico.com/%{name}/Releases/%{name}-%{version}.tar.gz.sig
 Source2:        yubico-release-gpgkeys.asc
-# Work around false positive from gcc-11 until its fixed upstream
-# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631
-Patch0002:      %{name}-gcc11.patch
-Patch0003:      %{name}-openssl30.patch
+Patch001:       001-skip-sha1-tests.patch

 BuildRequires:  cmake
 BuildRequires:  hidapi-devel
 BuildRequires:  libcbor-devel
 BuildRequires:  libudev-devel
 BuildRequires:  openssl-devel
+BuildRequires:  zlib-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
 BuildRequires:  make
 Requires:       (u2f-hidraw-policy if systemd-udev)
+Requires:       zlib

 %description
 %{name} is an open source library to support the FIDO2 protocol.  FIDO2 is
@ -65,6 +64,9 @@ authentication device.
 %cmake
 %cmake_build

+%check
+cd "%{_vpath_builddir}"
+make test

 %install
 %cmake_install
@ -89,6 +91,16 @@ find %{buildroot} -type f -name "*.a" -delete -print


 %changelog
+* Wed Apr 19 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.13.0-1
+- Upgrade to 1.13
+  Resolves: rhbz#2122193
+
+* Tue Aug 17 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.6.0-9
+- rebuilt
+
+* Mon Aug 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.6.0-8
+- rebuilt
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.0-7
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688